Merge branch 'release/21.0.0'

CHANGELOG.md

@@ -6,6 +6,38 @@ All notable changes to this project are documented in this file following the [K
 - Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
 
 
+## 21.0.0
+### Changed
+- [GH-87] Minimum required Java version is now **Java 17**. (Java 11 no longer supported.)
+- [GH-86] Upgraded **JAXB to 4.0**. All `javax.xml.bind` namespace replaced with `jakarta.xml.bind` in all package imports.
+- Upgraded parent project (authzforce-ce-parent): 9.0.0
+- Upgraded dependencies:
+  - authzforce-ce-xacml-model: 9.0.0
+  - authzforce-ce-pdp-ext-model: 9.0.0
+  - authzforce-ce-xacml-json-model: 4.0.0
+  - authzforce-ce-core-pdp-api: 22.0.0
+  - jaxb-runtime: 4.0.4
+  - slf4j: 2.0.7
+  - logback: 1.4.11
+  - spring-core: 6.0.11
+  - guava: 32.1.3-jre
+  - jakarta.mail-api: 2.1.2
+  - jakarta.mail: 2.0.2
+  - jakarta.jws-api: 3.0.0
+  - jakarta.xml.ws-api: 3.0.1
+  - org.json:json: 20231013
+  - everit-json-schema: 1.14.3
+  - picocli: 4.7.5
+- authzforce-ce-pdp-testutils module changes:
+  - `junit` removed from compile dependencies (only test dependency)
+  - `jongo` removed from dependencies, replaced with `mongo-driver-sync` (4.11.0) for `MongodbPolicyProvider` (Policy Provider for MongoDB)
+  - Removed `PolicyPojo` class for handling policies in `MongodbPolicyProvider`, replaced with built-in `Document` class with JSON schema validation for the document format. See [new JSON schema for policy documents in MongoDB](pdp-testutils/src/main/resources/mongodb_policy_provider_doc_schema.json). 
+
+### Added
+- authzforce-ce-pdp-testutils module changes:
+    - New dependency: `mongo-driver-sync`: 4.11.0
+
+
 ## 20.3.2
 ### Fixed
 - GH-83: `NoSuchElementException` thrown when the rule combining algorithm is `permit-unless-deny` and there is no Deny rule but at least one Permit rule with Obligation/Advice.

README.md

@@ -32,12 +32,11 @@ AuthzForce Core may be used in the following ways:
 
 ### Enhancements to the XACML standard
 
-GeoXACML 3.0 Core: https://docs.ogc.org/DRAFTS/22-049.html 
-GeoXACML 3.0 JSON Profile 1.0: https://docs.ogc.org/DRAFTS/22-050.html 
+* OGC (Open Geospatial Consortium) GeoXACML standards:
+  * [GeoXACML 1.0](http://portal.opengeospatial.org/files/?artifact_id=42734) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic). 
+  * [GeoXACML 3.0 Core](https://docs.ogc.org/is/22-049r1/22-049r1.html) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3). 
+  * [GeoXACML 3.0 JSON Profile 1.0](https://docs.ogc.org/is/22-050r1/22-050r1.html) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3).
 
-* [GeoXACML 1.0](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic). 
-* [GeoXACML 3.0 Core (draft)](https://docs.ogc.org/DRAFTS/22-049.html) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3). 
-* [GeoXACML 3.0 JSON Profile 1.0 (draft)](https://docs.ogc.org/DRAFTS/22-050.html) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-ce-geoxacml3).
 * Support `<VariableReference>` (indirectly) in `<Target>`/`<Match>` elements: this feature is a workaround for a limitation in XACML schema which does not allow Variables (`<VariableReference>`) in `Match` elements; i.e. the feature allows policy writers to use an equivalent of `<VariableReference>`s in `<Match>` elements (without changing the XACML schema) through a special kind of `<AttributeDesignator>` (specific `Category`, and `AttributeId` is used as `VariableId`). More details in the Usage section below. 
 
 ### Interfaces
@@ -114,7 +113,7 @@ See the [license file](LICENSE).
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_large)
 
 ## System requirements
-Java (JRE) version: 11 or later. Java 8 is no longer supported.
+Java (JRE) version: 17 or later.
 
