source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml @ 7413

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml@7413
Revision 7413, 7.0 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • added local PDP call to PEP to enable some requests to be filtered out as not applicable to the main authorisation service. Tested in ndg.security.test.unit.wsgi.authz.test_authz. TODO: add to integration tests.
  • Property svn:keywords set to Id
<?xml version="1.0" encoding="UTF-8"?>
<!--
    XACML 2.0 request-filter policy used by the NDG Security test suites.
    Rule combining is permit-overrides: any Permit rule that applies wins,
    otherwise the DenyAllRule below yields Deny.  The xsi:schemaLocation on
    the root element is a hint for schema-aware tools only; a validator must
    not fetch it on behalf of an untrusted document.
-->
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        Example for NDG Security unit tests: allow access for resource URIs
        defined in the rules.  All other URIs are blocked from access
       
        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
        rules tested out
    </Description>
   
    <!--
        The Policy target(s) define which requests apply to the whole policy.
        Per XACML 2.0, a request whose resource-id does not match this target
        makes the policy NotApplicable (the DenyAllRule below is not reached).
        How the PEP handles NotApplicable (deny, or hand the request on to the
        main authorisation service) is decided outside this file - confirm in
        the PEP.
    -->
    <Target>
        <Resources>
            <Resource>
                <!--
                    Match every request URI under http://localhost:7080/.
                    The pattern is anchored at both ends, so requests for any
                    other scheme, host or port are not covered by this policy.
                -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>   
   
    <!--
        Deny everything by default.  With permit-overrides this rule only
        decides the outcome when none of the Permit rules below applies.
        Note the RuleId scheme 'urn:ndg:security1.0:' lacks the colon used by
        the PolicyId ('urn:ndg:security:1.0:'); left unchanged here in case
        the identifier is referenced elsewhere.
    -->
    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
    <!--
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see
        Policy element above
    -->
    <Rule RuleId="Graphics and CSS" Effect="Permit">
        <!--
            Public access for graphics and CSS content.  The pattern has no
            closing anchor, so every URI at or below /layout/ (sub-paths
            included) is permitted; the rule therefore relies on the PEP
            canonicalising the request URI (e.g. resolving dot segments)
            before evaluation - TODO confirm.  RuleId is a plain string here
            rather than a URN like the other rules; legal but inconsistent.
        -->
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
        <!--
            Define URIs with public access.  The alternation group is
            optional ('?') and the pattern ends in '$', so exactly the bare
            root http://localhost:7080/ and the four listed paths match;
            sub-paths and query variants do not.
           
            Rule target(s) define which requests apply to the particular rule
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit">
        <!--
            Demonstrate a URI secured with an attribute which the test user
            doesn't have.  The target needs both the resource match and a
            subject attribute urn:siteA:security:authz:1.0:attr equal to
            'special-privileges'; a subject without it makes this rule
            NotApplicable and the DenyAllRule decides.  The resource pattern
            has no closing anchor, so sub-paths of
            test_accessDeniedToSecuredURI are covered as well.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Subjects>
                <Subject>
                    <!-- Subject must carry the 'special-privileges' attribute value -->
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <SubjectAttributeDesignator 
                            AttributeId="urn:siteA:security:authz:1.0:attr" 
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
                    </SubjectMatch>
                </Subject>
            </Subjects>
        </Target>
    </Rule>
   
    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
        <!--
            Secure a single URI.  Unlike the rules above this uses
            anyURI-equal, an exact comparison: sub-paths and query variants
            of test_securedURI are not covered and fall through to the
            DenyAllRule.
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Exact match of 'test_securedURI' -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
       
        <!--
            The condition narrows down the constraints laid down in the target
            to something more specific.
           
            The user must hold at least one of the roles in the bag below:
            'staff', 'admin' or 'postdoc'.  MustBePresent is not set on the
            designator, so (per XACML 2.0) a subject without the attribute
            yields an empty bag and the condition is simply false, making the
            rule NotApplicable rather than Indeterminate.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:siteA:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>