You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openaz.apache.org by pd...@apache.org on 2015/04/13 17:38:33 UTC
[33/51] [partial] incubator-openaz git commit: Initial seed of merged
of AT&T and JP Morgan code
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java
new file mode 100755
index 0000000..365c768
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderFactory.java
@@ -0,0 +1,224 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Properties;
+import java.util.UUID;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.att.research.xacml.std.IdentifierImpl;
+import com.att.research.xacml.std.StdStatusCode;
+import com.att.research.xacml.std.StdVersion;
+import com.att.research.xacml.std.dom.DOMStructureException;
+import com.att.research.xacml.util.FactoryException;
+import com.att.research.xacml.util.XACMLProperties;
+import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm;
+import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithmFactory;
+import com.att.research.xacmlatt.pdp.policy.Policy;
+import com.att.research.xacmlatt.pdp.policy.PolicyDef;
+import com.att.research.xacmlatt.pdp.policy.PolicyFinder;
+import com.att.research.xacmlatt.pdp.policy.PolicyFinderFactory;
+import com.att.research.xacmlatt.pdp.policy.PolicySet;
+import com.att.research.xacmlatt.pdp.policy.PolicySetChild;
+import com.att.research.xacmlatt.pdp.policy.Target;
+import com.att.research.xacmlatt.pdp.policy.dom.DOMPolicyDef;
+import com.att.research.xacmlatt.pdp.util.ATTPDPProperties;
+import com.google.common.base.Splitter;
+
+/**
+ * StdPolicyFinderFactory extends {@link com.att.research.xacmlatt.pdp.policy.PolicyFinderFactory} with the
+ * <code>getPolicyFinder</code> method to get a single instance of the {@link StdPolicyFinder}. The
+ * root {@link com.att.research.xacmlatt.pdp.policy.PolicyDef} is loaded from a file whose name is specified as a system property or
+ * in the $java.home/lib/xacml.properties property set.
+ *
+ * @author car
+ * @version $Revision: 1.3 $
+ */
+public class StdPolicyFinderFactory extends PolicyFinderFactory {
+ public static final String PROP_FILE = ".file";
+ public static final String PROP_URL = ".url";
+
+ private Log logger = LogFactory.getLog(this.getClass());
+ private List<PolicyDef> rootPolicies;
+ private List<PolicyDef> referencedPolicies;
+ private boolean needsInit = true;
+
+ /**
+ * Loads the <code>PolicyDef</code> for the given <code>String</code> identifier by looking first
+ * for a ".file" property associated with the ID and using that to load from a <code>File</code> and
+ * looking for a ".url" property associated with the ID and using that to load from a <code>URL</code>.
+ *
+ * @param policyId the <code>String</code> identifier for the policy
+ * @return a <code>PolicyDef</code> loaded from the given identifier
+ */
+ protected PolicyDef loadPolicyDef(String policyId, Properties properties) {
+ String propLocation = properties.getProperty(policyId + PROP_FILE);
+ if (propLocation != null) {
+ File fileLocation = new File(propLocation);
+ if (!fileLocation.exists()) {
+ this.logger.error("Policy file " + fileLocation.getAbsolutePath() + " does not exist.");
+ } else if (!fileLocation.canRead()) {
+ this.logger.error("Policy file " + fileLocation.getAbsolutePath() + " cannot be read.");
+ } else {
+ try {
+ this.logger.info("Loading policy file " + fileLocation);
+ PolicyDef policyDef = DOMPolicyDef.load(fileLocation);
+ if (policyDef != null) {
+ return policyDef;
+ }
+ } catch (DOMStructureException ex) {
+ this.logger.error("Error loading policy file " + fileLocation.getAbsolutePath() + ": " + ex.getMessage(), ex);
+ return new Policy(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, ex.getMessage());
+ }
+ }
+ }
+
+ if ((propLocation = properties.getProperty(policyId + PROP_URL)) != null) {
+ InputStream is = null;
+ try {
+ URL url = new URL(propLocation);
+ URLConnection urlConnection = url.openConnection();
+ this.logger.info("Loading policy file " + url.toString());
+ is = urlConnection.getInputStream();
+ PolicyDef policyDef = DOMPolicyDef.load(is);
+ if (policyDef != null) {
+ return policyDef;
+ }
+ } catch (MalformedURLException ex) {
+ this.logger.error("Invalid URL " + propLocation + ": " + ex.getMessage(), ex);
+ } catch (IOException ex) {
+ this.logger.error("IOException opening URL " + propLocation + ": " + ex.getMessage(), ex);
+ } catch (DOMStructureException ex) {
+ this.logger.error("Invalid Policy " + propLocation + ": " + ex.getMessage(), ex);
+ return new Policy(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, ex.getMessage());
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+ } catch (IOException e) {
+ this.logger.error("Exception closing InputStream for GET of url " + propLocation + " : " + e.getMessage() + " (May be memory leak)", e);
+ }
+ }
+ }
+ }
+
+ this.logger.error("No known location for Policy " + policyId);
+ return null;
+ }
+
+ /**
+ * Finds the identifiers for all of the policies referenced by the given property name in the
+ * <code>XACMLProperties</code> and loads them using the requested loading method.
