http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java new file mode 100755 index 0000000..365c768 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java @@ -0,0 +1,224 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std; + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.URLConnection; +import java.text.ParseException; +import java.util.ArrayList; +import java.util.List; +import java.util.Properties; +import java.util.UUID; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import com.att.research.xacml.std.IdentifierImpl; +import com.att.research.xacml.std.StdStatusCode; +import com.att.research.xacml.std.StdVersion; +import com.att.research.xacml.std.dom.DOMStructureException; +import com.att.research.xacml.util.FactoryException; +import com.att.research.xacml.util.XACMLProperties; +import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm; +import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithmFactory; +import com.att.research.xacmlatt.pdp.policy.Policy; +import com.att.research.xacmlatt.pdp.policy.PolicyDef; +import com.att.research.xacmlatt.pdp.policy.PolicyFinder; +import com.att.research.xacmlatt.pdp.policy.PolicyFinderFactory; +import com.att.research.xacmlatt.pdp.policy.PolicySet; +import com.att.research.xacmlatt.pdp.policy.PolicySetChild; +import com.att.research.xacmlatt.pdp.policy.Target; +import com.att.research.xacmlatt.pdp.policy.dom.DOMPolicyDef; +import com.att.research.xacmlatt.pdp.util.ATTPDPProperties; +import com.google.common.base.Splitter; + +/** + * StdPolicyFinderFactory extends {@link com.att.research.xacmlatt.pdp.policy.PolicyFinderFactory} with the + * <code>getPolicyFinder</code> method to get a single instance of the {@link StdPolicyFinder}. The + * root {@link com.att.research.xacmlatt.pdp.policy.PolicyDef} is loaded from a file whose name is specified as a system property or + * in the $java.home/lib/xacml.properties property set. + * + * @author car + * @version $Revision: 1.3 $ + */ +public class StdPolicyFinderFactory extends PolicyFinderFactory { + public static final String PROP_FILE = ".file"; + public static final String PROP_URL = ".url"; + + private Log logger = LogFactory.getLog(this.getClass()); + private List<PolicyDef> rootPolicies; + private List<PolicyDef> referencedPolicies; + private boolean needsInit = true; + + /** + * Loads the <code>PolicyDef</code> for the given <code>String</code> identifier by looking first + * for a ".file" property associated with the ID and using that to load from a <code>File</code> and + * looking for a ".url" property associated with the ID and using that to load from a <code>URL</code>. + * + * @param policyId the <code>String</code> identifier for the policy + * @return a <code>PolicyDef</code> loaded from the given identifier + */ + protected PolicyDef loadPolicyDef(String policyId, Properties properties) { + String propLocation = properties.getProperty(policyId + PROP_FILE); + if (propLocation != null) { + File fileLocation = new File(propLocation); + if (!fileLocation.exists()) { + this.logger.error("Policy file " + fileLocation.getAbsolutePath() + " does not exist."); + } else if (!fileLocation.canRead()) { + this.logger.error("Policy file " + fileLocation.getAbsolutePath() + " cannot be read."); + } else { + try { + this.logger.info("Loading policy file " + fileLocation); + PolicyDef policyDef = DOMPolicyDef.load(fileLocation); + if (policyDef != null) { + return policyDef; + } + } catch (DOMStructureException ex) { + this.logger.error("Error loading policy file " + fileLocation.getAbsolutePath() + ": " + ex.getMessage(), ex); + return new Policy(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, ex.getMessage()); + } + } + } + + if ((propLocation = properties.getProperty(policyId + PROP_URL)) != null) { + InputStream is = null; + try { + URL url = new URL(propLocation); + URLConnection urlConnection = url.openConnection(); + this.logger.info("Loading policy file " + url.toString()); + is = urlConnection.getInputStream(); + PolicyDef policyDef = DOMPolicyDef.load(is); + if (policyDef != null) { + return policyDef; + } + } catch (MalformedURLException ex) { + this.logger.error("Invalid URL " + propLocation + ": " + ex.getMessage(), ex); + } catch (IOException ex) { + this.logger.error("IOException opening URL " + propLocation + ": " + ex.getMessage(), ex); + } catch (DOMStructureException ex) { + this.logger.error("Invalid Policy " + propLocation + ": " + ex.getMessage(), ex); + return new Policy(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, ex.getMessage()); + } finally { + if (is != null) { + try { + is.close(); + } catch (IOException e) { + this.logger.error("Exception closing InputStream for GET of url " + propLocation + " : " + e.getMessage() + " (May be memory leak)", e); + } + } + } + } + + this.logger.error("No known location for Policy " + policyId); + return null; + } + + /** + * Finds the identifiers for all of the policies referenced by the given property name in the + * <code>XACMLProperties</code> and loads them using the requested loading method. + * + * @param propertyName the <code>String</code> name of the property containing the list of policy identifiers + * @return a <code>List</code> of <code>PolicyDef</code>s loaded from the given property name + */ + protected List<PolicyDef> getPolicyDefs(String propertyName, Properties properties) { + String policyIds = properties.getProperty(propertyName); + if (policyIds == null || policyIds.length() == 0) { + return null; + } + + Iterable<String> policyIdArray = Splitter.on(',').trimResults().omitEmptyStrings().split(policyIds); + if (policyIdArray == null) { + return null; + } + + List<PolicyDef> listPolicyDefs = new ArrayList<PolicyDef>(); + for (String policyId : policyIdArray) { + PolicyDef policyDef = this.loadPolicyDef(policyId, properties); + if (policyDef != null) { + listPolicyDefs.add(policyDef); + } + } + return listPolicyDefs; + } + + protected synchronized void init(Properties properties) { + if (this.needsInit) { + // + // Check for property that combines root policies into one policyset + // + String combiningAlgorithm = properties.getProperty(ATTPDPProperties.PROP_POLICYFINDERFACTORY_COMBINEROOTPOLICIES); + if (combiningAlgorithm != null) { + try { + logger.info("Combining root policies with " + combiningAlgorithm); + // + // Find the combining algorithm + // + CombiningAlgorithm<PolicySetChild> algorithm = CombiningAlgorithmFactory.newInstance().getPolicyCombiningAlgorithm(new IdentifierImpl(combiningAlgorithm)); + // + // Create our root policy + // + PolicySet root = new PolicySet(); + root.setIdentifier(new IdentifierImpl(UUID.randomUUID().toString())); + root.setVersion(StdVersion.newInstance("1.0")); + root.setTarget(new Target()); + // + // Set the algorithm + // + root.setPolicyCombiningAlgorithm(algorithm); + // + // Load all our root policies + // + for (PolicyDef policy : this.getPolicyDefs(XACMLProperties.PROP_ROOTPOLICIES, properties)) { + root.addChild(policy); + } + // + // Set this policy as