diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java index e47b0ee5..65ff287a 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryAccessQuerier.java @@ -23,6 +23,7 @@ public class MemoryAccessQuerier extends AccessQuerier { public MemoryAccessQuerier(PolicyStore memoryPolicyStore) { super(memoryPolicyStore); } + @Override public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { // traverse the user side of the graph to get the associations @@ -38,38 +39,42 @@ public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targe } @Override - public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { - AccessRightSet accessRights = new AccessRightSet(); - + public List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException { // traverse the user side of the graph to get the associations MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); UserDagResult userDagResult = userEvaluator.evaluate(userCtx); - if (userDagResult.borderTargets().isEmpty()) { - return accessRights; - } // traverse the target side of the graph to get permissions per policy class MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(store); - TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); - // resolve the permissions - return resolveDeniedAccessRights(userDagResult, targetDagResult); + List accessRightSets = new ArrayList<>(); + for (TargetContext targetCtx : targetCtxs) { + TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); + AccessRightSet privs = resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations()); + + accessRightSets.add(privs); + } + + return accessRightSets; } @Override - public Map computePolicyClassAccessRights(UserContext userCtx, TargetContext targetCtx) throws PMException { + public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { + AccessRightSet accessRights = new AccessRightSet(); + // traverse the user side of the graph to get the associations MemoryUserEvaluator userEvaluator = new MemoryUserEvaluator(store); UserDagResult userDagResult = userEvaluator.evaluate(userCtx); if (userDagResult.borderTargets().isEmpty()) { - return new HashMap<>(); + return accessRights; } // traverse the target side of the graph to get permissions per policy class MemoryTargetEvaluator targetEvaluator = new MemoryTargetEvaluator(store); TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx); - return targetDagResult.pcMap(); + // resolve the permissions + return resolveDeniedAccessRights(userDagResult, targetDagResult); } @Override diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java index 2cc661bb..21584b4d 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryExplainer.java @@ -47,7 +47,7 @@ private List resolvePaths(UserContext userCtx, TargetContext MemoryUserExplainer userExplainer = new MemoryUserExplainer(policyStore); MemoryTargetExplainer targetExplainer = new MemoryTargetExplainer(policyStore); Map>> targetPaths = targetExplainer.explainTarget(targetCtx); - Map> userPaths = userExplainer.explainUser(userCtx, targetPaths); + Map> userPaths = userExplainer.explainIntersectionOfTargetPaths(userCtx, targetPaths); List result = new ArrayList<>(); diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java index fcffda88..9e7c7547 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetEvaluator.java @@ -1,6 +1,5 @@ package gov.nist.csd.pm.impl.memory.pap.access; -import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException; import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.graph.dag.*; import gov.nist.csd.pm.pap.graph.node.Node; @@ -31,6 +30,8 @@ public MemoryTargetEvaluator(PolicyStore policyStore) { * each policy class. */ public TargetDagResult evaluate(UserDagResult userCtx, TargetContext targetCtx) throws PMException { + targetCtx.checkExists(policyStore.graph()); + Collection policyClasses = policyStore.graph().getPolicyClasses(); Map borderTargets = userCtx.borderTargets(); Set userProhibitionTargets = collectUserProhibitionTargets(userCtx.prohibitions()); diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java index 0bf699e7..2a795ebb 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryTargetExplainer.java @@ -24,10 +24,11 @@ public MemoryTargetExplainer(PolicyStore policyStore) { } public Map>> explainTarget(TargetContext targetCtx) throws PMException { + targetCtx.checkExists(policyStore.graph()); + Collection policyClasses = policyStore.graph().getPolicyClasses(); // initialize map with policy classes - Map>> pcMap = new HashMap<>(); Map, List>> pcPathAssociations = new HashMap<>(); for (String pc : policyClasses) { pcPathAssociations.put(pc, new HashMap<>(Map.of(new ArrayList<>(List.of(pc)), new ArrayList<>()))); @@ -75,6 +76,8 @@ public Map>> explainTarget(TargetContext tar } // convert the map created above into a map where the policy classes are the keys + Map>> pcMap = new HashMap<>(); + for (String target : nodes) { Map, List> targetPathAssocs = pcPathAssociations.get(target); for (Map.Entry, List> entry : targetPathAssocs.entrySet()) { diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java index d3320b85..b293d7c7 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserEvaluator.java @@ -32,6 +32,8 @@ public MemoryUserEvaluator(PolicyStore policyStore) { * @return a Map of target nodes that the subject can reach via associations and the operations the user has on each. */ protected UserDagResult evaluate(UserContext userCtx) throws PMException { + userCtx.checkExists(policyStore.graph()); + final