Adding the initial version of EntitlementServices API support

sample/src/main/resources/application.properties

@@ -1,8 +1,10 @@
 spring.thymeleaf.cache=false
 #logging.level.web=debug
 xacml.pdp.url.authorize=https://localhost:9443/api/identity/entitlement/decision/pdp
-xacml.pdp.url.resourceList=https://localhost:9443/api/identity/entitlement/decision/home
+xacml.pdp.url.resource.list=https://localhost:9443/api/identity/entitlement/decision/home
+xacml.pdp.url.entitlement.service=https://localhost:9443/services/EntitlementService
 xacml.pdp.trustStore=truststore
 xacml.pdp.trustStore.password=password
 xacml.pdp.keyStore=keystore
-xacml.pdp.keyStore.password=password
+xacml.pdp.keyStore.password=password
+xacml.pdp.keyStore.cert.alias=randika-client

sdk/pom.xml

@@ -16,10 +16,7 @@
  <version>1.0-SNAPSHOT</version>
 
  <dependencies>
- <dependency>
- <groupId>org.springframework.boot</groupId>
- <artifactId>spring-boot-starter-actuator</artifactId>
- </dependency>
+
  <dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
@@ -62,8 +59,41 @@
  <artifactId>httpclient</artifactId>
  </dependency>
 
- </dependencies>
+ <dependency>
+ <groupId>org.springframework.ws</groupId>
+ <artifactId>spring-ws-core</artifactId>
+ </dependency>
 
+ <dependency>
+ <groupId>javax.xml.bind</groupId>
+ <artifactId>jaxb-api</artifactId>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.jvnet.jaxb2.maven2</groupId>
+ <artifactId>maven-jaxb2-plugin</artifactId>
+ <version>0.13.1</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>generate</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <schemaLanguage>WSDL</schemaLanguage>
+ <generatePackage>org.wso2.spring.security.abac.soaputils.wsdl</generatePackage>
+ <schemaDirectory>src/main/resources</schemaDirectory>
+ <schemaIncludes>
+ <include>EntitlementService.wsdl</include>
+ </schemaIncludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
  <properties>
  <commons-io.version>2.6</commons-io.version>
  <org.json.version>20180813</org.json.version>

sdk/src/main/java/org/wso2/spring/security/abac/AttributeHandler.java

@@ -1,8 +1,10 @@
 package org.wso2.spring.security.abac;
 
 import org.json.JSONObject;
+import org.wso2.spring.security.abac.soaputils.wsdl.EntitledResultSetDTO;
 
 import java.util.Optional;
+import javax.xml.bind.JAXBElement;
 
 /**
  * @author Randika Navagamuwa
@@ -12,4 +14,7 @@ public interface AttributeHandler {
  boolean authorize(String policyRequest);
 
  Optional<JSONObject> getApiResourceList();
+
+ JAXBElement<EntitledResultSetDTO> getEntitledAttributes(String subjectName, String resourceName, String subjectId, String action,
+ boolean enableChildSearch);
 }

sdk/src/main/java/org/wso2/spring/security/abac/XacmlAttributeHandler.java

@@ -1,33 +1,47 @@
 package org.wso2.spring.security.abac;
 
+import org.apache.http.Header;
 import org.apache.http.client.HttpClient;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
+import org.apache.http.message.BasicHeader;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.core.io.FileSystemResource;
 import org.springframework.core.io.support.PropertiesLoaderUtils;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.oxm.jaxb.Jaxb2Marshaller;
 import org.springframework.util.ResourceUtils;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.ws.transport.http.HttpComponentsMessageSender;
 import org.wso2.spring.security.abac.cache.CacheManager;
 import org.wso2.spring.security.abac.cache.EhCacheManager;
 import org.wso2.spring.security.abac.exception.AttributeEvaluatorException;
+import org.wso2.spring.security.abac.soaputils.CustomSSLHttpClientFactory;
+import org.wso2.spring.security.abac.soaputils.EntitlementServiceClient;
+import org.wso2.spring.security.abac.soaputils.wsdl.EntitledResultSetDTO;
 
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 import java.util.Properties;
 import javax.net.ssl.SSLContext;
+import javax.xml.bind.JAXBElement;
 
 /**
  * @author Randika Navagamuwa
@@ -37,26 +51,34 @@ public class XacmlAttributeHandler implements AttributeHandler {
 
  private static String XACML_PDP_AUTHORIZE_URL;
  private static String XACML_PDP_RESOURCE_LIST_URL;
+ private static String XACML_PDP_ENTITLEMENT_SERVICE_URL;
  private static String TRUST_STORE;
  private static String TRUST_STORE_PASSWORD;
  private static String KEY_STORE;
  private static String KEY_STORE_PASSWORD;
+ private static String CERT_ALIAS;
 
  private CacheManager responseCacheManager;
  private SSLContext sslContext;
- private HttpHeaders headers;
+ private HttpHeaders restHeaders;
+ private List<Header> soapHeaders;
+ private CustomSSLHttpClientFactory customSSLHttpClientFactory;
+ private EntitlementServiceClient entitlementServiceClient;
 
