Java Code Examples for org.wso2.balana.ctx.AbstractResult#DECISION_INDETERMINATE_DENY_OR_PERMIT

The following examples show how to use org.wso2.balana.ctx.AbstractResult#DECISION_INDETERMINATE_DENY_OR_PERMIT . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: PermitOverridesPolicyAlg.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Applies the combining rule to the set of policies based on the evaluation context.
 * 
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            <code>CombinerParameter<code>s
 * @param policyElements the policies to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    boolean atLeastOneError = false;
    boolean atLeastOneDeny = false;
    List<ObligationResult> denyObligations = new ArrayList<ObligationResult>();
    List<Advice> denyAdvices = new ArrayList<Advice>();
    Status firstIndeterminateStatus = null;
    Iterator it = policyElements.iterator();

    while (it.hasNext()) {
        AbstractPolicy policy = ((PolicyCombinerElement) (it.next())).getPolicy();

        // make sure that the policy matches the context
        MatchResult match = policy.match(context);

        if (match.getResult() == MatchResult.INDETERMINATE) {
            atLeastOneError = true;

            // keep track of the first error, regardless of cause
            if (firstIndeterminateStatus == null){
                firstIndeterminateStatus = match.getStatus();
            }
        } else if (match.getResult() == MatchResult.MATCH) {
            // now we evaluate the policy
            AbstractResult result = policy.evaluate(context);
            int effect = result.getDecision();

            // this is a little different from DenyOverrides...

            if (effect == Result.DECISION_PERMIT)
                return result;

            if (effect == Result.DECISION_DENY) {
                atLeastOneDeny = true;
                denyAdvices.addAll(result.getAdvices());
                denyObligations.addAll(result.getObligations());
            } else if (effect == AbstractResult.DECISION_INDETERMINATE ||
                effect == AbstractResult.DECISION_INDETERMINATE_DENY ||
                effect == AbstractResult.DECISION_INDETERMINATE_PERMIT ||
                effect == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT) {
                
                atLeastOneError = true;
                // keep track of the first error, regardless of cause
                if (firstIndeterminateStatus == null)
                    firstIndeterminateStatus = result.getStatus();
            }
        }
    }

    // if we got a DENY, return it
    if (atLeastOneDeny){
        return ResultFactory.getFactory().getResult(Result.DECISION_DENY, denyObligations,
                                                                        denyAdvices, context);
    }
    // if we got an INDETERMINATE, return it
    if (atLeastOneError){
        return ResultFactory.getFactory().getResult(Result.DECISION_INDETERMINATE,
                firstIndeterminateStatus, context);
    }

    // if we got here, then nothing applied to us
    //return new Result(Result.DECISION_NOT_APPLICABLE, context.getResourceId().encode());
    return ResultFactory.getFactory().getResult(Result.DECISION_NOT_APPLICABLE, context);
}
 
Example 2
Source File: PermitOverridesRuleAlg.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Applies the combining rule to the set of rules based on the evaluation context.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            <code>CombinerParameter<code>s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {
    boolean atLeastOneError = false;
    boolean potentialPermit = false;
    boolean atLeastOneDeny = false;
    AbstractResult firstIndeterminateResult = null;
    List<ObligationResult> denyObligations = new ArrayList<ObligationResult>();
    List<Advice> denyAdvices = new ArrayList<Advice>();
    Iterator it = ruleElements.iterator();

    while (it.hasNext()) {
        Rule rule = ((RuleCombinerElement) (it.next())).getRule();
        AbstractResult result = rule.evaluate(context);
        int value = result.getDecision();

        // if there was a value of PERMIT, then regardless of what
        // else we've seen, we always return PERMIT
        if (value == AbstractResult.DECISION_PERMIT){
            return result;
        }
        // if it was INDETERMINATE, then we couldn't figure something
        // out, so we keep track of these cases...
        if (value == AbstractResult.DECISION_INDETERMINATE ||
                value == AbstractResult.DECISION_INDETERMINATE_DENY ||
                value == AbstractResult.DECISION_INDETERMINATE_PERMIT ||
                value == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT) {
            
            atLeastOneError = true;

            // there are no rules about what to do if multiple cases
            // cause errors, so we'll just return the first one
            if (firstIndeterminateResult == null){
                firstIndeterminateResult = result;
            }
            // if the Rule's effect is PERMIT, then we can't let this
            // alg return DENY, since this Rule might have permitted
            // if it could do its stuff
            if (rule.getEffect() == AbstractResult.DECISION_PERMIT){
                potentialPermit = true;
            }
        } else {
            // keep track of whether we had at least one rule that
            // actually pertained to the request
            if (value == AbstractResult.DECISION_DENY)
                atLeastOneDeny = true;
                denyAdvices.addAll(result.getAdvices());
                denyObligations.addAll(result.getObligations());
        }
    }

    // we didn't explicitly PERMIT, but we might have had some Rule
    // been evaluated, so we have to return INDETERMINATE
    if (potentialPermit){
        return firstIndeterminateResult;
    }
    // some Rule said DENY, so since nothing could have permitted,
    // we return DENY
    if (atLeastOneDeny){
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_DENY, denyObligations,
                                                                        denyAdvices, context);
    }
    // we didn't find anything that said DENY, but if we had a
    // problem with one of the Rules, then we're INDETERMINATE
    if (atLeastOneError){
        return firstIndeterminateResult;
    }
    // if we hit this point, then none of the rules actually applied
    // to us, so we return NOT_APPLICABLE
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}
 