Map borderTargets = new HashMap<>(); // initialize with the prohibitions or the provided process final Set reachedProhibitions = new HashSet<>(getProhibitionsWithSubject(userCtx.getProcess())); diff --git a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java index 06d9d50c..f0038e38 100644 --- a/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java +++ b/src/main/java/gov/nist/csd/pm/impl/memory/pap/access/MemoryUserExplainer.java @@ -19,7 +19,9 @@ public MemoryUserExplainer(PolicyStore policyStore) { this.policyStore = policyStore; } - public Map> explainUser(UserContext userCtx, Map>> targetPaths) throws PMException { + public Map> explainIntersectionOfTargetPaths(UserContext userCtx, Map>> targetPaths) throws PMException { + userCtx.checkExists(policyStore.graph()); + // initialize map with the UAs of the target path associations Map> associationUAPaths = new HashMap<>(); Set uasFromTargetPathAssociations = new HashSet<>(getUAsFromTargetPathAssociations(targetPaths)); @@ -53,10 +55,12 @@ public Map> explainUser(UserContext userCtx, Map attributes = userCtx.getAttributes(); nodes.addAll(attributes); + dfs.walk(attributes); } diff --git a/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java b/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java index e42dbe1a..2f2f6478 100644 --- a/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java +++ b/src/main/java/gov/nist/csd/pm/pap/graph/node/NodeType.java @@ -15,21 +15,29 @@ * OS = Operation Set */ public enum NodeType implements Serializable { - OA("OA"), - UA("UA"), - U("U"), - O("O"), - PC("PC"), - ANY("ANY"); + OA(0), + UA(1), + U(2), + O(3), + PC(4), + ANY(5); - private final String label; + private final int i; - NodeType(String label) { - this.label = label; + NodeType(int i) { + this.i = i; } public String toString() { - return label; + return switch (i) { + case 0 -> "OA"; + case 1 -> "UA"; + case 2 -> "U"; + case 3 -> "O"; + case 4 -> "PC"; + case 5 -> "ANY"; + default -> throw new IllegalStateException("Unexpected value: " + i); + }; } /** diff --git a/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java b/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java index b26776ae..15318ba4 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/AdminAccessRights.java @@ -62,7 +62,6 @@ public class AdminAccessRights { public static final String CREATE_ADMIN_ROUTINE = "create_admin_routine"; public static final String DELETE_ADMIN_ROUTINE = "delete_admin_routine"; - // policy review public static final String REVIEW_POLICY = "review_policy"; diff --git a/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java b/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java index 126c46b6..d2850f0f 100644 --- a/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java +++ b/src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java @@ -41,26 +41,14 @@ public void check(UserContext userCtx, String target, Collection toCheck } public void check(UserContext userCtx, UserContext target, Collection toCheck) throws PMException { - TargetContext targetContext; - if (target.isUser()) { - targetContext = new TargetContext(target.getUser()); - } else { - targetContext = new TargetContext(target.getAttributes()); - } + TargetContext targetContext = new TargetContext(target); AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext); checkOrThrow(userCtx, targetContext, computed, toCheck); } - public void check(UserContext userCtx, TargetContext target, Collection toCheck) throws PMException { - TargetContext targetContext; - if (target.isNode()) { - targetContext = new TargetContext(target.getTarget()); - } else { - targetContext = new TargetContext(target.getAttributes()); - } - + public void check(UserContext userCtx, TargetContext targetContext, Collection toCheck) throws PMException { AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext); checkOrThrow(userCtx, targetContext, computed, toCheck); @@ -76,12 +64,6 @@ public void check(UserContext userCtx, List targets, String... toCheck) } } - public void check(UserContext userCtx, Collection targets, String... toCheck) throws PMException { - for (String target : targets) { - check(userCtx, target, toCheck); - } - } - public void checkPattern(UserContext userCtx, Pattern pattern, String toCheck) throws PMException { ReferencedNodes referencedNodes = pattern.getReferencedNodes(); if (referencedNodes.isAny()) { @@ -109,4 +91,13 @@ private void checkOrThrow(UserContext userContext, TargetContext targetContext, } } } + + private void checkOrThrow(UserContext userCtx, List targetContexts, List privileges, Collection toCheck) throws PMException { + for (int i = 0; i < targetContexts.size(); i++) { + TargetContext targetContext = targetContexts.get(i); + AccessRightSet privs = privileges.get(i); + + checkOrThrow(userCtx, targetContext, privs, toCheck); + } + } } diff --git a/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java b/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java index bdc39eac..6db07af3 100644 --- a/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java +++ b/src/main/java/gov/nist/csd/pm/pap/query/AccessQuery.java @@ -7,6 +7,7 @@ import gov.nist.csd.pm.pap.query.model.subgraph.SubgraphPrivileges; import gov.nist.csd.pm.pap.query.model.explain.Explain; +import java.util.List; import java.util.Map; /** @@ -26,26 +27,25 @@ public interface AccessQuery { AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException; /** - * Compute the privileges that are denied for the user on the target node.The provided User and Target contexts, - * allow for the specification of a single node or a list of attributes. + * Compute the privileges the user has on each target node. The provided User and Target contexts, allow for the + * specification of a single node or a list of attributes. + * * @param userCtx The user and process or list of attributes and process. Process is optional. - * @param targetCtx The target node or list of attributes. - * @return An AccessRightSet that contains the users denied privileges on the target node. + * @param targetCtxs The target nodes. + * @return An AccessRightSet that contains the users privileges on the target node. * @throws PMException If there is an error in the PM. */ - AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException; + List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException; /** - * Compute the access rights that a user has access to under each policy class the target is an ascendant of. This - * does not include prohibitions. The provided User and Target contexts, allow for the specification of a single - * node or a list of attributes. - * + * Compute the privileges that are denied for the user on the target node.The provided User and Target contexts, + * allow for the specification of a single node or a list of attributes. * @param userCtx The user and process or list of attributes and process. Process is optional. * @param targetCtx The target node or list of attributes. - * @return A mapping of policy class names to the access rights the user has under them on the target node. + * @return An AccessRightSet that contains the users denied privileges on the target node. * @throws PMException If there is an error in the PM. */ - Map computePolicyClassAccessRights(UserContext userCtx, TargetContext targetCtx) throws PMException; + AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException; /** * Compute a mapping of all the nodes the user has access to the access rights they have on each. The provided diff --git a/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java b/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java index f4f6f203..22cac1b8 100644 --- a/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java +++ b/src/main/java/gov/nist/csd/pm/pap/query/model/context/TargetContext.java @@ -1,6 +1,9 @@ package gov.nist.csd.pm.pap.query.model.context; -import java.util.ArrayList; +import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException; +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.store.GraphStore; + import java.util.List; import java.util.Objects; @@ -13,6 +16,14 @@ public TargetContext(String target) { this.target = target; } + public TargetContext(UserContext target) { + if (target.isUser()) { + this.target = target.getUser(); + } else { + this.attributes = target.getAttributes(); + } + } + public TargetContext(List attributes) { this.attributes = attributes; } @@ -37,6 +48,20 @@ public boolean isNode() { return target != null; } + public void checkExists(GraphStore graphStore) throws PMException { + if (isNode()) { + if (!graphStore.nodeExists(target)) { + throw new NodeDoesNotExistException(target); + } + } else { + for (String attribute : attributes) { + if (!graphStore.nodeExists(attribute)) { + throw new NodeDoesNotExistException(attribute); + } + } + } + } + @Override public String toString() { String s = "%s"; diff --git a/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java b/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java index eef1fc8a..c9ba4785 100644 --- a/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java +++ b/src/main/java/gov/nist/csd/pm/pap/query/model/context/UserContext.java @@ -1,7 +1,10 @@ package gov.nist.csd.pm.pap.query.model.context; +import gov.nist.csd.pm.pap.exception.NodeDoesNotExistException; +import gov.nist.csd.pm.pap.exception.PMException; +import gov.nist.csd.pm.pap.store.GraphStore; + import java.io.Serializable; -import java.util.ArrayList; import java.util.List; import java.util.Objects; @@ -57,6 +60,20 @@ public boolean isUser() { return user != null; } + public void checkExists(GraphStore graphStore) throws PMException { + if (isUser()) { + if (!graphStore.nodeExists(user)) { + throw new NodeDoesNotExistException(user); + } + } else { + for (String attribute : attributes) { + if (!graphStore.nodeExists(attribute)) { + throw new NodeDoesNotExistException(attribute); + } + } + } + } + @Override public String toString() { String s = "%s"; diff --git a/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java b/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java index 5b476010..0b7893e2 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java +++ b/src/main/java/gov/nist/csd/pm/pdp/PDPTx.java @@ -64,7 +64,6 @@ public PolicyQueryAdjudicator query() { @Override public void setPMLOperations(Map pmlOperations) throws PMException { privilegeChecker.check(userCtx, AdminPolicyNode.PM_ADMIN_OBJECT.nodeName(), SET_PML_OPS); - super.setPMLOperations(pmlOperations); } diff --git a/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java b/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java index 4a5fb108..1ae5a91f 100644 --- a/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java +++ b/src/main/java/gov/nist/csd/pm/pdp/query/AccessQueryAdjudicator.java @@ -3,7 +3,6 @@ import gov.nist.csd.pm.pap.exception.PMException; import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet; import gov.nist.csd.pm.pap.PAP; -import gov.nist.csd.pm.pap.op.AdminAccessRights; import gov.nist.csd.pm.pap.op.PrivilegeChecker; import gov.nist.csd.pm.pap.query.AccessQuery; import gov.nist.csd.pm.pap.query.model.context.TargetContext; @@ -12,6 +11,7 @@ import gov.nist.csd.pm.pap.query.model.explain.Explain; import gov.nist.csd.pm.pdp.Adjudicator; +import java.util.List; import java.util.Map; public class AccessQueryAdjudicator extends Adjudicator implements AccessQuery { @@ -29,85 +29,56 @@ public AccessQueryAdjudicator(UserContext adjUserContext, PAP pap, PrivilegeChec @Override public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, targetCtx, TO_CHECK); - return pap.query().access().computePrivileges(userCtx, targetCtx); } @Override - public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, targetCtx, TO_CHECK); - - return pap.query().access().computeDeniedPrivileges(userCtx, targetCtx); + public List computePrivileges(UserContext userCtx, List targetCtxs) throws PMException { + return pap.query().access().computePrivileges(userCtx, targetCtxs); } @Override - public Map computePolicyClassAccessRights(UserContext userCtx, TargetContext targetCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, targetCtx, TO_CHECK); - - return pap.query().access().computePolicyClassAccessRights(userCtx, targetCtx); + public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException { + return pap.query().access().computeDeniedPrivileges(userCtx, targetCtx); } @Override public Map computeCapabilityList(UserContext userCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - return pap.query().access().computeCapabilityList(userCtx); } @Override public Map computeACL(TargetContext targetCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, targetCtx, TO_CHECK); - return pap.query().access().computeACL(targetCtx); } @Override public Map computeDestinationAttributes(UserContext userCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - return pap.query().access().computeDestinationAttributes(userCtx); } @Override public SubgraphPrivileges computeSubgraphPrivileges(UserContext userCtx, String root) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, root, TO_CHECK); - return pap.query().access().computeSubgraphPrivileges(userCtx, root); } @Override public Map computeAdjacentAscendantPrivileges(UserContext userCtx, String root) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, root, TO_CHECK); - return pap.query().access().computeAdjacentAscendantPrivileges(userCtx, root); } @Override public Map computeAdjacentDescendantPrivileges(UserContext userCtx, String root) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, root, TO_CHECK); - return pap.query().access().computeAdjacentDescendantPrivileges(userCtx, root); } @Override public Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - privilegeChecker.check(this.adjUserContext, targetCtx, TO_CHECK); - return pap.query().access().explain(userCtx, targetCtx); } @Override public Map computePersonalObjectSystem(UserContext userCtx) throws PMException { - privilegeChecker.check(this.adjUserContext, userCtx, TO_CHECK); - return pap.query().access().computePersonalObjectSystem(userCtx); } } diff --git a/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java b/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java index 833ad98c..770e4433 100644 --- a/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java +++ b/src/test/java/gov/nist/csd/pm/pap/query/AccessQuerierTest.java @@ -792,35 +792,6 @@ void testComputeDeniedPrivileges() throws PMException { assertEquals(new AccessRightSet("write"), deniedPrivileges); } - @Test - void testComputePolicyClassAccessRights() throws PMException { - String pml = """ - set resource operations ["read", "write"] - create pc "pc1" - create UA "ua1" in ["pc1"] - create OA "oa1" in ["pc1"] - associate "ua1" and "oa1" with ["read", "write"] - - create pc "pc2" - create UA "ua2" in ["pc2"] - create OA "oa2" in ["pc2"] - associate "ua2" and "oa2" with ["read"] - - create u "u1" in ["ua1", "ua2"] - create o "o1" in ["oa1", "oa2"] - """; - pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer()); - Map policyClassAccessRights = - pap.query().access().computePolicyClassAccessRights(new UserContext("u1"), new TargetContext("o1")); - assertEquals( - Map.of( - "pc1", new AccessRightSet("read", "write"), - "pc2", new AccessRightSet("read") - ), - policyClassAccessRights - ); - } - @Test void testGetAccessibleNodes() throws PMException { pap.modify().operations().setResourceOperations(RWE); diff --git a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java index 9a956a4f..dc666844 100644 --- a/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java +++ b/src/test/java/gov/nist/csd/pm/pdp/PDPTest.java @@ -253,7 +253,7 @@ void testAdjudicateDoesNotExist() throws PMException { PDP pdp = new PDP(pap); assertThrows(OperationDoesNotExistException.class, () -> pdp.adjudicateAdminOperation(new UserContext("u1"), "op1", Map.of())); - assertDoesNotThrow(() -> pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read")); + assertThrows(NodeDoesNotExistException.class, () -> pdp.adjudicateResourceOperation(new UserContext("u1"), "oa1", "read")); assertThrows(OperationDoesNotExistException.class, () -> pdp.adjudicateResourceOperation(new UserContext("u1"), "ua1", "x")); }