Commit e4b7a8ef authored by cdanger

Merge branch 'release/7.0.0'

parents e1b3823b 3d3741fb
......@@ -3,3 +3,4 @@
/.settings/
/.README.md.html
/.CHANGELOG.md.html
/.pmd
......@@ -4,6 +4,30 @@ All notable changes to this project are documented in this file following the [K
Issues reported on [GitHub](https://github.com/authzforce/server/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
## 7.0.0
### Changed
- Version of AuthzForce dependencies:
- Parent project (authzforce-ce-parent): 5.0.0
- authzforce-ce-pap-dao-flat-file: 8.0.0
- authzforce-ce-core-pap-api: 6.3.0
- authzforce-ce-core: 7.1.0
- authzforce-ce-core-pdp-api: 9.0.0
-> API changes (non-backward compatible) for PDP extensions: DecisionCache, DecisionResultFilter
- Versions of third-party dependencies:
- SLF4J: 1.7.22
- Spring: 4.3.6
- Guava: 21.0
- CXF: 3.1.10
- Logback-classic: 1.1.9
### Added
- Class [RESTfulPdpBasedAuthzInterceptor](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptor): an example of PEP using PDP's REST API in the form of a CXF interceptor. More info on the test scenario in the associated test class [RESTfulPdpBasedAuthzInterceptorTest](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptorTest).
### Fixed
- [OW2-25] NullPointerException when parsing Apply expressions using invalid/unsupported Function ID. This is the final fix addressing higher-order functions. Initial fix in v7.0.0 only addressed first-order ones.
## 6.0.0
### Added
- [GH-8] JSON support on the REST API using [*mapped* convention](http://cxf.apache.org/docs/json-support.html) with configurable namespace-to-JSON-prefix mappings (new configuration file `xmlns-to-json-key-prefix-map.properties`)
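Review bot: the `[OW2-25]` entry under `### Fixed` says "Initial fix in v7.0.0 only addressed first-order ones", yet the entry itself sits under the `## 7.0.0` heading, so either the version named in that sentence or the heading is wrong; point the "initial fix" at the release that actually contained it. The two links in `### Added` (`webapp/src/test/java/.../RESTfulPdpBasedAuthzInterceptor` and `.../RESTfulPdpBasedAuthzInterceptorTest`) omit the `.java` suffix and will not resolve on GitHub; append `.java` to both. The `-> API changes (non-backward compatible) for PDP extensions: DecisionCache, DecisionResultFilter` line is the one item a PDP-extension author must notice when upgrading, so give it its own bullet instead of an arrow fragment under the dependency version, and Keep a Changelog expects a release date next to `## 7.0.0`.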
......
......@@ -55,15 +55,25 @@ AuthzForce provides XACML PIP features in the form of *Attribute Providers*. Mor
* Optional policy version rolling (when the maximum of versions per policy has been reached, oldest versions are automatically removed to make place).
### REST API
* Defined in standard [Web Application Description Language and XML schema](https://github.com/authzforce/rest-api-model/tree/develop/src/main/resources) so that you can automatically generate client code.
* Provides access to all PAP/PDP features mentioned in previous sections.
* Provides access to all PAP/PDP features mentioned in previous sections with possibility to have PDP-only instances (i.e. without PAP features).
* Multi-tenant: allows to have multiple domains/tenants, each with its own PAP/PDP, in particular its own policy repository.
* Conformance with [REST Profile of XACML v3.0 Version 1.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html)
* [Fast Infoset](http://www.itu.int/en/ITU-T/asn1/Pages/Fast-Infoset.aspx) support for requests/responses.
* Supported data formats: JSON, XML, [Fast Infoset](http://www.itu.int/en/ITU-T/asn1/Pages/Fast-Infoset.aspx).
* Defined in standard [Web Application Description Language and XML schema](https://github.com/authzforce/rest-api-model/tree/develop/src/main/resources) so that you can automatically generate client code.
### High availability and load-balancing
* Integration with file synchronization tools (e.g. [csync2](http://oss.linbit.com/csync2/)) or distributed filesystems (e.g. NFS and CIFS) to build clusters of AuthZForce Servers.
## Distribution (downloads)
Every release is distributed as follows:
- Ubuntu/Debian package (recommended option): `.deb`;
- Other Linux distributions: `.tar.gz`;
- Docker image.
For download links, please go to the specific [release page](https://github.com/authzforce/server/releases).
## Documentation
For links to the documentation of a release, please go to the specific [release page](https://github.com/authzforce/server/releases).
## Support
Use the *Issues* tab on the Github repository page.
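Review bot: the WADL bullet ("Defined in standard Web Application Description Language and XML schema ...") appears both at the top of the `### REST API` list and again as the added last bullet; unless the first occurrence is removed in this hunk the rendered list carries the same bullet twice, so check the final README. Wording: "allows to have multiple domains/tenants" reads better as "supports multiple domains/tenants", and "to make place" should be "to make room". Under `### High availability and load-balancing`, since the files synchronized by csync2 or shared over NFS/CIFS are the policy repository itself, add one sentence saying that write access to that share must be limited to the AuthzForce service account: whoever can write to that directory can change the authorization policy of every node in the cluster.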
......@@ -84,16 +94,16 @@ The sources for the manuals are located in [fiware repository](http://github.com
### Releasing
1. From the develop branch, prepare a release (example using a HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-start
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
</code></pre>
1. Update the CHANGELOG according to keepachangelog.com.
1. To perform the release (example using a HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-finish
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
</code></pre>
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 -DnoDeploy=true jgitflow:release-finish
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
</code></pre>
More info on jgitflow: http://jgitflow.bitbucket.org/
1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
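Review bot: "If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command ..." is a sentence fragment followed by an imperative; join them ("If, after deployment, the command fails because of a branch issue, fix the issue and re-run the same command with `noDeploy` set to true ..."). The proxy port is changed from 3128 to 8080 consistently in all three commands, but host and port are site-specific, so it would be clearer to show them as placeholders (for example `<proxy-host>` and `<proxy-port>`) than to ship a concrete value that readers will copy verbatim.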
......
......@@ -2,3 +2,4 @@
/.classpath
/.project
/CHANGES.txt
/.pmd
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<version>6.0.0</version>
<version>7.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-dist</artifactId>
......
......@@ -4,21 +4,21 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId>
<version>4.1.1</version>
<version>5.0.0</version>
</parent>
<artifactId>authzforce-ce-server</artifactId>
<!-- FIWARE Versioning + Version must be equal or higher than 'authzforce-ce-rest-api-model' dependency in 'rest-service' module -->
<version>6.0.0</version>
<version>7.0.0</version>
<packaging>pom</packaging>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce CE Server</description>
<url>https://github.com/authzforce/server</url>
<properties>
<git.url.base>https://github.com/authzforce/server</git.url.base>
<authzforce-ce-core.version>6.1.0</authzforce-ce-core.version>
<authzforce-ce-core-pap-api.version>6.2.0</authzforce-ce-core-pap-api.version>
<authzforce-ce-core.version>7.1.0</authzforce-ce-core.version>
<authzforce-ce-core-pap-api.version>6.3.0</authzforce-ce-core-pap-api.version>
<!-- Version must be compatible with authzforce-ce-core and authzforce-ce-core-pap-api versions above. -->
<authzforce-ce-pap-dao-flat-file.version>7.0.0</authzforce-ce-pap-dao-flat-file.version>
<authzforce-ce-pap-dao-flat-file.version>8.0.0</authzforce-ce-pap-dao-flat-file.version>
</properties>
<scm>
<connection>scm:git:${git.url.base}.git</connection>
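Review bot: the two compatibility constraints in this hunk exist only as XML comments ("Version must be equal or higher than 'authzforce-ce-rest-api-model' dependency in 'rest-service' module" and "Version must be compatible with authzforce-ce-core and authzforce-ce-core-pap-api versions above"), so nothing fails the build when a future bump violates them. Consider enforcing the first with a maven-enforcer-plugin rule, and add a comment next to `authzforce-ce-core.version` stating which `authzforce-ce-core-pdp-api` version (9.0.0 according to the CHANGELOG in this same commit) the pinned `authzforce-ce-core` 7.1.0 and `authzforce-ce-pap-dao-flat-file` 8.0.0 pull in, since that is the API that changed incompatibly.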
......
......@@ -4,7 +4,7 @@
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<!-- Version must be equal or higher than authzforce-ce-rest-api-model dependency -->
<version>6.0.0</version>
<version>7.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-rest-service</artifactId>
......
......@@ -51,7 +51,7 @@ import org.ow2.authzforce.core.pap.api.dao.ReadableDomainProperties;
import org.ow2.authzforce.core.pap.api.dao.ReadablePdpProperties;
import org.ow2.authzforce.core.pap.api.dao.TooManyPoliciesException;
import org.ow2.authzforce.core.pap.api.dao.WritablePdpProperties;
import org.ow2.authzforce.core.pdp.api.PDP;
import org.ow2.authzforce.core.pdp.api.PDPEngine;
import org.ow2.authzforce.rest.api.jaxrs.AttributeProvidersResource;
import org.ow2.authzforce.rest.api.jaxrs.DomainPropertiesResource;
import org.ow2.authzforce.rest.api.jaxrs.DomainResource;
......@@ -295,7 +295,7 @@ public class DomainResourceImpl<DAO extends DomainDAO<PolicyVersionResourceImpl,
@Override
public Response requestPolicyDecision(final Request request)
{
final PDP pdp = domainDAO.getPDP();
final PDPEngine<?> pdp = domainDAO.getPDP();
if (pdp == null)
{
throw NULL_PDP_INTERNAL_SERVER_ERROR_EXCEPTION;
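Review bot: `NULL_PDP_INTERNAL_SERVER_ERROR_EXCEPTION` is thrown as a pre-built shared instance, so the stack trace attached to it points at the field initializer rather than at this `requestPolicyDecision` call; that is acceptable if the intent is to hide internals from the REST client, but a short comment saying so would spare the next reader a debugging detour. The switch to `PDPEngine<?>` matches the import change above and is otherwise fine.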
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<version>6.0.0</version>
<version>7.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-upgrader</artifactId>
......
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback;
public class CommonCallbackHandler implements CallbackHandler
{
@Override
public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
for (final Callback callback : callbacks)
{
if (callback instanceof WSPasswordCallback)
{ // CXF
final WSPasswordCallback pc = (WSPasswordCallback) callback;
if ("myclientkey".equals(pc.getIdentifier()))
{
pc.setPassword("ckpass");
break;
}
else if ("myservicekey".equals(pc.getIdentifier()))
{
pc.setPassword("skpass");
break;
}
else if ("alice".equals(pc.getIdentifier()))
{
pc.setPassword("security");
break;
}
else if ("bob".equals(pc.getIdentifier()))
{
pc.setPassword("security");
break;
}
else if ("mystskey".equals(pc.getIdentifier()))
{
pc.setPassword("stskpass");
break;
}
}
}
}
}
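Review bot: the license header claims "Copyright (C) 2012-2017 Thales Services SAS" and "This file is part of AuthZForce CE" on a class in package `org.apache.coheigea.cxf.sts.xacml.common`, which by its name comes from the `coheigea` CXF/STS sample test cases; if the code was copied from there, the header must keep the original author's copyright and Apache license notice rather than relabelling it as Thales/GPL. The handler hard-codes test keystore and user passwords (`ckpass`, `skpass`, `security`, `stskpass`); that is tolerable under `src/test`, but add a class comment stating these are test fixtures so the class is never promoted to main code. Each branch ends with `break`, so only the first `WSPasswordCallback` in the array is answered; if CXF passes several callbacks at once the later ones are silently left without a password.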
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import org.apache.cxf.feature.Features;
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.Assert;
@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt",
serviceName = "DoubleItService",
endpointInterface = "org.example.contract.doubleit.DoubleItPortType")
@Features(features = "org.apache.cxf.feature.LoggingFeature")
public class DoubleItPortTypeImpl implements DoubleItPortType {
@Resource
WebServiceContext wsContext;
public int doubleIt(int numberToDouble) {
Principal pr = wsContext.getUserPrincipal();
Assert.assertNotNull("Principal must not be null", pr);
Assert.assertNotNull("Principal.getName() must not return null", pr.getName());
return numberToDouble * 2;
}
}
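Review bot: `org.junit.Assert` is used inside the service implementation (`Assert.assertNotNull(...)` in `doubleIt`), so a call without an authenticated principal fails with an `AssertionError` surfaced as a SOAP fault and the service class carries a JUnit dependency; in a test-only class that is tolerable, but throwing a `SecurityException` (or relying on the WS-Security interceptors to reject the call) would be the correct behaviour and would not depend on JUnit. `@Features(features = "org.apache.cxf.feature.LoggingFeature")` logs complete messages, including the security header carrying the SAML token, so keep it off by default or restrict it to the test configuration. Same license-header concern as the other `org.apache.coheigea` files: the Thales/GPL header does not match the package's origin.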
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.sts.claims.ClaimsHandler;
import org.apache.cxf.sts.claims.ClaimsParameters;
import org.apache.cxf.sts.claims.ProcessedClaim;
import org.apache.cxf.sts.claims.ProcessedClaimCollection;
/**
* A ClaimsHandler implementation that works with Roles.
*/
public class RolesClaimsHandler implements ClaimsHandler {
public static final URI ROLE =
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
public ProcessedClaimCollection retrieveClaimValues(
ClaimCollection claims, ClaimsParameters parameters) {
if (claims != null && claims.size() > 0) {
ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
for (Claim requestClaim : claims) {
ProcessedClaim claim = new ProcessedClaim();
claim.setClaimType(requestClaim.getClaimType());
if (ROLE.equals(requestClaim.getClaimType())) {
claim.setIssuer("STS");
if ("alice".equals(parameters.getPrincipal().getName())) {
claim.addValue("boss");
claim.addValue("employee");
} else if ("bob".equals(parameters.getPrincipal().getName())) {
claim.addValue("employee");
}
}
claimCollection.add(claim);
}
return claimCollection;
}
return null;
}
public List<URI> getSupportedClaimTypes() {
List<URI> list = new ArrayList<URI>();
list.add(ROLE);
return list;
}
}
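Review bot: `parameters.getPrincipal()` is dereferenced without a null check in `retrieveClaimValues`, so a token request without an authenticated principal ends in a NullPointerException instead of a clean "no roles" answer; guard it. For claim types other than `ROLE` the loop still adds an empty `ProcessedClaim` (type set, no issuer, no values) to the result; skip unsupported claims instead, since `getSupportedClaimTypes()` already tells CXF that only `ROLE` is handled here. Returning `null` when `claims` is empty forces every caller to null-check; an empty `ProcessedClaimCollection` is the safer contract. The role assignment (`alice` gets boss and employee, `bob` gets employee) is hard-coded and should be marked as test data in the class comment.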
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import java.net.URL;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
public class STSServer extends AbstractBusTestServerBase {
public STSServer() {
}
protected void run() {
URL busFile = STSServer.class.getResource("cxf-sts.xml");
Bus busLocal = new SpringBusFactory().createBus(busFile);
BusFactory.setDefaultBus(busLocal);
setBus(busLocal);
try {
new STSServer();
} catch (Exception e) {
e.printStackTrace();
}
}
}
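Review bot: the `try { new STSServer(); } catch (Exception e) { e.printStackTrace(); }` block in `run()` constructs an object that is immediately discarded (the constructor is empty), so it does nothing except swallow exceptions; delete it. `STSServer.class.getResource("cxf-sts.xml")` returns null when the file is absent from the classpath, and `createBus(busFile)` then fails with an unhelpful NullPointerException; check for null and fail with a message naming the missing resource. Same license-header concern as the other `org.apache.coheigea` files.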
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
public final class TokenTestUtils {
private TokenTestUtils() {
// complete
}
public static void updateSTSPort(BindingProvider p, String port) {
STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
if (stsClient != null) {
String location = stsClient.getWsdlLocation();
if (location != null && location.contains("8080")) {
stsClient.setWsdlLocation(location.replace("8080", port));
} else if (location != null && location.contains("8443")) {
stsClient.setWsdlLocation(location.replace("8443", port));
}
}
stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct");
if (stsClient != null) {
String location = stsClient.getWsdlLocation();
if (location.contains("8080")) {
stsClient.setWsdlLocation(location.replace("8080", port));
} else if (location.contains("8443")) {
stsClient.setWsdlLocation(location.replace("8443", port));
}
}
}
}
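Review bot: the second block (`SecurityConstants.STS_CLIENT + ".sct"`) calls `location.contains(...)` without the `location != null` guard that the first block has, so a secure-conversation STS client with no WSDL location configured throws a NullPointerException; copy the guard. `location.replace("8080", port)` rewrites every occurrence of the substring, not only the port (a path segment containing 8080 would be rewritten too), and assumes 8080 and 8443 are the only possible defaults; parsing the URL and replacing the port component would be more robust. Same license-header concern as the other `org.apache.coheigea` files.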
......@@ -42,7 +42,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import org.ow2.authzforce.core.pdp.impl.PdpModelHandler;
import org.ow2.authzforce.core.test.utils.TestUtils;
import org.ow2.authzforce.core.pdp.impl.test.utils.TestUtils;
import org.ow2.authzforce.core.xmlns.pdp.Pdp;
import org.ow2.authzforce.core.xmlns.pdp.StaticRefBasedRootPolicyProvider;
import org.ow2.authzforce.pap.dao.flatfile.FlatFileDAOUtils;
......
......@@ -62,10 +62,10 @@ import org.apache.cxf.jaxrs.client.ClientConfiguration;
import org.apache.cxf.jaxrs.client.WebClient;
import org.ow2.authzforce.core.pdp.impl.DefaultRequestFilter;
import org.ow2.authzforce.core.pdp.impl.MultiDecisionRequestFilter;
import org.ow2.authzforce.core.test.custom.TestCombinedDecisionResultFilter;
import org.ow2.authzforce.core.test.custom.TestDNSNameValueEqualFunction;
import org.ow2.authzforce.core.test.custom.TestDNSNameWithPortValue;
import org.ow2.authzforce.core.test.custom.TestOnPermitApplySecondCombiningAlg;
import org.ow2.authzforce.core.pdp.impl.test.custom.TestCombinedDecisionResultFilter;
import org.ow2.authzforce.core.pdp.impl.test.custom.TestDNSNameValueEqualFunction;
import org.ow2.authzforce.core.pdp.impl.test.custom.TestDNSNameWithPortValue;
import org.ow2.authzforce.core.pdp.impl.test.custom.TestOnPermitApplySecondCombiningAlg;
import org.ow2.authzforce.core.xmlns.test.TestAttributeProvider;
import org.ow2.authzforce.pap.dao.flatfile.FlatFileBasedDomainsDAO;
import org.ow2.authzforce.pap.dao.flatfile.FlatFileBasedDomainsDAO.PdpCoreFeature;
......@@ -86,7 +86,7 @@ import org.ow2.authzforce.rest.api.xmlns.PdpProperties;
import org.ow2.authzforce.rest.api.xmlns.PdpPropertiesUpdate;
import org.ow2.authzforce.rest.api.xmlns.ResourceContent;
import org.ow2.authzforce.rest.api.xmlns.Resources;
import org.ow2.authzforce.xacml.identifiers.XACMLCategory;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeCategory;
import org.ow2.authzforce.xacml.identifiers.XPATHVersion;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.slf4j.Logger;
......@@ -1494,7 +1494,7 @@ public class DomainMainTestWithoutAutoSyncOrVersionRolling extends RestServiceTe
* This test is mostly for enablePdpOnly=true
*/
final Request xacmlReq = new Request(new RequestDefaults(XPATHVersion.V2_0.getURI()), Collections.singletonList(new Attributes(null, Collections.<Attribute> emptyList(),
XACMLCategory.XACML_1_0_SUBJECT_CATEGORY_ACCESS_SUBJECT.value(), null)), null, false, false);
XACMLAttributeCategory.XACML_1_0_ACCESS_SUBJECT.value(), null)), null, false, false);
testDomain.getPdpResource().requestPolicyDecision(xacmlReq);
}
......
/**
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.ow2.authzforce.web.test;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import javax.xml.stream.FactoryConfigurationError;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLEventWriter;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Validator;
import org.codehaus.jettison.mapped.MappedXMLOutputFactory;
import org.ow2.authzforce.core.pdp.api.JaxbXACMLUtils;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
public class XacmlToJsonConversion
{
public static void main(final String[] args) throws XMLStreamException, FactoryConfigurationError, SAXException, IOException
{
final String xmlDocFilepath = "src/test/resources/xacml.samples/policy.xml";
/*
* replace new StreamSource(new File(xmlDocFilepath)) with new StringReader(xml) if input xml is XML string
*/
final XMLEventReader reader = XMLInputFactory.newInstance().createXMLEventReader(new StreamSource(new File(xmlDocFilepath)));
final Validator validator = JaxbXACMLUtils.XACML_3_0_SCHEMA.newValidator();
validator.validate(new StAXSource(reader));
validator.setErrorHandler(new ErrorHandler()
{
@Override
public void warning(final SAXParseException exception) throws SAXException
{
System.out.println(exception);
}
@Override
public void fatalError(final SAXParseException exception) throws SAXException
{
System.out.println(exception);
}
@Override
public void error(final SAXParseException exception) throws SAXException
{
System.out.println(exception);
}
});
final XMLEventWriter writer = new MappedXMLOutputFactory(Collections.emptyMap()).createXMLEventWriter(System.out);
writer.add(reader);
writer.close();
reader.close();
}
}
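Review bot: `validator.validate(new StAXSource(reader))` consumes the `XMLEventReader`, so the later `writer.add(reader)` has nothing left to read and the JSON written to `System.out` is empty; validate from a separate `StreamSource` on the file, or re-create the reader before the conversion. `validator.setErrorHandler(...)` is called after `validate(...)`, so the handler never receives any validation event, and the handler only prints the `SAXParseException` anyway, so an invalid policy would still be converted; register the handler first and let `error`/`fatalError` throw. `XMLInputFactory.newInstance()` is used with default settings on what is, in real use, attacker-influenced policy XML; set `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` before creating the reader so that XXE and entity-expansion payloads are rejected. Passing `Collections.emptyMap()` to `MappedXMLOutputFactory` leaves namespaced elements with Jettison's default prefixing, which does not match the configurable `xmlns-to-json-key-prefix-map.properties` mapping the CHANGELOG introduced in 6.0.0; load the same mapping here so the utility produces the JSON the server actually accepts.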