Timestamp:
06/08/10 09:49:47 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Working WSGI Authorisation filter with connection to SAML/XACML based Authorisation Service - unit tests: ndg.security.test.unit.wsgi.authz.test_authz
  • It may need some optimisation to avoid too many WS callouts to the Authorisation Service - perhaps add a local PDP to the authorisation filter to filter out some requests going over the wire e.g. requests for web page CSS or graphics content.
  • The XACML policy file has some big additions to it to support the various test conditions in ndg.security.test.unit.wsgi.authz.test_authz. These should be ported back to the ndg_xacml package unit tests.
  • Next major task: remove temp fix in XACML Context handler - instead of using hardwired roles for the user, alter it so that the PDP makes a request back to the PIP (Policy Enforcement Point) to grab additional attributes. The PIP will call to Attribute Service(s) to pull any additional attributes needed.
File:
1 edited

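--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
@@ -6,7 +6,9 @@
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <Description>
-        NDG XACML example for unit tests: allow access for resource URIs
-        matching given regular expressions.  The subject must have at least one
-        of a set of named attributes allocated
+        Example for NDG Security unit tests: allow access for resource URIs
+        defined in the rules.  All other URIs are blocked from access
+
+        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
+        rules tested out
     </Description>
 
@@ -78,5 +80,6 @@
     <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
         <!--
-            Rule target(s) define which requests apply to the particular rule
+            Secure a URI path and all sub-paths using a regular expression to
+            define a URI pattern
         -->
         <Target>
@@ -99,5 +102,5 @@
 
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>
@@ -118,9 +121,39 @@
             <Resources>
                 <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                         <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+                <SubjectAttributeDesignator
+                    AttributeId="urn:ndg:security:authz:1.0:attr"
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
+        <!--
+            This rule is a modified version of the above to allow for a real use
+            case where adding a special query argument grants extra privileges
+            associated with an administrator
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -128,9 +161,9 @@
             <Subjects>
                 <Subject>
-                    <SubjectMatch>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <SubjectAttributeDesignator
                             AttributeId="urn:ndg:security:authz:1.0:attr"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                     </SubjectMatch>
                 </Subject>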
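Review bot: The comment added at new lines 82-83 of the secured-uri-rule says the URI is secured "using a regular expression to define a URI pattern", but the ResourceMatch at new line 123 is changed in the same commit from anyURI-regexp-match to anyURI-equal against the literal `http://localhost/test_accessGrantedToSecuredURI`, so the rule now matches exactly that one URI and no sub-paths; suggest rewording the comment to `Permit this exact resource URI (anyURI-equal, literal comparison, no pattern matching); sub-paths and other URIs are not matched by this rule`. Because anyURI-equal compares the resource-id string as-is, equivalent spellings (host case, default port, trailing slash, percent-encoding) will not match unless the PEP canonicalises the URI before building the request — that is fail-safe given the Description's statement that all other URIs are blocked, but it is worth a note in the comment so nobody later loosens it with an unanchored pattern. The RuleId `Access Granted to secured URI Rule modified for special admin query argument` at new line 144 is a free-text sentence with spaces, whereas the sibling rule uses the URN form `urn:ndg:security:secured-uri-rule`; a URN such as `urn:ndg:security:secured-uri-admin-query-rule` keeps RuleIds consistent and easier to reference from the test module named in the Description. The Rule elements opened in the last two hunks continue past the end of the section.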