Class RuleEvaluator

  • All Implemented Interfaces:
    org.ow2.authzforce.core.pdp.api.Decidable

    public final class RuleEvaluator
    extends Object
    implements org.ow2.authzforce.core.pdp.api.Decidable
    Evaluates a XACML Rule to a Decision.
    • Constructor Summary

      Constructor:
      RuleEvaluator(oasis.names.tc.xacml._3_0.core.schema.wd_17.Rule ruleElt, org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory, Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> xPathCompiler)
      Description: Instantiates a rule from a XACML Rule element (RuleType)
    • Constructor Detail

      • RuleEvaluator

        public RuleEvaluator(oasis.names.tc.xacml._3_0.core.schema.wd_17.Rule ruleElt,
                             org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory expressionFactory,
                             Optional<org.ow2.authzforce.core.pdp.api.expression.XPathCompilerProxy> xPathCompiler)
                      throws IllegalArgumentException
        Instantiates a rule from a XACML Rule element (RuleType)
        Parameters:
        ruleElt - Rule element definition
        expressionFactory - Expression parser/factory
        xPathCompiler - XPath compiler; present only if XPath support is enabled in the PDP configuration and some enclosing Policy(Set) defines an XPathVersion as required by the XACML standard
        Throws:
        IllegalArgumentException - Invalid Target, Condition or Obligation/Advice expressions
    • Method Detail

      • getRuleId

        public String getRuleId()
        Get evaluated rule ID
        Returns:
        evaluated rule ID
      • getEffect

        public oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType getEffect()
        Get evaluated rule Effect (Permit/Deny) when applicable
        Returns:
        evaluated rule Effect
      • isAlwaysApplicable

        public boolean isAlwaysApplicable()
        Is the rule always applicable, i.e. does it apply to every request? This is the case when the rule's Target matches all requests and the Condition is either undefined or always evaluates to True.

        Knowing that a rule is always applicable is useful for optimizing combining algorithm evaluators at initialization time, e.g. the first-applicable algorithm, where every rule after an always-applicable one can never be reached.

        Returns:
        true iff the rule is always applicable
      • hasAnyPepAction

        public boolean hasAnyPepAction()
        Does the rule have any PEP action (obligation/advice)?

        Knowing that a rule has no PEP action is useful for optimizing combining algorithm evaluators at initialization time, e.g. deny-unless-permit/permit-unless-deny algorithms.

        Returns:
        true iff it has any PEP action
      • isEmptyEquivalent

        public boolean isEmptyEquivalent()
        Is the rule (equivalent to) an empty rule? That is, the rule's Target matches all requests, the Condition is undefined or always evaluates to True, and there is no PEP action (obligation/advice); in other words, the rule always evaluates to the simple Permit/Deny decision corresponding to its Effect.

        Knowing that a rule is empty(-equivalent) is useful for optimizing combining algorithm evaluators at initialization time, e.g. (ordered-)permit-overrides/deny-overrides algorithms.

        Returns:
        true iff it is empty equivalent (empty rule or equivalent to an empty rule)
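        The three properties above (isAlwaysApplicable, hasAnyPepAction, isEmptyEquivalent) exist so that combining algorithm evaluators can prune or short-circuit at initialization time. The following stand-alone Java model is an added example, not AuthzForce code: the RuleSummary record and the three pruning functions are assumptions chosen to illustrate what each property lets a first-applicable, deny-unless-permit or permit-overrides evaluator conclude without evaluating any target or condition. The sample rule set in main() is constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical model (not the AuthzForce API) of the rule-level optimisation flags. */
public final class RuleOptimisationDemo {

    enum Effect { PERMIT, DENY }

    /** Mirrors getEffect(), isAlwaysApplicable() and hasAnyPepAction() of a rule evaluator. */
    record RuleSummary(String ruleId, Effect effect, boolean alwaysApplicable, boolean hasPepAction) {
        /** Same definition as isEmptyEquivalent(): always applicable and no obligation/advice. */
        boolean isEmptyEquivalent() { return alwaysApplicable && !hasPepAction; }
    }

    /**
     * First-applicable: the first rule whose target and condition apply decides (an always
     * applicable rule yields its Effect or, on error, Indeterminate, both of which end the
     * algorithm). Every rule after it is therefore unreachable and can be dropped; reporting
     * the dropped rules is a cheap way to surface dead policy at deployment time.
     */
    static List<RuleSummary> reachableUnderFirstApplicable(List<RuleSummary> rules) {
        List<RuleSummary> kept = new ArrayList<>();
        for (RuleSummary r : rules) {
            kept.add(r);
            if (r.alwaysApplicable()) break;
        }
        return kept;
    }

    /**
     * Deny-unless-permit: any Permit wins, otherwise the result is Deny carrying the PEP
     * actions of the Deny rules. A Deny rule without any PEP action cannot change either the
     * decision or the returned obligations/advice, so it can be dropped at initialisation.
     * Permit-unless-deny is the mirror image (drop Permit rules without PEP actions).
     */
    static List<RuleSummary> pruneUnderDenyUnlessPermit(List<RuleSummary> rules) {
        List<RuleSummary> kept = new ArrayList<>();
        for (RuleSummary r : rules) {
            boolean deadDeny = r.effect() == Effect.DENY && !r.hasPepAction();
            if (!deadDeny) kept.add(r);
        }
        return kept;
    }

    /**
     * Permit-overrides: one empty-equivalent Permit rule fixes the decision to Permit for
     * every request. Only the decision is known up front; PEP actions of the other Permit
     * rules still have to be collected by evaluating them.
     */
    static boolean decisionFixedUnderPermitOverrides(List<RuleSummary> rules) {
        return rules.stream().anyMatch(r -> r.effect() == Effect.PERMIT && r.isEmptyEquivalent());
    }

    public static void main(String[] args) {
        // Constructed sample rule set; rule IDs and flags are made up for the demo.
        List<RuleSummary> rules = List.of(
                new RuleSummary("admin-permit", Effect.PERMIT, false, false),
                new RuleSummary("catch-all-deny", Effect.DENY, true, false),
                new RuleSummary("audit-deny", Effect.DENY, false, true),
                new RuleSummary("late-permit", Effect.PERMIT, false, false));

        // first-applicable: "audit-deny" and "late-permit" are unreachable behind the catch-all.
        System.out.println("first-applicable keeps: "
                + reachableUnderFirstApplicable(rules).stream().map(RuleSummary::ruleId).toList());
        // deny-unless-permit: "catch-all-deny" has no PEP action and is dropped; "audit-deny" stays.
        System.out.println("deny-unless-permit keeps: "
                + pruneUnderDenyUnlessPermit(rules).stream().map(RuleSummary::ruleId).toList());
        // permit-overrides: no empty-equivalent Permit rule, so the decision is not fixed.
        System.out.println("permit-overrides decision fixed: " + decisionFixedUnderPermitOverrides(rules));
    }
}
```

        Compile and run with `javac RuleOptimisationDemo.java && java RuleOptimisationDemo` (Java 17 or later, for records and `Stream.toList()`). The first-applicable check is the one worth wiring into a policy linter: rules shadowed by an always-applicable catch-all are a common source of policies that look stricter than they are.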
      • evaluate

        public org.ow2.authzforce.core.pdp.api.DecisionResult evaluate​(org.ow2.authzforce.core.pdp.api.EvaluationContext context,
                                                                       Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext)
        Evaluates the rule against the supplied context. This first checks that the Target matches, then tries to evaluate the Condition. If both the Target and the Condition apply, the rule's Effect is returned.

        Note that rules are not required to have Targets. If no Target is specified, the rule inherits its parent's Target. When this RuleEvaluator has no Target, the match is assumed to be true, since evaluating the policy tree down to this level already required the parent's Target to match. At debug level, this method logs the evaluation result before returning. Indeterminate results are logged at warn level only (which "includes" debug level).

        Specified by:
        evaluate in interface org.ow2.authzforce.core.pdp.api.Decidable
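        The Target-then-Condition ladder described for evaluate(), written out as an added stand-alone Java model rather than AuthzForce code. It follows the XACML 3.0 rule evaluation table (Target Match/No-match/Indeterminate crossed with Condition True/False/Indeterminate); the enum names, the use of Optional for a missing Target or Condition, and the logLevelFor helper are assumptions made for this illustration, and the calls in main() are constructed inputs.

```java
import java.util.Optional;

/** Hypothetical model (not the AuthzForce API) of a single rule's decision ladder. */
public final class RuleDecisionDemo {

    enum Effect { PERMIT, DENY }
    enum TargetMatch { MATCH, NO_MATCH, INDETERMINATE }
    enum ConditionResult { TRUE, FALSE, INDETERMINATE }
    /** Indeterminate carries the Effect the rule would have had (Indeterminate{P} / {D}). */
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE_P, INDETERMINATE_D }

    /**
     * targetMatch is empty when the rule has no Target: the match is then assumed, because the
     * enclosing policy's Target had to match for evaluation to reach this rule.
     * condition is empty when the rule has no Condition, which XACML treats as True.
     */
    static Decision evaluate(Effect effect, Optional<TargetMatch> targetMatch,
                             Optional<ConditionResult> condition) {
        TargetMatch target = targetMatch.orElse(TargetMatch.MATCH);
        if (target == TargetMatch.NO_MATCH) {
            return Decision.NOT_APPLICABLE;            // condition is not evaluated at all
        }
        ConditionResult cond = condition.orElse(ConditionResult.TRUE);
        return switch (cond) {
            case FALSE -> Decision.NOT_APPLICABLE;     // even if the Target was Indeterminate
            case INDETERMINATE -> indeterminate(effect);
            case TRUE -> target == TargetMatch.MATCH ? decisionOf(effect) : indeterminate(effect);
        };
    }

    static Decision decisionOf(Effect e) {
        return e == Effect.PERMIT ? Decision.PERMIT : Decision.DENY;
    }

    static Decision indeterminate(Effect e) {
        return e == Effect.PERMIT ? Decision.INDETERMINATE_P : Decision.INDETERMINATE_D;
    }

    /** Mirrors the logging policy stated above: Indeterminate at WARN, everything else at DEBUG. */
    static String logLevelFor(Decision d) {
        return (d == Decision.INDETERMINATE_P || d == Decision.INDETERMINATE_D) ? "WARN" : "DEBUG";
    }

    public static void main(String[] args) {
        // Constructed cases covering each row of the rule evaluation table.
        Decision[] cases = {
            evaluate(Effect.DENY, Optional.empty(), Optional.empty()),                       // DENY
            evaluate(Effect.PERMIT, Optional.of(TargetMatch.MATCH), Optional.of(ConditionResult.TRUE)),   // PERMIT
            evaluate(Effect.PERMIT, Optional.of(TargetMatch.MATCH), Optional.of(ConditionResult.FALSE)),  // NOT_APPLICABLE
            evaluate(Effect.PERMIT, Optional.of(TargetMatch.NO_MATCH), Optional.of(ConditionResult.TRUE)),// NOT_APPLICABLE
            evaluate(Effect.DENY, Optional.of(TargetMatch.INDETERMINATE), Optional.of(ConditionResult.TRUE)),    // INDETERMINATE_D
            evaluate(Effect.DENY, Optional.of(TargetMatch.INDETERMINATE), Optional.of(ConditionResult.FALSE)),   // NOT_APPLICABLE
            evaluate(Effect.PERMIT, Optional.of(TargetMatch.MATCH), Optional.of(ConditionResult.INDETERMINATE)), // INDETERMINATE_P
        };
        for (Decision d : cases) {
            System.out.println(logLevelFor(d) + " rule evaluation result: " + d);
        }
    }
}
```

        Run with `javac RuleDecisionDemo.java && java RuleDecisionDemo` (Java 14 or later, for switch expressions). The case worth noting for anyone reading PDP logs is the fifth one: an Indeterminate Target with a True Condition still yields Indeterminate, so a single broken attribute lookup in a Target shows up at WARN level even though the Condition itself was fine.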