http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/pom.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/pom.xml b/openaz-pep/pom.xml
new file mode 100755
index 0000000..bcf6443
--- /dev/null
+++ b/openaz-pep/pom.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <artifactId>openaz</artifactId>
+ <groupId>org.openliberty.openaz</groupId>
+ <version>0.0.1-SNAPSHOT</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>openaz-pep</artifactId>
+
+ <dependencies>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>openaz-xacml</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>openaz-xacml-pdp</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ </dependency>
+ </dependencies>
+
+</project>
\ No newline at end of file
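Review bot: The `junit` dependency is declared without `<scope>test</scope>`, so unless the parent POM's dependencyManagement sets the scope it becomes a compile-scope, transitive dependency of `openaz-pep` for every consumer; add `<scope>test</scope>` inside that `<dependency>`. All five dependencies omit `<version>`, which is fine only if the parent manages every one of them, including `commons-logging` and `log4j` — otherwise the build fails with a missing-version error, so this is worth confirming against the parent. Declaring `log4j`, a concrete logging backend, as a compile dependency of an API module forces that backend on consumers; consider `runtime` or `test` scope for it.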
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Action.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Action.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Action.java
new file mode 100755
index 0000000..cd7975d
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Action.java
@@ -0,0 +1,62 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.XACML3;
+
+;
+
+/**
+ * Container class that maps attributes to predefined XACML Action category.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public class Action extends CategoryContainer {
+
+ public static final String ACTION_ID_KEY = "ACTION_ID_KEY";
+
+ private String actionIdValue;
+
+ private Action() {
+ super(XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
+ }
+
+ /**
+ * Creates a new Action instance
+ *
+ * @return
+ */
+ public static Action newInstance() {
+ return new Action();
+ }
+
+ /**
+ * Create a new Action instance containing a single default attribute with the given value
+ *
+ * @param actionIdValue
+ * @return
+ */
+ public static Action newInstance(String actionIdValue) {
+ Action a = new Action();
+ a.actionIdValue = actionIdValue;
+ a.addAttribute(ACTION_ID_KEY, actionIdValue);
+ return a;
+ }
+
+ /**
+ * Get the value for default attribute.
+ *
+ * @return
+ */
+ public String getActionIdValue() {
+ return actionIdValue;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder();
+ builder.append("action-id value: " + actionIdValue);
+ builder.append("\n");
+ builder.append(super.toString());
+ return builder.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ActionResourcePair.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ActionResourcePair.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ActionResourcePair.java
new file mode 100755
index 0000000..4d9cc8c
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ActionResourcePair.java
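Review bot: `newInstance(String)` accepts a null `actionIdValue` and forwards it to `addAttribute(ACTION_ID_KEY, actionIdValue)`; because the argument is typed `String` rather than `String[]`, varargs wraps it as the one-element array `{null}`, which passes `CategoryContainer`'s non-empty check and stores a null attribute value that later throws on `o.toString()` in `CategoryContainer.toString()`. Reject it up front with `if (actionIdValue == null) throw new IllegalArgumentException("actionIdValue cannot be null");` as the first line of the factory, and document the `@throws`. Separately, the stray `;` after the `import` is a legal but meaningless empty declaration and should be deleted, and the empty `@return` tags on both `newInstance` overloads and on `getActionIdValue()` should either describe the value or be removed.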
@@ -0,0 +1,92 @@
+package org.openliberty.openaz.pepapi;
+
+
+/**
+ * A convenient abstraction for an action - resource pair.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public final class ActionResourcePair {
+
+ private final Object action;
+
+ private final Object resource;
+
+ /**
+ * Creates a new action - resource pair
+ *
+ * @param action an Object representing the action being performed.
+ * @param resource an Object representing the resource on which the action is being performed.
+ */
+ public ActionResourcePair(Object action, Object resource){
+ this.resource = resource;
+ this.action = action;
+ }
+
+ /**
+ * Returns the resource associated with this action - resource pair
+ *
+ * @return an Object representing the resource.
+ */
+ public Object getResource() {
+ return resource;
+ }
+
+ /**
+ * Returns the action associated with this action - resource pair.
+ *
+ * @return an Object representing the action.
+ */
+ public Object getAction() {
+ return action;
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result
+ + ((resource == null) ? 0 : resource.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ ActionResourcePair other = (ActionResourcePair) obj;
+ if (action == null) {
+ if (other.action != null)
+ return false;
+ } else if (!action.equals(other.action)) {
+ return false;
+ }
+
+ if (resource == null) {
+ if (other.resource != null) {
+ return false;
+ }
+ } else if (!resource.equals(other.resource)) {
+ return false;
+ }
+ return true;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder();
+ builder.append("\nAction: " + action.toString());
+ builder.append("\nResource: " + resource.toString());
+ return builder.toString();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Advice.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Advice.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Advice.java
new file mode 100755
index 0000000..46682d0
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Advice.java
@@ -0,0 +1,21 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.Map;
+
+/**
+ *
+ */
+public interface Advice {
+
+ /**
+ *
+ * @return
+ */
+ public String getId();
+
+ /**
+ *
+ */
+ public Map<String, Object[]> getAttributeMap();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Attribute.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Attribute.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Attribute.java
new file mode 100755
index 0000000..c6c84bb
--- /dev/null
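Review bot: `toString()` dereferences `action.toString()` and `resource.toString()` unconditionally, while the constructor, `equals` and `hashCode` all accept and handle a null `action` or `resource`; a pair built with a null component therefore throws `NullPointerException` the first time it is logged or appended to a message. String concatenation already renders null safely, so drop the explicit calls: `builder.append("\nAction: " + action);` and `builder.append("\nResource: " + resource);`. If null components are not meant to be legal, the cleaner fix is to reject them in the constructor and remove the null branches from `equals`/`hashCode` instead. The unbraced `if (other.action != null) return false;` in `equals` also breaks the always-brace style the rest of the file follows.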
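Review bot: The Javadoc on `Advice`, `getId()` and `getAttributeMap()` is entirely empty, and the interface is structurally identical to `Obligation` in this same commit, which is fully documented. Either document it to the same standard — e.g. `Provides access to an Advice element returned with a decision: its id and a map of attribute id to value array.` on the type, with `@return` text mirroring `Obligation#getId()` and `Obligation#getAttributeMap()` — or say in the type comment why `Advice` and `Obligation` are kept as separate types rather than sharing a supertype, so that implementors do not conflate the two.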
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Attribute.java
@@ -0,0 +1,30 @@
+package org.openliberty.openaz.pepapi;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ *
+ * Represents an Attribute match criterion, where an attribute with the given Id can take any of the values provided.
+ * If no value is available, then value matching is ignored.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+@Target({})
+@Retention(RetentionPolicy.CLASS)
+public @interface Attribute {
+
+ /**
+ *
+ * @return
+ */
+ String id();
+
+ /**
+ *
+ * @return
+ */
+ String[] anyValue() default {};
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/CategoryContainer.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/CategoryContainer.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/CategoryContainer.java
new file mode 100755
index 0000000..010bc6f
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/CategoryContainer.java
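Review bot: `Attribute` is declared `@Retention(RetentionPolicy.CLASS)` while its only permitted use (`@Target({})` restricts it to a member value of another annotation) is inside `MatchAllObligationAttributes`, which is `RUNTIME` and is presumably read reflectively by the framework. Member values are stored with the enclosing runtime annotation, so this likely works today, but the mismatch reads as an oversight, and declaring `@Retention(RetentionPolicy.RUNTIME)` makes the intent explicit and keeps the two annotations consistent. The `@return` tags on `id()` and `anyValue()` are empty; `anyValue()` in particular deserves `@return the values, any one of which satisfies the match; empty means only the id is matched`, restating the class comment at the point of use.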
@@ -0,0 +1,140 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.Identifier;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+/**
+ * Abstraction for an attribute container of a specific XACML category.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public class CategoryContainer {
+
+ private final Map<String, Object[]> attributeMap;
+
+ private final Identifier categoryIdentifier;
+
+ CategoryContainer(Identifier categoryIdentifier) {
+ this.categoryIdentifier = categoryIdentifier;
+ this.attributeMap = new HashMap<String, Object[]>();
+ }
+
+ private final void addToMap(String id, Object[] values) {
+ if (values != null && values.length > 0) {
+ attributeMap.put(id, values);
+ }else {
+ throw new IllegalArgumentException("Values cannot be null");
+ }
+ }
+
+ public Identifier getCategoryIdentifier() {
+ return this.categoryIdentifier;
+ }
+
+ /**
+ * Returns all the contained attributes as a Map of key - value pairs.
+ *
+ * @return
+ */
+ public Map<String, Object[]> getAttributeMap() {
+ return Collections.unmodifiableMap(attributeMap);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more String values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, String... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more Long values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, Long... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more Integer values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, Integer... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more Double values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, Double... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more Boolean values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, Boolean... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more <code>java.util.Date</code> values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, Date... values) {
+ addToMap(id, values);
+ }
+
+ /**
+ * Add a new attribute with the given id and one or more URI values
+ *
+ * @param id
+ * @param values
+ * @throws IllegalArgumentException, if values are null;
+ */
+ public void addAttribute(String id, URI... values) {
+ addToMap(id, values);
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder();
+ for(Entry<String, Object[]> e: attributeMap.entrySet()) {
+ builder.append("Attribute Id: " + e.getKey());
+ builder.append(", Attribute Values: ");
+ for(Object o: e.getValue()) {
+ builder.append(o.toString() + ", ");
+ }
+ builder.append("\n");
+ }
+ return builder.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Environment.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Environment.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Environment.java
new file mode 100755
index 0000000..42f8c64
--- /dev/null
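Review bot: `addToMap` stores the caller's array by reference and never inspects its elements, so an attribute can hold null values (`addAttribute("id", (String) null)` arrives as a one-element array and passes the `length > 0` check, and `toString()` then fails on `o.toString()`), and the caller keeps a live handle to the values after they are added; `getAttributeMap()` wraps the map in `unmodifiableMap` but hands out those same mutable arrays, so the view is only skin-deep. For a container whose contents become an authorization request, values should be validated and snapshotted at insertion, as below; if read-side immutability is also required, the arrays returned by `getAttributeMap()` would need copying on the way out. Two smaller points in the same method: the message `"Values cannot be null"` is also thrown for an empty array, and `attributeMap.put` silently replaces an existing attribute with the same id, which the `Add a new attribute` Javadoc on the overloads does not mention — either document the overwrite or reject duplicates. `private final` on a method is redundant, since private methods cannot be overridden.
```java
private void addToMap(String id, Object[] values) {
    if (id == null) {
        throw new IllegalArgumentException("Attribute id cannot be null");
    }
    if (values == null || values.length == 0) {
        throw new IllegalArgumentException("Values cannot be null or empty");
    }
    for (Object value : values) {
        if (value == null) {
            throw new IllegalArgumentException("Values cannot contain null elements");
        }
    }
    // Store a copy so later mutation of the caller's array cannot alter the request.
    attributeMap.put(id, values.clone());
}
```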
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Environment.java
@@ -0,0 +1,27 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.XACML3;
+
+/**
+ *
+ * Container class that maps attributes to predefined XACML Environment category.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public final class Environment extends CategoryContainer {
+
+ private Environment() {
+ super(XACML3.ID_ATTRIBUTE_CATEGORY_ENVIRONMENT);
+ }
+
+ /**
+ * Creates a new Environment instance
+ *
+ * @return
+ */
+ public static Environment newInstance() {
+ return new Environment();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/InvalidAnnotationException.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/InvalidAnnotationException.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/InvalidAnnotationException.java
new file mode 100755
index 0000000..39a220b
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/InvalidAnnotationException.java
@@ -0,0 +1,29 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * RuntimeException thrown when a registered handler class does not contain one of the
+ * required annotations - <code>@MatchAnyObligation</code>, <code>@MatchAllObligationAttributes</code>.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+@SuppressWarnings("serial")
+public class InvalidAnnotationException extends RuntimeException {
+
+ public InvalidAnnotationException() {
+ super();
+ }
+
+ public InvalidAnnotationException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public InvalidAnnotationException(String message) {
+ super(message);
+ }
+
+ public InvalidAnnotationException(Throwable cause) {
+ super(cause);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MapperRegistry.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MapperRegistry.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MapperRegistry.java
new file mode 100755
index 0000000..41ea381
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MapperRegistry.java
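Review bot: `@SuppressWarnings("serial")` hides the missing `serialVersionUID` on this `RuntimeException`, whereas `PepException` in the same commit declares `private static final long serialVersionUID = 1L;`; the package should pick one convention, preferably the explicit field, since it is also the one that survives a class-level warning-suppression cleanup. The four constructors carry no Javadoc; a short `@param message`/`@param cause` on the two-argument constructor would match `PepException`'s style and cost nothing.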
@@ -0,0 +1,35 @@
+package org.openliberty.openaz.pepapi;
+
+
+/**
+ * Container that holds <code>ObjectMapper</code> instances registered with the framework.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface MapperRegistry {
+
+ /**
+ * Registers the provided ObjectMapper instance
+ *
+ * @param mapper
+ */
+ public void registerMapper(ObjectMapper mapper);
+
+ /**
+ * Registers the provided ObjectMapper instances
+ *
+ * @param mappers
+ */
+ public void registerMappers(Iterable<? extends ObjectMapper> mappers);
+
+ /**
+ * Returns the ObjectMapper instance registered for the given Class.
+ *
+ * @param clazz
+ * @return an ObjectMapper instance
+ * @throws org.openliberty.openaz.pepapi.PepException if no ObjectMapper could be found for class clazz;
+ */
+ public ObjectMapper getMapper(Class<?> clazz);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAllObligationAttributes.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAllObligationAttributes.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAllObligationAttributes.java
new file mode 100755
index 0000000..19f2859
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAllObligationAttributes.java
@@ -0,0 +1,25 @@
+package org.openliberty.openaz.pepapi;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Represents a union of Obligation Attribute match criterion.
+ * All attribute criterion supplied will be conjunctively matched by the framework.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface MatchAllObligationAttributes {
+
+ /**
+ *
+ * @return
+ */
+ Attribute[] value();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAnyObligation.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAnyObligation.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAnyObligation.java
new file mode 100755
index 0000000..502c3fd
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/MatchAnyObligation.java
@@ -0,0 +1,25 @@
+package org.openliberty.openaz.pepapi;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Represents an Obligation criteria that matches any of the supplied Obligation ids.
+ * If no ids are provided, then any Obligation will be matched(catch-all).
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface MatchAnyObligation {
+
+ /**
+ *
+ * @return
+ */
+ String[] value() default {};
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Matchable.java
----------------------------------------------------------------------
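Review bot: The type comment contradicts itself: `Represents a union of Obligation Attribute match criterion` describes an OR, while the next sentence (`conjunctively matched`) and the name `MatchAll` describe an AND, and a handler author who reads only the first line will expect the wrong semantics. Reword to `Represents a set of Obligation Attribute match criteria that must all be satisfied; every criterion supplied is conjunctively matched by the framework.` and use `criteria` where the plural is meant. `value()` has an empty `@return`; `@return the attribute criteria, all of which must match` would do.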
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Matchable.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Matchable.java
new file mode 100755
index 0000000..554523f
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Matchable.java
@@ -0,0 +1,19 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * Interface that abstracts an object that can be matched. Concrete implementations provide a match() function.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ * @param <T>
+ */
+public interface Matchable<T> {
+
+ /**
+ * Returns a boolean result after matching the given Object
+ *
+ * @param t
+ * @return a <code>boolean</code> value
+ */
+ public boolean match(T t);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObjectMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObjectMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObjectMapper.java
new file mode 100755
index 0000000..0af85d9
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObjectMapper.java
@@ -0,0 +1,47 @@
+package org.openliberty.openaz.pepapi;
+
+
+
+/**
+ * Converts a Java Class (typically an application Domain Object) into request attributes of some Category.
+ * Applications are expected to provide only a single ObjectMapper instance per Domain Type.
+ *
+ * Typically, there is a one-to-one relationship between the Domain Type and Attribute Category. The interface, however, takes
+ * a general approach allowing a Domain Type to be mapped to multiple categories.
+ *
+ * The conversion for the most part involves obtaining a <code>CategoryAttributes</code> instance for a specific category from the
+ * request context and then mapping Object properties as name-value pairs using one of the overloaded <code>setAttribute</code>
+ * methods.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface ObjectMapper {
+
+ /**
+ * Returns a Class that represents the mapped domain type.
+ *
+ * @return a Class object
+ */
+ public Class<?> getMappedClass();
+
+ /**
+ * Maps Object properties to attributes
+ *
+ * @param o - an instance of the domain object to be mapped
+ * @param pepRequest - the current Request Context
+ */
+ public void map(Object o, PepRequest pepRequest);
+
+ /**
+ *
+ * @param mapperRegistry
+ */
+ public void setMapperRegistry(MapperRegistry mapperRegistry);
+
+ /**
+ *
+ * @param pepConfig
+ */
+ public void setPepConfig(PepConfig pepConfig);
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Obligation.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Obligation.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Obligation.java
new file mode 100755
index 0000000..76f3656
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Obligation.java
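Review bot: The type Javadoc refers to a `<code>CategoryAttributes</code>` instance and overloaded `<code>setAttribute</code>` methods, but the only container type in this commit is `CategoryContainer` and its mutators are the `addAttribute` overloads; the comment appears to predate a rename and will send implementors looking for types that do not exist. Update the two names, and fill in the empty Javadoc on `setMapperRegistry` and `setPepConfig` — at minimum who calls them (presumably the framework at registration time) and whether an implementation may rely on both having been called before `map()` is invoked.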
@@ -0,0 +1,44 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.Map;
+
+/**
+ * The Obligation interface provides access to an Obligation
+ * object implementation that contains a set of zero or more
+ * Attributes.
+ * <p>
+ * The Obligation has an id: {@link #getId()}
+ * <p>
+ * Each attribute has an id, as well, which are used as the key Strings
+ * of the Maps returned by method:
+ * <ul>
+ * <li>{@link #getAttributeMap()}</li>
+ * </ul>
+ * Each key String has an associated value, which can be an
+ * an array of Objects.
+ * <p>
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public interface Obligation {
+
+ /**
+ * Return the Id for this Obligation.
+ *
+ * @return a string containing the Id of this Obligation
+ */
+ public String getId();
+
+ /**
+ * Returns a Map of Obligation Attribute name,object-value-array pairs,
+ * indexed by name, where name is the AttributeId and the value
+ * is an array of one or more Object values of the "attribute"
+ * (where an array with length > 1 indicates a multi-valued attribute).
+ * <p>
+ * @return a Map of String (AttributeId name), Object array
+ * (Attribute values) pairs
+ */
+ public Map<String, Object[]> getAttributeMap();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandler.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandler.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandler.java
new file mode 100755
index 0000000..13cd008
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandler.java
@@ -0,0 +1,11 @@
+package org.openliberty.openaz.pepapi;
+
+
+/**
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface ObligationHandler extends Matchable<Obligation>, ObligationStoreAware {
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandlerRegistry.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandlerRegistry.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandlerRegistry.java
new file mode 100755
index 0000000..a76733f
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationHandlerRegistry.java
@@ -0,0 +1,20 @@
+package org.openliberty.openaz.pepapi;
+
+
+import java.util.Map;
+
+/**
+ * Abstraction for a Obligation Handler registration mechanism. Subclasses provide specific implementations.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ */
+public interface ObligationHandlerRegistry {
+
+ /**
+ * Returns a Map of <code>Matchable</code> implementations keyed by handler Class.
+ *
+ * @return
+ */
+ public Map<Class<?>, Matchable<Obligation>> getRegisteredHandlerMap();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationRouter.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationRouter.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationRouter.java
new file mode 100755
index 0000000..1d3b368
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationRouter.java
@@ -0,0 +1,18 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.Map;
+
+/**
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface ObligationRouter {
+
+ /**
+ *
+ * @param obligationMap
+ */
+ public void routeObligations(Map<String, Obligation> obligationMap);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStore.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStore.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStore.java
new file mode 100755
index 0000000..9b65f95
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStore.java
@@ -0,0 +1,27 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.Set;
+
+/**
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface ObligationStore {
+
+ /**
+ *
+ * @param oHandlerClass
+ * @return
+ */
+ public Set<Obligation> getHandlerObligations(Class<?> oHandlerClass);
+
+ /**
+ *
+ * @param oHandlerClass
+ * @param obligationId
+ * @return
+ */
+ public Obligation getHandlerObligationById(Class<?> oHandlerClass, String obligationId);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStoreAware.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStoreAware.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStoreAware.java
new file mode 100755
index 0000000..99a65a2
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/ObligationStoreAware.java
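Review bot: `getHandlerObligationById` does not document what happens when no obligation with `obligationId` is held for `oHandlerClass` — a null return or a `PepException` — and `getHandlerObligations` does not say whether it may return null rather than an empty `Set`; handlers that must enforce obligations will write different, and possibly wrong, null handling depending on the guess, and an obligation silently skipped is an enforcement gap. Add `@return the matching Obligation, or null if none is held for the handler` (or the corresponding `@throws`) to the first and `@return the obligations routed to the handler class, never null; empty if none` to the second, whichever the implementation actually guarantees. `ObligationRouter.routeObligations` in the same commit has the same empty Javadoc and should state whether an obligation matched by no handler is an error.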
@@ -0,0 +1,17 @@
+package org.openliberty.openaz.pepapi;
+
+
+/**
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface ObligationStoreAware {
+
+ /**
+ *
+ * @param oStore
+ */
+ public void setObligationStore(ObligationStore oStore);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgent.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgent.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgent.java
new file mode 100755
index 0000000..20b95fb
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgent.java
@@ -0,0 +1,89 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.List;
+
+/**
+ *
+ * Serves as the main entry point into the PepAPI framework. It coordinates authorization request creation, execution and
+ * response assemblage. Applications typically work with a single instance of PepAgent which is thread-safe.
+ *
+ * The <code>decide()</code> method, which provides the most general mechanism for authorization, accepts a collection of application Domain Objects,
+ * each with it's own <code>ObjectMapper</code> defined. The client application thus passes these Domain Objects directly, <code>decide()</code> uses
+ * reflection to determine their type, and then finds a type-specific mapper.
+ *
+ * This mechanism relies on application defined library of Object Mappers, one for each Domain Object that the client
+ * program expects to use in an authorization call.
+ *
+ * It is important to note that Java Primitives/Wrappers and other standard types(except Collections) are not supported out of the box.
+ * This is primarily because there is no sensible default mapping between a Java Standard Type and a XACML category and hence
+ * it's impossible for the framework to make a mapping decision at runtime. However, client applications may enforce their own rules as
+ * they see fit by providing Custom ObjectMapper(s) for these types.
+ *
+ * <code>simpleDecide()</code> method addresses the simplest of use cases where attributes involved are simple userId, actionId and resourceId Strings.
+ *
+ * <code>bulkDecide()</code> provides an abstraction for a MultiRequest, where in client applications may provide collection of Domain Object
+ * bindings/associations each of which map to individual requests. The method separates out Domain Object associations with multiple cardinality
+ * from the ones shared across requests.
+ *
+ * Thus, in a <code>bulkDecide()</code> call applications provide two sets of arguments:
+ * - a List of Domain Object bindings, each of which map to an individual request.
+ * - a collection of common Domain Objects shared across all requests.
+ *
+ * Specific AzService implementations(PDP Providers) may implement bulkDecide() as a XACML MultiRequest (Note: XACML Multi Decision Profile is optional)
+ * or as individual requests executed iteratively.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface PepAgent {
+
+
+ /**
+ * Returns a authorization decision for the given subjectId, actionId,
+ * resourceId Strings.
+ *
+ * @param subjectId
+ * @param actionId
+ * @param resourceId
+ * @return
+ * @throws PepException
+ * - if an appropriate ObjectMapper cannot be found.
+ * - if the underlying AzService instance/PDP throws an exception
+ * - if the PepAgent is configured to throw PepExceptions for "Indeterminate" or "Not Applicable" decisions.
+ * @throws IllegalArgumentException if any of the arguments are null
+ */
+ public PepResponse simpleDecide(String subjectId, String actionId, String resourceId);
+
+ /**
+ * Returns an authorization decision for the given collection of Domain Objects each with it's own
+ * ObjectMapper instance. Java Primitives/Wrappers or other Standard types (except Collections) are not supported
+ * out of the box. However, client applications may enforce their own rules as they see fit by providing Custom ObjectMapper(s)
+ * for these types.
+ *
+ * @param objects
+ * @return
+ * @throws PepException
+ * - if an appropriate ObjectMapper cannot be found.
+ * - if the underlying AzService instance/PDP throws an exception
+ * - if the PepAgent is configured to throw PepException for "Indeterminate" or "Not Applicable" decisions.
+ * @throws IllegalArgumentException if any of the arguments are null
+ */
+ public PepResponse decide(Object... objects);
+
+ /**
+ * Returns a PepResponse instance representing a collection of decisions, each of which corresponds to
+ * an association. Each association represents a specific instance of Domain Object binding. A typical example for an association
+ * would be an Action-Resource pair.
+ *
+ * @param associations a list of Domain Object bindings, each of which maps to a individual Request.
+ * @param objects a collection of common Domain Objects shared across all Requests.
+ * @return
+ * @throws PepException
+ * - if an appropriate ObjectMapper cannot be found.
+ * - if the underlying AzService instance/PDP throws an exception
+ * - if the PepAgent is configured to throw PepExceptions for "Indeterminate" or "Not Applicable" decisions.
+ * @throws IllegalArgumentException if any of the arguments are null
+ */
+ public List<PepResponse> bulkDecide(List<?> associations, Object... objects);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgentFactory.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgentFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgentFactory.java
new file mode 100755
index 0000000..3cb7601
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepAgentFactory.java
@@ -0,0 +1,16 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public interface PepAgentFactory {
+
+ /**
+ * Returns a PepAgent instance
+ *
+ * @return
+ */
+ public PepAgent getPepAgent();
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepConfig.java
----------------------------------------------------------------------
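Review bot: The type comment asserts `a single instance of PepAgent which is thread-safe`, but an interface cannot guarantee that; phrase it as a requirement on implementations — `Implementations must be thread-safe; applications typically share a single instance.` — so that a provider shipping a non-thread-safe agent is visibly breaking the contract rather than the comment merely being wrong. The three `@throws PepException` lists say the agent may be configured to throw for Indeterminate or Not Applicable decisions but do not say what a non-throwing configuration returns; add a sentence that the returned `PepResponse` must still be inspected, since presumably a normal return does not by itself mean Permit. Minor wording: `it's own` should be `its own` (twice) and `Returns a authorization` should be `Returns an authorization`.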
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepConfig.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepConfig.java
new file mode 100755
index 0000000..897c2f1
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepConfig.java
@@ -0,0 +1,51 @@
+package org.openliberty.openaz.pepapi;
+
+import java.util.List;
+
+/**
+ * @authors Ajith Nair, David Laurance, Darshak Kothari
+ */
+public interface PepConfig {
+
+ /**
+ *
+ * @return
+ */
+ public String getIssuer();
+
+ /**
+ *
+ * @return
+ */
+ public String getDefaultSubjectId();
+
+ /**
+ *
+ * @return
+ */
+ public String getDefaultResourceId();
+
+ /**
+ *
+ * @return
+ */
+ public String getDefaultActionId();
+
+ /**
+ *
+ * @return
+ */
+ public PepResponseBehavior getIndeterminateBehavior();
+
+ /**
+ *
+ * @return
+ */
+ public PepResponseBehavior getNotApplicableBehavior();
+
+ /**
+ *
+ * @return
+ */
+ public List<String> getMapperClassNames();
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepException.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepException.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepException.java
new file mode 100755
index 0000000..6f141d6
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepException.java
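Review bot: `@authors` is not a Javadoc tag; the tool will warn and drop it, so use `@author`. Every method has an empty Javadoc, and the two that matter most for safety are `getIndeterminateBehavior()` and `getNotApplicableBehavior()`, because they decide what the PEP does when the PDP could not reach a decision — a permissive setting there fails open. Document them explicitly, e.g. `@return how the agent treats an Indeterminate decision; implementations should default to the denying/throwing behaviour and require an explicit opt-in to treat it as permitted`, and mirror that for Not Applicable. `getMapperClassNames()` should also say whether the list may be null or empty, since the `MapperRegistry` is presumably populated from it.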
@@ -0,0 +1,66 @@
+/**
+ * Copyright 2009-2011 Oracle, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Authors:
+ * 1.1 (2011): Rich Levinson, Prateek Mishra (Oracle)
+ * 1.0 (2009): Josh Bregman, Rich Levinson, Prateek Mishra (Oracle)
+ * Contributor:
+ * Rich Levinson (Oracle)
+ */
+package org.openliberty.openaz.pepapi;
+
+/**
+ * The PepException is used to provide additional
+ * information to callers of the PepApi when
+ * exception conditions occur.
+ * <p>
+ * PepApi 1.1: now extends RuntimeException in order
+ * that users do not require try/catch blocks
+ * when using PepApi 1.1.
+ * <p>
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ */
+public class PepException extends RuntimeException {
+
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * Create a PepException containing a Throwable that
+ * specifies the cause of this PepException.
+ * @param cause
+ */
+ public PepException(Throwable cause) {
+ super(cause);
+ }
+
+ /**
+ * Create a PepException containing the message provided
+ * and a Throwable containing further information as to
+ * the cause of the PepException.
+ * @param message
+ * @param cause
+ */
+ public PepException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ /**
+ * Create a PepException containing the message provided.
+ * @param message
+ */
+ public PepException(String message) {
+ super(message);
+ }
+
+ public PepException() {super();}
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequest.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequest.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequest.java
new file mode 100755
index 0000000..fe7391c
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequest.java
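Review bot: The no-arg constructor `public PepException() {super();}` is the only constructor without Javadoc and is squeezed onto one line unlike its three siblings; `/** Create a PepException with no message or cause. */` followed by the usual three-line body keeps the class consistent. The `@param cause` and `@param message` tags on the other constructors are bare; a short phrase each (`@param cause the underlying failure`, `@param message detail for the caller`) completes them.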
@@ -0,0 +1,46 @@
+/**
+ * Copyright 2009-2011 Oracle, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Authors:
+ * (2014): Ajith Nair, David Laurance
+ * 1.1 (2011): Rich Levinson, Prateek Mishra (Oracle)
+ * 1.0 (2009): Josh Bregman, Rich Levinson, Prateek Mishra (Oracle)
+ * Contributor:
+ * Rich Levinson (Oracle)
+ */
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Request;
+
+/**
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public interface PepRequest {
+
+ /**
+ * Returns a PepRequestAttributes instance that represents the attribute category identified
+ * by the categoryIdentfier parameter.
+ *
+ * @param categoryIdentifier an identifier for a category
+ */
+ public PepRequestAttributes getPepRequestAttributes(Identifier categoryIdentifier);
+
+ /**
+ *
+ * @return
+ */
+ public Request getWrappedRequest();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestAttributes.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestAttributes.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestAttributes.java
new file mode 100755
index 0000000..b011e9b
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestAttributes.java
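Review bot: The Javadoc for `getPepRequestAttributes` misspells the parameter as `categoryIdentfier`, has no `@return`, and does not say what happens for a category not yet present on the request (a fresh container versus null), which a caller needs to know before calling `addAttribute` on the result. Suggested tags: `@param categoryIdentifier an identifier for a category` and `@return the PepRequestAttributes for that category`, with the missing-category behavior filled in from the implementation since it is not visible in this hunk. `getWrappedRequest()` has an empty description and empty `@return` as well.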
@@ -0,0 +1,128 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.RequestAttributes;
+
+import java.net.URI;
+import java.util.Date;
+
+/**
+ * Convenient wrapper around a RequestAttributes{@link com.att.research.xacml.api.RequestAttributes} instance,
+ * representing a collection of request attributes that belong to a particular category.
+ *
+ */
+public interface PepRequestAttributes {
+
+ /**
+ * Returns an Indentifier representing the attribute category that the PepRequestAttributes encapsulates
+ *
+ * @return Identifier
+ */
+ public Identifier getCategory();
+
+ /**
+ * Returns an id representing the xml:id
+ *
+ * @return Identifier
+ */
+ public String getId();
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * Date array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * a Date array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, Date... values);
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * String array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * a String array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, String... values);
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * Integer array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * an Integer array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, Integer... values);
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * Boolean array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * a Boolean array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, Boolean... values);
+
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * Long array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * a Long array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, Long... values);
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * Double array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string with a name to be used as AttributeId
+ * @param values
+ * a Double array to be used as AttributeValue(s)
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, Double...
values);
+
+ /**
+ * Creates and adds an attribute with the name as the AttributeId,
+ * URI array elements as AttributeValue(s) into the underlying attribute collection.
+ * The attribute will NOT be returned by the PDP in the response after request evaluation.
+ *
+ * @param name
+ * a string AttributeId of the attribute being set
+ * @param values
+ * a URI array to be used as AttributeValue(s
+ * @throws IllegalArgumentException if the array is null
+ */
+ public void addAttribute(String name, URI... values);
+
+ /**
+ *
+ * @return
+ */
+ public RequestAttributes getWrappedRequestAttributes();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestFactory.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestFactory.java
new file mode 100755
index 0000000..5b9a2ee
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepRequestFactory.java
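Review bot: `getId()` is declared to return `String` but its Javadoc says `@return Identifier`, and the summary above it reads `Indentifier`; the tag should read `@return the xml:id of this attribute collection as a String`. Every `addAttribute` overload documents only `@throws IllegalArgumentException if the array is null`, leaving the contract for a null or empty `name` unstated even though that name becomes the XACML AttributeId that policies match on — whether it is rejected or passed through is not visible here and should be documented. The URI overload's `@param values` text is missing its closing parenthesis (`AttributeValue(s`), and `getWrappedRequestAttributes()` has an empty description and empty `@return`.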
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2009-2011 Oracle, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Authors:
+ * 1.1 (2011): Rich Levinson, Prateek Mishra (Oracle)
+ * 1.0 (2009): Josh Bregman, Rich Levinson, Prateek Mishra (Oracle)
+ * Contributor:
+ * Rich Levinson (Oracle)
+ */
+package org.openliberty.openaz.pepapi;
+
+import java.util.List;
+
+/**
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public interface PepRequestFactory {
+
+ /**
+ *
+ * @return
+ * @throws org.openliberty.openaz.pepapi.PepException, if no ObjectMappers found.
+ * @throws IllegalArgumentException,, if any argument is null.
+ */
+ public PepRequest newPepRequest(Object[] objects);
+
+ /**
+ *
+ * @param associations
+ * @param objects
+ * @return
+ * @throws org.openliberty.openaz.pepapi.PepException, if ObjectMappers are not found.
+ * @throws IllegalArgumentException,, if the arguments are null.
+ */
+ public PepRequest newBulkPepRequest(List<?> associations, Object[] objects);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponse.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponse.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponse.java
new file mode 100755
index 0000000..b27ea6b
--- /dev/null
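Review bot: The `@throws` tags on both methods are malformed: `@throws org.openliberty.openaz.pepapi.PepException, if no ObjectMappers found.` puts a comma directly after the type and `@throws IllegalArgumentException,, if any argument is null.` has two, so Javadoc will not resolve the exception types cleanly. `newPepRequest(Object[] objects)` also lacks a `@param objects` line, and both methods have an empty description. Suggested form: `@throws PepException if no ObjectMapper is registered for one of the objects` and `@throws IllegalArgumentException if objects is null`.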
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponse.java 
@@ -0,0 +1,72 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.Attribute;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Result;
+
+import java.util.Collection;
+import java.util.Map;
+
+/**
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ */
+public interface PepResponse {
+
+ /**
+ * Returns the decision associated with the current result.
+ * @return true if the user was granted access to the resource,
+ * otherwise false
+ * @throws PepException if the {@link PepResponseBehavior}
+ * configured in the {@link PepResponseFactory}
+ * indicates that for the response should be thrown
+ */
+ public boolean allowed() throws PepException;
+
+ /**
+ * Return the set of {@link org.openliberty.openaz.pepapi.Obligation}s associated with the
+ * current result indexed by ObligationId.
+ * @return a Map of ObligationId, Obligation pairs
+ * @throws PepException
+ * @see org.openliberty.openaz.pepapi.Obligation#getId()
+ */
+ public Map<String, Obligation> getObligations() throws PepException;
+
+ /**
+ * Return the set of {@link org.openliberty.openaz.pepapi.Advice}s associated with the
+ * current result indexed by adviceId.
+ * @return a Map of adviceId, Advice pairs
+ * @throws PepException
+ * @see org.openliberty.openaz.pepapi.Advice#getId()
+ */
+ public Map<String, Advice> getAdvices() throws PepException;
+
+ /**
+ * Return the object association that is tied to the current
+ * result. The association is the same object that was
+ * used to create the PepRequest and may be used to
+ * correlate the PepResponse results with the association
+ * pairs that were used to create the PepRequest.
+ * @return an object that was used as the action-resource in the PepRequest
+ * @throws PepException
+ */
+ public Object getAssociation() throws PepException;
+
+ /**
+ *
+ * @return
+ */
+ public Collection<Attribute> getAttributes();
+
+ /**
+ *
+ * @return
+ */
+ public Map<Identifier, Collection<Attribute>> getAttributesByCategory();
+
+ /**
+ *
+ * @return
+ */
+ public Result getWrappedResult();
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseBehavior.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseBehavior.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseBehavior.java
new file mode 100755
index 0000000..ad1c70d
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseBehavior.java
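Review bot: The `@throws PepException` text on `allowed()` is garbled (`indicates that for the response should be thrown`), and because PepException extends RuntimeException in this commit, the `throws` clauses on `allowed()`, `getObligations()`, `getAdvices()` and `getAssociation()` do not oblige callers to handle it — a caller that lets the exception escape gets no compiler help distinguishing "denied" from "not evaluated", which the Javadoc should say. Suggested wording for `allowed()`: `@throws PepException (unchecked) if the PepResponseBehavior configured for this decision is THROW_EXCEPTION`. The other three `@throws PepException` tags give no condition at all, and `getAttributes()`, `getAttributesByCategory()` and `getWrappedResult()` have empty descriptions and `@return` tags.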
@@ -0,0 +1,22 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * This enum provides the options that can be set using the
+ * {@link org.openliberty.openaz.pepapi.PepResponseFactory} to determine the behavior when
+ * {@link org.openliberty.openaz.pepapi.PepResponse#allowed()} is called AND the
+ * decision is either Indeterminate or NotApplicable.
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public enum PepResponseBehavior {
+
+ /** The behavior is to allow (Permit) access by returning true when the condition for which this behavior is assigned occurs */
+ RETURN_YES,
+
+ /** The behavior is to disallow (Deny) access by returning false when the condition for which this behavior is assigned occurs */
+ RETURN_NO,
+
+ /** The behavior is to disallow (Deny) access by throwing a PepException when the condition for which this behavior is assigned occurs */
+ THROW_EXCEPTION
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseFactory.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseFactory.java
new file mode 100755
index 0000000..82b92c7
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseFactory.java
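Review bot: The class Javadoc says these options are set using `PepResponseFactory`, but in this commit PepResponseFactory exposes only `newPepResponse(Result)` while the behavior getters live on PepConfig (`getIndeterminateBehavior()` / `getNotApplicableBehavior()`), so the `{@link}` sends readers to the wrong type; `{@link PepConfig#getIndeterminateBehavior()}` and its NotApplicable twin would be accurate. The PepResponseFactory Javadoc in the following hunk has the same problem at larger scale — it describes per-status-code configuration, configurable defaults and an `org.openliberty.openaz.azapi.pep.*` package, none of which the one-method interface shows — and its single method has no Javadoc. Where the configured behavior is actually read (config versus factory implementation) is not visible here, so the links should be confirmed against the implementation before changing.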
@@ -0,0 +1,51 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.Result;
+
+/**
+ * Factory for creating and configuring <code>PepResponse</code>.
+ * <br>
+ * This class creates {@link org.openliberty.openaz.pepapi.PepResponse} objects and configures
+ * the behavior of how the <code>PepResponse</code> interprets the
+ * results from the AzService or any other PDP that is supported
+ * by an implementation of PepApi (org.openliberty.openaz.azapi.pep.*).
+ * <br>
+ * The {@link PepResponseBehavior} that is invoked when
+ * {@link org.openliberty.openaz.pepapi.PepResponse#allowed()} is called and the associated status code
+ * has been returned by the PDP and is being handled by the PepResponse
+ * provider impl, can be configured to be one of:
+ * <ul>
+ * <li>
+ * {@link org.openliberty.openaz.pepapi.PepResponse#allowed()} returns true (PERMIT: {@link PepResponseBehavior#RETURN_YES}),
+ * <li>
+ * {@link org.openliberty.openaz.pepapi.PepResponse#allowed()} returns false (DENY: {@link PepResponseBehavior#RETURN_NO}),
+ * <li>
+ * or{@link org.openliberty.openaz.pepapi.PepResponse#allowed()} throws an exception (DENY: {@link PepResponseBehavior#THROW_EXCEPTION}).
+ * </ul>
+ * <p>
+ * In general, a Permit returns true, and a Deny returns false,
+ * but there are also other types of returns, including
+ * NotApplicable and Indeterminate. The configuration is to
+ * specify for each of the 4 xacml-defined conditions, what
+ * the behavior will be. i.e. for each of the "special"
+ * conditions there is a choice to return either true (Permit),
+ * false (Deny), or throw an Exception.
+ * <p>
+ * In addition, PDP-specific status codes can be specified, such
+ * that when the impl detects one of the configured status codes
+ * has been returned, then the {@link PepResponseBehavior} configured
+ * for that status code will be returned.
+ * <p>
+ * Finally, a default {@link PepResponseBehavior} may be configured
+ * for any status code that has not been explicitly configured
+ * or does not have its own default provided by the impl. The
+ * default if the statusCode default has not been configured is
+ * {@link PepResponseBehavior#THROW_EXCEPTION}.
+ * <p>
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ */
+public interface PepResponseFactory {
+
+ public PepResponse newPepResponse(Result result);
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseType.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseType.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseType.java
new file mode 100755
index 0000000..09b6203
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PepResponseType.java
@@ -0,0 +1,25 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ */
+public enum PepResponseType {
+ /** The PepResponse returned for this query type will contain
+ * only the list of resource action associations that are
+ * allowed.
+ */
+ ONLY_ALLOWED_RESULTS,
+ /**
+ * The PepResponse returned for this query type will contain
+ * only the list of resource action associations that are
+ * denied.
+ */
+ ONLY_DENIED_RESULTS,
+ /** The PepResponse returned for this query type will contain
+ * the complete list of results for each resource action association
+ * that was requested, including allowed, denied, notapplicable,
+ * and indeterminate.
+ */
+ ALL_RESULTS;
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PostDecisionHandler.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PostDecisionHandler.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PostDecisionHandler.java
new file mode 100755
index 0000000..851f3a1
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PostDecisionHandler.java
@@ -0,0 +1,24 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * An interface that may be implemented to process the
+ * PepResponse that is returned from the main decide()
+ * call before the final results are returned to the user.
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public interface PostDecisionHandler {
+
+ /**
+ * This method is used to apply post-decision custom
+ * processing to the {@link org.openliberty.openaz.pepapi.PepResponse} after it has
+ * been returned.
+ *
+ * @param request
+ * @throws org.openliberty.openaz.pepapi.PepException
+ */
+ public void postDecide(PepRequest request, PepResponse response)
+ throws PepException;
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PreDecisionHandler.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PreDecisionHandler.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PreDecisionHandler.java
new file mode 100755
index 0000000..472c9e8
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/PreDecisionHandler.java
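Review bot: `postDecide` takes both `request` and `response` but its Javadoc lists only `@param request`, and the `@throws` tag carries no condition. Adding `@param response the PepResponse to post-process` and `@throws PepException if the handler rejects or cannot process the response` completes the contract; the description could also state whether a handler may alter the response or only inspect it, which the interface alone does not show.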
@@ -0,0 +1,23 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * An interface that can be used for preliminary processing
+ * of a PepRequest before it is actually submitted to the
+ * main decide() method.
+ *
+ * @author Josh Bregman, Rich Levinson, Prateek Mishra
+ *
+ */
+public interface PreDecisionHandler {
+
+ /**
+ * This method is used to apply preliminary custom
+ * processing to the {@link org.openliberty.openaz.pepapi.PepRequest} prior to its
+ * being submitted.
+ *
+ * @param request
+ * @throws org.openliberty.openaz.pepapi.PepException
+ */
+ public void preDecide(PepRequest request)
+ throws PepException;
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Resource.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Resource.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Resource.java
new file mode 100755
index 0000000..aa878d1
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Resource.java
@@ -0,0 +1,129 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.XACML3;
+
+import java.net.URI;
+import java.util.Date;
+
+/**
+ * Container class that maps attributes to predefined XACML Resource category.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public final class Resource extends CategoryContainer {
+
+ public static final String RESOURCE_ID_KEY = "RESOURCE_ID_KEY";
+
+ private Object resourceIdValue;
+
+ private Resource(){
+ super(XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
+ }
+
+ /**
+ * Creates a new Resource instance
+ *
+ * @return
+ */
+ public static Resource newInstance() {
+ return new Resource();
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given String value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(String resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given URI value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(URI resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given Long value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(Long resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given Double value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(Double resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given Boolean value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(Boolean resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Creates a new Resource instance containing a single default attribute with the given <code>java.util.Date</code> value.
+ *
+ * @param resourceIdValue
+ * @return
+ */
+ public static Resource newInstance(Date resourceIdValue) {
+ Resource r = new Resource();
+ r.resourceIdValue = resourceIdValue;
+ r.addAttribute(RESOURCE_ID_KEY, resourceIdValue);
+ return r;
+ }
+
+ /**
+ * Returns the value of the default resourceIdValue attribute
+ *
+ * @return
+ */
+ public Object getResourceIdValue() {
+ return resourceIdValue;
+ }
+
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder();
+ builder.append("resource-id value : " + resourceIdValue);
+ builder.append("\n");
+ builder.append(super.toString());
+ return builder.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Subject.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Subject.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Subject.java
new file mode 100755
index 0000000..011be09
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/Subject.java
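Review bot: `newInstance(Date resourceIdValue)` stores the caller's mutable `Date` in `resourceIdValue` and passes the same reference to `addAttribute`, so a caller that later mutates that Date changes what `getResourceIdValue()` reports after the container was built; `r.resourceIdValue = new Date(resourceIdValue.getTime());` closes the first half, and whether `CategoryContainer.addAttribute` also retains the reference is not visible in this hunk. Separately, Resource is declared `final` while Subject in the next hunk, which follows the identical newInstance/addAttribute pattern, is not — this looks accidental, and the class Javadoc should say which is intended. The `@param resourceIdValue` and `@return` tags on every overload are empty.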
@@ -0,0 +1,60 @@
+package org.openliberty.openaz.pepapi;
+
+import com.att.research.xacml.api.XACML3;
+
+/**
+ * Container class that maps attributes to predefined XACML AccessSubject category.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+public class Subject extends CategoryContainer {
+
+ public static final String SUBJECT_ID_KEY = "SUBJECT_ID_KEY";
+
+ private String subjectIdValue;
+
+ private Subject() {
+ super(XACML3.ID_SUBJECT_CATEGORY_ACCESS_SUBJECT);
+ }
+
+ /**
+ * Creates a new Subject instance
+ *
+ * @return
+ */
+ public static Subject newInstance() {
+ return new Subject();
+ }
+
+ /**
+ * Creates a new Subject instance containing a single default attribute with the given String value.
+ *
+ * @param subjectIdValue
+ * @return
+ */
+ public static Subject newInstance(String subjectIdValue) {
+ Subject s = new Subject();
+ s.subjectIdValue = subjectIdValue;
+ s.addAttribute(SUBJECT_ID_KEY, subjectIdValue);
+ return s;
+ }
+
+ /**
+ * Returns the value of the default subjectIdValue attribute
+ *
+ * @return
+ */
+ public String getSubjectIdValue() {
+ return subjectIdValue;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder builder = new StringBuilder();
+ builder.append("subject-id value : " + subjectIdValue);
+ builder.append("\n");
+ builder.append(super.toString());
+ return builder.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/UnhandleableObligationException.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/UnhandleableObligationException.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/UnhandleableObligationException.java
new file mode 100755
index 0000000..7c52cb6
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/UnhandleableObligationException.java
@@ -0,0 +1,27 @@
+package org.openliberty.openaz.pepapi;
+
+/**
+ * Runtime Exception thrown when the framework cannot find a registered handler to deal with the obligation.
+ *
+ * @author Ajith Nair, David Laurance, Darshak Kothari
+ *
+ */
+@SuppressWarnings("serial")
+public class UnhandleableObligationException extends RuntimeException {
+
+ public UnhandleableObligationException() {
+ super();
+ }
+
+ public UnhandleableObligationException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public UnhandleableObligationException(String message) {
+ super(message);
+ }
+
+ public UnhandleableObligationException(Throwable cause) {
+ super(cause);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/package.html ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/package.html b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/package.html
new file mode 100755
index 0000000..40d15ff
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/package.html
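Review bot: This class uses `@SuppressWarnings("serial")` where PepException, earlier in the same commit, declares `private static final long serialVersionUID = 1L;`; the two exception types in one package should follow one convention, and declaring the field is the less surprising of the two. The four constructors have no Javadoc; one-line summaries in the style PepException uses (`/** Create an UnhandleableObligationException containing the message provided. */`) would match.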
@@ -0,0 +1,75 @@ +<html> +<body> +The goal of this +<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/pep/package-summary.html" +>"PepApi interface package"</a> +is to provide a set of interfaces that provide a framework +that will simplify the creation of Policy Enforcement Points (PEPs) +that use an underlying authorization provider that is accessed through the +<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/package-summary.html" +>"AzApi"</a> package. +<p> +To accomplish this goal, the PepApi interface package provides a common +interface that applications and containers can use to make authorization +calls to possibly any kind of authorization provider that uses a +request/response interface. +<p> +To keep the common interface both flexible and easy to use, this +PepApi package makes some simplifying assumptions: + +<P> +<ul> + <li>An authorization request context can be one of three varieties: + <ul> + <li>A single request for authorization of a single action on + a single resource + <li>A bulk request that consists of multiple single requests. + <li>A query request that returns (in minimal or verbose form) + the set of decisions on all resources and actions within a "scope" + </ul> + <li>An authorization request consists of a single subject, + a single action, and a single resource, with an optional environment + <li>Most applications can represent the subject,action,resource as Strings. + <li>Most applications need the Date, Boolean, Double, Integer, String, Time and DateTime types of XACML + <li>All attributes have a single issuer + <li>Some applications need to represent the subject,action,resource as an object with attributes (i.e a Map) + <li>Some frameworks and containers needs to represent the subject,action,resources as native objects, and want to + use the same API as their applications. 
+ <li>An authorization response is primarily a yes/no decision + <li>Applications use obligations, and want to consume the attributes of the obligation as Strings. + +</ul> +</P> +The pep package is a simple layer on top of the azapi package. +All of the state is held inside of the classes in the azapi package. +This was done for both simplicity and to accommodate the creation of PEPs +that can benefit from the simpler API but may need a little more than the +above assumptions allow. +This additional capability is accomplished by being able to retrieve the +AzApiRequestContext from the PepRequest and being able to retrieve the +AzApiResponseContext from the PepResponse. +Since all of the state is in the azapi package, PEPs can just grab a +handle and continue building the request or processing the response. +<p> +Note: the "scope" of the PepApi has been conceptually expanded to +include non-AzApi authorization providers as well as AzApi-based +providers. This change has not impacted the PepApi, but it has impacted +how to most effectively conceptualize the implementations of PepApi. +<p> +The primary concept is to consider the +<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/package-summary.html" +>reference impl</a> +to be an application of a general framework, where this particular +instance the framework is being applied to an AzApi-packaged authorization +provider. In fact, the +<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/provider/SimpleConcreteSunXacmlService.html" +>"reference AzApi SunXacml PDP impl"</a>, +may be considered to be just such an "AzApi-packaged" provider. 
+<p>
+There is a tutorial provided with the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/package-summary.html#package_description"
+>PepApiImpl</a>
+package javadoc page that provides general guidelines for implementing a
+non-AzApi provider to be used by PepApi.
+</body>
+</html>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionMapper.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionMapper.java
new file mode 100755
index 0000000..be24376
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionMapper.java
@@ -0,0 +1,22 @@
+package org.openliberty.openaz.pepapi.std;
+
+
+import org.openliberty.openaz.pepapi.Action;
+
+/**
+ * Created by ajith on 12/11/14.
+ */
+public class ActionMapper extends CategoryContainerMapper {
+
+ public ActionMapper() {
+ super(Action.class);
+ }
+
+ @Override
+ protected String resolveAttributeId(String attributeId) {
+ if(attributeId.equals(Action.ACTION_ID_KEY)) {
+ return getPepConfig().getDefaultActionId();
+ }
+ return attributeId;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionResourcePairMapper.java ----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionResourcePairMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionResourcePairMapper.java
new file mode 100755
index 0000000..ff97b85
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ActionResourcePairMapper.java
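Review bot: `resolveAttributeId` dereferences `attributeId` first, so a null attribute id becomes a NullPointerException rather than falling through to the `return attributeId` path; reversing the comparison, `if (Action.ACTION_ID_KEY.equals(attributeId)) {`, handles it and reads the same. The class comment `Created by ajith on 12/11/14.` is IDE boilerplate and should describe the class, e.g. `Maps an Action container onto the XACML action category, substituting the configured default action id for ACTION_ID_KEY.` `getPepConfig()` and the base behavior are defined in CategoryContainerMapper, outside this hunk, so whether the config can still be unset when this runs is not visible here.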
@@ -0,0 +1,35 @@
+package org.openliberty.openaz.pepapi.std;
+
+
+import org.openliberty.openaz.pepapi.*;
+
+public final class ActionResourcePairMapper implements ObjectMapper {
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return ActionResourcePair.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ ActionResourcePair actionResource = (ActionResourcePair)o;
+ Object action = actionResource.getAction();
+ Object resource = actionResource.getResource();
+ mapperRegistry.getMapper(action.getClass()).map(action, pepRequest);
+ mapperRegistry.getMapper(resource.getClass()).map(resource, pepRequest);
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ArrayMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ArrayMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ArrayMapper.java
new file mode 100755
index 0000000..b614b15
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ArrayMapper.java
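Review bot: `map` calls `.map(...)` straight on the result of `mapperRegistry.getMapper(...)`, so an action or resource object of an unregistered type fails with a NullPointerException, whereas the ArrayMapper and CollectionMapper in this same commit check for a null mapper and throw `PepException` naming the class. A null `action` or `resource` likewise dies at `getClass()` with no indication of which half of the pair was bad. Suggest the sibling pattern for both lookups, e.g. `ObjectMapper m = mapperRegistry.getMapper(action.getClass()); if (m == null) { throw new PepException("Can't map an Object of class: " + action.getClass().getName()); }`. `pepConfig` is stored but never read; if the interface forces the setter, a one-line comment saying so would prevent it being flagged as an unused field.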
@@ -0,0 +1,46 @@
+package org.openliberty.openaz.pepapi.std;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.*;
+
+
+public final class ArrayMapper implements ObjectMapper {
+
+ private static final Log logger = LogFactory.getLog(ArrayMapper.class);
+
+ private PepConfig pepConfig;
+
+ private MapperRegistry mapperRegistry;
+
+ @Override
+ public Class<Object[]> getMappedClass() {
+ return Object[].class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ Object[] array = (Object[])o;
+ if(array != null && array.length > 0) {
+ ObjectMapper mapper = mapperRegistry.getMapper(array[0].getClass());
+ if(mapper != null) {
+ for(Object item: array) {
+ mapper.map(item, pepRequest);
+ }
+ }else {
+ logger.error("Can't map an Object of class: " + array[0].getClass().getName());
+ throw new PepException("Can't map an Object of class: " + array[0].getClass().getName());
+ }
+ }
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CategoryContainerMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CategoryContainerMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CategoryContainerMapper.java
new file mode 100755
index 0000000..115368f
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CategoryContainerMapper.java
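Review bot: `map` resolves a single mapper from `array[0].getClass()` and applies it to every element, so a heterogeneous `Object[]` (a Subject followed by a Resource, say) is mapped with the wrong mapper, and an array whose first element is null throws a NullPointerException before the error branch is reached. Resolving the mapper per item, as CollectionMapper in this commit already does, covers both cases and keeps the two classes consistent. A null or empty array is silently accepted here while the other mappers reject unmappable input; if that is intended, a comment `// null/empty arrays contribute nothing to the request` would make it explicit. The per-item form is shown below.
```java
    @Override
    public void map(Object o, PepRequest pepRequest) {
        Object[] array = (Object[]) o;
        if (array == null || array.length == 0) {
            return; // nothing to contribute to the request
        }
        for (Object item : array) {
            if (item == null) {
                throw new PepException("Null element in array argument");
            }
            ObjectMapper mapper = mapperRegistry.getMapper(item.getClass());
            if (mapper == null) {
                logger.error("Can't map an Object of class: " + item.getClass().getName());
                throw new PepException("Can't map an Object of class: " + item.getClass().getName());
            }
            mapper.map(item, pepRequest);
        }
    }
```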
@@ -0,0 +1,95 @@
+package org.openliberty.openaz.pepapi.std;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.*;
+
+import java.net.URI;
+import java.util.Date;
+import java.util.Map;
+import java.util.Map.Entry;
+
+
+public class CategoryContainerMapper implements ObjectMapper {
+
+ private static final Log logger = LogFactory.getLog(CategoryContainerMapper.class);
+
+ private Class<?> mappedClass;
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ public CategoryContainerMapper(Class<?> mappedClass) {
+ this.mappedClass = mappedClass;
+ }
+
+ @Override
+ public Class<?> getMappedClass() {
+ return this.mappedClass;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ CategoryContainer a = (CategoryContainer)o;
+ PepRequestAttributes pepRequestAttributes = pepRequest.getPepRequestAttributes(a.getCategoryIdentifier());
+ Map<String, Object[]> aMap = a.getAttributeMap();
+ if(aMap != null) {
+ for(Entry<String, Object[]> e: aMap.entrySet()) {
+ String attributeId = resolveAttributeId(e.getKey());
+ Object[] values = e.getValue();
+ if(values != null && values.length > 0) {
+ map(pepRequestAttributes, attributeId, values);
+ } else {
+ logger.error("No value assigned for attribute : " + attributeId);
+ throw new IllegalArgumentException("No or null value for attribute : " + attributeId);
+ }
+ }
+ }
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+
+ protected String resolveAttributeId(String attributeId) {
+ return attributeId;
+ }
+
+ private final void map(PepRequestAttributes pepRequestAttributes, String key, Object... values) {
+ Object value = values[0];
+ if (value instanceof String) {
+ pepRequestAttributes.addAttribute(key, (String[]) values);
+ } else if (value instanceof Long) {
+ pepRequestAttributes.addAttribute(key, (Long[]) values);
+ } else if (value instanceof Integer) {
+ pepRequestAttributes.addAttribute(key, (Integer[]) values);
+ } else if (value instanceof Double) {
+ pepRequestAttributes.addAttribute(key, (Double[]) values);
+ } else if (value instanceof Boolean) {
+ pepRequestAttributes.addAttribute(key, (Boolean[]) values);
+ } else if (value instanceof URI) {
+ pepRequestAttributes.addAttribute(key, (URI[]) values);
+ } else if (value instanceof Date) {
+ pepRequestAttributes.addAttribute(key, (Date[]) values);
+ }else {
+ logger.error("Type: " + value.getClass().getName() + " cannot be mapped for attribute: " + key);
+ throw new PepException("Can't map an object of class: " + value.getClass().getName());
+ }
+ }
+
+ protected PepConfig getPepConfig() {
+ return this.pepConfig;
+ }
+
+ protected MapperRegistry getMapperRegistry() {
+ return this.mapperRegistry;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CollectionMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CollectionMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CollectionMapper.java
new file mode 100755
index 0000000..dd6df7b
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/CollectionMapper.java
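Review bot: the private `map(PepRequestAttributes, String, Object...)` decides the cast from `values[0]` alone, which fails in two ways the error branch does not cover: a null first element reaches `value.getClass()` and throws a NullPointerException instead of the intended `PepException`, and casts like `(String[]) values` only succeed when the array's runtime component type really is `String[]` — an `Object[]` that merely holds strings throws ClassCastException. Whether `CategoryContainer.getAttributeMap()` guarantees typed arrays is not visible in this hunk; if it does, state the precondition on the method (`// values must be a typed array (String[], Long[], ...) as created by CategoryContainer.addAttribute`), and if not, build the typed array with `Arrays.copyOf(values, values.length, String[].class)` and friends instead of casting. The public `map` throws `IllegalArgumentException` for an empty value array while the private one throws `PepException` for an unsupported type; one exception type for "request could not be built" would be easier for callers to handle.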
@@ -0,0 +1,46 @@
+package org.openliberty.openaz.pepapi.std;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.*;
+
+import java.util.Collection;
+
+
+public final class CollectionMapper implements ObjectMapper {
+
+ private static final Log logger = LogFactory.getLog(CollectionMapper.class);
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return Collection.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ Collection<?> collection = (Collection<?>)o;
+ for(Object item: collection) {
+ ObjectMapper mapper = mapperRegistry.getMapper(item.getClass());
+ if(mapper != null) {
+ mapper.map(item, pepRequest);
+ }else {
+ logger.error("Can't map an Object of class: " + item.getClass().getName());
+ throw new PepException("Can't map an Object of class: " + item.getClass().getName());
+ }
+ }
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MatchAnyCriterion.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MatchAnyCriterion.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MatchAnyCriterion.java
new file mode 100755
index 0000000..9c11151
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MatchAnyCriterion.java
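Review bot: a null element in the collection reaches `item.getClass()` and throws a NullPointerException before the unmappable-class check, so the caller gets no hint which argument was bad; a guard at the top of the loop, `if (item == null) { throw new PepException("Null element in collection argument"); }`, puts it on the same footing as the existing error path. The failure is also logged at ERROR and then thrown, which double-reports once the caller logs the exception; carrying the class name in the exception message is enough. The class has no Javadoc; a summary such as `Maps each element of a {@link Collection} with the mapper registered for its runtime class.` would document the contract.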
@@ -0,0 +1,13 @@
+package org.openliberty.openaz.pepapi.std;
+
+
+import org.openliberty.openaz.pepapi.Obligation;
+
+public final class MatchAnyCriterion implements ObligationCriterion {
+
+ @Override
+ public boolean match(Obligation obligation) {
+ return true;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MultiRequest.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MultiRequest.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MultiRequest.java
new file mode 100755
index 0000000..f19836e
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/MultiRequest.java
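Review bot: the class has no Javadoc, and since it is the criterion that deliberately accepts every obligation (including a null argument, which `match` never dereferences), that is worth stating: `/** Obligation criterion that matches every obligation; use as the catch-all when all obligations of a response are to be handled. */`. Without it a reader has to open ObligationCriterion to learn whether returning true means the obligation is handled or skipped.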
@@ -0,0 +1,123 @@
+package org.openliberty.openaz.pepapi.std;
+
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Request;
+import com.att.research.xacml.api.RequestReference;
+import com.att.research.xacml.std.StdMutableRequest;
+import com.att.research.xacml.std.StdMutableRequestReference;
+import com.att.research.xacml.std.StdRequestAttributesReference;
+import org.openliberty.openaz.pepapi.*;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicInteger;
+
+/**
+ *
+ */
+final class MultiRequest implements PepRequest {
+
+ private static final String REQUEST_ATTR_ID_PREFIX = "attributes";
+
+ private final Map<Identifier, PepRequestAttributes> pepRequestAttributesMapByCategory;
+
+ private final MapperRegistry mapperRegistry;
+
+ private final PepConfig pepConfig;
+
+ private final Object[] sharedRequestObjects;
+
+ private List<?> associations;
+
+ private final AtomicInteger idCounter;
+
+ private final StdMutableRequest wrappedRequest;
+
+ private StdMutableRequestReference currentRequestReference;
+
+ private RequestReference sharedRequestReference;
+
+ static MultiRequest newInstance(PepConfig pepConfig, MapperRegistry mapperRegistry, List<?> associations, Object[] sharedRequestObjects) {
+ MultiRequest m = new MultiRequest(pepConfig, mapperRegistry, associations, sharedRequestObjects);
+ m.mapSharedRequestObjects();
+ m.mapAssociations();
+ return m;
+ }
+
+ private MultiRequest(PepConfig pepConfig, MapperRegistry mapperRegistry, List<?> associations, Object[] sharedRequestObjects) {
+ this.pepRequestAttributesMapByCategory = new HashMap<Identifier, PepRequestAttributes>();
+ this.sharedRequestObjects = sharedRequestObjects;
+ this.associations = associations;
+ this.mapperRegistry = mapperRegistry;
+ this.pepConfig = pepConfig;
+ this.idCounter = new AtomicInteger(1);
+ this.wrappedRequest = new StdMutableRequest();
+ this.currentRequestReference = new StdMutableRequestReference();
+ }
+
+ private void mapSharedRequestObjects() {
+ if(sharedRequestObjects == null) {
+ throw new IllegalArgumentException("One or more arguments are null");
+ }
+ for(Object o: sharedRequestObjects) {
+ if(o == null) {
+ throw new IllegalArgumentException("One or more arguments are null");
+ }
+ ObjectMapper mapper = mapperRegistry.getMapper(o.getClass());
+ if(mapper == null) {
+ throw new IllegalArgumentException("No mappers found for class: " + o.getClass().getName());
+ }
+ mapper.map(o, this);
+ }
+ //Collect
+ sharedRequestReference = currentRequestReference;
+ }
+
+ private void mapAssociations() {
+ if(associations == null) {
+ throw new IllegalArgumentException("One or more arguments are null");
+ }
+ for(Object association: associations) {
+ if(association == null) {
+ throw new IllegalArgumentException("One or more arguments are null");
+ }
+
+ //Prepare
+ pepRequestAttributesMapByCategory.clear();
+ currentRequestReference = new StdMutableRequestReference(sharedRequestReference.getAttributesReferences());
+ wrappedRequest.add(currentRequestReference);
+
+ //Map
+ ObjectMapper mapper = mapperRegistry.getMapper(association.getClass());
+ if(mapper == null) {
+ throw new IllegalArgumentException("No mappers found for class: " + association.getClass().getName());
+ }
+ mapper.map(association, this);
+ }
+ }
+
+ @Override
+ public PepRequestAttributes getPepRequestAttributes(Identifier categoryIdentifier) {
+ PepRequestAttributes pepRequestAttributes = pepRequestAttributesMapByCategory.get(categoryIdentifier);
+ if(pepRequestAttributes == null) {
+ String xmlId = generateRequestAttributesXmlId();
+ StdPepRequestAttributes p = new StdPepRequestAttributes(xmlId, categoryIdentifier);
+ p.setIssuer(pepConfig.getIssuer());
+ pepRequestAttributes = p;
+ pepRequestAttributesMapByCategory.put(categoryIdentifier, pepRequestAttributes);
+ wrappedRequest.add(pepRequestAttributes.getWrappedRequestAttributes());
+ currentRequestReference.add(new StdRequestAttributesReference(xmlId));
+ }
+ return pepRequestAttributes;
+ }
+
+ private String generateRequestAttributesXmlId() {
+ return REQUEST_ATTR_ID_PREFIX + idCounter.getAndIncrement();
+ }
+
+ @Override
+ public Request getWrappedRequest() {
+ return wrappedRequest;
+ }
+}
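Review bot: the class-level Javadoc at the top of the hunk is empty (`/** * */`), yet this class is where the XACML multi-request shape is assembled, so it should at least say that the shared objects are mapped once and their attribute references captured in `sharedRequestReference`, after which each association gets its own `RequestReference` seeded with those shared references plus its own attributes. The same message `"One or more arguments are null"` is thrown for a null `sharedRequestObjects` array, a null element of it, a null `associations` list and a null element of that, so a caller cannot tell which; naming the offending argument in each message costs nothing. `idCounter` being an `AtomicInteger` suggests concurrent use, but `pepRequestAttributesMapByCategory` is a plain `HashMap` mutated from `getPepRequestAttributes` and `currentRequestReference` is reassigned per association, so either a `// not thread-safe: built and consumed on a single thread` comment or a plain int counter would describe the class more honestly. If `associations` is empty, `wrappedRequest` ends up holding the shared attributes but no `RequestReference` at all; worth confirming that is an intended shape rather than something `newInstance` should reject.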
