001/* 002 * Portions of this software was developed by employees of the National Institute 003 * of Standards and Technology (NIST), an agency of the Federal Government and is 004 * being made available as a public service. Pursuant to title 17 United States 005 * Code Section 105, works of NIST employees are not subject to copyright 006 * protection in the United States. This software may be subject to foreign 007 * copyright. Permission in the United States and in foreign countries, to the 008 * extent that NIST may hold copyright, to use, copy, modify, create derivative 009 * works, and distribute this software and its documentation without fee is hereby 010 * granted on a non-exclusive basis, provided that this notice and disclaimer 011 * of warranty appears in all copies. 012 * 013 * THE SOFTWARE IS PROVIDED 'AS IS' WITHOUT ANY WARRANTY OF ANY KIND, EITHER 014 * EXPRESSED, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY 015 * THAT THE SOFTWARE WILL CONFORM TO SPECIFICATIONS, ANY IMPLIED WARRANTIES OF 016 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND FREEDOM FROM 017 * INFRINGEMENT, AND ANY WARRANTY THAT THE DOCUMENTATION WILL CONFORM TO THE 018 * SOFTWARE, OR ANY WARRANTY THAT THE SOFTWARE WILL BE ERROR FREE. IN NO EVENT 019 * SHALL NIST BE LIABLE FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DIRECT, 020 * INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF, RESULTING FROM, 021 * OR IN ANY WAY CONNECTED WITH THIS SOFTWARE, WHETHER OR NOT BASED UPON WARRANTY, 022 * CONTRACT, TORT, OR OTHERWISE, WHETHER OR NOT INJURY WAS SUSTAINED BY PERSONS OR 023 * PROPERTY OR OTHERWISE, AND WHETHER OR NOT LOSS WAS SUSTAINED FROM, OR AROSE OUT 024 * OF THE RESULTS OF, OR USE OF, THE SOFTWARE OR SERVICES PROVIDED HEREUNDER. 025 */ 026 027package gov.nist.secauto.oscal.lib.profile.resolver.selection; 028 029import gov.nist.secauto.metaschema.model.common.util.ObjectUtils; 030import gov.nist.secauto.oscal.lib.model.IncludeAll; 031import gov.nist.secauto.oscal.lib.model.ProfileImport; 032import gov.nist.secauto.oscal.lib.model.control.catalog.IControl; 033import gov.nist.secauto.oscal.lib.model.control.profile.IProfileSelectControlById; 034 035import org.apache.commons.lang3.tuple.Pair; 036 037import java.util.List; 038 039import edu.umd.cs.findbugs.annotations.NonNull; 040 041public interface IControlFilter { 042 @NonNull 043 IControlFilter ALWAYS_MATCH = new IControlFilter() { 044 @Override 045 public @NonNull Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch) { 046 return IControlSelectionFilter.MATCH; 047 } 048 049 @Override 050 public @NonNull IControlSelectionFilter getInclusionFilter() { 051 return IControlSelectionFilter.ALL_MATCH; 052 } 053 054 @Override 055 public @NonNull IControlSelectionFilter getExclusionFilter() { 056 return IControlSelectionFilter.NONE_MATCH; 057 } 058 }; 059 060 @NonNull 061 IControlFilter NONE_MATCH = new IControlFilter() { 062 063 @Override 064 public @NonNull Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch) { 065 return IControlSelectionFilter.NON_MATCH; 066 } 067 068 @Override 069 public @NonNull IControlSelectionFilter getInclusionFilter() { 070 return IControlSelectionFilter.NONE_MATCH; 071 } 072 073 @Override 074 public @NonNull IControlSelectionFilter getExclusionFilter() { 075 return IControlSelectionFilter.NONE_MATCH; 076 } 077 }; 078 079 /** 080 * Construct a new filter instance based on the provided profile import 081 * statement. 