 ## Usage
 ### Getting started

pdp-cli/pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-core</artifactId>
-      <version>20.3.2</version>
+      <version>21.0.0</version>
       <relativePath>../pom.xml</relativePath>
    </parent>
    <artifactId>authzforce-ce-core-pdp-cli</artifactId>
@@ -21,7 +21,7 @@
       <dependency>
          <groupId>info.picocli</groupId>
          <artifactId>picocli</artifactId>
-         <version>4.7.4</version>
+         <version>4.7.5</version>
       </dependency>
       <dependency>
          <groupId>ch.qos.logback</groupId>
@@ -30,12 +30,17 @@
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-engine</artifactId>
-         <version>20.3.2</version>
+         <version>21.0.0</version>
       </dependency>
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
-         <version>20.3.2</version>
+         <version>21.0.0</version>
+      </dependency>
+      <dependency>
+         <groupId>junit</groupId>
+         <artifactId>junit</artifactId>
+         <scope>test</scope>
       </dependency>
       <dependency>
          <groupId>org.testng</groupId>
@@ -49,7 +54,7 @@
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-testutils</artifactId>
-         <version>20.3.2</version>
+         <version>21.0.0</version>
          <scope>test</scope>
       </dependency>
    </dependencies>

pdp-cli/src/main/java/org/ow2/authzforce/core/pdp/cli/PdpCommandLineCallable.java

@@ -17,6 +17,7 @@
  */
 package org.ow2.authzforce.core.pdp.cli;
 
+import jakarta.xml.bind.Marshaller;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
 import org.json.JSONObject;
@@ -38,7 +39,6 @@
 import picocli.CommandLine.Option;
 import picocli.CommandLine.Parameters;
 
-import javax.xml.bind.Marshaller;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
@@ -106,10 +106,13 @@ public Void call() throws Exception
 				        configuration.getAttributeValueFactoryRegistry(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.isXPathEnabled(),
 				        defaultResultPostproc.getFeatures());
 
-				final PdpEngineInoutAdapter<JSONObject, JSONObject> jsonPdpEngineAdapter = PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, configuration, defaultReqPreproc,
-				        defaultResultPostproc);
-				final JSONObject jsonResponse = jsonPdpEngineAdapter.evaluate(jsonRequest);
-				System.out.println(jsonResponse.toString(formattedOutput ? 4 : 0));
+				final JSONObject jsonResponse;
+				try (PdpEngineInoutAdapter<JSONObject, JSONObject> jsonPdpEngineAdapter = PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, configuration, defaultReqPreproc,
+						defaultResultPostproc))
+				{
+					jsonResponse = jsonPdpEngineAdapter.evaluate(jsonRequest);
+					System.out.println(jsonResponse.toString(formattedOutput ? 4 : 0));
+				}
 				break;
 
 			default:
@@ -120,12 +123,15 @@ public Void call() throws Exception
 					throw new IllegalArgumentException("Invalid XACML/XML Request file (according to XACML 3.0 schema): " + reqFile);
 				}
 
-				final PdpEngineInoutAdapter<Request, Response> xmlPdpEngineAdapter = PdpEngineAdapters.newXacmlJaxbInoutAdapter(configuration);
-				final Response xmlResponse = xmlPdpEngineAdapter.evaluate((Request) request, parser.getNamespacePrefixUriMap());
-				final Marshaller marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
-				final Boolean formatted = formattedOutput;
-				marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, formatted);
-				marshaller.marshal(xmlResponse, System.out);
+				final Response xmlResponse;
+				try (PdpEngineInoutAdapter<Request, Response> xmlPdpEngineAdapter = PdpEngineAdapters.newXacmlJaxbInoutAdapter(configuration))
+				{
+					xmlResponse = xmlPdpEngineAdapter.evaluate((Request) request, parser.getNamespacePrefixUriMap());
+					final Marshaller marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
+					final Boolean formatted = formattedOutput;
+					marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, formatted);
+					marshaller.marshal(xmlResponse, System.out);
+				}
 				break;
 		}
 

pdp-cli/src/test/java/org/ow2/authzforce/core/pdp/cli/test/CliTest.java

@@ -17,6 +17,7 @@
  */
 package org.ow2.authzforce.core.pdp.cli.test;
 
+import jakarta.xml.bind.JAXBException;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
 import org.json.JSONObject;
 import org.json.JSONTokener;
@@ -28,11 +29,11 @@
 import org.testng.Assert;
 import picocli.CommandLine;
 
-import javax.xml.bind.JAXBException;
 import java.io.*;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.Optional;
 
 import static org.junit.Assert.assertSame;
 
