source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/esgf1.xml @ 7661

Revision 7661, 3.9 KB checked in by pjkersha, 10 years ago (diff)

ndg_xacml:

  • added support for custom AttributeValue DataTypes - this means that the ESGF GroupRole attribute type can be added directly into XACML policies.
  • TODO: add support for adding custom functions so that a PDP can correctly apply rules based on custom types like the ESGF GroupRole.
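<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:esgf-policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    xmlns:esg="http://www.earthsystemgrid.org/"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        NDG XACML example for unit tests: add custom ESG Group/Role Attribute Value type
    </Description>

    <!--
        Unit-test fixture: exercises a custom AttributeValue DataType
        (urn:esgf:pcmdi:grouprole) whose value is structured XML in the esg
        namespace rather than a plain string.  xsi:schemaLocation above is a
        location hint for validators, not a URL the policy reader needs to fetch.
    -->

    <!--
        The Policy target(s) define which requests apply to the whole policy
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with / -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>

    <!--
        Deny everything by default.  This rule has no Target, so it applies
        to every request that reaches the policy; permit-overrides (see the
        Policy element above) lets any matching Permit rule win over it.
    -->
    <Rule RuleId="DenyAllRule" Effect="Deny"/>
    <!--
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see
        Policy element above
    -->
    <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
        <!--
            Subject must have at least one of a group of roles

            Resource id is a regular expression
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>

        <!--
            The condition narrows down the constraints laid down in the target to
            something more specific

            The subject's urn:ndg:security:authz:1.0:attr values must include at
            least one of the ESGF group/role pairs in the bag below
            (CMIP5_Research/default or CMIP5_Commercial/default).

            NOTE(review): string-at-least-one-member-of and string-bag are the
            XACML string functions and the SubjectAttributeDesignator is typed
            as XMLSchema#string, while the bag members carry the custom DataType
            urn:esgf:pcmdi:grouprole.  A strictly type-checking PDP would
            report this as Indeterminate; evaluation presumably depends on
            ndg_xacml's custom-type handling - confirm against the PDP tests.
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator
                    AttributeId="urn:ndg:security:authz:1.0:attr"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="urn:esgf:pcmdi:grouprole">
                        <esg:groupRole>
                            <esg:group>CMIP5_Research</esg:group>
                            <esg:role>default</esg:role>
                        </esg:groupRole>
                    </AttributeValue>
                    <AttributeValue DataType="urn:esgf:pcmdi:grouprole">
                        <esg:groupRole>
                            <esg:group>CMIP5_Commercial</esg:group>
                            <esg:role>default</esg:role>
                        </esg:groupRole>
                    </AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>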