+ *
+ * @param propertyName the <code>String</code> name of the property containing the list of policy identifiers
+ * @return a <code>List</code> of <code>PolicyDef</code>s loaded from the given property name
+ */
+ protected List<PolicyDef> getPolicyDefs(String propertyName, Properties properties) {
+ String policyIds = properties.getProperty(propertyName);
+ if (policyIds == null || policyIds.length() == 0) {
+ return null;
+ }
+
+ Iterable<String> policyIdArray = Splitter.on(',').trimResults().omitEmptyStrings().split(policyIds);
+ if (policyIdArray == null) {
+ return null;
+ }
+
+ List<PolicyDef> listPolicyDefs = new ArrayList<PolicyDef>();
+ for (String policyId : policyIdArray) {
+ PolicyDef policyDef = this.loadPolicyDef(policyId, properties);
+ if (policyDef != null) {
+ listPolicyDefs.add(policyDef);
+ }
+ }
+ return listPolicyDefs;
+ }
+
+ protected synchronized void init(Properties properties) {
+ if (this.needsInit) {
+ //
+ // Check for property that combines root policies into one policyset
+ //
+ String combiningAlgorithm = properties.getProperty(ATTPDPProperties.PROP_POLICYFINDERFACTORY_COMBINEROOTPOLICIES);
+ if (combiningAlgorithm != null) {
+ try {
+ logger.info("Combining root policies with " + combiningAlgorithm);
+ //
+ // Find the combining algorithm
+ //
+ CombiningAlgorithm<PolicySetChild> algorithm = CombiningAlgorithmFactory.newInstance().getPolicyCombiningAlgorithm(new IdentifierImpl(combiningAlgorithm));
+ //
+ // Create our root policy
+ //
+ PolicySet root = new PolicySet();
+ root.setIdentifier(new IdentifierImpl(UUID.randomUUID().toString()));
+ root.setVersion(StdVersion.newInstance("1.0"));
+ root.setTarget(new Target());
+ //
+ // Set the algorithm
+ //
+ root.setPolicyCombiningAlgorithm(algorithm);
+ //
+ // Load all our root policies
+ //
+ for (PolicyDef policy : this.getPolicyDefs(XACMLProperties.PROP_ROOTPOLICIES, properties)) {
+ root.addChild(policy);
+ }
+ //
+ // Set this policy as the root
+ //
+ this.rootPolicies = new ArrayList<>();
+ this.rootPolicies.add(root);
+ } catch (FactoryException | ParseException e) {
+ logger.error("Failed to load Combining Algorithm Factory: " + e.getLocalizedMessage());
+ }
+ } else {
+ this.rootPolicies = this.getPolicyDefs(XACMLProperties.PROP_ROOTPOLICIES, properties);
+ }
+
+ this.referencedPolicies = this.getPolicyDefs(XACMLProperties.PROP_REFERENCEDPOLICIES, properties);
+ this.needsInit = false;
+ }
+ }
+
+ public StdPolicyFinderFactory() {
+ }
+
+ public StdPolicyFinderFactory(Properties properties) {
+ }
+
+ @Override
+ public PolicyFinder getPolicyFinder() throws FactoryException {
+ try {
+ this.init(XACMLProperties.getProperties());
+ } catch (IOException e) {
+ throw new FactoryException(e);
+ }
+ return new StdPolicyFinder(this.rootPolicies, this.referencedPolicies);
+ }
+
+ @Override
+ public PolicyFinder getPolicyFinder(Properties properties) throws FactoryException {
+ this.init(properties);
+ return new StdPolicyFinder(this.rootPolicies, this.referencedPolicies, properties);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java
new file mode 100755
index 0000000..0749a8e
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdPolicyFinderResult.java
@@ -0,0 +1,52 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std;
+
+import com.att.research.xacml.api.Status;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacmlatt.pdp.policy.PolicyDef;
+import com.att.research.xacmlatt.pdp.policy.PolicyFinderResult;
+
+/**
+ * StdPolicyFinderResult implements the {@link com.att.research.xacmlatt.pdp.policy.PolicyFinderResult} interface.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ * @param <T> the java class extending {@link com.att.research.xacmlatt.pdp.policy.PolicyDef} held by the <code>StdPolicyFinderResult</code>
+ */
+public class StdPolicyFinderResult<T extends PolicyDef> implements PolicyFinderResult<T> {
+ private Status status;
+ private T policyDef;
+
+ public StdPolicyFinderResult(Status statusIn, T policyDefIn) {
+ this.status = (statusIn == null ? StdStatus.STATUS_OK : statusIn);
+ this.policyDef = policyDefIn;
+ }
+
+ public StdPolicyFinderResult(Status statusIn) {
+ this(statusIn, null);
+ }
+
+ public StdPolicyFinderResult(T policyDefIn) {
+ this(null, policyDefIn);
+ }
+
+ @Override
+ public Status getStatus() {
+ return this.status;
+ }
+
+ @Override
+ public T getPolicyDef() {
+ return this.policyDef;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java
new file mode 100755
index 0000000..ff394ee
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/StdProperties.java
@@ -0,0 +1,19 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std;
+
+import com.att.research.xacmlatt.pdp.util.ATTPDPProperties;
+
+public class StdProperties extends ATTPDPProperties {
+ protected StdProperties() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java
new file mode 100755
index 0000000..c24d2c2
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombinedPermitOverrides.java
@@ -0,0 +1,117 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2015 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * @author pameladragosh
+ *
+ * This algorithm was created to support combining a collection of policies in which the permit's are combined into one decision. PermitOverrides
+ * itself will stop once a Permit is found. However, some policy makers want every policy in a policy set to be visited by the PDP engine.
+ * The result of all the Permits that were found are then combined and returned. If no Permits were found then the result is the same semantics as
+ * the PermitOverrides combining algorithm.
+ *
+ * @param <T>
+ */
+public class CombinedPermitOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public CombinedPermitOverrides(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext,
+ List<CombiningElement<T>> elements,
+ List<CombinerParameter> combinerParameters)
+ throws EvaluationException {
+ boolean atLeastOneDeny = false;
+ boolean atLeastOnePermit = false;
+
+ EvaluationResult combinedResultDeny = new EvaluationResult(Decision.DENY);
+ EvaluationResult combinedResultPermit = new EvaluationResult(Decision.PERMIT);
+
+ EvaluationResult firstIndeterminateD = null;
+ EvaluationResult firstIndeterminateP = null;
+ EvaluationResult firstIndeterminateDP = null;
+
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ atLeastOneDeny = true;
+ combinedResultDeny.merge(evaluationResultElement);
+ break;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ if (firstIndeterminateDP == null) {
+ firstIndeterminateDP = evaluationResultElement;
+ } else {
+ firstIndeterminateDP.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_DENY:
+ if (firstIndeterminateD == null) {
+ firstIndeterminateD = evaluationResultElement;
+ } else {
+ firstIndeterminateD.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_PERMIT:
+ if (firstIndeterminateP == null) {
+ firstIndeterminateP = evaluationResultElement;
+ } else {
+ firstIndeterminateP.merge(evaluationResultElement);
+ }
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ atLeastOnePermit = true;
+ combinedResultPermit.merge(evaluationResultElement);
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (atLeastOnePermit) {
+ return combinedResultPermit;
+ }
+ if (firstIndeterminateDP != null) {
+ return firstIndeterminateDP;
+ } else if (firstIndeterminateP != null && (firstIndeterminateD != null || atLeastOneDeny)) {
+ return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus());
+ } else if (firstIndeterminateP != null) {
+ return firstIndeterminateP;
+ } else if (atLeastOneDeny) {
+ return combinedResultDeny;
+ } else if (firstIndeterminateD != null) {
+ return firstIndeterminateD;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java
new file mode 100755
index 0000000..4993a98
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/CombiningAlgorithmBase.java
@@ -0,0 +1,40 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm;
+
+public abstract class CombiningAlgorithmBase<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> implements CombiningAlgorithm<T> {
+ private Identifier id;
+
+ public CombiningAlgorithmBase(Identifier identifierIn) {
+ this.id = identifierIn;
+ }
+
+ @Override
+ public Identifier getId() {
+ return this.id;
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder stringBuilder = new StringBuilder("{");
+
+ Object objectToDump;
+ if ((objectToDump = this.getId()) != null) {
+ stringBuilder.append("id=");
+ stringBuilder.append(objectToDump.toString());
+ }
+ stringBuilder.append('}');
+ return stringBuilder.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java
new file mode 100755
index 0000000..207ec61
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyOverrides.java
@@ -0,0 +1,105 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * DenyOverrides implements the XACML 3.0 "deny-overrides" combining algorithm for both policies and rules.
