use of org.ow2.authzforce.core.pdp.api.value.AttributeBag in project core by authzforce.
the class StandardJavaTypeToXacmlAttributeDatatypeConversionTest method test.
@Test
public void test() {
if (rawValues == null || rawValues.isEmpty()) {
try {
attValFactories.newAttributeBag(rawValues);
Assert.fail("Should have raised IllegalArgumentException because of invalid rawValues");
} catch (final Exception e) {
Assert.assertTrue("Unexpected error: " + e, expectedExceptionClass != null && expectedExceptionClass.isInstance(e));
}
return;
}
// rawValues has at least one value
if (rawValues.size() == 1) {
final Serializable rawVal = rawValues.iterator().next();
if (rawVal == null) {
/*
* Instantiate using expected datatype to check if null is spotted as invalid value
*/
try {
attValFactories.newExpression(expectedAttributeDatatypeId, Collections.singletonList(null), null, null);
Assert.assertNull("Parsing raw value into AttributeValue did not throw exception as expected", expectedExceptionClass);
} catch (final Exception e) {
Assert.assertTrue("Unexpected error: " + e, expectedExceptionClass != null && expectedExceptionClass.isInstance(e));
}
} else {
try {
final AttributeValueFactory<?> attValFactory = attValFactories.getCompatibleFactory(rawVal.getClass());
final String actualDatatypeId = attValFactory.getDatatype().getId();
Assert.assertEquals("Invalid datatype for created attribute value", actualDatatypeId, expectedAttributeDatatypeId);
attValFactories.newAttributeValue(rawVal);
Assert.assertNull("Parsing raw value into AttributeValue did not throw exception as expected", expectedExceptionClass);
} catch (final Exception e) {
Assert.assertTrue("Unexpected error: " + e, expectedExceptionClass != null && expectedExceptionClass.isInstance(e));
}
}
}
try {
final AttributeBag<?> attBag = attValFactories.newAttributeBag(rawValues);
Assert.assertEquals("Invalid datatype for created attribute values", attBag.getElementDatatype().getId(), expectedAttributeDatatypeId);
/*
* Marshall to XACML and try to unmarshall to original Java value to make sure marshalling is OK
*/
final List<AttributeValueType> outXacmlAttVals = attBag.elements().stream().map(attVal -> new AttributeValueType(attVal.getContent(), attBag.getElementDatatype().getId(), attVal.getXmlAttributes())).collect(Collectors.toList());
final Attribute outXacmlAtt = new Attribute(outXacmlAttVals, testId.toString(), null, false);
final Marshaller marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
final StringWriter strWriter = new StringWriter();
marshaller.marshal(outXacmlAtt, strWriter);
final String outStr = strWriter.toString();
final Unmarshaller unmarshaller = Xacml3JaxbHelper.createXacml3Unmarshaller();
final Attribute inXacmlAtt = (Attribute) unmarshaller.unmarshal(new StringReader(outStr));
final List<AttributeValueType> inXacmlAttVals = inXacmlAtt.getAttributeValues();
if (inXacmlAttVals.isEmpty()) {
Assert.fail("Marshalling/unmarshalling failed: no AttributeValue after unmarshalling: " + outStr);
return;
}
final AttributeValueType inXacmlAttVal0 = inXacmlAttVals.get(0);
final AttributeValueFactory<?> attValFactory = this.attValFactories.getExtension(inXacmlAttVal0.getDataType());
final List<AttributeValue> inAttVals = inXacmlAttVals.stream().map(inputXacmlAttValue -> attValFactory.getInstance(inputXacmlAttValue.getContent(), inputXacmlAttValue.getOtherAttributes(), null)).collect(Collectors.toList());
Assert.assertEquals("AttributeValues after unmarshalling do not match original AttributeValues before marshalling: " + outStr, attBag.elements(), ImmutableMultiset.copyOf(inAttVals));
Assert.assertNull("Parsing raw value into AttributeValue did not throw exception as expected", expectedExceptionClass);
} catch (final Exception e) {
Assert.assertTrue("Unexpected error: " + e, expectedExceptionClass != null && expectedExceptionClass.isInstance(e));
}
}
use of org.ow2.authzforce.core.pdp.api.value.AttributeBag in project core by authzforce.
the class SingleDecisionXacmlJsonRequestPreprocessor method process.
