Interface NamedAttributeProvider

  • All Known Subinterfaces:
    CloseableNamedAttributeProvider
    All Known Implementing Classes:
    BaseNamedAttributeProvider

    public interface NamedAttributeProvider
    "Named" Attribute Provider, i.e. providing "named attribute(s)" as defined in §7.3 of XACML 3.0 specification (resolve AttributeDesignatorTypes in a specific way, e.g. from a specific attribute source):

    A named attribute is the term used for the criteria that the specific attribute designators use to refer to particular attributes in the elements of the request context.

    • Method Detail

      • getProvidedAttributes

        Set<oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType> getProvidedAttributes()
        Returns the non-null non-empty Set of AttributeDesignators provided/supported by this Attribute provider. Each AttributeDesignatorType.getCategory() must return a non-null/non-empty value. If any AttributeDesignator in the set does not specify an AttributeId (getAttributeId() = null), the Attribute provider is considered a category-wide attribute provider for the category (returned by AttributeDesignatorType.getCategory()), i.e. may provide any attribute in this category.
        Returns:
        a non-null non-empty Set of supported AttributeDesignatorTypes
      • beginMultipleDecisionRequest

        default void beginMultipleDecisionRequest(EvaluationContext mdpContext)
        When the Multiple Decision Profile is used, the PDP engine calls this method before evaluating the Individual Decision Requests of a given Multiple Decision request, if the Attribute Provider supports it as indicated by supportsBeginMultipleDecisionRequest(). This enables the attribute provider to set attributes and/or variables in the scope of the Multiple Decision Request, and therefore reuse the same values in all its Individual Decision Requests. A typical use case is an AttributeProvider providing the current date/time, which should be the same for all Individual Decision requests within the same Multiple Decision request in order to be consistent (e.g. AuthzForce built-in StandardEnvironmentAttributeProvider configured with override=true). In this case, the AttributeProvider may set the current date/time once and for all on the mdpContext for a given Multiple Decision request, and reuse it later for each Individual Decision context in get(AttributeFqn, Datatype, EvaluationContext, Optional).
        Parameters:
        mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of get(AttributeFqn, Datatype, EvaluationContext, Optional) when Individual Decision requests are evaluated.
      • beginIndividualDecisionRequest

        default void beginIndividualDecisionRequest(EvaluationContext individualDecisionContext,
                                                    Optional<EvaluationContext> mdpContext)
                                             throws IndeterminateEvaluationException
        The PDP engine calls this method before evaluating each Individual Decision Request (whether it is part of a Multiple Decision request or not), if the Attribute Provider supports it as indicated by supportsBeginIndividualDecisionRequest(). This enables the attribute provider to do some validation of the request (e.g. check dependency attributes) and/or set/override attributes or variables of the request before the policy evaluation begins, and therefore reuse those values for its benefit during the evaluation. A typical use case is an AttributeProvider providing the current date/time, e.g. either overriding current-* attributes (override mode) of the request or checking that current-date and current-time are consistent with current-dateTime.
        Parameters:
        mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of get(AttributeFqn, Datatype, EvaluationContext, Optional) when AttributeDesignator/AttributeSelector are evaluated for a given Individual Decision request.
        Throws:
        IndeterminateEvaluationException
      • get

        <AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN,
                                                         Datatype<AV> datatype,
                                                         EvaluationContext individualDecisionContext,
                                                         Optional<EvaluationContext> mdpContext)
                                                  throws IndeterminateEvaluationException
        Provides values of the attribute matching the given designator data. If no value is found, but no other error occurred, an empty bag is returned.
        Parameters:
        attributeFQN - the global identifier (Category,Issuer,AttributeId) of the attribute to find, must match one of the AttributeDesignatorTypes returned by getProvidedAttributes()
        individualDecisionContext - the (Individual Decision) request context
        mdpContext - the context of the Multiple Decision request that the individualDecisionContext belongs to if the Multiple Decision Profile is used; same as the mdpContext parameter of beginMultipleDecisionRequest(EvaluationContext).
        datatype - attribute datatype, must match the data-type of the AttributeDesignatorType matching attributeFQN in the getProvidedAttributes()'s result set
        Returns:
        the result of retrieving the attribute, which will be a bag of values of type defined by returnDatatype; empty bag iff no value found and no error occurred.
        Throws:
        UnsupportedOperationException - attributeFQN or returnDatatype are not supported (the PDP engine should try another attribute provider if any)
        IndeterminateEvaluationException - attributeFQN or returnDatatype are supported but some error occurred while trying to resolve the attribute value(s)
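
The call order described for beginMultipleDecisionRequest, beginIndividualDecisionRequest and get, sketched as an added example that is not AuthzForce code: `Ctx`, `CurrentTimeProvider` and the `demo.current-dateTime` key are simplified, hypothetical stand-ins for EvaluationContext and a real provider, and a `List` stands in for the attribute bag. It shows why freezing the clock in the Multiple Decision scope gives every Individual Decision request the same current-dateTime, so time-based rules cannot evaluate differently within one batch.

```java
import java.time.Instant;
import java.util.*;

// Simplified stand-ins, NOT the AuthzForce classes: a context is a mutable key/value scope.
public class MdpClockDemo {
    static final class Ctx { final Map<String, Object> vars = new HashMap<>(); }

    /** Hypothetical provider following the lifecycle described on this page. */
    static final class CurrentTimeProvider {
        static final String KEY = "demo.current-dateTime"; // constructed key name

        // Called once per Multiple Decision request: freeze the clock in the MDP scope.
        void beginMultipleDecisionRequest(Ctx mdpContext) {
            mdpContext.vars.put(KEY, Instant.now());
        }

        // Called for each Individual Decision request: reuse the frozen value when present,
        // otherwise (no Multiple Decision Profile) fix one value for this request only.
        void beginIndividualDecisionRequest(Ctx individual, Optional<Ctx> mdpContext) {
            Object frozen = mdpContext.map(c -> c.vars.get(KEY)).orElse(null);
            individual.vars.put(KEY, frozen != null ? frozen : Instant.now());
        }

        // Attribute resolution: returns a bag (here a List); empty if no value was set.
        List<Instant> get(String attributeId, Ctx individual, Optional<Ctx> mdpContext) {
            if (!"current-dateTime".equals(attributeId)) {
                // Unsupported attribute: the engine should try another provider.
                throw new UnsupportedOperationException(attributeId);
            }
            Object v = individual.vars.get(KEY);
            return v == null ? List.of() : List.of((Instant) v);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        CurrentTimeProvider provider = new CurrentTimeProvider();
        Ctx mdp = new Ctx();
        provider.beginMultipleDecisionRequest(mdp);
        Set<Instant> seen = new HashSet<>();
        for (int i = 0; i < 3; i++) {       // three Individual Decision requests
            Thread.sleep(5);                // wall clock advances between evaluations
            Ctx individual = new Ctx();
            provider.beginIndividualDecisionRequest(individual, Optional.of(mdp));
            seen.addAll(provider.get("current-dateTime", individual, Optional.of(mdp)));
        }
        System.out.println("distinct timestamps seen by policies: " + seen.size());
    }
}
```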