Changes between Version 7 and Version 8 of XACML

Timestamp:

03/09/10 17:09:10 (11 years ago)

Author:

pjkersha

Comment:

--

XACML

@@ -6 +6 @@
 
 == Current Status ==
+=== Version 0.3 ===
+ * Important fixes for equals functions, and improvement to at least one member functions.  
+ * Unit tests improved with wider coverage of different rule definitions and example request contexts.
+ * Improved and added to support for context handler and Policy Information Point interfaces including the ability for the PDP to call back to a PIP via a Context handler to retrieve additional subject attributes.
+
 === Version 0.2 ===
 The first Alpha release to PyPI has been made 288 June 2010:
@@ -53 +58 @@
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -63 +68 @@
     
     <!-- Deny everything by default -->
-    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
+    <Rule RuleId="DenyAllRule" Effect="Deny"/>
     <!-- 
         Following rules punch holes through the deny everything rule above
@@ -69 +74 @@
         Policy element above
     -->
-    <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
-        <!-- 
-            Rule target(s) define which requests apply to the particular rule
+    <Rule RuleId="ResourceBased" Effect="Permit">
+        <!-- 
+            Resource based restriction only
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/resource-only-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+    
+    <Rule RuleId="SingleSubjectRoleBased" Effect="Permit">
+        <!-- 
+            Allow access based on a single subject role
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:ndg:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+
+    <Rule RuleId="SingleSubjectRoleBasedWithAction" Effect="Permit">
+        <!-- 
+            Allow access based on a single subject role and given action
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:ndg:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/action-and-single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+            <Actions>
+                <Action>
+                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+                        <ActionAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </ActionMatch>
+                </Action>
+            </Actions>
+        </Target>
+    </Rule>
+    
+    <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
+        <!-- 
+            Subject must have at least one of a group of roles
+            
+            Resource id is a regular expression
         -->
         <Target>
@@ -78 +170 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                     </ResourceMatch>
                 </Resource>
@@ -92 +184 @@
             
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>
@@ -107 +199 @@
         </Condition>
     </Rule>
-    <Rule RuleId="urn:ndgsecurity:secured-uri-rule2" Effect="Permit">
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI2$</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator 
-                    AttributeId="urn:ndg:security:authz:1.0:attr" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">restricted</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">privileged</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
 </Policy>
 }}}
@@ -139 +206 @@
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
 }}}
-Any rule which follows for which a match is made grants access.  For example, the second rule grants access to any URI which begins with `http://localhost/test_securedURI`, provided the subject (the person or entity requesting access) has at least one of the attributes, `staff`, `admin` or `postdoc`.
+Any rule which follows for which a match is made, grants access.  For example, 
+ * The `ResourceBased` rule, restricts based on resource URI only.  It overrides the previous `DenyAllRule` for requests to `http://localhost/resource-only-restricted`. 
+ * the rule ID'd `AtLeastOneSubjectAttributeBased` grants access to any URI which begins with `http://localhost/at-least-of-subject-role-restricted`, provided the subject (the person or entity requesting access) has at least one of the attributes, `staff`, `admin` or `postdoc`.
 
 ----
 Philip Kershaw, 28 June 2010
+Updated for version 0.3.1, 3 Sept 2010