source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml @ 7287

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml@7287
Revision 7287, 8.5 KB checked in by pjkersha, 9 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • Working WSGI Authorisation filter with connection to SAML/XACML based Authorisation Service - unit tests: ndg.security.test.unit.wsgi.authz.test_authz
  • It may need some optimisation to avoid too many WS callouts to the Authorisation Service - perhaps add a local PDP to the authorisation filter to filter out some requests going over the wire e.g. requests for web page CSS or graphics content.
  • The XACML policy file has some big additions to it to support the various test conditions in ndg.security.test.unit.wsgi.authz.test_authz. These should be ported back to the ndg_xacml package unit tests.
  • Next major task: remove temp fix in XACML Context handler - instead of using hardwired roles for the user alter it so that the PDP makes a request back to the PIP (Policy Enforcement Point) to grab additional attributes. The PIP will call the Attribute Service(s) to pull any additional attributes needed.
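<?xml version="1.0" encoding="UTF-8"?>
<!--
    XACML 2.0 policy used by the NDG Security authorisation service unit tests
    (see ndg.security.test.unit.wsgi.authz.test_authz).

    Layout: one Policy whose Target scopes it to request URIs under
    http://localhost/, an unconditional Deny rule, and a series of Permit
    rules that carve exceptions out of that Deny.  RuleCombiningAlgId is
    permit-overrides, so a single applicable Permit rule wins over the Deny.

    xsi:schemaLocation is a hint for validators only.  A policy loader should
    validate against a local copy of the XACML 2.0 schema rather than fetching
    the URL given here at runtime.
-->
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        Example for NDG Security unit tests: allow access for resource URIs
        defined in the rules.  All other URIs are blocked from access
       
        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
        rules tested out
    </Description>
   
    <!--
        The Policy target(s) define which requests apply to the whole policy.

        Only resource-ids matching the regular expression below are in scope.
        A request for any other scheme or host yields NotApplicable from this
        policy rather than Deny; how the PEP treats NotApplicable is decided
        outside this file.
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with http://localhost/ -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>   
   
    <!--
        Deny everything by default.  The rule has no Target, so it applies to
        every request that passes the Policy Target above and guarantees an
        explicit Deny (rather than NotApplicable) when no Permit rule matches.

        NOTE(review): this RuleId reads "security1.0" where PolicyId uses
        "security:1.0".  Left unchanged in case anything references it.
    -->
    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
    <!--
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see
        Policy element above
    -->
    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
        <!--
            Define a URI with public access
           
            Rule target(s) define which requests apply to the particular rule
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Match the request URI exactly -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
        <!--
            Define URIs which this policy permits but for which the underlying
            app returns 40x HTTP response

            The pattern is anchored with ^ and $ like the other regexp matches
            in this file.  Unanchored, a Permit rule under permit-overrides
            would also match any URI merely containing "test_401" or
            "test_403" if the regexp implementation searches rather than
            matches the whole string.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI: test_401 or test_403 -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_40[13]$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>
   
    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
        <!--
            Secure a URI path and all sub-paths using a regular expression to
            define a URI pattern
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
       
        <!--
            The condition narrows down the constraints laid down in the target to
            something more specific
           
            The user must have at least one of the roles set - in this
            case 'staff', 'admin' or 'postdoc'.

            NOTE(review): this bag uses 'admin' whereas the two rules below use
            'administrator'.  Presumably deliberate for the tests; confirm
            against test_authz before aligning the names.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
        <!--
            Exact-match URI permitted to subjects holding at least one of the
            roles 'staff' or 'administrator'
        -->
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
        <!--
            This rule is a modified version of the above to allow for a real use
            case where adding a special query argument grants extra privileges
            associated with an administrator

            The query argument alone does not elevate privilege: the Target also
            requires the subject attribute to equal 'administrator'.  Because
            the resource match is anyURI-equal on the full string including the
            query, a URI with extra or reordered query parameters does not
            match this rule and falls through to the rules above.
        -->
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <SubjectAttributeDesignator 
                            AttributeId="urn:ndg:security:authz:1.0:attr" 
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
    </Rule>
</Policy>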