Class PolicyEvaluators


  • public final class PolicyEvaluators
    extends Object
    This class consists exclusively of static methods that operate on or return PolicyEvaluators
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  PolicyEvaluators.BaseCombiningAlgParameter<T extends org.ow2.authzforce.core.pdp.api.Decidable>
      Represents a set of CombinerParameters to a combining algorithm that may or may not be associated with a policy/rule
    • Method Summary

      Modifier and Type Method Description
      static org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator getInstance​(oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy policyElement, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgRegistry, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler, Map<String,​String> namespacePrefixToUriMap)
      Creates Policy handler from XACML Policy element
      static org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator getInstance​(oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet policyElement, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgorithmRegistry, org.ow2.authzforce.core.pdp.api.policy.PolicyProvider<?> refPolicyProvider, Deque<String> ancestorPolicySetRefChain, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler, Map<String,​String> namespacePrefixToUriMap)
      Creates PolicySet handler from XACML PolicySet element with additional check of duplicate Policy(Set)Ids against a list of Policy(Set)s parsed during the PDP initialization so far
      static org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.PolicyRefEvaluator getInstance​(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType refPolicyType, oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType idRef, org.ow2.authzforce.core.pdp.api.policy.PolicyProvider<?> refPolicyProvider, Deque<String> policySetRefChainWithIdRefIfPolicySet)
      Instantiates Policy(Set) Reference evaluator from XACML Policy(Set)IdReference
      static org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator getInstanceStatic​(oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet policyElement, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgorithmRegistry, org.ow2.authzforce.core.pdp.api.policy.StaticPolicyProvider refPolicyProvider, Deque<String> policySetRefChainWithPolicyElementIfRefTarget, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler, Map<String,​String> namespacePrefixToUriMap)
      Creates statically defined PolicySet handler from XACML PolicySet element
      static org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.StaticPolicyRefEvaluator getInstanceStatic​(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType refPolicyType, oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType idRef, org.ow2.authzforce.core.pdp.api.policy.StaticPolicyProvider refPolicyProvider, Deque<String> ancestorPolicySetRefChain)
      Instantiates Static Policy(Set) Reference evaluator from XACML Policy(Set)IdReference, "static" meaning that given idRef and refPolicyType, the returned policy is always the same statically defined policy
    • Constructor Detail

      • PolicyEvaluators

        public PolicyEvaluators()
    • Method Detail

      • getInstance

        public static org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator getInstance​(oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy policyElement,
                                                                                                              org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory,
                                                                                                              org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgRegistry,
                                                                                                              Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler,
                                                                                                              Map<String,​String> namespacePrefixToUriMap)
                                                                                                       throws IllegalArgumentException
        Creates Policy handler from XACML Policy element
        Parameters:
        policyElement - Policy (XACML)
        parentDefaultXPathCompiler - XPath compiler corresponding to parent PolicyDefaults/XPathVersion; undefined if this Policy has no parent Policy (root), or none defined in parent, or XPath disabled by PDP configuration
        namespacePrefixToUriMap - namespace prefix-URI mappings from the original XACML Policy (XML) document, to be used for namespace-aware XPath evaluation; empty iff XPath support disabled or: parentDefaultXPathCompiler.isPresent() and they can be retrieved already from parentDefaultXPathCompiler.get().getDeclaredNamespacePrefixToUriMap()
        expressionFactory - Expression factory/parser
        combiningAlgRegistry - rule/policy combining algorithm registry
        Returns:
        instance
        Throws:
        IllegalArgumentException - if any argument is invalid
      • getInstance

        public static org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.PolicyRefEvaluator getInstance​(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType refPolicyType,
                                                                                                              oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType idRef,
                                                                                                              org.ow2.authzforce.core.pdp.api.policy.PolicyProvider<?> refPolicyProvider,
                                                                                                              Deque<String> policySetRefChainWithIdRefIfPolicySet)
                                                                                                       throws IllegalArgumentException
        Instantiates Policy(Set) Reference evaluator from XACML Policy(Set)IdReference
        Parameters:
        idRef - Policy(Set)IdReference
        refPolicyProvider - Policy(Set)IdReference resolver/Provider
        refPolicyType - type of policy referenced, i.e. whether it refers to Policy or PolicySet
        policySetRefChainWithIdRefIfPolicySet - null if refPolicyType == TopLevelPolicyElementType.POLICY; else it is the chain of PolicySets linked via PolicySetIdReferences, from the root PolicySet up to this reference target (last item is the idRef value). Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for ancestorPolicySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        instance of PolicyReference
        Throws:
        IllegalArgumentException - if refPolicyProvider is undefined, or no policy of type refPolicyType matching idRef can be found by refPolicyProvider, or a PolicySetIdReference loop is detected, or the PolicySetIdReference depth exceeds the max enforced by policyProvider
      • getInstanceStatic

        public static org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.StaticPolicyRefEvaluator getInstanceStatic​(org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType refPolicyType,
                                                                                                                          oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType idRef,
                                                                                                                          org.ow2.authzforce.core.pdp.api.policy.StaticPolicyProvider refPolicyProvider,
                                                                                                                          Deque<String> ancestorPolicySetRefChain)
                                                                                                                   throws IllegalArgumentException
        Instantiates Static Policy(Set) Reference evaluator from XACML Policy(Set)IdReference, "static" meaning that given idRef and refPolicyType, the returned policy is always the same statically defined policy
        Parameters:
        idRef - Policy(Set)IdReference
        refPolicyProvider - Policy(Set)IdReference resolver/Provider
        refPolicyType - type of policy referenced, i.e. whether it refers to Policy or PolicySet
        ancestorPolicySetRefChain - chain of ancestor PolicySets linked via PolicySetIdReferences, from the root PolicySet up to the Policy(Set) reference being resolved by this method (excluded). Null/empty if this method is used to resolve the root PolicySet (no ancestor). Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for ancestorPolicySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        instance of PolicyReference
        Throws:
        IllegalArgumentException - if refPolicyProvider is undefined, or no policy of type refPolicyType matching idRef can be found by refPolicyProvider, or a PolicySetIdReference loop is detected, or the PolicySetIdReference depth exceeds the max enforced by policyProvider
      • getInstanceStatic

        public static org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator getInstanceStatic​(oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet policyElement,
                                                                                                                    org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory,
                                                                                                                    org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgorithmRegistry,
                                                                                                                    org.ow2.authzforce.core.pdp.api.policy.StaticPolicyProvider refPolicyProvider,
                                                                                                                    Deque<String> policySetRefChainWithPolicyElementIfRefTarget,
                                                                                                                    Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler,
                                                                                                                    Map<String,​String> namespacePrefixToUriMap)
                                                                                                             throws IllegalArgumentException
        Creates statically defined PolicySet handler from XACML PolicySet element
        Parameters:
        policyElement - PolicySet (XACML) without any dynamic policy references
        parentDefaultXPathCompiler - XPath compiler corresponding to parent PolicySet's default XPath version, or null if either no parent or no default XPath version defined in parent
        namespacePrefixToUriMap - namespace prefix-URI mappings from the original XACML PolicySet (XML) document, to be used for namespace-aware XPath evaluation; null or empty iff XPath support disabled
        expressionFactory - Expression factory/parser
        combiningAlgorithmRegistry - policy/rule combining algorithm registry
        refPolicyProvider - static policy-by-reference (Policy(Set)IdReference) Provider - all references statically resolved - to find references used in this policyset
        policySetRefChainWithPolicyElementIfRefTarget - null/empty if policyElement is a root PolicySet; else it is the chain of top-level (as opposed to nested inline) PolicySets linked via PolicySetIdReferences, from the root PolicySet up to - and including - the top-level PolicySet that encloses or is a policyElement (i.e. a reference's target). Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for ancestorPolicySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        instance
        Throws:
        IllegalArgumentException - if any argument (e.g. policyElement) is invalid
      • getInstance

        public static org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator getInstance​(oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet policyElement,
                                                                                                        org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory,
                                                                                                        org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry combiningAlgorithmRegistry,
                                                                                                        org.ow2.authzforce.core.pdp.api.policy.PolicyProvider<?> refPolicyProvider,
                                                                                                        Deque<String> ancestorPolicySetRefChain,
                                                                                                        Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> parentDefaultXPathCompiler,
                                                                                                        Map<String,​String> namespacePrefixToUriMap)
                                                                                                 throws IllegalArgumentException
        Creates PolicySet handler from XACML PolicySet element with additional check of duplicate Policy(Set)Ids against a list of Policy(Set)s parsed during the PDP initialization so far
        Parameters:
        policyElement - PolicySet (XACML)
        parentDefaultXPathCompiler - XPath compiler corresponding to parent PolicySet's default XPath version, or null if either no parent or no default XPath version defined in parent
        namespacePrefixToUriMap - namespace prefix-URI mappings from the original XACML PolicySet (XML) document, to be used for namespace-aware XPath evaluation; null or empty iff XPath support disabled
        expressionFactory - Expression factory/parser
        combiningAlgorithmRegistry - policy/rule combining algorithm registry
        refPolicyProvider - policy-by-reference (Policy(Set)IdReference) Provider to find references used in this policyset
        ancestorPolicySetRefChain - chain of ancestor PolicySets linked via PolicySetIdReferences, from the root PolicySet up to policyElement (excluded). Null/empty if policyElement is the root PolicySet (no ancestor). Each item is a PolicySetId of a PolicySet that is referenced by the previous item (except the first item which is the root policy) and references the next one. This chain is used to control PolicySetIdReferences found within the result policy, in order to detect loops (circular references) and prevent exceeding reference depth.

        Beware that we only keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what the version is.

        (Do not use a Queue for ancestorPolicySetRefChain as it is FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as well.)

        Returns:
        instance
        Throws:
        IllegalArgumentException - if any argument (e.g. policyElement) is invalid
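
The PolicySetIdReference chain described for the reference-resolving methods above can be pictured with the following added example, which is not AuthzForce code. The class, its method names, the sample graphs and the exact definition of "depth" are assumptions made for illustration; it shows why the chain holds IDs only, is iterated in insertion order, and rejects both circular references and over-deep reference chains with IllegalArgumentException.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Map;

// Added illustration, not AuthzForce code: every name below is hypothetical.
public final class RefChainCheckDemo {

    // Returns a copy of the chain with targetId appended, or throws if following
    // the reference would create a loop or exceed maxDepth.
    static Deque<String> extend(Deque<String> ancestors, String targetId, int maxDepth) {
        // IDs only: a second occurrence of the same PolicySetId is a loop,
        // whatever version the reference asks for.
        if (ancestors.contains(targetId)) {
            throw new IllegalArgumentException(
                "PolicySetIdReference loop: " + String.join(" -> ", ancestors) + " -> " + targetId);
        }
        // Assumption: depth = number of references followed from the root,
        // which equals the number of ancestors already in the chain.
        if (ancestors.size() > maxDepth) {
            throw new IllegalArgumentException(
                "PolicySetIdReference depth " + ancestors.size() + " exceeds max " + maxDepth);
        }
        // ArrayDeque iterates first-to-last, so addLast keeps root-to-leaf order
        // for the error message; each branch gets its own copy of the chain.
        Deque<String> chain = new ArrayDeque<>(ancestors);
        chain.addLast(targetId);
        return chain;
    }

    // Follows every reference reachable from id, validating the chain at each hop.
    static void resolve(String id, Map<String, List<String>> refs, Deque<String> ancestors, int maxDepth) {
        Deque<String> chain = extend(ancestors, id, maxDepth);
        for (String child : refs.getOrDefault(id, List.of())) {
            resolve(child, refs, chain, maxDepth);
        }
    }

    static String check(Map<String, List<String>> refs, int maxDepth) {
        try {
            resolve("root", refs, new ArrayDeque<>(), maxDepth);
            return "accepted";
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample graphs: PolicySetId -> PolicySetIds it references.
        Map<String, List<String>> diamond = Map.of("root", List.of("ps-a", "ps-b"), "ps-a", List.of("ps-b"));
        Map<String, List<String>> loop = Map.of("root", List.of("ps-a"), "ps-a", List.of("ps-b"), "ps-b", List.of("ps-a"));
        System.out.println(check(diamond, 5)); // ps-b reached by two paths: not a loop
        System.out.println(check(loop, 5));    // ps-a is its own ancestor
        System.out.println(check(diamond, 1)); // root -> ps-a -> ps-b is two references deep
    }
}
```

The chain is per path rather than a global "visited" set, so a PolicySet referenced from two different parents is accepted while a PolicySet that reappears among its own ancestors is not.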