Merge branch 'release/2.0.0'

CHANGELOG.md

@@ -4,6 +4,24 @@ All notable changes to this project are documented in this file following the [K
 Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
 
 
+## 2.0.0
+### Changed
+- Maven parent project version: 7.5.1
+- Dependencies authzforce-ce-core* version: 14.0.1:
+	- Changed **PDP configuration format** (XML Schema 'pdp.xsd'): v7.0.0 (more info in [migration guide](https://github.com/authzforce/core/blob/develop/MIGRATION.md) ):
+	  - Replaced 'refPolicyProvider' and 'rootPolicyProvider' XML elements with 'policyProvider' and 'rootPolicyRef'.
+	  - StaticRootPolicyProvider and StaticRefPolicyProvider XML types replaced by one StaticPolicyProvider type.
+	- Added support for **Multiple Decision Profile when used with XACML/JSON Profile** (JSON input)
+	- Fixed [issue](https://github.com/authzforce/core/issues/42): invalid JSON Response on client or internal error (Status not OK)
+	- Fixed CVEs
+- Dependency authzforce-ce-jaxrs-utils version: 1.4.0:
+  - Upgraded dependency `authzforce-ce-xacml-json-model` version: 2.2.0
+
+### Fixed
+- XACML REST Profile compliance: PDP server returned 500 instead of expected 400 for invalid XACML/JSON
+Request
+
+
 ## 1.6.0
 ### Changed
 - Maven parent project version: 7.5.0
@@ -21,9 +39,8 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
 ### Added
 - Indirect dependency: javax.mail 1.6.0 (mail-api implementation for XACML RFC822Name support)
 - Feature: 
-	- EnvironmentProperties#replacePlaceholders() method now supports replacement of system properties and environment variables enclosed with ${ } (in addition to PARENT_DIR property); and a default value (separated from the property name by '!') if the property is undefined.
-	- In particular, 'policyLocation' elements in PDP's Policy Providers configuration now supports (not only PARENT_DIR property but also) system
-properties and environment variables (enclosed between '${...}') with default value (separated from property name by '!') if the property/variable is undefined.
+	- DefaultEnvironmentProperties#replacePlaceholders() method now supports replacement of system properties and environment variables enclosed with ${ } (in addition to PARENT_DIR property); and a default value (separated from the property name by '!') if the property is undefined. Therefore, PDP extensions such as Attribute and Policy Providers can accept placeholders for system properties and environment variables in their string configuration parameters (as part of PDP configuration) and perform placeholder replacements with their factory method's input EnvironmentProperties.
+	- In particular, 'policyLocation' elements in PDP's Policy Providers configuration now supports (not only PARENT_DIR property but also) system properties and environment variables (enclosed between '${...}') with default value (separated from property name by '!') if the property/variable is undefined.
 
 
 ## 1.5.0

README.md

@@ -2,13 +2,13 @@
 RESTful PDP API implementation, compliant with REST Profile of XACML 3.0. This is minimalist compared to [AuthzForce server project](http://github.com/authzforce/server) as it does not provide multi-tenant PDP/PAP but only a single PDP (per instance). Therefore, this is more suitable for microservices, or, more generally, simple applications requiring only one PDP per instance.
 
 In particular, the project provides the following (Maven groupId:artifactId):
-* `org.ow2.authzforce:authzforce-ce-restful-pdp-cxf-spring-boot-server`: a fully executable RESTful XACML PDP server (runnnable from the command-line), packaged as a [Spring Boot application](https://docs.spring.io/spring-boot/docs/current/reference/html/deployment-install.html).
+* `org.ow2.authzforce:authzforce-ce-restful-pdp-cxf-spring-boot-server`: a fully executable RESTful XACML PDP server (runnable from the command-line), packaged as a [Spring Boot application](https://docs.spring.io/spring-boot/docs/current/reference/html/deployment-install.html).
 * `org.ow2.authzforce:authzforce-ce-restful-pdp-jaxrs`: pure JAX-RS implementation of a PDP service, that you can reuse as a library with any JAX-RS framework, especially other than Apache CXF, to provide your own custom RESTful PDP service.
 
 
 ## Features
 ### XACML PDP engine
-See [AuthzForce Core features](https://github.com/authzforce/core/tree/release-10.1.0#features) for the XACML PDP engine's features.
+See [AuthzForce Core features](https://github.com/authzforce/core#features) for the XACML PDP engine's features.
 
 ### REST API
 * Conformance with [REST Profile of XACML v3.0 Version 1.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html)
@@ -20,7 +20,7 @@ See [AuthzForce Core features](https://github.com/authzforce/core/tree/release-1
 	* `application/json`: same as `application/xacml+json`.
 
 ## Limitations
-See [AuthzForce Core limitations](https://github.com/authzforce/core/tree/release-10.1.0#limitations).
+See [AuthzForce Core limitations](https://github.com/authzforce/core#limitations).
 
 ## System requirements
 Java (JRE) 8 or later.
@@ -33,15 +33,21 @@ See the [change log](CHANGELOG.md) following the *Keep a CHANGELOG* [conventions
 See the [license file](LICENSE).
 
