Пример #1
0
  public static void main(String... args) {
    try {
      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      documentBuilderFactory.setNamespaceAware(true);
      DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();

      for (String fileName : args) {
        File filePolicy = new File(fileName);
        if (filePolicy.exists() && filePolicy.canRead()) {
          try {
            Document documentPolicy = documentBuilder.parse(filePolicy);
            if (documentPolicy.getFirstChild() == null) {
              System.err.println(fileName + ": Error: No PolicySet found");
            } else if (!XACML3.ELEMENT_POLICYSET.equals(
                documentPolicy.getFirstChild().getLocalName()))
              System.err.println(fileName + ": Error: Not a PolicySet document");
            else {
              PolicySet policySet =
                  DOMPolicySet.newInstance(documentPolicy.getFirstChild(), null, null);
              System.out.println(fileName + ": validate()=" + policySet.validate());
              System.out.println(StringUtils.prettyPrint(policySet.toString()));
            }
          } catch (Exception ex) {
            System.err.println("Exception processing policy set file \"" + fileName + "\"");
            ex.printStackTrace(System.err);
          }
        } else {
          System.err.println("Cannot read policy set file \"" + fileName + "\"");
        }
      }
    } catch (Exception ex) {
      ex.printStackTrace(System.err);
      System.exit(1);
    }
    System.exit(0);
  }
Пример #2
0
  /**
   * Creates a new <code>PolicySet</code> by parsing the given <code>Node</code> representing a
   * XACML PolicySet element.
   *
   * @param nodePolicySet the <code>Node</code> representing the XACML PolicySetelement
   * @param policyDefaultsParent the {@link com.att.research.xacmlatt.pdp.policy.PolicyDefaults}
   *     from the parent element
   * @return a new <code>PolicySet</code> parsed from the given <code>Node</code>
   * @throws DOMStructureException if there is an error parsing the <code>Node</code>
   */
  public static PolicySet newInstance(
      Node nodePolicySet, PolicySet policySetParent, PolicyDefaults policyDefaultsParent)
      throws DOMStructureException {
    Element elementPolicySet = DOMUtil.getElement(nodePolicySet);
    boolean bLenient = DOMProperties.isLenient();

    PolicySet domPolicySet = new PolicySet(policySetParent);

    Iterator<?> iterator;
    Identifier identifier;
    Integer integer;

    try {
      NodeList children = elementPolicySet.getChildNodes();
      int numChildren;
      if (children != null && (numChildren = children.getLength()) > 0) {
        /*
         * Run through once, quickly, to set the PolicyDefaults for the new DOMPolicySet
         */
        for (int i = 0; i < numChildren; i++) {
          Node child = children.item(i);
          if (DOMUtil.isNamespaceElement(child, XACML3.XMLNS)
              && XACML3.ELEMENT_POLICYDEFAULTS.equals(child.getLocalName())) {
            if (domPolicySet.getPolicyDefaults() != null && !bLenient) {
              throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
            }
            domPolicySet.setPolicyDefaults(
                DOMPolicyDefaults.newInstance(child, policyDefaultsParent));
          }
        }
        if (domPolicySet.getPolicyDefaults() == null) {
          domPolicySet.setPolicyDefaults(policyDefaultsParent);
        }

