Merge branch 'release/6.1.0'

CHANGELOG.md

@@ -4,6 +4,35 @@ All notable changes to this project are documented in this file following the [K
 Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
 
 
+## 6.1.0
+### Added
+- authzforce/core#69 : Support for XACML `<StatusDetail>` / `<MissingAttributeDetail>`s, returned when missing named Attribute(s) in AttributeDesignator/AttributeSelector expressions, and may be returned by custom PDP extensions as well. See the example of [custom RequestPreprocessor](https://github.com/authzforce/core/blob/release-20.3.0/pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/CustomTestRequestPreprocessorFactory.java) (PDP extension) adding AttributeId/Category to [custom AttributeValues](https://github.com/authzforce/core/blob/release-20.3.0/pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/TestExtensibleSimpleValue.java) (PDP extension) and the [custom function](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/TestExtensibleSimpleValueEqualFunction.java) (PDP extension) using this info to throw a standard `missing-attribute` error with `<MissingAttributeDetail>` inside a `<StatusDetail>` element; and also the [example of XACML response](https://github.com/authzforce/core/blob/release-20.3.0/pdp-testutils/src/test/resources/custom/CustomRequestPreproc/response.xml) and [PDP configuration](https://github.com/authzforce/core/blob/release-20.3.0/pdp-testutils/src/test/resources/custom/CustomRequestPreproc/pdp.xml).
+- `BaseXacmlJaxbRequestPreprocessor` and `SingleDecisionXacmlJaxbRequestPreprocessor` classes improved (new constructor arg: `customNamedAttributeParser`) to allow XACML/XML RequestPreprocessor extensions to customize the parsing of named Attributes with minimal effort.
+- Policy / Rule evaluation optimization: if the Rule's Condition is always False, then the Rule is always NotApplicable as per section 7.11 of XACML 3.0, therefore skip the Rule.
+
+### Fixed
+- CVEs by upgrading dependencies:
+    - authzforce-ce-parent: 8.5.0
+    - authzforce-ce-xacml-model, authzforce-ce-pdp-ext-model, authzforce-ce-xmlns-model: 8.5.0
+    - authzforce-ce-core-pdp-engine, authzforce-ce-core-pdp-io-xacml-json: 20.3.1
+    - authzforce-ce-core-pdp-api: 21.4.0
+    - authzforce-ce-xacml-json-model: 3.0.5
+    - authzforce-ce-jaxrs-utils: 2.0.4
+    - javax.mail -> jakarta.mail: 1.6.7
+    - org.json:json: 20230227
+    - Apache CXF version: 3.6.1
+    - Spring Boot Starter: 2.6.14
+    - Spring Core: 5.3.29
+    - SLF4j: 1.7.36
+    - Saxon-HE: 12.3
+    - guava: 32.1.2-jre
+    - org.everit.json.schema, renamed everit-json-schema: 1.14.2
+    - jaxb2-basics-runtime: 0.13.1
+    - jaxb-runtime: 2.3.3
+    - logback-classic: 1.2.12
+- authzforce/core#73 : Exception thrown when a Rule's Condition always returns False.
+
+
 ## 6.0.1
 ### Fixed
 - Dockerfile (JAR version)

CONTRIBUTING.md

@@ -23,7 +23,7 @@
    ```shell
    $ git checkout release-${version} 
    $ cd  cxf-spring-boot-server
-   $ docker build -t authzforce/restful-pdp:${version} .
+   $ docker build -t authzforce/restful-pdp:latest -t authzforce/restful-pdp:${version} .
    $ docker login
    $ docker push authzforce/restful-pdp:${version}
    ```

README.md

@@ -31,7 +31,7 @@ See [AuthzForce Core features](https://github.com/authzforce/core#features) for
 ## Limitations
 See [AuthzForce Core limitations](https://github.com/authzforce/core#limitations).
 
-## System requirements
+## System requirements 
 Java (JRE) 11 or later.
 