+ *
+ * @author car
+ *
+ * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable}
+ * @param <U> the java class for the identifier
+ */
+public class DenyOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public DenyOverrides(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ boolean atLeastOnePermit = false;
+
+ EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT);
+
+ EvaluationResult firstIndeterminateD = null;
+ EvaluationResult firstIndeterminateP = null;
+ EvaluationResult firstIndeterminateDP = null;
+
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ return evaluationResultElement;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ if (firstIndeterminateDP == null) {
+ firstIndeterminateDP = evaluationResultElement;
+ } else {
+ firstIndeterminateDP.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_DENY:
+ if (firstIndeterminateD == null) {
+ firstIndeterminateD = evaluationResultElement;
+ } else {
+ firstIndeterminateD.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_PERMIT:
+ if (firstIndeterminateP == null) {
+ firstIndeterminateP = evaluationResultElement;
+ } else {
+ firstIndeterminateP.merge(evaluationResultElement);
+ }
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ atLeastOnePermit = true;
+ combinedResult.merge(evaluationResultElement);
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (firstIndeterminateDP != null) {
+ return firstIndeterminateDP;
+ } else if (firstIndeterminateD != null && (firstIndeterminateP != null || atLeastOnePermit)) {
+ return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus());
+ } else if (firstIndeterminateD != null) {
+ return firstIndeterminateD;
+ } else if (atLeastOnePermit) {
+ return combinedResult;
+ } else if (firstIndeterminateP != null) {
+ return firstIndeterminateP;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java
new file mode 100755
index 0000000..4c241e6
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/DenyUnlessPermit.java
@@ -0,0 +1,68 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * DenyUnlessPermit implements the XACML 3.0 "deny-unless-permit" combining algorithm for both policies and rules.
+ *
+ * @author car
+ *
+ * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable}
+ * @param <U> the java class for the identifier
+ */
+public class DenyUnlessPermit<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public DenyUnlessPermit(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ EvaluationResult combinedResult = new EvaluationResult(Decision.DENY);
+
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ combinedResult.merge(evaluationResultElement);
+ break;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_PERMIT:
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ return evaluationResultElement;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ return combinedResult;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java
new file mode 100755
index 0000000..02402a5
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/FirstApplicable.java
@@ -0,0 +1,58 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * PermitOverrides extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the
+ * XACML 1.0 "first-applicable" combining algorithm for policies and rules.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ *
+ * @param <T> the java class of the object to be combined
+ */
+public class FirstApplicable<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public FirstApplicable(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext,
+ List<CombiningElement<T>> elements,
+ List<CombinerParameter> combinerParameters)
+ throws EvaluationException {
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ if (evaluationResultElement.getDecision() != Decision.NOTAPPLICABLE) {
+ return evaluationResultElement;
+ }
+ }
+
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java
new file mode 100755
index 0000000..e990b6a
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesPolicy.java
@@ -0,0 +1,78 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+import com.att.research.xacmlatt.pdp.policy.PolicySetChild;
+
+/**
+ * DenyOverrides implements the XACML 1.0 "deny-overrides" combining algorithm for policies and policy sets.
+ *
+ * @author car
+ *
+ * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable}
+ * @param <U> the java class for the identifier
+ */
+public class LegacyDenyOverridesPolicy extends CombiningAlgorithmBase<PolicySetChild> {
+
+ public LegacyDenyOverridesPolicy(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<PolicySetChild>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ boolean atLeastOnePermit = false;
+
+ EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT);
+
+ Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<PolicySetChild> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ return evaluationResultElement;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_PERMIT:
+ return new EvaluationResult(Decision.DENY, StdStatus.STATUS_OK);
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ atLeastOnePermit = true;
+ combinedResult.merge(evaluationResultElement);
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (atLeastOnePermit) {
+ return combinedResult;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java
new file mode 100755
index 0000000..68e156a
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyDenyOverridesRule.java
@@ -0,0 +1,91 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+import com.att.research.xacmlatt.pdp.policy.Rule;
+import com.att.research.xacmlatt.pdp.policy.RuleEffect;
+
+/**
+ * DenyOverrides implements the XACML 1.0 "deny-overrides" combining algorithm for rules.