        /*
         * Now process the other elements so we can pull up the parent policy defaults
         */
        for (int i = 0; i < numChildren; i++) {
          Node child = children.item(i);
          if (DOMUtil.isElement(child)) {
            if (DOMUtil.isInNamespace(child, XACML3.XMLNS)) {
              String childName = child.getLocalName();
              if (XACML3.ELEMENT_DESCRIPTION.equals(childName)) {
                if (domPolicySet.getDescription() != null && !bLenient) {
                  throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
                }
                domPolicySet.setDescription(child.getTextContent());
              } else if (XACML3.ELEMENT_POLICYISSUER.equals(childName)) {
                if (domPolicySet.getPolicyIssuer() != null && !bLenient) {
                  throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
                }
                domPolicySet.setPolicyIssuer(DOMPolicyIssuer.newInstance(child));
              } else if (XACML3.ELEMENT_POLICYSETDEFAULTS.equals(childName)) {
              } else if (XACML3.ELEMENT_TARGET.equals(childName)) {
                if (domPolicySet.getTarget() != null && !bLenient) {
                  throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
                }
                domPolicySet.setTarget(DOMTarget.newInstance(child));
              } else if (XACML3.ELEMENT_POLICYSET.equals(childName)) {
                domPolicySet.addChild(
                    DOMPolicySet.newInstance(
                        child, domPolicySet, domPolicySet.getPolicyDefaults()));
              } else if (XACML3.ELEMENT_POLICY.equals(childName)) {
                domPolicySet.addChild(
                    DOMPolicy.newInstance(child, domPolicySet, domPolicySet.getPolicyDefaults()));
              } else if (XACML3.ELEMENT_POLICYIDREFERENCE.equals(childName)) {
                domPolicySet.addChild(DOMPolicyIdReference.newInstance(child, domPolicySet));
              } else if (XACML3.ELEMENT_POLICYSETIDREFERENCE.equals(childName)) {
                domPolicySet.addChild(DOMPolicySetIdReference.newInstance(child, domPolicySet));
              } else if (XACML3.ELEMENT_COMBINERPARAMETERS.equals(childName)) {
                domPolicySet.addCombinerParameters(DOMCombinerParameter.newList(child));
              } else if (XACML3.ELEMENT_POLICYCOMBINERPARAMETERS.equals(childName)) {
                domPolicySet.addPolicyCombinerParameter(
                    DOMPolicyCombinerParameter.newInstance(child));
              } else if (XACML3.ELEMENT_POLICYSETCOMBINERPARAMETERS.equals(childName)) {
                domPolicySet.addPolicyCombinerParameter(
                    DOMPolicySetCombinerParameter.newInstance(child));
              } else if (XACML3.ELEMENT_OBLIGATIONEXPRESSIONS.equals(childName)) {
                if ((iterator = domPolicySet.getObligationExpressions()) != null
                    && iterator.hasNext()
                    && !bLenient) {
                  throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
                }
                domPolicySet.setObligationExpressions(DOMObligationExpression.newList(child, null));
              } else if (XACML3.ELEMENT_ADVICEEXPRESSIONS.equals(childName)) {
                if ((iterator = domPolicySet.getAdviceExpressions()) != null
                    && iterator.hasNext()
                    && !bLenient) {
                  throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
                }
                domPolicySet.setAdviceExpressions(DOMAdviceExpression.newList(child, null));
              } else if (!bLenient) {
                throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
              }
            } else if (!bLenient) {
              throw DOMUtil.newUnexpectedElementException(child, nodePolicySet);
            }
          }
        }
      }
      if (domPolicySet.getTarget() == null && !bLenient) {
        throw DOMUtil.newMissingElementException(
            nodePolicySet, XACML3.XMLNS, XACML3.ELEMENT_TARGET);
      }

      /*
       * Get the attributes
       */
      domPolicySet.setIdentifier(
          DOMUtil.getIdentifierAttribute(
              elementPolicySet, XACML3.ATTRIBUTE_POLICYSETID, !bLenient));
      domPolicySet.setVersion(
          DOMUtil.getVersionAttribute(elementPolicySet, XACML3.ATTRIBUTE_VERSION, !bLenient));

      identifier =
          DOMUtil.getIdentifierAttribute(
              elementPolicySet, XACML3.ATTRIBUTE_POLICYCOMBININGALGID, !bLenient);
      CombiningAlgorithm<PolicySetChild> combiningAlgorithm = null;
      try {
        combiningAlgorithm =
            CombiningAlgorithmFactory.newInstance().getPolicyCombiningAlgorithm(identifier);
      } catch (FactoryException ex) {
        if (!bLenient) {
          throw new DOMStructureException("Failed to get CombinginAlgorithm", ex);
        }
      }
      if (combiningAlgorithm == null && !bLenient) {
        throw new DOMStructureException(
            elementPolicySet,
            "Unknown policy combining algorithm \""
                + identifier
                + "\" in \""
                + DOMUtil.getNodeLabel(nodePolicySet));
      } else {
        domPolicySet.setPolicyCombiningAlgorithm(combiningAlgorithm);
      }

      if ((integer =
              DOMUtil.getIntegerAttribute(elementPolicySet, XACML3.ATTRIBUTE_MAXDELEGATIONDEPTH))
          != null) {
        domPolicySet.setMaxDelegationDepth(integer);
      }
    } catch (DOMStructureException ex) {
      domPolicySet.setStatus(StdStatusCode.STATUS_CODE_SYNTAX_ERROR, ex.getMessage());
      if (DOMProperties.throwsExceptions()) {
        throw ex;
      }
    }

    return domPolicySet;
  }
Пример #3
0
  public static boolean repair(Node nodePolicySet) throws DOMStructureException {
    Element elementPolicySet = DOMUtil.getElement(nodePolicySet);
    boolean result = false;

