Merge branch 'xacml4j-23' into 1.3.x

Backported fix for #23 into 1.3.x branch

README.md

@@ -5,3 +5,5 @@ Implementation of [OASIS eXtensible Access Control Markup Language (XACML)](http
 v2.0 and v3.0 specifications in Java programming language
 
 Continuous Integration status on Travis CI: [![Build Status](https://travis-ci.org/xacml4j/xacml4j.svg?branch=master)](https://travis-ci.org/xacml4j/xacml4j)
+
+[![Analytics](https://ga-beacon.appspot.com/UA-56218949-2/xacml4j/readme?pixel)](https://github.com/igrigorik/ga-beacon)

xacml-conformance-tests/pom.xml

@@ -10,7 +10,7 @@
  <name>Xacml4J Conformance Tests</name>
 
  <properties>
- <license.excludes>**/oasis-xacml20-compat-test/*,**/rsa2008-interop/XacmlPolicySet*</license.excludes>
+ <license.excludes>**/oasis-xacml20-compat-test/*,**/rsa2008-interop/XacmlPolicySet*,**/Example_*/*</license.excludes>
  </properties>
 
  <dependencies>

xacml-conformance-tests/src/test/java/org/xacml4j/v20/XacmlExampleTest.java

@@ -0,0 +1,92 @@
+package org.xacml4j.v20;
+
+/*
+ * #%L
+ * Xacml4J Conformance Tests
+ * %%
+ * Copyright (C) 2009 - 2014 Xacml4J.org
+ * %%
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Lesser Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Lesser Public
+ * License along with this program. If not, see
+ * <http:https://www.gnu.org/licenses/lgpl-3.0.html>.
+ * #L%
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Test;
+import org.xacml4j.v30.CompositeDecisionRule;
+import org.xacml4j.v30.XacmlPolicyTestSupport;
+import org.xacml4j.v30.pdp.PolicyDecisionPoint;
+import org.xacml4j.v30.pdp.PolicyDecisionPointBuilder;
+import org.xacml4j.v30.spi.combine.DecisionCombiningAlgorithmProviderBuilder;
+import org.xacml4j.v30.spi.function.FunctionProviderBuilder;
+import org.xacml4j.v30.spi.pip.PolicyInformationPointBuilder;
+import org.xacml4j.v30.spi.repository.InMemoryPolicyRepository;
+import org.xacml4j.v30.spi.repository.PolicyRepository;
+
+public class XacmlExampleTest extends XacmlPolicyTestSupport
+{
+ @Test
+ public void testXacmlExample1() throws Exception {
+ PolicyDecisionPoint pdp = buildPDP("Example_1/Rule_1.xml");
+ verifyXacml20Response(
+ pdp,
+ "Example_1/Request.xml",
+ "Example_1/Response.xml");
+ }
+
+ @Test
+ public void testXacmlExample2() throws Exception {
+ PolicyDecisionPoint pdp = buildPDP("Example_2/Policy_set.xml",
+ "Example_2/Rule_1.xml",
+ "Example_2/Rule_2.xml",
+ "Example_2/Rule_3.xml",
+ "Example_2/Rule_4.xml");
+ verifyXacml20Response(
+ pdp,
+ "Example_2/Request.xml",
+ "Example_2/Response.xml");
+ }
+
+ private PolicyDecisionPoint buildPDP(String ...policyResources) throws Exception
+ {
+ PolicyRepository repository = new InMemoryPolicyRepository(
+ "tes-repository",
+ FunctionProviderBuilder.builder()
+ .defaultFunctions()
+ .build(),
+ DecisionCombiningAlgorithmProviderBuilder.builder()
+ .withDefaultAlgorithms()
+ .create());
+
+ List<CompositeDecisionRule> policies = new ArrayList<CompositeDecisionRule>(policyResources.length);
+ for (String policyResource : policyResources) {
+ CompositeDecisionRule policy = repository.importPolicy(Xacml20TestUtility.getClasspathResource(policyResource));
+ log.info("Policy: {}", policy);
+ policies.add(policy);
+ }
+
+ return PolicyDecisionPointBuilder
+ .builder("testPdp")
+ .policyRepository(repository)
+ .pip(
+ PolicyInformationPointBuilder
+ .builder("testPip")
+ .defaultResolvers()
+ .build())
+ .rootPolicy(policies.get(0))
+ .build();
+ }
+}