+ *
+ * @author car
+ *
+ * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable}
+ * @param <U> the java class for the identifier
+ */
+public class LegacyDenyOverridesRule extends CombiningAlgorithmBase<Rule> {
+
+ public LegacyDenyOverridesRule(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<Rule>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ boolean atLeastOnePermit = false;
+ boolean potentialDeny = false;
+
+ EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT);
+ EvaluationResult evaluationResultIndeterminate = null;
+
+ Iterator<CombiningElement<Rule>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<Rule> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ return evaluationResultElement;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_PERMIT:
+ if (evaluationResultIndeterminate == null) {
+ evaluationResultIndeterminate = evaluationResultElement;
+ } else {
+ evaluationResultIndeterminate.merge(evaluationResultElement);
+ }
+ if (combiningElement.getEvaluatable().getRuleEffect() == RuleEffect.DENY) {
+ potentialDeny = true;
+ }
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ atLeastOnePermit = true;
+ combinedResult.merge(evaluationResultElement);
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (potentialDeny) {
+ return evaluationResultIndeterminate;
+ } else if (atLeastOnePermit) {
+ return combinedResult;
+ } else if (evaluationResultIndeterminate != null) {
+ return evaluationResultIndeterminate;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java
new file mode 100755
index 0000000..43ed569
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesPolicy.java
@@ -0,0 +1,85 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+import com.att.research.xacmlatt.pdp.policy.PolicySetChild;
+
+/**
+ * LegacyPermitOverridesPolicy extends {@link com.att.research.xacmlatt.pdp.policy.combiners.CombiningAlgorithmBase} for
+ * {@link com.att.research.xacmlatt.pdp.policy.PolicySetChild} elements implementing the XACML 1.0 permit-overrides policy combining algorithm.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ */
+public class LegacyPermitOverridesPolicy extends CombiningAlgorithmBase<PolicySetChild> {
+
+ public LegacyPermitOverridesPolicy(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<PolicySetChild>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ boolean atLeastOneDeny = false;
+
+ EvaluationResult evaluationResultCombined = new EvaluationResult(Decision.DENY);
+ EvaluationResult evaluationResultIndeterminate = null;
+
+ Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<PolicySetChild> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ atLeastOneDeny = true;
+ evaluationResultCombined.merge(evaluationResultElement);
+ break;
+ case INDETERMINATE:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_PERMIT:
+ if (evaluationResultIndeterminate == null) {
+ evaluationResultIndeterminate = evaluationResultElement;
+ } else {
+ evaluationResultIndeterminate.merge(evaluationResultElement);
+ }
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ return evaluationResultElement;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+
+ }
+
+ if (atLeastOneDeny) {
+ return evaluationResultCombined;
+ } else if (evaluationResultIndeterminate != null) {
+ return evaluationResultIndeterminate;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java
new file mode 100755
index 0000000..446ff35
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/LegacyPermitOverridesRule.java
@@ -0,0 +1,91 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+import com.att.research.xacmlatt.pdp.policy.Rule;
+import com.att.research.xacmlatt.pdp.policy.RuleEffect;
+
+/**
+ * LegacyPermitOverridesRule extends {@link com.att.research.xacmlatt.pdp.policy.combiners.CombiningAlgorithmBase} for
+ * {@link com.att.research.xacmlatt.pdp.policy.Rule}s to implement the XACML 1.0 permit-overrides rule combining algorithm.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ */
+public class LegacyPermitOverridesRule extends CombiningAlgorithmBase<Rule> {
+
+ public LegacyPermitOverridesRule(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<Rule>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ boolean atLeastOneDeny = false;
+ boolean potentialPermit = false;
+
+ EvaluationResult evaluationResultCombined = new EvaluationResult(Decision.DENY);
+ EvaluationResult evaluationResultIndeterminate = null;
+
+ Iterator<CombiningElement<Rule>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<Rule> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ atLeastOneDeny = true;
+ evaluationResultCombined.merge(evaluationResultElement);
+ break;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_PERMIT:
+ if (evaluationResultIndeterminate == null) {
+ evaluationResultIndeterminate = evaluationResultElement;
+ } else {
+ evaluationResultIndeterminate.merge(evaluationResultElement);
+ }
+ if (combiningElement.getEvaluatable().getRuleEffect() == RuleEffect.PERMIT) {
+ potentialPermit = true;
+ }
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ return evaluationResultElement;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (potentialPermit) {
+ return evaluationResultIndeterminate;
+ } else if (atLeastOneDeny) {
+ return evaluationResultCombined;
+ } else if (evaluationResultIndeterminate != null) {
+ return evaluationResultIndeterminate;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java
new file mode 100755
index 0000000..f5f8f35
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/OnlyOneApplicable.java
@@ -0,0 +1,78 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacml.std.StdStatusCode;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.eval.MatchResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+import com.att.research.xacmlatt.pdp.policy.PolicySetChild;
+
+/**
+ * OnlyOneApplicable extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the
+ * XACML 1.0 "only-one-applicable" combining algorithm for policies and rules.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ *
+ * @param <T> the java class of the object to be combined
+ */
+public class OnlyOneApplicable extends CombiningAlgorithmBase<PolicySetChild> {
+
+ public OnlyOneApplicable(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext,
+ List<CombiningElement<PolicySetChild>> elements,
+ List<CombinerParameter> combinerParameters)
+ throws EvaluationException {
+ Iterator<CombiningElement<PolicySetChild>> iterElements = elements.iterator();
+ PolicySetChild policySetChildApplicable = null;
+ while (iterElements.hasNext()) {
+ CombiningElement<PolicySetChild> combiningElement = iterElements.next();
+ MatchResult matchResultElement = combiningElement.getEvaluatable().match(evaluationContext);
+
+ switch(matchResultElement.getMatchCode()) {
+ case INDETERMINATE:
+ return new EvaluationResult(Decision.INDETERMINATE, matchResultElement.getStatus());
+ case MATCH:
+ if (policySetChildApplicable == null) {
+ policySetChildApplicable = combiningElement.getEvaluatable();
+ } else {
+ return new EvaluationResult(Decision.INDETERMINATE, new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "More than one applicable policy"));
+ }
+ break;
+ case NOMATCH:
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + matchResultElement.getMatchCode().toString());
+ }
+ }
+
+ if (policySetChildApplicable != null) {
+ return policySetChildApplicable.evaluate(evaluationContext);
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java
new file mode 100755
index 0000000..ef34403
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitOverrides.java
@@ -0,0 +1,109 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * PermitOverrides extends {@link com.att.research.xacmlatt.pdp.std.combiners.CombiningAlgorithmBase} to implement the
+ * XACML 3.0 Permit-overrides combining algorithm for policies and rules.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ *
+ * @param <T> the java class of the object to be combined
+ */
+public class PermitOverrides<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public PermitOverrides(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext,
+ List<CombiningElement<T>> elements,
+ List<CombinerParameter> combinerParameters)
+ throws EvaluationException {
+ boolean atLeastOneDeny = false;
+
+ EvaluationResult combinedResult = new EvaluationResult(Decision.DENY);
+
+ EvaluationResult firstIndeterminateD = null;
+ EvaluationResult firstIndeterminateP = null;
+ EvaluationResult firstIndeterminateDP = null;
+
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ atLeastOneDeny = true;
+ combinedResult.merge(evaluationResultElement);
+ break;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ if (firstIndeterminateDP == null) {
+ firstIndeterminateDP = evaluationResultElement;
+ } else {
+ firstIndeterminateDP.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_DENY:
+ if (firstIndeterminateD == null) {
+ firstIndeterminateD = evaluationResultElement;
+ } else {
+ firstIndeterminateD.merge(evaluationResultElement);
+ }
+ break;
+ case INDETERMINATE_PERMIT:
+ if (firstIndeterminateP == null) {
+ firstIndeterminateP = evaluationResultElement;
+ } else {
+ firstIndeterminateP.merge(evaluationResultElement);
+ }
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ return evaluationResultElement;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ if (firstIndeterminateDP != null) {
+ return firstIndeterminateDP;
+ } else if (firstIndeterminateP != null && (firstIndeterminateD != null || atLeastOneDeny)) {
+ return new EvaluationResult(Decision.INDETERMINATE_DENYPERMIT, firstIndeterminateD.getStatus());
+ } else if (firstIndeterminateP != null) {
+ return firstIndeterminateP;
+ } else if (atLeastOneDeny) {
+ return combinedResult;
+ } else if (firstIndeterminateD != null) {
+ return firstIndeterminateD;
+ } else {
+ return new EvaluationResult(Decision.NOTAPPLICABLE);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java
new file mode 100755
index 0000000..b1b0ee0
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/PermitUnlessDeny.java
@@ -0,0 +1,69 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+import java.util.Iterator;
+import java.util.List;
+
+import com.att.research.xacml.api.Decision;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.eval.EvaluationException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationResult;
+import com.att.research.xacmlatt.pdp.policy.CombinerParameter;
+import com.att.research.xacmlatt.pdp.policy.CombiningElement;
+
+/**
+ * PermitUnlessDeny implements the XACML 3.0 "permit-unless-deny" combining algorithm for both policies and rules.