    NodeList children = elementPolicySet.getChildNodes();
    int numChildren;
    boolean sawDescription = false;
    boolean sawPolicyIssuer = false;
    boolean sawPolicyDefaults = false;
    boolean sawTarget = false;
    boolean sawObligationExprs = false;
    boolean sawAdviceExprs = false;

    if (children != null && (numChildren = children.getLength()) > 0) {
      /*
       * Now process the other elements so we can pull up the parent policy defaults
       */
      for (int i = 0; i < numChildren; i++) {
        Node child = children.item(i);
        if (DOMUtil.isElement(child)) {
          if (DOMUtil.isInNamespace(child, XACML3.XMLNS)) {
            String childName = child.getLocalName();
            if (XACML3.ELEMENT_DESCRIPTION.equals(childName)) {
              if (sawDescription) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawDescription = true;
              }
            } else if (XACML3.ELEMENT_POLICYISSUER.equals(childName)) {
              if (sawPolicyIssuer) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawPolicyIssuer = true;
                result = DOMPolicyIssuer.repair(child) || result;
              }
            } else if (XACML3.ELEMENT_POLICYSETDEFAULTS.equals(childName)) {
              if (sawPolicyDefaults) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawPolicyDefaults = true;
                result = DOMPolicyDefaults.repair(child) || result;
              }
            } else if (XACML3.ELEMENT_TARGET.equals(childName)) {
              if (sawTarget) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawTarget = true;
                result = DOMTarget.repair(child) || result;
              }
            } else if (XACML3.ELEMENT_POLICYSET.equals(childName)) {
              result = DOMPolicySet.repair(child) || result;
            } else if (XACML3.ELEMENT_POLICY.equals(childName)) {
              result = DOMPolicy.repair(child) || result;
            } else if (XACML3.ELEMENT_POLICYIDREFERENCE.equals(childName)) {
              result = DOMPolicyIdReference.repair(child) || result;
            } else if (XACML3.ELEMENT_POLICYSETIDREFERENCE.equals(childName)) {
              result = DOMPolicySetIdReference.repair(child) || result;
            } else if (XACML3.ELEMENT_COMBINERPARAMETERS.equals(childName)) {
              result = DOMCombinerParameter.repair(child) || result;
            } else if (XACML3.ELEMENT_POLICYCOMBINERPARAMETERS.equals(childName)) {
              result = DOMPolicyCombinerParameter.repair(child) || result;
            } else if (XACML3.ELEMENT_POLICYSETCOMBINERPARAMETERS.equals(childName)) {
              result = DOMPolicySetCombinerParameter.repair(child) || result;
            } else if (XACML3.ELEMENT_OBLIGATIONEXPRESSIONS.equals(childName)) {
              if (sawObligationExprs) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawObligationExprs = true;
                result = DOMObligationExpression.repairList(child) || result;
              }
            } else if (XACML3.ELEMENT_ADVICEEXPRESSIONS.equals(childName)) {
              if (sawAdviceExprs) {
                logger.warn("Unexpected element " + child.getNodeName());
                elementPolicySet.removeChild(child);
                result = true;
              } else {
                sawAdviceExprs = true;
                result = DOMAdviceExpression.repairList(child) || result;
              }
            } else {
              logger.warn("Unexpected element " + child.getNodeName());
              elementPolicySet.removeChild(child);
              result = true;
            }
          } else {
            logger.warn("Unexpected element " + child.getNodeName());
            elementPolicySet.removeChild(child);
            result = true;
          }
        }
      }
    }
    if (!sawTarget) {
      throw DOMUtil.newMissingElementException(nodePolicySet, XACML3.XMLNS, XACML3.ELEMENT_TARGET);
    }

    /*
     * Get the attributes
     */
    result =
        DOMUtil.repairIdentifierAttribute(elementPolicySet, XACML3.ATTRIBUTE_POLICYSETID, logger)
            || result;
    result =
        DOMUtil.repairVersionAttribute(elementPolicySet, XACML3.ATTRIBUTE_VERSION, logger)
            || result;
    result =
        DOMUtil.repairIdentifierAttribute(
                elementPolicySet,
                XACML3.ATTRIBUTE_POLICYCOMBININGALGID,
                XACML3.ID_POLICY_DENY_OVERRIDES,
                logger)
            || result;

    Identifier identifier =
        DOMUtil.getIdentifierAttribute(elementPolicySet, XACML3.ATTRIBUTE_POLICYCOMBININGALGID);
    CombiningAlgorithm<PolicySetChild> combiningAlgorithm = null;
    try {
      combiningAlgorithm =
          CombiningAlgorithmFactory.newInstance().getPolicyCombiningAlgorithm(identifier);
    } catch (FactoryException ex) {
      combiningAlgorithm = null;
    }
    if (combiningAlgorithm == null) {
      logger.warn(
          "Setting invalid "
              + XACML3.ATTRIBUTE_POLICYCOMBININGALGID
              + " attribute "
              + identifier.stringValue()
              + " to "
              + XACML3.ID_POLICY_DENY_OVERRIDES.stringValue());
      elementPolicySet.setAttribute(
          XACML3.ATTRIBUTE_POLICYCOMBININGALGID, XACML3.ID_POLICY_DENY_OVERRIDES.stringValue());
      result = true;
    }

    return result;
  }