policy4j / xacml4j

Implementation of OASIS XACML 2.0 & 3.0 specification in Java programming language

License: GNU Lesser General Public License v3.0

Java 95.34% HTML 4.66%
abac access-control policy-as-code policy-enforcement-point policy-engine xacml xacml-policies xacml-standard

xacml4j's People

Contributors

dependabot[bot], ilyaai, rolisv, trumpyla, valdas-s, vvaldas

xacml4j's Issues

Xacml30PolicyMarshaller fails with "unable to marshal type "java.lang.Long" as an element because it is missing an @XmlRootElement annotation"

Steps to reproduce overview:

  1. Using builders construct policy containing
  2. Serialize this policy to xml with Xacml30PolicyMarshaller
  3. Marshaller fails

Reproducing test:

import org.junit.Test;
import org.xacml4j.v30.Effect;
import org.xacml4j.v30.marshal.jaxb.Xacml30PolicyMarshaller;
import org.xacml4j.v30.pdp.Apply;
import org.xacml4j.v30.pdp.Policy;
import org.xacml4j.v30.pdp.Rule;
import org.xacml4j.v30.policy.combine.DenyOverridesRuleCombiningAlgorithm;
import org.xacml4j.v30.spi.function.FunctionProvider;
import org.xacml4j.v30.spi.function.FunctionProviderBuilder;
import org.xacml4j.v30.types.IntegerExp;
import org.xacml4j.v30.types.StringExp;

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.IsNull.notNullValue;

public class MarshalAttributeValueTest {
    private final static FunctionProvider Funcs = FunctionProviderBuilder.builder()
        .defaultFunctions()
        .build();

    //
    // This test fails with error "unable to marshal type "java.lang.Long" as an element because it is missing an @XmlRootElement annotation"
    //
    @Test
    public void marshalIntegerAttributeValue() throws IOException {
        // arrange
        Rule rule = Rule.builder("rule", Effect.DENY)
            .condition(
                Apply.builder(Funcs.getFunction("urn:oasis:names:tc:xacml:1.0:function:integer-equal"))
                    .param(IntegerExp.of(0))
                    .param(IntegerExp.of(1))
                    .build()
            )
            .build();

        Policy policy = Policy.builder("policy")
            .combiningAlgorithm(new DenyOverridesRuleCombiningAlgorithm())
            .rule(rule)
            .build();

        // act
        Writer writer = new StringWriter();
        new Xacml30PolicyMarshaller().marshal(policy, writer);
        String xml = writer.toString();

        // assert
        assertThat(xml, notNullValue());
    }

    //
    // ...but this one is ok.
    //
    @Test
    public void marshalStringAttributeValue() throws IOException {
        // arrange
        Rule rule = Rule.builder("rule", Effect.DENY)
            .condition(
                Apply.builder(Funcs.getFunction("urn:oasis:names:tc:xacml:1.0:function:string-equal"))
                    .param(StringExp.of("a"))
                    .param(StringExp.of("b"))
                    .build()
            )
            .build();

        Policy policy = Policy.builder("policy")
            .combiningAlgorithm(new DenyOverridesRuleCombiningAlgorithm())
            .rule(rule)
            .build();

        // act
        Writer writer = new StringWriter();
        new Xacml30PolicyMarshaller().marshal(policy, writer);
        String xml = writer.toString();

        // assert
        assertThat(xml, notNullValue());
    }
}

Unify exception handling

Review current exception handling and implement consistent handling either using XacmlException hierarchy or Java's runtime exceptions.

Delegated

I was testing the delegated policy rules with xacml4j, but I guess there is no testing done for those attributes and their values; also, MaxDelegationDepth="xs:integer" is not implemented.
Is there any workaround to achieve Delegation with xacml4j?
Here I have attached the potential Delegation Policy with 1 PolicySet and 4 Policies, along with the Request and Response.

I think reduction of the policies is still not performed in this solution.

v30-policy-delegation-test.zip

2016-07-31 09:41:48,458-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.BaseCompositeDecisionRule] Evaluating composite decision rule with id="Policy1"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pip.DefaultPolicyInformationPoint] Trying to resolve designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pip.DefaultPolicyInformationPoint] No matching resolver found for designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.DefaultEvaluationContextHandler] Resolved designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}" from PIP to value="null"
2016-07-31 09:41:48,462-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.RootEvaluationContext] Resolved designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}" to value="BagOfAttributeExp{DataType=http://www.w3.org/2001/XMLSchema#string, Values=[]}"

Marshalling to file results in com.sun.istack.internal.SAXException2

When I try to marshal a policy to a file, I get a SAXException2 (see below).