Example 3
Source File: DenyOverridesRuleAlg.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Applies the combining rule to the set of rules based on the evaluation context.
 *
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            <code>CombinerParameter<code>s
 * @param ruleElements the rules to combine
 *
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List ruleElements) {
    
    boolean atLeastOneError = false;
    boolean potentialDeny = false;
    boolean atLeastOnePermit = false;
    AbstractResult firstIndeterminateResult = null;
    List<ObligationResult> permitObligations = new ArrayList<ObligationResult>();
    List<Advice> permitAdvices = new ArrayList<Advice>();
    Iterator it = ruleElements.iterator();

    while (it.hasNext()) {
        Rule rule = ((RuleCombinerElement) (it.next())).getRule();
        AbstractResult result = rule.evaluate(context);
        int value = result.getDecision();

        // if there was a value of DENY, then regardless of what else
        // we've seen, we always return DENY
        if (value == AbstractResult.DECISION_DENY){     // TODO  -- i changed
            return result;
        }
        // if it was INDETERMINATE, then we couldn't figure something
        // out, so we keep track of these cases...
        if (value == AbstractResult.DECISION_INDETERMINATE ||
                value == AbstractResult.DECISION_INDETERMINATE_DENY ||
                value == AbstractResult.DECISION_INDETERMINATE_PERMIT ||
                value == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT) {
            
            atLeastOneError = true;

            // there are no rules about what to do if multiple cases
            // cause errors, so we'll just return the first one
            if (firstIndeterminateResult == null){
                firstIndeterminateResult = result;
            }
            // if the Rule's effect is DENY, then we can't let this
            // alg return PERMIT, since this Rule might have denied
            // if it could do its stuff
            if (rule.getEffect() == AbstractResult.DECISION_DENY){
                potentialDeny = true;
            }
        } else {
            // keep track of whether we had at least one rule that
            // actually pertained to the request
            if (value == AbstractResult.DECISION_PERMIT){
                atLeastOnePermit = true;
                permitAdvices.addAll(result.getAdvices());
                permitObligations.addAll(result.getObligations());
            }

        }
    }

    // we didn't explicitly DENY, but we might have had some Rule
    // been evaluated, so we have to return INDETERMINATE
    if (potentialDeny){
        return firstIndeterminateResult;
    }
    // some Rule said PERMIT, so since nothing could have denied,
    // we return PERMIT
    if (atLeastOnePermit) {
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_PERMIT,
                                                    permitObligations, permitAdvices, context);            
    }


    // we didn't find anything that said PERMIT, but if we had a
    // problem with one of the Rules, then we're INDETERMINATE
    if (atLeastOneError){
        return firstIndeterminateResult;
    }
    // if we hit this point, then none of the rules actually applied
    // to us, so we return NOT_APPLICABLE
    //return new Result(Result.DECISION_NOT_APPLICABLE, context.getResourceId().encode());
    return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context);
}
 
Example 4
Source File: DenyOverridesPolicyAlg.java    From balana with Apache License 2.0 4 votes vote down vote up
/**
 * Applies the combining rule to the set of policies based on the evaluation context.
 * 
 * @param context the context from the request
 * @param parameters a (possibly empty) non-null <code>List</code> of
 *            <code>CombinerParameter<code>s
 * @param policyElements the policies to combine
 * 
 * @return the result of running the combining algorithm
 */
public AbstractResult combine(EvaluationCtx context, List parameters, List policyElements) {
    boolean atLeastOnePermit = false;
    List<ObligationResult> permitObligations = new ArrayList<ObligationResult>();
    List<Advice> permitAdvices= new ArrayList<Advice>();
    Iterator it = policyElements.iterator();

    while (it.hasNext()) {
        AbstractPolicy policy = ((PolicyCombinerElement) (it.next())).getPolicy();
        // make sure that the policy matches the context
        MatchResult match = policy.match(context);

        if (match.getResult() == MatchResult.INDETERMINATE){ //TODO  do we really want this?
            return ResultFactory.getFactory().getResult(AbstractResult.DECISION_DENY, context);
        }

        if (match.getResult() == MatchResult.MATCH) {
            // evaluate the policy
            AbstractResult result = policy.evaluate(context);
            int effect = result.getDecision();

            // unlike in the RuleCombining version of this alg, we always
            // return DENY if any Policy returns DENY or INDETERMINATE
            if (effect == AbstractResult.DECISION_DENY){
                return result;
            }
            
            if (effect == AbstractResult.DECISION_INDETERMINATE ||
                effect == AbstractResult.DECISION_INDETERMINATE_DENY ||
                effect == AbstractResult.DECISION_INDETERMINATE_PERMIT ||
                effect == AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT) {
                
                return ResultFactory.getFactory().getResult(Result.DECISION_DENY, context);
            }
            // remember if at least one Policy said PERMIT
            if (effect == Result.DECISION_PERMIT) {
                atLeastOnePermit = true;
                permitAdvices.addAll(result.getAdvices());
                permitObligations.addAll(result.getObligations());
            }
        }
    }

    // if we got a PERMIT, return it, otherwise it's NOT_APPLICABLE
    if (atLeastOnePermit) {
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_PERMIT,
                                                    permitObligations, permitAdvices, context);
    } else {
        return ResultFactory.getFactory().getResult(AbstractResult.DECISION_NOT_APPLICABLE, context); 
    }
}