refactor plugin functions and other small fixes (#207)

* small refactor to patterns

* remove epp specific exception

* add plugin registry for adding ops and routines at runtime

* wrap the PAP used by PDPTx so the PAP functions are not exposed outside the PDPTx class

* ad tests for routines and operations with plugins

* add overloaded constructor to PMLBootstrapper

Author: joshua-roberts

src/main/java/gov/nist/csd/pm/core/epp/EPP.java

@@ -27,11 +27,11 @@ public EPP(PDP pdp, PAP pap) {
     @Override
     public void processEvent(EventContext eventCtx) throws PMException {
         Collection<Obligation> obligations = pap.query().obligations().getObligations();
-        for(Obligation obligation : obligations) {
+        for (Obligation obligation : obligations) {
             long author = obligation.getAuthorId();
             List<Rule> rules = obligation.getRules();
-            for(Rule rule : rules) {
-                if(!rule.getEventPattern().matches(eventCtx, pap)) {
+            for (Rule rule : rules) {
+                if (!rule.getEventPattern().matches(eventCtx, pap)) {
                     continue;
                 }
 
@@ -45,7 +45,7 @@ public void processEvent(EventContext eventCtx) throws PMException {
 
     public void executeResponse(UserContext author, ObligationResponse obligationResponse, EventContext eventCtx) throws PMException {
         pdp.runTx(author, pdpTx -> {
-            obligationResponse.execute(pdpTx, author, eventCtx);
+            pdpTx.executeObligationResponse(eventCtx, obligationResponse);
             return null;
         });
     }

src/main/java/gov/nist/csd/pm/core/impl/memory/pap/MemoryPAP.java

@@ -2,6 +2,7 @@
 
 import gov.nist.csd.pm.core.common.exception.PMException;
 import gov.nist.csd.pm.core.impl.memory.pap.store.MemoryPolicyStore;
+import gov.nist.csd.pm.core.pap.function.PluginRegistry;
 import gov.nist.csd.pm.core.pap.function.op.PrivilegeChecker;
 import gov.nist.csd.pm.core.pap.modification.GraphModifier;
 import gov.nist.csd.pm.core.pap.modification.ObligationsModifier;
@@ -33,12 +34,13 @@ public MemoryPAP(MemoryPolicyStore store) throws PMException {
     public MemoryPAP(PolicyStore policyStore,
                      PolicyModifier modifier,
                      PolicyQuerier querier,
-                     PrivilegeChecker privilegeChecker) throws PMException {
-        super(policyStore, modifier, querier, privilegeChecker);
+                     PrivilegeChecker privilegeChecker,
+                     PluginRegistry pluginRegistry) throws PMException {
+        super(policyStore, modifier, querier, privilegeChecker, pluginRegistry);
     }
 
-    public MemoryPAP(PolicyQuerier querier, PolicyModifier modifier, PolicyStore policyStore) throws PMException {
-        super(querier, modifier, policyStore);
+    public MemoryPAP(PolicyQuerier querier, PolicyModifier modifier, PolicyStore policyStore, PluginRegistry pluginRegistry) throws PMException {
+        super(querier, modifier, policyStore, pluginRegistry);
     }
 
     public MemoryPAP(PAP pap) throws PMException {
@@ -56,25 +58,27 @@ private static MemoryPAP initDefault(MemoryPolicyStore memoryPolicyStore) throws
     }
 
     private static MemoryPAP initMemoryPAP(MemoryPolicyStore memoryPolicyStore) throws PMException {
+        PluginRegistry pluginRegistry = new PluginRegistry();
+
         PolicyModifier policyModifier = new PolicyModifier(
             new GraphModifier(memoryPolicyStore, new RandomIdGenerator()),
             new ProhibitionsModifier(memoryPolicyStore),
             new ObligationsModifier(memoryPolicyStore),
-            new OperationsModifier(memoryPolicyStore),
-            new RoutinesModifier(memoryPolicyStore)
+            new OperationsModifier(memoryPolicyStore, pluginRegistry),
+            new RoutinesModifier(memoryPolicyStore, pluginRegistry)
         );
 
         PolicyQuerier policyQuerier = new PolicyQuerier(
             new GraphQuerier(memoryPolicyStore),
             new ProhibitionsQuerier(memoryPolicyStore),
             new ObligationsQuerier(memoryPolicyStore),
-            new OperationsQuerier(memoryPolicyStore),
-            new RoutinesQuerier(memoryPolicyStore),
+            new OperationsQuerier(memoryPolicyStore, pluginRegistry),
+            new RoutinesQuerier(memoryPolicyStore, pluginRegistry),
             new AccessQuerier(memoryPolicyStore)
         );
 
