Timestamp:
02/09/10 11:43:37 (10 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Tested the local PDP with the integration tests in ndg.security.test.integration.full_system. This completes the functionality for the XACML integration - now preparing a new release.
File:
1 edited

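--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml
@@ -6,9 +6,6 @@
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <Description>
-        Example for NDG Security unit tests: allow access for resource URIs
-        defined in the rules.  All other URIs are blocked from access
-
-        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
-        rules tested out
+        Policy used by a PDP local to the PEP to filter out some requests from
+        being passed on to the main authorisation service
     </Description>
 
@@ -24,124 +21,9 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(?!layout).*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
         </Resources>
     </Target>
-
-    <!-- Deny everything by default -->
-    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
-    <!--
-        Following rules punch holes through the deny everything rule above
-        because the rule combining algorithm is set to permit overrides - see
-        Policy element above
-    -->
-    <Rule RuleId="Graphics and CSS" Effect="Permit">
-        <!--
-            Public access for graphics and CSS content
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-    </Rule>
-
-    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
-        <!--
-            Define a URI with public access
-
-            Rule target(s) define which requests apply to the particular rule
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-    </Rule>
-
-    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit">
-        <!--
-            Demonstrate a URI secured with an attribute which the test user
-            doesn't have
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr"
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
-        </Target>
-    </Rule>
-
-    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
-        <!--
-            Secure a URI path and all sub-paths using a regular expression to
-            define a URI pattern
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match 'test_securedURI' -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-
-        <!--
-            The condition narrows down the constraints layed down in the target to
-            something more specific
-
-            The user must have at least one of the roles set - in this
-            case 'staff'
-        -->
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator
-                    AttributeId="urn:siteA:security:authz:1.0:attr"
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
+    <Rule RuleId="Catch all" Effect="Deny"></Rule>
 </Policy>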
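Review bot: The new Policy Target pattern `^http://localhost:7080/(?!layout).*$` at new line 23 exempts more than the `^http://localhost:7080/layout/` rule it replaces, because the lookahead rejects any path whose first segment merely starts with `layout` (`layouts/...`, `layout-x/...`), and such requests then fall outside the Target and evaluate to NotApplicable instead of Deny. If only the layout directory is meant to be exempt, `(?!layout/)` pins the prefix. The match is against the raw resource-id string, so unless the PEP already canonicalises the URI (dot-segments, percent-encoding, host/port case) before invoking this PDP, equivalent spellings of the same path may land on different sides of the lookahead. With the rules collapsed to the single `Catch all` Deny, every in-target URI now returns Deny, so the Description should state how the PEP treats Deny versus NotApplicable from this local PDP, i.e. which outcome forwards the request to the main authorisation service; a URN-style RuleId like the removed `urn:ndg:security...` ids would also keep naming consistent across the project's policies. The enclosing `<Policy>` element opens before this hunk.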