You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openaz.apache.org by pd...@apache.org on 2015/04/13 17:38:48 UTC
[48/51] [partial] incubator-openaz git commit: Initial seed of merged
of AT&T and JP Morgan code
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/package.html
----------------------------------------------------------------------
diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/package.html b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/package.html
new file mode 100755
index 0000000..a9013f8
--- /dev/null
+++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/package.html
@@ -0,0 +1,1058 @@
+<html>
+<body>
+This package is the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/package-summary.html"
+>OpenAz reference "implementation"</a>
+of the OpenAz
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/pep/package-summary.html"
+>"PepApi interface package"</a>,
+and therefore generally contains implementation classes
+and only implementation-specific interfaces, also included is a
+<a href="#tutorial">PepApi tutorial</a> that describes the approach
+to building a PepApi implementation for a specific authorization
+provider, as well as a 2nd <a href="#tutorialmappers">Mapper tutorial</a>
+that describes the overall approach to writing mappers.
+<p>
+The goal of this package is twofold:
+<ul>
+<li>The primary goal is to provide a reference implementation of PepApi
+that uses an AzApi-based authorization provider, which in this case is the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/provider/SimpleConcreteSunXacmlService.html"
+>SimpleConcreteSunXacmlService</a>,
+which is the SunXacml PDP wrapped in an
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/package-summary.html"
+>implementation of the AzApi interface</a>.
+<li>The secondary goal is to provide a reference framework, which other
+providers can use as a model for implementation strategy of both AzApi
+and non-AzApi based authorization providers.
+</ul>
+
+In order to support the 2nd objective, the following is a high level
+"tutorial" about the PepApi and this implementation of it. At present,
+this tutorial is in preliminary form, however, even in the current
+state, the information may prove useful to anyone who is interested in
+developing an implementation of PepApi.
+
+<a name="tutorial"><H2>OpenAz PepApi Implementation Tutorial (v113)</H2></a>
+<H3>Contents</H3>
+<ul>
+<li><a href="#highleveloverview">High Level Overview</a>
+<li><a href="#sixlayerlist">List of Six OpenAz Layers</a>
+<li><a href="#separationapispi">Separation of PepApi to application API
+and provider SPI</a>
+<li><a href="#highlevelsepapispi">High Level Overview API/SPI Separation</a>
+<li><a href="#detailsepapispi">Detail list of API/SPI separated methods</a>
+<li><a href="#pepapilayer">Appl client PepApi "API LAYER"</a>
+<li><a href="#suggestedspiapproaches">Suggested approaches for XyzApi provider SPI implementation</a>
+<li><a href="#pepapiseqmodel">PepApi Object Sequence Model</a>
+<li><a href="#somediscussion">Some discussion items</a>
+<ul>
+<li><a href="#basicpattern">Basic Processing Pattern</a>
+<li><a href="#highlowinterfacHigh Level and Low Level Interface Layers</a>
+<li><a href="#basicpurpose">Basic Purpose of PepApi</a>
+<li><a href="#standardpdps">Standard PDPs</a>
+<li><a href="#xacmlreps">Representations of XACML</a>
+<li><a href="#openazreleases">OpenAz Release Philosophy</a>
+<li><a href="#thesixlayersdisc">The Six Layers</a>
+<li><a href="#layer5disc">Layer 5: AzApi Impl</a>
+<li><a href="#azapivssunxacml">AzApi vs SunXacml</a>
+<li><a href="#canonicalform">Canonical Form</a>
+</ul>
+<li><a href="#tutorialmappers">Part II: Mappers Tutorial</a>
+</ul>
+
+<a name="highleveloverview">
+<H3>High Level Overview: Appl, PepApi, AzApi, AzProvider</H3></a>
+<p>
+To understand the "top level" picture of what is currently provided
+for implementations in the OpenAz project, we can identify six layers
+of operational modules (including "interfaces" as a layer). Each layer
+description starts with the identifier of a jar file in the OpenAz project
+that contains an implementation of the functionality described in the layer.
+<p>
+In addition, experience with OpenAz has shown, the PepApi is best represented
+as having 2 portions: an application-oriented API, and a provider-oriented SPI,
+which will be noted in the following list and explained further below.
+<p>
+The PepApi provider is primarily concerned with implementing Layer 3 in the
+list below. The other layers are generally provided either from the OpenAz site
+(layers 2,4 for interfaces, layer 1 for test code, layers 5,6 for sample
+AzApi impl and PDP), or from customer application environments (layer 1,
+when customer is ready to implement PepApi client), or from PDP vendors
+(layers 5 and 6).
+<p>
+<a name="sixlayerlist"><H4>List of the Six OpenAz Module Layers</H4></a>
+<ul>
+<li><b>Layer 1:</b>
+"<top-of-project>\openaz\test\build\openliberty-openaz-test.jar"
+<br>
+This layer is implemented by a package that contains sample test programs,
+and may be thought of as the "application layer", and generally only
+uses the "API" portion of PepApi.
+For example, test.TestStyles, demonstrates various usage scenarios
+of PepApi.
+
+<li><b>Layer 2:</b> "<top-of-project>
+"<top-of-project>\openaz\azapi\build\openliberty-openaz-azapi.jar"
+<br>
+This layer is implemented by a package that contains the actual
+"PepApi interfaces" (API and SPI), and may be considered to be the second layer
+of "modules", which, while not having any executable code, do control
+what code can be compiled that is purported to "implement" the interface.
+(Note: Even though the jar file contains "azapi" in the name,
+it also contains the "pepapi".)
+
+<li><b>Layer 3:</b>
+"<top-of-project>\openaz\pep\build\openliberty-openaz-pep.jar"
+<br>
+This package contains an example implementation of the PepApi,
+and may be considered to be the "third layer" of OpenAz.
+It also contains an implementation of an "AzApi client", i.e. a
+module that uses AzApi directly to make authorization decisions.
+As such, this layer may be considered to both implement a PepApi
+provider, as well as, in this case, an AzApi client, or in the more
+general, case a client to any request-response oriented
+authorization provider.
+<br>
+In addition, this layer generally uses its own implementation of
+the SPI portion of PepApi, which facilitates its implementation
+of the API portion.
+
+<li><b>Layer 4:</b>
+"<top-of-project>\openaz\azapi\build\openliberty-openaz-azapi.jar"
+<br>
+This package contains the actual "interfaces" that comprise the AzApi,
+and, in the same sense as the layer 2 PepApi above, may be considered
+to be a layer of modules that control compatibility with other
+modules, esp in layer 5. (Note: this is the same jar file as used
+by layer 2, i.e. it contains both sets of interfaces.)
+
+<li><b>Layer 5:</b>
+"<top-of-project>\openaz\pdp\build\openliberty-openaz-pdp.jar"
+<br>
+This package contains an example implementation of AzApi, and may be
+considered to be the "fifth layer" of OpenAz. Similarly to Layer 3,
+this package also contains a client implementation, where the client
+in this case is to the SunXacml PDP provider.
+
+<li><b>Layer 6:</b>
+"<top-of-project>/pdp/lib/sunxacml.jar"
+<br>
+This jar file contains the SunXacml PDP impl, which may be considered
+as the sixth layer of modules in OpenAz.
+</ul>
+
+
+<a name="separationapispi">
+<H3>Separation of PepApi into API and SPI parts.</H3></a>
+This section first describes the approach at a high level, then
+provides a detailed review of the complete PepApi interface to
+designate the API and SPI parts of each PepApi interface.
+
+<a name="highlevelsepapispi">
+<H4>High level view of API/SPI separation</H4></a>
+The first thing that is probably useful to recognize is that the PepApi
+really consists of an application facing API plus an implementer's SPI
+(Service Provider Interface).
+If there is sufficient demand for a more formal separation, that will be
+considered in the future.