 
@@ -99,9 +99,9 @@ To use the Policy Provider for policies stored in MongoDB, please make sure the
 </dependency>
 <dependency>
          <groupId>org.mongodb</groupId>
-         <artifactId>mongo-java-driver</artifactId>
+         <artifactId>mongodb-driver-legacy</artifactId>
 	<!-- Set the version to whatever version is specified in authzforce-ce-core-pdp-testutils Maven POM. -->
-         <version>${mongo-java-driver.version}</version>
+         <version>${mongodb-driver-legacy.version}</version>
 </dependency>
 ```
 

cxf-spring-boot-server/Dockerfile

@@ -12,7 +12,7 @@ VOLUME /tmp
 RUN addgroup --system spring && adduser --system --home /home/spring --ingroup spring --disabled-password spring
 USER spring:spring
 WORKDIR /home/spring
-ARG JAR_FILE=target/*-6.0.1.jar
+ARG JAR_FILE=target/authzforce-ce-restful-pdp-cxf-spring-boot-server-*.jar
 COPY ${JAR_FILE} /app.jar
 # COPY extensions /extensions
 

cxf-spring-boot-server/owasp-dependency-check-suppression.xml

@@ -1,8 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions
-	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 	<suppress>
-		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
+		<notes><![CDATA[
+   FP per issue https://github.com/jeremylong/DependencyCheck/issues/5545.
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+		<vulnerabilityName>CVE-2022-45688</vulnerabilityName>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+   FP per issue #5779
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+  	Considered FP by Spring devs - https://github.com/spring-projects/spring-framework/issues/24434
+   ]]></notes>
+		<packageUrl>pkg:maven/org.springframework/[email protected]</packageUrl>
+		<cve>CVE-2016-1000027</cve>
 	</suppress>
 </suppressions>

cxf-spring-boot-server/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-restful-pdp</artifactId>
-		<version>6.0.1</version>
+		<version>6.1.0</version>
 	</parent>
 	<artifactId>authzforce-ce-restful-pdp-cxf-spring-boot-server</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
@@ -16,16 +16,12 @@
 		<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
 		<url>${git.url.base}/restful-pdp/cxf-spring-boot-server</url>
 	</scm>
-	<properties>
-		<tomcat-version>9.0.58</tomcat-version>
-	</properties>
 	<dependencyManagement>
 		<dependencies>
 			<dependency>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>
-				<!-- Override Spring Boot v2.6.1 - used by cxf-spring-boot-starter-jaxrs:3.5.0 - which depends on Spring Core 5.3.14 which has 1 vulnerability. -->
-				<version>${spring-boot-starter.version}</version>
+				<version>${spring-boot.version}</version>
 				<type>pom</type>
 				<scope>import</scope>
 				<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
@@ -46,43 +42,25 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-restful-pdp-jaxrs</artifactId>
-			<version>6.0.1</version>
+			<version>6.1.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-rt-features-logging</artifactId>
 			<version>${cxf.version}</version>
 		</dependency>
+		<!-- cxf-spring-boot-starter-jaxrs:3.6.1 depends on spring-boot-starter:2.7.14 depends on snakeyaml:1.30 by default, which is affected by several CVES, fixed only in snakeyaml:2.0 and above
+		 So we are forcing snakeyaml:2.0+ version.
+		 -->
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+			<version>2.0</version>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-spring-boot-starter-jaxrs</artifactId>
 			<version>${cxf.version}</version>
-			<exclusions>
-				<exclusion>
-					<groupId>com.fasterxml.jackson.core</groupId>
-					<artifactId>jackson-databind</artifactId>
-				</exclusion>
-				<!-- exclude the validation-api:1.1.0 dependency that cxf-spring-boot-starter-jaxrs to prevent conflict with v2.0.1 that cxf-spring-boot-starter-jaxrs also depends on indirectly via spring-boot-starter-web / hibernate-validator -->
-				<exclusion>
-					<groupId>javax.validation</groupId>
-					<artifactId>validation-api</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.tomcat.embed</groupId>
-			<artifactId>tomcat-embed-core</artifactId>
-			<version>${tomcat-version}</version>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.tomcat.embed</groupId>
-			<artifactId>tomcat-embed-websocket</artifactId>
-			<version>${tomcat-version}</version>
-		</dependency>
-		<dependency>
-			<groupId>javax.validation</groupId>
-			<artifactId>validation-api</artifactId>
-			<version>2.0.1.Final</version>
 		</dependency>
 		<dependency>
 			<groupId>junit</groupId>
@@ -92,7 +70,7 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
-			<version>${spring-boot-starter.version}</version>
+			<version>${spring-boot.version}</version>
