Commit ce305116 authored by Cyril Dangerville

- Replaced Finder with Provider (more generic) in terms AttributeFinder, PolicyFinder, etc. and also in schema files
- Restructured and improved/fixed unit tests
- Added unit tests for circular and undefined
PolicyIdReference/PolicySetIdReference/VariableReference
- Added HTML description for conformance tests
- Removed TestMatchAlg, replaced with official conformance test on
Target matching -> group II.B.
parent 640910b7
......@@ -12,7 +12,7 @@ Version | Date | Comment |
* [Prerequisites](#prerequisites)
* [Sun Java JDK](#sun-java-jdk)
* [Tomcat Installation](#tomcat-installation)
* [Installing the Authorization Server](#installing-the-authorisation-server)
* [Installing the Authorization Server](#installing-the-authorization-server)
* [Unitary Tests](#unitary-tests)
* [Conformance Tests](#conformance-tests)
* [Installation](#installation)
......@@ -33,13 +33,17 @@ Version | Date | Comment |
# Prerequisites
## Sun Java JDK
The authorization server run on Java, so it is prerequisite to have java running on the server. For compatibility reasons, it is highly recommended to use Sun java instead of the Open Java that is now default for some Linux distributions.
## Tomcat Installation
To run the Policy decision Point, you also need a Tomcat Server to deploy the AuthZForce-REST-[VERSION].war (Tomcat 6/0 was our testing version but tomcat 7 can be used too).
# Installing the Authorization Server
## Unitary Tests
TODO
## Conformance Tests
TODO
## Installation
* /etc/AuthZForce/conf Configuration files
* log4j.properties: PDP log4j configuration file
......@@ -50,6 +54,7 @@ TODO
* pdp-audit.log: Authorization decision audit logs
### Copy the default configuration file in this directory:
## Installation Checking
Start the server by running this command:
......@@ -132,6 +137,7 @@ Once you have created your own policy, you will need to change this path to poin
## Attribute Finder Configuration File
During an evaluation, the PDP may require other attributes that are not provided as part of the XACML request. To get those the PDP will ask the attribute finder(s) (configured below) to provide missing information. In this version, we provided two generic attribute finders that allow you to retrieve information from a LDAP directory and from a database.
### JDBC
```xml
<attributeFinderModule class="com.sun.xacml.finder.impl.AttributeDBFinder">
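Review bot: the README section around this hunk still uses the old terminology ("Attribute Finder Configuration File", "attribute finder(s)", and the `attributeFinderModule` element with a `com.sun.xacml.finder.impl` class), while the commit renames Finder to Provider in code and schema files. Either update this documentation in the same change or state which element and class names a deployed configuration must now use, so operators do not copy a sample that no longer matches the schema.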
......@@ -173,6 +179,7 @@ overflowToDisk|if cache can write on the disk if the memory is full, true or fal
eternal|do we store eternally the elements, true or false|
timeToLiveSeconds|time to live of the stored elements, integer, (Optional)|
timeToIdleSeconds|time to idle for the stored elements, integer, (Optional) |
### LDAP
```xml
<attributeFinderModule class="com.sun.xacml.finder.impl.LdapAttributeFinder">
......
......@@ -62,9 +62,9 @@ import org.ow2.authzforce.core.value.DateValue;
import org.ow2.authzforce.core.value.TimeValue;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeId;
import org.ow2.authzforce.xacml.identifiers.XACMLCategory;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeFinder;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyFinder;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -72,7 +72,7 @@ import org.slf4j.LoggerFactory;
* This is the core class for the XACML engine, providing the starting point for request evaluation. To build an XACML policy engine, you start by instantiating
* this object.
* <p>
* This class implements {@link Closeable} because it depends on various modules - e.g. the root policy finder, an optional decision cache - that may very
* This class implements {@link Closeable} because it depends on various modules - e.g. the root policy Provider, an optional decision cache - that may very
* likely hold resources such as network resources and caches to get: the root policy or policies referenced by the root policy; or to get attributes used in
* the policies from remote sources when not provided in the Request; or to get cached decisions for requests already evaluated in the past, etc. Therefore, you
* are required to call {@link #close()} when you no longer need an instance - especially before replacing with a new instance - in order to make sure these
......@@ -133,7 +133,7 @@ public class PDP implements Closeable
};
private final RootPolicyEvaluator rootPolicyFinder;
private final RootPolicyEvaluator rootPolicyProvider;
private final DecisionCache decisionCache;
private final RequestFilter reqFilter;
private final IndividualDecisionRequestEvaluator individualReqEvaluator;
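Review bot: the field renamed to `rootPolicyProvider` is declared as `RootPolicyEvaluator`, so the new name describes a different role than its type. Consider `rootPolicyEvaluator` here (and for the `candidate...`/`static...` locals in the constructor) rather than carrying the Finder-to-Provider substitution onto an identifier that was already misnamed.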
......@@ -210,8 +210,8 @@ public class PDP implements Closeable
* attribute value factory - mandatory
* @param functionRegistry
* function registry - mandatory
* @param jaxbAttributeFinderConfs
* XML/JAXB configurations of Attribute Finders for AttributeDesignator/AttributeSelector evaluation; may be null for static expression
* @param jaxbAttributeProviderConfs
* XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression
* evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* @param maxVariableReferenceDepth
* max depth of VariableReference chaining: VariableDefinition -> VariableDefinition ->... ('->' represents a VariableReference)
......@@ -223,43 +223,44 @@ public class PDP implements Closeable
* decision result filter (XACML Result processing after policy evaluation, before creating/returning final XACML Response)
* @param jaxbDecisionCacheConf
* decision response cache XML/JAXB configuration
* @param jaxbRootPolicyFinderConf
* root policy finder's XML/JAXB configuration - mandatory
* @param jaxbRootPolicyProviderConf
* root policy Provider's XML/JAXB configuration - mandatory
* @param combiningAlgRegistry
* XACML policy/rule combining algorithm registry - mandatory
* @param jaxbRefPolicyFinderConf
* policy-by-reference finder's XML/JAXB configuration, for resolving policies referred to by Policy(Set)IdReference in policies found by root
* policy finder
* @param jaxbRefPolicyProviderConf
* policy-by-reference Provider's XML/JAXB configuration, for resolving policies referred to by Policy(Set)IdReference in policies found by root
* policy Provider
* @param maxPolicySetRefDepth
* max allowed PolicySetIdReference chain: PolicySet1 (PolicySetIdRef1) -> PolicySet2 (PolicySetIdRef2) -> ...
* @throws IllegalArgumentException
* if one of the mandatory arguments is null
* @throws IOException
* error closing the root policy finder when static resolution is to be used; or error closing the attribute finder modules created from
* {@code jaxbAttributeFinderConfs}, when and before an {@link IllegalArgumentException} is raised
* error closing the root policy Provider when static resolution is to be used; or error closing the attribute Provider modules created from
* {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
*
*/
public PDP(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeFinder> jaxbAttributeFinderConfs,
public PDP(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeProvider> jaxbAttributeProviderConfs,
int maxVariableReferenceDepth, boolean allowAttributeSelectors, CombiningAlgRegistry combiningAlgRegistry,
AbstractPolicyFinder jaxbRootPolicyFinderConf, AbstractPolicyFinder jaxbRefPolicyFinderConf, int maxPolicySetRefDepth, RequestFilter requestFilter,
DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf) throws IllegalArgumentException, IOException
AbstractPolicyProvider jaxbRootPolicyProviderConf, AbstractPolicyProvider jaxbRefPolicyProviderConf, int maxPolicySetRefDepth,
RequestFilter requestFilter, DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf)
throws IllegalArgumentException, IOException
{
if (requestFilter == null)
{
throw new IllegalArgumentException("Undefined RequestFilter for PDP");
}
final RootPolicyEvaluator.Base candidateRootPolicyFinder = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry, jaxbAttributeFinderConfs,
maxVariableReferenceDepth, allowAttributeSelectors, combiningAlgRegistry, jaxbRootPolicyFinderConf, jaxbRefPolicyFinderConf,
final RootPolicyEvaluator.Base candidateRootPolicyProvider = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry, jaxbAttributeProviderConfs,
maxVariableReferenceDepth, allowAttributeSelectors, combiningAlgRegistry, jaxbRootPolicyProviderConf, jaxbRefPolicyProviderConf,
maxPolicySetRefDepth);
// Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyFinder = candidateRootPolicyFinder.toStatic();
if (staticRootPolicyFinder == null)
final RootPolicyEvaluator staticRootPolicyProvider = candidateRootPolicyProvider.toStatic();
if (staticRootPolicyProvider == null)
{
this.rootPolicyFinder = candidateRootPolicyFinder;
this.rootPolicyProvider = candidateRootPolicyProvider;
} else
{
this.rootPolicyFinder = staticRootPolicyFinder;
this.rootPolicyProvider = staticRootPolicyProvider;
}
this.reqFilter = requestFilter;
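Review bot: the only null check visible at the top of this constructor is on `requestFilter`, yet the javadoc marks `attributeFactory`, `functionRegistry`, `combiningAlgRegistry` and `jaxbRootPolicyProviderConf` as mandatory and promises `IllegalArgumentException` "if one of the mandatory arguments is null". If `RootPolicyEvaluator.Base` does not validate them itself, a misconfigured PDP fails later with a less useful error; either check them here or say in the javadoc where the validation happens.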
......@@ -275,8 +276,8 @@ public class PDP implements Closeable
this.decisionCache = responseCacheStoreFactory.getInstance(jaxbDecisionCacheConf);
}
this.individualReqEvaluator = this.decisionCache == null ? new IndividualDecisionRequestEvaluator(rootPolicyFinder)
: new CachingIndividualRequestEvaluator(rootPolicyFinder, this.decisionCache);
this.individualReqEvaluator = this.decisionCache == null ? new IndividualDecisionRequestEvaluator(rootPolicyProvider)
: new CachingIndividualRequestEvaluator(rootPolicyProvider, this.decisionCache);
this.resultFilter = decisionResultFilter == null ? DEFAULT_RESULT_FILTER : decisionResultFilter;
}
......@@ -357,7 +358,7 @@ public class PDP implements Closeable
@Override
public void close() throws IOException
{
rootPolicyFinder.close();
rootPolicyProvider.close();
if (decisionCache != null)
{
decisionCache.close();
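Review bot: in `close()`, `rootPolicyProvider.close()` is called directly before the `decisionCache` block, so an `IOException` from the first call skips `decisionCache.close()` and leaves the cache's resources open. Since these lines are being touched anyway, consider wrapping the first call in try/finally (or collecting the exceptions) so both modules are always closed.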
......
......@@ -24,7 +24,7 @@ public interface AttributeProviderModule
* anyURI [1], not in java.net.URI. [1] http://www.w3.org/TR/xmlschema-2/#anyURI
* </p>
*
* If this is an AttributeSelector-only finder module, always return null.
* If this is an AttributeSelector-only Provider module, always return null.
*
* @param attributeGUID
* the global identifier (Category,Issuer,AttributeId) of the attribute to find
......
......@@ -28,7 +28,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* AttributeFinder working with sub-modules, each responsible of finding specific attributes in a specific way from a specific source. This attribute finder
* AttributeProvider working with sub-modules, each responsible of finding specific attributes in a specific way from a specific source. This attribute Provider
* tries to resolve attribute values in current evaluation context first, then if not there, query the sub-modules.
*/
public abstract class BaseAttributeProvider implements AttributeProvider
......@@ -48,24 +48,24 @@ public abstract class BaseAttributeProvider implements AttributeProvider
return contextBag;
}
// else attribute not found in context, ask the finder modules, if any
final AttributeProviderModule finderModule = getProvider(attributeGUID);
if (finderModule == null)
// else attribute not found in context, ask the Provider modules, if any
final AttributeProviderModule ProviderModule = getProvider(attributeGUID);
if (ProviderModule == null)
{
LOGGER.debug("No value found for required attribute {}, type={} in evaluation context and not supported by any attribute finder module",
LOGGER.debug("No value found for required attribute {}, type={} in evaluation context and not supported by any attribute Provider module",
attributeGUID, attributeDatatype);
throw new IndeterminateEvaluationException("Not in context and no attribute finder module supporting attribute: " + attributeGUID,
throw new IndeterminateEvaluationException("Not in context and no attribute Provider module supporting attribute: " + attributeGUID,
StatusHelper.STATUS_MISSING_ATTRIBUTE);
}
final Bag<AV> result = finderModule.get(attributeGUID, attributeDatatype, context);
final Bag<AV> result = ProviderModule.get(attributeGUID, attributeDatatype, context);
/*
* Cache the attribute value(s) in context to avoid waste of time querying the module twice for same attribute
*/
context.putAttributeDesignatorResultIfAbsent(attributeGUID, result);
LOGGER.debug("Values of attribute {}, type={} returned by attribute finder module #{} (cached in context): {}", attributeGUID, attributeDatatype,
finderModule, result);
LOGGER.debug("Values of attribute {}, type={} returned by attribute Provider module #{} (cached in context): {}", attributeGUID, attributeDatatype,
ProviderModule, result);
return result;
} catch (IndeterminateEvaluationException e)
{
......@@ -117,62 +117,62 @@ public abstract class BaseAttributeProvider implements AttributeProvider
protected abstract AttributeProviderModule getProvider(AttributeGUID attributeGUID);
/**
* Default implementation of AttributeFinder; non-closeable, as opposed to {@link CloseableAttributeFinder}
* Default implementation of AttributeProvider; non-closeable, as opposed to {@link CloseableAttributeProvider}
*
*/
public static class DefaultImpl extends BaseAttributeProvider
{
// AttributeDesignator finder modules by supported/provided attribute ID (global ID: category, issuer,
// AttributeDesignator Provider modules by supported/provided attribute ID (global ID: category, issuer,
// AttributeId)
protected final Map<AttributeGUID, AttributeProviderModule> designatorModsByAttrId;
/**
* Instantiates attribute finder that tries to find attribute values in evaluation context, then, if not there, query sub-modules providing the
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query sub-modules providing the
* requested attribute ID, if any.
*
* @param attributeFinderModulesByAttributeId
* attribute finder modules sorted by supported attribute ID; may be null if none
* @param attributeProviderModulesByAttributeId
* attribute Provider modules sorted by supported attribute ID; may be null if none
*/
public DefaultImpl(Map<AttributeGUID, AttributeProviderModule> attributeFinderModulesByAttributeId)
public DefaultImpl(Map<AttributeGUID, AttributeProviderModule> attributeProviderModulesByAttributeId)
{
this(attributeFinderModulesByAttributeId, null);
this(attributeProviderModulesByAttributeId, null);
}
/**
* Instantiates attribute finder that tries to find attribute values in evaluation context, then, if not there, query sub-modules providing the
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query sub-modules providing the
* requested attribute ID, if any.
*
* @param attributeFinderModulesByAttributeId
* attribute finder modules sorted by supported attribute ID; may be null if none
* @param attributeProviderModulesByAttributeId
* attribute Provider modules sorted by supported attribute ID; may be null if none
* @param selectedAttributeSupport
* selection of attributes to be supported, i.e. only attributes from this set may be supported/resolved by this attribute finder; therefore,
* only the part of {@code attributeFinderModulesByAttributeId} matching these attributes are to be used by this finder.
* selection of attributes to be supported, i.e. only attributes from this set may be supported/resolved by this attribute Provider; therefore,
* only the part of {@code attributeProviderModulesByAttributeId} matching these attributes are to be used by this Provider.
*/
public DefaultImpl(Map<AttributeGUID, AttributeProviderModule> attributeFinderModulesByAttributeId,
public DefaultImpl(Map<AttributeGUID, AttributeProviderModule> attributeProviderModulesByAttributeId,
Set<AttributeDesignatorType> selectedAttributeSupport)
{
if (attributeFinderModulesByAttributeId == null || selectedAttributeSupport == null)
if (attributeProviderModulesByAttributeId == null || selectedAttributeSupport == null)
{
designatorModsByAttrId = attributeFinderModulesByAttributeId;
designatorModsByAttrId = attributeProviderModulesByAttributeId;
} else
{
designatorModsByAttrId = new HashMap<>(selectedAttributeSupport.size());
for (final AttributeDesignatorType requiredAttr : selectedAttributeSupport)
{
final AttributeGUID requiredAttrGUID = new AttributeGUID(requiredAttr);
final AttributeProviderModule requiredAttrFinderMod = attributeFinderModulesByAttributeId.get(requiredAttrGUID);
// requiredAttrFinderMod = null means it should be provided by the request
final AttributeProviderModule requiredAttrProviderMod = attributeProviderModulesByAttributeId.get(requiredAttrGUID);
// requiredAttrProviderMod = null means it should be provided by the request
// context (in the initial request from PEP)
if (requiredAttrFinderMod != null)
if (requiredAttrProviderMod != null)
{
designatorModsByAttrId.put(requiredAttrGUID, requiredAttrFinderMod);
designatorModsByAttrId.put(requiredAttrGUID, requiredAttrProviderMod);
}
}
}
}
/**
* Instantiates attribute finder that tries to find attribute values in evaluation context only (no sub-modules). Equivalent to
* Instantiates attribute Provider that tries to find attribute values in evaluation context only (no sub-modules). Equivalent to
* {@link #DefaultImpl(Map)} with null argument.
*
*/
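Review bot: in the two-argument `DefaultImpl` constructor, when either argument is null the caller's map is stored as is (`designatorModsByAttrId = attributeProviderModulesByAttributeId;`), so later changes to that map by the caller change which modules resolve attributes during evaluation. The other branch already builds a fresh `HashMap`; consider copying (or wrapping as unmodifiable) in the first branch too, and documenting whether the map may be modified after construction.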
......@@ -184,7 +184,7 @@ public abstract class BaseAttributeProvider implements AttributeProvider
@Override
protected AttributeProviderModule getProvider(AttributeGUID attributeGUID)
{
LOGGER.debug("Requesting attribute {} from finder modules (by provided attribute ID): {}", attributeGUID, designatorModsByAttrId);
LOGGER.debug("Requesting attribute {} from Provider modules (by provided attribute ID): {}", attributeGUID, designatorModsByAttrId);
return designatorModsByAttrId == null ? null : designatorModsByAttrId.get(attributeGUID);
}
}
......
......@@ -19,56 +19,56 @@ import java.util.List;
import org.ow2.authzforce.core.expression.AttributeGUID;
import org.ow2.authzforce.core.value.DatatypeFactoryRegistry;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeFinder;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Closeable AttributeFinder
* Closeable AttributeProvider
* <p>
* The sub-modules may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore,
* you are required to call {@link #close()} when you no longer need an instance - especially before replacing with a new instance (with different modules) - in
* order to make sure these resources are released properly by each underlying module (e.g. close the attribute caches).
*
*/
public final class CloseableAttributeFinder extends BaseAttributeProvider implements Closeable
public final class CloseableAttributeProvider extends BaseAttributeProvider implements Closeable
{
private static final Logger LOGGER = LoggerFactory.getLogger(CloseableAttributeFinder.class);
private static final Logger LOGGER = LoggerFactory.getLogger(CloseableAttributeProvider.class);
// AttributeDesignator finder modules by supported/provided attribute ID (global ID: category, issuer,
// AttributeDesignator Provider modules by supported/provided attribute ID (global ID: category, issuer,
// AttributeId)
protected final BaseAttributeProviderModule.Map designatorModsByAttrId;
/**
* Instantiates attribute finder that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* requested attribute ID, if any.
*
* @param attributeFactory
* (mandatory) attribute value factory
*
* @param jaxbAttributeFinderConfs
* (optional) XML/JAXB configurations of Attribute Finders for AttributeDesignator/AttributeSelector evaluation; may be null for static
* @param jaxbAttributeProviderConfs
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static
* expression evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* @throws IllegalArgumentException
* If any of attribute finder modules created from {@code jaxbAttributeFinderConfs} does not provide any attribute; or it is in conflict with
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict with
* another one already registered to provide the same or part of the same attributes.
* @throws IOException
* error closing the attribute finder modules created from {@code jaxbAttributeFinderConfs}, when and before an {@link IllegalArgumentException}
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException}
* is raised
*/
public CloseableAttributeFinder(List<AbstractAttributeFinder> jaxbAttributeFinderConfs, DatatypeFactoryRegistry attributeFactory) throws IOException
public CloseableAttributeProvider(List<AbstractAttributeProvider> jaxbAttributeProviderConfs, DatatypeFactoryRegistry attributeFactory) throws IOException
{
if (jaxbAttributeFinderConfs == null)
if (jaxbAttributeProviderConfs == null)
{
designatorModsByAttrId = null;
} else
{
designatorModsByAttrId = new BaseAttributeProviderModule.Map(jaxbAttributeFinderConfs.size());
for (final AbstractAttributeFinder jaxbAttrFinder : jaxbAttributeFinderConfs)
designatorModsByAttrId = new BaseAttributeProviderModule.Map(jaxbAttributeProviderConfs.size());
for (final AbstractAttributeProvider jaxbAttrProvider : jaxbAttributeProviderConfs)
{
try
{
this.designatorModsByAttrId.addModule(jaxbAttrFinder, attributeFactory);
this.designatorModsByAttrId.addModule(jaxbAttrProvider, attributeFactory);
} catch (IllegalArgumentException e)
{
this.designatorModsByAttrId.close();
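Review bot: in the `catch (IllegalArgumentException e)` block, `this.designatorModsByAttrId.close()` can itself throw `IOException` (the javadoc above documents exactly that), in which case the original configuration error `e` is lost and the caller only sees a close failure. Consider catching the `IOException` and attaching it with `e.addSuppressed(...)` before rethrowing `e`, so the cause of the invalid configuration stays visible.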
......@@ -91,7 +91,7 @@ public final class CloseableAttributeFinder extends BaseAttributeProvider implem
@Override
protected AttributeProviderModule getProvider(AttributeGUID attributeGUID)
{
LOGGER.debug("Requesting attribute {} from finder modules (by provided attribute ID): {}", attributeGUID, designatorModsByAttrId);
LOGGER.debug("Requesting attribute {} from Provider modules (by provided attribute ID): {}", attributeGUID, designatorModsByAttrId);
return designatorModsByAttrId == null ? null : designatorModsByAttrId.get(attributeGUID);
}
}
\ No newline at end of file
......@@ -103,17 +103,17 @@ public class PdpConfigurationParser
* elementFormDefault="qualified" attributeFormDefault="unqualified">
*
* <xs:import
* namespace="http://thalesgroup.com/authzforce/model/3.0/finder/attribute/rest"
* namespace="http://thalesgroup.com/authzforce/model/3.0/Provider/attribute/rest"
* schemaLocation=
* "com.thalesgroup.authzforce.model._3_0.finder.attribute.rest.RESTfulAttributeFinder.xsd"
* "com.thalesgroup.authzforce.model._3_0.Provider.attribute.rest.RESTfulAttributeProvider.xsd"
* />
*
* </xs:schema>
* }
* </pre>
*
* In this example, 'com.thalesgroup.authzforce.model._3_0.finder.attribute.rest.RESTfulAttributeFinde r ' is the JAXB-annotated class bound to
* XML type 'RESTfulAttributeFinder'. We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeFinder'
* In this example, 'com.thalesgroup.authzforce.model._3_0.Provider.attribute.rest.RESTfulAttributeFinde r ' is the JAXB-annotated class bound to
* XML type 'RESTfulAttributeProvider'. We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider'
* (that extends 'AbstractPdpExtension' like all other extension base types) in this case.
*
* @param catalogLocation
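Review bot: the javadoc example now shows a namespace ending in `/Provider/attribute/rest` and a package `com.thalesgroup.authzforce.model._3_0.Provider.attribute.rest` with a capital "P", which is unconventional for a Java package name and will mislead anyone copying the example if the real schema uses a different case. The class name in the prose is also only half renamed and still carries a stray space ('RESTfulAttributeFinde r'). Please align the example with the actual schema namespace and class name; the same text is repeated in the next hunk.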
......@@ -153,17 +153,17 @@ public class PdpConfigurationParser
* elementFormDefault="qualified" attributeFormDefault="unqualified">
*
* <xs:import
* namespace="http://thalesgroup.com/authzforce/model/3.0/finder/attribute/rest"
* namespace="http://thalesgroup.com/authzforce/model/3.0/Provider/attribute/rest"
* schemaLocation=
* "com.thalesgroup.authzforce.model._3_0.finder.attribute.rest.RESTfulAttributeFinder.xsd"
* "com.thalesgroup.authzforce.model._3_0.Provider.attribute.rest.RESTfulAttributeProvider.xsd"
* />
*
* </xs:schema>
* }
* </pre>
*
* In this example, 'com.thalesgroup.authzforce.model._3_0.finder.attribute.rest.RESTfulAttributeFinde r ' is the JAXB-annotated class bound to
* XML type 'RESTfulAttributeFinder'. We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeFinder'
* In this example, 'com.thalesgroup.authzforce.model._3_0.Provider.attribute.rest.RESTfulAttributeFinde r ' is the JAXB-annotated class bound to
* XML type 'RESTfulAttributeProvider'. We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider'
* (that extends 'AbstractPdpExtension' like all other extension base types) in this case.
*
* @param catalogLocation
......@@ -269,7 +269,7 @@ public class PdpConfigurationParser
* @throws IllegalArgumentException
* invalid PDP configuration
* @throws IOException
* if any error occurred closing already created {@link Closeable} modules (policy finders, attribute finders, decision cache)
* if any error occurred closing already created {@link Closeable} modules (policy Providers, attribute Providers, decision cache)
*/
public static PDP getPDP(Pdp pdpJaxbConf) throws IllegalArgumentException, IOException
{
......@@ -339,8 +339,8 @@ public class PdpConfigurationParser
// decision cache
final AbstractDecisionCache jaxbDecisionCache = pdpJaxbConf.getDecisionCache();
return new PDP(attributeFactory, functionRegistry, pdpJaxbConf.getAttributeFinders(), pdpJaxbConf.getMaxVariableRefDepth(),
pdpJaxbConf.isEnableAttributeSelectors(), combiningAlgRegistry, pdpJaxbConf.getRootPolicyFinder(), pdpJaxbConf.getRefPolicyFinder(),
return new PDP(attributeFactory, functionRegistry, pdpJaxbConf.getAttributeProviders(), pdpJaxbConf.getMaxVariableRefDepth(),
pdpJaxbConf.isEnableAttributeSelectors(), combiningAlgRegistry, pdpJaxbConf.getRootPolicyProvider(), pdpJaxbConf.getRefPolicyProvider(),
pdpJaxbConf.getMaxPolicySetRefDepth(), requestFilter, decisionResultFilter, jaxbDecisionCache);
}
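Review bot: a migration note for existing PDP configurations is missing. The JAXB accessors used in this `return new PDP(...)` statement are renamed (`getAttributeFinders()` to `getAttributeProviders()`, `getRootPolicyFinder()` to `getRootPolicyProvider()`, `getRefPolicyFinder()` to `getRefPolicyProvider()`), and the commit message says the schema files changed as well, so configuration files written against the old element names may no longer load. Please document the renamed elements or version the schema so deployments fail with a clear message rather than an unmarshalling error.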
......
......@@ -14,7 +14,7 @@
package org.ow2.authzforce.core;
/**
* Marker Interface for all kinds of PDP extension (Attribute datatypes, functions, combining algorithms, AttributeFinderModule, RootPolicyFinderModule...)
* Marker Interface for all kinds of PDP extension (Attribute datatypes, functions, combining algorithms, AttributeProviderModule, RootPolicyProviderModule...)
*
*
*/
......
......@@ -163,7 +163,7 @@ public class PdpExtensionLoader
* Get XML/JAXB-bound extension
*
* @param extensionType
* type of extension, e.g. {@link org.ow2.authzforce.core.policy.RootPolicyFinderModule.Factory}, etc.
* type of extension, e.g. {@link org.ow2.authzforce.core.policy.RootPolicyProviderModule.Factory}, etc.
* @param jaxbPdpExtensionClass
* JAXB class representing XML configuration type that the extension must support
* @return PDP extension instance of class {@code extensionType} and such that its method {@link JaxbBoundPdpExtension#getClass()} returns
......@@ -185,7 +185,7 @@ public class PdpExtensionLoader
}
/**
* Create instance of PDP extension (AttributeFinder, ReferencedPolicyFinder...) with input configuration. The extension implementation class has been
* Create instance of PDP extension (AttributeProvider, ReferencedPolicyProvider...) with input configuration. The extension implementation class has been
* discovered by {@link ServiceLoader} from files 'META-INF/services/com.thalesgroup.authzforce.core.IPdpExtensionFactory' on the classpath, in the format
* described by {@link ServiceLoader} API documentation. Such class must have a constructor matching {@code constructorArgs} that is called to instantiate
* the extension, or a default constructor that is called instead if none matching such parameters; and it must implement {@code IPdpExtensionFactory} and
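Review bot: this javadoc was only partly updated. It still tells implementers to register extensions in 'META-INF/services/com.thalesgroup.authzforce.core.IPdpExtensionFactory' and to implement `IPdpExtensionFactory`, while the `{@link}` a few lines up in the same file points to the `org.ow2.authzforce.core` package. Since `ServiceLoader` only picks up a file named after the actual service interface, please verify the file name and interface name given here and correct them if they are stale.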
......
......@@ -79,7 +79,7 @@ public class PdpModelHandler
* xmlns:tns="http://thalesgroup.com/authzforce/model/3.0"
* elementFormDefault="qualified" attributeFormDefault="unqualified">
* <xs:import
* namespace="http://thalesgroup.com/authzforce/model/3.0/finder/attribute/rest" />
* namespace="http://thalesgroup.com/authzforce/model/3.0/Provider/attribute/rest" />
* </xs:schema>
* }
* </pre>
......
......@@ -49,7 +49,7 @@ import org.ow2.authzforce.xacml.identifiers.XACMLResourceScope;
* Individual Decision Request. At the end, the results (one per Individual Decision Request) may be combined by a {@link DecisionResultFilter}.
*
* <p>
* This replaces and supersedes the former, now obsolete, ResourceFinder, which used to correspond to one mode of the Multiple Decision Profile for requesting
* This replaces and supersedes the former, now obsolete, ResourceProvider, which used to correspond to one mode of the Multiple Decision Profile for requesting
* multiple decisions.
* </p>
*
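Review bot: renaming "ResourceFinder" to "ResourceProvider" in this sentence changes a historical reference. The text describes "the former, now obsolete" class, which readers will look for under its original name; keep "ResourceFinder" here and exclude such references from the bulk rename.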
......
......@@ -42,11 +42,11 @@ public class AttributeDesignator<AV extends AttributeValue> extends AttributeDes
private static final IllegalArgumentException NULL_CATEGORY_EXCEPTION = new IllegalArgumentException("Undefined attribute designator category");
private static final IllegalArgumentException NULL_DATATYPE_EXCEPTION = new IllegalArgumentException("Undefined attribute designator datatype");
private static final IllegalArgumentException NULL_ATTRIBUTE_ID_EXCEPTION = new IllegalArgumentException("Undefined attribute designator AttribtueId");
private static final IllegalArgumentException NULL_ATTRIBUTE_FINDER_EXCEPTION = new IllegalArgumentException("Undefined attribute finder");
private static final IllegalArgumentException NULL_ATTRIBUTE_Provider_EXCEPTION = new IllegalArgumentException("Undefined attribute Provider");
private final transient String missingAttributeMessage;
private final AttributeGUID attrGUID;
private final transient AttributeProvider attrFinder;
private final transient AttributeProvider attrProvider;
private final transient BagDatatype<AV> returnType;
private final transient IndeterminateEvaluationException missingAttributeForUnknownReasonException;
private final transient IndeterminateEvaluationException missingAttributeBecauseNullContextException;
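Review bot: the constant `NULL_ATTRIBUTE_Provider_EXCEPTION` is now mixed case, unlike the neighbouring `NULL_CATEGORY_EXCEPTION` and `NULL_DATATYPE_EXCEPTION`; rename it to `NULL_ATTRIBUTE_PROVIDER_EXCEPTION`. While editing these lines, the message of `NULL_ATTRIBUTE_ID_EXCEPTION` has a typo ("AttribtueId"), and the message "Undefined attribute Provider" would read better with a lower-case "provider".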
......@@ -128,10 +128,10 @@ public class AttributeDesignator<AV extends AttributeValue> extends AttributeDes
* the AttributeDesignatorType we want to convert
* @param resultDatatype
* expected datatype of the result of evaluating this AttributeDesignator ( {@code AV is the expected type of every element in the bag})
* @param attrFinder
* Attribute Finder responsible for finding the attribute designated by this in a given evaluation context at runtime
* @param attrProvider
* Attribute Provider responsible for finding the attribute designated by this in a given evaluation context at runtime
*/
public AttributeDesignator(AttributeDesignatorType attrDesignator, BagDatatype<AV> resultDatatype, AttributeProvider attrFinder)
public AttributeDesignator(AttributeDesignatorType attrDesignator, BagDatatype<AV> resultDatatype, AttributeProvider attrProvider)
{
final String categoryURI = attrDesignator.getCategory();
if (categoryURI == null)
......@@ -151,9 +151,9 @@ public class AttributeDesignator<AV extends AttributeValue> extends AttributeDes
throw NULL_ATTRIBUTE_ID_EXCEPTION;
}
if (attrFinder == null)
if (attrProvider == null)
{
throw NULL_ATTRIBUTE_FINDER_EXCEPTION;
throw NULL_ATTRIBUTE_Provider_EXCEPTION;
}
// JAXB attributes
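Review bot: the null check on attrProvider throws a preallocated static exception (NULL_ATTRIBUTE_Provider_EXCEPTION is declared as a static final field initialised with new IllegalArgumentException(...)), so its stack trace is captured once at class initialisation and will not point at the constructor call that passed null. For a PDP misconfiguration this makes the failing designator hard to locate. Consider throwing a fresh exception here, e.g. throw new IllegalArgumentException("Undefined attribute provider"), ideally including the designator's category and id in the message.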
......@@ -167,7 +167,7 @@ public class AttributeDesignator<AV extends AttributeValue> extends AttributeDes
this.attrGUID = new AttributeGUID(category, issuer, id);
this.returnType = resultDatatype;
this.attributeType = resultDatatype.getElementType();
this.attrFinder = attrFinder;
this.attrProvider = attrProvider;
// error messages/exceptions
this.missingAttributeMessage = this + " not found in context";
......@@ -194,7 +194,7 @@ public class AttributeDesignator<AV extends AttributeValue> extends AttributeDes
throw missingAttributeBecauseNullContextException;
}
final Bag<AV> bag = attrFinder.get(attrGUID, attributeType, context);
final Bag<AV> bag = attrProvider.get(attrGUID, attributeType, context);
if (bag == null)
{
throw this.missingAttributeForUnknownReasonException;
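Review bot: the bag == null check after attrProvider.get(attrGUID, attributeType, context) means a provider may return null as well as a bag, and here null is turned into missingAttributeForUnknownReasonException. Now that the interface is renamed to the more generic AttributeProvider, its Javadoc should state what null means compared with an empty bag, because the two outcomes lead to different evaluation results (an error versus "no values") and third-party provider modules need to know which one to return when a lookup fails.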
......
......@@ -25,7 +25,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
/**
* Attribute's Globally unique identifier, as opposed to AttributeId which is local to a specific category and/or issuer. Why not use AttributeDesignator?
* Because we don't care about MustBePresent or Datatype for lookup here. This is used for example as key in a map to retrieve corresponding AttributeValue or
* AttributeFinder module.
* AttributeProvider module.
* <p>
* WARNING: java.net.URI cannot be used here for XACML category and ID, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1],
* not in java.net.URI.
......
......@@ -66,8 +66,8 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
// private static final Logger LOGGER = LoggerFactory.getLogger(AttributeSelector.class);
private static final IllegalArgumentException NULL_XACML_ATTRIBUTE_SELECTOR_EXCEPTION = new IllegalArgumentException(
"AttributeSelector's input XACML/JAXB AttributeSelector element undefined");
private static final IllegalArgumentException NULL_ATTRIBUTE_FINDER_BUT_NON_NULL_CONTEXT_SELECTOR_ID_EXCEPTION = new IllegalArgumentException(
"Attribute finder undefined but required for non-null ContextSelectorId in AttributeSelector");
private static final IllegalArgumentException NULL_ATTRIBUTE_Provider_BUT_NON_NULL_CONTEXT_SELECTOR_ID_EXCEPTION = new IllegalArgumentException(
"Attribute Provider undefined but required for non-null ContextSelectorId in AttributeSelector");
private static final IllegalArgumentException NULL_XPATH_COMPILER_EXCEPTION = new IllegalArgumentException(
"XPath version/compiler undefined but required for AttributeSelector evaluation");
private static final IllegalArgumentException NULL_ATTRIBUTE_FACTORY_EXCEPTION = new IllegalArgumentException(
......@@ -148,7 +148,7 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
private final transient String missingAttributeMessage;
private final transient AttributeProvider attrFinder;
private final transient AttributeProvider attrProvider;
private final transient AttributeGUID contextSelectorGUID;
......@@ -240,18 +240,18 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
* @param xPathCompiler
* XPATH compiler used for compiling {@code attrSelectorElement.getPath()} and XPath given by {@code attrSelectorElement.getContextSelectorId()}
* if not null
* @param attrFinder
* AttributeFinder for finding value of the attribute identified by ContextSelectorId in {@code attrSelectorElement}; may be null if
* @param attrProvider
* AttributeProvider for finding value of the attribute identified by ContextSelectorId in {@code attrSelectorElement}; may be null if
* ContextSelectorId not specified
* @param attrFactory
* attribute factory to create the AttributeValue(s) from the XML node(s) resolved by XPath
* @throws XPathExpressionException
* if the Path could not be compiled to an XPath expression (using <code>namespaceContextNode</code> if non-null)
* @throws IllegalArgumentException
* if {@code attrSelectorElement}, {@code xpathCompiler} or {@code attrFactory} is null; or ContextSelectorId is not null but {@code attrFinder}
* if {@code attrSelectorElement}, {@code xpathCompiler} or {@code attrFactory} is null; or ContextSelectorId is not null but {@code attrProvider}
* is null
*/
public AttributeSelectorExpression(AttributeSelectorType attrSelectorElement, XPathCompiler xPathCompiler, AttributeProvider attrFinder,
public AttributeSelectorExpression(AttributeSelectorType attrSelectorElement, XPathCompiler xPathCompiler, AttributeProvider attrProvider,
DatatypeFactory<AV> attrFactory) throws XPathExpressionException, IllegalArgumentException
{
if (attrSelectorElement == null)
......@@ -280,19 +280,19 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
if (contextSelectorId == null)
{
this.contextSelectorGUID = null;
this.attrFinder = null;
this.attrProvider = null;
this.missingContextSelectorAttributeExceptionMessage = null;
this.xpathEvalExceptionMessage = this + ": Error evaluating XPath against XML node from Content of Attributes Category='" + category + "'";
this.xpathCompiler = null;
} else
{
if (attrFinder == null)
if (attrProvider == null)
{
throw NULL_ATTRIBUTE_FINDER_BUT_NON_NULL_CONTEXT_SELECTOR_ID_EXCEPTION;
throw NULL_ATTRIBUTE_Provider_BUT_NON_NULL_CONTEXT_SELECTOR_ID_EXCEPTION;
}
this.contextSelectorGUID = new AttributeGUID(category, null, contextSelectorId);
this.attrFinder = attrFinder;
this.attrProvider = attrProvider;
this.missingContextSelectorAttributeExceptionMessage = this + ": No value found for attribute designated by Category=" + category
+ " and ContextSelectorId=" + contextSelectorId;
this.xpathEvalExceptionMessage = this + ": Error evaluating XPath against XML node from Content of Attributes Category='" + category
......@@ -337,9 +337,9 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
}
/**
* Invokes the <code>AttributeFinder</code> used by the given <code>EvaluationContext</code> to try to resolve an attribute value. If the selector is
* Invokes the <code>AttributeProvider</code> used by the given <code>EvaluationContext</code> to try to resolve an attribute value. If the selector is
* defined with MustBePresent as true, then failure to find a matching value will result in Indeterminate, otherwise it will result in an empty bag. To
* support the com.thalesgroup.authzforce.core.test.basic selector functionality defined in the XACML specification, use a finder that has only the
* support the com.thalesgroup.authzforce.core.test.basic selector functionality defined in the XACML specification, use a Provider that has only the
* <code>SelectorModule</code> as a module that supports selector finding.
*
* @param context
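Review bot: the Javadoc sentence "use a Provider that has only the SelectorModule as a module that supports selector finding" still reads as mechanical replacement output: "Provider" is capitalised mid-sentence and "selector finding" keeps the old terminology. The unchanged line above it, "support the com.thalesgroup.authzforce.core.test.basic selector functionality", also looks like an earlier replace that hit the word "basic" and put a package name in its place. Please reword the paragraph by hand, and check whether SelectorModule is still a valid reference after this rename.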
......@@ -380,7 +380,7 @@ public class AttributeSelectorExpression<AV extends AttributeValue> extends Attr
contextNode = contentNode;
} else
{
final Bag<XPathValue> bag = attrFinder.get(contextSelectorGUID, DatatypeConstants.XPATH.TYPE, context);
final Bag<XPathValue> bag = attrProvider.get(contextSelectorGUID, DatatypeConstants.XPATH.TYPE, context);
if (bag == null)
{
throw this.missingAttributeForUnknownReasonException;
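Review bot: attrProvider is dereferenced in this else branch, but the constructor sets this.attrProvider = null whenever ContextSelectorId is absent. The guarding condition is outside the lines shown in this hunk, so please confirm the branch is only reachable when contextSelectorGUID is non-null, and consider documenting that invariant on the field, since the rename is a good moment to make the nullable state explicit.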
......
......@@ -8,7 +8,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DefaultsType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.ExpressionType;
import org.ow2.authzforce.core.CloseableAttributeFinder;
import org.ow2.authzforce.core.CloseableAttributeProvider;
import org.ow2.authzforce.core.value.Datatype;
import com.sun.xacml.Function;
......@@ -18,8 +18,8 @@ import com.sun.xacml.UnknownIdentifierException;
/**
* Expression factory for parsing XACML {@link ExpressionType}s: AttributeDesignator, AttributeSelector, Apply, etc.
* <p>
* Extends {@link Closeable} because it may use an {@link CloseableAttributeFinder} to resolve AttributeDesignators for attributes not provided in the request;
* and that attribute finder needs to be closed by calling {@link #close()} (in order to call {@link CloseableAttributeFinder#close()}) when it is no longer
* Extends {@link Closeable} because it may use an {@link CloseableAttributeProvider} to resolve AttributeDesignators for attributes not provided in the request;