How do I can combine two rules in single one in XACML?

非 Y 不嫁゛ 提交于 2019-12-11 01:50:51

问题


How do I combine these two rules

(1) Any user can access (read, write, etc.) to the resources http://www.example.com/info1 and http://www.example.com/info2

(2) Any reading action (read) to any resource can only be accessed by users which belong to the group admin and manager.

in a single one?

What I have done so far is this:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>Policy 1</Description>
    <Target />
    <!--Punto d.1,2-->
    <Rule Effect="Permit" RuleId="Rule Permit #1" >
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="Rule Deny #1" />
</Policy>

How do I made the Condition optional when any user with any action -read, write, etc.-, try to access any of the two URLs?

And, how do I validate when an access request with read action, it can only be accessed when user (subject) belongs to the groups, or admin?


回答1:


There are several ways you can achieve your scenario. The easiest might yet be to create a structure for your policies. For instance, you might say that you have a policy for http://www.example.com/info1 and another for http://www.example.com/info2. Each policy could have rules for read, write, delete... Or if you do not want to specify any action then you could skip it. In your case, you want to restrict read to administrators and managers.

Using the ALFA syntax, this gives you:

namespace so{
    attribute group{
        category = subjectCat
        id = "group"
        type = string
    }
    // Standard XACML attributes e.g. resource-id
    import Attributes.*

    policyset resources{
        apply firstApplicable
        policy info1{            
            target clause resourceId == "http://www.example.com/info1"
            apply firstApplicable
            rule read{
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit 
            }
            // Add other rules for other actions here
        }
        policy info2{
            target clause resourceId == "http://www.example.com/info2"
            apply firstApplicable
            rule read{
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit 
            }
            // Add other rules for other actions here
        }
    }
}

That said this does not answer your question exactly. Firstly it is not combined in a single rule (doing that is not great BTW, I wouldn't do it - define a good structure, it is more manageable). And in my approach, you have to explicitly list all other actions.

Here is another approach

policy allowAccess{
    target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
    apply firstApplicable
    rule allowRead{
        target clause group=="admin" and group=="manager" and Attributes.actionId=="read"
        permit
    }
    rule allowOtherActions{
        condition not(Attributes.actionId=="read")
        permit
    }
}

A final condensed version would be

policy allowAccess2{
    apply firstApplicable
    rule allow{
        target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
        condition (group=="admin" && group=="manager" && Attributes.actionId=="read") || (not(Attributes.actionId=="read"))
        permit
    }
}  

The XACML output is:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow">
        <xacml3:Description />
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="group"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="group"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                    </xacml3:Apply>
                </xacml3:Apply>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                </xacml3:Apply>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>


来源:https://stackoverflow.com/questions/42597859/how-do-i-can-combine-two-rules-in-single-one-in-xacml

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!