Merge branch 'release/20.3.1'

CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project are documented in this file following the [K
 - Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. 
 - Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
 
+
+## 20.3.1
+### Fixed
+- CVEs by upgrading:
+  - parent project (authzforce-ce-parent): 8.5.0
+  - authzforce-ce-core-pdp-api: 21.4.0
+  - authzforce-ce-xacml-model, authzforce-ce-pdp-ext-model, authzforce-ce-xmlns-model: 8.5.0
+  - authzforce-ce-xacml-json-model: 3.0.5
+  - picocli: 4.7.4
+  - javax.mail -> jakarta.mail: 1.6.7
+  - mono-java-driver -> mongodb-driver-legacy: 4.8.0
+  - jongo: 1.5.1
+  - guava: 32.1.2-jre
+  - logback-classic: 1.2.12
+  - spring-core: 5.3.29
+  - Saxon-HE: 12.3
+  - jaxb2-basics-runtime: 0.13.1
+  - jaxb-runtime: 2.3.3
+  -  org.everit.json.schema renamed/upgraded to com.github.erosb/everit-json-schema:1.14.2
+- XacmlAttributeId enum: added missing value for standard XACML 3.0 Core attribute ID: `urn:oasis:names:tc:xacml:2.0:resource:target-namespace (used for processing).
+
+
 ## 20.3.0
 ### Fixed
 - Upgraded parent project (8.4.1) to fix CVEs in following dependencies:

README.md

@@ -1,7 +1,7 @@
 [![Codacy Badge](https://app.codacy.com/project/badge/Grade/9c9812d7b09549e59edb99f3948bca4a)](https://www.codacy.com/gh/authzforce/core/dashboard?utm_source=github.com&utm_medium=referral&utm_content=authzforce/core&utm_campaign=Badge_Grade)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/389/badge)](https://bestpractices.coreinfrastructure.org/projects/389)
 [![Build Status](https://github.com/authzforce/core/actions/workflows/maven.yml/badge.svg?branch=develop)](https://github.com/authzforce/core/actions/workflows/maven.yml)
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_shield)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_shield)
 
 Javadocs: PDP engine [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-engine.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-engine), XACML/JSON extension [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-io-xacml-json.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-io-xacml-json), Test utilities [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-testutils.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-testutils)
 
@@ -30,7 +30,13 @@ AuthzForce Core may be used in the following ways:
 *For further details on what is actually supported regarding the XACML specifications, please refer to the conformance tests [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md).*
 
 ### Enhancements to the XACML standard
-* [GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic).
+
+GeoXACML 3.0 Core: https://docs.ogc.org/DRAFTS/22-049.html 
+GeoXACML 3.0 JSON Profile 1.0: https://docs.ogc.org/DRAFTS/22-050.html 
+
+* [GeoXACML 1.0](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic). 
+* [GeoXACML 3.0 Core (draft)](https://docs.ogc.org/DRAFTS/22-049.html) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3). 
+* [GeoXACML 3.0 JSON Profile 1.0 (draft)](https://docs.ogc.org/DRAFTS/22-050.html) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3).
 * Support `<VariableReference>` (indirectly) in `<Target>`/`<Match>` elements: this feature is a workaround for a limitation in XACML schema which does not allow Variables (`<VariableReference>`) in `Match` elements; i.e. the feature allows policy writers to use an equivalent of `<VariableReference>`s in `<Match>` elements (without changing the XACML schema) through a special kind of `<AttributeDesignator>` (specific `Category`, and `AttributeId` is used as `VariableId`). More details in the Usage section below. 
 
 ### Interfaces
@@ -295,8 +301,22 @@ If you are using the Java API with extensions configured by XML (Policy Provider
 1. *extensionXsdLocation*: location of the PDP extensions schema file: contains imports of namespaces corresponding to XML schemas of all XML-schema-defined PDP extensions to be used in the configuration file. Used for validation of PDP extensions configuration. The actual schema locations are resolved by the XML catalog parameter. You may use the [pdp-ext.xsd](pdp-testutils/src/test/resources/pdp-ext.xsd) in the sources as an example.
 