+<p>
+The following is a high level view of the API/SPI separation:
+<pre>
+ Consider the following functionality as being the main
+ part of each portion of the PepApi:
+
+ APPL API LAYER:
+
+ Use newPepRequest methods to build request
+ Use decide() method to make decision
+ Use allowed and next methods to look at results
+ Use getObligations, getObligationId, getStringValues to
+ look at obligations within each result
+
+ PROVIDER SPI LAYER:
+
+ Take Appl Api Request and
+ submit as Authorization Provider Request
+
+ Take Authorization Provider Response objects and
+ process and return them as Appl Api Response objects
+
+
+ Summary of architecture:
+
+ Appl Client Impl
+ PepApi Appl Client API
+ PepApi Provider SPI
+ PepApi Provider Impl
+ <AzProvider>API {AzProvider = Az | Xyz}
+ <AzProvider> Impl
+
+
+ Current AzApi strategy:
+
+ +--------------------+
+ | Appl client (impl) | <b><i>Layer 1</i></b>
+ +--------------------+
+ | ^
+ v |
+ +-----------------------------------+
+ | PepApi appl client api (intf) | <b><i>Layer 2</i></b>
+ | - - - - - - - - - - - - - - - - - |
+ | PepApi provider api/spi (impl) | <b><i>Layer 3</i></b>
+ | includes use of PepApi spi |
+ | plus AzApi Client |
+ +-----------------------------------+
+ | ^
+ v |
+ +-----------------------------------+
+ | AzApi client api (intf) | <b><i>Layer 4</i></b>
+ | - - - - - - - - - - - - - - - - - |
+ | AzApi provider (impl) | <b><i>Layer 5</i></b>
+ | plus SunXacml client |
+ +-----------------------------------+
+ | ^
+ v |
+ +----------------------------+
+ | SunXacml provider (impl) | <b><i>Layer 6</i></b>
+ +----------------------------+
+
+
+
+ Suggested strategy for an Xyz provider:
+
+ +--------------------+
+ | Appl client (impl) | <b><i>Layer 1</i></b>
+ +--------------------+
+ | ^
+ v |
+ +-----------------------------------+
+ | PepApi appl client api (intf) | <b><i>Layer 2</i></b>
+ | - - - - - - - - - - - - - - - - - |
+ | PepApi provider api/spi (impl) | <b><i>Layer 3</i></b>
+ | includes use of custom PepApi spi |
+ | plus XyzApi Client |
+ +-----------------------------------+
+ | ^
+ v |
+ +-----------------------------------+
+ | <i>XyzApi client api</i> (intf) | <b><i>Layer 4</i></b>
+ | - - - - - - - - - - - - - - - - - |
+ | XyzApi provider (impl) | <b><i>Layers 5,6</i></b>
+ +-----------------------------------+
+
+
+</pre>
+Note: because in the XyzApi provider case, the "standard" api is effectively
+the XyzApi, itself, there is no need for the impl to act as a client to a
+different interface, and so layers 5 and 6 are effectively consolidated to
+a single logical layer.
+
+<a name="detailsepapispi">
+<H4>Detail list of API/SPI separated methods</H4></a>
+The following list of interfaces and methods describe the API/SPI
+separation.
+<p>Note
+<ul>
+<li>There are only a few interfaces and methods involved with
+the application-facing API, namely:
+<ul>
+<li>PepRequestFactory
+<li>PepRequest
+<li>PepResponse
+<li>Obligation
+</ul>
+<li>All the PepApi interfaces are used and/or include methods that appear
+in the SPI portion.
+<li>Methods marked with "**" have AzApi-specific items in the interface
+that need to be addressed by non-AzApi implementations. In most cases,
+simply making the item null will satisfactorily address the situation for
+a non-AzApi implementation, however, it is likely that a corresponding
+element of the implementation will need to be used instead to fulfill
+the functional capability. For example, a non-AzApi impl will have no
+use for an AzRequestContext, however, it will likely have its own
+RequestContext that will need to be considered as an alternative which
+can be included in an extension class that has an additional provider-specific
+method.
+Note: items marked with "**" are followed by comment at end of line
+with number referring to the suggested approaches for these issues
+described at the end of the SPI detail section.
+</ul>
+
+<pre>
+ -------------------------------------------------------------------
+</pre>
+<a name="pepapilayer"><H4> APPL CLIENT PepApi "API LAYER":</H4></a>
+<pre>
+<a name="apipepreqfact"><H5>Interface PepRequestFactory</H5></a>
+ PepRequest newPepRequest(
+ Object subjectObj, Object actionObj,
+ Object resourceObj, Object environmentObj)
+ PepRequest newPepRequest(
+ Object subjectObj, Object actionResourceObject,
+ Object environmentObj)
+ PepRequest newPepRequest(
+ String subjectName, String actionId,
+ String resourceId)
+
+ PepRequest newBulkPepRequest(
+ Object subjectObj, List actionObjects,
+ List resourceObjects, Object environmentObj)
+ PepRequest newBulkPepRequest(
+ Object subjectObj, List actionResourceObjects,
+ Object environmentObj)
+
+ PepRequest newQueryPepRequest(
+ Object subjectObj, Object environmentObj,
+ String scope, PepRequestQueryType queryType)
+
+<a name="apipepreq"><H5>Interface PepRequest</H5></a>
+ PepResponse decide()
+
+<a name="apipeprsp"><H5>Interface PepResponse</H5></a>
+ boolean allowed()
+ Object getAction()
+ Object getResource()
+ Map<String,Obligation> getObligations()
+ boolean next()
+
+<a name="apiobligation"><H5>Interface Obligation</H5></a>
+ String getObligationId()
+ Map<String,String> getStringValues()
+
+ -------------------------------------------------------------------
+</pre>
+<a name="pepspilayer"><H4> PROVIDER PepApi "SPI LAYER":</H4></a>
+<pre>
+<a name="spipepreqfact"><H5>Interface PepRequestFactory</H5></a>
+ ** AzService getAzService() // (#1) return null for non-AzApi
+
+ String getContainerName()
+ String getProviderClassName()
+
+ RequestAttributesFactory<T> getRequestAttributesFactory(T t)
+ <T extends Enum<T> & AzCategoryId>
+ PepResponseFactory getResponseFactory()
+
+ DecisionHandler getDecisionHandler()
+ List<PostDecisionHandler> getPostDecisionHandlers()
+ List<PreDecisionHandler> getPreDecisionHandlers()
+
+<a name="spipepreq"><H5>Interface PepRequest</H5></a>
+ ** AzRequestContext getAzRequestContext() // return null for non-AzApi
+
+ PepRequestFactory getPepRequestFactory()
+
+ void setAccessSubject(Object subjectObject)
+ void setResourceAction(Object resource, Object action)
+ void setEnvironment(Object envObject)
+ void setBulkResourceActions(List resourceObjects, List actionObjects)
+
+ PepRequestOperation getOperation()
+ ** Object getActionObject(AzResourceActionAssociation azRaa) // (#3)
+ ** Object getResourceObject(AzResourceActionAssociation azRaa) // (#3)
+
+ void setScope(String scope)
+ String getScope()
+
+ void setQueryReturnAllowed(boolean queryReturnAllowed)
+ boolean isQueryForAllowedResults()
+
+<a name="spijavaobjmap"><H5>Interface JavaObjectMapper:</H5></a>
+ Set<Class> getSupportedClasses()
+
+ boolean canMapObject(Object obj)
+
+ <T extends Enum<T> & AzCategoryId>
+ RequestAttributes<T> map(
+ Object javaObject,
+ RequestAttributes<T> azWrapperObject)
+
+<a name="spireqattrfact">
+<H5>Interface RequestAttributesFactory<T extends Enum<T> & AzCategoryId></H5></a>
+ RequestAttributes<T> createObject(PepRequest ctx)
+ void setMappers(List<JavaObjectMapper> mappers)
+ List<JavaObjectMapper> getMappers()
+ Set<Class> getSupportedClasses()
+
+<a name="spiattr">
+<H5>Interface Attributes<T extends Enum<T> & AzCategoryId></H5></a>
+ ** AzEntity<T> getAzEntity() // (#1) return null for non-AzApi
+
+<a name="spireqattr">
+<H5>Interface RequestAttributes<T extends Enum<T> & AzCategoryId>
+ extends Attributes<T></H5></a>
+ PepRequest getPepRequest()
+
+ void setAttribute(String name, Boolean value)
+ void setAttribute(String name, Date date)
+ void setAttribute(String name, Integer value)
+ void setAttribute(String name, String value)
+
+<a name="spidechnd"><H5>Interface DecisionHandler</H5></a>
+ PepResponse decide(PepRequest request)
+<a name="spipredechnd"><H5>Interface PreDecisionHandler</H5></a>
+ void preDecide(PepRequest request)
+<a name="spipostdechnd"><H5>Interface PostDecisionHandler</H5></a>
+ void postDecide(PepRequest request, PepResponse response)
+
+<a name="spipepreqrspfact"><H5>Interface PepResponseFactory:</H5></a>
+ ** PepResponse createPepResponse(
+ AzResponseContext responseContext, // (#1) pass null for non-AzApi
+ PepRequest pepRequest,
+ PepRequestOperation operation)
+
+ ** PepResponse createPepResponse(
+ Set<AzResourceActionAssociation> actionResourceAssociations, // (#3)
+ PepRequest pepRequest,
+ boolean queryAllowed)
+
+ ObligationFactory getObligationFactory()
+
+ PepResponseBehavior getMissingAttributeBehavior()
+ PepResponseBehavior getNotApplicableBehavior()
+ PepResponseBehavior getProcessingErrorBehavior()
+ PepResponseBehavior getSyntaxErrorBehavior()
+
+ void setMissingAttributeBehavior(
+ PepResponseBehavior missingAttributeBehavior)
+ void setNotApplicableBehavior(
+ PepResponseBehavior notApplicableBehavior)
+ void setProcessingErrorBehavior(
+ PepResponseBehavior processingErrorBehavior)
+ void setSyntaxErrorBehavior(
+ PepResponseBehavior syntaxErrorBehavior)
+
+<a name="spipeprsp"><H5>Interface PepResponse</H5></a>
+ ** AzResponseContext getAzResponseContext() // (#1) return null for non-AzApi
+
+<a name="spioblfact"><H5>Interface ObligationFactory</H5></a>
+ ** Obligation createObject(AzEntity<AzCategoryIdObligation> entity) // (#2) pass null for non-AzApi
+
+<a name="spiobl"><H5>Interface Obligation
+ extends ResponseAttributes<AzCategoryIdObligation></H5></a>
+
+<a name="spirspattrfact">
+<H5>Interface ResponseAttributesFactory<T extends Enum<T> & AzCategoryId></H5></a>
+ ** ResponseAttributes<T> createObject(AzEntity<T> entity) // (#2) pass null for non-AzApi
+
+<a name="spirspattr">
+<H5>Interface ResponseAttributes<T extends Enum<T> & AzCategoryId>
+ extends Attributes<T></H5></a>
+
+ -------------------------------------------------------------------
+</pre>
+<a name="suggestedspiapproaches">
+<H4>Suggested approaches for XyzApi provider SPI implementation</H4></a>
+<pre>
+Note: these suggestions presume the Xyz provider is following the
+code structure in the org.openliberty.openaz.pep impl package
+and that the approach is to substitute Xyz request and response objects,
+and Xyz entity attribute collections for those provided by AzApi.
