1 | <?xml version="1.0" encoding="UTF-8"?> |
---|
2 | <Policy PolicyId="urn:ndg:security:1.0:authz:test:policy" |
---|
3 | xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04" |
---|
4 | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
---|
5 | xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd" |
---|
6 | RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> |
---|
7 | <Description> |
---|
8 | Example for NDG Security unit tests: allow access for resource URIs |
---|
9 | defined in the rules. All other URIs are blocked from access |
---|
10 | |
---|
11 | See ndg.security.test.unit.wsgi.authz.test_authz to see the various |
---|
12 | rules tested out |
---|
13 | </Description> |
---|
14 | |
---|
15 | <!-- |
---|
16 | The Policy target(s) define which requests apply to the whole policy |
---|
17 | --> |
---|
18 | <Target> |
---|
19 | <Resources> |
---|
20 | <Resource> |
---|
21 | <!-- Pattern match all request URIs beginning with / --> |
---|
22 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> |
---|
23 | <ResourceAttributeDesignator |
---|
24 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
25 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
26 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue> |
---|
27 | </ResourceMatch> |
---|
28 | </Resource> |
---|
29 | </Resources> |
---|
30 | </Target> |
---|
31 | |
---|
32 | <!-- Deny everything by default --> |
---|
33 | <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/> |
---|
34 | <!-- |
---|
35 | Following rules punch holes through the deny everything rule above |
---|
36 | because the rule combining algorithm is set to permit overrides - see |
---|
37 | Policy element above |
---|
38 | --> |
---|
39 | <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit"> |
---|
40 | <!-- |
---|
41 | Define a URI with public access |
---|
42 | |
---|
43 | Rule target(s) define which requests apply to the particular rule |
---|
44 | --> |
---|
45 | <Target> |
---|
46 | <Resources> |
---|
47 | <Resource> |
---|
48 | <!-- Match the request URI --> |
---|
49 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> |
---|
50 | <ResourceAttributeDesignator |
---|
51 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
52 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
53 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue> |
---|
54 | </ResourceMatch> |
---|
55 | </Resource> |
---|
56 | </Resources> |
---|
57 | </Target> |
---|
58 | </Rule> |
---|
59 | |
---|
60 | <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit"> |
---|
61 | <!-- |
---|
62 | Define URIs which this policy permits but for which the underlying |
---|
63 | app returns 40x HTTP response |
---|
64 | --> |
---|
65 | <Target> |
---|
66 | <Resources> |
---|
67 | <Resource> |
---|
68 | <!-- Match the request URI --> |
---|
69 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> |
---|
70 | <ResourceAttributeDesignator |
---|
71 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
72 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
73 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue> |
---|
74 | </ResourceMatch> |
---|
75 | </Resource> |
---|
76 | </Resources> |
---|
77 | </Target> |
---|
78 | </Rule> |
---|
79 | |
---|
80 | <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit"> |
---|
81 | <!-- |
---|
82 | Secure a URI path and all sub-paths using a regular expression to |
---|
83 | define a URI pattern |
---|
84 | --> |
---|
85 | <Target> |
---|
86 | <Resources> |
---|
87 | <Resource> |
---|
88 | <!-- Pattern match the request URI --> |
---|
89 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> |
---|
90 | <ResourceAttributeDesignator |
---|
91 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
92 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
93 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue> |
---|
94 | </ResourceMatch> |
---|
95 | </Resource> |
---|
96 | </Resources> |
---|
97 | </Target> |
---|
98 | |
---|
99 | <!-- |
---|
100 | The condition narrows down the constraints layed down in the target to |
---|
101 | something more specific |
---|
102 | |
---|
103 | The user must have at least one of the roles set - in this |
---|
104 | case 'staff' |
---|
105 | --> |
---|
106 | <Condition> |
---|
107 | <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> |
---|
108 | <SubjectAttributeDesignator |
---|
109 | AttributeId="urn:ndg:security:authz:1.0:attr" |
---|
110 | DataType="http://www.w3.org/2001/XMLSchema#string"/> |
---|
111 | <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> |
---|
112 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> |
---|
113 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> |
---|
114 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> |
---|
115 | </Apply> |
---|
116 | </Apply> |
---|
117 | </Condition> |
---|
118 | </Rule> |
---|
119 | <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit"> |
---|
120 | <Target> |
---|
121 | <Resources> |
---|
122 | <Resource> |
---|
123 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> |
---|
124 | <ResourceAttributeDesignator |
---|
125 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
126 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
127 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue> |
---|
128 | </ResourceMatch> |
---|
129 | </Resource> |
---|
130 | </Resources> |
---|
131 | </Target> |
---|
132 | <Condition> |
---|
133 | <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> |
---|
134 | <SubjectAttributeDesignator |
---|
135 | AttributeId="urn:ndg:security:authz:1.0:attr" |
---|
136 | DataType="http://www.w3.org/2001/XMLSchema#string"/> |
---|
137 | <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> |
---|
138 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> |
---|
139 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue> |
---|
140 | </Apply> |
---|
141 | </Apply> |
---|
142 | </Condition> |
---|
143 | </Rule> |
---|
144 | <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit"> |
---|
145 | <!-- |
---|
146 | This rule is a modified version of the above to allow for a real use |
---|
147 | case where adding a special query argument grants extra privileges |
---|
148 | associated with an administrator |
---|
149 | --> |
---|
150 | <Target> |
---|
151 | <Resources> |
---|
152 | <Resource> |
---|
153 | <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> |
---|
154 | <ResourceAttributeDesignator |
---|
155 | AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" |
---|
156 | DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> |
---|
157 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue> |
---|
158 | </ResourceMatch> |
---|
159 | </Resource> |
---|
160 | </Resources> |
---|
161 | <Subjects> |
---|
162 | <Subject> |
---|
163 | <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> |
---|
164 | <SubjectAttributeDesignator |
---|
165 | AttributeId="urn:ndg:security:authz:1.0:attr" |
---|
166 | DataType="http://www.w3.org/2001/XMLSchema#string"/> |
---|
167 | <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue> |
---|
168 | </SubjectMatch> |
---|
169 | </Subject> |
---|
170 | </Subjects> |
---|
171 | </Target> |
---|
172 | </Rule> |
---|
173 | </Policy> |
---|