policy4j / xacml4j

Implementation of OASIS XACML 2.0 & 3.0 specification in Java programming language

License: GNU Lesser General Public License v3.0

Java 95.34% HTML 4.66%
abac access-control policy-as-code policy-enforcement-point policy-engine xacml xacml-policies xacml-standard

xacml4j's Introduction

Xacml4j XACML Access Control Policy Engine Implementation

Xacml4j is a reference implementation of the OASIS XACML 3.0 Standard. The framework represents the entire XACML 3.0 object set as a collection of Java interfaces and standard implementations of those interfaces. The PDP engine is built on top of this framework and represents a complete implementation of a XACML 3.0 PDP, including all of the multi-decision profiles. In addition, the framework also contains an implementation of the OASIS XACML 3.0 RESTful API v1.0 and XACML JSON Profile v1.0 WD 14. The PEP API includes annotation functionality, allowing application developers to simply annotate a Java class to provide attributes for a request. The annotation support removes the need for application developers to learn much of the API.

The framework also includes interfaces and implementations to standardize development of PIP engines that are used by the PDP implementation, and can be used by other implementations built on top of the framework. The framework also includes interfaces and implementations for a PAP distributed cloud infrastructure of PDP nodes that includes support for policy distribution and PIP configurations. This PAP infrastructure includes a web application administrative console that contains a XACML 3.0 policy editor, attribute dictionary support, and management of PDP RESTful node instances. In addition, there are tools available for policy simulation.

Currently Xacml4j is used in production: Xfinity Wifi Access Control, Xfinity TV Everywhere Access Control

Requirements

  • Java JDK 1.8

  • Apache Maven to compile, install and run the software.

Building the source code

From the directory you downloaded the source to, just type 'mvn clean install'.

Running the projects

Continuous Integration status on Travis CI: Build Status

xacml4j's People

Contributors

dependabot[bot], ilyaai, rolisv, trumpyla, valdas-s, vvaldas

xacml4j's Issues

Marshalling to file results in com.sun.istack.internal.SAXException2

When I try to marshall a policy to a file I get a SAXException2 (see below.)

// read
InputStream policyIS; // opened elsewhere; the issue does not show how
PolicyUnmarshaller reader = new XacmlPolicyUnmarshaller(
    FunctionProviderBuilder.builder().defaultFunctions().build(),
    DecisionCombiningAlgorithmProviderBuilder.builder().withDefaultAlgorithms().create() );
CompositeDecisionRule compositeDecisionRule = reader.unmarshal( policyIS );

// write
PolicyMarshaller writer = new Xacml30PolicyMarshaller();
FileOutputStream policyOutstream = new FileOutputStream( new File( "policyout.xml" ) );
writer.marshal( compositeDecisionRule, policyOutstream ); // <= exception thrown here

Caused by: com.sun.istack.internal.SAXException2: Instance of "javax.xml.bind.JAXBElement" is substituting "java.lang.Object", but "javax.xml.bind.JAXBElement" is bound to an anonymous type.
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.reportError(XMLSerializer.java:237)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsXsiType(XMLSerializer.java:652)
at com.sun.xml.internal.bind.v2.runtime.property.ArrayElementProperty.serializeListBody(ArrayElementProperty.java:154)
at com.sun.xml.internal.bind.v2.runtime.property.ArrayERProperty.serializeBody(ArrayERProperty.java:144)
at com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl.serializeBody(ClassBeanInfoImpl.java:343)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsXsiType(XMLSerializer.java:685)
at com.sun.xml.internal.bind.v2.runtime.property.SingleElementNodeProperty.serializeBody(SingleElementNodeProperty.java:143)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl$1.serializeBody(ElementBeanInfoImpl.java:145)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl$1.serializeBody(ElementBeanInfoImpl.java:115)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeBody(ElementBeanInfoImpl.java:317)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeRoot(ElementBeanInfoImpl.java:324)
at com.sun.xml.internal.bind.v2.runtime.ElementBeanInfoImpl.serializeRoot(ElementBeanInfoImpl.java:60)
at com.sun.xml.internal.bind.v2.runtime.XMLSerializer.childAsRoot(XMLSerializer.java:483)
at com.sun.xml.internal.bind.v2.runtime.MarshallerImpl.write(MarshallerImpl.java:308)

Policy XML parsing failure.

The XacmlPolicyUnmarshallerTest#testPolicy3 and XacmlPolicyUnmarshallerTest#testFeatures001Policy test cases are failing under jdk1.8. The failure happens during policy XML parsing when variable references (e.g. ) are used.
Stack trace:
java.lang.IllegalStateException
at com.google.common.base.Preconditions.checkState(Preconditions.java:133)
at org.xacml4j.v30.marshal.jaxb.Xacml30PolicyFromJaxbToObjectModelMapper.parseExpression(Xacml30PolicyFromJaxbToObjectModelMapper.java:663)
at org.xacml4j.v30.marshal.jaxb.Xacml30PolicyFromJaxbToObjectModelMapper.createApply(Xacml30PolicyFromJaxbToObjectModelMapper.java:616)

and

java.lang.IllegalStateException
at com.google.common.base.Preconditions.checkState(Preconditions.java:133)
at org.xacml4j.v30.marshal.jaxb.Xacml20PolicyFromJaxbToObjectModelMapper.parseExpression(Xacml20PolicyFromJaxbToObjectModelMapper.java:408)
at org.xacml4j.v30.marshal.jaxb.Xacml20PolicyFromJaxbToObjectModelMapper.createApply(Xacml20PolicyFromJaxbToObjectModelMapper.java:655)

Delegated

I was testing the delegated policy rules with xacml4j, but I guess there is no testing done for those attributes and their values; also, MaxDelegationDepth="xs:integer" is not implemented.
Is there any way to work around this to achieve Delegation with xacml4j?
Here I have attached the potential Delegation Policy with 1 PolicySet and 4 Policies, together with the Request and Response.

I think reduction of the policies is still not performed in this solution.

v30-policy-delegation-test.zip

2016-07-31 09:41:48,458-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.BaseCompositeDecisionRule] Evaluating composite decision rule with id="Policy1"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pip.DefaultPolicyInformationPoint] Trying to resolve designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pip.DefaultPolicyInformationPoint] No matching resolver found for designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}"
2016-07-31 09:41:48,461-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.DefaultEvaluationContextHandler] Resolved designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}" from PIP to value="null"
2016-07-31 09:41:48,462-0600 [671a803c1854251e-cb24f32c27c6c482][main] DEBUG [pdp.RootEvaluationContext] Resolved designator="AttributeDesignatorKey{Category=urn:oasis:names:tc:xacml:3.0:attribute-category:delegated:urn:oasis:names:tc:xacml:1.0:subject-category:access-subject, AttributeId=group, DataType=http://www.w3.org/2001/XMLSchema#string, Issuer=null}" to value="BagOfAttributeExp{DataType=http://www.w3.org/2001/XMLSchema#string, Values=[]}"

Refactor PolicyRepository abstraction

The policy repository needs to be split into the following components:

  1. In-memory policy index with quick, no-lock query functionality
  2. PolicySource - a policy source can be immutable, for example policies from the class path, or mutable, for example policies stored in MongoDB or LDAP. A policy source should support some sort of pull or push to receive changes from the policy source
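
A sketch of the split proposed in this issue, added here as an example; it is not xacml4j code, and Snapshot, PolicySource, PolicyIndex and InMemorySource are hypothetical names. The index holds one immutable, versioned snapshot behind an atomic reference, so a decision that is already running keeps evaluating against the revision it started with and never sees a half-updated policy set.

```java
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;

public class PolicyIndexSketch {
    /** Immutable, versioned set of policies keyed by policy id (hypothetical type). */
    static final class Snapshot {
        final long revision;
        final Map<String, String> policyXmlById;
        Snapshot(long revision, Map<String, String> policies) {
            this.revision = revision;
            this.policyXmlById = Collections.unmodifiableMap(new HashMap<>(policies));
        }
    }
    /** Pull via load(); push via subscribe(). An immutable (class path) source never calls back. */
    interface PolicySource {
        Snapshot load();
        default void subscribe(Consumer<Snapshot> onChange) { }
    }
    /** Readers take no lock: snapshot() is one volatile read, taken once per decision request. */
    static final class PolicyIndex {
        private final AtomicReference<Snapshot> current =
            new AtomicReference<>(new Snapshot(-1, Collections.emptyMap()));
        PolicyIndex(PolicySource source) {
            source.subscribe(this::offer);   // subscribe first so no change is missed
            offer(source.load());            // a stale load cannot replace a newer push
        }
        void offer(Snapshot next) {
            current.updateAndGet(cur -> next.revision > cur.revision ? next : cur);
        }
        Snapshot snapshot() { return current.get(); }
    }
    /** Mutable source, standing in for a MongoDB- or LDAP-backed store. */
    static final class InMemorySource implements PolicySource {
        private volatile Consumer<Snapshot> listener = s -> { };
        private volatile Snapshot latest = new Snapshot(0, Collections.emptyMap());
        public Snapshot load() { return latest; }
        public void subscribe(Consumer<Snapshot> l) { listener = l; }
        synchronized void publish(Map<String, String> policies) {
            latest = new Snapshot(latest.revision + 1, policies);
            listener.accept(latest);
        }
    }
    public static void main(String[] args) {
        InMemorySource source = new InMemorySource();
        PolicyIndex index = new PolicyIndex(source);
        Snapshot inFlight = index.snapshot();   // a decision that started before the update
        // Constructed sample policy, not taken from the project.
        source.publish(Collections.singletonMap("Policy1", "<Policy PolicyId=\"Policy1\"/>"));
        System.out.println(inFlight.revision + " -> " + index.snapshot().revision);
    }
}
```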

Implement Obligation AttributeAssignment evaluation

Obligation AttributeAssignment values are not evaluated when using any attribute designator using XACML 2.0.

Example

<AttributeAssignment
    AttributeId="urn:oasis:names:tc:xacml:2.0:requester"
    DataType="http://www.w3.org/2001/XMLSchema#string">
  <SubjectAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
</AttributeAssignment>

The above example will evaluate to an empty line when getting the obligation attribute value.

Xacml30PolicyMarshaller fails with "unable to marshal type "java.lang.Long" as an element because it is missing an @XmlRootElement annotation"

Steps to reproduce overview:

  1. Using builders construct policy containing
  2. Serialize this policy to xml with Xacml30PolicyMarshaller
  3. Marshaller fails

Reproducing test:

import org.junit.Test;
import org.xacml4j.v30.Effect;
import org.xacml4j.v30.marshal.jaxb.Xacml30PolicyMarshaller;
import org.xacml4j.v30.pdp.Apply;
import org.xacml4j.v30.pdp.Policy;
import org.xacml4j.v30.pdp.Rule;
import org.xacml4j.v30.policy.combine.DenyOverridesRuleCombiningAlgorithm;
import org.xacml4j.v30.spi.function.FunctionProvider;
import org.xacml4j.v30.spi.function.FunctionProviderBuilder;
import org.xacml4j.v30.types.IntegerExp;
import org.xacml4j.v30.types.StringExp;

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.IsNull.notNullValue;

public class MarshalAttributeValueTest {
    private final static FunctionProvider Funcs = FunctionProviderBuilder.builder()
        .defaultFunctions()
        .build();

    //
    // This test fails with error "unable to marshal type "java.lang.Long" as an element because it is missing an @XmlRootElement annotation"
    //
    @Test
    public void marshalIntegerAttributeValue() throws IOException {
        // arrange
        Rule rule = Rule.builder("rule", Effect.DENY)
            .condition(
                Apply.builder(Funcs.getFunction("urn:oasis:names:tc:xacml:1.0:function:integer-equal"))
                    .param(IntegerExp.of(0))
                    .param(IntegerExp.of(1))
                    .build()
            )
            .build();

        Policy policy = Policy.builder("policy")
            .combiningAlgorithm(new DenyOverridesRuleCombiningAlgorithm())
            .rule(rule)
            .build();

        // act
        Writer writer = new StringWriter();
        new Xacml30PolicyMarshaller().marshal(policy, writer);
        String xml = writer.toString();

        // assert
        assertThat(xml, notNullValue());
    }

    //
    // ...but this one is ok.
    //
    @Test
    public void marshalStringAttributeValue() throws IOException {
        // arrange
        Rule rule = Rule.builder("rule", Effect.DENY)
            .condition(
                Apply.builder(Funcs.getFunction("urn:oasis:names:tc:xacml:1.0:function:string-equal"))
                    .param(StringExp.of("a"))
                    .param(StringExp.of("b"))
                    .build()
            )
            .build();

        Policy policy = Policy.builder("policy")
            .combiningAlgorithm(new DenyOverridesRuleCombiningAlgorithm())
            .rule(rule)
            .build();

        // act
        Writer writer = new StringWriter();
        new Xacml30PolicyMarshaller().marshal(policy, writer);
        String xml = writer.toString();

        // assert
        assertThat(xml, notNullValue());
    }
}

Unify exception handling

Review current exception handling and implement consistent handling either using XacmlException hierarchy or Java's runtime exceptions.