+The basic idea would be to have a parallel impl, for example:
+org.openliberty.openaz.xyz, with basically the same set of classes,
+but with some of the following modifications considered.
+
+ 1. return null for getAz<object>() in:
+ PepRequestFactory.getAzService()
+ PepRequest.getAzRequestContext()
+ Attributes<T>.getAzEntity()
+ PepResponse.getAzResponseContext()
+
+ 2. Pass null for az<object> parameter in:
+ PepResponseFactory.createPepResponse(azResponseContext, ...)
+ ResponseAttributesFactory.createObject(azEntity)
+ ObligationFactory.createObject(azEntity)
+
+ 3. Consider extending AzResourceActionAssociation as
+ XyzResourceActionAssociation and use in the following:
+
+ PepRequest.getActionObject(AzResourceActionAssociation azRaa)
+ PepRequest.getResourceObject(AzResourceActionAssociation azRaa)
+
+ PepResponseFactory.createPepResponse(
+ Set<AzResourceActionAssociation> azRaas,
+ PepRequest pepRequest,
+ boolean queryAllowed)
+
+ AzResourceActionAssociation javadoc is here:
+ http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/AzResourceActionAssociation.html
+
+ Within XyzResourceActionAssociation extension return null for the
+ following AzApi-dependent methods:
+
+ AzResourceActionAssociation.getAzAction()
+ AzResourceActionAssociation.getAzResource()
+ AzResourceActionAssociation.getAzResourceActionAssociationId()
+
+ Add new XyzResourceActionAssociation method to return
+ action and resource objects:
+
+ XyzObject getXyzAction()
+ XyzObject getXyzResource()
+
+ Then the XyzResourceActionAssociation object can be used
+ for correlation based on the XyzObject references for
+ action and resource in the XyzPepRequestImpl that
+ implement PepRequest, i.e.
+
+ PepRequest.getActionObject(XyzResourceActionAssociation xyzRaa)
+ PepRequest.getResourceObject(XyzResourceActionAssociation xyzRaa)
+
+ Similarly for creating a collection of return objects
+ in response to a query, the XyzPepResponseFactoryImpl
+ should be able to pass:
+
+ PepResponseFactory.createPepResponse(
+ Set<XyzResourceActionAssociation> xyzRaas,
+ PepRequest pepRequest,
+ boolean queryAllowed)
+
+ although one needs to check if generics will allow this pass
+ of a Set of subclasses of the class for which the interface
+ is defined.
+
+</pre>
+<a name="pepapiseqmodel"><H3>PepApi Object sequence model</H3></a>
+The following section contains a quasi-sequence diagram that shows the
+relations between the components of the PepApi in approximate order of
+their invocation at runtime.
+<pre>
+
+ +------------------------------------------+
+ | PepRequestFactory |
+ | PepReqFactImpl(azSvc) // impl azSvc set |
+ | pr = newPepRequest |
+ | | (sObj,aObj,rObj,eObj) |
+ | | newPEPRequest(op) |
+ | | azReqCtx = azSvc.createAzReqCtx() |
+ | | new PepReqImpl(azReqCtx, this, op) |
+ | | setAccessSubject(sObj) |
+ +---|--------------------------------------+
+ |
+ V
+ +---------------------------------------------------------------+
+ | PepRequest |
+ | PepReqImpl(azReqCtx, this, op) // set values from params |
+ | setAccessSubject(subjObj) |
+ | createAccessSubject(subjObj) //'Subject' implies <T> |
+ | subjFact = getPepReqFact.getReqAttrFact(catId<T>) |
+ | +<-- subjInit = subjFact.createObj(this) |
+ | | subjMapd = mapJavObject(subjObj, subjInit, subjFact) |
+ | | mapJavaObject(subjObj, subjInit, subjFact) |
+ | +<---- mapper = subjFact.getMappers().next() |
+ | | | mapper.map(subjObj, subjInit) |
+ |+<--- decide() |
+ +|-|-|----------------------------------------------------------+
+ | | |
+ | | V
+ | | +-----------------------------------------------------------+
+ | | | SubjectFactory |
+ | | | createObject(pr) |
+ | | | azReqCtx = pr.getAzReqCtx() |
+ | | | azSubjInit = azReqCtx.createAzEntity(catIdSubj) |
+ | | | azReqCtx.addAzEntity(azSubjInit) |
+ | | | +<- return new Subject(azSubjInit, pr, this) |
+ | | +-|---------------------------------------------------------+
+ | | |
+ | | V
+ | | +-----------------------------------------------------------+
+ | | | Subject |
+ | | | Subject(azSubjInit, pr, subjFact) |
+ | | | +<- super[RequestAttributes](azSubjInit, pr, subjFact) |
+ | | +-|---------------------------------------------------------+
+ | | |
+ | | V
+ | | +-----------------------------------------------------------+
+ | | | RequestAttributes |
+ | | | RequestAttributes(azSubjInit, pr, subjFact) |
+ | | | set this.pr, this.subjFact |
+ | | | +<- super[Attributes](azSubjInit) |
+ | | +-|---------------------------------------------------------+
+ | | |
+ | | V
+ | | +-----------------------------------------------------------+
+ | | | Attributes |
+ | | | Attributes(azSubjInit) |
+ | | | this.azEntity = azSubjInit |
+ | | +-----------------------------------------------------------+
+ | |
+ | V
+ | +-----------------------------------------------------------+
+ | | JavaObjectMapper |
+ | | map(subjObj, reqAttrSubjInit) |
+ | | convertObj(subjObj, reqAttrSubjInit) |
+ | | attrId = getVocab(subjObj) |
+ | | +<- reqAttrSubjInit.setAttribute(attrId, subjObj) |
+ | +---|-------------------------------------------------------+
+ | |
+ | V
+ | +-----------------------------------------------------------+
+ | | RequestAttributes |
+ | | setAttribute(attrId, subjObj) |
+ | | azEntity.createAzAttribute(issuer, attrId, |
+ | | azEntity.createAzAttributeValue(azDataTyp, subjObj) |
+ | +-----------------------------------------------------------+
+ |
+ V
+ +----------------------------------------------------------+
+ | DecisionHandler |
+ | decide(pepReq) |
+ | azRspCtx = azSvc.decide(pepReq.getAzReqCtx() |
+ | +<- pepRspFact = pepReq.getPepReqFact.getRspFact() |
+ | | pepRsp = pepRspFact.createPepRsp(azRspCtx,pepReq,op) | |
+ | | return pepRsp |
+ +-|--------------------------------------------------------+
+ |
+ V
+ +----------------------------------------------------------+
+ | PepResponseFactory |
+ | createPepRsp(azRspCtx,pepReq,op) |
+ | +<- pepRsp = new PepRspImpl(azRspCtx, pepReq, this, op) |
+ | | return pepRsp |
+ +-|--------------------------------------------------------+
+ |
+ V
+ +----------------------------------------------------------+
+ | PepResponse |
+ | PepRspImpl(azRspCtx,pepReq,pepRspFact,op) |
+ | set this.azRspCtx,this.pepReq,this.pepRspFact,this.op |
+ | this.azResultIterator = azRspCtx.getRslts.iterator() |
+ | allowed() |
+ | next() // point to next azResult |
+ | curAzResult = azResultIterator.next() |
+ | getResource(), getAction() |
+ | azRaa = this.getAzResourceActionAssociation() |
+ | resObj = this.getPepReq.getResourceObject(azRaa) |
+ | return resObj |
+ | getObligations() |
+ | curAzObls = curAzResult.getAzObligations() |
+ | curAzObl = curAzObls.next() |
+ | oblFact = this.getRspFact.getOblFact() |
+ | Obligation pepObl = oblFact.createObject(curAzObl) |
+ +-|--------------------------------------------------------+
+ |
+ V
+ +----------------------------------------------------------+
+ | ObligationFactory |
+ | createObject(azObligation) |
+ | +<- return new Obligation(azObligation) |
+ +----------------------------------------------------------+
+ |
+ V
+ +-----------------------------------------------------------+
+ | Obligation |
+ | Obligation(azObligaion) |
+ | +<- super[ResponseAttributes](azObligation) |
+ +-|---------------------------------------------------------+
+ |
+ V
+ +-----------------------------------------------------------+
+ | ResponseAttributes |
+ | ResponseAttributes(azObligation) |
+ | +<- super[Attributes](azObligation) |
+ +-|---------------------------------------------------------+
+ |
+ V
+ +-----------------------------------------------------------+
+ | Attributes |
+ | Attributes(azObligation) |
+ | this.azEntity = azObligation |
+ +-----------------------------------------------------------+
+
+
+</pre>
+
+<a name="somediscussion"><h3>Some discussion items</h3></a>
+
+<a name="basicpattern"><h4>Basic Processing Pattern</h4></a>
+The basic pattern is that the "container" of applications provides
+both checking requests before the application receives them, and
+checking requests in the process of application execution, where
+it is necessary to determine if the current user has sufficient
+authorization established to continue the current operation.