 
-## Integration with other Security Policy models, languages, formats, etc.
-### SPIF (Security Policy Information File)
+
+## Editing and creating XACML 3.0 policies from scratch and from other formats
+
+### Using a full-fledged XML editor
+
+For full support of XACML, you may use any XML editor supporting XML Schema. Make sure you import the XACML 3.0 schema into the tool and enable XML schema validation.
+
+### Using ALFA plugin for VScode - ALFA to XACML
+Axiomatics provides an [VScode plugin](https://marketplace.visualstudio.com/items?itemName=Axiomatics.alfa) to edit policies in [ALFA](https://axiomatics.github.io/alfa-vscode-doc/docs/alfa-introduction/introduction/) (Abbreviated Language for Authorization) and generate XACML 3.0 policies from it automatically. Beware of the [Axiomatics license](https://marketplace.visualstudio.com/items/Axiomatics.alfa/license) and [limitations of ALFA with respect to XACML](https://axiomatics.github.io/alfa-vscode-doc/docs/xacml/limitations-with-respect-to-xacml/).
+
+### From XACML 2.0 policies - XACML 2.0 to 3.0
+
+If you still have legacy policies in older XACML 2.0 format, you can migrate to XACML 3.0 automatically with a simple command given in a previous section:
+https://github.com/authzforce/core#xacml-20-support-and-migrating-to-xacml-30
+
+### From SPIF (Security Policy Information File) - SPIF to XACML
 A SPIF (Security Policy Information File) defines a security labeling policy in a XML document (based on the [SPIF XML schema](spif-utils/spif.xsd)). More info on the [Open XML SPIF website](http://www.xmlspif.org/).
 
 [NATO ADatP-4774.1](https://nso.nato.int/nso/nsdd/main/standards/srd-details/222/EN) - related to [STANAG 4774](https://nso.nato.int/nso/nsdd/main/standards/stanag-details/8612/EN) - gives implementation guidance on how to generate a XACML policy from a SPIF, including an example of XSLT stylesheet. We made a few improvements to that stylesheet, using the latest XACML 3.0 enhancements and AuthzForce optimizations, and differentiating READ and WRITE actions in accordance to the Bell-Lapadula model. The enhanced stylesheet is available in the [spif-utils](spif-utils) folder in two versions:

owasp-dependency-check-suppression.xml

@@ -14,4 +14,11 @@
         <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
         <vulnerabilityName>CVE-2022-45688</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   FP per issue #5779
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+        <cve>CVE-2023-35116</cve>
+    </suppress>
 </suppressions>

pdp-cli/pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-core</artifactId>
-      <version>20.3.0</version>
+      <version>20.3.1</version>
       <relativePath>../pom.xml</relativePath>
    </parent>
    <artifactId>authzforce-ce-core-pdp-cli</artifactId>
@@ -21,7 +21,7 @@
       <dependency>
          <groupId>info.picocli</groupId>
          <artifactId>picocli</artifactId>
-         <version>4.6.2</version>
+         <version>4.7.4</version>
       </dependency>
       <dependency>
          <groupId>ch.qos.logback</groupId>
@@ -30,26 +30,26 @@
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-engine</artifactId>
-         <version>20.3.0</version>
+         <version>20.3.1</version>
       </dependency>
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
-         <version>20.3.0</version>
+         <version>20.3.1</version>
       </dependency>
       <dependency>
          <groupId>org.testng</groupId>
          <artifactId>testng</artifactId>
          <!-- v7.5 not yet compatible with maven Surefire plugin!
          https://groups.google.com/g/testng-users/c/ESLiK8xSomc?pli=1
          -->
-         <version>6.14.3</version>
+         <version>7.8.0</version>
          <scope>test</scope>
       </dependency>
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-testutils</artifactId>
-         <version>20.3.0</version>
+         <version>20.3.1</version>
          <scope>test</scope>
       </dependency>
    </dependencies>
@@ -177,7 +177,8 @@
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-surefire-plugin</artifactId>
             <configuration>
-               <skipAfterFailureCount>1</skipAfterFailureCount>
+               <!-- skipAfterFailureCount > 0 issue with TestNG: https://issues.apache.org/jira/browse/SUREFIRE-1762?jql=text%20~%20%22testng%22 -->
+               <skipAfterFailureCount>0</skipAfterFailureCount>
                <!-- redirectTestOutputToFile: set this to 'true' to redirect the unit test standard output to a file (found in reportsDirectory/testName-output.txt) -->
                <redirectTestOutputToFile>false</redirectTestOutputToFile>
                <systemPropertyVariables>
@@ -196,7 +197,7 @@
          <plugin>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-maven-plugin</artifactId>
-            <version>2.0.0.M6</version>
+            <version>${spring-boot.version}</version>
             <configuration>
                <executable>true</executable>
                <layout>ZIP</layout>

