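  /**
   * Validates the given policy XML against the XACML schema registered for its namespace.
   *
   * <p>Validation is skipped (returning {@code true}) when schema validation is disabled in the
   * engine properties, or when the DTO carries no policy text at all (metadata-only updates).
   *
   * @param policy Policy to validate
   * @return {@code false} if the policy namespace has no registered schema, if the document is
   *     not valid according to that schema, or if XML parsing fails; {@code true} otherwise
   */
  public static boolean validatePolicy(PolicyDTO policy) {
    try {
      Object validationFlag =
          EntitlementServiceComponent.getEntitlementConfig()
              .getEngineProperties()
              .get(EntitlementExtensionBuilder.PDP_SCHEMA_VALIDATION);
      if (!"true".equalsIgnoreCase((String) validationFlag)) {
        return true;
      }

      String policyXml = policy.getPolicy();
      // there may be cases where only the policy meta data in PolicyDTO was updated, not the
      // actual XACML policy String
      if (policyXml == null || policyXml.trim().isEmpty()) {
        return true;
      }

      // the policy namespace selects which schema version applies
      String policyXMLNS = getPolicyVersion(policyXml);
      Map<String, Schema> schemaMap =
          EntitlementServiceComponent.getEntitlementConfig().getPolicySchemaMap();
      Schema schema = schemaMap.get(policyXMLNS);
      if (schema == null) {
        log.error("Invalid Namespace in policy");
        return false;
      }

      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      documentBuilderFactory.setNamespaceAware(true);
      // The policy text is supplied by the caller and may not originate from the server itself:
      // refuse DTDs and entity expansion so the parser cannot be driven to fetch external
      // entities or inflate entity references while validating.
      documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      documentBuilderFactory.setFeature(
          "http://apache.org/xml/features/disallow-doctype-decl", true);
      documentBuilderFactory.setXIncludeAware(false);
      documentBuilderFactory.setExpandEntityReferences(false);
      DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();

      Document doc;
      // explicit charset: getBytes() with no argument would use the platform default encoding
      try (InputStream stream =
          new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8))) {
        doc = documentBuilder.parse(stream);
      }

      // Do the DOM validation; a schema violation surfaces as SAXException
      Validator validator = schema.newValidator();
      validator.validate(new DOMSource(doc), new DOMResult());
      if (log.isDebugEnabled()) {
        log.debug("XACML Policy validation succeeded with the Schema");
      }
      return true;
    } catch (SAXException e) {
      log.error("XACML policy is not valid according to the schema :" + e.getMessage());
    } catch (IOException e) {
      // previously swallowed silently; the caller only sees "false", so record why
      log.error("I/O error while reading XACML policy for schema validation", e);
    } catch (ParserConfigurationException e) {
      // also raised when the parser does not support one of the hardening features above
      log.error("XML parser could not be configured for XACML policy validation", e);
    }
    return false;
  }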
  /**
   * Persists a new XACML policy that was read from the filesystem into the registry.
   *
   * @param policyDTO PolicyDTO object
   * @param registry Registry
   * @param promote whether the policy must also be published to the PDP
   * @return {@code true} once the policy has been stored
   * @throws org.wso2.carbon.identity.entitlement.EntitlementException if the policy text cannot
   *     be parsed, or if a policy with the same id already exists
   */
  public static boolean addFilesystemPolicy(PolicyDTO policyDTO, Registry registry, boolean promote)
      throws EntitlementException {

    String rawPolicy = policyDTO.getPolicy();
    if (rawPolicy != null) {
      // collapse inter-element whitespace before the policy is parsed and stored
      policyDTO.setPolicy(rawPolicy.replaceAll(">\\s+<", "><"));
    }

    AbstractPolicy parsedPolicy = getPolicy(policyDTO.getPolicy());
    if (parsedPolicy == null) {
      throw new EntitlementException("Invalid Entitlement Policy");
    }

    PAPPolicyStore policyStore = new PAPPolicyStore(registry);
    PAPPolicyStoreManager storeManager = new PAPPolicyStoreManager();
    String policyId = parsedPolicy.getId().toASCIIString();
    policyDTO.setPolicyId(policyId);
    policyDTO.setActive(true);

    if (isPolicyExists(policyId, registry)) {
      throw new EntitlementException("An Entitlement Policy with the given ID already exists");
    }

    // NOTE(review): the DTO's promote flag is always set here; only the PDP publish step below
    // honours the promote parameter — confirm this is intended.
    policyDTO.setPromote(true);
    storeManager.addOrUpdatePolicy(policyDTO);

    // re-read the DTO from the PAP store so the PDP copy reflects what was actually persisted
    PAPPolicyStoreReader reader = new PAPPolicyStoreReader(policyStore);
    PolicyDTO storedDTO = reader.readPolicyDTO(policyId);

    PolicyStoreDTO pdpPolicy = new PolicyStoreDTO();
    pdpPolicy.setPolicyId(storedDTO.getPolicyId());
    pdpPolicy.setPolicy(storedDTO.getPolicy());
    pdpPolicy.setPolicyOrder(storedDTO.getPolicyOrder());
    pdpPolicy.setAttributeDTOs(storedDTO.getAttributeDTOs());

    if (promote) {
      addPolicyToPDP(pdpPolicy);
    }

    storeManager.addOrUpdatePolicy(storedDTO);
    return true;
  }