使用WSO2 IS和XACML策略保护REST API

时间:2019-02-13 16:13:56

标签: oauth-2.0 wso2esb wso2is xacml abac

我尝试使用OAuth中介程序和wso2 IS保护REST API(在wso2 ESB中)。我想在请求匹配特定的URI(例如从ESB调用/sample/test)并且还满足其他条件(例如scope_name、client_ip)时,允许持有有效令牌的用户访问。我可以在XACML策略中检查username和scope_name并允许它,但是我还想加上client_id和特定的URI。

这是我在WSO2 ESB中的Rest API示例:

<!-- Synapse REST API "sample": GET /sample/test is gated by the oauthService mediator and
     answers with a fixed JSON body. -->
<api context="/sample" name="sample" xmlns="http://ws.apache.org/ns/synapse">
  <resource uri-template="/test" methods="GET">
    <inSequence>
      <!-- Logs the transport-level remote address (axis2 REMOTE_ADDR). Behind a load balancer
           or reverse proxy this may be the proxy's address rather than the caller's; TODO confirm
           for the deployment before using it as the "client_ip" input to any policy. -->
      <log level="custom">
        <property name="ip address" expression="get-property('axis2','REMOTE_ADDR')"></property>
      </log>
      <!-- Token validation call to WSO2 IS. username/password are plaintext privileged
           credentials (admin/admin) stored in the API definition itself; WSO2's Secure Vault is the
           place for them, and a dedicated low-privilege validation account is preferable to admin.
           remoteServiceUrl points at localhost, so this only works with IS co-located on the host. -->
      <oauthService password="admin" username="admin" remoteServiceUrl="https://localhost:9444/services/"></oauthService>
      <!-- Static success payload; presumably reached only when oauthService accepts the token,
           confirm the mediator's fault behaviour in the ESB version in use. -->
      <payloadFactory media-type="json">
        <format>{"result":true}</format>
        <args></args>
      </payloadFactory>
      <respond></respond>
    </inSequence>
  </resource>
</api>

在WSO2 IS中,我使用以下配置创建服务提供商:

OAuth/OpenID Connect Configuration

<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
  <!-- WSO2 IS service-provider export for "samplesp". Three inbound configs are registered
       (passivests, oauth2, openid); only the oauth2 one carries configuration. -->
  <ApplicationName>samplesp</ApplicationName>
  <Description/>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>samplesp</InboundAuthKey>
        <InboundAuthType>passivests</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <!-- OAuth2 inbound. InboundAuthKey is the OAuth consumer key (client_id), the same value as
           oauthConsumerKey below. It is a public identifier; no client secret appears in this export. -->
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>U_SCMKqXqfJqSvyoD5LKFQ3Or7ka</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <!-- Embedded oAuthAppDO, escaped as CDATA (its own XML declaration is part of the data, so
             nothing can be annotated inside it). Points to review:
             grantTypes: refresh_token, password and client_credentials. No authorization_code is
               enabled, so the PKCE settings (pkceSupportPlain=true, pkceMandatory=false) have no flow
               to apply to. The password grant hands end-user credentials to the client; the
               client_credentials grant issues tokens with no end user. NOTE(review): which value the
               XACML scope validator then supplies for http://wso2.org/identity/user/username is not
               shown here; the policy on this page keys on that attribute, so confirm.
             scopeValidators: "XACML Scope Validator" is the setting that makes the policy on this
               page consulted for scope approval; presumably at token issuance, confirm for the IS
               version in use.
             expiry times: 360000 for access and id tokens, 846000 for refresh tokens. Units are not
               stated here; if seconds, that is roughly 100 hours and 9.8 days, long-lived for an
               access token.
             requestObjectSignatureValidationEnabled and idTokenEncryptionEnabled are false; the
               idTokenEncryption* values are the literal string "null" (an in-band sentinel). -->
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>U_SCMKqXqfJqSvyoD5LKFQ3Or7ka</oauthConsumerKey>
    <applicationName>samplesp</applicationName>
    <callbackUrl></callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>refresh_token password client_credentials </grantTypes>
    <scopeValidators>
        <scopeValidator>XACML Scope Validator</scopeValidator>
    </scopeValidators>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <userAccessTokenExpiryTime>360000</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>360000</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>846000</refreshTokenExpiryTime>
    <idTokenExpiryTime>360000</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>false</bypassClientCredentials>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <backChannelLogoutUrl></backChannelLogoutUrl>
    <tokenType>Default</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>samplesp</InboundAuthKey>
        <InboundAuthType>openid</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <!-- Local/outbound authentication: no explicit steps, "default" authentication type.
       EnableAuthorization is false. NOTE(review): whether this flag has to be true for the XACML
       scope validator to run is not shown on this page; confirm in the IS documentation. -->
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps/>
    <AuthenticationType>default</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>false</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <!-- Inbound and outbound provisioning are both disabled. -->
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <!-- Claims: local dialect, no explicit claim or role mappings. -->
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>true</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings/>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects/>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>

以下XACML配置除非有规则允许,否则拒绝。它仅对scope_name和username起作用,而不适用于其他条件(client_ip和特定的API URI)。它应该只允许具有/sample/.* URI和例如10.2.3.4 IP的请求,但我不知道该怎么做!

<!-- Policy "Apolicy2", rule-combining algorithm deny-unless-permit: the combined result is Permit
     only when some Rule evaluates to Permit; NotApplicable and Indeterminate results end as Deny.
     Nothing in this policy references the client IP or client_id the question asks about; the
     attribute identifiers the XACML scope validator exposes for those are not shown on this page,
     so they cannot be added from this listing alone. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="Apolicy2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1.0">
      <!-- Policy-level Target: applies only when resource-id matches the regex /sample/.*.
           MustBePresent="true" turns a missing resource-id into Indeterminate rather than
           NotApplicable; under deny-unless-permit both become Deny. NOTE(review): the question reports
           that only the username/scope checks take effect; if the scope-validation request does not
           carry a resource-id attribute at all, this Target is the first thing to check. Whether the
           regex is anchored depends on the spec version and PDP implementation; if only the /sample/
           prefix is meant, an explicitly anchored pattern such as ^/sample/.*$ removes the doubt. -->
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/sample/.*</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <!-- rule-1 is the only Permit path. Its Target is a single AllOf, so BOTH matches must hold:
           username equals "soheyl" AND the requested OAuth scope name equals "samplescope". The
           policy is therefore pinned to one hard-coded user. -->
      <Rule Effect="Permit" RuleId="rule-1">
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">soheyl</AttributeValue>
                     <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                  </Match>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplescope</AttributeValue>
                     <AttributeDesignator AttributeId="http://wso2.org/identity/oauth-scope/scope-name" Category="http://wso2.org/identity/oauth-scope" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                  </Match>
               </AllOf>
            </AnyOf>
         </Target>
         <!-- Condition: the service-provider name must equal "samplesp". string-one-and-only
              yields Indeterminate when sp-name is absent or has more than one value, which
              deny-unless-permit turns into Deny. -->
         <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                  <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Apply>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplesp</AttributeValue>
            </Apply>
         </Condition>
      </Rule>
   </Policy>   

1 个答案:

答案 0 :(得分:0)

在规则rule-1之后再添加一条规则,如下所示

<!-- NOTE(review): the policy above uses the deny-unless-permit combining algorithm, so an
     unconditional Deny rule is redundant: that algorithm already returns Deny whenever no rule
     evaluates to Permit, and a Permit from rule-1 still wins over this rule. It also adds none of
     the client-IP or URI conditions the question asks for. -->
<Rule Effect="Deny" RuleId="Deny-Rule"/>