From b6552b5183ce23da4fc125b40315d0ea8eccae10 Mon Sep 17 00:00:00 2001 From: Sangeeta Bellara Date: Mon, 7 Jul 2025 20:13:22 +0200 Subject: [PATCH] Policy XACML Native translator enhancement Issue-ID: POLICY-5313 Change-Id: I96a7862f2344b468c80baa4c43722e6fba42d8af Author: Sangeeta Bellara 
Signed-off-by: Sangeeta Bellara --- applications/native/pom.xml | 6 + .../nativ/NativePdpApplicationTranslator.java | 1323 ++++++++---- .../nativ/NativePdpApplicationTest.java | 142 +- .../resources/policies/bad.native.toscapolicy.yaml | 36 - .../bad.native.toscaxacml.policy.advice.yaml | 26 + .../bad.native.toscaxacml.policy.apply.yaml | 52 + .../bad.native.toscaxacml.policy.compareWith.yaml | 53 + .../bad.native.toscaxacml.policy.condition.yaml | 53 + .../bad.native.toscaxacml.policy.condition1.yaml | 27 + .../bad.native.toscaxacml.policy.decision.yaml | 53 + .../bad.native.toscaxacml.policy.expr.yaml | 50 + .../bad.native.toscaxacml.policy.expr1.yaml | 50 + .../bad.native.toscaxacml.policy.expr2.yaml | 50 + .../bad.native.toscaxacml.policy.function.yaml | 124 ++ .../bad.native.toscaxacml.policy.list.yaml | 50 + .../bad.native.toscaxacml.policy.nestedapply.yaml | 49 + .../bad.native.toscaxacml.policy.operator.yaml | 54 + .../bad.native.toscaxacml.policy.policyset.yaml | 50 + .../policies/bad.native.toscaxacml.policy.ref.yaml | 33 + ...ml => bad.native.toscaxacml.policy.target.yaml} | 37 +- .../policies/bad.native.toscaxacml.policy.yaml | 35 + .../resources/policies/native.toscapolicy.yaml | 1324 ------------ .../native.toscaxacml.policy.compareWith.yaml | 61 + .../policies/native.toscaxacml.policy.default.yaml | 32 + .../policies/native.toscaxacml.policy.expr.yaml | 56 + .../native.toscaxacml.policy.function.yaml | 124 ++ .../native.toscaxacml.policy.nestedapply.yaml | 49 + .../native.toscaxacml.policy.operators.yaml | 2104 ++++++++++++++++++++ .../policies/native.toscaxacml.policy.ref.yaml | 34 + .../policies/native.toscaxacml.policy.target.yaml | 61 + 30 files changed, 4441 insertions(+), 1757 deletions(-) delete mode 100644 applications/native/src/test/resources/policies/bad.native.toscapolicy.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.advice.yaml create mode 100644 
applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.apply.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.compareWith.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition1.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.decision.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr1.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr2.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.function.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.list.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.nestedapply.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.operator.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.policyset.yaml create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.ref.yaml rename applications/native/src/test/resources/policies/{bad.native.tosca.policy.target.yaml => bad.native.toscaxacml.policy.target.yaml} (66%) create mode 100644 applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.yaml delete mode 100644 applications/native/src/test/resources/policies/native.toscapolicy.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.compareWith.yaml create mode 100644 
applications/native/src/test/resources/policies/native.toscaxacml.policy.default.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.expr.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.function.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.nestedapply.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.operators.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.ref.yaml create mode 100644 applications/native/src/test/resources/policies/native.toscaxacml.policy.target.yaml
diff --git a/applications/native/pom.xml b/applications/native/pom.xml
index 6a07cd36..aa6a2b9e 100644
--- a/applications/native/pom.xml
+++ b/applications/native/pom.xml
@@ -96,6 +96,12 @@ slf4j-api provided + + org.junit.jupiter + junit-jupiter-params + ${version.jupiter} + test +
diff --git a/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTranslator.java b/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTranslator.java
index a7ad4349..240ba5f4 100644
--- a/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTranslator.java
+++ b/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTranslator.java
@@ -4,7 +4,7 @@ * ================================================================================ * Copyright (C) 2020-2021 AT&T Intellectual Property. All rights reserved. * Modifications Copyright (C) 2020, 2024 Nordix Foundation. - * Modifications Copyright (C) 2024 Deutsche Telekom AG. + * Modifications Copyright (C) 2025 Deutsche Telekom AG. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,10 +31,14 @@ import com.att.research.xacml.api.XACML3; import com.att.research.xacml.util.XACMLPolicyScanner; import java.io.ByteArrayInputStream; import java.io.IOException; +import java.io.StreamTokenizer; +import java.io.StringReader; import java.nio.charset.StandardCharsets; +import java.util.ArrayDeque; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; +import java.util.Deque; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -52,6 +56,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.ConditionType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.DefaultsType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.FunctionType; +import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.MatchType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.ObjectFactory; import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySetType; @@ -73,7 +78,10 @@ import org.slf4j.LoggerFactory; * This class implements one translator that interprets TOSCA policy and decision API request/response payload. * * @author Chenfei Gao (cgao@research.att.com) + * */ + + @NoArgsConstructor public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { 
@@ -87,18 +95,60 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { private static final String VALUE = "value"; + private static final String ACTION = "action"; + + private static final String VERSION = "version"; + private static final String APPLY = "apply"; + private static final String EXPRESSION = "expr"; + private static final String ONE_AND_ONLY = "-one-and-only"; private static final String DOUBLE = "double"; + private static final String CONVERSION_INTEGER = "integer("; + + private static final String CONVERSION_DOUBLE = "double("; + + private static final String CONVERSION_DOUBLE_ABS = "double-abs("; + + private static final String CONVERSION_INTEGER_ABS = "integer-abs("; + + private static final String CONVERSION_FLOOR = "floor("; + + private static final String CONVERSION_ROUND = "round("; + + private static final String POLICY_ID = "policy-id"; + + private static final String POLICY_VERSION = "policy-version"; + + private static final String DECISION = "decision"; + + private static final String OPERATOR = "operator"; + + private static final String FUNCTION = "function"; + + private static final String INTEGER = "integer"; + + private static final String BOOLEAN = "boolean"; + + private static final String POPPED = "Popped {}"; + + private static final String ERROR_TARGET = "POLICY-500: Invalid target format"; + + private static final String ERROR_TOKEN = "POLICY-500: Error parsing expr, could not get next token"; + private Map identifierMap; + private HashMap operatorPrecedenceMap; + @Override public Object convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException { + if (TOSCA_XACML_POLICY_TYPE.equals(toscaPolicy.getType())) { setIdentifierMap(); + setOperatorPrecedenceMap(); return setPolicySetType(toscaPolicy); } else { // 
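Review bot: `operatorPrecedenceMap` is declared as the concrete `HashMap` while `identifierMap` right above it is declared as `Map`; the field should be `private Map<…> operatorPrecedenceMap;` with the type arguments it already carries, so the rest of the class depends on the interface only. Both maps are also rebuilt on every `convertPolicy` call, which reassigns mutable instance state per translation; if their contents do not depend on the policy being translated (the `setIdentifierMap`/`setOperatorPrecedenceMap` bodies are outside this hunk), building them once in the constructor or as `static final` maps would avoid the per-call work and make a shared translator instance safe to use from several threads.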
@@ -109,7 +159,8 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { try { decodedXacmlPolicy = new String(Base64.getDecoder().decode(encodedXacmlPolicy), StandardCharsets.UTF_8); } catch (IllegalArgumentException exc) { - throw new ToscaPolicyConversionException("error on Base64 decoding the native policy", exc); + LOGGER.error("POLICY-500: error on Base64 decoding the native policy"); + throw new ToscaPolicyConversionException("POLICY-500: error on Base64 decoding the native policy", exc); } LOGGER.debug("Decoded xacml policy {}", decodedXacmlPolicy); // @@ -121,11 +172,13 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { // Object policy = XACMLPolicyScanner.readPolicy(is); if (policy == null) { - throw new ToscaPolicyConversionException("Invalid XACML Policy"); + LOGGER.error("POLICY-500: Invalid XACML Policy"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid XACML Policy"); } return policy; - } catch (IOException exc) { - throw new ToscaPolicyConversionException("Failed to read policy", exc); + } catch (Exception exc) { + LOGGER.error("POLICY-500: Failed to read policy"); + throw new ToscaPolicyConversionException("POLICY-500: Failed to read policy", exc); } } } @@ -141,7 +194,7 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { @Override public Request convertRequest(DecisionRequest request) throws ToscaPolicyConversionException { - throw new ToscaPolicyConversionException("Do not call native convertRequest"); + throw new ToscaPolicyConversionException("POLICY-500: Do not call native convertRequest"); } @Override 
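Review bot: In the `@@ -121` hunk, widening `catch (IOException exc)` to `catch (Exception exc)` now also catches the `ToscaPolicyConversionException("POLICY-500: Invalid XACML Policy")` thrown inside the same try block, so a policy that `XACMLPolicyScanner.readPolicy` returns as null reaches the caller as "Failed to read policy" instead; add `} catch (ToscaPolicyConversionException exc) { throw exc; }` ahead of the generic catch, or move the null check after the try. The broad catch additionally maps every runtime exception from the scanner to that one message, which is tolerable at this boundary only because the original is kept as the cause. Logging at error level immediately before throwing (here, in the `@@ -109` hunk, and repeated in almost every later hunk) yields one error line per catch level for a single bad policy; logging once where the exception is finally handled, with its cause, would keep the logs readable.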
@@ -152,27 +205,52 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { return null; } - @Getter - public static class NativeDefinition { - @NotNull - @NotBlank - private String policy; - } - private PolicySetType setPolicySetType(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException { PolicySetType policySetType = new PolicySetType(); - policySetType.setPolicySetId(String.valueOf(toscaPolicy.getMetadata().get("policy-id"))); - policySetType.setPolicyCombiningAlgId(XACML3.ID_POLICY_FIRST_APPLICABLE.stringValue()); - policySetType.setVersion(String.valueOf(toscaPolicy.getMetadata().get("policy-version"))); - policySetType.setDescription(String.valueOf(toscaPolicy.getMetadata().get(DESCRIPTION))); - policySetType.setTarget(setPolicySetTarget(toscaPolicy.getMetadata().get("action"))); - for (Map type : (List>) toscaPolicy.getProperties().get("policies")) { - ToscaPolicy policy = new ToscaPolicy(); - policy.setMetadata((Map) type.get("metadata")); - policy.setProperties((Map) type.get("properties")); - ObjectFactory objectFactory = new ObjectFactory(); - policySetType.getPolicySetOrPolicyOrPolicySetIdReference() - .add(objectFactory.createPolicy(convertPolicyXacml(policy))); + try { + final ObjectFactory objectFactory = new ObjectFactory(); + if (toscaPolicy.getMetadata().get(POLICY_ID) != null) { + policySetType.setPolicySetId(String.valueOf(toscaPolicy.getMetadata().get(POLICY_ID))); + } + policySetType.setPolicyCombiningAlgId(XACML3.ID_POLICY_FIRST_APPLICABLE.stringValue()); + if (toscaPolicy.getMetadata().get(POLICY_VERSION) != null) { + policySetType.setVersion(String.valueOf(toscaPolicy.getMetadata().get(POLICY_VERSION))); + } + if (toscaPolicy.getMetadata().get(DESCRIPTION) != null) { + policySetType.setDescription(String.valueOf(toscaPolicy.getMetadata().get(DESCRIPTION))); + } + if ((toscaPolicy.getMetadata().get(ACTION) != null)) { + policySetType.setTarget(setPolicySetTarget(toscaPolicy.getMetadata().get(ACTION))); + } + 
if (toscaPolicy.getProperties().get("policySetIdRefs") != null) { + for (Map type : (List>) toscaPolicy.getProperties() + .get("policySetIdRefs")) { + IdReferenceType ref = objectFactory.createIdReferenceType(); + if (type.get("id") == null || type.get(VERSION) == null + || type.get("id").isEmpty() || type.get(VERSION).isEmpty()) { + LOGGER.error("POLICY-500: Invalid policy set reference , missing ID or version"); + throw new ToscaPolicyConversionException( + "POLICY-500: Invalid policy set reference , missing ID or version"); + } + ref.setValue(type.get("id")); + ref.setVersion(type.get(VERSION)); + policySetType.getPolicySetOrPolicyOrPolicySetIdReference() + .add(objectFactory.createPolicySetIdReference(ref)); + } + } + if (toscaPolicy.getProperties().get("policies") != null) { + for (Map type : (List>) toscaPolicy.getProperties() + .get("policies")) { + ToscaPolicy policy = new ToscaPolicy(); + policy.setMetadata((Map) type.get("metadata")); + policy.setProperties((Map) type.get("properties")); + policySetType.getPolicySetOrPolicyOrPolicySetIdReference() + .add(objectFactory.createPolicy(convertPolicyXacml(policy))); + } + } + } catch (ToscaPolicyConversionException ex) { + LOGGER.error("POLICY-500: Invalid PolicySet structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid PolicySet structure"); } return policySetType; } 
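Review bot: The `catch (ToscaPolicyConversionException ex)` at the end of `setPolicySetType` replaces the specific failure (the "missing ID or version" message thrown a few lines above, or a rule error coming out of `convertPolicyXacml`) with the generic "Invalid PolicySet structure" and discards `ex`, so the caller cannot tell which part of the policy was rejected; either let the exception propagate unchanged or keep it as the cause, `throw new ToscaPolicyConversionException("POLICY-500: Invalid PolicySet structure", ex);`. The same cause-dropping rewrap appears in the `@@ -202`, `@@ -218`, `@@ -266`, `@@ -303`, `@@ -321`, `@@ -418`, `@@ -454` and `@@ -491` hunks. Separately, `policy-id` and `policy-version` are now optional for the policy set: when absent, no `PolicySetId` or `Version` is set at all, although both are required attributes of a XACML 3.0 PolicySet, so a missing id should probably be rejected here with a clear message rather than surfacing later as a marshalling or loading failure.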
@@ -202,14 +280,16 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { if (rule.get("condition") != null) { ruleType.setCondition(setConditionType((Map) rule.get("condition"))); } - if (rule.get("decision") == null) { - throw new ToscaPolicyConversionException("decision is mandatory in a rule"); + if (rule.get(DECISION) == null) { + LOGGER.error("POLICY-500: decision is mandatory in a rule"); + throw new ToscaPolicyConversionException("POLICY-500: decision is mandatory in a rule"); } setAdviceExpression(ruleType, rule); policyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(ruleType); } } catch (ToscaPolicyConversionException ex) { - throw new ToscaPolicyConversionException("Invalid rule format"); + LOGGER.error("POLICY-500: Invalid rule structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid rule structure"); } if (properties.get("default") != null) { setDefaultRule((String) properties.get("default"), policyType); 
@@ -218,36 +298,48 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { } private void setPolicyType(ToscaPolicy toscaPolicy, PolicyType policyType) throws ToscaPolicyConversionException { - policyType.setPolicyId(String.valueOf(toscaPolicy.getMetadata().get("policy-id"))); - policyType.setVersion(String.valueOf(toscaPolicy.getMetadata().get("policy-version"))); - policyType.setDescription(String.valueOf(toscaPolicy.getMetadata().get(DESCRIPTION))); - DefaultsType defaultsType = new DefaultsType(); - defaultsType.setXPathVersion("http://www.w3.org/TR/2007/REC-xpath20-20070123"); - policyType.setPolicyDefaults(defaultsType); - Map properties = toscaPolicy.getProperties(); - if (properties.get("combiningAlgo") != null) { - policyType.setRuleCombiningAlgId(validateFilterPropertyFunction((String) - properties.get("combiningAlgo")).stringValue()); - } else { - policyType.setRuleCombiningAlgId(XACML3.ID_RULE_FIRST_APPLICABLE.stringValue()); - } - if (properties.get(TARGET) != null) { - policyType.setTarget(setTargetType((Map) properties.get(TARGET))); - } else { - policyType.setTarget(new TargetType()); + try { + policyType.setPolicyId(String.valueOf(toscaPolicy.getMetadata().get(POLICY_ID))); + policyType.setVersion(String.valueOf(toscaPolicy.getMetadata().get(POLICY_VERSION))); + policyType.setDescription(String.valueOf(toscaPolicy.getMetadata().get(DESCRIPTION))); + DefaultsType defaultsType = new DefaultsType(); + policyType.setPolicyDefaults(defaultsType); + Map properties = toscaPolicy.getProperties(); + if (properties.get("combiningAlgo") != null) { + policyType.setRuleCombiningAlgId(validateFilterPropertyFunction((String) + properties.get("combiningAlgo")).stringValue()); + } else { + policyType.setRuleCombiningAlgId(XACML3.ID_RULE_FIRST_APPLICABLE.stringValue()); + } + if (properties.get(TARGET) != null) { + policyType.setTarget(setTargetType((Map) properties.get(TARGET))); + } else { + policyType.setTarget(new TargetType()); + } + } 
catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid Policy structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid Policy structure"); } } private void setAdviceExpression(RuleType ruleType, Map rule) throws ToscaPolicyConversionException { - String decision = (String) rule.get("decision"); - if ("Deny".equalsIgnoreCase(decision)) { - ruleType.setEffect(EffectType.DENY); - } else { - ruleType.setEffect(EffectType.PERMIT); - } - if (rule.get("advice") != null) { - ruleType.setAdviceExpressions(setAdvice((Map) rule.get("advice"), decision)); + try { + String decision = "Deny"; + if (rule.get(DECISION) != null) { + decision = (String) rule.get(DECISION); + } + if ("Deny".equalsIgnoreCase(decision)) { + ruleType.setEffect(EffectType.DENY); + } else { + ruleType.setEffect(EffectType.PERMIT); + } + if (rule.get("advice") != null) { + ruleType.setAdviceExpressions(setAdvice((Map) rule.get("advice"), decision)); + } + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid advice structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid advice structure"); } } 
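Review bot: `setPolicyType` now attaches an empty `DefaultsType` as `PolicyDefaults` because the `setXPathVersion(...)` line was removed; in the XACML 3.0 core schema a `Defaults` element carries a mandatory `XPathVersion`, so if the generated policy is ever schema-validated an empty `PolicyDefaults` is likely to be rejected, and the two lines should either be dropped entirely or the version restored. In `setAdviceExpression`, defaulting `decision` to `"Deny"` is the right fail-closed choice, but `convertPolicyXacml` already throws when `decision` is absent, so this branch is reachable only from other callers; a comment such as `// fail closed: an unspecified decision never grants` would record the intent for the next reader.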
@@ -266,34 +358,13 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { private TargetType setTargetType(Map appliesTo) throws ToscaPolicyConversionException { List listMatch = new ArrayList<>(); try { - List> allOffList = (List>) appliesTo.get("anyOne"); - for (Map allOff : allOffList) { - for (Map match : (List>) allOff.get("allOf")) { - var matchType = new MatchType(); - String operator = (String) match.get("operator"); - String datatype = getDatatype(operator); - matchType.setMatchId(validateFilterPropertyFunction(operator).stringValue()); - var valueType = setAttributeValueType(match.get(VALUE), - validateFilterPropertyFunction(datatype).stringValue()); - matchType.setAttributeValue(valueType); - String attribute = ""; - String category = ""; - if (((String) match.get("key")).contains("action")) { - attribute = validateFilterPropertyFunction((String) match - .get("key")).stringValue(); - category = XACML3.ID_ATTRIBUTE_CATEGORY_ACTION.stringValue(); - } else { - attribute = (String) match.get("key"); - category = XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE.stringValue(); - } - var designator = setAttributeDesignatorType(attribute, category, - validateFilterPropertyFunction(datatype).stringValue(), false); - matchType.setAttributeDesignator(designator); - listMatch.add(matchType); - } + if (appliesTo.get("anyOne") != null) { + List> allOffList = (List>) appliesTo.get("anyOne"); + processAllOfList(allOffList, listMatch); } - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid target format"); + } catch (Exception ex) { + LOGGER.error(ERROR_TARGET); + throw new ToscaPolicyConversionException(ERROR_TARGET); } var anyOfType = new AnyOfType(); MatchType[] matchTypes = new MatchType[listMatch.size()]; 
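Review bot: When the target map has no `anyOne` entry, `setTargetType` no longer fails but carries on with an empty `listMatch`, so the AnyOf built after the try block gets zero Match elements; the old code hit the NPE path and rejected the policy. A `target` that is present but contains nothing to match is a malformed policy and should be rejected rather than turned into a target that constrains nothing, since the remainder of the method (outside this hunk) appears to emit the AllOf from `listMatch` as-is. Add after the try: `if (listMatch.isEmpty()) { LOGGER.error(ERROR_TARGET); throw new ToscaPolicyConversionException(ERROR_TARGET); }`.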
@@ -303,6 +374,57 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { return target; } + private void processAllOfList(List> allOffList, List listMatch) + throws ToscaPolicyConversionException { + try { + for (Map allOff : allOffList) { + if (allOff.get("allOf") != null) { + for (Map match : (List>) allOff.get("allOf")) { + processMatchObject(match, listMatch); + } + } + } + } catch (Exception ex) { + LOGGER.error(ERROR_TARGET); + throw new ToscaPolicyConversionException(ERROR_TARGET); + } + } + + private void processMatchObject(Map match, List listMatch) + throws ToscaPolicyConversionException { + try { + var matchType = new MatchType(); + String operator = ""; + if (match.get(OPERATOR) != null) { + operator = (String) match.get(OPERATOR); + } + String datatype = getDatatype(operator); + matchType.setMatchId(validateFilterPropertyFunction(operator).stringValue()); + var valueType = setAttributeValueType(match.get(VALUE), + validateFilterPropertyFunction(datatype).stringValue()); + matchType.setAttributeValue(valueType); + String attribute = ""; + String category = ""; + if (match.get("key") != null) { + if (((String) match.get("key")).contains(ACTION)) { + attribute = validateFilterPropertyFunction((String) match + .get("key")).stringValue(); + category = XACML3.ID_ATTRIBUTE_CATEGORY_ACTION.stringValue(); + } else { + attribute = (String) match.get("key"); + category = XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE.stringValue(); + } + } + var designator = setAttributeDesignatorType(attribute, category, + validateFilterPropertyFunction(datatype).stringValue(), false); + matchType.setAttributeDesignator(designator); + listMatch.add(matchType); + } catch (Exception ex) { + LOGGER.error(ERROR_TARGET); + throw new ToscaPolicyConversionException(ERROR_TARGET); + } + } + private TargetType setPolicySetTarget(Object value) { var matchType = new MatchType(); matchType.setMatchId(XACML3.ID_FUNCTION_STRING_EQUAL.stringValue()); 
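Review bot: In `processMatchObject`, a match entry without a `key` leaves `attribute` and `category` as empty strings and still builds an `AttributeDesignator` from them, so the resulting `MatchType` carries an empty `AttributeId` and `Category` instead of the policy being rejected; `if (match.get("key") == null) { throw new ToscaPolicyConversionException(ERROR_TARGET); }` before the designator is built keeps the target strict. `operator` likewise defaults to `""` and is then handed to `getDatatype` and `validateFilterPropertyFunction`; whether those reject an empty string is not visible here, so an explicit check is cheaper than relying on it. The nested try/catch blocks in `setTargetType`, `processAllOfList` and `processMatchObject` each log and rethrow `ERROR_TARGET`, so one bad match produces three identical error lines; the two inner ones can simply let the exception propagate.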
@@ -321,81 +443,137 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { private ConditionType setConditionType(Map conditionMap) throws ToscaPolicyConversionException { var condition = new ConditionType(); + var factory = new ObjectFactory(); try { - Map applyMap = (Map) conditionMap.get(APPLY); - ApplyType parentApply = setApply(applyMap); - condition.setExpression(new ObjectFactory().createApply(parentApply)); - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid condition format"); + if (conditionMap.get(APPLY) != null) { + Map applyMap = (Map) conditionMap.get(APPLY); + ApplyType parentApply = setApply(applyMap); + condition.setExpression(factory.createApply(parentApply)); + } else if (conditionMap.get(EXPRESSION) != null) { + String expr = conditionMap.get(EXPRESSION).toString(); + ApplyType parentApply = convertToPrefixXacmlApply(expr, factory); + condition.setExpression(factory.createApply(parentApply)); + } else { + LOGGER.error("POLICY-500: Invalid condition structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid condition structure"); + } + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid condition structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid condition structure"); } return condition; } private ApplyType setApply(Map applies) throws ToscaPolicyConversionException { var apply = new ApplyType(); - try { - List keys = (List) applies.get("keys"); - String operator = (String) applies.get("operator"); - String datatype = getDatatype(operator); - apply.setFunctionId(validateFilterPropertyFunction(operator).stringValue()); - var factory = new ObjectFactory(); - List keyList = new ArrayList<>(); - setApplyKeys(keyList, keys, datatype, factory, apply); - setAttributeAndDesignator(keyList, apply, factory); - boolean data = switch (operator) { - case "or", "and", "n-of", "not", "all-of", "any-of", "any-of-any", "all-of-any", "all-of-all", 
- "any-of-all" -> false; - default -> true; - }; - if (data && applies.get("compareWith") != null) { - setCompareWith(applies, apply, factory, getDatatype(operator)); - } - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid apply format"); + var factory = new ObjectFactory(); + if ((applies.get("keys") != null) && (applies.get(OPERATOR) != null)) { + try { + List keys = (List) applies.get("keys"); + String operator = (String) applies.get(OPERATOR); + String datatype = ""; + boolean isHigherOrder = switch (operator) { + case "all-of", "any-of", "any-of-any", "all-of-any", "all-of-all", + "any-of-all", "map" -> true; + default -> false; + }; + if (!(isHigherOrder)) { + datatype = getDatatype(operator); + } + apply.setFunctionId(validateFilterPropertyFunction(operator).stringValue()); + List keyList = new ArrayList<>(); + getApplyKeys(keyList, keys, datatype, factory); + setApplyKeys(keyList, apply, factory); + + if (applies.get("compareWith") != null) { + setCompareWith(applies, apply, factory, getDatatype(operator)); + } + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid apply structure"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid apply structure"); + } + } else { + LOGGER.error("POLICY-500: Keys or operator missing in apply"); + throw new ToscaPolicyConversionException("POLICY-500: Keys or operator missing in apply"); } return apply; } - private void setApplyKeys(List keyList, List keys, String datatype, - ObjectFactory factory, ApplyType apply) throws ToscaPolicyConversionException { - for (Object keyObject : keys) { - if (keyObject instanceof Map) { - if (((Map) keyObject).get("list") != null) { - setBagApply(apply, (List) ((Map) keyObject).get("list"), datatype, factory); - } else if (((Map) keyObject).get("function") != null) { - setFunctionType(apply, ((Map) keyObject).get("function"), factory); - } else if (((Map) keyObject).get(APPLY) != null) { - keyList.add(setApply((Map) ((Map) 
keyObject).get(APPLY))); + private void getApplyKeys(List keyList, List keys, String datatype, + ObjectFactory factory) throws ToscaPolicyConversionException { + try { + for (Object keyObject : keys) { + if (keyObject instanceof Map && ((Map) keyObject).get(FUNCTION) != null) { + String fun = ((Map) keyObject).get(FUNCTION); + datatype = getDatatype(fun); + } + } + String originalDatatype = datatype; + for (int i = 0; i < keys.size(); i++) { + if (originalDatatype.equals("n-of")) { + if (i == 0) { + datatype = INTEGER; + } else { + datatype = BOOLEAN; + } + } + Object keyObject = keys.get(i); + if (keyObject instanceof Map) { + keyList = processKeyObject(keyObject, keyList, factory, datatype); } else { - throw new ToscaPolicyConversionException( - "Invalid key entry, object does not contain list, function or apply"); + setAttributes(keyObject, keyList, datatype, factory); } - } else { - setAttributes(keyObject, keyList, datatype, factory); } + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid keys in apply"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid keys in apply"); } } - private void setAttributeAndDesignator(List keyList, ApplyType apply, ObjectFactory factory) { - keyList.stream() - .sorted((firstKey, secondKey) -> { - if (firstKey instanceof AttributeValueType) { - return -1; - } else if (firstKey instanceof ApplyType) { - return 1; - } - return 0; - }) - .forEach(key -> { - if (key instanceof AttributeValueType) { - apply.getExpression().add(factory.createAttributeValue((AttributeValueType) key)); - } - if (key instanceof ApplyType) { - apply.getExpression().add(factory.createApply((ApplyType) key)); - } - }); + private List processKeyObject(Object keyObject, List keyList, + ObjectFactory factory, String datatype) + throws ToscaPolicyConversionException { + if (((Map) keyObject).get("list") != null) { + keyList.add(setBagApply((List) ((Map) keyObject).get("list"), datatype, factory)); + } else if (((Map) 
keyObject).get(FUNCTION) != null) { + keyList.add(setFunctionType(((Map) keyObject).get(FUNCTION))); + } else if (((Map) keyObject).get(APPLY) != null) { + keyList.add(setApply((Map) ((Map) keyObject).get(APPLY))); + } else if (((Map) keyObject).get(EXPRESSION) != null) { + String expr = ((Map) keyObject).get(EXPRESSION); + ApplyType apply = convertToPrefixXacmlApply(expr, factory); + keyList.add(apply); + } else { + LOGGER.error("POLICY-500: Invalid key entry, object does not contain list, function, expr or apply"); + throw new ToscaPolicyConversionException( + "POLICY-500: Invalid key entry, object does not contain list, function, expr or apply"); + } + return keyList; } + private void setApplyKeys(List keyList, ApplyType apply, ObjectFactory factory) { + if (keyList != null) { + keyList.stream() + .forEach(key -> { + if (key instanceof AttributeValueType) { + apply.getExpression().add(factory.createAttributeValue((AttributeValueType) key)); + } + if (key instanceof ApplyType) { + apply.getExpression().add(factory.createApply((ApplyType) key)); + } + if (key instanceof FunctionType) { + apply.getExpression().add(factory.createFunction((FunctionType) key)); + } + }); + } + } + + /** + * Create AttributeValue if it is simple value. + * Create AttributeDesignator if it is an input parameter name. + * Differentiate between a simple string value and a parameter name by checking + * if the string is enclosed by single quote , which means it is a simple value + */ private void setAttributes(Object key, List keyList, String datatype, ObjectFactory factory) throws ToscaPolicyConversionException { try { 
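Review bot: In `getApplyKeys`, the first loop overwrites the `datatype` derived from the operator with `getDatatype(fun)` for every `function` key, so when an apply lists more than one `function` key only the last one decides the datatype used for all attribute keys, and the operator's datatype is discarded even for keys unrelated to that function; if one function per apply is the intended contract, rejecting a second one explicitly, or documenting the rule with `// the datatype of a function key overrides the operator's datatype for every key in this apply`, would make that visible. `processKeyObject` mutates the `keyList` it receives and then returns the same reference, so the `keyList = processKeyObject(...)` assignment is a no-op; declaring it `void` removes the impression that a new list is produced. `setConditionType` and `processKeyObject` now pass a free-form `expr` string from the policy to `convertToPrefixXacmlApply`, which is outside this hunk; it is worth confirming that parser bounds nesting depth and rejects unknown operators, since the string comes straight from the submitted policy document.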
@@ -418,12 +596,13 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { validateFilterPropertyFunction(datatype).stringValue()); keyList.add(attributeValue); } - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid string value format in keys"); + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid string value format in keys"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid string value format in keys"); } } - private void setBagApply(ApplyType apply, List list, String datatype, ObjectFactory factory) + private ApplyType setBagApply(List list, String datatype, ObjectFactory factory) throws ToscaPolicyConversionException { try { var bagApply = new ApplyType(); 
@@ -454,20 +633,22 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { bagApply.getExpression().add(factory.createAttributeValue(attributeValue)); } } - apply.getExpression().add(factory.createApply(bagApply)); - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid list format in keys"); + return bagApply; + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid list format in keys"); + throw new ToscaPolicyConversionException("POLICY-500: Invalid list format in keys"); } } - private void setFunctionType(ApplyType apply, String function, ObjectFactory factory) + private FunctionType setFunctionType(String function) throws ToscaPolicyConversionException { try { var functionType = new FunctionType(); functionType.setFunctionId(validateFilterPropertyFunction(function).stringValue()); - apply.getExpression().add(factory.createFunction(functionType)); - } catch (NullPointerException ex) { - throw new ToscaPolicyConversionException("Invalid function format in keys"); + return functionType; + } catch (Exception ex) { + LOGGER.error("POLICY-500: Invalid function format in keys {}", function); + throw new ToscaPolicyConversionException("POLICY-500: Invalid function format in keys " + function); } } 
@@ -491,34 +672,31 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 keyApply.getExpression().add(factory.createAttributeDesignator(keyDesignator));
 apply.getExpression().add(factory.createApply(keyApply));
 } else {
- throw new ToscaPolicyConversionException("compareWith does not contain apply, value or key");
+ throw new ToscaPolicyConversionException("POLICY-500: compareWith does not "
+ + "contain apply, value or key");
 }
- } catch (NullPointerException ex) {
- throw new ToscaPolicyConversionException("Invalid compareWith format");
+ } catch (Exception ex) {
+ LOGGER.error("POLICY-500: Invalid compareWith format");
+ throw new ToscaPolicyConversionException("POLICY-500: Invalid compareWith format");
 }
 }
 
- private AdviceExpressionsType setAdvice(Map advice, String decision)
- throws ToscaPolicyConversionException {
- var adviceExpressions = new AdviceExpressionsType();
- try {
- var adviceExpression = new AdviceExpressionType();
- adviceExpression.setAdviceId(UUID.randomUUID().toString());
- var value = setAttributeValueType(advice.get(VALUE), XACML3.ID_DATATYPE_STRING.stringValue());
- var assignment = new AttributeAssignmentExpressionType();
- assignment.setAttributeId("urn:oasis:names:tc:xacml:2.0:example:attribute:text");
- assignment.setCategory(XACML3.ID_SUBJECT_CATEGORY_ACCESS_SUBJECT.stringValue());
- assignment.setExpression(new ObjectFactory().createAttributeValue(value));
- adviceExpression.getAttributeAssignmentExpression().add(assignment);
- if ("Deny".equalsIgnoreCase(decision)) {
- adviceExpression.setAppliesTo(EffectType.DENY);
- } else {
- adviceExpression.setAppliesTo(EffectType.PERMIT);
- }
- adviceExpressions.getAdviceExpression().add(adviceExpression);
- } catch (NullPointerException ex) {
- throw new ToscaPolicyConversionException("Invalid advice format");
+ private AdviceExpressionsType setAdvice(Map advice, String decision) {
+ var adviceExpression = new AdviceExpressionType();
+ adviceExpression.setAdviceId(UUID.randomUUID().toString());
+ var value = setAttributeValueType(advice.get(VALUE), XACML3.ID_DATATYPE_STRING.stringValue());
+ var assignment = new AttributeAssignmentExpressionType();
+ assignment.setAttributeId("urn:oasis:names:tc:xacml:2.0:example:attribute:text");
+ assignment.setCategory(XACML3.ID_SUBJECT_CATEGORY_ACCESS_SUBJECT.stringValue());
+ assignment.setExpression(new ObjectFactory().createAttributeValue(value));
+ adviceExpression.getAttributeAssignmentExpression().add(assignment);
+ if ("Deny".equalsIgnoreCase(decision)) {
+ adviceExpression.setAppliesTo(EffectType.DENY);
+ } else {
+ adviceExpression.setAppliesTo(EffectType.PERMIT);
 }
+ var adviceExpressions = new AdviceExpressionsType();
+ adviceExpressions.getAdviceExpression().add(adviceExpression);
 return adviceExpressions;
 }
 
@@ -539,6 +717,9 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 return attributeValue;
 }
 
+ //
+ // datatype of an attribute is derived from the operator
+ //
 private String getDatatype(String operator) throws ToscaPolicyConversionException {
 try {
 if (operator.contains("-to-")) {
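Review bot: `setAdvice` has lost both its try/catch and its `throws` clause, so an advice map without a `value` entry now passes `null` from `advice.get(VALUE)` straight into `setAttributeValueType`, and whatever that method does with `null` (presumably an unchecked exception) propagates to the caller instead of the former `ToscaPolicyConversionException("Invalid advice format")`. Unless the caller validates the advice map beforehand, a guard at the top of the method, `if (advice == null || advice.get(VALUE) == null) { throw new ToscaPolicyConversionException("POLICY-500: Invalid advice format"); }`, with the `throws` clause restored, keeps malformed policies on the same POLICY-500 error path as the other helpers. The `compareWith` method whose catch is shown at the start of this hunk begins outside it.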
@@ -550,14 +731,15 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 if (operator.equals("round") || operator.equals("floor")) {
 return DOUBLE;
 }
- List datatypes = Arrays.asList("string", "boolean", "integer", DOUBLE, "time", "date", "dateTime",
+ List datatypes = Arrays.asList("string", BOOLEAN, INTEGER, DOUBLE, "time", "date", "dateTime",
 "dayTimeDuration", "yearMonthDuration", "anyURI", "hexBinary", "rfc822Name", "base64Binary",
 "x500Name", "ipAddress", "dnsName");
 if (datatypes.stream().anyMatch(operator::contains)) {
 return operator.split("-")[0];
 }
- } catch (NullPointerException ex) {
- throw new ToscaPolicyConversionException("Invalid operator");
+ } catch (Exception ex) {
+ LOGGER.error("POLICY-500: Unexpected operator {}", operator);
+ throw new ToscaPolicyConversionException("POLICY-500: Invalid operator " + operator);
 }
 return operator;
 }
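Review bot: The `datatypes` list in `getDatatype` is rebuilt with `Arrays.asList` on every call although its contents are constant; hoisting it to a `private static final List<String> DATATYPES = List.of(...)` next to the other constants makes the lookup allocation-free and easier to keep in sync with `identifierMap`. Note also that `anyMatch(operator::contains)` is a substring test, so an operator is treated as typed if any datatype name appears anywhere in it and its first `-` segment is returned regardless of which name matched; if the leading segment is the intended datatype, `DATATYPES.stream().anyMatch(d -> operator.startsWith(d + "-"))` is the precise check. `getDatatype` starts in the previous hunk.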
@@ -583,21 +765,14 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("double-greater-than-or-equal", XACML3.ID_FUNCTION_DOUBLE_GREATER_THAN_OR_EQUAL);
 identifierMap.put("double-less-than", XACML3.ID_FUNCTION_DOUBLE_LESS_THAN);
 identifierMap.put("double-less-than-or-equal", XACML3.ID_FUNCTION_DOUBLE_LESS_THAN_OR_EQUAL);
- identifierMap.put("datetime-add-daytimeduration", XACML3.ID_FUNCTION_DATETIME_ADD_DAYTIMEDURATION);
- identifierMap.put("datetime-add-yearmonthduration", XACML3.ID_FUNCTION_DATETIME_ADD_YEARMONTHDURATION);
- identifierMap.put("datetime-subtract-daytimeturation", XACML3.ID_FUNCTION_DATETIME_SUBTRACT_DAYTIMEDURATION);
- identifierMap.put("datetime-subtract-yearmonthduration",
- XACML3.ID_FUNCTION_DATETIME_SUBTRACT_YEARMONTHDURATION);
- identifierMap.put("date-add-yearmonthduration", XACML3.ID_FUNCTION_DATE_ADD_YEARMONTHDURATION);
- identifierMap.put("date-subtract-yearmonthduration", XACML3.ID_FUNCTION_DATE_SUBTRACT_YEARMONTHDURATION);
 identifierMap.put("time-greater-than", XACML3.ID_FUNCTION_TIME_GREATER_THAN);
 identifierMap.put("time-greater-than-or-equal", XACML3.ID_FUNCTION_TIME_GREATER_THAN_OR_EQUAL);
 identifierMap.put("time-less-than", XACML3.ID_FUNCTION_TIME_LESS_THAN);
 identifierMap.put("time-less-than-or-equal", XACML3.ID_FUNCTION_TIME_LESS_THAN_OR_EQUAL);
- identifierMap.put("datetime-greater-than", XACML3.ID_FUNCTION_DATETIME_GREATER_THAN);
- identifierMap.put("datetime-greater-than-or-equal", XACML3.ID_FUNCTION_DATETIME_GREATER_THAN_OR_EQUAL);
- identifierMap.put("datetime-less-than", XACML3.ID_FUNCTION_DATETIME_LESS_THAN);
- identifierMap.put("datetime-less-than-or-equal", XACML3.ID_FUNCTION_DATETIME_LESS_THAN_OR_EQUAL);
+ identifierMap.put("dateTime-greater-than", XACML3.ID_FUNCTION_DATETIME_GREATER_THAN);
+ identifierMap.put("dateTime-greater-than-or-equal", XACML3.ID_FUNCTION_DATETIME_GREATER_THAN_OR_EQUAL);
+ identifierMap.put("dateTime-less-than", XACML3.ID_FUNCTION_DATETIME_LESS_THAN);
+ identifierMap.put("dateTime-less-than-or-equal", XACML3.ID_FUNCTION_DATETIME_LESS_THAN_OR_EQUAL);
 identifierMap.put("date-greater-than", XACML3.ID_FUNCTION_DATE_GREATER_THAN);
 identifierMap.put("date-greater-than-or-equal", XACML3.ID_FUNCTION_DATE_GREATER_THAN_OR_EQUAL);
 identifierMap.put("date-less-than", XACML3.ID_FUNCTION_DATE_LESS_THAN);
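Review bot: Renaming the map keys from all-lowercase (`datetime-greater-than`) to camelCase (`dateTime-greater-than`) silently breaks any existing native policy that uses the old spelling, since the old keys are dropped rather than kept as aliases and nothing visible in this diff normalizes case before the lookup. Either keep the old keys registered alongside the new ones for a deprecation period, or normalize the operator name on lookup (for example compare keys case-insensitively); the same applies to the renames in the following hunks. The six `datetime-add`/`subtract` entries removed here reappear in camelCase in the last hunk of the file, which I read as a move rather than a removal.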
@@ -619,21 +794,19 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("integer-abs", XACML3.ID_FUNCTION_INTEGER_ABS);
 identifierMap.put("double-abs", XACML3.ID_FUNCTION_DOUBLE_ABS);
 identifierMap.put("integer-to-double", XACML3.ID_FUNCTION_INTEGER_TO_DOUBLE);
- identifierMap.put("yearmonthduration-equal", XACML3.ID_FUNCTION_YEARMONTHDURATION_EQUAL);
- identifierMap.put("anyuri-equal", XACML3.ID_FUNCTION_ANYURI_EQUAL);
- identifierMap.put("hexbinary-equal", XACML3.ID_FUNCTION_HEXBINARY_EQUAL);
- identifierMap.put("rfc822name-equal", XACML3.ID_FUNCTION_RFC822NAME_EQUAL);
- identifierMap.put("x500name-equal", XACML3.ID_FUNCTION_X500NAME_EQUAL);
- identifierMap.put("string-from-ipaddress", XACML3.ID_FUNCTION_STRING_FROM_IPADDRESS);
- identifierMap.put("string-from-dnsname", XACML3.ID_FUNCTION_STRING_FROM_DNSNAME);
-
+ identifierMap.put("yearMonthDuration-equal", XACML3.ID_FUNCTION_YEARMONTHDURATION_EQUAL);
+ identifierMap.put("anyURI-equal", XACML3.ID_FUNCTION_ANYURI_EQUAL);
+ identifierMap.put("hexBinary-equal", XACML3.ID_FUNCTION_HEXBINARY_EQUAL);
+ identifierMap.put("rfc822Name-equal", XACML3.ID_FUNCTION_RFC822NAME_EQUAL);
+ identifierMap.put("x500Name-equal", XACML3.ID_FUNCTION_X500NAME_EQUAL);
+ identifierMap.put("string-from-dnsName", XACML3.ID_FUNCTION_STRING_FROM_DNSNAME);
 identifierMap.put("boolean-equal", XACML3.ID_FUNCTION_BOOLEAN_EQUAL);
 identifierMap.put("double-equal", XACML3.ID_FUNCTION_DOUBLE_EQUAL);
 identifierMap.put("date-equal", XACML3.ID_FUNCTION_DATE_EQUAL);
 identifierMap.put("time-equal", XACML3.ID_FUNCTION_TIME_EQUAL);
- identifierMap.put("datetime-equal", XACML3.ID_FUNCTION_DATETIME_EQUAL);
- identifierMap.put("daytimeduration-equal", XACML3.ID_FUNCTION_DAYTIMEDURATION_EQUAL);
- identifierMap.put("base64binary-equal", XACML3.ID_FUNCTION_BASE64BINARY_EQUAL);
+ identifierMap.put("dateTime-equal", XACML3.ID_FUNCTION_DATETIME_EQUAL);
+ identifierMap.put("dayTimeDuration-equal", XACML3.ID_FUNCTION_DAYTIMEDURATION_EQUAL);
+ identifierMap.put("base64Binary-equal", XACML3.ID_FUNCTION_BASE64BINARY_EQUAL);
 identifierMap.put("round", XACML3.ID_FUNCTION_ROUND);
 identifierMap.put("floor", XACML3.ID_FUNCTION_FLOOR);
 identifierMap.put("string-normalize-space", XACML3.ID_FUNCTION_STRING_NORMALIZE_SPACE);
@@ -651,40 +824,40 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("date-bag-size", XACML3.ID_FUNCTION_DATE_BAG_SIZE);
 identifierMap.put("date-is-in", XACML3.ID_FUNCTION_DATE_IS_IN);
 identifierMap.put("date-bag", XACML3.ID_FUNCTION_DATE_BAG);
- identifierMap.put("datetime-bag-size", XACML3.ID_FUNCTION_DATETIME_BAG_SIZE);
- identifierMap.put("datetime-is-in", XACML3.ID_FUNCTION_DATETIME_IS_IN);
- identifierMap.put("datetime-bag", XACML3.ID_FUNCTION_DATETIME_BAG);
- identifierMap.put("anyuri-bag-size", XACML3.ID_FUNCTION_ANYURI_BAG_SIZE);
- identifierMap.put("anyuri-is-in", XACML3.ID_FUNCTION_ANYURI_IS_IN);
- identifierMap.put("anyuri-bag", XACML3.ID_FUNCTION_ANYURI_BAG);
- identifierMap.put("hexbinary-bag-size", XACML3.ID_FUNCTION_HEXBINARY_BAG_SIZE);
- identifierMap.put("hexbinary-is-in", XACML3.ID_FUNCTION_HEXBINARY_IS_IN);
- identifierMap.put("hexbinary-bag", XACML3.ID_FUNCTION_HEXBINARY_BAG);
- identifierMap.put("base64binary-bag-size", XACML3.ID_FUNCTION_BASE64BINARY_BAG_SIZE);
- identifierMap.put("base64binary-is-in", XACML3.ID_FUNCTION_BASE64BINARY_IS_IN);
- identifierMap.put("base64binary-bag", XACML3.ID_FUNCTION_BASE64BINARY_BAG);
- identifierMap.put("daytimeduration-bag-size", XACML3.ID_FUNCTION_DAYTIMEDURATION_BAG_SIZE);
- identifierMap.put("daytimeduration-is-in", XACML3.ID_FUNCTION_DAYTIMEDURATION_IS_IN);
- identifierMap.put("daytimeduration-bag", XACML3.ID_FUNCTION_DAYTIMEDURATION_BAG);
- identifierMap.put("yearmonthduration-bag-size", XACML3.ID_FUNCTION_YEARMONTHDURATION_BAG_SIZE);
- identifierMap.put("yearmonthduration-is-in", XACML3.ID_FUNCTION_YEARMONTHDURATION_IS_IN);
- identifierMap.put("yearmonthduration-bag", XACML3.ID_FUNCTION_YEARMONTHDURATION_BAG);
- identifierMap.put("x500name-one-and-only", XACML3.ID_FUNCTION_X500NAME_ONE_AND_ONLY);
- identifierMap.put("x500name-bag-size", XACML3.ID_FUNCTION_X500NAME_BAG_SIZE);
- identifierMap.put("x500name-is-in", XACML3.ID_FUNCTION_X500NAME_IS_IN);
- identifierMap.put("x500name-bag", XACML3.ID_FUNCTION_X500NAME_BAG);
- identifierMap.put("rfc822name-one-and-only", XACML3.ID_FUNCTION_RFC822NAME_ONE_AND_ONLY);
- identifierMap.put("rfc822name-bag-size", XACML3.ID_FUNCTION_RFC822NAME_BAG_SIZE);
- identifierMap.put("rfc822name-is-in", XACML3.ID_FUNCTION_RFC822NAME_IS_IN);
- identifierMap.put("rfc822name-bag", XACML3.ID_FUNCTION_RFC822NAME_BAG);
- identifierMap.put("ipaddress-one-and-only", XACML3.ID_FUNCTION_IPADDRESS_ONE_AND_ONLY);
- identifierMap.put("ipaddress-bag-size", XACML3.ID_FUNCTION_IPADDRESS_BAG_SIZE);
- identifierMap.put("ipaddress-is-in", XACML3.ID_FUNCTION_IPADDRESS_IS_IN);
- identifierMap.put("ipaddress-bag", XACML3.ID_FUNCTION_IPADDRESS_BAG);
- identifierMap.put("dnsname-one-and-only", XACML3.ID_FUNCTION_DNSNAME_ONE_AND_ONLY);
- identifierMap.put("dnsname-bag-size", XACML3.ID_FUNCTION_DNSNAME_BAG_SIZE);
- identifierMap.put("dnsname-is-in", XACML3.ID_FUNCTION_DNSNAME_IS_IN);
- identifierMap.put("dnsname-bag", XACML3.ID_FUNCTION_DNSNAME_BAG);
+ identifierMap.put("dateTime-bag-size", XACML3.ID_FUNCTION_DATETIME_BAG_SIZE);
+ identifierMap.put("dateTime-is-in", XACML3.ID_FUNCTION_DATETIME_IS_IN);
+ identifierMap.put("dateTime-bag", XACML3.ID_FUNCTION_DATETIME_BAG);
+ identifierMap.put("anyURI-bag-size", XACML3.ID_FUNCTION_ANYURI_BAG_SIZE);
+ identifierMap.put("anyURI-is-in", XACML3.ID_FUNCTION_ANYURI_IS_IN);
+ identifierMap.put("anyURI-bag", XACML3.ID_FUNCTION_ANYURI_BAG);
+ identifierMap.put("hexBinary-bag-size", XACML3.ID_FUNCTION_HEXBINARY_BAG_SIZE);
+ identifierMap.put("hexBinary-is-in", XACML3.ID_FUNCTION_HEXBINARY_IS_IN);
+ identifierMap.put("hexBinary-bag", XACML3.ID_FUNCTION_HEXBINARY_BAG);
+ identifierMap.put("base64Binary-bag-size", XACML3.ID_FUNCTION_BASE64BINARY_BAG_SIZE);
+ identifierMap.put("base64Binary-is-in", XACML3.ID_FUNCTION_BASE64BINARY_IS_IN);
+ identifierMap.put("base64Binary-bag", XACML3.ID_FUNCTION_BASE64BINARY_BAG);
+ identifierMap.put("dayTimeDuration-bag-size", XACML3.ID_FUNCTION_DAYTIMEDURATION_BAG_SIZE);
+ identifierMap.put("dayTimeDuration-is-in", XACML3.ID_FUNCTION_DAYTIMEDURATION_IS_IN);
+ identifierMap.put("dayTimeDuration-bag", XACML3.ID_FUNCTION_DAYTIMEDURATION_BAG);
+ identifierMap.put("yearMonthDuration-bag-size", XACML3.ID_FUNCTION_YEARMONTHDURATION_BAG_SIZE);
+ identifierMap.put("yearMonthDuration-is-in", XACML3.ID_FUNCTION_YEARMONTHDURATION_IS_IN);
+ identifierMap.put("yearMonthDuration-bag", XACML3.ID_FUNCTION_YEARMONTHDURATION_BAG);
+ identifierMap.put("x500Name-one-and-only", XACML3.ID_FUNCTION_X500NAME_ONE_AND_ONLY);
+ identifierMap.put("x500Name-bag-size", XACML3.ID_FUNCTION_X500NAME_BAG_SIZE);
+ identifierMap.put("x500Name-is-in", XACML3.ID_FUNCTION_X500NAME_IS_IN);
+ identifierMap.put("x500Name-bag", XACML3.ID_FUNCTION_X500NAME_BAG);
+ identifierMap.put("rfc822Name-one-and-only", XACML3.ID_FUNCTION_RFC822NAME_ONE_AND_ONLY);
+ identifierMap.put("rfc822Name-bag-size", XACML3.ID_FUNCTION_RFC822NAME_BAG_SIZE);
+ identifierMap.put("rfc822Name-is-in", XACML3.ID_FUNCTION_RFC822NAME_IS_IN);
+ identifierMap.put("rfc822Name-bag", XACML3.ID_FUNCTION_RFC822NAME_BAG);
+ identifierMap.put("ipAddress-one-and-only", XACML3.ID_FUNCTION_IPADDRESS_ONE_AND_ONLY);
+ identifierMap.put("ipAddress-bag-size", XACML3.ID_FUNCTION_IPADDRESS_BAG_SIZE);
+ identifierMap.put("ipAddress-is-in", XACML3.ID_FUNCTION_IPADDRESS_IS_IN);
+ identifierMap.put("ipAddress-bag", XACML3.ID_FUNCTION_IPADDRESS_BAG);
+ identifierMap.put("dnsName-one-and-only", XACML3.ID_FUNCTION_DNSNAME_ONE_AND_ONLY);
+ identifierMap.put("dnsName-bag-size", XACML3.ID_FUNCTION_DNSNAME_BAG_SIZE);
+ identifierMap.put("dnsName-is-in", XACML3.ID_FUNCTION_DNSNAME_IS_IN);
+ identifierMap.put("dnsName-bag", XACML3.ID_FUNCTION_DNSNAME_BAG);
 identifierMap.put("string-concatenate", XACML3.ID_FUNCTION_STRING_CONCATENATE);
 identifierMap.put("boolean-from-string", XACML3.ID_FUNCTION_BOOLEAN_FROM_STRING);
 identifierMap.put("string-from-boolean", XACML3.ID_FUNCTION_STRING_FROM_BOOLEAN);
@@ -696,33 +869,34 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("string-from-time", XACML3.ID_FUNCTION_STRING_FROM_TIME);
 identifierMap.put("date-from-string", XACML3.ID_FUNCTION_DATE_FROM_STRING);
 identifierMap.put("string-from-date", XACML3.ID_FUNCTION_STRING_FROM_DATE);
- identifierMap.put("datetime-from-string", XACML3.ID_FUNCTION_DATETIME_FROM_STRING);
- identifierMap.put("string-from-datetime", XACML3.ID_FUNCTION_STRING_FROM_DATETIME);
- identifierMap.put("anyuri-from-string", XACML3.ID_FUNCTION_ANYURI_FROM_STRING);
- identifierMap.put("string-from-anyuri", XACML3.ID_FUNCTION_STRING_FROM_ANYURI);
- identifierMap.put("daytimeduration-from-string", XACML3.ID_FUNCTION_DAYTIMEDURATION_FROM_STRING);
- identifierMap.put("string-from-daytimeturation", XACML3.ID_FUNCTION_STRING_FROM_DAYTIMEDURATION);
- identifierMap.put("yearmonthduration-from-string", XACML3.ID_FUNCTION_YEARMONTHDURATION_FROM_STRING);
- identifierMap.put("string-from-yearmonthduration", XACML3.ID_FUNCTION_STRING_FROM_YEARMONTHDURATION);
- identifierMap.put("x500name-from-string", XACML3.ID_FUNCTION_X500NAME_FROM_STRING);
- identifierMap.put("string-from-x500name", XACML3.ID_FUNCTION_STRING_FROM_X500NAME);
- identifierMap.put("rfc822name-from-string", XACML3.ID_FUNCTION_RFC822NAME_FROM_STRING);
- identifierMap.put("string-from-rfc822name", XACML3.ID_FUNCTION_STRING_FROM_RFC822NAME);
- identifierMap.put("ipaddress-from-string", XACML3.ID_FUNCTION_IPADDRESS_FROM_STRING);
- identifierMap.put("dnsname-from-string", XACML3.ID_FUNCTION_DNSNAME_FROM_STRING);
- identifierMap.put("anyuri-starts-with", XACML3.ID_FUNCTION_ANYURI_STARTS_WITH);
- identifierMap.put("anyuri-ends-with", XACML3.ID_FUNCTION_ANYURI_ENDS_WITH);
- identifierMap.put("anyuri-contains", XACML3.ID_FUNCTION_ANYURI_CONTAINS);
+ identifierMap.put("dateTime-from-string", XACML3.ID_FUNCTION_DATETIME_FROM_STRING);
+ identifierMap.put("string-from-dateTime", XACML3.ID_FUNCTION_STRING_FROM_DATETIME);
+ identifierMap.put("anyURI-from-string", XACML3.ID_FUNCTION_ANYURI_FROM_STRING);
+ identifierMap.put("string-from-anyURI", XACML3.ID_FUNCTION_STRING_FROM_ANYURI);
+ identifierMap.put("dayTimeDuration-from-string", XACML3.ID_FUNCTION_DAYTIMEDURATION_FROM_STRING);
+ identifierMap.put("string-from-daytimeDuration", XACML3.ID_FUNCTION_STRING_FROM_DAYTIMEDURATION);
+ identifierMap.put("yearMonthDuration-from-string", XACML3.ID_FUNCTION_YEARMONTHDURATION_FROM_STRING);
+ identifierMap.put("string-from-yearMonthDuration", XACML3.ID_FUNCTION_STRING_FROM_YEARMONTHDURATION);
+ identifierMap.put("x500Name-from-string", XACML3.ID_FUNCTION_X500NAME_FROM_STRING);
+ identifierMap.put("string-from-x500Name", XACML3.ID_FUNCTION_STRING_FROM_X500NAME);
+ identifierMap.put("rfc822Name-from-string", XACML3.ID_FUNCTION_RFC822NAME_FROM_STRING);
+ identifierMap.put("string-from-rfc822Name", XACML3.ID_FUNCTION_STRING_FROM_RFC822NAME);
+ identifierMap.put("ipAddress-from-string", XACML3.ID_FUNCTION_IPADDRESS_FROM_STRING);
+ identifierMap.put("dnsName-from-string", XACML3.ID_FUNCTION_DNSNAME_FROM_STRING);
+ identifierMap.put("anyURI-starts-with", XACML3.ID_FUNCTION_ANYURI_STARTS_WITH);
+ identifierMap.put("anyURI-ends-with", XACML3.ID_FUNCTION_ANYURI_ENDS_WITH);
+ identifierMap.put("anyURI-contains", XACML3.ID_FUNCTION_ANYURI_CONTAINS);
 identifierMap.put("string-substring", XACML3.ID_FUNCTION_STRING_SUBSTRING);
- identifierMap.put("anyuri-substring", XACML3.ID_FUNCTION_ANYURI_SUBSTRING);
+ identifierMap.put("anyURI-substring", XACML3.ID_FUNCTION_ANYURI_SUBSTRING);
 identifierMap.put("map", XACML3.ID_FUNCTION_MAP);
- identifierMap.put("x500name-match", XACML3.ID_FUNCTION_X500NAME_MATCH);
- identifierMap.put("rfc822name-match", XACML3.ID_FUNCTION_RFC822NAME_MATCH);
- identifierMap.put("anyuri-regexp-match", XACML3.ID_FUNCTION_ANYURI_REGEXP_MATCH);
- identifierMap.put("ipaddress-regexp-match", XACML3.ID_FUNCTION_IPADDRESS_REGEXP_MATCH);
- identifierMap.put("dnsname-regexp-match", XACML3.ID_FUNCTION_DNSNAME_REGEXP_MATCH);
- identifierMap.put("rfc822name-regexp-match", XACML3.ID_FUNCTION_RFC822NAME_REGEXP_MATCH);
- identifierMap.put("x500name-regexp-match", XACML3.ID_FUNCTION_X500NAME_REGEXP_MATCH);
+ identifierMap.put("n-of", XACML3.ID_FUNCTION_N_OF);
+ identifierMap.put("x500Name-match", XACML3.ID_FUNCTION_X500NAME_MATCH);
+ identifierMap.put("rfc822Name-match", XACML3.ID_FUNCTION_RFC822NAME_MATCH);
+ identifierMap.put("anyURI-regexp-match", XACML3.ID_FUNCTION_ANYURI_REGEXP_MATCH);
+ identifierMap.put("ipAddress-regexp-match", XACML3.ID_FUNCTION_IPADDRESS_REGEXP_MATCH);
+ identifierMap.put("dnsName-regexp-match", XACML3.ID_FUNCTION_DNSNAME_REGEXP_MATCH);
+ identifierMap.put("rfc822Name-regexp-match", XACML3.ID_FUNCTION_RFC822NAME_REGEXP_MATCH);
+ identifierMap.put("x500Name-regexp-match", XACML3.ID_FUNCTION_X500NAME_REGEXP_MATCH);
 identifierMap.put("xpath-node-count", XACML3.ID_FUNCTION_XPATH_NODE_COUNT);
 identifierMap.put("xpath-node-equal", XACML3.ID_FUNCTION_XPATH_NODE_EQUAL);
 identifierMap.put("xpath-node-match", XACML3.ID_FUNCTION_XPATH_NODE_MATCH);
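Review bot: The key `"string-from-daytimeDuration"` does not follow the camelCase convention applied to every other key in this hunk (`dayTimeDuration`), and a correctly spelt `"string-from-dayTimeDuration"` entry for the same `XACML3.ID_FUNCTION_STRING_FROM_DAYTIMEDURATION` is added in the next hunk, so this one looks like a leftover of the old `string-from-daytimeturation` typo rather than an intentional alias. Keeping both means policies can depend on two spellings of one operator; I would fix the spelling here, `identifierMap.put("string-from-dayTimeDuration", XACML3.ID_FUNCTION_STRING_FROM_DAYTIMEDURATION);`, and drop the duplicate from the next hunk.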
@@ -756,66 +930,75 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("date-union", XACML3.ID_FUNCTION_DATE_UNION);
 identifierMap.put("date-subset", XACML3.ID_FUNCTION_DATE_SUBSET);
 identifierMap.put("date-set-equals", XACML3.ID_FUNCTION_DATE_SET_EQUALS);
- identifierMap.put("datetime-intersection", XACML3.ID_FUNCTION_DATETIME_INTERSECTION);
- identifierMap.put("datetime-at-least-one-member-of", XACML3.ID_FUNCTION_DATETIME_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("datetime-union", XACML3.ID_FUNCTION_DATETIME_UNION);
- identifierMap.put("datetime-subset", XACML3.ID_FUNCTION_DATETIME_SUBSET);
- identifierMap.put("datetime-set-equals", XACML3.ID_FUNCTION_DATETIME_SET_EQUALS);
-
- identifierMap.put("anyuri-intersection", XACML3.ID_FUNCTION_ANYURI_INTERSECTION);
- identifierMap.put("anyuri-at-least-one-member-of", XACML3.ID_FUNCTION_ANYURI_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("anyuri-union", XACML3.ID_FUNCTION_ANYURI_UNION);
- identifierMap.put("anyuri-subset", XACML3.ID_FUNCTION_ANYURI_SUBSET);
- identifierMap.put("anyuri-set-equals", XACML3.ID_FUNCTION_ANYURI_SET_EQUALS);
- identifierMap.put("hexbinary-intersection", XACML3.ID_FUNCTION_HEXBINARY_INTERSECTION);
- identifierMap.put("hexbinary-at-least-one-member-of", XACML3.ID_FUNCTION_HEXBINARY_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("hexbinary-union", XACML3.ID_FUNCTION_HEXBINARY_UNION);
- identifierMap.put("hexbinary-subset", XACML3.ID_FUNCTION_HEXBINARY_SUBSET);
- identifierMap.put("hexbinary-set-equals", XACML3.ID_FUNCTION_HEXBINARY_SET_EQUALS);
- identifierMap.put("base64binary-intersection", XACML3.ID_FUNCTION_BASE64BINARY_INTERSECTION);
- identifierMap.put("base64binary-at-least-one-member-of",
+ identifierMap.put("dateTime-intersection", XACML3.ID_FUNCTION_DATETIME_INTERSECTION);
+ identifierMap.put("dateTime-at-least-one-member-of", XACML3.ID_FUNCTION_DATETIME_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("dateTime-union", XACML3.ID_FUNCTION_DATETIME_UNION);
+ identifierMap.put("dateTime-subset", XACML3.ID_FUNCTION_DATETIME_SUBSET);
+ identifierMap.put("dateTime-set-equals", XACML3.ID_FUNCTION_DATETIME_SET_EQUALS);
+ identifierMap.put("anyURI-intersection", XACML3.ID_FUNCTION_ANYURI_INTERSECTION);
+ identifierMap.put("anyURI-at-least-one-member-of", XACML3.ID_FUNCTION_ANYURI_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("anyURI-union", XACML3.ID_FUNCTION_ANYURI_UNION);
+ identifierMap.put("anyURI-subset", XACML3.ID_FUNCTION_ANYURI_SUBSET);
+ identifierMap.put("anyURI-set-equals", XACML3.ID_FUNCTION_ANYURI_SET_EQUALS);
+ identifierMap.put("hexBinary-intersection", XACML3.ID_FUNCTION_HEXBINARY_INTERSECTION);
+ identifierMap.put("hexBinary-at-least-one-member-of", XACML3.ID_FUNCTION_HEXBINARY_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("hexBinary-union", XACML3.ID_FUNCTION_HEXBINARY_UNION);
+ identifierMap.put("hexBinary-subset", XACML3.ID_FUNCTION_HEXBINARY_SUBSET);
+ identifierMap.put("hexBinary-set-equals", XACML3.ID_FUNCTION_HEXBINARY_SET_EQUALS);
+ identifierMap.put("base64Binary-intersection", XACML3.ID_FUNCTION_BASE64BINARY_INTERSECTION);
+ identifierMap.put("string-from-dayTimeDuration", XACML3.ID_FUNCTION_STRING_FROM_DAYTIMEDURATION);
+ identifierMap.put("string-from-ipAddress", XACML3.ID_FUNCTION_STRING_FROM_IPADDRESS);
+ identifierMap.put("base64Binary-at-least-one-member-of",
 XACML3.ID_FUNCTION_BASE64BINARY_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("base64binary-union", XACML3.ID_FUNCTION_BASE64BINARY_UNION);
- identifierMap.put("base64binary-subset", XACML3.ID_FUNCTION_BASE64BINARY_SUBSET);
- identifierMap.put("base64binary-set-equals", XACML3.ID_FUNCTION_BASE64BINARY_SET_EQUALS);
- identifierMap.put("daytimeduration-intersection", XACML3.ID_FUNCTION_DAYTIMEDURATION_INTERSECTION);
- identifierMap.put("daytimeduration-at-least-one-member-of",
+ identifierMap.put("base64Binary-union", XACML3.ID_FUNCTION_BASE64BINARY_UNION);
+ identifierMap.put("base64Binary-subset", XACML3.ID_FUNCTION_BASE64BINARY_SUBSET);
+ identifierMap.put("base64Binary-set-equals", XACML3.ID_FUNCTION_BASE64BINARY_SET_EQUALS);
+ identifierMap.put("dayTimeDuration-intersection", XACML3.ID_FUNCTION_DAYTIMEDURATION_INTERSECTION);
+ identifierMap.put("dayTimeDuration-at-least-one-member-of",
 XACML3.ID_FUNCTION_DAYTIMEDURATION_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("daytimeduration-union", XACML3.ID_FUNCTION_DAYTIMEDURATION_UNION);
- identifierMap.put("daytimeduration-subset", XACML3.ID_FUNCTION_DAYTIMEDURATION_SUBSET);
- identifierMap.put("daytimeduration-set-equals", XACML3.ID_FUNCTION_DAYTIMEDURATION_SET_EQUALS);
- identifierMap.put("yearmonthduration-intersection", XACML3.ID_FUNCTION_YEARMONTHDURATION_INTERSECTION);
- identifierMap.put("yearmonthduration-at-least-one-member-of",
+ identifierMap.put("dayTimeDuration-union", XACML3.ID_FUNCTION_DAYTIMEDURATION_UNION);
+ identifierMap.put("dayTimeDuration-subset", XACML3.ID_FUNCTION_DAYTIMEDURATION_SUBSET);
+ identifierMap.put("dayTimeDuration-set-equals", XACML3.ID_FUNCTION_DAYTIMEDURATION_SET_EQUALS);
+ identifierMap.put("yearMonthDuration-intersection", XACML3.ID_FUNCTION_YEARMONTHDURATION_INTERSECTION);
+ identifierMap.put("yearMonthDuration-at-least-one-member-of",
 XACML3.ID_FUNCTION_YEARMONTHDURATION_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("yearmonthduration-union", XACML3.ID_FUNCTION_YEARMONTHDURATION_UNION);
- identifierMap.put("yearmonthduration-subset", XACML3.ID_FUNCTION_YEARMONTHDURATION_SUBSET);
- identifierMap.put("yearmonthduration-set-equals", XACML3.ID_FUNCTION_YEARMONTHDURATION_SET_EQUALS);
- identifierMap.put("x500name-intersection", XACML3.ID_FUNCTION_X500NAME_INTERSECTION);
- identifierMap.put("x500name-at-least-one-member-of", XACML3.ID_FUNCTION_X500NAME_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("x500name-union", XACML3.ID_FUNCTION_X500NAME_UNION);
- identifierMap.put("x500name-subset", XACML3.ID_FUNCTION_X500NAME_SUBSET);
- identifierMap.put("x500name-set-equals", XACML3.ID_FUNCTION_X500NAME_SET_EQUALS);
- identifierMap.put("rfc822name-intersection", XACML3.ID_FUNCTION_RFC822NAME_INTERSECTION);
- identifierMap.put("rfc822name-at-least-one-member-of", XACML3.ID_FUNCTION_RFC822NAME_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("rfc822name-union", XACML3.ID_FUNCTION_RFC822NAME_UNION);
- identifierMap.put("rfc822name-subset", XACML3.ID_FUNCTION_RFC822NAME_SUBSET);
- identifierMap.put("rfc822name-set-equals", XACML3.ID_FUNCTION_RFC822NAME_SET_EQUALS);
- identifierMap.put("ipaddress-intersection", XACML3.ID_FUNCTION_IPADDRESS_INTERSECTION);
- identifierMap.put("ipaddress-at-least-one-member-of", XACML3.ID_FUNCTION_IPADDRESS_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("ipaddress-union", XACML3.ID_FUNCTION_IPADDRESS_UNION);
- identifierMap.put("ipaddress-subset", XACML3.ID_FUNCTION_IPADDRESS_SUBSET);
- identifierMap.put("ipaddress-set-equals", XACML3.ID_FUNCTION_IPADDRESS_SET_EQUALS);
- identifierMap.put("dnsname-intersection", XACML3.ID_FUNCTION_DNSNAME_INTERSECTION);
- identifierMap.put("dnsname-at-least-one-member-of", XACML3.ID_FUNCTION_DNSNAME_AT_LEAST_ONE_MEMBER_OF);
- identifierMap.put("dnsname-union", XACML3.ID_FUNCTION_DNSNAME_UNION);
- identifierMap.put("dnsname-subset", XACML3.ID_FUNCTION_DNSNAME_SUBSET);
- identifierMap.put("dnsname-set-equals", XACML3.ID_FUNCTION_DNSNAME_SET_EQUALS);
+ identifierMap.put("yearMonthDuration-union", XACML3.ID_FUNCTION_YEARMONTHDURATION_UNION);
+ identifierMap.put("yearMonthDuration-subset", XACML3.ID_FUNCTION_YEARMONTHDURATION_SUBSET);
+ identifierMap.put("yearMonthDuration-set-equals", XACML3.ID_FUNCTION_YEARMONTHDURATION_SET_EQUALS);
+ identifierMap.put("x500Name-intersection", XACML3.ID_FUNCTION_X500NAME_INTERSECTION);
+ identifierMap.put("x500Name-at-least-one-member-of", XACML3.ID_FUNCTION_X500NAME_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("x500Name-union", XACML3.ID_FUNCTION_X500NAME_UNION);
+ identifierMap.put("x500Name-subset", XACML3.ID_FUNCTION_X500NAME_SUBSET);
+ identifierMap.put("x500Name-set-equals", XACML3.ID_FUNCTION_X500NAME_SET_EQUALS);
+ identifierMap.put("rfc822Name-intersection", XACML3.ID_FUNCTION_RFC822NAME_INTERSECTION);
+ identifierMap.put("rfc822Name-at-least-one-member-of", XACML3.ID_FUNCTION_RFC822NAME_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("rfc822Name-union", XACML3.ID_FUNCTION_RFC822NAME_UNION);
+ identifierMap.put("rfc822Name-subset", XACML3.ID_FUNCTION_RFC822NAME_SUBSET);
+ identifierMap.put("rfc822Name-set-equals", XACML3.ID_FUNCTION_RFC822NAME_SET_EQUALS);
+ identifierMap.put("ipAddress-intersection", XACML3.ID_FUNCTION_IPADDRESS_INTERSECTION);
+ identifierMap.put("ipAddress-at-least-one-member-of", XACML3.ID_FUNCTION_IPADDRESS_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("ipAddress-union", XACML3.ID_FUNCTION_IPADDRESS_UNION);
+ identifierMap.put("ipAddress-subset", XACML3.ID_FUNCTION_IPADDRESS_SUBSET);
+ identifierMap.put("ipAddress-set-equals", XACML3.ID_FUNCTION_IPADDRESS_SET_EQUALS);
+ identifierMap.put("dnsName-intersection", XACML3.ID_FUNCTION_DNSNAME_INTERSECTION);
+ identifierMap.put("dnsName-at-least-one-member-of", XACML3.ID_FUNCTION_DNSNAME_AT_LEAST_ONE_MEMBER_OF);
+ identifierMap.put("dnsName-union", XACML3.ID_FUNCTION_DNSNAME_UNION);
+ identifierMap.put("dnsName-subset", XACML3.ID_FUNCTION_DNSNAME_SUBSET);
+ identifierMap.put("dnsName-set-equals", XACML3.ID_FUNCTION_DNSNAME_SET_EQUALS);
 identifierMap.put("access-permitted", XACML3.ID_FUNCTION_ACCESS_PERMITTED);
-
- // function condition
+ identifierMap.put("string-one-and-only", XACML3.ID_FUNCTION_STRING_ONE_AND_ONLY);
+ identifierMap.put("integer-one-and-only", XACML3.ID_FUNCTION_INTEGER_ONE_AND_ONLY);
+ identifierMap.put("double-one-and-only", XACML3.ID_FUNCTION_DOUBLE_ONE_AND_ONLY);
+ identifierMap.put("time-one-and-only", XACML3.ID_FUNCTION_TIME_ONE_AND_ONLY);
+ identifierMap.put("date-one-and-only", XACML3.ID_FUNCTION_DATE_ONE_AND_ONLY);
+ identifierMap.put("dateTime-one-and-only", XACML3.ID_FUNCTION_DATETIME_ONE_AND_ONLY);
+ identifierMap.put("anyURI-one-and-only", XACML3.ID_FUNCTION_ANYURI_ONE_AND_ONLY);
+ identifierMap.put("hexBinary-one-and-only", XACML3.ID_FUNCTION_HEXBINARY_ONE_AND_ONLY);
+ identifierMap.put("base64Binary-one-and-only", XACML3.ID_FUNCTION_BASE64BINARY_ONE_AND_ONLY);
+ identifierMap.put("dayTimeDuration-one-and-only", XACML3.ID_FUNCTION_DAYTIMEDURATION_ONE_AND_ONLY);
+ identifierMap.put("yearMonthDuration-one-and-only", XACML3.ID_FUNCTION_YEARMONTHDURATION_ONE_AND_ONLY);
 identifierMap.put("or", XACML3.ID_FUNCTION_OR);
 identifierMap.put("and", XACML3.ID_FUNCTION_AND);
- identifierMap.put("n-of", XACML3.ID_FUNCTION_N_OF);
 identifierMap.put("not", XACML3.ID_FUNCTION_NOT);
 identifierMap.put("any-of", XACML3.ID_FUNCTION_ANY_OF);
 identifierMap.put("all-of", XACML3.ID_FUNCTION_ALL_OF);
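Review bot: The two conversion entries `string-from-dayTimeDuration` and `string-from-ipAddress` are inserted between `base64Binary-intersection` and `base64Binary-at-least-one-member-of`, splitting the base64Binary set-function group; they belong with the other `string-from-*` conversions registered in the previous hunk. Likewise the eleven `*-one-and-only` entries moved here sit between `access-permitted` and the `or`/`and` condition functions, and the removed `// function condition` heading no longer marks where that group starts; placing the one-and-only block above `access-permitted` or restoring a `// function condition` comment before `or` would keep the map scannable. The surrounding map-building method begins and ends outside this hunk.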
@@ -823,19 +1006,14 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 identifierMap.put("all-of-any", XACML3.ID_FUNCTION_ALL_OF_ANY);
 identifierMap.put("any-of-all", XACML3.ID_FUNCTION_ANY_OF_ALL);
 identifierMap.put("all-of-all", XACML3.ID_FUNCTION_ALL_OF_ALL);
-
- // function ids
- identifierMap.put("string-one-and-only", XACML3.ID_FUNCTION_STRING_ONE_AND_ONLY);
- identifierMap.put("integer-one-and-only", XACML3.ID_FUNCTION_INTEGER_ONE_AND_ONLY);
- identifierMap.put("double-one-and-only", XACML3.ID_FUNCTION_DOUBLE_ONE_AND_ONLY);
- identifierMap.put("time-one-and-only", XACML3.ID_FUNCTION_TIME_ONE_AND_ONLY);
- identifierMap.put("date-one-and-only", XACML3.ID_FUNCTION_DATE_ONE_AND_ONLY);
- identifierMap.put("datetime-one-and-only", XACML3.ID_FUNCTION_DATETIME_ONE_AND_ONLY);
- identifierMap.put("anyuri-one-and-only", XACML3.ID_FUNCTION_ANYURI_ONE_AND_ONLY);
- identifierMap.put("hexbinary-one-and-only", XACML3.ID_FUNCTION_HEXBINARY_ONE_AND_ONLY);
- identifierMap.put("base64binary-one-and-only", XACML3.ID_FUNCTION_BASE64BINARY_ONE_AND_ONLY);
- identifierMap.put("daytimeduration-one-and-only", XACML3.ID_FUNCTION_DAYTIMEDURATION_ONE_AND_ONLY);
- identifierMap.put("yearmonthduration-one-and-only", XACML3.ID_FUNCTION_YEARMONTHDURATION_ONE_AND_ONLY);
+ identifierMap.put("dateTime-add-dayTimeDuration", XACML3.ID_FUNCTION_DATETIME_ADD_DAYTIMEDURATION);
+ identifierMap.put("dateTime-add-yearMonthDuration", XACML3.ID_FUNCTION_DATETIME_ADD_YEARMONTHDURATION);
+ identifierMap.put("dateTime-subtract-yearMonthDuration",
+ XACML3.ID_FUNCTION_DATETIME_SUBTRACT_YEARMONTHDURATION);
+ identifierMap.put("dateTime-subtract-dayTimeDuration",
+ XACML3.ID_FUNCTION_DATETIME_SUBTRACT_DAYTIMEDURATION);
+ identifierMap.put("date-add-yearMonthDuration", XACML3.ID_FUNCTION_DATE_ADD_YEARMONTHDURATION);
+ identifierMap.put("date-subtract-yearMonthDuration", XACML3.ID_FUNCTION_DATE_SUBTRACT_YEARMONTHDURATION);
 //attribute ids
 identifierMap.put("action-id", XACML3.ID_ACTION_ACTION_ID);
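Review bot: The lower-case one-and-only keys removed here (`datetime-one-and-only`, `anyuri-one-and-only`, `hexbinary-one-and-only`, …) come back in camelCase form in the preceding hunk, the data-type keys in the next hunk change the same way (`datetime` → `dateTime`, `anyuri` → `anyURI`), and `validateFilterPropertyFunction` in the hunk after that no longer lower-cases the operator before the lookup, so a deployed ToscaXacml policy that spells any of these names in lower case now fails translation with POLICY-500 instead of loading. If the case-sensitive spelling is intentional it is a breaking change for existing policies and should be called out in the commit description; if not, the lookup could keep a case-insensitive fallback, e.g. a second map keyed by `operator.toLowerCase(Locale.ROOT)`. Either way a fixture using the old lower-case spelling would pin whichever behaviour is chosen.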
@@ -848,22 +1026,21 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator {
 // data types
 identifierMap.put("string", XACML3.ID_DATATYPE_STRING);
- identifierMap.put("boolean", XACML3.ID_DATATYPE_BOOLEAN);
- identifierMap.put("integer", XACML3.ID_DATATYPE_INTEGER);
+ identifierMap.put(BOOLEAN, XACML3.ID_DATATYPE_BOOLEAN);
+ identifierMap.put(INTEGER, XACML3.ID_DATATYPE_INTEGER);
 identifierMap.put(DOUBLE, XACML3.ID_DATATYPE_DOUBLE);
 identifierMap.put("time", XACML3.ID_DATATYPE_TIME);
 identifierMap.put("date", XACML3.ID_DATATYPE_DATE);
- identifierMap.put("datetime", XACML3.ID_DATATYPE_DATETIME);
- identifierMap.put("daytimeduration", XACML3.ID_DATATYPE_DAYTIMEDURATION);
- identifierMap.put("yearmonthduration", XACML3.ID_DATATYPE_YEARMONTHDURATION);
- identifierMap.put("anyuri", XACML3.ID_DATATYPE_ANYURI);
- identifierMap.put("hexbinary", XACML3.ID_DATATYPE_HEXBINARY);
- identifierMap.put("base64binary", XACML3.ID_DATATYPE_BASE64BINARY);
- identifierMap.put("rfc822name", XACML3.ID_DATATYPE_RFC822NAME);
- identifierMap.put("x500name", XACML3.ID_DATATYPE_X500NAME);
- identifierMap.put("ipaddress", XACML3.ID_DATATYPE_IPADDRESS);
- identifierMap.put("dnsname", XACML3.ID_DATATYPE_DNSNAME);
-
+ identifierMap.put("dateTime", XACML3.ID_DATATYPE_DATETIME);
+ identifierMap.put("dayTimeDuration", XACML3.ID_DATATYPE_DAYTIMEDURATION);
+ identifierMap.put("yearMonthDuration", XACML3.ID_DATATYPE_YEARMONTHDURATION);
+ identifierMap.put("anyURI", XACML3.ID_DATATYPE_ANYURI);
+ identifierMap.put("hexBinary", XACML3.ID_DATATYPE_HEXBINARY);
+ identifierMap.put("base64Binary", XACML3.ID_DATATYPE_BASE64BINARY);
+ identifierMap.put("rfc822Name", XACML3.ID_DATATYPE_RFC822NAME);
+ identifierMap.put("x500Name", XACML3.ID_DATATYPE_X500NAME);
+ identifierMap.put("ipAddress", XACML3.ID_DATATYPE_IPADDRESS);
+ identifierMap.put("dnsName", XACML3.ID_DATATYPE_DNSNAME);
 identifierMap.put("string-bag", XACML3.ID_FUNCTION_STRING_BAG);
 identifierMap.put("boolean-bag", XACML3.ID_FUNCTION_BOOLEAN_BAG);
 identifierMap.put("integer-bag", XACML3.ID_FUNCTION_INTEGER_BAG);
@@ -871,10 +1048,484 @@ public class NativePdpApplicationTranslator implements ToscaPolicyTranslator { } private Identifier validateFilterPropertyFunction(String operator) throws ToscaPolicyConversionException { - if (identifierMap.containsKey(operator.toLowerCase())) { - return identifierMap.get(operator.toLowerCase()); + if (identifierMap.containsKey(operator)) { + return identifierMap.get(operator); } else { - throw new ToscaPolicyConversionException("Unexpected value " + operator); + LOGGER.error("POLICY-500: Unsupported operator {}", operator); + throw new ToscaPolicyConversionException("POLICY-500: Unexpected operator " + operator); + } + } + + private void setOperatorPrecedenceMap() { + operatorPrecedenceMap = new HashMap<>(); + operatorPrecedenceMap.put("*", 4); // Multiplication + operatorPrecedenceMap.put("/", 4); // Division same as multiplication + operatorPrecedenceMap.put("+", 3); // Addition + operatorPrecedenceMap.put("-", 3); // Subtraction same as addition + operatorPrecedenceMap.put("(", 1); // Parentheses + operatorPrecedenceMap.put(")", 2); // Closing parentheses same level + operatorPrecedenceMap.put("<", 1); // Less than + operatorPrecedenceMap.put("<=", 1); // Less than or equal + operatorPrecedenceMap.put(">", 1); // Greater than + operatorPrecedenceMap.put(">=", 1); // Greater than or equal + operatorPrecedenceMap.put("==", 1); // Equal to + operatorPrecedenceMap.put("!=", 1); // Not equal to + operatorPrecedenceMap.put(CONVERSION_DOUBLE, 1); // Conversion low precedence + operatorPrecedenceMap.put(CONVERSION_INTEGER, 1); // Conversion low precedence + operatorPrecedenceMap.put(CONVERSION_DOUBLE_ABS, 1); // Absolute low precedence + operatorPrecedenceMap.put(CONVERSION_INTEGER_ABS, 1); // Absolute low precedence + operatorPrecedenceMap.put(CONVERSION_FLOOR, 1); // Floor low precedence + operatorPrecedenceMap.put(CONVERSION_ROUND, 1); // Round low precedence + } + + private Identifier getOperatorXacmlMap(String operator) throws 
ToscaPolicyConversionException { + if (operator.equals("*")) { + return XACML3.ID_FUNCTION_DOUBLE_MULTIPLY; + } else if (operator.equals("/")) { + return XACML3.ID_FUNCTION_DOUBLE_DIVIDE; + } else if (operator.equals("+")) { + return XACML3.ID_FUNCTION_DOUBLE_ADD; + } else if (operator.equals("-")) { + return XACML3.ID_FUNCTION_DOUBLE_SUBTRACT; + } else if (operator.equals("<")) { + return XACML3.ID_FUNCTION_DOUBLE_LESS_THAN; + } else if (operator.equals("<=")) { + return XACML3.ID_FUNCTION_DOUBLE_LESS_THAN_OR_EQUAL; + } else if (operator.equals(">")) { + return XACML3.ID_FUNCTION_DOUBLE_GREATER_THAN; + } else if (operator.equals(">=")) { + return XACML3.ID_FUNCTION_DOUBLE_GREATER_THAN_OR_EQUAL; + } else if (operator.equals("==")) { + return XACML3.ID_FUNCTION_DOUBLE_EQUAL; + } else if (operator.equals(CONVERSION_DOUBLE)) { + return XACML3.ID_FUNCTION_INTEGER_TO_DOUBLE; + } else if (operator.equals(CONVERSION_INTEGER)) { + return XACML3.ID_FUNCTION_DOUBLE_TO_INTEGER; + } else { + LOGGER.error("POLICY-500: Unsupported operator {}", operator); + throw new ToscaPolicyConversionException("POLICY-500: Unsupported operator " + operator); + } + } + + private Boolean singleOperandExpression(String expression) { + return expression.equals(CONVERSION_INTEGER) + || expression.equals(CONVERSION_DOUBLE) + || expression.equals(CONVERSION_INTEGER_ABS) + || expression.equals(CONVERSION_DOUBLE_ABS) + || expression.equals(CONVERSION_FLOOR) + || expression.equals(CONVERSION_ROUND); + } + + private ApplyType convertToPrefixXacmlApply(String expression, ObjectFactory factory) + throws ToscaPolicyConversionException { + LOGGER.debug("Got expression to parse : {}", expression); + StreamTokenizer tokenizer = new StreamTokenizer(new StringReader(expression)); + tokenizer.eolIsSignificant(true); + tokenizer.wordChars('.', '_'); + tokenizer.ordinaryChar('('); + tokenizer.ordinaryChar(')'); + tokenizer.ordinaryChar('+'); + tokenizer.ordinaryChar('-'); + tokenizer.ordinaryChar('*'); + 
tokenizer.ordinaryChar('/'); + tokenizer.ordinaryChar('='); + tokenizer.ordinaryChar('<'); + tokenizer.ordinaryChar('>'); + + Deque operators = new ArrayDeque<>(); + Deque operands = new ArrayDeque<>(); + + try { + int tokenType = tokenizer.nextToken(); + parseTokens(tokenType, tokenizer, operators, operands, factory); + + } catch (java.io.IOException ex) { + LOGGER.error("POLICY-500: convertToPrefixXACMLApply: Error while parsing expr"); + throw new ToscaPolicyConversionException("POLICY-500: Error while parsing expr "); + } + return getFinalApply(operands); + } + + private ApplyType getFinalApply(Deque operands) throws ToscaPolicyConversionException { + Object operand = null; + if (!(operands.isEmpty())) { + operand = operands.pop(); + if (operand instanceof String) { + LOGGER.error("POLICY-500: convertToPrefixXACMLApply: Extra operands. {}", operand); + throw new ToscaPolicyConversionException("POLICY-500: convertToPrefixXACMLApply: Extra operands."); + } else { + LOGGER.debug("Popped operand {} ", ((ApplyType) operand).getFunctionId()); + } + } + return (ApplyType) operand; + } + + private void parseTokens(int tokenType, StreamTokenizer tokenizer, + Deque operators, Deque operands, + ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + while (tokenType != StreamTokenizer.TT_EOF) { + LOGGER.debug("Current token {}", tokenType); + Boolean isWordOperator = false; + Boolean isOperand = false; + Object token = null; + if (tokenType == StreamTokenizer.TT_WORD) { + token = tokenizer.sval; + LOGGER.debug("String token {}", token); + if (Boolean.TRUE.equals(checkIfWordOperator(token, tokenizer))) { + isWordOperator = true; + token = createWordOperator(token); + } else { + isOperand = checkIfOperand(token, operands); + } + } else if (tokenType == StreamTokenizer.TT_NUMBER) { + token = Double.valueOf(tokenizer.nval); + LOGGER.debug("Pushing Number token {}", token); + operands.push(token); + isOperand = true; + } + if 
(Boolean.FALSE.equals(isOperand)) { + checkOperatorToken(tokenType, token, isWordOperator, tokenizer, + operators, operands, factory); + } + LOGGER.debug("Finished processing current token, going to next"); + tokenType = tokenizer.nextToken(); + } + LOGGER.debug("Last token {}", tokenType); + while (Boolean.FALSE.equals(operators.isEmpty())) { + LOGGER.debug( + //when TT_EOF, process remaining tokens in stack + "Tokens are processed, now processing remaining operators"); + processOperator(operators, operands, factory); + } + } catch (Exception e) { + LOGGER.error(ERROR_TOKEN); + throw new ToscaPolicyConversionException(ERROR_TOKEN); + } + } + + private Object createWordOperator(Object token) { + return token.toString().equals(DOUBLE) ? CONVERSION_DOUBLE : CONVERSION_INTEGER; + } + + private Boolean checkIfWordOperator(Object token, StreamTokenizer tokenizer) + throws ToscaPolicyConversionException { + Boolean isWordOperator = false; + try { + if (token.toString().equals(DOUBLE) || token.toString().equals(INTEGER)) { + if (tokenizer.nextToken() == '(') { + isWordOperator = true; + } else { + tokenizer.pushBack(); + LOGGER.error(ERROR_TOKEN); + throw new + ToscaPolicyConversionException("POLICY-500: ( should follow double or integer."); + } + } + } catch (Exception e) { + LOGGER.error(ERROR_TOKEN); + throw new + ToscaPolicyConversionException(ERROR_TOKEN); } + return isWordOperator; } + + private Boolean checkIfOperand(Object token, Deque operands) { + Boolean isOperand = false; + if (Boolean.FALSE.equals(token.toString().equals("/"))) { + LOGGER.debug("Pushing String token into operand stack {}", token); + operands.push(token); + isOperand = true; + } + return isOperand; + } + + private void checkOperatorToken(int tokenType, Object token, Boolean isWordOperator, + StreamTokenizer tokenizer, Deque operators, + Deque operands, ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + Boolean isProcessed = false; + if 
(Boolean.FALSE.equals(isWordOperator)) { + token = Character.valueOf((char) tokenType); + LOGGER.debug("Char token {}", token); + char value = ((Character) token).charValue(); + if (Boolean.TRUE.equals(isComparisonOperator(value))) { + token = addEqualIfPresent(tokenizer, token); + } else { + isProcessed = checkBracketToken(token, value, operators, operands, factory); + } + } + if (Boolean.FALSE.equals(isProcessed) + && Boolean.TRUE.equals(isValidToken(token))) { + while (Boolean.FALSE.equals(operators.isEmpty()) + && Boolean.FALSE.equals(isPreviousOpLeftPar(operators)) + && (getPrecedence(operators.peek()) >= getPrecedence(token))) { + processOperator(operators, operands, factory); + } + operators.push(token); + LOGGER.debug("Pushing Character token into operator stack {}", token); + } + } catch (Exception e) { + LOGGER.error(ERROR_TOKEN); + throw new ToscaPolicyConversionException(ERROR_TOKEN); + } + } + + private Boolean checkBracketToken(Object token, + char value, + Deque operators, + Deque operands, + ObjectFactory factory) throws ToscaPolicyConversionException { + Boolean isProcessed = false; + try { + if (value == '(') { + operators.push(token); + LOGGER.debug("Pushing Character token into operator stack {}", token); + isProcessed = true; + } else if (value == ')') { + processExpression(operators, operands, factory); + isProcessed = true; + } + } catch (Exception e) { + LOGGER.error("POLICY-500: Error parsing expr, no operator."); + throw new + ToscaPolicyConversionException("POLICY-500: Error parsing expr, no operator."); + } + return isProcessed; + } + + private Boolean isComparisonOperator(char value) { + return (value == '<' || value == '>' || value == '=' || value == '!'); + } + + private Object addEqualIfPresent(StreamTokenizer tokenizer, Object token) + throws ToscaPolicyConversionException { + try { + Boolean doubleOp = false; + int checkNextToken = tokenizer.nextToken(); + if (checkNextToken != StreamTokenizer.TT_NUMBER + && checkNextToken != 
StreamTokenizer.TT_WORD) { + if ((char) checkNextToken == '=') { + token = token + "="; + } + doubleOp = true; + } + if (Boolean.FALSE.equals(doubleOp)) { + tokenizer.pushBack(); + } + } catch (Exception e) { + LOGGER.error(ERROR_TOKEN); + throw new + ToscaPolicyConversionException(ERROR_TOKEN); + } + return token; + } + + private void processExpression(Deque operators, + Deque operands, + ObjectFactory factory) throws ToscaPolicyConversionException { + try { + Boolean single = Boolean.TRUE.equals(singleOperandExpression(operators.peek().toString())); + while (Boolean.FALSE.equals(operators.isEmpty()) + && Boolean.FALSE.equals((isPreviousOpLeftPar(operators)))) { + processOperator(operators, operands, factory); + } + if (Boolean.FALSE.equals(operators.isEmpty()) + && Boolean.FALSE.equals(single)) { + LOGGER.debug("Popping ("); + operators.pop(); // Remove "(" + } + } catch (Exception e) { + LOGGER.error(ERROR_TOKEN); + throw new ToscaPolicyConversionException(ERROR_TOKEN); + } + } + + private Boolean isPreviousOpLeftPar(Deque operators) { + Object nextOp = operators.peek(); + if (nextOp instanceof Character && ((Character) nextOp).charValue() == '(') { + LOGGER.debug("Previous operator is ("); + return true; + } + return false; + } + + private Boolean isValidToken(Object token) { + String key = ""; + if (token instanceof Character) { + key = ((Character) token).toString(); + } else if (token instanceof String) { + key = token.toString(); + } + return (operatorPrecedenceMap.containsKey(key)); + } + + private Integer getPrecedence(Object token) { + String key = ""; + if (token instanceof Character) { + key = ((Character) token).toString(); + } else if (token instanceof String) { + key = token.toString(); + } + Integer precedence = operatorPrecedenceMap.get(key); + LOGGER.debug("Precedence of operator {} is {}", key, precedence); + return (precedence); + } + + private void processOperator(Deque operators, Deque operands, ObjectFactory factory) + throws 
ToscaPolicyConversionException { + try { + String op = ""; + Object opObj = operators.pop(); + if (opObj instanceof Character) { + op = ((Character) opObj).toString(); + } else if (opObj instanceof String) { + op = opObj.toString(); + } + LOGGER.debug("Process Operator {}", op); + if (Boolean.TRUE.equals(singleOperandExpression(op))) { + processSingleOperandExpr(operands, op, factory); + } else { + processDoubleOperandExpr(operands, op, factory); + } + } catch (Exception ex) { + LOGGER.error("POLICY-500: Error while processing operator and operands in expr"); + throw new ToscaPolicyConversionException("POLICY-500: Error while " + + "processing operator and operands in expr"); + } + } + + private void processSingleOperandExpr(Deque operands, String op, ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + LOGGER.debug("processOperator: singleOperandExpression operator {}", op); + Object val = operands.pop(); + if (val instanceof ApplyType) { + LOGGER.debug(POPPED, ((ApplyType) val).getFunctionId()); + } + var opApply = new ApplyType(); + if (val instanceof String) { + LOGGER.debug("processOperator: singleOperandExpression operand {}", val); + if (op.equals(CONVERSION_DOUBLE)) { + opApply = + createIntegerPropertyToDoubleConversionExpression(val.toString(), opApply, op, factory); + } else if (op.equals(CONVERSION_INTEGER)) { + opApply = + createDoublePropertyToIntegerConversionExpression(val.toString(), opApply, op, factory); + } + } else { + opApply = createApplyExpression(val, opApply, op, factory); + } + opApply.setFunctionId(getOperatorXacmlMap(op).stringValue()); + operands.push(opApply); + LOGGER.debug("Pushing operand {}", opApply.getFunctionId()); + } catch (Exception ex) { + LOGGER.error("POLICY-500: Error while processing single operand expr"); + throw new ToscaPolicyConversionException("POLICY-500: Error while processing single operand expr"); + } + } + + private void processDoubleOperandExpr(Deque operands, String op, ObjectFactory 
factory) + throws ToscaPolicyConversionException { + try { + LOGGER.debug("processOperator: twoOperandExpression operator {}", op); + Object val2 = operands.pop(); + if (val2 instanceof ApplyType) { + LOGGER.debug(POPPED, ((ApplyType) val2).getFunctionId()); + } + Object val1 = operands.pop(); + if (val1 instanceof ApplyType) { + LOGGER.debug(POPPED, ((ApplyType) val1).getFunctionId()); + } + var opApply = new ApplyType(); + opApply = createApplyExpression(val1, opApply, op, factory); + opApply = createApplyExpression(val2, opApply, op, factory); + opApply.setFunctionId(getOperatorXacmlMap(op).stringValue()); + operands.push(opApply); + LOGGER.debug("Pushing operand {}", opApply.getFunctionId()); + } catch (Exception ex) { + LOGGER.error("POLICY-500: Error while processing double operand expr"); + throw new ToscaPolicyConversionException("POLICY-500: Error while processing double operand expr"); + } + } + + private ApplyType createIntegerPropertyToDoubleConversionExpression(String val, ApplyType opApply, String op, + ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + var oneAndOnlyApply = new ApplyType(); + var designator = setAttributeDesignatorType(val, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE.stringValue(), + XACML3.ID_DATATYPE_INTEGER.stringValue(), false); + oneAndOnlyApply.getExpression().add(factory.createAttributeDesignator(designator)); + oneAndOnlyApply.setFunctionId(validateFilterPropertyFunction(INTEGER + ONE_AND_ONLY).stringValue()); + opApply.getExpression().add(factory.createApply(oneAndOnlyApply)); + opApply.setFunctionId(getOperatorXacmlMap(op).stringValue()); + } catch (ToscaPolicyConversionException ex) { + LOGGER.error("POLICY-500: Invalid integer property to double conversion, operator {} , value {}", op, val); + throw new ToscaPolicyConversionException( + "POLICY-500: Error while parsing expr: invalid integer property to double conversion, operator " + + op + + ", value " + + val); + } + return opApply; + } + + private 
ApplyType createDoublePropertyToIntegerConversionExpression(String val, ApplyType opApply, String op, + ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + var oneAndOnlyApply = new ApplyType(); + var designator = setAttributeDesignatorType(val, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE.stringValue(), + XACML3.ID_DATATYPE_DOUBLE.stringValue(), false); + oneAndOnlyApply.getExpression().add(factory.createAttributeDesignator(designator)); + oneAndOnlyApply.setFunctionId(validateFilterPropertyFunction(DOUBLE + ONE_AND_ONLY).stringValue()); + opApply.getExpression().add(factory.createApply(oneAndOnlyApply)); + opApply.setFunctionId(getOperatorXacmlMap(op).stringValue()); + } catch (ToscaPolicyConversionException ex) { + LOGGER.error("POLICY-500: Invalid integer property to double conversion, operator {} , value {}", op, val); + throw new ToscaPolicyConversionException( + "POLICY-500: Error while parsing expr: invalid double property to integer conversion, operator " + + op + + ", value " + + val); + } + return opApply; + } + + private ApplyType createApplyExpression(Object val, ApplyType opApply, String op, ObjectFactory factory) + throws ToscaPolicyConversionException { + try { + if (val instanceof String) { + var designator = + setAttributeDesignatorType((String) val, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE.stringValue(), + XACML3.ID_DATATYPE_DOUBLE.stringValue(), false); + var oneAndOnlyApply = new ApplyType(); + oneAndOnlyApply.setFunctionId(validateFilterPropertyFunction(DOUBLE + ONE_AND_ONLY).stringValue()); + oneAndOnlyApply.getExpression().add(factory.createAttributeDesignator(designator)); + opApply.getExpression().add(factory.createApply(oneAndOnlyApply)); + } else if (val instanceof Double) { + var attributeValue = setAttributeValueType(val, XACML3.ID_DATATYPE_DOUBLE.stringValue()); + opApply.getExpression().add(factory.createAttributeValue(attributeValue)); + } else { + opApply.getExpression().add(factory.createApply((ApplyType) val)); + } + 
opApply.setFunctionId(getOperatorXacmlMap(op).stringValue()); + } catch (ToscaPolicyConversionException ex) { + LOGGER.error("POLICY-500: Error while parsing expr: creation of apply type in expr, operator {}", op); + throw new ToscaPolicyConversionException( + "POLICY-500: Error while parsing expr: creation of apply type in expr, operator " + op); + } + return opApply; + } + + @Getter + public static class NativeDefinition { + @NotNull + @NotBlank + private String policy; + } + } \ No newline at end of file diff --git a/applications/native/src/test/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTest.java b/applications/native/src/test/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTest.java index 04fe1fe8..ec8d4ca5 100644 --- a/applications/native/src/test/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTest.java +++ b/applications/native/src/test/java/org/onap/policy/xacml/pdp/application/nativ/NativePdpApplicationTest.java @@ -41,6 +41,8 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySetType; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.io.TempDir; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; import org.onap.policy.common.utils.coder.CoderException; import org.onap.policy.common.utils.coder.StandardYamlCoder; import org.onap.policy.common.utils.resources.ResourceUtils; 
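Review bot: `addEqualIfPresent` consumes whatever token follows a comparison operator whenever it is neither a number, a word nor `=` (the `doubleOp = true` branch skips the `pushBack()`), so `a < (b + c) * 2` loses its `(` and reduces to `(a < (b + c)) * 2`, and `a < -5` loses its `-`; the XACML condition emitted then differs from the policy text without any error, which for a decision engine is worse than a rejection — only `=` should be absorbed: `if (checkNextToken == '=') { token = token + "="; } else { tokenizer.pushBack(); }`. `getFinalApply` is silent in the same way: when the top of `operands` is an ApplyType, anything left underneath (e.g. `c (a + b)`) is discarded, and a bare numeric expression leaves a Double that fails the `(ApplyType)` cast with a ClassCastException that nothing wraps, so the method should check `operands.isEmpty()` after the pop and reject any remaining or non-ApplyType operand with a POLICY-500 ToscaPolicyConversionException. The `catch (Exception e)` blocks in parseTokens, checkIfWordOperator, checkOperatorToken, checkBracketToken and processOperator rethrow a fixed message without passing `e` as the cause, so the more specific messages raised inside them (`POLICY-500: ( should follow double or integer.`, the unsupported-operator message from getOperatorXacmlMap) never reach the caller or the log. `!=`, `CONVERSION_DOUBLE_ABS`, `CONVERSION_INTEGER_ABS`, `CONVERSION_FLOOR` and `CONVERSION_ROUND` are accepted by operatorPrecedenceMap and singleOperandExpression but have no entry in getOperatorXacmlMap, so they are only rejected at reduction time with the generic message; either map them or drop them from the precedence map. The error log in createDoublePropertyToIntegerConversionExpression still reads `Invalid integer property to double conversion`, copied from its sibling.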
@@ -83,12 +85,12 @@ class NativePdpApplicationTest { // XacmlPolicyUtils.FileCreator myCreator = (String filename) -> policyFolder.resolve(filename).toFile(); propertiesFile = XacmlPolicyUtils.copyXacmlPropertiesContents("src/test/resources/xacml.properties", - properties, myCreator); + properties, myCreator); // // Load service // ServiceLoader applicationLoader = - ServiceLoader.load(XacmlApplicationServiceProvider.class); + ServiceLoader.load(XacmlApplicationServiceProvider.class); // // Find the native application and save for use in all the tests // @@ -134,11 +136,11 @@ class NativePdpApplicationTest { NativePdpApplication application = new NativePdpApplication(); assertThat(application.canSupportPolicyType(new ToscaConceptIdentifier( - "onap.policies.native.Xacml", "1.0.0"))).isTrue(); + "onap.policies.native.Xacml", "1.0.0"))).isTrue(); assertThat(application.canSupportPolicyType(new ToscaConceptIdentifier( - "onap.policies.native.ToscaXacml", "1.0.0"))).isTrue(); + "onap.policies.native.ToscaXacml", "1.0.0"))).isTrue(); assertThat(application.canSupportPolicyType(new ToscaConceptIdentifier( - "onap.policies.native.SomethingElse", "1.0.0"))).isFalse(); + "onap.policies.native.SomethingElse", "1.0.0"))).isFalse(); assertThat(application.actionDecisionsSupported()).contains("native"); } @@ -172,7 +174,7 @@ class NativePdpApplicationTest { } else if ("bad.policy".equals(policy.getName())) { assertThatExceptionOfType(ToscaPolicyConversionException.class).isThrownBy(() -> translator.convertPolicy(policy) - ).as(policy.getName()).withMessageContaining("Invalid XACML Policy"); + ).as(policy.getName()).withMessageContaining("Failed to read policy"); } } } 
@@ -194,39 +196,85 @@ class NativePdpApplicationTest { } @Test - void testNativeToscaXacmlPolicy() throws Exception { + void testNestedApplyNativeToscaXacmlPolicy() throws Exception { String policySetTypeYaml = ResourceUtils - .getResourceAsString("src/test/resources/policies/native.toscapolicy.yaml"); - checkPolicySetType(policySetTypeYaml); + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.nestedapply.yaml"); + checkPolicySetType(policySetTypeYaml, "nestedapply.policy.set"); } @Test - void testBadToscaXacmlPolicyRule() throws Exception { - NativePdpApplicationTranslator translator = new NativePdpApplicationTranslator(); - String policyYaml = ResourceUtils - .getResourceAsString("src/test/resources/policies/bad.native.toscapolicy.yaml"); + void testOperatorsNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.operators.yaml"); + checkPolicySetType(policySetTypeYaml, "operators.policy.set"); + } - ToscaServiceTemplate serviceTemplate = yamlCoder.decode(policyYaml, ToscaServiceTemplate.class); - JpaToscaServiceTemplate jtst = new JpaToscaServiceTemplate(); - jtst.fromAuthorative(serviceTemplate); - ToscaServiceTemplate completedJtst = jtst.toAuthorative(); + @Test + void testExprNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.expr.yaml"); + checkPolicySetType(policySetTypeYaml, "expr.check.set"); + } - for (Map policies : completedJtst.getToscaTopologyTemplate().getPolicies()) { - for (ToscaPolicy policy : policies.values()) { - assertThatExceptionOfType(ToscaPolicyConversionException.class).isThrownBy(() -> - translator.convertPolicy(policy) - ).as((String) policy.getMetadata().get("policy-id")) - .withMessageContaining("Invalid rule format"); - } - } + @Test + void testFunctionNativeToscaXacmlPolicy() throws 
Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.function.yaml"); + checkPolicySetType(policySetTypeYaml, "function.list.check.set"); } @Test - void testBadToscaXacmlPolicyTarget() throws Exception { + void testCompareWithNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.compareWith.yaml"); + checkPolicySetType(policySetTypeYaml, "compareWith.policy.set"); + } + + @Test + void testRefNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.ref.yaml"); + checkPolicySetType(policySetTypeYaml, "ref.policy.set"); + } + + @Test + void testDefaultNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.default.yaml"); + checkPolicySetType(policySetTypeYaml, "default.policy.set"); + } + + @Test + void testTargetNativeToscaXacmlPolicy() throws Exception { + String policySetTypeYaml = ResourceUtils + .getResourceAsString("src/test/resources/policies/native.toscaxacml.policy.target.yaml"); + checkPolicySetType(policySetTypeYaml, "target.policy.set"); + } + + @ParameterizedTest + @ValueSource(strings = { + "src/test/resources/policies/bad.native.toscaxacml.policy.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.compareWith.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.expr.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.expr1.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.expr2.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.nestedapply.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.operator.yaml", + 
"src/test/resources/policies/bad.native.toscaxacml.policy.target.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.apply.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.condition.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.condition1.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.decision.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.ref.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.advice.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.function.yaml", + "src/test/resources/policies/bad.native.toscaxacml.policy.list.yaml" + }) + void testBadToscaXacmlPolicyRule(String filename) throws Exception { + LOGGER.debug("Testing {}", filename); NativePdpApplicationTranslator translator = new NativePdpApplicationTranslator(); String policyYaml = ResourceUtils - .getResourceAsString("src/test/resources/policies/bad.native.tosca.policy.target.yaml"); - + .getResourceAsString(filename); ToscaServiceTemplate serviceTemplate = yamlCoder.decode(policyYaml, ToscaServiceTemplate.class); JpaToscaServiceTemplate jtst = new JpaToscaServiceTemplate(); jtst.fromAuthorative(serviceTemplate); 
@@ -234,22 +282,28 @@ class NativePdpApplicationTest { for (Map policies : completedJtst.getToscaTopologyTemplate().getPolicies()) { for (ToscaPolicy policy : policies.values()) { - if ("bad.tosca.policy.test".equals(policy.getName())) { - assertThatExceptionOfType(ToscaPolicyConversionException.class).isThrownBy(() -> - translator.convertPolicy(policy) - ).as((String) policy.getMetadata().get("policy-id")) - .withMessageContaining("Invalid operator"); - } - if ("bad.tosca.policy.target.test".equals(policy.getName())) { - assertThatExceptionOfType(ToscaPolicyConversionException.class).isThrownBy(() -> - translator.convertPolicy(policy) - ).as((String) policy.getMetadata().get("policy-id")) - .withMessageContaining("Invalid target format"); - } + assertThatExceptionOfType(Exception.class).isThrownBy(() -> + translator.convertPolicy(policy) + ).as((String) policy.getMetadata().get("policy-id")).withMessageContaining("POLICY-500"); + } } } + @ParameterizedTest + @ValueSource(strings = { + "src/test/resources/policies/bad.native.toscaxacml.policy.policyset.yaml" + }) + void testBadToscaXacmlPolicySet(String filename) throws Exception { + LOGGER.debug("Testing {}", filename); + String policyYaml = ResourceUtils + .getResourceAsString(filename); + ToscaServiceTemplate serviceTemplate = yamlCoder.decode(policyYaml, ToscaServiceTemplate.class); + JpaToscaServiceTemplate jtst = new JpaToscaServiceTemplate(); + assertThatExceptionOfType(Exception.class).isThrownBy(() -> + jtst.fromAuthorative(serviceTemplate)); + } + /** * Request a decision and check that it matches expectation. * 
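Review bot: `testBadToscaXacmlPolicyRule` now asserts `Exception.class` where the replaced assertions used `ToscaPolicyConversionException.class`; since the translator wraps every expression-parsing failure into that type, keeping the narrow type would also catch regressions in which an unchecked exception escapes unwrapped (the fixtures would otherwise pass on a ClassCastException as long as its message happened to contain `POLICY-500`) — `assertThatExceptionOfType(ToscaPolicyConversionException.class)`. `testBadToscaXacmlPolicySet` likewise accepts any Exception from `jtst.fromAuthorative` without a message check, so it cannot distinguish the deliberate rejection from an unrelated failure in the fixture; add `.withMessageContaining(...)` with the expected text. The body of testBadToscaXacmlPolicyRule begins in the previous hunk.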
@@ -282,7 +336,9 @@ class NativePdpApplicationTest { LOGGER.info("Xacml response we received {}", DOMResponse.toString(response)); } - private void checkPolicySetType(String policySetTypeYaml) throws ToscaPolicyConversionException, CoderException { + private void checkPolicySetType(String policySetTypeYaml, String name) + throws ToscaPolicyConversionException, CoderException { + LOGGER.debug("Testing {}", name); NativePdpApplicationTranslator translator = new NativePdpApplicationTranslator(); ToscaServiceTemplate serviceTemplate = yamlCoder.decode(policySetTypeYaml, ToscaServiceTemplate.class); JpaToscaServiceTemplate jtst = new JpaToscaServiceTemplate(); @@ -297,9 +353,7 @@ class NativePdpApplicationTest { } PolicySetType policySetType = (PolicySetType) translator.convertPolicy(policy); assertThat(policySetType).isNotNull(); - assertThat(policySetType.getPolicySetId()).isEqualTo("tosca.policy.test"); - assertThat(policySetType.getPolicyCombiningAlgId()) - .isEqualTo("urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"); + assertThat(policySetType.getPolicySetId()).isEqualTo(name); } } } diff --git a/applications/native/src/test/resources/policies/bad.native.toscapolicy.yaml b/applications/native/src/test/resources/policies/bad.native.toscapolicy.yaml deleted file mode 100644 index d19f0854..00000000 --- a/applications/native/src/test/resources/policies/bad.native.toscapolicy.yaml +++ /dev/null 
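Review bot: The `getPolicyCombiningAlgId()` assertion is removed from `checkPolicySetType` rather than parameterised, so the eight positive fixtures that now share this helper only verify that the policy-set id round-trips, and a translator that emits the wrong combining algorithm would pass. Passing the expected algorithm alongside `name` (or at least asserting `policySetType.getPolicyCombiningAlgId()` is not null) keeps that coverage for every fixture.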
@@ -1,36 +0,0 @@ -tosca_definitions_version: tosca_simple_yaml_1_1_0 -topology_template: - inputs: {} - policies: - - bad.tosca.policy.test: - type: onap.policies.native.ToscaXacml - type_version: 1.0.0 - properties: - policies: - - properties: - description: Policy that allows minimum number of available cells for - a slice to be feasible, prio=1 - rules: - - condition: - apply: - keys: - - feasibleCellsForSlice - operator: integ - compareWith: - value: 2 - decision: Permit - advice: - value: Slice is feasible since minumum number of cells are available - metadata: - policy-id: bad.tosca.policy.test.1 - policy-version: 1.0.0 - name: bad.tosca.policy.test - version: 3.0.0 - metadata: - action: sfc-policy - description: This policy set specifies the conditions for slice feasibility - based on availability of cells - policy-id: tnap.policy.slice.sfc.set - policy-version: 3.0.0 -name: ToscaServiceTemplateSimple -version: 1.0.0 diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.advice.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.advice.yaml new file mode 100644 index 00000000..465526cf --- /dev/null +++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.advice.yaml @@ -0,0 +1,26 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - advice.policy.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: invalid advice format + rules: + - decision: Deny + advice: this is a default rule + metadata: + policy-id: compareWith.example.policy + policy-version: 1.0.0 + name: advice.policy.set + version: 1.0.0 + metadata: + action: check-compareWith-policy + description: policy set for nested apply + policy-id: advice.policy.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 
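Review bot: The metadata of the new advice fixture is copied from the compareWith case (`policy-id: compareWith.example.policy`, `action: check-compareWith-policy`, `description: policy set for nested apply`) although this file exercises an invalid `advice` value; the same leftover text appears in the apply, compareWith, condition, condition1, decision, list, operator and policyset fixtures, several of which also reuse the policy-set name `compareWith.policy.set`. Since the tests label failures with the policy-id, giving each fixture its own id and description, e.g. `policy-id: advice.example.policy` and `description: policy set with invalid advice`, makes a failing case attributable from the report.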
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.apply.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.apply.yaml
new file mode 100644
index 00000000..a28e57c6
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.apply.yaml
@@ -0,0 +1,52 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid apply format
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.compareWith.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.compareWith.yaml
new file mode 100644
index 00000000..95c07c64
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.compareWith.yaml
@@ -0,0 +1,53 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid compareWith
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition.yaml
new file mode 100644
index 00000000..5af3c12b
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition.yaml
@@ -0,0 +1,53 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid condition
+ rules:
+ - condition:
+ apply:
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition1.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition1.yaml
new file mode 100644
index 00000000..b52a6ca5
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.condition1.yaml
@@ -0,0 +1,27 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid condition
+ rules:
+ - condition:
+ function: map
+ decision: Permit
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.decision.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.decision.yaml
new file mode 100644
index 00000000..ea4e1b6a
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.decision.yaml
@@ -0,0 +1,53 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid decision
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Allow
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr.yaml
new file mode 100644
index 00000000..287703f4
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr.yaml
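Review bot: This fixture carries two independent faults, a rule without `decision` and a rule with `decision: Allow`, while the test only checks that some `POLICY-500` error is raised, so it cannot show that the missing-decision check is the one that fires. The same applies to list.yaml, whose first rule uses the invalid operator `double-greater-than-equal` before the string-valued `list: "1, 2, 3"` it is meant to exercise, to policyset.yaml, which both drops `policy-id` and names the policy set `compareWith.policy` under the key `compareWith.policy.set1`, and to bad.native.toscaxacml.policy.yaml, which omits `keys` under `apply` and puts `default: Deny` inside a rule. Which fault the translator reports first depends on its validation order, which is outside this diff; one fault per fixture, or a message assertion naming the expected fault, would make each case conclusive.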
@@ -0,0 +1,50 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - expr.check.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: invalid expr + rules: + - condition: + expr: double / dLThptPerSliceSubnet > 30 + decision: Deny + metadata: + policy-id: 1 + policy-version: 2.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + - properties: + description: Policy uses mathematical expressions (alternative to nested apply) + rules: + - condition: + apply: + operator: or + keys: + - expr: >- + ( input1 / (input2 - 90) ^ 2) > 30 + - expr: >- + ( input1 + / ( input2 - 0.9 * input1 ) + * 100) > 30 + decision: Deny + metadata: + policy-id: 2 + policy-version: 1.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + name: expr.check.set + version: 1.0.0 + metadata: + action: expr-check-set + description: >- + Policy uses mathematical expressions (alternative to nested apply) + policy-id: expr.check.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 + diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr1.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr1.yaml new file mode 100644 index 00000000..e4ec2ceb --- /dev/null +++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr1.yaml 
@@ -0,0 +1,50 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - expr.check.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: invalid expr + rules: + - condition: + expr: totalDLThptPerSliceSubnet / > 30 + decision: Deny + metadata: + policy-id: 1 + policy-version: 2.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + - properties: + description: Policy uses mathematical expressions (alternative to nested apply) + rules: + - condition: + apply: + operator: or + keys: + - expr: >- + ( input1 / (input2 - 90) ^ 2) > 30 + - expr: >- + ( input1 + / ( input2 - 0.9 * input1 ) + * 100) > 30 + decision: Deny + metadata: + policy-id: 2 + policy-version: 1.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + name: expr.check.set + version: 1.0.0 + metadata: + action: expr-check-set + description: >- + Policy uses mathematical expressions (alternative to nested apply) + policy-id: expr.check.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 + diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr2.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr2.yaml new file mode 100644 index 00000000..3f21ae49 --- /dev/null +++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.expr2.yaml 
@@ -0,0 +1,50 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - expr.check.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: invalid expr + rules: + - condition: + expr: totalDLThptPerSliceSubnet != 30 + decision: Deny + metadata: + policy-id: 1 + policy-version: 2.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + - properties: + description: Policy uses mathematical expressions (alternative to nested apply) + rules: + - condition: + apply: + operator: or + keys: + - expr: >- + ( input1 / (input2 - 90) ^ 2) > 30 + - expr: >- + ( input1 + / ( input2 - 0.9 * input1 ) + * 100) > 30 + decision: Deny + metadata: + policy-id: 2 + policy-version: 1.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + name: expr.check.set + version: 1.0.0 + metadata: + action: expr-check-set + description: >- + Policy uses mathematical expressions (alternative to nested apply) + policy-id: expr.check.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 + diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.function.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.function.yaml new file mode 100644 index 00000000..ece5fc34 --- /dev/null +++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.function.yaml 
@@ -0,0 +1,124 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - function.list.check.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: Policy which checks a function over a list and applies a higher-order set function
+ rules:
+ - condition:
+ apply:
+ operator: any-of
+ keys:
+ - function: string-is-in
+ - "'ABC'"
+ - list:
+ - "'ABC'"
+ - "'xyz'"
+ - parameterName
+ decision: Deny
+ - condition:
+ apply:
+ operator: any-of
+ keys:
+ - function: xyz
+ - "'ABC'"
+ - list:
+ - "'ABC'"
+ - "'xyz'"
+ - parameterName
+ decision: Permit
+ - condition:
+ apply:
+ operator: all-of
+ keys:
+ - function: integer-greater-than
+ - 10
+ - list:
+ - 6
+ - 1
+ - parameterName
+ decision: Permit
+ - condition:
+ apply:
+ operator: any-of-any
+ keys:
+ - function: integer-equal
+ - list:
+ - 4
+ - 5
+ - parameterName1
+ - list:
+ - 6
+ - 1
+ - parameterName2
+ decision: Permit
+ - condition:
+ apply:
+ operator: all-of-any
+ keys:
+ - function: integer-equal
+ - list:
+ - 4
+ - 5
+ - parameterName1
+ - list:
+ - 6
+ - 1
+ - parameterName2
+ decision: Permit
+ - condition:
+ apply:
+ operator: any-of-all
+ keys:
+ - function: integer-equal
+ - list:
+ - 4
+ - 5
+ - parameterName1
+ - list:
+ - 6
+ - 1
+ - parameterName2
+ decision: Permit
+ - condition:
+ apply:
+ operator: all-of-all
+ keys:
+ - function: integer-equal
+ - list:
+ - 4
+ - 5
+ - parameterName1
+ - list:
+ - 6
+ - 1
+ - parameterName2
+ decision: Permit
+ - condition:
+ apply:
+ operator: map
+ keys:
+ - function: string-normalize-to-lower-case
+ - list:
+ - Hello
+ - World!
+ decision: Permit
+ metadata:
+ policy-id: 1
+ policy-version: 2.0.0
+ description: >-
+ Policy which checks a function over a list
+ name: function.list.check.set
+ version: 1.0.0
+ metadata:
+ action: function.list-check-policy
+ description: >-
+ Policy which checks a function over a list
+ policy-id: function.list.check.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
\ No newline at end of file
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.list.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.list.yaml
new file mode 100644
index 00000000..75853cbf
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.list.yaml
@@ -0,0 +1,50 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.example.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid operator
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: string-is-in
+ keys:
+ - input1
+ - list: "1, 2, 3"
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.example.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.example.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.nestedapply.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.nestedapply.yaml
new file mode 100644
index 00000000..1ff6c701
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.nestedapply.yaml
@@ -0,0 +1,49 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - nestedapply.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid key under apply
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - apply:
+ operator: double-multiply
+ keys:
+ - apply:
+ operator: double-divide
+ keys:
+ - applies:
+ operator: integer-to-double
+ keys:
+ - input1
+ - apply:
+ operator: integer-to-double
+ keys:
+ - input2
+ - 100
+ compareWith:
+ value: 50
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: nestedapply.example.policy
+ policy-version: 1.0.0
+ name: nestedapply.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-nestedapply-policy
+ description: policy set for nested apply
+ policy-id: nestedapply.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.operator.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.operator.yaml
new file mode 100644
index 00000000..23f06997
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.operator.yaml
@@ -0,0 +1,54 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.example.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid operator
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: compareWith.example.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: compareWith.example.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.policyset.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.policyset.yaml
new file mode 100644
index 00000000..78c8704f
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.policyset.yaml
@@ -0,0 +1,50 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - compareWith.policy.set1:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid policyset
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-version: 1.0.0
+ name: compareWith.policy
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.ref.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.ref.yaml
new file mode 100644
index 00000000..c9270856
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.ref.yaml
@@ -0,0 +1,33 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - ref.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: invalid policy set ID reference
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ metadata:
+ policy-id: ref.example.policy
+ policy-version: 1.0.0
+ policySetIdRefs:
+ - id: example.policy.set
+ name: ref.policy.set
+ version: 1.0.0
+ metadata:
+ description: policy set with referenced policy set
+ policy-id: ref.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/bad.native.tosca.policy.target.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.target.yaml
similarity index 66%
rename from applications/native/src/test/resources/policies/bad.native.tosca.policy.target.yaml
rename to applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.target.yaml
index 2d2d966e..772a180b 100644
--- a/applications/native/src/test/resources/policies/bad.native.tosca.policy.target.yaml
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.target.yaml
@@ -8,44 +8,48 @@ topology_template: properties: policies: - properties: - description: Policy that allows minimum number of available cells for - a slice to be feasible, prio=1 + description: invalid target target: anyOne: - allOf: - key: action-id operator: - value: "1" + value: "test" rules: - - condition: + - target: + anyOne: + - allOf: + - key: input1 + operator: integer-equal + value: 5 + description: test rule + condition: apply: keys: - - feasibleCellsForSlice + - count operator: integer-equal compareWith: value: 2 decision: Permit advice: - value: Slice is feasible since minumum number of cells are available + value: test policy metadata: policy-id: bad.tosca.policy.test.1 policy-version: 1.0.0 name: bad.tosca.policy.test version: 3.0.0 metadata: - action: sfc-policy - description: This policy set specifies the conditions for slice feasibility - based on availability of cells + action: test-policy-set + description: Test policy set policy-id: bad.tosca.policy.test - policy-version: 3.0.0 + policy-version: 1.0.0 - bad.tosca.policy.target.test: type: onap.policies.native.ToscaXacml type_version: 1.0.0 properties: policies: - properties: - description: Policy that allows minimum number of available cells for - a slice to be feasible, prio=1 + description: test policy target: anyOne: - allOf: @@ -56,22 +60,21 @@ topology_template: - condition: apply: keys: - - feasibleCellsForSlice + - count operator: integer-equal compareWith: value: 2 decision: Permit advice: - value: Slice is feasible since minumum number of cells are available + value: test policy metadata: policy-id: bad.tosca.policy.test.1 policy-version: 1.0.0 name: bad.tosca.policy.target.test version: 3.0.0 metadata: - action: sfc-policy - description: This policy set specifies the conditions for slice feasibility - based on availability of cells + action: test-policy + description: Test policy policy-id: bad.tosca.policy.target.test policy-version: 3.0.0 name: ToscaServiceTemplateSimple 
diff --git a/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.yaml b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.yaml
new file mode 100644
index 00000000..32d7c0cd
--- /dev/null
+++ b/applications/native/src/test/resources/policies/bad.native.toscaxacml.policy.yaml
@@ -0,0 +1,35 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - example.policy.test:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: Policy that checks if a parameter is a specific value
+ rules:
+ - condition:
+ apply:
+ operator: string-equal
+ compareWith:
+ value: '448903300002'
+ decision: Permit
+ advice:
+ value: Cell ID is valid
+ default: Deny
+ metadata:
+ policy-id: 1
+ policy-version: 1.0.0
+ name: example.policy.test
+ version: 1.0.0
+ metadata:
+ action: policy-test
+ description: Policy that checks if a parameter is a specific value
+ policy-id: example.policy.test
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
+
+
diff --git a/applications/native/src/test/resources/policies/native.toscapolicy.yaml b/applications/native/src/test/resources/policies/native.toscapolicy.yaml
deleted file mode 100644
index d4858366..00000000
--- a/applications/native/src/test/resources/policies/native.toscapolicy.yaml
+++ /dev/null
@@ -1,1324 +0,0 @@ ---- -tosca_definitions_version: tosca_simple_yaml_1_1_0 -topology_template: - inputs: {} - policies: - - tosca.policy.test: - type: onap.policies.native.ToscaXacml - type_version: 1.0.0 - properties: - policies: - - properties: - description: Policy that allows minimum number of available cells for a slice to - be feasible, prio=1 - combiningAlgo: first-applicable - target: - anyOne: - - allOf: - - key: action-id - operator: string-less-than - value: "1" - - allOf: - - key: action-id - operator: string-ends-with - value: "2" - - allOf: - - key: action-id - operator: time-greater-than-or-equal - value: "19:00:00 05:00" - - allOf: - - key: action-id - operator: string-less-than - value: "4" - - allOf: - - key: action-id - operator: yearmonthduration-one-and-only - value: "P16Y" - - allOf: - - key: action-id - operator: boolean-equal - value: "1" - rules: - - target: - anyOne: - - allOf: - - key: action-id - operator: string-equal-ignore-case - value: "1" - - allOf: - - key: action-id - operator: string-starts-with - value: "1" - - allOf: - - key: action-id - operator: time-greater-than - value: "19:00:00 05:00" - - allOf: - - key: action-id - operator: daytimeduration-one-and-only - value: "1" - - allOf: - - key: action-id - operator: double-equal - value: "1" - description : Policy that allows minimum number of available cells for a slice to - condition: - apply: - keys: - - feasibleCellsForSlice - - apply: - operator: string-is-in - keys: - - apply: - operator: double-divide - keys: - - function: any-of - - apply: - operator: double-divide - keys: - - feasibleCellsForSlice - - apply: - operator: integer-mod - keys: - - totalCellsForSlice - - "'100'" - - apply: - keys: - - function: string-less-than-or-equal - - total-resource-usage-UL - operator: integer-abs - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - keys: - - function: string-greater-than-or-equal - 
- total-resource-usage-UL - operator: integer-abs - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - keys: - - function: any-of-any - - total-resource-usage-UL - operator: integer-abs - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - keys: - - function: string-less-than-or-equal - - "'90'" - operator: yearMonthDuration-equal - compareWith: - value: "30" - apply: - keys: - - "'90'" - operator: anyURI-equal - compareWith: - value: "30" - - apply: - keys: - - function: hexBinary-equal - - total-resource-usage-UL - operator: hexBinary-equal - compareWith: - value: "30" - apply: - keys: - - "'90'" - operator: rfc822Name-equal - compareWith: - value: "30" - - apply: - keys: - - function: any-of-any - - "'90'" - operator: x500Name-equal - compareWith: - value: "30" - apply: - keys: - - "'90'" - operator: string-from-ipAddress - compareWith: - value: "30" - - apply: - keys: - - function: string-less-than-or-equal - - "'90'" - operator: string-from-dnsName - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - keys: - - function: string-greater-than-or-equal - - total-resource-usage-UL - operator: integer-abs - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - keys: - - function: any-of-any - - total-resource-usage-UL - operator: integer-abs - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - operator: time-equal - keys: - - apply: - operator: datetime-equal - keys: - - apply: - operator: daytimeduration-equal - keys: - - "19:00:00 05:00" - - apply: - operator: base64binary-equal - keys: - - 100 - - "'100'" - - apply: - keys: - - function: 
string-normalize-space - - total-resource-usage-UL - operator: round - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: floor - compareWith: - value: "30" - - apply: - operator: string-normalize-to-lower-case - keys: - - apply: - operator: time-one-and-only - keys: - - apply: - operator: double-to-integer - keys: - - 02 - - apply: - operator: present - keys: - - 30 - - "'100'" - - apply: - keys: - - function: time-in-range - - total-resource-usage-UL - operator: double-add - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: string-bag-size - compareWith: - value: "30" - - apply: - operator: boolean-bag-size - keys: - - apply: - operator: integer-bag-size - keys: - - apply: - operator: double-bag-size - keys: - - "'30'" - - apply: - operator: time-bag-size - keys: - - "19:00:00 05:00" - - "'100'" - - apply: - keys: - - function: time-is-in - - total-resource-usage-UL - operator: time-bag - compareWith: - value: "19:00:00 05:00" - apply: - keys: - - "'30'" - operator: date-bag-size - compareWith: - value: "30" - - apply: - operator: rfc822name-is-in - keys: - - apply: - operator: rfc822name-bag - keys: - - apply: - operator: ipaddress-one-and-only - keys: - - "'30'" - - apply: - operator: ipaddress-bag-size - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: ipaddress-is-in - - "'30'" - operator: ipaddress-bag - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: dnsname-one-and-only - compareWith: - value: "30" - - apply: - operator: dnsname-bag-size - keys: - - apply: - operator: dnsname-is-in - keys: - - apply: - operator: dnsname-bag - keys: - - "'30'" - - apply: - operator: string-concatenate - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: boolean-from-string - - "'30'" - operator: string-from-boolean - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: integer-from-string - compareWith: - value: "30" - - apply: - operator: 
string-from-integer - keys: - - apply: - operator: double-from-string - keys: - - apply: - operator: string-from-double - keys: - - "'30'" - - apply: - operator: time-from-string - keys: - - "19:00:00 05:00" - - "'100'" - - apply: - keys: - - function: time-is-in - - "19:00:00 05:00" - operator: time-bag - compareWith: - value: "19:00:00 05:00" - apply: - keys: - - "'30'" - operator: date-bag-size - compareWith: - value: "30" - - apply: - operator: date-is-in - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: date-bag - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - - apply: - operator: anyuri-from-string - keys: - - apply: - operator: string-from-anyuri - keys: - - feasibleCellsForSlice - - apply: - operator: daytimeduration-from-string - keys: - - 100 - - "'100'" - - apply: - keys: - - function: string-from-daytimeturation - - "19:00:00 05:00" - operator: yearmonthduration-from-string - compareWith: - value: "P16Y" - apply: - keys: - - total-resource-usage-DL - operator: string-from-yearmonthduration - compareWith: - value: "P16Y" - - apply: - operator: x500name-from-string - keys: - - apply: - operator: string-from-x500name - keys: - - apply: - operator: rfc822name-from-string - keys: - - 02 - - apply: - operator: string-from-rfc822name - keys: - - 30 - - "'100'" - - apply: - keys: - - function: dnsname-from-string - - "'30'" - operator: anyuri-starts-with - compareWith: - value: "30" - apply: - keys: - - "'100'" - operator: anyuri-ends-with - compareWith: - value: "30" - - apply: - operator: anyuri-contains - keys: - - apply: - operator: string-substring - keys: - - apply: - operator: anyuri-substring - keys: - - "'30'" - - apply: - operator: map - keys: - - "'30'" - - "'100'" - - apply: - operator: ipaddress-from-string - keys: - - apply: - operator: double-intersection - keys: - - apply: - operator: anyuri-subset - keys: - - "'30'" - - apply: - operator: 
base64binary-at-least-one-member-of - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: x500name-match - - "'30'" - operator: rfc822name-match - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: anyuri-regexp-match - compareWith: - value: "30" - - apply: - operator: ipaddress-regexp-match - keys: - - apply: - operator: dnsname-regexp-match - keys: - - apply: - operator: rfc822name-regexp-match - keys: - - "'30'" - - apply: - operator: x500name-regexp-match - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: xpath-node-count - - "'30'" - operator: xpath-node-equal - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: xpath-node-match - compareWith: - value: "30" - - apply: - operator: string-intersection - keys: - - apply: - operator: string-at-least-one-member-of - keys: - - apply: - operator: string-union - keys: - - "'30'" - - apply: - operator: string-subset - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: string-set-equals - - "'30'" - operator: boolean-intersection - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: boolean-at-least-one-member-of - compareWith: - value: "30" - - apply: - operator: boolean-union - keys: - - apply: - operator: boolean-subset - keys: - - apply: - operator: boolean-set-equals - keys: - - "'30'" - - apply: - operator: integer-intersection - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: integer-at-least-one-member-of - - "'30'" - operator: integer-union - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: integer-subset - compareWith: - value: "30" - - apply: - operator: integer-set-equals - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: double-intersection - - apply: - operator: double-at-least-one-member-of - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - operator: string-equal - compareWith: - value: "2" - decision: Deny - advice: - value: Slice is feasible since minumum 
number of cells are available - default: Deny - metadata: - policy-id: tosca.policy.test.1 - policy-version: 1.0.0 - - properties: - description: Policy that allows minimum percentage of available cells for a - slice to be feasible, prio=2 - rules: - - target: - anyOne: - - allOf: - - key: sst - operator: integer-greater-than - value: "1" - - allOf: - - key: sst - operator: string-greater-than - value: "1" - - allOf: - - key: sst - operator: date-add-yearmonthduration - value: "P16Y" - - allOf: - - key: sst - operator: time-less-than - value: "19:00:00 05:00" - - allOf: - - key: sst - operator: hexbinary-one-and-only - value: "1" - - allOf: - - key: sst - operator: datetime-bag-size - value: "1" - - allOf: - - key: sst - operator: double-union - value: "1" - condition: - apply: - operator: double-greater-than-or-equal - keys: - - apply: - operator: double-multiply - keys: - - function: all-of-any - - apply: - operator: double-divide - keys: - - apply: - operator: integer-to-double - keys: - - feasibleCellsForSlice - - apply: - operator: integer-to-double - keys: - - totalCellsForSlice - - "'100'" - - apply: - keys: - - function: integer-greater-than-or-equal - - total-resource-usage-UL - operator: integer-less-than - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: integer-less-than - compareWith: - value: "30" - - apply: - operator: integer-is-in - keys: - - function: all-of-all - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: boolean-is-in - keys: - - function: all-of - - list: - - jkjd - - lll - - "'90'" - - "'89'" - - apply: - operator: integer-divide - keys: - - apply: - operator: double-divide - keys: - - apply: - operator: double-divide - keys: - - feasibleCellsForSlice - - apply: - operator: integer-mod - keys: - - totalCellsForSlice - - "'100'" - - apply: - keys: - - function: string-less-than-or-equal - - total-resource-usage-UL - operator: integer-abs 
- compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-abs - compareWith: - value: "30" - - apply: - operator: string-contains - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: string-regexp-match - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - - apply: - operator: datetime-subtract-daytimeturation - keys: - - function: not - - apply: - operator: datetime-add-yearmonthduration - keys: - - apply: - operator: datetime-add-daytimeduration - keys: - - "P16Y" - - apply: - operator: double-less-than-or-equal - keys: - - totalCellsForSlice - - "'100'" - - apply: - keys: - - function: string-equal - - total-resource-usage-UL - operator: double-less-than - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: double-greater-than - compareWith: - value: "30" - - apply: - operator: integer-less-than-or-equal - keys: - - function: n-of - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: integer-equal - keys: - - function: and - - list: - - jkjd - - lll - - "'90'" - - "'89'" - - apply: - operator: date-less-than - keys: - - apply: - operator: date-greater-than-or-equal - keys: - - function: or - - apply: - operator: date-greater-than - keys: - - feasibleCellsForSlice - - apply: - operator: datetime-less-than-or-equal - keys: - - totalCellsForSlice - - "'100'" - - apply: - keys: - - function: datetime-less-than - - total-resource-usage-UL - operator: datetime-greater-than-or-equal - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: datetime-greater-than - compareWith: - value: "30" - - apply: - operator: boolean-bag - keys: - - function: any-of-all - - list: - - jkjd - - lll - - "'90'" - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: integer-bag - keys: - - list: - - jkjd - - lll - - "'90'" - - 
"'89'" - - apply: - operator: datetime-one-and-only - keys: - - apply: - operator: time-one-and-only - keys: - - apply: - operator: integer-multiply - keys: - - feasibleCellsForSlice - - apply: - operator: double-subtract - keys: - - totalCellsForSlice - - "19:00:00 05:00" - - apply: - keys: - - function: integer-subtract - - total-resource-usage-UL - operator: double-add - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: integer-add - compareWith: - value: "30" - - apply: - operator: double-is-in - keys: - - list: - - jkjd - - lll - - 90 - - "'89'" - compareWith: - key: total-resource-usage-UL - - apply: - operator: string-is-in - keys: - - list: - - jkjd - - lll - - "'90'" - - "'89'" - - apply: - operator: base64binary-union - keys: - - apply: - operator: base64binary-subset - keys: - - apply: - operator: base64binary-set-equals - keys: - - "'100'" - - apply: - operator: daytimeduration-intersection - keys: - - 100 - - "'100'" - - apply: - keys: - - function: daytimeduration-at-least-one-member-of - - total-resource-usage-UL - operator: daytimeduration-union - compareWith: - value: "30" - apply: - keys: - - total-resource-usage-DL - operator: daytimeduration-subset - compareWith: - value: "30" - - apply: - operator: daytimeduration-set-equals - keys: - - apply: - operator: yearmonthduration-intersection - keys: - - apply: - operator: yearmonthduration-at-least-one-member-of - keys: - - 02 - - apply: - operator: yearmonthduration-union - keys: - - 30 - - "'100'" - - apply: - keys: - - function: yearmonthduration-subset - - "'30'" - operator: yearmonthduration-set-equals - compareWith: - value: "30" - apply: - keys: - - "'100'" - operator: x500name-intersection - compareWith: - value: "30" - - apply: - operator: x500name-at-least-one-member-of - keys: - - apply: - operator: x500name-union - keys: - - apply: - operator: x500name-subset - keys: - - "'30'" - - apply: - operator: x500name-set-equals - keys: - - "'30'" - - "'100'" - - 
apply: - operator: rfc822name-intersection - keys: - - apply: - operator: rfc822name-at-least-one-member-of - keys: - - apply: - operator: rfc822name-union - keys: - - "'30'" - - apply: - operator: rfc822name-subset - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: rfc822name-set-equals - - "'30'" - operator: ipaddress-intersection - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: ipaddress-at-least-one-member-of - compareWith: - value: "30" - - apply: - operator: ipaddress-union - keys: - - apply: - operator: ipaddress-subset - keys: - - apply: - operator: ipaddress-set-equals - keys: - - "'30'" - - apply: - operator: dnsname-intersection - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: dnsname-at-least-one-member-of - - "'30'" - operator: dnsname-union - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: dnsname-subset - compareWith: - value: "30" - - apply: - operator: dnsname-set-equals - keys: - - apply: - operator: access-permitted - keys: - - apply: - operator: string-union - keys: - - "'30'" - - apply: - operator: string-subset - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: string-set-equals - - "'30'" - operator: boolean-intersection - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: boolean-at-least-one-member-of - compareWith: - value: "30" - - apply: - operator: boolean-union - keys: - - apply: - operator: boolean-subset - keys: - - apply: - operator: boolean-set-equals - keys: - - "'30'" - - apply: - operator: integer-intersection - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: integer-at-least-one-member-of - - "'30'" - operator: integer-union - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: integer-subset - compareWith: - value: "30" - - apply: - operator: datetime-one-and-only - keys: - - apply: - operator: datetime-bag - keys: - - apply: - operator: anyuri-bag-size - keys: - - "'30'" - - apply: - operator: 
anyuri-is-in - keys: - - "'30'" - - "19:00:00 05:00" - - apply: - keys: - - function: anyuri-bag - - "'30'" - operator: hexbinary-bag-size - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: hexbinary-is-in - compareWith: - value: "30" - - apply: - operator: hexbinary-bag - keys: - - apply: - operator: base64binary-bag-size - keys: - - apply: - operator: base64binary-is-in - keys: - - "'30'" - - apply: - operator: base64binary-bag - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: daytimeduration-bag-size - - "'30'" - operator: daytimeduration-is-in - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: daytimeduration-bag - compareWith: - value: "30" - - apply: - operator: yearmonthduration-bag-size - keys: - - apply: - operator: yearmonthduration-is-in - keys: - - apply: - operator: yearmonthduration-bag - keys: - - "'30'" - - apply: - operator: x500name-one-and-only - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: x500name-bag-size - - "'30'" - operator: x500name-is-in - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: x500name-bag - compareWith: - value: "30" - - apply: - operator: rfc822name-bag-size - keys: - - apply: - operator: string-from-time - keys: - - apply: - operator: date-from-string - keys: - - "'30'" - - apply: - operator: string-from-date - keys: - - "'30'" - - apply: - keys: - - "'30'" - operator: rfc822name-one-and-only - compareWith: - value: "30" - - apply: - operator: double-set-equals - keys: - - apply: - operator: time-intersection - keys: - - apply: - operator: time-at-least-one-member-of - keys: - - "19:00:00 05:00" - - apply: - operator: time-union - keys: - - "19:00:00 05:00" - - "'100'" - - apply: - keys: - - function: time-subset - - "'30'" - operator: time-set-equals - compareWith: - value: "19:00:00 05:00" - apply: - keys: - - "'30'" - operator: date-intersection - compareWith: - value: "30" - - apply: - operator: date-at-least-one-member-of - keys: - - 
apply: - operator: date-union - keys: - - apply: - operator: date-subset - keys: - - "'30'" - - apply: - operator: date-set-equals - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: datetime-intersection - - "'30'" - operator: datetime-at-least-one-member-of - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: datetime-union - compareWith: - value: "30" - - apply: - operator: datetime-subset - keys: - - apply: - operator: datetime-set-equals - keys: - - apply: - operator: anyuri-intersection - keys: - - "'30'" - - apply: - operator: anyuri-at-least-one-member-of - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: anyuri-union - - "'30'" - operator: anyuri-set-equals - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: hexbinary-intersection - compareWith: - value: "30" - - apply: - operator: hexbinary-at-least-one-member-of - keys: - - apply: - operator: hexbinary-union - keys: - - apply: - operator: hexbinary-subset - keys: - - "'30'" - - apply: - operator: hexbinary-set-equals - keys: - - "'30'" - - apply: - keys: - - "'30'" - operator: base64binary-intersection - compareWith: - value: "30" - - apply: - operator: datetime-subtract-yearmonthduration - keys: - - apply: - operator: date-subtract-yearmonthduration - keys: - - apply: - operator: time-less-than-or-equal - keys: - - "19:00:00 05:00" - - apply: - operator: date-less-than-or-equal - keys: - - "'30'" - - "'100'" - - apply: - operator: date-equal - keys: - - apply: - operator: datetime-is-in - keys: - - apply: - operator: datetime-from-string - keys: - - "'30'" - - apply: - operator: string-from-datetime - keys: - - "'30'" - - "'100'" - - apply: - keys: - - function: double-subset - - "'30'" - operator: base64binary-one-and-only - compareWith: - value: "30" - apply: - keys: - - "'30'" - operator: hexbinary-intersection - compareWith: - value: "30" - compareWith: - value: "50" - decision: Permit - advice: - value: Slice is feasible since minimum 
percentage of cells is available - default: Permit - metadata: - policy-id: tosca.policy.test.2 - policy-version: 1.0.0 - name: tosca.policy.test - version: 2.0.0 - metadata: - action: sfc-policy - description: This policy set specifies the conditions for slice feasibility - based on availability of cells - policy-id: tosca.policy.test - policy-version: 2.0.0 -name: ToscaServiceTemplateSimple -version: 1.0.0 diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.compareWith.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.compareWith.yaml new file mode 100644 index 00000000..b026b370 --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.compareWith.yaml 
@@ -0,0 +1,61 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - compareWith.policy.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: compareWith ensures the value/parameter/expression is last in the order of expressions + rules: + - target: + anyOne: + - allOf: + - key: input1 + operator: integer-equal + value: 5 + description: test rule + condition: + apply: + operator: double-greater-than-or-equal + keys: + - parameter1 + compareWith: + value: 50 + decision: Permit + - condition: + apply: + operator: double-greater-than-or-equal + keys: + - parameter1 + compareWith: + key: parameter2 + decision: Permit + - condition: + apply: + operator: double-greater-than-or-equal + keys: + - parameter1 + compareWith: + apply: + operator: integer-to-double + keys: + - parameter3 + decision: Permit + - decision: Deny + advice: + value: this is a default rule + metadata: + policy-id: compareWith.example.policy + policy-version: 1.0.0 + name: compareWith.policy.set + version: 1.0.0 + metadata: + action: check-compareWith-policy + description: policy set for nested apply + policy-id: compareWith.policy.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.default.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.default.yaml new file mode 100644 index 00000000..5f67af82 --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.default.yaml 
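Review bot: The policy-set metadata `description: policy set for nested apply` is copied from the nestedapply fixture and does not describe this file, whose three rules exercise `compareWith` with a `value`, a `key` and a nested `apply`. A reader grepping fixtures by description will land on the wrong file; suggest `description: policy set for compareWith variants (value, key, apply)`. The rule-level description already says what the fixture is for, so only the set-level line needs the change.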
@@ -0,0 +1,32 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - default.policy.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: Default rule if no other rule applies + rules: + - condition: + apply: + operator: double-greater-than-or-equal + keys: + - parameter1 + compareWith: + value: 50 + decision: Permit + default: Deny + metadata: + policy-id: default.example.policy + policy-version: 1.0.0 + name: default.policy.set + version: 1.0.0 + metadata: + description: policy set with default rule + policy-id: default.policy.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.expr.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.expr.yaml new file mode 100644 index 00000000..8ca3f547 --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.expr.yaml 
@@ -0,0 +1,56 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - expr.check.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: Policy uses mathematical expressions (alternative to nested apply) + rules: + - condition: + expr: (totalDLThptPerSliceSubnet / dLThptPerSliceSubnet) == 30 + decision: Deny + metadata: + policy-id: 1 + policy-version: 2.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + - properties: + description: Policy uses mathematical expressions (alternative to nested apply) + rules: + - condition: + apply: + operator: or + keys: + - expr: >- + ( double(input1) / (input2 - 90) * 100) > 30 + - expr: >- + ( integer(input1) + / ( integer(input2) - 0.9 * input1 ) + * 100) <= 30 + - expr: >- + (input1 - input2) == 30 + - expr: >- + (input1 + input2) >= 30 + - expr: >- + input1 < 30 + decision: Deny + metadata: + policy-id: 2 + policy-version: 1.0.0 + description: >- + Policy uses mathematical expressions (alternative to nested apply) + name: expr.check.set + version: 1.0.0 + metadata: + action: expr-check-set + description: >- + Policy uses mathematical expressions (alternative to nested apply) + policy-id: expr.check.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 + diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.function.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.function.yaml new file mode 100644 index 00000000..9b499c40 --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.function.yaml 
@@ -0,0 +1,124 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - function.list.check.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: Policy which checks a function over a list and applies a higher-order set function + rules: + - condition: + apply: + operator: any-of + keys: + - function: string-is-in + - "'ABC'" + - list: + - "'ABC'" + - "'xyz'" + - parameterName + decision: Deny + - condition: + apply: + operator: any-of + keys: + - function: string-equal + - "'ABC'" + - list: + - "'ABC'" + - "'xyz'" + - parameterName + decision: Permit + - condition: + apply: + operator: all-of + keys: + - function: integer-greater-than + - 10 + - list: + - 6 + - 1 + - parameterName + decision: Permit + - condition: + apply: + operator: any-of-any + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: all-of-any + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: any-of-all + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: all-of-all + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: map + keys: + - function: string-normalize-to-lower-case + - list: + - Hello + - World! 
+ decision: Permit + metadata: + policy-id: 1 + policy-version: 2.0.0 + description: >- + Policy which checks a function over a list + name: function.list.check.set + version: 1.0.0 + metadata: + action: function.list-check-policy + description: >- + Policy which checks a function over a list + policy-id: function.list.check.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple \ No newline at end of file diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.nestedapply.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.nestedapply.yaml new file mode 100644 index 00000000..c8792f2c --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.nestedapply.yaml @@ -0,0 +1,49 @@ +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - nestedapply.policy.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: Example policy for nested or stacked functions (inner to outer evaluation, an alternative to expr) + rules: + - condition: + apply: + operator: double-greater-than-or-equal + keys: + - apply: + operator: double-multiply + keys: + - apply: + operator: double-divide + keys: + - apply: + operator: integer-to-double + keys: + - input1 + - apply: + operator: integer-to-double + keys: + - input2 + - 100 + compareWith: + value: 50 + decision: Permit + - decision: Deny + advice: + value: this is a default rule + metadata: + policy-id: nestedapply.example.policy + policy-version: 1.0.0 + name: nestedapply.policy.set + version: 1.0.0 + metadata: + action: check-nestedapply-policy + description: policy set for nested apply + policy-id: nestedapply.policy.set + policy-version: 1.0.0 +name: ToscaServiceTemplateSimple +version: 1.0.0 
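Review bot: This file ends at `+name: ToscaServiceTemplateSimple` with no closing `version:` line and no newline at end of file, whereas every sibling fixture in this change closes with `name: ToscaServiceTemplateSimple` followed by `version: 1.0.0`. If the template loader tolerates the missing top-level version this only makes the fixture inconsistent, but if it does not, the test would fail for a reason unrelated to the function/list handling it is meant to cover. Suggest appending `version: 1.0.0` and a trailing newline so the file matches the other fixtures.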
diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.operators.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.operators.yaml new file mode 100644 index 00000000..2ee5a815 --- /dev/null +++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.operators.yaml 
@@ -0,0 +1,2104 @@ +--- +tosca_definitions_version: tosca_simple_yaml_1_1_0 +topology_template: + inputs: {} + policies: + - operators.policy.set: + type: onap.policies.native.ToscaXacml + type_version: 1.0.0 + properties: + policies: + - properties: + description: test policy + combiningAlgo: first-applicable + target: + anyOne: + - allOf: + - key: input1 + operator: string-equal + value: "Z" + - key: input2 + operator: boolean-equal + value: true + - key: input3 + operator: dateTime-equal + value: "2024-12-31T14:00:00.000Z" + - key: input4 + operator: integer-equal + value: 5 + - key: input5 + operator: double-equal + value: 5.5 + - key: input6 + operator: date-equal + value: "2024-12-31" + - key: input7 + operator: time-equal + value: "14:00:00.000Z" + - key: input8 + operator: dayTimeDuration-equal + value: "P1DT2H" + - key: input9 + operator: yearMonthDuration-equal + value: "P2Y6M" + - key: input10 + operator: anyURI-equal + value: "http://datypic.com" + - key: input11 + operator: rfc822Name-equal + value: "user@example.com" + - key: input12 + operator: x500Name-equal + value: "2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT" + - key: input13 + operator: hexBinary-equal + value: "0FB7" + - key: input14 + operator: base64Binary-equal + value: "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" + rules: + - condition: + apply: + keys: + - input1 + operator: integer-greater-than + compareWith: + value: 1 + decision: Permit + - condition: + apply: + keys: + - input1 + operator: integer-greater-than-or-equal + compareWith: + value: 1 + decision: Permit + - condition: + apply: + keys: + - input1 + operator: integer-less-than + compareWith: + value: 1 + decision: Permit + - condition: + apply: + keys: + - input1 + operator: integer-less-than-or-equal + compareWith: + value: 1 + decision: Permit + - condition: + apply: + keys: + - input2 + operator: double-greater-than + compareWith: + value: 1.1 + decision: Permit + - condition: + apply: + keys: + - input2 + operator: 
double-greater-than-or-equal + compareWith: + value: 1.1 + decision: Permit + - condition: + apply: + keys: + - input2 + operator: double-less-than + compareWith: + value: 1.1 + decision: Permit + - condition: + apply: + keys: + - input2 + operator: double-less-than-or-equal + compareWith: + value: 1.1 + decision: Permit + - condition: + apply: + keys: + - input3 + operator: string-greater-than + compareWith: + value: "A" + decision: Permit + - condition: + apply: + keys: + - input3 + operator: string-greater-than-or-equal + compareWith: + value: "A" + decision: Permit + - condition: + apply: + keys: + - input3 + operator: string-less-than + compareWith: + value: "B" + decision: Permit + - condition: + apply: + keys: + - input3 + operator: string-less-than-or-equal + compareWith: + value: "B" + decision: Permit + - condition: + apply: + keys: + - input4 + operator: dateTime-greater-than + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input4 + operator: dateTime-greater-than-or-equal + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input4 + operator: dateTime-less-than + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input4 + operator: dateTime-less-than-or-equal + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input5 + operator: time-greater-than + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input5 + operator: time-greater-than-or-equal + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input5 + operator: time-less-than + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - input5 + operator: time-less-than-or-equal + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + keys: + - 
input6 + operator: date-greater-than + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + keys: + - input6 + operator: date-greater-than-or-equal + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + keys: + - input6 + operator: date-less-than + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + keys: + - input6 + operator: date-less-than-or-equal + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: integer-add + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: integer-subtract + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: integer-multiply + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: integer-divide + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: integer-mod + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + operator: integer-abs + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: double-add + compareWith: + value: 10.5 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: double-subtract + compareWith: + value: 10.5 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: double-multiply + compareWith: + 
value: 10.5 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: double-divide + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + operator: round + compareWith: + value: 10.0 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input6 + operator: floor + compareWith: + value: 10.5 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input6 + operator: double-abs + compareWith: + value: 10.3 + decision: Permit + - condition: + apply: + operator: dateTime-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: dateTime-subtract-dayTimeDuration + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: dateTime-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: dateTime-add-dayTimeDuration + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: date-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: date-subtract-yearMonthDuration + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + operator: dateTime-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: dateTime-subtract-yearMonthDuration + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: dateTime-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: dateTime-add-yearMonthDuration + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: date-equal + keys: + - apply: + keys: + - input6 + - input7 + operator: date-add-yearMonthDuration + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input1 
+ operator: integer-from-string + compareWith: + value: 1 + decision: Permit + - condition: + apply: + operator: integer-equal + keys: + - apply: + keys: + - input1 + operator: double-to-integer + compareWith: + value: 1 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input1 + operator: double-from-string + compareWith: + value: 1.0 + decision: Permit + - condition: + apply: + operator: double-equal + keys: + - apply: + keys: + - input1 + operator: integer-to-double + compareWith: + value: 1.5 + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-date + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-time + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-dateTime + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-dayTimeDuration + compareWith: + value: "P1DT2H" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-yearMonthDuration + compareWith: + value: "P2Y6M" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-anyURI + compareWith: + value: "http://datypic.com" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-rfc822Name + compareWith: + value: "user@example.com" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-x500Name + compareWith: + value: "2.5.4.5=8,O=ABC,CN=ABC 
Class 3 CA,C=LT" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-ipAddress + compareWith: + value: "10.4.1.1" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-from-boolean + compareWith: + value: "true" + decision: Permit + - condition: + apply: + operator: date-equal + keys: + - apply: + keys: + - input1 + operator: date-from-string + compareWith: + value: "2024-12-31" + decision: Permit + - condition: + apply: + operator: time-equal + keys: + - apply: + keys: + - input1 + operator: time-from-string + compareWith: + value: "14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: dateTime-equal + keys: + - apply: + keys: + - input1 + operator: dateTime-from-string + compareWith: + value: "2024-12-31T14:00:00.000Z" + decision: Permit + - condition: + apply: + operator: dayTimeDuration-equal + keys: + - apply: + keys: + - input1 + operator: dayTimeDuration-from-string + compareWith: + value: "P1DT2H" + decision: Permit + - condition: + apply: + operator: yearMonthDuration-equal + keys: + - apply: + keys: + - input1 + operator: yearMonthDuration-from-string + compareWith: + value: "P2Y6M" + decision: Permit + - condition: + apply: + operator: anyURI-equal + keys: + - apply: + keys: + - input1 + operator: anyURI-from-string + compareWith: + value: "http://datypic.com" + decision: Permit + - condition: + apply: + operator: rfc822Name-equal + keys: + - apply: + keys: + - input1 + operator: rfc822Name-from-string + compareWith: + value: "user@example.com" + decision: Permit + - condition: + apply: + operator: x500Name-equal + keys: + - apply: + keys: + - input1 + operator: x500Name-from-string + compareWith: + value: "2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT" + decision: Permit + - condition: + apply: + operator: boolean-equal + keys: + - apply: + keys: + - input1 + operator: boolean-from-string + 
compareWith: + value: "true" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-normalize-space + compareWith: + value: "ABC" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + operator: string-normalize-to-lower-case + compareWith: + value: "abc" + decision: Permit + - condition: + apply: + operator: string-equal + keys: + - apply: + keys: + - input1 + - input2 + operator: string-concatenate + compareWith: + value: "abcxyz" + decision: Permit + - condition: + apply: + operator: string-ends-with + keys: + - input1 + compareWith: + value: "ABC" + decision: Permit + - condition: + apply: + operator: string-starts-with + keys: + - input1 + compareWith: + value: "ABC" + decision: Permit + - condition: + apply: + operator: string-substring + keys: + - input1 + compareWith: + value: "ABC" + decision: Permit + - condition: + apply: + operator: string-contains + keys: + - input1 + compareWith: + value: "ABC" + decision: Permit + - condition: + apply: + operator: anyURI-ends-with + keys: + - input1 + compareWith: + value: ".com" + decision: Permit + - condition: + apply: + operator: anyURI-starts-with + keys: + - input1 + compareWith: + value: "www" + decision: Permit + - condition: + apply: + operator: anyURI-contains + keys: + - input1 + compareWith: + value: "tele" + decision: Permit + - condition: + apply: + operator: anyURI-substring + keys: + - input1 + compareWith: + value: "tele" + decision: Permit + - condition: + apply: + operator: string-regexp-match + keys: + - input1 + compareWith: + value: "[a-z]*" + decision: Permit + - condition: + apply: + operator: dnsName-regexp-match + keys: + - input1 + compareWith: + value: "^(?![0-9]+$)(?!-)[a-zA-Z0-9-]{,63}(?CN=(?[^,]*)),)?(?:(?(?:(?:CN|OU)=[^,]+,?)+),)?(?(?:DC=[^,]+,?)+)$" + decision: Permit + - condition: + apply: + operator: rfc822Name-regexp-match + keys: + - input1 + compareWith: + 
value: "[a-z0-9]+(-[a-z0-9]+)*" + decision: Permit + - condition: + apply: + operator: anyURI-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: hexBinary-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: base64Binary-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: x500Name-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: rfc822Name-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: dnsName-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: ipAddress-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: string-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: integer-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: double-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: boolean-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: date-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: time-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: dateTime-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: yearMonthDuration-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: dayTimeDuration-bag-size + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: 
string-is-in + keys: + - input1 + - list: + - "'ABC'" + - "'xyz'" + - "'example'" + - input2 + decision: Permit + - condition: + apply: + operator: integer-is-in + keys: + - input1 + - list: + - 10 + - 20 + - 30 + - input2 + decision: Permit + - condition: + apply: + operator: double-is-in + keys: + - input1 + - list: + - 10.0 + - 20.1 + - 30.1 + - input2 + decision: Permit + - condition: + apply: + operator: dnsName-is-in + keys: + - input1 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + - input2 + decision: Permit + - condition: + apply: + operator: anyURI-is-in + keys: + - input1 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + - input2 + decision: Permit + - condition: + apply: + operator: rfc822Name-is-in + keys: + - input1 + - list: + - "'someone@example1.com'" + - "'someone@example2.com'" + - "'someone@example3.com'" + - input2 + decision: Permit + - condition: + apply: + operator: x500Name-is-in + keys: + - input1 + - list: + - "'2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.3.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.1.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - input2 + decision: Permit + - condition: + apply: + operator: ipAddress-is-in + keys: + - input1 + - list: + - "'10.2.3.3'" + - "'12.33.2.1'" + - "'89.2.1.2'" + - input2 + decision: Permit + - condition: + apply: + operator: time-is-in + keys: + - input1 + - list: + - "'14:00:00.000Z'" + - "'15:00:00.000Z'" + - "'16:00:00.000Z'" + - input2 + decision: Permit + - condition: + apply: + operator: dateTime-is-in + keys: + - input1 + - list: + - "'2024-12-31T14:00:00.000Z'" + - "'2024-12-31T15:00:00.000Z'" + - "'2024-12-31T16:00:00.000Z'" + - input2 + decision: Permit + - condition: + apply: + operator: date-is-in + keys: + - input1 + - list: + - "'2024-12-31'" + - "'2024-12-30'" + - "'2024-12-29'" + - input2 + decision: Permit + - condition: + apply: + operator: hexBinary-is-in + keys: + - input1 + - list: + - "'06FA'" + - "'07FA'" + - "'05FA'" + 
- input2 + decision: Permit + - condition: + apply: + operator: base64Binary-is-in + keys: + - input1 + - list: + - "'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcDusIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcddVuIHNlc2FtZQ=='" + - input2 + decision: Permit + - condition: + apply: + operator: dayTimeDuration-is-in + keys: + - input1 + - list: + - "'P1DT2H'" + - "'PT20M'" + - "'PT120M'" + - input2 + decision: Permit + - condition: + apply: + operator: yearMonthDuration-is-in + keys: + - input1 + - list: + - "'P2Y6M'" + - "'P0Y20M'" + - "'P0Y'" + - input2 + decision: Permit + - condition: + apply: + operator: and + keys: + - apply: + operator: integer-equal + keys: + - input1 + compareWith: + value: 10 + - apply: + operator: integer-equal + keys: + - input2 + compareWith: + value: 20 + decision: Permit + - condition: + apply: + operator: or + keys: + - apply: + operator: integer-equal + keys: + - input1 + compareWith: + value: 10 + - apply: + operator: integer-equal + keys: + - input2 + compareWith: + value: 20 + decision: Permit + - condition: + apply: + operator: not + keys: + - apply: + operator: integer-equal + keys: + - input1 + compareWith: + value: 10 + decision: Permit + - condition: + apply: + operator: string-at-least-one-member-of + keys: + - input3 + - list: + - "'A'" + - "'B'" + - "'C'" + decision: Permit + - condition: + apply: + operator: boolean-at-least-one-member-of + keys: + - input3 + - list: + - "true" + decision: Permit + - condition: + apply: + operator: integer-at-least-one-member-of + keys: + - input3 + - list: + - 10 + - 20 + - 30 + decision: Permit + - condition: + apply: + operator: double-at-least-one-member-of + keys: + - input3 + - list: + - 10.5 + - 20.2 + - 30.1 + decision: Permit + - condition: + apply: + operator: dateTime-at-least-one-member-of + keys: + - input3 + - list: + - "'2024-12-31T14:00:00.000Z'" + - "'2024-12-30T14:00:00.000Z'" + - "'2024-12-29T14:00:00.000Z'" + decision: Permit + - condition: + apply: + operator: 
time-at-least-one-member-of + keys: + - input3 + - list: + - "'14:00:00.000Z'" + - "'15:00:00.000Z'" + - "'16:00:00.000Z'" + decision: Permit + - condition: + apply: + operator: date-at-least-one-member-of + keys: + - input3 + - list: + - "'2024-12-31'" + - "'2024-12-30'" + - "'2024-12-29'" + decision: Permit + - condition: + apply: + operator: anyURI-at-least-one-member-of + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + decision: Permit + - condition: + apply: + operator: dnsName-at-least-one-member-of + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + decision: Permit + - condition: + apply: + operator: hexBinary-at-least-one-member-of + keys: + - input3 + - list: + - "'06DF'" + - "'23EA'" + - "'6AFB'" + decision: Permit + - condition: + apply: + operator: base64Binary-at-least-one-member-of + keys: + - input3 + - list: + - "'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcDusIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcddVuIHNlc2FtZQ=='" + decision: Permit + - condition: + apply: + operator: x500Name-at-least-one-member-of + keys: + - input3 + - list: + - "'2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.3.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.1.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + decision: Permit + - condition: + apply: + operator: rfc822Name-at-least-one-member-of + keys: + - input3 + - list: + - "'someone@example1.com'" + - "'someone@example2.com'" + - "'someone@example3.com'" + decision: Permit + - condition: + apply: + operator: ipAddress-at-least-one-member-of + keys: + - input3 + - list: + - "'10.1.2.2'" + - "'10.3.4.4'" + - "'10.4.2.3'" + decision: Permit + - condition: + apply: + operator: yearMonthDuration-at-least-one-member-of + keys: + - input3 + - list: + - "'P2Y6M'" + - "'P0Y20M'" + - "'P0Y'" + decision: Permit + - condition: + apply: + operator: dayTimeDuration-at-least-one-member-of + keys: + - input3 + - list: + - "'P1DT2H'" + - "'PT20M'" + - "'PT120M'" + 
decision: Permit + - condition: + apply: + operator: string-set-equals + keys: + - apply: + operator: string-intersection + keys: + - input3 + - list: + - "'A'" + - "'B'" + - "'C'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: boolean-set-equals + keys: + - apply: + operator: boolean-intersection + keys: + - input3 + - list: + - "true" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: integer-set-equals + keys: + - apply: + operator: integer-intersection + keys: + - input3 + - list: + - 10 + - 20 + - 30 + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: double-set-equals + keys: + - apply: + operator: double-intersection + keys: + - input3 + - list: + - 10.5 + - 20.2 + - 30.1 + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dateTime-set-equals + keys: + - apply: + operator: dateTime-intersection + keys: + - input3 + - list: + - "'2024-12-31T14:00:00.000Z'" + - "'2024-12-30T14:00:00.000Z'" + - "'2024-12-29T14:00:00.000Z'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: time-set-equals + keys: + - apply: + operator: time-intersection + keys: + - input3 + - list: + - "'14:00:00.000Z'" + - "'15:00:00.000Z'" + - "'16:00:00.000Z'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: date-set-equals + keys: + - apply: + operator: date-intersection + keys: + - input3 + - list: + - "'2024-12-31'" + - "'2024-12-30'" + - "'2024-12-29'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: anyURI-set-equals + keys: + - apply: + operator: anyURI-intersection + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dnsName-set-equals + keys: + - apply: + operator: dnsName-intersection + keys: + - input3 + list: + 
- "'example1.com'" + - "'example2.com'" + - "'example3.com'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: hexBinary-set-equals + keys: + - apply: + operator: hexBinary-intersection + keys: + - input3 + - list: + - "'06DF'" + - "'23EA'" + - "'6AFB'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: base64Binary-set-equals + keys: + - apply: + operator: base64Binary-intersection + keys: + - input3 + list: + - "'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcDusIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcddVuIHNlc2FtZQ=='" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: x500Name-set-equals + keys: + - apply: + operator: x500Name-intersection + keys: + - input3 + - list: + - "'2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.3.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.1.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: rfc822Name-set-equals + keys: + - apply: + operator: rfc822Name-intersection + keys: + - input3 + - list: + - "'someone@example1.com'" + - "'someone@example2.com'" + - "'someone@example3.com'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: ipAddress-set-equals + keys: + - apply: + operator: ipAddress-intersection + keys: + - input1 + - list: + - "'10.1.2.2'" + - "'10.3.4.4'" + - "'10.4.2.3'" + compareWith: + value: input3 + decision: Permit + - condition: + apply: + operator: yearMonthDuration-set-equals + keys: + - apply: + operator: yearMonthDuration-intersection + keys: + - input3 + - list: + - "'P2Y6M'" + - "'P0Y20M'" + - "'P0Y'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dayTimeDuration-set-equals + keys: + - apply: + operator: dayTimeDuration-intersection + keys: + - input3 + - list: + - "'P1DT2H'" + - "'PT20M'" + - "'PT120M'" + compareWith: + value: input1 + decision: Permit + - 
condition: + apply: + operator: string-set-equals + keys: + - apply: + operator: string-union + keys: + - input3 + - list: + - "'A'" + - "'B'" + - "'C'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: boolean-set-equals + keys: + - apply: + operator: boolean-union + keys: + - input3 + - list: + - "true" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: integer-set-equals + keys: + - apply: + operator: integer-union + keys: + - input3 + - list: + - 10 + - 20 + - 30 + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: double-set-equals + keys: + - apply: + operator: double-union + keys: + - input3 + - list: + - 10.5 + - 20.2 + - 30.1 + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dateTime-set-equals + keys: + - apply: + operator: dateTime-union + keys: + - input3 + - list: + - "'2024-12-31T14:00:00.000Z'" + - "'2024-12-30T14:00:00.000Z'" + - "'2024-12-29T14:00:00.000Z'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: time-set-equals + keys: + - apply: + operator: time-union + keys: + - input3 + - list: + - "'14:00:00.000Z'" + - "'15:00:00.000Z'" + - "'16:00:00.000Z'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: date-set-equals + keys: + - apply: + operator: date-union + keys: + - input3 + - list: + - "'2024-12-31'" + - "'2024-12-30'" + - "'2024-12-29'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: anyURI-set-equals + keys: + - apply: + operator: anyURI-union + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dnsName-set-equals + keys: + - apply: + operator: dnsName-union + keys: + - input3 + list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + compareWith: + value: 
input1 + decision: Permit + - condition: + apply: + operator: hexBinary-set-equals + keys: + - apply: + operator: hexBinary-union + keys: + - input3 + - list: + - "'06DF'" + - "'23EA'" + - "'6AFB'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: base64Binary-set-equals + keys: + - apply: + operator: base64Binary-union + keys: + - input3 + list: + - "'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcDusIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcddVuIHNlc2FtZQ=='" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: x500Name-set-equals + keys: + - apply: + operator: x500Name-union + keys: + - input3 + - list: + - "'2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.3.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.1.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: rfc822Name-set-equals + keys: + - apply: + operator: rfc822Name-union + keys: + - input3 + - list: + - "'someone@example1.com'" + - "'someone@example2.com'" + - "'someone@example3.com'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: ipAddress-set-equals + keys: + - apply: + operator: ipAddress-union + keys: + - input1 + - list: + - "'10.1.2.2'" + - "'10.3.4.4'" + - "'10.4.2.3'" + compareWith: + value: input3 + decision: Permit + - condition: + apply: + operator: yearMonthDuration-set-equals + keys: + - apply: + operator: yearMonthDuration-union + keys: + - input3 + - list: + - "'P2Y6M'" + - "'P0Y20M'" + - "'P0Y'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: dayTimeDuration-set-equals + keys: + - apply: + operator: dayTimeDuration-union + keys: + - input3 + - list: + - "'P1DT2H'" + - "'PT20M'" + - "'PT120M'" + compareWith: + value: input1 + decision: Permit + - condition: + apply: + operator: string-subset + keys: + - input3 + - list: + - "'A'" + - "'B'" + - "'C'" + decision: Permit + - condition: + 
apply: + operator: boolean-subset + keys: + - input1 + - list: + - "true" + decision: Permit + - condition: + apply: + operator: integer-subset + keys: + - input1 + - list: + - 10 + - 20 + - 30 + decision: Permit + - condition: + apply: + operator: double-subset + keys: + - input1 + - list: + - 10.5 + - 20.2 + - 30.1 + decision: Permit + - condition: + apply: + operator: dateTime-subset + keys: + - input1 + - list: + - "'2024-12-31T14:00:00.000Z'" + - "'2024-12-30T14:00:00.000Z'" + - "'2024-12-29T14:00:00.000Z'" + decision: Permit + - condition: + apply: + operator: time-subset + keys: + - input1 + - list: + - "'14:00:00.000Z'" + - "'15:00:00.000Z'" + - "'16:00:00.000Z'" + decision: Permit + - condition: + apply: + operator: date-subset + keys: + - input3 + - list: + - "'2024-12-31'" + - "'2024-12-30'" + - "'2024-12-29'" + decision: Permit + - condition: + apply: + operator: anyURI-subset + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + decision: Permit + - condition: + apply: + operator: dnsName-subset + keys: + - input3 + - list: + - "'example1.com'" + - "'example2.com'" + - "'example3.com'" + decision: Permit + - condition: + apply: + operator: hexBinary-subset + keys: + - input3 + - list: + - "'06DF'" + - "'23EA'" + - "'6AFB'" + decision: Permit + - condition: + apply: + operator: base64Binary-subset + keys: + - input3 + - list: + - "'QWxhZGRpbjpvcGVuIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcDusIHNlc2FtZQ=='" + - "'QWxhZGRpbjpvcddVuIHNlc2FtZQ=='" + decision: Permit + - condition: + apply: + operator: x500Name-subset + keys: + - input3 + - list: + - "'2.5.4.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.3.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + - "'2.5.1.5=8,O=ABC,CN=ABC Class 3 CA,C=LT'" + decision: Permit + - condition: + apply: + operator: rfc822Name-subset + keys: + - input3 + - list: + - "'someone@example1.com'" + - "'someone@example2.com'" + - "'someone@example3.com'" + decision: Permit + - condition: + apply: + operator: 
ipAddress-subset + keys: + - input3 + - list: + - "'10.1.2.2'" + - "'10.3.4.4'" + - "'10.4.2.3'" + decision: Permit + - condition: + apply: + operator: yearMonthDuration-subset + keys: + - input3 + - list: + - "'P2Y6M'" + - "'P0Y20M'" + - "'P0Y'" + decision: Permit + - condition: + apply: + operator: dayTimeDuration-subset + keys: + - input3 + - list: + - "'P1DT2H'" + - "'PT20M'" + - "'PT120M'" + decision: Permit + - condition: + apply: + operator: any-of + keys: + - function: string-equal + - "'ABC'" + - list: + - "'ABC'" + - "'xyz'" + - parameterName + decision: Permit + - condition: + apply: + operator: all-of + keys: + - function: integer-greater-than + - 10 + - list: + - 6 + - 1 + - parameterName + decision: Permit + - condition: + apply: + operator: any-of-any + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: all-of-any + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: any-of-all + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: all-of-all + keys: + - function: integer-equal + - list: + - 4 + - 5 + - parameterName1 + - list: + - 6 + - 1 + - parameterName2 + decision: Permit + - condition: + apply: + operator: map + keys: + - function: string-normalize-to-lower-case + - list: + - Hello + - World! 
+ decision: Permit
+ - condition:
+ apply:
+ operator: n-of
+ keys:
+ - 2
+ - parameter1
+ - true
+ - false
+ decision: Permit
+ metadata:
+ policy-id: operators.example.policy
+ policy-version: 1.0.0
+ name: operators.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-operators
+ description: policy set for operators
+ policy-id: operators.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.ref.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.ref.yaml
new file mode 100644
index 00000000..659edc3f
--- /dev/null
+++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.ref.yaml
@@ -0,0 +1,34 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - ref.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: policy set ID reference
+ rules:
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ metadata:
+ policy-id: ref.example.policy
+ policy-version: 1.0.0
+ policySetIdRefs:
+ - id: example.policy.set
+ version: 1.0.0
+ name: ref.policy.set
+ version: 1.0.0
+ metadata:
+ description: policy set with referenced policy set
+ policy-id: ref.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
diff --git a/applications/native/src/test/resources/policies/native.toscaxacml.policy.target.yaml b/applications/native/src/test/resources/policies/native.toscaxacml.policy.target.yaml
new file mode 100644
index 00000000..1598657b
--- /dev/null
+++ b/applications/native/src/test/resources/policies/native.toscaxacml.policy.target.yaml
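Review bot: Several conditions in this fixture are type-inconsistent and would be Indeterminate if the PDP ever evaluated them: `integer-equal` is applied to the result of `double-abs` and compared with `10.3`, `floor` yields an integral double yet is compared with `10.5`, and the `double-divide` result is compared with the integer literal `10`. If the translator is meant to accept these the test only proves the YAML round-trips, so either correct the values (`operator: double-equal` / `value: 10.0`) or move those rules into a `bad.*` fixture that asserts rejection. Separately, the `dnsName-regexp-match` pattern starting `^(?![0-9]+$)(?!-)[a-zA-Z0-9-]{,63}(?CN=` is not a valid Java regex (`{,63}` is an illegal repetition and `(?C` is not a group syntax — possibly a named group `(?<name>` lost in extraction), and `string-regexp-match` with `[a-z]*` matches every input under XACML's unanchored fn:matches semantics, making that Permit rule effectively unconditional. Compiling each pattern with `Pattern.compile` at translation time would reject the malformed one before it reaches the PDP.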
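Review bot: `policySetIdRefs` points at `example.policy.set` version `1.0.0`, which is not defined anywhere in this template, so the translator cannot validate the reference and an unresolvable `PolicySetIdReference` only surfaces at PDP load or decision time (presumably as Indeterminate). Pinning the version is the right call — an unversioned reference would bind to whatever later version gets deployed — but the test should assert that failure mode, or the fixture should ship the referenced set alongside it. This fixture is also the only one in the patch whose `metadata` omits the `action` key; if the translator derives the policy-set target from it, that omission should be deliberate and covered by an assertion rather than left implicit.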
@@ -0,0 +1,61 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ inputs: {}
+ policies:
+ - target.policy.set:
+ type: onap.policies.native.ToscaXacml
+ type_version: 1.0.0
+ properties:
+ policies:
+ - properties:
+ description: target example
+ rules:
+ - target:
+ anyOne:
+ - allOf:
+ - key: input1
+ operator: integer-equal
+ value: 5
+ description: test rule
+ condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ value: 50
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ key: parameter2
+ decision: Permit
+ - condition:
+ apply:
+ operator: double-greater-than-or-equal
+ keys:
+ - parameter1
+ compareWith:
+ apply:
+ operator: integer-to-double
+ keys:
+ - parameter3
+ decision: Permit
+ - decision: Deny
+ advice:
+ value: this is a default rule
+ metadata:
+ policy-id: compareWith.example.policy
+ policy-version: 1.0.0
+ name: target.policy.set
+ version: 1.0.0
+ metadata:
+ action: check-compareWith-policy
+ description: policy set for nested apply
+ policy-id: target.policy.set
+ policy-version: 1.0.0
+name: ToscaServiceTemplateSimple
+version: 1.0.0
-- 
2.16.6
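Review bot: The fixture's metadata is copied from another example — `policy-id: compareWith.example.policy`, `action: check-compareWith-policy` and `description: policy set for nested apply` — so the translated policy id does not identify this file and, if the compareWith fixture carries the same id, the two cannot coexist in one PDP policy store; rename them to `policy-id: target.example.policy`, `action: check-target-policy` and `description: policy set for rule-level target`. As in the nestedapply fixture, no `combiningAlgo` is set while the trailing `- decision: Deny` rule has no target or condition and is therefore always applicable, so the expected decision depends on the translator's default algorithm; adding `combiningAlgo: first-applicable` under `properties` and asserting in the test that a request with `input1: 5` and `parameter1: 50` yields Permit would make the intent explicit. The rule-level `target` is the feature this file exists to exercise, yet its description is just `test rule`; `description: applies only when input1 == 5` would document what the target restricts.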