+ *
+ * @author car
+ *
+ * @param <T> the java class for the {@link com.att.research.xacmlatt.pdp.eval.Evaluatable}
+ * @param <U> the java class for the identifier
+ */
+public class PermitUnlessDeny<T extends com.att.research.xacmlatt.pdp.eval.Evaluatable> extends CombiningAlgorithmBase<T> {
+
+ public PermitUnlessDeny(Identifier identifierIn) {
+ super(identifierIn);
+ }
+
+ @Override
+ public EvaluationResult combine(EvaluationContext evaluationContext, List<CombiningElement<T>> elements, List<CombinerParameter> combinerParameters) throws EvaluationException {
+ EvaluationResult combinedResult = new EvaluationResult(Decision.PERMIT);
+
+ Iterator<CombiningElement<T>> iterElements = elements.iterator();
+ while (iterElements.hasNext()) {
+ CombiningElement<T> combiningElement = iterElements.next();
+ EvaluationResult evaluationResultElement = combiningElement.evaluate(evaluationContext);
+
+ assert(evaluationResultElement != null);
+ switch(evaluationResultElement.getDecision()) {
+ case DENY:
+ return evaluationResultElement;
+ case INDETERMINATE:
+ case INDETERMINATE_DENYPERMIT:
+ case INDETERMINATE_DENY:
+ case INDETERMINATE_PERMIT:
+ break;
+ case NOTAPPLICABLE:
+ break;
+ case PERMIT:
+ combinedResult.merge(evaluationResultElement);
+ break;
+ default:
+ throw new EvaluationException("Illegal Decision: \"" + evaluationResultElement.getDecision().toString());
+ }
+ }
+
+ return combinedResult;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java
new file mode 100755
index 0000000..db6b8f4
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/combiners/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+
+package com.att.research.xacmlatt.pdp.std.combiners;
+
+/**
+ * com.att.research.xacmlatt.pdp.std.combiners contains implementations of the {@link com.att.research.xacmlatt.pdp.policy.CombiningAlgorithm}
+ * interface.
+ *
+ * @author car
+ * @version $Revision: 1.1 $
+ */
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java
new file mode 100755
index 0000000..9b81539
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/ConvertedArgument.java
@@ -0,0 +1,204 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.functions;
+
+import com.att.research.xacml.api.AttributeValue;
+import com.att.research.xacml.api.DataType;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Status;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacml.std.StdStatusCode;
+import com.att.research.xacmlatt.pdp.policy.Bag;
+import com.att.research.xacmlatt.pdp.policy.FunctionArgument;
+
+/**
+ * A ConvertedArgument is the result of processing an {@link com.att.research.xacmlatt.pdp.policy.FunctionArgument}
+ * to validate its correctness and to convert it into an object of the required type.
+ * It is returned by the <code>validateArguments</code> method in
+ * {@link com.att.research.xacmlatt.pdp.std.functions.FunctionDefinitionHomogeneousSimple}
+ * and should only be used by other Functions in that same package.
+ * This is a data holder with no processing.
+ * It contains two elements:
+ * <UL>
+ * <LI>
+ * A {@link com.att.research.xacml.api.Status} object, and
+ * <LI>
+ * An object containing the value of the FunctionArgument processed by validateArguments.
+ * This object will only exist if status.isOk() (or the isOk() method in this class that calls status.isOk()) is true.
+ * </UL>
+ *
+ *
+ * @author glenngriffin
+ *
+ */
+public class ConvertedArgument<I> {
+
+ // When status != Status.OK, the value is null
+ private Status status;
+
+ // This is non-null when status == Status.OK
+ private I value = null;
+
+ /**
+ * Constructor ensures we have a non-null status, though value will be null if status is not ok.
+ *
+ * @param s
+ * @param v
+ */
+ public ConvertedArgument(Status s, I v) {
+ status = s;
+ if (s == null) {
+ throw new IllegalArgumentException("Status of argument cannot be null");
+ }
+ if (s.isOk()) {
+ // only set value if status is ok
+ value = v;
+ }
+ }
+
+ /**
+ * Get the Status object
+ *
+ * @return
+ */
+ public Status getStatus() {
+ return status;
+ }
+
+
+ /**
+ * Convenience method that directly returns the isOk() state from the status object.
+ *
+ * @return
+ */
+ public boolean isOk() {
+ return status.isOk();
+ }
+
+
+ /**
+ * Get the value object. This may be a Bag.
+ *
+ * @return
+ */
+ public I getValue() {
+ return value;
+ }
+
+
+ /**
+ * Get the value as a Bag. (convenience method)
+ *
+ * @return
+ */
+ public Bag getBag() {
+ return (Bag)value;
+ }
+
+
+ /**
+ * Returns a shortened version of the given DataType Id, primarily for use with error messages to prevent them from becoming too long.
+ * This is a simple convenience method to reduce code bloat.
+ *
+ * @param identifier expected to have '#' in it, and if no '#' should have ":data-type:"
+ * @return
+ */
+ public String getShortDataTypeId(Identifier identifier) {
+ String idString = identifier.stringValue();
+ int index = idString.indexOf("#");
+ if (index < 0) {
+ index = idString.indexOf(":data-type:");
+ if (index < 0) {
+ return idString;
+ } else {
+ return idString.substring(index + 11);
+ }
+ } else {
+ return idString.substring(index+1);
+ }
+ }
+
+
+
+ /**
+ * Evaluates the given <code>FunctionArgument</code> and validates that it has the correct <code>DataType</code>.
+ * The returned object will be either:
+ * <UL>
+ * <LI>
+ * A Status Object indicating an error condition, or
+ * <LI>
+ * An Object of the appropriate type containing the value of the function.
+ * In this case the caller should assume that the Status is Status.OK.
+ * Note that the object may be a bag if that is what the caller expected.
+ * </UL>
+ *
+ *
+ * @param listFunctionArguments the <code>List</code> of <code>FunctionArgument</code>s to validate
+ * @param convertedValues the <code>List</code> of <code>U</code> that the converted value is added to.