xacml-conformance-tests/src/test/resources/Example_1/Request.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Subject>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
+ <AttributeValue>
+ [email protected]
+ </AttributeValue>
+ </Attribute>
+ </Subject>
+ <Resource>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http:https://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>file:https://med/example/record/patient/BartSimpson</AttributeValue>
+ </Attribute>
+ </Resource>
+ <Action>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http:https://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>
+ read
+ </AttributeValue>
+ </Attribute>
+ </Action>
+ <Environment/>
+</Request>

xacml-conformance-tests/src/test/resources/Example_1/Response.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Result>
+ <Decision>NotApplicable</Decision>
+ <Status>
+ <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
+ </Status>
+ </Result>
+</Response>

xacml-conformance-tests/src/test/resources/Example_1/Rule_1.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd" PolicyId="urn:oasis:names:tc:example:SimplePolicy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Med Example Corp access control policy
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1" Effect="Permit">
+ <Description>
+ Any subject with an e-mail name in the med.example.com domain
+ can perform any action on any resource.
+ </Description>
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
+ <AttributeValue DataType="http:https://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ </Target>
+ </Rule>
+</Policy>

xacml-conformance-tests/src/test/resources/Example_2/Barts_record.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<record xmlns="urn:med:example:schemas:record" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:med:example:schemas:record record.xsd">
+ <patient>
+ <patientName>
+ <first>Bartholomew</first>
+ <last>Simpson</last>
+ </patientName>
+ <patientContact>
+ <street>27 Shelbyville Road</street>
+ <city>Springfield</city>
+ <state>MA</state>
+ <zip>12345</zip>
+ <phone>555.123.4567</phone>
+ <fax/>
+ <email/>
+ </patientContact>
+ <patientDoB>1992-03-21</patientDoB>
+ <patientGender>male</patientGender>
+ <policyNumber>555555</policyNumber>
+ </patient>
+ <parentGuardian>
+ <parentGuardianName>
+ <first>Homer</first>
+ <last>Simpson</last>
+ </parentGuardianName>
+ <parentGuardianContact>
+ <street>27 Shelbyville Road</street>
+ <city>Springfield</city>
+ <state>MA</state>
+ <zip>12345</zip>
+ <phone>555.123.4567</phone>
+ <fax/>
+ <email>[email protected]</email>
+ </parentGuardianContact>
+ </parentGuardian>
+ <primaryCarePhysician>
+ <physicianName>
+ <first>Julius</first>
+ <last>Hibbert</last>
+ </physicianName>
+ <physicianContact>
+ <street>1 First St</street>
+ <city>Springfield</city>
+ <state>MA</state>
+ <zip>12345</zip>
+ <phone>555.123.9012</phone>
+ <fax>555.123.9013</fax>
+ <email/>
+ </physicianContact>
+ <registrationID>ABC123</registrationID>
+ </primaryCarePhysician>
+ <insurer>
+ <name>Blue Cross</name>
+ <street>1234 Main St</street>
+ <city>Springfield</city>
+ <state>MA</state>
+ <zip>12345</zip>
+ <phone>555.123.5678</phone>
+ <fax>555.123.5679</fax>
+ <email/>
+ </insurer>
+ <medical>
+ <treatment>
+ <drug>
+ <name>methylphenidate hydrochloride</name>
+ <dailyDosage>30mgs</dailyDosage>
+ <startDate>1999-01-12</startDate>
+ </drug>
+ <comment>patient exhibits side-effects of skin coloration and carpal degeneration</comment>
+ </treatment>
+ <result>
+ <test>blood pressure</test>
+ <value>120/80</value>
+ <date>2001-06-09</date>
+ <performedBy>Nurse Betty</performedBy>
+ </result>
+ </medical>
+</record>