         PrivilegeChecker privilegeChecker = new PrivilegeChecker(policyQuerier.access());
 
-        return new MemoryPAP(memoryPolicyStore, policyModifier, policyQuerier, privilegeChecker);
+        return new MemoryPAP(memoryPolicyStore, policyModifier, policyQuerier, privilegeChecker, pluginRegistry);
     }
 }

src/main/java/gov/nist/csd/pm/core/impl/neo4j/embedded/pap/Neo4jEmbeddedPAP.java

@@ -3,6 +3,7 @@
 import gov.nist.csd.pm.core.common.exception.PMException;
 import gov.nist.csd.pm.core.impl.neo4j.embedded.pap.store.Neo4jEmbeddedPolicyStore;
 import gov.nist.csd.pm.core.pap.PAP;
+import gov.nist.csd.pm.core.pap.function.PluginRegistry;
 import gov.nist.csd.pm.core.pap.function.op.PrivilegeChecker;
 import gov.nist.csd.pm.core.pap.id.RandomIdGenerator;
 import gov.nist.csd.pm.core.pap.modification.GraphModifier;
@@ -29,13 +30,16 @@ public Neo4jEmbeddedPAP(Neo4jEmbeddedPolicyStore store) throws PMException {
 	public Neo4jEmbeddedPAP(PolicyStore policyStore,
 							PolicyModifier modifier,
 							PolicyQuerier querier,
-							PrivilegeChecker privilegeChecker) throws PMException {
-		super(policyStore, modifier, querier, privilegeChecker);
+							PrivilegeChecker privilegeChecker,
+							PluginRegistry pluginRegistry) throws PMException {
+		super(policyStore, modifier, querier, privilegeChecker, pluginRegistry);
 	}
 
-	public Neo4jEmbeddedPAP(PolicyQuerier querier, PolicyModifier modifier, PolicyStore policyStore) throws
-                                                                                                     PMException {
-		super(querier, modifier, policyStore);
+	public Neo4jEmbeddedPAP(PolicyQuerier querier,
+							PolicyModifier modifier,
+							PolicyStore policyStore,
+							PluginRegistry pluginRegistry) throws PMException {
+		super(querier, modifier, policyStore, pluginRegistry);
 	}
 
 	public Neo4jEmbeddedPAP(PAP pap) throws PMException {
@@ -47,25 +51,27 @@ private static Neo4jEmbeddedPAP initDefault(Neo4jEmbeddedPolicyStore memoryPolic
 	}
 
 	private static Neo4jEmbeddedPAP initNeo4MemoryPAP(Neo4jEmbeddedPolicyStore memoryPolicyStore) throws PMException {
+		PluginRegistry pluginRegistry = new PluginRegistry();
+
 		PolicyModifier policyModifier = new PolicyModifier(
 			new GraphModifier(memoryPolicyStore, new RandomIdGenerator()),
 			new ProhibitionsModifier(memoryPolicyStore),
 			new ObligationsModifier(memoryPolicyStore),
-			new OperationsModifier(memoryPolicyStore),
-			new RoutinesModifier(memoryPolicyStore)
+			new OperationsModifier(memoryPolicyStore, pluginRegistry),
+			new RoutinesModifier(memoryPolicyStore, pluginRegistry)
 		);
 
 		PolicyQuerier policyQuerier = new PolicyQuerier(
 			new GraphQuerier(memoryPolicyStore),
 			new ProhibitionsQuerier(memoryPolicyStore),
 			new ObligationsQuerier(memoryPolicyStore),
-			new OperationsQuerier(memoryPolicyStore),
-			new RoutinesQuerier(memoryPolicyStore),
+			new OperationsQuerier(memoryPolicyStore, pluginRegistry),
+			new RoutinesQuerier(memoryPolicyStore, pluginRegistry),
 			new AccessQuerier(memoryPolicyStore)
 		);
 
 		PrivilegeChecker privilegeChecker = new PrivilegeChecker(policyQuerier.access());
 
