/*
* JBoss, Home of Professional Open Source.
* Copyright 2012, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.test.integration.security.xacml;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import javax.inject.Inject;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.logging.Logger;
import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.AttributeType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
import org.jboss.security.xacml.core.model.context.RequestType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.factories.RequestAttributeFactory;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.jaxb.LocatorType;
import org.jboss.security.xacml.jaxb.LocatorsType;
import org.jboss.security.xacml.jaxb.PDP;
import org.jboss.security.xacml.jaxb.PoliciesType;
import org.jboss.security.xacml.jaxb.PolicySetType;
import org.jboss.security.xacml.locators.JBossPolicySetLocator;
import org.jboss.shrinkwrap.api.ArchivePaths;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.EmptyAsset;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;
/**
* Testcases which test JBossPDP initialization a validates XACML Interoperability Use Cases. .
*
* @author Josef Cacek
*/
@RunWith(Arquillian.class)
public class JBossPDPInteroperabilityTestCase {
private static Logger LOGGER = Logger.getLogger(JBossPDPInteroperabilityTestCase.class);
@Inject
JBossPDPServiceBean pdpServiceBean;
// Public methods --------------------------------------------------------
/**
* Creates {@link JavaArchive} for the deployment.
*
* @return
*/
@Deployment
public static JavaArchive deployment() {
final JavaArchive jar = ShrinkWrap.create(JavaArchive.class, "pdp-service-bean.jar");
jar.addAsManifestResource(EmptyAsset.INSTANCE, ArchivePaths.create("beans.xml"));
XACMLTestUtils.addCommonClassesToArchive(jar);
XACMLTestUtils.addJBossDeploymentStructureToArchive(jar);
XACMLTestUtils.addXACMLPoliciesToArchive(jar);
//we need this because of "in-container" testing
for (int i = 1; i <= 7; i++) {
jar.addAsResources(JBossPDPServletInitializationTestCase.class.getPackage(), XACMLTestUtils.TESTOBJECTS_REQUESTS
+ "/scenario2-testcase" + i + "-request.xml");
}
jar.addAsResource(JBossPDPServletInitializationTestCase.class.getPackage(), XACMLTestUtils.TESTOBJECTS_REQUESTS
+ "/med-example-request.xml");
return jar;
}
/**
* Validates the 7 Oasis XACML Interoperability Use Cases.
*
* @throws Exception
*/
@Test
public void testInteropTestWithXMLRequests() throws Exception {
assertNotNull("PDPServiceBean should be injected.", pdpServiceBean);
final PolicyDecisionPoint pdp = pdpServiceBean.getJBossPDP();
assertNotNull("JBossPDP should be not-null", pdp);
assertEquals("Case 1 should be deny", XACMLConstants.DECISION_DENY, getDecision(pdp, "scenario2-testcase1-request.xml"));
assertEquals("Case 2 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, "scenario2-testcase2-request.xml"));
assertEquals("Case 3 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, "scenario2-testcase3-request.xml"));
assertEquals("Case 4 should be deny", XACMLConstants.DECISION_DENY, getDecision(pdp, "scenario2-testcase4-request.xml"));
assertEquals("Case 5 should be deny", XACMLConstants.DECISION_DENY, getDecision(pdp, "scenario2-testcase5-request.xml"));
assertEquals("Case 6 should be deny", XACMLConstants.DECISION_DENY, getDecision(pdp, "scenario2-testcase6-request.xml"));
assertEquals("Case 7 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, "scenario2-testcase7-request.xml"));
}
/**
* Tests PDP evaluation of XACML requests provided as the objects (Oasis XACML Interoperability Use Cases).
*
* @throws Exception
*/
@Test
public void testInteropTestWithObjects() throws Exception {
assertNotNull("PDPServiceBean should be injected.", pdpServiceBean);
final PolicyDecisionPoint pdp = pdpServiceBean.getJBossPDP();
assertNotNull("JBossPDP should be not-null", pdp);
assertEquals("Case 1 should be deny", XACMLConstants.DECISION_DENY,
getDecision(pdp, getRequestContext("false", "false", 10)));
assertEquals("Case 2 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, getRequestContext("false", "false", 1)));
assertEquals("Case 3 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, getRequestContext("true", "false", 5)));
assertEquals("Case 4 should be deny", XACMLConstants.DECISION_DENY,
getDecision(pdp, getRequestContext("false", "false", 9)));
assertEquals("Case 5 should be deny", XACMLConstants.DECISION_DENY,
getDecision(pdp, getRequestContext("true", "false", 10)));
assertEquals("Case 6 should be deny", XACMLConstants.DECISION_DENY,
getDecision(pdp, getRequestContext("true", "false", 15)));
assertEquals("Case 7 should be permit", XACMLConstants.DECISION_PERMIT,
getDecision(pdp, getRequestContext("true", "true", 10)));
}
/**
* Tests loading XACML policies from a filesystem folder.