@Override
public List<IndividualXacmlJsonRequest> process(final JSONArray jsonArrayOfRequestAttributeCategoryObjects, final SingleCategoryXacmlAttributesParser<JSONObject> xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final Optional<XPathCompilerProxy> xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
final Map<AttributeFqn, AttributeBag<?>> namedAttributes = HashCollections.newUpdatableMap(jsonArrayOfRequestAttributeCategoryObjects.length());
/*
* TODO: Content object not supported yet (optional in XACML)
*/
final Map<String, XdmNode> extraContentsByCategory = Collections.emptyMap();
/*
* requestAttributeCategoryObjectsIncludedInResult.size() <= jsonArrayOfRequestAttributeCategoryObjects.size()
*/
final List<JSONObject> requestAttributeCategoryObjectsIncludedInResult = new ArrayList<>(jsonArrayOfRequestAttributeCategoryObjects.length());
for (final Object requestAttributeCategoryObject : jsonArrayOfRequestAttributeCategoryObjects) {
if (!(requestAttributeCategoryObject instanceof JSONObject)) {
throw INVALID_REQUEST_CATEGORY_ARRAY_ELEMENT_TYPE_EXCEPTION;
}
final JSONObject requestAttCatJsonObj = (JSONObject) requestAttributeCategoryObject;
final SingleCategoryAttributes<?, JSONObject> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(requestAttCatJsonObj, xPathCompiler);
if (categorySpecificAttributes == null) {
// skip this empty Attributes
continue;
}
/*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* mandated by the XACML spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
for (final Entry<AttributeFqn, AttributeBag<?>> attrEntry : categorySpecificAttributes) {
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
final JSONObject catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null) {
requestAttributeCategoryObjectsIncludedInResult.add(catSpecificAttrsToIncludeInResult);
}
}
final ImmutableDecisionRequest pdpEngineReq = reqFactory.getInstance(namedAttributes, extraContentsByCategory, isApplicablePolicyIdListReturned);
return Collections.singletonList(new IndividualXacmlJsonRequest(pdpEngineReq, ImmutableList.copyOf(requestAttributeCategoryObjectsIncludedInResult)));
}
use of org.ow2.authzforce.core.pdp.api.value.AttributeBag in project core by authzforce.
the class SingleDecisionXacmlJaxbRequestPreprocessor method process.
@Override
public List<IndividualXacmlJaxbRequest> process(final List<Attributes> attributesList, final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final Optional<XPathCompilerProxy> xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException {
final Map<AttributeFqn, AttributeBag<?>> namedAttributes = HashCollections.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashCollections.newUpdatableMap(attributesList.size());
/*
* attributesToIncludeInResult.size() <= attributesList.size()
*/
final List<Attributes> attributesToIncludeInResult = new ArrayList<>(attributesList.size());
for (final Attributes jaxbAttributes : attributesList) {
final SingleCategoryAttributes<?, Attributes> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
if (categorySpecificAttributes == null) {
// skip this empty Attributes
continue;
}
final String categoryId = categorySpecificAttributes.getCategoryId();
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null) {
final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryId, newContentNode);
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
*/
if (duplicate != null) {
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryId + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", XacmlStatusCode.SYNTAX_ERROR.value());
}
}
/*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* mandated by the XACML spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
for (final Entry<AttributeFqn, AttributeBag<?>> attrEntry : categorySpecificAttributes) {
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null) {
attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult);
}
}
return Collections.singletonList(new IndividualXacmlJaxbRequest(reqFactory.getInstance(namedAttributes, extraContentsByCategory, isApplicablePolicyIdListReturned), ImmutableList.copyOf(attributesToIncludeInResult)));
}
use of org.ow2.authzforce.core.pdp.api.value.AttributeBag in project core-pdp-api by authzforce.
the class NonIssuedLikeIssuedStrictXacmlAttributeParser method parseNamedAttribute.
/**
* "Strict" parsing method, that parse all the values of a given attribute in one call. In short, this method will reject multiple calls on the same Attribute identifier (same metadata).
*
* @param attributeMap
* request attribute map to be updated by the result of parsing {@code inputXacmlAttribute}
* @param inputXacmlAttribute
* input attribute object (not yet parsed into AuthzForce internal model), typically from original XACML request
* @param xPathCompiler
* XPath compiler for compiling/evaluating XPath expressions in values, such as XACML xpathExpressions. Undefined if XPath support disabled.
*
* @throws IllegalArgumentException
* if parsing of the {@code inputXacmlAttribute} because of invalid datatype or mixing of different datatypes; or if there are already existing values for the same attribute
* (repetition of same attribute is not allowed in strict mode)
*/
@Override
public void parseNamedAttribute(final String attributeCategoryId, final INPUT_ATTRIBUTE inputXacmlAttribute, final Optional<XPathCompilerProxy> xPathCompiler, final Map<AttributeFqn, AttributeBag<?>> attributeMap) throws IllegalArgumentException {
final NamedXacmlAttributeParsingResult<?> attParsingResult = parseNamedAttribute(attributeCategoryId, inputXacmlAttribute, xPathCompiler);
final AttributeBag<?> attBag = newAttributeBag(attParsingResult);
/*
* If there is any existing values for the same attribute name (<Attribute> with same meta-data) in the map, it will be rejected. This behavior is not fully compliant with XACML (see the
* Javadoc of this class), however it is faster than the compliant alternative.
*/
final AttributeFqn attName = attParsingResult.getAttributeName();
final Bag<?> duplicate = attributeMap.putIfAbsent(attName, attBag);
if (duplicate != null) {
throw new IllegalArgumentException("Illegal syntax in strict mode: duplicate <Attribute> with metadata: " + attParsingResult.getAttributeName());
}
/*
* Check if it is a resource-scope.
*/
validateResourceScope(attName, attBag);
/*
* In this implementation, we do not comply fully with XACML 3.0, ยง5.29, since we handle Attribute(s) without Issuer exactly like the ones with an Issuer. In other words, an undefined issuer
* is handled like the special "null" Issuer. Therefore, an AttributeDesignators without Issuer will not match the request attributes with matching Category, AttributeId... but a defined
* therefore different Issuer. It will only match the request attribute without Issuer. In a compliant implementation, we would check if the attribute has an Issuer, and if it does, also
* update the attribute variant with same meta-data except no Issuer.
*/
}
Aggregations