Examples with XPathCompilerProxy org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy used on opensource projects

Example 6 with XPathCompilerProxy

use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core by authzforce.

the class ConditionEvaluators method getInstance.

/**
 * Instantiates a Condition evaluator from XACML-Schema-derived <code>Condition</code>
 *
 * @param condition
 *            XACML-schema-derived JAXB Condition element
 * @param expressionFactory
 *            expression factory
 * @param xPathCompiler
 *            XPath compiler, defined if XPath support enabled (by PDP configuration and some enclosing Policy(Set) defines a XPathVersion according to XACML standard)
 * @return instance of Condition evaluator
 * @throws java.lang.IllegalArgumentException
 *             if the expression is not a valid boolean Expression
 */
public static BooleanEvaluator getInstance(final Condition condition, final ExpressionFactory expressionFactory, final Optional<XPathCompilerProxy> xPathCompiler) throws IllegalArgumentException {
    if (condition == null) {
        return TRUE_CONDITION;
    }
    /*
		 * condition != null -> condition's Expression is not null (by definition of XACML schema), therefore expressionFactory is needed
		 */
    final ExpressionType exprElt = condition.getExpression().getValue();
    if (expressionFactory == null) {
        throw NULL_EXPR_FACTORY_ARGUMENT_EXCEPTION;
    }
    final Expression<?> expr = expressionFactory.getInstance(exprElt, null, xPathCompiler);
    // make sure it's a boolean expression...
    if (!(expr.getReturnType().equals(StandardDatatypes.BOOLEAN))) {
        throw new IllegalArgumentException("Invalid return datatype (" + expr.getReturnType() + ") for Expression (" + expr.getClass().getSimpleName() + ") in Condition. Expected: Boolean.");
    }
    // WARNING: unchecked cast
    final Expression<BooleanValue> evaluableExpression = (Expression<BooleanValue>) expr;
    /*
		 * Check whether the expression is constant
		 */
    final Optional<BooleanValue> constant = evaluableExpression.getValue();
    if (constant.isPresent()) {
        if (constant.get().getUnderlyingValue()) {
            // constant TRUE
            LOGGER.warn("Condition's expression is equivalent to constant True -> optimization: replacing with constant True condition");
            return TRUE_CONDITION;
        }
        // constant False -> unacceptable
        throw INVALID_CONSTANT_FALSE_EXPRESSION_EXCEPTION;
    }
    // constant == null
    LOGGER.debug("Condition's Expression is not constant (evaluation without context failed)");
    return new BooleanExpressionEvaluator(evaluableExpression);
}

Example 7 with XPathCompilerProxy

use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core-pdp-api by authzforce.

the class BaseXacmlJaxbRequestPreprocessor method process.

@Override
public final List<IndividualXacmlJaxbRequest> process(final Request jaxbRequest, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
    if (jaxbRequest == null) {
        throw NULL_REQUEST_EXCEPTION;
    }
    /*
         * No support for MultiRequests (§2.4 of Multiple Decision Profile).
         */
    if (jaxbRequest.getMultiRequests() != null) {
        /*
             * According to 7.19.1 Unsupported functionality, return Indeterminate with syntax-error code for unsupported element
             */
        throw UNSUPPORTED_MULTI_REQUESTS_EXCEPTION;
    }
    /*
         * No support for CombinedDecision = true if no decisionCombiner defined. (The use of the CombinedDecision attribute is specified in Multiple Decision Profile.)
         */
    if (jaxbRequest.isCombinedDecision() && !this.isCombinedDecisionSupported) {
        /*
             * According to XACML core spec, 5.42, <i>If the PDP does not implement the relevant functionality in [Multiple Decision Profile], then the PDP must return an Indeterminate with a status
             * code of urn:oasis:names:tc:xacml:1.0:status:processing-error if it receives a request with this attribute set to "true"</i>.
             */
        throw UNSUPPORTED_COMBINED_DECISION_EXCEPTION;
    }
    final RequestDefaults jaxbReqDefaults = jaxbRequest.getRequestDefaults();
    final Optional<XPathCompilerProxy> xPathCompiler;
    final Map<String, String> newNsPrefixToUriMap;
    if (jaxbReqDefaults == null) {
        xPathCompiler = Optional.empty();
        newNsPrefixToUriMap = namespaceURIsByPrefix;
    } else {
        try {
            final XPathVersion xPathVersion = XPathVersion.fromURI(jaxbReqDefaults.getXPathVersion());
            xPathCompiler = Optional.of(new BasicImmutableXPathCompilerProxy(xPathVersion, namespaceURIsByPrefix));
            /*
				namespaceURIsByPrefix already held by xPathCompiler and retrievable from it with getDeclaredNamespacePrefixToUriMap().
				 */
            newNsPrefixToUriMap = Map.of();
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Invalid/unsupported XPathVersion in Request/RequestDefaults", e);
        }
    }
    final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser = xacmlAttrsParserFactory.getInstance();
    return process(jaxbRequest.getAttributes(), xacmlAttrsParser, jaxbRequest.isReturnPolicyIdList(), jaxbRequest.isCombinedDecision(), xPathCompiler, newNsPrefixToUriMap);
}

