[jboss-cvs] JBossAS SVN: r86268 - in projects/security/security-xacml/trunk/jboss-sunxacml/src: test/java/org/jboss/test/security/sunxacml/policy and 1 other directories.

Tue Mar 24 13:40:32 EDT 2009


Author: anil.saldhana at jboss.com
Date: 2009-03-24 13:40:32 -0400 (Tue, 24 Mar 2009)
New Revision: 86268

Added:
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml
Modified:
   projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java
   projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
Log:
SECURITY-397: HigherOrderFunction type check on evaluatables

Modified: projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java	2009-03-24 16:38:32 UTC (rev 86267)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/cond/HigherOrderFunction.java	2009-03-24 17:40:32 UTC (rev 86268)
@@ -51,9 +51,13 @@
 
 import org.jboss.security.xacml.sunxacml.EvaluationCtx;
 import org.jboss.security.xacml.sunxacml.Indenter;
+import org.jboss.security.xacml.sunxacml.attr.AnyURIAttribute;
 import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
 import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
 import org.jboss.security.xacml.sunxacml.attr.BooleanAttribute;
+import org.jboss.security.xacml.sunxacml.attr.DNSNameAttribute;
+import org.jboss.security.xacml.sunxacml.attr.IPAddressAttribute;
+import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
 
 
 /**
@@ -416,11 +420,14 @@
         Evaluatable eval1 = (Evaluatable)(list[1]);
         Evaluatable eval2 = (Evaluatable)(list[2]);
 
-        // make sure the two args are of the same type
-        if (! eval1.getType().equals(eval2.getType()))
+        // make sure the two args are of the same type 
+        if(StringAttribute.identifier.equals(eval1.getType().toString()))
+           this.checkType(eval2.getType().toString());
+        else
+          if (! eval1.getType().equals(eval2.getType()))
             throw new IllegalArgumentException("input types to the any/all " +
-                                               "functions must match");
-
+                                                 "functions must match"); 
+        
         // the first arg might be a bag
         if (secondIsBag && (! eval1.returnsBag()))
             throw new IllegalArgumentException("first arg has to be a bag");
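Review bot: The relaxed branch at `if(StringAttribute.identifier.equals(eval1.getType().toString()))` accepts any of the four whitelisted second types whenever the first evaluatable is a string, without looking at which function `list[0]` actually is, so any-of/all-of over a non-regexp function (say a string-equality function with a string and a bag of anyURIs) now passes this check and the mismatch would presumably only surface when the function runs; the enclosing method starts outside the hunk. If the wrapped function's own input contract is reachable here, asking it would be tighter than a fixed list. The asymmetry also deserves a comment, since an anyURI first argument with a string second still throws: `// XACML 2.0 *-regexp-match functions take (string, X); only the string-first order is relaxed`. The brace-less nested `if`/`else`/`if` leaves the scope of the throw hard to read and the rewritten lines carry trailing whitespace; bracing both branches would fix both.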
@@ -576,6 +583,20 @@
         PrintStream out = new PrintStream(output);
         out.println(indenter.makeString() + "<Function FunctionId=\"" +
                     getIdentifier().toString() + "\"/>");
+    } 
+    
+    /**
+     * SECURITY-397: XACML 2.0 reg exp matching functions have varying
+     * evaluatable second types (anyURI etc) when the first type is
+     * String
+     * @param type
+     */
+    private void checkType(String type)
+    {
+       if(!(type.equals(StringAttribute.identifier) ||
+             type.equals(AnyURIAttribute.identifier) || 
+             type.equals(IPAddressAttribute.identifier) ||
+             type.equals(DNSNameAttribute.identifier)))
+          throw new IllegalArgumentException("type is invalid:" + type);
     }
-
 }
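Review bot: `checkType` has an empty `@param type` and documents no failure mode; its Javadoc should say `@param type the XACML datatype identifier of the second evaluatable` and `@throws IllegalArgumentException if {@code type} is not string, anyURI, ipAddress or dnsName`. The method reads no instance state, so it can be `static`, and the four identifiers are better declared once in a `static final Set<String>` than repeated in a chain of `equals` calls (this needs `java.util.Arrays`, `Collections`, `HashSet` and `Set` imported in the earlier hunk). The message `"type is invalid:" + type` gives the reader no context; naming the rule being enforced helps when the policy fails to load. The class's closing brace is in this hunk, and the added `}` line before the Javadoc has trailing whitespace.
```java
    /** Second-argument datatypes accepted when the first argument is a string (XACML 2.0 *-regexp-match functions). */
    private static final Set<String> STRING_FIRST_SECOND_TYPES =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            StringAttribute.identifier, AnyURIAttribute.identifier,
            IPAddressAttribute.identifier, DNSNameAttribute.identifier)));

    /**
     * SECURITY-397: XACML 2.0 regexp matching functions take a string first
     * argument and a varying second type (anyURI etc.).
     * @param type the XACML datatype identifier of the second evaluatable
     * @throws IllegalArgumentException if {@code type} is not string, anyURI, ipAddress or dnsName
     */
    private static void checkType(String type)
    {
       if (!STRING_FIRST_SECOND_TYPES.contains(type))
          throw new IllegalArgumentException(
             "second arg type not allowed with a string first arg: " + type);
    }
```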

Modified: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java	2009-03-24 16:38:32 UTC (rev 86267)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/policy/PolicyReadUnitTestCase.java	2009-03-24 17:40:32 UTC (rev 86268)
@@ -43,12 +43,18 @@
    }
    
    
-   public void testFunctionMatch() throws Exception
+   public void testFunctionMatch_01() throws Exception
    {   
       String fileName = "src/test/resources/policies/function-match/function-match-policy-01.xml";
       readPolicyIntoPDP(fileName);
    }
    
+   public void testFunctionMatch_02() throws Exception
+   {   
+      String fileName = "src/test/resources/policies/function-match/function-match-policy-02.xml";
+      readPolicyIntoPDP(fileName);
+   }
+   
    public void testHimmss09_01() throws Exception
    {
       String fileName = "src/test/resources/policies/himss09/himss-policy-01.xml";
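Review bot: `testFunctionMatch_02` only shows that the relaxed check accepts the string/anyURI pair; nothing pins that a genuinely mismatched pair (for example a string first argument with an integer-typed designator) is still rejected, so a regression that dropped the `checkType` call altogether would pass this suite. A companion test that reads such a policy and asserts the expected exception from `readPolicyIntoPDP` (defined outside the hunk) would cover the negative path. Renaming `testFunctionMatch` to `testFunctionMatch_01` is fine, but it is a rename of an existing test rather than an addition and is worth a word in the log.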

Added: projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml	                        (rev 0)
+++ projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/policies/function-match/function-match-policy-02.xml	2009-03-24 17:40:32 UTC (rev 86268)
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" 
+        PolicySetId="PolicySet:test-1" 
+        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd">
+    <Description>
+        policy demonstrating bug in jboss-sunxacml 2.0.2 / 2.0.3
+        (org.jboss.security.xacml.sunxacml.cond.HighOrderFunction#checkInputs(List)
+         -> error msg "input types to the any/all functions must match")
+        
+        bag-function "any-of" must not check on equality of parameter types
+        -> function "anyURI-regexp-match" needs 1. parameter "string" 2. parameter "anyURI"
+    </Description>
+    <Target/>
+    <Policy PolicyId="policy:test-higher-order" 
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+        <Target/>
+        <Rule Effect="Permit" RuleId="rule:higher-order-function">
+            <Target/>
+            <Condition>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+                    <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"/>
+                    <AttributeValue 
+                        DataType="http://www.w3.org/2001/XMLSchema#string">.*100101</AttributeValue>
+                    <SubjectAttributeDesignator 
+                        DataType="http://www.w3.org/2001/XMLSchema#anyURI" 
+                        AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
+                </Apply>
+            </Condition>
+        </Rule>
+        <Rule Effect="Deny" RuleId="rule:no:permission">
+            <Description>If no rule applied above then set Deny by default.</Description>
+        </Rule>
+    </Policy>
+</PolicySet>
\ No newline at end of file
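Review bot: The `<Description>` names the class `HighOrderFunction` and points at `checkInputs(List)`, while the patched class is `HigherOrderFunction`; aligning the fixture text with the code it exercises makes the test easier to trace back to SECURITY-397. The file is also committed without a trailing newline.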



