source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml @ 7335


Incomplete - task 2: XACML-Security Integration

  • first working e2e test with PEP calling a SAML Authorisation service configured with PIP to make callouts to an Attribute Authority to pull user attributes. This meets the ESG requirements. Next steps:
    • integrate with ndg.security.test.integration.authz_lite browser based integration tests
    • optimise by adding caching of authz decisions to PEP and possibly caching attribute assertions in the PEP.
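<?xml version="1.0" encoding="UTF-8"?>
<!--
    XACML 2.0 test policy for the NDG Security authorisation service.

    xsi:schemaLocation is a hint for validators only: the PDP that loads this
    file must not fetch the schema URL from the network at parse time, and it
    should parse with DTD/external-entity processing disabled.
-->
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        Example for NDG Security unit tests: allow access for resource URIs
        defined in the rules.  All other URIs are blocked from access
       
        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
        rules tested out
    </Description>

    <!--
        The Policy target defines which requests the whole policy applies to:
        any resource-id beginning with http://localhost/ (anchored pattern).
        Requests outside this target get NotApplicable from this policy, not
        Deny, so the PEP must treat NotApplicable as a refusal.
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with http://localhost/ -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>

    <!--
        Deny everything by default.  This rule has no Target so it applies to
        every request inside the Policy target; with permit-overrides it turns
        "no Permit rule matched" into an explicit Deny rather than
        NotApplicable.
    -->
    <Rule RuleId="urn:ndg:security:1.0:authz:test:DenyAllRule" Effect="Deny"/>

    <!--
        The following rules punch holes through the deny-everything rule above
        because the rule combining algorithm is set to permit-overrides (see
        the Policy element).  Any single matching Permit rule wins, so every
        Permit rule below must be written as narrowly as possible.
    -->
    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
        <!--
            Define a URI with public access: no Subject constraint, so any
            requester (including anonymous) is permitted for this exact URI.

            Rule target(s) define which requests apply to the particular rule.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Exact match of the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
        <!--
            Define URIs which this policy permits but for which the underlying
            app returns a 40x HTTP response (test_401 and test_403).

            The pattern is anchored with ^ and $ like the other regexp rules in
            this file, so it matches exactly these two URIs and not any URI
            that merely starts with them.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_40[13]$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
        <!--
            Secure a URI path and all sub-paths using a regular expression to
            define a URI pattern.  The Target selects the resource; the
            Condition below adds the Subject requirement.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>

        <!--
            The condition narrows down the constraints laid down in the target
            to something more specific.

            The user must hold at least one of the attribute values in the bag
            below (staff, admin or postdoc) for the
            urn:siteA:security:authz:1.0:attr attribute.

            NOTE(review): the values here are bare names, whereas the two rules
            below compare the same AttributeId against values prefixed with
            urn:siteA:security:authz:1.0:attr: - confirm which form the
            Attribute Authority actually issues, otherwise one set of rules can
            never match.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator
                    AttributeId="urn:siteA:security:authz:1.0:attr"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>

    <!--
        Exact-URI rule: access is granted only to subjects holding the staff
        or postdoc attribute value.

        RuleId is a free-form string in XACML 2.0, so the spaces are legal,
        but the URN form used by the rules above is easier to grep for in
        PDP logs.
    -->
    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
        <Target>
            <Resources>
                <Resource>
                    <!-- Exact match of the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        <!-- Subject must hold at least one of the listed attribute values -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator
                    AttributeId="urn:siteA:security:authz:1.0:attr"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>

    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
        <!--
            This rule is a modified version of the above to allow for a real use
            case where adding a special query argument grants extra privileges
            associated with an administrator.

            The query argument alone does not elevate anything: the Subjects
            target below still requires the admin attribute value, and the
            resource match is an exact anyURI-equal comparison of the whole
            URI including the query string, so variants in query ordering or
            encoding will not match this rule.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Exact match of the request URI, query string included -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Subjects>
                <Subject>
                    <!-- Requester must carry the admin attribute value -->
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <SubjectAttributeDesignator
                            AttributeId="urn:siteA:security:authz:1.0:attr"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
    </Rule>
</Policy>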