Initial commit.
This commit is contained in:
parent
56f4c66e78
commit
d0fc157880
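--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+<!-- no need to define attributeFinderModules for analysis: the needed
+attributeFinderModule for analysis is set automatically -->
+
+<policyFinderModule class="com.sun.xacml.support.finder.FilePolicyModule">
+<list>
+<string>file:abstractEval_policy2011.xacml</string>
+<string>file:abstractEval_andortest.xacml</string> <!-- andortest xacmlv1test -->
+<string>file:abstractEval_xacmlv1test.xacml</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
+<functionFactory name="func" useStandardFunctions="true"/>
+
+<!-- no need to define logserver for analysis: would be removed anyhow -->
+</config>
+
+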
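Review bot: The three `file:` entries at L55–L63 are bare relative names, so which policies the analysis PDP actually loads depends on the working directory of the process that reads this config, and a missing file is easy to overlook because nothing here records the base directory. A comment above `<list>` stating the directory the `file:` URIs are resolved against (confirm against FilePolicyModule) would make that assumption explicit, e.g. `<!-- file: URIs are resolved relative to <BASE-DIR-TO-CONFIRM> -->`. The trailing comment on the andortest entry (`<!-- andortest xacmlv1test -->`, L59) does not say what it means and should be spelled out or dropped.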
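--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+PolicySetId="AndOrTest:main"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+
+<Description>
+Simple policy to test the behaviour of the modified logical functions
+defined in eu.aniketos.securebpmn.xacml.xacml.cond.AnalysisLogicalFunction
+</Description>
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">AndOrTest</AttributeValue>
+<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
+AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+<Policy PolicyId="AndOrTest_1"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target/>
+
+<Rule RuleId="AndOrTest_1_1" Effect="Deny">
+<Target/>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:nothere1"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:test:true"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:test:false"/>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+
+</Policy>
+
+<!-- final Policy -->
+<Policy PolicyId="AndOrTest_FinalPolicy"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target/>
+<Rule RuleId="AndOrTest_FinalRule" Effect="Deny"/>
+</Policy>
+</PolicySet>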
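Review bot: Rule `AndOrTest_1_1` at L226 deliberately reads the absent attribute `urn:nothere1` through `boolean-one-and-only`, but the Description at L149–L153 does not say which decision the test expects, so a reader cannot tell a regression from the intended result of the modified `or`. Under standard XACML an empty bag makes `boolean-one-and-only` Indeterminate; the analysis functions presumably behave differently, and the expected outcome (Deny, NotApplicable or Indeterminate) belongs in the Description, e.g. `Expected decision for resource AndOrTest: <EXPECTED-DECISION-TO-CONFIRM>`. Both policies only ever yield Deny, so the `permit-overrides` algorithm at L138 has no Permit to prefer; if that is intentional a one-line note would save the next reader the question.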
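--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+PolicySetId="HealthRecord:main"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+
+<Description>
+This is the policy as it was used for the POLICY2011 publication:
+A Framework for Managing and Analyzing Changes of Security Policies
+http://www.brucker.ch/bibliography/download/2011/brucker.ea-framework-2011.pdf
+
+Update: the combining alg of the policy has to be permit-overrides
+</Description>
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">HealthRecord</AttributeValue>
+<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
+AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+<Policy PolicyId="HealthRecord_Nurse"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Nurse</AttributeValue>
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+AttributeId="subject-roles"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+<Rule RuleId="HealthRecord_Nurse_1" Effect="Deny">
+<Target/>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+<EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
+AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
+</Apply>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">20:00:00Z</AttributeValue>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">06:00:00Z</AttributeValue>
+</Apply>
+</Condition>
+</Rule>
+
+
+<Rule RuleId="HealthRecord_Nurse_2" Effect="Permit">
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+<ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+AttributeId="urn:patient:department"/>
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+AttributeId="urn:subject:department" />
+</Apply>
+</Condition>
+</Rule>
+</Policy>
+
+<Policy PolicyId="HealthRecord_Doctor"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+AttributeId="subject-roles"/>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+<Rule RuleId="HealthRecord_Doctor_2" Effect="Permit"/>
+</Policy>
+
+<!-- final Policy -->
+<Policy PolicyId="HealthRecord_FinalPolicy"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target/>
+<Rule RuleId="HealthRecord_FinalRule" Effect="Deny"/>
+</Policy>
+</PolicySet>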
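Review bot: `HealthRecord_Doctor_2` at L706 permits with neither Target nor Condition, so a subject carrying the Doctor role is allowed every action on every HealthRecord resource, and because the PolicySet combines with permit-overrides (L359, L385) that Permit also overrides the night-time Deny of `HealthRecord_Nurse_1` for anyone holding both roles. If that is the published semantics it should be stated in the Description rather than left to the combining algorithm, e.g. `Doctor: unrestricted; Nurse: read only within own department and not between 20:00Z and 06:00Z`. `AttributeId="subject-roles"` at L475 and L683 is a bare name where every other AttributeId is a URN, so whichever attribute finder supplies roles must match that exact string; a comment naming that module would help. The `current-time` designator at L518–L522 carries no MustBePresent, so under standard XACML a request without the environment attribute turns `HealthRecord_Nurse_1` Indeterminate rather than simply not applying; document which of the two is intended.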
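--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+PolicySetId="AndOrTestv1:main"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+
+<Description>
+Simple policy to test the behaviour of the modified logical functions
+defined in eu.aniketos.securebpmn.xacml.xacml.cond.AnalysisLogicalFunction
+</Description>
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">AndOrTestv1</AttributeValue>
+<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
+AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+<Policy PolicyId="AndOrTest_1"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target/>
+
+<Rule RuleId="AndOrTest_1_1" Effect="Deny">
+<Target/>
+<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:nothere1"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:test:true"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#boolean"
+AttributeId="urn:test:false"/>
+</Apply>
+</Condition>
+</Rule>
+
+</Policy>
+
+<!-- final Policy -->
+<Policy PolicyId="AndOrTest_FinalPolicy"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target/>
+<Rule RuleId="AndOrTest_FinalRule" Effect="Deny"/>
+</Policy>
+</PolicySet>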
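Review bot: `PolicyId="AndOrTest_1"` (L837), `RuleId="AndOrTest_1_1"` (L852) and `PolicyId="AndOrTest_FinalPolicy"` (L934) are the same identifiers the XACML 2.0 AndOrTest policy set in the previous file uses (L211, L226, L316), and the analysis config at the top of this page loads both files into one PDP. If the policy finder keys policies by PolicyId, the second file loaded either shadows the first or is rejected as a duplicate, and either way results and logs cannot tell the v1 and v2 variants apart; giving this file its own ids, e.g. `PolicyId="AndOrTestv1_1"`, `RuleId="AndOrTestv1_1_1"` and `PolicyId="AndOrTestv1_FinalPolicy"`, avoids that. The PolicySetId already follows this pattern (`AndOrTestv1:main`, L760).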
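--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_5
@@ -0,0 +1,5 @@
+carol:Nurse;Employee
+alice:Nurse;Employee
+marvin:Nurse;Employee
+bob:Doctor;Nurse;Employee
+dave:Doctor;Nurse;Employee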
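Review bot: The file carries no format description; from the five lines it appears to map a user name to a `;`-separated role list (`user:Role;Role`), but nothing states the separators, whether role order matters, or which module consumes it, so that belongs in a README or in the docstring of the loader (presumably the RoleFinderModule named in the runtime config further down this page). Every user listed as Doctor also carries Nurse (L973, L977), which makes the Nurse policy's night-time Deny match those users as well; the HealthRecord policy set resolves that in favour of the Doctor Permit only because it combines with permit-overrides, and that dependency is worth recording where the roles are assigned.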
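--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_6
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+
+
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
+<!-- TODO remove: must be evaluated by recorded context -->
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.impl.RoleFinderModule"/>
+
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationFinderModule"/>
+
+
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule"/ -->
+
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.EmergencyLevelModule"/ -->
+
+<policyFinderModule class="com.sun.xacml.support.finder.FilePolicyModule">
+<list>
+<string>conf:useLines:true</string>
+<string>file:policy2.xacml</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="false">
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisFirstApplicableRuleAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisFirstApplicablePolicyAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisDenyOverridesRuleAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisDenyOverridesPolicyAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedDenyOverridesRuleAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedDenyOverridesPolicyAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisPermitOverridesRuleAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisPermitOverridesPolicyAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedPermitOverridesRuleAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOrderedPermitOverridesPolicyAlg"/>
+<algorithm class="eu.aniketos.securebpmn.xacml.xacml.combine.AnalysisOnlyOneApplicablePolicyAlg"/>
+</combiningAlgFactory>
+
+<functionFactory name="func" useStandardFunctions="true"/>
+</config>
+
+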
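Review bot: `useStandardAlgorithms="false"` at L1100 means only the eleven `Analysis*` classes listed at L1104–L1144 are available to this PDP, and which algorithm URI each of them registers is not visible here; if `policy2.xacml` (L1069) or anything it references uses a combining algorithm none of them provides, policy loading fails rather than falling back to the standard implementation. A comment above the factory mapping each class to the URI it supplies, e.g. `<!-- AnalysisFirstApplicableRuleAlg: urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable -->` (to be confirmed against the class), would let a reader check coverage without opening the Java sources. The commented-out `attributeFinderModule` entries at L1014, L1039, L1046 and L1050 repeat `CurrentEnvModule` twice and say nothing about why they are disabled, and the `TODO remove` at L1018 should name what `recorded context` refers to and when the RoleFinderModule can go.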
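--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_7
@@ -0,0 +1,228 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
+xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="nhs:becker:health-record"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
+
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:custom:uri-starts-with">
+<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:nhs:becker:health-record</AttributeValue>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+
+<!-- Clinicians -->
+<Policy PolicyId="nhs:becker:health-record:clinician"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Description>Policy for role Clinicians</Description>
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clinician</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:010">
+<Description>allow read, if subject is owner and patient gave one-off-consent (S5.3.3)</Description>
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:author"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:one-off-consent"
+DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+
+<Rule Effect="Deny" RuleId="nhs:becker:health-record:clinician:020:deny-non-treating">
+<Description>deny non treating clinicians</Description>
+<Condition>
+<!-- if neither first nor second condistion mathes, deny request -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+<!-- check if subject is treating clinician -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:treating-clinician" DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+<!-- check if clinician is assigned to an active workgoup where the patiant hase given his consent -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+<SubjectAttributeDesignator AttributeId="urn:custom:subject:active-workgroup" DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:treating-workgroup" DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+
+<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:030">
+<Description>
+add a new item S5.1.1
+get a list of all records (only IDs) S5.2.3
+</Description>
+<Target>
+<Actions>
+<Action>
+<!-- add a new item S5.1.1 -->
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="True"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
+</ActionMatch>
+<!-- get a list of all records (only IDs) S5.2.3 -->
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="True"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get-record-item-list</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+</Rule>
+
+
+
+<Rule Effect="Permit" RuleId="nhs:becker:health-record:clinician:040">
+<Description>
+allow read if subjects match, not sealed by patient (and treating clinician) (S5.3.4)
+or, if sealed, allow access only if
+</Description>
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+<!-- subject must have permission to read given subject(s) -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+<SubjectAttributeDesignator AttributeId="urn:custom:subject:permitted-healthrecord-subjects"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:subjects"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+<!-- item must not be sealed of by patient -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:item-id"
+DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:sealed-items"
+DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+</Apply>
+</Apply>
+<!-- or, if sealed, patient may have given authenticated-express-consent -->
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
+<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:authenticated-express-consent"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+</Apply>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+</Policy>
+
+<Policy PolicyId="nhs:becker:health-record:patient"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Description>Policy for role Patient</Description>
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<SubjectAttributeDesignator AttributeId="urn:custom:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">patient</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+
+<Rule Effect="Permit" RuleId="nhs:becker:health-record:patient:010">
+<Description>Allow patients to add comments to their own health record</Description>
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">nhs:becker:health-record:comment</AttributeValue>
+</ResourceMatch>
+</Resource>
+</Resources>
+<Actions>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+</Apply>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+<ResourceAttributeDesignator AttributeId="urn:custom:resouce:patient:patient-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+</Policy>
+
+<Policy PolicyId="nhs:becker:health-record:final"
+RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Description>final deny policy/rule</Description>
+<Rule Effect="Deny" RuleId="nhs:becker:health-record:final:final"/>
+</Policy>
+</PolicySet>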
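Review bot: `MustBePresent="True"` at L1581 and L1605 is not a valid xs:boolean lexical value (`true`/`false`/`1`/`0`), so a validating parser rejects the policy and a lenient one may read it as false; both should be `MustBePresent="true"` as at L1222 and L1682. Rule `patient:010` looks unreachable: the PolicySet Target (L1214–L1226) requires the anyURI resource-id to start with `urn:nhs:becker:health-record`, while the rule's own Target (L1923–L1935) requires the string resource-id to equal `nhs:becker:health-record:comment`, so unless a request carries resource-id under both datatypes one of the two never matches. In rule `clinician:040` the `sealed-items` designator at L1774–L1778 has no MustBePresent, so when the attribute cannot be retrieved the empty bag makes `any-of-any` false, `not` true, and a read on a sealed item is permitted; `MustBePresent="true"` there turns an unavailable seal list into Indeterminate instead of fail-open. `MatchId="urn:custom:uri-starts-with"` at L1214 (also L2156, and `urn:custom:string-starts-with` at L2406) is not a standard function and the runtime config earlier on this page registers no custom functions, so it must be provided elsewhere or loading fails. The Description at L1654 ends mid-sentence (`or, if sealed, allow access only if`) and the attribute ids consistently spell `resouce` (L1399, L1419, L1486 …), which any PIP supplying them must match exactly.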
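--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_8
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
+xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="nhs:becker:p_reg"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+
+<PolicySetIdReference>nhs:becker:health-record</PolicySetIdReference>
+
+
+</PolicySet>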
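--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_9
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
+xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="nhs:becker:main"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:custom:uri-starts-with">
+<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:nhs:becker</AttributeValue>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+<PolicySetIdReference>nhs:becker:p_reg</PolicySetIdReference>
+
+
+</PolicySet>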
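--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_10
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
+xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="nhs_becker_agent-relationship"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="string-equal">
+<ResourceAttributeDesignator AttributeId="access-resouce" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">nhs:becker:agent-relationship</AttributeValue>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+
+<Policy PolicyId="nhs_becker_agent-relationship_patient" RuleCombiningAlgId="firstAppl">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="string-equal">
+<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
+<AttributeValue DataType="string">patient</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+<!--
+
+allow patients to add and remove agents
+-->
+
+<!-- final rule -->
+</Policy>
+
+
+</PolicySet>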
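Review bot: The identifiers in this file are shorthand rather than XACML URIs — `MatchId="string-equal"` (L2247, L2297), `DataType="string"` (L2251, L2255, L2301, L2305), `AttributeId="access-resouce"` (L2251), `AttributeId="role"` (L2301) and `RuleCombiningAlgId="firstAppl"` (L2281) — so a PDP built from the config earlier on this page cannot resolve them, and the policy `nhs_becker_agent-relationship_patient` contains no rules at all, only the placeholder comments at L2328–L2346. This reads as an unfinished draft; either complete it with the full identifiers (`urn:oasis:names:tc:xacml:1.0:function:string-equal`, `http://www.w3.org/2001/XMLSchema#string`, `urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable`) and the intended rules, or keep it out of any loaded policy directory, and say which in a `<Description>`. The PolicySetId `nhs_becker_agent-relationship` (L2224) also departs from the colon-separated `nhs:becker:...` naming the sibling sets use.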
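--- /dev/null
+++ b/<path-not-on-page>/nhs_becker_relationship.xacml
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:noNamespaceSchemaLocation="http://codemonkey.at/xacml-2.0-policy-schema-extended.xsd"
+xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+PolicySetId="nhs:becker:relationship"
+PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
+
+<Target>
+<Resources>
+<Resource>
+<ResourceMatch MatchId="urn:custom:string-starts-with">
+<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">nhs:becker:relationship</AttributeValue>
+</ResourceMatch>
+</Resource>
+</Resources>
+</Target>
+
+
+<Policy PolicyId="nhs:becker:relationship:clinician" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<SubjectAttributeDesignator AttributeId="urn:custom:subject:role"
+DataType="http://www.w3.org/2001/XMLSchema#string"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">clinician</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+
+
+
+<Rule Effect="Permit" RuleId="nhs:becker:relationship:clinician:010">
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">request-consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+<Action>
+<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">request-consent-to-group-treatment</AttributeValue>
+</ActionMatch>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition>
+<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+<!-- clinical is requesting hisself -->
+
+
+<Apply FunctionId="string-equal">
+<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="requesting-clinical" DataType="string" MustBePresent="true"/>
+</Apply>
+<!-- someone who is permitted to do so, is requeisting for the clinical -->
+<!-- TODO -->
+<Apply FunctionId="bag-contains-string">
+<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="treating-clinicals" DataType="string" MustBePresent="true"/>
+</Apply>
+</Apply>
+</Condition>
+</Rule>
+
+
+
+
+
+<Rule>
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="string-equal">
+<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition FunctionId="or">
+<!-- clinical is requesting hisself -->
+<Apply FunctionId="string-equal">
+<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="requesting-clinical" DataType="string" MustBePresent="true"/>
+</Apply>
+<!-- someone who is permitted to do so, is requeisting for the clinical -->
+<!-- TODO -->
+</Condition>
+</Rule>
+
+
+<Rule Effect="Deny" RuleId="nhs_becker_relationship_clinican_final"/>
+</Policy>
+
+
+
+<Policy PolicyId="nhs_becker_relationship_patient" RuleCombiningAlgId="firstAppl">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="string-equal">
+<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
+<AttributeValue DataType="string">patient</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+
+<Rule Effect="Permit" RuleId="nhs_becker_relationship_requ_clinican_01">
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="string-equal">
+<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+<Action>
+<ActionMatch MatchId="string-equal">
+<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition FunctionId="or">
+<!-- clinical is requesting hisself -->
+<Apply FunctionId="string-equal">
+<SubjectAttributeDesignator AttributeId="subject-Id" DataType="string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="requested-patient" DataType="string" MustBePresent="true"/>
+</Apply>
+<!-- someone who is permitted to do so, is requeisting for the clinical -->
+<!-- TODO -->
+</Condition>
+</Rule>
+
+<Rule Effect="Deny" RuleId="nhs_becker_relationship_patient_final"/>
+</Policy>
+
+<Policy PolicyId="nhs_becker_relationship_agent" RuleCombiningAlgId="firstAppl">
+<Target>
+<Subjects>
+<Subject>
+<SubjectMatch MatchId="string-equal">
+<SubjectAttributeDesignator AttributeId="role" DataType="string"/>
+<AttributeValue DataType="string">agent</AttributeValue>
+</SubjectMatch>
+</Subject>
+</Subjects>
+</Target>
+
+
+<Rule>
+<Target>
+<Actions>
+<Action>
+<ActionMatch MatchId="string-equal">
+<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+<Action>
+<ActionMatch MatchId="string-equal">
+<ActionAttributeDesignator AttributeId="action-id" DataType="string" MustBePresent="true"/>
+<AttributeValue DataType="string">cancel-consent-to-treatment</AttributeValue>
+</ActionMatch>
+</Action>
+</Actions>
+</Target>
+<Condition FunctionId="or">
+<Apply FunctionId="bag-contains-string">
+<SubjectAttributeDesignator AttributeId="requested-patient" DataType="string" MustBePresent="true"/>
+<ResourceAttributeDesignator AttributeId="agent-for-patients" DataType="string"/>
+</Apply>
+</Condition>
+</Rule>
+
+
+
+
+<Rule Effect="Deny" RuleId="nhs_becker_relationship_agent_final"/>
+</Policy>
+
+<Policy PolicyId="nhs_becker_relationship_final" RuleCombiningAlgId="firstAppl">
+<Rule Effect="Deny" RuleId="nhs_becker_relationship_final_final"/>
+</Policy>
+
+</PolicySet>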
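Review bot: The second `<Action>` of rule `nhs:becker:relationship:clinician:010` closes `</ActionMatch>` twice in a row, so the document is not well-formed XML and the whole PolicySet fails to load; delete one of the two `</ActionMatch>` lines. Two further `<Rule>` elements — the `cancel-consent-to-treatment` rule in Policy `nhs:becker:relationship:clinician` and the first rule of `nhs_becker_relationship_agent` — carry neither `Effect` nor `RuleId`, both of which XACML 2.0 requires, so the file would still be rejected after the first fix. The later policies also switch from full URNs to shorthand (`string-equal`, `string`, `firstAppl`) and use `<Condition FunctionId="or">`, which in XACML 2.0 is not an attribute of Condition (Condition wraps a single Apply); whether a pre-load expansion for the extended schema handles this is not visible in the commit and should be confirmed. If `bag-contains-string` maps to the standard `string-is-in`, its first argument must be a single string, so the `subject-Id` designator in the permit rule would need a `string-one-and-only` wrapper rather than a bag. With first-applicable combining at the PolicySet level, a policy that fails to load is not a safe default, so the load-time defects need fixing before the explicit Deny rules at the end can take effect.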
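--- /dev/null
+++ b/<path-not-on-page>/AnalysisPDPTest.java
@@ -0,0 +1,183 @@
+/* Copyright 2012-2015 SAP SE
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package eu.aniketos.securebpmn.xacml.pdp;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Properties;
+import java.util.Vector;
+
+import org.apache.log4j.PropertyConfigurator;
+
+import eu.aniketos.securebpmn.xacml.api.SecurityError;
+import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
+import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
+import eu.aniketos.securebpmn.xacml.AnalysisConfig;
+import eu.aniketos.securebpmn.xacml.AnalysisCtx;
+import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
+import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
+import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
+
+import com.sun.xacml.ConfigurationStore;
+import com.sun.xacml.Constants;
+import com.sun.xacml.ParsingException;
+import com.sun.xacml.UnknownIdentifierException;
+import com.sun.xacml.attr.TypeIdentifierConstants;
+import com.sun.xacml.ctx.RequestCtx;
+import com.sun.xacml.ctx.ResponseCtx;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+/**
+* code to test the PDPServer as it is used for analysis purposes;
+* configuration is loaded from a local file
+* <br/>
+* <b>Note:</b> Only works when pdp project is build with analysis-pdp.pom.xml
+*
+*/
+public class AnalysisPDPTest extends TestCase {
+
+
+private PDPServer pdp;
+
+private KnownAttributeResolver knownAttrs;
+private AnalysisConfig conf;
+private EvaluationEventHub eventHub;
+private MissingAttrCapture attrCapt;
+
+public static void main(String[] args) throws IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+//when using the PDPServer not within tomcat
+Properties log4jProps = new Properties();
+log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
+PropertyConfigurator.configure(log4jProps);
+
+AnalysisPDPTest test = new AnalysisPDPTest();
+
+test.setup();
+test.exec();
+}
+
+
+private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+ConfigurationStore config = new ConfigurationStore(new File("src/test/productive-config.xml"));
+conf = new AnalysisConfig(config.getDefaultPDPConfig());
+
+knownAttrs = new KnownAttributeResolver();
+conf.addAnalysisAttributeResolver(knownAttrs);
+conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
+
+//create PDP
+pdp = new PDPServer(conf);
+
+//for analysis/evaluation create required classes
+eventHub = new EvaluationEventHub();
+
+// keep track of missing and resovled attributes
+attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
+eventHub.register(attrCapt);
+
+// print the call stack
+eventHub.register(new PrettyPrinter());
+}
+
+
+
+
+
+
+
+private void exec() throws SecurityError, URISyntaxException, ParsingException {
+List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
+attributes.add(
+new AuthoAttribute(
+Constants.SUBJECT_CAT,
+Constants.SUBJECT_ID,
+TypeIdentifierConstants.STRING_URI,
+"root"));
+attributes.add(
+new AuthoAttribute(
+Constants.SUBJECT_CAT,
+URI.create("urn:subject:department"),
+TypeIdentifierConstants.STRING_URI,
+"test1"));
+// attributes.add(
+// new AuthoAttribute(
+// Constants.RESOURCE_CAT,
+// URI.create("urn:patient:department"),
+// TypeIdentifierConstants.STRING_URI,
+// "test1"));
+
+attributes.add(
+new AuthoAttribute(
+Constants.SUBJECT_CAT,
+URI.create("subject-roles"),
+TypeIdentifierConstants.STRING_URI,
+"Nurse"));
+
+//urn:nhs:becker:health-record MedicalRecord
+RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("urn:nhs:becker:health-record"), "read", attributes);
+
+String requestString = XACMLEncoder.encodeRequestCtx(request);
+System.out.println("REQUEST:\n" + requestString);
+
+ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
+EvaluationIdAttribute.INVALID, eventHub));
+
+String responseString = XACMLEncoder.encodeResponseCtx(resp);
+
+//String responseString = pdp.evaluateXACML(requestString);
+System.out.println("RESPONE:\n" + responseString); //XACMLEncoder.encodeResponseCtx(response));
+
+ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
+eventHub.getEvalInfo().getTreeElemTree());
+
+System.out.println("REPORT:::");
+System.out.println( repGen.reportMissingAttr());
+
+
+}
+
+
+
+/**
+* @return the suite of tests being tested
+*/
+public static Test suite()
+{
+return new TestSuite( AnalysisPDPTest.class );
+}
+
+/**
+* Rigourous Test :-)
+*/
+public void testApp()
+{
+assertTrue( true );
+}
+
+}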
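Review bot: The `FileInputStream` that `main` opens on `src/test/log4j.properties` is never closed; `Properties.load` does not close the stream it is given. The same pattern is repeated in `main` of AppTest, PlainPDPTest, ProductiveSVNTest and ProductiveTest in this commit. If the project targets Java 7 or later, `try (InputStream in = new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties")))) { log4jProps.load(in); }` (with `java.io.InputStream` imported) fixes each of them; on older targets close the stream in a `finally`. Separately, the only JUnit test method, `testApp`, asserts `true`, so `setup()` and `exec()` run from `main` alone and the analysis path is never exercised by the test runner; either turn `exec()` into a test method with assertions on `resp` and `repGen.reportMissingAttr()`, or state on the class Javadoc that this is a manual driver rather than a unit test.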
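--- /dev/null
+++ b/<path-not-on-page>/AppTest.java
@@ -0,0 +1,102 @@
+/* Copyright 2012-2015 SAP SE
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package eu.aniketos.securebpmn.xacml.pdp;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.util.Properties;
+
+import org.apache.log4j.PropertyConfigurator;
+
+import com.sun.xacml.ParsingException;
+import com.sun.xacml.UnknownIdentifierException;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+/**
+* Unit test for simple App.
+*/
+public class AppTest
+extends TestCase
+{
+/**
+* Create the test case
+*
+* @param testName name of the test case
+*/
+public AppTest( String testName )
+{
+super( testName );
+}
+
+/**
+* @return the suite of tests being tested
+*/
+public static Test suite()
+{
+return new TestSuite( AppTest.class );
+}
+
+public static void main(String[] args) throws IOException, ParsingException, UnknownIdentifierException {
+Properties log4jProps = new Properties();
+log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
+PropertyConfigurator.configure(log4jProps);
+// //AppTest test = new AppTest("pdpServer test");
+//test.testApp();
+foo();
+}
+
+private static void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException {
+//PDPServer pdpServer = new PDPServer(new File("src/main/webapp/WEB-INF/policy-config.xml"), "src/main/webapp/webapp/WEB-INF/");
+
+
+}
+// private static final String SVN_URL = "https://projects.brucker.ch/soknos-dev/svn/trunk/examples/versionedPDP_data";
+// private static final String USERNAME = "pdp";
+// private static final String PASSWORD = "HJeSnelw";
+
+// private static void bar() {
+//
+////
+//// Properties log4jProps = new Properties();
+//// try {
+//// log4jProps.load(new BufferedInputStream(new FileInputStream(new File(PDPServer.LOG4J))));
+//// PropertyConfigurator.configure(log4jProps);
+//// logger.info("Loaded log4j configuration from " + PDPServer.LOG4J);
+//// } catch (IOException e) {
+//// logger.error("Could not load log4j configuration from " + PDPServer.LOG4J + " IOException: " + e.getMessage());
+//// System.err.println("Could not load log4j configuration from log4j.properties IOException: " + e.getMessage());
+//// }
+//
+// new SVNPolicyFinderModule(SVN_URL, USERNAME, PASSWORD, -1);
+// }
+/**
+* Rigourous Test :-)
+*/
+public void testApp()
+{
+
+assertTrue( true );
+}
+
+
+
+}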
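Review bot: The commented-out block after `foo()` contains a literal SVN `USERNAME` and `PASSWORD` for `SVN_URL`; a credential in a comment is still a credential in the repository history, so the three constants and the dead `bar()` should be removed from the file and the password rotated on the SVN side, with `SVNPolicyFinderModule` parameters supplied from an untracked properties file or the environment instead. `foo()` is otherwise empty apart from a commented-out `PDPServer` construction, so `main` currently configures log4j and does nothing else; either restore the intended body or drop `foo()`. The log4j `FileInputStream` in `main` is also never closed, as in the other test drivers in this commit.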
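--- /dev/null
+++ b/<path-not-on-page>/PDPState.java
@@ -0,0 +1,60 @@
+/* Copyright 2012-2015 SAP SE
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package eu.aniketos.securebpmn.xacml.pdp;
+
+import eu.aniketos.securebpmn.xacml.pdpstate.DemoPDPStateMgt;
+import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
+
+public class PDPState {
+
+private static PDPStateManagement pdpStateMgt;
+private static DemoPDPStateMgt demoPdpStateMgt;
+
+/**
+* @param args
+*/
+public static void main(String[] args) {
+// TODO Auto-generated method stub
+
+}
+
+public static final String ALICE = "Alice",
+BOB = "Bob",
+NURSE = "nurse",
+CLINICAN = "clinician";
+
+
+
+public static void setupDemoRoles() {
+init();
+
+demoPdpStateMgt.addRole(ALICE, NURSE);
+demoPdpStateMgt.addRole(BOB, CLINICAN);
+demoPdpStateMgt.addRole(BOB, NURSE);
+}
+
+
+private static void init() {
+if (pdpStateMgt == null ) {
+pdpStateMgt = PDPStateManagement.getInstance();
+demoPdpStateMgt = new DemoPDPStateMgt();
+}
+
+}
+
+
+
+}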
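Review bot: `init()` stores `PDPStateManagement.getInstance()` in `pdpStateMgt`, but nothing in the class reads that field afterwards; it only serves as the null guard for creating `demoPdpStateMgt`, so either the intended use of the state manager is missing or the guard should be `if (demoPdpStateMgt == null)` with the unused field removed. `main` is an empty auto-generated stub and `CLINICAN` is misspelled for a constant whose value is `"clinician"`, which every caller will have to reproduce. The class has no documentation; a Javadoc on `setupDemoRoles` such as `/** Seeds the demo PDP state with fixed role assignments: Alice is a nurse, Bob is both clinician and nurse. */` would make the fixture's intent explicit.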
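--- /dev/null
+++ b/<path-not-on-page>/PlainPDPTest.java
@@ -0,0 +1,139 @@
+/* Copyright 2012-2015 SAP SE
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package eu.aniketos.securebpmn.xacml.pdp;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Properties;
+import java.util.Vector;
+
+import org.apache.log4j.PropertyConfigurator;
+
+import eu.aniketos.securebpmn.xacml.api.SecurityError;
+import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
+import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
+import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
+
+import com.sun.xacml.ConfigurationStore;
+import com.sun.xacml.Constants;
+import com.sun.xacml.PDP;
+import com.sun.xacml.ParsingException;
+import com.sun.xacml.UnknownIdentifierException;
+import com.sun.xacml.attr.TypeIdentifierConstants;
+import com.sun.xacml.ctx.RequestCtx;
+import com.sun.xacml.ctx.ResponseCtx;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+
+/**
+* tests the plain (com.sun.xacml) PDP
+*
+*/
+public class PlainPDPTest extends TestCase {
+
+private PDP pdp;
+
+public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+Properties log4jProps = new Properties();
+log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
+PropertyConfigurator.configure(log4jProps);
+
+PlainPDPTest test = new PlainPDPTest();
+test.setup();
+test.foo();
+}
+
+private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException {
+ConfigurationStore config = new ConfigurationStore(
+new FileInputStream(new File("src/test/productive-config.xml")), "src/test/");
+pdp = new PDP(config.getDefaultPDPConfig());
+}
+
+
+
+
+// private static void bar() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+//
+//
+// ConfigurationStore config = new ConfigurationStore(
+// new FileInputStream(new File("src/test/productive-config.xml")), "src/test/");
+// PDP pdp = new PDP(config.getDefaultPDPConfig());
+
+// PDPServer pdp = new PDPServer(new File("src/test/productive-config.xml"), "src/test/");
+////
+////
+//// exec(pdp);
+//
+//
+//
+//
+//
+// }
+
+private void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+
+List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
+attributes.add(
+new AuthoAttribute(
+Constants.SUBJECT_CAT,
+Constants.SUBJECT_ID,
+TypeIdentifierConstants.STRING_URI,
+"root"));
+
+// attributes.add(
+// new AuthoAttribute(
+// Constants.RESOURCE_CAT,
+// URI.create("urn:owner"),
+// TypeIdentifierConstants.STRING_URI,
+// "helmut"));
+
+RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("MedicalRecord"), "read", attributes);
+
+
+System.out.println("REQUEST:\n" + XACMLEncoder.encodeRequestCtx(request));
+
+ResponseCtx response = pdp.evaluate(request);
+System.out.println("RESPONE:\n" + XACMLEncoder.encodeResponseCtx(response));
+
+}
+
+/**
+* @return the suite of tests being tested
+*/
+public static Test suite()
+{
+return new TestSuite( PlainPDPTest.class );
+}
+
+/**
+* Rigourous Test :-)
+*/
+public void testApp()
+{
+
+assertTrue( true );
+}
+
+}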
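Review bot: `setup()` passes a bare `new FileInputStream(new File("src/test/productive-config.xml"))` to `ConfigurationStore` and never closes it, in addition to the unclosed log4j stream in `main`; whether `ConfigurationStore` closes a stream it is handed is not visible here, so hold it in a local and close it in a `finally` (or try-with-resources on Java 7+) in this method. `foo()` prints the decision for `MedicalRecord`/`read` but asserts nothing, and `testApp` only asserts `true`, so a regression in the PDP decision would pass the test runner silently; at minimum assert the expected decision from `response.getResults()`. `"RESPONE:\n"` is a typo for `"RESPONSE:\n"`.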
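--- /dev/null
+++ b/<path-not-on-page>/ProductiveSVNTest.java
@@ -0,0 +1,75 @@
+/* Copyright 2012-2015 SAP SE
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package eu.aniketos.securebpmn.xacml.pdp;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.Properties;
+
+import org.apache.log4j.PropertyConfigurator;
+
+import eu.aniketos.securebpmn.xacml.api.SecurityError;
+import eu.aniketos.securebpmn.xacml.SVNPDPConfig;
+
+import com.sun.xacml.PDPConfig;
+import com.sun.xacml.ParsingException;
+import com.sun.xacml.UnknownIdentifierException;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+public class ProductiveSVNTest extends ProductiveTest {
+
+public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
+
+Properties log4jProps = new Properties();
+log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
+PropertyConfigurator.configure(log4jProps);
+
+ProductiveSVNTest test = new ProductiveSVNTest();
+test.setup();
+test.foo();
+
+}
+
+private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError {
+PDPConfig conf = SVNPDPConfig.getSVNPDPConfig(new File("src/main/webapp/WEB-INF/svn-config.xml"));
+pdp = new PDPServer(conf);
+
+}
+
+/**
+* @return the suite of tests being tested
+*/
+public static Test suite()
+{
+return new TestSuite( ProductiveSVNTest.class );
+}
+
+/**
+* Rigourous Test :-)
+*/
+public void testApp()
+{
+
+assertTrue( true );
+}
+
+}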
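Review bot: `private void setup()` here does not override anything — `ProductiveTest.setup()` in this commit is also private — so `test.setup()` in `main` resolves to this class's copy only because it is called from within the class, and making the parent's method `protected` later would silently change which one runs; give it a distinct name, or make the parent's `setup()` `protected` and mark this one `@Override`. The configuration is read from `src/main/webapp/WEB-INF/svn-config.xml`, the deployable webapp's SVN settings, so this driver exercises whatever repository access that file configures; a test-scoped copy under `src/test/`, as the other drivers use for `productive-config.xml`, would keep the test from depending on production settings. The log4j `FileInputStream` in `main` is never closed, as in the other test drivers in this commit.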
@ -0,0 +1,122 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp;
|
||||||
|
|
||||||
|
import java.io.BufferedInputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.net.URISyntaxException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Properties;
|
||||||
|
import java.util.Vector;
|
||||||
|
|
||||||
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||||
|
|
||||||
|
|
||||||
|
import com.sun.xacml.Constants;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||||
|
|
||||||
|
|
||||||
|
import junit.framework.Test;
|
||||||
|
import junit.framework.TestCase;
|
||||||
|
import junit.framework.TestSuite;
|
||||||
|
|
||||||
|
public class ProductiveTest extends TestCase {
|
||||||
|
|
||||||
|
protected PDPServer pdp;
|
||||||
|
|
||||||
|
public static void main(String[] args) throws UnknownIdentifierException, ParsingException, IOException, SecurityError, URISyntaxException {
|
||||||
|
Properties log4jProps = new Properties();
|
||||||
|
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||||
|
PropertyConfigurator.configure(log4jProps);
|
||||||
|
|
||||||
|
ProductiveTest test = new ProductiveTest();
|
||||||
|
test.setup();
|
||||||
|
test.foo();
|
||||||
|
}
|
||||||
|
|
||||||
|
private void setup() throws UnknownIdentifierException, ParsingException, FileNotFoundException {
|
||||||
|
pdp = new PDPServer(new File("src/test/productive-config.xml"));
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void foo() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||||
|
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
Constants.SUBJECT_ID,
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"root"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:subject:department"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.RESOURCE_CAT,
|
||||||
|
URI.create("urn:patient:department"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
|
||||||
|
// RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("MedicalRecord"), "read", attributes);
|
||||||
|
//
|
||||||
|
//
|
||||||
|
// System.out.println("REQUEST:\n" + XACMLEncoder.encodeRequestCtx(request));
|
||||||
|
|
||||||
|
AuthoResult result = pdp.evaluate(new IdInfo("root", null, null), "MedicalRecord", "read", attributes);
|
||||||
|
|
||||||
|
//ResponseCtx response = pdp.evaluate(request);
|
||||||
|
System.out.println("RESPONE:\n" + result);
|
||||||
|
|
||||||
|
pdp.unload();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the suite of tests being tested
|
||||||
|
*/
|
||||||
|
public static Test suite()
|
||||||
|
{
|
||||||
|
return new TestSuite( ProductiveTest.class );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Rigourous Test :-)
|
||||||
|
*/
|
||||||
|
public void testApp()
|
||||||
|
{
|
||||||
|
assertTrue( true );
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
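Review bot: The authorization decision produced in `foo()` is only printed (`System.out.println("RESPONE:\n" + result)`) and never asserted, and the one JUnit method `testApp()` asserts `true`, so the suite passes no matter what the PDP answers for `root` reading `MedicalRecord`. For an access-control test that decision is the one thing worth pinning: `testApp()` should call `setup()` and `foo()` and assert the expected outcome on the returned `AuthoResult` (the accessor name is not visible here — confirm against the API). `pdp.unload()` is also reached only when `pdp.evaluate(...)` does not throw; moving it into a `finally` keeps the PDP from being left loaded after a failed run. Minor: the subject id `root` is supplied twice, via `new IdInfo("root", null, null)` and again as an explicit `Constants.SUBJECT_ID` attribute — presumably harmless, but the duplicate hides whether the decoder actually honours `IdInfo`, so one of the two should go. The `FileInputStream` for `src/test/log4j.properties` is opened and never closed (`Properties.load` does not close its argument).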
@ -0,0 +1,205 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.abtractEval;
|
||||||
|
|
||||||
|
import java.io.BufferedInputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.net.URISyntaxException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Properties;
|
||||||
|
import java.util.Vector;
|
||||||
|
|
||||||
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
|
|
||||||
|
import com.sun.xacml.ConfigurationStore;
|
||||||
|
import com.sun.xacml.Constants;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||||
|
import com.sun.xacml.ctx.RequestCtx;
|
||||||
|
import com.sun.xacml.ctx.ResponseCtx;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
|
||||||
|
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||||
|
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||||
|
|
||||||
|
public class AndOr {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TODO modify the current infrastructure => do not evaluate or treat the result as
|
||||||
|
* abstract if a non-abstract true was found
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
private PDPServer pdp;
|
||||||
|
|
||||||
|
private KnownAttributeResolver knownAttrs;
|
||||||
|
private AnalysisConfig conf;
|
||||||
|
private EvaluationEventHub eventHub;
|
||||||
|
private MissingAttrCapture attrCapt;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param args
|
||||||
|
* @throws IOException
|
||||||
|
* @throws FileNotFoundException
|
||||||
|
* @throws URISyntaxException
|
||||||
|
* @throws SecurityError
|
||||||
|
* @throws UnknownIdentifierException
|
||||||
|
* @throws ParsingException
|
||||||
|
*/
|
||||||
|
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||||
|
Properties log4jProps = new Properties();
|
||||||
|
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||||
|
PropertyConfigurator.configure(log4jProps);
|
||||||
|
|
||||||
|
|
||||||
|
AndOr test = new AndOr();
|
||||||
|
test.setup();
|
||||||
|
|
||||||
|
test.testv1();
|
||||||
|
//test.testv2();
|
||||||
|
//test.testRoleAssignment();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void testRoleAssignment() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("admin@aniketos.eu"),
|
||||||
|
new URI("urn:runEx:role:assignment"),
|
||||||
|
"add", null);
|
||||||
|
analyze(request);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
private void testv2() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
//add some attribute directly to the request
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:test:true"),
|
||||||
|
TypeIdentifierConstants.BOOLEAN_URI,
|
||||||
|
"true"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:test:false"),
|
||||||
|
TypeIdentifierConstants.BOOLEAN_URI,
|
||||||
|
"false"));
|
||||||
|
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("foo", null, null),
|
||||||
|
new URI("AndOrTest"),
|
||||||
|
"bar", attributes);
|
||||||
|
|
||||||
|
analyze(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void testv1() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
//add some attribute directly to the request
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:test:true"),
|
||||||
|
TypeIdentifierConstants.BOOLEAN_URI,
|
||||||
|
"true"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:test:false"),
|
||||||
|
TypeIdentifierConstants.BOOLEAN_URI,
|
||||||
|
"false"));
|
||||||
|
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("foo", null, null),
|
||||||
|
new URI("AndOrTestv1"),
|
||||||
|
"bar", attributes);
|
||||||
|
|
||||||
|
analyze(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||||
|
ConfigurationStore config = new ConfigurationStore(new File("src/test/abstractEval/abstractEval-config.xml"));
|
||||||
|
//ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
|
||||||
|
conf = new AnalysisConfig(config.getDefaultPDPConfig());
|
||||||
|
|
||||||
|
// first add attribute resolvers which will resolve known attributes
|
||||||
|
// can/should be replaced for workbench version with versioned policy state module
|
||||||
|
knownAttrs = new KnownAttributeResolver();
|
||||||
|
conf.addAnalysisAttributeResolver(knownAttrs);
|
||||||
|
|
||||||
|
//only if no attribute can be found, use abstract value
|
||||||
|
conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
|
||||||
|
|
||||||
|
//create PDP
|
||||||
|
pdp = new PDPServer(conf);
|
||||||
|
|
||||||
|
//for analysis/evaluation create required classes
|
||||||
|
eventHub = new EvaluationEventHub();
|
||||||
|
|
||||||
|
// keep track of missing and resovled attributes
|
||||||
|
attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
|
||||||
|
eventHub.register(attrCapt);
|
||||||
|
|
||||||
|
// print the call stack
|
||||||
|
eventHub.register(new PrettyPrinter());
|
||||||
|
}
|
||||||
|
|
||||||
|
private void analyze(RequestCtx request) throws ParsingException {
|
||||||
|
// print XACML request
|
||||||
|
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||||
|
System.out.println("XACML REQUEST:\n" + requestString);
|
||||||
|
|
||||||
|
// evaluate request
|
||||||
|
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||||
|
EvaluationIdAttribute.INVALID, eventHub));
|
||||||
|
|
||||||
|
// print XACML response
|
||||||
|
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||||
|
System.out.println("RESPONE:\n" + responseString);
|
||||||
|
|
||||||
|
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||||
|
eventHub.getEvalInfo().getTreeElemTree());
|
||||||
|
|
||||||
|
System.out.println("REPORT:::");
|
||||||
|
System.out.println( repGen.reportMissingAttr());
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
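Review bot: The `FileInputStream` opened in `main` for `src/test/log4j.properties` is never closed, since `Properties.load` does not close the stream it is given. If the build targets Java 7 or later, `try (InputStream in = new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties")))) { log4jProps.load(in); }` fixes it (the explicit `<AuthoAttribute>` type arguments show at least Java 5, but the exact target is not visible here); otherwise close it in a `finally`. Separately, `testRoleAssignment` passes `null` as the attribute list to `XACMLDecoder.decodeRequestCtx`, while every other caller in this commit passes a `Vector`; unless the decoder documents `null` as "no attributes", that path will fail the moment the commented-out `//test.testRoleAssignment();` in `main` is re-enabled. As in the sibling drivers, the response is printed but nothing is asserted, so the `and`/`or` semantics this class exists to exercise are never actually checked — the `TODO` at the top of the class even records that the handling of an abstract result next to a concrete `true` is still undecided, which is exactly the case an assertion should pin down.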
@ -0,0 +1,288 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.abtractEval;
|
||||||
|
|
||||||
|
import java.io.BufferedInputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.net.URISyntaxException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Properties;
|
||||||
|
import java.util.Vector;
|
||||||
|
|
||||||
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
|
|
||||||
|
import com.sun.xacml.ConfigurationStore;
|
||||||
|
import com.sun.xacml.Constants;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||||
|
import com.sun.xacml.ctx.RequestCtx;
|
||||||
|
import com.sun.xacml.ctx.ResponseCtx;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.MissingAttrCapture;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.PrettyPrinter;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.ReportGenerator;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.AbstractAttributeResolver;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.attributes.KnownAttributeResolver;
|
||||||
|
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||||
|
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||||
|
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||||
|
|
||||||
|
public class HolTestGen {
|
||||||
|
|
||||||
|
private PDPServer pdp;
|
||||||
|
|
||||||
|
private KnownAttributeResolver knownAttrs;
|
||||||
|
private AnalysisConfig conf;
|
||||||
|
private EvaluationEventHub eventHub;
|
||||||
|
private MissingAttrCapture attrCapt;
|
||||||
|
|
||||||
|
|
||||||
|
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||||
|
Properties log4jProps = new Properties();
|
||||||
|
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||||
|
PropertyConfigurator.configure(log4jProps);
|
||||||
|
|
||||||
|
HolTestGen test = new HolTestGen();
|
||||||
|
|
||||||
|
test.setup();
|
||||||
|
|
||||||
|
// missing time
|
||||||
|
test.carol_read_notime();
|
||||||
|
test.clear();
|
||||||
|
|
||||||
|
|
||||||
|
// // missing patient department and time
|
||||||
|
// test.carol_read_noPatDepTime();
|
||||||
|
// test.clear();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private void clear() {
|
||||||
|
eventHub.clearEvalInfo();
|
||||||
|
knownAttrs.clear();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private void setup() throws FileNotFoundException, ParsingException, UnknownIdentifierException, SecurityError, URISyntaxException {
|
||||||
|
ConfigurationStore config = new ConfigurationStore(new File("src/test/abstractEval/abstractEval-config.xml"));
|
||||||
|
conf = new AnalysisConfig(config.getDefaultPDPConfig());
|
||||||
|
|
||||||
|
// first add attribute resolvers which will resolve known attributes
|
||||||
|
// can/should be replaced for workbench version with versioned policy state module
|
||||||
|
knownAttrs = new KnownAttributeResolver();
|
||||||
|
conf.addAnalysisAttributeResolver(knownAttrs);
|
||||||
|
|
||||||
|
//only if no attribute can be found, use abstract value
|
||||||
|
conf.addAnalysisAttributeResolver(new AbstractAttributeResolver());
|
||||||
|
|
||||||
|
//create PDP
|
||||||
|
pdp = new PDPServer(conf);
|
||||||
|
|
||||||
|
//for analysis/evaluation create required classes
|
||||||
|
eventHub = new EvaluationEventHub();
|
||||||
|
|
||||||
|
// keep track of missing and resovled attributes
|
||||||
|
attrCapt = new MissingAttrCapture(eventHub.getEvalInfo());
|
||||||
|
eventHub.register(attrCapt);
|
||||||
|
|
||||||
|
// print the call stack
|
||||||
|
eventHub.register(new PrettyPrinter());
|
||||||
|
}
|
||||||
|
|
||||||
|
private void carol_read_notime() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
//add some attribute directly to the request
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("urn:subject:department"), TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(Constants.RESOURCE_CAT, URI.create("urn:patient:department"), TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
|
||||||
|
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||||
|
"Nurse"));
|
||||||
|
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("carol", null, null),
|
||||||
|
new URI("HealthRecord"),
|
||||||
|
"read", attributes);
|
||||||
|
|
||||||
|
analyze(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void carol_read_noPatDep() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
//add some attribute directly to the request
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:subject:department"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.ENVIRONMENT_CAT,
|
||||||
|
URI.create("urn:oasis:names:tc:xacml:1.0:environment:current-time"),
|
||||||
|
TypeIdentifierConstants.TIME_URI,
|
||||||
|
"12:00:00Z"));
|
||||||
|
|
||||||
|
|
||||||
|
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||||
|
"Nurse"));
|
||||||
|
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("carol", null, null),
|
||||||
|
new URI("HealthRecord"),
|
||||||
|
"read", attributes);
|
||||||
|
|
||||||
|
analyze(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void carol_read_noPatDepTime() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
//add some attribute directly to the request
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:subject:department"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
|
||||||
|
|
||||||
|
// as the roleFindermodule is removed due to analysis mode, add also the role
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI,
|
||||||
|
"Nurse"));
|
||||||
|
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(
|
||||||
|
new IdInfo("carol", null, null),
|
||||||
|
new URI("HealthRecord"),
|
||||||
|
"read", attributes);
|
||||||
|
|
||||||
|
analyze(request);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void analyze(RequestCtx request) throws ParsingException {
|
||||||
|
// print XACML request
|
||||||
|
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||||
|
System.out.println("XACML REQUEST:\n" + requestString);
|
||||||
|
|
||||||
|
// evaluate request
|
||||||
|
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||||
|
EvaluationIdAttribute.INVALID, eventHub));
|
||||||
|
|
||||||
|
// print XACML response
|
||||||
|
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||||
|
System.out.println("RESPONE:\n" + responseString);
|
||||||
|
|
||||||
|
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||||
|
eventHub.getEvalInfo().getTreeElemTree());
|
||||||
|
|
||||||
|
System.out.println("REPORT:::");
|
||||||
|
System.out.println( repGen.reportMissingAttr());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
private void exec() throws SecurityError, URISyntaxException, ParsingException {
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
Constants.SUBJECT_ID,
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"root"));
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("urn:subject:department"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"test1"));
|
||||||
|
// attributes.add(
|
||||||
|
// new AuthoAttribute(
|
||||||
|
// Constants.RESOURCE_CAT,
|
||||||
|
// URI.create("urn:patient:department"),
|
||||||
|
// TypeIdentifierConstants.STRING_URI,
|
||||||
|
// "test1"));
|
||||||
|
|
||||||
|
attributes.add(
|
||||||
|
new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT,
|
||||||
|
URI.create("subject-roles"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
"Nurse"));
|
||||||
|
|
||||||
|
//urn:nhs:becker:health-record MedicalRecord
|
||||||
|
RequestCtx request = XACMLDecoder.decodeRequestCtx(null, new URI("urn:nhs:becker:health-record"), "read", attributes);
|
||||||
|
|
||||||
|
String requestString = XACMLEncoder.encodeRequestCtx(request);
|
||||||
|
System.out.println("REQUEST:\n" + requestString);
|
||||||
|
|
||||||
|
ResponseCtx resp = pdp.analyze(new AnalysisCtx(request, conf,
|
||||||
|
EvaluationIdAttribute.INVALID, eventHub));
|
||||||
|
|
||||||
|
String responseString = XACMLEncoder.encodeResponseCtx(resp);
|
||||||
|
|
||||||
|
//String responseString = pdp.evaluateXACML(requestString);
|
||||||
|
System.out.println("RESPONE:\n" + responseString); //XACMLEncoder.encodeResponseCtx(response));
|
||||||
|
|
||||||
|
ReportGenerator repGen = new ReportGenerator(attrCapt.getKnownAttributes(),
|
||||||
|
eventHub.getEvalInfo().getTreeElemTree());
|
||||||
|
|
||||||
|
System.out.println("REPORT:::");
|
||||||
|
System.out.println( repGen.reportMissingAttr());
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public HolTestGen() {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testApp()
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
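Review bot: Because the role finder is disabled in analysis mode (per the comment `// as the roleFindermodule is removed due to analysis mode`), every request here injects `subject-roles` = `Nurse` as a caller-supplied attribute, so a Permit only shows that a requester who *claims* the Nurse role is allowed, not that `carol` holds it; that caveat belongs next to the attribute so nobody reads these runs as a production check, e.g. `// NOTE: role is asserted by the request, not resolved by the PDP — analysis-only, not a decision for carol`. The attribute id is the bare relative URI `URI.create("subject-roles")`, repeated in `carol_read_notime`, `carol_read_noPatDep`, `carol_read_noPatDepTime` and `exec()`; if the policies match on a different identifier the attribute is silently ignored and the outcome is driven by the `AbstractAttributeResolver` fallback, so hoisting it into one named constant (and confirming it against the policy files, which are not visible here) would make such a mismatch obvious. `carol_read_noPatDep` and `exec` are never called — and `exec` targets a different resource, `urn:nhs:becker:health-record`, with a `null` `IdInfo` — while `testApp()` is empty and nothing is asserted, so the class currently documents intent rather than verifying it. The `log4j.properties` stream opened in `main` is also never closed.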
@ -0,0 +1,74 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.runEx;
|
||||||
|
|
||||||
|
import java.io.BufferedInputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||||
|
|
||||||
|
import com.sun.xacml.ConfigurationStore;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
|
||||||
|
public class DenyPoliciesExample {
|
||||||
|
|
||||||
|
private static PDPServer pdp;
|
||||||
|
private static PDPStateManagement pdpStateMgt;
|
||||||
|
|
||||||
|
private static final String nurse = "nurse",
|
||||||
|
physician = "physician";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param args
|
||||||
|
* @throws IOException
|
||||||
|
* @throws FileNotFoundException
|
||||||
|
* @throws ParsingException
|
||||||
|
* @throws UnknownIdentifierException
|
||||||
|
*/
|
||||||
|
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
|
||||||
|
|
||||||
|
Properties log4jProps = new Properties();
|
||||||
|
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||||
|
PropertyConfigurator.configure(log4jProps);
|
||||||
|
|
||||||
|
init();
|
||||||
|
setupSzenario();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void setupSzenario() {
|
||||||
|
//pdpStateMgt.addRole("", ")
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private static void init() throws ParsingException, UnknownIdentifierException {
|
||||||
|
ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config-denyPolicies.xml"));
|
||||||
|
|
||||||
|
|
||||||
|
pdp = new PDPServer(config.getDefaultPDPConfig());
|
||||||
|
pdpStateMgt = PDPStateManagement.getInstance();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
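Review bot: `setupSzenario()` is an empty stub (its only content is the commented-out `//pdpStateMgt.addRole("", ")`), and `pdp`, `pdpStateMgt`, `nurse` and `physician` are assigned or declared but never read, so despite its name this example never sends a request through `pdp-config-denyPolicies.xml` and demonstrates nothing about deny behaviour. If it is meant to stay a placeholder for now, say so at the top of the class: `// TODO: scenario not yet implemented — no request is evaluated against the deny policies`. The class is otherwise a line-for-line copy of `RunningExample` differing only in the config path; one example taking the config file as a parameter would keep the two from drifting apart. The `FileInputStream` for `src/test/log4j.properties` is opened and never closed.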
@ -0,0 +1,73 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.runEx;
|
||||||
|
|
||||||
|
import java.io.BufferedInputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import org.apache.log4j.PropertyConfigurator;
|
||||||
|
|
||||||
|
import com.sun.xacml.ConfigurationStore;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
|
||||||
|
|
||||||
|
public class RunningExample {
|
||||||
|
|
||||||
|
private static PDPServer pdp;
|
||||||
|
private static PDPStateManagement pdpStateMgt;
|
||||||
|
|
||||||
|
private static final String nurse = "nurse",
|
||||||
|
physician = "physician";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param args
|
||||||
|
* @throws IOException
|
||||||
|
* @throws FileNotFoundException
|
||||||
|
* @throws ParsingException
|
||||||
|
* @throws UnknownIdentifierException
|
||||||
|
*/
|
||||||
|
public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
|
||||||
|
|
||||||
|
Properties log4jProps = new Properties();
|
||||||
|
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||||
|
PropertyConfigurator.configure(log4jProps);
|
||||||
|
|
||||||
|
init();
|
||||||
|
setupSzenario();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void setupSzenario() {
|
||||||
|
//pdpStateMgt.addRole("", ")
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private static void init() throws ParsingException, UnknownIdentifierException {
|
||||||
|
ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
|
||||||
|
|
||||||
|
|
||||||
|
pdp = new PDPServer(config.getDefaultPDPConfig());
|
||||||
|
pdpStateMgt = PDPStateManagement.getInstance();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
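Review bot: This class duplicates `DenyPoliciesExample` except for the config path `src/test/runningExample/pdp-config.xml`; the two should share one implementation parameterised by the config file rather than be maintained separately. As there, `setupSzenario()` is empty, `pdpStateMgt`, `nurse` and `physician` are never used, and no request is ever evaluated, so the "running example" does not yet show a single decision. Style: `Szenario` reads as the German spelling; `setupScenario` would match the English naming of the surrounding code. The `log4j.properties` stream opened in `main` is never closed.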
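--- a/PATH-NOT-SHOWN/PDPStateMgt.java
+++ b/PATH-NOT-SHOWN/PDPStateMgt.java
@@ -0,0 +1,215 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.xacml.pdp.state;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Date;
+import java.util.List;
+import java.util.Properties;
+import java.util.Vector;
+
+import org.apache.log4j.PropertyConfigurator;
+
+import eu.aniketos.securebpmn.xacml.api.SecurityError;
+import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
+import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
+import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
+import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
+import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
+import eu.aniketos.securebpmn.xacml.pdpstate.DemoPDPStateMgt;
+import eu.aniketos.securebpmn.xacml.pdpstate.PDPStateManagement;
+
+import com.sun.xacml.ConfigurationStore;
+import com.sun.xacml.ParsingException;
+import com.sun.xacml.UnknownIdentifierException;
+
+public class PDPStateMgt {
+
+private static long start, setup;
+
+private static PDPServer pdp;
+private static PDPStateManagement pdpStateMgt;
+private static DemoPDPStateMgt demoMgt;
+
+private static final String ADMIN_USER = "admin@aniketos.eu",
+ADMIN_ROLE = "admin";
+
+private static AttributeIdentifier resource_subject = new AttributeIdentifier(
+URI.create("urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
+URI.create("http://www.w3.org/2001/XMLSchema#string"),
+URI.create("urn:custom:resource:subject-id"), null);
+
+private static AttributeIdentifier resource_role = new AttributeIdentifier(
+URI.create("urn:oasis:names:tc:xacml:3.0:attribute-category:resource"),
+URI.create("http://www.w3.org/2001/XMLSchema#string"),
+URI.create("urn:custom:resource:role"), null);
+
+/**
+* @param args
+* @throws IOException
+* @throws FileNotFoundException
+* @throws UnknownIdentifierException
+* @throws ParsingException
+*/
+public static void main(String[] args) throws FileNotFoundException, IOException, ParsingException, UnknownIdentifierException {
+start = new Date().getTime();
+Properties log4jProps = new Properties();
+log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
+PropertyConfigurator.configure(log4jProps);
+
+init();
+demoSetup();
+setup = new Date().getTime();
+
+System.out.println("STARTUP TIME: " + ( setup - start));
+
+test1();
+long test1 = new Date().getTime();
+
+System.out.println("TEST TIME: " + (test1 - setup));
+
+//
+// test2();
+// long test2 = new Date().getTime();
+//
+// System.out.println("TEST TIME2: " + (test2 - test1));
+
+List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
+System.out.print("roles for helmut@aniketos.eu: ");
+for(String s : roles ) {
+System.out.print(s +", ");
+}
+System.out.println("");
+}
+
+private static void init() throws ParsingException, UnknownIdentifierException {
+//ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config.xml"));
+ConfigurationStore config = new ConfigurationStore(new File("src/test/runningExample/pdp-config-denyPolicies.xml"));
+
+
+pdp = new PDPServer(config.getDefaultPDPConfig());
+
+
+pdpStateMgt = PDPStateManagement.getInstance();
+demoMgt = new DemoPDPStateMgt();
+
+}
+
+private static void demoSetup() {
+demoMgt.addRole(ADMIN_USER, ADMIN_ROLE);
+
+List<String> roles = demoMgt.getRoles(ADMIN_USER);
+System.out.print("### TEST ### roles for " + ADMIN_USER + ": ");
+for(String s : roles ) {
+System.out.print(s +", ");
+}
+System.out.println("");
+
+demoMgt.addActivePolicy("preg");
+List<String> polices = demoMgt.getActivePolicies();
+System.out.print("### TEST ### active policies: ");
+for(String s : polices ) {
+System.out.print(s +", ");
+}
+System.out.println("");
+}
+
+
+private static void test1() {
+
+List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
+System.out.print("### TEST ### roles for helmut@aniketos.eu: ");
+for(String s : roles ) {
+System.out.print(s +", ");
+}
+System.out.println("");
+
+List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
+attributes.add(new AuthoAttribute(resource_subject, "helmut@aniketos.eu"));
+attributes.add(new AuthoAttribute(resource_role, "employee"));
+
+try {
+AuthoResult res = pdp.evaluate(new IdInfo(ADMIN_USER), "urn:runEx:role:assignment", "add", attributes);
+System.out.println("result: " + res.toString());
+
+long evalId = Long.parseLong(res.getObligations().get(0).getParameters().iterator().next().getValue());
+System.out.println("evalId: " + evalId);
+
+// try {
+// Thread.sleep(1000);
+// } catch (InterruptedException e) {
+// // TODO Auto-generated catch block
+// e.printStackTrace();
+// }
+
+pdp.notifyStateChange(evalId);
+} catch (SecurityError e) {
+// TODO Auto-generated catch block
+e.printStackTrace();
+}
+
+roles = demoMgt.getRoles("helmut@aniketos.eu");
+System.out.print("### TEST ### roles for helmut@aniketos.eu: ");
+for(String s : roles ) {
+System.out.print(s +", ");
+}
+System.out.println("");
+
+}
+
+
+private static void test2() {
+
+List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
+attributes.add(new AuthoAttribute(resource_subject, "helmut@aniketos.eu"));
+attributes.add(new AuthoAttribute(resource_role, "anotherRole"));
+
+try {
+AuthoResult res = pdp.evaluate(new IdInfo(ADMIN_USER), "urn:runEx:role:assignment", "add", attributes);
+System.out.println("result: " + res.toString());
+
+long evalId = Long.parseLong(res.getObligations().get(0).getParameters().iterator().next().getValue());
+System.out.println("evalId: " + evalId);
+
+// try {
+// Thread.sleep(1000);
+// } catch (InterruptedException e) {
+// // TODO Auto-generated catch block
+// e.printStackTrace();
+// }
+
+pdp.notifyStateChange(evalId);
+} catch (SecurityError e) {
+// TODO Auto-generated catch block
+e.printStackTrace();
+}
+
+// List<String> roles = demoMgt.getRoles("helmut@aniketos.eu");
+// System.out.print("roles for helmut@aniketos.eu: ");
+// for(String s : roles ) {
+// System.out.print(s +", ");
+// }
+// System.out.println("");
+
+}
+
+
+}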
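Review bot: In test1, and in the same shape in test2, the line `long evalId = Long.parseLong(res.getObligations().get(0).getParameters().iterator().next().getValue());` assumes the decision carries at least one obligation with at least one parameter; a Deny, or a Permit without that obligation, would presumably fail inside List.get or Iterator.next with an exception that the `catch (SecurityError e)` does not cover, so the harness dies with a stack trace before `pdp.notifyStateChange(evalId)` instead of reporting a test outcome. A guard ahead of the parse such as `if (res.getObligations().isEmpty()) { System.out.println("no obligation returned - skipping state change"); return; }` keeps the run readable as pass/fail. Separately, the FileInputStream opened in main for `src/test/log4j.properties` is never closed; a try-with-resources around the `log4jProps.load(...)` call fixes the leak. The two catch blocks are still generated TODO stubs that only print the stack trace, so a SecurityError from the PDP currently looks like a passing run; failing the test explicitly there would make the harness trustworthy.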
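--- a/PATH-NOT-SHOWN-config-1.xml
+++ b/PATH-NOT-SHOWN-config-1.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdpState.xacml.PDPStateModule"/>
+
+<policyFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.FilePolicyModule">
+<list>
+<string>conf:useLines:true</string>
+<string>folder:healthcare</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
+
+<functionFactory name="func" useStandardFunctions="true">
+<target>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</target>
+</functionFactory>
+
+<logServer>eu.aniketos.securebpmn.xacml.log.LogServer</logServer>
+</config>
+
+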
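Review bot: The policy finder list packs a configuration flag, `<string>conf:useLines:true</string>`, and a directory reference, `<string>folder:healthcare</string>`, into the same untyped list, so nobody reading this file can tell which policies make up the effective policy set or what `useLines` changes; a comment above `<list>` naming the expected contents of the healthcare folder and the meaning of `useLines` would make the loaded policy set reviewable. If `folder:` means every file in that directory is loaded, as the name suggests, then adding or removing a policy file silently changes authorization decisions, which is worth stating in that comment. The attributeFinderModule class `eu.aniketos.securebpmn.xacml.pdpState.xacml.PDPStateModule` uses the package segment `pdpState`, while the Java file in this commit imports from `eu.aniketos.securebpmn.xacml.pdpstate`; if one of them is a typo the module would fail to load at PDP startup, so it is worth confirming. The `xmlns:xsi` declaration on the root is never used (no xsi:schemaLocation or xsi:nil appears) and can be dropped.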
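--- a/PATH-NOT-SHOWN-config-2.xml
+++ b/PATH-NOT-SHOWN-config-2.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+defaultPDP="pdp" defaultAttributeFactory="attr"
+defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
+<pdp name="pdp">
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule"/ -->
+
+<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
+<attributeFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.impl.RoleFinderFileModule"/>
+
+<!-- attributeFinderModule class="eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationFinderModule"/ -->
+
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/ -->
+<!-- attributeFinderModule class="com.sun.xacml.finder.impl.EmergencyLevelModule"/ -->
+<!-- eu.aniketos.securebpmn.xacml.xacml.finder
+com.sun.xacml.support.finder
+-->
+<policyFinderModule class="eu.aniketos.securebpmn.xacml.xacml.finder.FilePolicyModule">
+<list>
+<string>conf:useLines:true</string>
+<string>file:nhs-becker.xacml</string>
+<string>file:nhs-becker-p_reg.xacml</string>
+<string>file:nhs-becker-healthrecord.xacml</string>
+</list>
+</policyFinderModule>
+</pdp>
+<attributeFactory name="attr" useStandardDatatypes="true">
+<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
+</attributeFactory>
+
+<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
+
+<functionFactory name="func" useStandardFunctions="true">
+<target>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</target>
+<!-- condition>
+<functionCluster class="eu.aniketos.securebpmn.xacml.xacml.cond.CustomFunctionCluster"/>
+</condition -->
+</functionFactory>
+
+<logServer>eu.aniketos.securebpmn.xacml.log.LogServer</logServer>
+</config>
+
+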
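Review bot: The pdp element carries four commented-out attributeFinderModule entries plus a stray package-name scribble (`<!-- eu.aniketos.securebpmn.xacml.xacml.finder com.sun.xacml.support.finder -->`), and the functionFactory carries a commented `<!-- condition> ... </condition -->` block; together they leave it unclear whether SelectorModule, EvaluationFinderModule or EmergencyLevelModule are meant to be active, and CurrentEnvModule appears both live and commented out. Removing the dead entries, or replacing them with one comment such as `<!-- active finders: CurrentEnvModule, RoleFinderFileModule; SelectorModule and EmergencyLevelModule intentionally disabled -->`, makes the effective finder set reviewable, which matters because the set of attribute finders decides which request attributes the policies can see. The three `file:nhs-becker*.xacml` entries are bare file names; a comment stating which directory they resolve against would help anyone starting the PDP from a different working directory. As in the other config in this commit, `xmlns:xsi` is declared but never used.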