*
* @throws Exception
*/
@Test
public void testPoliciesLoadedFromDir() throws Exception {
//create temporary folder for policies
final File policyDir = new File("test-JBossPDP-Med-" + System.currentTimeMillis());
final InputStream requestIS = getClass().getResourceAsStream(
XACMLTestUtils.TESTOBJECTS_REQUESTS + "/med-example-request.xml");
try {
policyDir.mkdirs();
final JBossPDP pdp = createPDPForMed(policyDir);
final String requestTemplate = IOUtils.toString(requestIS, "UTF-8");
LOGGER.trace("REQUEST template: " + requestTemplate);
final Map<String, Object> substitutionMap = new HashMap<String, Object>();
substitutionMap.put(XACMLTestUtils.SUBST_SUBJECT_ID, "josef@med.example.com");
assertEquals("Decision for josef@med.example.com should be DECISION_PERMIT", XACMLConstants.DECISION_PERMIT,
getDecisionForStr(pdp, StrSubstitutor.replace(requestTemplate, substitutionMap)));
substitutionMap.put(XACMLTestUtils.SUBST_SUBJECT_ID, "guest@med.example.com");
assertEquals("Decision for guest@med.example.com should be DECISION_DENY", XACMLConstants.DECISION_DENY,
getDecisionForStr(pdp, StrSubstitutor.replace(requestTemplate, substitutionMap)));
substitutionMap.put(XACMLTestUtils.SUBST_SUBJECT_ID, "hs@simpsons.com");
assertEquals("Decision for hs@simpsons.com should be DECISION_DENY", XACMLConstants.DECISION_DENY,
getDecisionForStr(pdp, StrSubstitutor.replace(requestTemplate, substitutionMap)));
substitutionMap.put(XACMLTestUtils.SUBST_SUBJECT_ID, "bs@simpsons.com");
assertEquals("Decision for bs@simpsons.com should be DECISION_NOT_APPLICABLE",
XACMLConstants.DECISION_NOT_APPLICABLE,
getDecisionForStr(pdp, StrSubstitutor.replace(requestTemplate, substitutionMap)));
substitutionMap.put(XACMLTestUtils.SUBST_SUBJECT_ID, "admin@acme.com");
assertEquals("Decision for admin@acme.com should be DECISION_NOT_APPLICABLE",
XACMLConstants.DECISION_NOT_APPLICABLE,
getDecisionForStr(pdp, StrSubstitutor.replace(requestTemplate, substitutionMap)));
} finally {
FileUtils.deleteDirectory(policyDir);
requestIS.close();
}
}
// Private methods -------------------------------------------------------
/**
* Creates a {@link JBossPDP} instance filled with policies from Medical example (loaded from a directory in the
* filesystem).
*
* @param policyDir
* @return
* @throws IOException
*/
private JBossPDP createPDPForMed(final File policyDir) throws IOException {
final File policySetFile = new File(policyDir, XACMLTestUtils.MED_EXAMPLE_POLICY_SET);
final File policySetFile2 = new File(policyDir, XACMLTestUtils.MED_EXAMPLE_POLICY_SET2);
//copy policy files to the temporary folder
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Copying policies to the " + policyDir.getAbsolutePath());
}
FileUtils.copyInputStreamToFile(
getClass().getResourceAsStream(
XACMLTestUtils.TESTOBJECTS_POLICIES + "/" + XACMLTestUtils.MED_EXAMPLE_POLICY_SET), policySetFile);
FileUtils.copyInputStreamToFile(
getClass().getResourceAsStream(
XACMLTestUtils.TESTOBJECTS_POLICIES + "/" + XACMLTestUtils.MED_EXAMPLE_POLICY_SET2), policySetFile2);
//create XML configuration for the PDP
final PDP pdp = new PDP();
final PoliciesType policies = new PoliciesType();
final PolicySetType policySet = new PolicySetType();
policySet.setLocation(policyDir.toURI().getPath());
policies.getPolicySet().add(policySet);
pdp.setPolicies(policies);
final LocatorType locator = new LocatorType();
locator.setName(JBossPolicySetLocator.class.getName());
final LocatorsType locators = new LocatorsType();
locators.getLocator().add(locator);
pdp.setLocators(locators);
return new JBossPDP(new JAXBElement<PDP>(new QName("urn:jboss:xacml:2.0", "jbosspdp"), PDP.class, pdp));
}
/**
* Get the decision from the given PDP for the given request string (XML as a String).
*
* @param pdp
* @param requestStr
* @return
* @throws Exception
*/
private int getDecisionForStr(PolicyDecisionPoint pdp, String requestStr) throws Exception {
final RequestContext request = RequestResponseContextFactory.createRequestCtx();
request.readRequest(IOUtils.toInputStream(requestStr));
return getDecision(pdp, request);
}
/**
* Get the decision from the PDP.
*
* @param pdp
* @param requestFileLoc a file where the xacml request is stored
* @return
* @throws Exception
*/
private int getDecision(PolicyDecisionPoint pdp, String requestFileLoc) throws Exception {
final RequestContext request = RequestResponseContextFactory.createRequestCtx();
LOGGER.trace("Creating request from " + requestFileLoc);
final InputStream requestStream = JBossPDPInteroperabilityTestCase.class
.getResourceAsStream(XACMLTestUtils.TESTOBJECTS_REQUESTS + "/" + requestFileLoc);
if (requestStream == null) {
LOGGER.warn("INPUT IS NULL");
}
request.readRequest(requestStream);
return getDecision(pdp, request);
}
/**
* Gets the decision from the PDP.
