/**
* Validates the given policy XML files against the standard XACML policies.
*
* @param policy Policy to validate
* @return return false, If validation failed or XML parsing failed or any IOException occurs
*/
public static boolean validatePolicy(PolicyDTO policy) {
try {
if (!"true"
.equalsIgnoreCase(
(String)
EntitlementServiceComponent.getEntitlementConfig()
.getEngineProperties()
.get(EntitlementExtensionBuilder.PDP_SCHEMA_VALIDATION))) {
return true;
}
// there may be cases where you only updated the policy meta data in PolicyDTO not the
// actual XACML policy String
if (policy.getPolicy() == null || policy.getPolicy().trim().length() < 1) {
return true;
}
// get policy version
String policyXMLNS = getPolicyVersion(policy.getPolicy());
Map<String, Schema> schemaMap =
EntitlementServiceComponent.getEntitlementConfig().getPolicySchemaMap();
// load correct schema by version
Schema schema = schemaMap.get(policyXMLNS);
if (schema != null) {
// build XML document
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
InputStream stream = new ByteArrayInputStream(policy.getPolicy().getBytes());
Document doc = documentBuilder.parse(stream);
// Do the DOM validation
DOMSource domSource = new DOMSource(doc);
DOMResult domResult = new DOMResult();
Validator validator = schema.newValidator();
validator.validate(domSource, domResult);
if (log.isDebugEnabled()) {
log.debug("XACML Policy validation succeeded with the Schema");
}
return true;
} else {
log.error("Invalid Namespace in policy");
}
} catch (SAXException e) {
log.error("XACML policy is not valid according to the schema :" + e.getMessage());
} catch (IOException e) {
// ignore
} catch (ParserConfigurationException e) {
// ignore
}
return false;
}
/**
* This method persists a new XACML policy, which was read from filesystem, in the registry
*
* @param policyDTO PolicyDTO object
* @param registry Registry
* @param promote where policy must be promote PDP or not
* @return returns whether True/False
* @throws org.wso2.carbon.identity.entitlement.EntitlementException throws if policy with same id
* is exist
*/
public static boolean addFilesystemPolicy(PolicyDTO policyDTO, Registry registry, boolean promote)
throws EntitlementException {
PAPPolicyStoreManager policyAdmin;
AbstractPolicy policyObj;
if (policyDTO.getPolicy() != null) {
policyDTO.setPolicy(policyDTO.getPolicy().replaceAll(">\\s+<", "><"));
}
policyObj = getPolicy(policyDTO.getPolicy());
if (policyObj != null) {
PAPPolicyStore policyStore = new PAPPolicyStore(registry);
policyAdmin = new PAPPolicyStoreManager();
policyDTO.setPolicyId(policyObj.getId().toASCIIString());
policyDTO.setActive(true);
if (isPolicyExists(policyDTO.getPolicyId(), registry)) {
throw new EntitlementException("An Entitlement Policy with the given ID already exists");
}
policyDTO.setPromote(true);
policyAdmin.addOrUpdatePolicy(policyDTO);
PAPPolicyStoreReader reader = new PAPPolicyStoreReader(policyStore);
policyDTO = reader.readPolicyDTO(policyDTO.getPolicyId());
PolicyStoreDTO policyStoreDTO = new PolicyStoreDTO();
policyStoreDTO.setPolicyId(policyDTO.getPolicyId());
policyStoreDTO.setPolicy(policyDTO.getPolicy());
policyStoreDTO.setPolicyOrder(policyDTO.getPolicyOrder());
policyStoreDTO.setAttributeDTOs(policyDTO.getAttributeDTOs());
if (promote) {
addPolicyToPDP(policyStoreDTO);
}
policyAdmin.addOrUpdatePolicy(policyDTO);
return true;
} else {
throw new EntitlementException("Invalid Entitlement Policy");
}
}