+ * @return a {@link com.att.research.xacml.api.Status} indication with an error if the arguments are not valid,
+ * or an object of the correct DataType containing the value.
+ */
+ @SuppressWarnings("unchecked") // to suppress warning on bag conversion
+ public ConvertedArgument(FunctionArgument functionArgument, DataType<I> expectedDataType, boolean expectBag) {
+
+ if (functionArgument == null ) {
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Got null argument");
+ return;
+ }
+ if ( ! functionArgument.isOk()) {
+ status = functionArgument.getStatus();
+ return;
+ }
+
+ // bags are valid arguments for some functions
+ if (expectBag) {
+ if ( ! functionArgument.isBag()) {
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected a bag, saw a simple value");
+ return;
+ }
+
+ Bag bag = functionArgument.getBag();
+ value = (I) bag;
+ status = StdStatus.STATUS_OK;
+ return;
+ }
+
+ // argument should not be a bag
+ if (functionArgument.isBag()) {
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected a simple value, saw a bag");
+ return;
+ }
+ AttributeValue<?> attributeValue = functionArgument.getValue();
+ if (attributeValue == null || attributeValue.getValue() == null) {
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Got null attribute");
+ return;
+ }
+ if ( ! attributeValue.getDataTypeId().equals(expectedDataType.getId())) {
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, "Expected data type '" +
+ getShortDataTypeId(expectedDataType.getId()) + "' saw '" + getShortDataTypeId(attributeValue.getDataTypeId()) + "'");
+ return;
+ }
+
+ try {
+ value = expectedDataType.convert(attributeValue.getValue());
+ status = StdStatus.STATUS_OK;
+ } catch (Exception e) {
+ String message = e.getMessage();
+ if (e.getCause() != null) {
+ message = e.getCause().getMessage();
+ }
+ status = new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, message);
+ }
+ }
+
+
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java
new file mode 100755
index 0000000..c8109ce
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionAccessPermitted.java
@@ -0,0 +1,198 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.functions;
+
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.net.URI;
+import java.util.List;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Node;
+
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Request;
+import com.att.research.xacml.api.RequestAttributes;
+import com.att.research.xacml.std.StdRequest;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacml.std.StdStatusCode;
+import com.att.research.xacml.std.datatypes.DataTypes;
+import com.att.research.xacml.std.dom.DOMRequestAttributes;
+import com.att.research.xacml.std.dom.DOMStructureException;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.policy.ExpressionResult;
+import com.att.research.xacmlatt.pdp.policy.FunctionArgument;
+
+/**
+ * FunctionDefinitionAccessPermitted implements {@link com.att.research.xacmlatt.pdp.policy.FunctionDefinition} to
+ * implement the XACML access-permitted predicate.
+ *
+ * WARNING: This code is unfinished. Initially we did not complete the implementation because we did not understand how to handle XML Namespaces
+ * (from the <Request> or <Policy>).
+ * Later we understood that any Namespaces used within this function must be explicitly listed in <Content> XML elemement passed to this function.
+ * However, it is not clear that anyone needs this function.
+ * The only use anyone has mentioned is in a recursive operation which requires a loop counter of some kind, which we do not have implemented.
+ * Therefore we have chosen to leave this unimplemented for now.
+ *
+ * In the first implementation of XACML we had separate files for each XACML Function.
+ * This release combines multiple Functions in fewer files to minimize code duplication.
+ * This file supports the following XACML codes:
+ * access-permitted
+ *
+ *
+ * @author glenngriffin
+ * @version $Revision: 1.1 $
+ *
+ */
+public class FunctionDefinitionAccessPermitted extends FunctionDefinitionBase<Boolean, URI> {
+
+
+
+
+ /**
+ * Constructor - need dataTypeArgs input because of java Generic type-erasure during compilation.
+ *
+ * @param idIn
+ * @param dataTypeArgsIn
+ */
+ public FunctionDefinitionAccessPermitted(Identifier idIn) {
+ super(idIn, DataTypes.DT_BOOLEAN, DataTypes.DT_ANYURI, false);
+ }
+
+ @Override
+ public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) {
+ if (arguments == null || arguments.size() != 2) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +
+ " Expected 2 arguments, got " +
+ ((arguments == null) ? "null" : arguments.size()) ));
+ }
+
+ // first arg is URI
+ FunctionArgument functionArgument = arguments.get(0);
+ ConvertedArgument<URI> convertedArgument0 = new ConvertedArgument<URI>(functionArgument, DataTypes.DT_ANYURI, false);
+ if ( ! convertedArgument0.isOk()) {
+ return ExpressionResult.newError(getFunctionStatus(convertedArgument0.getStatus()));
+ }
+ URI attributesURI = convertedArgument0.getValue();
+ // this must be a urn of an attribute category
+ if ( ! attributesURI.toString().startsWith("urn:") || ! attributesURI.toString().contains(":attribute-category:")) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() +
+ " First argument must be a urn for an attribute-category, not '" + attributesURI.toString() ));
+ }
+
+ // second argument is of input type
+ functionArgument = arguments.get(1);
+ ConvertedArgument<String> convertedArgument1 = new ConvertedArgument<String>(functionArgument, DataTypes.DT_STRING, false);
+ if ( ! convertedArgument1.isOk()) {
+ return ExpressionResult.newError(getFunctionStatus(convertedArgument1.getStatus()));
+ }
+ // get the Duration object from the argument which includes all fields, even if the incoming argument does not include them all
+ String xmlContent = convertedArgument1.getValue();
+
+ // The spec is fuzzy on whether this string includes the "<Content>" tags or not, so handle it either way
+ if ( ! xmlContent.trim().toLowerCase().startsWith("<content>") ) {
+ // incomming is not surrounded by <content> tags, so ad them
+ xmlContent = "<Content>" + xmlContent + "</Content>";
+ }
+
+//TODO - the next block needs to be uncommented and fixed
+//Request req = evaluationContext.getRequest();
+//List<String> xmlAttrList = req.getRequestXMLAttributes();
+//String attrString = " ";
+//for (String attr : xmlAttrList) {
+// attrString += " " + attr;
+//}
+//
+// // add the Attributes XML element
+// xmlContent = "<Attributes Category=\"" + attributesURI + "\" " + attrString + " >" + xmlContent + "</Attributes>";
+
+//java.util.Iterator<RequestAttributes> rait = req.getRequestAttributes();
+//while (rait.hasNext()) {
+// RequestAttributes ra = rait.next();
+// System.out.println(ra);
+//}
+
+
+
+ // convert the xmlContent into XML Nodes
+ Node newContentNode = null;
+//TODO - need to get Namespace info from original Request? How can I recover the original Namespace from the EvaluationContext?