the root + // + this.rootPolicies = new ArrayList<>(); + this.rootPolicies.add(root); + } catch (FactoryException | ParseException e) { + logger.error("Failed to load Combining Algorithm Factory: " + e.getLocalizedMessage()); + } + } else { + this.rootPolicies = this.getPolicyDefs(XACMLProperties.PROP_ROOTPOLICIES, properties); + } + + this.referencedPolicies = this.getPolicyDefs(XACMLProperties.PROP_REFERENCEDPOLICIES, properties); + this.needsInit = false; + } + } + + public StdPolicyFinderFactory() { + } + + public StdPolicyFinderFactory(Properties properties) { + } + + @Override + public PolicyFinder getPolicyFinder() throws FactoryException { + try { + this.init(XACMLProperties.getProperties()); + } catch (IOException e) { + throw new FactoryException(e); + } + return new StdPolicyFinder(this.rootPolicies, this.referencedPolicies); + } + + @Override + public PolicyFinder getPolicyFinder(Properties properties) throws FactoryException { + this.init(properties); + return new StdPolicyFinder(this.rootPolicies, this.referencedPolicies, properties); + } +}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java new file mode 100755 index 0000000..0749a8e --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java @@ -0,0 +1,52 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std; + +import com.att.research.xacml.api.Status; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacmlatt.pdp.policy.PolicyDef; +import com.att.research.xacmlatt.pdp.policy.PolicyFinderResult; + +/** + * StdPolicyFinderResult implements the {@link com.att.research.xacmlatt.pdp.policy.PolicyFinderResult} interface. + * + * @author car + * @version $Revision: 1.1 $ + * @param <T> the java class extending {@link com.att.research.xacmlatt.pdp.policy.PolicyDef} held by the <code>StdPolicyFinderResult</code> + */ +public class StdPolicyFinderResult<T extends PolicyDef> implements PolicyFinderResult<T> { + private Status status; + private T policyDef; + + public StdPolicyFinderResult(Status statusIn, T policyDefIn) { + this.status = (statusIn == null ? StdStatus.STATUS_OK : statusIn); + this.policyDef = policyDefIn; + } + + public StdPolicyFinderResult(Status statusIn) { + this(statusIn, null); + } + + public StdPolicyFinderResult(T policyDefIn) { + this(null, policyDefIn); + } + + @Override + public Status getStatus() { + return this.status; + } + + @Override + public T getPolicyDef() { + return this.policyDef; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java new file mode 100755 index 0000000..ff394ee --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java @@ -0,0 +1,19 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std; + +import com.att.research.xacmlatt.pdp.util.ATTPDPProperties; + +public class StdProperties extends ATTPDPProperties { + protected StdProperties() { + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java new file mode 100755 index 0000000..c24d2c2 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java @@ -0,0 +1,117 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2015 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * @author pameladragosh + * + * This algorithm was created to support combining a collection of policies in which the permit's are combined into one decision. PermitOverrides + * itself will stop once a Permit is found. However, some policy makers want every policy in a policy set to be visited by the PDP engine. + * The result of all the Permits that were found are then combined and returned. If no Permits were found then the result is the same semantics as + * the PermitOverrides combining algorithm. + * + * @param <T> + */ +public class CombinedPermitOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public CombinedPermitOverrides(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, + List<CombiningElement<T>> elements, + List<CombinerParameter> combinerParameters) + throws EvaluationException { + boolean atLeastOneDeny = false; + boolean atLeastOnePermit = false; + + EvaluationResult combinedResultDeny = new EvaluationResult(Decision.DENY); + EvaluationResult combinedResultPermit = new EvaluationResult(Decision.PERMIT); + + EvaluationResult firstIndeterminateD = null; + EvaluationResult firstIndeterminateP = null; + EvaluationResult firstIndeterminateDP = null; + + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + atLeastOneDeny = true; + combinedResultDeny.merge(evaluationResultElement); + break; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + if (firstIndeterminateDP == null) { + firstIndeterminateDP = evaluationResultElement; + } else { + firstIndeterminateDP.merge(evaluationResultElement); + } + break; + case INDETERMINATE_DENY: + if (firstIndeterminateD == null) { + firstIndeterminateD = evaluationResultElement; + } else { + firstIndeterminateD.merge(evaluationResultElement); + } + break; + case INDETERMINATE_PERMIT: + if (firstIndeterminateP == null) { + firstIndeterminateP = evaluationResultElement; + } else { + firstIndeterminateP.merge(evaluationResultElement); + } + break; + case NOTAPPLICABLE: + break; + case PERMIT: + atLeastOnePermit = true; + combinedResultPermit.merge(evaluationResultElement); + break; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (atLeastOnePermit) { + return combinedResultPermit; + } + if (firstIndeterminateDP != null) { + return firstIndeterminateDP; + } else if (firstIndeterminateP != null && (firstIndeterminateD != null || atLeastOneDeny)) { + return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus()); + } else if (firstIndeterminateP != null) { + return firstIndeterminateP; + } else if (atLeastOneDeny) { + return combinedResultDeny; + } else if (firstIndeterminateD != null) { + return firstIndeterminateD; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java new file mode 100755 index 0000000..4993a98 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java @@ -0,0 +1,40 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm; + +public abstract class CombiningAlgorithmBase<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> implements CombiningAlgorithm<T> { + private Identifier id; + + public CombiningAlgorithmBase(Identifier identifierIn) { + this.id = identifierIn; + } + + @Override + public Identifier getId() { + return this.id; + } + + @Override + public String toString() { + StringBuilder stringBuilder = new StringBuilder("{"); + + Object objectToDump; + if ((objectToDump = this.getId()) != null) { + stringBuilder.append("id="); + stringBuilder.append(objectToDump.toString()); + } + stringBuilder.append('}'); + return stringBuilder.toString(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java new file mode 100755 index 0000000..207ec61 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java @@ -0,0 +1,105 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * DenyOverrides implements the XACML 3.0 "deny-overrides" combining algorithm for both policies and rules. + * + * @author car + * + * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable} + * @param <U> the java class for the identifier + */ +public class DenyOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public DenyOverrides(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + boolean atLeastOnePermit = false; + + EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT); + + EvaluationResult firstIndeterminateD = null; + EvaluationResult firstIndeterminateP = null; + EvaluationResult firstIndeterminateDP = null; + + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + return evaluationResultElement; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + if (firstIndeterminateDP == null) { + firstIndeterminateDP = evaluationResultElement; + } else { + firstIndeterminateDP.merge(evaluationResultElement); + } + break; + case INDETERMINATE_DENY: + if (firstIndeterminateD == null) { + firstIndeterminateD = evaluationResultElement; + } else { + firstIndeterminateD.merge(evaluationResultElement); + } + break; + case INDETERMINATE_PERMIT: + if (firstIndeterminateP == null) { + firstIndeterminateP = evaluationResultElement; + } else { + firstIndeterminateP.merge(evaluationResultElement); + } + break; + case NOTAPPLICABLE: + break; + case PERMIT: + atLeastOnePermit = true; + combinedResult.merge(evaluationResultElement); + break; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (firstIndeterminateDP != null) { + return firstIndeterminateDP; + } else if (firstIndeterminateD != null && (firstIndeterminateP != null || atLeastOnePermit)) { + return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus()); + } else if (firstIndeterminateD != null) { + return firstIndeterminateD; + } else if (atLeastOnePermit) { + return combinedResult; + } else if (firstIndeterminateP != null) { + return firstIndeterminateP; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java new file mode 100755 index 0000000..4c241e6 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java @@ -0,0 +1,68 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * DenyUnlessPermit implements the XACML 3.0 "deny-unless-permit" combining algorithm for both policies and rules. + * + * @author car + * + * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable} + * @param <U> the java class for the identifier + */ +public class DenyUnlessPermit<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public DenyUnlessPermit(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + EvaluationResult combinedResult = new EvaluationResult(Decision.DENY); + + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + combinedResult.merge(evaluationResultElement); + break; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_DENY: + case INDETERMINATE_PERMIT: + case NOTAPPLICABLE: + break; + case PERMIT: + return evaluationResultElement; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + return combinedResult; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java new file mode 100755 index 0000000..02402a5 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java @@ -0,0 +1,58 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * PermitOverrides extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the + * XACML 1.0 "first-applicable" combining algorithm for policies and rules. + * + * @author car + * @version $Revision: 1.1 $ + * + * @param <T> the java class of the object to be combined + */ +public class FirstApplicable<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public FirstApplicable(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, + List<CombiningElement<T>> elements, + List<CombinerParameter> combinerParameters) + throws EvaluationException { + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + if (evaluationResultElement.getDecision() != Decision.NOTAPPLICABLE) { + return evaluationResultElement; + } + } + + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java new file mode 100755 index 0000000..e990b6a --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java @@ -0,0 +1,78 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; +import com.att.research.xacmlatt.pdp.policy.PolicySetChild; + +/** + * DenyOverrides implements the XACML 1.0 "deny-overrides" combining algorithm for policies and policy sets. + * + * @author car + * + * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable} + * @param <U> the java class for the identifier + */ +public class LegacyDenyOverridesPolicy extends CombiningAlgorithmBase<PolicySetChild> { + + public LegacyDenyOverridesPolicy(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<PolicySetChild>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + boolean atLeastOnePermit = false; + + EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT); + + Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<PolicySetChild> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + return evaluationResultElement; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_DENY: + case INDETERMINATE_PERMIT: + return new EvaluationResult(Decision.DENY, StdStatus.STATUS_OK); + case NOTAPPLICABLE: + break; + case PERMIT: + atLeastOnePermit = true; + combinedResult.merge(evaluationResultElement); + break; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (atLeastOnePermit) { + return combinedResult; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java new file mode 100755 index 0000000..68e156a --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java @@ -0,0 +1,91 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; +import com.att.research.xacmlatt.pdp.policy.Rule; +import com.att.research.xacmlatt.pdp.policy.RuleEffect; + +/** + * DenyOverrides implements the XACML 1.0 "deny-overrides" combining algorithm for rules. + * + * @author car + * + * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable} + * @param <U> the java class for the identifier + */ +public class LegacyDenyOverridesRule extends CombiningAlgorithmBase<Rule> { + + public LegacyDenyOverridesRule(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<Rule>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + boolean atLeastOnePermit = false; + boolean potentialDeny = false; + + EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT); + EvaluationResult evaluationResultIndeterminate = null; + + Iterator<CombiningElement<Rule>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<Rule> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + return evaluationResultElement; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_DENY: + case INDETERMINATE_PERMIT: + if (evaluationResultIndeterminate == null) { + evaluationResultIndeterminate = evaluationResultElement; + } else { + evaluationResultIndeterminate.merge(evaluationResultElement); + } + if (combiningElement.getEvaluatable().getRuleEffect() == RuleEffect.DENY) { + potentialDeny = true; + } + case NOTAPPLICABLE: + break; + case PERMIT: + atLeastOnePermit = true; + combinedResult.merge(evaluationResultElement); + break; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (potentialDeny) { + return evaluationResultIndeterminate; + } else if (atLeastOnePermit) { + return combinedResult; + } else if (evaluationResultIndeterminate != null) { + return evaluationResultIndeterminate; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java new file mode 100755 index 0000000..43ed569 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java @@ -0,0 +1,85 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; +import com.att.research.xacmlatt.pdp.policy.PolicySetChild; + +/** + * LegacyPermitOverridesPolicy extends {@link com.att.research.xacmlatt.pdp.policy.combiners.CombiningAlgorithmBase} for + * {@link com.att.research.xacmlatt.pdp.policy.PolicySetChild} elements implementing the XACML 1.0 permit-overrides policy combining algorithm. + * + * @author car + * @version $Revision: 1.1 $ + */ +public class LegacyPermitOverridesPolicy extends CombiningAlgorithmBase<PolicySetChild> { + + public LegacyPermitOverridesPolicy(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<PolicySetChild>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + boolean atLeastOneDeny = false; + + EvaluationResult evaluationResultCombined = new EvaluationResult(Decision.DENY); + EvaluationResult evaluationResultIndeterminate = null; + + Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<PolicySetChild> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + atLeastOneDeny = true; + evaluationResultCombined.merge(evaluationResultElement); + break; + case INDETERMINATE: + case INDETERMINATE_DENY: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_PERMIT: + if (evaluationResultIndeterminate == null) { + evaluationResultIndeterminate = evaluationResultElement; + } else { + evaluationResultIndeterminate.merge(evaluationResultElement); + } + break; + case NOTAPPLICABLE: + break; + case PERMIT: + return evaluationResultElement; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + + } + + if (atLeastOneDeny) { + return evaluationResultCombined; + } else if (evaluationResultIndeterminate != null) { + return evaluationResultIndeterminate; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java new file mode 100755 index 0000000..446ff35 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java @@ -0,0 +1,91 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; +import com.att.research.xacmlatt.pdp.policy.Rule; +import com.att.research.xacmlatt.pdp.policy.RuleEffect; + +/** + * LegacyPermitOverridesRule extends {@link com.att.research.xacmlatt.pdp.policy.combiners.CombiningAlgorithmBase} for + * {@link com.att.research.xacmlatt.pdp.policy.Rule}s to implement the XACML 1.0 permit-overrides rule combining algorithm. + * + * @author car + * @version $Revision: 1.1 $ + */ +public class LegacyPermitOverridesRule extends CombiningAlgorithmBase<Rule> { + + public LegacyPermitOverridesRule(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<Rule>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + boolean atLeastOneDeny = false; + boolean potentialPermit = false; + + EvaluationResult evaluationResultCombined = new EvaluationResult(Decision.DENY); + EvaluationResult evaluationResultIndeterminate = null; + + Iterator<CombiningElement<Rule>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<Rule> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + atLeastOneDeny = true; + evaluationResultCombined.merge(evaluationResultElement); + break; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_DENY: + case INDETERMINATE_PERMIT: + if (evaluationResultIndeterminate == null) { + evaluationResultIndeterminate = evaluationResultElement; + } else { + evaluationResultIndeterminate.merge(evaluationResultElement); + } + if (combiningElement.getEvaluatable().getRuleEffect() == RuleEffect.PERMIT) { + potentialPermit = true; + } + break; + case NOTAPPLICABLE: + break; + case PERMIT: + return evaluationResultElement; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (potentialPermit) { + return evaluationResultIndeterminate; + } else if (atLeastOneDeny) { + return evaluationResultCombined; + } else if (evaluationResultIndeterminate != null) { + return evaluationResultIndeterminate; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java new file mode 100755 index 0000000..f5f8f35 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java @@ -0,0 +1,78 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacml.std.StdStatusCode; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.eval.MatchResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; +import com.att.research.xacmlatt.pdp.policy.PolicySetChild; + +/** + * OnlyOneApplicable extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the + * XACML 1.0 "only-one-applicable" combining algorithm for policies and rules. + * + * @author car + * @version $Revision: 1.1 $ + * + * @param <T> the java class of the object to be combined + */ +public class OnlyOneApplicable extends CombiningAlgorithmBase<PolicySetChild> { + + public OnlyOneApplicable(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, + List<CombiningElement<PolicySetChild>> elements, + List<CombinerParameter> combinerParameters) + throws EvaluationException { + Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator(); + PolicySetChild policySetChildApplicable = null; + while (iterElements.hasNext()) { + CombiningElement<PolicySetChild> combiningElement = iterElements.next(); + MatchResult matchResultElement = combiningElement.getEvaluatable().match(evaluationContext); + + switch(matchResultElement.getMatchCode()) { + case INDETERMINATE: + return new EvaluationResult(Decision.INDETERMINATE, matchResultElement.getStatus()); + case MATCH: + if (policySetChildApplicable == null) { + policySetChildApplicable = combiningElement.getEvaluatable(); + } else { + return new EvaluationResult(Decision.INDETERMINATE, new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "More than one applicable policy")); + } + break; + case NOMATCH: + break; + default: + throw new EvaluationException("Illegal Decision: \"" + matchResultElement.getMatchCode().toString()); + } + } + + if (policySetChildApplicable != null) { + return policySetChildApplicable.evaluate(evaluationContext); + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java new file mode 100755 index 0000000..ef34403 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java @@ -0,0 +1,109 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * PermitOverrides extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the + * XACML 3.0 Permit-overrides combining algorithm for policies and rules. + * + * @author car + * @version $Revision: 1.1 $ + * + * @param <T> the java class of the object to be combined + */ +public class PermitOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public PermitOverrides(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, + List<CombiningElement<T>> elements, + List<CombinerParameter> combinerParameters) + throws EvaluationException { + boolean atLeastOneDeny = false; + + EvaluationResult combinedResult = new EvaluationResult(Decision.DENY); + + EvaluationResult firstIndeterminateD = null; + EvaluationResult firstIndeterminateP = null; + EvaluationResult firstIndeterminateDP = null; + + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + atLeastOneDeny = true; + combinedResult.merge(evaluationResultElement); + break; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + if (firstIndeterminateDP == null) { + firstIndeterminateDP = evaluationResultElement; + } else { + firstIndeterminateDP.merge(evaluationResultElement); + } + break; + case INDETERMINATE_DENY: + if (firstIndeterminateD == null) { + firstIndeterminateD = evaluationResultElement; + } else { + firstIndeterminateD.merge(evaluationResultElement); + } + break; + case INDETERMINATE_PERMIT: + if (firstIndeterminateP == null) { + firstIndeterminateP = evaluationResultElement; + } else { + firstIndeterminateP.merge(evaluationResultElement); + } + break; + case NOTAPPLICABLE: + break; + case PERMIT: + return evaluationResultElement; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + if (firstIndeterminateDP != null) { + return firstIndeterminateDP; + } else if (firstIndeterminateP != null && (firstIndeterminateD != null || atLeastOneDeny)) { + return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus()); + } else if (firstIndeterminateP != null) { + return firstIndeterminateP; + } else if (atLeastOneDeny) { + return combinedResult; + } else if (firstIndeterminateD != null) { + return firstIndeterminateD; + } else { + return new EvaluationResult(Decision.NOTAPPLICABLE); + } + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java new file mode 100755 index 0000000..b1b0ee0 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java @@ -0,0 +1,69 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.combiners; + +import java.util.Iterator; +import java.util.List; + +import com.att.research.xacml.api.Decision; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.eval.EvaluationException; +import com.att.research.xacmlatt.pdp.eval.EvaluationResult; +import com.att.research.xacmlatt.pdp.policy.CombinerParameter; +import com.att.research.xacmlatt.pdp.policy.CombiningElement; + +/** + * PermitUnlessDeny implements the XACML 3.0 "permit-unless-deny" combining algorithm for both policies and rules. + * + * @author car + * + * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable} + * @param <U> the java class for the identifier + */ +public class PermitUnlessDeny<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> { + + public PermitUnlessDeny(Identifier identifierIn) { + super(identifierIn); + } + + @Override + public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException { + EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT); + + Iterator<CombiningElement<T>> iterElements = elements.iterator(); + while (iterElements.hasNext()) { + CombiningElement<T> combiningElement = iterElements.next(); + EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext); + + assert(evaluationResultElement != null); + switch(evaluationResultElement.getDecision()) { + case DENY: + return evaluationResultElement; + case INDETERMINATE: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_DENY: + case INDETERMINATE_PERMIT: + break; + case NOTAPPLICABLE: + break; + case PERMIT: + combinedResult.merge(evaluationResultElement); + break; + default: + throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString()); + } + } + + return combinedResult; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java new file mode 100755 index 0000000..db6b8f4 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java @@ -0,0 +1,20 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ + +package com.att.research.xacmlatt.pdp.std.combiners; + +/** + * com.att.research.xacmlatt.pdp.std.combiners contains implementations of the {@link com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm} + * interface. + * + * @author car + * @version $Revision: 1.1 $ + */ http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java new file mode 100755 index 0000000..9b81539 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java @@ -0,0 +1,204 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.functions; + +import com.att.research.xacml.api.AttributeValue; +import com.att.research.xacml.api.DataType; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.api.Status; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacml.std.StdStatusCode; +import com.att.research.xacmlatt.pdp.policy.Bag; +import com.att.research.xacmlatt.pdp.policy.FunctionArgument; + +/** + * A ConvertedArgument is the result of processing an {@link com.att.research.xacmlatt.pdp.policy.FunctionArgument} + * to validate its correctness and to convert it into an object of the required type. + * It is returned by the <code>validateArguments</code> method in + * {@link com.att.research.xacmlatt.pdp.std.functions.FunctionDefinitionHomogeneousSimple} + * and should only be used by other Functions in that same package. + * This is a data holder with no processing. + * It contains two elements: + * <UL> + * <LI> + * A {@link com.att.research.xacml.api.Status} object, and + * <LI> + * An object containing the value of the FunctionArgument processed by validateArguments. + * This object will only exist if status.isOk() (or the isOk() method in this class that calls status.isOk()) is true. + * </UL> + * + * + * @author glenngriffin + * + */ +public class ConvertedArgument<I> { + + // When status != Status.OK, the value is null + private Status status; + + // This is non-null when status == Status.OK + private I value = null; + + /** + * Constructor ensures we have a non-null status, though value will be null if status is not ok. + * + * @param s + * @param v + */ + public ConvertedArgument(Status s, I v) { + status = s; + if (s == null) { + throw new IllegalArgumentException("Status of argument cannot be null"); + } + if (s.isOk()) { + // only set value if status is ok + value = v; + } + } + + /** + * Get the Status object + * + * @return + */ + public Status getStatus() { + return status; + } + + + /** + * Convenience method that directly returns the isOk() state from the status object. + * + * @return + */ + public boolean isOk() { + return status.isOk(); + } + + + /** + * Get the value object. This may be a Bag. + * + * @return + */ + public I getValue() { + return value; + } + + + /** + * Get the value as a Bag. (convenience method) + * + * @return + */ + public Bag getBag() { + return (Bag)value; + } + + + /** + * Returns a shortened version of the given DataType Id, primarily for use with error messages to prevent them from becoming too long. + * This is a simple convenience method to reduce code bloat. + * + * @param identifier expected to have '#' in it, and if no '#' should have ":data-type:" + * @return + */ + public String getShortDataTypeId(Identifier identifier) { + String idString = identifier.stringValue(); + int index = idString.indexOf("#"); + if (index < 0) { + index = idString.indexOf(":data-type:"); + if (index < 0) { + return idString; + } else { + return idString.substring(index + 11); + } + } else { + return idString.substring(index+1); + } + } + + + + /** + * Evaluates the given <code>FunctionArgument</code> and