Java Code Examples for org.wso2.balana.AbstractPolicy#match()

Example 1
Source File: DenyUnlessPermitPolicyAlg.java    From balana with Apache License 2.0 5 votes vote down vote up
/**
 * Combines the child policies under deny-unless-permit semantics.
 *
 * <p>Each element is read as a {@code PolicyCombinerElement}. Only policies whose
 * target match equals {@code MatchResult.MATCH} are evaluated. The first PERMIT
 * result is returned unchanged. Obligations and advice from DENY results are
 * collected and attached to the final DENY. Any other outcome (a match result
 * other than MATCH, or a decision that is neither PERMIT nor DENY) contributes
 * nothing, so the method fails closed: without an explicit PERMIT the answer is DENY.
 *
 * @param context the evaluation context of the request
 * @param parameters combiner parameters; not read by this method
 * @param policyElements the policies to combine, as {@code PolicyCombinerElement}s
 * @return the first PERMIT result, otherwise a DENY result carrying the collected
 *         obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    final List<ObligationResult> collectedObligations = new ArrayList<ObligationResult>();
    final List<Advice> collectedAdvices = new ArrayList<Advice>();

    for (Object element : policyElements) {
        final AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();

        // Policies whose target does not match are skipped without being evaluated.
        if (candidate.match(context).getResult() != MatchResult.MATCH) {
            continue;
        }

        final AbstractResult outcome = candidate.evaluate(context);
        final int decision = outcome.getDecision();

        // A single PERMIT wins immediately, whatever was seen before it.
        if (decision == AbstractResult.DECISION_PERMIT) {
            return outcome;
        }
        if (decision == AbstractResult.DECISION_DENY) {
            collectedObligations.addAll(outcome.getObligations());
            collectedAdvices.addAll(outcome.getAdvices());
        }
    }

    // No PERMIT was produced, so the combined decision is DENY.
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_DENY, collectedObligations, collectedAdvices, context);
}
 
Example 2
Source File: PermitUnlessDenyPolicyAlg.java    From balana with Apache License 2.0 5 votes vote down vote up
/**
 * Combines the child policies under permit-unless-deny semantics.
 *
 * <p>Each element is read as a {@code PolicyCombinerElement}. Only policies whose
 * target match equals {@code MatchResult.MATCH} are evaluated. The first DENY
 * result is returned unchanged. Obligations and advice from PERMIT results are
 * collected and attached to the final PERMIT.
 *
 * <p>This combiner fails open: a policy whose match result is anything other than
 * MATCH is skipped, and a decision that is neither DENY nor PERMIT is ignored, so
 * the request is permitted unless some evaluated policy returns DENY.
 * NOTE(review): confirm that treating target-match errors as "skip" is acceptable
 * wherever this algorithm is selected.
 *
 * @param context the evaluation context of the request
 * @param parameters combiner parameters; not read by this method
 * @param policyElements the policies to combine, as {@code PolicyCombinerElement}s
 * @return the first DENY result, otherwise a PERMIT result carrying the collected
 *         obligations and advice
 */
@Override
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    final List<ObligationResult> collectedObligations = new ArrayList<ObligationResult>();
    final List<Advice> collectedAdvices = new ArrayList<Advice>();

    for (Object element : policyElements) {
        final AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();

        // Policies whose target does not match are skipped without being evaluated.
        if (candidate.match(context).getResult() != MatchResult.MATCH) {
            continue;
        }

        final AbstractResult outcome = candidate.evaluate(context);
        final int decision = outcome.getDecision();

        // A single DENY wins immediately, whatever was seen before it.
        if (decision == AbstractResult.DECISION_DENY) {
            return outcome;
        }
        if (decision == AbstractResult.DECISION_PERMIT) {
            collectedObligations.addAll(outcome.getObligations());
            collectedAdvices.addAll(outcome.getAdvices());
        }
    }

    // No DENY was produced, so the combined decision is PERMIT.
    return ResultFactory.getFactory().getResult(
            AbstractResult.DECISION_PERMIT, collectedObligations, collectedAdvices, context);
}
 
Example 3
Source File: FirstApplicablePolicyAlg.java    From balana with Apache License 2.0 5 votes vote down vote up
/**
 * Applies the first-applicable combining rule to the policies, in list order.
 *
 * <p>For each policy the target is matched first. An INDETERMINATE match ends the
 * run at once with an INDETERMINATE decision carrying the match status. A matching
 * policy is evaluated, and its result is returned unless the decision is
 * NOT_APPLICABLE or {@code context.isSearching()} is true; in those two cases the
 * loop moves on to the next policy.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            {@code CombinerParameter}s; not read by this method
 * @param policyElements the policies to combine, as {@code PolicyCombinerElement}s
 *
 * @return the result of running the combining algorithm; NOT_APPLICABLE when no
 *         policy produced a returned result
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    for (Object element : policyElements) {
        AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();

        // The target has to match the context before the policy is evaluated.
        MatchResult targetMatch = candidate.match(context);
        int matchCode = targetMatch.getResult();

        // An error while matching is surfaced immediately rather than skipped.
        if (matchCode == MatchResult.INDETERMINATE) {
            return ResultFactory.getFactory().getResult(AbstractResult.DECISION_INDETERMINATE,
                    targetMatch.getStatus(), context);
        }
        if (matchCode != MatchResult.MATCH) {
            continue;
        }

        AbstractResult outcome = candidate.evaluate(context);
        int effect = outcome.getDecision();

        // Keep looking when the policy did not apply, or when the context is in
        // searching mode; isSearching() is consulted only for applicable decisions.
        if (effect == Result.DECISION_NOT_APPLICABLE || context.isSearching()) {
            continue;
        }

        // PERMIT, DENY and INDETERMINATE are all returned as they are.
        return outcome;
    }

    // Reaching this point means no policy yielded a result that was returned.
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}
 
Example 4
Source File: SimplePolicyCollection.java    From carbon-identity-framework with Apache License 2.0 4 votes vote down vote up
/**
 * Finds the policy that applies to the given evaluation context.
 *
 * <p>Every policy in {@code policyCollection} has its target matched against the
 * context. The search aborts on the first INDETERMINATE match. If several policies
 * match and no combining algorithm is configured, the search aborts as well,
 * because there is no rule for reconciling them.
 *
 * <p>NOTE(review): a {@code null} return means "no applicable policy"; verify that
 * callers do not turn it into a permit.
 *
 * @param context the evaluation context of the request
 * @return {@code null} when nothing matches, the single matching policy when exactly
 *         one matches, otherwise a new {@code PolicySet} wrapping all matches under
 *         {@code combiningAlg}
 * @throws EntitlementException if a target match is INDETERMINATE, or if a second
 *         policy matches while {@code combiningAlg} is {@code null}
 */
@Override
public AbstractPolicy getEffectivePolicy(EvaluationCtx context) throws EntitlementException {

    // Policies whose target matched, in iteration order.
    ArrayList<AbstractPolicy> matched = new ArrayList<AbstractPolicy>();

    for (AbstractPolicy policy : policyCollection.values()) {

        MatchResult match = policy.match(context);
        int matchCode = match.getResult();

        // A matching error stops the search right away.
        if (matchCode == MatchResult.INDETERMINATE) {
            String reason = match.getStatus().getMessage();
            log.error(reason);
            throw new EntitlementException(reason);
        }

        if (matchCode != MatchResult.MATCH) {
            continue;
        }

        if (log.isDebugEnabled()) {
            log.debug("Matching XACML policy found " + policy.getId().toString());
        }

        // A second match is only acceptable when the matches can be combined.
        if (combiningAlg == null && !matched.isEmpty()) {
            log.error("Too many applicable top-level policies");
            throw new EntitlementException("Too many applicable top-level policies");
        }

        matched.add(policy);
    }

    // The search finished without errors; the answer depends on the match count.
    if (matched.isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("No matching XACML policy found");
        }
        return null;
    }
    if (matched.size() == 1) {
        return matched.get(0);
    }
    return new PolicySet(parentId, combiningAlg, null, matched);

}
 
Example 5
Source File: DefaultPolicyCollection.java    From carbon-identity-framework with Apache License 2.0 4 votes vote down vote up
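/**
 * Attempts to retrieve a policy based on the given context. If multiple policies match then
 * this will either throw an exception or wrap the policies under a new PolicySet (depending on
 * how this instance was constructed). If no policies match, then this will return null. See the
 * comment in the class header about how this behaves when multiple versions of the same policy
 * exist.
 *
 * <p>Only the {@code first()} element of each per-identifier {@code TreeSet} is considered.
 *
 * <p>NOTE(review): a {@code null} return means "no applicable policy"; verify that callers
 * do not turn it into a permit.
 *
 * @param context the evaluation context of the request
 * @return {@code null} when nothing matches, the single matching policy when exactly one
 *         matches, otherwise a new {@code PolicySet} wrapping all matches under
 *         {@code combiningAlg}
 * @throws EntitlementException if a target match is INDETERMINATE, or if more than one
 *         policy matches while {@code combiningAlg} is {@code null}
 */
public AbstractPolicy getEffectivePolicy(EvaluationCtx context) throws EntitlementException {
    // setup a list of matching policies
    ArrayList<AbstractPolicy> list = new ArrayList<AbstractPolicy>();

    for (TreeSet<AbstractPolicy> versions : policies.values()) {
        // for each identifier, look only at the first policy of its set
        AbstractPolicy policy = versions.first();

        // see if we match
        MatchResult match = policy.match(context);
        int result = match.getResult();

        // if there was an error, we stop right away
        if (result == MatchResult.INDETERMINATE) {
            log.error(match.getStatus().getMessage());
            throw new EntitlementException(match.getStatus().getMessage());
        }

        // if we matched, we keep track of the matching policy...
        if (result == MatchResult.MATCH) {
            if (log.isDebugEnabled()) {
                log.debug("Matching XACML policy found " + policy.getId().toString());
            }

            // Without a combining algorithm there is no defined way to reconcile
            // several applicable top-level policies. The earlier code built a Status
            // here and discarded it, which let the method fall through and construct
            // a PolicySet with a null combining algorithm. Refuse instead.
            if ((combiningAlg == null) && !list.isEmpty()) {
                log.error("too many applicable top-level policies");
                throw new EntitlementException("too many applicable top-level policies");
            }

            list.add(policy);
        }
    }

    // no errors happened during the search, so now take the right
    // action based on how many policies we found
    switch (list.size()) {
        case 0:
            if (log.isDebugEnabled()) {
                log.debug("No matching XACML policy found");
            }
            return null;
        case 1:
            return list.get(0);
        default:
            return new PolicySet(parentId, combiningAlg, null, list);
    }
}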
 
Example 6
Source File: SimplePolicyCollection.java    From carbon-identity with Apache License 2.0 4 votes vote down vote up
/**
 * Resolves the effective policy for an evaluation context.
 *
 * <p>The target of every entry in {@code policyCollection} is matched against the
 * context. An INDETERMINATE match is logged and raised as an exception. More than
 * one match is accepted only when a combining algorithm is available; otherwise the
 * ambiguity is logged and raised.
 *
 * <p>NOTE(review): a {@code null} return means "no applicable policy"; verify that
 * callers do not turn it into a permit.
 *
 * @param context the evaluation context of the request
 * @return {@code null} for no match, the matching policy for a single match, or a new
 *         {@code PolicySet} over all matches when there are several
 * @throws EntitlementException on an INDETERMINATE target match, or on a second match
 *         while {@code combiningAlg} is {@code null}
 */
@Override
public AbstractPolicy getEffectivePolicy(EvaluationCtx context) throws EntitlementException {

    ArrayList<AbstractPolicy> applicable = new ArrayList<AbstractPolicy>();

    for (Map.Entry<URI, AbstractPolicy> entry : policyCollection.entrySet()) {

        AbstractPolicy current = entry.getValue();
        MatchResult targetMatch = current.match(context);
        int outcome = targetMatch.getResult();

        // Errors during matching end the search immediately.
        if (outcome == MatchResult.INDETERMINATE) {
            String failure = targetMatch.getStatus().getMessage();
            log.error(failure);
            throw new EntitlementException(failure);
        }

        boolean isMatch = (outcome == MatchResult.MATCH);
        if (isMatch) {
            if (log.isDebugEnabled()) {
                log.debug("Matching XACML policy found " + current.getId().toString());
            }

            // With no combining algorithm, an earlier match makes this one an error.
            boolean alreadyMatched = !applicable.isEmpty();
            if (alreadyMatched && combiningAlg == null) {
                log.error("Too many applicable top-level policies");
                throw new EntitlementException("Too many applicable top-level policies");
            }

            applicable.add(current);
        }
    }

    // Nothing went wrong while searching; decide by the number of matches.
    int matches = applicable.size();
    if (matches == 0) {
        if (log.isDebugEnabled()) {
            log.debug("No matching XACML policy found");
        }
        return null;
    } else if (matches == 1) {
        return applicable.get(0);
    } else {
        return new PolicySet(parentId, combiningAlg, null, applicable);
    }

}
 
Example 7
Source File: DefaultPolicyCollection.java    From carbon-identity with Apache License 2.0 4 votes vote down vote up
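/**
 * Attempts to retrieve a policy based on the given context. If multiple policies match then
 * this will either throw an exception or wrap the policies under a new PolicySet (depending on
 * how this instance was constructed). If no policies match, then this will return null. See the
 * comment in the class header about how this behaves when multiple versions of the same policy
 * exist.
 *
 * <p>Only the {@code first()} element of each per-identifier {@code TreeSet} is considered.
 *
 * <p>NOTE(review): a {@code null} return means "no applicable policy"; verify that callers
 * do not turn it into a permit.
 *
 * @param context the evaluation context of the request
 * @return {@code null} when nothing matches, the single matching policy when exactly one
 *         matches, otherwise a new {@code PolicySet} wrapping all matches under
 *         {@code combiningAlg}
 * @throws EntitlementException if a target match is INDETERMINATE, or if more than one
 *         policy matches while {@code combiningAlg} is {@code null}
 */
public AbstractPolicy getEffectivePolicy(EvaluationCtx context) throws EntitlementException {
    // setup a list of matching policies
    ArrayList<AbstractPolicy> list = new ArrayList<AbstractPolicy>();

    for (TreeSet<AbstractPolicy> versions : policies.values()) {
        // for each identifier, look only at the first policy of its set
        AbstractPolicy policy = versions.first();

        // see if we match
        MatchResult match = policy.match(context);
        int result = match.getResult();

        // if there was an error, we stop right away
        if (result == MatchResult.INDETERMINATE) {
            log.error(match.getStatus().getMessage());
            throw new EntitlementException(match.getStatus().getMessage());
        }

        // if we matched, we keep track of the matching policy...
        if (result == MatchResult.MATCH) {
            if (log.isDebugEnabled()) {
                log.debug("Matching XACML policy found " + policy.getId().toString());
            }

            // Several applicable top-level policies cannot be reconciled without a
            // combining algorithm. Previously the error Status was created and then
            // dropped, so the method went on to build a PolicySet with a null
            // combining algorithm. Fail the lookup instead, as the Javadoc promises.
            if ((combiningAlg == null) && !list.isEmpty()) {
                log.error("too many applicable top-level policies");
                throw new EntitlementException("too many applicable top-level policies");
            }

            list.add(policy);
        }
    }

    // no errors happened during the search, so now take the right
    // action based on how many policies we found
    switch (list.size()) {
        case 0:
            if (log.isDebugEnabled()) {
                log.debug("No matching XACML policy found");
            }
            return null;
        case 1:
            return list.get(0);
        default:
            return new PolicySet(parentId, combiningAlg, null, list);
    }
}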
 
Example 8
Source File: FileBasedPolicyFinderModule.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Finds the loaded policy (or policies) applicable to the given evaluation context.
 *
 * <p>The target of every loaded policy is matched against the context. An
 * INDETERMINATE match ends the search and its status is returned as the result.
 * A second match without a configured combining algorithm ends the search with a
 * processing-error status.
 *
 * @param context the evaluation context of the request
 * @return an empty {@code PolicyFinderResult} when nothing matches, a result wrapping
 *         the single matching policy, a result wrapping a new {@code PolicySet} over
 *         all matches, or a result carrying an error {@code Status}
 */
@Override
public PolicyFinderResult findPolicy(EvaluationCtx context) {

    ArrayList<AbstractPolicy> applicable = new ArrayList<AbstractPolicy>();

    // Walk every policy that is currently loaded.
    for (Map.Entry<URI, AbstractPolicy> loaded : policies.entrySet()) {

        AbstractPolicy candidate = loaded.getValue();
        MatchResult targetMatch = candidate.match(context);
        int matchCode = targetMatch.getResult();

        // An indeterminate target match is reported to the caller as an error.
        if (matchCode == MatchResult.INDETERMINATE) {
            return new PolicyFinderResult(targetMatch.getStatus());
        }

        if (matchCode != MatchResult.MATCH) {
            continue;
        }

        // An earlier match plus no combining algorithm means the choice is ambiguous.
        if (combiningAlg == null && !applicable.isEmpty()) {
            ArrayList<String> code = new ArrayList<String>();
            code.add(Status.STATUS_PROCESSING_ERROR);
            return new PolicyFinderResult(
                    new Status(code, "too many applicable top-level policies"));
        }

        applicable.add(candidate);
    }

    // The search finished without errors; the answer depends on the match count.
    if (applicable.isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("No matching XACML policy found");
        }
        return new PolicyFinderResult();
    }
    if (applicable.size() == 1) {
        return new PolicyFinderResult((applicable.get(0)));
    }
    return new PolicyFinderResult(new PolicySet(null, combiningAlg, null, applicable));
}
 
Example 9
Source File: OnlyOneApplicablePolicyAlg.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Applies the only-one-applicable combining rule to the policies.
 *
 * <p>Every policy's target is matched against the context. An INDETERMINATE match
 * ends the run with an INDETERMINATE decision carrying the match status. A second
 * matching policy ends the run with an INDETERMINATE decision and a processing-error
 * status. Policies are only matched inside the loop; the single matching policy is
 * evaluated after the loop has finished.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            {@code CombinerParameter}s; not read by this method
 * @param policyElements the policies to combine, as {@code PolicyCombinerElement}s
 *
 * @return the evaluation result of the one matching policy, NOT_APPLICABLE when none
 *         matches, or INDETERMINATE on a matching error or more than one match
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    // The one policy that matched so far; null until a match is found.
    AbstractPolicy selectedPolicy = null;

    for (Object element : policyElements) {
        AbstractPolicy candidate = ((PolicyCombinerElement) element).getPolicy();

        MatchResult targetMatch = candidate.match(context);
        int matchCode = targetMatch.getResult();

        // Any error while matching a target yields INDETERMINATE immediately.
        if (matchCode == MatchResult.INDETERMINATE) {
            return ResultFactory.getFactory().getResult(AbstractResult.DECISION_INDETERMINATE,
                    targetMatch.getStatus(), context);
        }
        if (matchCode != MatchResult.MATCH) {
            continue;
        }

        // A match after an earlier match violates the "only one" rule.
        if (selectedPolicy != null) {
            List code = new ArrayList();
            code.add(Status.STATUS_PROCESSING_ERROR);
            Status tooMany = new Status(code, "Too many applicable policies");
            return ResultFactory.getFactory().getResult(
                    AbstractResult.DECISION_INDETERMINATE, tooMany, context);
        }

        // First applicable policy: remember it for evaluation after the loop.
        selectedPolicy = candidate;
    }

    // No policy matched, so the combined decision is NOT_APPLICABLE.
    if (selectedPolicy == null) {
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
    }

    // Exactly one policy matched; its evaluation is the combined result.
    return selectedPolicy.evaluate(context);
}