Interface PolicyProvider<PE extends TopLevelPolicyElementEvaluator>

    • Method Detail

      • joinPolicyRefChains

        static Deque<String> joinPolicyRefChains(Deque<String> policyRefChain1,
                                                 List<String> policyRefChain2,
                                                 int maxPolicyRefDepth)
                                          throws IllegalArgumentException
        Joins chains of policy references, after checking that the joined chain does not result in a circular reference (loop) or excessive length.

        policyRefChain1 and policyRefChain2 are chains of PolicySets linked via PolicySetIdReferences. Each item is the PolicySetId of a PolicySet that is referenced by the previous item (except the first item, which is the root policy) and references the next one. This chain is used to check PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding the reference depth.

        Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Parameters:
        policyRefChain1 - mandatory/non-null first part of the joined chain
        policyRefChain2 - chain (list of policy identifiers) to append to policyRefChain1 to create the joined chain (typically a result of PolicyEvaluator.getPolicyRefsMetadata(EvaluationContext) (#getLongestPolicyRefChain))
        maxPolicyRefDepth - max policy reference (e.g. XACML PolicySetIdReference) depth, i.e. max length of the chain of policy references
        Returns:
        new joined chain that is policyRefChain1 if policyRefChain2 == null || policyRefChain2.isEmpty(), else policyRefChain2 appended to policyRefChain1
        Throws:
        IllegalArgumentException - if policyRefChain1 == null, or a circular reference (same ID in both chains) is detected, or the resulting length (sum of the lengths of the two chains) is greater than maxPolicyRefDepth
      • joinPolicyRefChains

        Deque<String> joinPolicyRefChains(Deque<String> policyRefChain1,
                                          List<String> policyRefChain2)
                                   throws IllegalArgumentException
        Joins chains of policy references, after checking that the joined chain does not result in a circular reference (loop) or excessive length.

        policyRefChain1 and policyRefChain2 are chains of PolicySets linked via PolicySetIdReferences. Each item is the PolicySetId of a PolicySet that is referenced by the previous item (except the first item, which is the root policy) and references the next one. This chain is used to check PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding the reference depth.

        Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Parameters:
        policyRefChain1 - mandatory/non-null first part of the joined chain
        policyRefChain2 - chain (list of policy identifiers) to append to policyRefChain1 to create the joined chain (typically a result of PolicyEvaluator.getPolicyRefsMetadata(EvaluationContext) (#getLongestPolicyRefChain))
        Returns:
        new joined chain that is policyRefChain1 if policyRefChain2 == null || policyRefChain2.isEmpty(), else policyRefChain2 appended to policyRefChain1
        Throws:
        IllegalArgumentException - if policyRefChain1 == null, or a circular reference (same ID in both chains) is detected, or the resulting length (sum of the lengths of the two chains) is greater than maxPolicyRefDepth
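The contract documented for both joinPolicyRefChains overloads, as an added Java example that is not the project's own implementation. The class name, the join and outcome helpers, and the PolicySetIds are assumptions made for illustration; returning a copy when there is nothing to append is also a choice of this example.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.List;

public class PolicyRefChainDemo {

    // Illustrative re-implementation of the documented contract (hypothetical helper).
    static Deque<String> join(Deque<String> chain1, List<String> chain2, int maxDepth) {
        if (chain1 == null) {
            throw new IllegalArgumentException("policyRefChain1 is null");
        }
        // Work on a copy so that sibling references never share a mutable chain.
        Deque<String> joined = new ArrayDeque<>(chain1);
        if (chain2 == null || chain2.isEmpty()) {
            return joined;
        }
        // Loop check on IDs only: another Version of the same ID still counts as a loop.
        if (!Collections.disjoint(chain1, chain2)) {
            throw new IllegalArgumentException("circular reference: " + chain1 + " -> " + chain2);
        }
        // Depth check on the sum of both lengths, before anything is appended.
        if (chain1.size() + chain2.size() > maxDepth) {
            throw new IllegalArgumentException("reference depth exceeds " + maxDepth);
        }
        joined.addAll(chain2); // appended at the tail: iteration follows reference order
        return joined;
    }

    static String outcome(Deque<String> chain1, List<String> chain2, int maxDepth) {
        try {
            return "OK " + join(chain1, chain2, maxDepth);
        } catch (IllegalArgumentException e) {
            return "REJECTED " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed PolicySetIds: "root" references "ps-A".
        Deque<String> chain1 = new ArrayDeque<>(Arrays.asList("root", "ps-A"));
        System.out.println(outcome(chain1, Arrays.asList("ps-B", "ps-C"), 4)); // within the limit
        System.out.println(outcome(chain1, Arrays.asList("ps-B", "root"), 10)); // refers back to root
        System.out.println(outcome(chain1, Arrays.asList("ps-B", "ps-C"), 3)); // 2 + 2 > 3
        System.out.println(outcome(chain1, null, 4)); // nothing to append
    }
}
```

Both rejections happen before any referenced PolicySet is evaluated, which is what keeps a self-referencing or deeply nested policy repository from causing unbounded recursion in the evaluator.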
      • get

        PE get(TopLevelPolicyElementType policyType,
               String policyId,
               Optional<PolicyVersionPatterns> policyVersionConstraints,
               Deque<String> policySetRefChain,
               EvaluationContext evaluationCtx)
        throws IllegalArgumentException,
               IndeterminateEvaluationException
        Finds a policy based on an ID reference. This may involve using the reference as indexing data to look up a policy.
        Parameters:
        policyId - the identifier used to resolve the policy by its Policy(Set)Id

        WARNING: java.net.URI cannot be used here, because it is not equivalent to the XML Schema anyURI type. Spaces are allowed in XSD anyURI [1], but not in java.net.URI. That's why we use String instead.

        [1] http://www.w3.org/TR/xmlschema-2/#anyURI

        See also:

        https://java.net/projects/jaxb/lists/users/archive/2011-07/message/16

        From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor."

        policyType - type of policy element requested (policy or policySet)
        policyVersionConstraints - any optional constraints on the version of the referenced policy, matched against its Version attribute
        policySetRefChain - null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET) this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including) policyId. Each item is the PolicySetId of a PolicySet that is referenced by the previous item (except the first item, which is the root policy) and references the next one. This chain is used to check PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding the reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for policySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        evaluationCtx - evaluation context; the policy may be resolved dynamically for each evaluation request. Still, the implementation must guarantee that the same reference (same refPolicyType, policyIdRef, constraints arguments) always resolves to the same policy in the same evaluation context (for the same request) to preserve evaluation consistency. Therefore, it is recommended that the implementation caches the resolved policy matching given Policy(Set)IdReference parameters (policy type, ID, version constraints) in the request context evaluationCtx once and for all using EvaluationContext.putOther(String, Object), and retrieves it in the same context using EvaluationContext.getOther(String) if necessary.
        Returns:
        the policy matching the policy reference; or null if no match
        Throws:
        IllegalArgumentException - if the resolved policy is invalid. The policy Provider module may parse policies lazily or on the fly, i.e. only when the policy is requested/looked for.
        IndeterminateEvaluationException - if an error occurs while determining a matching policy of type policyType
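The per-request caching recommended for evaluationCtx, as an added Java example that is not the project's own code. RequestContext is a hypothetical stand-in exposing only the putOther(String, Object) and getOther(String) methods named above; the cache key format, the String-typed policies and the mutable repository are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;

public class PerRequestPolicyCacheDemo {

    // Hypothetical stand-in for the two EvaluationContext methods the text names.
    interface RequestContext {
        void putOther(String key, Object value);
        Object getOther(String key);
    }

    static final class MapContext implements RequestContext {
        private final Map<String, Object> others = new HashMap<>();
        public void putOther(String key, Object value) { others.put(key, value); }
        public Object getOther(String key) { return others.get(key); }
    }

    // Constructed repository whose content for a given ID can change between lookups.
    static final AtomicInteger repoRevision = new AtomicInteger(1);

    static String lookupInRepository(String policyId) {
        return policyId + "@rev" + repoRevision.get();
    }

    // Resolve once per request; the key covers policy type, ID and version constraints.
    static String resolve(String policyType, String policyId,
                          Optional<String> versionConstraints, RequestContext ctx) {
        String key = "policyRef|" + policyType + "|" + policyId + "|" + versionConstraints.orElse("*");
        Object cached = ctx.getOther(key);
        if (cached != null) {
            return (String) cached; // same request: reuse the first resolution
        }
        String resolved = lookupInRepository(policyId);
        ctx.putOther(key, resolved);
        return resolved;
    }

    public static void main(String[] args) {
        RequestContext request1 = new MapContext();
        String first = resolve("POLICY_SET", "ps-A", Optional.empty(), request1);
        repoRevision.incrementAndGet(); // repository updated while request1 is still evaluating
        String second = resolve("POLICY_SET", "ps-A", Optional.empty(), request1);
        String other = resolve("POLICY_SET", "ps-A", Optional.empty(), new MapContext());
        System.out.println(first + " | " + second + " | " + other);
    }
}
```

Within request1 both resolutions return the same policy even though the repository changed in between, while a new request context picks up the updated one; without the cache, one authorization decision could be computed from two different versions of the same referenced policy.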
      • getCandidateRootPolicy

        default Optional<PrimaryPolicyMetadata> getCandidateRootPolicy()
        Returns the policy that may be used by the PDP as root of evaluation, if any defined/identified by this Policy Provider. For example, if the policy repository is made of one and only one static policy document, this is obviously the one possible candidate for root policy to be returned by this method.
        Returns:
        (metadata of) the candidate root policy. The get(TopLevelPolicyElementType, String, Optional, Deque, EvaluationContext) method can then be used to retrieve the actual policy evaluator for evaluation.