+ try (InputStream is = new ByteArrayInputStream(xmlContent.getBytes())) {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setNamespaceAware(true);
+
+ newContentNode = docBuilderFactory
+ .newDocumentBuilder()
+ .parse(is)
+ .getDocumentElement();
+ } catch (Exception e) {
+ String message = e.getMessage();
+ if (e.getCause() != null) {
+ message = e.getCause().getMessage();
+ }
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() +
+ " Parsing of XML string failed. Cause='" + message + "'" ));
+ }
+ // convert the XML Node into a RequestAttributes object
+//TODO - If this code is ever completed, the following variable will be used. The annotation is to avoid warnings.
+@SuppressWarnings("unused")
+ RequestAttributes newRequestAttributes = null;
+ try {
+ newRequestAttributes = DOMRequestAttributes.newInstance(newContentNode);
+ } catch (DOMStructureException e) {
+ String message = e.getMessage();
+ if (e.getCause() != null) {
+ message = e.getCause().getMessage();
+ }
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, this.getShortFunctionId() +
+ " Conversion of XML to RequestAttributes failed. Cause='" + message + "'" ));
+ }
+
+
+ // check the evaluationContext and Request for null
+ if (evaluationContext == null) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +
+ " Got null EvaluationContext"));
+ }
+ if (evaluationContext.getRequest() == null) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +
+ " Got null Request in EvaluationContext"));
+ }
+
+ // Create a new Request by:
+ // - copying the current request,
+ // - Dropping the Attributes section identified by the attributesURI argument
+ // - adding a new Attributes section identified by the attributesURI arg and with a Content section containing the xmlContent argument
+ Request originalRequest = evaluationContext.getRequest();
+
+//TODO - If this code is ever completed, the following variable will be used. The annotation is to avoid warnings.
+@SuppressWarnings("unused")
+ Request newRequest = new StdRequest(originalRequest);
+
+
+
+// ???? nameingContext????
+
+ // Now create a new EvaluationContext matching the one passed to this method except for the Request
+//TODO
+
+ // Run the PDP on the new EvaluationContext
+//TODO
+
+
+return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +
+ " Not Implemented"));
+
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java
new file mode 100755
index 0000000..03bd34f
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionArithmetic.java
@@ -0,0 +1,196 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.functions;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+
+import com.att.research.xacml.api.AttributeValue;
+import com.att.research.xacml.api.DataType;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacml.api.Status;
+import com.att.research.xacml.api.XACML;
+import com.att.research.xacml.std.StdAttributeValue;
+import com.att.research.xacml.std.StdStatus;
+import com.att.research.xacml.std.StdStatusCode;
+import com.att.research.xacml.std.datatypes.DataTypes;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.policy.ExpressionResult;
+import com.att.research.xacmlatt.pdp.policy.FunctionArgument;
+
+/**
+ * FunctionDefinitionArithmetic extends {@link com.att.research.xacmlatt.pdp.std.functions.FunctionDefinitionHomogeneousSimple} to
+ * implement the XACML Arithmetic predicates as functions taking one or two arguments of the same data type and returning a single value of the same type.
+ *
+ * In Java there is no way to do arithmetic operations generically, so we need to have individual code for each operation on each class within this class.
+ *
+ * In the first implementation of XACML we had separate files for each XACML Function.
+ * This release combines multiple Functions in fewer files to minimize code duplication.
+ * This file supports the following XACML codes:
+ * integer-add
+ * double-add
+ * integer-subtract
+ * double-subtract
+ * integer-multiply
+ * double-multiply
+ * integer-divide
+ * double-divide
+ * integer-mod
+ * integer-abs
+ * double-abs
+ * round
+ * floor
+ *
+ * @author glenngriffin
+ * @version $Revision: 1.1 $
+ *
+ * @param <T> the java class for the data type of the function arguments
+ */
+public class FunctionDefinitionArithmetic<T extends Number> extends FunctionDefinitionHomogeneousSimple<T,T> {
+
+ /**
+ * List of arithmetic operations.
+ *
+ * @author glenngriffin
+ *
+ */
+ public enum OPERATION {ADD, SUBTRACT, MULTIPLY, DIVIDE, MOD, ABS, ROUND, FLOOR };
+
+ // operation to be used in this instance of the Arightmetic class
+ private final OPERATION operation;
+
+ // result variables used by all functions, one for each type
+ private AttributeValue<BigInteger> integerResult;
+ private AttributeValue<Double> doubleResult;
+
+ /**
+ * Constructor
+ *
+ * @param idIn
+ * @param dataTypeArgsIn
+ * @param op
+ */
+ public FunctionDefinitionArithmetic(Identifier idIn, DataType<T> dataTypeArgsIn, OPERATION op, int nArgs) {
+ // for Arithmetic functions, the output type is the same as the input type (no mixing of Ints and Doubles!)
+ super(idIn, dataTypeArgsIn, dataTypeArgsIn, nArgs);
+
+ // save the operation to be used in this instance
+ operation = op;
+ }
+
+
+ @Override
+ public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) {
+ List<T> convertedArguments = new ArrayList<T>();
+ Status status = this.validateArguments(arguments, convertedArguments);
+
+ /*
+ * If the function arguments are not correct, just return an error status immediately
+ */
+ if (!status.getStatusCode().equals(StdStatusCode.STATUS_CODE_OK)) {
+ return ExpressionResult.newError(getFunctionStatus(status));
+ }
+
+ /*
+ * Now perform the requested operation.
