From 85b559f72916ab96dbb4e3b81e70735768b8016a Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Feb 2022 03:06:57 +0100 Subject: [PATCH 01/14] updating poms for 19.0.1-SNAPSHOT development --- pdp-cli/pom.xml | 8 ++++---- pdp-engine/pom.xml | 5 ++--- pdp-io-xacml-json/pom.xml | 2 +- pdp-testutils/pom.xml | 6 +++--- pom.xml | 2 +- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/pdp-cli/pom.xml b/pdp-cli/pom.xml index 36ea7c13..a8ca1315 100644 --- a/pdp-cli/pom.xml +++ b/pdp-cli/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-cli @@ -30,12 +30,12 @@ org.ow2.authzforce authzforce-ce-core-pdp-engine - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT org.testng @@ -49,7 +49,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-testutils - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT test diff --git a/pdp-engine/pom.xml b/pdp-engine/pom.xml index b25e48d1..12b1455e 100644 --- a/pdp-engine/pom.xml +++ b/pdp-engine/pom.xml @@ -1,10 +1,9 @@ - + 4.0.0 org.ow2.authzforce authzforce-ce-core - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-engine diff --git a/pdp-io-xacml-json/pom.xml b/pdp-io-xacml-json/pom.xml index 640900bb..3cb8c5f0 100644 --- a/pdp-io-xacml-json/pom.xml +++ b/pdp-io-xacml-json/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-io-xacml-json diff --git a/pdp-testutils/pom.xml b/pdp-testutils/pom.xml index bf21fe7e..a6919633 100644 --- a/pdp-testutils/pom.xml +++ b/pdp-testutils/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-testutils 
@@ -23,12 +23,12 @@ ${project.groupId} ${artifactId.prefix}-core-pdp-engine - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT compile diff --git a/pom.xml b/pom.xml index f051272a..4aa68b9d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 8.2.0 authzforce-ce-core - 18.0.1-SNAPSHOT + 19.0.1-SNAPSHOT pom ${project.groupId}:${project.artifactId} AuthzForce - XACML-compliant Core PDP Engine and associated test modules From 6fd4d67c5503f2f3cfa5f50defc50ddf8a972387 Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Feb 2022 03:25:22 +0100 Subject: [PATCH 02/14] updating develop poms to master versions to avoid merge conflicts --- pdp-cli/pom.xml | 8 ++++---- pdp-engine/pom.xml | 2 +- pdp-io-xacml-json/pom.xml | 2 +- pdp-testutils/pom.xml | 6 +++--- pom.xml | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pdp-cli/pom.xml b/pdp-cli/pom.xml index a8ca1315..bd25ce5e 100644 --- a/pdp-cli/pom.xml +++ b/pdp-cli/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 19.0.0 ../pom.xml authzforce-ce-core-pdp-cli @@ -30,12 +30,12 @@ org.ow2.authzforce authzforce-ce-core-pdp-engine - 19.0.1-SNAPSHOT + 19.0.0 org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.1-SNAPSHOT + 19.0.0 org.testng @@ -49,7 +49,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-testutils - 19.0.1-SNAPSHOT + 19.0.0 test diff --git a/pdp-engine/pom.xml b/pdp-engine/pom.xml index 12b1455e..b266a4bb 100644 --- a/pdp-engine/pom.xml +++ b/pdp-engine/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 19.0.0 ../pom.xml authzforce-ce-core-pdp-engine diff --git a/pdp-io-xacml-json/pom.xml b/pdp-io-xacml-json/pom.xml index 3cb8c5f0..fdeb57bb 100644 --- a/pdp-io-xacml-json/pom.xml +++ b/pdp-io-xacml-json/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 19.0.0 ../pom.xml authzforce-ce-core-pdp-io-xacml-json 
diff --git a/pdp-testutils/pom.xml b/pdp-testutils/pom.xml index a6919633..6591e0a0 100644 --- a/pdp-testutils/pom.xml +++ b/pdp-testutils/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 19.0.0 ../pom.xml authzforce-ce-core-pdp-testutils @@ -23,12 +23,12 @@ ${project.groupId} ${artifactId.prefix}-core-pdp-engine - 19.0.1-SNAPSHOT + 19.0.0 org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.1-SNAPSHOT + 19.0.0 compile diff --git a/pom.xml b/pom.xml index 4aa68b9d..f161509a 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 8.2.0 authzforce-ce-core - 19.0.1-SNAPSHOT + 19.0.0 pom ${project.groupId}:${project.artifactId} AuthzForce - XACML-compliant Core PDP Engine and associated test modules From b26e299caadd3fd8c1acb1af3d493a034288ef70 Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Feb 2022 03:25:23 +0100 Subject: [PATCH 03/14] Updating develop poms back to pre merge state --- pdp-cli/pom.xml | 8 ++++---- pdp-engine/pom.xml | 2 +- pdp-io-xacml-json/pom.xml | 2 +- pdp-testutils/pom.xml | 6 +++--- pom.xml | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pdp-cli/pom.xml b/pdp-cli/pom.xml index bd25ce5e..a8ca1315 100644 --- a/pdp-cli/pom.xml +++ b/pdp-cli/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.0 + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-cli @@ -30,12 +30,12 @@ org.ow2.authzforce authzforce-ce-core-pdp-engine - 19.0.0 + 19.0.1-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.0 + 19.0.1-SNAPSHOT org.testng @@ -49,7 +49,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-testutils - 19.0.0 + 19.0.1-SNAPSHOT test diff --git a/pdp-engine/pom.xml b/pdp-engine/pom.xml index b266a4bb..12b1455e 100644 --- a/pdp-engine/pom.xml +++ b/pdp-engine/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.0 + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-engine 
diff --git a/pdp-io-xacml-json/pom.xml b/pdp-io-xacml-json/pom.xml index fdeb57bb..3cb8c5f0 100644 --- a/pdp-io-xacml-json/pom.xml +++ b/pdp-io-xacml-json/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.0 + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-io-xacml-json diff --git a/pdp-testutils/pom.xml b/pdp-testutils/pom.xml index 6591e0a0..a6919633 100644 --- a/pdp-testutils/pom.xml +++ b/pdp-testutils/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.0 + 19.0.1-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-testutils @@ -23,12 +23,12 @@ ${project.groupId} ${artifactId.prefix}-core-pdp-engine - 19.0.0 + 19.0.1-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.0 + 19.0.1-SNAPSHOT compile diff --git a/pom.xml b/pom.xml index f161509a..4aa68b9d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 8.2.0 authzforce-ce-core - 19.0.0 + 19.0.1-SNAPSHOT pom ${project.groupId}:${project.artifactId} AuthzForce - XACML-compliant Core PDP Engine and associated test modules From a2a64f848f55f5907af5ff9d34f8aac4935668c9 Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Feb 2022 17:37:41 +0100 Subject: [PATCH 04/14] - Improved README on new features --- CONTRIBUTING.md | 23 ++++++++++++----------- README.md | 24 +++++++++++++++++++++++- pdp-engine/src/main/resources/pdp.xsd | 2 +- 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4ba59e20..ba982c33 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -23,7 +23,7 @@ You may build the project and generate the JAR as follows from your local copy o Note that you must use Java 8 to run Maven when building the project. ### Dependency management -1. No SNAPSHOT dependencies on "develop" and obviously "master" branches +No SNAPSHOT dependencies allowed on "develop" and "master" branches. ### Releasing 1. From the develop branch, prepare a release (example using an HTTP proxy): 
@@ -31,16 +31,17 @@ Note that you must use Java 8 to run Maven when building the project. $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-start 1. Update the CHANGELOG according to keepachangelog.com. -1. To perform the release (example using an HTTP proxy): -

+2. To perform the release (example using an HTTP proxy):
+   

     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-finish
-
+
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment: -

+   

     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 -DnoDeploy=true jgitflow:release-finish
-
-1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/ -1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish` -1. Click the Release button to release to Maven Central. - -More info on jgitflow: http://jgitflow.bitbucket.org/ +
+ More info on jgitflow: http://jgitflow.bitbucket.org/ +3. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/ +4. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish` +5. Click the Release button to release to Maven Central. +6. Create a new Release on GitHub (copy-paste the description from previous releases and update the versions) +7. If the [PDP configuration XSD](pdp-engine/src/main/resources/pdp.xsd) has changed with the new release, publish the new schema document in HTML form on https://authzforce.github.io (example for XSD version 8.1) by following the instructions here: https://github.com/authzforce/authzforce.github.io#generating-documentation-for-pdp-configuration-xsd . diff --git a/README.md b/README.md index 10128f0c..814f3c04 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,9 @@ AuthzForce Core may be used in the following ways: * [XACML v3.0 - Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890) (`urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision`). *For further details on what is actually supported regarding the XACML specifications, please refer to the conformance tests [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md).* -* [GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic). +* Enhancements to the XACML standard: + * [GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic). + * Support `` (indirectly) in ``/`` elements: this feature is a workaround for a limitation in XACML schema which does not allow Variables (``) in `Match` elements; i.e. the feature allows policy writers to use an equivalent of ``s in `` elements (without changing the XACML schema) through a special kind of `` (specific `Category`, and `AttributeId` is used as `VariableId`). More details in the Usage section below. * Interfaces: * Java API: basically a library for instantiating and using a PDP engine from your Java (or any Java-compatible) code; * CLI (Command-Line Interface): basically an executable that you can run from the command-line to test the engine; 
@@ -224,6 +226,26 @@ Our PDP implementation uses SLF4J for logging, so you can use any SLF4J implemen For an example of using an AuthzForce PDP engine in a real-life use case, please refer to the JUnit test class [EmbeddedPdpBasedAuthzInterceptorTest](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptorTest.java) and the Apache CXF authorization interceptor [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java). The test class runs a test similar to @coheigea's [XACML 3.0 Authorization Interceptor test](https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-sts-xacml/src/test/java/org/apache/coheigea/cxf/sts/xacml/authorization/xacml3/XACML3AuthorizationTest.java) but using AuthzForce as PDP engine instead of OpenAZ. In this test, a web service client requests an Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java) that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision from a local PDP with these attributes, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it. For more information, see the Javadoc of [EmbeddedPdpBasedAuthzInterceptorTest](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptorTest.java). 
+### Providing current-dateTime, current-date and current-time attributes +By default, the PDP provides the standard environment attributes specified in XACML 3.0 Core specification §10.2.5 (current-time, current-date and current-dateTime) only if they are not provided in the request (from the PEP). This behavior is compliant with XACML 3.0 standard which says (§10.2.5): +>If + values for these + attributes are not present in + the decision request, + then their + values MUST be supplied + by the + context + handler. + +Note that it does **not** say *if and only if*, therefore it is also possible and XACML-compliant to make the PDP use its own current-* values (current-time, etc.) all the time, regardless of the request values. This option is referred to as the *override mode*, and it is particularly useful when you do not trust the PEPs (requesters) to provide their own current date/time. You can enable this override mode by configuring an `attributeProvider` of type `StdEnvAttributeProviderDescriptor` with `true` in the PDP configuration, as you can see in [this example (link)](pdp-testutils/src/test/resources/custom/StdEnvAttributeProvider.PDP_ONLY/pdp.xml). More information in the [PDP configuration schema](pdp-engine/src/main/resources/pdp.xsd) ( [HTML form - select the *tns:pdp* element](https://authzforce.github.io/pdp.xsd/8.1) ). + +### Using Variables (VariableReference) in Target/Match +In XACML policies (Policy or PolicySet), as defined by the XACML schema, a `` may only include an `AttributeValue` and an `AttributeDesignator` or `AttributeSelector`; `VariableReference`s are not allowed, which makes it a limitation when you want to match a Variable (from a `VariableDefinition`) in a `Target`. 
AuthzForce provides a XACML-compliant workaround for this, which consists in enabling a `XacmlVariableBasedAttributeProvider` with a defined Category (see the [PDP configuration XSD](pdp-engine/src/main/resources/pdp.xsd) ( [HTML form - select the *tns:pdp* element](https://authzforce.github.io/pdp.xsd/8.1) for the default Category). As a result, any `` in that Category is handled like a `VariableReference`, with the `AttributeId` used as `VariableId`. + +The configuration of the `XacmlVariableBasedAttributeProvider` in the PDP is shown in [this example (link)](pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/pdp.xml) (`attributeProvider` of type `XacmlVarBasedAttributeProviderDescriptor`), applied to some Category `urn:ow2:authzforce:attribute-category:vars`. Then in the [this policy sample (link)](pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/policies/policy.xml), you can see an `` which will be handled like ``. + + ## Extensions Experimental features (see [Features](#Features) section) are provided as extensions. If you want to use them, you need to use this Maven dependency (which depends on the `authzforce-ce-core-pdp-engine` already) instead: * groupId: `org.ow2.authzforce`; diff --git a/pdp-engine/src/main/resources/pdp.xsd b/pdp-engine/src/main/resources/pdp.xsd index eebffe96..682157f0 100644 --- a/pdp-engine/src/main/resources/pdp.xsd +++ b/pdp-engine/src/main/resources/pdp.xsd @@ -1033,7 +1033,7 @@

Provides the standard environment attributes specified in XACML 3.0 Core specification, §10.2.5: current-time, current-date and current-dateTime. - By default, the PDP engine does not set these attributes on its own and only takes the ones from the request. Therefore, you need to enable this AttributeProvider for strict compliance with XACML 3.0 standard (§10.2.5): If + By default, the PDP engine does not set these attributes on its own and only takes the ones from the request. This AttributeProvider is enabled with override='false' whenever standardAttributeProvidersEnabled='true', ensuring strict compliance with XACML 3.0 standard (§10.2.5): If values for these attributes are not present in the decision request, From 7b8f875cdc74d111450f3d14f743db5a54002f28 Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Feb 2022 18:28:05 +0100 Subject: [PATCH 05/14] - Fixed typo in CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 07a81f7e..26199330 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,7 +43,7 @@ All notable changes to this project are documented in this file following the [K - [GH-62]: Refactored the provisioning of standard environment attributes `current-dateTime`, `current-date` and `current-time`: - Now implemented by a new built-in AttributeProvider (`StandardEnvironmentAttributeProvider` class) which can be customized (to override or not the request values) in the PDP configuration with an `attributeProvider` of type `StdEnvAttributeProviderDescriptor`. - `authzforce-ce-core-pdp-testutils` module: upgraded jongo dependency to 1.5.0, mongo-java-driver to 3.12.10 -- `authzforce-ce-core-pdp-cli` module: upgraded picocli to 4.6.2, testng to 7.5 +- `authzforce-ce-core-pdp-cli` module: upgraded picocli to 4.6.2, testng to 6.14.3 - `authzforce-ce-parent` upgraded to 8.1.0 ### Added From 5714f760504dcb1a59c7c25f7275825a871e21ef Mon Sep 17 00:00:00 2001 
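Review bot: The rewritten sentence says when this provider runs with override='false' but not what that default implies for trust: with override='false' the request's current-time/current-date/current-dateTime are used whenever present, so whoever submits the request decides the clock that time-based rules are evaluated against. The README hunk earlier in this commit already states that override mode is for PEPs you do not trust to supply date/time; this annotation is what the published schema documentation is generated from, so it should carry the same caveat. Suggest appending after the quoted §10.2.5 text: `Note that with override='false', request-supplied values take precedence, so time-based conditions depend on the requester's clock; set override='true' if PEPs are not trusted to provide correct date/time.` The annotation element continues beyond the hunk.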
From: cdanger Date: Tue, 8 Feb 2022 02:36:38 +0100 Subject: [PATCH 06/14] - Fixed license issues reported by FOSSA --- ...org.ow2.authzforce.core.product.properties | 19 --------------- .../xacml/common/CommonCallbackHandler.java | 23 +------------------ pdp-testutils/src/test/resources.json/ivy.xml | 20 ---------------- .../xacml-common-xml-to-json.xsl | 15 ++++++++---- .../xacml-request-xml-to-json.xsl | 16 +++++++++---- .../xacml-response-xml-to-json.xsl | 16 +++++++++---- 6 files changed, 36 insertions(+), 73 deletions(-) diff --git a/pdp-cli/src/org.ow2.authzforce.core.product.properties b/pdp-cli/src/org.ow2.authzforce.core.product.properties index b7220329..e6f44c63 100644 --- a/pdp-cli/src/org.ow2.authzforce.core.product.properties +++ b/pdp-cli/src/org.ow2.authzforce.core.product.properties @@ -1,21 +1,2 @@ -# -# Copyright (C) 2012-2017 Thales Services SAS. -# -# This file is part of AuthzForce CE. -# -# AuthzForce CE is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# AuthzForce CE is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with AuthzForce CE. If not, see . -# - version=${project.version} diff --git a/pdp-testutils/src/test/java/org/apache/coheigea/cxf/sts/xacml/common/CommonCallbackHandler.java b/pdp-testutils/src/test/java/org/apache/coheigea/cxf/sts/xacml/common/CommonCallbackHandler.java index ab18d051..b72d3e63 100644 --- a/pdp-testutils/src/test/java/org/apache/coheigea/cxf/sts/xacml/common/CommonCallbackHandler.java 
+++ b/pdp-testutils/src/test/java/org/apache/coheigea/cxf/sts/xacml/common/CommonCallbackHandler.java @@ -1,30 +1,9 @@ -/** - * Copyright (C) 2012-2017 Thales Services SAS. - * - * This file is part of AuthZForce CE. - * - * AuthZForce CE is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * AuthZForce CE is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with AuthZForce CE. If not, see . - */ package org.apache.coheigea.cxf.sts.xacml.common; -import java.io.IOException; +import org.apache.wss4j.common.ext.WSPasswordCallback; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.UnsupportedCallbackException; - -import org.apache.wss4j.common.ext.WSPasswordCallback; public class CommonCallbackHandler implements CallbackHandler { diff --git a/pdp-testutils/src/test/resources.json/ivy.xml b/pdp-testutils/src/test/resources.json/ivy.xml index 07c7f80d..d9873abe 100644 --- a/pdp-testutils/src/test/resources.json/ivy.xml +++ b/pdp-testutils/src/test/resources.json/ivy.xml @@ -1,24 +1,4 @@ - - + diff --git a/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl b/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl index 4723c97a..10a6a948 100644 --- a/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl +++ b/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl @@ -1,8 +1,16 @@ - + 
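Review bot: Removing the GPL header leaves CommonCallbackHandler.java with no license notice at all, which is unlikely to be what the FOSSA finding asked for: the file lives in the `org.apache.coheigea` package and the README in this series credits @coheigea's CXF test cases, so the finding was presumably a header that did not match the upstream license, and the fix should put the upstream's notice and attribution in its place rather than leave it blank. The import block also drops `java.io.IOException` and `javax.security.auth.callback.UnsupportedCallbackException`; that compiles only if `handle(Callback[])` no longer references them, and the class body is outside the hunk, so please confirm. The diffstat (1 insertion, 22 deletions) suggests nothing else in the file changed.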
diff --git a/pdp-testutils/src/test/resources.json/xacml-response-xml-to-json.xsl b/pdp-testutils/src/test/resources.json/xacml-response-xml-to-json.xsl index 278b841e..2f6039fd 100644 --- a/pdp-testutils/src/test/resources.json/xacml-response-xml-to-json.xsl +++ b/pdp-testutils/src/test/resources.json/xacml-response-xml-to-json.xsl @@ -1,8 +1,16 @@ - + From 89a08017870567618a5abf88c397ec3dff33a894 Mon Sep 17 00:00:00 2001 From: Cyril Dangerville <1372580+cdanger@users.noreply.github.com> Date: Fri, 18 Feb 2022 15:43:16 +0100 Subject: [PATCH 07/14] Added XACML 2.0 to 3.0 migration instructions --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 814f3c04..cecf2512 100644 --- a/README.md +++ b/README.md 
@@ -60,6 +60,17 @@ AuthzForce Core may be used in the following ways: ## Limitations + +### XACML 2.0 support and migrating to XACML 3.0 +As mentioned in the Features section, we do not support XACML 2.0 but only XACML 3.0, and we strongly recommend you migrate to XACML 3.0 as XACML 2.0 has become obsolete. In order to help you in the migration from XACML 2.0 to 3.0, we provide a way to migrate all your XACML 2.0 policies to XACML 3.0 automatically by applying the XSLT stylesheets in the [migration](migration folder). First download the stylesheets `xacml2To3Policy.xsl` and `xacml3-policy-c14n.xsl` from that folder, then apply them to your XACML 2.0 policy files using any XSLT engine supporting XSLT 2.0. For example, using [SAXON-HE 9.x or later](https://www.saxonica.com/download/java.xml), you may do it as follows: + +```shell +$ XACML_20_POLICY_FILE="policy.xml" +$ java -jar /path/to/Saxon-HE-10.3.jar -xsl:xacml2To3Policy.xsl -s:$XACML_20_POLICY_FILE -o:/tmp/${XACML_20_POLICY_FILE}.new +$ java -jar /path/to/Saxon-HE-10.3.jar -xsl:xacml3-policy-c14n.xsl -s:/tmp/${XACML_20_POLICY_FILE}.new -o:$XACML_20_POLICY_FILE.new +``` + +### Optional XACML 3.0 features The following optional features from [XACML v3.0 Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) are not supported: * Elements `AttributesReferences`, `MultiRequests` and `RequestReference`; * Functions `urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal`, `urn:oasis:names:tc:xacml:3.0:function:xpath-node-match` and `urn:oasis:names:tc:xacml:3.0:function:access-permitted`; From bac064d6106803960381a84275fef32a4129ca07 Mon Sep 17 00:00:00 2001 
From: cdanger Date: Fri, 25 Feb 2022 02:45:07 +0100 Subject: [PATCH 08/14] - Fixed license issues - Added SPIF-to-XACML XSLT stylesheet --- migration/pdp-xsd-v7.xsl | 19 +- migration/spif-nato-example.xml | 274 ++++++++++++++++++ migration/spif2xacml.xsl | 163 +++++++++++ migration/xacml2To3Policy.xsl | 27 +- migration/xacml3-policy-c14n.xsl | 25 +- .../AttributeSelectorExpressions.java | 2 +- .../DepthLimitingExpressionFactory.java | 2 +- pdp-engine/src/main/resources/pdp.xsd | 2 +- ...g.ow2.authzforce.core.pdp.testutil.ext.xsd | 2 +- .../xacml-request-xml-to-json.xsl | 4 +- .../xacml-response-xml-to-json.xsl | 4 +- 11 files changed, 481 insertions(+), 43 deletions(-) create mode 100644 migration/spif-nato-example.xml create mode 100644 migration/spif2xacml.xsl diff --git a/migration/pdp-xsd-v7.xsl b/migration/pdp-xsd-v7.xsl index e95a5e24..a610d23f 100644 --- a/migration/pdp-xsd-v7.xsl +++ b/migration/pdp-xsd-v7.xsl 
@@ -1,10 +1,17 @@ - - - + + + + + + + + + + + + + + + + NATO UNCLASSIFIED + NATO RESTRICTED + + + NATO UNCLASSIFIED + NATO RESTRICTED + + + + + + + + + + NATO UNCLASSIFIED + + + NATO UNCLASSIFIED + + + NATO UNCLASSIFIED + + + NATO UNCLASSIFIED + + + + + + + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + noNameDisplay + + + + + + noNameDisplay + + + + + noNameDisplay + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/migration/spif2xacml.xsl b/migration/spif2xacml.xsl new file mode 100644 index 00000000..e7ea13ed --- /dev/null +++ b/migration/spif2xacml.xsl 
@@ -0,0 +1,163 @@ + + + + + + + + + + + + + + + Translated from SPIF: v. + Both PolicyIdentifiers from confidentiality clearance (subject) and label (resource) must match the SPIF's. + + + http://www.w3.org/TR/2007/REC-xpath20-20070123 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + READ + + + + + + + + + + + + + + + + + + + + + + + + WRITE + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of + + urn:oasis:names:tc:xacml:1.0:function:string-subset + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/migration/xacml2To3Policy.xsl b/migration/xacml2To3Policy.xsl index faff9409..62254f75 100644 --- a/migration/xacml2To3Policy.xsl +++ b/migration/xacml2To3Policy.xsl @@ -1,29 +1,26 @@ - + + diff --git a/migration/xacml3-policy-c14n.xsl b/migration/xacml3-policy-c14n.xsl index f22585b8..bd5f5a19 100644 --- a/migration/xacml3-policy-c14n.xsl +++ b/migration/xacml3-policy-c14n.xsl @@ -1,25 +1,22 @@ + diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/AttributeSelectorExpressions.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/AttributeSelectorExpressions.java index bc8005ca..20f58d09 100644 --- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/AttributeSelectorExpressions.java +++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/AttributeSelectorExpressions.java 
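Review bot: spif2xacml.xsl generates an access-control policy (its own header text says it is translated from the SPIF and that the clearance and label PolicyIdentifiers must match), yet the diffstat adds no test that runs the stylesheet on the bundled spif-nato-example.xml and evaluates the result. The choice near the end of the hunk between `urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of` and `urn:oasis:names:tc:xacml:1.0:function:string-subset` is exactly the kind of decision that silently over-grants if the wrong branch is taken, which a Permit/Deny check on a few clearance/label pairs would catch. A custom test directory under pdp-testutils/src/test/resources/custom (pdp.xml plus policies/ and request.xml, laid out like the XPath2.0 test added later in this series) would be the natural home for it. Much of the hunk text is stripped in this rendering, so the transform's logic itself could not be verified here.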
@@ -208,7 +208,7 @@ private ExtensibleAttributeSelectorExpression(final String attrSelectorCategory, // error messages/exceptions this.missingAttributeBecauseNullContextException = new IndeterminateEvaluationException("Missing request context for evaluating AttributeSelector '" + this.attributeSelectorId + "'", XacmlStatusCode.PROCESSING_ERROR.value()); - this.missingAttributesContentException = new IndeterminateEvaluationException(this + ": No element found in Attributes of Category=" + attributeCategory, + this.missingAttributesContentException = new IndeterminateEvaluationException(this + ": No element found in Attributes of Category='" + attributeCategory + "'", XacmlStatusCode.SYNTAX_ERROR.value()); this.mustBePresent = mustBePresent; diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java index 0cfc6c34..a2e2ba18 100644 --- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java +++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java 
@@ -250,7 +250,7 @@ private CompositeSingleNamedAttributeProvider(final AttributeFqn attributeName,
 private static final IllegalArgumentException MISSING_ATTRIBUTE_DESIGNATOR_ISSUER_EXCEPTION = new IllegalArgumentException(
 "Missing Issuer that is required on AttributeDesignators by PDP configuration");
- private static final IllegalArgumentException UNSUPPORTED_ATTRIBUTE_SELECTOR_EXCEPTION = new IllegalArgumentException("Unsupported Expression type (optional XACML feature): AttributeSelector");
+ private static final IllegalArgumentException UNSUPPORTED_ATTRIBUTE_SELECTOR_EXCEPTION = new IllegalArgumentException("Unsupported Expression type (optional XACML feature): AttributeSelector. (Set xPathEnabled='true' in PDP configuration if you wish to enable this feature).");
 private static final IllegalArgumentException NULL_FUNCTION_REGISTRY_EXCEPTION = new IllegalArgumentException("Undefined function registry");
diff --git a/pdp-engine/src/main/resources/pdp.xsd b/pdp-engine/src/main/resources/pdp.xsd
index 682157f0..03c68667 100644
--- a/pdp-engine/src/main/resources/pdp.xsd
+++ b/pdp-engine/src/main/resources/pdp.xsd
@@ -142,7 +142,7 @@
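Review bot: The new message hard-codes the configuration attribute name `xPathEnabled`, and the pdp.xsd hunk that follows appears to change only documentation text to that name, so nothing ties this string to the schema and it will silently go stale if the attribute is renamed again. A short comment on the constant, `// keep in sync with the xPathEnabled attribute in pdp.xsd`, would make the coupling visible; the static shared instance also means the stack trace points at class initialisation rather than at the policy parse that rejects the AttributeSelector. Minor style: the sentence-ending period sits outside the closing parenthesis (`feature).`).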

If the configuration parameter - enableXPath + xPathEnabled is true, it is the responsibility of the Request preprocessor to parse XACML Request/Attributes/Content diff --git a/pdp-testutils/src/main/resources/org.ow2.authzforce.core.pdp.testutil.ext.xsd b/pdp-testutils/src/main/resources/org.ow2.authzforce.core.pdp.testutil.ext.xsd index df988ab7..d86d18f2 100644 --- a/pdp-testutils/src/main/resources/org.ow2.authzforce.core.pdp.testutil.ext.xsd +++ b/pdp-testutils/src/main/resources/org.ow2.authzforce.core.pdp.testutil.ext.xsd @@ -1,5 +1,5 @@ - + diff --git a/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl b/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl index 10a6a948..e2ec4adb 100644 --- a/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl +++ b/pdp-testutils/src/test/resources.json/xacml-request-xml-to-json.xsl @@ -1,6 +1,6 @@ - + + + + + + + + + + + ${PARENT_DIR}/policies/*.xml + + diff --git a/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml b/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml new file mode 100644 index 00000000..d723b511 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml @@ -0,0 +1,76 @@ + + + + + Purpose: Test XPath expressions using XACML VariableReferences as XPath variables (non-standard feature). + + + http://www.w3.org/TR/2007/REC-xpath20-20070123 + + + + + + + + + + + + + + + + + + ACME + + + + ACME + + + + READ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/pdp-testutils/src/test/resources/custom/XPath2.0/request.xml b/pdp-testutils/src/test/resources/custom/XPath2.0/request.xml new file mode 100644 index 00000000..58356a60 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XPath2.0/request.xml @@ -0,0 +1,56 @@ + + + + + + + ACME + + PUBLIC + CONFIDENTIAL + INTERNAL + + + + + + + + + + ACME + INTERNAL + + + + alan.ross@reach.nato.int + 2017-03-14T09:00:00 + + + + + + READ + + + + 
diff --git a/pdp-testutils/src/test/resources/custom/XPath2.0/response.xml b/pdp-testutils/src/test/resources/custom/XPath2.0/response.xml new file mode 100644 index 00000000..614a3336 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XPath2.0/response.xml @@ -0,0 +1,12 @@ + + + + Permit + + + 3 + 3 + + + + diff --git a/pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/pdp.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/pdp.xml similarity index 100% rename from pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/pdp.xml rename to pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/pdp.xml diff --git a/pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/policies/policy.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/policies/policy.xml similarity index 100% rename from pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/policies/policy.xml rename to pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/policies/policy.xml diff --git a/pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/request.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/request.xml similarity index 100% rename from pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/request.xml rename to pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/request.xml diff --git a/pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/response.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/response.xml similarity index 100% rename from pdp-testutils/src/test/resources/custom/XacmlVarBasedAttributeProvider/response.xml rename to pdp-testutils/src/test/resources/custom/XacmlVariableBasedAttributeProvider/response.xml 
diff --git a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/pdp.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/pdp.xml new file mode 100644 index 00000000..20966d66 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/pdp.xml @@ -0,0 +1,9 @@ + + + + + ${PARENT_DIR}/policies/*.xml + + diff --git a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml new file mode 100644 index 00000000..bc894ec6 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml @@ -0,0 +1,88 @@ + + + + + Purpose: Test XPath expressions using XACML VariableReferences as XPath variables (non-standard feature). + + + http://www.w3.org/TR/2007/REC-xpath20-20070123 + + + + + + + + + + + + + + + + + + + + + + + + ACME + + + + ACME + + + + READ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/request.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/request.xml new file mode 100644 index 00000000..58356a60 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/request.xml @@ -0,0 +1,56 @@ + + + + + + + ACME + + PUBLIC + CONFIDENTIAL + INTERNAL + + + + + + + + + + ACME + INTERNAL + + + + alan.ross@reach.nato.int + 2017-03-14T09:00:00 + + + + + + READ + + + + diff --git a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/response.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/response.xml new file mode 100644 index 00000000..614a3336 --- /dev/null +++ b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/response.xml @@ -0,0 +1,12 @@ + + + + Permit + + + 3 + 3 + + + + 
diff --git a/pom.xml b/pom.xml index 4aa68b9d..8920cc52 100644 --- a/pom.xml +++ b/pom.xml @@ -33,7 +33,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-api - 20.0.0 + 21.1.0 From 629cb21dd85abbd53c9e1365300fc168b15de47f Mon Sep 17 00:00:00 2001 From: cdanger Date: Mon, 7 Mar 2022 23:41:41 +0100 Subject: [PATCH 10/14] - Added SPIF-to-XACML conversion stylesheets: - `spif2xacml-for-xpath-1.0.xsl`: SPIF-to-XACML policy transformation XSLT using XPath 1.0, more verbose and less efficient than the XPath 2.0 version below. - `spif2xacml-for-xpath-2.0.xsl`: SPIF-to-XACML policy transformation XSLT using XPath 2.0 features (not available in 1.0), with the option to enable AuthzForce optimizations (XSLT parameter `authzforce_optimized`) for further enhancements. - Used generated policies from sample ACME SPIF with above stylesheets to custom pdp tests XPath2.0 and XacmlVariablesAsXPathVariables. --- MIGRATION.md | 2 +- README.md | 20 + .../pdp/impl/expression/ApplyExpressions.java | 4 +- .../custom/XPath2.0/policies/policy.xml | 197 +++- .../policies/policy.xml | 216 ++-- spif-utils/ACME-SPIF-example.xml | 137 +++ .../NATO-SPIF-example.xml | 0 spif-utils/spif.xsd | 980 ++++++++++++++++++ .../spif2xacml-for-xpath-1.0.xsl | 7 +- spif-utils/spif2xacml-for-xpath-2.0.xsl | 259 +++++ spif-utils/xml.xsd | 146 +++ 11 files changed, 1850 insertions(+), 118 deletions(-) create mode 100644 spif-utils/ACME-SPIF-example.xml rename migration/spif-nato-example.xml => spif-utils/NATO-SPIF-example.xml (100%) create mode 100644 spif-utils/spif.xsd rename migration/spif2xacml.xsl => spif-utils/spif2xacml-for-xpath-1.0.xsl (96%) create mode 100644 spif-utils/spif2xacml-for-xpath-2.0.xsl create mode 100644 spif-utils/xml.xsd diff --git a/MIGRATION.md b/MIGRATION.md index 0876e0b6..30f4bb10 100644 --- a/MIGRATION.md +++ b/MIGRATION.md 
@@ -3,7 +3,7 @@ ```shell $ PDP_XML_FILE="pdp.xml" $ mv $PDP_XML_FILE{,.old} -$ java -jar ~/.m2/repository/net/sf/saxon/Saxon-HE/10.3/Saxon-HE-10.3.jar -xsl:migration/pdp-xsd-v7.xsl -s:$PDP_XML_FILE.old -o:$PDP_XML_FILE +$ java -jar Saxon-HE-10.3.jar -xsl:migration/pdp-xsd-v7.xsl -s:$PDP_XML_FILE.old -o:$PDP_XML_FILE ``` ## Migration from version 16.x to 17.x diff --git a/README.md b/README.md index cecf2512..c9d5c96b 100644 --- a/README.md +++ b/README.md 
@@ -270,6 +270,26 @@ If you are using the Java API with extensions configured by XML (Policy Provider 1. *extensionXsdLocation*: location of the PDP extensions schema file: contains imports of namespaces corresponding to XML schemas of all XML-schema-defined PDP extensions to be used in the configuration file. Used for validation of PDP extensions configuration. The actual schema locations are resolved by the XML catalog parameter. You may use the [pdp-ext.xsd](pdp-testutils/src/test/resources/pdp-ext.xsd) in the sources as an example. +## Integration with other Security Policy models, languages, formats, etc. +### SPIF (Security Policy Information File) +A SPIF (Security Policy Information File) defines a security labeling policy in a XML document (based on the [SPIF XML schema](spif-utils/spif.xsd)). More info on the [Open XML SPIF website](http://www.xmlspif.org/). + +[NATO ADatP-4774.1](https://nso.nato.int/nso/nsdd/main/standards/srd-details/222/EN) - related to [STANAG 4774](https://nso.nato.int/nso/nsdd/main/standards/stanag-details/8612/EN) - gives implementation guidance on how to generate a XACML policy from a SPIF, including an example of XSLT stylesheet. Considering the latest XACML 3.0 enhancements, AuthzForce optimizations and our aim to differentiate a READ from a WRITE action in accordance to the Bell-Lapadula model, we made a few improvements to the stylesheet and made it available in the [spif-utils](spif-utils) folder in two versions: + +- `spif2xacml-for-xpath-1.0.xsl`: SPIF-to-XACML policy transformation XSLT using XPath 1.0, more verbose and less efficient than the XPath 2.0 version below, available mostly for historical reasons (no longer maintained except bug fixing). +- `spif2xacml-for-xpath-2.0.xsl`: SPIF-to-XACML policy transformation XSLT using XPath 2.0 features (not available in 1.0), with the option to enable AuthzForce optimizations (XSLT parameter `authzforce_optimized`) for further enhancements. 
Disable this option if you want strict XACML 3.0 compliance (less optimized). + +For example, you may generate the XACML policy from the sample [ACME SPIF](spif-utils/ACME-SPIF-example.xml) (from ADatP-4774.1) using XSLT engine of [SAXON-HE 9.x or later](https://www.saxonica.com/download/java.xml) on the command line as follows + +```shell +$ java -jar Saxon-HE-10.3.jar -xsl:spif-utils/spif2xacml-for-xpath-2.0.xsl -s:spif-utils/ACME-SPIF-example.xml -o:/tmp/ACME-XACML-policy.xml +``` + +Same example but without AuthzForce optimizations: +```shell +$ java -jar Saxon-HE-10.3.jar authzforce_optimized=false -xsl:spif-utils/spif2xacml-for-xpath-2.0.xsl -s:spif-utils/ACME-SPIF-example.xml -o:/tmp/ACME-XACML-policy.xml +``` + ## Support You should use [AuthzForce users' mailing list](https://mail.ow2.org/wws/info/authzforce-users) as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc. diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/ApplyExpressions.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/ApplyExpressions.java index 1fa2b2dc..1fcb1507 100644 --- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/ApplyExpressions.java +++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/ApplyExpressions.java @@ -173,7 +173,7 @@ public static Expression newInstance(final ApplyType xacmlApply, final Expres { final Optional subFunc = ((FunctionExpression) xpr0).getValue(); assert subFunc.isPresent(); - final Datatype subFuncReturnType = subFunc.get().getReturnType(); + final Datatype subFuncReturnType = subFunc.get().getReturnType(); if (subFuncReturnType.getTypeParameter().isPresent() || subFuncReturnType == StandardDatatypes.FUNCTION) { throw new IllegalArgumentException("Error parsing Apply[description=" + applyDesc + "]: Invalid return type (" + subFuncReturnType 
@@ -183,7 +183,7 @@ public static Expression newInstance(final ApplyType xacmlApply, final Expres /* * FIXME: is there a cleaner way to cast? */ - subFuncPrimReturnType = subFuncReturnType; + subFuncPrimReturnType = (Datatype) subFuncReturnType; } else { subFuncPrimReturnType = null; diff --git a/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml b/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml index d723b511..197f6cec 100644 --- a/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml +++ b/pdp-testutils/src/test/resources/custom/XPath2.0/policies/policy.xml @@ -1,34 +1,23 @@ - - - - Purpose: Test XPath expressions using XACML VariableReferences as XPath variables (non-standard feature). - - + + Generated from SPIF: ACME v1. See also NATO ADatP-4774.1 Implementation Guidance. + http://www.w3.org/TR/2007/REC-xpath20-20070123 - - - - - - - - - - - - - + + + + + Both PolicyIdentifiers from confidentiality clearance (subject) and label (resource) must match the SPIF's. + Then match the categories against each other (hierarchical ones aka classifications, and non-hierarchical ones). + 
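Review bot: The cast added on the `+` line, `subFuncPrimReturnType = (Datatype) subFuncReturnType;`, is only sound because the `@@ -173` hunk above throws when `subFuncReturnType.getTypeParameter().isPresent()` or the type equals `StandardDatatypes.FUNCTION`; the rendering has dropped the generic type arguments, so the exact target type cannot be read here, but the surrounding `FIXME` suggests an unchecked cast. A comment linking the two would stop a later edit from reordering or loosening the guard, e.g. `// unchecked cast is safe here: getTypeParameter() was verified empty above`. The enclosing `newInstance` method starts and ends outside the hunk.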
@@ -46,31 +35,135 @@ but dealing with classifications only for this test (other categories ignored). DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> - - READ - - - - - - + + + + + + + + - - - - - - - - - - - - - + + + Bell-Lapadula: allow READ if and only if subject level ≥ object (resource) level + + + + + READ + + + + + + + + + + + + + + Bell-Lapadula: allow WRITE if and only if subject level ≤ object (resource) level + + + + + WRITE + + + + + + + + + + + + + + Match other (non-hierarchical) categories: + for each category Cn, + (resource has no C1 value OR subject/resource C1 values match) AND (resource has no C2 value OR subject/resource C2 values match) AND ... + + The 'has no value' is translated to: the AttributeSelector returns an empty bag (size 0). + The 'match' function depends on whether the category is permissive (at least one value must match, i.e. 'at-least-one-member-of' function) or restrictive (all must match, i.e. 'subset' function). + + + + + + + + + 0 + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + + + + diff --git a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml index bc894ec6..66a76fb7 100644 --- a/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml +++ b/pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable/policies/policy.xml 
@@ -3,44 +3,22 @@ retrievable from https://nso.nato.int/nso/nsdd/main/standards/stanag-details/8612/EN, but dealing with classifications only for this test (other categories ignored). --> - - - Purpose: Test XPath expressions using XACML VariableReferences as XPath variables (non-standard feature). - - + + Generated from SPIF: ACME v1. See also NATO ADatP-4774.1 Implementation Guidance. + http://www.w3.org/TR/2007/REC-xpath20-20070123 - - - - - - - - - - - - - - - - - - - + + + + + Both PolicyIdentifiers from confidentiality clearance (subject) and label (resource) must match the SPIF's. + Then match the categories against each other (hierarchical ones aka classifications, and non-hierarchical ones). + @@ -58,31 +36,147 @@ but dealing with classifications only for this test (other categories ignored). DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> - - READ - - - - - - + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + Bell-Lapadula: allow READ if and only if subject level ≥ object (resource) level + + + + + READ + + + + + + + + + + + + + + Bell-Lapadula: allow WRITE if and only if subject level ≤ object (resource) level + + + + + WRITE + + + + + + + + + + + + + + Match other (non-hierarchical) categories: + for each category Cn, + (resource has no C1 value OR subject/resource C1 values match) AND (resource has no C2 value OR subject/resource C2 values match) AND ... + + The 'has no value' is translated to: the AttributeSelector returns an empty bag (size 0). + The 'match' function depends on whether the category is permissive (at least one value must match, i.e. 'at-least-one-member-of' function) or restrictive (all must match, i.e. 'subset' function). + + + + + + + + + 0 + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + + + + diff --git a/spif-utils/ACME-SPIF-example.xml b/spif-utils/ACME-SPIF-example.xml new file mode 100644 index 00000000..169e7aef --- /dev/null +++ b/spif-utils/ACME-SPIF-example.xml 
@@ -0,0 +1,137 @@ + + + + + + + documentStart + + + + + + documentStart + + + + + + + + + + + documentStart + + + + + + + + + + documentStart + + + documentStart + + PUBLIC + INTERNAL + + + + + documentStart + + + documentStart + + PUBLIC + INTERNAL + + + + + + + + + + + + PUBLIC + CONFIDENTIAL + + + PUBLIC + CONFIDENTIAL + + + PUBLIC + CONFIDENTIAL + + + PUBLIC + CONFIDENTIAL + + + + + + + + + + + documentStart + + + documentStart + + PUBLIC + CONFIDENTIAL + + + + documentStart + + + documentStart + + PUBLIC + CONFIDENTIAL + + + + + + + + + + + diff --git a/migration/spif-nato-example.xml b/spif-utils/NATO-SPIF-example.xml similarity index 100% rename from migration/spif-nato-example.xml rename to spif-utils/NATO-SPIF-example.xml diff --git a/spif-utils/spif.xsd b/spif-utils/spif.xsd new file mode 100644 index 00000000..849c4f8b --- /dev/null +++ b/spif-utils/spif.xsd @@ -0,0 +1,980 @@ + + + + + + + +

+

About the SPIF namespace

+ +
+

+ This schema document describes the Security Policy Information File (SPIF) namespace, in a form + suitable for import by other schema documents. +

+

A SPIF describes a security labelling policy including:

+
    +
  • Policy - its name and other unique identifers
  • +
  • Classifications - the valid classifications within the policy and their associated values for use within a security label and to support the access control decision function
  • +
  • Security Categories - the valid categories with the policy and their associated values for use within a security label and to support the access control decision function
  • +
  • Relationships - the relationships (e.g. required, excluded) between categories and classification and other categories
  • +
  • Equivalency - the equivalent values of classifications and categories in another policy
  • +
  • Marking - instructions how to generate a marking from classification and category values
  • +
  • Input - directions for how the user may enter free-form category values
  • +
+

A SPIF can be used to promote the consistent use of security labels and marking and may be used, for example, to

+
    +
  • generate a semantically valid security label
  • +
  • generate a semantically valid clearance
  • +
  • verify the validity of a security label
  • +
  • generate an corresponding marking
  • +
  • generate a equivalent security label in an alternate policy
  • +
+

+ See http://www.xmlspif.org for further information. +

+
+
+ + + + + + + + + +
+

The version of the schema:

+
    +
  • 1.0 - the original schema derived from SDN.801
  • +
  • + 2.0 - updated to support for: +
      +
    • Validity period for the whole SPIF and individual category values
    • +
    • MarkingData and MarkingQualifier for privacyMark
    • +
    • MarkingData and MarkingQualifier for privacyMarks
    • +
    • MarkingData and MarkingQualifier for securityClassifications
    • +
    • Constrain the number of privacy mark values that can be selected
    • +
    • MarkingQualifier with tagCategory
    • +
    • Better contraints for the number of allowed tags from a tagset
    • +
    • DateFormat for Date category values
    • +
    • MarkingData and MarkingQualifier for an ObjectIDData
    • +
    • MarkingData and MarkingQualifier for a SPIF
    • +
    • Required categories for an equivalentPolicy
    • +
    • Required categories for an equivalentClassification
    • +
    • Equivalency between tag sets and allow required categories for a equivalentTagSet
    • +
    +
  • +
  • + 2.1 - small update for : +
      +
    • Additional markingCode for policy annotation.
    • +
    • Additional schema constraints
    • +
    +
  • +
+
+
+
+ + + + + +
+ + + + +
+

An Object IDentifier as a string, for example 1.3.26.1.

+

+ For further information see X.680 or www.oid-info.com +

+
+
+
+ + + + + +
+ + + + +
+

The Label and Certificate Value as an integer member type.

+
+
+
+ +
+ + + + + +
+

The Label and Certificate Value as an string member type.

+

Typically used for category values rather than classifications.

+
+
+
+
+ +
+ + + + + +
+

The Label and Certificate Value type, which is the union of the lacvInt and lacvString types.

+

This value is encoded within the classification and security categories in a security label or a security clearance (which may be held within a certificate).

+
+
+
+
+ +
+ + + + +
+

The selection integer member type, which allows the specification of the maximum number of selections to be made.

+
+
+
+ +
+ + + +
+

The selection string member type, which have specific values:

+
    +
  • unbounded - any number of selections can be made.
  • +
+
+
+
+ + + +
+ + + +
+

The selection type, which is the union of the selectionInt and selectionString types, allows the specification of the maximum number of category values that can be made.

+
+
+
+ +
+ + + +
+

The equivalencyAction type indicates the action to be performed on a category value when mapping a security label to an equivalent policy.

+

The values are:

+
    +
  • discard - it is acceptable that the original category value has no mapping. The tagSetId and lacv will not be used.
  • +
+
+
+
+ + + +
+ + + + + +
+

+ The operation type indicates how many of the categories within an optionalCategoryGroup are required. +

+

The values are:

+
    +
  • onlyOne - only one of the values identified within the optionalCategoryGroup are required.
  • +
  • onlyOne - one or more of the values identified within the optionalCategoryGroup are required.
  • +
  • all - all of the values identified within the optionalCategoryGroup are required.
  • +
+
+
+
+ + + + + +
+ + + + +
+

+ The format of a tagCategory value that can be entered by the user. +

+

The values are:

+
    +
  • string - an aribtrary string
  • +
  • integer - an unsigned integer
  • +
  • date - a date in the format defined by the dateFormat attribute.
  • +
+
+
+
+ + + + + +
+ + + + +
+

+ The hierarchy type represents the hierarchical value of a classification, as opposed to the value that will be placed into a security label or certificate (the lacv). +

+

+ The hierachy value is used to determine the dominance of classification values, for example, when making an access control decision. +

+
+
+
+ +
+ + + + +
+

Classification name - the name of a classification (limited to a maximum of 256 characters).

+

The classification name is the default marking phrase for the classification.

+

The classificaiton name is also used to identify any classifications that are excluded by a tagCategory.

+
+
+
+ + + +
+ + + + + +
+

Policy name - the name of a policy (limited to a maximum of 256 characters).

+

The policy name is also used to identify the policy for equivalent policies, classifications and categoryTags.

+
+
+
+ + + +
+ + + + +
+

Marking phrase - a string (limited to a maximum of 256 characters) that will be used in generation a marking from a security label.

+

Multiple marking phrases may be concatenated to generate the final marking, and different marking phrases may be used in different locations.

+
+
+
+ + + +
+ + + + +
+

Tag Set Name - the name (limited to a maximum of 256 characters) of a set of tags (or categories).

+
+
+
+ + + +
+ + + + +
+

Generalised Time - a string (limited to a maximum of 256 characters) that represents a time.

+

It may take one of three forms:

+
    +
  • Local time - `YYYYMMDDHH[MM[SS[.fff]]]', where the optional fff is accurate to three decimal places.
  • +
  • Universal time (UTC time, or Zulu time) - `YYYYMMDDHH[MM[SS[.fff]]]Z'.
  • +
  • Offset from Universal time. `YYYYMMDDHH[MM[SS[.fff]]]+-HHMM'
  • +
+

Note that these formats are not currently enforced within the type.

+
+
+
+ +
+ + + + +
+

Marking Code - the location to display a marking phrase.

+

The values are:

+
    +
  • pageTop - Display on top of the page or viewing area e.g. header.
  • +
  • pageBottom - Display on bottom of the page or viewing area e.g. footer.
  • +
  • pageTopBottom - Display on top and bottom of the page or viewing area e.g. header and footer.
  • +
  • documentStart - Display at the start of document e.g. cover page
  • +
  • documentEnd - Display at the end of document e.g. end page
  • +
  • noNameDisplay - Do not display of the classification or security category name; only display the marking phrase.
  • +
  • noMarkingDisplay - Do not display marking phrase on output; display marking phrase only during operator input
  • +
  • suppressClassName - Do not display of the classification name, but display security category.
  • +
  • firstLineOfText - Display on the first line of the body text e.g. the body text of an email message.
  • +
  • lastLineOfText - Display on the last line of the body text e.g. the body text of an email message.
  • +
  • subject - The subject of an email message.
  • +
  • xHeader - The header of an email message. The actual header name is held within the prefix qualifier.
  • +
  • portionMarking - Display on a portion of a document
  • +
  • inputTitle - Display a title, or label, on a GUI element. The title will be held within the prefix qualifier.
  • +
  • waterMark - Display as a watermark behind the main text of a document.
  • +
  • replacePolicy - Replace the policy marking phrase.
  • +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+

Tag Type - the type of tag category.

+

The values are:

+
    +
  • notApplicable - not applicable
  • +
  • restrictive - bit set of tag categories where all of the selected tag categories are required in the clearance.
  • +
  • enumerated - integer set of tag categories, with tag further refined by the enumType.
  • +
  • permissive - bit set of tag categories where at least one of the selected tag categories are required in the clearance
  • +
  • tagType7 - (or informative) tag categories that are not used for access control.
  • +
+
+
+
+ + + + + + + +
+ + + + +
+

Enum Type - the type of an enumerated tag category.

+

The values are:

+
    +
  • restrictive - tag categories where all of the selected tag categories are required in the clearance.
  • +
  • permissive - tag categories where at least one of the selected tag categories are required in the clearance
  • +
+
+
+
+ + + + +
+ + + + +
+

Tag7 Encoding - the type of tagType7 (informative) tagType.

+

The same value must be used for all tagType7 tag categories within a catgeory tag set.

+

The values are:

+
    +
  • bitSetAttributes - bit set values
  • +
  • securityAttributes - integer set value c.f. enumerated permissive or restrictive
  • +
+
+
+
+ + + + +
+ + + + +
+

Qualifier Code - indicates how a markingQualifier is to be applied

+

The values are:

+
    +
  • prefix - as a prefix to the values
  • +
  • suffix - as a suffix to the values
  • +
  • separator - as a separator between the values
  • +
+
+
+
+ + + + + +
+ + + + +
+

Use this value to indicate that the equivalency may be applied when considering the clearance of the recipient.

+

The values are:

+
    +
  • encrypt - by the originator (e.g. before sending an email to the recipient)
  • +
  • decrypt - by the recipient (e.g. before opening an email)
  • +
  • both - by both the originator (e.g. before sending an email to the recipient) and recipient (e.g. before opening an email)
  • +
+
+
+
+ + + + + +
+ + + + +
+

The color W3C member type, which allows the specification of a color using a standard W3C color name.

+
+
+
+ + + + + + + + + + + + + + + + + + +
+ + + + +
+

The color RGB member type, which allows the specification of a color using Red Green Blue (RGB) values.

+
+
+
+ + + +
+ + + + +
+

The color type, which is the union of the colorW3C and colorRGB types, allows the specification of a color.

+
+
+
+ +
+ + + + +
+

A group of attributes that determine the period in which the associated elementy is valid

+
+
+
+ + +
+ + + + + Categories associated with specific classification or category. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Consolidates all equivalent policies in the SPIF + + + + + + + + + + + + + + + + + + + + + + + + A privacy mark that may be used in the label. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

The markingData identifies the marking information attached to the data object

+

It consists of:

+
    +
  • phrase - the marking phrase
  • +
  • code - a sequence of marking codes which identifies where the marking phrase is physically applied.
  • +
+

If the markingPhrase is absent, then the markingCode applies to the SecurityClassification classificationName, TagCategories secCategoryName or SPIF securityPolicyId name, depending on which component includes the markingData.

+
+
+
+ + + + + +
+ + + + + Security Classification + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Format as defined in ISO 8601 + + + + + + + + + + + + + + + + + + +
+

The markingQualifier qualifies the markingData associated with a data object (e.g. it specifies a suffix or a prefix).

+

It consists of:

+
    +
  • qualifier - a qualifier (e.g. a suffix, prefix or separator)
  • +
  • markingCode - a code which identifies where the phrase is to be physically applied.
  • +
+
+
+
+ + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A set of vendor-specific extensions + + + + + + + + + + +
+

The complete Security Policy Information.

+

It contains:

+
    +
  • defaultSecurityPolicyId - identifies the security policy which will apply if data is received without a security label
  • +
  • securityPolicyId - identifies the security policy to which the SPIF applies
  • +
  • updateInfo - not currently used
  • +
  • securityClassifications - the set of security classifications defined within the policy, together with their equivalency mappings
  • +
  • securityCategoryTagSets - the set of security category tags defined within the policy, together with their equivalency mappings
  • +
  • privacyMarks - the set of privacy marks defined within the policy, together with their equivalency mappings
  • +
  • equivalentPolicies - consolidated list of all equivalent policies used within the SPIF
  • +
  • markingData
  • +
  • markingQualifer
  • +
  • extensions - provides a mechanism to include additional capabilities as future requirements are identified.
  • +
  • schemaVersion - the version of the schema being used
  • +
  • version - the version of the SPIF. Changes to the SPIF will generally update the version.
  • +
  • creationDate - the date the SPIF was created/updated
  • +
  • originatorDN - the distinguished name (DN) of creator of the SPIF, using an LDAP encoding as defined in RFC 4514.
  • +
  • keyIdentifier identifies the key used to sign the SPIF.
  • +
  • privilegeId - identifies the syntax that is included in the clearance attribute security category of relying certificates
  • +
  • rbacId - identifies the syntax of the security category that is used in conjunction with the SPIF
  • +
  • userRefURI - a reference to a document that provides further information on the use of the values defined within the SPIF.
  • +
  • docRefURI - a reference to a document that provides information on the values defined within the SPIF.
  • +
  • validity - the validaty of the SPIF (e.g. it may only be used for a specific exercise)
  • +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ diff --git a/migration/spif2xacml.xsl b/spif-utils/spif2xacml-for-xpath-1.0.xsl similarity index 96% rename from migration/spif2xacml.xsl rename to spif-utils/spif2xacml-for-xpath-1.0.xsl index e7ea13ed..8e81666f 100644 --- a/migration/spif2xacml.xsl +++ b/spif-utils/spif2xacml-for-xpath-1.0.xsl @@ -125,7 +125,9 @@ limitations under the License. - + + + @@ -137,7 +139,7 @@ limitations under the License. - urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of + urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of urn:oasis:names:tc:xacml:1.0:function:string-subset @@ -146,6 +148,7 @@ limitations under the License. + diff --git a/spif-utils/spif2xacml-for-xpath-2.0.xsl b/spif-utils/spif2xacml-for-xpath-2.0.xsl new file mode 100644 index 00000000..d29cbca2 --- /dev/null +++ b/spif-utils/spif2xacml-for-xpath-2.0.xsl 
@@ -0,0 +1,259 @@ + + + + + + + + + + + + + true + + + + + + Generated from SPIF: v. See also NATO ADatP-4774.1 Implementation Guidance. + + + http://www.w3.org/TR/2007/REC-xpath20-20070123 + + + + + + Both PolicyIdentifiers from confidentiality clearance (subject) and label (resource) must match the SPIF's. + Then match the categories against each other (hierarchical ones aka classifications, and non-hierarchical ones). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + $resource_classif_name + + + //*:Classification + + + + + + + + + + if ( + + = ' + ') then + + else + + 0 + + + + + + + + + $subject_classif_name + + + //*:Classification + + + + + + + + + + if ( + + = ' + ') then + + else + + 0 + + + + + + + Bell-Lapadula: allow READ if and only if subject level ≥ object (resource) level + + + + + READ + + + + + + + + + + + + + + + Bell-Lapadula: allow WRITE if and only if subject level ≤ object (resource) level + + + + + WRITE + + + + + + + + + + + + + + + Match other (non-hierarchical) categories: + for each category Cn, + (resource has no C1 value OR subject/resource C1 values match) AND (resource has no C2 value OR subject/resource C2 values match) AND ... + + The 'has no value' is translated to: the AttributeSelector returns an empty bag (size 0). + The 'match' function depends on whether the category is permissive (at least one value must match, i.e. 'at-least-one-member-of' function) or restrictive (all must match, i.e. 'subset' function). + + + + + + + + + + + + + + + 0 + + + + + urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of + + urn:oasis:names:tc:xacml:1.0:function:string-subset + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/spif-utils/xml.xsd b/spif-utils/xml.xsd new file mode 100644 index 00000000..da5cd713 --- /dev/null +++ b/spif-utils/xml.xsd 
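Review bot: The classification-to-level mapping in the new stylesheet falls back to `0` when a label's Classification name is not one of the SPIF's values (the `if (... = '...') then ... else 0` chain built around `//*:Classification`), so a resource carrying an unrecognized classification appears to receive the lowest level and becomes readable by any cleared subject under the Bell-LaPadula READ rule, and the same default makes the WRITE (≤) rule pass for an unknown subject clearance. Consider making the generated policy fail closed in that case, e.g. by adding a condition that the selected classification name is a member of the SPIF-defined set before the level comparison, and stating the chosen behaviour in the stylesheet's header comment next to the existing note that an absent category is translated to an empty bag. The markup of this hunk is stripped in this rendering, so this reading is inferred from the surviving text and should be checked against the file; the renamed spif2xacml-for-xpath-1.0.xsl (96% similar, previous hunks) is likely to share the same fallback.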
@@ -0,0 +1,146 @@ + + + + + + See http://www.w3.org/XML/1998/namespace.html and + http://www.w3.org/TR/REC-xml for information about this namespace. + + This schema document describes the XML namespace, in a form + suitable for import by other schema documents. + + Note that local names in this namespace are intended to be defined + only by the World Wide Web Consortium or its subgroups. The + following names are currently defined in this namespace and should + not be used with conflicting semantics by any Working Group, + specification, or document instance: + + base (as an attribute name): denotes an attribute whose value + provides a URI to be used as the base for interpreting any + relative URIs in the scope of the element on which it + appears; its value is inherited. This name is reserved + by virtue of its definition in the XML Base specification. + + id (as an attribute name): denotes an attribute whose value + should be interpreted as if declared to be of type ID. + The xml:id specification is not yet a W3C Recommendation, + but this attribute is included here to facilitate experimentation + with the mechanisms it proposes. Note that it is _not_ included + in the specialAttrs attribute group. + + lang (as an attribute name): denotes an attribute whose value + is a language code for the natural language of the content of + any element; its value is inherited. This name is reserved + by virtue of its definition in the XML specification. + + space (as an attribute name): denotes an attribute whose + value is a keyword indicating what whitespace processing + discipline is intended for the content of the element; its + value is inherited. This name is reserved by virtue of its + definition in the XML specification. + + Father (in any context at all): denotes Jon Bosak, the chair of + the original XML Working Group. 
This name is reserved by + the following decision of the W3C XML Plenary and + XML Coordination groups: + + In appreciation for his vision, leadership and dedication + the W3C XML Plenary on this 10th day of February, 2000 + reserves for Jon Bosak in perpetuity the XML name + xml:Father + + + + + This schema defines attributes and an attribute group + suitable for use by + schemas wishing to allow xml:base, xml:lang, xml:space or xml:id + attributes on elements they define. + + To enable this, such a schema must import this schema + for the XML namespace, e.g. as follows: + <schema . . .> + . . . + <import namespace="http://www.w3.org/XML/1998/namespace" + schemaLocation="http://www.w3.org/2001/xml.xsd"/> + + Subsequently, qualified reference to any of the attributes + or the group defined below will have the desired effect, e.g. + + <type . . .> + . . . + <attributeGroup ref="xml:specialAttrs"/> + + will define a type which will schema-validate an instance + element with any of those attributes + + + + In keeping with the XML Schema WG's standard versioning + policy, this schema document will persist at + http://www.w3.org/2005/08/xml.xsd. + At the date of issue it can also be found at + http://www.w3.org/2001/xml.xsd. + The schema document at that URI may however change in the future, + in order to remain compatible with the latest version of XML Schema + itself, or with the XML namespace itself. In other words, if the XML + Schema or XML namespaces change, the version of this document at + http://www.w3.org/2001/xml.xsd will change + accordingly; the version at + http://www.w3.org/2005/08/xml.xsd will not change. + + + + + + Attempting to install the relevant ISO 2- and 3-letter + codes as the enumerated possible values is probably never + going to be a realistic possibility. See + RFC 3066 at http://www.ietf.org/rfc/rfc3066.txt and the IANA registry + at http://www.iana.org/assignments/lang-tag-apps.htm for + further information. 
+ + The union allows for the 'un-declaration' of xml:lang with + the empty string. + + + + + + + + + + + + + + + + + + + + + + + + See http://www.w3.org/TR/xmlbase/ for + information about this attribute. + + + + + + See http://www.w3.org/TR/xml-id/ for + information about this attribute. + + + + + + + + + + From 44bb76684546c6a9517276d82fb1a3d063e97521 Mon Sep 17 00:00:00 2001 From: cdanger Date: Wed, 9 Mar 2022 00:14:02 +0100 Subject: [PATCH 11/14] - Upgraded authzforce-ce-core-pdp-api to v21.1.1 - Fixed bug when having multiple XPath expressions (e.g. AttributeSelectors) with XPath variables in the same Policy (the list of declared variables on Saxon XPathCompiler is internally saved and not reinitialized after each call to `XPathCompiler#compile(String)` having side effects when reusing the same XPathCompiler instance). --- .../DepthLimitingExpressionFactory.java | 9 ++++++ .../pdp/impl/policy/PolicyEvaluators.java | 32 ++++--------------- pom.xml | 2 +- 3 files changed, 16 insertions(+), 27 deletions(-) diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java index 93f55925..57c1c475 100644 --- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java +++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/expression/DepthLimitingExpressionFactory.java @@ -213,6 +213,15 @@ private DynamicVariableReference(final String varId, final Expression varExpr XacmlStatusCode.PROCESSING_ERROR.value()); } + @Override + public String toString() + { + return "VariableReference{" + + "variableId='" + variableId + '\'' + + ", expression=" + expression + + '}'; + } + /** * {@inheritDoc} * 
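Review bot: The added toString() labels the object `"VariableReference{"` while the enclosing class is DynamicVariableReference, so a log line produced from it cannot be told apart from any sibling VariableReference implementation in the same factory; consider `return "DynamicVariableReference{" +` as the first concatenated segment. The rest of DynamicVariableReference lies outside this hunk, so whether a sibling class already uses the shorter label is not visible here.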
diff --git a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java index 5dea6a1a..d6c214a3 100644 --- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java +++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java @@ -64,9 +64,6 @@ public final class PolicyEvaluators private static final class ImmutableXPathCompiler extends BaseXPathCompilerProxy { - private static final UnsupportedOperationException UNSUPPORTED_EVALUATE_OPERATION_EXCEPTION = new UnsupportedOperationException("XPathCompiler#evaluate(String, XdmItem) not supported"); - private static final UnsupportedOperationException UNSUPPORTED_EVALUATE_SINGLE_OPERATION_EXCEPTION = new UnsupportedOperationException("XPathCompiler#evaluateSingle(String, XdmItem) not supported"); - private static final UnsupportedOperationException UNSUPPORTED_COMPILE_PATTERN_OPERATION_EXCEPTION = new UnsupportedOperationException("XPathCompiler#compilePattern(String) not supported"); private final ImmutableList> allowedXPathVariables; @@ -75,11 +72,6 @@ private ImmutableXPathCompiler(final XPathVersion xpathVersion, final Map xpathVarsIterator = xpathExec.iterateExternalVariables(); if(xpathVarsIterator.hasNext()) { if(this.allowedXPathVariables.isEmpty()) { @@ -121,23 +118,6 @@ XPath variable(s) found, we need to validate them against allowedXPathVariables return xpathExec; } - @Override - public XdmValue evaluate(String expression, XdmItem contextItem) - { - throw UNSUPPORTED_EVALUATE_OPERATION_EXCEPTION; - } - - @Override - public XdmItem evaluateSingle(String expression, XdmItem contextItem) - { - throw UNSUPPORTED_EVALUATE_SINGLE_OPERATION_EXCEPTION; - } - - @Override - public XPathExecutable compilePattern(String source) - { - throw UNSUPPORTED_COMPILE_PATTERN_OPERATION_EXCEPTION; - } } /** 
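Review bot: Removing the evaluate, evaluateSingle and compilePattern overrides (third hunk) means ImmutableXPathCompiler now inherits whatever BaseXPathCompilerProxy does for them; if the 21.1.1 base class delegates those calls to the wrapped Saxon compiler, they compile and run XPath without the allowedXPathVariables validation that compile() performs via `xpathExec.iterateExternalVariables()`, which is the only place the check is visible. Please confirm the base class either rejects these entry points or routes them through compile(), and record that in a class comment, e.g. `// evaluate*/compilePattern are inherited from BaseXPathCompilerProxy; they must not bypass the variable check in compile()`. The fix described in the commit message for declared variables persisting across compile() calls on a reused XPathCompiler is not readable in the second hunk as rendered, so a one-line comment at that site naming the Saxon behaviour it works around would help the next reader. The ImmutableXPathCompiler class continues outside these hunks.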
diff --git a/pom.xml b/pom.xml index 8920cc52..197e1af1 100644 --- a/pom.xml +++ b/pom.xml @@ -33,7 +33,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-api - 21.1.0 + 21.1.1 From 6232e65956c01d872eb0dbfd9a78474402071df4 Mon Sep 17 00:00:00 2001 From: cdanger Date: Wed, 9 Mar 2022 01:02:40 +0100 Subject: [PATCH 12/14] updating poms for 20.0.0 branch with snapshot versions --- pdp-cli/pom.xml | 8 ++++---- pdp-engine/pom.xml | 2 +- pdp-io-xacml-json/pom.xml | 2 +- pdp-testutils/pom.xml | 6 +++--- pom.xml | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pdp-cli/pom.xml b/pdp-cli/pom.xml index a8ca1315..2932a44b 100644 --- a/pdp-cli/pom.xml +++ b/pdp-cli/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-cli @@ -30,12 +30,12 @@ org.ow2.authzforce authzforce-ce-core-pdp-engine - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT org.testng @@ -49,7 +49,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-testutils - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT test diff --git a/pdp-engine/pom.xml b/pdp-engine/pom.xml index 12b1455e..c6e6b9b4 100644 --- a/pdp-engine/pom.xml +++ b/pdp-engine/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-engine diff --git a/pdp-io-xacml-json/pom.xml b/pdp-io-xacml-json/pom.xml index 3cb8c5f0..447470ec 100644 --- a/pdp-io-xacml-json/pom.xml +++ b/pdp-io-xacml-json/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-io-xacml-json diff --git a/pdp-testutils/pom.xml b/pdp-testutils/pom.xml index c6bdcffc..8a5d2aa7 100644 --- a/pdp-testutils/pom.xml +++ b/pdp-testutils/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT ../pom.xml authzforce-ce-core-pdp-testutils 
@@ -23,12 +23,12 @@ ${project.groupId} ${artifactId.prefix}-core-pdp-engine - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT compile diff --git a/pom.xml b/pom.xml index 197e1af1..edcea70d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 8.2.0 authzforce-ce-core - 19.0.1-SNAPSHOT + 20.0.0-SNAPSHOT pom ${project.groupId}:${project.artifactId} AuthzForce - XACML-compliant Core PDP Engine and associated test modules From 6cdef2203c0a4e00b04fe45b84897341ca8dc6c2 Mon Sep 17 00:00:00 2001 From: cdanger Date: Wed, 9 Mar 2022 01:39:35 +0100 Subject: [PATCH 13/14] Prepared changelog for next release --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26199330..d9f34806 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,20 @@ All notable changes to this project are documented in this file following the [K - Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number. +## 20.0.0 +### Added +- New feature: XPath variables in AttributeSelectors' and `xPathExpression` `AttributeValues`s' XPath expressions can now be defined by XACML VariableDefinitions (variable name used as XACML VariableId), which means XACML Variables can be used as XPath variables there. + +### Changed +- Upgraded dependency `authzforce-ce-core-pdp-api` to 21.1.1 + + - Changed Datatype extension interface (`AttributeValueFactory`) in support of the new feature above: + + - `getInstance(...)` `XPathCompiler` parameter replaced with `Optional`, where XPathCompilerProxy is a immutable version of `XPathCompiler` class with extra methods; the parameter is optional because XPath support may be disabled by PDP configuration or missing Policy(Set)Defaults/XPathVersion in XACML Policy(Set) + - `Datatype` interface: added `ItemType getXPathItemType()` method used to declare Variable types on Saxon XPath evaluator when compiling XPath expressions with variables + - `AttributeValue` must now implement `getXdmItem()` to return a XPath-compatible (XDM) value to be used as variables in XPath expressions, in order to support the new Feature mentioned above. + + ## 19.0.0 ### Changed - Parent project `authzforce-ce-parent` upgraded to 8.2.0: upgraded following dependencies: From ba32ad33eac469fd1670d92f9e0148f9d261c8ce Mon Sep 17 00:00:00 2001 From: cdanger Date: Wed, 9 Mar 2022 01:39:47 +0100 Subject: [PATCH 14/14] updating poms for branch'release/20.0.0' with non-snapshot versions --- pdp-cli/pom.xml | 8 ++++---- pdp-engine/pom.xml | 2 +- pdp-io-xacml-json/pom.xml | 2 +- pdp-testutils/pom.xml | 6 +++--- pom.xml | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/pdp-cli/pom.xml b/pdp-cli/pom.xml index 2932a44b..d5853edd 100644 --- a/pdp-cli/pom.xml +++ b/pdp-cli/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 20.0.0-SNAPSHOT + 20.0.0 ../pom.xml authzforce-ce-core-pdp-cli @@ -30,12 +30,12 @@ org.ow2.authzforce authzforce-ce-core-pdp-engine - 20.0.0-SNAPSHOT + 20.0.0 org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 20.0.0-SNAPSHOT + 20.0.0 org.testng @@ -49,7 +49,7 @@ org.ow2.authzforce authzforce-ce-core-pdp-testutils - 20.0.0-SNAPSHOT + 20.0.0 test diff --git a/pdp-engine/pom.xml b/pdp-engine/pom.xml index c6e6b9b4..6b96a2c4 100644 --- a/pdp-engine/pom.xml +++ b/pdp-engine/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 20.0.0-SNAPSHOT + 20.0.0 ../pom.xml authzforce-ce-core-pdp-engine diff --git a/pdp-io-xacml-json/pom.xml b/pdp-io-xacml-json/pom.xml index 447470ec..ba73c55e 100644 --- a/pdp-io-xacml-json/pom.xml +++ b/pdp-io-xacml-json/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 20.0.0-SNAPSHOT + 20.0.0 ../pom.xml authzforce-ce-core-pdp-io-xacml-json diff --git a/pdp-testutils/pom.xml b/pdp-testutils/pom.xml index 8a5d2aa7..02a49cab 100644 --- a/pdp-testutils/pom.xml +++ b/pdp-testutils/pom.xml @@ -3,7 +3,7 @@ org.ow2.authzforce authzforce-ce-core - 20.0.0-SNAPSHOT + 20.0.0 ../pom.xml authzforce-ce-core-pdp-testutils @@ -23,12 +23,12 @@ ${project.groupId} ${artifactId.prefix}-core-pdp-engine - 20.0.0-SNAPSHOT + 20.0.0 org.ow2.authzforce authzforce-ce-core-pdp-io-xacml-json - 20.0.0-SNAPSHOT + 20.0.0 compile diff --git a/pom.xml b/pom.xml index edcea70d..2e416e5d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ 8.2.0 authzforce-ce-core - 20.0.0-SNAPSHOT + 20.0.0 pom ${project.groupId}:${project.artifactId} AuthzForce - XACML-compliant Core PDP Engine and associated test modules