 ## Getting started
-Get the [latest executable jar](http://central.maven.org/maven2/org/ow2/authzforce/authzforce-ce-restful-pdp-cxf-spring-boot-server/) from Maven Central with groupId/artifactId = `org.ow2.authzforce`/`authzforce-ce-restful-pdp-cxf-spring-boot-server`.
+Get the [latest executable jar](http://central.maven.org/maven2/org/ow2/authzforce/authzforce-ce-restful-pdp-cxf-spring-boot-server/) from Maven Central with groupId/artifactId = `org.ow2.authzforce`/`authzforce-ce-restful-pdp-cxf-spring-boot-server`. 
 
-Copy the content of [that folder](cxf-spring-boot-server/src/test/cli) to the same directory and run the executable from that directory as follows:
+Make sure it is executable (replace `M.m.p` with the current version):
 
+```sh
+chmod u+x authzforce-ce-restful-pdp-cxf-spring-boot-server-M.m.p.jar
 ```
-$ ./authzforce-ce-restful-pdp-cxf-spring-boot-server-1.2.0.jar
+
+Copy the content of [that folder](cxf-spring-boot-server/src/test/resources/server) to the same directory and run the executable from that directory as follows (replace `M.m.p` with the current version):
+
+```sh
+$ ./authzforce-ce-restful-pdp-cxf-spring-boot-server-M.m.p.jar
 ```
 
-If it refuses to start because the TCP listening port is already used (by some other server on the system), you can change that port in file `application.properties` copied previously: uncomment and change `server.port` property value to something else (default is 8080).
+If it refuses to start because the TCP listening port is already used (by some other server on the system), you can change that port in file `application.yml` copied previously: uncomment and change `server.port` property value to something else (default is 8080).
 
 You know the embedded server is up and running when you see something like this (if and only if the logger for Spring classes is at least in INFO level, according to Logback configuration file mentioned down below) :
 ```
@@ -50,10 +56,10 @@ You know the embedded server is up and running when you see something like this
 
 (You can change logging verbosity by modifying the Logback configuration file `logback.xml` copied previously.)
 
-Now you can make a XACML request from a different terminal (install command `curl` if you don't have it already on your system):
+Now you can make a XACML request from a different terminal (install `curl` tool if you don't have it already on your system):
 
-```
-$ curl --header "Content-Type: application/xacml+json" --data @IIA001/Request.json --request POST http://localhost:8080/services/pdp
+```sh
+$ curl --verbose --include --header "Content-Type: application/xacml+json" --data @IIA001/Request.json --request POST http://localhost:8080/services/pdp
 ```
 
 You should get a XACML/JSON response such as:
@@ -66,14 +72,17 @@ You should get a XACML/JSON response such as:
 ## Extensions
 If you are missing features in AuthzForce, you can extend it with various types of plugins (without changing the existing code), as described on AuthzForce Core's [wiki](https://github.com/authzforce/core/wiki/Extensions).
 
-In order to use them, put the extension JAR(s) into an `extensions` folder in the same directory as the executable jar, already present if you followed the previous *Getting started* section. If the extension(s) use XML configuration (e.g. AttributeProvider), add the schema import into `pdp-ext.xsd` (import namespace only, do not specify schema location) and schema namespace-to-location mapping into `catalog.xml`. Then run the executable as follows:
+In order to use them, put the extension JAR(s) into an `extensions` folder in the same directory as the executable jar, already present if you followed the previous *Getting started* section. If the extension(s) use XML configuration (e.g. AttributeProvider), add the schema import into `pdp-ext.xsd` (import namespace only, do not specify schema location) and schema namespace-to-location mapping into `catalog.xml`. Then run the executable as follows (replace `M.m.p` with the current version):
 
