我实施了wso2 Balana PDP。 我有一个简单的政策,鲍勃给予主题爱丽丝许可。当我评估来自Alice的请求时,即使没有可信策略,我也会返回一个Permit(我认为它应该返回NotApplicable)。
据我所知,至少有一个没有发行人(PolicyIssuer)的策略是归约图(reduction graph)的根(OASIS 规范)。
我是否需要以不同的方式实现策略查找器(PolicyFinder),还是我误解了管理的概念?
这是PDP代码:
package xacmlimplementation.wso2;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.NoSuchElementException;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.wso2.balana.Balana;
import org.wso2.balana.PDP;
import org.wso2.balana.PDPConfig;
import org.wso2.balana.ParsingException;
import org.wso2.balana.combine.PolicyCombiningAlgorithm;
import org.wso2.balana.combine.xacml2.FirstApplicablePolicyAlg;
import org.wso2.balana.ctx.AbstractResult;
import org.wso2.balana.ctx.ResponseCtx;
import org.wso2.balana.finder.AttributeFinderModule;
import org.wso2.balana.finder.PolicyFinder;
import org.wso2.balana.finder.PolicyFinderModule;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;
import org.xml.sax.SAXException;
import xacmlimplementation.engine.XacmlResult;
import xacmlimplementation.engine.XacmlResult.Decision;
import xacmlimplementation.engine.XacmlResult.ErrorType;
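public class TestBalana {

    /** Policy file handed to the file-based finder (placeholder path, as in the original listing). */
    private static final String POLICY_LOCATION = "/path/to/policy.xml";

    /** XACML request document to evaluate (placeholder path, as in the original listing). */
    private static final String REQUEST_LOCATION = "/path/to/request.xml";

    /**
     * Builds a Balana PDP over a single policy file, evaluates the request read from
     * {@link #REQUEST_LOCATION} and prints the decision of the first result.
     *
     * <p>Stops with a message on stderr when the request cannot be read or the response
     * cannot be parsed; no stack traces are dumped to the console.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        Set<String> policyLocations = new HashSet<>();
        policyLocations.add(POLICY_LOCATION);
        PDP pdp = buildPdp(policyLocations);

        String requestString;
        try {
            requestString = readRequest(REQUEST_LOCATION);
        } catch (IOException e) {
            System.err.println("Error reading " + REQUEST_LOCATION + ": " + e);
            return;
        }

        String response = pdp.evaluate(requestString);

        AbstractResult result;
        try {
            result = parseFirstResult(response);
        } catch (ParsingException e) {
            System.err.println("Error parsing xacml response: " + e.getMessage());
            return;
        } catch (NoSuchElementException e) {
            System.err.println("Result list is empty");
            return;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            System.err.println("Error reading xacml response: " + e);
            return;
        }

        System.out.println(describeDecision(result.getDecision()));
    }

    /**
     * Wires a PDP whose root policies come from the given file locations, reusing the
     * attribute finder of Balana's default configuration.
     *
     * @param policyLocations file paths the finder module loads
     * @return a PDP configured with only the file-based policy finder module
     */
    private static PDP buildPdp(Set<String> policyLocations) {
        Balana balana = Balana.getInstance();
        PDPConfig defaults = balana.getPdpConfig();

        // Sole root-policy source. The original author notes this module combines the files
        // it loads with deny-overrides; no combining algorithm is passed to it here, so the
        // FirstApplicablePolicyAlg the original created but never used has been dropped.
        PolicyFinderModule policyModule = new FileBasedPolicyFinderModule(policyLocations);
        Set<PolicyFinderModule> modules = new HashSet<>();
        modules.add(policyModule);
        PolicyFinder policyFinder = new PolicyFinder();
        policyFinder.setModules(modules);

        // Third PDPConfig argument deliberately left null, as in the original configuration.
        return new PDP(new PDPConfig(defaults.getAttributeFinder(), policyFinder, null));
    }

    /**
     * Reads the request document as UTF-8 text.
     *
     * <p>The original decoded with the platform default charset, which silently corrupts
     * non-ASCII attribute values on some JVM configurations.
     *
     * @param location path of the request file
     * @return the file contents
     * @throws IOException if the file cannot be read
     */
    private static String readRequest(String location) throws IOException {
        Path p = Paths.get(location);
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }

    /**
     * Parses the PDP's XML response into a {@link ResponseCtx} and returns its first result.
     *
     * @param response XML text returned by {@link PDP#evaluate(String)}
     * @return the first result of the response
     * @throws ParsingException if Balana rejects the response document
     * @throws NoSuchElementException if the response contains no results
     * @throws SAXException if the XML is not well-formed
     * @throws IOException if the in-memory stream fails (not expected)
     * @throws ParserConfigurationException if the hardened parser features are unsupported
     */
    private static AbstractResult parseFirstResult(String response)
            throws ParsingException, SAXException, IOException, ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Harden the DOM parser: no DTDs, no entity expansion, no XInclude. The response is
        // generated locally by the PDP, but a DocumentBuilderFactory with default settings is
        // the classic XXE sink, and a parser set up this way is safe to reuse for request XML.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        // try-with-resources replaces the separate close() block of the original; the bytes
        // are encoded explicitly as UTF-8 rather than with the platform default charset.
        try (ByteArrayInputStream in =
                new ByteArrayInputStream(response.getBytes(StandardCharsets.UTF_8))) {
            Document doc = dbf.newDocumentBuilder().parse(in);
            ResponseCtx responseCtx = ResponseCtx.getInstance(doc.getDocumentElement());
            Iterator<AbstractResult> it = responseCtx.getResults().iterator();
            return it.next();
        }
    }

    /**
     * Maps a Balana decision code to the label this tool prints; the four indeterminate
     * variants collapse to a single "Indeterminate".
     *
     * @param decision value of {@link AbstractResult#getDecision()}
     * @return the printable label
     */
    private static String describeDecision(int decision) {
        switch (decision) {
            case AbstractResult.DECISION_PERMIT:
                return "Permit";
            case AbstractResult.DECISION_DENY:
                return "Deny";
            case AbstractResult.DECISION_NOT_APPLICABLE:
                return "NotApplicable";
            case AbstractResult.DECISION_INDETERMINATE:
            case AbstractResult.DECISION_INDETERMINATE_PERMIT:
            case AbstractResult.DECISION_INDETERMINATE_DENY:
            case AbstractResult.DECISION_INDETERMINATE_DENY_OR_PERMIT:
                return "Indeterminate";
            default:
                return "Decision doesn't match Permit, Deny, NotApplicable, ...";
        }
    }
}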
政策:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" PolicySetId="PolicySet1" Version="1.0">
<Target/>
<Policy PolicyId="PolicyBobGrantsAliceAccess" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<PolicyIssuer>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bob</AttributeValue>
</Attribute>
</PolicyIssuer>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule1">
<Target/>
</Rule>
</Policy>
</PolicySet>
请求:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
</Attribute>
</Attributes>
</Request>