Interface PolicyProvider<PE extends TopLevelPolicyElementEvaluator>
-
- Type Parameters:
PE
- type of returned PolicyEvaluator
- All Known Subinterfaces:
CloseablePolicyProvider<PE>
,CloseableStaticPolicyProvider
,StaticPolicyProvider
- All Known Implementing Classes:
BaseStaticPolicyProvider
public interface PolicyProvider<PE extends TopLevelPolicyElementEvaluator>
Policy provider, used by the PDP to get policies given a Policy(Set)IdReference (e.g. in PolicySets).
-
-
Field Summary
Fields Modifier and Type Field Description static IllegalArgumentException
NULL_POLICYREF_CHAIN1_ARGUMENT_EXCEPTION
Exception thrown if first arg tojoinPolicyRefChains(Deque, List, int)
is nullstatic int
UNLIMITED_POLICY_REF_DEPTH
Constant for unlimited depth of policy reference
-
Method Summary
All Methods Static Methods Instance Methods Abstract Methods Default Methods Modifier and Type Method Description PE
get(TopLevelPolicyElementType policyType, String policyId, Optional<PolicyVersionPatterns> policyVersionConstraints, Deque<String> policySetRefChain, EvaluationContext evaluationCtx, Optional<EvaluationContext> mdpContext)
Finds a policy based on an ID reference.default Optional<PrimaryPolicyMetadata>
getCandidateRootPolicy()
Returns the policy that may be used by the PDP as root of evaluation, if any defined/identified by this Policy Provider.Deque<String>
joinPolicyRefChains(Deque<String> policyRefChain1, List<String> policyRefChain2)
Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.static Deque<String>
joinPolicyRefChains(Deque<String> policyRefChain1, List<String> policyRefChain2, int maxPolicyRefDepth)
Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.
-
-
-
Field Detail
-
NULL_POLICYREF_CHAIN1_ARGUMENT_EXCEPTION
static final IllegalArgumentException NULL_POLICYREF_CHAIN1_ARGUMENT_EXCEPTION
Exception thrown if first arg tojoinPolicyRefChains(Deque, List, int)
is null
-
UNLIMITED_POLICY_REF_DEPTH
static final int UNLIMITED_POLICY_REF_DEPTH
Constant for unlimited depth of policy reference- See Also:
- Constant Field Values
-
-
Method Detail
-
joinPolicyRefChains
static Deque<String> joinPolicyRefChains(Deque<String> policyRefChain1, List<String> policyRefChain2, int maxPolicyRefDepth) throws IllegalArgumentException
Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.policyRefChain1
andpolicyRefChain2
are chains of PolicySets linked via PolicySetIdReferences. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for
policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)- Parameters:
policyRefChain1
- mandatory/non-null first part of the joined chainpolicyRefChain2
- chain (list of policy identifiers) to append topolicyRefChain1
(typically a result ofPolicyEvaluator.getPolicyRefsMetadata(EvaluationContext, Optional)
(#getLongestPolicyRefChain) to create the joined chainmaxPolicyRefDepth
- max policy reference (e.g. XACML PolicySetIdReference) depth, i.e. max length of the chain of policy references- Returns:
- new joined chain that is
policyRefChain1
ifpolicyRefChain2 == null || policyRefChain2.isEmpty()
, elsepolicyRefChain2
appended topolicyRefChain1
- Throws:
IllegalArgumentException
-policyRefChain1 == null
, or circular reference (same ID in both chains) detected or resulting length (sum of the lengths of the two chains) is greater thanmaxPolicyRefDepth
-
joinPolicyRefChains
Deque<String> joinPolicyRefChains(Deque<String> policyRefChain1, List<String> policyRefChain2) throws IllegalArgumentException
Join chains of policy references, after checking whether the joined chain does not result in a circular reference (loop) or excessive length.policyRefChain1
andpolicyRefChain2
are chains of PolicySets linked via PolicySetIdReferences. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.Beware that we only keep the IDs in the chain, and not the versions, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for
policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)- Parameters:
policyRefChain1
- mandatory/non-null first part of the joined chainpolicyRefChain2
- chain (list of policy identifiers) to append topolicyRefChain1
(typically a result ofPolicyEvaluator.getPolicyRefsMetadata(EvaluationContext, Optional)
(#getLongestPolicyRefChain) to create the joined chain- Returns:
- new joined chain that is
policyRefChain1
ifpolicyRefChain2 == null || policyRefChain2.isEmpty()
, elsepolicyRefChain2
appended topolicyRefChain1
- Throws:
IllegalArgumentException
-policyRefChain1 == null
, or circular reference (same ID in both chains) detected or resulting length (sum of the lengths of the two chains) is greater thanmaxPolicyRefDepth
-
get
PE get(TopLevelPolicyElementType policyType, String policyId, Optional<PolicyVersionPatterns> policyVersionConstraints, Deque<String> policySetRefChain, EvaluationContext evaluationCtx, Optional<EvaluationContext> mdpContext) throws IllegalArgumentException, IndeterminateEvaluationException
Finds a policy based on an ID reference. This may involve using the reference as indexing data to look up a policy.- Parameters:
policyId
- the identifier used to resolve the policy by its Policy(Set)IdWARNING: java.net.URI cannot be used here, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.
[1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.
See also:
https://java.net/projects/jaxb/lists/users/archive/2011-07/ message/16
From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor".
policyType
- type of policy element requested (policy or policySet)policyVersionConstraints
- any optional constraints on the version of the referenced policy, matched against its Version attributepolicySetRefChain
- null iff this is not called to resolve a PolicySetIdReference; else (policyType == TopLevelPolicyElementType#POLICY_SET
) this is the chain of PolicySets linked via PolicySetIdReference(s), from the root PolicySet up to (and including)policyId
. Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.
(Do not use a Queue for
policySetRefChain
as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)evaluationCtx
- Individual Decision evaluation context; the policy may be resolved dynamically for each evaluation request. Still, the implementation must guarantee that the same reference (samerefPolicyType
,policyIdRef
,constraints
arguments) always resolves to the same policy in the same evaluation context (for the same request) to preserve evaluation consistency. Therefore, it is recommended that the implementation caches the resolved policy matching given Policy(Set)IdReference parameters (policy type, ID, version constraints) in the request contextevaluationCtx
once and for all usingEvaluationContext.putOther(String, Object)
, and retrieves it in the same context usingEvaluationContext.getOther(String)
if necessary.mdpContext
- the context of the Multiple Decision request that theevaluationCtx
belongs to if the Multiple Decision Profile is used.- Returns:
- the policy matching the policy reference; or null if no match
- Throws:
IllegalArgumentException
- The resolved policy is invalid. The policy Provider module may parse policies lazily or on the fly, i.e. only when the policy is requested/looked for.IndeterminateEvaluationException
- if error determining a matching policy of typepolicyType
-
getCandidateRootPolicy
default Optional<PrimaryPolicyMetadata> getCandidateRootPolicy()
Returns the policy that may be used by the PDP as root of evaluation, if any defined/identified by this Policy Provider. For example, if the policy repository is made of one and only one static policy document, this is obviously the one possible candidate for root policy to be returned by this method.- Returns:
- (metadata of) the candidate root policy. The
get(TopLevelPolicyElementType, String, Optional, Deque, EvaluationContext, Optional)
method can then be used to retrieve the actual policy evaluator for evaluation.
-
-