validates that it has the correct <code>DataType</code>. + * The returned object will be either: + * <UL> + * <LI> + * A Status Object indicating an error condition, or + * <LI> + * An Object of the appropriate type containing the value of the function. + * In this case the caller should assume that the Status is Status.OK. + * Note that the object may be a bag if that is what the caller expected. + * </UL> + * + * + * @param listFunctionArguments the <code>List</code> of <code>FunctionArgument</code>s to validate + * @param convertedValues the <code>List</code> of <code>U</code> that the converted value is added to. + * @return a {@link com.att.research.xacml.api.Status} indication with an error if the arguments are not valid, + * or an object of the correct DataType containing the value. + */ + @SuppressWarnings("unchecked") // to suppress warning on bag conversion + public ConvertedArgument(FunctionArgument functionArgument, DataType<I> expectedDataType, boolean expectBag) { + + if (functionArgument == null ) { + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Got null argument"); + return; + } + if ( ! functionArgument.isOk()) { + status = functionArgument.getStatus(); + return; + } + + // bags are valid arguments for some functions + if (expectBag) { + if ( ! functionArgument.isBag()) { + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected a bag, saw a simple value"); + return; + } + + Bag bag = functionArgument.getBag(); + value = (I) bag; + status = StdStatus.STATUS_OK; + return; + } + + // argument should not be a bag + if (functionArgument.isBag()) { + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected a simple value, saw a bag"); + return; + } + AttributeValue<?> attributeValue = functionArgument.getValue(); + if (attributeValue == null || attributeValue.getValue() == null) { + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Got null attribute"); + return; + } + if ( ! attributeValue.getDataTypeId().equals(expectedDataType.getId())) { + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected data type '" + + getShortDataTypeId(expectedDataType.getId()) + "' saw '" + getShortDataTypeId(attributeValue.getDataTypeId()) + "'"); + return; + } + + try { + value = expectedDataType.convert(attributeValue.getValue()); + status = StdStatus.STATUS_OK; + } catch (Exception e) { + String message = e.getMessage(); + if (e.getCause() != null) { + message = e.getCause().getMessage(); + } + status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, message); + } + } + + + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java new file mode 100755 index 0000000..c8109ce --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java @@ -0,0 +1,198 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.functions; + + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.net.URI; +import java.util.List; + +import javax.xml.parsers.DocumentBuilderFactory; + +import org.w3c.dom.Node; + +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.api.Request; +import com.att.research.xacml.api.RequestAttributes; +import com.att.research.xacml.std.StdRequest; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacml.std.StdStatusCode; +import com.att.research.xacml.std.datatypes.DataTypes; +import com.att.research.xacml.std.dom.DOMRequestAttributes; +import com.att.research.xacml.std.dom.DOMStructureException; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.policy.ExpressionResult; +import com.att.research.xacmlatt.pdp.policy.FunctionArgument; + +/** + * FunctionDefinitionAccessPermitted implements {@link com.att.research.xacmlatt.pdp.policy.FunctionDefinition} to + * implement the XACML access-permitted predicate. + * + * WARNING: This code is unfinished. Initially we did not complete the implementation because we did not understand how to handle XML Namespaces + * (from the <Request> or <Policy>). + * Later we understood that any Namespaces used within this function must be explicitly listed in <Content> XML elemement passed to this function. + * However, it is not clear that anyone needs this function. + * The only use anyone has mentioned is in a recursive operation which requires a loop counter of some kind, which we do not have implemented. + * Therefore we have chosen to leave this unimplemented for now. + * + * In the first implementation of XACML we had separate files for each XACML Function. + * This release combines multiple Functions in fewer files to minimize code duplication. + * This file supports the following XACML codes: + * access-permitted + * + * + * @author glenngriffin + * @version $Revision: 1.1 $ + * + */ +public class FunctionDefinitionAccessPermitted extends FunctionDefinitionBase<Boolean, URI> { + + + + + /** + * Constructor - need dataTypeArgs input because of java Generic type-erasure during compilation. + * + * @param idIn + * @param dataTypeArgsIn + */ + public FunctionDefinitionAccessPermitted(Identifier idIn) { + super(idIn, DataTypes.DT_BOOLEAN, DataTypes.DT_ANYURI, false); + } + + @Override + public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) { + if (arguments == null || arguments.size() != 2) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + + " Expected 2 arguments, got " + + ((arguments == null) ? "null" : arguments.size()) )); + } + + // first arg is URI + FunctionArgument functionArgument = arguments.get(0); + ConvertedArgument<URI> convertedArgument0 = new ConvertedArgument<URI>(functionArgument, DataTypes.DT_ANYURI, false); + if ( ! convertedArgument0.isOk()) { + return ExpressionResult.newError(getFunctionStatus(convertedArgument0.getStatus())); + } + URI attributesURI = convertedArgument0.getValue(); + // this must be a urn of an attribute category + if ( ! attributesURI.toString().startsWith("urn:") || ! attributesURI.toString().contains(":attribute-category:")) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() + + " First argument must be a urn for an attribute-category, not '" + attributesURI.toString() )); + } + + // second argument is of input type + functionArgument = arguments.get(1); + ConvertedArgument<String> convertedArgument1 = new ConvertedArgument<String>(functionArgument, DataTypes.DT_STRING, false); + if ( ! convertedArgument1.isOk()) { + return ExpressionResult.newError(getFunctionStatus(convertedArgument1.getStatus())); + } + // get the Duration object from the argument which includes all fields, even if the incoming argument does not include them all + String xmlContent = convertedArgument1.getValue(); + + // The spec is fuzzy on whether this string includes the "<Content>" tags or not, so handle it either way + if ( ! xmlContent.trim().toLowerCase().startsWith("<content>") ) { + // incomming is not surrounded by <content> tags, so ad them + xmlContent = "<Content>" + xmlContent + "</Content>"; + } + +//TODO - the next block needs to be uncommented and fixed +//Request req = evaluationContext.getRequest(); +//List<String> xmlAttrList = req.getRequestXMLAttributes(); +//String attrString = " "; +//for (String attr : xmlAttrList) { +// attrString += " " + attr; +//} +// +// // add the Attributes XML element +// xmlContent = "<Attributes Category=\"" + attributesURI + "\" " + attrString + " >" + xmlContent + "</Attributes>"; + +//java.util.Iterator<RequestAttributes> rait = req.getRequestAttributes(); +//while (rait.hasNext()) { +// RequestAttributes ra = rait.next(); +// System.out.println(ra); +//} + + + + // convert the xmlContent into XML Nodes + Node newContentNode = null; +//TODO - need to get Namespace info from original Request? How can I recover the original Namespace from the EvaluationContext? + try (InputStream is = new ByteArrayInputStream(xmlContent.getBytes())) { + DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + docBuilderFactory.setNamespaceAware(true); + + newContentNode = docBuilderFactory + .newDocumentBuilder() + .parse(is) + .getDocumentElement(); + } catch (Exception e) { + String message = e.getMessage(); + if (e.getCause() != null) { + message = e.getCause().getMessage(); + } + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() + + " Parsing of XML string failed. Cause='" + message + "'" )); + } + // convert the XML Node into a RequestAttributes object +//TODO - If this code is ever completed, the following variable will be used. The annotation is to avoid warnings. +@SuppressWarnings("unused") + RequestAttributes newRequestAttributes = null; + try { + newRequestAttributes = DOMRequestAttributes.newInstance(newContentNode); + } catch (DOMStructureException e) { + String message = e.getMessage(); + if (e.getCause() != null) { + message = e.getCause().getMessage(); + } + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() + + " Conversion of XML to RequestAttributes failed. Cause='" + message + "'" )); + } + + + // check the evaluationContext and Request for null + if (evaluationContext == null) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + + " Got null EvaluationContext")); + } + if (evaluationContext.getRequest() == null) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + + " Got null Request in EvaluationContext")); + } + + // Create a new Request by: + // - copying the current request, + // - Dropping the Attributes section identified by the attributesURI argument + // - adding a new Attributes section identified by the attributesURI arg and with a Content section containing the xmlContent argument + Request originalRequest = evaluationContext.getRequest(); + +//TODO - If this code is ever completed, the following variable will be used. The annotation is to avoid warnings. +@SuppressWarnings("unused") + Request newRequest = new StdRequest(originalRequest); + + + +// ???? nameingContext???? + + // Now create a new EvaluationContext matching the one passed to this method except for the Request +//TODO + + // Run the PDP on the new EvaluationContext +//TODO + + +return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + + " Not Implemented")); + + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java new file mode 100755 index 0000000..03bd34f --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java @@ -0,0 +1,196 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.functions; + +import java.math.BigInteger; +import java.util.ArrayList; +import java.util.List; + +import com.att.research.xacml.api.AttributeValue; +import com.att.research.xacml.api.DataType; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.api.Status; +import com.att.research.xacml.api.XACML; +import com.att.research.xacml.std.StdAttributeValue; +import com.att.research.xacml.std.StdStatus; +import com.att.research.xacml.std.StdStatusCode; +import com.att.research.xacml.std.datatypes.DataTypes; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.policy.ExpressionResult; +import com.att.research.xacmlatt.pdp.policy.FunctionArgument; + +/** + * FunctionDefinitionArithmetic extends {@link com.att.research.xacmlatt.pdp.std.functions.FunctionDefinitionHomogeneousSimple} to + * implement the XACML Arithmetic predicates as functions taking one or two arguments of the same data type and returning a single value of the same type. + * + * In Java there is no way to do arithmetic operations generically, so we need to have individual code for each operation on each class within this class. + * + * In the first implementation of XACML we had separate files for each XACML Function. + * This release combines multiple Functions in fewer files to minimize code duplication. + * This file supports the following XACML codes: + * integer-add + * double-add + * integer-subtract + * double-subtract + * integer-multiply + * double-multiply + * integer-divide + * double-divide + * integer-mod + * integer-abs + * double-abs + * round + * floor + * + * @author glenngriffin + * @version $Revision: 1.1 $ + * + * @param <T> the java class for the data type of the function arguments + */ +public class FunctionDefinitionArithmetic<T extends Number> extends FunctionDefinitionHomogeneousSimple<T,T> { + + /** + * List of arithmetic operations. + * + * @author glenngriffin + * + */ + public enum OPERATION {ADD, SUBTRACT, MULTIPLY, DIVIDE, MOD, ABS, ROUND, FLOOR }; + + // operation to be used in this instance of the Arightmetic class + private final OPERATION operation; + + // result variables used by all functions, one for each type + private AttributeValue<BigInteger> integerResult; + private AttributeValue<Double> doubleResult; + + /** + * Constructor + * + * @param idIn + * @param dataTypeArgsIn + * @param op + */ + public FunctionDefinitionArithmetic(Identifier idIn, DataType<T> dataTypeArgsIn, OPERATION op, int nArgs) { + // for Arithmetic functions, the output type is the same as the input type (no mixing of Ints and Doubles!) + super(idIn, dataTypeArgsIn, dataTypeArgsIn, nArgs); + + // save the operation to be used in this instance + operation = op; + } + + + @Override + public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) { + List<T> convertedArguments = new ArrayList<T>(); + Status status = this.validateArguments(arguments, convertedArguments); + + /* + * If the function arguments are not correct, just return an error status immediately + */ + if (!status.getStatusCode().equals(StdStatusCode.STATUS_CODE_OK)) { + return ExpressionResult.newError(getFunctionStatus(status)); + } + + /* + * Now perform the requested operation. + */ + ExpressionResult expressionResult = null; + + try { + switch (operation) { + case ADD: + if (this.getDataType() == DataTypes.DT_INTEGER) { + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).add( (BigInteger)convertedArguments.get(1)) ); + expressionResult = ExpressionResult.newSingle(integerResult); + } else { + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) + (Double)convertedArguments.get(1)); + expressionResult = ExpressionResult.newSingle(doubleResult); + } + break; + case SUBTRACT: + if (this.getDataType() == DataTypes.DT_INTEGER) { + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).subtract( (BigInteger)convertedArguments.get(1)) ); + expressionResult = ExpressionResult.newSingle(integerResult); + } else { + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) - (Double)convertedArguments.get(1)); + expressionResult = ExpressionResult.newSingle(doubleResult); + } + break; + case MULTIPLY: + if (this.getDataType() == DataTypes.DT_INTEGER) { + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).multiply((BigInteger)convertedArguments.get(1)) ); + expressionResult = ExpressionResult.newSingle(integerResult); + } else { + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) * (Double)convertedArguments.get(1)); + expressionResult = ExpressionResult.newSingle(doubleResult); + } + break; + case DIVIDE: + if (this.getDataType() == DataTypes.DT_INTEGER) { + if ( ((BigInteger)convertedArguments.get(1)).equals(new BigInteger("0")) ) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+ + arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString())); + } + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).divide((BigInteger)convertedArguments.get(1)) ); + expressionResult = ExpressionResult.newSingle(integerResult); + } else { + if ((Double)convertedArguments.get(1) == 0) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+ + arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString())); + } + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) / (Double)convertedArguments.get(1)); + expressionResult = ExpressionResult.newSingle(doubleResult); + } + break; + case MOD: + if ( ((BigInteger)convertedArguments.get(1)).equals(new BigInteger("0")) ) { + return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+ + arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString())); + } + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).remainder((BigInteger)convertedArguments.get(1)) ); + expressionResult = ExpressionResult.newSingle(integerResult); + break; + case ABS: + if (this.getDataType() == DataTypes.DT_INTEGER) { + integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).abs() ); + expressionResult = ExpressionResult.newSingle(integerResult); + } else { + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, Math.abs((Double)convertedArguments.get(0))); + expressionResult = ExpressionResult.newSingle(doubleResult); + } + break; + case ROUND: + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (double)(Math.round((Double)convertedArguments.get(0))) ); + expressionResult = ExpressionResult.newSingle(doubleResult); + break; + case FLOOR: + doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, Math.floor((Double)convertedArguments.get(0))); + expressionResult = ExpressionResult.newSingle(doubleResult); + break; + } + } catch (Exception e) { + String message = e.getMessage(); + if (e.getCause() != null) { + message = e.getCause().getMessage(); + } + String args = arguments.get(0).getValue().toString(); + if (arguments.size() > 1) { + args += ", " + arguments.get(1).getValue().toString(); + } + expressionResult = ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + " " + message + + " args: " + args + " " + e.getMessage() )); + } + + return expressionResult; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java ---------------------------------------------------------------------- diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java new file mode 100755 index 0000000..cbdb406 --- /dev/null +++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java @@ -0,0 +1,107 @@ +/* + * AT&T - PROPRIETARY + * THIS FILE CONTAINS PROPRIETARY INFORMATION OF + * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN + * ACCORDANCE WITH APPLICABLE AGREEMENTS. + * + * Copyright (c) 2013 AT&T Knowledge Ventures + * Unpublished and Not for Publication + * All Rights Reserved + */ +package com.att.research.xacmlatt.pdp.std.functions; + +import java.util.List; + +import com.att.research.xacml.api.DataType; +import com.att.research.xacml.api.Identifier; +import com.att.research.xacmlatt.pdp.eval.EvaluationContext; +import com.att.research.xacmlatt.pdp.policy.Bag; +import com.att.research.xacmlatt.pdp.policy.ExpressionResult; +import com.att.research.xacmlatt.pdp.policy.FunctionArgument; + +/** + * FunctionDefinitionBag implements {@link com.att.research.xacmlatt.pdp.policy.FunctionDefinition} to + * implement the XACML 'type'-bag predicates as functions taking 0, 1 or multiple arguments of the same data type and returning a <code>Bag</code>. + * + * In the first implementation of XACML we had separate files for each XACML Function. + * This release combines multiple Functions in fewer files to minimize code duplication. + * This file supports the following XACML codes: + * string-bag + * boolean-bag + * integer-bag + * double-bag + * time-bag + * date-bag + * dateTime-bag + * anyURI-bag + * hexBinary-bag + * base64Binary-bag + * dayTimeDuration-bag (version 1 and3) + * yearMonthDuration-bag (version 1 and 3) + * x500Name-bag + * rfc822Name-bag + * ipAddress-bag + * dnsName-bag + * + * + * @author glenngriffin + * @version $Revision: 1.1 $ + * + * @param <I> the java class for the data type of the function Input arguments, + * which is also the "type" of the returned bag + */ +public class FunctionDefinitionBag<I> extends FunctionDefinitionBase<I, I> { + + + /** + * Constructor - need dataType input because of java Generic type-erasure during compilation. + * + * @param idIn + * @param dataTypeArgsIn + */ + public FunctionDefinitionBag(Identifier idIn, DataType<I> dataTypeArgsIn) { + super(idIn, dataTypeArgsIn, dataTypeArgsIn, true); + } + + /** + * Evaluates this <code>FunctionDefinition</code> on the given <code>List</code> of{@link com.att.research.xacmlatt.pdp.policy.FunctionArgument}s. + * + * @param evaluationContext the {@link com.att.research.xacmlatt.pdp.eval.EvaluationContext} to use in the evaluation + * @param arguments the <code>List</code> of <code>FunctionArgument</code>s for the evaluation + * @return an {@link com.att.research.xacmlatt.pdp.policy.ExpressionResult} with the results of the call + */ + @Override + public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) { + + // create a list to put the values into + Bag elementBag = new Bag(); + + // see if we have arguments + if (arguments != null && arguments.size() > 0) { + + // for each arg, evaluate it, check type, and put on the list + for (FunctionArgument argument : arguments) { + // get the argument, evaluate it and check status + ConvertedArgument<I> convertedArgument = new ConvertedArgument<I>(argument, this.getDataTypeArgs(), false); + + // check the status + if ( ! convertedArgument.isOk()) { + return ExpressionResult.newError(getFunctionStatus(convertedArgument.getStatus())); + } + + // Special case: Most methods want the value contained in the AttributeValue object inside the FunctionArgument. + // This one wants the AttributeValue itself. + // We use the ConvertedArgument constructor to validate that the argument is ok, then use the AttributeValue + // from the FunctionArgument. + elementBag.add(argument.getValue()); + } + } + + // return it + return ExpressionResult.newBag(elementBag); + } + + + + +}