-```
-$ java -Dloader.path=extensions -jar authzforce-ce-restful-pdp-cxf-spring-boot-server-1.2.0.jar
+```sh
+$ java -Dloader.path=extensions -jar authzforce-ce-restful-pdp-cxf-spring-boot-server-M.m.p.jar
 ```
 
+## Vulnerability reporting
+If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/restful-pdp/issues) and when creating the issue, check the box labeled **"This issue is confidential and should only be visible to team members with at least Reporter access"**. Then, if the AuthzForce team can confirm it, they will make it public and set a fix version.
+
 ## Support
-If you are experiencing any issue with this project, please report it on the [OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/). Select component `RESTFUL-PDP` when creating the issue.
+If you are experiencing any issue with this project except for vulnerabilities mentioned previously, please report it on the [GitHub Issue Tracker](https://github.com/authzforce/restful-pdp/issues).
 Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
 
 * Software version
@@ -84,8 +93,5 @@ Please include as much information as possible; the more we know, the better the
 
 If you wish to contact the developers for other reasons, use [AuthzForce contact mailing list](http://scr.im/azteam).
 
-## Vulnerability reporting
-If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/) with *Security Level* set to **Private**. Then, if the AuthzForce team can confirm it, they will change it to **Public** and set a fix version.
-
 ## Contributing
 See [CONTRIBUTING.md](CONTRIBUTING.md).

cxf-spring-boot-server/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-restful-pdp</artifactId>
-		<version>1.6.0</version>
+		<version>2.0.0</version>
 	</parent>
 	<artifactId>authzforce-ce-restful-pdp-cxf-spring-boot-server</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
@@ -20,7 +20,7 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-restful-pdp-jaxrs</artifactId>
-			<version>1.6.0</version>
+			<version>2.0.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>

cxf-spring-boot-server/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2018 THALES.
+ * Copyright (C) 2012-2020 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -30,7 +30,7 @@
 @Configuration
 @EnableAutoConfiguration
 // @PropertySource("classpath:application.properties")
-@ImportResource("${pdp.service.conf}")
+@ImportResource("${spring.beans.conf}")
 public class CxfJaxrsPdpSpringBootApp
 {
 

cxf-spring-boot-server/src/main/resources/application.properties

@@ -3,7 +3,7 @@
 # JAX-RS server endpoint address (default is "/")
 #cxf.jaxrs.server.path=/
 # Do not use server.address to set service endpoint address as it is already used by Spring Boot
-pdp.service.conf=classpath:cxf-pdp-service.xml
+spring.beans.conf=classpath:spring-beans.xml
 
 # LOGGING
 logging.config= classpath:logback.xml

cxf-spring-boot-server/src/main/resources/pdp.xml

@@ -1,5 +1,13 @@
-<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
-   version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
-   <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
-   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="classpath:policy.xml" />
-</pdp>
+<?xml version="1.0" encoding="UTF-8"?>
+<pdp
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
+	version="7.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
+	 <!-- You may customize this PDP configuration except 'rootPolicyProvider' element. -->
+	<policyProvider
+		id="rootPolicyProvider"
+		xsi:type="StaticPolicyProvider">
+		<policyLocation>classpath:policy.xml</policyLocation>
+	</policyProvider>
+	<rootPolicyRef>root</rootPolicyRef>
+</pdp>

cxf-spring-boot-server/src/test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2012-2018 THALES.
+ * Copyright (C) 2012-2020 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -23,6 +23,9 @@
 import java.io.InputStream;
 import java.util.Collections;
 
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.json.JSONObject;
 import org.junit.Assert;
@@ -43,7 +46,8 @@
  * 
  */
 @RunWith(SpringRunner.class)
-@SpringBootTest(classes = CxfJaxrsPdpSpringBootApp.class, webEnvironment = WebEnvironment.RANDOM_PORT)
+@SpringBootTest(classes = CxfJaxrsPdpSpringBootApp.class, properties = { "spring.config.location=target/test-classes/server/application.yml",
+        "cfg.dir=target/test-classes/server" }, webEnvironment = WebEnvironment.RANDOM_PORT)
 public class XacmlRestProfileJaxRsTest
 {
 	private static final int MAX_JSON_STRING_LENGTH = 100;
@@ -73,7 +77,7 @@ public static void setup()
 	public void testPdpRequest() throws IOException
 	{
 		// Request body
-		final String reqLocation = "src/test/resources/IIA001/Request.json";
+		final String reqLocation = "src/test/resources/server/IIA001/Request.json";
 		try (InputStream reqIn = new FileInputStream(reqLocation))
 		{
 			final JSONObject jsonRequest = new LimitsCheckingJSONObject(reqIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
@@ -85,7 +89,7 @@ public void testPdpRequest() throws IOException
 			XacmlJsonUtils.REQUEST_SCHEMA.validate(jsonRequest);
 
 			// expected response
-			final String respLocation = "src/test/resources/IIA001/Response.json";
+			final String respLocation = "src/test/resources/server/IIA001/Response.json";
 			try (final InputStream respIn = new FileInputStream(respLocation))
 			{
 				final JSONObject expectedResponse = new LimitsCheckingJSONObject(respIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
@@ -105,4 +109,30 @@ public void testPdpRequest() throws IOException
 			}
 		}
 	}
+
+	@Test
+	public void testInvalidPdpRequest() throws IOException
+	{
+		// Request body (invalid according to JSON schema)
+		final String reqLocation = "src/test/resources/server/IIA001/Request-missing-category-id.json";
+		try (InputStream reqIn = new FileInputStream(reqLocation))
+		{
+			final JSONObject jsonRequest = new LimitsCheckingJSONObject(reqIn, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+			if (!jsonRequest.has("Request"))
+			{
+				throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqLocation + ". Expected root key: \"Request\"");
+			}
+
+			/*
+			 * No preliminary request schema validation this time, let the server reject it
+			 */
+
+			// send request
+			final WebClient client = WebClient.create("http://localhost:" + port + "/services", Collections.singletonList(new JsonRiJaxrsProvider()));
+			final Response actualResponse = client.path("pdp").type("application/xacml+json").accept("application/xacml+json").post(jsonRequest);
+
+			// check response
+			Assert.assertEquals(Status.BAD_REQUEST.getStatusCode(), actualResponse.getStatus());
+		}
+	}
 }