-		return new Neo4jEmbeddedPAP(memoryPolicyStore, policyModifier, policyQuerier, privilegeChecker);
+		return new Neo4jEmbeddedPAP(memoryPolicyStore, policyModifier, policyQuerier, privilegeChecker, pluginRegistry);
 	}
 }

src/main/java/gov/nist/csd/pm/core/pap/PAP.java

@@ -4,6 +4,7 @@
 import gov.nist.csd.pm.core.common.exception.PMException;
 import gov.nist.csd.pm.core.pap.admin.AdminPolicy;
 import gov.nist.csd.pm.core.pap.admin.AdminPolicyNode;
+import gov.nist.csd.pm.core.pap.function.PluginRegistry;
 import gov.nist.csd.pm.core.pap.function.arg.Args;
 import gov.nist.csd.pm.core.pap.function.AdminFunction;
 import gov.nist.csd.pm.core.pap.function.AdminFunctionExecutor;
@@ -26,6 +27,7 @@
 import gov.nist.csd.pm.core.pdp.bootstrap.PolicyBootstrapper;
 
 import java.util.*;
+import scala.concurrent.impl.FutureConvertersImpl.P;
 
 import static gov.nist.csd.pm.core.common.graph.node.NodeType.ANY;
 import static gov.nist.csd.pm.core.common.graph.node.Properties.NO_PROPERTIES;
@@ -36,29 +38,32 @@ public abstract class PAP implements AdminFunctionExecutor, Transactional {
     private final PolicyModifier modifier;
     private final PolicyQuerier querier;
     private final PrivilegeChecker privilegeChecker;
+    private final PluginRegistry pluginRegistry;
 
-    public PAP(PolicyStore policyStore, PolicyModifier modifier, PolicyQuerier querier, PrivilegeChecker privilegeChecker) throws PMException {
+    public PAP(PolicyStore policyStore, PolicyModifier modifier, PolicyQuerier querier, PrivilegeChecker privilegeChecker, PluginRegistry pluginRegistry) throws PMException {
         this.policyStore = policyStore;
         this.modifier = modifier;
         this.querier = querier;
         this.privilegeChecker = privilegeChecker;
+        this.pluginRegistry = pluginRegistry;
 
         // verify admin policy
         AdminPolicy.verifyAdminPolicy(policyStore().graph());
     }
 
-    public PAP(PolicyQuerier querier, PolicyModifier modifier, PolicyStore policyStore) throws PMException {
+    public PAP(PolicyQuerier querier, PolicyModifier modifier, PolicyStore policyStore, PluginRegistry pluginRegistry) throws PMException {
         this.querier = querier;
         this.modifier = modifier;
         this.policyStore = policyStore;
         this.privilegeChecker = new PrivilegeChecker(querier.access());
+        this.pluginRegistry = pluginRegistry;
 
         // verify admin policy
         AdminPolicy.verifyAdminPolicy(policyStore().graph());
     }
 
     public PAP(PAP pap) throws PMException {
-        this(pap.policyStore, pap.modifier, pap.querier, pap.privilegeChecker);
+        this(pap.policyStore, pap.modifier, pap.querier, pap.privilegeChecker, pap.pluginRegistry);
     }
 
     public PolicyQuery query() {
@@ -77,6 +82,10 @@ public PrivilegeChecker privilegeChecker() {
         return privilegeChecker;
     }
 
+    public PluginRegistry plugins() {
+        return pluginRegistry;
+    }
+
     public PAP withIdGenerator(IdGenerator idGenerator) {
         this.modifier.graph().setIdGenerator(idGenerator);
         return this;

src/main/java/gov/nist/csd/pm/core/pap/function/PluginRegistry.java

@@ -0,0 +1,96 @@
+package gov.nist.csd.pm.core.pap.function;
+
+import gov.nist.csd.pm.core.pap.function.op.Operation;
+import gov.nist.csd.pm.core.pap.function.routine.Routine;
+import java.util.ArrayList;
+import java.util.List;
+
+public class PluginRegistry {
+
+    private final List<Operation<?, ?>> operations;
+    private final List<Routine<?, ?>> routines;
+
+    public PluginRegistry() {
+        operations = new ArrayList<>();
+        routines = new ArrayList<>();
+    }
+
+    public PluginRegistry(List<Operation<?, ?>> operations, List<Routine<?, ?>> routines) {
+        this.operations = operations;
+        this.routines = routines;
+    }
+
+    public List<Operation<?, ?>> getOperations() {
+        return operations;
+    }
+
+    public List<Routine<?, ?>> getRoutines() {
+        return routines;
+    }
+
+    public Operation<?, ?> getOperation(String name) {
+        for (Operation<?, ?> op : operations) {
+            if (op.getName().equals(name)) {
+                return op;
+            }
+        }
+
+        return null;
+    }
+
+    public Routine<?, ?> getRoutine(String name) {
+        for (Routine<?, ?> routine : routines) {
+            if (routine.getName().equals(name)) {
+                return routine;
+            }
+        }
+
+        return null;
+    }
+
+    public void registerOperation(Operation<?, ?> op) {
+        boolean exists = operations.stream()
+            .anyMatch(existing -> existing.getName().equals(op.getName()));
+
+        if (exists) {
+            throw new IllegalArgumentException(
+                "An operation with the name " + op.getName() + " is already registered"
+            );
+        }
+
+        operations.add(op);
+    }
+
+    public void registerRoutine(Routine<?, ?> routine) {
+        boolean exists = operations.stream()
+            .anyMatch(existing -> existing.getName().equals(routine.getName()));
+
+        if (exists) {
+            throw new IllegalArgumentException(
+                "A routine with the name " + routine.getName() + " is already registered"
+            );
+        }
+
+        routines.add(routine);
+    }
+
+    public void removeOperation(String opName) {
+        operations.removeIf(op -> op.getName().equals(opName));
+    }
+
+    public void removeRoutine(String routineName) {
+        routines.removeIf(routine -> routine.getName().equals(routineName));
+    }
+
+    public List<String> getOperationNames() {
+        return operations.stream()
+            .map(Operation::getName)
+            .toList();
+    }
+
+    public List<String> getRoutineNames() {
+        return routines.stream()
+            .map(Routine::getName)
+            .toList();
+    }
+}