// read
InputStream policyIS;
PolicyUnmarshaller reader =
    new XacmlPolicyUnmarshaller( FunctionProviderBuilder.builder().defaultFunctions().build(),
        DecisionCombiningAlgorithmProviderBuilder.builder().withDefaultAlgorithms().create() );
CompositeDecisionRule compositeDecisionRule = reader.unmarshal( policyIS );

// write
PolicyMarshaller writer = new Xacml30PolicyMarshaller();
FileOutputStream policyOutstream = new FileOutputStream( new File( "policyout.xml" ) );
writer.marshal( compositeDecisionRule, policyOutstream ); // <=exception thrown here

Caused by: com.sun.istack.internal.SAXException2: Instance of "javax.xml.bind.JAXBElement" is substituting "java.lang.Object", but "javax.xml.bind.JAXBElement" is bound to an anonymous type.
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.reportError(XMLSerializer.java:237)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsXsiType(XMLSerializer.java:652)
at com.sun.xml.internal.bind.v2.runtime.property.ArrayElementProperty.serializeListBody(ArrayElementProperty.java:154)
at com.sun.xml.internal.bind.v2.runtime.property.ArrayERProperty.serializeBody(ArrayERProperty.java:144)
at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeBody(ClassBeanInfoImpl.java:343)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsXsiType(XMLSerializer.java:685)
at com.sun.xml.internal.bind.v2.runtime.property.SingleElementNodeProperty.serializeBody(SingleElementNodeProperty.java:143)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl$1.serializeBody(ElementBeanInfoImpl.java:145)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl$1.serializeBody(ElementBeanInfoImpl.java:115)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeBody(ElementBeanInfoImpl.java:317)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeRoot(ElementBeanInfoImpl.java:324)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeRoot(ElementBeanInfoImpl.java:60)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsRoot(XMLSerializer.java:483)
at com.sun.xml.internal.bind.v2.runtime.MarshallerImpl.write(MarshallerImpl.java:308)

Implement Obligation AttributeAssignment evaluation

Obligation AttributeAssignment values are not evaluated when using any attribute designator using XACML 2.0.

Example

<AttributeAssignment
        AttributeId="urn:oasis:names:tc:xacml:2.0:requester"
        DataType="http://www.w3.org/2001/XMLSchema#string">
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignment>

The above example will evaluate to an empty line when getting the obligation attribute value.

Policy XML parsing failure.

XacmlPolicyUnmarshallerTest#testPolicy3 and XacmlPolicyUnmarshallerTest#testFeatures001Policy test cases are failing under jdk1.8. Failure happens during policy XML parsing when variable references (e.g. ) are used.
Stack trace:
java.lang.IllegalStateException
at com.google.common.base.Preconditions.checkState(Preconditions.java:133)
at org.xacml4j.v30.marshal.jaxb.Xacml30PolicyFromJaxbToObjectModelMapper.parseExpression(Xacml30PolicyFromJaxbToObjectModelMapper.java:663)
at org.xacml4j.v30.marshal.jaxb.Xacml30PolicyFromJaxbToObjectModelMapper.createApply(Xacml30PolicyFromJaxbToObjectModelMapper.java:616)

and

java.lang.IllegalStateException
at com.google.common.base.Preconditions.checkState(Preconditions.java:133)
at org.xacml4j.v30.marshal.jaxb.Xacml20PolicyFromJaxbToObjectModelMapper.parseExpression(Xacml20PolicyFromJaxbToObjectModelMapper.java:408)
at org.xacml4j.v30.marshal.jaxb.Xacml20PolicyFromJaxbToObjectModelMapper.createApply(Xacml20PolicyFromJaxbToObjectModelMapper.java:655)

Refactor PolicyRepository abstraction

Policy repository needs to be split to the following components:

  1. In memory policy index with quick, no-lock query functionality
  2. PolicySource - a policy source can be immutable, for example policies from the class path, and mutable, for example policies stored in MongoDB or LDAP. Policy source should support some sort of pull or push to receive changes from the policy source.
