Changeset 7287 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

Timestamp:

06/08/10 09:49:47 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• Working WSGI Authorisation filter with connection to SAML/XACML based Authorisation Service - unit tests: ndg.security.test.unit.wsgi.authz.test_authz
• It may need some optimisation to avoid too many WS callouts to the Authorisation Service - perhaps add a local PDP to the authorisation filter to filter out some requests going over the wire e.g. requests for web page CSS or graphics content.
• The XACML policy file has some big additions to it to support the various test conditions in ndg.security.test.unit.wsgi.authz.test_authz. These should be ported back to the ndg_xacml package unit tests.
• Next major task: remove temp fix in XACML Context handler - instead of using hardwired roles for the user alter it so that the PDP makes a request back to the PIP (Policy Enforcement Point) to grab additional attributes. The PIP will call to Attibute Service(s) to pull any additional attributes needed/

File:

• TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (5 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

@@ -6 +6 @@
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <Description>
-        NDG XACML example for unit tests: allow access for resource URIs 
-        matching given regular expressions.  The subject must have at least one
-        of a set of named attributes allocated 
+        Example for NDG Security unit tests: allow access for resource URIs 
+        defined in the rules.  All other URIs are blocked from access
+        
+        See ndg.security.test.unit.wsgi.authz.test_authz to see the various 
+        rules tested out
     </Description>
     
@@ -78 +80 @@
     <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
         <!-- 
-            Rule target(s) define which requests apply to the particular rule
+            Secure a URI path and all sub-paths using a regular expression to 
+            define a URI pattern
         -->
         <Target>
@@ -99 +102 @@
             
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>
@@ -118 +121 @@
             <Resources>
                 <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                         <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:ndg:security:authz:1.0:attr" 
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
+        <!-- 
+            This rule is a modified version of the above to allow for a real use
+            case where adding a special query argument grants extra privileges
+            associated with an administrator
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -128 +161 @@
             <Subjects>
                 <Subject>
-                    <SubjectMatch>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <SubjectAttributeDesignator 
                             AttributeId="urn:ndg:security:authz:1.0:attr" 
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                     </SubjectMatch>
                 </Subject>