Use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in the project core by authzforce: class MongoDbPolicyProvider, method getPolicy.
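@Override
public StaticTopLevelPolicyElementEvaluator getPolicy(final String policyId, final Optional<PolicyVersionPatterns> policyPolicyVersionPatterns) throws IndeterminateEvaluationException {
    /*
     * TODO: use a policy cache and check it before requesting the database.
     */
    final PolicyQueryResult xmlParsingResult = getJaxbPolicyElement(XACML3_POLICY_TYPE_ID, policyId, policyPolicyVersionPatterns);
    if (xmlParsingResult == null) {
        // No matching policy document in the database.
        return null;
    }

    final PolicyPojo policyPOJO = xmlParsingResult.policyPojo;
    final Object jaxbPolicyOrPolicySetObj = xmlParsingResult.resultJaxbObj;
    final Map<String, String> nsPrefixUriMap = xmlParsingResult.xmlnsToPrefixMap;

    /*
     * Integrity checks between the document's stored metadata ('type', 'id', 'version') and its actual 'content': a mismatch means the
     * stored entry is corrupted (or was modified outside the provider) and must not be served as a policy. All mismatches are reported as
     * Indeterminate/processing-error. A missing content type, PolicyId or Version is reported the same way rather than surfacing as a
     * NullPointerException.
     */
    if (!(jaxbPolicyOrPolicySetObj instanceof Policy)) {
        final Object actualContentType = jaxbPolicyOrPolicySetObj == null ? null : jaxbPolicyOrPolicySetObj.getClass();
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with its 'type' (expected: Policy). Actual content type: " + actualContentType + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }

    final Policy jaxbPolicy = (Policy) jaxbPolicyOrPolicySetObj;
    final String contentPolicyId = jaxbPolicy.getPolicyId();
    if (contentPolicyId == null || !contentPolicyId.equals(policyPOJO.getId())) {
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": PolicyId in 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with 'id'. Actual PolicyId: " + contentPolicyId + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }

    final String contentPolicyVersion = jaxbPolicy.getVersion();
    if (contentPolicyVersion == null || !contentPolicyVersion.equals(policyPOJO.getVersion())) {
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": Version in 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with 'version'. Actual Version: " + contentPolicyVersion + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }

    try {
        /*
         * XPath compiler shall be initialized in PolicyEvaluators#getInstance(...) based on PolicyDefaults/XPathVersion if present
         */
        return PolicyEvaluators.getInstance(jaxbPolicy, expressionFactory, combiningAlgRegistry, Optional.empty(), nsPrefixUriMap);
    } catch (final IllegalArgumentException e) {
        // Re-wrap with the database document context so the caller can tell which stored policy is invalid; the cause is preserved.
        throw new IllegalArgumentException("Invalid Policy in 'content' of the policy document " + policyPOJO + " retrieved from database", e);
    }
}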
Use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in the project core by authzforce: class BaseXacmlJsonRequestPreprocessor, method process.
@Override
public final List<IndividualXacmlJsonRequest> process(final JSONObject request, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
    if (request == null) {
        throw NULL_REQUEST_ARGUMENT_EXCEPTION;
    }

    /*
     * The request is external input: validate it against the XACML/JSON Request schema before reading anything out of it. A schema
     * violation is reported as Indeterminate with the invalid-request status; the validation detail is only logged at debug level.
     */
    try {
        XacmlJsonUtils.REQUEST_SCHEMA.validate(request);
    } catch (final ValidationException e) {
        LOGGER.debug(e.toJSON().toString(4));
        throw new IndeterminateEvaluationException(INVALID_REQ_ERR_STATUS, e);
    }

    final JSONObject requestJsonObj = request.optJSONObject("Request");
    if (requestJsonObj == null) {
        throw MISSING_REQUEST_OBJECT_EXCEPTION;
    }

    /*
     * MultiRequests (Multiple Decision Profile, §2.4) is not supported. Per §7.19.1 (Unsupported functionality), an unsupported element
     * yields Indeterminate with the syntax-error status code.
     */
    if (requestJsonObj.has("MultiRequests")) {
        throw UNSUPPORTED_MULTI_REQUESTS_EXCEPTION;
    }

    /*
     * CombinedDecision=true (Multiple Decision Profile) is only accepted when the result processor supports it. Otherwise, per XACML core
     * spec §5.42, the PDP must return Indeterminate with status code urn:oasis:names:tc:xacml:1.0:status:processing-error.
     */
    final boolean combinedDecisionRequested = requestJsonObj.optBoolean("CombinedDecision", false);
    if (combinedDecisionRequested && !this.isCombinedDecisionSupported) {
        throw UNSUPPORTED_COMBINED_DECISION_EXCEPTION;
    }

    final boolean returnPolicyIdList = requestJsonObj.optBoolean("ReturnPolicyIdList", false);

    /*
     * XPath support is enabled only if the request declares an XPathVersion. In that case the namespace prefix/URI map is handed to the
     * XPath compiler (retrievable from it via getDeclaredNamespacePrefixToUriMap()) and an empty map is passed downstream instead.
     */
    final Optional<XPathCompilerProxy> xPathCompiler;
    final Map<String, String> newNsPrefixToUriMap;
    if (!requestJsonObj.has("XPathVersion")) {
        xPathCompiler = Optional.empty();
        newNsPrefixToUriMap = namespaceURIsByPrefix;
    } else {
        try {
            final String xPathVersionUri = requestJsonObj.getString("XPathVersion");
            final XPathVersion xPathVersion = XPathVersion.fromURI(xPathVersionUri);
            final XPathCompilerProxy compilerProxy = new BasicImmutableXPathCompilerProxy(xPathVersion, namespaceURIsByPrefix);
            xPathCompiler = Optional.of(compilerProxy);
            newNsPrefixToUriMap = Map.of();
        } catch (final IllegalArgumentException e) {
            throw new IllegalArgumentException("Invalid/unsupported XPathVersion in JSON Request/XPathVersion", e);
        }
    }

    final SingleCategoryXacmlAttributesParser<JSONObject> xacmlAttrsParser = xacmlAttrsParserFactory.getInstance();
    final JSONArray categories = requestJsonObj.optJSONArray("Category");
    return process(categories, xacmlAttrsParser, returnPolicyIdList, combinedDecisionRequested, xPathCompiler, newNsPrefixToUriMap);
}
Use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in the project core by authzforce: class MongoDbPolicyProviderTest, method testGetPolicySetWithValidIdWithoutVersionPattern.
@Test
public void testGetPolicySetWithValidIdWithoutVersionPattern() throws IllegalArgumentException, IndeterminateEvaluationException {
    // Lookup of an existing PolicySet by ID with no version constraint: the provider must return an evaluator of the requested type and ID.
    final String requestedPolicySetId = "root-rbac-policyset";
    final TopLevelPolicyElementEvaluator policyEvaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY_SET, requestedPolicySetId, Optional.empty(), null, null, Optional.empty());
    assertNotNull(policyEvaluator);
    assertEquals(TopLevelPolicyElementType.POLICY_SET, policyEvaluator.getPolicyElementType());
    assertEquals(requestedPolicySetId, policyEvaluator.getPolicyId());
}
Use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in the project core by authzforce: class MongoDbPolicyProviderTest, method testGetPolicyWithValidIdAndLiteralVersion.
@Test
public void testGetPolicyWithValidIdAndLiteralVersion() throws IllegalArgumentException, IndeterminateEvaluationException {
    // Lookup of an existing Policy by ID and exact (literal) version. A PolicySet with the same ID and version also exists, so this
    // checks that the provider returns the element of the requested type, not merely one matching ID/version.
    final String requestedPolicyId = "permit-all";
    final String requestedVersion = "0.1.0";
    final Optional<PolicyVersionPatterns> literalVersionPattern = Optional.of(new PolicyVersionPatterns(requestedVersion, null, null));
    final TopLevelPolicyElementEvaluator policyEvaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY, requestedPolicyId, literalVersionPattern, null, null, Optional.empty());
    assertNotNull(policyEvaluator);
    assertEquals(TopLevelPolicyElementType.POLICY, policyEvaluator.getPolicyElementType());
    assertEquals(requestedPolicyId, policyEvaluator.getPolicyId());
    assertEquals(requestedVersion, policyEvaluator.getPolicyVersion().toString());
}
Use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in the project core by authzforce: class MongoDbPolicyProviderTest, method testGetPolicyWithValidIdWithoutVersionPattern.
@Test
public void testGetPolicyWithValidIdWithoutVersionPattern() throws IllegalArgumentException, IndeterminateEvaluationException {
    // Lookup of an existing Policy by ID with no version constraint: the provider must return an evaluator of the requested type and ID.
    final String requestedPolicyId = "permit-all";
    final TopLevelPolicyElementEvaluator policyEvaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY, requestedPolicyId, Optional.empty(), null, null, Optional.empty());
    assertNotNull(policyEvaluator);
    assertEquals(TopLevelPolicyElementType.POLICY, policyEvaluator.getPolicyElementType());
    assertEquals(requestedPolicyId, policyEvaluator.getPolicyId());
}