use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core by authzforce.
the class ConditionEvaluators method getInstance.
/**
* Instantiates a Condition evaluator from XACML-Schema-derived <code>Condition</code>
*
* @param condition
* XACML-schema-derived JAXB Condition element
* @param expressionFactory
* expression factory
* @param xPathCompiler
* XPath compiler, defined if XPath support enabled (by PDP configuration and some enclosing Policy(Set) defines a XPathVersion according to XACML standard)
* @return instance of Condition evaluator
* @throws java.lang.IllegalArgumentException
* if the expression is not a valid boolean Expression
*/
public static BooleanEvaluator getInstance(final Condition condition, final ExpressionFactory expressionFactory, final Optional<XPathCompilerProxy> xPathCompiler) throws IllegalArgumentException {
if (condition == null) {
return TRUE_CONDITION;
}
/*
* condition != null -> condition's Expression is not null (by definition of XACML schema), therefore expressionFactory is needed
*/
final ExpressionType exprElt = condition.getExpression().getValue();
if (expressionFactory == null) {
throw NULL_EXPR_FACTORY_ARGUMENT_EXCEPTION;
}
final Expression<?> expr = expressionFactory.getInstance(exprElt, null, xPathCompiler);
// make sure it's a boolean expression...
if (!(expr.getReturnType().equals(StandardDatatypes.BOOLEAN))) {
throw new IllegalArgumentException("Invalid return datatype (" + expr.getReturnType() + ") for Expression (" + expr.getClass().getSimpleName() + ") in Condition. Expected: Boolean.");
}
// WARNING: unchecked cast
final Expression<BooleanValue> evaluableExpression = (Expression<BooleanValue>) expr;
/*
* Check whether the expression is constant
*/
final Optional<BooleanValue> constant = evaluableExpression.getValue();
if (constant.isPresent()) {
if (constant.get().getUnderlyingValue()) {
// constant TRUE
LOGGER.warn("Condition's expression is equivalent to constant True -> optimization: replacing with constant True condition");
return TRUE_CONDITION;
}
// constant False -> unacceptable
throw INVALID_CONSTANT_FALSE_EXPRESSION_EXCEPTION;
}
// constant == null
LOGGER.debug("Condition's Expression is not constant (evaluation without context failed)");
return new BooleanExpressionEvaluator(evaluableExpression);
}
use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core-pdp-api by authzforce.
the class BaseXacmlJaxbRequestPreprocessor method process.
@Override
public final List<IndividualXacmlJaxbRequest> process(final Request jaxbRequest, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
if (jaxbRequest == null) {
throw NULL_REQUEST_EXCEPTION;
}
/*
* No support for MultiRequests (§2.4 of Multiple Decision Profile).
*/
if (jaxbRequest.getMultiRequests() != null) {
/*
* According to 7.19.1 Unsupported functionality, return Indeterminate with syntax-error code for unsupported element
*/
throw UNSUPPORTED_MULTI_REQUESTS_EXCEPTION;
}
/*
* No support for CombinedDecision = true if no decisionCombiner defined. (The use of the CombinedDecision attribute is specified in Multiple Decision Profile.)
*/
if (jaxbRequest.isCombinedDecision() && !this.isCombinedDecisionSupported) {
/*
* According to XACML core spec, 5.42, <i>If the PDP does not implement the relevant functionality in [Multiple Decision Profile], then the PDP must return an Indeterminate with a status
* code of urn:oasis:names:tc:xacml:1.0:status:processing-error if it receives a request with this attribute set to "true"</i>.
*/
throw UNSUPPORTED_COMBINED_DECISION_EXCEPTION;
}
final RequestDefaults jaxbReqDefaults = jaxbRequest.getRequestDefaults();
final Optional<XPathCompilerProxy> xPathCompiler;
final Map<String, String> newNsPrefixToUriMap;
if (jaxbReqDefaults == null) {
xPathCompiler = Optional.empty();
newNsPrefixToUriMap = namespaceURIsByPrefix;
} else {
try {
final XPathVersion xPathVersion = XPathVersion.fromURI(jaxbReqDefaults.getXPathVersion());
xPathCompiler = Optional.of(new BasicImmutableXPathCompilerProxy(xPathVersion, namespaceURIsByPrefix));
/*
namespaceURIsByPrefix already held by xPathCompiler and retrievable from it with getDeclaredNamespacePrefixToUriMap().
*/
newNsPrefixToUriMap = Map.of();
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException("Invalid/unsupported XPathVersion in Request/RequestDefaults", e);
}
}
final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser = xacmlAttrsParserFactory.getInstance();
return process(jaxbRequest.getAttributes(), xacmlAttrsParser, jaxbRequest.isReturnPolicyIdList(), jaxbRequest.isCombinedDecision(), xPathCompiler, newNsPrefixToUriMap);
}
use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core-pdp-api by authzforce.
the class NonIssuedLikeIssuedStrictXacmlAttributeParser method parseNamedAttribute.
/**
* "Strict" parsing method, that parse all the values of a given attribute in one call. In short, this method will reject multiple calls on the same Attribute identifier (same metadata).
*
* @param attributeMap
* request attribute map to be updated by the result of parsing {@code inputXacmlAttribute}
* @param inputXacmlAttribute
* input attribute object (not yet parsed into AuthzForce internal model), typically from original XACML request
* @param xPathCompiler
* XPath compiler for compiling/evaluating XPath expressions in values, such as XACML xpathExpressions. Undefined if XPath support disabled.
*
* @throws IllegalArgumentException
* if parsing of the {@code inputXacmlAttribute} because of invalid datatype or mixing of different datatypes; or if there are already existing values for the same attribute
* (repetition of same attribute is not allowed in strict mode)
*/
@Override
public void parseNamedAttribute(final String attributeCategoryId, final INPUT_ATTRIBUTE inputXacmlAttribute, final Optional<XPathCompilerProxy> xPathCompiler, final Map<AttributeFqn, AttributeBag<?>> attributeMap) throws IllegalArgumentException {
final NamedXacmlAttributeParsingResult<?> attParsingResult = parseNamedAttribute(attributeCategoryId, inputXacmlAttribute, xPathCompiler);
final AttributeBag<?> attBag = newAttributeBag(attParsingResult);
/*
* If there is any existing values for the same attribute name (<Attribute> with same meta-data) in the map, it will be rejected. This behavior is not fully compliant with XACML (see the
* Javadoc of this class), however it is faster than the compliant alternative.
*/
final AttributeFqn attName = attParsingResult.getAttributeName();
final Bag<?> duplicate = attributeMap.putIfAbsent(attName, attBag);
if (duplicate != null) {
throw new IllegalArgumentException("Illegal syntax in strict mode: duplicate <Attribute> with metadata: " + attParsingResult.getAttributeName());
}
/*
* Check if it is a resource-scope.
*/
validateResourceScope(attName, attBag);
/*
* In this implementation, we do not comply fully with XACML 3.0, §5.29, since we handle Attribute(s) without Issuer exactly like the ones with an Issuer. In other words, an undefined issuer
* is handled like the special "null" Issuer. Therefore, an AttributeDesignators without Issuer will not match the request attributes with matching Category, AttributeId... but a defined
* therefore different Issuer. It will only match the request attribute without Issuer. In a compliant implementation, we would check if the attribute has an Issuer, and if it does, also
* update the attribute variant with same meta-data except no Issuer.
*/
}
Aggregations