@@ -61,7 +62,10 @@ public void testXml() throws JAXBException
         try
         {
             actualXacmlJaxbObj = (Response) Xacml3JaxbHelper.createXacml3Unmarshaller().unmarshal(new StringReader(output));
-            TestUtils.assertNormalizedEquals(TEST_DATA_DIR + "/IIA001", expectedXacmlJaxbObj, actualXacmlJaxbObj, true);
+            final Optional<String> result = TestUtils.assertNormalizedEquals(TEST_DATA_DIR + "/IIA001", expectedXacmlJaxbObj, actualXacmlJaxbObj, true);
+            if(result.isPresent()) {
+                throw new AssertionError(result.get());
+            }
         } catch (final JAXBException e)
         {
             Assert.fail("Invalid XACML/XML Response returned", e);
@@ -87,9 +91,9 @@ public void testJson() throws IOException
         final JSONObject normalizedExpectedResponse;
         try (final BufferedReader reader = Files.newBufferedReader(Paths.get(TEST_DATA_DIR + "/IIA001/Response.json"), StandardCharsets.UTF_8))
         {
-            normalizedExpectedResponse = XacmlJsonUtils.canonicalizeResponse(new JSONObject(new JSONTokener(reader)), true);
+            normalizedExpectedResponse = XacmlJsonUtils.canonicalizeResponse(new JSONObject(new JSONTokener(reader)));
         }
-        final JSONObject normalizedActualResponse = XacmlJsonUtils.canonicalizeResponse(new JSONObject(output), true);
+        final JSONObject normalizedActualResponse = XacmlJsonUtils.canonicalizeResponse(new JSONObject(output));
         Assert.assertTrue(normalizedActualResponse.similar(normalizedExpectedResponse), "Actual XACML/JSON Response does not match expected");
     }
 

pdp-engine/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.ow2.authzforce</groupId>
         <artifactId>authzforce-ce-core</artifactId>
-        <version>20.3.2</version>
+        <version>21.0.0</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
     <artifactId>authzforce-ce-core-pdp-engine</artifactId>
@@ -27,23 +27,8 @@
             <artifactId>jcl-over-slf4j</artifactId>
         </dependency>
         <dependency>
-            <!-- Future JavaMail API implementation for XACML RFC822Name datatype -->
-            <!--
             <groupId>org.eclipse.angus</groupId>
-            <artifactId>angus-mail</artifactId>
-            <version>2.0.2</version>
-            -->
-            <!-- Must match authzforce-ce-core-pdp-api's mail-api dependency -->
-            <groupId>com.sun.mail</groupId>
             <artifactId>jakarta.mail</artifactId>
-            <version>1.6.7</version>
-            <exclusions>
-                <exclusion>
-                    <!-- jakarta.activation dependency v1.2.1 conflicting with dependency v1.2.2 of jaxb-runtime down below -->
-                    <groupId>com.sun.activation</groupId>
-                    <artifactId>jakarta.activation</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <dependency>
             <!-- Needed for org.springframework.util.ResourceUtils,SystemPropertyUtils,FileCopyUtils, etc. -->
@@ -55,13 +40,6 @@
             <groupId>xml-resolver</groupId>
             <artifactId>xml-resolver</artifactId>
         </dependency>
-        <!-- https://eclipse-ee4j.github.io/jaxb-ri/2.3.3/docs/ch03.html#deployment-maven-coordinates
-        <dependency>
-            <groupId>com.sun.xml.bind</groupId>
-            <artifactId>jaxb-impl</artifactId>
-            <scope>runtime</scope>
-         </dependency>
-         -->
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
@@ -179,8 +157,7 @@
                     <dependency>
                         <groupId>com.github.sabomichal</groupId>
                         <artifactId>immutable-xjc-plugin</artifactId>
-                        <!-- For compatibility with jaxb-maven-plugin 2.x (supports JAXB 2.X only), use 1.7.x version. -->
-                        <version>1.7.1</version>
+                        <version>${immutable-xjc-plugins.version}</version>
                     </dependency>
                 </dependencies>
                 <configuration>
@@ -191,18 +168,8 @@
                     <removeOldOutput>true</removeOldOutput>
                     <extension>true</extension>
                     <args>
-                        <!--<arg>-Xvalue-constructor</arg>-->
-                        <arg>-immutable</arg>
+                        <arg>-Ximm</arg>
                     </args>
-                    <plugins>
-                        <!--
-                        <plugin>
-                            <groupId>org.jvnet.jaxb2_commons</groupId>
-                            <artifactId>jaxb2-value-constructor</artifactId>
-                            <version>${jaxb2-value-constructor.version}</version>
-                        </plugin>
-                        -->
-                    </plugins>
                     <useDependenciesAsEpisodes>false</useDependenciesAsEpisodes>
                     <episodes>
                         <episode>
@@ -243,29 +210,6 @@
                     </execution>
                 </executions>
             </plugin>
-            <!-- Note for the future migration to JAXB >= 3.0.0: since v3.0.0, package names have been changed to jakarta.xml.bind, so we'll need to change javax.xml.bind imports generated by maven-jaxb2-plugin-->
-            <!--
-            <plugin>
-                <artifactId>maven-antrun-plugin</artifactId>
-                <version>1.8</version>
-                <executions>
-                    <execution>
-                        <id>rename-old-jaxb-package-names-for-java-11</id>
-                        <phase>process-sources</phase>
-                        <goals>
-                            <goal>run</goal>
-                        </goals>
-                        <configuration>
-                            <target>
-                                <replace token= "javax.xml.bind" value="jakarta.xml.bind" dir="${project.basedir}/target/generated-sources/xjc">
-                                    <include name="**/*.java" />
-                                  </replace>
-                            </target>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            -->
             <plugin>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/AllOfEvaluator.java

