Package org.ow2.authzforce.core.pdp.api.policy

Class BaseStaticPolicyProvider

    • Constructor Detail

      • BaseStaticPolicyProvider

        public BaseStaticPolicyProvider​(int maxPolicySetRefDepth)
        Creates RefPolicyProvider instance
        Parameters:
        maxPolicySetRefDepth - max policy reference (e.g. XACML PolicySetIdReference) depth, i.e. max length of the chain of policy references

    • Method Detail

      • joinPolicyRefChains

        public final Deque<String> joinPolicyRefChains​(Deque<String> policyRefChain1,
                                               List<String> policyRefChain2)
                                        throws IllegalArgumentException
        Description copied from interface: PolicyProvider
        Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.

        policyRefChain1 and policyRefChain2 are chains of PolicySets linked via PolicySetIdReferences. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Specified by:
        joinPolicyRefChains in interface PolicyProvider<StaticTopLevelPolicyElementEvaluator>
        Parameters:
        policyRefChain1 - mandatory/non-null first part of the joined chain
        policyRefChain2 - chain (list of policy identifiers) to append to policyRefChain1 (typically a result of PolicyEvaluator.getPolicyRefsMetadata(EvaluationContext) (#getLongestPolicyRefChain) to create the joined chain
        Returns:
        new joined chain that is policyRefChain1 if policyRefChain2 == null || policyRefChain2.isEmpty(), else policyRefChain2 appended to policyRefChain1
        Throws:
        IllegalArgumentException - policyRefChain1 == null, or circular reference (same ID in both chains) detected or resulting length (sum of the lengths of the two chains) is greater than maxPolicyRefDepth

      • getPolicySet

        protected abstract StaticTopLevelPolicyElementEvaluator getPolicySet​(String policyIdRef,
                                                                     Optional<PolicyVersionPatterns> constraints,
                                                                     Deque<String> policySetRefChainWithPolicyIdRef)
                                                              throws IndeterminateEvaluationException
        Resolve reference to PolicySet, e.g. PolicySetIdReference. This may involve using the reference as indexing data to lookup a policy.
        Parameters:
        policyIdRef - the target PolicySetId

        WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.

        [1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.

        See also:

        https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16

        From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.

        constraints - any optional constraints on the version of the target policy, matched against its Version attribute
        policySetRefChainWithPolicyIdRef - null iff this is not called to resolve a PolicySetIdReference; else this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including) policyIdRef. Each item in the chain is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        the policySet matching the policySet reference; or null if no match
        Throws:
        IndeterminateEvaluationException - if error determining a matching policy of type policyType

      • get

        public final StaticTopLevelPolicyElementEvaluator get​(TopLevelPolicyElementType refPolicyType,
                                                      String policyIdRef,
                                                      Optional<PolicyVersionPatterns> constraints,
                                                      Deque<String> policySetRefChain)
                                               throws IndeterminateEvaluationException
        Description copied from interface: StaticPolicyProvider
        Finds a policy based on an ID reference. This may involve using the reference as indexing data to lookup a policy.
        Specified by:
        get in interface StaticPolicyProvider
        Parameters:
        refPolicyType - type of requested policy element (Policy or PolicySet)
        policyIdRef - the requested Policy(Set)Id

        WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.

        [1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.

        See also:

        https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16

        From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.

        constraints - any optional constraints on the version of the referenced policy, matched against its Version attribute
        policySetRefChain - null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET) this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including) policyId. Each item in the chain is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        the policy matching the policy reference; or null if no match
        Throws:
        IndeterminateEvaluationException - error resolving the policy

      • get

        public final StaticTopLevelPolicyElementEvaluator get​(TopLevelPolicyElementType policyType,
                                                      String policyId,
                                                      Optional<PolicyVersionPatterns> policyVersionConstraints,
                                                      Deque<String> policySetRefChain,
                                                      EvaluationContext evaluationCtx)
                                               throws IllegalArgumentException,
                                                      IndeterminateEvaluationException
        Description copied from interface: PolicyProvider
        Finds a policy based on an ID reference. This may involve using the reference as indexing data to lookup a policy.
        Specified by:
        get in interface PolicyProvider<StaticTopLevelPolicyElementEvaluator>
        Specified by:
        get in interface StaticPolicyProvider
        Parameters:
        policyType - type of policy element requested (policy or policySet)
        policyId - the identifier used to resolve the policy by its Policy(Set)Id

        WARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.

        [1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.

        See also:

        https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16

        From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor.

        policyVersionConstraints - any optional constraints on the version of the referenced policy, matched against its Version attribute
        policySetRefChain - null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET) this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including) policyId. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        evaluationCtx - evaluation context; the policy may be resolved dynamically for each evaluation request. Still, the implementation must guarantee that the same reference (same refPolicyType, policyIdRef, constraints arguments) always resolves to the same policy in the same evaluation context (for the same request) to preserve evaluation consistency. Therefore, it is recommended that the implementation caches the resolved policy matching given Policy(Set)IdReference parameters (policy type, ID, version constraints) in the request context evaluationCtx once and for all using EvaluationContext.putOther(String, Object), and retrieves it in the same context using EvaluationContext.getOther(String) if necessary.
        Returns:
        the policy matching the policy reference; or null if no match
        Throws:
        IllegalArgumentException - The resolved policy is invalid. The policy Provider module may parse policies lazily or on the fly, i.e. only when the policy is requested/looked for.
        IndeterminateEvaluationException - if error determining a matching policy of type policyType