Initial commit.
This commit is contained in:
parent
56f4c66e78
commit
d0fc157880
|
@ -0,0 +1,28 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
defaultPDP="pdp" defaultAttributeFactory="attr"
|
||||
defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
|
||||
<pdp name="pdp">
|
||||
<!-- no need to define attributeFinderModules for analysis: the needed
|
||||
attributeFinderModule for analysis is set automatically -->
|
||||
|
||||
<policyFinderModule class="com.sun.xacml.support.finder.FilePolicyModule">
|
||||
<list>
|
||||
<string>file:abstractEval_policy2011.xacml</string>
|
||||
<string>file:abstractEval_andortest.xacml</string> <!-- andortest xacmlv1test -->
|
||||
<string>file:abstractEval_xacmlv1test.xacml</string>
|
||||
</list>
|
||||
</policyFinderModule>
|
||||
</pdp>
|
||||
<attributeFactory name="attr" useStandardDatatypes="true">
|
||||
<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
|
||||
</attributeFactory>
|
||||
|
||||
<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
|
||||
<functionFactory name="func" useStandardFunctions="true"/>
|
||||
|
||||
<!-- no need to define logserver for analysis: would be removed anyhow -->
|
||||
</config>
|
||||
|
||||
|
|
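Review bot: The three `file:` entries in the policyFinderModule list are relative file URIs and nothing in the config says what they are resolved against (as far as I know FilePolicyModule resolves them relative to the working directory of the PDP process), so the setup silently depends on where the PDP is launched; a comment such as `<!-- file: entries are resolved relative to the PDP's working directory -->` or absolute locations would remove the ambiguity. `xmlns:xsi` is declared on the root element here and in the other config and policy files of this commit, but no `xsi:schemaLocation` ever uses it; either drop the declaration or add the location. The trailing comment `andortest xacmlv1test` on the second entry does not say what it refers to; if it marks the two logical-function test policies, say so.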
@ -0,0 +1,56 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
PolicySetId="AndOrTest:main"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
|
||||
|
||||
<Description>
|
||||
Simple policy to test the behaviour of the modified logical functions
|
||||
defined in eu.aniketos.securebpmn.xacml.xacml.cond.AnalysisLogicalFunction
|
||||
</Description>
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">AndOrTest</AttributeValue>
|
||||
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
|
||||
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
<Policy PolicyId="AndOrTest_1"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target/>
|
||||
|
||||
<Rule RuleId="AndOrTest_1_1" Effect="Deny">
|
||||
<Target/>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:nothere1"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:test:true"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:test:false"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
</Policy>
|
||||
|
||||
<!-- final Policy -->
|
||||
<Policy PolicyId="AndOrTest_FinalPolicy"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target/>
|
||||
<Rule RuleId="AndOrTest_FinalRule" Effect="Deny"/>
|
||||
</Policy>
|
||||
</PolicySet>
|
|
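Review bot: Rule AndOrTest_1_1 depends on three subject attributes that the file does not describe: `urn:nothere1`, which the name suggests is meant to be absent from every request, and `urn:test:true` / `urn:test:false`, which the test harness presumably supplies. Under standard semantics `boolean-one-and-only` on an empty bag is Indeterminate, and the standard `or` then either stops at that argument or goes on to `urn:test:true` depending on the implementation, so the decision this policy is expected to produce with the modified AnalysisLogicalFunction cannot be derived from the file. Record it in the Description or in a comment above the `or` Apply, e.g. `<!-- urn:nothere1 is intentionally unresolvable; expected decision with AnalysisLogicalFunction: <FILL IN> -->`. The same applies to the XACML 1.0 variant of this test further down.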
@ -0,0 +1,103 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
PolicySetId="HealthRecord:main"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
|
||||
|
||||
<Description>
|
||||
This is the policy as it was used for the POLICY2011 publication:
|
||||
A Framework for Managing and Analyzing Changes of Security Policies
|
||||
http://www.brucker.ch/bibliography/download/2011/brucker.ea-framework-2011.pdf
|
||||
|
||||
Update: the combining alg of the policy has to be permit-overrides
|
||||
</Description>
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">HealthRecord</AttributeValue>
|
||||
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
|
||||
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
<Policy PolicyId="HealthRecord_Nurse"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Nurse</AttributeValue>
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
|
||||
AttributeId="subject-roles"/>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
<Rule RuleId="HealthRecord_Nurse_1" Effect="Deny">
|
||||
<Target/>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
|
||||
<EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
|
||||
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
|
||||
</Apply>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">20:00:00Z</AttributeValue>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">06:00:00Z</AttributeValue>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
|
||||
<Rule RuleId="HealthRecord_Nurse_2" Effect="Permit">
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
|
||||
<ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
|
||||
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
|
||||
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
|
||||
AttributeId="urn:patient:department"/>
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
|
||||
AttributeId="urn:subject:department" />
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
</Policy>
|
||||
|
||||
<Policy PolicyId="HealthRecord_Doctor"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
|
||||
AttributeId="subject-roles"/>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
<Rule RuleId="HealthRecord_Doctor_2" Effect="Permit"/>
|
||||
</Policy>
|
||||
|
||||
<!-- final Policy -->
|
||||
<Policy PolicyId="HealthRecord_FinalPolicy"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target/>
|
||||
<Rule RuleId="HealthRecord_FinalRule" Effect="Deny"/>
|
||||
</Policy>
|
||||
</PolicySet>
|
|
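Review bot: Rule HealthRecord_Doctor_2 has neither a Target nor a Condition, so policy HealthRecord_Doctor permits every action on every HealthRecord resource for any subject whose `subject-roles` contains Doctor, and because the PolicySet combines with permit-overrides this also overrides the night-time Deny of HealthRecord_Nurse_1 for subjects holding both roles (the roles file in this commit lists bob and dave as Doctor;Nurse;Employee). If that breadth is intended it belongs in the policy, e.g. `<Description>Doctors: unconditional Permit for all actions; under permit-overrides this supersedes the nurse night-time deny</Description>`; otherwise scope the rule with an Actions target the way HealthRecord_Nurse_2 does. The id `HealthRecord_Doctor_2` with no `_1` suggests a removed rule; renumber or leave a comment. `AttributeId="subject-roles"` is a bare relative id while the other custom attributes are URNs (`urn:subject:department`); pick one form.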
@ -0,0 +1,54 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
PolicySetId="AndOrTestv1:main"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
|
||||
|
||||
<Description>
|
||||
Simple policy to test the behaviour of the modified logical functions
|
||||
defined in eu.aniketos.securebpmn.xacml.xacml.cond.AnalysisLogicalFunction
|
||||
</Description>
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">AndOrTestv1</AttributeValue>
|
||||
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
|
||||
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
<Policy PolicyId="AndOrTest_1"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target/>
|
||||
|
||||
<Rule RuleId="AndOrTest_1_1" Effect="Deny">
|
||||
<Target/>
|
||||
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:nothere1"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:test:true"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
|
||||
AttributeId="urn:test:false"/>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
</Policy>
|
||||
|
||||
<!-- final Policy -->
|
||||
<Policy PolicyId="AndOrTest_FinalPolicy"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target/>
|
||||
<Rule RuleId="AndOrTest_FinalRule" Effect="Deny"/>
|
||||
</Policy>
|
||||
</PolicySet>
|
|
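Review bot: The nested `PolicyId="AndOrTest_1"`, `RuleId="AndOrTest_1_1"` and `PolicyId="AndOrTest_FinalPolicy"` repeat the identifiers of the XACML 2.0 test file above, although this PolicySet is `AndOrTestv1:main`; if these are the files listed as abstractEval_andortest.xacml and abstractEval_xacmlv1test.xacml in the abstractEval config, both are loaded into one PDP and any id-based lookup or reference resolution then sees two different policies under one id. Rename them to follow the set id, e.g. `PolicyId="AndOrTestv1_1"`, `RuleId="AndOrTestv1_1_1"`, `PolicyId="AndOrTestv1_FinalPolicy"`. As in the 2.0 variant, the expected decision for the intentionally unresolvable `urn:nothere1` designator is not recorded anywhere in the file.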
@ -0,0 +1,5 @@
|
|||
carol:Nurse;Employee
|
||||
alice:Nurse;Employee
|
||||
marvin:Nurse;Employee
|
||||
bob:Doctor;Nurse;Employee
|
||||
dave:Doctor;Nurse;Employee
|
|
@ -0,0 +1,49 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
defaultPDP="pdp" defaultAttributeFactory="attr"
|
||||
defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
|
||||
<pdp name="pdp">
|
||||
|
||||
|
||||
<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
|
||||
<!-- TODO remove: must be evaluated by recorded context -->
|
||||
<attributeFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.impl.RoleFinderModule"/>
|
||||
|
||||
<attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationFinderModule"/>
|
||||
|
||||
|
||||
<!-- attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule"/ -->
|
||||
|
||||
<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
|
||||
<!-- attributeFinderModule class="com.sun.xacml.finder.impl.EmergencyLevelModule"/ -->
|
||||
|
||||
<policyFinderModule class="com.sun.xacml.support.finder.FilePolicyModule">
|
||||
<list>
|
||||
<string>conf:useLines:true</string>
|
||||
<string>file:policy2.xacml</string>
|
||||
</list>
|
||||
</policyFinderModule>
|
||||
</pdp>
|
||||
<attributeFactory name="attr" useStandardDatatypes="true">
|
||||
<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
|
||||
</attributeFactory>
|
||||
|
||||
<combiningAlgFactory name="comb" useStandardAlgorithms="false">
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisFirstApplicableRuleAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisFirstApplicablePolicyAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisDenyOverridesRuleAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisDenyOverridesPolicyAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedDenyOverridesRuleAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedDenyOverridesPolicyAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisPermitOverridesRuleAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisPermitOverridesPolicyAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedPermitOverridesRuleAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedPermitOverridesPolicyAlg"/>
|
||||
<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOnlyOneApplicablePolicyAlg"/>
|
||||
</combiningAlgFactory>
|
||||
|
||||
<functionFactory name="func" useStandardFunctions="true"/>
|
||||
</config>
|
||||
|
||||
|
|
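Review bot: `useStandardAlgorithms="false"` on the combiningAlgFactory registers only the eleven `Analysis*` classes, while the policy files in this commit reference the standard identifiers (`urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable`, `...:policy-combining-algorithm:permit-overrides`); whether those classes register under the standard URNs is not visible here, so state it, e.g. `<!-- Analysis* algorithms replace the standard ones and register under the standard algorithm ids -->`. With `CurrentEnvModule` commented out, `urn:oasis:names:tc:xacml:1.0:environment:current-time` (used by HealthRecord_Nurse_1) has to come from the request context or from EvaluationFinderModule; the `TODO remove` above RoleFinderModule should say what replaces it and when. The four commented-out `attributeFinderModule` lines are dead configuration and are better removed than kept as comments. `conf:useLines:true` is an undocumented FilePolicyModule option; a one-line comment naming what it switches on would help the next reader.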
@ -0,0 +1,228 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
|
||||
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
PolicySetId="nhs:becker:health-record"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
|
||||
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:custom:uri-starts-with">
|
||||
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:nhs:becker:health-record</AttributeValue>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
|
||||
<!-- Clinicians -->
|
||||
<Policy PolicyId="nhs:becker:health-record:clinician"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Description>Policy for role Clinicians</Description>
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clinician</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:010">
|
||||
<Description>allow read, if subject is owner and patient gave one-off-consent (S5.3.3)</Description>
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
|
||||
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:author"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:one-off-consent"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
<Rule Effect="Deny" RuleId="nhs:becker:health-record:clinician:020:deny-non-treating">
|
||||
<Description>deny non treating clinicians</Description>
|
||||
<Condition>
|
||||
<!-- if neither first nor second condistion mathes, deny request -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
|
||||
<!-- check if subject is treating clinician -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
|
||||
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:treating-clinician" DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
<!-- check if clinician is assigned to an active workgoup where the patiant hase given his consent -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
|
||||
<SubjectAttributeDesignator AttributeId="urn:custom:subject:active-workgroup" DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:treating-workgroup" DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:030">
|
||||
<Description>
|
||||
add a new item S5.1.1
|
||||
get a list of all records (only IDs) S5.2.3
|
||||
</Description>
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<!-- add a new item S5.1.1 -->
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="True"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
|
||||
</ActionMatch>
|
||||
<!-- get a list of all records (only IDs) S5.2.3 -->
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="True"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get-record-item-list</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
</Rule>
|
||||
|
||||
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:040">
|
||||
<Description>
|
||||
allow read if subjects match, not sealed by patient (and treating clinician) (S5.3.4)
|
||||
or, if sealed, allow access only if
|
||||
</Description>
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
|
||||
<!-- subject must have permission to read given subject(s) -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
|
||||
<SubjectAttributeDesignator AttributeId="urn:custom:subject:permitted-healthrecord-subjects"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:subjects"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
|
||||
<!-- item must not be sealed of by patient -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:item-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:sealed-items"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#integer"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
<!-- or, if sealed, patient may have given authenticated-express-consent -->
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
|
||||
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
|
||||
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:authenticated-express-consent"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
</Policy>
|
||||
|
||||
<Policy PolicyId="nhs:becker:health-record:patient"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Description>Policy for role Patient</Description>
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="urn:custom:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">patient</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs:becker:health-record:patient:010">
|
||||
<Description>Allow patients to add comments to their own health record</Description>
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">nhs:becker:health-record:comment</AttributeValue>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
|
||||
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
|
||||
<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:patient-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
</Policy>
|
||||
|
||||
<Policy PolicyId="nhs:becker:health-record:final"
|
||||
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Description>final deny policy/rule</Description>
|
||||
<Rule Effect="Deny" RuleId="nhs:becker:health-record:final:final"/>
|
||||
</Policy>
|
||||
</PolicySet>
|
|
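Review bot: Rule nhs:becker:health-record:clinician:030 cannot match a normal request, because its two `<ActionMatch>` elements sit inside a single `<Action>` and are therefore conjunctive — a single-valued action-id cannot equal both `add` and `get-record-item-list`; close `</Action>` after the first `</ActionMatch>` and open a new `<Action>` before the second so the two matches become disjunctive. The same two designators carry `MustBePresent="True"`, which is not a legal xs:boolean lexical value (`true`/`false`/`1`/`0`) and is either rejected or silently read as false depending on the parser; use `MustBePresent="true"` as on the other designators. On the root element `xsi:noNamespaceSchemaLocation` is paired with a default namespace, so the hint never applies to these elements — `xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os <URL>"` is the matching form, and a validator should in any case not fetch the schema from a URL the document itself supplies; the same pairing appears in the p_reg, main, agent-relationship and relationship files below. In rule 040 an absent `urn:custom:resouce:patient:sealed-items` bag makes `any-of-any` false and the enclosing `not` true, so a failed PIP lookup reads as "not sealed" (fail-open); if that is accepted, say so in a comment next to the `not` Apply, otherwise consider `MustBePresent="true"` there as well. Patient rule 010 matches resource-id as a string equal to `nhs:becker:health-record:comment` while the PolicySet target requires an anyURI resource-id starting with `urn:nhs:becker:health-record`, so unless a request carries resource-id in both datatypes with different values the rule is unreachable.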
@ -0,0 +1,11 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
|
||||
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
PolicySetId="nhs:becker:p_reg"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
|
||||
|
||||
<PolicySetIdReference>nhs:becker:health-record</PolicySetIdReference>
|
||||
|
||||
|
||||
</PolicySet>
|
|
@ -0,0 +1,23 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
|
||||
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
PolicySetId="nhs:becker:main"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:custom:uri-starts-with">
|
||||
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:nhs:becker</AttributeValue>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
<PolicySetIdReference>nhs:becker:p_reg</PolicySetIdReference>
|
||||
|
||||
|
||||
</PolicySet>
|
|
@ -0,0 +1,41 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
|
||||
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
PolicySetId="nhs_becker_agent-relationship"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="string-equal">
|
||||
<ResourceAttributeDesignator AttributeId="access-resouce" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">nhs:becker:agent-relationship</AttributeValue>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
|
||||
<Policy PolicyId="nhs_becker_agent-relationship_patient" RuleCombiningAlgId="firstAppl">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
|
||||
<AttributeValue DataType="string">patient</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
<!--
|
||||
|
||||
allow patients to add and remove agents
|
||||
-->
|
||||
|
||||
<!-- final rule -->
|
||||
</Policy>
|
||||
|
||||
|
||||
</PolicySet>
|
|
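Review bot: This policy set uses shorthand identifiers — `MatchId="string-equal"`, `DataType="string"`, `AttributeId="access-resouce"`, `AttributeId="role"` and `RuleCombiningAlgId="firstAppl"` — where XACML expects the full URIs the sibling files use (`urn:oasis:names:tc:xacml:1.0:function:string-equal`, `http://www.w3.org/2001/XMLSchema#string`, `urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable`), so a PDP built from the standard factories will reject it at load time. Policy nhs_becker_agent-relationship_patient also contains no `<Rule>` at all, only the comments `allow patients to add and remove agents` and `final rule`, so even if it loaded it would evaluate to NotApplicable. If the file is a placeholder, a comment at the top such as `<!-- DRAFT: not loadable - identifiers are shorthand and the rules are missing -->` flags it for anyone wiring it into a FilePolicyModule list. The PolicySetId `nhs_becker_agent-relationship` also departs from the colon-separated ids used elsewhere (`nhs:becker:relationship`).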
@ -0,0 +1,200 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
|
||||
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
|
||||
PolicySetId="nhs:becker:relationship"
|
||||
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
|
||||
|
||||
<Target>
|
||||
<Resources>
|
||||
<Resource>
|
||||
<ResourceMatch MatchId="urn:custom:string-starts-with">
|
||||
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">nhs:becker:relationship</AttributeValue>
|
||||
</ResourceMatch>
|
||||
</Resource>
|
||||
</Resources>
|
||||
</Target>
|
||||
|
||||
|
||||
<Policy PolicyId="nhs:becker:relationship:clinician" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clinician</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
|
||||
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs:becker:relationship:clinician:010">
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">request-consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
<Action>
|
||||
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
|
||||
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">request-consent-to-group-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition>
|
||||
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
|
||||
<!-- clinical is requesting hisself -->
|
||||
|
||||
|
||||
<Apply FunctionId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="requesting-clinical" DataType="string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
<!-- someone who is permitted to do so, is requeisting for the clinical -->
|
||||
<!-- TODO -->
|
||||
<Apply FunctionId="bag-contains-string">
|
||||
<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="treating-clinicals" DataType="string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<Rule>
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="string-equal">
|
||||
<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition FunctionId="or">
|
||||
<!-- clinical is requesting hisself -->
|
||||
<Apply FunctionId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="requesting-clinical" DataType="string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
<!-- someone who is permitted to do so, is requeisting for the clinical -->
|
||||
<!-- TODO -->
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
|
||||
<Rule Effect="Deny" RuleId="nhs_becker_relationship_clinican_final"/>
|
||||
</Policy>
|
||||
|
||||
|
||||
|
||||
<Policy PolicyId="nhs_becker_relationship_patient" RuleCombiningAlgId="firstAppl">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
|
||||
<AttributeValue DataType="string">patient</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
|
||||
<Rule Effect="Permit" RuleId="nhs_becker_relationship_requ_clinican_01">
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="string-equal">
|
||||
<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
<Action>
|
||||
<ActionMatch MatchId="string-equal">
|
||||
<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition FunctionId="or">
|
||||
<!-- clinical is requesting hisself -->
|
||||
<Apply FunctionId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="requested-patient" DataType="string" MustBePresent="true"/>
|
||||
</Apply>
|
||||
<!-- someone who is permitted to do so, is requeisting for the clinical -->
|
||||
<!-- TODO -->
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
<Rule Effect="Deny" RuleId="nhs_becker_relationship_patient_final"/>
|
||||
</Policy>
|
||||
|
||||
<Policy PolicyId="nhs_becker_relationship_agent" RuleCombiningAlgId="firstAppl">
|
||||
<Target>
|
||||
<Subjects>
|
||||
<Subject>
|
||||
<SubjectMatch MatchId="string-equal">
|
||||
<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
|
||||
<AttributeValue DataType="string">agent</AttributeValue>
|
||||
</SubjectMatch>
|
||||
</Subject>
|
||||
</Subjects>
|
||||
</Target>
|
||||
|
||||
|
||||
<Rule>
|
||||
<Target>
|
||||
<Actions>
|
||||
<Action>
|
||||
<ActionMatch MatchId="string-equal">
|
||||
<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
<Action>
|
||||
<ActionMatch MatchId="string-equal">
|
||||
<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
|
||||
<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
|
||||
</ActionMatch>
|
||||
</Action>
|
||||
</Actions>
|
||||
</Target>
|
||||
<Condition FunctionId="or">
|
||||
<Apply FunctionId="bag-contains-string">
|
||||
<SubjectAttributeDesignator AttributeId="requested-patient" DataType="string" MustBePresent="true"/>
|
||||
<ResourceAttributeDesignator AttributeId="agent-for-patients" DataType="string"/>
|
||||
</Apply>
|
||||
</Condition>
|
||||
</Rule>
|
||||
|
||||
|
||||
|
||||
|
||||
<Rule Effect="Deny" RuleId="nhs_becker_relationship_agent_final"/>
|
||||
</Policy>
|
||||
|
||||
<Policy PolicyId="nhs_becker_relationship_final" RuleCombiningAlgId="firstAppl">
|
||||
<Rule Effect="Deny" RuleId="nhs_becker_relationship_final_final"/>
|
||||
</Policy>
|
||||
|
||||
</PolicySet>
|
|
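Review bot: The second `</ActionMatch>` at L1917 closes an element already closed at L1914, so the document is not well-formed and the whole `nhs:becker:relationship` PolicySet, including its final Deny policies, will fail to parse; drop the duplicate end tag. The Rules at L1991 and L2235 carry neither `Effect` nor `RuleId`, both mandatory in XACML 2.0, so their outcome is undefined, and they are the only Permit candidates in front of the final Deny rules. Identifier style is mixed as well: rule `nhs:becker:relationship:clinician:010` uses full URNs and the 2.0 form `<Condition><Apply FunctionId="…:function:or">`, while the later rules use `string-equal`, `string`, `firstAppl` and the XACML 1.0-style `<Condition FunctionId="or">`; the later rules should follow rule 010 unless the PDP is known to accept the short names. Note also that `string-equal` is applied directly to two AttributeDesignators (e.g. L1942–L1951), which return bags in standard XACML and would need `string-one-and-only`; if the analysis PDP's modified functions accept bags here, a comment saying so would spare the next reader the same question.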
@ -0,0 +1,183 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestCase;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
/**
|
||||
* code to test the PDPServer as it is used for analysis purposes;
|
||||
* configuration is loaded from a local file
|
||||
* <br/>
|
||||
* <b>Note:</b> Only works when pdp project is build with analysis-pdp.pom.xml
|
||||
*
|
||||
*/
|
||||
public class AnalysisPDPTest extends TestCase {
|
||||
|
||||
|
||||
private PDPServer pdp;
|
||||
|
||||
private KnownAttributeResolver knownAttrs;
|
||||
private AnalysisConfig conf;
|
||||
private EvaluationEventHub eventHub;
|
||||
private MissingAttrCapture attrCapt;
|
||||
|
||||
public static void main(String[] args) throws IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
//when using the PDPServer not within tomcat
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
AnalysisPDPTest test = new AnalysisPDPTest();
|
||||
|
||||
test.setup();
|
||||
test.exec();
|
||||
}
|
||||
|
||||
|
||||
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/productive-config.xml"));
|
||||
conf = new AnalysisConfig(config.getDefaultPDPConfig());
|
||||
|
||||
knownAttrs = new KnownAttributeResolver();
|
||||
conf.addAnalysisAttributeResolver(knownAttrs);
|
||||
conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
|
||||
|
||||
//create PDP
|
||||
pdp = new PDPServer(conf);
|
||||
|
||||
//for analysis/evaluation create required classes
|
||||
eventHub = new EvaluationEventHub();
|
||||
|
||||
// keep track of missing and resovled attributes
|
||||
attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
|
||||
eventHub.register(attrCapt);
|
||||
|
||||
// print the call stack
|
||||
eventHub.register(new PrettyPrinter());
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
private void exec() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
Constants.SUBJECT_ID,
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"root"));
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:subject:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
// attributes.add(
|
||||
// new AuthoAttribute(
|
||||
// Constants.RESOURCE_CAT,
|
||||
// URI.create("urn:patient:department"),
|
||||
// TypeIdentifierConstants.STRING_URI,
|
||||
// "test1"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("subject-roles"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"Nurse"));
|
||||
|
||||
//urn:nhs:becker:health-record MedicalRecord
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("urn:nhs:becker:health-record"), "read", attributes);
|
||||
|
||||
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||
System.out.println("REQUEST:\n" + requestString);
|
||||
|
||||
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||
EvaluationIdAttribute.INVALID, eventHub));
|
||||
|
||||
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||
|
||||
//String responseString = pdp.evaluateXACML(requestString);
|
||||
System.out.println("RESPONE:\n" + responseString); //XACMLEncoder.encodeResponseCtx(response));
|
||||
|
||||
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||
eventHub.getEvalInfo().getTreeElemTree());
|
||||
|
||||
System.out.println("REPORT:::");
|
||||
System.out.println( repGen.reportMissingAttr());
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( AnalysisPDPTest.class );
|
||||
}
|
||||
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
assertTrue( true );
|
||||
}
|
||||
|
||||
}
|
|
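Review bot: The `FileInputStream` opened at L2557 to load `src/test/log4j.properties` is never closed; `Properties.load` does not close its argument, so the descriptor lives until GC. The same pattern recurs in AppTest (L3020), PlainPDPTest (L3477), ProductiveSVNTest (L3818) and ProductiveTest (L4057), and the abtractEval test cut off at the end of this page likely repeats it, so a small shared helper that loads the properties and closes the stream in a `finally` block (or try-with-resources, if the project builds with Java 7) would fix all of them at once. Separately, the JUnit entry point `testApp()` at L2831 only asserts `true`, while the real exercise lives in `setup()`/`exec()` reachable solely from `main`, so the build never runs the PDP; this applies equally to the other four test classes. Renaming `exec()` to `testAnalysis()` and calling `setup()` from a `setUp()` override would make it a real test. The log label `RESPONE` at L2767 (also L3637, L4180) is a typo for `RESPONSE`.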
@ -0,0 +1,102 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestCase;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
/**
|
||||
* Unit test for simple App.
|
||||
*/
|
||||
public class AppTest
|
||||
extends TestCase
|
||||
{
|
||||
/**
|
||||
* Create the test case
|
||||
*
|
||||
* @param testName name of the test case
|
||||
*/
|
||||
public AppTest( String testName )
|
||||
{
|
||||
super( testName );
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( AppTest.class );
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException, ParsingException, UnknownIdentifierException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
// //AppTest test = new AppTest("pdpServer test");
|
||||
//test.testApp();
|
||||
foo();
|
||||
}
|
||||
|
||||
private static void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException {
|
||||
//PDPServer pdpServer = new PDPServer(new File("src/main/webapp/WEB-INF/policy-config.xml"), "src/main/webapp/webapp/WEB-INF/");
|
||||
|
||||
|
||||
}
|
||||
// private static final String SVN_URL = "https://projects.brucker.ch/soknos-dev/svn/trunk/examples/versionedPDP_data";
|
||||
// private static final String USERNAME = "pdp";
|
||||
// private static final String PASSWORD = "HJeSnelw";
|
||||
|
||||
// private static void bar() {
|
||||
//
|
||||
////
|
||||
//// Properties log4jProps = new Properties();
|
||||
//// try {
|
||||
//// log4jProps.load(new BufferedInputStream(new FileInputStream(new File(PDPServer.LOG4J))));
|
||||
//// PropertyConfigurator.configure(log4jProps);
|
||||
//// logger.info("Loaded log4j configuration from " + PDPServer.LOG4J);
|
||||
//// } catch (IOException e) {
|
||||
//// logger.error("Could not load log4j configuration from " + PDPServer.LOG4J + " IOException: " + e.getMessage());
|
||||
//// System.err.println("Could not load log4j configuration from log4j.properties IOException: " + e.getMessage());
|
||||
//// }
|
||||
//
|
||||
// new SVNPolicyFinderModule(SVN_URL, USERNAME, PASSWORD, -1);
|
||||
// }
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
|
||||
assertTrue( true );
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
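Review bot: The commented-out block at L3053–L3059 commits an SVN repository URL together with a `USERNAME` and a literal `PASSWORD` for it; commenting the lines out does not remove the secret from repository history, so the credential should be treated as exposed and rotated, and the constants replaced by a value read at runtime from an environment variable or a config file kept outside version control. `main` at L3014 configures log4j and then calls `foo()`, whose body at L3040–L3050 is empty apart from a commented-out `PDPServer` construction, so the class currently does nothing beyond `assertTrue(true)`; either restore the intended setup or drop the class until it has a test.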
@ -0,0 +1,60 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.DemoPDPStateMgt;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||
|
||||
public class PDPState {
|
||||
|
||||
private static PDPStateManagement pdpStateMgt;
|
||||
private static DemoPDPStateMgt demoPdpStateMgt;
|
||||
|
||||
/**
|
||||
* @param args
|
||||
*/
|
||||
public static void main(String[] args) {
|
||||
// TODO Auto-generated method stub
|
||||
|
||||
}
|
||||
|
||||
public static final String ALICE = "Alice",
|
||||
BOB = "Bob",
|
||||
NURSE = "nurse",
|
||||
CLINICAN = "clinician";
|
||||
|
||||
|
||||
|
||||
public static void setupDemoRoles() {
|
||||
init();
|
||||
|
||||
demoPdpStateMgt.addRole(ALICE, NURSE);
|
||||
demoPdpStateMgt.addRole(BOB, CLINICAN);
|
||||
demoPdpStateMgt.addRole(BOB, NURSE);
|
||||
}
|
||||
|
||||
|
||||
private static void init() {
|
||||
if (pdpStateMgt == null ) {
|
||||
pdpStateMgt = PDPStateManagement.getInstance();
|
||||
demoPdpStateMgt = new DemoPDPStateMgt();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
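Review bot: `init()` at L3278 guards on `pdpStateMgt` being null, but the only field the class subsequently uses is `demoPdpStateMgt`, and the `PDPStateManagement` instance it fetches is never read; if `getInstance()` is called only for its side effect, a comment such as `// getInstance() initialises the shared state before the demo manager is created` would say so, otherwise the guard should test `demoPdpStateMgt` and the unused field can go. `main` at L3223 is an empty generated stub and the constant `CLINICAN` at L3245 is misspelled (`CLINICIAN`); both are worth tidying before other code starts depending on the name.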
@ -0,0 +1,139 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.PDP;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestCase;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
|
||||
/**
|
||||
* tests the plain (com.sun.xacml) PDP
|
||||
*
|
||||
*/
|
||||
public class PlainPDPTest extends TestCase {
|
||||
|
||||
private PDP pdp;
|
||||
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
PlainPDPTest test = new PlainPDPTest();
|
||||
test.setup();
|
||||
test.foo();
|
||||
}
|
||||
|
||||
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException {
|
||||
ConfigurationStore config = new ConfigurationStore(
|
||||
new FileInputStream(new File("src/test/productive-config.xml")), "src/test/");
|
||||
pdp = new PDP(config.getDefaultPDPConfig());
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
// private static void bar() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
//
|
||||
//
|
||||
// ConfigurationStore config = new ConfigurationStore(
|
||||
// new FileInputStream(new File("src/test/productive-config.xml")), "src/test/");
|
||||
// PDP pdp = new PDP(config.getDefaultPDPConfig());
|
||||
|
||||
// PDPServer pdp = new PDPServer(new File("src/test/productive-config.xml"), "src/test/");
|
||||
////
|
||||
////
|
||||
//// exec(pdp);
|
||||
//
|
||||
//
|
||||
//
|
||||
//
|
||||
//
|
||||
// }
|
||||
|
||||
private void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
Constants.SUBJECT_ID,
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"root"));
|
||||
|
||||
// attributes.add(
|
||||
// new AuthoAttribute(
|
||||
// Constants.RESOURCE_CAT,
|
||||
// URI.create("urn:owner"),
|
||||
// TypeIdentifierConstants.STRING_URI,
|
||||
// "helmut"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("MedicalRecord"), "read", attributes);
|
||||
|
||||
|
||||
System.out.println("REQUEST:\n" + XACMLEncoder.encodeRequestCtx(request));
|
||||
|
||||
ResponseCtx response = pdp.evaluate(request);
|
||||
System.out.println("RESPONE:\n" + XACMLEncoder.encodeResponseCtx(response));
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( PlainPDPTest.class );
|
||||
}
|
||||
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
|
||||
assertTrue( true );
|
||||
}
|
||||
|
||||
}
|
|
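Review bot: The `FileInputStream` handed to `ConfigurationStore` at L3502–L3505 is never closed by this class; unless `ConfigurationStore` is documented to close the stream it receives, `setup()` should keep a reference and close it in a `finally` block once the store is built. That path and the base directory `"src/test/"` are both relative to the working directory, so `main` only works when launched from the module root; resolving them against a system property or the class path would let the test run from the build. The log4j stream at L3477 has the leak already raised on AnalysisPDPTest.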
@ -0,0 +1,75 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.SVNPDPConfig;
|
||||
|
||||
import com.sun.xacml.PDPConfig;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
public class ProductiveSVNTest extends ProductiveTest {
|
||||
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
ProductiveSVNTest test = new ProductiveSVNTest();
|
||||
test.setup();
|
||||
test.foo();
|
||||
|
||||
}
|
||||
|
||||
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError {
|
||||
PDPConfig conf = SVNPDPConfig.getSVNPDPConfig(new File("src/main/webapp/WEB-INF/svn-config.xml"));
|
||||
pdp = new PDPServer(conf);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( ProductiveSVNTest.class );
|
||||
}
|
||||
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
|
||||
assertTrue( true );
|
||||
}
|
||||
|
||||
}
|
|
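Review bot: `setup()` at L3842 is `private` and has the same name as the `private setup()` in `ProductiveTest` (L4079); it hides rather than overrides it, which is legal but easy to misread, and the base class's version is dead for this subclass. Declaring `protected void setup()` in the base class and marking this one `@Override` would make the relationship explicit. The configuration loaded from `src/main/webapp/WEB-INF/svn-config.xml` presumably carries the repository credentials that AppTest keeps as commented constants; if so, that file should be kept out of the commit and produced at deploy time.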
@ -0,0 +1,122 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestCase;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
public class ProductiveTest extends TestCase {
|
||||
|
||||
protected PDPServer pdp;
|
||||
|
||||
public static void main(String[] args) throws UnknownIdentifierException, ParsingException, IOException, SecurityError, URISyntaxException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
ProductiveTest test = new ProductiveTest();
|
||||
test.setup();
|
||||
test.foo();
|
||||
}
|
||||
|
||||
private void setup() throws UnknownIdentifierException, ParsingException, FileNotFoundException {
|
||||
pdp = new PDPServer(new File("src/test/productive-config.xml"));
|
||||
|
||||
}
|
||||
|
||||
protected void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
Constants.SUBJECT_ID,
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"root"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:subject:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.RESOURCE_CAT,
|
||||
URI.create("urn:patient:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
|
||||
// RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("MedicalRecord"), "read", attributes);
|
||||
//
|
||||
//
|
||||
// System.out.println("REQUEST:\n" + XACMLEncoder.encodeRequestCtx(request));
|
||||
|
||||
AuthoResult result = pdp.evaluate(new IdInfo("root", null, null), "MedicalRecord", "read", attributes);
|
||||
|
||||
//ResponseCtx response = pdp.evaluate(request);
|
||||
System.out.println("RESPONE:\n" + result);
|
||||
|
||||
pdp.unload();
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( ProductiveTest.class );
|
||||
}
|
||||
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
assertTrue( true );
|
||||
}
|
||||
|
||||
}
|
|
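Review bot: `pdp.unload()` at L4185 runs only if `pdp.evaluate(...)` returns normally; a `SecurityError` or `URISyntaxException` from the call leaves the `PDPServer` loaded. Wrap the evaluation as `try { AuthoResult result = pdp.evaluate(new IdInfo("root", null, null), "MedicalRecord", "read", attributes); System.out.println("RESPONE:\n" + result); } finally { pdp.unload(); }` so teardown is unconditional. As in the other test classes on this page, the request for subject `root` in department `test1` is printed but never asserted; once the expected decision under `productive-config.xml` is known, an assertion on `result` belongs here so the suite can actually fail.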
@ -0,0 +1,205 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp.abtractEval;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||
|
||||
public class AndOr {
|
||||
|
||||
/*
|
||||
* TODO modify the current infrastructure => do not evaluate or treat the result as
|
||||
* abstract if a non-abstract true was found
|
||||
*/
|
||||
|
||||
|
||||
private PDPServer pdp;
|
||||
|
||||
private KnownAttributeResolver knownAttrs;
|
||||
private AnalysisConfig conf;
|
||||
private EvaluationEventHub eventHub;
|
||||
private MissingAttrCapture attrCapt;
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
* @throws URISyntaxException
|
||||
* @throws SecurityError
|
||||
* @throws UnknownIdentifierException
|
||||
* @throws ParsingException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
|
||||
AndOr test = new AndOr();
|
||||
test.setup();
|
||||
|
||||
test.testv1();
|
||||
//test.testv2();
|
||||
//test.testRoleAssignment();
|
||||
}
|
||||
|
||||
|
||||
private void testRoleAssignment() throws SecurityError, URISyntaxException, ParsingException {
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("admin@aniketos.eu"),
|
||||
new URI("urn:runEx:role:assignment"),
|
||||
"add", null);
|
||||
analyze(request);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
private void testv2() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
|
||||
//add some attribute directly to the request
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:test:true"),
|
||||
TypeIdentifierConstants.BOOLEAN_URI,
|
||||
"true"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:test:false"),
|
||||
TypeIdentifierConstants.BOOLEAN_URI,
|
||||
"false"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("foo", null, null),
|
||||
new URI("AndOrTest"),
|
||||
"bar", attributes);
|
||||
|
||||
analyze(request);
|
||||
}
|
||||
|
||||
private void testv1() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
|
||||
//add some attribute directly to the request
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:test:true"),
|
||||
TypeIdentifierConstants.BOOLEAN_URI,
|
||||
"true"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:test:false"),
|
||||
TypeIdentifierConstants.BOOLEAN_URI,
|
||||
"false"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("foo", null, null),
|
||||
new URI("AndOrTestv1"),
|
||||
"bar", attributes);
|
||||
|
||||
analyze(request);
|
||||
}
|
||||
|
||||
|
||||
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/abstractEval/abstractEval-config.xml"));
|
||||
//ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
|
||||
conf = new AnalysisConfig(config.getDefaultPDPConfig());
|
||||
|
||||
// first add attribute resolvers which will resolve known attributes
|
||||
// can/should be replaced for workbench version with versioned policy state module
|
||||
knownAttrs = new KnownAttributeResolver();
|
||||
conf.addAnalysisAttributeResolver(knownAttrs);
|
||||
|
||||
//only if no attribute can be found, use abstract value
|
||||
conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
|
||||
|
||||
//create PDP
|
||||
pdp = new PDPServer(conf);
|
||||
|
||||
//for analysis/evaluation create required classes
|
||||
eventHub = new EvaluationEventHub();
|
||||
|
||||
// keep track of missing and resovled attributes
|
||||
attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
|
||||
eventHub.register(attrCapt);
|
||||
|
||||
// print the call stack
|
||||
eventHub.register(new PrettyPrinter());
|
||||
}
|
||||
|
||||
private void analyze(RequestCtx request) throws ParsingException {
|
||||
// print XACML request
|
||||
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||
System.out.println("XACML REQUEST:\n" + requestString);
|
||||
|
||||
// evaluate request
|
||||
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||
EvaluationIdAttribute.INVALID, eventHub));
|
||||
|
||||
// print XACML response
|
||||
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||
System.out.println("RESPONE:\n" + responseString);
|
||||
|
||||
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||
eventHub.getEvalInfo().getTreeElemTree());
|
||||
|
||||
System.out.println("REPORT:::");
|
||||
System.out.println( repGen.reportMissingAttr());
|
||||
}
|
||||
|
||||
}
|
|
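Review bot: The `FileInputStream` opened in `main` for `src/test/log4j.properties` is never closed, so the handle leaks for the rest of the run; wrap it, e.g. `try (BufferedInputStream in = new BufferedInputStream(new FileInputStream("src/test/log4j.properties"))) { log4jProps.load(in); }` (or a try/finally `close()` if the build still targets Java 6). That path, like `src/test/abstractEval/abstractEval-config.xml` in `setup()`, is relative to the working directory, which is worth stating in the class Javadoc so the harness is only launched from the module root. `testv2` and `testRoleAssignment` are reachable only through commented-out calls in `main`, and `testRoleAssignment` hands `null` to `decodeRequestCtx` where the other two callers pass a list; if that overload does not accept `null`, an empty `Vector<AuthoAttribute>` or a comment saying `null` is allowed would make the intent explicit.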
@ -0,0 +1,288 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp.abtractEval;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||
|
||||
public class HolTestGen {
|
||||
|
||||
private PDPServer pdp;
|
||||
|
||||
private KnownAttributeResolver knownAttrs;
|
||||
private AnalysisConfig conf;
|
||||
private EvaluationEventHub eventHub;
|
||||
private MissingAttrCapture attrCapt;
|
||||
|
||||
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
HolTestGen test = new HolTestGen();
|
||||
|
||||
test.setup();
|
||||
|
||||
// missing time
|
||||
test.carol_read_notime();
|
||||
test.clear();
|
||||
|
||||
|
||||
// // missing patient department and time
|
||||
// test.carol_read_noPatDepTime();
|
||||
// test.clear();
|
||||
|
||||
}
|
||||
|
||||
private void clear() {
|
||||
eventHub.clearEvalInfo();
|
||||
knownAttrs.clear();
|
||||
}
|
||||
|
||||
|
||||
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/abstractEval/abstractEval-config.xml"));
|
||||
conf = new AnalysisConfig(config.getDefaultPDPConfig());
|
||||
|
||||
// first add attribute resolvers which will resolve known attributes
|
||||
// can/should be replaced for workbench version with versioned policy state module
|
||||
knownAttrs = new KnownAttributeResolver();
|
||||
conf.addAnalysisAttributeResolver(knownAttrs);
|
||||
|
||||
//only if no attribute can be found, use abstract value
|
||||
conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
|
||||
|
||||
//create PDP
|
||||
pdp = new PDPServer(conf);
|
||||
|
||||
//for analysis/evaluation create required classes
|
||||
eventHub = new EvaluationEventHub();
|
||||
|
||||
// keep track of missing and resovled attributes
|
||||
attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
|
||||
eventHub.register(attrCapt);
|
||||
|
||||
// print the call stack
|
||||
eventHub.register(new PrettyPrinter());
|
||||
}
|
||||
|
||||
private void carol_read_notime() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
|
||||
//add some attribute directly to the request
|
||||
attributes.add(
|
||||
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("urn:subject:department"), TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(Constants.RESOURCE_CAT, URI.create("urn:patient:department"), TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
|
||||
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||
attributes.add(
|
||||
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||
"Nurse"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("carol", null, null),
|
||||
new URI("HealthRecord"),
|
||||
"read", attributes);
|
||||
|
||||
analyze(request);
|
||||
}
|
||||
|
||||
private void carol_read_noPatDep() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
|
||||
//add some attribute directly to the request
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:subject:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.ENVIRONMENT_CAT,
|
||||
URI.create("urn:oasis:names:tc:xacml:1.0:environment:current-time"),
|
||||
TypeIdentifierConstants.TIME_URI,
|
||||
"12:00:00Z"));
|
||||
|
||||
|
||||
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||
attributes.add(
|
||||
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||
"Nurse"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("carol", null, null),
|
||||
new URI("HealthRecord"),
|
||||
"read", attributes);
|
||||
|
||||
analyze(request);
|
||||
}
|
||||
|
||||
private void carol_read_noPatDepTime() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
|
||||
//add some attribute directly to the request
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:subject:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
|
||||
|
||||
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||
attributes.add(
|
||||
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||
"Nurse"));
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||
new IdInfo("carol", null, null),
|
||||
new URI("HealthRecord"),
|
||||
"read", attributes);
|
||||
|
||||
analyze(request);
|
||||
}
|
||||
|
||||
private void analyze(RequestCtx request) throws ParsingException {
|
||||
// print XACML request
|
||||
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||
System.out.println("XACML REQUEST:\n" + requestString);
|
||||
|
||||
// evaluate request
|
||||
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||
EvaluationIdAttribute.INVALID, eventHub));
|
||||
|
||||
// print XACML response
|
||||
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||
System.out.println("RESPONE:\n" + responseString);
|
||||
|
||||
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||
eventHub.getEvalInfo().getTreeElemTree());
|
||||
|
||||
System.out.println("REPORT:::");
|
||||
System.out.println( repGen.reportMissingAttr());
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
private void exec() throws SecurityError, URISyntaxException, ParsingException {
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
Constants.SUBJECT_ID,
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"root"));
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("urn:subject:department"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"test1"));
|
||||
// attributes.add(
|
||||
// new AuthoAttribute(
|
||||
// Constants.RESOURCE_CAT,
|
||||
// URI.create("urn:patient:department"),
|
||||
// TypeIdentifierConstants.STRING_URI,
|
||||
// "test1"));
|
||||
|
||||
attributes.add(
|
||||
new AuthoAttribute(
|
||||
Constants.SUBJECT_CAT,
|
||||
URI.create("subject-roles"),
|
||||
TypeIdentifierConstants.STRING_URI,
|
||||
"Nurse"));
|
||||
|
||||
//urn:nhs:becker:health-record MedicalRecord
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("urn:nhs:becker:health-record"), "read", attributes);
|
||||
|
||||
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||
System.out.println("REQUEST:\n" + requestString);
|
||||
|
||||
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||
EvaluationIdAttribute.INVALID, eventHub));
|
||||
|
||||
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||
|
||||
//String responseString = pdp.evaluateXACML(requestString);
|
||||
System.out.println("RESPONE:\n" + responseString); //XACMLEncoder.encodeResponseCtx(response));
|
||||
|
||||
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||
eventHub.getEvalInfo().getTreeElemTree());
|
||||
|
||||
System.out.println("REPORT:::");
|
||||
System.out.println( repGen.reportMissingAttr());
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
public HolTestGen() {
|
||||
|
||||
}
|
||||
|
||||
public void testApp()
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
|
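Review bot: `clear()` calls `eventHub.clearEvalInfo()`, but `attrCapt` was constructed in `setup()` from `eventHub.getEvalInfo()`; if `clearEvalInfo()` installs a fresh EvalInfo object rather than resetting the existing one in place, every scenario after the first will report missing attributes against a stale capture, so either rebuild it there (`attrCapt = new MissingAttrCapture(eventHub.getEvalInfo()); eventHub.register(attrCapt);`, dropping the old registration if the hub allows it) or add a comment stating that the hub resets in place — I cannot tell which from this file. `carol_read_noPatDep` and `exec` are never invoked, and `exec` repeats the body of `analyze` inline; routing it through `analyze(request)` would remove about twenty lines. Each scenario injects `subject-roles` straight into the request because, as the comment above it says, the role finder is removed in analysis mode; a one-line class comment noting that this shortcut is only acceptable in the offline analysis harness (a request-supplied role must never be trusted by a production PDP) would stop it being copied elsewhere.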
@ -0,0 +1,74 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp.runEx;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
|
||||
public class DenyPoliciesExample {
|
||||
|
||||
private static PDPServer pdp;
|
||||
private static PDPStateManagement pdpStateMgt;
|
||||
|
||||
private static final String nurse = "nurse",
|
||||
physician = "physician";
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
* @throws ParsingException
|
||||
* @throws UnknownIdentifierException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
|
||||
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
init();
|
||||
setupSzenario();
|
||||
|
||||
}
|
||||
|
||||
private static void setupSzenario() {
|
||||
//pdpStateMgt.addRole("", ")
|
||||
}
|
||||
|
||||
|
||||
private static void init() throws ParsingException, UnknownIdentifierException {
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config-denyPolicies.xml"));
|
||||
|
||||
|
||||
pdp = new PDPServer(config.getDefaultPDPConfig());
|
||||
pdpStateMgt = PDPStateManagement.getInstance();
|
||||
}
|
||||
|
||||
|
||||
}
|
|
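Review bot: `main` builds a `PDPServer` in `init()` and then never uses it: `setupSzenario()` is empty apart from a commented-out fragment that is not even syntactically complete (`//pdpStateMgt.addRole("", ")`), and the `nurse`/`physician` constants are never read, so the class currently only proves that `pdp-config-denyPolicies.xml` parses. Either finish the scenario or say so, e.g. a class Javadoc `/** Placeholder: loads pdp-config-denyPolicies.xml and exits; the deny-policy scenario is not implemented yet. */`, and drop the unused constants until they are needed. Apart from the configuration path this class is a line-for-line copy of `RunningExample`; one class that takes the config path from `args` (defaulting to the current literal) would stop the two drifting apart. The log4j `FileInputStream` in `main` is also never closed.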
@ -0,0 +1,73 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp.runEx;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||
|
||||
public class RunningExample {
|
||||
|
||||
private static PDPServer pdp;
|
||||
private static PDPStateManagement pdpStateMgt;
|
||||
|
||||
private static final String nurse = "nurse",
|
||||
physician = "physician";
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
* @throws ParsingException
|
||||
* @throws UnknownIdentifierException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
|
||||
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
init();
|
||||
setupSzenario();
|
||||
|
||||
}
|
||||
|
||||
private static void setupSzenario() {
|
||||
//pdpStateMgt.addRole("", ")
|
||||
}
|
||||
|
||||
|
||||
private static void init() throws ParsingException, UnknownIdentifierException {
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
|
||||
|
||||
|
||||
pdp = new PDPServer(config.getDefaultPDPConfig());
|
||||
pdpStateMgt = PDPStateManagement.getInstance();
|
||||
}
|
||||
|
||||
}
|
|
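Review bot: `init()` hard-codes `src/test/runningExample/pdp-config.xml` relative to the working directory, so the example fails whenever it is launched from anywhere but the module root; reading `String cfg = args.length > 0 ? args[0] : "src/test/runningExample/pdp-config.xml";` in `main` and passing it to `init(cfg)` keeps the default while making the dependency visible. The `PDPServer` and `PDPStateManagement` instances are assigned but never exercised and `setupSzenario()` holds only a broken commented fragment, so a reader cannot tell what the running example is meant to demonstrate — a Javadoc sentence on the class stating the intended scenario (or that it is a stub) would help. As in the other harnesses, the `FileInputStream` feeding `log4jProps.load` is never closed.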
@ -0,0 +1,215 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp.state;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.DemoPDPStateMgt;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
|
||||
public class PDPStateMgt {
|
||||
|
||||
private static long start, setup;
|
||||
|
||||
private static PDPServer pdp;
|
||||
private static PDPStateManagement pdpStateMgt;
|
||||
private static DemoPDPStateMgt demoMgt;
|
||||
|
||||
private static final String ADMIN_USER = "admin@aniketos.eu",
|
||||
ADMIN_ROLE = "admin";
|
||||
|
||||
private static AttributeIdentifier resource_subject = new AttributeIdentifier(
|
||||
URI.create("urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
|
||||
URI.create("http://www.w3.org/2001/XMLSchema#string"),
|
||||
URI.create("urn:custom:resource:subject-id"), null);
|
||||
|
||||
private static AttributeIdentifier resource_role = new AttributeIdentifier(
|
||||
URI.create("urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
|
||||
URI.create("http://www.w3.org/2001/XMLSchema#string"),
|
||||
URI.create("urn:custom:resource:role"), null);
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
* @throws UnknownIdentifierException
|
||||
* @throws ParsingException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
|
||||
start = new Date().getTime();
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
init();
|
||||
demoSetup();
|
||||
setup = new Date().getTime();
|
||||
|
||||
System.out.println("STARTUP TIME: " + ( setup - start));
|
||||
|
||||
test1();
|
||||
long test1 = new Date().getTime();
|
||||
|
||||
System.out.println("TEST TIME: " + (test1 - setup));
|
||||
|
||||
//
|
||||
// test2();
|
||||
// long test2 = new Date().getTime();
|
||||
//
|
||||
// System.out.println("TEST TIME2: " + (test2 - test1));
|
||||
|
||||
List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
|
||||
System.out.print("roles for helmut@aniketos.eu: ");
|
||||
for(String s : roles ) {
|
||||
System.out.print(s +", ");
|
||||
}
|
||||
System.out.println("");
|
||||
}
|
||||
|
||||
private static void init() throws ParsingException, UnknownIdentifierException {
|
||||
//ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
|
||||
ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config-denyPolicies.xml"));
|
||||
|
||||
|
||||
pdp = new PDPServer(config.getDefaultPDPConfig());
|
||||
|
||||
|
||||
pdpStateMgt = PDPStateManagement.getInstance();
|
||||
demoMgt = new DemoPDPStateMgt();
|
||||
|
||||
}
|
||||
|
||||
private static void demoSetup() {
|
||||
demoMgt.addRole(ADMIN_USER, ADMIN_ROLE);
|
||||
|
||||
List<String> roles = demoMgt.getRoles(ADMIN_USER);
|
||||
System.out.print("### TEST ### roles for " + ADMIN_USER + ": ");
|
||||
for(String s : roles ) {
|
||||
System.out.print(s +", ");
|
||||
}
|
||||
System.out.println("");
|
||||
|
||||
demoMgt.addActivePolicy("preg");
|
||||
List<String> polices = demoMgt.getActivePolicies();
|
||||
System.out.print("### TEST ### active policies: ");
|
||||
for(String s : polices ) {
|
||||
System.out.print(s +", ");
|
||||
}
|
||||
System.out.println("");
|
||||
}
|
||||
|
||||
|
||||
private static void test1() {
|
||||
|
||||
List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
|
||||
System.out.print("### TEST ### roles for helmut@aniketos.eu: ");
|
||||
for(String s : roles ) {
|
||||
System.out.print(s +", ");
|
||||
}
|
||||
System.out.println("");
|
||||
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(new AuthoAttribute(resource_subject, "helmut@aniketos.eu"));
|
||||
attributes.add(new AuthoAttribute(resource_role, "employee"));
|
||||
|
||||
try {
|
||||
AuthoResult res = pdp.evaluate(new IdInfo(ADMIN_USER), "urn:runEx:role:assignment", "add", attributes);
|
||||
System.out.println("result: " + res.toString());
|
||||
|
||||
long evalId = Long.parseLong(res.getObligations().get(0).getParameters().iterator().next().getValue());
|
||||
System.out.println("evalId: " + evalId);
|
||||
|
||||
// try {
|
||||
// Thread.sleep(1000);
|
||||
// } catch (InterruptedException e) {
|
||||
// // TODO Auto-generated catch block
|
||||
// e.printStackTrace();
|
||||
// }
|
||||
|
||||
pdp.notifyStateChange(evalId);
|
||||
} catch (SecurityError e) {
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
roles = demoMgt.getRoles("helmut@aniketos.eu");
|
||||
System.out.print("### TEST ### roles for helmut@aniketos.eu: ");
|
||||
for(String s : roles ) {
|
||||
System.out.print(s +", ");
|
||||
}
|
||||
System.out.println("");
|
||||
|
||||
}
|
||||
|
||||
|
||||
private static void test2() {
|
||||
|
||||
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||
attributes.add(new AuthoAttribute(resource_subject, "helmut@aniketos.eu"));
|
||||
attributes.add(new AuthoAttribute(resource_role, "anotherRole"));
|
||||
|
||||
try {
|
||||
AuthoResult res = pdp.evaluate(new IdInfo(ADMIN_USER), "urn:runEx:role:assignment", "add", attributes);
|
||||
System.out.println("result: " + res.toString());
|
||||
|
||||
long evalId = Long.parseLong(res.getObligations().get(0).getParameters().iterator().next().getValue());
|
||||
System.out.println("evalId: " + evalId);
|
||||
|
||||
// try {
|
||||
// Thread.sleep(1000);
|
||||
// } catch (InterruptedException e) {
|
||||
// // TODO Auto-generated catch block
|
||||
// e.printStackTrace();
|
||||
// }
|
||||
|
||||
pdp.notifyStateChange(evalId);
|
||||
} catch (SecurityError e) {
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
// List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
|
||||
// System.out.print("roles for helmut@aniketos.eu: ");
|
||||
// for(String s : roles ) {
|
||||
// System.out.print(s +", ");
|
||||
// }
|
||||
// System.out.println("");
|
||||
|
||||
}
|
||||
|
||||
|
||||
}
|
|
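Review bot: `test1` and `test2` extract the evaluation id with `res.getObligations().get(0).getParameters().iterator().next().getValue()` without first checking that the response carries an obligation; a Deny or NotApplicable result, or a Permit without the evalId obligation, will surface as an `IndexOutOfBoundsException`, `NoSuchElementException` or `NumberFormatException` that the surrounding `catch (SecurityError e)` does not cover, and `notifyStateChange` is then never reached. Guard it before parsing, e.g. `if (res.getObligations().isEmpty()) { System.out.println("no obligation in response, skipping state change: " + res); return; }`, and ideally check the decision itself (its accessor is not visible here). The two methods differ only in the role string, so a private `assignRole(String role)` helper called from both would remove the duplicated block; `SecurityError` is currently only printed, which is fine for a demo but should be noted as such in a comment.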
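--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdpState.xacml.PDPStateModule"/>
+
+<policyFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.FilePolicyModule">
+<list>
+<string>conf:useLines:true</string>
+<string>folder:healthcare</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
+
+<functionFactory name="func" useStandardFunctions="true">
+<target>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</target>
+</functionFactory>
+
+<logServer>eu.aniketos.securebpmn.xacml.log.LogServer</logServer>
+</config>
+
+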
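Review bot: The policy list entries `<string>conf:useLines:true</string>` and `<string>folder:healthcare</string>` give no indication of what the `conf:useLines` switch changes in FilePolicyModule or what the `healthcare` folder is resolved relative to, so a reader cannot tell from this file whether the PDP will locate its policies at runtime; the same applies to the `conf:useLines:true` entry and the three `file:` entries in the next config section. Suggest a comment above `<list>`, e.g. `<!-- conf:useLines:true: <what it enables in FilePolicyModule>; folder:healthcare is resolved relative to <base directory> -->`, with the placeholders filled in by whoever maintains the loader. Because these entries select the policies the PDP enforces, the comment should presumably also state that the directory must not be writable by the subjects the PDP authorizes. The `xmlns:xsi` declaration on `<config>` is unused (no `xsi:` attribute follows) and could be dropped.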
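--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule"/ -->
+
+<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.impl.RoleFinderFileModule"/>
+
+<!-- attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationFinderModule"/ -->
+
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.EmergencyLevelModule"/ -->
+<!-- eu.aniketos.securebpmn.xacml.xacml.finder
+com.sun.xacml.support.finder
+-->
+<policyFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.FilePolicyModule">
+<list>
+<string>conf:useLines:true</string>
+<string>file:nhs-becker.xacml</string>
+<string>file:nhs-becker-p_reg.xacml</string>
+<string>file:nhs-becker-healthrecord.xacml</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
+
+<functionFactory name="func" useStandardFunctions="true">
+<target>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</target>
+<!-- condition>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</condition -->
+</functionFactory>
+
+<logServer>eu.aniketos.securebpmn.xacml.log.LogServer</logServer>
+</config>
+
+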
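Review bot: The `<pdp>` block keeps five commented-out `attributeFinderModule` entries plus a stray comment listing two package names (`eu.aniketos.securebpmn.xacml.xacml.finder` / `com.sun.xacml.support.finder`), so it is unclear which finders are intentionally disabled and which are leftovers; the `<!-- condition> … </condition -->` block inside `<functionFactory>` has the same problem. Either delete them or replace each with a one-line comment stating why it is off, e.g. `<!-- EvaluationFinderModule disabled: <reason> -->`. The active `RoleFinderFileModule` appears from its name to supply subject roles from a file whose location is not given in this config; a comment naming that file and noting that the role assignments used in access decisions come from it would help operators keep it under the same protection as the policy files. The `xmlns:xsi` declaration is unused here as well.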