+ */
+ ExpressionResult expressionResult = null;
+
+ try {
+ switch (operation) {
+ case ADD:
+ if (this.getDataType() == DataTypes.DT_INTEGER) {
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).add( (BigInteger)convertedArguments.get(1)) );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ } else {
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) + (Double)convertedArguments.get(1));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ }
+ break;
+ case SUBTRACT:
+ if (this.getDataType() == DataTypes.DT_INTEGER) {
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).subtract( (BigInteger)convertedArguments.get(1)) );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ } else {
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) - (Double)convertedArguments.get(1));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ }
+ break;
+ case MULTIPLY:
+ if (this.getDataType() == DataTypes.DT_INTEGER) {
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).multiply((BigInteger)convertedArguments.get(1)) );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ } else {
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) * (Double)convertedArguments.get(1));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ }
+ break;
+ case DIVIDE:
+ if (this.getDataType() == DataTypes.DT_INTEGER) {
+ if ( ((BigInteger)convertedArguments.get(1)).equals(new BigInteger("0")) ) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+
+ arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString()));
+ }
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).divide((BigInteger)convertedArguments.get(1)) );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ } else {
+ if ((Double)convertedArguments.get(1) == 0) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+
+ arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString()));
+ }
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (Double)convertedArguments.get(0) / (Double)convertedArguments.get(1));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ }
+ break;
+ case MOD:
+ if ( ((BigInteger)convertedArguments.get(1)).equals(new BigInteger("0")) ) {
+ return ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() +" Divide by 0 error: "+
+ arguments.get(0).getValue().getValue().toString() + ", " + arguments.get(1).getValue().getValue().toString()));
+ }
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).remainder((BigInteger)convertedArguments.get(1)) );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ break;
+ case ABS:
+ if (this.getDataType() == DataTypes.DT_INTEGER) {
+ integerResult = new StdAttributeValue<BigInteger>(XACML.ID_DATATYPE_INTEGER, ((BigInteger)convertedArguments.get(0)).abs() );
+ expressionResult = ExpressionResult.newSingle(integerResult);
+ } else {
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, Math.abs((Double)convertedArguments.get(0)));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ }
+ break;
+ case ROUND:
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, (double)(Math.round((Double)convertedArguments.get(0))) );
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ break;
+ case FLOOR:
+ doubleResult = new StdAttributeValue<Double>(XACML.ID_DATATYPE_DOUBLE, Math.floor((Double)convertedArguments.get(0)));
+ expressionResult = ExpressionResult.newSingle(doubleResult);
+ break;
+ }
+ } catch (Exception e) {
+ String message = e.getMessage();
+ if (e.getCause() != null) {
+ message = e.getCause().getMessage();
+ }
+ String args = arguments.get(0).getValue().toString();
+ if (arguments.size() > 1) {
+ args += ", " + arguments.get(1).getValue().toString();
+ }
+ expressionResult = ExpressionResult.newError(new StdStatus(StdStatusCode.STATUS_CODE_PROCESSING_ERROR, this.getShortFunctionId() + " " + message +
+ " args: " + args + " " + e.getMessage() ));
+ }
+
+ return expressionResult;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java
----------------------------------------------------------------------
diff --git a/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java
new file mode 100755
index 0000000..cbdb406
--- /dev/null
+++ b/openaz-xacml-pdp/src/main/java/com/att/research/xacmlatt/pdp/std/functions/FunctionDefinitionBag.java
@@ -0,0 +1,107 @@
+/*
+ * AT&T - PROPRIETARY
+ * THIS FILE CONTAINS PROPRIETARY INFORMATION OF
+ * AT&T AND IS NOT TO BE DISCLOSED OR USED EXCEPT IN
+ * ACCORDANCE WITH APPLICABLE AGREEMENTS.
+ *
+ * Copyright (c) 2013 AT&T Knowledge Ventures
+ * Unpublished and Not for Publication
+ * All Rights Reserved
+ */
+package com.att.research.xacmlatt.pdp.std.functions;
+
+import java.util.List;
+
+import com.att.research.xacml.api.DataType;
+import com.att.research.xacml.api.Identifier;
+import com.att.research.xacmlatt.pdp.eval.EvaluationContext;
+import com.att.research.xacmlatt.pdp.policy.Bag;
+import com.att.research.xacmlatt.pdp.policy.ExpressionResult;
+import com.att.research.xacmlatt.pdp.policy.FunctionArgument;
+
+/**
+ * FunctionDefinitionBag implements {@link com.att.research.xacmlatt.pdp.policy.FunctionDefinition} to
+ * implement the XACML 'type'-bag predicates as functions taking 0, 1 or multiple arguments of the same data type and returning a <code>Bag</code>.
+ *
+ * In the first implementation of XACML we had separate files for each XACML Function.
+ * This release combines multiple Functions in fewer files to minimize code duplication.
+ * This file supports the following XACML codes:
+ * string-bag
+ * boolean-bag
+ * integer-bag
+ * double-bag
+ * time-bag
+ * date-bag
+ * dateTime-bag
+ * anyURI-bag
+ * hexBinary-bag
+ * base64Binary-bag
+ * dayTimeDuration-bag (version 1 and3)
+ * yearMonthDuration-bag (version 1 and 3)
+ * x500Name-bag
+ * rfc822Name-bag
+ * ipAddress-bag
+ * dnsName-bag
+ *
+ *
+ * @author glenngriffin
+ * @version $Revision: 1.1 $
+ *
+ * @param <I> the java class for the data type of the function Input arguments,
+ * which is also the "type" of the returned bag
+ */
+public class FunctionDefinitionBag<I> extends FunctionDefinitionBase<I, I> {
+
+
+ /**
+ * Constructor - need dataType input because of java Generic type-erasure during compilation.
+ *
+ * @param idIn
+ * @param dataTypeArgsIn
+ */
+ public FunctionDefinitionBag(Identifier idIn, DataType<I> dataTypeArgsIn) {
+ super(idIn, dataTypeArgsIn, dataTypeArgsIn, true);
+ }
+
+ /**
+ * Evaluates this <code>FunctionDefinition</code> on the given <code>List</code> of{@link com.att.research.xacmlatt.pdp.policy.FunctionArgument}s.
+ *
+ * @param evaluationContext the {@link com.att.research.xacmlatt.pdp.eval.EvaluationContext} to use in the evaluation
+ * @param arguments the <code>List</code> of <code>FunctionArgument</code>s for the evaluation
+ * @return an {@link com.att.research.xacmlatt.pdp.policy.ExpressionResult} with the results of the call
+ */
+ @Override
+ public ExpressionResult evaluate(EvaluationContext evaluationContext, List<FunctionArgument> arguments) {
+
+ // create a list to put the values into
+ Bag elementBag = new Bag();
+
+ // see if we have arguments
+ if (arguments != null && arguments.size() > 0) {
+
+ // for each arg, evaluate it, check type, and put on the list
+ for (FunctionArgument argument : arguments) {
+ // get the argument, evaluate it and check status
+ ConvertedArgument<I> convertedArgument = new ConvertedArgument<I>(argument, this.getDataTypeArgs(), false);
+
+ // check the status
+ if ( ! convertedArgument.isOk()) {
+ return ExpressionResult.newError(getFunctionStatus(convertedArgument.getStatus()));
+ }
+
+ // Special case: Most methods want the value contained in the AttributeValue object inside the FunctionArgument.
+ // This one wants the AttributeValue itself.
+ // We use the ConvertedArgument constructor to validate that the argument is ok, then use the AttributeValue
+ // from the FunctionArgument.
+ elementBag.add(argument.getValue());
+ }
+ }
+
+ // return it
+ return ExpressionResult.newBag(elementBag);
+ }
+
+
+
+
+}