diff --git a/README.md b/README.md index 6be5f9a2d..338fa6734 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,8 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; import gov.nist.csd.pm.pap.prohibition.ContainerCondition; import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; import gov.nist.csd.pm.pdp.PDP; import java.util.List; @@ -156,7 +157,7 @@ public class Main { pap.executePML(new UserContext("u1")), pml); */ - AccessRightSet privileges = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + AccessRightSet privileges = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); System.out.println(privileges); // expected output: {associate, read, create_object_attribute, associate_to} diff --git a/src/main/java/gov/nist/csd/pm/epp/EPP.java b/src/main/java/gov/nist/csd/pm/epp/EPP.java index 24194c568..84490e787 100644 --- a/src/main/java/gov/nist/csd/pm/epp/EPP.java +++ b/src/main/java/gov/nist/csd/pm/epp/EPP.java @@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pdp.PDP; import gov.nist.csd.pm.pap.exception.PMException; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.obligation.Obligation; import gov.nist.csd.pm.pap.obligation.Response; import gov.nist.csd.pm.pap.obligation.Rule; diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryAccessQuerier.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryAccessQuerier.java deleted file mode 100644 index 1494586ad..000000000 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryAccessQuerier.java +++ /dev/null 
@@ -1,679 +0,0 @@ -package gov.nist.csd.pm.impl.memory.pap; - -import gov.nist.csd.pm.pap.admin.AdminPolicyNode; -import gov.nist.csd.pm.pap.exception.PMException; -import gov.nist.csd.pm.pap.graph.dag.*; -import gov.nist.csd.pm.pap.graph.node.Node; -import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; -import gov.nist.csd.pm.pap.graph.relationship.Association; -import gov.nist.csd.pm.pap.prohibition.ContainerCondition; -import gov.nist.csd.pm.pap.prohibition.Prohibition; -import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException; -import gov.nist.csd.pm.pap.AccessQuerier; -import gov.nist.csd.pm.pap.GraphQuerier; -import gov.nist.csd.pm.pap.ProhibitionsQuerier; -import gov.nist.csd.pm.pap.query.UserContext; -import gov.nist.csd.pm.pap.query.model.explain.*; -import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges; -import gov.nist.csd.pm.pap.store.GraphStoreBFS; -import gov.nist.csd.pm.pap.store.PolicyStore; - -import java.util.*; - -import static gov.nist.csd.pm.pap.graph.node.NodeType.PC; -import static gov.nist.csd.pm.pap.graph.node.NodeType.U; -import static gov.nist.csd.pm.pap.graph.node.Properties.NO_PROPERTIES; -import static gov.nist.csd.pm.pap.AccessRightResolver.*; - -public class MemoryAccessQuerier extends AccessQuerier { - - private GraphQuerier graphQuerier; - private ProhibitionsQuerier prohibitionsQuerier; - - public MemoryAccessQuerier(PolicyStore memoryPolicyStore, GraphQuerier graphQuerier, ProhibitionsQuerier prohibitionsQuerier) { - super(memoryPolicyStore); - this.graphQuerier = graphQuerier; - this.prohibitionsQuerier = prohibitionsQuerier; - } - - @Override - public AccessRightSet computePrivileges(UserContext userCtx, String target) throws PMException { - AccessRightSet accessRights = new AccessRightSet(); - - // if the target node is a PC, check privileges on the PM_ADMIN_OBJECT - Node targetNode = graphQuerier.getNode(target); - if (targetNode.getType().equals(PC)) { - target = 
AdminPolicyNode.PM_ADMIN_OBJECT.nodeName(); - } - - // traverse the user side of the graph to get the associations - UserDagResult userDagResult = processUserDAG(userCtx.getUser(), userCtx.getProcess()); - if (userDagResult.borderTargets().isEmpty()) { - return accessRights; - } - - // traverse the target side of the graph to get permissions per policy class - TargetDagResult targetDagResult = processTargetDAG(target, userDagResult); - - // resolve the permissions - return resolvePrivileges(userDagResult, targetDagResult, target, store.operations().getResourceOperations()); - } - - @Override - public AccessRightSet computeDeniedPrivileges(UserContext userCtx, String target) throws PMException { - AccessRightSet accessRights = new AccessRightSet(); - - // traverse the user side of the graph to get the associations - UserDagResult userDagResult = processUserDAG(userCtx.getUser(), userCtx.getProcess()); - if (userDagResult.borderTargets().isEmpty()) { - return accessRights; - } - - // traverse the target side of the graph to get permissions per policy class - TargetDagResult targetDagResult = processTargetDAG(target, userDagResult); - - // resolve the permissions - return resolveDeniedAccessRights(userDagResult, targetDagResult, target); - } - - @Override - public Map computePolicyClassAccessRights(UserContext userCtx, String target) throws PMException { - // traverse the user side of the graph to get the associations - UserDagResult userDagResult = processUserDAG(userCtx.getUser(), userCtx.getProcess()); - if (userDagResult.borderTargets().isEmpty()) { - return new HashMap<>(); - } - - // traverse the target side of the graph to get permissions per policy class - TargetDagResult targetDagResult = processTargetDAG(target, userDagResult); - - return targetDagResult.pcSet(); - } - - @Override - public Map computeCapabilityList(UserContext userCtx) throws PMException { - Map results = new HashMap<>(); - - //get border nodes. Can be OA or UA. 
Return empty set if no attrs are reachable - UserDagResult userDagResult = processUserDAG(userCtx.getUser(), userCtx.getProcess()); - if (userDagResult.borderTargets().isEmpty()) { - return results; - } - - for(String borderTarget : userDagResult.borderTargets().keySet()) { - // compute permissions on the border attr - getAndStorePrivileges(results, userDagResult, borderTarget); - - // compute decisions for the subgraph of the border attr - Set descendants = getDescendants(borderTarget); - for (String descendant : descendants) { - if (results.containsKey(descendant)) { - continue; - } - - getAndStorePrivileges(results, userDagResult, descendant); - } - } - - return results; - } - - @Override - public Map computeACL(String target) throws PMException { - Map acl = new HashMap<>(); - Collection search = graphQuerier.search(U, NO_PROPERTIES); - for (String user : search) { - AccessRightSet list = this.computePrivileges(new UserContext(user), target); - acl.put(user, list); - } - - return acl; - } - - @Override - public Map computeDestinationAttributes(String user) throws PMException { - return processUserDAG(user, UserContext.NO_PROCESS) - .borderTargets(); - } - - @Override - public SubgraphPrivileges computeSubgraphPrivileges(UserContext userCtx, String root) throws PMException { - List subgraphs = new ArrayList<>(); - - Collection adjacentAscendants = graphQuerier.getAdjacentAscendants(root); - for (String adjacent : adjacentAscendants) { - subgraphs.add(computeSubgraphPrivileges(userCtx, adjacent)); - } - - return new SubgraphPrivileges(root, computePrivileges(userCtx, root), subgraphs); - } - - @Override - public Map computeAdjacentAscendantPrivileges(UserContext userCtx, String root) throws PMException { - Map ascendantPrivs = new HashMap<>(); - - Collection adjacentAscendants = graphQuerier.getAdjacentAscendants(root); - for (String adjacentAscendant : adjacentAscendants) { - ascendantPrivs.put(adjacentAscendant, computePrivileges(userCtx, adjacentAscendant)); - 
} - - return ascendantPrivs; - } - - @Override - public Explain explain(UserContext userCtx, String target) throws PMException { - Node userNode = graphQuerier.getNode(userCtx.getUser()); - Node targetNode = graphQuerier.getNode(target); - - Map>> targetPaths = explainTarget(targetNode.getName()); - Map> userPaths = explainUser(userNode.getName(), targetPaths); - List resolvedPaths = resolvePaths(targetPaths, userPaths); - - UserDagResult userDagResult = processUserDAG(userCtx.getUser(), userCtx.getProcess()); - TargetDagResult targetDagResult = processTargetDAG(target, userDagResult); - - AccessRightSet priv = resolvePrivileges(userDagResult, targetDagResult, target, store.operations().getResourceOperations()); - AccessRightSet deniedPriv = resolveDeniedAccessRights(userDagResult, targetDagResult, target); - List prohibitions = computeSatisfiedProhibitions(userDagResult, targetDagResult, target); - - return new Explain(priv, resolvedPaths, deniedPriv, prohibitions); - } - - @Override - public Map computePersonalObjectSystem(UserContext userCtx) throws PMException { - Map pos = new HashMap<>(); - - for (String pc : graphQuerier.getPolicyClasses()) { - new BreadthFirstGraphWalker(graphQuerier) - .withDirection(Direction.ASCENDANTS) - .withVisitor(n -> { - AccessRightSet privs = computePrivileges(userCtx, n); - if (privs.isEmpty()) { - return; - } - - pos.put(n, privs); - }) - .withSinglePathShortCircuit(n -> { - return pos.containsKey(n); - }) - .walk(pc); - } - return pos; - } - - private void getAndStorePrivileges(Map arsetMap, UserDagResult userDagResult, String target) throws PMException { - TargetDagResult targetCtx = processTargetDAG(target, userDagResult); - AccessRightSet privileges = resolvePrivileges(userDagResult, targetCtx, target, store.operations().getResourceOperations()); - arsetMap.put(target, privileges); - } - - /** - * Perform a depth first search on the object side of the graph. 
Start at the target node and recursively visit nodes - * until a policy class is reached. On each node visited, collect any operation the user has on the target. At the - * end of each dfs iteration the visitedNodes map will contain the operations the user is permitted on the target under - * each policy class. - */ - protected TargetDagResult processTargetDAG(String target, UserDagResult userCtx) throws PMException { - if (!graphQuerier.nodeExists(target)) { - throw new NodeDoesNotExistException(target); - } - - Collection policyClasses = graphQuerier.getPolicyClasses(); - Map borderTargets = userCtx.borderTargets(); - Map> visitedNodes = new HashMap<>(); - Set reachedTargets = new HashSet<>(); - - Visitor visitor = node -> { - // mark the node as reached, to be used for resolving prohibitions - if (userCtx.prohibitionTargets().contains(node)) { - reachedTargets.add(node); - } - - Map nodeCtx = visitedNodes.getOrDefault(node, new HashMap<>()); - if (nodeCtx.isEmpty()) { - visitedNodes.put(node, nodeCtx); - } - - if (policyClasses.contains(node)) { - nodeCtx.put(node, new AccessRightSet()); - } else { - if (borderTargets.containsKey(node)) { - Set uaOps = borderTargets.get(node); - for (String pc : nodeCtx.keySet()) { - AccessRightSet pcOps = nodeCtx.getOrDefault(pc, new AccessRightSet()); - pcOps.addAll(uaOps); - nodeCtx.put(pc, pcOps); - } - } - } - }; - - Propagator propagator = (desc, asc) -> { - Map descCtx = visitedNodes.get(desc); - Map nodeCtx = visitedNodes.getOrDefault(asc, new HashMap<>()); - for (String name : descCtx.keySet()) { - AccessRightSet ops = nodeCtx.getOrDefault(name, new AccessRightSet()); - ops.addAll(descCtx.get(name)); - nodeCtx.put(name, ops); - } - visitedNodes.put(asc, nodeCtx); - }; - - new DepthFirstGraphWalker(graphQuerier) - .withDirection(Direction.DESCENDANTS) - .withVisitor(visitor) - .withPropagator(propagator) - .walk(target); - - return new TargetDagResult(visitedNodes.get(target), reachedTargets); - } - - /** - * Find the 
target nodes that are reachable by the subject via an association. This is done by a breadth first search - * starting at the subject node and walking up the user side of the graph until all user attributes the subject is assigned - * to have been visited. For each user attribute visited, get the associations it is the source of and store the - * target of that association as well as the operations in a map. If a target node is reached multiple times, add any - * new operations to the already existing ones. - * - * @return a Map of target nodes that the subject can reach via associations and the operations the user has on each. - */ - protected UserDagResult processUserDAG(String subject, String process) throws PMException { - if (!graphQuerier.nodeExists(subject)) { - throw new NodeDoesNotExistException(subject); - } - - final Map borderTargets = new HashMap<>(); - final Set prohibitionTargets = new HashSet<>(); - // initialize with the prohibitions or the provided process - final Set reachedProhibitions = new HashSet<>(prohibitionsQuerier.getProhibitionsWithSubject(process)); - - // get the associations for the subject, it the subject is a user, nothing will be returned - // this is only when a UA is the subject - Collection subjectAssociations = graphQuerier.getAssociationsWithSource(subject); - collectAssociationsFromBorderTargets(subjectAssociations, borderTargets); - - Visitor visitor = node -> { - Collection subjectProhibitions = prohibitionsQuerier.getProhibitionsWithSubject(node); - reachedProhibitions.addAll(subjectProhibitions); - for (Prohibition prohibition : subjectProhibitions) { - Collection containers = prohibition.getContainers(); - for (ContainerCondition cont : containers) { - prohibitionTargets.add(cont.getName()); - } - } - - Collection nodeAssociations = graphQuerier.getAssociationsWithSource(node); - collectAssociationsFromBorderTargets(nodeAssociations, borderTargets); - }; - - // start the bfs - new GraphStoreBFS(store.graph()) - 
.withDirection(Direction.DESCENDANTS) - .withVisitor(visitor) - .walk(subject); - - return new UserDagResult(borderTargets, reachedProhibitions, prohibitionTargets); - } - - private List resolvePaths(Map>> targetPaths, - Map> userPaths) { - List result = new ArrayList<>(); - - for (Map.Entry>> targetPathEntry : targetPaths.entrySet()) { - String pc = targetPathEntry.getKey(); - Map> targetPathAssociations = targetPathEntry.getValue(); - - List> paths = getExplainNodePaths(targetPathAssociations, userPaths); - AccessRightSet arset = getArsetFromPaths(paths); - - result.add(new PolicyClassExplain(pc, arset, paths)); - } - - return result; - } - - private List> getExplainNodePaths(Map> targetPathAssociations, - Map> userPaths) { - List> paths = new ArrayList<>(); - - for (Map.Entry> targetPathEntry : targetPathAssociations.entrySet()) { - Path path = targetPathEntry.getKey(); - List pathAssocs = targetPathEntry.getValue(); - - List explainNodes = new ArrayList<>(); - for (String node : path) { - List explainAssocs = new ArrayList<>(); - - for (Association pathAssoc : pathAssocs) { - String ua = pathAssoc.getSource(); - String target = pathAssoc.getTarget(); - if (!target.equals(node)) { - continue; - } - - Set userPathsToAssoc = userPaths.getOrDefault(ua, new HashSet<>()); - - explainAssocs.add(new ExplainAssociation( - ua, - pathAssoc.getAccessRightSet(), - new ArrayList<>(userPathsToAssoc) - )); - } - - explainNodes.add(new ExplainNode(node, explainAssocs)); - } - - paths.add(explainNodes); - } - - return paths; - } - - private AccessRightSet getArsetFromPaths(List> paths) { - AccessRightSet accessRightSet = new AccessRightSet(); - for (List path : paths) { - for (ExplainNode explainNode : path) { - List associations = explainNode.associations(); - for (ExplainAssociation association : associations) { - if (association.userPaths().isEmpty()) { - continue; - } - - accessRightSet.addAll(association.arset()); - } - } - } - - return accessRightSet; - } - - private Map>> 
explainTarget(String target) throws PMException { - Collection policyClasses = graphQuerier.getPolicyClasses(); - - // initialize map with policy classes - Map, List>> pcPathAssociations = new HashMap<>(); - for (String pc : policyClasses) { - pcPathAssociations.put(pc, new HashMap<>(Map.of(new ArrayList<>(List.of(pc)), new ArrayList<>()))); - } - - Propagator propagator = (src, dst) -> { - Map, List> srcPathAssocs = pcPathAssociations.get(src); - Map, List> dstPathAssocs = pcPathAssociations.getOrDefault(dst, new HashMap<>()); - - for (Map.Entry, List> entry : srcPathAssocs.entrySet()) { - // add DST to the path from SRC - List targetPath = new ArrayList<>(entry.getKey()); - List associations = new ArrayList<>(entry.getValue()); - targetPath.addFirst(dst); - - // collect any associations for the DST node - Collection associationsWithTarget = graphQuerier.getAssociationsWithTarget(dst); - associations.addAll(associationsWithTarget); - dstPathAssocs.put(targetPath, associations); - } - - // update dst entry - pcPathAssociations.put(dst, dstPathAssocs); - }; - - // DFS from target node - new DepthFirstGraphWalker(graphQuerier) - .withPropagator(propagator) - .walk(target); - - // convert the map created above into a map where the policy classes are the keys - Map, List> targetPathAssocs = pcPathAssociations.get(target); - Map>> pcMap = new HashMap<>(); - for (Map.Entry, List> entry : targetPathAssocs.entrySet()) { - Path targetPath = new Path(entry.getKey()); - List associations = new ArrayList<>(entry.getValue()); - - String pc = targetPath.getLast(); - - Map> pcPathAssocs = pcMap.getOrDefault(pc, new HashMap<>()); - pcPathAssocs.put(targetPath, associations); - pcMap.put(pc, pcPathAssocs); - } - - return pcMap; - } - - private Map> explainUser(String user, Map>> targetPaths) throws PMException { - // initialize map with the UAs of the target path associations - Set uasFromTargetPathAssociations = new HashSet<>(getUAsFromTargetPathAssociations(targetPaths)); - Map> 
pathsToUAs = new HashMap<>(); - for (String ua : uasFromTargetPathAssociations) { - pathsToUAs.put(ua, new HashSet<>(Set.of(new Path(ua)))); - } - - Propagator propagator = (src, dst) -> { - // don't propagate unless the src is a ua in a target path association or an already propagated to dst node - if (!uasFromTargetPathAssociations.contains(src) && !pathsToUAs.containsKey(src)) { - return; - } - - Set srcPaths = pathsToUAs.get(src); - Set dstPaths = pathsToUAs.getOrDefault(dst, new HashSet<>()); - - for (Path srcPath : srcPaths) { - Path copy = new Path(srcPath); - copy.addFirst(dst); - dstPaths.add(copy); - } - - pathsToUAs.put(dst, dstPaths); - }; - - new DepthFirstGraphWalker(graphQuerier) - .withPropagator(propagator) - .walk(user); - - // transform the map so that the key is the last ua in the path pointing to it's paths - Set userPaths = pathsToUAs.getOrDefault(user, new HashSet<>()); - Map> associationUAPaths = new HashMap<>(); - for (Path userPath : userPaths) { - String assocUA = userPath.getLast(); - Set assocUAPaths = associationUAPaths.getOrDefault(assocUA, new HashSet<>()); - assocUAPaths.add(userPath); - associationUAPaths.put(assocUA, assocUAPaths); - } - - return associationUAPaths; - } - - private List getUAsFromTargetPathAssociations(Map>> targetPaths) { - List uas = new ArrayList<>(); - - for (Map.Entry>> pcPaths : targetPaths.entrySet()) { - for (Map.Entry> pathAssociations : pcPaths.getValue().entrySet()) { - List associations = pathAssociations.getValue(); - for (Association association : associations) { - uas.add(association.getSource()); - } - } - } - - return uas; - } - - private void collectAssociationsFromBorderTargets(Collection assocs, Map borderTargets) { - for (Association association : assocs) { - AccessRightSet ops = association.getAccessRightSet(); - AccessRightSet exOps = borderTargets.getOrDefault(association.getTarget(), new AccessRightSet()); - //if the target is not in the map already, put it - //else add the found 
operations to the existing ones. - exOps.addAll(ops); - borderTargets.put(association.getTarget(), exOps); - } - } - - private Set getDescendants(String vNode) throws PMException { - Set descendants = new HashSet<>(); - - Collection ascendants = graphQuerier.getAdjacentAscendants(vNode); - if (ascendants.isEmpty()) { - return descendants; - } - - descendants.addAll(ascendants); - for (String ascendant : ascendants) { - descendants.add(ascendant); - descendants.addAll(getDescendants(ascendant)); - } - - return descendants; - } - - private Hashtable>> findBorderOaPrivRestrictedInternal(UserContext userCtx) throws PMException { - // Uses a hashtable htReachableOas of reachable oas (see find_border_oa_priv(u)) - // An oa is a key in this hashtable. The value is another hashtable that - // represents a label of the oa. A label is a set of pairs {(op -> pcset)}, with - // the op being the key and pcset being the value. - // {oa -> {op -> pcset}}. - Hashtable>> htReachableOas = new Hashtable<>(); - - // BFS from u (the base node). Prepare a queue. - Set visited = new HashSet<>(); - String crtNode; - - // Get u's directly assigned attributes and put them into the queue. - Collection hsAttrs = graphQuerier.getAdjacentDescendants(userCtx.getUser()); - List queue = new ArrayList<>(hsAttrs); - - // While the queue has elements, extract an element from the queue - // and visit it. - while (!queue.isEmpty()) { - // Extract an ua from queue. - crtNode = queue.remove(0); - if (!visited.contains(crtNode)) { - // If the ua has ua -> oa edges - if (inMemUattrHasOpsets(crtNode)) { - // Find the set of PCs reachable from ua. - HashSet hsUaPcs = inMemFindPcSet(crtNode); - - // From each discovered ua traverse the edges ua -> oa. - - // Find the opsets of this user attribute. Note that the set of containers for this - // node (user attribute) may contain not only opsets. 
- Collection assocs = graphQuerier.getAssociationsWithSource(crtNode); - - // Go through the containers and only for opsets do the following. - // For each opset ops of ua: - for (Association assoc : assocs) { - String target = assoc.getTarget(); - // If oa is in htReachableOas - if (htReachableOas.containsKey(target)) { - // Then oa has a label op1 -> hsPcs1, op2 -> hsPcs2,... - // Extract its label: - Hashtable> htOaLabel = htReachableOas.get(target); - - // Get the operations from the opset: - AccessRightSet arSet = assoc.getAccessRightSet(); - // For each operation in the opset - for (String sOp : arSet) { - // If the oa's label already contains the operation sOp - if (htOaLabel.containsKey(sOp)) { - // The label contains op -> some pcset. - // Do the union of the old pc with ua's pcset - Set hsPcs = htOaLabel.get(sOp); - hsPcs.addAll(hsUaPcs); - } else { - // The op is not in the oa's label. - // Create new op -> ua's pcs mappiing in the label. - Set hsNewPcs = new HashSet<>(hsUaPcs); - htOaLabel.put(sOp, hsNewPcs); - } - } - } else { - // oa is not in htReachableOas. - // Prepare a new label - Hashtable> htOaLabel = new Hashtable<>(); - - // Get the operations from the opset: - AccessRightSet arSet = assoc.getAccessRightSet(); - // For each operation in the opset - for (String sOp : arSet) { - // Add op -> pcs to the label. - Set hsNewPcs = new HashSet<>(hsUaPcs); - htOaLabel.put(sOp, hsNewPcs); - } - - // Add oa -> {op -> pcs} - htReachableOas.put(target, htOaLabel); - } - } - } - visited.add(crtNode); - - Collection hsDescs = graphQuerier.getAdjacentDescendants(crtNode); - queue.addAll(hsDescs); - } - } - - - // For each reachable oa in htReachableOas.keys - for (Enumeration keys = htReachableOas.keys(); keys.hasMoreElements() ;) { - String oa = keys.nextElement(); - // Compute {pc | oa ->+ pc} - Set hsOaPcs = inMemFindPcSet(oa); - // Extract oa's label. - Hashtable> htOaLabel = htReachableOas.get(oa); - // The label contains op1 -> pcs1, op2 -> pcs2,... 
- // For each operation in the label - for (Enumeration lbl = htOaLabel.keys(); lbl.hasMoreElements();) { - String sOp = lbl.nextElement(); - // Intersect the pcset corresponding to this operation, - // which comes from the uas, with the oa's pcset. - Set oaPcs = htOaLabel.get(sOp); - oaPcs.retainAll(hsOaPcs); - if (oaPcs.isEmpty()) htOaLabel.remove(sOp); - } - } - - return htReachableOas; - } - - private HashSet inMemFindPcSet(String node) throws PMException { - HashSet reachable = new HashSet<>(); - - // Init the queue, visited - ArrayList queue = new ArrayList<>(); - HashSet visited = new HashSet<>(); - - // The current element - String crtNode; - - // Insert the start node into the queue - queue.add(node); - - Collection policyClasses = graphQuerier.getPolicyClasses(); - - // While queue is not empty - while (!queue.isEmpty()) { - // Extract current element from queue - crtNode = queue.remove(0); - // If not visited - if (!visited.contains(crtNode)) { - // Mark it as visited - visited.add(crtNode); - // Extract its direct descendants. If a descendant is an attribute, - // insert it into the queue. If it is a pc, add it to reachable, - // if not already there - Collection hsContainers = graphQuerier.getAdjacentDescendants(crtNode); - for (String n : hsContainers) { - if (policyClasses.contains(n)) { - reachable.add(n); - } else { - queue.add(n); - } - } - } - } - return reachable; - } - - private boolean inMemUattrHasOpsets(String uaNode) throws PMException { - return !graphQuerier.getAssociationsWithSource(uaNode).isEmpty(); - } -} diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPAP.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPAP.java index 060eb1174..d145b4fb1 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPAP.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPAP.java 
@@ -4,6 +4,7 @@ import gov.nist.csd.pm.impl.memory.pap.store.MemoryPolicyStore; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.PolicyQuerier; +import gov.nist.csd.pm.pap.store.PolicyStore; public class MemoryPAP extends PAP { diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPolicyQuerier.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPolicyQuerier.java index 2ba9b99ec..728d411f8 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPolicyQuerier.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/MemoryPolicyQuerier.java @@ -1,5 +1,6 @@ package gov.nist.csd.pm.impl.memory.pap; +import gov.nist.csd.pm.impl.memory.pap.access.MemoryAccessQuerier; import gov.nist.csd.pm.pap.PolicyQuerier; import gov.nist.csd.pm.pap.store.PolicyStore; @@ -9,7 +10,7 @@ public class MemoryPolicyQuerier extends PolicyQuerier { public MemoryPolicyQuerier(PolicyStore policyStore) { super(policyStore); - this.accessQuerier = new MemoryAccessQuerier(policyStore, graph(), prohibitions()); + this.accessQuerier = new MemoryAccessQuerier(policyStore); } @Override diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java new file mode 100644 index 000000000..65ff287a9 --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java 
@@ -0,0 +1,224 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.*; +import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; +import gov.nist.csd.pm.pap.AccessQuerier; +import gov.nist.csd.pm.pap.query.model.context.UserContext; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.query.model.explain.*; +import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges; +import gov.nist.csd.pm.pap.store.GraphStoreBFS; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +import static gov.nist.csd.pm.pap.admin.AdminPolicyNode.PM_ADMIN_OBJECT; +import static gov.nist.csd.pm.pap.AccessRightResolver.*; +import static gov.nist.csd.pm.pap.graph.node.NodeType.U; +import static gov.nist.csd.pm.pap.graph.node.Properties.NO_PROPERTIES; + +public class MemoryAccessQuerier extends AccessQuerier { + + public MemoryAccessQuerier(PolicyStore memoryPolicyStore) { + super(memoryPolicyStore); + } + + @Override + public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { + // traverse the user side of the graph to get the associations + MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); + UserDagResult userDagResult = userEvaluator.evaluate(userCtx); + + // traverse the target side of the graph to get permissions per policy class + MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(store); + TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); + + // resolve the permissions + return resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations()); + } + + @Override + public List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException { + // traverse the user side of the graph to get the associations + MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); + 
UserDagResult userDagResult = userEvaluator.evaluate(userCtx); + + // traverse the target side of the graph to get permissions per policy class + MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(store); + + List accessRightSets = new ArrayList<>(); + for (TargetContext targetCtx : targetCtxs) { + TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); + AccessRightSet privs = resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations()); + + accessRightSets.add(privs); + } + + return accessRightSets; + } + + @Override + public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { + AccessRightSet accessRights = new AccessRightSet(); + + // traverse the user side of the graph to get the associations + MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); + UserDagResult userDagResult = userEvaluator.evaluate(userCtx); + if (userDagResult.borderTargets().isEmpty()) { + return accessRights; + } + + // traverse the target side of the graph to get permissions per policy class + MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(store); + TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); + + // resolve the permissions + return resolveDeniedAccessRights(userDagResult, targetDagResult); + } + + @Override + public Map computeCapabilityList(UserContext userCtx) throws PMException { + Map results = new HashMap<>(); + + //get border nodes. Can be OA or UA. 
Return empty set if no attrs are reachable + MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); + UserDagResult userDagResult = userEvaluator.evaluate(userCtx); + if (userDagResult.borderTargets().isEmpty()) { + return results; + } + + for(String borderTarget : userDagResult.borderTargets().keySet()) { + // compute permissions on the border attr + getAndStorePrivileges(results, userDagResult, borderTarget); + + // compute decisions for the subgraph of the border attr + Set descendants = getDescendants(borderTarget); + for (String descendant : descendants) { + if (results.containsKey(descendant)) { + continue; + } + + getAndStorePrivileges(results, userDagResult, descendant); + } + } + + // add policy classes + if (results.containsKey(PM_ADMIN_OBJECT.nodeName())) { + AccessRightSet arset = results.get(PM_ADMIN_OBJECT.nodeName()); + for (String pc : store.graph().getPolicyClasses()) { + results.put(pc, arset); + } + } + + return results; + } + + @Override + public Map computeACL(TargetContext targetCtx) throws PMException { + Map acl = new HashMap<>(); + Collection search = store.graph().search(U, NO_PROPERTIES); + for (String user : search) { + AccessRightSet list = this.computePrivileges(new UserContext(user), targetCtx); + acl.put(user, list); + } + + return acl; + } + + @Override + public Map computeDestinationAttributes(UserContext userCtx) throws PMException { + return new MemoryUserEvaluator(store) + .evaluate(userCtx) + .borderTargets(); + } + + @Override + public SubgraphPrivileges computeSubgraphPrivileges(UserContext userCtx, String root) throws PMException { + List subgraphs = new ArrayList<>(); + + Collection adjacentAscendants = store.graph().getAdjacentAscendants(root); + for (String adjacent : adjacentAscendants) { + subgraphs.add(computeSubgraphPrivileges(userCtx, adjacent)); + } + + return new SubgraphPrivileges(root, computePrivileges(userCtx, new TargetContext(root)), subgraphs); + } + + @Override + public Map 
computeAdjacentAscendantPrivileges(UserContext userCtx, String root) throws PMException { + Map ascendantPrivs = new HashMap<>(); + + Collection adjacentAscendants = store.graph().getAdjacentAscendants(root); + for (String adjacentAscendant : adjacentAscendants) { + ascendantPrivs.put(adjacentAscendant, computePrivileges(userCtx, new TargetContext(adjacentAscendant))); + } + + return ascendantPrivs; + } + + @Override + public Map computeAdjacentDescendantPrivileges(UserContext userCtx, String root) throws PMException { + Map descendantPrivs = new HashMap<>(); + + Collection adjacentDescendants = store.graph().getAdjacentDescendants(root); + for (String adjacentDescendant : adjacentDescendants) { + descendantPrivs.put(adjacentDescendant, computePrivileges(userCtx, new TargetContext(adjacentDescendant))); + } + + return descendantPrivs; + } + + @Override + public Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMException { + return new MemoryExplainer(store) + .explain(userCtx, targetCtx); + } + + @Override + public Map computePersonalObjectSystem(UserContext userCtx) throws PMException { + Map pos = new HashMap<>(); + + for (String pc : store.graph().getPolicyClasses()) { + new GraphStoreBFS(store.graph()) + .withDirection(Direction.ASCENDANTS) + .withVisitor(n -> { + AccessRightSet privs = computePrivileges(userCtx, new TargetContext(n)); + if (privs.isEmpty()) { + return; + } + + pos.put(n, privs); + }) + .withSinglePathShortCircuit(n -> { + return pos.containsKey(n); + }) + .walk(pc); + } + return pos; + } + + private void getAndStorePrivileges(Map arsetMap, UserDagResult userDagResult, String target) throws PMException { + TargetDagResult result = new MemoryTargetEvaluator(store) + .evaluate(userDagResult, new TargetContext(target)); + AccessRightSet privileges = resolvePrivileges(userDagResult, result, store.operations().getResourceOperations()); + arsetMap.put(target, privileges); + } + + private Set getDescendants(String vNode) throws 
PMException { + Set descendants = new HashSet<>(); + + Collection ascendants = store.graph().getAdjacentAscendants(vNode); + if (ascendants.isEmpty()) { + return descendants; + } + + descendants.addAll(ascendants); + for (String ascendant : ascendants) { + descendants.add(ascendant); + descendants.addAll(getDescendants(ascendant)); + } + + return descendants; + } +} diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java new file mode 100644 index 000000000..21584b4db --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java 
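Review bot: In computeCapabilityList, the "add policy classes" loop stores the same AccessRightSet instance under every policy-class key and under PM_ADMIN_OBJECT, so a caller that mutates one entry of the returned map silently changes all of them; store a per-key copy instead, e.g. `results.put(pc, new AccessRightSet(arset));` if AccessRightSet has a copy constructor, otherwise a fresh set filled with addAll. The single-target computePrivileges also no longer returns early on an empty borderTargets map and no longer redirects a policy-class target to PM_ADMIN_OBJECT as the deleted implementation did; if MemoryTargetEvaluator (not in this diff) does not perform that redirection, privileges on a PC are now computed by walking the PC node directly, which deserves a regression test, and the missing guard is at least inconsistent with computeDeniedPrivileges, which keeps it. Finally, getDescendants recurses without a visited set and re-adds each ascendant that `descendants.addAll(ascendants)` already inserted, so a subgraph reachable along several paths is walked once per path; an iterative walk with a visited set bounds the work to one expansion per node.
```java
private Set<String> getDescendants(String vNode) throws PMException {
    Set<String> descendants = new HashSet<>();
    Deque<String> queue = new ArrayDeque<>(store.graph().getAdjacentAscendants(vNode));
    while (!queue.isEmpty()) {
        String next = queue.poll();
        // expand each node once, even when it is reachable along several paths
        if (descendants.add(next)) {
            queue.addAll(store.graph().getAdjacentAscendants(next));
        }
    }
    return descendants;
}
```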
@@ -0,0 +1,121 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.TargetDagResult; +import gov.nist.csd.pm.pap.graph.dag.UserDagResult; +import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; +import gov.nist.csd.pm.pap.graph.relationship.Association; +import gov.nist.csd.pm.pap.prohibition.Prohibition; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; +import gov.nist.csd.pm.pap.query.model.explain.*; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +import static gov.nist.csd.pm.pap.AccessRightResolver.*; + +public class MemoryExplainer { + + private PolicyStore policyStore; + + public MemoryExplainer(PolicyStore policyStore) { + this.policyStore = policyStore; + } + + public Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMException { + // resolve paths from u to target + List resolvedPaths = resolvePaths(userCtx, targetCtx); + + // evaluate user + MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(policyStore); + UserDagResult userDagResult = userEvaluator.evaluate(userCtx); + + // evaluate target + MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(policyStore); + TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); + + // resolve privs and prohibitions + AccessRightSet priv = resolvePrivileges(userDagResult, targetDagResult, policyStore.operations().getResourceOperations()); + AccessRightSet deniedPriv = resolveDeniedAccessRights(userDagResult, targetDagResult); + List prohibitions = computeSatisfiedProhibitions(userDagResult, targetDagResult); + + return new Explain(priv, resolvedPaths, deniedPriv, prohibitions); + } + + private List resolvePaths(UserContext userCtx, TargetContext targetCtx) throws PMException { + MemoryUserExplainer userExplainer = new MemoryUserExplainer(policyStore); + 
MemoryTargetExplainer targetExplainer = new MemoryTargetExplainer(policyStore); + Map>> targetPaths = targetExplainer.explainTarget(targetCtx); + Map> userPaths = userExplainer.explainIntersectionOfTargetPaths(userCtx, targetPaths); + + List result = new ArrayList<>(); + + for (Map.Entry>> targetPathEntry : targetPaths.entrySet()) { + String pc = targetPathEntry.getKey(); + Map> targetPathAssociations = targetPathEntry.getValue(); + + List> paths = getExplainNodePaths(targetPathAssociations, userPaths); + AccessRightSet arset = getArsetFromPaths(paths); + + result.add(new PolicyClassExplain(pc, arset, paths)); + } + + return result; + } + + private List> getExplainNodePaths(Map> targetPathAssociations, + Map> userPaths) { + List> paths = new ArrayList<>(); + + for (Map.Entry> targetPathEntry : targetPathAssociations.entrySet()) { + Path path = targetPathEntry.getKey(); + List pathAssocs = targetPathEntry.getValue(); + + List explainNodes = new ArrayList<>(); + for (String node : path) { + List explainAssocs = new ArrayList<>(); + + for (Association pathAssoc : pathAssocs) { + String ua = pathAssoc.getSource(); + String target = pathAssoc.getTarget(); + if (!target.equals(node)) { + continue; + } + + Set userPathsToAssoc = userPaths.getOrDefault(ua, new HashSet<>()); + + explainAssocs.add(new ExplainAssociation( + ua, + pathAssoc.getAccessRightSet(), + new ArrayList<>(userPathsToAssoc) + )); + } + + explainNodes.add(new ExplainNode(node, explainAssocs)); + } + + paths.add(explainNodes); + } + + return paths; + } + + private AccessRightSet getArsetFromPaths(List> paths) { + AccessRightSet accessRightSet = new AccessRightSet(); + for (List path : paths) { + for (ExplainNode explainNode : path) { + List associations = explainNode.associations(); + for (ExplainAssociation association : associations) { + if (association.userPaths().isEmpty()) { + continue; + } + + accessRightSet.addAll(association.arset()); + } + } + } + + return accessRightSet; + } +} 
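Review bot: The per-policy-class set that `getArsetFromPaths` builds is the raw union of `association.arset()` over associations the user reaches, while the first argument to `new Explain(...)` comes from `resolvePrivileges`, which (per the AccessRightResolver hunk later in this diff) replaces `*`, `*a` and `*r` with literal access rights. If wildcards can occur in associations, the `arset` handed to `new PolicyClassExplain(pc, arset, paths)` and the top-level privilege set will disagree for the same query; either apply the same wildcard expansion to `accessRightSet` before returning it, or state in a comment on `resolvePaths` that the per-policy-class set is unexpanded. Separately, every method dereferences `policyStore`, so `private final PolicyStore policyStore;` with `this.policyStore = Objects.requireNonNull(policyStore, "policyStore");` in the constructor would fail fast instead of at the first query.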
diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java
new file mode 100644
index 000000000..9e7c75477
--- /dev/null
+++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java
@@ -0,0 +1,138 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.*; +import gov.nist.csd.pm.pap.graph.node.Node; +import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; +import gov.nist.csd.pm.pap.prohibition.ContainerCondition; +import gov.nist.csd.pm.pap.prohibition.Prohibition; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.store.GraphStoreDFS; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +import static gov.nist.csd.pm.pap.admin.AdminPolicyNode.PM_ADMIN_OBJECT; +import static gov.nist.csd.pm.pap.graph.node.NodeType.PC; + +public class MemoryTargetEvaluator { + + private PolicyStore policyStore; + + public MemoryTargetEvaluator(PolicyStore policyStore) { + this.policyStore = policyStore; + } + + /** + * Perform a depth first search on the object side of the graph. Start at the target node and recursively visit nodes + * until a policy class is reached. On each node visited, collect any operation the user has on the target. At the + * end of each dfs iteration the visitedNodes map will contain the operations the user is permitted on the target under + * each policy class. 
+ */ + public TargetDagResult evaluate(UserDagResult userCtx, TargetContext targetCtx) throws PMException { + targetCtx.checkExists(policyStore.graph()); + + Collection policyClasses = policyStore.graph().getPolicyClasses(); + Map borderTargets = userCtx.borderTargets(); + Set userProhibitionTargets = collectUserProhibitionTargets(userCtx.prohibitions()); + Map> visitedNodes = new HashMap<>(); + Set reachedTargets = new HashSet<>(); + + Visitor visitor = node -> { + // mark the node as reached, to be used for resolving prohibitions + if (userProhibitionTargets.contains(node)) { + reachedTargets.add(node); + } + + Map nodeCtx = visitedNodes.getOrDefault(node, new HashMap<>()); + if (nodeCtx.isEmpty()) { + visitedNodes.put(node, nodeCtx); + } + + if (policyClasses.contains(node)) { + nodeCtx.put(node, new AccessRightSet()); + } else if (borderTargets.containsKey(node)) { + Set uaOps = borderTargets.get(node); + + for (String pc : nodeCtx.keySet()) { + AccessRightSet pcOps = nodeCtx.getOrDefault(pc, new AccessRightSet()); + pcOps.addAll(uaOps); + nodeCtx.put(pc, pcOps); + } + } + }; + + Propagator propagator = (desc, asc) -> { + Map descCtx = visitedNodes.get(desc); + Map ascCtx = visitedNodes.getOrDefault(asc, new HashMap<>()); + + for (String name : descCtx.keySet()) { + AccessRightSet ops = ascCtx.getOrDefault(name, new AccessRightSet()); + ops.addAll(descCtx.get(name)); + ascCtx.put(name, ops); + } + + visitedNodes.put(asc, ascCtx); + }; + + DepthFirstGraphWalker dfs = new GraphStoreDFS(policyStore.graph()) + .withDirection(Direction.DESCENDANTS) + .withVisitor(visitor) + .withPropagator(propagator); + + List targetNodes = new ArrayList<>(); + if (targetCtx.isNode()) { + String target = targetCtx.getTarget(); + Node targetNode = policyStore.graph().getNode(target); + if (targetNode.getType().equals(PC)) { + target = PM_ADMIN_OBJECT.nodeName(); + } + + targetNodes.add(target); + + dfs.walk(target); + } else { + List attrs = targetCtx.getAttributes(); + 
targetNodes.addAll(attrs); + + dfs.walk(attrs); + } + + return new TargetDagResult(mergeResults(targetNodes, visitedNodes), reachedTargets); + } + + private Set collectUserProhibitionTargets(Set prohibitions) { + Set userProhibitionTargets = new HashSet<>(); + for (Prohibition prohibition : prohibitions) { + for (ContainerCondition cc : prohibition.getContainers()) { + userProhibitionTargets.add(cc.getName()); + } + } + + return userProhibitionTargets; + } + + private Map mergeResults(List targetNodes, Map> visitedNodes) { + HashMap merged = new HashMap<>(); + + for (String target : targetNodes) { + Map pcMap = visitedNodes.getOrDefault(target, new HashMap<>()); + + for (Map.Entry entry : pcMap.entrySet()) { + String pc = entry.getKey(); + AccessRightSet pcArset = entry.getValue(); + + if (!merged.containsKey(pc)) { + merged.put(pc, pcArset); + } else { + AccessRightSet mergedArset = merged.get(pc); + mergedArset.retainAll(pcArset); + merged.put(pc, mergedArset); + } + } + } + + return merged; + } + +} diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java new file mode 100644 index 000000000..2a795ebbb --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java 
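Review bot: `mergeResults` is not a strict intersection across the targets of an attribute-list `TargetContext`: a policy class that only some of `targetNodes` reach is kept with that target's full `pcArset` (the `!merged.containsKey(pc)` branch), and `retainAll` narrows only the policy classes every target reaches. If the multi-attribute form is meant to grant an access right only when the user holds it on every attribute, a policy class absent from any target's map should be dropped or emptied; if the current behaviour is intended, a comment on `mergeResults` should say so, because the Javadoc on `evaluate` describes only the single-target case. That Javadoc also lacks `@param userCtx`, `@param targetCtx`, `@return` and `@throws PMException`, and it is the main entry point of the class.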
@@ -0,0 +1,97 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.DepthFirstGraphWalker; +import gov.nist.csd.pm.pap.graph.dag.Propagator; +import gov.nist.csd.pm.pap.graph.node.Node; +import gov.nist.csd.pm.pap.graph.relationship.Association; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.query.model.explain.Path; +import gov.nist.csd.pm.pap.store.GraphStoreDFS; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +import static gov.nist.csd.pm.pap.admin.AdminPolicyNode.PM_ADMIN_OBJECT; +import static gov.nist.csd.pm.pap.graph.node.NodeType.PC; + +public class MemoryTargetExplainer { + + private PolicyStore policyStore; + + public MemoryTargetExplainer(PolicyStore policyStore) { + this.policyStore = policyStore; + } + + public Map>> explainTarget(TargetContext targetCtx) throws PMException { + targetCtx.checkExists(policyStore.graph()); + + Collection policyClasses = policyStore.graph().getPolicyClasses(); + + // initialize map with policy classes + Map, List>> pcPathAssociations = new HashMap<>(); + for (String pc : policyClasses) { + pcPathAssociations.put(pc, new HashMap<>(Map.of(new ArrayList<>(List.of(pc)), new ArrayList<>()))); + } + + Propagator propagator = (src, dst) -> { + Map, List> srcPathAssocs = pcPathAssociations.get(src); + Map, List> dstPathAssocs = pcPathAssociations.getOrDefault(dst, new HashMap<>()); + + for (Map.Entry, List> entry : srcPathAssocs.entrySet()) { + // add DST to the path from SRC + List targetPath = new ArrayList<>(entry.getKey()); + List associations = new ArrayList<>(entry.getValue()); + targetPath.addFirst(dst); + + // collect any associations for the DST node + Collection associationsWithTarget = policyStore.graph().getAssociationsWithTarget(dst); + associations.addAll(associationsWithTarget); + dstPathAssocs.put(targetPath, associations); + } + + // update dst entry + 
pcPathAssociations.put(dst, dstPathAssocs); + }; + + // DFS from target node + DepthFirstGraphWalker dfs = new GraphStoreDFS(policyStore.graph()) + .withPropagator(propagator); + + List nodes = new ArrayList<>(); + if (targetCtx.isNode()) { + String target = targetCtx.getTarget(); + Node targetNode = policyStore.graph().getNode(target); + if (targetNode.getType().equals(PC)) { + target = PM_ADMIN_OBJECT.nodeName(); + } + + nodes.add(target); + + dfs.walk(target); + } else { + nodes.addAll(targetCtx.getAttributes()); + + dfs.walk(targetCtx.getAttributes()); + } + + // convert the map created above into a map where the policy classes are the keys + Map>> pcMap = new HashMap<>(); + + for (String target : nodes) { + Map, List> targetPathAssocs = pcPathAssociations.get(target); + for (Map.Entry, List> entry : targetPathAssocs.entrySet()) { + Path targetPath = new Path(entry.getKey()); + List associations = new ArrayList<>(entry.getValue()); + + String pc = targetPath.getLast(); + + Map> pcPathAssocs = pcMap.getOrDefault(pc, new HashMap<>()); + pcPathAssocs.put(targetPath, associations); + pcMap.put(pc, pcPathAssocs); + } + } + + return pcMap; + } +} diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java new file mode 100644 index 000000000..b293d7c7c --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java 
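Review bot: `pcPathAssociations.get(target)` in the final conversion loop returns `null` for a target that no propagation reached — the map is seeded only with policy classes, so a node (or `PM_ADMIN_OBJECT`) with no path to any policy class leaves it absent — and the following `for (... : targetPathAssocs.entrySet())` then throws `NullPointerException` instead of returning an empty explanation; `pcPathAssociations.getOrDefault(target, Map.of())` avoids that, and `pcPathAssociations.get(src)` in the propagator has the same exposure. The DFS here and in `MemoryUserExplainer` is built without `.withDirection(...)`, whereas `MemoryTargetEvaluator` sets `Direction.DESCENDANTS` explicitly; if the walker default is anything else the explanation and the privilege computation walk different edges, so setting it explicitly in both explainers makes the intent checkable. Finally, the seed map uses a mutable `ArrayList` as a `HashMap` key; the code copies before mutating, but `List.copyOf(List.of(pc))` as the key removes the hazard altogether.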
@@ -0,0 +1,79 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.BreadthFirstGraphWalker; +import gov.nist.csd.pm.pap.graph.dag.Direction; +import gov.nist.csd.pm.pap.graph.dag.UserDagResult; +import gov.nist.csd.pm.pap.graph.dag.Visitor; +import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; +import gov.nist.csd.pm.pap.graph.relationship.Association; +import gov.nist.csd.pm.pap.prohibition.Prohibition; +import gov.nist.csd.pm.pap.query.model.context.UserContext; +import gov.nist.csd.pm.pap.store.GraphStoreBFS; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +public class MemoryUserEvaluator { + + private PolicyStore policyStore; + + public MemoryUserEvaluator(PolicyStore policyStore) { + this.policyStore = policyStore; + } + + /** + * Find the target nodes that are reachable by the subject via an association. This is done by a breadth first search + * starting at the subject node and walking up the user side of the graph until all user attributes the subject is assigned + * to have been visited. For each user attribute visited, get the associations it is the source of and store the + * target of that association as well as the operations in a map. If a target node is reached multiple times, add any + * new operations to the already existing ones. + * + * @return a Map of target nodes that the subject can reach via associations and the operations the user has on each. 
+ */ + protected UserDagResult evaluate(UserContext userCtx) throws PMException { + userCtx.checkExists(policyStore.graph()); + + final Map borderTargets = new HashMap<>(); + // initialize with the prohibitions or the provided process + final Set reachedProhibitions = new HashSet<>(getProhibitionsWithSubject(userCtx.getProcess())); + + Visitor visitor = node -> { + // cache prohibitions reached by the user + Collection subjectProhibitions = getProhibitionsWithSubject(node); + reachedProhibitions.addAll(subjectProhibitions); + + Collection nodeAssociations = policyStore.graph().getAssociationsWithSource(node); + collectAssociationsFromBorderTargets(nodeAssociations, borderTargets); + }; + + // start the bfs + BreadthFirstGraphWalker bfs = new GraphStoreBFS(policyStore.graph()) + .withDirection(Direction.DESCENDANTS) + .withVisitor(visitor); + + if (userCtx.isUser()) { + bfs.walk(userCtx.getUser()); + } else { + bfs.walk(userCtx.getAttributes()); + } + + return new UserDagResult(borderTargets, reachedProhibitions); + } + + private Collection getProhibitionsWithSubject(String node) throws PMException { + return policyStore.prohibitions().getProhibitions().getOrDefault(node, new ArrayList<>()); + } + + private void collectAssociationsFromBorderTargets(Collection assocs, Map borderTargets) { + for (Association association : assocs) { + AccessRightSet ops = association.getAccessRightSet(); + AccessRightSet exOps = borderTargets.getOrDefault(association.getTarget(), new AccessRightSet()); + //if the target is not in the map already, put it + //else add the found operations to the existing ones. + exOps.addAll(ops); + borderTargets.put(association.getTarget(), exOps); + } + } + +} diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java new file mode 100644 index 000000000..f0038e38c --- /dev/null 
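Review bot: `getProhibitionsWithSubject(userCtx.getProcess())` runs unconditionally, and the `EventContext` hunk in this commit changes the no-process value from `""` to `null`; if that `null` reaches `UserContext.getProcess()`, `getProhibitions().getOrDefault(null, ...)` works only when the returned map tolerates null keys (a `HashMap` does, `Map.of` and `ConcurrentHashMap` throw). A guard such as `String process = userCtx.getProcess();` followed by `process == null ? List.of() : getProhibitionsWithSubject(process)` makes the intent explicit rather than depending on the store's map type. The Javadoc on `evaluate` says the search walks "up the user side of the graph" while the BFS is configured with `Direction.DESCENDANTS`; if descendants are the attributes a user is assigned to in this model, say so in the comment so the two do not read as contradictory.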
+++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java 
@@ -0,0 +1,96 @@ +package gov.nist.csd.pm.impl.memory.pap.access; + +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.graph.dag.DepthFirstGraphWalker; +import gov.nist.csd.pm.pap.graph.dag.Propagator; +import gov.nist.csd.pm.pap.graph.relationship.Association; +import gov.nist.csd.pm.pap.query.model.context.UserContext; +import gov.nist.csd.pm.pap.query.model.explain.Path; +import gov.nist.csd.pm.pap.store.GraphStoreDFS; +import gov.nist.csd.pm.pap.store.PolicyStore; + +import java.util.*; + +public class MemoryUserExplainer { + + private PolicyStore policyStore; + + public MemoryUserExplainer(PolicyStore policyStore) { + this.policyStore = policyStore; + } + + public Map> explainIntersectionOfTargetPaths(UserContext userCtx, Map>> targetPaths) throws PMException { + userCtx.checkExists(policyStore.graph()); + + // initialize map with the UAs of the target path associations + Map> associationUAPaths = new HashMap<>(); + Set uasFromTargetPathAssociations = new HashSet<>(getUAsFromTargetPathAssociations(targetPaths)); + Map> pathsToUAs = new HashMap<>(); + for (String ua : uasFromTargetPathAssociations) { + pathsToUAs.put(ua, new HashSet<>(Set.of(new Path(ua)))); + } + + Propagator propagator = (src, dst) -> { + // don't propagate unless the src is a ua in a target path association or an already propagated to dst node + if (!uasFromTargetPathAssociations.contains(src) && !pathsToUAs.containsKey(src)) { + return; + } + + Set srcPaths = pathsToUAs.get(src); + Set dstPaths = pathsToUAs.getOrDefault(dst, new HashSet<>()); + + for (Path srcPath : srcPaths) { + Path copy = new Path(srcPath); + copy.addFirst(dst); + dstPaths.add(copy); + } + + pathsToUAs.put(dst, dstPaths); + }; + + DepthFirstGraphWalker dfs = new GraphStoreDFS(policyStore.graph()) + .withPropagator(propagator); + + List nodes = new ArrayList<>(); + if (userCtx.isUser()) { + String user = userCtx.getUser(); + nodes.add(user); + + dfs.walk(user); + } else { + List attributes = 
userCtx.getAttributes(); + nodes.addAll(attributes); + + dfs.walk(attributes); + } + + // transform the map so that the key is the last ua in the path pointing to it's paths + for (String node : nodes) { + Set userPaths = pathsToUAs.getOrDefault(node, new HashSet<>()); + + for (Path userPath : userPaths) { + String assocUA = userPath.getLast(); + Set assocUAPaths = associationUAPaths.getOrDefault(assocUA, new HashSet<>()); + assocUAPaths.add(userPath); + associationUAPaths.put(assocUA, assocUAPaths); + } + } + + return associationUAPaths; + } + + private List getUAsFromTargetPathAssociations(Map>> targetPaths) { + List uas = new ArrayList<>(); + + for (Map.Entry>> pcPaths : targetPaths.entrySet()) { + for (Map.Entry> pathAssociations : pcPaths.getValue().entrySet()) { + List associations = pathAssociations.getValue(); + for (Association association : associations) { + uas.add(association.getSource()); + } + } + } + + return uas; + } +} diff --git a/src/main/java/gov/nist/csd/pm/pap/AccessRightResolver.java b/src/main/java/gov/nist/csd/pm/pap/AccessRightResolver.java index 3c6c5759b..b3d9fdf7d 100644 --- a/src/main/java/gov/nist/csd/pm/pap/AccessRightResolver.java +++ b/src/main/java/gov/nist/csd/pm/pap/AccessRightResolver.java @@ -15,9 +15,9 @@ public class AccessRightResolver { private AccessRightResolver() {} - public static AccessRightSet resolvePrivileges(UserDagResult userCtx, TargetDagResult targetCtx, String target, AccessRightSet resourceOps) { + public static AccessRightSet resolvePrivileges(UserDagResult userCtx, TargetDagResult targetCtx, AccessRightSet resourceOps) { Map resolvedPcMap = new HashMap<>(); - for (Map.Entry pc : targetCtx.pcSet().entrySet()) { + for (Map.Entry pc : targetCtx.pcMap().entrySet()) { AccessRightSet pcOps = pc.getValue(); // replace instances of *, *a or *r with the literal access rights 
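Review bot: `explainIntersectionOfTargetPaths` is public with a non-obvious contract and has no Javadoc; something like `/** Returns, for each UA that is the source of an association on a target path, the set of paths from the user (or each of its attributes) to that UA. */` with `@param`/`@return`/`@throws PMException` would let callers use it without reading the propagator. As a point of style, `associationUAPaths` is declared at the top of the method but only filled in the final transform loop, and `getUAsFromTargetPathAssociations` returns a `List` that is immediately wrapped in a `HashSet`; declaring the map next to the loop and returning a `Set` from the helper would shorten the method.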
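Review bot: Dropping the `target` parameter from `resolvePrivileges`, `resolveDeniedAccessRights`, `computeSatisfiedProhibitions` and `isProhibitionSatisfied` (the three later hunks in this file) makes prohibition evaluation depend solely on `TargetDagResult.reachedTargets()`, and `MemoryTargetEvaluator` fills that one set across every `dfs.walk` call of an attribute-list `TargetContext`. An intersection prohibition whose containers are each reached from a different attribute is therefore reported as satisfied although no single target lies in all of them, and a complement prohibition is judged against the union of everything reached; whether that is the intended denial rule for multi-attribute targets should be decided and stated in Javadoc on `resolveDeniedAccessRights`, e.g. `/** Access rights denied by every prohibition whose container condition is met by reachedTargets; for a multi-attribute target that set covers all attributes together. */`. The new body of `isProhibitionSatisfied` is cut off in the `@@ -115` hunk, so the container logic itself could not be checked here.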
@@ -29,19 +29,19 @@ public static AccessRightSet resolvePrivileges(UserDagResult userCtx, TargetDagR AccessRightSet result = resolvePolicyClassAccessRightSets(resolvedPcMap); // remove any prohibited access rights - AccessRightSet denied = resolveDeniedAccessRights(userCtx, targetCtx, target); + AccessRightSet denied = resolveDeniedAccessRights(userCtx, targetCtx); result.removeAll(denied); return result; } - public static AccessRightSet resolveDeniedAccessRights(UserDagResult userCtx, TargetDagResult targetCtx, String target) { + public static AccessRightSet resolveDeniedAccessRights(UserDagResult userCtx, TargetDagResult targetCtx) { AccessRightSet denied = new AccessRightSet(); Set prohibitions = userCtx.prohibitions(); Set reachedTargets = targetCtx.reachedTargets(); for(Prohibition p : prohibitions) { - if (isProhibitionSatisfied(p, reachedTargets, target)) { + if (isProhibitionSatisfied(p, reachedTargets)) { denied.addAll(p.getAccessRightSet()); } } @@ -49,15 +49,14 @@ public static AccessRightSet resolveDeniedAccessRights(UserDagResult userCtx, Ta return denied; } - public static List computeSatisfiedProhibitions(UserDagResult userDagResult, TargetDagResult targetDagResult, - String target) { + public static List computeSatisfiedProhibitions(UserDagResult userDagResult, TargetDagResult targetDagResult) { List satisfied = new ArrayList<>(); Set prohibitions = userDagResult.prohibitions(); Set reachedTargets = targetDagResult.reachedTargets(); for(Prohibition p : prohibitions) { - if (isProhibitionSatisfied(p, reachedTargets, target)) { + if (isProhibitionSatisfied(p, reachedTargets)) { satisfied.add(p); } } 
@@ -106,7 +105,7 @@ private static void resolveWildcardAccessRights(AccessRightSet accessRightSet, A } } - private static boolean isProhibitionSatisfied(Prohibition prohibition, Set reachedTargets, String target) { + private static boolean isProhibitionSatisfied(Prohibition prohibition, Set reachedTargets) { boolean inter = prohibition.isIntersection(); Collection containers = prohibition.getContainers(); boolean addOps = false; @@ -115,35 +114,12 @@ private static boolean isProhibitionSatisfied(Prohibition prohibition, Set firstLevel) throws PMException { + for (String node : firstLevel) { + walk(node); + } + } + private boolean walkInternal(String start) throws PMException { Collection nextLevel = getNextLevel(start); Set skip = new HashSet<>(); diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/dag/DepthFirstGraphWalker.java b/src/main/java/gov/nist/csd/pm/pap/graph/dag/DepthFirstGraphWalker.java index 900f76766..eebb02bbb 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/dag/DepthFirstGraphWalker.java +++ b/src/main/java/gov/nist/csd/pm/pap/graph/dag/DepthFirstGraphWalker.java @@ -4,6 +4,7 @@ import gov.nist.csd.pm.pap.query.GraphQuery; import java.util.Collection; +import java.util.List; public class DepthFirstGraphWalker implements GraphWalker { @@ -77,6 +78,13 @@ public void walk(String start) throws PMException { walkInternal(start); } + @Override + public void walk(List firstLevel) throws PMException { + for (String node : firstLevel) { + walkInternal(node); + } + } + private int walkInternal(String start) throws PMException { if (allPathsShortCircuit.evaluate(start)) { visitor.visit(start); diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/dag/GraphWalker.java b/src/main/java/gov/nist/csd/pm/pap/graph/dag/GraphWalker.java index a548784a3..7227c22a0 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/dag/GraphWalker.java +++ b/src/main/java/gov/nist/csd/pm/pap/graph/dag/GraphWalker.java 
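Review bot: The new `walk(List firstLevel)` in `DepthFirstGraphWalker` calls `walkInternal(node)` directly, while the `BreadthFirstGraphWalker` counterpart earlier in this chunk delegates to `walk(node)`; the context line shows `walk(String)` ending in `walkInternal(start)` but not what precedes it, so any setup done there is skipped for the list form, and the `int` that `walkInternal` returns — used by the short-circuit logic visible at the end of the hunk — is discarded for every node. Delegating to `walk(node)` in both walkers keeps the two implementations consistent. The `GraphWalker` Javadoc in the next hunk promises traversal "as if there was a node assigned to the given nodes", which a plain loop only delivers if visited state is shared across the calls; the hunk does not show that, so a comment on the loop stating whether it is would make the contract checkable.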
@@ -2,11 +2,22 @@ import gov.nist.csd.pm.pap.exception.PMException; +import java.util.List; + public interface GraphWalker { /** - * Traverse a graph starting at the start node. + * Traverse the graph starting at the given node. + * @param start The node to start traversing at. + * @throws PMException If there is an exception in the PM. */ void walk(String start) throws PMException; + /** + * Traverse the graph as if there was a node assigned to the given nodes. + * @param firstLevel The node to start traversing at. + * @throws PMException If there is an exception in the PM. + */ + void walk(List firstLevel) throws PMException; + } diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/dag/TargetDagResult.java b/src/main/java/gov/nist/csd/pm/pap/graph/dag/TargetDagResult.java index 6f84fba87..3bad33135 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/dag/TargetDagResult.java +++ b/src/main/java/gov/nist/csd/pm/pap/graph/dag/TargetDagResult.java @@ -5,6 +5,6 @@ import java.util.Map; import java.util.Set; -public record TargetDagResult(Map pcSet, Set reachedTargets) { +public record TargetDagResult(Map pcMap, Set reachedTargets) { } diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/dag/UserDagResult.java b/src/main/java/gov/nist/csd/pm/pap/graph/dag/UserDagResult.java index 3fadb4df6..faa7111c6 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/dag/UserDagResult.java +++ b/src/main/java/gov/nist/csd/pm/pap/graph/dag/UserDagResult.java @@ -9,9 +9,8 @@ import java.util.Set; public record UserDagResult(Map borderTargets, - Set prohibitions, - Set prohibitionTargets) { + Set prohibitions) { public UserDagResult() { - this(new HashMap<>(), new HashSet<>(), new HashSet<>()); + this(new HashMap<>(), new HashSet<>()); } } diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java b/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java index e42dbe1a8..2f2f64786 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java 
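Review bot: The new `walk(List firstLevel)` Javadoc in `GraphWalker` copies the single-node wording — `@param firstLevel The node to start traversing at.` — for a parameter that is a list; `@param firstLevel The nodes to start traversing at; they are walked as if they were the adjacent nodes of one virtual start node.` matches the summary sentence. It would also help to state whether the visitor may see the same node more than once when `firstLevel` entries share descendants, since the two implementations in this commit answer that differently depending on what `walkInternal` shares.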
+++ b/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java @@ -15,21 +15,29 @@ * OS = Operation Set */ public enum NodeType implements Serializable { - OA("OA"), - UA("UA"), - U("U"), - O("O"), - PC("PC"), - ANY("ANY"); + OA(0), + UA(1), + U(2), + O(3), + PC(4), + ANY(5); - private final String label; + private final int i; - NodeType(String label) { - this.label = label; + NodeType(int i) { + this.i = i; } public String toString() { - return label; + return switch (i) { + case 0 -> "OA"; + case 1 -> "UA"; + case 2 -> "U"; + case 3 -> "O"; + case 4 -> "PC"; + case 5 -> "ANY"; + default -> throw new IllegalStateException("Unexpected value: " + i); + }; } /** diff --git a/src/main/java/gov/nist/csd/pm/pap/obligation/EventContext.java b/src/main/java/gov/nist/csd/pm/pap/obligation/EventContext.java index a3f7816b6..c465c5a59 100644 --- a/src/main/java/gov/nist/csd/pm/pap/obligation/EventContext.java +++ b/src/main/java/gov/nist/csd/pm/pap/obligation/EventContext.java @@ -23,15 +23,19 @@ public EventContext(String user, String process, String opName, Map operands, List nodeOperands) { - this(user, "", opName, operands, nodeOperands); + this(user, null, opName, operands, nodeOperands); } public EventContext(String user, String process, Operation op, Map operands) { this(user, process, op.getName(), operands, op.getNodeOperands()); } + public EventContext(String user, Operation op, Map operands) { + this(user, null, op.getName(), operands, op.getNodeOperands()); + } + public EventContext(String user, String opName, Map operands) { - this(user, "", opName, operands, List.of()); + this(user, null, opName, operands, List.of()); } public String user() { diff --git a/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java b/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java index b26776ae1..15318ba45 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java 
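Review bot: Replacing the `label` field with an `int` index and a `switch` in `toString()` adds an unreachable `default -> throw` and a second table that must be kept in sync whenever a constant is added; `return name();` (or keeping `private final String label`) yields the same six strings with nothing to maintain. If the integer exists for serialization or wire compatibility, a comment on the field saying so, and that the values must stay stable, would explain the change to the next reader.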
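Review bot: Changing the no-process sentinel from `""` to `null` in the two delegating constructors (and the new `EventContext(String, Operation, Map)` overload) makes `process` nullable for every consumer; code that compared against `""` or used the process as a map key may now behave differently, and the `MemoryUserEvaluator` hunk in this commit looks prohibitions up by process without a null check. Document it on the accessor — `/** The process on whose behalf the event occurred, or null when the event is not tied to a process. */` — and make the obligation-matching and `UserContext` paths handle null explicitly.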
@@ -62,7 +62,6 @@ public class AdminAccessRights { public static final String CREATE_ADMIN_ROUTINE = "create_admin_routine"; public static final String DELETE_ADMIN_ROUTINE = "delete_admin_routine"; - // policy review public static final String REVIEW_POLICY = "review_policy"; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/Operation.java b/src/main/java/gov/nist/csd/pm/pap/op/Operation.java index 69c85f140..649bc00b4 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/Operation.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/Operation.java @@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.exception.OperandsDoNotMatchException; import gov.nist.csd.pm.pap.executable.AdminExecutable; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.io.Serializable; import java.util.*; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/PreparedOperation.java b/src/main/java/gov/nist/csd/pm/pap/op/PreparedOperation.java index 44a55f2c8..6b3dd7175 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/PreparedOperation.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/PreparedOperation.java @@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.obligation.EventContext; import gov.nist.csd.pm.pap.PAP; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.Map; import java.util.Objects; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java b/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java index 27737096e..d2850f0f0 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java 
@@ -5,15 +5,14 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.pml.pattern.Pattern; import gov.nist.csd.pm.pap.pml.pattern.ReferencedNodes; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; import gov.nist.csd.pm.pdp.exception.UnauthorizedException; import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; -import gov.nist.csd.pm.pap.query.UserContext; -import gov.nist.csd.pm.pap.graph.node.Node; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.Arrays; import java.util.Collection; - -import static gov.nist.csd.pm.pap.graph.node.NodeType.PC; +import java.util.List; public class PrivilegeChecker { 
@@ -34,23 +33,34 @@ public void setExplain(boolean explain) { } public void check(UserContext userCtx, String target, Collection toCheck) throws PMException { - AccessRightSet computed = pap.query().access().computePrivileges(userCtx, target); - if (!computed.containsAll(toCheck)) { - if (explain) { - throw new UnauthorizedException(pap.query().access().explain(userCtx, target), userCtx, target, toCheck); - } else { - throw new UnauthorizedException(null, userCtx, target, toCheck); - } - } + TargetContext targetContext = new TargetContext(target); + + AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext); + + checkOrThrow(userCtx, targetContext, computed, toCheck); + } + + public void check(UserContext userCtx, UserContext target, Collection toCheck) throws PMException { + TargetContext targetContext = new TargetContext(target); + + AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext); + + checkOrThrow(userCtx, targetContext, computed, toCheck); + } + + public void check(UserContext userCtx, TargetContext targetContext, Collection toCheck) throws PMException { + AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext); + + checkOrThrow(userCtx, targetContext, computed, toCheck); } public void check(UserContext userCtx, String target, String... toCheck) throws PMException { check(userCtx, target, Arrays.asList(toCheck)); } - public void check(UserContext userCtx, Collection targets, String... toCheck) throws PMException { + public void check(UserContext userCtx, List targets, String... toCheck) throws PMException { for (String target : targets) { - check(userCtx, target, toCheck); + check(userCtx, target, Arrays.asList(toCheck)); } } 
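Review bot: `check(UserContext, List targets, String...)` narrows the previous `Collection targets` parameter to `List`, a source-incompatible change for callers that pass a `Set`, and the method only iterates, so nothing is gained; keeping `Collection` avoids the break. The `String` and `UserContext` overloads repeat the same two lines as the `TargetContext` one and could delegate to it — `check(userCtx, new TargetContext(target), toCheck);` — so the privilege computation lives in one place.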
@@ -65,6 +75,29 @@ public void checkPattern(UserContext userCtx, Pattern pattern, String toCheck) t for (String entity : referencedNodes.nodes()) { check(userCtx, entity, toCheck); } + } + private void checkOrThrow(UserContext userContext, TargetContext targetContext, AccessRightSet computed, Collection toCheck) throws PMException { + if (!computed.containsAll(toCheck) || (toCheck.isEmpty() && computed.isEmpty())) { + if (explain) { + throw new UnauthorizedException( + pap.query().access().explain(userContext, targetContext), + userContext, + targetContext, + toCheck + ); + } else { + throw new UnauthorizedException(null, userContext, targetContext, toCheck); + } + } + } + + private void checkOrThrow(UserContext userCtx, List targetContexts, List privileges, Collection toCheck) throws PMException { + for (int i = 0; i < targetContexts.size(); i++) { + TargetContext targetContext = targetContexts.get(i); + AccessRightSet privs = privileges.get(i); + + checkOrThrow(userCtx, targetContext, privs, toCheck); + } } } diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/AssignOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/AssignOp.java index 8835c4eaa..f3c0a8067 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/AssignOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/AssignOp.java @@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/AssociateOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/AssociateOp.java index b8f29cb78..6feef9408 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/AssociateOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/AssociateOp.java 
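Review bot: The condition in `checkOrThrow` makes an empty `toCheck` mean "the user must hold at least one access right on the target" (`toCheck.isEmpty() && computed.isEmpty()` fails the check), which is a deliberate authorization rule that nothing in the code states; a comment such as `// an empty toCheck requires at least one privilege on the target; with none at all the user is unauthorized` belongs above the `if`. The list-based `checkOrThrow(UserContext, List, List, Collection)` indexes `privileges.get(i)` without verifying the two lists have the same length and has no caller in this hunk; add `if (targetContexts.size() != privileges.size()) throw new IllegalArgumentException("targetContexts and privileges differ in size");` or remove it until it is used. There is also no blank line between the closing brace of `checkPattern` and the new private method.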
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/CreateNodeOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/CreateNodeOp.java index c3aee1e9f..dc4652224 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/CreateNodeOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/CreateNodeOp.java @@ -2,7 +2,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.*; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/CreatePolicyClassOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/CreatePolicyClassOp.java index 616ef7db0..0b883f7a0 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/CreatePolicyClassOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/CreatePolicyClassOp.java @@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.*; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/DeassignOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/DeassignOp.java index 632ba9014..a2534f256 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/DeassignOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/DeassignOp.java 
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/DeleteNodeOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/DeleteNodeOp.java index 0fbcaea91..9028e150d 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/DeleteNodeOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/DeleteNodeOp.java @@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.Collection; import java.util.List; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/DissociateOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/DissociateOp.java index 4e89d81c9..8e800ac07 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/DissociateOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/DissociateOp.java @@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/graph/SetNodePropertiesOp.java b/src/main/java/gov/nist/csd/pm/pap/op/graph/SetNodePropertiesOp.java index ca7ad3b06..3e4367312 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/graph/SetNodePropertiesOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/graph/SetNodePropertiesOp.java 
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/obligation/ObligationOp.java b/src/main/java/gov/nist/csd/pm/pap/op/obligation/ObligationOp.java index 43081a2a1..0aab71b51 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/obligation/ObligationOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/obligation/ObligationOp.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.pml.pattern.operand.OperandPatternExpression; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/operation/CreateAdminOperationOp.java b/src/main/java/gov/nist/csd/pm/pap/op/operation/CreateAdminOperationOp.java index 1ddc2aef5..34204f0ee 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/operation/CreateAdminOperationOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/operation/CreateAdminOperationOp.java @@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.*; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/operation/DeleteAdminOperationOp.java b/src/main/java/gov/nist/csd/pm/pap/op/operation/DeleteAdminOperationOp.java index 14668b8e1..74ba5dac6 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/operation/DeleteAdminOperationOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/operation/DeleteAdminOperationOp.java 
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/operation/SetResourceOperationsOp.java b/src/main/java/gov/nist/csd/pm/pap/op/operation/SetResourceOperationsOp.java index a2eab000b..8d5652beb 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/operation/SetResourceOperationsOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/operation/SetResourceOperationsOp.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/prohibition/ProhibitionOp.java b/src/main/java/gov/nist/csd/pm/pap/op/prohibition/ProhibitionOp.java index c336d0fef..e17bc1ac0 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/prohibition/ProhibitionOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/prohibition/ProhibitionOp.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.*; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/routine/CreateAdminRoutineOp.java b/src/main/java/gov/nist/csd/pm/pap/op/routine/CreateAdminRoutineOp.java index e27717bf0..e63bdea7b 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/routine/CreateAdminRoutineOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/routine/CreateAdminRoutineOp.java 
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.routine.Routine; import java.util.List; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/routine/DeleteAdminRoutineOp.java b/src/main/java/gov/nist/csd/pm/pap/op/routine/DeleteAdminRoutineOp.java index e6610f4f1..37ca98abc 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/routine/DeleteAdminRoutineOp.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/routine/DeleteAdminRoutineOp.java @@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/context/ExecutionContext.java b/src/main/java/gov/nist/csd/pm/pap/pml/context/ExecutionContext.java index 2226a6d4b..f8e0b45fc 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/context/ExecutionContext.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/context/ExecutionContext.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.pml.scope.ExecuteGlobalScope; import gov.nist.csd.pm.pap.pml.statement.PMLStatement; import gov.nist.csd.pm.pap.pml.value.*; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.pml.scope.Scope; import java.io.Serializable; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapper.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapper.java index 5388e73e5..3a7158e65 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapper.java 
+++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapper.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.HashMap; import java.util.List; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLStmtsOperation.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLStmtsOperation.java index 66dbcb4c2..409cc724a 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLStmtsOperation.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLStmtsOperation.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.statement.PMLStatementSerializable; import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Append.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Append.java index 199e59b4b..6d22b86db 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Append.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Append.java @@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; 
diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/AppendAll.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/AppendAll.java index 9d7c14a25..13b8c507b 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/AppendAll.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/AppendAll.java @@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Concat.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Concat.java index 5d6e5edc6..06e837e66 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Concat.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Concat.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Contains.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Contains.java index 624815379..b7bf8dcc5 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Contains.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Contains.java 
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/ContainsKey.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/ContainsKey.java index 56c1a6fac..174302e8c 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/ContainsKey.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/ContainsKey.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Equals.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Equals.java index a78309c4f..83dc5a21d 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Equals.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Equals.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentAscendants.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentAscendants.java index 9498c1ac7..7f4605764 100644 
--- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentAscendants.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentAscendants.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.ArrayList; import java.util.Collection; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentDescendants.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentDescendants.java index 4ce478da7..2896b23a3 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentDescendants.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAdjacentDescendants.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.ArrayList; import java.util.Collection; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithSource.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithSource.java index 8b7e9f484..a215724ca 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithSource.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithSource.java 
@@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.ArrayList; import java.util.Collection; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithTarget.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithTarget.java index 6c4611ee2..8b17b39e4 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithTarget.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetAssociationsWithTarget.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.ArrayList; import java.util.Collection; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNode.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNode.java index 6c7cb478d..4178cc352 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNode.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNode.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.executable.operation.PMLOperation; import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; 
diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeProperties.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeProperties.java index 8f852c67f..23b79ee40 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeProperties.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeProperties.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.value.MapValue; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.HashMap; import java.util.List; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeType.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeType.java index 1bc2dccae..dcfe0938d 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeType.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/GetNodeType.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyKey.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyKey.java index 6cf005cc2..9106ebf0f 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyKey.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyKey.java 
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyValue.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyValue.java index d0dc81a99..5da473744 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyValue.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/HasPropertyValue.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/NodeExists.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/NodeExists.java index 4ed61c361..45f39083b 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/NodeExists.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/NodeExists.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.type.Type; import gov.nist.csd.pm.pap.pml.value.BoolValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Search.java b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Search.java index 42906f5c8..742629ee3 100644 
--- a/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Search.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/executable/operation/builtin/Search.java @@ -10,7 +10,7 @@ import gov.nist.csd.pm.pap.pml.value.ArrayValue; import gov.nist.csd.pm.pap.pml.value.StringValue; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.*; diff --git a/src/main/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatement.java b/src/main/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatement.java index 2590bafd3..0e0bb59f7 100644 --- a/src/main/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatement.java +++ b/src/main/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatement.java @@ -10,7 +10,7 @@ import gov.nist.csd.pm.pap.op.obligation.DeleteObligationOp; import gov.nist.csd.pm.pap.pml.context.ExecutionContext; import gov.nist.csd.pm.pap.pml.expression.Expression; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.ArrayList; import java.util.List; diff --git a/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java b/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java index 1679913eb..6db07af38 100644 --- a/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java +++ b/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java @@ -2,9 +2,12 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges; import gov.nist.csd.pm.pap.query.model.explain.Explain; +import java.util.List; import java.util.Map; /** 
@@ -13,62 +16,72 @@ public interface AccessQuery { /** - * Compute the privileges the user has on the target node. - * @param userCtx The user and process (optional). - * @param target The target node. + * Compute the privileges the user has on the target node. The provided User and Target contexts, allow for the + * specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. + * @param targetCtx The target node or list of attributes. * @return An AccessRightSet that contains the users privileges on the target node. * @throws PMException If there is an error in the PM. */ - AccessRightSet computePrivileges(UserContext userCtx, String target) throws PMException; + AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException; /** - * Compute the privileges that are denied for the user on the target node. - * @param userCtx The user and process (optional). - * @param target The target node. - * @return An AccessRightSet that contains the users denied privileges on the target node. + * Compute the privileges the user has on each target node. The provided User and Target contexts, allow for the + * specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. + * @param targetCtxs The target nodes. + * @return An AccessRightSet that contains the users privileges on the target node. * @throws PMException If there is an error in the PM. */ - AccessRightSet computeDeniedPrivileges(UserContext userCtx, String target) throws PMException; + List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException; /** - * Compute the access rights that a user has access to under each policy class the target is an ascendant of. This - * does not include prohibitions. - * @param userCtx The user and process (optional). 
- * @param target The target node. - * @return A mapping of policy class names to the access rights the user has under them on the target node. + * Compute the privileges that are denied for the user on the target node.The provided User and Target contexts, + * allow for the specification of a single node or a list of attributes. + * @param userCtx The user and process or list of attributes and process. Process is optional. + * @param targetCtx The target node or list of attributes. + * @return An AccessRightSet that contains the users denied privileges on the target node. * @throws PMException If there is an error in the PM. */ - Map computePolicyClassAccessRights(UserContext userCtx, String target) throws PMException; + AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException; /** - * Compute a mapping of all the nodes the user has access to the access rights they have on each. - * @param userCtx The user and process (optional). + * Compute a mapping of all the nodes the user has access to the access rights they have on each. The provided + * UserContext allows for the specification of a single node or a list of attributes. + * @param userCtx The user and process or list of attributes and process. Process is optional. * @return A mapping of node names to access rights. * @throws PMException If there is an error in the PM. */ Map computeCapabilityList(UserContext userCtx) throws PMException; /** - * Compute the Access Control List for the given target. - * @param target The target node. + * Compute the Access Control List for the node or a list of attributes. The provided TargetContext allows for the + * specification of a single node or a list of attributes. + * @param targetCtx The target node or list of attributes. * @return A mapping of each user and their privileges on the target. * @throws PMException If there is an error in the PM. 
*/ - Map computeACL(String target) throws PMException; + Map computeACL(TargetContext targetCtx) throws PMException; /** * Compute the attributes that are targets of associations in which the user attribute is a descendant of the user. - * @param user The user node. + * The provided UserContext allows for the specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. * @return A mapping of the destination attributes to the access rights in the destination association. * @throws PMException If there is an error in the PM. */ - Map computeDestinationAttributes(String user) throws PMException; + Map computeDestinationAttributes(UserContext userCtx) throws PMException; /** * Compute the privileges for all nodes in the subgraph starting at the root node. The returned Subgraph object stores * the privileges for the user on the root node and a recursive list of the users access to the root node's subgraph. * Any node that the user does not have access to will be included in the result but will have an empty privileges set. - * @param userCtx The user and process (optional). + * The provided UserContext allows for the specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. * @param root The root node. * @return The Subgraph for the root node. * @throws PMException If there is an error in the PM. 
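Review bot: The Javadoc of the new `List computePrivileges(UserContext userCtx, List targetCtxs)` was copied from the single-target method and its `@return` still says "An AccessRightSet that contains the users privileges on the target node", although the method returns a list; it should read `@return A List of AccessRightSets, the i-th holding the user's privileges on the i-th entry of targetCtxs.` — the index-paired loop in PrivilegeChecker.checkOrThrow earlier in this patch relies on that correspondence, so the ordering guarantee should be stated explicitly, or the loop reconsidered if it is not guaranteed. The computeDeniedPrivileges summary is missing a space in "target node.The provided", and the phrase "User and Target contexts, allow" carries a stray comma; the same comma recurs in the explain Javadoc of the later hunk in this file. The interface declaration continues outside the hunk.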
@@ -77,8 +90,10 @@ public interface AccessQuery { /** * Compute the privileges for the adjacent ascendants of the given root node. Any node that the user does not have - * access to will be included in the result but will have an empty privileges set. - * @param userCtx The user and process (optional). + * access to will be included in the result but will have an empty privileges set. The provided UserContext allows + * for the specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. * @param root The root node. * @return A Map of the adjacent ascendants of the root node the user has access to and the privileges on each. * @throws PMException If there is an error in the PM. 
@@ -86,21 +101,36 @@ public interface AccessQuery { Map computeAdjacentAscendantPrivileges(UserContext userCtx, String root) throws PMException; /** - * Explain why a user may or may not have privileges on a target node. - * @param userCtx The user and process (optional). - * @param target The target node. + * Compute the privileges for the adjacent descendants of the given root node. Any node that the user does not have + * access to will be included in the result but will have an empty privileges set. The provided UserContext allows + * for the specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. + * @param root The root node. + * @return A Map of the adjacent descendants of the root node the user has access to and the privileges on each. + * @throws PMException If there is an error in the PM. + */ + Map computeAdjacentDescendantPrivileges(UserContext userCtx, String root) throws PMException; + + /** + * Explain why a user may or may not have privileges on a target node. The provided User and Target contexts, allow + * for the specification of a single node or a list of attributes. + * + * @param userCtx The user and process or list of attributes and process. Process is optional. + * @param targetCtx The target node or list of attributes. * @return An Explain object which enumerates the paths under each policy class that the user has access to the * target node. * @throws PMException If there is an error in the PM. */ - Explain explain(UserContext userCtx, String target) throws PMException; + Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMException; /** * Compute the original configuration of a user's Personal Object System. The returned nodes are the nodes closest * to policy class nodes that the user has privileges on. If the user has privileges on policy classes, the returned - * nodes will just be the set of policy classes. 
+ * nodes will just be the set of policy classes. The provided UserContext allows for the specification of a single + * node or a list of attributes. * - * @param userCtx The user and process (optional). + * @param userCtx The user and process or list of attributes and process. Process is optional. * @return A map of nodes representing the first level of the user's POS and the privileges of the user. * @throws PMException If there is an error in the PM. */ diff --git a/src/main/java/gov/nist/csd/pm/pap/query/UserContext.java b/src/main/java/gov/nist/csd/pm/pap/query/UserContext.java deleted file mode 100644 index 1fa972fa2..000000000 --- a/src/main/java/gov/nist/csd/pm/pap/query/UserContext.java +++ /dev/null @@ -1,60 +0,0 @@ -package gov.nist.csd.pm.pap.query; - -import java.io.Serializable; -import java.util.Objects; - -public class UserContext implements Serializable { - - public static final String NO_PROCESS = ""; - private String user; - private String process; - - public UserContext(String user, String process) { - this.user = user; - this.process = process; - } - - public UserContext(String user) { - this.user = user; - this.process = NO_PROCESS; - } - - public UserContext() { - this.user = ""; - this.process = ""; - } - - public String getUser() { - return user; - } - - public void setUser(String user) { - this.user = user; - } - - public String getProcess() { - return process; - } - - public void setProcess(String process) { - this.process = process; - } - - @Override - public String toString() { - return "user=" + user + (process.isEmpty() ? "" : "process=" + process); - } - - @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - UserContext that = (UserContext) o; - return Objects.equals(user, that.user) && Objects.equals(process, that.process); - } - - @Override - public int hashCode() { - return Objects.hash(user, process); - } -} 
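Review bot: The Javadoc added for computeAdjacentDescendantPrivileges contradicts itself: the description says nodes the user cannot access are included with an empty privilege set, while the `@return` says the map holds only the descendants "the user has access to"; the ascendant variant's `@return` carries the same contradiction. Suggest `@return A Map from each adjacent descendant of the root node to the user's privileges on it (an empty set where the user has no access).` and the matching wording for the ascendant method. The explain() Javadoc has a stray comma in "User and Target contexts, allow for".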
diff --git a/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java b/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java new file mode 100644 index 000000000..22cac1b86 --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java 
@@ -0,0 +1,86 @@
+package gov.nist.csd.pm.pap.query.model.context;
+
+import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException;
+import gov.nist.csd.pm.pap.exception.PMException;
+import gov.nist.csd.pm.pap.store.GraphStore;
+
+import java.util.List;
+import java.util.Objects;
+
+public class TargetContext {
+
+ private String target;
+ private List attributes;
+
+ public TargetContext(String target) {
+ this.target = target;
+ }
+
+ public TargetContext(UserContext target) {
+ if (target.isUser()) {
+ this.target = target.getUser();
+ } else {
+ this.attributes = target.getAttributes();
+ }
+ }
+
+ public TargetContext(List attributes) {
+ this.attributes = attributes;
+ }
+
+ public String getTarget() {
+ return target;
+ }
+
+ public void setTarget(String target) {
+ this.target = target;
+ }
+
+ public List getAttributes() {
+ return attributes;
+ }
+
+ public void setAttributes(List attributes) {
+ this.attributes = attributes;
+ }
+
+ public boolean isNode() {
+ return target != null;
+ }
+
+ public void checkExists(GraphStore graphStore) throws PMException {
+ if (isNode()) {
+ if (!graphStore.nodeExists(target)) {
+ throw new NodeDoesNotExistException(target);
+ }
+ } else {
+ for (String attribute : attributes) {
+ if (!graphStore.nodeExists(attribute)) {
+ throw new NodeDoesNotExistException(attribute);
+ }
+ }
+ }
+ }
+
+ @Override
+ public String toString() {
+ String s = "%s";
+ if (isNode()) {
+ return String.format(s, "target=" + target);
+ } else {
+ return String.format(s, "attributes=" + attributes);
+ }
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (!(o instanceof TargetContext that)) return false;
+ return Objects.equals(target, that.target) && Objects.equals(attributes, that.attributes);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(target, attributes);
+ }
+}
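Review bot: `checkExists` in TargetContext dereferences `attributes` whenever `target` is null, so `new TargetContext((String) null)`, or a `TargetContext(UserContext)` built from a context with neither user nor attributes, fails with a NullPointerException instead of a PMException; add a guard in the else branch before the loop (e.g. reject a context that has neither a target nor attributes with an IllegalStateException, or reject null arguments in the constructors). The attribute list is stored and returned by reference with public setters, so the identity that `checkExists` validated can be changed afterwards; `this.attributes = List.copyOf(attributes);` in the constructors would keep a validated context stable. Both points apply identically to the new UserContext at the next file. `toString()` goes through `String.format("%s", ...)` for no effect; `return isNode() ? "target=" + target : "attributes=" + attributes;` is equivalent.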
diff --git a/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java b/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java new file mode 100644 index 000000000..c9ba47853 --- /dev/null +++ b/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java 
@@ -0,0 +1,102 @@
+package gov.nist.csd.pm.pap.query.model.context;
+
+import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException;
+import gov.nist.csd.pm.pap.exception.PMException;
+import gov.nist.csd.pm.pap.store.GraphStore;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Objects;
+
+public class UserContext implements Serializable {
+
+ private String user;
+ private List attributes;
+ private String process;
+
+ public UserContext(String user, String process) {
+ this.user = user;
+ this.process = process;
+ }
+
+ public UserContext(String user) {
+ this.user = user;
+ }
+
+ public UserContext(List attributes, String process) {
+ this.attributes = attributes;
+ this.process = process;
+ }
+
+ public UserContext(List attributes) {
+ this.attributes = attributes;
+ }
+
+ public String getUser() {
+ return user;
+ }
+
+ public void setUser(String user) {
+ this.user = user;
+ }
+
+ public List getAttributes() {
+ return attributes;
+ }
+
+ public void setAttributes(List attributes) {
+ this.attributes = attributes;
+ }
+
+ public String getProcess() {
+ return process;
+ }
+
+ public void setProcess(String process) {
+ this.process = process;
+ }
+
+ public boolean isUser() {
+ return user != null;
+ }
+
+ public void checkExists(GraphStore graphStore) throws PMException {
+ if (isUser()) {
+ if (!graphStore.nodeExists(user)) {
+ throw new NodeDoesNotExistException(user);
+ }
+ } else {
+ for (String attribute : attributes) {
+ if (!graphStore.nodeExists(attribute)) {
+ throw new NodeDoesNotExistException(attribute);
+ }
+ }
+ }
+ }
+
+ @Override
+ public String toString() {
+ String s = "%s";
+ if (process != null) {
+ s += ", process=" + process + "]";
+ }
+
+ if (isUser()) {
+ return String.format(s, "user=" + user);
+ } else {
+ return String.format(s, "attributes=" + attributes);
+ }
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (!(o instanceof UserContext that)) return false;
+ return
Objects.equals(user, that.user) && Objects.equals(attributes, that.attributes) && Objects.equals(process, that.process); + } + + @Override + public int hashCode() { + return Objects.hash(user, attributes, process); + } +} \ No newline at end of file diff --git a/src/main/java/gov/nist/csd/pm/pap/serialization/PolicyDeserializer.java b/src/main/java/gov/nist/csd/pm/pap/serialization/PolicyDeserializer.java index 6e7a33a40..dfd92e153 100644 --- a/src/main/java/gov/nist/csd/pm/pap/serialization/PolicyDeserializer.java +++ b/src/main/java/gov/nist/csd/pm/pap/serialization/PolicyDeserializer.java @@ -2,7 +2,7 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.PAP; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; public interface PolicyDeserializer { diff --git a/src/main/java/gov/nist/csd/pm/pap/serialization/json/JSONDeserializer.java b/src/main/java/gov/nist/csd/pm/pap/serialization/json/JSONDeserializer.java index baab7712f..49ed9fd14 100644 --- a/src/main/java/gov/nist/csd/pm/pap/serialization/json/JSONDeserializer.java +++ b/src/main/java/gov/nist/csd/pm/pap/serialization/json/JSONDeserializer.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.serialization.PolicyDeserializer; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.exception.PMException; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.graph.node.NodeType; import java.util.*; diff --git a/src/main/java/gov/nist/csd/pm/pap/serialization/pml/PMLDeserializer.java b/src/main/java/gov/nist/csd/pm/pap/serialization/pml/PMLDeserializer.java index 244211367..eae36357e 100644 --- a/src/main/java/gov/nist/csd/pm/pap/serialization/pml/PMLDeserializer.java +++ b/src/main/java/gov/nist/csd/pm/pap/serialization/pml/PMLDeserializer.java 
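Review bot: `toString()` in the new UserContext appends `", process=" + process + "]"` with no opening bracket, so a context with a process renders as `user=u1, process=p]`, and once UnauthorizedException wraps it in `"[" + user + "]"` the message ends in `]]`; replace the format indirection with `String base = isUser() ? "user=" + user : "attributes=" + attributes;` followed by `return process == null ? base : base + ", process=" + process;`. The deleted class defaulted `process` to `NO_PROCESS` (`""`) while the new one leaves it null, so `getProcess()` now returns null for `new UserContext("u1")`; any caller outside this diff that does `getProcess().isEmpty()` (as the deleted `toString` did) would throw, which is worth a search before merging. Since this object is the identity that authorization decisions are made on, its Javadoc should also state whether a null `user` with null `attributes` is a legal state, because `checkExists` does not handle it.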
@@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.serialization.PolicyDeserializer; import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.exception.PMException; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; public class PMLDeserializer implements PolicyDeserializer { diff --git a/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java b/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java index 7b3d4417d..700510270 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java +++ b/src/main/java/gov/nist/csd/pm/pdp/AccessAdjudication.java @@ -1,7 +1,7 @@ package gov.nist.csd.pm.pdp; import gov.nist.csd.pm.pap.exception.PMException; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pdp/Adjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/Adjudicator.java index a7819a4d1..bbdf7c5cf 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/Adjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/Adjudicator.java @@ -2,8 +2,13 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; +import java.util.List; + +import static gov.nist.csd.pm.pap.op.AdminAccessRights.REVIEW_POLICY; + public abstract class Adjudicator { + public static final List TO_CHECK = List.of(REVIEW_POLICY); protected PrivilegeChecker privilegeChecker; public Adjudicator(PrivilegeChecker privilegeChecker) { diff --git a/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java b/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java index 534ba5435..924e3e87f 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java +++ b/src/main/java/gov/nist/csd/pm/pdp/EventResponseEvaluation.java 
@@ -1,7 +1,7 @@ package gov.nist.csd.pm.pdp; import gov.nist.csd.pm.pap.obligation.Response; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; public interface EventResponseEvaluation { diff --git a/src/main/java/gov/nist/csd/pm/pdp/PDP.java b/src/main/java/gov/nist/csd/pm/pdp/PDP.java index 5ebef5c7e..0c1fde2de 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/PDP.java +++ b/src/main/java/gov/nist/csd/pm/pdp/PDP.java @@ -13,7 +13,7 @@ import gov.nist.csd.pm.pap.pml.executable.operation.PMLOperation; import gov.nist.csd.pm.pap.pml.executable.routine.PMLRoutine; import gov.nist.csd.pm.pap.pml.value.Value; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.exception.BootstrapExistingPolicyException; import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.tx.TxRunner; @@ -21,7 +21,6 @@ import gov.nist.csd.pm.pdp.exception.UnauthorizedException; import java.util.*; -import java.util.concurrent.atomic.AtomicReference; import static gov.nist.csd.pm.pap.admin.AdminPolicy.ALL_NODE_NAMES; import static gov.nist.csd.pm.pap.graph.node.NodeType.ANY; diff --git a/src/main/java/gov/nist/csd/pm/pdp/PDPExecutionContext.java b/src/main/java/gov/nist/csd/pm/pdp/PDPExecutionContext.java index ea0b654fc..ced0a980d 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/PDPExecutionContext.java +++ b/src/main/java/gov/nist/csd/pm/pdp/PDPExecutionContext.java @@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.pml.scope.Scope; import gov.nist.csd.pm.pap.pml.statement.PMLStatement; import gov.nist.csd.pm.pap.pml.value.*; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import java.util.List; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java b/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java index 13c6be833..0b7893e25 100644 
--- a/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java
+++ b/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java
@@ -13,7 +13,7 @@ import gov.nist.csd.pm.pap.pml.executable.routine.PMLRoutine;
 import gov.nist.csd.pm.pap.pml.statement.PMLStatement;
 import gov.nist.csd.pm.pap.pml.value.Value;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import gov.nist.csd.pm.pap.serialization.PolicyDeserializer;
 import gov.nist.csd.pm.pap.serialization.PolicySerializer;
@@ -64,7 +64,6 @@ public PolicyQueryAdjudicator query() {
 @Override
 public void setPMLOperations(Map pmlOperations) throws PMException {
 privilegeChecker.check(userCtx, AdminPolicyNode.PM_ADMIN_OBJECT.nodeName(), SET_PML_OPS);
- super.setPMLOperations(pmlOperations);
 }
diff --git a/src/main/java/gov/nist/csd/pm/pdp/PMLBootstrapper.java b/src/main/java/gov/nist/csd/pm/pdp/PMLBootstrapper.java
index 788ce97a2..ea42e85a1 100644
--- a/src/main/java/gov/nist/csd/pm/pdp/PMLBootstrapper.java
+++ b/src/main/java/gov/nist/csd/pm/pdp/PMLBootstrapper.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.pml.executable.operation.PMLOperation;
 import gov.nist.csd.pm.pap.pml.executable.routine.PMLRoutine;
 import gov.nist.csd.pm.pap.pml.value.Value;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import java.util.List;
 import java.util.Map;
diff --git a/src/main/java/gov/nist/csd/pm/pdp/exception/UnauthorizedException.java b/src/main/java/gov/nist/csd/pm/pdp/exception/UnauthorizedException.java
index 64b78334a..7b8909f5f 100644
--- a/src/main/java/gov/nist/csd/pm/pdp/exception/UnauthorizedException.java
+++ b/src/main/java/gov/nist/csd/pm/pdp/exception/UnauthorizedException.java
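Review bot: `PDPTx.setPMLOperations` now runs the SET_PML_OPS privilege check and then returns without calling `super.setPMLOperations(pmlOperations)`, so for an authorized caller the operation silently does nothing while the unauthorized path still throws. Nothing else in the diff takes over that work, which looks like an accidental deletion rather than a design change; restore `super.setPMLOperations(pmlOperations);` after the check, or if the removal is intended, say so in a comment and remove the now-pointless check with it. A test that sets PML operations through a PDPTx and reads them back would have caught this.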
@@ -1,6 +1,7 @@ package gov.nist.csd.pm.pdp.exception; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.TargetContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.query.model.explain.Explain; @@ -15,6 +16,11 @@ public UnauthorizedException(Explain explain, UserContext user, String target, C this.explain = explain; } + public UnauthorizedException(Explain explain, UserContext user, TargetContext target, Collection missingAccessRights) { + super("[" + user + "] does not have access right " + missingAccessRights + " on [" + target + "]"); + this.explain = explain; + } + public Explain getExplain() { return explain; } diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicator.java index 3c7379591..e69f24fc6 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicator.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.op.graph.*; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.graph.node.NodeType; import gov.nist.csd.pm.pdp.Adjudicator; diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicator.java index e38f8a0cb..d2d7dc4f8 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicator.java 
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.op.obligation.CreateObligationOp; import gov.nist.csd.pm.pap.op.obligation.DeleteObligationOp; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.obligation.Rule; import gov.nist.csd.pm.pdp.Adjudicator; diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicator.java index 59ff13c0c..e2a1169ea 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicator.java @@ -11,7 +11,7 @@ import gov.nist.csd.pm.pap.op.operation.CreateAdminOperationOp; import gov.nist.csd.pm.pap.op.operation.DeleteAdminOperationOp; import gov.nist.csd.pm.pap.op.operation.SetResourceOperationsOp; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pdp.Adjudicator; import java.util.Map; diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/PolicyModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/PolicyModificationAdjudicator.java index 9213e15c9..093f463e4 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/PolicyModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/PolicyModificationAdjudicator.java @@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.PAP; import gov.nist.csd.pm.pap.modification.*; import gov.nist.csd.pm.pap.op.PrivilegeChecker; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pdp.Adjudicator; public class PolicyModificationAdjudicator extends Adjudicator implements PolicyModification { 
diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicator.java index 2bba04653..478607805 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicator.java @@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.op.prohibition.CreateProhibitionOp; import gov.nist.csd.pm.pap.op.prohibition.DeleteProhibitionOp; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.prohibition.ContainerCondition; import gov.nist.csd.pm.pap.prohibition.Prohibition; import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject; diff --git a/src/main/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicator.java index 8f22f6c22..cdaad4141 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicator.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.op.routine.CreateAdminRoutineOp; import gov.nist.csd.pm.pap.op.routine.DeleteAdminRoutineOp; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.routine.Routine; import gov.nist.csd.pm.pdp.Adjudicator; diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java index 2f7f19437..1ae5a91f8 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java 
@@ -3,101 +3,82 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.op.AdminAccessRights;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.query.AccessQuery;
+import gov.nist.csd.pm.pap.query.model.context.TargetContext;
 import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.query.model.explain.Explain;
 import gov.nist.csd.pm.pdp.Adjudicator;
+import java.util.List;
 import java.util.Map;
 public class AccessQueryAdjudicator extends Adjudicator implements AccessQuery {
- private final UserContext userCtx;
+ private final UserContext adjUserContext;
 private final PAP pap;
 private final PrivilegeChecker privilegeChecker;
- public AccessQueryAdjudicator(UserContext userCtx, PAP pap, PrivilegeChecker privilegeChecker) {
+ public AccessQueryAdjudicator(UserContext adjUserContext, PAP pap, PrivilegeChecker privilegeChecker) {
 super(privilegeChecker);
- this.userCtx = userCtx;
+ this.adjUserContext = adjUserContext;
 this.pap = pap;
 this.privilegeChecker = privilegeChecker;
 }
 @Override
- public AccessRightSet computePrivileges(UserContext userCtx, String target) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
- privilegeChecker.check(userCtx, target, AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computePrivileges(userCtx, target);
+ public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException {
+ return pap.query().access().computePrivileges(userCtx, targetCtx);
 }
 @Override
- public AccessRightSet computeDeniedPrivileges(UserContext userCtx, String target) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
- privilegeChecker.check(userCtx, target, AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computeDeniedPrivileges(userCtx, target);
+ public List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException {
+ return pap.query().access().computePrivileges(userCtx, targetCtxs);
 }
 @Override
- public Map computePolicyClassAccessRights(UserContext userCtx, String target)
- throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
- privilegeChecker.check(userCtx, target, AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computePolicyClassAccessRights(userCtx, target);
+ public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException {
+ return pap.query().access().computeDeniedPrivileges(userCtx, targetCtx);
 }
 @Override
 public Map computeCapabilityList(UserContext userCtx) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
-
 return pap.query().access().computeCapabilityList(userCtx);
 }
 @Override
- public Map computeACL(String target) throws PMException {
- privilegeChecker.check(userCtx, target, AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computeACL(target);
+ public Map computeACL(TargetContext targetCtx) throws PMException {
+ return pap.query().access().computeACL(targetCtx);
 }
 @Override
- public Map computeDestinationAttributes(String user) throws PMException {
- privilegeChecker.check(userCtx, user, AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computeDestinationAttributes(user);
+ public Map computeDestinationAttributes(UserContext userCtx) throws PMException {
+ return pap.query().access().computeDestinationAttributes(userCtx);
 }
 @Override
 public SubgraphPrivileges computeSubgraphPrivileges(UserContext userCtx, String root) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(),
AdminAccessRights.REVIEW_POLICY);
-
 return pap.query().access().computeSubgraphPrivileges(userCtx, root);
 }
 @Override
 public Map computeAdjacentAscendantPrivileges(UserContext userCtx, String root) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
-
 return pap.query().access().computeAdjacentAscendantPrivileges(userCtx, root);
 }
 @Override
- public Explain explain(UserContext userCtx, String target) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
- privilegeChecker.check(userCtx, target, AdminAccessRights.REVIEW_POLICY);
+ public Map computeAdjacentDescendantPrivileges(UserContext userCtx, String root) throws PMException {
+ return pap.query().access().computeAdjacentDescendantPrivileges(userCtx, root);
+ }
- return pap.query().access().explain(userCtx, target);
+ @Override
+ public Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMException {
+ return pap.query().access().explain(userCtx, targetCtx);
 }
 @Override
 public Map computePersonalObjectSystem(UserContext userCtx) throws PMException {
- privilegeChecker.check(userCtx, userCtx.getUser(), AdminAccessRights.REVIEW_POLICY);
-
- return pap.query().access().computePersonalObjectSystem(userCtx);
+ return pap.query().access().computePersonalObjectSystem(userCtx);
 }
 }
diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/GraphQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/GraphQueryAdjudicator.java
index 9ecda89cc..260b344e9 100644
--- a/src/main/java/gov/nist/csd/pm/pdp/query/GraphQueryAdjudicator.java
+++ b/src/main/java/gov/nist/csd/pm/pdp/query/GraphQueryAdjudicator.java
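Review bot: Every `privilegeChecker.check(..., AdminAccessRights.REVIEW_POLICY)` in AccessQueryAdjudicator is removed and nothing replaces it, so the PDP now forwards computePrivileges, computeDeniedPrivileges, computeCapabilityList, computeACL, computeDestinationAttributes, the subgraph/adjacent queries, explain and computePersonalObjectSystem straight to `pap.query().access()` — any caller that can reach the PDP can enumerate any user's privileges on any target without holding REVIEW_POLICY, which is an authorization regression unless the enforcement moved somewhere not in this diff. The new `Adjudicator.TO_CHECK = List.of(REVIEW_POLICY)` in the Adjudicator hunk above is never referenced here, and `adjUserContext`/`privilegeChecker` are now stored but unused, which suggests the replacement check was planned but not written; it should land in the same commit. When it is restored, note that the old code checked the query argument `userCtx` rather than the adjudicating user, so the check should be made with `adjUserContext` as the subject (e.g. `privilegeChecker.check(adjUserContext, targetCtx.getTarget(), AdminAccessRights.REVIEW_POLICY);` for the single-node case, and over every entry of `getAttributes()` for an attribute-list context, assuming PrivilegeChecker has no TargetContext overload). A test asserting that a user without REVIEW_POLICY gets UnauthorizedException from each of these methods would pin this down.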
@@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.query.GraphQuery; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.query.model.subgraph.AscendantSubgraph; import gov.nist.csd.pm.pap.query.model.subgraph.DescendantSubgraph; import gov.nist.csd.pm.pdp.Adjudicator; diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/ObligationsQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/ObligationsQueryAdjudicator.java index f343fd639..5c0b98e3c 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/ObligationsQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/ObligationsQueryAdjudicator.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.pml.pattern.operand.OperandPatternExpression; import gov.nist.csd.pm.pap.query.ObligationsQuery; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.obligation.Obligation; import gov.nist.csd.pm.pdp.Adjudicator; import gov.nist.csd.pm.pdp.exception.UnauthorizedException; diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/OperationsQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/OperationsQueryAdjudicator.java index c8ee46e2c..0e8dcc73b 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/OperationsQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/OperationsQueryAdjudicator.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.op.Operation; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.query.OperationsQuery; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pdp.Adjudicator; import java.util.Collection; 
diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/PolicyQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/PolicyQueryAdjudicator.java index 945193c30..3623c5761 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/PolicyQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/PolicyQueryAdjudicator.java @@ -1,7 +1,7 @@ package gov.nist.csd.pm.pdp.query; import gov.nist.csd.pm.pap.PAP; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.query.*; diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/ProhibitionsQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/ProhibitionsQueryAdjudicator.java index ace4c6bfd..7bf85d5db 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/ProhibitionsQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/ProhibitionsQueryAdjudicator.java @@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.op.AdminAccessRights; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.query.ProhibitionsQuery; -import gov.nist.csd.pm.pap.query.UserContext; +import gov.nist.csd.pm.pap.query.model.context.UserContext; import gov.nist.csd.pm.pap.prohibition.Prohibition; import gov.nist.csd.pm.pdp.Adjudicator; diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/RoutinesQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/RoutinesQueryAdjudicator.java index 03dad7e6a..966a668cb 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/RoutinesQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/RoutinesQueryAdjudicator.java 
@@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.op.AdminAccessRights;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.query.RoutinesQuery;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import gov.nist.csd.pm.pdp.Adjudicator;
diff --git a/src/test/java/gov/nist/csd/pm/common/obligation/ObligationTest.java b/src/test/java/gov/nist/csd/pm/common/obligation/ObligationTest.java
index 1839798d2..5ef78822b 100644
--- a/src/test/java/gov/nist/csd/pm/common/obligation/ObligationTest.java
+++ b/src/test/java/gov/nist/csd/pm/common/obligation/ObligationTest.java
@@ -12,7 +12,7 @@ import gov.nist.csd.pm.pap.pml.value.StringValue;
 import gov.nist.csd.pm.pap.pml.value.Value;
 import gov.nist.csd.pm.pap.pml.value.VoidValue;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pap.exception.PMException;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/epp/EPPTest.java b/src/test/java/gov/nist/csd/pm/epp/EPPTest.java
index b94643883..96c1528e9 100644
--- a/src/test/java/gov/nist/csd/pm/epp/EPPTest.java
+++ b/src/test/java/gov/nist/csd/pm/epp/EPPTest.java
@@ -24,7 +24,7 @@ import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.type.Type;
 import gov.nist.csd.pm.pap.pml.value.VoidValue;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.*;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/integration/IntegrationTest.java b/src/test/java/gov/nist/csd/pm/integration/IntegrationTest.java
index 90bba0012..14e050205 100644
--- a/src/test/java/gov/nist/csd/pm/integration/IntegrationTest.java
+++ b/src/test/java/gov/nist/csd/pm/integration/IntegrationTest.java
@@ -3,12 +3,10 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.epp.EPP;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
-import gov.nist.csd.pm.pdp.OperationRequest;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import org.junit.jupiter.api.Test;
-import java.util.List;
 import java.util.Map;
 import static org.junit.jupiter.api.Assertions.assertFalse;
diff --git a/src/test/java/gov/nist/csd/pm/pap/PAPTest.java b/src/test/java/gov/nist/csd/pm/pap/PAPTest.java
index f351157fa..690b1cf9c 100644
--- a/src/test/java/gov/nist/csd/pm/pap/PAPTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/PAPTest.java
@@ -10,7 +10,7 @@ import gov.nist.csd.pm.pap.pml.value.VoidValue;
 import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.pap.graph.relationship.Association;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.util.SamplePolicy;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/modification/ObligationsModifierTest.java b/src/test/java/gov/nist/csd/pm/pap/modification/ObligationsModifierTest.java
index 1be2ee510..e7c4b2ac4 100644
--- a/src/test/java/gov/nist/csd/pm/pap/modification/ObligationsModifierTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/modification/ObligationsModifierTest.java
@@ -17,7 +17,7 @@ import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.UsernamePattern;
 import gov.nist.csd.pm.pap.pml.statement.operation.CreatePolicyStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/modification/OperationsModifierTest.java b/src/test/java/gov/nist/csd/pm/pap/modification/OperationsModifierTest.java
index 6bcd78a12..a53487a3d 100644
--- a/src/test/java/gov/nist/csd/pm/pap/modification/OperationsModifierTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/modification/OperationsModifierTest.java
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.op.Operation;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.op.graph.AssignOp;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/modification/ProhibitionsModifierTest.java b/src/test/java/gov/nist/csd/pm/pap/modification/ProhibitionsModifierTest.java
index f03f9d927..229d40b42 100644
--- a/src/test/java/gov/nist/csd/pm/pap/modification/ProhibitionsModifierTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/modification/ProhibitionsModifierTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
 import gov.nist.csd.pm.pap.PAPTestInitializer;
 import gov.nist.csd.pm.pap.exception.*;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.util.SamplePolicy;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/op/PreparedOperationTest.java b/src/test/java/gov/nist/csd/pm/pap/op/PreparedOperationTest.java
index 905b0dd10..8c2beccc1 100644
--- a/src/test/java/gov/nist/csd/pm/pap/op/PreparedOperationTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/op/PreparedOperationTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.obligation.EventContext;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import java.util.List;
@@ -40,7 +40,7 @@ public Void execute(PAP pap, Map operands) throws PMException {
 );
 EventContext execute = preparedOperation.execute(new MemoryPAP(), new UserContext("u1"), new PrivilegeChecker(new MemoryPAP()));
- assertEquals(execute, new EventContext("u1", "", op1,
+ assertEquals(execute, new EventContext("u1", null, op1,
 Map.of(ASCENDANT_OPERAND, "c", DESCENDANTS_OPERAND, List.of("a", "b"))));
 }
diff --git a/src/test/java/gov/nist/csd/pm/pap/op/PrivilegeCheckerTest.java b/src/test/java/gov/nist/csd/pm/pap/op/PrivilegeCheckerTest.java
new file mode 100644
index 000000000..d2d5fb44e
--- /dev/null
+++ b/src/test/java/gov/nist/csd/pm/pap/op/PrivilegeCheckerTest.java
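Review bot: `assertEquals(execute, new EventContext("u1", null, op1, ...))` passes the actual value as the first argument, so a failure will report the expected and actual sides swapped; write it as `assertEquals(new EventContext("u1", null, op1, Map.of(ASCENDANT_OPERAND, "c", DESCENDANTS_OPERAND, List.of("a", "b"))), execute);`. Changing the second constructor argument from `""` to `null` also redefines what `PreparedOperation.execute` emits when that value is absent, and which `EventContext` field this is and why "absent" is now `null` rather than empty is not visible in the hunk; a one-line comment above the assertion stating that would keep the test self-explanatory. The enclosing test method starts outside the hunk.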
@@ -0,0 +1,40 @@
+package gov.nist.csd.pm.pap.op;
+
+import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
+import gov.nist.csd.pm.pap.exception.PMException;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
+import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class PrivilegeCheckerTest {
+
+ @Test
+ void testEmptyToCheck() throws PMException {
+ String pml = """
+ set resource operations ["read"]
+
+ create pc "pc1"
+ create ua "ua1" in ["pc1"]
+ create ua "ua2" in ["pc1"]
+ create oa "oa1" in ["pc1"]
+
+ associate "ua1" and "oa1" with ["read"]
+
+ create u "u1" in ["ua1"]
+ create u "u2" in ["ua2"]
+ create o "o1" in ["oa1"]
+ """;
+
+ MemoryPAP pap = new MemoryPAP();
+ pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer());
+
+ PrivilegeChecker checker = new PrivilegeChecker(pap);
+ assertDoesNotThrow(() -> checker.check(new UserContext("u1"), "o1", List.of()));
+ assertThrows(PMException.class, () -> checker.check(new UserContext("u2"), "o1", List.of()));
+ }
+
+}
\ No newline at end of file
diff --git a/src/test/java/gov/nist/csd/pm/pap/op/obligation/ObligationOpTest.java b/src/test/java/gov/nist/csd/pm/pap/op/obligation/ObligationOpTest.java
index e93ebe4e3..f743c080e 100644
--- a/src/test/java/gov/nist/csd/pm/pap/op/obligation/ObligationOpTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/op/obligation/ObligationOpTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.pattern.operand.NodeOperandPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.LogicalSubjectPatternExpression;
 import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.Test;
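Review bot: `assertThrows(PMException.class, ...)` on the `u2` line accepts any policy-machine exception, so a missing node or a deserialization failure would satisfy the test just as well as an authorization denial; assert the specific type that `check` throws on denial (the diff imports `gov.nist.csd.pm.pdp.exception.UnauthorizedException` in other files, if that is the one) so the test actually pins deny-by-default. The behaviour the test relies on is security-relevant and deserves a comment above the two assertions: `u2` is in `ua2`, which has no association with `oa1`, and is rejected even though the access-right list is empty, e.g. `// an empty toCheck list must not short-circuit: a user with no association to the target is still denied`. The file is also missing its trailing newline.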
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/ExecutionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/ExecutionTest.java
index 56e14353d..bda15d5c9 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/ExecutionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/ExecutionTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import java.util.Arrays;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/FunctionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/FunctionTest.java
index 3dcefef2e..15bc16cf6 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/FunctionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/FunctionTest.java
@@ -3,7 +3,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.exception.PMLCompilationException;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java
index 34d543cb0..f09a4ed03 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/PMLTest.java
@@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.admin.AdminPolicyNode;
 import gov.nist.csd.pm.pap.op.Operation;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import gov.nist.csd.pm.pdp.AdminAdjudicationResponse;
 import gov.nist.csd.pm.pdp.PDP;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/compiler/visitor/IfStmtVisitorTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/compiler/visitor/IfStmtVisitorTest.java
index 6a6fafa8b..785a89a63 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/compiler/visitor/IfStmtVisitorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/compiler/visitor/IfStmtVisitorTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.statement.IfStatement;
 import gov.nist.csd.pm.pap.pml.statement.PMLStatementBlock;
 import gov.nist.csd.pm.pap.pml.statement.ShortDeclarationStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.PMLContextVisitor;
 import gov.nist.csd.pm.pap.pml.antlr.PMLParser;
 import gov.nist.csd.pm.pap.pml.expression.literal.BoolLiteral;
@@ -82,7 +82,7 @@ create policy class "pc1"
 f1()
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertFalse(pap.query().graph().nodeExists("pc1"));
 }
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapperTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapperTest.java
index e918e9f84..832c84803 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapperTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/executable/operation/PMLOperationWrapperTest.java
@@ -7,8 +7,7 @@ import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.pml.executable.PMLExecutableSignature;
 import gov.nist.csd.pm.pap.pml.type.Type;
-import gov.nist.csd.pm.pap.query.UserContext;
-import gov.nist.csd.pm.pdp.OperationRequest;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import org.junit.jupiter.api.Test;
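Review bot: `pap.executePML(new UserContext(""), pml)` replaces the no-arg constructor with an empty-string principal, and nothing at the call site says what that principal means — whether the PAP layer performs no privilege check for `executePML`, or `""` is simply a user that does not exist in the graph and is tolerated. Because these tests run policy-mutating PML under that identity, give it a named constant in each test class, e.g. `private static final UserContext TEST_USER = new UserContext("");` with a one-line comment stating the intent, so a reader does not mistake it for an anonymous-bypass path being exercised. The same substitution appears in the FunctionInvokeExpressionTest, ForeachStatementTest and FunctionReturnStatementTest hunks below. The enclosing test methods start outside the hunks.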
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/executable/routine/PMLRoutineWrapperTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/executable/routine/PMLRoutineWrapperTest.java
index f8e5b11ec..3052de2af 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/executable/routine/PMLRoutineWrapperTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/executable/routine/PMLRoutineWrapperTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.executable.PMLExecutableSignature;
 import gov.nist.csd.pm.pap.pml.type.Type;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import gov.nist.csd.pm.pdp.PDP;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/EqualsExpressionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/EqualsExpressionTest.java
index 7856efa09..e7775f608 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/EqualsExpressionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/EqualsExpressionTest.java
@@ -11,7 +11,7 @@ import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
 import gov.nist.csd.pm.pap.pml.value.Value;
 import gov.nist.csd.pm.pap.pml.value.BoolValue;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import static gov.nist.csd.pm.pap.pml.PMLUtil.buildArrayLiteral;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/FunctionInvokeExpressionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/FunctionInvokeExpressionTest.java
index d5dad2c68..acddd42d1 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/FunctionInvokeExpressionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/FunctionInvokeExpressionTest.java
@@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
 import gov.nist.csd.pm.pap.pml.statement.PMLStatementBlock;
 import gov.nist.csd.pm.pap.pml.statement.operation.CreatePolicyStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.PMLContextVisitor;
 import gov.nist.csd.pm.pap.pml.antlr.PMLParser;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
@@ -202,7 +202,7 @@ operation a(string x) {
 }
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertTrue(pap.query().graph().nodeExists("cx"));
 assertTrue(pap.query().graph().nodeExists("cy"));
 }
@@ -218,7 +218,7 @@ operation a(string x) {
 }
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertFalse(pap.query().graph().nodeExists("x"));
 assertTrue(pap.query().graph().nodeExists("test"));
 }
@@ -237,7 +237,7 @@ operation a() {
 a()
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertFalse(pap.query().graph().nodeExists("pc1"));
 }
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/LogicalExpressionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/LogicalExpressionTest.java
index df13628fc..ade81e131 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/LogicalExpressionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/LogicalExpressionTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.PMLContextVisitor;
 import gov.nist.csd.pm.pap.pml.antlr.PMLParser;
 import gov.nist.csd.pm.pap.pml.expression.literal.BoolLiteral;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/ParenExpressionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/ParenExpressionTest.java
index 09f69c8e4..d45656871 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/ParenExpressionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/ParenExpressionTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.PMLContextVisitor;
 import gov.nist.csd.pm.pap.pml.antlr.PMLParser;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/PlusExpressionTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/PlusExpressionTest.java
index 1ad0b28ee..6e78fea80 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/PlusExpressionTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/PlusExpressionTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.pml.exception.PMLCompilationRuntimeException;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.PMLContextVisitor;
 import gov.nist.csd.pm.pap.pml.antlr.PMLParser;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByBracketIndexTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByBracketIndexTest.java
index a1a6f2833..09a1979a8 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByBracketIndexTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByBracketIndexTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.compiler.Variable;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByDotIndexTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByDotIndexTest.java
index d118c31b9..3dd0fe3f1 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByDotIndexTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByDotIndexTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.compiler.Variable;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.context.VisitorContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByIDTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByIDTest.java
index f916c0965..ec6894369 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByIDTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/expression/reference/ReferenceByIDTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.pml.scope.CompileGlobalScope;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.compiler.Variable;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.context.VisitorContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/pattern/operand/OperandPatternTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/pattern/operand/OperandPatternTest.java
index 7106cbaf4..5435740c7 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/pattern/operand/OperandPatternTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/pattern/operand/OperandPatternTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException;
 import gov.nist.csd.pm.pap.pml.statement.operation.CreateRuleStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import java.util.List;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/BreakStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/BreakStatementTest.java
index 151660937..014ee33e6 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/BreakStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/BreakStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ContinueStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ContinueStatementTest.java
index d3ef9c6ca..46f7fb9f4 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ContinueStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ContinueStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ForeachStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ForeachStatementTest.java
index 16fc62969..8d1d569b1 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ForeachStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ForeachStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.statement.operation.CreatePolicyStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.reference.ReferenceByID;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.scope.UnknownVariableInScopeException;
@@ -152,7 +152,7 @@ operation f1() {
 }
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertTrue(pap.query().graph().nodeExists("1"));
 assertFalse(pap.query().graph().nodeExists("2"));
@@ -171,7 +171,7 @@ operation f1() {
 }
 """;
 pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 assertTrue(pap.query().graph().nodeExists("1"));
 assertFalse(pap.query().graph().nodeExists("2"));
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionDefinitionStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionDefinitionStatementTest.java
index d5ea59df5..6ba61606a 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionDefinitionStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionDefinitionStatementTest.java
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.pml.executable.routine.PMLStmtsRoutine;
 import gov.nist.csd.pm.pap.pml.expression.reference.ReferenceByID;
 import gov.nist.csd.pm.pap.pml.statement.operation.*;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.type.Type;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionReturnStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionReturnStatementTest.java
index e3a542a59..afbf8c551 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionReturnStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/FunctionReturnStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 class FunctionReturnStatementTest {
@@ -23,7 +23,7 @@ operation f2() string {
 create policy class f1()
 """;
 PAP pap = new MemoryPAP();
- pap.executePML(new UserContext(), pml);
+ pap.executePML(new UserContext(""), pml);
 }
 }
\ No newline at end of file
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/IfStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/IfStatementTest.java
index a268f123b..9eece3636 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/IfStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/IfStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.statement.operation.CreatePolicyStatement;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.BoolLiteral;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ShortDeclarationStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ShortDeclarationStatementTest.java
index 933ea6ac0..500a137e8 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/ShortDeclarationStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/ShortDeclarationStatementTest.java
@@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.value.StringValue;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableAssignmentStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableAssignmentStatementTest.java
index 4fd5f226f..9215ad580 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableAssignmentStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableAssignmentStatementTest.java
@@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.value.StringValue;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableDeclarationStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableDeclarationStatementTest.java
index b1cace863..4407f157d 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableDeclarationStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/VariableDeclarationStatementTest.java
@@ -3,7 +3,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import gov.nist.csd.pm.pap.pml.value.StringValue;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssignStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssignStatementTest.java
index fe8a8a607..7eee51be5 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssignStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssignStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssociateStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssociateStatementTest.java
index 063288647..1d7a0f1ce 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssociateStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/AssociateStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.graph.relationship.Association;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CheckStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CheckStatementTest.java
index 6789ebc81..b1e52ebd7 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CheckStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CheckStatementTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.pml.expression.literal.ArrayLiteral;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.type.Type;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateNonPCStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateNonPCStatementTest.java
index 27ec3d566..24e3bad78 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateNonPCStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateNonPCStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.graph.node.NodeType;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateObligationStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateObligationStatementTest.java
index c149606ec..5a3d554b8 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateObligationStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateObligationStatementTest.java
@@ -12,7 +12,7 @@ import gov.nist.csd.pm.pap.pml.pattern.operand.NodeOperandPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.UsernamePattern;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import java.util.List;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateOperationStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateOperationStatementTest.java
index 8813b2272..bce372a45 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateOperationStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateOperationStatementTest.java
@@ -2,7 +2,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreatePolicyStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreatePolicyStatementTest.java
index 64541eb36..456f5281b 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreatePolicyStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreatePolicyStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.Test;
 import java.util.List;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateProhibitionStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateProhibitionStatementTest.java
index 2bc88afde..b6e3f9a4e 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateProhibitionStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateProhibitionStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.prohibition.ContainerCondition;
 import gov.nist.csd.pm.pap.prohibition.Prohibition;
 import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateRoutineStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateRoutineStatementTest.java
index edc6a23f8..a68d45d47 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateRoutineStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/CreateRoutineStatementTest.java
@@ -2,7 +2,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeassignStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeassignStatementTest.java
index f874c7883..23c8e6790 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeassignStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeassignStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatementTest.java
index 4954e647c..f17ad736c 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteRuleStatementTest.java
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.pattern.OperationPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteStatementTest.java
index 9abd16dc2..974d1e2ba 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DeleteStatementTest.java
@@ -11,7 +11,7 @@ import gov.nist.csd.pm.pap.exception.ProhibitionDoesNotExistException;
 import gov.nist.csd.pm.pap.pml.pattern.OperationPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.prohibition.ContainerCondition;
 import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DissociateStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DissociateStatementTest.java
index d1ebae065..6ea5ea850 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DissociateStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/DissociateStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetNodePropertiesStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetNodePropertiesStatementTest.java
index f7e5df2de..9a3439e8e 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetNodePropertiesStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetNodePropertiesStatementTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.expression.literal.StringLiteral;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetResourceOperationsStatementTest.java b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetResourceOperationsStatementTest.java
index 6e29fa830..db57e8e69 100644
--- a/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetResourceOperationsStatementTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/pml/statement/operation/SetResourceOperationsStatementTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.pml.context.ExecutionContext;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java b/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java
index e919dc966..770e44337 100644
--- a/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java
@@ -1,7 +1,6 @@
 package gov.nist.csd.pm.pap.query;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.admin.AdminPolicy;
 import gov.nist.csd.pm.pap.admin.AdminPolicyNode;
 import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.pap.exception.PMException;
@@ -9,8 +8,9 @@ import gov.nist.csd.pm.pap.prohibition.ContainerCondition;
 import gov.nist.csd.pm.pap.prohibition.Prohibition;
 import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
+import gov.nist.csd.pm.pap.query.model.context.TargetContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.query.model.explain.*;
-import gov.nist.csd.pm.pap.query.model.subgraph.DescendantSubgraph;
 import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges;
 import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import org.junit.jupiter.api.Nested;
@@ -23,7 +23,7 @@ public abstract class AccessQuerierTest extends PAPTestInitializer {
-private static final AccessRightSet RWE = new AccessRightSet("read", "write", "execute");
+public static final AccessRightSet RWE = new AccessRightSet("read", "write", "execute");
 @Test
 void testComputeAdjacentAscendantPrivileges() throws PMException {
@@ -50,6 +50,31 @@ void testComputeAdjacentAscendantPrivileges() throws PMException { ); } + @Test + void testComputeAdjacentDescendantPrivileges() throws PMException { + String pml = """ + set resource operations ["read", "write"] + create pc "pc1" + create ua "ua1" in ["pc1"] + create oa "oa1" in ["pc1"] + create oa "oa2" in ["oa1"] + create oa "oa3" in ["oa1"] + + associate "ua1" and "oa2" with ["read", "write"] + + create u "u1" in ["ua1"] + create o "o1" in ["oa2", "oa3"] + """; + pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); + + Map actual = pap.query().access().computeAdjacentDescendantPrivileges(new UserContext("u1"), "o1"); + assertEquals( + Map.of("oa2", new AccessRightSet("read", "write"), + "oa3", new AccessRightSet()), + new HashMap<>(actual) + ); + } + @Test void testBuildPOS() throws PMException { String pml = """ @@ -162,7 +187,7 @@ void testExplain() throws PMException { """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Explain explain = pap.query().access().explain(new UserContext("u1"), "o1"); + Explain explain = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); Explain expected = new Explain( new AccessRightSet("read"), List.of( @@ -248,7 +273,7 @@ void testExplain2() throws PMException { MemoryPAP pap = new MemoryPAP(); pap.executePML(new UserContext(""), pml); - Explain explain = pap.query().access().explain(new UserContext("u1"), "o1"); + Explain explain = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); Explain expected = new Explain( new AccessRightSet("read"), List.of( @@ -297,7 +322,7 @@ void testExplain2() throws PMException { pap.modify().graph().deassign("o1", List.of("oa4")); - explain = pap.query().access().explain(new UserContext("u1"), "o1"); + explain = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); expected = new Explain( new AccessRightSet("read"), List.of( 
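Review bot: The new testComputeAdjacentDescendantPrivileges still passes the target as a bare string, `computeAdjacentDescendantPrivileges(new UserContext("u1"), "o1")`, while every other access query touched by this commit (explain, computePrivileges, computeDeniedPrivileges, computeACL) was migrated to `new TargetContext(...)`. If that method deliberately kept the String form, a one-line comment saying so would keep the next migration pass from touching it; otherwise it should take `new TargetContext("o1")` here as well. The result is also declared as a raw `Map actual`; `Map<String, AccessRightSet> actual` keeps the assertEquals comparison type-checked. The test method itself is complete within the hunk, but the enclosing class continues outside it.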
@@ -347,7 +372,7 @@ void testExplainOnObjAttrWithAssociation() throws PMException { create user "u1" in ["ua1"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Explain actual = pap.query().access().explain(new UserContext("u1"), "oa2"); + Explain actual = pap.query().access().explain(new UserContext("u1"), new TargetContext("oa2")); assertExplainEquals( new Explain( new AccessRightSet("read", "write"), @@ -391,7 +416,7 @@ void testExplainNoPaths() throws PMException { create object "o1" in ["oa1"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Explain actual = pap.query().access().explain(new UserContext("u1"), "o1"); + Explain actual = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); assertExplainEquals( new Explain( new AccessRightSet(), @@ -437,7 +462,7 @@ void testExplainPathsButNoPrivileges() throws PMException { create object "o1" in ["oa1", "oa2"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Explain actual = pap.query().access().explain(new UserContext("u1"), "o1"); + Explain actual = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); assertExplainEquals( new Explain( new AccessRightSet(), @@ -497,7 +522,7 @@ void testExplainMultiplePolicyClasses() throws PMException { create object "o1" in ["oa1", "oa2"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Explain actual = pap.query().access().explain(new UserContext("u1"), "o1"); + Explain actual = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); assertExplainEquals( new Explain( new AccessRightSet("read", "write"), 
@@ -555,7 +580,7 @@ void testExplainMultiplePolicyClasses() throws PMException { """; pap.reset(); pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - actual = pap.query().access().explain(new UserContext("u1"), "o1"); + actual = pap.query().access().explain(new UserContext("u1"), new TargetContext("o1")); assertExplainEquals( new Explain( new AccessRightSet("read"), @@ -661,7 +686,7 @@ void testFindBorderAttributes() throws PMException { create u "u1" in ["ua1", "ua2"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Map u1 = pap.query().access().computeDestinationAttributes("u1"); + Map u1 = pap.query().access().computeDestinationAttributes(new UserContext("u1")); assertEquals( Map.of( "oa1", new AccessRightSet("read", "write"), @@ -687,7 +712,7 @@ void testBuildACL() throws PMException { create o "o1" in ["oa1"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Map o1 = pap.query().access().computeACL("o1"); + Map o1 = pap.query().access().computeACL(new TargetContext("o1")); assertEquals( Map.of( "u1", new AccessRightSet("read", "write"), @@ -728,6 +753,21 @@ void testBuildCapabilityList() throws PMException { ), u1 ); + + pap.modify().graph().associate("ua1", AdminPolicyNode.PM_ADMIN_OBJECT.nodeName(), new AccessRightSet("read")); + u1 = pap.query().access().computeCapabilityList(new UserContext("u1")); + assertEquals( + Map.of( + "o1", new AccessRightSet("read"), + "o2", new AccessRightSet("read"), + "oa1", new AccessRightSet("read"), + "oa2", new AccessRightSet("read"), + "pc1", new AccessRightSet("read"), + "PM_ADMIN", new AccessRightSet("read"), + AdminPolicyNode.PM_ADMIN_OBJECT.nodeName(), new AccessRightSet("read") + ), + u1 + ); } @Test 
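Review bot: The assertions added at the end of testBuildCapabilityList pin a security-relevant rule — a single `read` association on PM_ADMIN_OBJECT makes every policy class, pc1 and PM_ADMIN included, appear readable in u1's capability list — without saying that this is intended, so a later change to admin-object semantics would only surface as an unexplained test failure. A comment above the associate call such as `// an association on PM_ADMIN_OBJECT is expected to propagate to every policy class, including PM_ADMIN` would document the contract being checked. The expected map also names one node by the string literal "PM_ADMIN" and the other via `AdminPolicyNode.PM_ADMIN_OBJECT.nodeName()`; if AdminPolicyNode exposes a constant for the PM_ADMIN node, using its nodeName() there keeps the test in step with a rename. testBuildCapabilityList starts outside the hunk.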
@@ -748,39 +788,10 @@ void testComputeDeniedPrivileges() throws PMException { on union of ["oa1"] """; pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - AccessRightSet deniedPrivileges = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), "o1"); + AccessRightSet deniedPrivileges = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), new TargetContext("o1")); assertEquals(new AccessRightSet("write"), deniedPrivileges); } - @Test - void testComputePolicyClassAccessRights() throws PMException { - String pml = """ - set resource operations ["read", "write"] - create pc "pc1" - create UA "ua1" in ["pc1"] - create OA "oa1" in ["pc1"] - associate "ua1" and "oa1" with ["read", "write"] - - create pc "pc2" - create UA "ua2" in ["pc2"] - create OA "oa2" in ["pc2"] - associate "ua2" and "oa2" with ["read"] - - create u "u1" in ["ua1", "ua2"] - create o "o1" in ["oa1", "oa2"] - """; - pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Map policyClassAccessRights = - pap.query().access().computePolicyClassAccessRights(new UserContext("u1"), "o1"); - assertEquals( - Map.of( - "pc1", new AccessRightSet("read", "write"), - "pc2", new AccessRightSet("read") - ), - policyClassAccessRights - ); - } - @Test void testGetAccessibleNodes() throws PMException { pap.modify().operations().setResourceOperations(RWE); @@ -823,7 +834,7 @@ void testGraph1() throws PMException { pap.modify().graph().associate(ua1, oa1, new AccessRightSet("read", "write")); assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test 
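Review bot: testComputePolicyClassAccessRights is deleted outright rather than migrated to the TargetContext signature like the neighbouring computeDeniedPrivileges call, and nothing in the visible hunks adds an equivalent check of the per-policy-class breakdown (pc1 read/write, pc2 read). If computePolicyClassAccessRights was removed from the access querier together with MemoryAccessQuerier, that is fine but deserves a line in the commit description; if it still exists, this drops its only visible test and the call should instead become `computePolicyClassAccessRights(new UserContext("u1"), new TargetContext("o1"))`. The intersection-across-policy-classes rule appears to remain covered by testPermissionsInOnlyOnePC further down, but that test only asserts an empty result, not the per-class rights.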
@@ -843,7 +854,7 @@ void testGraph2() throws PMException { pap.modify().graph().associate(ua1, oa1, new AccessRightSet("read")); - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test @@ -859,7 +870,7 @@ void testGraph3() throws PMException { assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test @@ -878,7 +889,7 @@ void testGraph4() throws PMException { assertEquals( new AccessRightSet("read", "write"), - pap.query().access().computePrivileges(new UserContext(u1), o1) + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)) ); } @@ -899,7 +910,7 @@ void testGraph4() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read"))); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read"))); } @Test @@ -919,7 +930,7 @@ void testGraph6() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read"))); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read"))); } @Test @@ -938,7 +949,7 @@ void testGraph7() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test 
@@ -954,7 +965,7 @@ void testGraph8() throws PMException { - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); } @@ -974,7 +985,7 @@ void testGraph9() throws PMException { - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); } @@ -997,7 +1008,7 @@ void testGraph10() throws PMException { assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test @@ -1015,7 +1026,7 @@ void testGraph11() throws PMException { - assertEquals(new AccessRightSet(), pap.query().access().computePrivileges(new UserContext(u1), o1)); + assertEquals(new AccessRightSet(), pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1))); } @Test @@ -1034,7 +1045,7 @@ void testGraph12() throws PMException { assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test @@ -1053,7 +1064,7 @@ void testGraph13() throws PMException { - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.contains("read")); } 
@@ -1074,7 +1085,7 @@ void testGraph14() throws PMException { - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); } @@ -1095,7 +1106,7 @@ void testGraph15() throws PMException { - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); } @@ -1116,7 +1127,7 @@ void testGraph16() throws PMException { assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } // removed graph7 due to adding the descendant IDs to the createNode, need to always connect to the testCtx.policy().graph(). @@ -1135,7 +1146,7 @@ void testGraph18() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test @@ -1152,7 +1163,7 @@ void testGraph19() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test @@ -1172,7 +1183,7 @@ void testGraph20() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read"))); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read"))); } @Test 
@@ -1192,7 +1203,7 @@ void testGraph21() throws PMException { - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test @@ -1210,7 +1221,7 @@ void testGraph22() throws PMException { assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test @@ -1238,13 +1249,14 @@ void testGraph23WithProhibitions() throws PMException { ); - Set list = pap.query().access().computePrivileges(new UserContext(u1), o1); + Set list = pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)); assertEquals(1, list.size()); assertTrue(list.contains("execute")); } @Test - void testGraph24WithProhibitions() throws PMException { pap.modify().operations().setResourceOperations(RWE); + void testGraph24WithProhibitions() throws PMException { + pap.modify().operations().setResourceOperations(RWE); String pc1 = pap.modify().graph().createPolicyClass("pc1"); String ua1 = pap.modify().graph().createUserAttribute("ua1", List.of(pc1)); @@ -1266,8 +1278,8 @@ void testGraph23WithProhibitions() throws PMException { ); - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).contains("read")); - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o2).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).contains("read")); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o2)).isEmpty()); pap.modify().graph().associate(ua1, oa2, new AccessRightSet("read")); 
@@ -1279,7 +1291,7 @@ void testGraph23WithProhibitions() throws PMException { assertEquals( new AccessRightSet(), - pap.query().access().computePrivileges(new UserContext(u1, "1234"), o1) + pap.query().access().computePrivileges(new UserContext(u1, "1234"), new TargetContext(o1)) ); } @@ -1306,9 +1318,9 @@ void testGraph25WithProhibitions() throws PMException { ); - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), oa5).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(oa5)).isEmpty()); assertTrue( - pap.query().access().computePrivileges(new UserContext(u1), o1).containsAll(Arrays.asList("read", "write"))); + pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).containsAll(Arrays.asList("read", "write"))); } @Test @@ -1332,7 +1344,7 @@ void testGraph25WithProhibitions2() throws PMException { ); - assertTrue(pap.query().access().computePrivileges(new UserContext(u1), o1).isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext(u1), new TargetContext(o1)).isEmpty()); } @Test @@ -1352,7 +1364,7 @@ void testDeciderWithUA() throws PMException { pap.modify().graph().associate(ua2, oa1, new AccessRightSet("write")); - assertTrue(pap.query().access().computePrivileges(new UserContext(ua1), oa1) + assertTrue(pap.query().access().computePrivileges(new UserContext(ua1), new TargetContext(oa1)) .containsAll(Arrays.asList("read", "write"))); } 
@@ -1431,22 +1443,22 @@ void testProhibitionsAllCombinations() throws PMException { ); - Set list = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + Set list = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertTrue(list.contains("read") && !list.contains("write")); - list = pap.query().access().computePrivileges(new UserContext("u1"), "o2"); + list = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o2")); assertTrue(list.contains("read") && list.contains("write")); - list = pap.query().access().computePrivileges(new UserContext("u2"), "o2"); + list = pap.query().access().computePrivileges(new UserContext("u2"), new TargetContext("o2")); assertTrue(list.contains("read") && !list.contains("write")); - list = pap.query().access().computePrivileges(new UserContext("u3"), "o2"); + list = pap.query().access().computePrivileges(new UserContext("u3"), new TargetContext("o2")); assertTrue(list.contains("read") && !list.contains("write")); - list = pap.query().access().computePrivileges(new UserContext("u4"), "o1"); + list = pap.query().access().computePrivileges(new UserContext("u4"), new TargetContext("o1")); assertTrue(list.contains("read") && !list.contains("write")); - list = pap.query().access().computePrivileges(new UserContext("u4"), "o2"); + list = pap.query().access().computePrivileges(new UserContext("u4"), new TargetContext("o2")); assertTrue(list.contains("read") && !list.contains("write")); } 
@@ -1462,17 +1474,17 @@ void testProhibitionsAllCombinations() throws PMException { pap.modify().graph().associate(ua1, oa1, allAccessRights()); - Set list = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + Set list = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertTrue(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); pap.modify().graph().associate(ua1, oa1, allAdminAccessRights()); - list = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + list = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertTrue(list.containsAll(allAdminAccessRights())); assertFalse(list.containsAll(RWE)); pap.modify().graph().associate(ua1, oa1, new AccessRightSet(ALL_RESOURCE_ACCESS_RIGHTS)); - list = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + list = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertFalse(list.containsAll(allAdminAccessRights())); assertTrue(list.containsAll(RWE)); } @@ -1494,7 +1506,7 @@ void testPermissionsInOnlyOnePC() throws PMException { pap.modify().graph().associate("ua3", "oa1", new AccessRightSet("read")); - assertTrue(pap.query().access().computePrivileges(new UserContext("u1"), "o1").isEmpty()); + assertTrue(pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")).isEmpty()); } @Test @@ -1511,7 +1523,7 @@ void testProhibitionsWithContainerAsTarget() throws PMException { ); - AccessRightSet deniedAccessRights = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), "oa1"); + AccessRightSet deniedAccessRights = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), new TargetContext("oa1")); assertTrue(deniedAccessRights.contains("read")); } 
@@ -1529,7 +1541,7 @@ void testProhibitionWithContainerAsTargetComplement() throws PMException { ); - AccessRightSet deniedAccessRights = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), "oa1"); + AccessRightSet deniedAccessRights = pap.query().access().computeDeniedPrivileges(new UserContext("u1"), new TargetContext("oa1")); assertFalse(deniedAccessRights.contains("read")); } @@ -1543,7 +1555,7 @@ void testAssociationWithObject() throws PMException { pap.modify().graph().createUser("u1", List.of("ua1")); pap.modify().graph().associate("ua1", "o1", new AccessRightSet("read")); - AccessRightSet accessRightSet = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + AccessRightSet accessRightSet = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertEquals(new AccessRightSet("read"), accessRightSet); } 
@@ -1562,8 +1574,86 @@ void testAssociationWithObjectAndProhibitions() throws PMException { ); - AccessRightSet accessRightSet = pap.query().access().computePrivileges(new UserContext("u1"), "o1"); + AccessRightSet accessRightSet = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); assertEquals(new AccessRightSet(), accessRightSet); } } + + @Test + void testAttributesInUserAndTargetContexts() throws PMException { + String pml = """ + set resource operations ["read", "write"] + + create pc "pc1" + create pc "pc2" + create ua "ua1" in ["pc1"] + create ua "ua2" in ["pc2"] + create oa "oa1" in ["pc1"] + create oa "oa2" in ["pc2"] + + associate "ua1" and "oa1" with ["read", "write"] + associate "ua2" and "oa2" with ["read"] + + create u "u1" in ["ua1", "ua2"] + create o "o1" in ["oa1", "oa2"] + """; + MemoryPAP pap = new MemoryPAP(); + pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); + + AccessRightSet actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext("o1")); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet("read"), actual); + + // create a prohibition for the user on the object + pml = """ + create prohibition "p1" + deny user "u1" + access rights ["read"] + on union of ["o1"] + """; + pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); + + actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); + assertEquals(new 
AccessRightSet(), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext("o1")); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet("read"), actual); + + pml = """ + delete prohibition "p1" + + create prohibition "p1" + deny user "u1" + access rights ["read"] + on intersection of ["oa1", "oa2"] + """; + pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); + + actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1")); + assertEquals(new AccessRightSet(), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext("o1")); + assertEquals(new AccessRightSet("read"), actual); + + actual = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet(), actual); + + actual = pap.query().access().computePrivileges(new UserContext(List.of("ua1", "ua2")), new TargetContext(List.of("oa1", "oa2"))); + assertEquals(new AccessRightSet("read"), actual); + + } } diff --git a/src/test/java/gov/nist/csd/pm/pap/query/GraphQuerierTest.java b/src/test/java/gov/nist/csd/pm/pap/query/GraphQuerierTest.java index 3079f6785..c5075281a 100644 --- a/src/test/java/gov/nist/csd/pm/pap/query/GraphQuerierTest.java +++ b/src/test/java/gov/nist/csd/pm/pap/query/GraphQuerierTest.java 
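Review bot: testAttributesInUserAndTargetContexts creates a local `MemoryPAP pap = new MemoryPAP();` that shadows the `pap` fixture every other test in this abstract class uses (presumably supplied by PAPTestInitializer), so if subclasses provide other PAP implementations this test will only ever exercise the in-memory one; dropping the local declaration and using the inherited `pap`, as testBuildACL does, keeps it parameterized. The assertions after the prohibition is created also deserve a comment, because they pin a non-obvious rule: `// p1 denies user u1 on o1 itself, so the attribute-based contexts (ua1/ua2, oa1/oa2) are outside its scope until it is redefined as an intersection of oa1 and oa2` — a reader otherwise sees read granted immediately after it was denied and may take that for a bug. The test body is complete within the hunk; the class continues after it.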
@@ -7,6 +7,7 @@ import gov.nist.csd.pm.pap.graph.relationship.Association;
 import gov.nist.csd.pm.pap.PAPTestInitializer;
 import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.query.model.subgraph.AscendantSubgraph;
 import gov.nist.csd.pm.pap.query.model.subgraph.DescendantSubgraph;
 import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
diff --git a/src/test/java/gov/nist/csd/pm/pap/query/OperationsQuerierTest.java b/src/test/java/gov/nist/csd/pm/pap/query/OperationsQuerierTest.java
index b5d9451d8..7bce3f360 100644
--- a/src/test/java/gov/nist/csd/pm/pap/query/OperationsQuerierTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/query/OperationsQuerierTest.java
@@ -7,6 +7,7 @@ import gov.nist.csd.pm.pap.exception.OperationDoesNotExistException;
 import gov.nist.csd.pm.pap.op.Operation;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.util.SamplePolicy;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pap/serialization/JSONSerializationTest.java b/src/test/java/gov/nist/csd/pm/pap/serialization/JSONSerializationTest.java
index c064b943d..12636ad6a 100644
--- a/src/test/java/gov/nist/csd/pm/pap/serialization/JSONSerializationTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/serialization/JSONSerializationTest.java
@@ -3,12 +3,10 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.serialization.json.JSONDeserializer;
 import gov.nist.csd.pm.pap.serialization.json.JSONGraph;
 import gov.nist.csd.pm.pap.serialization.json.JSONPolicy;
-import gov.nist.csd.pm.pap.serialization.json.JSONSerializer;
-import gov.nist.csd.pm.util.SamplePolicy;
 import org.junit.jupiter.api.Test;
 import java.io.IOException;
@@ -37,7 +35,7 @@ void testJSONSerializationDoesNotThrowNPE() throws PMException, IOException {
 );
 for (JSONPolicy policy : policies) {
- assertDoesNotThrow(() -> new MemoryPAP().deserialize(new UserContext(), policy.toString(), new JSONDeserializer()));
+ assertDoesNotThrow(() -> new MemoryPAP().deserialize(new UserContext(""), policy.toString(), new JSONDeserializer()));
 }
 }
diff --git a/src/test/java/gov/nist/csd/pm/pap/serialization/PMLTest.java b/src/test/java/gov/nist/csd/pm/pap/serialization/PMLTest.java
index 9f2a4b994..86ac7fb48 100644
--- a/src/test/java/gov/nist/csd/pm/pap/serialization/PMLTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/serialization/PMLTest.java
@@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.pml.executable.operation.PMLOperationWrapper;
 import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pap.serialization.pml.PMLSerializer;
 import gov.nist.csd.pm.util.PolicyEquals;
diff --git a/src/test/java/gov/nist/csd/pm/pap/serialization/SerializationTest.java b/src/test/java/gov/nist/csd/pm/pap/serialization/SerializationTest.java
index 5e8391a1f..2958bd859 100644
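Review bot: The `new UserContext("")` passed to `deserialize` in testJSONSerializationDoesNotThrowNPE replaces the old no-arg constructor with an empty-string user, and nothing in the test says what a blank user name means to the PAP; the same sentinel is introduced in PDPTxTest.testDeserialize, where the authorization outcome appears to come from the PDPTx's own user (`u2` is rejected, `u1` is accepted) rather than from this argument. A test-local constant such as `private static final UserContext NO_USER = new UserContext("");` with a one-line comment stating that the argument carries no identity when deserializing directly through a MemoryPAP would make the intent explicit and keep the two tests in step if the sentinel changes. If production code treats `""` specially, that contract belongs in the UserContext constructor's Javadoc rather than only in the tests.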
--- a/src/test/java/gov/nist/csd/pm/pap/serialization/SerializationTest.java
+++ b/src/test/java/gov/nist/csd/pm/pap/serialization/SerializationTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.pap.serialization.pml.PMLSerializer;
 import gov.nist.csd.pm.pap.exception.PMException;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.util.PolicyEquals;
 import gov.nist.csd.pm.util.SamplePolicy;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java
index 96735f069..dc6668446 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.exception.*;
 import gov.nist.csd.pm.pap.exception.PMException;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.prohibition.ContainerCondition;
 import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
 import gov.nist.csd.pm.pap.query.model.explain.*;
@@ -54,7 +54,7 @@ void testRunTx() throws PMException {
 }
 )
 );
- assertEquals("[user=u1] does not have access right [associate] on [ua1]", e.getMessage());
+ assertEquals("[user=u1] does not have access right [associate] on [target=ua1]", e.getMessage());
 assertTrue(pap.query().graph().nodeExists("pc1"));
 assertTrue(pap.query().graph().nodeExists("oa1"));
@@ -253,8 +253,7 @@ void testAdjudicateDoesNotExist() throws PMException {
 PDP pdp = new PDP(pap);
 assertThrows(OperationDoesNotExistException.class, () -> pdp.adjudicateAdminOperation(new UserContext("u1"), "op1", Map.of()));
- assertThrows(NodeDoesNotExistException.class,
- () -> pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read"));
+ assertThrows(NodeDoesNotExistException.class, () -> pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read"));
 assertThrows(OperationDoesNotExistException.class, () -> pdp.adjudicateResourceOperation(new UserContext("u1"), "ua1", "x"));
 }
diff --git a/src/test/java/gov/nist/csd/pm/pdp/PDPTxTest.java b/src/test/java/gov/nist/csd/pm/pdp/PDPTxTest.java
index aa442722e..fbdd08cde 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/PDPTxTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/PDPTxTest.java
@@ -4,7 +4,7 @@ import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
 import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.serialization.json.JSONSerializer;
 import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
@@ -67,9 +67,9 @@ void testDeserialize() throws PMException {
 String serialize = "create pc \"test\"";
 PDPTx u2 = new PDPTx(new UserContext("u2"), new PrivilegeChecker(pap), pap, List.of());
- assertThrows(UnauthorizedException.class, () -> u2.deserialize(new UserContext(), serialize, new PMLDeserializer()));
+ assertThrows(UnauthorizedException.class, () -> u2.deserialize(new UserContext(""), serialize, new PMLDeserializer()));
 PDPTx u1 = new PDPTx(new UserContext("u1"), new PrivilegeChecker(pap), pap, List.of());
- assertDoesNotThrow(() -> u1.deserialize(new UserContext(), serialize, new PMLDeserializer()));
+ assertDoesNotThrow(() -> u1.deserialize(new UserContext(""), serialize, new PMLDeserializer()));
 }
 }
\ No newline at end of file
diff --git a/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java b/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java
index eb7330765..c2d8ad102 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/PMLBootstrapperTest.java
@@ -8,7 +8,7 @@ import gov.nist.csd.pm.pap.pml.executable.operation.PMLOperationWrapper;
 import gov.nist.csd.pm.pap.pml.executable.routine.PMLRoutineWrapper;
 import gov.nist.csd.pm.pap.pml.value.StringValue;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pdp/PrivilegeCheckerTest.java b/src/test/java/gov/nist/csd/pm/pdp/PrivilegeCheckerTest.java
index f7ceec557..62c14284e 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/PrivilegeCheckerTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/PrivilegeCheckerTest.java
@@ -5,7 +5,7 @@ import gov.nist.csd.pm.pap.op.AdminAccessRights;
 import gov.nist.csd.pm.pap.admin.AdminPolicyNode;
 import gov.nist.csd.pm.pap.PAP;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.exception.PMException;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
diff --git a/src/test/java/gov/nist/csd/pm/pdp/adjudicator/PrivilegeCheckerTest.java b/src/test/java/gov/nist/csd/pm/pdp/adjudicator/PrivilegeCheckerTest.java
index 83ffabae1..5b90454ab 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/adjudicator/PrivilegeCheckerTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/adjudicator/PrivilegeCheckerTest.java
@@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException;
 import gov.nist.csd.pm.pap.exception.PMException;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
diff --git a/src/test/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicatorTest.java b/src/test/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicatorTest.java
index 7323c172d..9b85f9d1d 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicatorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/modification/GraphModificationAdjudicatorTest.java
@@ -10,7 +10,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.op.PrivilegeChecker;
 import gov.nist.csd.pm.pap.op.graph.*;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.BeforeEach;
@@ -75,7 +75,7 @@ void setup() throws PMException {
 void createPolicyClass() throws PMException {
 assertDoesNotThrow(() -> ok.createPolicyClass("test"));
 assertEquals(
- new EventContext("u1", "", new CreatePolicyClassOp(), Map.of(NAME_OPERAND, "test")),
+ new EventContext("u1", new CreatePolicyClassOp(), Map.of(NAME_OPERAND, "test")),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().nodeExists("test"));
@@ -87,7 +87,7 @@ void createPolicyClass() throws PMException {
 void createUserAttribute() throws PMException {
 assertDoesNotThrow(() -> ok.createUserAttribute("test", List.of("ua1")));
 assertEquals(
- new EventContext("u1", "", new CreateUserAttributeOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("ua1"))),
+ new EventContext("u1", new CreateUserAttributeOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("ua1"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().nodeExists("test"));
@@ -99,7 +99,7 @@ void createUserAttribute() throws PMException {
 void createObjectAttribute() throws PMException {
 assertDoesNotThrow(() -> ok.createObjectAttribute("test", List.of("oa1")));
 assertEquals(
- new EventContext("u1", "", new CreateObjectAttributeOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("oa1"))),
+ new EventContext("u1", new CreateObjectAttributeOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("oa1"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().nodeExists("test"));
@@ -111,7 +111,7 @@ void createObjectAttribute() throws PMException {
 void createObject() throws PMException {
 assertDoesNotThrow(() -> ok.createObject("test", List.of("oa1")));
 assertEquals(
- new EventContext("u1", "", new CreateObjectOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("oa1"))),
+ new EventContext("u1", new CreateObjectOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("oa1"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().nodeExists("test"));
@@ -123,7 +123,7 @@ void createObject() throws PMException {
 void createUser() throws PMException {
 assertDoesNotThrow(() -> ok.createUser("test", List.of("ua1")));
 assertEquals(
- new EventContext("u1", "", new CreateUserOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("ua1"))),
+ new EventContext("u1", new CreateUserOp(), Map.of(NAME_OPERAND, "test", DESCENDANTS_OPERAND, List.of("ua1"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().nodeExists("test"));
@@ -135,7 +135,7 @@ void createUser() throws PMException {
 void setNodeProperties() throws PMException {
 assertDoesNotThrow(() -> ok.setNodeProperties("o1", Map.of("a", "b")));
 assertEquals(
- new EventContext("u1", "", new SetNodePropertiesOp(), Map.of(NAME_OPERAND, "o1", PROPERTIES_OPERAND, Map.of("a", "b"))),
+ new EventContext("u1", new SetNodePropertiesOp(), Map.of(NAME_OPERAND, "o1", PROPERTIES_OPERAND, Map.of("a", "b"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().getNode("o1").getProperties().equals(Map.of("a", "b")));
@@ -147,27 +147,27 @@ void setNodeProperties() throws PMException {
 void deleteNodeOk() throws PMException {
 assertDoesNotThrow(() -> ok.deleteNode("o1"));
 assertEquals(
- new EventContext("u1", "", new DeleteObjectOp(), Map.of(NAME_OPERAND, "o1", DESCENDANTS_OPERAND, Set.of("oa1"), TYPE_OPERAND, NodeType.O)),
+ new EventContext("u1", new DeleteObjectOp(), Map.of(NAME_OPERAND, "o1", DESCENDANTS_OPERAND, Set.of("oa1"), TYPE_OPERAND, NodeType.O)),
 testEventProcessor.getEventContext()
 );
 assertDoesNotThrow(() -> ok.deleteNode("oa2"));
 assertEquals(
- new EventContext("u1", "", new DeleteObjectAttributeOp(), Map.of(NAME_OPERAND, "oa2", DESCENDANTS_OPERAND, Set.of("pc1"), TYPE_OPERAND, NodeType.OA)),
+ new EventContext("u1", new DeleteObjectAttributeOp(), Map.of(NAME_OPERAND, "oa2", DESCENDANTS_OPERAND, Set.of("pc1"), TYPE_OPERAND, NodeType.OA)),
 testEventProcessor.getEventContext()
 );
 assertDoesNotThrow(() -> ok.deleteNode("ua4"));
 assertEquals(
- new EventContext("u1", "", new DeleteUserAttributeOp(), Map.of(NAME_OPERAND, "ua4", DESCENDANTS_OPERAND, Set.of("pc1"), TYPE_OPERAND, NodeType.UA)),
+ new EventContext("u1", new DeleteUserAttributeOp(), Map.of(NAME_OPERAND, "ua4", DESCENDANTS_OPERAND, Set.of("pc1"), TYPE_OPERAND, NodeType.UA)),
 testEventProcessor.getEventContext()
 );
 assertDoesNotThrow(() -> ok.deleteNode("pc2"));
 assertEquals(
- new EventContext("u1", "", new DeletePolicyClassOp(), Map.of(NAME_OPERAND, "pc2", TYPE_OPERAND, NodeType.PC, DESCENDANTS_OPERAND, Set.of())),
+ new EventContext("u1", new DeletePolicyClassOp(), Map.of(NAME_OPERAND, "pc2", TYPE_OPERAND, NodeType.PC, DESCENDANTS_OPERAND, Set.of())),
 testEventProcessor.getEventContext()
 );
 assertDoesNotThrow(() -> ok.deleteNode("u1"));
 assertEquals(
- new EventContext("u1", "", new DeleteUserOp(), Map.of(NAME_OPERAND, "u1", DESCENDANTS_OPERAND, Set.of("ua1", "ua3"), TYPE_OPERAND, NodeType.U)),
+ new EventContext("u1", new DeleteUserOp(), Map.of(NAME_OPERAND, "u1", DESCENDANTS_OPERAND, Set.of("ua1", "ua3"), TYPE_OPERAND, NodeType.U)),
 testEventProcessor.getEventContext()
 );
@@ -191,7 +191,7 @@ void deleteNodeFail() {
 void assign() throws PMException {
 assertDoesNotThrow(() -> ok.assign("o1", List.of("oa2")));
 assertEquals(
- new EventContext("u1", "", new AssignOp(), Map.of(ASCENDANT_OPERAND, "o1", DESCENDANTS_OPERAND, List.of("oa2"))),
+ new EventContext("u1", new AssignOp(), Map.of(ASCENDANT_OPERAND, "o1", DESCENDANTS_OPERAND, List.of("oa2"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().isAscendant("o1", "oa2"));
@@ -203,7 +203,7 @@ void assign() throws PMException {
 void deassign() throws PMException {
 assertDoesNotThrow(() -> ok.deassign("u1", List.of("ua1")));
 assertEquals(
- new EventContext("u1", "", new DeassignOp(), Map.of(ASCENDANT_OPERAND, "u1", DESCENDANTS_OPERAND, List.of("ua1"))),
+ new EventContext("u1", new DeassignOp(), Map.of(ASCENDANT_OPERAND, "u1", DESCENDANTS_OPERAND, List.of("ua1"))),
 testEventProcessor.getEventContext()
 );
 assertFalse(pap.query().graph().isAscendant("u1", "ua1"));
@@ -215,7 +215,7 @@ void deassign() throws PMException {
 void associate() throws PMException {
 assertDoesNotThrow(() -> ok.associate("ua1", "ua3", new AccessRightSet("assign")));
 assertEquals(
- new EventContext("u1", "", new AssociateOp(), Map.of(UA_OPERAND, "ua1", TARGET_OPERAND, "ua3", ARSET_OPERAND, new AccessRightSet("assign"))),
+ new EventContext("u1", new AssociateOp(), Map.of(UA_OPERAND, "ua1", TARGET_OPERAND, "ua3", ARSET_OPERAND, new AccessRightSet("assign"))),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().graph().getAssociationsWithSource("ua1").contains(new Association("ua1", "ua3", new AccessRightSet("assign"))));
@@ -227,7 +227,7 @@ void associate() throws PMException {
 void dissociate() throws PMException {
 assertDoesNotThrow(() -> ok.dissociate("ua1", "ua3"));
 assertEquals(
- new EventContext("u1", "", new DissociateOp(), Map.of(UA_OPERAND, "ua1", TARGET_OPERAND, "ua3")),
+ new EventContext("u1", new DissociateOp(), Map.of(UA_OPERAND, "ua1", TARGET_OPERAND, "ua3")),
 testEventProcessor.getEventContext()
 );
 assertFalse(pap.query().graph().getAssociationsWithSource("ua1").contains(new Association("ua1", "ua3", new AccessRightSet("*a"))));
diff --git a/src/test/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicatorTest.java b/src/test/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicatorTest.java
index a41b21a97..fca3db310 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicatorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/modification/ObligationsModificationAdjudicatorTest.java
@@ -9,7 +9,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.pml.pattern.OperationPattern;
 import gov.nist.csd.pm.pap.pml.pattern.subject.SubjectPattern;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.BeforeEach;
diff --git a/src/test/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicatorTest.java b/src/test/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicatorTest.java
index 79ec2a04d..e6ec5ed9f 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicatorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/modification/OperationsModificationAdjudicatorTest.java
@@ -11,7 +11,7 @@ import gov.nist.csd.pm.pap.op.operation.CreateAdminOperationOp;
 import gov.nist.csd.pm.pap.op.operation.DeleteAdminOperationOp;
 import gov.nist.csd.pm.pap.op.operation.SetResourceOperationsOp;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.BeforeEach;
@@ -70,7 +70,7 @@ void setup() throws PMException {
 void setResourceOperations() throws PMException {
 assertDoesNotThrow(() -> ok.setResourceOperations(new AccessRightSet("read")));
 assertEquals(
- new EventContext("u1", "", new SetResourceOperationsOp(), Map.of(OPERATIONS_OPERAND, new AccessRightSet("read"))),
+ new EventContext("u1", null, new SetResourceOperationsOp(), Map.of(OPERATIONS_OPERAND, new AccessRightSet("read"))),
 testEventProcessor.getEventContext()
 );
 assertEquals(new AccessRightSet("read"), pap.query().operations().getResourceOperations());
@@ -93,7 +93,7 @@ public Void execute(PAP pap, Map operands) throws PMException {
 assertDoesNotThrow(() -> ok.createAdminOperation(op1));
 assertEquals(
- new EventContext("u1", "", new CreateAdminOperationOp(), Map.of(OPERATION_OPERAND, op1)),
+ new EventContext("u1", null, new CreateAdminOperationOp(), Map.of(OPERATION_OPERAND, op1)),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().operations().getAdminOperationNames().contains("op1"));
@@ -117,7 +117,7 @@ public Void execute(PAP pap, Map operands) throws PMException {
 assertDoesNotThrow(() -> ok.deleteAdminOperation("op1"));
 assertEquals(
- new EventContext("u1", "", new DeleteAdminOperationOp(), Map.of(NAME_OPERAND, "op1")),
+ new EventContext("u1", null, new DeleteAdminOperationOp(), Map.of(NAME_OPERAND, "op1")),
 testEventProcessor.getEventContext()
 );
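Review bot: The three EventContext expectations in OperationsModificationAdjudicatorTest are built as `new EventContext("u1", null, new SetResourceOperationsOp(), …)`, while every other adjudicator test touched by this commit (GraphModificationAdjudicatorTest, ProhibitionsModificationAdjudicatorTest, RoutinesModificationAdjudicatorTest) switches to the three-argument form `new EventContext("u1", new …Op(), Map.of(…))`. Unless the four-argument constructor with an explicit null is meant to exercise something the others do not, `new EventContext("u1", new SetResourceOperationsOp(), Map.of(OPERATIONS_OPERAND, new AccessRightSet("read")))` (and likewise for the createAdminOperation and deleteAdminOperation cases) would keep the suite consistent and stop these assertions from depending on how EventContext.equals treats a null second field. If the null is intentional, a one-line comment on the first occurrence saying what it represents would save the next reader the comparison.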
diff --git a/src/test/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicatorTest.java b/src/test/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicatorTest.java
index 5435a956f..56265ba61 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicatorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/modification/ProhibitionsModificationAdjudicatorTest.java
@@ -10,7 +10,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.op.prohibition.CreateProhibitionOp;
 import gov.nist.csd.pm.pap.op.prohibition.DeleteProhibitionOp;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
 import org.junit.jupiter.api.BeforeEach;
@@ -75,7 +75,7 @@ void createProhibition() throws PMException {
 ));
 assertEquals(
 new EventContext(
- "u1", "",
+ "u1",
 new CreateProhibitionOp(),
 Map.of(
 NAME_OPERAND, "pro1",
@@ -99,7 +99,7 @@ ARSET_OPERAND, new AccessRightSet("assign"),
 ));
 assertEquals(
 new EventContext(
- "u1", "",
+ "u1",
 new CreateProhibitionOp(),
 Map.of(
 NAME_OPERAND, "pro2",
@@ -147,7 +147,7 @@ void deleteProhibition() throws PMException {
 assertEquals(
 new EventContext(
- "u1", "",
+ "u1",
 new DeleteProhibitionOp(),
 Map.of(
 NAME_OPERAND, "pro1",
diff --git a/src/test/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicatorTest.java b/src/test/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicatorTest.java
index cc4ae7700..9c967c128 100644
--- a/src/test/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicatorTest.java
+++ b/src/test/java/gov/nist/csd/pm/pdp/modification/RoutinesModificationAdjudicatorTest.java
@@ -7,7 +7,7 @@ import gov.nist.csd.pm.pap.PAP;
 import gov.nist.csd.pm.pap.op.routine.CreateAdminRoutineOp;
 import gov.nist.csd.pm.pap.op.routine.DeleteAdminRoutineOp;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import gov.nist.csd.pm.pap.routine.Routine;
 import gov.nist.csd.pm.pdp.PDP;
 import gov.nist.csd.pm.pdp.exception.UnauthorizedException;
@@ -74,7 +74,7 @@ public Void execute(PAP pap, Map operands) throws PMException {
 assertDoesNotThrow(() -> ok.createAdminRoutine(routine1));
 assertEquals(
- new EventContext("u1", "", new CreateAdminRoutineOp(), Map.of(ROUTINE_OPERAND, routine1)),
+ new EventContext("u1", new CreateAdminRoutineOp(), Map.of(ROUTINE_OPERAND, routine1)),
 testEventProcessor.getEventContext()
 );
 assertTrue(pap.query().routines().getAdminRoutineNames().contains("routine1"));
@@ -93,7 +93,7 @@ public Void execute(PAP pap, Map operands) throws PMException {
 assertDoesNotThrow(() -> ok.deleteAdminRoutine("routine1"));
 assertEquals(
- new EventContext("u1", "", new DeleteAdminRoutineOp(), Map.of(NAME_OPERAND, "routine1")),
+ new EventContext("u1", new DeleteAdminRoutineOp(), Map.of(NAME_OPERAND, "routine1")),
 testEventProcessor.getEventContext()
 );
diff --git a/src/test/java/gov/nist/csd/pm/util/SamplePolicy.java b/src/test/java/gov/nist/csd/pm/util/SamplePolicy.java
index d60f37eda..477ca3eb5 100644
--- a/src/test/java/gov/nist/csd/pm/util/SamplePolicy.java
+++ b/src/test/java/gov/nist/csd/pm/util/SamplePolicy.java
@@ -6,7 +6,7 @@ import gov.nist.csd.pm.pap.serialization.json.JSONDeserializer;
 import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
 import gov.nist.csd.pm.pap.exception.PMException;
-import gov.nist.csd.pm.pap.query.UserContext;
+import gov.nist.csd.pm.pap.query.model.context.UserContext;
 import org.apache.commons.io.IOUtils;
 import java.io.IOException;