Java Code Examples for org.wso2.balana.ctx.AbstractResult#DECISION_PERMIT
The following examples show how to use
org.wso2.balana.ctx.AbstractResult#DECISION_PERMIT.
Example 1
Source File: PolicySearch.java From carbon-identity-framework with Apache License 2.0 | 6 votes |
/**
 * Evaluates the given attributes with the entitlement engine and reduces the
 * XACML response to a yes/no answer.
 *
 * @param requestAttributes XACML request attributes
 * @return {@code true} if at least one result in the response is PERMIT;
 *         {@code false} if the engine returns no response or no result is PERMIT
 */
private boolean getResponse(List<AttributeDTO> requestAttributes) {

    AbstractRequestCtx requestCtx = EntitlementUtil.createRequestContext(requestAttributes);
    ResponseCtx responseCtx = EntitlementEngine.getInstance().evaluateByContext(requestCtx);

    // Fail closed: no response from the engine is treated as "not permitted".
    if (responseCtx == null) {
        return false;
    }

    // NOTE(review): a single PERMIT among several results is enough to answer
    // true, and obligations/advice on the result are not inspected here.
    // Confirm callers only rely on this as a coarse check.
    for (AbstractResult candidate : responseCtx.getResults()) {
        if (AbstractResult.DECISION_PERMIT == candidate.getDecision()) {
            return true;
        }
    }
    return false;
}
Example 2
Source File: PolicySearch.java From carbon-identity with Apache License 2.0 | 6 votes |
/**
 * Asks the entitlement engine for a decision on the supplied attributes.
 *
 * @param requestAttributes XACML request attributes
 * @return {@code true} when any result of the evaluation is PERMIT, otherwise
 *         {@code false} (including when the engine hands back no response)
 */
private boolean getResponse(List<AttributeDTO> requestAttributes) {

    AbstractRequestCtx xacmlRequest = EntitlementUtil.createRequestContext(requestAttributes);
    ResponseCtx xacmlResponse = EntitlementEngine.getInstance().evaluateByContext(xacmlRequest);

    boolean permitted = false;
    if (xacmlResponse != null) {
        // NOTE(review): the first PERMIT found ends the scan; DENY and
        // INDETERMINATE results next to it, and any obligations, are not
        // considered. Verify that is the intended enforcement semantics.
        for (AbstractResult outcome : xacmlResponse.getResults()) {
            if (outcome.getDecision() == AbstractResult.DECISION_PERMIT) {
                permitted = true;
                break;
            }
        }
    }
    return permitted;
}
Example 3
Source File: PermitUnlessDenyRuleAlg.java From balana with Apache License 2.0 | 6 votes |
/**
 * Combines rule results so that the outcome is PERMIT unless some rule says DENY.
 *
 * <p>The first rule that evaluates to DENY ends the evaluation and its result is
 * returned unchanged. Obligations and advice are collected from PERMIT results only.
 *
 * @param context      the evaluation context handed to every rule
 * @param parameters   combiner parameters (not used by this method)
 * @param ruleElements the {@code RuleCombinerElement}s to combine
 * @return the DENY result of the first denying rule, otherwise a PERMIT result
 *         carrying the collected obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    List<ObligationResult> collectedObligations = new ArrayList<ObligationResult>();
    List<Advice> collectedAdvices = new ArrayList<Advice>();

    for (Object element : ruleElements) {
        AbstractResult ruleResult = ((RuleCombinerElement) element).getRule().evaluate(context);
        int decision = ruleResult.getDecision();

        // A single DENY wins immediately, whatever came before it.
        if (AbstractResult.DECISION_DENY == decision) {
            return ruleResult;
        }

        // Any decision other than DENY or PERMIT (for instance an evaluation
        // error) is skipped, so it does not stand in the way of the final PERMIT.
        if (AbstractResult.DECISION_PERMIT == decision) {
            collectedObligations.addAll(ruleResult.getObligations());
            collectedAdvices.addAll(ruleResult.getAdvices());
        }
    }

    // No rule denied, so the combined decision is PERMIT.
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_PERMIT, collectedObligations, collectedAdvices, context);
}
Example 4
Source File: DenyUnlessPermitRuleAlg.java From balana with Apache License 2.0 | 6 votes |
/**
 * Combines rule results so that the outcome is DENY unless some rule says PERMIT.
 *
 * <p>The first rule that evaluates to PERMIT ends the evaluation and its result is
 * returned unchanged. Obligations and advice are collected from DENY results only.
 *
 * @param context      the evaluation context handed to every rule
 * @param parameters   combiner parameters (not used by this method)
 * @param ruleElements the {@code RuleCombinerElement}s to combine
 * @return the PERMIT result of the first permitting rule, otherwise a DENY result
 *         carrying the collected obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    List<ObligationResult> collectedObligations = new ArrayList<ObligationResult>();
    List<Advice> collectedAdvices = new ArrayList<Advice>();

    for (Object element : ruleElements) {
        Rule current = ((RuleCombinerElement) element).getRule();
        AbstractResult outcome = current.evaluate(context);
        int decision = outcome.getDecision();

        // A single PERMIT wins immediately, whatever came before it.
        if (AbstractResult.DECISION_PERMIT == decision) {
            return outcome;
        }

        // Only explicit DENY results contribute obligations and advice; every
        // other decision is ignored and ends up covered by the default DENY.
        if (AbstractResult.DECISION_DENY == decision) {
            collectedObligations.addAll(outcome.getObligations());
            collectedAdvices.addAll(outcome.getAdvices());
        }
    }

    // Nothing permitted, so the combined decision is DENY (fail closed).
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_DENY, collectedObligations, collectedAdvices, context);
}
Example 5
Source File: PDPController.java From balana with Apache License 2.0 | 5 votes |
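/**
 * Evaluates a purchase request from the KMarket sample against the Policy Decision Point.
 *
 * <p>The request is turned into an XACML request, evaluated, and the first result of
 * the XACML response decides the message. Anything other than an explicit PERMIT,
 * including a response that cannot be parsed or that contains no result, is reported
 * as "NOT authorized", so the endpoint fails closed.
 *
 * @param request the purchase request that is converted to an XACML request
 * @return the message describing the decision of the Policy Decision Point
 */
@PostMapping("/evaluate")
public ResponseObject evaluate(@RequestBody RequestObject request) {

    Utilities.initData();
    Utilities.initBalana();

    // NOTE(review): user name, product and quantity are taken straight from the
    // request body. Nothing in this method authenticates the user name or bounds
    // the quantity before they become XACML attributes; confirm that happens
    // elsewhere before relying on the decision.
    int totalAmount = Utilities.calculateTotal(request.getProductName(),
            request.getNumberOfProducts());

    String xacmlRequest = Utilities.createXACMLRequest(
            request.getUsername(), request.getProductName(),
            request.getNumberOfProducts(), totalAmount);

    PDP pdp = Utilities.getPDPNewInstance();
    String xacmlResponse = pdp.evaluate(xacmlRequest); // evaluates the XACML request here

    String deniedMessage = "\n" + request.getUsername()
            + " is NOT authorized to perform this purchase\n";
    StringBuilder responseMessage = new StringBuilder();

    try {
        ResponseCtx responseCtx = ResponseCtx.getInstance(Utilities.getXacmlResponse(xacmlResponse));

        if (responseCtx.getResults().isEmpty()) {
            // No result means no PERMIT: answer with a denial instead of letting
            // iterator().next() throw NoSuchElementException.
            responseMessage.append(deniedMessage);
        } else {
            AbstractResult result = responseCtx.getResults().iterator().next();
            if (AbstractResult.DECISION_PERMIT == result.getDecision()) {
                responseMessage.append("\n").append(request.getUsername())
                        .append(" is authorized to perform this purchase\n\n");
            } else {
                // Anything that is not PERMIT is reported to the client as a denial,
                // followed by the advice attached to the result.
                responseMessage.append(deniedMessage);
                for (Advice advice : result.getAdvices()) {
                    for (AttributeAssignment assignment : advice.getAssignments()) {
                        responseMessage.append("Advice : ")
                                .append(assignment.getContent()).append("\n\n");
                    }
                }
            }
        }
    } catch (ParsingException e) {
        // An unparsable PDP response must not look like a neutral (empty) answer:
        // report the denial explicitly.
        e.printStackTrace();
        responseMessage.setLength(0);
        responseMessage.append(deniedMessage);
    }

    return new ResponseObject(responseMessage.toString());
}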
Example 6
Source File: DenyUnlessPermitPolicyAlg.java From balana with Apache License 2.0 | 5 votes |
/**
 * Combines policy results so that the outcome is DENY unless some policy says PERMIT.
 *
 * <p>Only policies whose target matches the context are evaluated. The first PERMIT
 * ends the evaluation and is returned unchanged. Obligations and advice are collected
 * from DENY results only.
 *
 * @param context        the evaluation context used for matching and evaluation
 * @param parameters     combiner parameters (not used by this method)
 * @param policyElements the {@code PolicyCombinerElement}s to combine
 * @return the PERMIT result of the first permitting policy, otherwise a DENY result
 *         carrying the collected obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {

    List<ObligationResult> collectedObligations = new ArrayList<ObligationResult>();
    List<Advice> collectedAdvices = new ArrayList<Advice>();

    for (Object element : policyElements) {
        AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();

        // Policies whose match result is anything other than MATCH are skipped
        // and therefore fall under the default DENY below.
        if (candidate.match(context).getResult() != MatchResult.MATCH) {
            continue;
        }

        AbstractResult outcome = candidate.evaluate(context);
        int decision = outcome.getDecision();

        // A single PERMIT wins immediately.
        if (AbstractResult.DECISION_PERMIT == decision) {
            return outcome;
        }
        if (AbstractResult.DECISION_DENY == decision) {
            collectedObligations.addAll(outcome.getObligations());
            collectedAdvices.addAll(outcome.getAdvices());
        }
    }

    // Nothing permitted, so the combined decision is DENY (fail closed).
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_DENY, collectedObligations, collectedAdvices, context);
}
Example 7
Source File: PermitUnlessDenyPolicyAlg.java From balana with Apache License 2.0 | 5 votes |
/**
 * Combines policy results so that the outcome is PERMIT unless some policy says DENY.
 *
 * <p>Only policies whose target matches the context are evaluated. The first DENY
 * ends the evaluation and is returned unchanged. Obligations and advice are collected
 * from PERMIT results only.
 *
 * @param context        the evaluation context used for matching and evaluation
 * @param parameters     combiner parameters (not used by this method)
 * @param policyElements the {@code PolicyCombinerElement}s to combine
 * @return the DENY result of the first denying policy, otherwise a PERMIT result
 *         carrying the collected obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {

    List<ObligationResult> grantedObligations = new ArrayList<ObligationResult>();
    List<Advice> grantedAdvices = new ArrayList<Advice>();

    for (Object element : policyElements) {
        AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();
        MatchResult targetMatch = candidate.match(context);

        // NOTE(review): a policy is only evaluated on MATCH. Any other match
        // result is skipped and so cannot prevent the final PERMIT; confirm that
        // is acceptable wherever this algorithm is configured.
        if (targetMatch.getResult() != MatchResult.MATCH) {
            continue;
        }

        AbstractResult outcome = candidate.evaluate(context);
        int decision = outcome.getDecision();

        // A single DENY wins immediately.
        if (AbstractResult.DECISION_DENY == decision) {
            return outcome;
        }
        if (AbstractResult.DECISION_PERMIT == decision) {
            grantedObligations.addAll(outcome.getObligations());
            grantedAdvices.addAll(outcome.getAdvices());
        }
    }

    // No policy denied, so the combined decision is PERMIT.
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_PERMIT, grantedObligations, grantedAdvices, context);
}
Example 8
Source File: Main.java From balana with Apache License 2.0 | 4 votes |
/**
 * Sample entry point: builds an XACML request for a user, evaluates it with a new
 * PDP instance, prints request and response, and reports whether access is authorized.
 *
 * <p>The user name is read from the console when one is available; otherwise the
 * default {@code "none"} is used. Only an explicit PERMIT on the first result is
 * reported as authorized.
 *
 * @param args command-line arguments (not used)
 */
public static void main(String[] args){

    String userName = "none";
    String content = "foo";

    initBalana();

    Console terminal = System.console();
    if (terminal != null) {
        userName = terminal.readLine("Enter User name [bob, peter, alice] : ");
        boolean missing = (userName == null) || userName.trim().isEmpty();
        if (missing) {
            System.err.println("\nUser name can not be empty\n");
            return;
        }
    }

    String request = createXACMLRequest(userName, content);
    PDP pdp = getPDPNewInstance();

    System.out.println("\n======================== XACML Request ====================");
    System.out.println(request);
    System.out.println("===========================================================");

    String response = pdp.evaluate(request);

    System.out.println("\n======================== XACML Response ===================");
    System.out.println(response);
    System.out.println("===========================================================");

    try {
        ResponseCtx parsed = ResponseCtx.getInstance(getXacmlResponse(response));
        // Only the first result is consulted; anything but PERMIT counts as a refusal.
        AbstractResult first = parsed.getResults().iterator().next();
        boolean permitted = AbstractResult.DECISION_PERMIT == first.getDecision();
        String verdict = permitted
                ? " is authorized to perform this access\n\n"
                : " is NOT authorized to perform this access\n";
        System.out.println("\n" + userName + verdict);
    } catch (ParsingException e) {
        // A response that cannot be parsed yields no verdict at all, only the trace.
        e.printStackTrace();
    }
}
Example 9
Source File: KMarketAccessControl.java From balana with Apache License 2.0 | 4 votes |
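/**
 * Sample entry point for the KMarket access-control demo: reads user, product and
 * quantity from the console, builds an XACML request that includes the computed
 * total, evaluates it with a new PDP instance, and prints the decision.
 *
 * <p>The quantity feeds the total amount that is sent to the PDP as part of the
 * request, so it is validated here: input that is not a whole number, or that is
 * smaller than 1, is rejected instead of crashing the program or producing a zero
 * or negative total. An empty quantity keeps the default of 1.
 *
 * @param args command-line arguments (not used)
 */
public static void main(String[] args){

    Console console;
    String userName = null;
    String productName = null;
    int numberOfProducts = 1;
    int totalAmount = 0;

    printDescription();
    initData();
    initBalana();

    System.out.println("\nYou can select one of following item for your shopping chart : \n");
    System.out.println(products);

    // NOTE(review): without a console, userName and productName stay null and are
    // passed on as they are - confirm calculateTotal/createXACMLRequest cope with that.
    if ((console = System.console()) != null){
        userName = console.readLine("Enter User name : ");
        if(userName == null || userName.trim().length() < 1 ){
            System.err.println("\nUser name can not be empty\n");
            return;
        }

        String productId = console.readLine("Enter Product Id : ");
        if(productId == null || productId.trim().length() < 1 ){
            System.err.println("\nProduct Id can not be empty\n");
            return;
        }
        productName = idMap.get(productId);
        if(productName == null){
            System.err.println("\nEnter valid product Id\n");
            return;
        }

        String productAmount = console.readLine("Enter No of Products : ");
        if(productAmount != null && productAmount.trim().length() > 0){
            try {
                numberOfProducts = Integer.parseInt(productAmount.trim());
            } catch (NumberFormatException e) {
                System.err.println("\nEnter valid number of products\n");
                return;
            }
            // A zero or negative quantity would drive the total to zero or below
            // and so distort the amount the policy is evaluated against.
            if (numberOfProducts < 1) {
                System.err.println("\nEnter valid number of products\n");
                return;
            }
        }
    }

    totalAmount = calculateTotal(productName, numberOfProducts);
    System.err.println("\nTotal Amount is : " + totalAmount + "\n");

    String request = createXACMLRequest(userName, productName, numberOfProducts, totalAmount);
    PDP pdp = getPDPNewInstance();

    System.out.println("\n======================== XACML Request ====================");
    System.out.println(request);
    System.out.println("===========================================================");

    String response = pdp.evaluate(request);

    System.out.println("\n======================== XACML Response ===================");
    System.out.println(response);
    System.out.println("===========================================================");

    try {
        ResponseCtx responseCtx = ResponseCtx.getInstance(getXacmlResponse(response));
        // Only the first result is consulted; anything but PERMIT counts as a refusal.
        AbstractResult result = responseCtx.getResults().iterator().next();
        if(AbstractResult.DECISION_PERMIT == result.getDecision()){
            System.out.println("\n" + userName + " is authorized to perform this purchase\n\n");
        } else {
            System.out.println("\n" + userName + " is NOT authorized to perform this purchase\n");
            for(Advice advice : result.getAdvices()){
                for(AttributeAssignment assignment : advice.getAssignments()){
                    System.out.println("Advice : " + assignment.getContent() +"\n\n");
                }
            }
        }
    } catch (ParsingException e) {
        // A response that cannot be parsed yields no verdict at all, only the trace.
        e.printStackTrace();
    }
}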
Example 10
Source File: PermitOverridesRuleAlg.java From balana with Apache License 2.0 | 4 votes |
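/**
 * Applies the permit-overrides combining rule to the set of rules based on the
 * evaluation context.
 *
 * <p>Order of precedence, as implemented below: an explicit PERMIT is returned at
 * once; otherwise Indeterminate{P} together with Indeterminate{D} or DENY gives
 * Indeterminate{DP}; Indeterminate{P} alone gives Indeterminate{P}; then DENY;
 * then Indeterminate{D}; finally NOT_APPLICABLE.
 *
 * <p>The Indeterminate{D} case used to be recorded but never reported, so a request
 * for which the only applicable rules failed with Indeterminate{D} came back as
 * NOT_APPLICABLE and the evaluation error was hidden from the caller. It is now
 * returned, mirroring how {@code DenyOverridesRuleAlg} reports Indeterminate{P}.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null {@code List} of
 *            {@code CombinerParameter}s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    boolean atLeastOneErrorD = false;
    boolean atLeastOneErrorP = false;
    boolean atLeastOneDeny = false;
    AbstractResult firstIndeterminateResultD = null;
    AbstractResult firstIndeterminateResultP = null;
    List<ObligationResult> denyObligations = new ArrayList<ObligationResult>();
    List<Advice> denyAdvices = new ArrayList<Advice>();

    for (Object ruleElement : ruleElements) {
        Rule rule = ((RuleCombinerElement) ruleElement).getRule();
        AbstractResult result = rule.evaluate(context);
        int value = result.getDecision();

        // if there was a value of PERMIT, then regardless of what
        // else we've seen, we always return PERMIT
        if (value == AbstractResult.DECISION_PERMIT) {
            return result;
        }

        if (value == AbstractResult.DECISION_NOT_APPLICABLE) {
            continue;
        }

        if (value == AbstractResult.DECISION_DENY) {
            // keep track of whether we had at least one rule that
            // actually pertained to the request
            atLeastOneDeny = true;
            denyAdvices.addAll(result.getAdvices());
            denyObligations.addAll(result.getObligations());
        } else if (value == AbstractResult.DECISION_INDETERMINATE_DENY) {
            atLeastOneErrorD = true;
            // there are no rules about what to do if multiple cases
            // cause errors, so we'll just keep the first one
            if (firstIndeterminateResultD == null) {
                firstIndeterminateResultD = result;
            }
        } else if (value == AbstractResult.DECISION_INDETERMINATE_PERMIT) {
            atLeastOneErrorP = true;
            if (firstIndeterminateResultP == null) {
                firstIndeterminateResultP = result;
            }
        }
        // NOTE(review): any other decision value is ignored here - confirm that
        // Rule.evaluate cannot return one.
    }

    if (atLeastOneErrorP && (atLeastOneErrorD || atLeastOneDeny)) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT,
                firstIndeterminateResultP.getStatus(), context);
    }

    if (atLeastOneErrorP) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_INDETERMINATE_PERMIT,
                firstIndeterminateResultP.getStatus(), context);
    }

    if (atLeastOneDeny) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_DENY, denyObligations, denyAdvices, context);
    }

    // a DENY rule failed to evaluate and nothing else applied: report the
    // error rather than pretending that no rule applied
    if (atLeastOneErrorD) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_INDETERMINATE_DENY,
                firstIndeterminateResultD.getStatus(), context);
    }

    // if we hit this point, then none of the rules actually applied
    // to us, so we return NOT_APPLICABLE
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}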
Example 11
Source File: DenyOverridesRuleAlg.java From balana with Apache License 2.0 | 4 votes |
/**
 * Applies the deny-overrides combining rule to the set of rules based on the
 * evaluation context.
 *
 * <p>Order of precedence, as implemented below: an explicit DENY is returned at
 * once; otherwise Indeterminate{D} together with Indeterminate{P} or PERMIT gives
 * Indeterminate{DP}; Indeterminate{D} alone gives Indeterminate{D}; then PERMIT
 * (with the obligations and advice of all permitting rules); then Indeterminate{P};
 * finally NOT_APPLICABLE.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null {@code List} of
 *            {@code CombinerParameter}s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    boolean atLeastOneErrorD = false;
    boolean atLeastOneErrorP = false;
    boolean atLeastOnePermit = false;
    // first Indeterminate{D} / Indeterminate{P} result seen; their status is
    // reused when an indeterminate decision is returned
    AbstractResult firstIndeterminateResultD = null;
    AbstractResult firstIndeterminateResultP = null;
    List<ObligationResult> permitObligations = new ArrayList<ObligationResult>();
    List<Advice> permitAdvices = new ArrayList<Advice>();
    Iterator it = ruleElements.iterator();

    while (it.hasNext()) {
        Rule rule = ((RuleCombinerElement) (it.next())).getRule();
        AbstractResult result = rule.evaluate(context);
        int value = result.getDecision();

        // if there was a value of DENY, then regardless of what else
        // we've seen, we always return DENY
        if (value == AbstractResult.DECISION_DENY){
            return result;
        }

        // rules that do not apply have no influence on the outcome
        if(value == AbstractResult.DECISION_NOT_APPLICABLE){
            continue;
        }

        // keep track of whether we had at least one rule that
        // actually pertained to the request
        if (value == AbstractResult.DECISION_PERMIT){
            atLeastOnePermit = true;
            permitAdvices.addAll(result.getAdvices());
            permitObligations.addAll(result.getObligations());
        } else {
            // if it was INDETERMINATE, check extended results
            // NOTE(review): only INDETERMINATE_DENY and INDETERMINATE_PERMIT are
            // recognised here; any other decision value reaching this branch is
            // dropped without a trace - confirm Rule.evaluate cannot return one.
            if (value == AbstractResult.DECISION_INDETERMINATE_DENY){
                atLeastOneErrorD = true;
                // there are no rules about what to do if multiple cases
                // cause errors, so we'll just return the first one
                if(firstIndeterminateResultD == null){
                    firstIndeterminateResultD = result;
                }
            } else if (value== AbstractResult.DECISION_INDETERMINATE_PERMIT){
                atLeastOneErrorP = true;
                // there are no rules about what to do if multiple cases
                // cause errors, so we'll just return the first one
                if(firstIndeterminateResultP == null){
                    firstIndeterminateResultP = result;
                }
            }
        }
    }

    // a DENY rule failed while something else pointed towards PERMIT: the
    // outcome could have gone either way
    if (atLeastOneErrorD && (atLeastOneErrorP || atLeastOnePermit)){
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT,
                firstIndeterminateResultD.getStatus(), context);
    }

    // a DENY rule failed and nothing pointed towards PERMIT
    if(atLeastOneErrorD){
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_INDETERMINATE_DENY,
                firstIndeterminateResultD.getStatus(), context);
    }

    // PERMIT is only granted after both DENY-side error checks above have passed
    if (atLeastOnePermit) {
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_PERMIT,
                permitObligations, permitAdvices, context);
    }

    // only PERMIT rules failed: report the error instead of NOT_APPLICABLE
    if (atLeastOneErrorP){
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_INDETERMINATE_PERMIT,
                firstIndeterminateResultP.getStatus(), context);
    }

    // if we hit this point, then none of the rules actually applied
    // to us, so we return NOT_APPLICABLE
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}
Example 12
Source File: PermitOverridesRuleAlg.java From balana with Apache License 2.0 | 4 votes |
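/**
 * Applies the permit-overrides combining rule to the set of rules based on the
 * evaluation context.
 *
 * <p>An explicit PERMIT is returned at once. Otherwise: if a rule whose effect is
 * PERMIT could not be evaluated, the first indeterminate result is returned; else a
 * DENY is returned when at least one rule denied; else the first indeterminate
 * result when any rule failed; else NOT_APPLICABLE.
 *
 * <p>Obligations and advice are collected from DENY results only. The unbraced
 * {@code if} that previously guarded this also copied them from every other result
 * that was neither PERMIT nor indeterminate, so they could end up attached to the
 * combined DENY.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null {@code List} of
 *            {@code CombinerParameter}s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    boolean atLeastOneError = false;
    boolean potentialPermit = false;
    boolean atLeastOneDeny = false;
    AbstractResult firstIndeterminateResult = null;
    List<ObligationResult> denyObligations = new ArrayList<ObligationResult>();
    List<Advice> denyAdvices = new ArrayList<Advice>();
    Iterator it = ruleElements.iterator();

    while (it.hasNext()) {
        Rule rule = ((RuleCombinerElement) (it.next())).getRule();
        AbstractResult result = rule.evaluate(context);
        int value = result.getDecision();

        // if there was a value of PERMIT, then regardless of what
        // else we've seen, we always return PERMIT
        if (value == AbstractResult.DECISION_PERMIT) {
            return result;
        }

        // if it was INDETERMINATE, then we couldn't figure something
        // out, so we keep track of these cases...
        if (value == AbstractResult.DECISION_INDETERMINATE
                || value == AbstractResult.DECISION_INDETERMINATE_DENY
                || value == AbstractResult.DECISION_INDETERMINATE_PERMIT
                || value == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT) {

            atLeastOneError = true;

            // there are no rules about what to do if multiple cases
            // cause errors, so we'll just return the first one
            if (firstIndeterminateResult == null) {
                firstIndeterminateResult = result;
            }

            // if the Rule's effect is PERMIT, then we can't let this
            // alg return DENY, since this Rule might have permitted
            // if it could do its stuff
            if (rule.getEffect() == AbstractResult.DECISION_PERMIT) {
                potentialPermit = true;
            }
        } else {
            // keep track of whether we had at least one rule that
            // actually pertained to the request; only such DENY results
            // contribute obligations and advice
            if (value == AbstractResult.DECISION_DENY) {
                atLeastOneDeny = true;
                denyAdvices.addAll(result.getAdvices());
                denyObligations.addAll(result.getObligations());
            }
        }
    }

    // we didn't explicitly PERMIT, but a PERMIT rule failed to
    // evaluate, so we have to return INDETERMINATE
    if (potentialPermit) {
        return firstIndeterminateResult;
    }

    // some Rule said DENY, so since nothing could have permitted,
    // we return DENY
    if (atLeastOneDeny) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_DENY, denyObligations, denyAdvices, context);
    }

    // we didn't find anything that said DENY, but if we had a
    // problem with one of the Rules, then we're INDETERMINATE
    if (atLeastOneError) {
        return firstIndeterminateResult;
    }

    // if we hit this point, then none of the rules actually applied
    // to us, so we return NOT_APPLICABLE
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}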
Example 13
Source File: DenyOverridesRuleAlg.java From balana with Apache License 2.0 | 4 votes |
/**
 * Applies the deny-overrides combining rule to the set of rules based on the
 * evaluation context.
 *
 * <p>An explicit DENY is returned at once. Otherwise: if a rule whose effect is
 * DENY could not be evaluated, the first indeterminate result is returned; else a
 * PERMIT (with the obligations and advice of all permitting rules) when at least one
 * rule permitted; else the first indeterminate result when any rule failed; else
 * NOT_APPLICABLE.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null {@code List} of
 *            {@code CombinerParameter}s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {

    boolean sawError = false;
    boolean denyRuleFailed = false;
    boolean sawPermit = false;
    AbstractResult firstFailure = null;
    List<ObligationResult> grantedObligations = new ArrayList<ObligationResult>();
    List<Advice> grantedAdvices = new ArrayList<Advice>();

    for (Object element : ruleElements) {
        Rule rule = ((RuleCombinerElement) element).getRule();
        AbstractResult outcome = rule.evaluate(context);
        int decision = outcome.getDecision();

        // DENY overrides everything seen so far.
        if (decision == AbstractResult.DECISION_DENY) {
            return outcome;
        }

        boolean undetermined = decision == AbstractResult.DECISION_INDETERMINATE
                || decision == AbstractResult.DECISION_INDETERMINATE_DENY
                || decision == AbstractResult.DECISION_INDETERMINATE_PERMIT
                || decision == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT;

        if (undetermined) {
            sawError = true;

            // Nothing says which failure to report when several occur, so the
            // first one is kept.
            if (firstFailure == null) {
                firstFailure = outcome;
            }

            // A DENY rule that could not be evaluated might have denied, so this
            // algorithm must not answer PERMIT afterwards.
            if (rule.getEffect() == AbstractResult.DECISION_DENY) {
                denyRuleFailed = true;
            }
            continue;
        }

        // Only PERMIT results contribute obligations and advice.
        if (decision == AbstractResult.DECISION_PERMIT) {
            sawPermit = true;
            grantedAdvices.addAll(outcome.getAdvices());
            grantedObligations.addAll(outcome.getObligations());
        }
    }

    // No explicit DENY, but a DENY rule failed: the answer is INDETERMINATE.
    // The result reported is the first failure seen, which is not necessarily
    // the one produced by that DENY rule.
    if (denyRuleFailed) {
        return firstFailure;
    }

    // Some rule permitted and nothing could have denied.
    if (sawPermit) {
        return ResultFactory.getFactory().getResult(
                AbstractResult.DECISION_PERMIT, grantedObligations, grantedAdvices, context);
    }

    // Nothing permitted, but a rule failed to evaluate.
    if (sawError) {
        return firstFailure;
    }

    // None of the rules applied to this request.
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}