082 * 083 * @param profileImport 084 * an OSCAL profile import statement 085 * @return a new control filter 086 */ 087 @NonNull 088 static IControlFilter newInstance(@NonNull ProfileImport profileImport) { 089 return new Filter(profileImport); 090 } 091 092 @NonNull 093 static IControlFilter newInstance(@NonNull IControlSelectionFilter includes, 094 @NonNull IControlSelectionFilter excludes) { 095 return new Filter(includes, excludes); 096 } 097 098 /** 099 * Determines if the control is matched by this filter. This method returns a 100 * {@link Pair} where the first member of the pair indicates if the control 101 * matches, and the second indicates if the match applies to child controls as 102 * well. 103 * 104 * @param control 105 * the control to check for a match 106 * @return a pair indicating the status of the match ({@code true} for a match 107 * or {@code false} otherwise), and if a match applies to child controls 108 */ 109 @NonNull 110 default Pair<Boolean, Boolean> match(@NonNull IControl control) { 111 return match(control, false); 112 } 113 114 /** 115 * Determines if the control is matched by this filter. This method returns a 116 * {@link Pair} where the first member of the pair indicates if the control 117 * matches, and the second indicates if the match applies to child controls as 118 * well. 119 * 120 * @param control 121 * the control to check for a match 122 * @param defaultMatch 123 * the match status to use if the filter doesn't have an explicit hit 124 * @return a pair indicating the status of the match ({@code true} for a match 125 * or {@code false} otherwise), and if a match applies to child controls 126 */ 127 @NonNull 128 Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch); 129 130 @NonNull 131 IControlSelectionFilter getInclusionFilter(); 132 133 @NonNull 134 IControlSelectionFilter getExclusionFilter(); 135 136 class Filter implements IControlFilter { 137 @NonNull 138 private final IControlSelectionFilter inclusionFilter; 139 @NonNull 140 private final IControlSelectionFilter exclusionFilter; 141 142 public Filter(@NonNull ProfileImport profileImport) { 143 IncludeAll includeAll = profileImport.getIncludeAll(); 144 145 if (includeAll == null) { 146 List<? extends IProfileSelectControlById> selections = profileImport.getIncludeControls(); 147 if (selections == null) { 148 this.inclusionFilter = IControlSelectionFilter.NONE_MATCH; 149 } else { 150 this.inclusionFilter = new DefaultControlSelectionFilter(selections); 151 } 152 } else { 153 this.inclusionFilter = IControlSelectionFilter.ALL_MATCH; 154 } 155 156 List<? extends IProfileSelectControlById> selections = profileImport.getExcludeControls(); 157 if (selections == null) { 158 this.exclusionFilter = IControlSelectionFilter.NONE_MATCH; 159 } else { 160 this.exclusionFilter = new DefaultControlSelectionFilter(selections); 161 } 162 163 } 164 165 public Filter(@NonNull IControlSelectionFilter includes, @NonNull IControlSelectionFilter excludes) { 166 this.inclusionFilter = includes; 167 this.exclusionFilter = excludes; 168 } 169 170 @Override 171 @NonNull 172 public IControlSelectionFilter getInclusionFilter() { 173 return inclusionFilter; 174 } 175 176 @Override 177 @NonNull 178 public IControlSelectionFilter getExclusionFilter() { 179 return exclusionFilter; 180 } 181 182 @Override 183 public Pair<Boolean, Boolean> match(@NonNull IControl control, boolean defaultMatch) { 184 @NonNull Pair<Boolean, Boolean> result = getInclusionFilter().apply(control); 185 boolean left = ObjectUtils.notNull(result.getLeft()); 186 if (left) { 187 // this is a positive include match. Is it excluded? 188 Pair<Boolean, Boolean> excluded = getExclusionFilter().apply(control); 189 if (ObjectUtils.notNull(excluded.getLeft())) { 190 // the effective result is a non-match 191 result = IControlSelectionFilter.NON_MATCH; 192 } 193 } else { 194 result = defaultMatch ? IControlSelectionFilter.MATCH : IControlSelectionFilter.NON_MATCH; 195 } 196 return result; 197 } 198 199 } 200 201}