Merge branch 'release/6.1.0'

authzforce · Jan 15, 2017 · a06326e · a06326e
2 parents 48179e2 + 9f6e1f7
commit a06326e
Show file tree

Hide file tree

Showing 122 changed files with 409 additions and 296 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,17 @@
 All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. 
 
 
+## 6.1.0
+### Changed
+- Parent project version: 4.0.0 -> 4.1.1 => Changed dependency versions: 
+    - Spring 4.3.4 -> 4.3.5, 
+    - Saxon-HE 9.7.0-11 -> 9.7.0-14
+- authzforce-ce-core-pdp-api dependency version: 8.0.0 -> 8.2.0
+
+### Fixed
+- Security issues reported by Find Security Bugs plugin
+
+
 ## 6.0.0
 ### Added
 - Extension mechanism to switch HashMap/HashSet implementation; default implementation is based on native JRE and Guava.
@@ -25,6 +36,7 @@ All notable changes to this project are documented in this file following the [K
 - OW2 #AUTHZFORCE-23: enforcement of RuleId/PolicyId/PolicySetId uniqueness:
 	- PolicyId (resp. PolicySetId) should be unique across all policies loaded by PDP so that PolicyIdReferences (resp. PolicySetIdReferences) in Responses' PolicyIdentifierList are absolute references to applicable policies (no ambiguity).
  	- [RuleId should be unique within a policy](https://lists.oasis-open.org/archives/xacml/201310/msg00025.html) -> A rule is globally uniquely identified by the parent PolicyId and the RuleId.
+- OW2 #AUTHZFORCE-25: NullPointerException when parsing Apply expressions using invalid/unsupported Function ID
 
 
 ## 5.0.2

diff --git a/findbugs-exclude-filter.xml b/findbugs-exclude-filter.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<!--
+  This file contains some false positive bugs detected by Findbugs. Their
+  false positive nature has been analyzed individually and they have been
+  put here to instruct Findbugs to ignore them.
+-->
+<FindBugsFilter>
+  <Match>
+  <!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
+  More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
+   -->
+    <Bug pattern="CRLF_INJECTION_LOGS" />
+  </Match>
+</FindBugsFilter>
diff --git a/pom.xml b/pom.xml
@@ -3,10 +3,10 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>4.0.0</version>
+      <version>4.1.1</version>
    </parent>
    <artifactId>authzforce-ce-core</artifactId>
-   <version>6.0.0</version>
+   <version>6.1.0</version>
    <name>${project.groupId}:${project.artifactId}</name>
    <description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
    <url>https://tuleap.ow2.org/projects/authzforce</url>
@@ -42,7 +42,7 @@
       <dependency>
          <groupId>${project.groupId}</groupId>
          <artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
-         <version>8.0.0</version>
+         <version>8.2.0</version>
       </dependency>
       <!-- /Authzforce dependencies -->
 
@@ -102,6 +102,9 @@
          <plugin>
             <groupId>org.codehaus.mojo</groupId>
             <artifactId>findbugs-maven-plugin</artifactId>
+            <configuration>
+               <excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
+            </configuration>
             <executions>
                <execution>
                   <phase>verify</phase>

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/AllOfEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/AllOfEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/AnyOfEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/AnyOfEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/AttributeAssignmentExpressionEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/AttributeAssignmentExpressionEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/BasePdpExtensionRegistry.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/BasePdpExtensionRegistry.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/BooleanEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/BooleanEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/CloseableAttributeProvider.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/CloseableAttributeProvider.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -190,13 +190,13 @@ public static CloseableAttributeProvider getInstance(final List<AbstractAttribut
 				for (final AttributeDesignatorType attrDesignator : moduleAdapter.getProvidedAttributes())
 				{
 					final AttributeGUID attrGUID = new AttributeGUID(attrDesignator);
-					if (modulesByAttributeId.containsKey(attrGUID))
+					final AttributeProviderModule duplicate = modulesByAttributeId.putIfAbsent(attrGUID, moduleAdapter.getAdaptedModule());
+					if (duplicate != null)
 					{
 						moduleAdapter.close();
 						throw new IllegalArgumentException("Conflict: " + moduleAdapter + " providing the same AttributeDesignator (" + attrGUID + ") as another already registered.");
 					}
 
-					modulesByAttributeId.put(attrGUID, moduleAdapter.getAdaptedModule());
 				}
 			}
 			catch (final IllegalArgumentException e)

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/DefaultEnvironmentProperties.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/DefaultEnvironmentProperties.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/DefaultRequestFilter.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/DefaultRequestFilter.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -137,11 +137,11 @@ public List<? extends IndividualDecisionRequest> filter(final List<Attributes> a
 			final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
 			if (newContentNode != null)
 			{
-				final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
+				final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryName, newContentNode);
 				/*
 				 * No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
 				 */
-				if (oldContentNode != null)
+				if (duplicate != null)
 				{
 					throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
 							+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/ImmutablePdpExtensionRegistry.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/ImmutablePdpExtensionRegistry.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/IndividualDecisionRequestContext.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/IndividualDecisionRequestContext.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -161,7 +161,8 @@ public <AV extends AttributeValue> Bag<AV> getAttributeDesignatorResult(final At
 	@Override
 	public boolean putAttributeDesignatorResultIfAbsent(final AttributeGUID id, final Bag<?> result)
 	{
-		if (namedAttributes.containsKey(id))
+		final Bag<?> duplicate = namedAttributes.putIfAbsent(id, result);
+		if (duplicate != null)
 		{
 			/*
 			 * This should never happen, as getAttributeDesignatorResult() should have been called first (for same id) and returned this oldResult, and no further call to
@@ -175,7 +176,7 @@ public boolean putAttributeDesignatorResultIfAbsent(final AttributeGUID id, fina
 		/*
 		 * Attribute value cannot change during evaluation context, so if old value already there, put it back
 		 */
-		return namedAttributes.put(id, result) == null;
+		return true;
 	}
 
