/*
* Copyright (c) WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.identity.entitlement.common;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.impl.Constants;
import org.apache.xerces.util.SecurityManager;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.wso2.carbon.identity.entitlement.common.dto.PolicyEditorDataHolder;
import org.wso2.carbon.identity.entitlement.common.util.CarbonEntityResolver;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/**
 * {@link DataPersistenceManager} that keeps the policy editor XML configuration of each
 * editor type in memory and parses it into {@link PolicyEditorDataHolder} instances.
 */
public class InMemoryPersistenceManager implements DataPersistenceManager {
// Logger for XML parse and stream-handling failures.
private static Log log = LogFactory.getLog(InMemoryPersistenceManager.class);
// Raw XML configuration per policy editor type, keyed by the editor type name (see persistConfig).
private Map<String, String> xmlConfig = new HashMap<String, String>();
// Xerces property under which the SecurityManager that caps entity expansion is installed
// on the DocumentBuilderFactory (see getSecuredDocumentBuilder).
private static final String SECURITY_MANAGER_PROPERTY = Constants.XERCES_PROPERTY_PREFIX +
        Constants.SECURITY_MANAGER_PROPERTY;
// Number of entity expansions the parser is allowed to perform while parsing a configuration.
private static final int ENTITY_EXPANSION_LIMIT = 0;
// SAX feature URI for external general entity resolution; switched off to block XXE.
public static final String EXTERNAL_GENERAL_ENTITIES_URI = "http://xml.org/sax/features/external-general-entities";
/**
 * Builds a data holder for every known policy editor type that has a configuration.
 * <p>
 * The configuration map is re-read through {@link #getConfig()} first, so a subclass that
 * overrides it can supply configuration from elsewhere.
 *
 * @return editor type to parsed holder; types without a configuration are absent
 * @throws PolicyEditorException if any configuration fails validation while being parsed
 */
@Override
public Map<String, PolicyEditorDataHolder> buildDataHolder() throws PolicyEditorException {
    xmlConfig = this.getConfig();
    Map<String, PolicyEditorDataHolder> holders = new HashMap<String, PolicyEditorDataHolder>();
    for (String editorType : EntitlementConstants.PolicyEditor.EDITOR_TYPES) {
        String config = xmlConfig.get(editorType);
        PolicyEditorDataHolder holder = buildDataHolder(editorType, config);
        if (holder == null) {
            // null means "no configuration for this type" (see the two-argument overload)
            continue;
        }
        holders.put(editorType, holder);
    }
    return holders;
}
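/**
 * Parses one editor type's XML configuration into a {@link PolicyEditorDataHolder}.
 * <p>
 * The document is parsed with the hardened builder from {@link #getSecuredDocumentBuilder()};
 * each top-level section ({@code categories}, {@code ruleCombiningAlgorithm},
 * {@code policyCombiningAlgorithm}, {@code attributeIds}, {@code dataTypes}, {@code functions},
 * {@code preFunctions}, {@code rule}, {@code policyDescription}) is handed to its parser.
 *
 * @param type      policy editor type the configuration belongs to; BASIC and RBAC restrict
 *                  the accepted category names
 * @param xmlConfig the XML document as a string, or {@code null} when the type is not configured
 * @return the populated holder, or {@code null} when {@code xmlConfig} is {@code null}
 * @throws PolicyEditorException if the document cannot be parsed, or a section references an
 *                               unsupported category, algorithm, data type, function or effect
 */
private PolicyEditorDataHolder buildDataHolder(String type, String xmlConfig) throws PolicyEditorException {
    if (xmlConfig == null) {
        return null;
    }
    Element root;
    // Encode explicitly: String.getBytes() with no charset uses the platform default, which
    // mangles non-ASCII configuration text on JVMs whose default is not UTF-8.
    try (ByteArrayInputStream inputStream =
                 new ByteArrayInputStream(xmlConfig.getBytes(StandardCharsets.UTF_8))) {
        Document doc = getSecuredDocumentBuilder().parse(inputStream);
        root = doc.getDocumentElement();
    } catch (ParserConfigurationException | SAXException | IOException e) {
        // persistConfig() calls this method to verify a configuration before storing it, so a
        // malformed document has to be reported instead of silently producing an empty holder.
        String message = "DOM of request element can not be created from String";
        log.error(message, e);
        // Only the single-argument constructor is used in this file, so the cause is kept in the log.
        throw new PolicyEditorException(message);
    }
    PolicyEditorDataHolder holder = new PolicyEditorDataHolder();
    if (root == null) {
        return holder;
    }
    NodeList sections = root.getChildNodes();
    for (int i = 0; i < sections.getLength(); i++) {
        Node section = sections.item(i);
        String sectionName = section.getNodeName();
        if ("categories".equals(sectionName)) {
            parseCategories(type, section, holder);
        } else if ("ruleCombiningAlgorithm".equals(sectionName)) {
            parseAlgorithm(section, holder, false);
        } else if ("policyCombiningAlgorithm".equals(sectionName)) {
            parseAlgorithm(section, holder, true);
        } else if ("attributeIds".equals(sectionName)) {
            parseAttributeIds(section, holder);
        } else if ("dataTypes".equals(sectionName)) {
            parseDataTypes(section, holder);
        } else if ("functions".equals(sectionName)) {
            parseFunctions(section, holder);
        } else if ("preFunctions".equals(sectionName)) {
            parsePreFunctions(section, holder);
        } else if ("rule".equals(sectionName)) {
            parseRule(section, holder);
        } else if ("policyDescription".equals(sectionName)) {
            // the flag is only ever switched on; anything but the literal "true" leaves it unchanged
            if ("true".equals(section.getTextContent())) {
                holder.setShowPolicyDescription(true);
            }
        }
    }
    return holder;
}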
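/**
 * Creates a namespace-aware {@link DocumentBuilder} hardened against XML external entity (XXE)
 * and entity-expansion attacks.
 * <p>
 * Secure processing is switched on, entity references are left unexpanded, XInclude and the
 * loading of external general entities, external parameter entities and external DTDs are
 * disabled, and a Xerces {@link SecurityManager} caps entity expansion at
 * {@link #ENTITY_EXPANSION_LIMIT}. Entity lookups are routed through {@link CarbonEntityResolver}.
 *
 * @return a freshly configured, hardened builder
 * @throws ParserConfigurationException if the underlying parser does not support one of the
 *                                      security features requested here
 */
private DocumentBuilder getSecuredDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    // No entity expansion and no XInclude: the configuration must not be able to pull in
    // other documents or local files.
    factory.setExpandEntityReferences(false);
    factory.setXIncludeAware(false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setFeature(EXTERNAL_GENERAL_ENTITIES_URI, false);
    // Parameter entities and external DTD loading are separate fetch paths; disabling only
    // general entities still leaves them open.
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    factory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);
    DocumentBuilder documentBuilder = factory.newDocumentBuilder();
    documentBuilder.setEntityResolver(new CarbonEntityResolver());
    return documentBuilder;
}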
/**
 * Stores the XML configuration for a policy editor type after running it through the parser.
 * <p>
 * The parse pass performs the semantic validation (category names, algorithm, data type,
 * function and effect URIs) and raises {@link PolicyEditorException} before anything is stored.
 *
 * @param policyEditorType editor type the configuration is for
 * @param xmlConfig        the configuration document as a string
 * @throws PolicyEditorException if the configuration fails validation
 */
@Override
public void persistConfig(String policyEditorType, String xmlConfig) throws PolicyEditorException {
    // validation only; the resulting holder is not kept
    buildDataHolder(policyEditorType, xmlConfig);
    this.xmlConfig.put(policyEditorType, xmlConfig);
}
/**
 * Returns the live backing map of editor type to raw XML configuration.
 * <p>
 * This is the manager's own map, not a copy: entries added through
 * {@link #persistConfig(String, String)} are visible through it and changes made by the
 * caller affect this instance.
 *
 * @return the configuration map held by this instance
 */
@Override
public Map<String, String> getConfig() {
    return this.xmlConfig;
}
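/**
 * Reads the {@code <categories>} section into the holder's category maps.
 * <p>
 * For each {@code <category>} the {@code name}, {@code uri}, {@code supportedAttributeIds} and
 * {@code supportedDataTypes} children are collected; the first listed attribute id becomes the
 * category's default attribute id. Entries without a {@code <name>} are ignored.
 *
 * @param type   policy editor type; for BASIC and RBAC the category name must pass
 *               {@link Utils#isValidCategory(String)}
 * @param root   the {@code <categories>} element
 * @param holder receives the parsed categories
 * @throws PolicyEditorException if a restricted editor type lists an unsupported category name
 */
private void parseCategories(String type, Node root, PolicyEditorDataHolder holder) throws PolicyEditorException {
    boolean restrictedNames = EntitlementConstants.PolicyEditor.BASIC.equals(type)
            || EntitlementConstants.PolicyEditor.RBAC.equals(type);
    NodeList categories = root.getChildNodes();
    for (int i = 0; i < categories.getLength(); i++) {
        Node category = categories.item(i);
        if (!"category".equals(category.getNodeName())) {
            continue;
        }
        String name = null;
        String uri = null;
        String defaultAttributeId = null;
        Set<String> attributeIds = null;
        Set<String> dataTypes = null;
        NodeList fields = category.getChildNodes();
        for (int j = 0; j < fields.getLength(); j++) {
            Node field = fields.item(j);
            String fieldName = field.getNodeName();
            if ("name".equals(fieldName)) {
                name = field.getTextContent();
                if (restrictedNames && !Utils.isValidCategory(name)) {
                    throw new PolicyEditorException("Invalid Category : " + name
                            + " Basic policy editor supports only for Subject, "
                            + "Resource, Action and Environment category names. "
                            + "But you can change the URI of them");
                }
            } else if ("uri".equals(fieldName)) {
                uri = field.getTextContent();
            } else if ("supportedAttributeIds".equals(fieldName)) {
                attributeIds = new HashSet<String>();
                NodeList ids = field.getChildNodes();
                for (int k = 0; k < ids.getLength(); k++) {
                    Node id = ids.item(k);
                    if (!"attributeId".equals(id.getNodeName())) {
                        continue;
                    }
                    String attributeId = id.getTextContent();
                    // The first attribute id is the category default. It is remembered here and
                    // stored once the name is known, so an <supportedAttributeIds> element that
                    // precedes <name> no longer registers the default under a null key.
                    if (attributeIds.isEmpty()) {
                        defaultAttributeId = attributeId;
                    }
                    attributeIds.add(attributeId);
                }
            } else if ("supportedDataTypes".equals(fieldName)) {
                dataTypes = new HashSet<String>();
                NodeList types = field.getChildNodes();
                for (int k = 0; k < types.getLength(); k++) {
                    Node dataType = types.item(k);
                    if ("dataType".equals(dataType.getNodeName())) {
                        dataTypes.add(dataType.getTextContent());
                    }
                }
            }
        }
        if (name == null) {
            continue;
        }
        if (uri != null) {
            holder.getCategoryMap().put(name, uri);
        }
        if (attributeIds != null) {
            holder.getCategoryAttributeIdMap().put(name, attributeIds);
        }
        if (defaultAttributeId != null) {
            holder.getCategoryDefaultAttributeIdMap().put(name, defaultAttributeId);
        }
        if (dataTypes != null) {
            holder.getCategoryDataTypeMap().put(name, dataTypes);
        }
    }
}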
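/**
 * Reads a {@code <ruleCombiningAlgorithm>} or {@code <policyCombiningAlgorithm>} section.
 * <p>
 * Each {@code <algorithm>} under {@code <algorithms>} contributes a name/URI pair to the rule or
 * policy combining-algorithm map; {@code <display>} switches the corresponding "show" flag on
 * when its text is {@code "true"}, and {@code <defaultAlgorithm>} sets the default algorithm.
 *
 * @param root     the section element
 * @param holder   receives the parsed algorithms
 * @param isPolicy {@code true} for policy combining algorithms, {@code false} for rule ones
 * @throws PolicyEditorException if an algorithm URI fails {@link Utils#isValidRuleAlgorithm}
 */
private void parseAlgorithm(Node root, PolicyEditorDataHolder holder, boolean isPolicy)
        throws PolicyEditorException {
    NodeList children = root.getChildNodes();
    for (int i = 0; i < children.getLength(); i++) {
        Node child = children.item(i);
        String childName = child.getNodeName();
        if ("algorithms".equals(childName)) {
            NodeList algorithms = child.getChildNodes();
            for (int j = 0; j < algorithms.getLength(); j++) {
                Node algorithm = algorithms.item(j);
                if (!"algorithm".equals(algorithm.getNodeName())) {
                    continue;
                }
                // name and uri are scoped to one <algorithm>: an entry that lacks one of them is
                // skipped instead of being registered with the value left over from the previous
                // entry, and the pair is validated and stored once, after both are read.
                String name = null;
                String uri = null;
                NodeList parts = algorithm.getChildNodes();
                for (int k = 0; k < parts.getLength(); k++) {
                    Node part = parts.item(k);
                    if ("name".equals(part.getNodeName())) {
                        name = part.getTextContent();
                    } else if ("uri".equals(part.getNodeName())) {
                        uri = part.getTextContent();
                    }
                }
                if (name == null || uri == null) {
                    continue;
                }
                if (!Utils.isValidRuleAlgorithm(uri, isPolicy)) {
                    throw new PolicyEditorException("Invalid Algorithm : " + uri);
                }
                if (isPolicy) {
                    holder.getPolicyCombiningAlgorithms().put(name, uri);
                } else {
                    holder.getRuleCombiningAlgorithms().put(name, uri);
                }
            }
        } else if ("display".equals(childName)) {
            if ("true".equals(child.getTextContent())) {
                if (isPolicy) {
                    holder.setShowPolicyAlgorithms(true);
                } else {
                    holder.setShowRuleAlgorithms(true);
                }
            }
        } else if ("defaultAlgorithm".equals(childName)) {
            if (isPolicy) {
                holder.setDefaultPolicyAlgorithm(child.getTextContent());
            } else {
                holder.setDefaultRuleAlgorithm(child.getTextContent());
            }
        }
    }
}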
/**
 * Reads the {@code <attributeIds>} section into the holder's attribute id maps.
 * <p>
 * Every {@code <attributeId>} with a {@code <name>} contributes its {@code <uri>} to the
 * attribute id map and, when present, its {@code <dataType>} to the attribute-id data type map.
 * Entries without a name are ignored; no URI validation is performed here.
 *
 * @param root   the {@code <attributeIds>} element
 * @param holder receives the parsed attribute ids
 */
private void parseAttributeIds(Node root, PolicyEditorDataHolder holder) {
    NodeList entries = root.getChildNodes();
    for (int i = 0; i < entries.getLength(); i++) {
        Node entry = entries.item(i);
        if (!"attributeId".equals(entry.getNodeName())) {
            continue;
        }
        String name = null;
        String uri = null;
        String dataType = null;
        NodeList parts = entry.getChildNodes();
        for (int j = 0; j < parts.getLength(); j++) {
            Node part = parts.item(j);
            String partName = part.getNodeName();
            if ("name".equals(partName)) {
                name = part.getTextContent();
            } else if ("uri".equals(partName)) {
                uri = part.getTextContent();
            } else if ("dataType".equals(partName)) {
                dataType = part.getTextContent();
            }
        }
        if (name == null) {
            continue;
        }
        if (uri != null) {
            holder.getAttributeIdMap().put(name, uri);
        }
        if (dataType != null) {
            holder.getAttributeIdDataTypeMap().put(name, dataType);
        }
    }
}
/**
 * Reads the {@code <dataTypes>} section into the holder's data type map.
 * <p>
 * Each {@code <dataType>} with both a {@code <name>} and a {@code <uri>} is validated through
 * {@link Utils#isValidDataType(String)} and stored; a {@code <defaultDataTypes>} child sets the
 * default data type.
 *
 * @param root   the {@code <dataTypes>} element
 * @param holder receives the parsed data types
 * @throws PolicyEditorException if a data type URI is not supported
 */
private void parseDataTypes(Node root, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList entries = root.getChildNodes();
    for (int i = 0; i < entries.getLength(); i++) {
        Node entry = entries.item(i);
        String entryName = entry.getNodeName();
        if ("defaultDataTypes".equals(entryName)) {
            holder.setDefaultDataType(entry.getTextContent());
        } else if ("dataType".equals(entryName)) {
            String name = null;
            String uri = null;
            NodeList parts = entry.getChildNodes();
            for (int j = 0; j < parts.getLength(); j++) {
                Node part = parts.item(j);
                if ("name".equals(part.getNodeName())) {
                    name = part.getTextContent();
                } else if ("uri".equals(part.getNodeName())) {
                    uri = part.getTextContent();
                }
            }
            if (name == null || uri == null) {
                continue;
            }
            if (!Utils.isValidDataType(uri)) {
                throw new PolicyEditorException("Invalid DataType : " + uri);
            }
            holder.getDataTypeMap().put(name, uri);
        }
    }
}
/**
 * Reads the {@code <functions>} section into the holder's function map and function lists.
 * <p>
 * Each {@code <function>} with a {@code <name>} and a {@code <uri>} is validated through
 * {@link Utils#isValidFunction(String)}, added to the function map and to the rule functions;
 * it is also added to the target functions when a {@code <targetFunction>} child is present.
 * Note that only the presence of that child counts, its text is not examined.
 *
 * @param root   the {@code <functions>} element
 * @param holder receives the parsed functions
 * @throws PolicyEditorException if a function URI is not supported
 */
private void parseFunctions(Node root, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList entries = root.getChildNodes();
    for (int i = 0; i < entries.getLength(); i++) {
        Node entry = entries.item(i);
        if (!"function".equals(entry.getNodeName())) {
            continue;
        }
        String name = null;
        String uri = null;
        boolean isTargetFunction = false;
        NodeList parts = entry.getChildNodes();
        for (int j = 0; j < parts.getLength(); j++) {
            Node part = parts.item(j);
            String partName = part.getNodeName();
            if ("name".equals(partName)) {
                name = part.getTextContent();
            } else if ("uri".equals(partName)) {
                uri = part.getTextContent();
            } else if ("targetFunction".equals(partName)) {
                // presence-based flag: the element's text content is intentionally not read
                isTargetFunction = true;
            }
        }
        if (name == null || uri == null) {
            continue;
        }
        if (!Utils.isValidFunction(uri)) {
            throw new PolicyEditorException("Invalid Function : " + uri);
        }
        holder.getFunctionMap().put(name, uri);
        holder.getRuleFunctions().add(name);
        if (isTargetFunction) {
            holder.getTargetFunctions().add(name);
        }
    }
}
/**
 * Reads the {@code <preFunctions>} section into the holder's pre-function map.
 * <p>
 * Each {@code <preFunction>} with a {@code <name>} and a {@code <uri>} is validated through
 * {@link Utils#isValidPreFunction(String)} and stored under its name.
 *
 * @param root   the {@code <preFunctions>} element
 * @param holder receives the parsed pre-functions
 * @throws PolicyEditorException if a pre-function URI is not supported
 */
private void parsePreFunctions(Node root, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList entries = root.getChildNodes();
    for (int i = 0; i < entries.getLength(); i++) {
        Node entry = entries.item(i);
        if (!"preFunction".equals(entry.getNodeName())) {
            continue;
        }
        String name = null;
        String uri = null;
        NodeList parts = entry.getChildNodes();
        for (int j = 0; j < parts.getLength(); j++) {
            Node part = parts.item(j);
            if ("name".equals(part.getNodeName())) {
                name = part.getTextContent();
            } else if ("uri".equals(part.getNodeName())) {
                uri = part.getTextContent();
            }
        }
        if (name == null || uri == null) {
            continue;
        }
        if (!Utils.isValidPreFunction(uri)) {
            throw new PolicyEditorException("Invalid PreFunction : " + uri);
        }
        holder.getPreFunctionMap().put(name, uri);
    }
}
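/**
 * Reads the {@code <rule>} section: rule id display, rule effects and the optional last rule.
 * <p>
 * {@code <ruleId>true</ruleId>} shows the rule id; {@code <ruleEffect>} carries the display
 * flag, the default effect and the named {@code <effect>} entries; {@code <lastRule>} carries
 * the "add last rule" flag and the last rule's effect. Every effect URI is validated through
 * {@link Utils#isValidEffect(String)}.
 *
 * @param root   the {@code <rule>} element
 * @param holder receives the parsed rule settings
 * @throws PolicyEditorException if an effect URI is not supported
 */
private void parseRule(Node root, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList settings = root.getChildNodes();
    for (int i = 0; i < settings.getLength(); i++) {
        Node setting = settings.item(i);
        String settingName = setting.getNodeName();
        if ("ruleId".equals(settingName)) {
            if ("true".equals(setting.getTextContent())) {
                holder.setShowRuleId(true);
            }
        } else if ("ruleEffect".equals(settingName)) {
            parseRuleEffect(setting, holder);
        } else if ("lastRule".equals(settingName)) {
            parseLastRule(setting, holder);
        }
    }
}

// Handles the <ruleEffect> element: display flag, default effect and named effect entries.
private void parseRuleEffect(Node ruleEffect, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList children = ruleEffect.getChildNodes();
    for (int j = 0; j < children.getLength(); j++) {
        Node child = children.item(j);
        String childName = child.getNodeName();
        if ("display".equals(childName)) {
            if ("true".equals(child.getTextContent())) {
                holder.setShowRuleEffect(true);
            }
        } else if ("defaultEffect".equals(childName)) {
            String effect = child.getTextContent();
            if (effect != null) {
                holder.setDefaultEffect(requireValidEffect(effect));
            }
        } else if ("effect".equals(childName)) {
            parseEffectEntry(child, holder);
        }
    }
}

// Handles one <effect> entry (a <name>/<uri> pair) under <ruleEffect>.
private void parseEffectEntry(Node effect, PolicyEditorDataHolder holder) throws PolicyEditorException {
    String name = null;
    String uri = null;
    NodeList parts = effect.getChildNodes();
    for (int k = 0; k < parts.getLength(); k++) {
        Node part = parts.item(k);
        if ("name".equals(part.getNodeName())) {
            if (part.getTextContent() != null) {
                name = part.getTextContent();
            }
        } else if ("uri".equals(part.getNodeName())) {
            if (part.getTextContent() != null) {
                uri = part.getTextContent();
            }
        }
    }
    if (name != null && uri != null) {
        holder.getRuleEffectMap().put(name, requireValidEffect(uri));
    }
    // The element's own text content is deliberately NOT copied into the default effect:
    // getTextContent() on an element is never null and returns the joined text of its
    // <name>/<uri> children, so doing that overwrote the validated <defaultEffect> value
    // with an unvalidated string.
}

// Handles the <lastRule> element: the add flag and the last rule's effect.
private void parseLastRule(Node lastRule, PolicyEditorDataHolder holder) throws PolicyEditorException {
    NodeList children = lastRule.getChildNodes();
    for (int j = 0; j < children.getLength(); j++) {
        Node child = children.item(j);
        String childName = child.getNodeName();
        if ("add".equals(childName)) {
            if ("true".equals(child.getTextContent())) {
                holder.setAddLastRule(true);
            }
        } else if ("effect".equals(childName)) {
            String effect = child.getTextContent();
            if (effect != null) {
                holder.setLastRuleEffect(requireValidEffect(effect));
            }
        }
    }
}

// Returns the effect URI unchanged, or throws the section's standard error when it is unsupported.
private static String requireValidEffect(String uri) throws PolicyEditorException {
    if (!Utils.isValidEffect(uri)) {
        throw new PolicyEditorException("Invalid Rule Effect : " + uri);
    }
    return uri;
}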
/**
 * Built-in "simple" editor configuration.
 * <p>
 * It contains the four fixed categories (Subject, Resource, Action, Environment) with their
 * supported attribute ids, the attribute id definitions, the rule combining algorithms and the
 * data types. It has no {@code <functions>}, {@code <preFunctions>}, {@code <policyDescription>}
 * or {@code <rule>} section. Note that the first {@code <dataTypes>} element is empty and the
 * data type list repeats the "Day Time Duration" entry three times; the parser tolerates both.
 *
 * @return the configuration document as a string
 */
protected String getSimpleConfig() {
    return " <policyEditor>\n" +
            " <categories>\n" +
            " <category>\n" +
            " <name>Subject</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>UserName</attributeId>\n" +
            " <attributeId>Email</attributeId>\n" +
            " <attributeId>Role</attributeId>\n" +
            " <attributeId>Age</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Resource</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>resource-id</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Action</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:action</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>action-id</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Environment</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>Domain</attributeId>\n" +
            "\t\t<attributeId>Date</attributeId>\n" +
            "\t\t<attributeId>Time</attributeId>\n" +
            "\t\t<attributeId>DateTime</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " </categories>\n" +
            " <attributeIds>\n" +
            " <attributeId>\n" +
            " <name>resource-id</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:resource:resource-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>action-id</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:action:action-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>UserName</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:subject:subject-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Role</name>\n" +
            " <uri>http://wso2.org/claims/role</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Email</name>\n" +
            " <uri>http://wso2.org/claims/emailaddress</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Environment</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Domain</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Time</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-time</uri>\n" +
            " <dataType>http://www.w3.org/2001/XMLSchema#time</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Date</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-date</uri>\n" +
            "\t <dataType>http://www.w3.org/2001/XMLSchema#date</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>DateTime</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-dateTime</uri>\n" +
            "\t <dataType>http://www.w3.org/2001/XMLSchema#dateTime</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Age</name>\n" +
            " <uri>http://wso2.org/claims/age</uri>\n" +
            " <dataType>http://www.w3.org/2001/XMLSchema#integer</dataType>\n" +
            " </attributeId>\n" +
            " </attributeIds>\n" +
            // empty first <dataTypes> section; the populated one follows the combining algorithms
            " <dataTypes> \n" +
            " </dataTypes>\n" +
            " <ruleCombiningAlgorithm>\n" +
            " <display>true</display>\n" +
            " <defaultAlgorithm>urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable</defaultAlgorithm>\n" +
            " <algorithms>\n" +
            " <algorithm>\n" +
            " <name>Deny Overrides</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>First Applicable</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Permit Overrides</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Deny Unless Permit</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Permit Unless Deny</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny</uri>\n" +
            " </algorithm>\n" +
            " </algorithms>\n" +
            " </ruleCombiningAlgorithm>\n" +
            " <dataTypes>\n" +
            "\t<dataType>\n" +
            "\t\t<name>String</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#string</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Boolean</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#boolean</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Integer</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#integer</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Double</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#double</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Time</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#time</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Date</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#date</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Date Time</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dateTime</uri>\n" +
            "\t</dataType>\n" +
            // the "Day Time Duration" entry is listed three times; later entries overwrite the same map key
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Year Month Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#yearMonthDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Any URI</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#anyURI</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Hex Binary</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#hexBinary</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Base64 Binary</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#base64Binary</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>DNS Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:dnsName</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>IP Address</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:ipAddress</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>RFC822 Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>XPath</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>X500 Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:x500Name</uri>\n" +
            "\t</dataType> \n" +
            " </dataTypes>\n" +
            "</policyEditor>";
}
/**
 * Built-in default editor configuration.
 * <p>
 * It extends the simple configuration with a {@code <functions>} section (two of them flagged
 * as target functions), {@code <preFunctions>}, a {@code <policyDescription>} section and a
 * {@code <rule>} section with the Permit/Deny effects, a default effect of Permit and a
 * disabled last rule whose effect is Deny. As in the simple configuration, the first
 * {@code <dataTypes>} element is empty and "Day Time Duration" is listed three times.
 *
 * @return the configuration document as a string
 */
protected String getDefaultConfig() {
    return "<policyEditor>\n" +
            " <categories>\n" +
            " <category>\n" +
            " <name>Subject</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>UserName</attributeId>\n" +
            " <attributeId>Email</attributeId>\n" +
            " <attributeId>Role</attributeId>\n" +
            " <attributeId>Age</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Resource</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>resource-id</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Action</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:action</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>action-id</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " <category>\n" +
            " <name>Environment</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</uri>\n" +
            " <supportedAttributeIds>\n" +
            " <attributeId>Domain</attributeId>\n" +
            "\t\t<attributeId>Date</attributeId>\n" +
            "\t\t<attributeId>Time</attributeId>\n" +
            "\t\t<attributeId>DateTime</attributeId>\n" +
            " </supportedAttributeIds>\n" +
            " </category>\n" +
            " </categories>\n" +
            " <attributeIds>\n" +
            " <attributeId>\n" +
            " <name>resource-id</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:resource:resource-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>action-id</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:action:action-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>UserName</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:subject:subject-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Role</name>\n" +
            " <uri>http://wso2.org/claims/role</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Email</name>\n" +
            " <uri>http://wso2.org/claims/emailaddress</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Environment</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Domain</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Time</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-time</uri>\n" +
            " <dataType>http://www.w3.org/2001/XMLSchema#time</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Date</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-date</uri>\n" +
            "\t <dataType>http://www.w3.org/2001/XMLSchema#date</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>DateTime</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-dateTime</uri>\n" +
            "\t <dataType>http://www.w3.org/2001/XMLSchema#dateTime</dataType>\n" +
            " </attributeId>\n" +
            " <attributeId>\n" +
            " <name>Age</name>\n" +
            " <uri>http://wso2.org/claims/age</uri>\n" +
            " <dataType>http://www.w3.org/2001/XMLSchema#integer</dataType>\n" +
            " </attributeId>\n" +
            " </attributeIds>\n" +
            // empty first <dataTypes> section; the populated one follows the combining algorithms
            " <dataTypes> \n" +
            " </dataTypes>\n" +
            " <ruleCombiningAlgorithm>\n" +
            " <display>true</display>\n" +
            " <defaultAlgorithm>urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable</defaultAlgorithm>\n" +
            " <algorithms>\n" +
            " <algorithm>\n" +
            " <name>Deny Overrides</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>First Applicable</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Permit Overrides</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Deny Unless Permit</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit</uri>\n" +
            " </algorithm>\n" +
            " <algorithm>\n" +
            " <name>Permit Unless Deny</name>\n" +
            " <uri>urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny</uri>\n" +
            " </algorithm>\n" +
            " </algorithms>\n" +
            " </ruleCombiningAlgorithm>\n" +
            " <dataTypes>\n" +
            "\t<dataType>\n" +
            "\t\t<name>String</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#string</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Boolean</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#boolean</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Integer</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#integer</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Double</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#double</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Time</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#time</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Date</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#date</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Date Time</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dateTime</uri>\n" +
            "\t</dataType>\n" +
            // the "Day Time Duration" entry is listed three times; later entries overwrite the same map key
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Day Time Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Year Month Duration</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#yearMonthDuration</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Any URI</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#anyURI</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Hex Binary</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#hexBinary</uri>\n" +
            "\t</dataType>\n" +
            "\t<dataType>\n" +
            "\t\t<name>Base64 Binary</name>\n" +
            "\t\t<uri>http://www.w3.org/2001/XMLSchema#base64Binary</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>DNS Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:dnsName</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>IP Address</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:ipAddress</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>RFC822 Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>XPath</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression</uri>\n" +
            "\t</dataType> \n" +
            "\t<dataType>\n" +
            "\t\t<name>X500 Name</name>\n" +
            "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:x500Name</uri>\n" +
            "\t</dataType> \n" +
            " </dataTypes>\n" +
            " <functions>\n" +
            // only the presence of <targetFunction> is checked by parseFunctions, not its text
            " <function>\n" +
            " <name>equal</name>\n" +
            " <uri>equal</uri>\n" +
            " <targetFunction>true</targetFunction>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>equals-with-regexp-match</name>\n" +
            " <uri>regexp-match</uri>\n" +
            "\t <targetFunction>true</targetFunction>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>at-least-one-member-of</name>\n" +
            " <uri>at-least-one-member-of</uri>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>is-in</name>\n" +
            " <uri>is-in</uri>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>set-equals</name>\n" +
            " <uri>set-equals</uri>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>greater-than</name>\n" +
            " <uri>greater-than</uri>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>less-than</name>\n" +
            " <uri>less-than</uri>\n" +
            " </function>\n" +
            " <function>\n" +
            " <name>greater-than-and-less-than</name>\n" +
            " <uri>greater-than-and-less-than</uri>\n" +
            " </function>\n" +
            " </functions>\n" +
            " <preFunctions>\n" +
            " <preFunction>\n" +
            " <name>is/are</name>\n" +
            " <uri>is</uri>\n" +
            " </preFunction>\n" +
            " <preFunction>\n" +
            " <name>is not/are not</name>\n" +
            " <uri>not</uri>\n" +
            " </preFunction>\n" +
            " </preFunctions>\n" +
            " <policyDescription>\n" +
            " <display>true</display>\n" +
            " </policyDescription>\n" +
            " <rule>\n" +
            " <ruleId>true</ruleId>\n" +
            " <ruleEffect>\n" +
            " <display>true</display>\n" +
            " <defaultEffect>Permit</defaultEffect>\n" +
            "\t \t<effect>\n" +
            " \t\t<name>Permit</name>\n" +
            " \t\t<uri>Permit</uri>\n" +
            "\t\t</effect>\n" +
            "\t \t<effect>\n" +
            " \t\t<name>Deny</name>\n" +
            " \t\t<uri>Deny</uri>\n" +
            "\t\t</effect>\t\n" +
            " </ruleEffect>\n" +
            " <lastRule>\n" +
            " <add>false</add>\n" +
            " <effect>Deny</effect>\n" +
            " </lastRule>\n" +
            " </rule>\n" +
            "</policyEditor>\n";
}
/**
 * Returns the built-in policy-editor configuration XML used for the "set" editor.
 * <p>
 * The document is assembled from a fixed list of lines, one per XML line, each
 * terminated by a newline; the result therefore ends with {@code "</policyEditor>\n"}.
 * Compared with the configuration literal that ends immediately above this method,
 * this variant carries no {@code <rule>} section and a shorter {@code <functions>}
 * list (no is-in / greater-than / less-than entries).
 * <p>
 * NOTE(review): the literal contains two {@code <dataTypes>} elements, an empty one
 * right after {@code </attributeIds>} and the populated one after
 * {@code </policyCombiningAlgorithm>}; which of the two the consumer honours is not
 * visible here and should be confirmed. Likewise the {@code Domain} and
 * {@code Environment} attribute ids both map to
 * {@code urn:oasis:names:tc:xacml:1.0:environment:environment-id}.
 *
 * @return the default "set" policy-editor configuration as an XML string
 */
protected String getDefaultSetConfig() {
    // Each entry is exactly one line of the XML document, without its trailing newline.
    final String[] xmlLines = {
        "<policyEditor>",
        " <categories>",
        " <category>",
        " <name>Subject</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</uri>",
        " <supportedAttributeIds>",
        " <attributeId>UserName</attributeId>",
        " <attributeId>Email</attributeId>",
        " <attributeId>Role</attributeId>",
        " <attributeId>Age</attributeId>",
        " </supportedAttributeIds>",
        " </category>",
        " <category>",
        " <name>Resource</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</uri>",
        " <supportedAttributeIds>",
        " <attributeId>resource-id</attributeId>",
        " </supportedAttributeIds>",
        " </category>",
        " <category>",
        " <name>Action</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:action</uri>",
        " <supportedAttributeIds>",
        " <attributeId>action-id</attributeId>",
        " </supportedAttributeIds>",
        " </category>",
        " <category>",
        " <name>Environment</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</uri>",
        " <supportedAttributeIds>",
        " <attributeId>Domain</attributeId>",
        "\t\t<attributeId>Date</attributeId>",
        "\t\t<attributeId>Time</attributeId>",
        "\t\t<attributeId>DateTime</attributeId>",
        " </supportedAttributeIds>",
        " </category>",
        " </categories>",
        " <attributeIds>",
        " <attributeId>",
        " <name>resource-id</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:resource:resource-id</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>action-id</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:action:action-id</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>UserName</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:subject:subject-id</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>Role</name>",
        " <uri>http://wso2.org/claims/role</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>Email</name>",
        " <uri>http://wso2.org/claims/emailaddress</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>Environment</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>Domain</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:environment:environment-id</uri>",
        " </attributeId>",
        " <attributeId>",
        " <name>Time</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-time</uri>",
        " <dataType>http://www.w3.org/2001/XMLSchema#time</dataType>",
        " </attributeId>",
        " <attributeId>",
        " <name>Date</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-date</uri>",
        "\t <dataType>http://www.w3.org/2001/XMLSchema#date</dataType>",
        " </attributeId>",
        " <attributeId>",
        " <name>DateTime</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:environment:current-dateTime</uri>",
        "\t <dataType>http://www.w3.org/2001/XMLSchema#dateTime</dataType>",
        " </attributeId>",
        " <attributeId>",
        " <name>Age</name>",
        " <uri>http://wso2.org/claims/age</uri>",
        " <dataType>http://www.w3.org/2001/XMLSchema#integer</dataType>",
        " </attributeId>",
        " </attributeIds>",
        // Empty <dataTypes> element, kept as in the original document (see class note above).
        " <dataTypes> ",
        " </dataTypes>",
        " <policyCombiningAlgorithm>",
        " <display>true</display>",
        " <defaultAlgorithm>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides</defaultAlgorithm>",
        " <algorithms>",
        " <algorithm>",
        " <name>Deny Overrides</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>First Applicable</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Permit Overrides</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Deny Unless Permit</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Permit Unless Deny</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Only One Applicable</name>",
        " <uri>urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Ordered Permit Overrides</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides</uri>",
        " </algorithm>",
        " <algorithm>",
        " <name>Ordered Deny Overrides</name>",
        " <uri>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides</uri>",
        " </algorithm>",
        " </algorithms>",
        " </policyCombiningAlgorithm>",
        " <dataTypes>",
        "\t<dataType>",
        "\t\t<name>String</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#string</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Boolean</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#boolean</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Integer</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#integer</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Double</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#double</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Time</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#time</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Date</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#date</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Date Time</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#dateTime</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Day Time Duration</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#dayTimeDuration</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Year Month Duration</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#yearMonthDuration</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Any URI</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#anyURI</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Hex Binary</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#hexBinary</uri>",
        "\t</dataType>",
        "\t<dataType>",
        "\t\t<name>Base64 Binary</name>",
        "\t\t<uri>http://www.w3.org/2001/XMLSchema#base64Binary</uri>",
        // The following closing tags carry a trailing space in the original document.
        "\t</dataType> ",
        "\t<dataType>",
        "\t\t<name>DNS Name</name>",
        "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:dnsName</uri>",
        "\t</dataType> ",
        "\t<dataType>",
        "\t\t<name>IP Address</name>",
        "\t\t<uri>urn:oasis:names:tc:xacml:2.0:data-type:ipAddress</uri>",
        "\t</dataType> ",
        "\t<dataType>",
        "\t\t<name>RFC822 Name</name>",
        "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name</uri>",
        "\t</dataType> ",
        "\t<dataType>",
        "\t\t<name>XPath</name>",
        "\t\t<uri>urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression</uri>",
        "\t</dataType> ",
        "\t<dataType>",
        "\t\t<name>X500 Name</name>",
        "\t\t<uri>urn:oasis:names:tc:xacml:1.0:data-type:x500Name</uri>",
        "\t</dataType> ",
        " </dataTypes>",
        " <functions>",
        " <function>",
        " <name>equal</name>",
        " <uri>equal</uri>",
        " <targetFunction>true</targetFunction>",
        " </function>",
        " <function>",
        " <name>equals-with-regexp-match</name>",
        " <uri>regexp-match</uri>",
        "\t <targetFunction>true</targetFunction>",
        " </function>",
        " <function>",
        " <name>at-least-one-member-of</name>",
        " <uri>at-least-one-member-of</uri>",
        " </function>",
        " <function>",
        " <name>set-equals</name>",
        " <uri>set-equals</uri>",
        " </function>",
        " </functions>",
        " <preFunctions>",
        " <preFunction>",
        " <name>is/are</name>",
        " <uri>is</uri>",
        " </preFunction>",
        " <preFunction>",
        " <name>is not/are not</name>",
        " <uri>not</uri>",
        " </preFunction>",
        " </preFunctions>",
        " <policyDescription>",
        " <display>true</display>",
        " </policyDescription>",
        "</policyEditor>"
    };

    // Re-join the lines, restoring the newline that terminates every line (including the last).
    StringBuilder document = new StringBuilder();
    for (String xmlLine : xmlLines) {
        document.append(xmlLine).append('\n');
    }
    return document.toString();
}
}