@@ -88,14 +88,12 @@ public AllOfEvaluator(final List<Match> jaxbMatches,
 
     /**
      * Determines whether this <code>AllOf</code> matches the input request
-     * (whether it is applicable).Here is the table shown in the specification:
-     * <code>
-     * <Match> values 						<AllOf> value
-     * All True				 			“Match�?
-     * No False and at least
-     * one "Indeterminate" 				“Indeterminate�?
-     * At least one False					"No Match"
-     * </code>
+     * (whether it is applicable), according to the XACML 3.0 specification, section 7.7:
+     * <ol>
+     *     <li>If all Match values in the AllOf are True, the AllOf value is Match.</li>
+     *     <li>If no False and at least one Indeterminate, the AllOf value is Inderminate.</li>
+     *     <li>If at least one False, the AllOf value is "No match".</li>
+     * </ol>
      *
      * @param context the representation of the Individual Decision request
      * @param mdpContext

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/AttributeAssignmentExpressionEvaluator.java

@@ -18,6 +18,7 @@
 package org.ow2.authzforce.core.pdp.impl;
 
 import com.google.common.base.Preconditions;
+import jakarta.xml.bind.JAXBElement;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeAssignmentExpression;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.ExpressionType;
 import org.ow2.authzforce.core.pdp.api.EvaluationContext;
@@ -33,7 +34,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.xml.bind.JAXBElement;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/CloseableNamedAttributeProviderRegistry.java

@@ -202,7 +202,7 @@ private static void close(final Set<CloseableNamedAttributeProvider> closeablePr
 	 *            (mandatory) attribute value factory
 	 * @param attributeProviderFactories
 	 *            Factories of all the Attribute Providers to be combined in the created instance (Attribute Providers resolve values of attributes absent from the request context). Empty if none.
-	 *            <b>We assume that they are listed in dependency order, i.e. for any AttributeProvider AP (at index N) in the list, if AP depends on attribute(s) A, B, etc. then A, B, etc. are assumed to be provided by either another AttributeProvider preceding AP in the list (at index n < N), or the PDP input request directly.</b>
+	 *            <b>We assume that they are listed in dependency order, i.e. for any AttributeProvider AP (at index N) in the list, if AP depends on attribute(s) A, B, etc. then A, B, etc. are assumed to be provided by either another AttributeProvider preceding AP in the list (at index n &lt; N), or the PDP input request directly.</b>
 	 * @param strictAttributeIssuerMatch
 	 *            true iff it is required that AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that
 	 *            the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false, if you want full compliance with
@@ -341,6 +341,7 @@ public void beginMultipleDecisionRequest(final EvaluationContext mdpContext) {
 	 * This call is passed on to all AttributeProviders (used in this factory) that have {@link NamedAttributeProvider#supportsBeginIndividualDecisionRequest()} return true
 	 * @param context individual decision request context, will be passed on as {@code context} argument of each AttributeProvider ( {@link NamedAttributeProvider#get(AttributeFqn, Datatype, EvaluationContext, Optional)} ) when the Individual Decision request is evaluated against an AttributeDesignator or AttributeSelector with ContextSelectorId.
 	 * @param mdpContext context of a Multiple Decision request evaluation, will be passed on as {@code mdpContext} argument of each AttributeProvider ( {@link NamedAttributeProvider#get(AttributeFqn, Datatype, EvaluationContext, Optional)} ) when Individual Decision requests are evaluated.
+	 * @throws IndeterminateEvaluationException error beginning the request evaluation
 	 */
 	public void beginIndividualDecisionRequest(final EvaluationContext context, final Optional<EvaluationContext> mdpContext) throws IndeterminateEvaluationException {
 		for (final NamedAttributeProvider provider : this.individualReqBeginners)