 	/** {@inheritDoc} */
@@ -210,13 +211,13 @@ public <V extends Value> V getVariableValue(final String variableId, final Datat
 	@Override
 	public boolean putVariableIfAbsent(final String variableId, final Value value)
 	{
-		if (varValsById.containsKey(variableId))
+		if (varValsById.putIfAbsent(variableId, value) != null)
 		{
 			LOGGER.error("Attempt to override value of Variable '{}' already set in evaluation context. Overriding value: {}", variableId, value);
 			return false;
 		}
 
-		return varValsById.put(variableId, value) == null;
+		return true;
 	}
 
 	/** {@inheritDoc} */
@@ -257,13 +258,13 @@ public <AV extends AttributeValue> Bag<AV> getAttributeSelectorResult(final Attr
 	@Override
 	public boolean putAttributeSelectorResultIfAbsent(final AttributeSelectorId id, final Bag<?> result) throws IndeterminateEvaluationException
 	{
-		if (attributeSelectorResults.containsKey(id))
+		if (attributeSelectorResults.putIfAbsent(id, result) != null)
 		{
 			LOGGER.error("Attempt to override value of AttributeSelector {} already set in evaluation context. Overriding value: {}", id, result);
 			return false;
 		}
 
-		return attributeSelectorResults.put(id, result) == null;
+		return true;
 	}
 
 	/** {@inheritDoc} */

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/IndividualDecisionRequestEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/IndividualDecisionRequestEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/MatchEvaluator.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/MatchEvaluator.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -86,7 +86,7 @@ public MatchEvaluator(final Match jaxbMatch, final XPathCompiler xPathCompiler,
 		final FunctionExpression matchFunction = expFactory.getFunction(matchId);
 		if (matchFunction == null)
 		{
-			throw new IllegalArgumentException("Unsupported function for MatchId: " + matchId);
+			throw new IllegalArgumentException("Unsupported function for MatchId: '" + matchId + "'");
 		}
 
 		// next, get the designator or selector being used, and the attribute

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/ModularAttributeProvider.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/ModularAttributeProvider.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/MultiDecisionRequestFilter.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/MultiDecisionRequestFilter.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/MutableIndividualDecisionRequest.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/MutableIndividualDecisionRequest.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -109,8 +109,8 @@ public void put(final String categoryName, final SingleCategoryAttributes<?> cat
 		final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
 		if (newContentNode != null)
 		{
-			final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
-			if (oldContentNode != null)
+			final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryName, newContentNode);
+			if (duplicate != null)
 			{
 				throw new IllegalArgumentException("Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
 			}

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PDPImpl.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PDPImpl.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpBean.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpBean.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpConfigurationParser.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpConfigurationParser.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpExtensionLoader.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpExtensionLoader.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *
@@ -83,10 +83,10 @@ public final class PdpExtensionLoader
 			if (extension instanceof JaxbBoundPdpExtension<?>)
 			{
 				final JaxbBoundPdpExtension<?> jaxbBoundExt = (JaxbBoundPdpExtension<?>) extension;
-				final JaxbBoundPdpExtension<?> conflictingExt = mutableJaxbBoundExtMapByClass.put(jaxbBoundExt.getJaxbClass(), jaxbBoundExt);
-				if (conflictingExt != null)
+				final JaxbBoundPdpExtension<?> duplicate = mutableJaxbBoundExtMapByClass.putIfAbsent(jaxbBoundExt.getJaxbClass(), jaxbBoundExt);
+				if (duplicate != null)
 				{
-					throw new IllegalArgumentException("Extension " + jaxbBoundExt + " (" + jaxbBoundExt.getClass() + ") is conflicting with " + conflictingExt + "(" + conflictingExt.getClass()
+					throw new IllegalArgumentException("Extension " + jaxbBoundExt + " (" + jaxbBoundExt.getClass() + ") is conflicting with " + duplicate + "(" + duplicate.getClass()
 							+ ") for the same XML/JAXB configuration class: " + jaxbBoundExt.getJaxbClass());
 				}
 
@@ -98,10 +98,10 @@ public final class PdpExtensionLoader
 				{
 					if (extClass.isInstance(extension))
 					{
-						final PdpExtension conflictingExt = mutableNonJaxbBoundExtMapByClassAndId.put(extClass, extension.getId(), extension);
-						if (conflictingExt != null)
+						final PdpExtension duplicate = mutableNonJaxbBoundExtMapByClassAndId.put(extClass, extension.getId(), extension);
+						if (duplicate != null)
 						{
-							throw new IllegalArgumentException("Extension " + extension + " is conflicting with " + conflictingExt + " registered with same ID: " + extension.getId());
+							throw new IllegalArgumentException("Extension " + extension + " is conflicting with " + duplicate + " registered with same ID: " + extension.getId());
 						}
 
 						isValidExt = true;

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpModelHandler.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpModelHandler.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionExpression.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionExpression.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionExpressions.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionExpressions.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *

diff --git a/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionFactories.java b/src/main/java/org/ow2/authzforce/core/pdp/impl/PepActionFactories.java
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2016 Thales Services SAS.
+ * Copyright (C) 2012-2017 Thales Services SAS.
  *
  * This file is part of AuthZForce CE.
  *