+<p>
+
+<a name="highlowinterfaces">
+<h4>High Level and Low Level Interface Layers</h4></a>
+PepApi is a "high level interface" intended to be totally flexible
+in terms of the applications and containers that can use it, and
+to also be "easy to use", comparable to existing platform-specific
+authorization models, such as J2SE checkPermission and WebLogic
+isAccessAllowed.
+<p>
+By contrast, AzApi is a "low level interface" intended to provide
+a Java binding to the more general platform independent XACML
+authorization model, which provides a general interface consisting
+of a collection of collections of "canonical" Attributes that contain
+both Attribute metadata and AttributeValues.
+<p>
+
+<a name="basicpurpose"><h4>Basic Purpose of PepApi</h4></a>
+Therefore, the intended purpose of a PepApi Impl, for example,
+this package ({@link org.openliberty.openaz.pep}), is
+to provide a "mapping" from the simple, application-friendly, PepApi
+that the applications (and containers) use, to the more complex
+AzApi, that the container would then typically use
+to submit requests to standard XACML PDPs.
+<p>
+
+<a name="standardpdps"><h4>Standard PDPs</h4></a>
+"Standard XACML PDPs" are accessed using the XACML
+Request/Response protocol, which is described in the XACML
+specifications using XML to represent the details. However,
+implementations are not required to use XML, but they are
+required to maintain the semantics of XACML, which are normatively
+defined in the specifications using the XML representation.
+<p>
+
+<a name="xacmlreps"><h4>Representations of XACML</h4></a>
+Furthermore, the XACML specifications do not specify what
+representation is required in the PEP-PDP connection, so it is
+possible that one end is expecting to use XML and the other
+end is expecting to use some other serialization format of the
+same information. Therefore, interoperability is somewhat
+dependent on the "bindings" that XACML PEP and XACML PDPs have
+provided for support. In the absence of a match, it would be
+up to the vendors and/or enterprise system developers to either
+provide a translation module or to simply select another
+product that would be compatible.
+<p>
+It is not a goal of either the XACML Technical Committee nor
+of the OpenAz project to attempt to resolve this issue, except
+on an as-needed basis to serve the purposes of implementations
+that are used within or want to integrate with the OpenAz Project.
+<p>
+So, for example, the initial release of OpenAz has, effectively,
+two "providers" for AzApi, the top level classes of which are:
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/provider/SimpleConcreteDummyService.html">
+<b>SimpleConcreteDummyService</b></a> and
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/provider/SimpleConcreteSunXacmlService.html">
+<b>SimpleConcreteSunXacmlService</b></a>.
+The former, the "dummy service",
+simply gives canned responses, and should be regarded as no more than
+a test tool, however, its existence as an independent "provider" may
+be useful for some types of demos.
+<p>
+
+<a name="openazreleases"><h4>OpenAz Release Philosophy</h4></a>
+To understand the working example in the "initial release of OpenAz"
+(which is the current release, which should be considered to be
+using the interfaces, i.e. AzApi and PepApi, in their "final form".
+The "final form" is "final" in the sense that until there is a critical
+mass (for example 3 implementations, including the current ref impl),
+fixes to "bugs" found in either API should be considered fair game.
+However, any "functionality" above and beyond what is currently
+represented as the functionality of those interfaces, should be
+considered candidates for a "second" or "next" release.)
+
+<a name="thesixlayersdisc"><H4>The Six Layers</H4></a>
+One may think of the 6 layers as kind of a "stepladder" of mapping
+the Objects from the local form within the application (Layer 1) to the
+canonical form within AzApi (Layer 5).
+<p>
+
+<a name="layer5disc"><H5>Layer 5: AzApi Impl</H5></a>
+Then, from the AzApi impl (layer 5) the canonical form objects may
+be mapped a 2nd time into the local object form required by the
+XACML PDP.
+
+From the perspective of the six layers, we can examine some of the
+possible "usage scenarios" for OpenAz. It turns out that there
+really are two major pieces of standardization that OpenAz facilitates:
+
+<ul>
+<li> First is the upper level "PepApi" (layer two), which provides
+a standard Java interface to application environments, regardless
+of the specific Objects the applications pass to PepApi.
+
+<ul>
+<li>Note: It is "standard" in the sense that
+applications do not have to be aware that
+what is done with the Objects when they are passed to PepApi.
+is that the Objects are "mapped" by the
+layer 3 PepApi Impl to be used as input to the layer 4 AzApi
+interface.
+</ul>
+
+<li> Second is the lower level "AzApi" (layer four), which provides
+a standard Java interface to XACML PDPs.
+
+<ul>
+<li>Note: Again that the layer 5 AzApi Impl needs to generally
+"map" the AzApi objects to those of the XACML Impl.
+</ul>
+</ul>
+
+The reason that layer 5 may need to do mapping is the existing
+XACML implementations, in general, will not yet be using AzApi,
+and so the most effective path to use AzApi is to implement a
+mapping to the current objects used by the XACML PDP.
+<ul>
+<li> In fact, this is exactly what is done in the OpenAz layer five,
+where the AzApi top level impl,
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pdp/provider/SimpleConcreteSunXacmlService.html">
+<b>SimpleConcreteSunXacmlService</b></a>,
+wraps the SunXacml PDP, which has its own interface,
+<ul>
+<li> <a href="http://sunxacml.sourceforge.net/javadoc/com/sun/xacml/PDP.html#evaluate(com.sun.xacml.ctx.RequestCtx)">
+ResponseCtx response = PDP.evaluate(RequestCtx request)</a>
+</ul>
+</ul>
+
+<a name="azapivssunxacml"><H4>AzApi vs SunXacml</H4></a>
+
+<p>
+While the SunXacml interface is "similar" to the AzApi interface,
+particularly the AzApi "decide()" call
+<p>
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/AzService.html#decide(org.openliberty.openaz.azapi.AzRequestContext)">
+<b>AzService.decide</b></a>
+(
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/AzRequestContext.html">
+<b>AzRequestContext</b></a>
+};
+
+<ul>
+<li> AzResponseContext azRspCtx = AzService.decide(AzRequestContext azReqCtx)
+</ul>
+
+<p>
+there is still a "mapping" required to go from the AzApi implementation
+objects to the SunXacml implementation objects. i.e. one must map the
+AzApi
+<a href="http://sunxacml.sourceforge.net/javadoc/com/sun/xacml/ctx/RequestCtx.html">
+<b>RequestCtx</b></a>
+to the SunXacml and on the return, map the SunXacml
+<a href="http://sunxacml.sourceforge.net/javadoc/com/sun/xacml/ctx/ResponseCtx.html">
+<b>ResponseCtx</b></a> to the AzApi
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/AzResponseContext.html">
+<b>AzResponseContext</b></a>
+
+
+<a name="canonicalform"><H4>Canonical Form</H4></a>
+Given the above description, one may ask why map to the canonical form
+at all? Why not have layer 3 map directly to the local form of the
+PDP, and therefore skip layers 4 and 5?
+
+<ul>
+<li>In fact, the architecture is designed so that is a perfectly
+legitimate strategy to take. However, the major drawback to this strategy
+is that if the enterprise has a mix of PDPs from multiple vendors,
+then configuration may begin to become complex, as one must keep track
+of which vendor's PDP is servicing which application, so as to ensure
+that the proper mappers are in place to map from the application
+objects to the specific PDP vendor objects.
+
+<li>From a purely technical engineering for performance perspective,
+it may appear that the benefit of an intermediate canonical form in
+the runtime path, as kind of a standard "clearinghouse" is not
+compelling enough on its own to justify the effort to achieve it.
+
+<li>However, there are additional considerations. Security Policy
+is an all-encompassing concern for an enterprise that generally
+applies to every activity conducted by the enterprise, whether
+for concern of privacy, risk-avoidance, compliance, integrity, etc.,
+there needs to be a way to integrate security Policy to any activity.
+
+<li>In order to effectively manage security Policy, there needs to
+be standard representations of the information in those Policies,
+as well as a method to relate that information to the corresponding
+representation of information in the enterprise that is collected
+and assembled to a Request to be evaluated by Policy.
