Commit aba077c0 authored by cdanger

Merge branch 'release/9.0.0'

parents 85438979 50cffaf2
......@@ -6,3 +6,4 @@
/.pmd
/.pmdruleset.xml
/.project
/.checkstyle
......@@ -4,6 +4,28 @@ All notable changes to this project are documented in this file following the [K
Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
## Unreleased
### Changed
- Version of parent project: 6.0.0:
- The XML schema definition of PDP Decision Cache extensions' base type have been simplified (a few attributes removed).
- Version of dependency authzforce-ce-core-pdp-api: 11.0.0 (API changes):
- Changed PDPEngine interface methods
- Changed PDP extensions' interface methods: DecisionResultFilter, RequestFilter, DecisionCache (new EvaluationContext parameter to enable context-dependent caches), RefPolicyProvider (renamed RefPolicyProvider.Utils class to RefPolicyProvider.Helper).
- Changed EvaluationContext interface methods:
- Use of Bag replaced with AttributeBag class (AttributeBags are Bags with extra metadata such as the source - AttributeSource - of the attribute values: request, PDP, attribute provider extension, etc.
- New methods to help PDP extensions to watch for changes to the context with listeners
- Changed Expression interface methods
- Changed VersionPatterns class methods to return new PolicyVersionPattern class that helps manipulate XACML VersionMatchTypes
- Renamed class IndividualDecisionRequest to IndividualXACMLRequest (XACML-specific model of Individual Decision Request)
- Renamed class IndividualPdpDecisionRequest to PdpDecisionRequest (individual request in XACML-agnostic AuthzForce model)
- Renamed class AttributeGUID(s) to AttributeFQN(s) (Fully Qualified Name is more appropriate than GUID)
- Renamed class MutableBag to MutableAttributeBag
- Aded BaseStaticRefPolicyProviderModule class as convenient base class for implementing static Policy Provider (StaticRefPolicyProviderModule) implementations
### Added
- [PolicyProvider implementation](pdp-testutils/src/main/java/org/ow2/authzforce/core/pdp/testutil/ext/MongoDBRefPolicyProviderModule.java) for testing and documentation purposes, using MongoDB as policy database system and Jongo as client library, with [JUnit test class](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MongoDBRefPolicyProviderModuleTest.java) showing how to use it.
## 8.0.0
### Changed
- Version of parent project: 5.1.0
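Review bot: the new changelog section is still headed `## Unreleased` although this commit merges release/9.0.0 and the pom hunk further down moves the parent to 9.0.0; head it `## 9.0.0` so that consumers can tie the listed API breaks to a release. Entries such as "Changed PDPEngine interface methods" and "Changed Expression interface methods" do not say which methods changed, which leaves extension authors (DecisionCache, RequestFilter, RefPolicyProvider) without a migration path; name the methods or link to the pdp-api 11.0.0 notes. Two small text fixes in the same block: "Aded BaseStaticRefPolicyProviderModule" should read "Added", and the parenthesis opened at "(AttributeBags are Bags with extra metadata" is never closed.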
......@@ -192,14 +214,14 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
## 3.6.0
### Added
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md) ); with specific adaptations and enhancements:
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md) ); with specific adaptations and enhancements:
1. XACML 3.0 Schema validation in all conformance tests (original files are not all compliant with XACML 3.0).
1. The original conformance test folder contains hundreds of files; for better readability and management, the folder is split in *mandatory* folder for tests on supported mandatory features (XACMl 3.0 core), *optional* folder for supported optional features (XACML 3.0 core and profiles), and *unsupported* for unsupported features.
1. For tests requiring a custom attribute finder, added a file with suffix `AttributeProvider.xml` that configures the `TestAttributeProviderModule`. This configuration file must contain a list of `Attributes` elements defining the attributes that this attribute provider is able to provide, with their constant values.
1. For tests requiring policies to be referenced via Policy(Set)IdReferences, added a directory named `refPolicies` containing a XACML Policy(Set) file per referenced Policy(Set).
1. For tests of Request syntax validation (syntax error expected to be detected by Authzforce PDP at initialization-time, i.e. before any Request evaluation), added suffix `.ignore` to the original test Policy(Set) and Response files.
1. For tests of Policy(Set) syntax validation (syntax error expected to be detected by Authzforce PDP at initialization-time, i.e. before any Request evaluation), added suffix `.ignore` to the original test Request and Response files.
- [HTML description](\src\test\resources\conformance\xacml-3.0-from-2.0-ct\ConformanceTests.html) of XACML 3.0 conformance tests
- [HTML description](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/ConformanceTests.html) of XACML 3.0 conformance tests
- Support of Policy(Set)Version in Policy(Set)IdReference handled by the native policy finder
- Support for Variable evaluation in Policy with scope management (variable is local to Policy where defined and inherited by Rules)
- Added support of xpathExpressions (optional XACML feature) in Request with support of namespace-prefix mappings extracted from XML document (XACML Request/Policy(Set)/Rule) (typically via `xmlns` declarations) where the xpathExpression is defined, e.g. XACML Request or Policy(Set).
......@@ -222,7 +244,7 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
### Fixed
- Issues reported by PMD and findbugs
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md).
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct\README.md).
- In logical OR, AND and N-OF functions, an Indeterminate argument results in Indeterminate result.
1. FIX for OR function: If at least one True argument, return True regardless of Indeterminate arguments; else (no True) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no True/Indeterminate -> all false) return false
1. FIX for AND function: If at least one False argument, return False regardless of Indeterminate arguments; else (no False) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no False/Indeterminate -> all true) return true
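Review bot: the replacement README link in the "Fixed issues in XACML 3.0 conformance tests" entry still ends in `xacml-3.0-from-2.0-ct\README.md`, so the path now mixes forward slashes with one leftover backslash and will not resolve on the rendered page. The other two links corrected in this commit use `/` throughout; change this one to `pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md`.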
......
This diff is collapsed.
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>8.0.0</version>
<version>9.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
......@@ -42,7 +42,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>9.1.0</version>
<version>11.0.0</version>
</dependency>
<!-- /Authzforce dependencies -->
......
......@@ -76,8 +76,8 @@ public final class AttributeAssignmentExpressionEvaluator
final XPathCompiler xPathCompiler, final ExpressionFactory expFactory) throws IllegalArgumentException
{
/*
* Cannot used AttributeGUID class to handle metadata because AttributeAssignment Category is not required like
* in AttributeDesignator which is what the AttributeGUID is used for
* Cannot used AttributeFQN class to handle metadata because AttributeAssignment Category is not required like
* in AttributeDesignator which is what the AttributeFQN is used for
*/
this.attributeId = Preconditions.checkNotNull(jaxbAttrAssignExp.getAttributeId(),
"Undefined AttributeAssignment/AttributeId");
......
......@@ -26,7 +26,8 @@ import java.util.Set;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.AttributeFQN;
import org.ow2.authzforce.core.pdp.api.AttributeFQNs;
import org.ow2.authzforce.core.pdp.api.AttributeProvider;
import org.ow2.authzforce.core.pdp.api.AttributeProviderModule;
import org.ow2.authzforce.core.pdp.api.CloseableAttributeProviderModule;
......@@ -113,7 +114,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
// not-null
private final Set<ModuleAdapter> moduleClosers;
private CloseableAttributeProvider(final Map<AttributeGUID, AttributeProviderModule> modulesByAttributeId, final Set<ModuleAdapter> moduleClosers, final boolean strictAttributeIssuerMatch)
private CloseableAttributeProvider(final Map<AttributeFQN, AttributeProviderModule> modulesByAttributeId, final Set<ModuleAdapter> moduleClosers, final boolean strictAttributeIssuerMatch)
{
super(modulesByAttributeId, null, strictAttributeIssuerMatch);
assert moduleClosers != null;
......@@ -121,7 +122,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
}
private static final CloseableAttributeProvider EVALUATION_CONTEXT_ONLY_SCOPED_CLOSEABLE_ATTRIBUTE_PROVIDER = new CloseableAttributeProvider(
Collections.<AttributeGUID, AttributeProviderModule> emptyMap(), Collections.<ModuleAdapter> emptySet(), true);
Collections.<AttributeFQN, AttributeProviderModule> emptyMap(), Collections.<ModuleAdapter> emptySet(), true);
/**
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the requested attribute ID, if any.
......@@ -153,7 +154,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
return EVALUATION_CONTEXT_ONLY_SCOPED_CLOSEABLE_ATTRIBUTE_PROVIDER;
}
final Map<AttributeGUID, AttributeProviderModule> modulesByAttributeId = HashCollections.newUpdatableMap();
final Map<AttributeFQN, AttributeProviderModule> modulesByAttributeId = HashCollections.newUpdatableMap();
final int moduleCount = jaxbAttributeProviderConfs.size();
final Set<ModuleAdapter> mutableModuleCloserSet = HashCollections.newUpdatableSet(moduleCount);
for (final AbstractAttributeProvider jaxbAttributeProviderConf : jaxbAttributeProviderConfs)
......@@ -176,8 +177,8 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
}
else
{
final Map<AttributeGUID, AttributeProviderModule> immutableCopyOfAttrProviderModsByAttrId = Collections
.<AttributeGUID, AttributeProviderModule> unmodifiableMap(modulesByAttributeId);
final Map<AttributeFQN, AttributeProviderModule> immutableCopyOfAttrProviderModsByAttrId = Collections
.<AttributeFQN, AttributeProviderModule> unmodifiableMap(modulesByAttributeId);
depAttrProvider = new ModularAttributeProvider(immutableCopyOfAttrProviderModsByAttrId, requiredAttrs, strictAttributeIssuerMatch);
}
......@@ -188,7 +189,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
for (final AttributeDesignatorType attrDesignator : moduleAdapter.getProvidedAttributes())
{
final AttributeGUID attrGUID = new AttributeGUID(attrDesignator);
final AttributeFQN attrGUID = AttributeFQNs.newInstance(attrDesignator);
final AttributeProviderModule duplicate = modulesByAttributeId.putIfAbsent(attrGUID, moduleAdapter.getAdaptedModule());
if (duplicate != null)
{
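Review bot: the local variable in the `getProvidedAttributes()` loop keeps the name `attrGUID` although its type is now `AttributeFQN` and it is built with `AttributeFQNs.newInstance(attrDesignator)`. Rename it to `attrFQN` (including the `putIfAbsent` call on the next line) so that the rename is complete and later readers do not look for a GUID type that no longer exists.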
......
......@@ -28,19 +28,22 @@ import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.AttributeFQN;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableIndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.ImmutablePdpDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndividualXACMLRequest;
import org.ow2.authzforce.core.pdp.api.JaxbXACMLUtils.JaxbXACMLAttributesParser;
import org.ow2.authzforce.core.pdp.api.PdpDecisionRequestFactory;
import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.DatatypeFactoryRegistry;
import com.google.common.collect.ImmutableList;
/**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
......@@ -48,6 +51,17 @@ import org.ow2.authzforce.core.pdp.api.value.DatatypeFactoryRegistry;
*/
public final class DefaultRequestFilter extends BaseRequestFilter
{
private static final PdpDecisionRequestFactory<ImmutablePdpDecisionRequest> DEFAULT_REQUEST_FACTORY = new PdpDecisionRequestFactory<ImmutablePdpDecisionRequest>()
{
@Override
public ImmutablePdpDecisionRequest getInstance(final Map<AttributeFQN, AttributeBag<?>> namedAttributes, final Map<String, XdmNode> extraContentsByCategory,
final boolean returnApplicablePolicies)
{
return ImmutablePdpDecisionRequest.getInstance(namedAttributes, extraContentsByCategory, returnApplicablePolicies);
}
};
/**
*
* Factory for this type of request filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0 core spec,
......@@ -71,7 +85,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
return new DefaultRequestFilter(datatypeFactoryRegistry, DEFAULT_REQUEST_FACTORY, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
}
/**
......@@ -101,22 +115,42 @@ public final class DefaultRequestFilter extends BaseRequestFilter
public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
return new DefaultRequestFilter(datatypeFactoryRegistry, DEFAULT_REQUEST_FACTORY, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
}
}
private DefaultRequestFilter(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates,
final boolean requireContentForXPath, final Processor xmlProcessor)
private final PdpDecisionRequestFactory<ImmutablePdpDecisionRequest> reqFactory;
/**
* Creates instance of default request filter
*
* @param datatypeFactoryRegistry
* attribute datatype registry
* @param requestFactory
* decision request factory
* @param strictAttributeIssuerMatch
* true iff strict attribute Issuer match must be enforced (in particular request attributes with empty Issuer only match corresponding AttributeDesignators with empty Issuer)
* @param allowAttributeDuplicates
* true iff duplicate Attribute (with same metadata) elements in Request (for multi-valued attributes) must be allowed
* @param requireContentForXPath
* true iff Content elements must be parsed, else ignored
* @param xmlProcessor
* XML processor for parsing Content elements iff {@code requireContentForXPath}
*/
public DefaultRequestFilter(final DatatypeFactoryRegistry datatypeFactoryRegistry, final PdpDecisionRequestFactory<ImmutablePdpDecisionRequest> requestFactory,
final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates, final boolean requireContentForXPath, final Processor xmlProcessor)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
assert requestFactory != null;
reqFactory = requestFactory;
}
/** {@inheritDoc} */
@Override
public List<? extends IndividualDecisionRequest> filter(final List<Attributes> attributesList, final JaxbXACMLAttributesParser xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned,
public List<? extends IndividualXACMLRequest> filter(final List<Attributes> attributesList, final JaxbXACMLAttributesParser xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned,
final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
final Map<AttributeGUID, Bag<?>> namedAttributes = HashCollections.newUpdatableMap(attributesList.size());
final Map<AttributeFQN, AttributeBag<?>> namedAttributes = HashCollections.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashCollections.newUpdatableMap(attributesList.size());
/*
* attributesToIncludeInResult.size() <= attributesList.size()
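Review bot: the `DefaultRequestFilter` constructor goes from private to public here, but the only guard on the new `requestFactory` argument is `assert requestFactory != null;`, which does nothing unless the JVM runs with assertions enabled. An external caller passing null gets a filter that constructs fine and then fails with a NullPointerException at `reqFactory.getInstance(...)` on the first request. Since the constructor is now part of the public surface, replace the assert with an unconditional check (for example `Objects.requireNonNull(requestFactory, "Undefined request factory")`) and document the exception in the Javadoc added in this hunk.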
......@@ -153,7 +187,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
for (final Entry<AttributeGUID, Bag<?>> attrEntry : categorySpecificAttributes)
for (final Entry<AttributeFQN, AttributeBag<?>> attrEntry : categorySpecificAttributes)
{
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
......@@ -165,6 +199,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
}
return Collections.singletonList(new ImmutableIndividualDecisionRequest(namedAttributes, extraContentsByCategory, attributesToIncludeInResult, isApplicablePolicyIdListReturned));
return Collections.singletonList(new IndividualXACMLRequest(reqFactory.getInstance(namedAttributes, extraContentsByCategory, isApplicablePolicyIdListReturned), ImmutableList
.copyOf(attributesToIncludeInResult)));
}
}
/**
* Copyright 2012-2017 Thales Services SAS.
*
* This file is part of AuthzForce CE.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
*
*/
package org.ow2.authzforce.core.pdp.impl;
import java.util.Map;
import net.sf.saxon.s9api.XdmNode;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.IndividualPdpDecisionRequest;
import org.ow2.authzforce.core.pdp.api.value.Bag;
/**
* Immutable implementation of {@link IndividualPdpDecisionRequest} to be used as input to {@link BasePdpEngine}
*/
public final class ImmutablePdpDecisionRequest implements IndividualPdpDecisionRequest
{
private final Map<AttributeGUID, Bag<?>> attributes;
private final Map<String, XdmNode> extraContentsByCategory;
private final boolean isApplicablePolicyListReturned;
/**
* Create new instance
*
* @param namedAttributes
* named Attributes (no extra Content element)
* @param extraContentNodesByCategory
* extra XML Content elements by attribute Category
* @param includedInResult
* attributes to be include in the final Result
* @param returnApplicablePolicies
* return list of applicable policy identifiers; equivalent of XACML Request's ReturnPolicyIdList flag
*/
ImmutablePdpDecisionRequest(final Map<AttributeGUID, Bag<?>> namedAttributes, final Map<String, XdmNode> extraContentNodesByCategory, final boolean returnApplicablePolicies)
{
// these maps/lists may be updated later by put(...) method defined in this class
attributes = namedAttributes == null ? null : HashCollections.newImmutableMap(namedAttributes);
extraContentsByCategory = extraContentNodesByCategory == null ? null : HashCollections.newImmutableMap(extraContentNodesByCategory);
this.isApplicablePolicyListReturned = returnApplicablePolicies;
}
/*
* (non-Javadoc)
*
* @see org.ow2.authzforce.core.IndividualDecisionRequest#getNamedAttributes()
*/
@Override
public Map<AttributeGUID, Bag<?>> getNamedAttributes()
{
return attributes;
}
/*
* (non-Javadoc)
*
* @see org.ow2.authzforce.core.IndividualDecisionRequest#getExtraContentsByCategory()
*/
@Override
public Map<String, XdmNode> getExtraContentsByCategory()
{
return this.extraContentsByCategory;
}
/**
* @return the returnApplicablePolicyIdList
*/
@Override
public boolean isApplicablePolicyIdListReturned()
{
return isApplicablePolicyListReturned;
}
/*
* (non-Javadoc)
*
* @see java.lang.Object#toString()
*/
@Override
public String toString()
{
return "[namedAttributes=" + attributes + ", extraContentsByCategory=" + extraContentsByCategory + ", returnApplicablePolicyIdList=" + isApplicablePolicyListReturned + "]";
}
}
......@@ -25,28 +25,30 @@ import java.util.Map.Entry;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.AttributeFQN;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.ImmutablePdpDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndividualXACMLRequest;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import com.google.common.collect.ImmutableList;
/**
* Mutable Individual Decision Request
* (Mutable) Individual Decision Request builder, used only by {@link MultiDecisionRequestFilter}, to build an immutable decision request
*
* @version $Id: $
*/
public final class MutableIndividualDecisionRequest implements IndividualDecisionRequest
final class IndividualXACMLRequestBuilder
{
private static final IllegalArgumentException UNDEF_ATTRIBUTES_EXCEPTION = new IllegalArgumentException("Undefined attributes");
private static final IllegalArgumentException UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION = new IllegalArgumentException("Undefined attribute category");
private final Map<AttributeGUID, Bag<?>> namedAttributes;
// initialized not null by constructors
private final Map<String, XdmNode> extraContentsByCategory;
private final Map<AttributeFQN, AttributeBag<?>> namedAttributes;
private final Map<String, XdmNode> contentNodesByCategory;
private final List<Attributes> attributesToIncludeInResult;
private final boolean returnApplicablePolicyIdList;
private final boolean isApplicablePolicyIdListReturned;
/**
* Creates empty request (no attribute)
......@@ -54,13 +56,13 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
* @param returnPolicyIdList
* equivalent of XACML ReturnPolicyIdList
*/
public MutableIndividualDecisionRequest(final boolean returnPolicyIdList)
IndividualXACMLRequestBuilder(final boolean returnPolicyIdList)
{
// these maps/lists may be updated later by put(...) method defined in this class
namedAttributes = HashCollections.newUpdatableMap();
extraContentsByCategory = HashCollections.newUpdatableMap();
contentNodesByCategory = HashCollections.newUpdatableMap();
attributesToIncludeInResult = new ArrayList<>();
returnApplicablePolicyIdList = returnPolicyIdList;
isApplicablePolicyIdListReturned = returnPolicyIdList;
}
/**
......@@ -69,16 +71,15 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
* @param baseRequest
* replicated existing request. Further changes to it are not reflected back to this new instance.
*/
public MutableIndividualDecisionRequest(final IndividualDecisionRequest baseRequest)
IndividualXACMLRequestBuilder(final IndividualXACMLRequestBuilder baseRequest)
{
assert baseRequest != null;
// these maps/lists may be updated later by put(...) method defined in this class
final Map<AttributeGUID, Bag<?>> baseNamedAttributes = baseRequest.getNamedAttributes();
final Map<String, XdmNode> baseExtraContentsByCategory = baseRequest.getExtraContentsByCategory();
final List<Attributes> baseReturnedAttributes = baseRequest.getReturnedAttributes();
namedAttributes = baseNamedAttributes == null ? HashCollections.<AttributeGUID, Bag<?>> newUpdatableMap() : HashCollections.newUpdatableMap(baseNamedAttributes);
extraContentsByCategory = baseExtraContentsByCategory == null ? HashCollections.<String, XdmNode> newUpdatableMap() : HashCollections.newUpdatableMap(baseExtraContentsByCategory);
attributesToIncludeInResult = baseReturnedAttributes == null ? new ArrayList<>() : new ArrayList<>(baseRequest.getReturnedAttributes());
returnApplicablePolicyIdList = baseRequest.isApplicablePolicyIdListReturned();
namedAttributes = HashCollections.newUpdatableMap(baseRequest.namedAttributes);
contentNodesByCategory = HashCollections.newUpdatableMap(baseRequest.contentNodesByCategory);
isApplicablePolicyIdListReturned = baseRequest.isApplicablePolicyIdListReturned;
attributesToIncludeInResult = new ArrayList<>(baseRequest.attributesToIncludeInResult);
}
/**
......@@ -89,7 +90,7 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
* @param categorySpecificAttributes
* attributes in category {@code categoryName}
* @throws java.lang.IllegalArgumentException
* if {@code categoryName == null || attributes == null} or duplicate attribute category ({@link #put(String, SingleCategoryAttributes)} already called with same {@code categoryName}
* if {@code categoryName == null || categorySpecificAttributes == null} or duplicate attribute category (this method was already called with same {@code categoryName})
*/
public void put(final String categoryName, final SingleCategoryAttributes<?> categorySpecificAttributes) throws IllegalArgumentException
{
......@@ -104,11 +105,11 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
}
// extraContentsByCategory initialized not null by constructors
assert extraContentsByCategory != null;
assert contentNodesByCategory != null;
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryName, newContentNode);
final XdmNode duplicate = contentNodesByCategory.putIfAbsent(categoryName, newContentNode);
if (duplicate != null)
{
throw new IllegalArgumentException("Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
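Review bot: the comment above the assertion still reads "extraContentsByCategory initialized not null by constructors" while the field it describes has been renamed to `contentNodesByCategory` in this hunk. Update the comment to the new field name so that it matches `assert contentNodesByCategory != null;`.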
......@@ -121,7 +122,7 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
for (final Entry<AttributeGUID, Bag<?>> attrEntry : categorySpecificAttributes)
for (final Entry<AttributeFQN, AttributeBag<?>> attrEntry : categorySpecificAttributes)
{
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
......@@ -134,47 +135,10 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
}
/*
* (non-Javadoc)
*
* @see org.ow2.authzforce.core.IndividualDecisionRequest#getNamedAttributes()
*/
/** {@inheritDoc} */
@Override
public Map<AttributeGUID, Bag<?>> getNamedAttributes()
{
return namedAttributes;
}
/*
* (non-Javadoc)
*
* @see org.ow2.authzforce.core.IndividualDecisionRequest#getAttributesIncludedInResult()
*/
/** {@inheritDoc} */
@Override
public List<Attributes> getReturnedAttributes()
{
return this.attributesToIncludeInResult;
}
/*
* (non-Javadoc)
*
* @see org.ow2.authzforce.core.IndividualDecisionRequest#getExtraContentsByCategory()
*/
/** {@inheritDoc} */
@Override
public Map<String, XdmNode> getExtraContentsByCategory()
{
return this.extraContentsByCategory;
}
/** {@inheritDoc} */
@Override
public boolean isApplicablePolicyIdListReturned()
public IndividualXACMLRequest build()
{
return returnApplicablePolicyIdList;
return new IndividualXACMLRequest(ImmutablePdpDecisionRequest.getInstance(this.namedAttributes, this.contentNodesByCategory, this.isApplicablePolicyIdListReturned),
ImmutableList.copyOf(this.attributesToIncludeInResult));
}
}
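Review bot: `build()` passes the builder's own updatable maps (`this.namedAttributes`, `this.contentNodesByCategory`) to `ImmutablePdpDecisionRequest.getInstance(...)`, whose body is not part of this diff. The impl-package `ImmutablePdpDecisionRequest` removed in this commit copied both maps with `HashCollections.newImmutableMap(...)`; please confirm that the pdp-api replacement does the same. If it only wraps the maps, a `put(...)` on the builder after `build()` would change the attributes of a request that has already been handed to the PDP, which contradicts the "immutable during evaluation" requirement quoted in this class. Either way, a short Javadoc on `build()` stating that the result is a snapshot would make the contract explicit, as the list argument already is through `ImmutableList.copyOf`.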
......@@ -114,7 +114,7 @@ public final class MatchEvaluator
throw new IllegalArgumentException("Unsupported function '" + StandardFunction.ANY_OF.getId() + "' required for Match evaluation");
}
final Function<BooleanValue> anyOfFunc = funcExp.getValue();
final Function<BooleanValue> anyOfFunc = funcExp.getValue().get();
final List<Expression<?>> anyOfFuncInputs = Arrays.<Expression<?>> asList(matchFunction, attrValueExpr, bagExpression);
try
{
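Review bot: `funcExp.getValue().get()` is called without checking that a value is present. Assuming `getValue()` now returns an `Optional` as part of the Expression interface change (the declaration is not shown in this diff), an empty result throws NoSuchElementException here, whereas the lines just above report a missing any-of function with a descriptive IllegalArgumentException. Use `orElseThrow(...)` with the same style of message so that both failure paths are reported consistently at policy-loading time.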
......
......@@ -24,6 +24,7 @@ import java.util.Map;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import org.ow2.authzforce.core.pdp.api.ImmutablePdpDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.PDPEngine;
import org.ow2.authzforce.core.pdp.api.PdpDecisionRequestBuilder;
......
......@@ -314,7 +314,7 @@ public final class PdpExtensionLoader
/**
* Get Attribute Provider Module factory builder
*
* @param jaxbAttributeProviderConf
* @param jaxbDecisionCacheConf
* module configuration (instance of JAXB-annotated class derived from XML instance)
* @return Attribute Provider Module factory builder
* @throws java.lang.IllegalArgumentException
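Review bot: the `@param` tag is renamed to `jaxbDecisionCacheConf`, but the summary line and the `@return` tag of the same Javadoc still say "Attribute Provider Module factory builder". One of the two is wrong: if this method loads the decision cache extension, the summary and `@return` need the same correction; if it loads attribute providers, the parameter rename does not belong here. Please make the three lines agree with the method signature.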
......
......@@ -21,7 +21,8 @@ import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.AttributeFQN;
import org.ow2.authzforce.core.pdp.api.AttributeFQNs;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeCategory;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeId;
......@@ -38,23 +39,23 @@ public enum StandardEnvironmentAttribute
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-time
*/
CURRENT_TIME(new AttributeGUID(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value())),
CURRENT_TIME(AttributeFQNs.newInstance(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value())),
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-date
*/
CURRENT_DATE(new AttributeGUID(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value())),
CURRENT_DATE(AttributeFQNs.newInstance(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value())),
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
*/
CURRENT_DATETIME(new AttributeGUID(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value()));
CURRENT_DATETIME(AttributeFQNs.newInstance(XACMLAttributeCategory.XACML_3_0_ENVIRONMENT.value(), Optional.empty(), XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value()));
private final AttributeGUID attributeGUID;
private final AttributeFQN attributeFQN;
private StandardEnvironmentAttribute(final AttributeGUID attributeGUID)
private StandardEnvironmentAttribute(final AttributeFQN attributeFQN)
{
this.attributeGUID = attributeGUID;
this.attributeFQN = attributeFQN;
}
/**
......@@ -62,20 +63,20 @@ public enum StandardEnvironmentAttribute
*
* @return attribute GUID (AttributeId, Issuer, Category)
*/
public AttributeGUID getGUID()
public AttributeFQN getFQN()
{
return this.attributeGUID;
return this.attributeFQN;
}
private static final Map<AttributeGUID, StandardEnvironmentAttribute> ID_TO_STD_ATTR_MAP = Maps.uniqueIndex(Arrays.asList(StandardEnvironmentAttribute.values()),
new com.google.common.base.Function<StandardEnvironmentAttribute, AttributeGUID>()
private static final Map<AttributeFQN, StandardEnvironmentAttribute> ID_TO_STD_ATTR_MAP = Maps.uniqueIndex(Arrays.asList(StandardEnvironmentAttribute.values()),
new com.google.common.base.Function<StandardEnvironmentAttribute, AttributeFQN>()
{
@Override
public AttributeGUID apply(final StandardEnvironmentAttribute input)
public AttributeFQN apply(final StandardEnvironmentAttribute input)
{
assert input != null;
return input.getGUID();
return input.getFQN();
}
});
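Review bot: the accessor is renamed to `getFQN()`, but the Javadoc directly above it still reads "@return attribute GUID (AttributeId, Issuer, Category)". Change it to "attribute FQN" to match the new return type. As this is a public method on a public enum, the rename is a source-incompatible change for callers of `getGUID()`; the changelog entry for the AttributeGUID to AttributeFQN rename should mention it.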
......@@ -83,12 +84,12 @@ public enum StandardEnvironmentAttribute
/**
* Get the standard environment attribute corresponding to the given ID
*
* @param attributeGUID
* @param attributeFQN
* standard attribute ID
* @return StandardEnvironmentAttribute corresponding to given ID, or null if there is no standard environment attribute with such ID
*/
public static StandardEnvironmentAttribute getInstance(final AttributeGUID attributeGUID)
public static StandardEnvironmentAttribute getInstance(final AttributeFQN attributeFQN)
{
return ID_TO_STD_ATTR_MAP.get(attributeGUID);
return ID_TO_STD_ATTR_MAP.get(attributeFQN);
}