Class RuleEvaluator
- java.lang.Object
  - org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator
- All Implemented Interfaces: org.ow2.authzforce.core.pdp.api.Decidable

public final class RuleEvaluator extends Object implements org.ow2.authzforce.core.pdp.api.Decidable

Evaluates a XACML Rule to a Decision.
- Version: $Id: $
Constructor Summary
- RuleEvaluator(oasis.names.tc.xacml._3_0.core.schema.wd_17.Rule ruleElt, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> xPathCompiler): Instantiates rule from XACML RuleType
Method Summary
All Methods / Instance Methods / Concrete Methods (modifier and type, method, description):
- org.ow2.authzforce.core.pdp.api.DecisionResult evaluate(org.ow2.authzforce.core.pdp.api.EvaluationContext context, Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext): Evaluates the rule against the supplied context.
- oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType getEffect(): Get evaluated rule Effect (Permit/Deny) when applicable
- String getRuleId(): Get evaluated rule ID
- boolean hasAnyPepAction(): Does the rule have any PEP action (obligation/advice)?
- boolean isAlwaysApplicable(): Is the rule always applicable, i.e.
- boolean isEmptyEquivalent(): Is the rule (equivalent to) an empty rule? I.e.
- String toString()
Constructor Detail
RuleEvaluator
public RuleEvaluator(oasis.names.tc.xacml._3_0.core.schema.wd_17.Rule ruleElt, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> xPathCompiler) throws IllegalArgumentException
Instantiates rule from XACML RuleType
- Parameters:
  - ruleElt - Rule element definition
  - xPathCompiler - XPath compiler, defined if XPath support is enabled (by PDP configuration, and some enclosing Policy(Set) defines an XPathVersion according to the XACML standard)
  - expressionFactory - Expression parser/factory
- Throws:
  - IllegalArgumentException - Invalid Target, Condition or Obligation/Advice expressions
Method Detail
-
getRuleId
public String getRuleId()
Get evaluated rule ID
- Returns: evaluated rule ID
-
getEffect
public oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType getEffect()
Get evaluated rule Effect (Permit/Deny) when applicable
- Returns: evaluated rule Effect
-
isAlwaysApplicable
public boolean isAlwaysApplicable()
Is the rule always applicable, i.e. applies to all requests, i.e. the rule's Target matches all, and the condition is undefined or always evaluates to True?
Knowing that a rule is always applicable is useful for optimizing combining algorithm evaluators at initialization time, e.g. First-applicable algorithm.
- Returns: true iff it has no PEP action
-
hasAnyPepAction
public boolean hasAnyPepAction()
Does the rule have any PEP action (obligation/advice)?
Knowing that a rule has no PEP action is useful for optimizing combining algorithm evaluators at initialization time, e.g. deny-unless-permit/permit-unless-deny algorithms.
- Returns: true iff it has any PEP action
-
isEmptyEquivalent
public boolean isEmptyEquivalent()
Is the rule (equivalent to) an empty rule? I.e. the rule's Target matches all, the condition is undefined or always evaluates to True, and there is no PEP action (obligation/advice), in other words the rule always evaluates to the simple Permit/Deny decision corresponding to its Effect.
Knowing that a rule is empty(-equivalent) is useful for optimizing combining algorithm evaluators at initialization time, e.g. (ordered-)permit-overrides/deny-overrides algorithms.
- Returns: true iff it is empty equivalent (empty rule or equivalent to an empty rule)
-
evaluate
public org.ow2.authzforce.core.pdp.api.DecisionResult evaluate(org.ow2.authzforce.core.pdp.api.EvaluationContext context, Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext)
Evaluates the rule against the supplied context. This will check that the target matches, and then try to evaluate the condition. If the target and condition apply, then the rule's effect is returned.
Note that rules are not required to have targets. If no target is specified, then the rule inherits its parent's target. In the event that this RuleEvaluator has no Target, the match is assumed to be true, since evaluating a policy tree to this level required the parent's target to match. At debug level, this method logs the evaluation result before returning. Indeterminate results are logged at warn level only (which "includes" debug level).
- Specified by: evaluate in interface org.ow2.authzforce.core.pdp.api.Decidable
-
-
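The evaluation order described for evaluate, together with the isAlwaysApplicable and isEmptyEquivalent shortcuts, as an added example that is not AuthzForce code. It is a simplified stand-alone model: RuleModel, its fields and the attribute map are hypothetical, an absent Target or Condition stands in for "matches all" / "always True", and any evaluation error is mapped to Indeterminate as in the XACML standard.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Predicate;

/** Simplified model of XACML rule evaluation (illustration only, not AuthzForce's RuleEvaluator). */
public class RuleModel {
    enum Effect { PERMIT, DENY }
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }

    private final Effect effect;
    private final Optional<Predicate<Map<String, String>>> target;    // empty: parent's match applies
    private final Optional<Predicate<Map<String, String>>> condition; // empty: no Condition
    private final boolean hasPepAction;                               // obligation/advice present

    RuleModel(Effect effect, Optional<Predicate<Map<String, String>>> target,
              Optional<Predicate<Map<String, String>>> condition, boolean hasPepAction) {
        this.effect = effect; this.target = target;
        this.condition = condition; this.hasPepAction = hasPepAction;
    }

    Decision evaluate(Map<String, String> request) {
        try {
            // Target first, then Condition; an absent one is treated as a match.
            if (target.isPresent() && !target.get().test(request)) return Decision.NOT_APPLICABLE;
            if (condition.isPresent() && !condition.get().test(request)) return Decision.NOT_APPLICABLE;
        } catch (RuntimeException e) {
            // Any evaluation error (e.g. a missing attribute) is Indeterminate,
            // never a silent fall-through to the rule's Effect.
            return Decision.INDETERMINATE;
        }
        return effect == Effect.PERMIT ? Decision.PERMIT : Decision.DENY;
    }

    // Conservative approximations of the page's predicates: only absent Target/Condition count.
    boolean isAlwaysApplicable() { return !target.isPresent() && !condition.isPresent(); }
    boolean isEmptyEquivalent() { return isAlwaysApplicable() && !hasPepAction; }

    public static void main(String[] args) {
        // Constructed sample rule: Permit when role == admin; the attribute is required.
        Predicate<Map<String, String>> isAdmin = req -> req.get("role").equals("admin");
        RuleModel rule = new RuleModel(Effect.PERMIT, Optional.empty(), Optional.of(isAdmin), false);
        System.out.println(rule.evaluate(Map.of("role", "admin")));  // condition true
        System.out.println(rule.evaluate(Map.of("role", "guest")));  // condition false
        System.out.println(rule.evaluate(Map.of()));                 // attribute missing
        RuleModel denyAll = new RuleModel(Effect.DENY, Optional.empty(), Optional.empty(), false);
        System.out.println(denyAll.isEmptyEquivalent() + " " + denyAll.evaluate(Map.of()));
    }
}
```

The missing-attribute case is the one to watch when reviewing policies: it must surface as Indeterminate so that the combining algorithm, not the rule, decides how to fail.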