+</ul>
+
+<a name="tutorialmappers"><H2>OpenAz Mappers Writing Tutorial (v114)</H2></a>
+<H3>Contents</H3>
+<ul>
+<li><a href="#highleveloverviewmappers">High Level Overview: Mappers</a>
+<li><a href="#structuremappers">Mapper structure</a>
+<li><a href="#methodimplmappers">Mapper method implementation</a>
+<li><a href="#permissionmappers">Permission Mapper</a>
+
+</ul>
+</ul>
+
+<a name="highleveloverviewmappers">
+<H3>High Level Overview: Mappers</H3></a>
+At the most fundamental level, the philosophy of OpenAz and PepApi/AzApi
+that the process of authorization can be abstracted as Policy defined in
+terms of "entities" represented as collections of "attributes", where the
+entities and attributes can be represented by a common standard such
+as XACML. Therefore, in theory, all that is required at runtime when an
+authorization check is required is to look at the entities involved and
+evaluate the Policy to determine if the attributes of the entities meet
+the Policy criteria for granting access.
+<p>
+The "entities" involved in a typical access check include:
+<ul>
+<li>A User Entity, or "Subject", where the Subject is the entity that
+is requesting access.
+<li>A Resource Entity, where the Resource is the entity to which the
+User Entity is requesting access.
+<li>An Action Entity, where the action specifies the explicit operations
+that the User Entity is requesting to apply to the Resource Entity.
+<li>An optional Environment Entity, where the "environment" is generally
+to be considered system conditions, such as time of day, that may factor
+into the decision making process. All such attributes are generally
+collected in an Environment Entity collection of Attributes.
+</li>
+</ul>
+In the XACML Specification, all attributes are of a specific XACML
+DataType, which means, as described in XACML Specification Section A.2:
+<pre>
+ A.2. Data-types
+
+ Although XML instances represent all data-types as strings,
+ an XACML PDP must reason about types of data that, while they
+ have string representations, are not just strings.
+
+ Types such as Boolean, integer and double MUST be converted:
+
+ - from their XML string representations
+ - to values that can be compared with values in their domain
+ of discourse, such as numbers.
+</pre>
+(Note: the XACML Specification uses both the term "data-type" and the
+term "DataType", where the former refers to a generic notion of a
+"data type", but within the XACML context, thus also implicitly
+referring to the latter term, "DataType", which is the name of the
+"XML attribute" used to specify the specific instance of XACML
+data-type to be used in conjunction with the XACML Attribute element
+that contains both the DataType attribute and AttributeValue element.
+OpenAz will not make such a distinction and simply use the term "DataType"
+or "datatype" interchangeably to in any of these contexts.)
+<p>
+In OpenAz, the "lower level" AzApi contains a separate interface for each
+of the Xacml DataTypes and a specific Java Object Type is also associated
+with each Xacml DataType. The collection of
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/AzAttributeValue.html"
+>AzAttributeValue subinterfaces</a>
+along with the associated list of "Known Implementing Classes" that reference
+the reference impl implementations of these interfaces, effectively can
+be considered the specification of the "AzApi Java Language Binding".
+<p>
+As such, in order to make an AzRequest to a XACML PDP, one needs to
+collect the attributes associated with each entity (where the entities
+are distinguished by
+<a href ="">AzCategoryId</a> and submit the Java objects containing the
+attribute values thru these standard interfaces.
+<p>
+The purpose of the lower level AzApi interface is to provide a
+well-structured framework that has a standard representation of all
+information that may ultimately prove necessary to submit a complete
+authorization request.
+<p>
+However, in general, information in the runtime environment is not
+in any particular standard form, so, in order to enable minimal impact
+on existing runtime development practices, the PepApi was developed to
+enable applications to submit whatever information objects are preferred
+to be used in a particular application environment.
+<p>
+In order to make this strategy work the PepApi implementation needs to
+"map" the information in the objects supplied by the application from
+that environment-specific form to the AzApi standard form, which will
+then enable seamless submission to a XACML PDP.
+<p>
+However, as described in the first tutorial above, the same strategy
+will work with almost any PDP. This second tutorial will explain how
+the reference impl mappers are designed, and it is expected that the
+same design strategy can be applied to mapping to other PDP APIs,
+as well, where instead of mapping application objects to azapi objects,
+the mapping would be to the non-Xacml-PDP-specific objects.
+<H3>How to build a Mapper</H3>
+Probably the most straight-forward way to explain how to build a mapper
+is to explain how the existing mappers provided in PepApi work.
+<a name="structuremappers"><h4>Mapper structure</h4></a>
+Looking at the javadoc for
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/SimpleJavaObjectMapper.html"
+>org.openliberty.openaz.pep.SimpleJavaObjectMapper</a> as a
+typical example, we can make the following observations about its structure:
+<ul>
+<li>It implements the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/pep/JavaObjectMapper.html"
+>org.openliberty.openaz.azapi.pep.JavaObjectMapper</a>
+interface.
+<li>The javadoc says that it supports 3 objects: String, Date, and HashMap,
+and that it maps those objects into RequestAttributes.
+<li>The 3 JavaObjectMapper interface methods: canMapObject(), map(), and
+getSupportedObjects() appear in the Method Summary for the
+SimpleJavaObjectMapper.
+<li>There are additional methods used within the implementation:
+convertDate, convertString, convertMap. These methods do the actual
+conversion of the application input object to the AzAttribute structures.
+</ul>
+<a name="methodimplmappers"><h4>Mapper method implementation</h4></a>
+<h5>getSupportedObjects</h5>
+Implementation of getSupportedObjects() in SimpleJavaObjectMapper is
+to simply create a set containing a class object for each class that
+the mapper supports. This is simply a hard-coded set which can be used
+when configuring mappers to preliminarily determine object types supported.
+<p>
+For the SimpleJavaObjectMapper, this consists of a list of 3 class types:
+String, Date, HashMap.
+<h5>canMapObject</h5>
+Implementation of canMapObject(Object obj) should be straight-forward.
+In SimpleJavaObjectMapper there is simply a sequence of "if statements"
+that use "instanceof" to test whether the obj parameter is an "instanceof"
+one of the supported object classes. If there is a match then true
+is returned, otherwise false is returned.
+<h5>map</h5>
+Implementation of the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/pep/JavaObjectMapper.html#map(java.lang.Object,%20org.openliberty.openaz.azapi.pep.RequestAttributes)"
+>map(Object obj, RequestAttributes<T> reqAttrs)</a> method is the
+only place where there might be some non-trivial complexity to work thru.
+<p>
+In SimpleJavaObjectMapper, map(obj,reqAttrs) dispatches to a conversion
+method for one of the supported object types by going thru a similar
+sequence of "if instanceof" test and dispatching when a matching object
+class is found.
+<p>
+Within the conversion methods, the first thing considered is the AzCategoryId
+of the RequestAttributes target object, which for AzApi is an AzEntity
+AzAttribute collection. When the Mapper.map method is invoked, the caller
+needs to determine which AzCategoryId to pass to the method as the
+generic parameter T of the RequestAttributes<T> object being passed.
+<p>
+Generally, this will be implicitly determined by the entity for which
+the object being converted is intended. In the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/azapi/pep/PepRequestFactory.html"
+>PepApi PepRequestFactory.newPepRequest(*) methods</a>,
+the objects passed are in an order that determines whether the object is
+to be considered a Subject, Action, Resource, or Environment as
+described in the signature to the newPepRequest methods.
+<p>
+One can get a rough idea of how this is implemented by following the
+<a href="#pepapiseqmodel">PepApi sequence model</a> in the first tutorial
+above. In particular, starting with PepRequestFactoryImpl call to
+setAccessSubject(sObj), one can follow the diagram logic down to
+the RequestAttributes.setAttribute(attrId, subjObj) method where the
+Mapper has been invoked and the convertObject method within the Mapper
+is setting the attribute on the AzEntity.
+<a name="permissionmappers"><H4>Permission Mapper</H4></a>
+A slightly more interesting case is the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/SimpleJavaPermissionMapper.html">SimpleJavaPermissionMapper</a>
+<p>
+As described in the javadoc for
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/org/openliberty/openaz/pep/SimpleJavaPermissionMapper.html#map(java.lang.Object,%20org.openliberty.openaz.azapi.pep.RequestAttributes)"
+>SimpleJavaPermissionMapper.map()</a>
+a Permission or any subclass of Permission can be processed and effectively
+serialized into 3 String parameters, where the Permission subclass is assumed
+to be a "resource-type", the name parameter is assumed to be the "resource-id",
+and the action is assumed to be the "action-id", where resource-id and action-id
+are as defined in Xacml, and resource-type is an OpenAz identifier used to
+name a resource type.
+<p>
+Therefore these 3 parameters can be passed to the Xacml PDP and generally
+policies will contain regular expression conditions on resource name in order
+to create scopes of resources and actions subject to the policy. Some examples
+demonstrating this technique are included in the test program
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/doc/test/TestStyles.html"
+>TestStyles</a>
+where the code and javadoc of the testStyle* methods describe some of
+the test cases, and the
+<a href="http://openaz.svn.sourceforge.net/viewvc/openaz/test/src/test/"
+>code from the project</a>
+ may be examined.
