public abstract class BaseStaticPolicyProvider extends Object implements CloseableStaticPolicyProvider
CloseableStaticPolicyProvider
implementationsCloseablePolicyProvider.Factory<CONF_T extends org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider>
NULL_POLICYREF_CHAIN1_ARGUMENT_EXCEPTION, UNLIMITED_POLICY_REF_DEPTH
Constructor and Description |
---|
BaseStaticPolicyProvider(int maxPolicySetRefDepth)
Creates RefPolicyProvider instance
|
Modifier and Type | Method and Description |
---|---|
StaticTopLevelPolicyElementEvaluator |
get(TopLevelPolicyElementType refPolicyType,
String policyIdRef,
Optional<PolicyVersionPatterns> constraints,
Deque<String> policySetRefChain)
Finds a policy based on an ID reference.
|
StaticTopLevelPolicyElementEvaluator |
get(TopLevelPolicyElementType policyType,
String policyId,
Optional<PolicyVersionPatterns> policyVersionConstraints,
Deque<String> policySetRefChain,
EvaluationContext evaluationCtx)
Finds a policy based on an ID reference.
|
protected abstract StaticTopLevelPolicyElementEvaluator |
getPolicy(String policyIdRef,
Optional<PolicyVersionPatterns> constraints)
Resolve reference to Policy, e.g.
|
protected abstract StaticTopLevelPolicyElementEvaluator |
getPolicySet(String policyIdRef,
Optional<PolicyVersionPatterns> constraints,
Deque<String> policySetRefChainWithPolicyIdRef)
Resolve reference to PolicySet, e.g.
|
Deque<String> |
joinPolicyRefChains(Deque<String> policyRefChain1,
List<String> policyRefChain2)
Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.
|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
getCandidateRootPolicy, joinPolicyRefChains
public BaseStaticPolicyProvider(int maxPolicySetRefDepth)
maxPolicySetRefDepth
- max policy reference (e.g. XACML PolicySetIdReference) depth, i.e. max length of the chain of policy referencespublic final Deque<String> joinPolicyRefChains(Deque<String> policyRefChain1, List<String> policyRefChain2) throws IllegalArgumentException
PolicyProvider
policyRefChain1
and policyRefChain2
are chains of PolicySets linked via PolicySetIdReferences. Each item is a PolicySetId of a PolicySet that is referenced by the previous item
(except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops
(circular references) and prevent exceeding reference depth.
Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)
joinPolicyRefChains
in interface PolicyProvider<StaticTopLevelPolicyElementEvaluator>
policyRefChain1
- mandatory/non-null first part of the joined chainpolicyRefChain2
- chain (list of policy identifiers) to append to policyRefChain1
(typically a result of PolicyEvaluator.getPolicyRefsMetadata(EvaluationContext)
(#getLongestPolicyRefChain) to create the joined chainpolicyRefChain1
if policyRefChain2 == null || policyRefChain2.isEmpty()
, else policyRefChain2
appended to policyRefChain1
IllegalArgumentException
- policyRefChain1 == null
, or circular reference (same ID in both chains) detected or resulting length (sum of the lengths of the two chains) is greater than
maxPolicyRefDepth
protected abstract StaticTopLevelPolicyElementEvaluator getPolicy(String policyIdRef, Optional<PolicyVersionPatterns> constraints) throws IndeterminateEvaluationException
policyIdRef
- target PolicyIdconstraints
- policy version match rulesIndeterminateEvaluationException
- error resolving policyprotected abstract StaticTopLevelPolicyElementEvaluator getPolicySet(String policyIdRef, Optional<PolicyVersionPatterns> constraints, Deque<String> policySetRefChainWithPolicyIdRef) throws IndeterminateEvaluationException
policyIdRef
- the target PolicySetId
WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.
[1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.
See also:
https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16
From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.
constraints
- any optional constraints on the version of the target policy, matched against its Version attributepolicySetRefChainWithPolicyIdRef
- null iff this is not called to resolve a PolicySetIdReference; else this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including)
policyIdRef
. Each item in the chain is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references
the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference
depth.
Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)
IndeterminateEvaluationException
- if error determining a matching policy of type policyType
public final StaticTopLevelPolicyElementEvaluator get(TopLevelPolicyElementType refPolicyType, String policyIdRef, Optional<PolicyVersionPatterns> constraints, Deque<String> policySetRefChain) throws IndeterminateEvaluationException
StaticPolicyProvider
get
in interface StaticPolicyProvider
refPolicyType
- type of requested policy element (Policy or PolicySet)policyIdRef
- the requested Policy(Set)Id
WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.
[1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.
See also:
https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16
From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.
constraints
- any optional constraints on the version of the referenced policy, matched against its Version attributepolicySetRefChain
- null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET
) this is the chain of PolicySets linked via
PolicySetIdReference(s), from the root PolicySet up to (and including) policyId
. Each item in the chain is a PolicySetId of a PolicySet that is referenced by the previous
item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to
detect loops (circular references) and prevent exceeding reference depth.
Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)
IndeterminateEvaluationException
public final StaticTopLevelPolicyElementEvaluator get(TopLevelPolicyElementType policyType, String policyId, Optional<PolicyVersionPatterns> policyVersionConstraints, Deque<String> policySetRefChain, EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException
PolicyProvider
get
in interface PolicyProvider<StaticTopLevelPolicyElementEvaluator>
get
in interface StaticPolicyProvider
policyType
- type of policy element requested (policy or policySet)policyId
- the identifier used to resolve the policy by its Policy(Set)Id
WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.
[1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.
See also:
https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16
From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.
policyVersionConstraints
- any optional constraints on the version of the referenced policy, matched against its Version attributepolicySetRefChain
- null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET
) this is the chain of PolicySets linked via
PolicySetIdReference(s), from the root PolicySet up to (and including) policyId
. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the
first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops
(circular references) and prevent exceeding reference depth.
Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)
evaluationCtx
- evaluation context; the policy may be resolved dynamically for each evaluation request. Still, the implementation must guarantee that the same reference (same refPolicyType
,
policyIdRef
, constraints
arguments) always resolves to the same policy in the same evaluation context (for the same request) to preserve evaluation consistency.
Therefore, it is recommended that the implementation caches the resolved policy matching given Policy(Set)IdReference parameters (policy type, ID, version constraints) in the request
context evaluationCtx
once and for all using EvaluationContext.putOther(String, Object)
, and retrieves it in the same context using
EvaluationContext.getOther(String)
if necessary.IllegalArgumentException
- The resolved policy is invalid. The policy Provider module may parse policies lazily or on the fly, i.e. only when the policy is requested/looked for.IndeterminateEvaluationException
- if error determining a matching policy of type policyType
Copyright © 2012–2020. All rights reserved.