src/main/java/gov/nist/csd/pm/core/pap/modification/OperationsModifier.java

@@ -1,20 +1,26 @@
 package gov.nist.csd.pm.core.pap.modification;
 
 import gov.nist.csd.pm.core.common.exception.PMException;
+import gov.nist.csd.pm.core.common.exception.RoutineExistsException;
 import gov.nist.csd.pm.core.common.graph.relationship.AccessRightSet;
 import gov.nist.csd.pm.core.common.exception.AdminAccessRightExistsException;
 import gov.nist.csd.pm.core.common.exception.OperationExistsException;
 import gov.nist.csd.pm.core.pap.admin.AdminOperations;
+import gov.nist.csd.pm.core.pap.function.PluginRegistry;
 import gov.nist.csd.pm.core.pap.function.op.Operation;
 import gov.nist.csd.pm.core.pap.store.PolicyStore;
+import java.util.List;
 
 import static gov.nist.csd.pm.core.pap.admin.AdminAccessRights.isAdminAccessRight;
 import static gov.nist.csd.pm.core.pap.admin.AdminAccessRights.isWildcardAccessRight;
 
 public class OperationsModifier extends Modifier implements OperationsModification {
 
-    public OperationsModifier(PolicyStore store) {
+    private PluginRegistry pluginRegistry;
+
+    public OperationsModifier(PolicyStore store, PluginRegistry pluginRegistry) {
         super(store);
+        this.pluginRegistry = pluginRegistry;
     }
 
     @Override
@@ -27,7 +33,8 @@ public void setResourceOperations(AccessRightSet resourceOperations) throws PMEx
     @Override
     public void createAdminOperation(Operation<?, ?> operation) throws PMException {
         if (AdminOperations.isAdminOperation(operation.getName())
-                || policyStore.operations().getAdminOperationNames().contains(operation.getName())) {
+            || policyStore.operations().getAdminOperationNames().contains(operation.getName())
+            || pluginRegistry.getOperationNames().contains(operation.getName())) {
             throw new OperationExistsException(operation.getName());
         }
 
@@ -36,24 +43,29 @@ public void createAdminOperation(Operation<?, ?> operation) throws PMException {
 
     @Override
     public void deleteAdminOperation(String operation) throws PMException {
+        if (pluginRegistry.getOperationNames().contains(operation)) {
+            pluginRegistry.removeOperation(operation);
+            return;
+        }
+
         // return without error if the operation does not exist or is a built in admin op such as assign
         if (AdminOperations.ADMIN_OP_NAMES.contains(operation)
-                || !policyStore.operations().getAdminOperationNames().contains(operation)) {
+            || !policyStore.operations().getAdminOperationNames().contains(operation)) {
             return;
         }
 
         policyStore.operations().deleteAdminOperation(operation);
     }
 
     /**
-     * Check that the provided resource operations are not existing admin access rights.
+     * Check that the provided resource operations are not existing admin access rights, operations or routines.
      *
      * @param accessRightSet The access right set to check.
      * @throws PMException If any PM related exceptions occur in the implementing class.
      */
     protected void checkSetResourceAccessRightsInput(AccessRightSet accessRightSet) throws PMException {
         for (String ar : accessRightSet) {
-            if (isAdminAccessRight(ar) || isWildcardAccessRight(ar)) {
+            if (isAdminAccessRight(ar) || isWildcardAccessRight(ar) ) {
                 throw new AdminAccessRightExistsException(ar);
             }
         }