Add XACML DAO Interfaces

[Niru-D]

Proposed changes in this pull request

• Introduce DAO layers for the XACML feature to isolate registry access points.
• Create new interfaces for registry implementations, which can later be extended for RDBMS structures.

Ideally, this change should not introduce any behavioral changes. When considering the future RDBMS implementation, some strictly necessary changes are introduced.

Behavioral changes

• Entitlement property PDP.Policy.Store.Module used to be of type PolicyStoreManageModule but now it should be of typePolicyDAO.
• EntitlementPolicyAdminService.importPolicyFromRegistry() function can no longer be supported since it imports a policy given a registry path, hence the method will be deprecated.

Implementation changes

• Earlier when publishing a policy to PDP, we persisted some light data including the active status and order to path /repository/identity/entitlement/policy/data/, while also persisting the full resource at /repository/identity/entitlement/policy/pdp/. Now we only persist to the pdp path.
• The policy version manager has been removed and versioning is moved inside the methods that require it.
• Three new interfaces have been introduced as follows, replacing some existing files
  • PolicyDAO → CRUD operations of PAP and PDP, replacing PAPPolicyStore.java and RegistryPolicyStoreManageModule along with interface PolicyStoreManageModule.
  • ConfigDAO → Config operations, replacing DefaultPolicyDataStore.java and its interface PolicyDataStore.java
  • SubscriberDAO → CRUD operations of subscribers, extracting the implementations from PolicyPublisher.java

Description

• This PR introduces DAO interfaces to XACML, facilitating multiple DAO implementations.
• This task is a part of an ongoing effort to remove the registry usage from XACML.

Related Issues

• Carbon registry usage removal from the XACML product-is#20000

Checklist (for reviewing)

General

• Is this PR explained thoroughly? All code changes must be accounted for in the PR description.
• Is the PR labeled correctly?

Functionality

• Are all requirements met? Compare implemented functionality with the requirements specification.
• Does the UI work as expected? There should be no Javascript errors in the console; all resources should load. There should be no unexpected errors. Deliberately try to break the feature to find out if there are corner cases that are not handled.

Code

• Do you fully understand the introduced changes to the code? If not ask for clarification, it might uncover ways to solve a problem in a more elegant and efficient way.
• Does the PR introduce any inefficient database requests? Use the debug server to check for duplicate requests.
• Are all necessary strings marked for translation? All strings that are exposed to users via the UI must be marked for translation.

Tests

• Are there sufficient test cases? Ensure that all components are tested individually; models, forms, and serializers should be tested in isolation even if a test for a view covers these components.
• If this is a bug fix, are tests for the issue in place? There must be a test case for the bug to ensure the issue won’t regress. Make sure that the tests break without the new code to fix the issue.
• If this is a new feature or a significant change to an existing feature? has the manual testing spreadsheet been updated with instructions for manual testing?

Security

• Confirm this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.
• Are all UI and API inputs run through forms or serializers?
• Are all external inputs validated and sanitized appropriately?
• Does all branching logic have a default case?
• Does this solution handle outliers and edge cases gracefully?
• Are all external communications secured and restricted to SSL?

Documentation

• Are changes to the UI documented in the platform docs? If this PR introduces new platform site functionality or changes existing ones, the changes should be documented.
• Are changes to the API documented in the API docs? If this PR introduces new API functionality or changes existing ones, the changes must be documented.
• Are reusable components documented? If this PR introduces components that are relevant to other developers (for instance a mixin for a view or a generic form) they should be documented in the Wiki.

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9075962866

[darshanasbg]

Policy versioning is removed from this layer and moved to DAO level impl (PolicyDAO.removePolicy()) itself. Validate whether this is ok.

[darshanasbg]

This should be ok, since PolicyDAO.removePolicy() only get called from here.

[darshanasbg]

Policy versioning is removed from this layer and moved to DAO level impl (PolicyDAO.addOrUpdatePolicy()) itself. Validate whether this is ok.

[darshanasbg]

PAPPolicyStoreManager.addOrUpdatePolicy() getting called from three other places.

EntitlementUtil.addFilesystemPolicy() behaves similarly like here.
ie: Creating new version removed from the method impl and new version creation now handled in PolicyDAO.addOrUpdatePolicy().

But two other places (mentioned below) does not creates a version as of now. But with the proposed change it will creates a new version.

• EntitlementPolicyAdminService.orderPolicy()
• EntitlementPolicyAdminService.enableDisablePolicy()

[Yoshani]

This causes a behavioral change where a new policy version is created when updating the policy order or enabling/disabling a published policy from PDP. New versions should not be created for such minor adjustments. To address, we can make versioning a conditional process.