Example 8 with XPathCompilerProxy

use of org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy in project core-pdp-api by authzforce.

the class NonIssuedLikeIssuedStrictXacmlAttributeParser method parseNamedAttribute.

/**
 * "Strict" parsing method, that parse all the values of a given attribute in one call. In short, this method will reject multiple calls on the same Attribute identifier (same metadata).
 *
 * @param attributeMap
 *            request attribute map to be updated by the result of parsing {@code inputXacmlAttribute}
 * @param inputXacmlAttribute
 *            input attribute object (not yet parsed into AuthzForce internal model), typically from original XACML request
 * @param xPathCompiler
 *            XPath compiler for compiling/evaluating XPath expressions in values, such as XACML xpathExpressions. Undefined if XPath support disabled.
 *
 * @throws IllegalArgumentException
 *             if parsing of the {@code inputXacmlAttribute} because of invalid datatype or mixing of different datatypes; or if there are already existing values for the same attribute
 *             (repetition of same attribute is not allowed in strict mode)
 */
@Override
public void parseNamedAttribute(final String attributeCategoryId, final INPUT_ATTRIBUTE inputXacmlAttribute, final Optional<XPathCompilerProxy> xPathCompiler, final Map<AttributeFqn, AttributeBag<?>> attributeMap) throws IllegalArgumentException {
    final NamedXacmlAttributeParsingResult<?> attParsingResult = parseNamedAttribute(attributeCategoryId, inputXacmlAttribute, xPathCompiler);
    final AttributeBag<?> attBag = newAttributeBag(attParsingResult);
    /*
		 * If there is any existing values for the same attribute name (<Attribute> with same meta-data) in the map, it will be rejected. This behavior is not fully compliant with XACML (see the
		 * Javadoc of this class), however it is faster than the compliant alternative.
		 */
    final AttributeFqn attName = attParsingResult.getAttributeName();
    final Bag<?> duplicate = attributeMap.putIfAbsent(attName, attBag);
    if (duplicate != null) {
        throw new IllegalArgumentException("Illegal syntax in strict mode: duplicate <Attribute> with metadata: " + attParsingResult.getAttributeName());
    }
    /*
		 * Check if it is a resource-scope.
		 */
    validateResourceScope(attName, attBag);
/*
		 * In this implementation, we do not comply fully with XACML 3.0, §5.29, since we handle Attribute(s) without Issuer exactly like the ones with an Issuer. In other words, an undefined issuer
		 * is handled like the special "null" Issuer. Therefore, an AttributeDesignators without Issuer will not match the request attributes with matching Category, AttributeId... but a defined
		 * therefore different Issuer. It will only match the request attribute without Issuer. In a compliant implementation, we would check if the attribute has an Issuer, and if it does, also
		 * update the attribute variant with same meta-data except no Issuer.
		 */
}