source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml @ 7444

Revision 7444, 4.9 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • fixed ordering of attribute designator and attribute value elements in example policy files for correct schema validation.
  • Property svn:keywords set to Id
1<?xml version="1.0" encoding="UTF-8"?>
<!--
    XACML 2.0 policy used by the ndg.security WSGI/SAML unit tests.

    Layout: the Policy-level Target limits evaluation to http://localhost/
    URIs; an unconditional Deny rule then covers every such request, and the
    Permit rules that follow open individual resources to subjects holding one
    of the listed role attribute values. The rule combining algorithm is
    permit-overrides, so any matching Permit rule wins over the default Deny.

    xsi:schemaLocation is a validation hint only; the consuming parser should
    validate against a locally held copy of the schema rather than fetch this
    URL on the strength of the document itself.
-->
2<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
3    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
4    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
6    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
7    <Description>
8        NDG XACML example for unit tests
9    </Description>
10   
11    <!--
12        The Policy Target defines which requests the whole policy applies to;
        requests that do not match it are not evaluated by any of the rules.
13    -->
14    <Target>
15        <Resources>
16            <Resource>
17                <!--
                    Match every request URI under http://localhost/ - the
                    regex is anchored at both ends.

                    NOTE(review): XACML 2.0 specifies the first argument of
                    anyURI-regexp-match as xs:string; this file (here and in
                    the rules below) supplies it as xs:anyURI. The PDP under
                    test appears to accept this - confirm before reusing the
                    policy with a different implementation.
                -->
18                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
19                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
20                    <ResourceAttributeDesignator
21                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
22                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
23                </ResourceMatch>
24            </Resource>
25        </Resources>
26    </Target>   
27   
28    <!--
        Deny everything by default. This rule has no Target and no Condition,
        so it applies to every request that passes the Policy Target above.

        NOTE(review): the RuleId below omits the ':' between 'security' and
        '1.0' that the PolicyId uses. Harmless to evaluation, but inconsistent
        with the other identifiers in this file.
    -->
29    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
30    <!--
31        The following rules punch holes through the deny-everything rule above
32        because the rule combining algorithm is set to permit-overrides - see
33        the RuleCombiningAlgId on the Policy element above.
34    -->
35    <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
36        <!--
37            The rule Target defines which requests this particular rule applies to
38        -->
39        <Target>
40            <Resources>
41                <Resource>
42                    <!--
                        Match exactly one request URI. The '?', '[' and ']'
                        in the URI are backslash-escaped so the regex treats
                        them literally, and the '&' is written as the XML
                        entity because it sits in element content.
                    -->
43                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
44                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/dap/data/my.nc.dods\?time\[0:1:0\]&amp;lat$</AttributeValue>
45                        <ResourceAttributeDesignator
46                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
47                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
48                    </ResourceMatch>
49                </Resource>
50            </Resources>
51        </Target>
52       
53        <!--
54            The Condition narrows the constraints laid down in the Target to
55            something more specific.
56           
57            The subject must hold at least one of the role values in the bag -
58            in this case 'staff', 'admin' or 'postdoc' - in the attribute
            urn:ndg:security:authz:1.0:attr.
59        -->
60        <Condition>
61            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
62                <SubjectAttributeDesignator 
63                    AttributeId="urn:ndg:security:authz:1.0:attr" 
64                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
65                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
66                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
67                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
68                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
69                </Apply>
70            </Apply>
71        </Condition>
72    </Rule>
    <!--
        Rule for the accessDeniedToSecuredURI test case. It permits only
        subjects holding 'forbidden' or 'keepout' - presumably values the
        test subject does not have, so the default Deny stands (verify
        against the test).

        NOTE(review): this Target designates the resource attribute
        urn:siteA:security:authz:1.0:attr:resourceURI, whereas the Policy
        Target and the rule above use the standard
        urn:oasis:names:tc:xacml:1.0:resource:resource-id. Confirm that the
        request context supplies the siteA attribute; if it does not, this
        Target never matches and the rule is dead.
    -->
73    <Rule RuleId="accessDeniedToSecuredURIRule" Effect="Permit">
74        <Target>
75            <Resources>
76                <Resource>
77                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
78                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
79                        <ResourceAttributeDesignator
80                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
81                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
82                    </ResourceMatch>
83                </Resource>
84            </Resources>
85        </Target>
        <!-- Same role-membership check as the rule above, with a different bag of values -->
86        <Condition>
87            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
88                <SubjectAttributeDesignator 
89                    AttributeId="urn:ndg:security:authz:1.0:attr" 
90                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
91                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
92                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
93                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
94                </Apply>
95            </Apply>
96        </Condition>
97    </Rule>
98</Policy>