+</body>
+</html>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPI.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPI.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPI.java
new file mode 100755
index 0000000..f2173a8
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPI.java
@@ -0,0 +1,81 @@
+package org.openliberty.openaz.pepapi.std.test;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.openliberty.openaz.pepapi.*;
+import org.openliberty.openaz.pepapi.std.StdPepAgentFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+public class TestAPI {
+
+ private PepAgentFactory pepAgentFactory;
+
+ @Before
+ public void setup() {
+ pepAgentFactory = new StdPepAgentFactory("/properties/testapi.xacml.properties");
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testPepAgent() {
+ Assert.assertNotNull(getPepAgent());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testPermit(){
+ PepResponse response = getPepAgent().simpleDecide("Julius Hibbert",
+ "read", "http://medico.com/record/patient/BartSimpson");
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testNotApplicable(){
+ PepResponse response = getPepAgent().simpleDecide("Julius Hibbert",
+ "read","http://medico.com/record/patient/JohnSmith");
+ Assert.assertNotNull(response);
+ Assert.assertEquals(false, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testMultiRequest() {
+ List<Action> actions = new ArrayList<Action>();
+ actions.add(Action.newInstance("read"));
+ actions.add(Action.newInstance("write"));
+ actions.add(Action.newInstance("update"));
+ actions.add(Action.newInstance("delete"));
+
+ List<PepResponse> responses = getPepAgent().bulkDecide(actions,
+ Subject.newInstance("Julius Hibbert"),
+ Resource.newInstance("http://medico.com/record/patient/BartSimpson"));
+ Assert.assertNotNull(responses);
+ Assert.assertEquals(true, responses.get(0).allowed());
+ Assert.assertEquals(true, responses.get(1).allowed());
+ Assert.assertEquals(false, responses.get(2).allowed());
+ Assert.assertEquals(false, responses.get(3).allowed());
+
+ }
+
+ public PepAgent getPepAgent() {
+ return pepAgentFactory.getPepAgent();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPIWithPIP.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPIWithPIP.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPIWithPIP.java
new file mode 100755
index 0000000..90cef8e
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAPIWithPIP.java
@@ -0,0 +1,98 @@
+package org.openliberty.openaz.pepapi.std.test;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.openliberty.openaz.pepapi.*;
+import org.openliberty.openaz.pepapi.std.StdPepAgentFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+public class TestAPIWithPIP {
+
+ private static final Log log = LogFactory.getLog(TestAPIWithPIP.class);
+
+ private PepAgentFactory pepAgentFactory;
+
+ @Before
+ public void setup() {
+ pepAgentFactory = new StdPepAgentFactory("xacml.properties");
+ }
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testPepAgent() {
+ Assert.assertNotNull(getPepAgent());
+ }
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testPermit() {
+ PepResponse response = getPepAgent()
+ .simpleDecide("John Doe",
+ "read",
+ "http://medico.com/record/patient/BartSimpson");
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testNotApplicable() {
+ PepResponse response = getPepAgent()
+ .simpleDecide("John Smith",
+ "read",
+ "http://medico.com/record/patient/BartSimpson");
+ Assert.assertNotNull(response);
+ Assert.assertEquals(false, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testMultiRequest() {
+ List<Action> actions = new ArrayList<Action>();
+ actions.add(Action.newInstance("read"));
+ actions.add(Action.newInstance("update"));
+ actions.add(Action.newInstance("write"));
+ actions.add(Action.newInstance("modify"));
+
+ Resource resource = Resource.newInstance("http://medico.com/record/patient/BartSimpson");
+ Subject subject = Subject.newInstance("John Doe");
+
+ List<PepResponse> responses = getPepAgent().bulkDecide(actions, resource, subject);
+ Assert.assertNotNull(responses);
+ Assert.assertEquals(actions.size(), responses.size());
+ Assert.assertEquals(true, responses.get(0).allowed());
+ Assert.assertEquals(false, responses.get(1).allowed());
+ Assert.assertEquals(true, responses.get(2).allowed());
+ Assert.assertEquals(false, responses.get(3).allowed());
+ for(PepResponse response: responses) {
+ log.debug(response.getAssociation());
+ }
+ }
+
+ public PepAgent getPepAgent() {
+ return pepAgentFactory.getPepAgent();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAnnotatedHandlerRegistration.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAnnotatedHandlerRegistration.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAnnotatedHandlerRegistration.java
new file mode 100755
index 0000000..830d28e
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestAnnotatedHandlerRegistration.java
@@ -0,0 +1,72 @@
+package org.openliberty.openaz.pepapi.std.test;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.openliberty.openaz.pepapi.*;
+import org.openliberty.openaz.pepapi.std.StdPepAgentFactory;
+import org.openliberty.openaz.pepapi.std.test.obligation.AnnotatedCatchAllObligationHandler;
+import org.openliberty.openaz.pepapi.std.test.obligation.AnnotatedFilteringObligationHandler;
+import org.openliberty.openaz.pepapi.std.test.obligation.AnnotatedRedactionObligationHandler;
+
+
+public class TestAnnotatedHandlerRegistration {
+
+ @SuppressWarnings("unused")
+ private static Log log = LogFactory.getLog(TestAnnotatedHandlerRegistration.class);
+
+ private PepAgentFactory pepAgentFactory;
+
+ //TODO: Need to wire
+ private AnnotatedFilteringObligationHandler filterHandler;
+
+ //TODO: Need to wire
+ private AnnotatedRedactionObligationHandler redactionHandler;
+
+ //TODO: Need to wire
+ private AnnotatedCatchAllObligationHandler catchAllHandler;
+
+
+ @Before
+ public void setup() {
+ pepAgentFactory = new StdPepAgentFactory("xacml.properties");
+ }
+
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testPepAgent() {
+ Assert.assertNotNull(getPepAgent());
+ }
+
+
+
+ /**
+ *
+ */
+ @Ignore
+ @Test
+ public void testRegistration() {
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:age", "45");
+ PepResponse response = getPepAgent().decide(subject, Action.newInstance("view"),
+ Resource.newInstance("resource1"));
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ filterHandler.enforce();
+ redactionHandler.enforce();
+ catchAllHandler.enforce();
+ }
+
+ public PepAgent getPepAgent() {
+ return pepAgentFactory.getPepAgent();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestDataTypes.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestDataTypes.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestDataTypes.java
new file mode 100755
index 0000000..40a39da
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestDataTypes.java
@@ -0,0 +1,85 @@
+package org.openliberty.openaz.pepapi.std.test;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.openliberty.openaz.pepapi.*;
+import org.openliberty.openaz.pepapi.std.StdPepAgentFactory;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+
+
+public class TestDataTypes {
+
+ private PepAgentFactory pepAgentFactory;
+
+ @Before
+ public void setup() {
+ /*System.setProperty("xacml.properties" ,
+ getClass().getClassLoader().getResource("properties/testdatatypes.xacml.properties").getPath());*/
+ pepAgentFactory = new StdPepAgentFactory("/properties/testdatatypes.xacml.properties");
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testPepAgent() {
+ Assert.assertNotNull(getPepAgent());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testPermitWithURIResource() {
+ Subject subject = Subject.newInstance("John Smith");
+ Action action = Action.newInstance("view");
+ Resource resource = Resource.newInstance(URI.create("file://repository/classified/abc"));
+ PepResponse response = getPepAgent().decide(subject, action, resource);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testPermitWithIntegerResource() {
+ Subject subject = Subject.newInstance("John Smith");
+ Action action = Action.newInstance("view");
+ Resource resource = Resource.newInstance(101L);
+ PepResponse response = getPepAgent().decide(subject, action, resource);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+
+ /**
+ *
+ */
+ @Test
+ public void testMultiRequestWithURI() {
+ List<Resource> resources = new ArrayList<Resource>();
+ resources.add(Resource.newInstance(URI.create("file://repository/classified/abc")));
+ resources.add(Resource.newInstance(URI.create("file://repository/classified/xyz")));
+
+ Subject subject = Subject.newInstance("John Smith");
+ Action action = Action.newInstance("view");
+
+ List<PepResponse> responses = getPepAgent().bulkDecide(resources, action, subject);
+ Assert.assertNotNull(responses);
+ for(PepResponse response: responses) {
+ Assert.assertEquals(true, response.allowed());
+ }
+ }
+
+ public PepAgent getPepAgent() {
+ return pepAgentFactory.getPepAgent();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestMapper.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestMapper.java
new file mode 100755
index 0000000..0c4c50e
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/TestMapper.java
@@ -0,0 +1,123 @@
+package org.openliberty.openaz.pepapi.std.test;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.openliberty.openaz.pepapi.*;
+import org.openliberty.openaz.pepapi.std.StdPepAgentFactory;
+import org.openliberty.openaz.pepapi.std.test.mapper.BusinessRequestContext;
+import org.openliberty.openaz.pepapi.std.test.mapper.Client;
+import org.openliberty.openaz.pepapi.std.test.mapper.Document;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+public class TestMapper {
+
+ @SuppressWarnings("unused")
+ private static Log logger = LogFactory.getLog(TestMapper.class);
+
+ private PepAgentFactory pepAgentFactory;
+
+ @Before
+ public void setup() {
+ this.pepAgentFactory = new StdPepAgentFactory("/properties/testmapper.xacml.properties");
+ }
+
+ /**
+ *
+ */
+ @Test
+ public void testPepAgent() {
+ Assert.assertNotNull(getPepAgent());
+ }
+
+ /**
+ *
+ */
+ @Test
+ public void testPermit() {
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:role-id", "ROLE_DOCUMENT_WRITER");
+
+ Action action = Action.newInstance("write");
+
+ Document doc = new Document(1, "OnBoarding Document", "ABC Corporation", "John Smith");
+ PepResponse response = getPepAgent().decide(subject, action, doc);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+ /**
+ *
+ */
+ @Test
+ public void testNotApplicable(){
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:role-id", "ROLE_DOCUMENT_WRITER");
+
+ Action action = Action.newInstance("write");
+ Document doc = new Document(2, "OnBoarding Document", "XYZ Corporation", "Jim Doe");
+ PepResponse response = getPepAgent().decide(subject, action, doc);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(false, response.allowed());
+ }
+
+ @Test(expected=PepException.class)
+ public void testMix(){
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:role-id", "ROLE_DOCUMENT_WRITER");
+
+ Action action = Action.newInstance("write");
+
+ Document doc1 = new Document(1, "OnBoarding Document", "ABC Corporation", "John Smith");
+ Document doc2 = new Document(2, "OnBoarding Document", "XYZ Corporation", "Jim Doe");
+ List<Object> resourceList = new ArrayList<Object>();
+ resourceList.add(doc1);
+ resourceList.add(doc2);
+
+ PepResponse response = getPepAgent().decide(subject, action, resourceList);
