use of org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest in project core by authzforce.
the class SingleDecisionXacmlJaxbRequestPreprocessor method process.
@Override
public List<IndividualXacmlJaxbRequest> process(final List<Attributes> attributesList, final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final Optional<XPathCompilerProxy> xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
final Map<AttributeFqn, AttributeBag<?>> namedAttributes = HashCollections.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashCollections.newUpdatableMap(attributesList.size());
/*
* attributesToIncludeInResult.size() <= attributesList.size()
*/
final List<Attributes> attributesToIncludeInResult = new ArrayList<>(attributesList.size());
for (final Attributes jaxbAttributes : attributesList) {
final SingleCategoryAttributes<?, Attributes> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
if (categorySpecificAttributes == null) {
// skip this empty Attributes
continue;
}
final String categoryId = categorySpecificAttributes.getCategoryId();
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null) {
final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryId, newContentNode);
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
*/
if (duplicate != null) {
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryId + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", XacmlStatusCode.SYNTAX_ERROR.value());
}
}
/*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* mandated by the XACML spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
for (final Entry<AttributeFqn, AttributeBag<?>> attrEntry : categorySpecificAttributes) {
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null) {
attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult);
}
}
return Collections.singletonList(new IndividualXacmlJaxbRequest(reqFactory.getInstance(namedAttributes, extraContentsByCategory, isApplicablePolicyIdListReturned), ImmutableList.copyOf(attributesToIncludeInResult)));
}
use of org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest in project core-pdp-api by authzforce.
the class BaseXacmlJaxbRequestPreprocessor method process.
@Override
public final List<IndividualXacmlJaxbRequest> process(final Request jaxbRequest, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
if (jaxbRequest == null) {
throw NULL_REQUEST_EXCEPTION;
}
/*
* No support for MultiRequests (ยง2.4 of Multiple Decision Profile).
*/
if (jaxbRequest.getMultiRequests() != null) {
/*
* According to 7.19.1 Unsupported functionality, return Indeterminate with syntax-error code for unsupported element
*/
throw UNSUPPORTED_MULTI_REQUESTS_EXCEPTION;
}
/*
* No support for CombinedDecision = true if no decisionCombiner defined. (The use of the CombinedDecision attribute is specified in Multiple Decision Profile.)
*/
if (jaxbRequest.isCombinedDecision() && !this.isCombinedDecisionSupported) {
/*
* According to XACML core spec, 5.42, <i>If the PDP does not implement the relevant functionality in [Multiple Decision Profile], then the PDP must return an Indeterminate with a status
* code of urn:oasis:names:tc:xacml:1.0:status:processing-error if it receives a request with this attribute set to "true"</i>.
*/
throw UNSUPPORTED_COMBINED_DECISION_EXCEPTION;
}
final RequestDefaults jaxbReqDefaults = jaxbRequest.getRequestDefaults();
final Optional<XPathCompilerProxy> xPathCompiler;
final Map<String, String> newNsPrefixToUriMap;
if (jaxbReqDefaults == null) {
xPathCompiler = Optional.empty();
newNsPrefixToUriMap = namespaceURIsByPrefix;
} else {
try {
final XPathVersion xPathVersion = XPathVersion.fromURI(jaxbReqDefaults.getXPathVersion());
xPathCompiler = Optional.of(new BasicImmutableXPathCompilerProxy(xPathVersion, namespaceURIsByPrefix));
/*
namespaceURIsByPrefix already held by xPathCompiler and retrievable from it with getDeclaredNamespacePrefixToUriMap().
*/
newNsPrefixToUriMap = Map.of();
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException("Invalid/unsupported XPathVersion in Request/RequestDefaults", e);
}
}
final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser = xacmlAttrsParserFactory.getInstance();
return process(jaxbRequest.getAttributes(), xacmlAttrsParser, jaxbRequest.isReturnPolicyIdList(), jaxbRequest.isCombinedDecision(), xPathCompiler, newNsPrefixToUriMap);
}
use of org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest in project core-pdp-api by authzforce.
the class BaseXacmlJaxbResultPostprocessor method convert.
/**
* Convert AuthzForce-specific {@link DecisionResult} to XACML {@link Result}
*
* @param request
* request corresponding to result; iff null, some content from it, esp. the list of {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes}, is included in {@code result}
* @param result
* native policy decision result
* @return XACML Result
*/
public static Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result) {
final ImmutableList<PepAction> pepActions = result.getPepActions();
assert pepActions != null;
final List<Obligation> xacmlObligations;
final List<Advice> xacmlAdvices;
if (pepActions.isEmpty()) {
xacmlObligations = null;
xacmlAdvices = null;
} else {
xacmlObligations = new ArrayList<>(pepActions.size());
xacmlAdvices = new ArrayList<>(pepActions.size());
pepActions.forEach(pepAction -> {
final String pepActionId = pepAction.getId();
final List<AttributeAssignment> xacmlAttAssignments = convert(pepAction.getAttributeAssignments());
if (pepAction.isMandatory()) {
xacmlObligations.add(new Obligation(xacmlAttAssignments, pepActionId));
} else {
xacmlAdvices.add(new Advice(xacmlAttAssignments, pepActionId));
}
});
}
final ImmutableList<PrimaryPolicyMetadata> applicablePolicies = result.getApplicablePolicies();
final PolicyIdentifierList jaxbPolicyIdentifiers;
if (applicablePolicies == null || applicablePolicies.isEmpty()) {
jaxbPolicyIdentifiers = null;
} else {
final List<JAXBElement<IdReferenceType>> jaxbPolicyIdRefs = new ArrayList<>(applicablePolicies.size());
for (final PrimaryPolicyMetadata applicablePolicy : applicablePolicies) {
final IdReferenceType jaxbIdRef = new IdReferenceType(applicablePolicy.getId(), applicablePolicy.getVersion().toString(), null, null);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY ? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicyIdReference(jaxbIdRef) : Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
jaxbPolicyIdRefs.add(jaxbPolicyIdRef);
}
jaxbPolicyIdentifiers = new PolicyIdentifierList(jaxbPolicyIdRefs);
}
return new Result(result.getDecision(), result.getStatus().orElse(null), xacmlObligations == null || xacmlObligations.isEmpty() ? null : new Obligations(xacmlObligations), xacmlAdvices == null || xacmlAdvices.isEmpty() ? null : new AssociatedAdvice(xacmlAdvices), request == null ? null : request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
}
Aggregations