  public XacmlAttributeHandler() {
 
  try {
  Properties properties = PropertiesLoaderUtils
  .loadAllProperties("application.properties");
  XACML_PDP_AUTHORIZE_URL = properties.getProperty("xacml.pdp.url.authorize");
- XACML_PDP_RESOURCE_LIST_URL = properties.getProperty("xacml.pdp.url.resourceList");
+ XACML_PDP_RESOURCE_LIST_URL = properties.getProperty("xacml.pdp.url.resource.list");
+ XACML_PDP_ENTITLEMENT_SERVICE_URL = properties.getProperty("xacml.pdp.url.entitlement.service");
  TRUST_STORE = properties.getProperty("xacml.pdp.trustStore");
  TRUST_STORE_PASSWORD = properties.getProperty("xacml.pdp.trustStore.password");
  KEY_STORE = properties.getProperty("xacml.pdp.keyStore");
  KEY_STORE_PASSWORD = properties.getProperty("xacml.pdp.keyStore.password");
+ CERT_ALIAS = properties.getProperty("xacml.pdp.keyStore.cert.alias");
+
  } catch (IOException e) {
 
  //todo stop the whole app
@@ -75,18 +97,46 @@ public XacmlAttributeHandler() {
  .loadTrustMaterial(ResourceUtils.getFile("classpath:".concat(TRUST_STORE)),
  TRUST_STORE_PASSWORD.toCharArray())
  .build();
+
+ this.customSSLHttpClientFactory = new CustomSSLHttpClientFactory(
+ new FileSystemResource(ResourceUtils.getFile("classpath:".concat(KEY_STORE))),
+ KEY_STORE_PASSWORD,
+ "JKS",
+ new FileSystemResource(ResourceUtils.getFile("classpath:".concat(TRUST_STORE))),
+ TRUST_STORE_PASSWORD,
+ new String[]{"TLSv1"},
+ CERT_ALIAS);
+
+ this.soapHeaders = new ArrayList<>();
+ //todo use mutual SSL
+ soapHeaders.add(new BasicHeader("Authorization", "Basic YWRtaW46YWRtaW4="));
+
+ this.responseCacheManager = new EhCacheManager();
+
+ Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
+ marshaller.setContextPath("org.wso2.spring.security.abac.soaputils.wsdl");
+
+ this.entitlementServiceClient = new EntitlementServiceClient(XACML_PDP_ENTITLEMENT_SERVICE_URL);
+ this.entitlementServiceClient.setMarshaller(marshaller);
+ this.entitlementServiceClient.setUnmarshaller(marshaller);
+ this.entitlementServiceClient.setMessageSender(new HttpComponentsMessageSender(
+ HttpClientBuilder
+ .create()
+ .setSSLSocketFactory(new SSLConnectionSocketFactory(this.sslContext, NoopHostnameVerifier.INSTANCE))
+ .addInterceptorFirst(new HttpComponentsMessageSender.RemoveSoapHeadersInterceptor())
+ .setDefaultHeaders(this.soapHeaders)
+ .build()));
  } catch (Exception e) {
 
  //todo stop the whole app
  throw new AttributeEvaluatorException("Failed to read keystore or truststore", e);
  }
 
- this.headers = new HttpHeaders();
- this.headers.setContentType(MediaType.APPLICATION_JSON);
- this.headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
- this.headers.set("WSO2-Identity-User", "admin");
+ this.restHeaders = new HttpHeaders();
+ this.restHeaders.setContentType(MediaType.APPLICATION_JSON);
+ this.restHeaders.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
+ this.restHeaders.set("WSO2-Identity-User", "admin");
 
- this.responseCacheManager = new EhCacheManager();
  }
 
  @Override
@@ -104,7 +154,7 @@ public boolean authorize(String authRequest) {
  new HttpComponentsClientHttpRequestFactory(client));
  RestTemplate rt = restTemplateBuilder.build();
 
- HttpEntity<String> entity = new HttpEntity<>(authRequest, this.headers);
+ HttpEntity<String> entity = new HttpEntity<>(authRequest, this.restHeaders);
 
  ResponseEntity response = rt.postForEntity(XACML_PDP_AUTHORIZE_URL, entity, String.class);
  if (response.getStatusCode() != HttpStatus.OK || response.getBody() == null) {
@@ -145,7 +195,7 @@ public Optional<JSONObject> getApiResourceList() {
  new HttpComponentsClientHttpRequestFactory(client));
  RestTemplate rt = restTemplateBuilder.build();
 
- HttpEntity<String> entity = new HttpEntity<>(this.headers);
+ HttpEntity<String> entity = new HttpEntity<>(this.restHeaders);
 
  ResponseEntity response = rt.getForEntity(XACML_PDP_RESOURCE_LIST_URL, String.class, entity);
 
@@ -159,6 +209,16 @@ public Optional<JSONObject> getApiResourceList() {
  return Optional.of(new JSONObject(cachedResponse));
  }
 
+ @Override
+ public JAXBElement<EntitledResultSetDTO> getEntitledAttributes(String subjectName, String resourceName,
+ String subjectId, String action,
+ boolean enableChildSearch) {
+
+ return this.entitlementServiceClient.
+ getEntitledAttributes(subjectName, resourceName, subjectId, action, enableChildSearch).getReturn();
+
+ }
+
  private KeyStore loadPfx(String file, char[] password) throws Exception {
 
  KeyStore keyStore = KeyStore.getInstance("JKS");