+ Assert.assertNotNull(response);
+ response.allowed();
+ }
+
+ @Test
+ public void testVarArgsPermit(){
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:role-id", "ROLE_DOCUMENT_READER");
+ BusinessRequestContext bc = new BusinessRequestContext("USA", "05:00 EST");
+
+ Action action = Action.newInstance("read");
+ List<Object> resources = new ArrayList<Object>();
+ resources.add(new Document(1, "OnBoarding Document", "XYZ Corporation", "Jim Doe"));
+ resources.add(new Client("XYZ Corporation", "USA"));
+
+ PepResponse response = getPepAgent().decide(subject, action, resources, bc);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(true, response.allowed());
+ }
+
+ @Test
+ public void testVarArgsDeny(){
+ Subject subject = Subject.newInstance("John Smith");
+ subject.addAttribute("urn:oasis:names:tc:xacml:1.0:subject:role-id", "ROLE_DOCUMENT_READER");
+ BusinessRequestContext bc = new BusinessRequestContext("INDIA", "05:00 IST");
+
+ List<Object> resources = new ArrayList<Object>();
+ resources.add(new Document(2, "OnBoarding Document", "XYZ Corporation", "Jim Doe"));
+ resources.add(new Client("XYZ Corporation", "USA"));
+
+ Action action = Action.newInstance("write");
+
+ PepResponse response = getPepAgent().decide(subject, action, resources, bc);
+ Assert.assertNotNull(response);
+ Assert.assertEquals(false, response.allowed());
+ }
+
+ public PepAgent getPepAgent() {
+ return pepAgentFactory.getPepAgent();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContext.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContext.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContext.java
new file mode 100755
index 0000000..1820428
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContext.java
@@ -0,0 +1,21 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+public class BusinessRequestContext {
+
+ private final String requestCountry;
+
+ private final String requestTime;
+
+ public BusinessRequestContext(String country, String time){
+ this.requestCountry = country;
+ this.requestTime = time;
+ }
+
+ public String getRequestCountry() {
+ return requestCountry;
+ }
+
+ public String getRequestTime() {
+ return requestTime;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContextMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContextMapper.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContextMapper.java
new file mode 100755
index 0000000..3b1c93a
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/BusinessRequestContextMapper.java
@@ -0,0 +1,34 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+import com.att.research.xacml.api.XACML3;
+import org.openliberty.openaz.pepapi.*;
+
+public class BusinessRequestContextMapper implements ObjectMapper {
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return BusinessRequestContext.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ BusinessRequestContext bc = (BusinessRequestContext)o;
+ PepRequestAttributes envAttributes = pepRequest.getPepRequestAttributes(XACML3.ID_ATTRIBUTE_CATEGORY_ENVIRONMENT);
+ envAttributes.addAttribute("jpmc:request-context:country", bc.getRequestCountry());
+ envAttributes.addAttribute("jpmc:request-context:time", bc.getRequestTime());
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Client.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Client.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Client.java
new file mode 100755
index 0000000..9c2ca08
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Client.java
@@ -0,0 +1,20 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+public class Client {
+
+ private final String name;
+
+ private final String countryOfDomicile;
+
+ public Client(String name, String countryOfDomicile){
+ this.name = name;
+ this.countryOfDomicile = countryOfDomicile;
+ }
+
+ public String getName() {
+ return name;
+ }
+ public String getCountryOfDomicile() {
+ return countryOfDomicile;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/ClientMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/ClientMapper.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/ClientMapper.java
new file mode 100755
index 0000000..b482a44
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/ClientMapper.java
@@ -0,0 +1,34 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+import com.att.research.xacml.api.XACML3;
+import org.openliberty.openaz.pepapi.*;
+
+public class ClientMapper implements ObjectMapper {
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return Client.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ Client c = (Client)o;
+ PepRequestAttributes resAttributes = pepRequest.getPepRequestAttributes(XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
+ resAttributes.addAttribute("jpmc:client:name", c.getName());
+ resAttributes.addAttribute("jpmc:client:country-of-domicile", c.getCountryOfDomicile());
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Document.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Document.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Document.java
new file mode 100755
index 0000000..cd36245
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/Document.java
@@ -0,0 +1,32 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+public class Document {
+
+ private final Integer documentId;
+ private final String documentName;
+ private final String clientName;
+ private final String documentOwner;
+
+ public Document(Integer documentId, String documentName, String clientName, String documentOwner){
+ this.documentId = documentId;
+ this.documentName = documentName;
+ this.clientName = clientName;
+ this.documentOwner = documentOwner;
+ }
+
+ public Integer getDocumentId() {
+ return documentId;
+ }
+
+ public String getDocumentName() {
+ return documentName;
+ }
+
+ public String getDocumentOwner() {
+ return documentOwner;
+ }
+
+ public String getClientName() {
+ return clientName;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/DocumentMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/DocumentMapper.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/DocumentMapper.java
new file mode 100755
index 0000000..498d3ee
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/DocumentMapper.java
@@ -0,0 +1,37 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+import com.att.research.xacml.api.XACML3;
+import org.openliberty.openaz.pepapi.*;
+
+public class DocumentMapper implements ObjectMapper {
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return Document.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ Document d = (Document)o;
+ PepRequestAttributes resourceAttributes = pepRequest.getPepRequestAttributes(XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
+ resourceAttributes.addAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-id", d.getDocumentId());
+ resourceAttributes.addAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-type", "Document");
+ resourceAttributes.addAttribute("jpmc:document:document-name", d.getDocumentName());
+ resourceAttributes.addAttribute("jpmc:document:client-name", d.getClientName());
+ resourceAttributes.addAttribute("jpmc:document:document-owner", d.getDocumentOwner());
+ }
+
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecord.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecord.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecord.java
new file mode 100755
index 0000000..6a7b317
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecord.java
@@ -0,0 +1,37 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class MedicalRecord {
+
+ private String id;
+
+ private List<String> accessUserGroup;
+
+ public MedicalRecord(String id){
+ this.id = id;
+ accessUserGroup = new ArrayList<String>();
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public List<String> getAccessUserGroup() {
+ return accessUserGroup;
+ }
+
+ public void setAccessUserGroup(List<String> accessUserGroup) {
+ this.accessUserGroup = accessUserGroup;
+ }
+
+ public void addUserToAccessGroup(String user) {
+ this.accessUserGroup.add(user);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecordMapper.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecordMapper.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecordMapper.java
new file mode 100755
index 0000000..9882d30
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/mapper/MedicalRecordMapper.java
@@ -0,0 +1,36 @@
+package org.openliberty.openaz.pepapi.std.test.mapper;
+
+import com.att.research.xacml.api.XACML3;
+import org.openliberty.openaz.pepapi.*;
+
+public class MedicalRecordMapper implements ObjectMapper {
+
+ private MapperRegistry mapperRegistry;
+
+ private PepConfig pepConfig;
+
+ @Override
+ public Class<?> getMappedClass() {
+ return MedicalRecord.class;
+ }
+
+ @Override
+ public void map(Object o, PepRequest pepRequest) {
+ MedicalRecord md = (MedicalRecord) o;
+ PepRequestAttributes resourceAttributes = pepRequest.getPepRequestAttributes(XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
+ resourceAttributes.addAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-type", "PatientMedicalRecord");
+ resourceAttributes.addAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-id", md.getId());
+ for(String accessUser: md.getAccessUserGroup()) {
+ resourceAttributes.addAttribute("urn:oasis:names:tc:xacml:1.0:resource:resource-access-group", accessUser);
+ }
+ }
+ @Override
+ public void setMapperRegistry(MapperRegistry mapperRegistry) {
+ this.mapperRegistry = mapperRegistry;
+ }
+
+ @Override
+ public void setPepConfig(PepConfig pepConfig) {
+ this.pepConfig = pepConfig;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AccessRestrictionObligationHandler.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AccessRestrictionObligationHandler.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AccessRestrictionObligationHandler.java
new file mode 100755
index 0000000..2fd5b9a
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AccessRestrictionObligationHandler.java
@@ -0,0 +1,56 @@
+package org.openliberty.openaz.pepapi.std.test.obligation;
+
+import junit.framework.Assert;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.Obligation;
+import org.openliberty.openaz.pepapi.ObligationHandler;
+import org.openliberty.openaz.pepapi.ObligationStore;
+
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+
+public class AccessRestrictionObligationHandler implements ObligationHandler {
+
+ private static Log log = LogFactory.getLog(AccessRestrictionObligationHandler.class);
+
+ private ObligationStore obligationStore;
+
+ public void enforce() {
+ Set<Obligation> accessOblgSet = obligationStore.getHandlerObligations(this.getClass());
+ Assert.assertEquals(true, accessOblgSet.size() == 1);
+ for(Obligation oblg: accessOblgSet) {
+ Map<String, Object[]> attributeMap = oblg.getAttributeMap();
+ Assert.assertNotNull(attributeMap);
+ for(Entry<String, Object[]> e: attributeMap.entrySet()){
+ if(e.getKey().equals("urn:oasis:names:tc:xacml:1.0:subject:subject-id")){
+ Assert.assertNotNull(e.getValue());
+ }
+ if(e.getKey().equals("urn:oasis:names:tc:xacml:1.0:resource:resource-access-group")){
+ Object[] values = e.getValue();
+ Assert.assertNotNull(values);
+ Assert.assertEquals(3, values.length);
+ }
+ }
+ }
+ Obligation accessGroupOblg = obligationStore.getHandlerObligationById(
+ this.getClass(),
+ "urn:oasis:names:tc:xacml:2.0:obligation:access-restriction");
+ Assert.assertNotNull(accessGroupOblg);
+ log.info(accessGroupOblg.getId());
+ }
+
+ @Override
+ public boolean match(Obligation obligation) {
+ return obligation.getId().