pdp-engine-oss-functional-benchmark/.gitignore

@@ -0,0 +1,7 @@
+/target/
+/.settings/
+/.classpath
+/.pmd
+/.pmdruleset.xml
+/.project
+/test-output/

pdp-engine-oss-functional-benchmark/license/alv2-header.txt

@@ -0,0 +1,16 @@
+Copyright ${inceptionYear}-${currentYear} ${copyrightOwner}.
+
+This file is part of ${projectName}.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+

pdp-engine-oss-functional-benchmark/license/header-defs.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<additionalHeaders>
+    <javadoc_style>
+        <firstLine>/*</firstLine>
+        <beforeEachLine> * </beforeEachLine>
+        <endLine> */</endLine>
+        <!--<afterEachLine></afterEachLine>-->
+        <!--skipLine></skipLine-->
+        <firstLineDetectionPattern>(\s|\t)*/\*.*$</firstLineDetectionPattern>
+        <lastLineDetectionPattern>.*\*/(\s|\t)*$</lastLineDetectionPattern>
+        <allowBlankLines>false</allowBlankLines>
+        <isMultiline>true</isMultiline>
+        <padLines>false</padLines>
+    </javadoc_style>
+</additionalHeaders>
+

pdp-engine-oss-functional-benchmark/owasp-dependency-check-suppression.xml

@@ -1,3 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 </suppressions>

pdp-engine-oss-functional-benchmark/pom.xml

@@ -3,33 +3,27 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-core</artifactId>
-		<version>17.1.3-SNAPSHOT</version>
+		<version>20.3.1-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
-	<artifactId>authzforce-ce-core-pdp-benchmark</artifactId>
+	<artifactId>authzforce-ce-core-pdp-engine-oss-functional-benchmark</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
-	<description>AuthzForce - Core PDP Benchmark against AT&amp;T XACML and WSO2 Balana</description>
+	<description>AuthzForce - Functional benchmark of open source PDP engines (Authzforce, AT&amp;amp;T XACML, WSO2 Balana)</description>
 	<url>${project.url}</url>
 	<scm>
 		<!-- Used by Jenkins - Maven release plugin -->
-		<connection>scm:git:${git.url.base}/core.git/pdp-benchmark</connection>
-		<developerConnection>scm:git:${git.url.base}/core.git/pdp-benchmark</developerConnection>
+		<connection>scm:git:${git.url.base}/core.git/pdp-engine-oss-functional-benchmark</connection>
+		<developerConnection>scm:git:${git.url.base}/core.git/pdp-engine-oss-functional-benchmark</developerConnection>
 		<tag>HEAD</tag>
 		<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
-		<url>${git.url.base}/core/pdp-benchmark</url>
+		<url>${git.url.base}/core/pdp-engine-oss-functional-benchmark</url>
 	</scm>
 	<!-- distributionManagement defined in parent POM already -->
 	<dependencies>
 		<dependency>
-			<groupId>org.ow2.authzforce</groupId>
+			<groupId>${parent.groupId}</groupId>
 			<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
-			<version>17.1.3-SNAPSHOT</version>
-		</dependency>
-		<dependency>
-			<groupId>org.ow2.authzforce</groupId>
-			<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
-			<version>17.1.3-SNAPSHOT</version>
-			<scope>compile</scope>
+			<version>20.3.1-SNAPSHOT</version>
 		</dependency>
 		<dependency>
 			<groupId>junit</groupId>
@@ -44,7 +38,7 @@
 		<dependency>
 			<groupId>org.testng</groupId>
 			<artifactId>testng</artifactId>
-			<version>7.5</version>
+			<version>7.8.0</version>
 			<scope>test</scope>
 		</dependency>
 		<!-- Other XACML engines -->
@@ -196,7 +190,7 @@
 							<includes>
 								<include>**/ComparativePdpTest.java</include>
 							</includes>
-							<skipAfterFailureCount>1</skipAfterFailureCount>
+							<skipAfterFailureCount>0</skipAfterFailureCount>
 							<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit test standard output to a file (found in reportsDirectory/testName-output.txt) -->
 							<redirectTestOutputToFile>false</redirectTestOutputToFile>
 							<systemPropertyVariables>