 			<scope>test</scope>
 			<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
 			<exclusions>
@@ -217,7 +195,7 @@
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
 				<!-- <version>2.0.0.M6</version> -->
-				<version>${spring-boot-starter.version}</version>
+				<version>${spring-boot.version}</version>
 				<configuration>
 					<executable>true</executable>
 					<layout>ZIP</layout>

cxf-spring-boot-server/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 THALES.
+ * Copyright (C) 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

cxf-spring-boot-server/src/test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 THALES.
+ * Copyright (C) 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

docker/docker-compose.yml

@@ -6,7 +6,7 @@ services:
   pdp:
     # depends_on:
     #  - iam
-    image: authzforce/restful-pdp:5.0.0
+    image: authzforce/restful-pdp
 
     ports:
      - "8080:8080"

jaxrs/owasp-dependency-check-suppression.xml

@@ -1,7 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
-	<suppress>
-		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
-	</suppress>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 </suppressions>

jaxrs/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-restful-pdp</artifactId>
-		<version>6.0.1</version>
+		<version>6.1.0</version>
 	</parent>
 	<artifactId>authzforce-ce-restful-pdp-jaxrs</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
@@ -17,7 +17,7 @@
 		<url>${git.url.base}/restful-pdp/jaxrs</url>
 	</scm>
 	<properties>
-		<authzforce-ce-core.version>20.0.0</authzforce-ce-core.version>
+		<authzforce-ce-core.version>20.3.1</authzforce-ce-core.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -33,7 +33,7 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-jaxrs-utils</artifactId>
-			<version>2.0.3</version>
+			<version>2.0.4</version>
 		</dependency>
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
@@ -44,7 +44,7 @@
 		<dependency>
 			<groupId>org.testng</groupId>
 			<artifactId>testng</artifactId>
-			<version>6.14.3</version>
+			<version>7.8.0</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -167,7 +167,8 @@
 						in same test suite -->
 					<!-- <suiteXmlFile>src/test/suite.xml</suiteXmlFile> -->
 					<!-- </suiteXmlFiles> -->
-					<skipAfterFailureCount>1</skipAfterFailureCount>
+					<!-- WARNING: skipAfterFailureCount > 0 is causing failure with TestNG 7.x -->
+					<skipAfterFailureCount>0</skipAfterFailureCount>
 					<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit 
 						test standard output to a file (found in reportsDirectory/testName-output.txt) -->
 					<redirectTestOutputToFile>false</redirectTestOutputToFile>

jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/PdpBundle.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 THALES.
+ * Copyright 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/XacmlPdpResource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 THALES.
+ * Copyright 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

jaxrs/src/test/java/org/ow2/authzforce/rest/pdp/jaxrs/test/XacmlRestProfileJaxRsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 THALES.
+ * Copyright 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

owasp-dependency-check-suppression.xml

@@ -1,8 +1,29 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions
-	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
-	<suppress>
+	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+	<!--<suppress>-->
 		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
+		<!--<cve>CVE-2018-8088</cve>-->
+	<!--</suppress>-->
+	<suppress>
+		<notes><![CDATA[
+   FP per issue https://github.com/jeremylong/DependencyCheck/issues/5545.
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+		<vulnerabilityName>CVE-2022-45688</vulnerabilityName>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+   FP per issue #5779
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+  	Considered FP by Spring devs - https://github.com/spring-projects/spring-framework/issues/24434
+   ]]></notes>
+		<packageUrl>pkg:maven/org.springframework/[email protected]</packageUrl>
+		<cve>CVE-2016-1000027</cve>
 	</suppress>
 </suppressions>

pom.xml

@@ -3,10 +3,10 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>8.2.1</version>
+      <version>8.5.0</version>
    </parent>
    <artifactId>authzforce-ce-restful-pdp</artifactId>
-   <version>6.0.1</version>
+   <version>6.1.0</version>
    <packaging>pom</packaging>
    <name>${project.groupId}:${project.artifactId}</name>
    <description>AuthzForce - Parent Project of RESTful PDP API implementation according to REST Profile of XACML 3.0</description>