xacml-conformance-tests/src/test/resources/Example_2/Policy_set.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance"
+ PolicySetId="urn:oasis:names:tc:xacml:2.0:example:policysetid:1"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
+ <Description>
+ Example policy set.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http:https://www.w3.org/2001/XMLSchema#string">urn:med:example:schemas:record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <PolicyIdReference>urn:oasis:names:tc:xacml:2.0:example:policyid:3</PolicyIdReference>
+ <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:example:policyid:2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Policy for any medical record in the urn:med:example:schemas:record namespace
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:1" Effect="Permit"/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:2" Effect="Permit"/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:4" Effect="Deny"/>
+ </Policy>
+</PolicySet>

xacml-conformance-tests/src/test/resources/Example_2/Request.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Subject>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category" DataType="http:https://www.w3.org/2001/XMLSchema#anyURI" Issuer="med.example.com">
+ <AttributeValue>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http:https://www.w3.org/2001/XMLSchema#string" Issuer="med.example.com">
+ <AttributeValue>CN=Julius Hibbert</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:name-format" DataType="http:https://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:oasis:names:tc:xacml:1.0:datatype:x500name</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:role" DataType="http:https://www.w3.org/2001/XMLSchema#string" Issuer="med.example.com">
+ <AttributeValue>physician</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:physician-id" DataType="http:https://www.w3.org/2001/XMLSchema#string" Issuer="med.example.com">
+ <AttributeValue>jh1234</AttributeValue>
+ </Attribute>
+ </Subject>
+ <Resource>
+ <ResourceContent>
+ <md:record xmlns:md="urn:med:example:schemas:record" xsi:schemaLocation="urn:med:example:schemas:record record.xsd">
+ <md:patient>
+ <md:patientDoB>1992-03-21</md:patientDoB>
+ <md:patient-number>555555</md:patient-number>
+ </md:patient>
+ </md:record>
+ </ResourceContent>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http:https://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>//med.example.com/records/bart-simpson.xml#xmlns(md=urn:med:example:schemas:record)xpointer(/md:record/md:patient/md:patientDoB)</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="http:https://www.w3.org/2001/XMLSchema#anyURI">
+ <AttributeValue>urn:med:example:schemas:record</AttributeValue>
+ </Attribute>
+ </Resource>
+ <Action>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http:https://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>read</AttributeValue>
+ </Attribute>
+ </Action>
+ <Environment/>
+</Request>

xacml-conformance-tests/src/test/resources/Example_2/Response.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Result>
+ <Decision>NotApplicable</Decision>
+ <Status>
+ <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
+ </Status>
+ </Result>
+</Response>

xacml-conformance-tests/src/test/resources/Example_2/Rule_1.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:policy:schema:os http:https://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd" xmlns:md="http:https://www.med.example.com/schemas/record.xsd" PolicyId="urn:oasis:names:tc:xacml:2.0:example:policyid:1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <PolicyDefaults>
+ <XPathVersion>http:https://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
+ </PolicyDefaults>
+ <Target/>
+ <VariableDefinition VariableId="17590034">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:patient-number" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeSelector RequestContextPath="//xacml-context:Resource/xacml-context:ResourceContent/md:record/md:patient/md:patient-number/text()" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </VariableDefinition>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:1" Effect="Permit">
+ <Description>
+ A person may read any medical record in the
+ http:https://www.med.example.com/schemas/record.xsd namespace
+ for which he or she is the designated patient
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http:https://www.w3.org/2001/XMLSchema#string">http:https://www.med.example.com/schemas/record.xsd</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
+ <AttributeValue DataType="http:https://www.w3.org/2001/XMLSchema#string">/md:record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http:https://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http:https://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ <Condition>
+ <VariableReference VariableId="17590034"/>
+ </Condition>
+ </Rule>
+</Policy>