From 0c61a0015f2cbffcae1e49c1198375c856203b73 Mon Sep 17 00:00:00 2001 
From: joshua-roberts
Date: Mon, 13 Jan 2025 12:04:56 -0500
Subject: [PATCH] pdp and proto changes (#178)
---
.../nist/csd/pm/pdp/AccessAdjudication.java | 16 -----
.../csd/pm/pdp/EventResponseEvaluation.java | 10 ---
src/main/java/gov/nist/csd/pm/pdp/PDP.java | 29 ++++----
.../pm/pdp/ResourceAdjudicationResponse.java | 68 -------------------
.../pdp/adjudication/AccessAdjudication.java | 16 +++++
.../AdjudicationResponse.java} | 13 ++--
.../pdp/{ => adjudication}/Adjudicator.java | 2 +-
.../pm/pdp/{ => adjudication}/Decision.java | 2 +-
.../{ => adjudication}/OperationRequest.java | 2 +-
.../pdp/{ => bootstrap}/PMLBootstrapper.java | 2 +-
.../{ => bootstrap}/PolicyBootstrapper.java | 2 +-
.../GraphModificationAdjudicator.java | 2 +-
.../ObligationsModificationAdjudicator.java | 2 +-
.../OperationsModificationAdjudicator.java | 2 +-
.../PolicyModificationAdjudicator.java | 2 +-
.../ProhibitionsModificationAdjudicator.java | 2 +-
.../RoutinesModificationAdjudicator.java | 2 +-
.../pm/pdp/query/AccessQueryAdjudicator.java | 2 +-
.../pm/pdp/query/GraphQueryAdjudicator.java | 2 +-
.../query/ObligationsQueryAdjudicator.java | 2 +-
.../pdp/query/OperationsQueryAdjudicator.java | 2 +-
.../query/ProhibitionsQueryAdjudicator.java | 2 +-
.../pdp/query/RoutinesQueryAdjudicator.java | 2 +-
src/main/proto/pdp.proto | 35 +++++-----
.../java/gov/nist/csd/pm/epp/EPPTest.java | 8 ++-
.../java/gov/nist/csd/pm/pap/pml/PMLTest.java | 8 +--
.../java/gov/nist/csd/pm/pdp/PDPTest.java | 23 ++++---
.../nist/csd/pm/pdp/PMLBootstrapperTest.java | 1 +
28 files changed, 97 insertions(+), 164 deletions(-)
delete mode 100644 src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java
delete mode 100644 src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java
delete mode 100644 src/main/java/gov/nist/csd/pm/pdp/ResourceAdjudicationResponse.java
create mode 100644 src/main/java/gov/nist/csd/pm/pdp/adjudication/AccessAdjudication.java
rename src/main/java/gov/nist/csd/pm/pdp/{AdminAdjudicationResponse.java => adjudication/AdjudicationResponse.java} (78%)
rename src/main/java/gov/nist/csd/pm/pdp/{ => adjudication}/Adjudicator.java (90%)
rename src/main/java/gov/nist/csd/pm/pdp/{ => adjudication}/Decision.java (52%)
rename src/main/java/gov/nist/csd/pm/pdp/{ => adjudication}/OperationRequest.java (70%)
rename src/main/java/gov/nist/csd/pm/pdp/{ => bootstrap}/PMLBootstrapper.java (97%)
rename src/main/java/gov/nist/csd/pm/pdp/{ => bootstrap}/PolicyBootstrapper.java (81%)
diff --git a/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java b/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java
deleted file mode 100644
index f18a69092..000000000
--- a/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java
+++ /dev/null
@@ -1,16 +0,0 @@
-package gov.nist.csd.pm.pdp;
-
-import gov.nist.csd.pm.common.exception.PMException;
-import gov.nist.csd.pm.pap.query.model.context.UserContext;
-
-import java.util.List;
-import java.util.Map;
-
-public interface AccessAdjudication {
-
- ResourceAdjudicationResponse adjudicateResourceOperation(UserContext user, String policyElement, String resourceOperation) throws PMException;
- AdminAdjudicationResponse adjudicateAdminOperation(UserContext user, String name, Map operands) throws PMException;
- AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, String name, Map operands) throws PMException;
- AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, List operationRequests) throws PMException;
-
-}
diff --git a/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java b/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java
deleted file mode 100644
index b8a3f553d..000000000
--- a/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java
+++ /dev/null
@@ -1,10 +0,0 @@ -package gov.nist.csd.pm.pdp; - -import gov.nist.csd.pm.common.obligation.Response; -import gov.nist.csd.pm.pap.query.model.context.UserContext; - -public interface EventResponseEvaluation { - - public void evaluateResponse(UserContext userCtx, Response response); - -} diff --git a/src/main/java/gov/nist/csd/pm/pdp/PDP.java b/src/main/java/gov/nist/csd/pm/pdp/PDP.java index eedfcf5e0..0e8abfb03 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/PDP.java +++ b/src/main/java/gov/nist/csd/pm/pdp/PDP.java @@ -18,12 +18,17 @@ import gov.nist.csd.pm.common.exception.PMException; import gov.nist.csd.pm.common.tx.TxRunner; import gov.nist.csd.pm.common.routine.Routine; +import gov.nist.csd.pm.pdp.adjudication.AccessAdjudication; +import gov.nist.csd.pm.pdp.adjudication.AdjudicationResponse; +import gov.nist.csd.pm.pdp.adjudication.OperationRequest; +import gov.nist.csd.pm.pdp.bootstrap.PolicyBootstrapper; import java.util.*; import static gov.nist.csd.pm.pap.admin.AdminPolicy.ALL_NODE_NAMES; import static gov.nist.csd.pm.common.graph.node.NodeType.ANY; import static gov.nist.csd.pm.common.graph.node.Properties.NO_PROPERTIES; +import static gov.nist.csd.pm.pdp.adjudication.Decision.GRANT; public class PDP implements EventPublisher, AccessAdjudication { @@ -105,7 +110,7 @@ public void publishEvent(EventContext event) throws PMException { } @Override - public ResourceAdjudicationResponse adjudicateResourceOperation(UserContext user, String target, String resourceOperation) throws PMException { + public AdjudicationResponse adjudicateResourceOperation(UserContext user, String target, String resourceOperation) throws PMException { if (!pap.query().operations().getResourceOperations().contains(resourceOperation)) { throw new OperationDoesNotExistException(resourceOperation); } 
@@ -113,7 +118,7 @@ public ResourceAdjudicationResponse adjudicateResourceOperation(UserContext user try { privilegeChecker.check(user, target, resourceOperation); } catch (UnauthorizedException e) { - return new ResourceAdjudicationResponse(e); + return new AdjudicationResponse(e); } Node node = pap.query().graph().getNode(target); @@ -125,7 +130,7 @@ public ResourceAdjudicationResponse adjudicateResourceOperation(UserContext user Map.of("target", target) )); - return new ResourceAdjudicationResponse(node); + return new AdjudicationResponse(GRANT, node); } private Object executeOperation(UserContext user, ExecutionContext ctx, PDPTx pdpTx, String name, Map operands) throws PMException { @@ -154,7 +159,7 @@ private Object executeOperation(UserContext user, ExecutionContext ctx, PDPTx pd } @Override - public AdminAdjudicationResponse adjudicateAdminOperation(UserContext user, String name, Map operands) throws PMException { + public AdjudicationResponse adjudicateAdminOperation(UserContext user, String name, Map operands) throws PMException { try { Object returnValue = runTx(user, tx -> { PDPExecutionContext ctx = new PDPExecutionContext(user, tx); @@ -162,14 +167,14 @@ public AdminAdjudicationResponse adjudicateAdminOperation(UserContext user, Stri return executeOperation(user, ctx, tx, name, operands); }); - return new AdminAdjudicationResponse(Decision.GRANT, returnValue); + return new AdjudicationResponse(GRANT, returnValue); } catch(UnauthorizedException e){ - return new AdminAdjudicationResponse(e); + return new AdjudicationResponse(e); } } @Override - public AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, String name, Map operands) throws PMException { + public AdjudicationResponse adjudicateAdminRoutine(UserContext user, String name, Map operands) throws PMException { Routine adminRoutine = pap.query().routines().getAdminRoutine(name); try { Object returnValue = runTx(user, tx -> { 
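Review bot: `return new AdjudicationResponse(GRANT, node);` in adjudicateResourceOperation and `return new AdjudicationResponse(GRANT, returnValue);` in adjudicateAdminOperation leave the pairing of decision and payload to a two-argument constructor, and the typed `getResource()` accessor is replaced by `getValue()`, which the updated tests use for both a `Node` and a `String`. Since this object is the access decision itself, I would make the invalid combination unrepresentable, for example with factories along the lines of `AdjudicationResponse.granted(Object value)` and `AdjudicationResponse.denied(UnauthorizedException e)` (names are my proposal), so a DENY can never carry a value. The AdjudicationResponse class is only renamed in this patch and its body is not shown, so this is something to check rather than a confirmed gap. A Javadoc line on `getValue()` saying it holds the target `Node` for resource operations and the operation or routine return value for admin calls would also help callers that now have to cast. The same applies to the two adjudicateAdminRoutine overloads in the following hunks, and all of these method bodies extend beyond the hunks shown.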
@@ -187,14 +192,14 @@ public AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, String return o; }); - return new AdminAdjudicationResponse(Decision.GRANT, returnValue); + return new AdjudicationResponse(GRANT, returnValue); } catch (UnauthorizedException e) { - return new AdminAdjudicationResponse(e); + return new AdjudicationResponse(e); } } @Override - public AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, List operationRequests) throws PMException { + public AdjudicationResponse adjudicateAdminRoutine(UserContext user, List operationRequests) throws PMException { try { runTx(user, tx -> { PDPExecutionContext ctx = new PDPExecutionContext(user, tx); @@ -206,9 +211,9 @@ public AdminAdjudicationResponse adjudicateAdminRoutine(UserContext user, List properties = 3; +message AdjudicationResponse { + Decision decision = 1; + optional google.protobuf.Struct value = 2; + optional google.protobuf.Struct explain = 3; } -message ResourceOperationResponse { - Node node = 1; +// resource +message ResourceOperationRequest { + string operation = 1; + string target = 2; } service ResourcePDP { - rpc AdjudicateResourceOperation(ResourceOperationRequest) returns (ResourceOperationResponse) {} + rpc AdjudicateResourceOperation(ResourceOperationRequest) returns (AdjudicationResponse) {} } +// admin message AdminOperationRequest { string opName = 1; repeated OperandEntry operands = 2; } -message AdminOperationResponse {} - message AdminRoutineRequest { repeated AdminOperationRequest ops = 1; } 
@@ -41,11 +43,8 @@ message NamedAdminRoutineRequest { repeated OperandEntry operands = 2; } -message AdminRoutineResponse {} - - service AdminPDP { - rpc AdjudicateAdminOperation(AdminOperationRequest) returns (AdminOperationResponse) {} - rpc AdjudicateAdminRoutine(AdminRoutineRequest) returns (AdminRoutineResponse) {} - rpc AdjudicateNamedAdminRoutine(NamedAdminRoutineRequest) returns (AdminRoutineResponse) {} + rpc AdjudicateAdminOperation(AdminOperationRequest) returns (AdjudicationResponse) {} + rpc AdjudicateAdminRoutine(AdminRoutineRequest) returns (AdjudicationResponse) {} + rpc AdjudicateNamedAdminRoutine(NamedAdminRoutineRequest) returns (AdjudicationResponse) {} } \ No newline at end of file diff --git a/src/test/java/gov/nist/csd/pm/epp/EPPTest.java b/src/test/java/gov/nist/csd/pm/epp/EPPTest.java index 294f161b0..f27ca5eef 100644 --- a/src/test/java/gov/nist/csd/pm/epp/EPPTest.java +++ b/src/test/java/gov/nist/csd/pm/epp/EPPTest.java @@ -27,6 +27,8 @@ import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pdp.*; import gov.nist.csd.pm.pdp.UnauthorizedException; +import gov.nist.csd.pm.pdp.adjudication.AdjudicationResponse; +import gov.nist.csd.pm.pdp.adjudication.Decision; import org.junit.jupiter.api.Test; import java.util.Arrays; @@ -36,7 +38,7 @@ import static gov.nist.csd.pm.pap.AdminAccessRights.*; import static gov.nist.csd.pm.common.op.Operation.NAME_OPERAND; import static gov.nist.csd.pm.common.op.graph.GraphOp.DESCENDANTS_OPERAND; -import static gov.nist.csd.pm.pdp.Decision.GRANT; +import static gov.nist.csd.pm.pdp.adjudication.Decision.GRANT; import static org.junit.jupiter.api.Assertions.*; class EPPTest { 
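Review bot: All three AdminPDP RPCs now return `AdjudicationResponse`, whose `Decision decision = 1;` field (declared in the preceding pdp.proto hunk) is the authorization result on the wire, and proto3 reads an unset enum field as its zero value. The `Decision` enum is not visible in this part of the patch, so please confirm that its zero entry is not the grant value; an unspecified or deny entry at 0, for example `DECISION_UNSPECIFIED = 0;`, keeps a default-constructed or partially populated response from being read as a grant. Separately, `optional google.protobuf.Struct value = 2;` can only carry a JSON object, while the Java side returns plain values such as the string asserted in PDPTest (`assertEquals("test1", response.getValue())`); `google.protobuf.Value` would represent scalars, lists and objects without wrapping. These RPCs previously returned empty messages and now return `explain` as well, so I would add a comment on the message such as `// explain is set only when the PDP has explain enabled; it describes policy structure, so restrict who receives it`.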
@@ -104,7 +106,7 @@ public void canExecute(PrivilegeChecker privilegeChecker, UserContext userCtx, M PDP pdp = new PDP(pap); EPP epp = new EPP(pdp, pap); - AdminAdjudicationResponse response = pdp.adjudicateAdminOperation( + AdjudicationResponse response = pdp.adjudicateAdminOperation( new UserContext("u1"), "op1", Map.of("a", "oa1", "b", List.of("oa1", "oa2")) ); @@ -161,7 +163,7 @@ void testResourceOperationEvent() throws PMException { """); PDP pdp = new PDP(pap); EPP epp = new EPP(pdp, pap); - ResourceAdjudicationResponse response = pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read"); + AdjudicationResponse response = pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read"); assertEquals(GRANT, response.getDecision()); assertTrue(pap.query().graph().nodeExists("oa1pc1")); diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java index 299183ebb..44bbeed8f 100644 --- a/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java +++ b/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.PrivilegeChecker; import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.common.routine.Routine; -import gov.nist.csd.pm.pdp.AdminAdjudicationResponse; +import gov.nist.csd.pm.pdp.adjudication.AdjudicationResponse; import gov.nist.csd.pm.pdp.PDP; import gov.nist.csd.pm.pdp.UnauthorizedException; import org.junit.jupiter.api.Test; @@ -16,8 +16,8 @@ import java.util.List; import java.util.Map; -import static gov.nist.csd.pm.pdp.Decision.DENY; -import static gov.nist.csd.pm.pdp.Decision.GRANT; +import static gov.nist.csd.pm.pdp.adjudication.Decision.DENY; +import static gov.nist.csd.pm.pdp.adjudication.Decision.GRANT; import static org.junit.jupiter.api.Assertions.*; public class PMLTest { 
@@ -143,7 +143,7 @@ routine routine1(string a, []string b, map[string]string c) { """); PDP pdp = new PDP(pap); - AdminAdjudicationResponse response = pdp.adjudicateAdminOperation(new UserContext("u1"), + AdjudicationResponse response = pdp.adjudicateAdminOperation(new UserContext("u1"), "op1", Map.of("a", "a", "b", List.of("b", "c"), "c", Map.of("d", "e", "f", "g"))); assertEquals(GRANT, response.getDecision()); assertTrue(pap.query().graph().nodeExists("1a")); diff --git a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java index dceb77237..57f96b0cd 100644 --- a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java +++ b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java @@ -11,6 +11,9 @@ import gov.nist.csd.pm.common.prohibition.ProhibitionSubject; import gov.nist.csd.pm.pap.query.model.explain.*; import gov.nist.csd.pm.common.routine.Routine; +import gov.nist.csd.pm.pdp.adjudication.AdjudicationResponse; +import gov.nist.csd.pm.pdp.adjudication.Decision; +import gov.nist.csd.pm.pdp.adjudication.OperationRequest; import org.junit.jupiter.api.Test; import java.util.Collections; @@ -22,8 +25,8 @@ import static gov.nist.csd.pm.common.op.Operation.NAME_OPERAND; import static gov.nist.csd.pm.common.op.graph.GraphOp.ASCENDANT_OPERAND; import static gov.nist.csd.pm.common.op.graph.GraphOp.DESCENDANTS_OPERAND; -import static gov.nist.csd.pm.pdp.Decision.DENY; -import static gov.nist.csd.pm.pdp.Decision.GRANT; +import static gov.nist.csd.pm.pdp.adjudication.Decision.DENY; +import static gov.nist.csd.pm.pdp.adjudication.Decision.GRANT; import static org.junit.jupiter.api.Assertions.*; class PDPTest { 
@@ -148,13 +151,13 @@ void testAdjudicateResourceOperation() throws PMException { PDP pdp = new PDP(pap); pdp.setExplain(true); - ResourceAdjudicationResponse resp = pdp.adjudicateResourceOperation(new UserContext("u1"), "o1", "read"); - assertEquals(resp.getResource(), pap.query().graph().getNode("o1")); + AdjudicationResponse resp = pdp.adjudicateResourceOperation(new UserContext("u1"), "o1", "read"); + assertEquals(resp.getValue(), pap.query().graph().getNode("o1")); assertEquals(resp.getDecision(), GRANT); assertNull(resp.getExplain()); resp = pdp.adjudicateResourceOperation(new UserContext("u1"), "o1", "write"); - assertNull(resp.getResource()); + assertNull(resp.getValue()); assertEquals(resp.getDecision(), Decision.DENY); assertEquals(new Explain( new AccessRightSet("read"), @@ -204,7 +207,7 @@ operation op1() string { pdp.setExplain(true); // builtin operation - AdminAdjudicationResponse resp = pdp.adjudicateAdminOperation( + AdjudicationResponse resp = pdp.adjudicateAdminOperation( new UserContext("u1"), "assign", Map.of(ASCENDANT_OPERAND, "o1", DESCENDANTS_OPERAND, List.of("oa2")) ); @@ -283,7 +286,7 @@ create policy class "test2" PDP pdp = new PDP(pap); pdp.setExplain(true); - AdminAdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), "routine1", Map.of("a", "test")); + AdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), "routine1", Map.of("a", "test")); assertEquals(GRANT, response.getDecision()); assertEquals("test1", response.getValue()); response = pdp.adjudicateAdminRoutine(new UserContext("u1"), "routine2", Map.of()); @@ -337,7 +340,7 @@ routine routine1() { pap.executePML(new UserContext("u1"), pml); PDP pdp = new PDP(pap); - AdminAdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), "routine1", Map.of()); + AdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), "routine1", Map.of()); assertEquals(DENY, response.getDecision()); } 
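Review bot: The deny-path checks in this file are uneven: testAdjudicateResourceOperation asserts `assertNull(resp.getValue())` after the denied `write`, but the denied routine in the later hunk only checks `assertEquals(DENY, response.getDecision());`. Now that admin and resource results share `getValue()`, I would add `assertNull(response.getValue());` there so the test shows that a denied routine returns no payload. The changed lines `assertEquals(resp.getValue(), pap.query().graph().getNode("o1"));` and `assertEquals(resp.getDecision(), GRANT);` also pass the actual value first; JUnit's order is `assertEquals(expected, actual)`, e.g. `assertEquals(GRANT, resp.getDecision());`, otherwise failure messages are reversed.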
@@ -435,7 +438,7 @@ operation op1(string name) { PDP pdp = new PDP(pap); EPP epp = new EPP(pdp, pap); - AdminAdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), List.of( + AdjudicationResponse response = pdp.adjudicateAdminRoutine(new UserContext("u1"), List.of( new OperationRequest("op1", Map.of("name", "pc2")), new OperationRequest("op1", Map.of("name", "pc3")) )); @@ -462,7 +465,7 @@ void testExplainFalseDoesNotIncludeExplainInResponse() throws PMException { """); PDP pdp = new PDP(pap); - AdminAdjudicationResponse response = pdp.adjudicateAdminOperation(new UserContext("u1"), "create_policy_class", Map.of(NAME_OPERAND, "test")); + AdjudicationResponse response = pdp.adjudicateAdminOperation(new UserContext("u1"), "create_policy_class", Map.of(NAME_OPERAND, "test")); assertEquals(response.getDecision(), DENY); assertNull(response.getExplain()); } diff --git a/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java b/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java index 50060323f..5fc6b1696 100644 --- a/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java +++ b/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java @@ -10,6 +10,7 @@ import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.common.routine.Routine; +import gov.nist.csd.pm.pdp.bootstrap.PMLBootstrapper; import org.junit.jupiter.api.Test; import java.util.List;