[Yoshani]

Made versioning in addOrUpdatePolicy conditional.

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9075962866
Status: failure

[darshanasbg]

Removing Boolean.parseBoolean(System.getProperty(ENHANCED_XACML_LOADING_SYSTEM_PROPERTY) intentional?

[Yoshani]

Current impl works as if property ENHANCED_XACML_LOADING_SYSTEM_PROPERTY was true. Earlier behavior where when this property is false, in addition to policy being published to PDP, a subscriber event being published is missed.
See EntitlementUtil.addPolicyToPDP(). Must check if this is ok.

[Yoshani]

Also, the called method executes a version store update, which was not initially triggered in this flow. Perhaps versioning should be conditional?

[Yoshani]

According to the usage, removing this doesn't seem to have much impact, since the flow works by publishing the policy to pdp.

[darshanasbg]

PDP.Policy.Store.Module type used to be PolicyStoreManageModule but with this change its needs to be the type PolicyDAO.

[darshanasbg]

Have to validate, whether this approach (pulling the policy from the database and setting the policy as null in the runtime) will actually serve the purpose of building "Light weight" policy DTO.

[Yoshani]

Refer #5686 (comment)

[darshanasbg]

Have to validate, whether this approach (pulling the policy from the database and setting the policy as null in the runtime) will actually serve the purpose of building "Light weight" policy DTO.

[Yoshani]

Previously also we anyway load the full resource from registry and only set a subset of the attributes in the DTO. Since we are loading the full object, with regards to registry impl there might not be a considerable performance hit. But we could optimize this by only querying the required data in the db impl to be introduced later, but this will be a complexity overhead.
So, IMO it won't have much of a performance hit.

[darshanasbg]

Have to check whether removing this is intentional.

[Yoshani]

Might have been removed since all usages of isPolicyOrderingSupport() evaluate to true. To minimize impact, better to reintroduce it.

[Yoshani]

Reintroduced to AbstractPolicyFinderModule

[darshanasbg]

Have to check whether removing this is intentional.

[Yoshani]

Might have been removed since all usages of isPolicyDeActivationSupport() evaluate to true. To minimize impact, better to reintroduce it.

[Yoshani]

Reintroduced

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9084032838

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9084032838
Status: failure

[darshanasbg]

PR builder completed Link: https://github.com/wso2/product-is/actions/runs/9084032838 Status: failure

[INFO] Results:
 [INFO]
 [ERROR] Failures:
 [ERROR] ApplicationAuthzTenantTestCase.testInit:133->AbstractApplicationAuthzTestCase.setupXACMLPolicy:184 » EntitlementPolicyAdminServiceEntitlement
 [ERROR] ApplicationAuthzTestCase.testInit:129->setupXACMLPolicy:140 » EntitlementPolicyAdminServiceEntitlement
 [ERROR] EntitlementRestServiceTestCase.testPublishPolicy:137 » EntitlementPolicyAdminServiceEntitlement
 [ERROR] IdentityProviderMgtServiceTestCase.testGetAllProvisioningConnectors:610 Default provisioning connectors not available
 [ERROR] OAuth2XACMLScopeValidatorTestCase.testPublishPolicy:182 » EntitlementPolicyAdminServiceEntitlement
 [ERROR] ProvisioningTestCase.createUser:178 expected:<true> but was:<false>
 [ERROR] org.wso2.identity.integration.test.rest.api.server.idp.v1.IdPSuccessTest.testListMetaOutboundConnectors(org.wso2.identity.integration.test.rest.api.server.idp.v1.IdPSuccessTest)
 [ERROR] Run 1: IdPSuccessTest.testListMetaOutboundConnectors:227 1 expectation failed.
 JSON path find{ it.connectorId == 'Z29vZ2xlYXBwcw' }.name doesn't match.
 Expected: googleapps
 Actual: null

 [ERROR] Run 2: IdPSuccessTest.testListMetaOutboundConnectors:227 1 expectation failed.
 JSON path find{ it.connectorId == 'Z29vZ2xlYXBwcw' }.name doesn't match.
 Expected: googleapps
 Actual: null

 [INFO]
 [INFO]
 [ERROR] Tests run: 2018, Failures: 7, Errors: 0, Skipped: 29

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9316445580

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9316445580
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9317194558

