source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml @ 7257

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml@7257
Revision 7257, 6.7 KB checked in by pjkersha, 9 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • cleaning out more old modules containing retired NDG2 security functionality
  • progress with ndg.security.test.unit.wsgi.authz.test_authz unit tests integrating SAML/XACML authorisation service to WSGI filter SAML PEP
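<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        NDG XACML example for unit tests: allow access for resource URIs
        matching given regular expressions.  The subject must have at least one
        of a set of named attributes allocated
    </Description>

    <!--
        Evaluation model: the rule combining algorithm is permit-overrides, so
        the target-less Deny rule below applies to every request and the
        outcome is Deny unless one of the Permit rules matches.  Every Permit
        rule therefore widens access; their resource patterns are anchored
        (^...$) so a rule cannot match more URIs than intended.

        xsi:schemaLocation is a hint for validators only; the policy reader is
        not expected to fetch it when loading this file.
    -->

    <!--
        The Policy target(s) define which requests apply to the whole policy:
        any request whose resource-id is an http://localhost/ URI
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with http://localhost/ -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>

    <!--
        Deny everything by default.  This rule has no Target, so it applies to
        every request that reaches the policy.

        NOTE(review): the RuleId is missing the ':' before "1.0" that the
        PolicyId uses; left unchanged in case a test references it by name.
    -->
    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
    <!--
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see
        Policy element above
    -->
    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
        <!--
            Define a URI with public access: no subject constraint, so any
            requester may reach it.

            Rule target(s) define which requests apply to the particular rule
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Match the request URI exactly -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
        <!--
            Define URIs which this policy permits but for which the underlying
            app returns 40x HTTP response
        -->
        <Target>
            <Resources>
                <Resource>
                    <!--
                        Match the request URI.  The pattern is anchored like the
                        other regexp rules in this policy: unanchored, it would
                        also permit any URI that merely contains this text.
                    -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_40[13]$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
        <!--
            Rule target(s) define which requests apply to the particular rule
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>

        <!--
            The condition narrows down the constraints laid down in the target
            to something more specific.

            The subject's urn:ndg:security:authz:1.0:attr attribute must carry
            at least one of the values in the bag below: 'staff', 'admin' or
            'postdoc'.  A subject with none of them gets Deny from the default
            rule.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator
                    AttributeId="urn:ndg:security:authz:1.0:attr"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>

    <!--
        Permit the accessGrantedToSecuredURI resource to subjects whose
        urn:ndg:security:authz:1.0:attr attribute equals 'keepout'.

        NOTE(review): this rule differs from the others in two ways that look
        unintended - confirm against the unit test that uses it:
          - the resource designator reads urn:siteA:security:authz:1.0:attr:resourceURI
            rather than the standard resource-id attribute matched everywhere else;
          - the RuleId is a free-text string rather than a URN.
    -->
    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Subjects>
                <Subject>
                    <!--
                        MatchId is required on SubjectMatch by the XACML 2.0
                        schema; string-equal matches the string designator and
                        value below.
                    -->
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <SubjectAttributeDesignator
                            AttributeId="urn:ndg:security:authz:1.0:attr"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
    </Rule>
</Policy>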