pdp-engine-oss-functional-benchmark/src/test/java/org/ow2/authzforce/core/pdp/benchmark/test/ComparativePdpTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 THALES.
+ * Copyright 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -33,7 +33,6 @@
 import org.junit.runners.Parameterized.Parameters;
 import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
 import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
-import org.ow2.authzforce.core.pdp.api.XmlUtils;
 import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParser;
 import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParserFactory;
 import org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbResultPostprocessor;
@@ -51,7 +50,10 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.ResourceUtils;
-import org.wso2.balana.*;
+import org.wso2.balana.ConfigurationStore;
+import org.wso2.balana.PDP;
+import org.wso2.balana.PDPConfig;
+import org.wso2.balana.UnknownIdentifierException;
 import org.wso2.balana.ctx.AbstractRequestCtx;
 import org.wso2.balana.ctx.RequestCtxFactory;
 import org.wso2.balana.ctx.ResponseCtx;
@@ -148,7 +150,7 @@ private static final class AuthzForcePdpEngineInvoker implements PdpEngineInvoke
 		private static final AttributeValueFactoryRegistry STD_ATTRIBUTE_VALUE_FACTORIES = StandardAttributeValueFactories.getRegistry(false, Optional.empty());
 
 		private static final DecisionRequestPreprocessor<Request, IndividualXacmlJaxbRequest> DEFAULT_XACML_JAXB_REQ_PREPROC = SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE
-		        .getInstance(STD_ATTRIBUTE_VALUE_FACTORIES, false, false, XmlUtils.SAXON_PROCESSOR, Collections.emptySet());
+				.getInstance(STD_ATTRIBUTE_VALUE_FACTORIES, false, false, Set.of());
 		private static final DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> DEFAULT_XACML_JAXB_RESULT_POSTPROC = new BaseXacmlJaxbResultPostprocessor(0);
 		private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
 		// private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
@@ -323,7 +325,7 @@ public Response eval(final Path testCaseDirPath) throws IOException, JAXBExcepti
 				final ConfigurationStore configStore = new ConfigurationStore(pdpConfFile);
 				pdpConfig = configStore.getDefaultPDPConfig();
 			}
-			catch (final UnknownIdentifierException | ParsingException e)
+			catch (final UnknownIdentifierException | org.wso2.balana.ParsingException e)
 			{
 				throw new IllegalArgumentException("WSO2 Balana engine - Invalid PDP configuration", e);
 			}
@@ -336,7 +338,7 @@ public Response eval(final Path testCaseDirPath) throws IOException, JAXBExcepti
 			{
 				balanaRequest = REQUEST_FACTORY.getRequestCtx(is);
 			}
-			catch (final ParsingException e)
+			catch (final org.wso2.balana.ParsingException e)
 			{
 				throw new IllegalArgumentException("WSO2 Balana engine - Bad Request", e);
 			}
@@ -426,7 +428,7 @@ public void policyEval() throws IOException, JAXBException
 
 		final XmlnsFilteringParser unmarshaller = XACML_PARSER_FACTORY.getInstance();
 		final Response expectedResponse = TestUtils.createResponse(this.testDirPath.resolve(EXPECTED_RESPONSE_FILENAME), unmarshaller);
-		TestUtils.assertNormalizedEquals(testDirPath.toString(), expectedResponse, actualResponse);
+		TestUtils.assertNormalizedEquals(testDirPath.toString(), expectedResponse, actualResponse, true);
 	}
 
 }