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9317194558
Status: failure

ERROR [org.wso2.carbon.integration.common.admin.client.TenantManagementServiceClient] - RemoteException thrown while adding user/tenants : 
org.apache.axis2.AxisFault: Exception occurred while trying to invoke service method addTenant
	at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
	at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
	at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
	at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
	at org.wso2.carbon.tenant.mgt.stub.TenantMgtAdminServiceStub.addTenant(TenantMgtAdminServiceStub.java:2540)
	at org.wso2.carbon.integration.common.admin.client.TenantManagementServiceClient.addTenant(TenantManagementServiceClient.java:75)
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulator.populateUsers(UserPopulator.java:101)
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulateExtension.onExecutionStart(UserPopulateExtension.java:68)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.wso2.carbon.automation.engine.extensions.TestNGExtensionExecutor.executeExtensible(TestNGExtensionExecutor.java:75)
	at org.wso2.carbon.automation.engine.testlisteners.TestExecutionListener.onExecutionStart(TestExecutionListener.java:47)
	at org.testng.TestNG.runExecutionListeners(TestNG.java:1032)
	at org.testng.TestNG.run(TestNG.java:983)
	at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:283)
	at org.apache.maven.surefire.testng.TestNGXmlTestSuite.execute(TestNGXmlTestSuite.java:75)
	at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:120)
	at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
ERROR [org.wso2.carbon.automation.engine.testlisteners.TestExecutionListener] - Execution error occurred in TestExecutionListener:-
java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.wso2.carbon.automation.engine.extensions.TestNGExtensionExecutor.executeExtensible(TestNGExtensionExecutor.java:75)
	at org.wso2.carbon.automation.engine.testlisteners.TestExecutionListener.onExecutionStart(TestExecutionListener.java:47)
	at org.testng.TestNG.runExecutionListeners(TestNG.java:1032)
	at org.testng.TestNG.run(TestNG.java:983)
	at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:283)
	at org.apache.maven.surefire.testng.TestNGXmlTestSuite.execute(TestNGXmlTestSuite.java:75)
	at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:120)
	at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
	at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
Caused by: org.wso2.carbon.automation.engine.exceptions.AutomationFrameworkException: Error while populating users 
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulateExtension.onExecutionStart(UserPopulateExtension.java:71)
	... 15 more
Caused by: org.wso2.carbon.integration.common.extensions.exceptions.AutomationExtensionException: Error while populating users 
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulator.populateUsers(UserPopulator.java:132)
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulateExtension.onExecutionStart(UserPopulateExtension.java:68)
	... 15 more
Caused by: java.rmi.RemoteException: RemoteException thrown while adding user/tenants : ; nested exception is: 
	org.apache.axis2.AxisFault: Exception occurred while trying to invoke service method addTenant
	at org.wso2.carbon.integration.common.admin.client.TenantManagementServiceClient.addTenant(TenantManagementServiceClient.java:83)
	at org.wso2.carbon.integration.common.extensions.usermgt.UserPopulator.populateUsers(UserPopulator.java:101)
	... 16 more
Caused by: org.apache.axis2.AxisFault: Exception occurred while trying to invoke service method addTenant
	at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
	at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:370)
	at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:445)
	at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225)
	at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
	at org.wso2.carbon.tenant.mgt.stub.TenantMgtAdminServiceStub.addTenant(TenantMgtAdminServiceStub.java:2540)
	at org.wso2.carbon.integration.common.admin.client.TenantManagementServiceClient.addTenant(TenantManagementServiceClient.java:75)
	... 17 more

Adding a tenant fails

[Yoshani]

We might also have to deprecate the method EntitlementPolicyAdminService.importPolicyFromRegistry()

https://github.com/wso2/carbon-identity-framework/pull/5686/files/4bb29679719cc3820022119cffbf2bfd75eac00c#diff-4e841d78f60660bccbda0a2057df8b16697a1b8a72861066039ebc90227675fcL106

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9378350423

[Thumimku]

why we are logging this, instead of throwing?
and can we use the warn log if applicable

[Yoshani]

This implementation has been directly ported from:

carbon-identity-framework/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement/policy/store/DefaultPolicyDataStore.java

Line 78 in 53fb513

log.debug(e);

So we cannot throw the exception since that would require changing public methods at the higher level.
Here it is logging the exception that the algorithm specified in the entitlement.properties file is not supported, so we can change it to warn log instead.

[Thumimku]

is this unused import?

[Yoshani]

yes

[Thumimku]

Why we removed the log here, I think its better to add some debug logs WDYT?

[Yoshani]

It was removed since it is not used. This file doesn't handle any exceptions, and logs have been added at lower places where the exceptions are thrown.

[Thumimku]

Whats the reason to remove these methods and move to RegistrySubscriberDAOImpl class

[Yoshani]

We need to separate these methods into a specific implementation of an interface that handles subscriber operations, to facilitate the database implementation.

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9639137561

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9639137561
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9641764635

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9641764635
Status: failure

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/9641764635

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/9641764635
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/9641764635