*
* @param pdp
* @param request
* @return
*/
private static int getDecision(PolicyDecisionPoint pdp, RequestContext request) {
return pdp.evaluate(request).getDecision();
}
/**
* Creates a single XACML request (instance of {@link RequestType}) with given parameters (subject's attribute values).
*
* @param reqTradeAppr
* @param reqCreditAppr
* @param buyPrice
* @return
* @throws Exception
*/
private RequestContext getRequestContext(String reqTradeAppr, String reqCreditAppr, int buyPrice) throws Exception {
final RequestType request = new RequestType();
request.getSubject().add(createSubject(reqTradeAppr, reqCreditAppr, buyPrice));
request.getResource().add(createResource());
request.setAction(createAction());
request.setEnvironment(new EnvironmentType());
final RequestContext requestCtx = RequestResponseContextFactory.createRequestCtx();
requestCtx.setRequest(request);
return requestCtx;
}
/**
* Creates a {@link SubjectType} with given attribute values. Some of the attribute values (as "subject-id" for instance)
* are fixed.
*
* @param reqTradeAppr
* @param reqCreditAppr
* @param buyPrice
* @return
*/
private SubjectType createSubject(String reqTradeAppr, String reqCreditAppr, int buyPrice) {
// Create a subject type
SubjectType subject = new SubjectType();
subject.setSubjectCategory("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject");
// create the subject attributes
AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
"urn:oasis:names:tc:xacml:1.0:subject:subject-id", "xacml20.interop.com", "123456");
subject.getAttribute().add(attSubjectID);
AttributeType attUserName = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:subject:user-name", "xacml20.interop.com", "John Smith");
subject.getAttribute().add(attUserName);
AttributeType attBuyNumShares = RequestAttributeFactory.createIntegerAttributeType(
"urn:xacml:2.0:interop:example:subject:buy-num-shares", "xacml20.interop.com", 1000);
subject.getAttribute().add(attBuyNumShares);
AttributeType attBuyOfferShare = RequestAttributeFactory.createIntegerAttributeType(
"urn:xacml:2.0:interop:example:subject:buy-offer-price", "xacml20.interop.com", buyPrice);
subject.getAttribute().add(attBuyOfferShare);
AttributeType attRequestExtCred = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:subject:req-credit-ext-approval", "xacml20.interop.com", reqCreditAppr);
subject.getAttribute().add(attRequestExtCred);
AttributeType attRequestTradeApproval = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:subject:req-trade-approval", "xacml20.interop.com", reqTradeAppr);
subject.getAttribute().add(attRequestTradeApproval);
return subject;
}
/**
* Creates a {@link ResourceType} with several attributes.
*
* @return
*/
private ResourceType createResource() {
ResourceType resourceType = new ResourceType();
AttributeType attResourceID = RequestAttributeFactory.createStringAttributeType(
"urn:oasis:names:tc:xacml:1.0:resource:resource-id", "xacml20.interop.com", "CustomerAccount");
resourceType.getAttribute().add(attResourceID);
AttributeType attOwnerID = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:resource:owner-id", "xacml20.interop.com", "123456");
resourceType.getAttribute().add(attOwnerID);
AttributeType attOwnerName = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:resource:owner-name", "xacml20.interop.com", "John Smith");
resourceType.getAttribute().add(attOwnerName);
AttributeType attAccountStatus = RequestAttributeFactory.createStringAttributeType(
"urn:xacml:2.0:interop:example:resource:account-status", "xacml20.interop.com", "Active");
resourceType.getAttribute().add(attAccountStatus);
AttributeType attCreditLine = RequestAttributeFactory.createIntegerAttributeType(
"urn:xacml:2.0:interop:example:resource:credit-line", "xacml20.interop.com", 15000);
resourceType.getAttribute().add(attCreditLine);
AttributeType attCurrentCredit = RequestAttributeFactory.createIntegerAttributeType(
"urn:xacml:2.0:interop:example:resource:current-credit", "xacml20.interop.com", 10000);
resourceType.getAttribute().add(attCurrentCredit);
AttributeType attTradeLimit = RequestAttributeFactory.createIntegerAttributeType(
"urn:xacml:2.0:interop:example:resource:trade-limit", "xacml20.interop.com", 10000);
resourceType.getAttribute().add(attTradeLimit);
return resourceType;
}
/**
* Creates a simple {@link ActionType} with a single attribute - action-id=Buy.
*
* @return
*/
private ActionType createAction() {
final ActionType actionType = new ActionType();
final AttributeType attActionID = RequestAttributeFactory.createStringAttributeType(
"urn:oasis:names:tc:xacml:1.0:action:action-id", "xacml20.interop.com", "Buy");
actionType.getAttribute().add(attActionID);
return actionType;
}
}