[jboss-cvs] JBossAS SVN: r86268 - in projects/security/security-xacml/trunk/jboss-sunxacml/src: test/java/org/jboss/test/security/sunxacml/policy and 1 other directories.
jboss-cvs-commits at lists.jboss.org
Tue Mar 24 13:40:32 EDT 2009
Author: anil.saldhana at jboss.com
Date: 2009-03-24 13:40:32 -0400 (Tue, 24 Mar 2009)
New Revision: 86268
Added:
projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml
Modified:
projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java
projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
Log:
SECURITY-397: HigherOrderFunction type check on evaluatables
Modified: projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java 2009-03-24 16:38:32 UTC (rev 86267)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java 2009-03-24 17:40:32 UTC (rev 86268)
@@ -51,9 +51,13 @@
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.Indenter;
+import org.jboss.security.xacml.sunxacml.attr.AnyURIAttribute;
import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
import org.jboss.security.xacml.sunxacml.attr.BooleanAttribute;
+import org.jboss.security.xacml.sunxacml.attr.DNSNameAttribute;
+import org.jboss.security.xacml.sunxacml.attr.IPAddressAttribute;
+import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
/**
@@ -416,11 +420,14 @@
Evaluatable eval1 = (Evaluatable)(list[1]);
Evaluatable eval2 = (Evaluatable)(list[2]);
- // make sure the two args are of the same type
- if (! eval1.getType().equals(eval2.getType()))
+ // make sure the two args are of the same type
+ if(StringAttribute.identifier.equals(eval1.getType().toString()))
+ this.checkType(eval2.getType().toString());
+ else
+ if (! eval1.getType().equals(eval2.getType()))
throw new IllegalArgumentException("input types to the any/all " +
- "functions must match");
-
+ "functions must match");
+
// the first arg might be a bag
if (secondIsBag && (! eval1.returnsBag()))
throw new IllegalArgumentException("first arg has to be a bag");
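Review bot: The relaxed check at `if(StringAttribute.identifier.equals(eval1.getType().toString()))` loosens load-time validation for every higher-order function, not only the regexp-match ones SECURITY-397 is about: with a String first argument any of the whitelisted second types is accepted regardless of which Function is being applied, so an any-of over string-equal with a String value and an anyURI bag now passes checkInputs and the mismatch only surfaces at evaluation time. The check is also one-sided, since a String second argument with an anyURI first argument still falls through to the equality test. A more robust approach is to validate the two evaluatables against the argument types the wrapped function itself declares (sunxacml functions expose a `checkInputs(List)` for this; verify the fork's Function interface) rather than a hard-coded list of attribute types. The `else` followed by an unbraced `if` on the next line reads as `else if` in intent; braces around both branches would make it unambiguous. checkInputs starts before and continues after this hunk, and the same hard-coded list is the subject of the checkType hunk below.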
@@ -576,6 +583,20 @@
PrintStream out = new PrintStream(output);
out.println(indenter.makeString() + "<Function FunctionId=\"" +
getIdentifier().toString() + "\"/>");
+ }
+
+ /**
+ * SECURITY-397: XACML 2.0 reg exp matching functions have varying
+ * evaluatable second types (anyURI etc) when the first type is
+ * String
+ * @param type
+ */
+ private void checkType(String type)
+ {
+ if(!(type.equals(StringAttribute.identifier) ||
+ type.equals(AnyURIAttribute.identifier) ||
+ type.equals(IPAddressAttribute.identifier) ||
+ type.equals(DNSNameAttribute.identifier)))
+ throw new IllegalArgumentException("type is invalid:" + type);
}
-
}
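Review bot: `checkType` accepts only four data types, but XACML 2.0 also defines rfc822Name-regexp-match and x500Name-regexp-match, so a policy using either with a String pattern is still rejected with "input types to the any/all functions must match"; if the fork carries RFC822NameAttribute and X500NameAttribute, their identifiers belong in this list, or better, the list should be derived from the wrapped function's declared argument types so each new function does not need another patch here. The message in `throw new IllegalArgumentException("type is invalid:" + type);` lacks a space after the colon and does not say which argument it concerns; `"second argument type " + type + " is not allowed when the first argument is a string"` gives the policy author something actionable. The Javadoc should also state that `type` is the URI form of the attribute data type and add `@throws IllegalArgumentException if type is not one of the accepted identifiers`.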
Modified: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java 2009-03-24 16:38:32 UTC (rev 86267)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java 2009-03-24 17:40:32 UTC (rev 86268)
@@ -43,12 +43,18 @@
}
- public void testFunctionMatch() throws Exception
+ public void testFunctionMatch_01() throws Exception
{
String fileName = "src/test/resources/policies/function-match/function-match-policy-01.xml";
readPolicyIntoPDP(fileName);
}
+ public void testFunctionMatch_02() throws Exception
+ {
+ String fileName = "src/test/resources/policies/function-match/function-match-policy-02.xml";
+ readPolicyIntoPDP(fileName);
+ }
+
public void testHimmss09_01() throws Exception
{
String fileName = "src/test/resources/policies/himss09/himss-policy-01.xml";
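Review bot: `testFunctionMatch_02` only proves the regexp policy loads; nothing in this commit asserts that the rejecting path still works, so a regression that drops the type check entirely would pass this suite unnoticed. A companion test that feeds a policy with mismatched non-regexp argument types (for example any-of over string-equal with a String value and an anyURI designator) through `readPolicyIntoPDP` and expects the load to fail would pin the load-time check that the issue relies on. The enclosing test class starts before this hunk.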
Added: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml 2009-03-24 17:40:32 UTC (rev 86268)
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
+ PolicySetId="PolicySet:test-1"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd">
+ <Description>
+ policy demonstrating bug in jboss-sunxacml 2.0.2 / 2.0.3
+ (org.jboss.security.xacml.sunxacml.cond.HighOrderFunction#checkInputs(List)
+ -> error msg "input types to the any/all functions must match")
+
+ bag-function "any-of" must not check on equality of parameter types
+ -> function "anyURI-regexp-match" needs 1. parameter "string" 2. parameter "anyURI"
+ </Description>
+ <Target/>
+ <Policy PolicyId="policy:test-higher-order"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target/>
+ <Rule Effect="Permit" RuleId="rule:higher-order-function">
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"/>
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">.*100101</AttributeValue>
+ <SubjectAttributeDesignator
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI"
+ AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule Effect="Deny" RuleId="rule:no:permission">
+ <Description>If no rule applied above then set Deny by default.</Description>
+ </Rule>
+ </Policy>
+</PolicySet>
\ No newline at end of file