+ equals("urn:oasis:names:tc:xacml:2.0:obligation:access-restriction");
+ }
+
+ @Override
+ public void setObligationStore(ObligationStore oStore) {
+ this.obligationStore = oStore;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AgeRestrictionObligationHandler.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AgeRestrictionObligationHandler.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AgeRestrictionObligationHandler.java
new file mode 100755
index 0000000..6239412
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AgeRestrictionObligationHandler.java
@@ -0,0 +1,52 @@
+package org.openliberty.openaz.pepapi.std.test.obligation;
+
+import junit.framework.Assert;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.Obligation;
+import org.openliberty.openaz.pepapi.ObligationHandler;
+import org.openliberty.openaz.pepapi.ObligationStore;
+import org.openliberty.openaz.pepapi.std.test.util.HasResult;
+
+import java.util.Map;
+import java.util.Set;
+
+public class AgeRestrictionObligationHandler implements ObligationHandler, HasResult {
+
+ private static Log log = LogFactory.getLog(AgeRestrictionObligationHandler.class);
+
+ private ObligationStore obligationStore;
+
+ public String enforce() {
+ Set<Obligation> ageOblgSet = obligationStore.getHandlerObligations(this.getClass());
+ Assert.assertEquals(true, ageOblgSet.size() == 1);
+ Obligation ageOblg = obligationStore.getHandlerObligationById(this.getClass(),
+ "urn:oasis:names:tc:xacml:2.0:obligation:age-restriction");
+ Assert.assertNotNull(ageOblg);
+ String value = null;
+ log.info(ageOblg.getId());
+ //Enforcement Logic
+ Map<String, Object[]> attributeMap = ageOblg.getAttributeMap();
+ Object[] values = attributeMap.get("urn:oasis:names:tc:xacml:1.0:subject:age");
+ if(values != null) {
+ value = (String)values[0];
+ }
+ return value;
+ }
+
+ @Override
+ public boolean match(Obligation obligation) {
+ return obligation.getId().
+ equals("urn:oasis:names:tc:xacml:2.0:obligation:age-restriction");
+ }
+
+ @Override
+ public void setObligationStore(ObligationStore obligationStore) {
+ this.obligationStore = obligationStore;
+ }
+
+ @Override
+ public String getResult() {
+ return enforce();
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAccessRestrictionObligationHandler.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAccessRestrictionObligationHandler.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAccessRestrictionObligationHandler.java
new file mode 100755
index 0000000..d717acb
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAccessRestrictionObligationHandler.java
@@ -0,0 +1,44 @@
+package org.openliberty.openaz.pepapi.std.test.obligation;
+
+import junit.framework.Assert;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.Obligation;
+import org.openliberty.openaz.pepapi.ObligationStore;
+import org.openliberty.openaz.pepapi.ObligationStoreAware;
+import org.openliberty.openaz.pepapi.MatchAnyObligation;
+
+import java.util.Map.Entry;
+
+@MatchAnyObligation("urn:oasis:names:tc:xacml:2.0:obligation:access-restriction")
+public class AnnotatedAccessRestrictionObligationHandler implements ObligationStoreAware {
+
+ private static Log log = LogFactory.getLog(AnnotatedAccessRestrictionObligationHandler.class);
+
+ private ObligationStore obligationStore;
+
+ public void enforce() {
+ Obligation accessGroupOblg = obligationStore.getHandlerObligationById(
+ this.getClass(),
+ "urn:oasis:names:tc:xacml:2.0:obligation:access-restriction");
+ Assert.assertEquals("urn:oasis:names:tc:xacml:2.0:obligation:access-restriction",
+ accessGroupOblg.getId());
+ log.info(accessGroupOblg.getId());
+ for(Entry<String, Object[]> e: accessGroupOblg.getAttributeMap().entrySet()){
+ if(e.getKey().equals("urn:oasis:names:tc:xacml:1.0:subject:subject-id")){
+ Assert.assertNotNull(e.getValue());
+ }
+ if(e.getKey().equals("urn:oasis:names:tc:xacml:1.0:resource:resource-access-group")){
+ Object[] values = e.getValue();
+ Assert.assertNotNull(values);
+ Assert.assertEquals(3, values.length);
+ }
+ }
+ //Enforcement Logic
+ }
+
+ @Override
+ public void setObligationStore(ObligationStore obligationStore) {
+ this.obligationStore = obligationStore;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAgeRestrictionObligationHandler.java
----------------------------------------------------------------------
diff --git a/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAgeRestrictionObligationHandler.java b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAgeRestrictionObligationHandler.java
new file mode 100755
index 0000000..9a10cfc
--- /dev/null
+++ b/openaz-pep/src/test/java/org/openliberty/openaz/pepapi/std/test/obligation/AnnotatedAgeRestrictionObligationHandler.java
@@ -0,0 +1,46 @@
+package org.openliberty.openaz.pepapi.std.test.obligation;
+
+import junit.framework.Assert;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.openliberty.openaz.pepapi.Obligation;
+import org.openliberty.openaz.pepapi.ObligationStore;
+import org.openliberty.openaz.pepapi.ObligationStoreAware;
+import org.openliberty.openaz.pepapi.MatchAnyObligation;
+import org.openliberty.openaz.pepapi.std.test.util.HasResult;
+
+import java.util.Map;
+
+@MatchAnyObligation("urn:oasis:names:tc:xacml:2.0:obligation:age-restriction")
+public class AnnotatedAgeRestrictionObligationHandler implements ObligationStoreAware, HasResult {
+
+ private static Log log = LogFactory.getLog(AnnotatedAgeRestrictionObligationHandler.class);
+
+ private ObligationStore obligationStore;
+
+ public String enforce() {
+ Obligation ageOblg = obligationStore.getHandlerObligationById(
+ this.getClass(),
+ "urn:oasis:names:tc:xacml:2.0:obligation:age-restriction");
+ String value = null;
+ Assert.assertEquals("urn:oasis:names:tc:xacml:2.0:obligation:age-restriction", ageOblg.getId());
+ log.info(ageOblg.getId());
+ //Enforcement Logic
+ Map<String, Object[]> attributeMap = ageOblg.getAttributeMap();
+ Object[] values = attributeMap.get("urn:oasis:names:tc:xacml:1.0:subject:age");
+ if(values != null) {
+ value = (String)values[0];
+ }
+ return value;
+ }
+
+ @Override
+ public void setObligationStore(ObligationStore obligationStore) {
+ this.obligationStore = obligationStore;
+ }
+
+ @Override
+ public String getResult() {
+ return enforce();
+ }
+}
\ No newline at end of file