
Example 1 with IndeterminateEvaluationException

use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in project core by authzforce.

From the class MongoDbPolicyProvider, method getPolicy.

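@Override
/**
 * Looks up the XACML Policy with the given ID (and optional version constraints) in the database and turns it into an evaluator.
 * <p>
 * The document retrieved from the database is cross-checked against its own metadata before use: the parsed 'content' must be a Policy, and its PolicyId and Version must
 * match the document's 'id' and 'version'. Any mismatch is reported as an Indeterminate (processing-error) rather than silently trusting the stored data.
 *
 * @param policyId
 *            PolicyId to look up
 * @param policyPolicyVersionPatterns
 *            optional version patterns restricting which versions are acceptable
 * @return the policy evaluator, or null if no matching policy document was found
 * @throws IndeterminateEvaluationException
 *             if the stored document is inconsistent with its own metadata (wrong content type, PolicyId or Version)
 * @throws IllegalArgumentException
 *             if the document content is not a valid XACML Policy
 */
public StaticTopLevelPolicyElementEvaluator getPolicy(final String policyId, final Optional<PolicyVersionPatterns> policyPolicyVersionPatterns) throws IndeterminateEvaluationException {
    /*
     * TODO: use a policy cache and check it before requesting the database.
     */
    final PolicyQueryResult xmlParsingResult = getJaxbPolicyElement(XACML3_POLICY_TYPE_ID, policyId, policyPolicyVersionPatterns);
    if (xmlParsingResult == null) {
        // Presumably "no matching document" — getJaxbPolicyElement's contract is not visible here; verify.
        return null;
    }
    final PolicyPojo policyPOJO = xmlParsingResult.policyPojo;
    final Object jaxbPolicyOrPolicySetObj = xmlParsingResult.resultJaxbObj;
    final Map<String, String> nsPrefixUriMap = xmlParsingResult.xmlnsToPrefixMap;
    if (!(jaxbPolicyOrPolicySetObj instanceof Policy)) {
        /*
         * Integrity check: the stored 'type' says Policy but the parsed 'content' is something else (possibly null). Resolve the actual class without dereferencing the
         * object, so a null content yields a clean Indeterminate instead of a NullPointerException while building the message.
         */
        final Object actualContentType = jaxbPolicyOrPolicySetObj == null ? null : jaxbPolicyOrPolicySetObj.getClass();
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with its 'type' (expected: Policy). Actual content type: " + actualContentType + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }
    final Policy jaxbPolicy = (Policy) jaxbPolicyOrPolicySetObj;
    // Null-guarded comparisons: a missing PolicyId/Version in the content is itself an inconsistency and must be reported, not crash.
    final String contentPolicyId = jaxbPolicy.getPolicyId();
    if (contentPolicyId == null || !contentPolicyId.equals(policyPOJO.getId())) {
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": PolicyId in 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with 'id'. Actual PolicyId: " + contentPolicyId + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }
    final String contentPolicyVersion = jaxbPolicy.getVersion();
    if (contentPolicyVersion == null || !contentPolicyVersion.equals(policyPOJO.getVersion())) {
        throw new IndeterminateEvaluationException("PolicyProvider " + id + ": Version in 'content' of the policy document " + policyPOJO + " retrieved from database is not consistent with 'version'. Actual Version: " + contentPolicyVersion + " (corrupted database?).", XacmlStatusCode.PROCESSING_ERROR.value());
    }
    try {
        /*
         * XPath compiler shall be initialized in PolicyEvaluators#getInstance(...) based on PolicyDefaults/XPathVersion if present, hence Optional.empty() here.
         */
        return PolicyEvaluators.getInstance(jaxbPolicy, expressionFactory, combiningAlgRegistry, Optional.empty(), nsPrefixUriMap);
    } catch (final IllegalArgumentException e) {
        // Re-wrap with the document reference so the operator can locate the offending record; the original cause is preserved.
        throw new IllegalArgumentException("Invalid Policy in 'content' of the policy document " + policyPOJO + " retrieved from database", e);
    }
}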
Also used : Policy(oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy) IndeterminateEvaluationException(org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException)

Example 2 with IndeterminateEvaluationException

use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in project core by authzforce.

From the class BaseXacmlJsonRequestPreprocessor, method process.

@Override
/**
 * Validates a XACML/JSON request and splits it into individual requests.
 * <p>
 * Order of checks: null argument, JSON schema validation, presence of the "Request" object, rejection of unsupported profile features (MultiRequests, and
 * CombinedDecision when the result processor does not support it), then XPathVersion handling and category parsing.
 *
 * @param request
 *            the raw JSON request (must be non-null)
 * @param namespaceURIsByPrefix
 *            XML namespace prefix-to-URI declarations available to XPath expressions
 * @return the individual requests extracted from {@code request}
 * @throws IndeterminateEvaluationException
 *             if the request is null, fails schema validation, lacks the "Request" object, or uses an unsupported feature
 * @throws IllegalArgumentException
 *             if the XPathVersion is invalid/unsupported — NOTE(review): this is an unchecked exception rather than an Indeterminate result; confirm that callers
 *             mapping exceptions to XACML status codes handle it
 */
public final List<IndividualXacmlJsonRequest> process(final JSONObject request, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
    if (request == null) {
        throw NULL_REQUEST_ARGUMENT_EXCEPTION;
    }
    // Schema validation comes first: nothing is read from a request that does not match the XACML/JSON schema.
    try {
        XacmlJsonUtils.REQUEST_SCHEMA.validate(request);
    } catch (final ValidationException e) {
        LOGGER.debug(e.toJSON().toString(4));
        throw new IndeterminateEvaluationException(INVALID_REQ_ERR_STATUS, e);
    }
    final JSONObject reqObj = request.optJSONObject("Request");
    if (reqObj == null) {
        throw MISSING_REQUEST_OBJECT_EXCEPTION;
    }
    /*
     * MultiRequests (§2.4 of the Multiple Decision Profile) are not supported. Per §7.19.1 (Unsupported functionality), the answer is Indeterminate with a
     * syntax-error status code.
     */
    if (reqObj.has("MultiRequests")) {
        throw UNSUPPORTED_MULTI_REQUESTS_EXCEPTION;
    }
    /*
     * CombinedDecision = true is only honoured if the result processor supports it (its use is specified in the Multiple Decision Profile). XACML core 5.42: a PDP
     * that does not implement the relevant functionality must return Indeterminate with status code urn:oasis:names:tc:xacml:1.0:status:processing-error.
     */
    final boolean combinedDecisionRequested = reqObj.optBoolean("CombinedDecision", false);
    if (combinedDecisionRequested && !this.isCombinedDecisionSupported) {
        throw UNSUPPORTED_COMBINED_DECISION_EXCEPTION;
    }
    final boolean returnPolicyIdList = reqObj.optBoolean("ReturnPolicyIdList", false);
    final Optional<XPathCompilerProxy> xPathCompiler;
    final Map<String, String> nsPrefixToUriMap;
    if (!reqObj.has("XPathVersion")) {
        // No XPathVersion: no compiler, and the namespace declarations are passed through unchanged.
        xPathCompiler = Optional.empty();
        nsPrefixToUriMap = namespaceURIsByPrefix;
    } else {
        try {
            final XPathVersion xPathVersion = XPathVersion.fromURI(reqObj.getString("XPathVersion"));
            xPathCompiler = Optional.of(new BasicImmutableXPathCompilerProxy(xPathVersion, namespaceURIsByPrefix));
        } catch (final IllegalArgumentException e) {
            throw new IllegalArgumentException("Invalid/unsupported XPathVersion in JSON Request/XPathVersion", e);
        }
        // The declarations are now held by the compiler proxy (getDeclaredNamespacePrefixToUriMap()), so nothing is passed separately.
        nsPrefixToUriMap = Map.of();
    }
    final SingleCategoryXacmlAttributesParser<JSONObject> attrsParser = xacmlAttrsParserFactory.getInstance();
    return process(reqObj.optJSONArray("Category"), attrsParser, returnPolicyIdList, combinedDecisionRequested, xPathCompiler, nsPrefixToUriMap);
}
Also used : ValidationException(org.everit.json.schema.ValidationException) JSONObject(org.json.JSONObject) BasicImmutableXPathCompilerProxy(org.ow2.authzforce.core.pdp.api.expression.BasicImmutableXPathCompilerProxy) BasicImmutableXPathCompilerProxy(org.ow2.authzforce.core.pdp.api.expression.BasicImmutableXPathCompilerProxy) XPathCompilerProxy(org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy) XPathVersion(org.ow2.authzforce.xacml.identifiers.XPathVersion)

Example 3 with IndeterminateEvaluationException

use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in project core by authzforce.

From the class MongoDbPolicyProviderTest, method testGetPolicySetWithValidIdWithoutVersionPattern.

@Test
public void testGetPolicySetWithValidIdWithoutVersionPattern() throws IllegalArgumentException, IndeterminateEvaluationException {
    // A known PolicySet ID with no version constraint must resolve to a PolicySet evaluator carrying that same ID.
    final String expectedPolicySetId = "root-rbac-policyset";
    final TopLevelPolicyElementEvaluator evaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY_SET, expectedPolicySetId, Optional.empty(), null, null, Optional.empty());
    assertNotNull(evaluator);
    assertEquals(TopLevelPolicyElementType.POLICY_SET, evaluator.getPolicyElementType());
    assertEquals(expectedPolicySetId, evaluator.getPolicyId());
}
Also used : TopLevelPolicyElementEvaluator(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator) XacmlXmlPdpTest(org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest)

Example 4 with IndeterminateEvaluationException

use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in project core by authzforce.

From the class MongoDbPolicyProviderTest, method testGetPolicyWithValidIdAndLiteralVersion.

@Test
public void testGetPolicyWithValidIdAndLiteralVersion() throws IllegalArgumentException, IndeterminateEvaluationException {
    // Known ID plus a literal version: a PolicySet with the same ID and version also exists, so the element type must be checked, not just the ID.
    final String expectedPolicyId = "permit-all";
    final String expectedVersion = "0.1.0";
    final Optional<PolicyVersionPatterns> literalVersion = Optional.of(new PolicyVersionPatterns(expectedVersion, null, null));
    final TopLevelPolicyElementEvaluator evaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY, expectedPolicyId, literalVersion, null, null, Optional.empty());
    assertNotNull(evaluator);
    assertEquals(TopLevelPolicyElementType.POLICY, evaluator.getPolicyElementType());
    assertEquals(expectedPolicyId, evaluator.getPolicyId());
    assertEquals(expectedVersion, evaluator.getPolicyVersion().toString());
}
Also used : TopLevelPolicyElementEvaluator(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator) PolicyVersionPatterns(org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns) XacmlXmlPdpTest(org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest)

Example 5 with IndeterminateEvaluationException

use of org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException in project core by authzforce.

From the class MongoDbPolicyProviderTest, method testGetPolicyWithValidIdWithoutVersionPattern.

@Test
public void testGetPolicyWithValidIdWithoutVersionPattern() throws IllegalArgumentException, IndeterminateEvaluationException {
    // A known Policy ID with no version constraint must resolve to a Policy evaluator carrying that same ID.
    final String expectedPolicyId = "permit-all";
    final TopLevelPolicyElementEvaluator evaluator = POLICY_PROVIDER_MODULE.get(TopLevelPolicyElementType.POLICY, expectedPolicyId, Optional.empty(), null, null, Optional.empty());
    assertNotNull(evaluator);
    assertEquals(TopLevelPolicyElementType.POLICY, evaluator.getPolicyElementType());
    assertEquals(expectedPolicyId, evaluator.getPolicyId());
}
Also used : TopLevelPolicyElementEvaluator(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator) XacmlXmlPdpTest(org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest)
