http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.pip.properties ----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.pip.properties b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.pip.properties
new file mode 100755
index 0000000..17ec3a2
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.pip.properties
@@ -0,0 +1,227 @@
+# PIP Engine Definition
+#
+xacml.pip.engines=csv1,csv2,hyper1
+
+ATTWebPhone.classname=com.att.research.xacmlatt.pip.webphone.PIPEngineATTWebphone
+CSO.classname=com.att.research.xacmlatt.pip.cso.PIPEngineCSOCookie
+CSO.mode=DEVL
+
+csv1.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv1.name=Master
+csv1.description=Sean Lahman Basebase stats - Player names, DOB, and biographical info
+csv1.issuer=com:att:research:xacml:test:csv
+csv1.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Master.txt
+csv1.maxsize=500000
+csv1.delimiter=,
+csv1.quote="
+csv1.skip=0
+
+csv1.resolvers=data
+
+csv1.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv1.resolver.data.name=Player Resolver
+csv1.resolver.data.description=This resolver finds player information in the Master table.
+csv1.resolver.data.fields=firstname,lastname,deathyear,deathmonth,deathday,debut,finalgame
+csv1.resolver.data.field.firstname.column=16
+csv1.resolver.data.field.firstname.id=com:att:research:xacml:test:csv:subject:firstname
+csv1.resolver.data.field.firstname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.firstname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.lastname.column=17
+csv1.resolver.data.field.lastname.id=com:att:research:xacml:test:csv:subject:lastname
+csv1.resolver.data.field.lastname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.lastname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathyear.column=10
+csv1.resolver.data.field.deathyear.id=com:att:research:xacml:test:csv:subject:deathyear
+csv1.resolver.data.field.deathyear.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathyear.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathmonth.column=11
+csv1.resolver.data.field.deathmonth.id=com:att:research:xacml:test:csv:subject:deathmonth
+csv1.resolver.data.field.deathmonth.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathmonth.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathday.column=12
+csv1.resolver.data.field.deathday.id=com:att:research:xacml:test:csv:subject:deathday
+csv1.resolver.data.field.deathday.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathday.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.debut.column=25
+csv1.resolver.data.field.debut.id=com:att:research:xacml:test:csv:subject:debut
+csv1.resolver.data.field.debut.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.debut.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.finalgame.column=26
+csv1.resolver.data.field.finalgame.id=com:att:research:xacml:test:csv:subject:finalgame
+csv1.resolver.data.field.finalgame.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.finalgame.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.parameters=playerid
+csv1.resolver.data.parameter.playerid.column=1
+csv1.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv1.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv2.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv2.name=Appearances
+csv2.description=Sean Lahman Basebase stats - Player appearances for a team in a given year.
+#csv2.issuer=
+csv2.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Appearances.txt
+csv2.maxsize=500000
+csv2.delimiter=,
+csv2.quote="
+csv2.skip=0
+
+csv2.resolvers=data
+
+csv2.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv2.resolver.data.name=Appearance Resolver
+csv2.resolver.data.description=This resolver returns all the appearances for a player from the appearance table.
+csv2.resolver.data.fields=appearance
+csv2.resolver.data.field.appearance.column=0
+csv2.resolver.data.field.appearance.id=com:att:research:xacml:test:csv:subject:appearance
+csv2.resolver.data.field.appearance.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv2.resolver.data.field.appearance.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+csv2.resolver.data.field.appearance.issuer=com:att:research:xacml:test:csv
+
+csv2.resolver.data.parameters=playerid
+csv2.resolver.data.parameter.playerid.column=3
+csv2.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv2.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv2.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#csv1.resolver.data.parameter.playerid.issuer=
+
+hyper1.classname=com.att.research.xacml.std.pip.engines.csv.HyperCSVEngine
+hyper1.name=World Marriage Age Limits
+hyper1.description=Minimum age for female/male marriages with or without their parental consent.
+hyper1.source=../XACML-TEST/testsets/pip/configurable-csv-hyper/marriage.csv
+hyper1.target=marriage
+hyper1.definition=country VARCHAR(80) PRIMARY KEY, wofemale INT, womale INT, wfemale INT, wmale INT, year INT, source VARCHAR(20)
+
+hyper1.resolvers=age_consent
+
+hyper1.resolver.age_consent.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+hyper1.resolver.age_consent.name=Ages
+hyper1.resolver.age_consent.description=This returns all the age's for consent or no consent for a country.
+hyper1.resolver.age_consent.select=SELECT wofemale,womale,wfemale,wmale FROM marriage WHERE country=?
+hyper1.resolver.age_consent.fields=wofemale,womale,wfemale,wmale
+
+hyper1.resolver.age_consent.field.wofemale.id=com:att:research:xacml:test:csv:country:no-consent:female
+hyper1.resolver.age_consent.field.wofemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wofemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wofemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.womale.id=com:att:research:xacml:test:csv:country:no-consent:male
+hyper1.resolver.age_consent.field.womale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.womale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.womale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wfemale.id=com:att:research:xacml:test:csv:country:consent:female
+hyper1.resolver.age_consent.field.wfemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wfemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wfemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wmale.id=com:att:research:xacml:test:csv:country:consent:male
+hyper1.resolver.age_consent.field.wmale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wmale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wmale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.parameters=country
+hyper1.resolver.age_consent.parameter.country.id=com:att:research:xacml:test:csv:country:name
+hyper1.resolver.age_consent.parameter.country.datatype=http://www.w3.org/2001/XMLSchema#string
+hyper1.resolver.age_consent.parameter.country.category=com:att:research:xacml:test:csv:category:country
+#hyper1.resolver.age_consent.parameter.country.issuer=
+
+sql1.classname=com.att.research.xacml.std.pip.engines.jdbc.JDBCEngine
+sql1.name=World
+sql1.description=World Database from MySQL website. Copyright Statistics Finland, http://www.stat.fi/worldinfigures.
+# This will be the default issuer for the resolvers. NOTE: Issuer only used for attributes provided by the engine.
+sql1.issuer=com:att:research:xacml:test:sql
+#
+# This is the configuration for JDBC. You will have to setup the database and run the data\world*.sql script to
+# create the tables and load the data.
+#
+sql1.type=jdbc
+sql1.jdbc.driver=org.postgresql.Driver
+#sql1.jdbc.url=jdbc:postgresql://localhost:5432/world
+#sql1.jdbc.conn.user=sa
+#sql1.jdbc.conn.password=
+sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world
+sql1.jdbc.conn.user=pip
+sql1.jdbc.conn.password=p1pUs3r
+#
+# This is the configuration for JNDI datasource.
+#
+#sql1.type=jndi
+#sql1.datasource=jdbc/xacml
+
+sql1.resolvers=langer
+
+sql1.resolver.langer.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+sql1.resolver.langer.name=Language
+sql1.resolver.langer.description=This returns the language for a city.
+sql1.resolver.langer.select=SELECT language FROM city INNER JOIN countrylanguage ON city.countrycode = countrylanguage.countrycode WHERE name=?
+sql1.resolver.langer.fields=language
+sql1.resolver.langer.field.language.id=com:att:research:xacml:test:sql:resource:city:language
+sql1.resolver.langer.field.language.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.field.language.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+#You can override the default issuer that is set in the JDBCEngine definition if you want.
+#sql1.resolver.langer.field.language.issuer=com:att:research:xacml:test:sql
+sql1.resolver.langer.parameters=name
+sql1.resolver.langer.parameter.name.id=urn:oasis:names:tc:xacml:1.0:resource:resource-id
+sql1.resolver.langer.parameter.name.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.parameter.name.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+
+
+ldap1.classname=com.att.research.xacml.std.pip.engines.ldap.LDAPEngine
+ldap1.name=LDAP PIP
+ldap1.description=The LDAP containing the seven seas sample LDIF data.
+ldap1.issuer=com:att:research:xacml:test:ldap
+ldap1.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+#
+# NOTE: You will have to setup a local LDAP server and load the data\apache-ds-tutorial.ldif before
+# this example will work.
+#
+#ldap1.java.naming.provider.url=ldap://localhost:10389
+ldap1.java.naming.provider.url=ldap://xacml-pip.research.att.com:10389
+#ldap.java.naming.security.principal=
+#ldap.java.naming.security.credentials=
+ldap1.scope=subtree
+
+ldap1.resolvers=dn,ship
+
+ldap1.resolver.dn.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.dn.name=Domain Names
+ldap1.resolver.dn.description=Find all the dn's for the subject id
+ldap1.resolver.dn.base=o=sevenseas
+ldap1.resolver.dn.base.parameters=
+ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))
+ldap1.resolver.dn.filter.parameters=uid
+ldap1.resolver.dn.filter.parameters.uid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+ldap1.resolver.dn.filter.parameters.uid.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.parameters.uid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#ldap1.resolver.dn.filter.parameters.uid.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.dn.filter.view=dn
+ldap1.resolver.dn.filter.view.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.dn.filter.view.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.view.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.dn.filter.view.dn.issuer=com:att:research:xacml:test:ldap
+
+ldap1.resolver.ship.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.ship.name=Ship Resolver
+ldap1.resolver.ship.description=This resolves a subject's dn to a ship.
+ldap1.resolver.ship.base=o=sevenseas
+ldap1.resolver.ship.base.parameters=
+ldap1.resolver.ship.filter=uniquemember=${dn}
+ldap1.resolver.ship.filter.parameters=dn
+ldap1.resolver.ship.filter.parameters.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.ship.filter.parameters.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.parameters.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.parameters.dn.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.ship.filter.view=cn
+ldap1.resolver.ship.filter.view.cn.id=com:att:research:xacml:test:ldap:subject:ship
+ldap1.resolver.ship.filter.view.cn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.view.cn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.view.cn.issuer=com:att:research:xacml:test:ldap
+
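Review bot: `sql1.jdbc.conn.password=p1pUs3r`, together with `sql1.jdbc.conn.user=pip` and the internal host in `sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world` (the same host is used by `ldap1.java.naming.provider.url`), commits a credential to a public repository; `xacml.pip.engines=csv1,csv2,hyper1` leaves sql1 and ldap1 disabled, but the value is in history regardless and should be treated as exposed and rotated. Ship the commented localhost form that is already in the file (`#sql1.jdbc.url=jdbc:postgresql://localhost:5432/world`, `#sql1.jdbc.conn.user=sa`, `#sql1.jdbc.conn.password=`) as the checked-in default, or use the JNDI variant the file sketches (`#sql1.type=jndi`, `#sql1.datasource=jdbc/xacml`) so the secret is supplied by the container rather than by this properties file. The commented `#csv1.resolver.data.parameter.playerid.issuer=` under the csv2 section is a copy-paste leftover and should read `#csv2.resolver.data.parameter.playerid.issuer=`. `ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))` interpolates the caller-supplied subject-id into an LDAP search filter; whether ConfigurableLDAPResolver escapes filter metacharacters is not visible from this file, so a comment above that line recording the escaping contract would help the next deployer. The configurable-csv-hyper copy of this file appears to repeat the same sections, but its hunk is cut off in this view.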
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.policy.properties ----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.policy.properties b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.policy.properties
new file mode 100755
index 0000000..6c2cb20
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/xacml.policy.properties
@@ -0,0 +1,8 @@
+xacml.rootPolicies=CSV-Baseball-Hall-Of-Fame-v1.xml,CSV-Legal-Age-Marriage-v1.xml
+xacml.referencedPolicies=
+
+
+CSV-Baseball-Hall-Of-Fame-v1.xml.url=http://localhost:9090/pap/?id=CSV-Baseball-Hall-Of-Fame-v1.xml
+
+CSV-Legal-Age-Marriage-v1.xml.url=http://localhost:9090/pap/?id=CSV-Legal-Age-Marriage-v1.xml
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/CSV-Legal-Age-Marriage-v1.xml ----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/CSV-Legal-Age-Marriage-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/CSV-Legal-Age-Marriage-v1.xml
new file mode 100755
index 0000000..15e25ed
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/CSV-Legal-Age-Marriage-v1.xml
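Review bot: The two `*.xml.url` entries load the PDP's root policies from `http://localhost:9090/pap/?id=...` over cleartext HTTP, and nothing in this file pins or verifies what is received; that is acceptable for the local sample, but a deployer who points these at a remote PAP would be loading authorization policy over a channel in which it can be altered in transit. Add a comment above them, e.g. `# Sample only: cleartext localhost PAP; use an https PAP URL for any non-local PDP.`. `xacml.referencedPolicies=` is empty without explanation; a short comment such as `# this sample has no referenced policies` would keep it from being read as an omission.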
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="urn:com:att:xacml:policy:id:98779898-b880-44d7-bee5-ce54e42266eb" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
+ <Description>Sample policy for the XACML-TEST project that tests the configurable CSV PIP.</Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Marry</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Policy PolicyId="urn:com:att:xacml:policy:id:c6791398-7e1f-4564-8f5c-19f406ea9950" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
+ <Description>Checks the subject.</Description>
+ <Target/>
+ <VariableDefinition VariableId="isSubjectFemale">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+ <Description>sex=Female</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <Description>un-bag</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Female</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="isSubjectMale">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+ <Description>subject sex=Male</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <Description>Un-bag</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Male</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="doesSubjectNeedParentalConsent">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+ <Description>Is the subject a female OR male?</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Description>Is female AND does not need parental consent.</Description>
+ <VariableReference VariableId="isSubjectFemale"/>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
+ <Description>age >= consent age</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag attribute.</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag attribute.</Description>
+ <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:female" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Description>Is subject male AND age >= male consent age.</Description>
+ <VariableReference VariableId="isSubjectMale"/>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
+ <Description>age >= legal age of consent for male.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag attribute.</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag attribute.</Description>
+ <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:male" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="doesSubjectHaveParentalConsent">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:parental-consent" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <Rule RuleId="urn:com:att:xacml:rule:id:5970b5d2-c0f3-4132-bfa2-268467b21ed7" Effect="Permit">
+ <Description>If the subject does NOT need consent, then PERMIT.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesSubjectNeedParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:com:att:xacml:rule:id:04b3e93d-ec4e-4cce-a00e-6a54cf3c4056" Effect="Permit">
+ <Description>If the subject needs consent AND has parental consent, then Permit.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesSubjectNeedParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesSubjectHaveParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:com:att:xacml:policy:id:32474315-9d06-47a4-bc2d-319e0568742c" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
+ <Description>Check the resource.</Description>
+ <Target/>
+ <VariableDefinition VariableId="isResourceFemale">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+ <Description>sex=Female</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <Description>un-bag</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Female</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="isResourceMale">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+ <Description>subject sex=Male</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <Description>Un-bag</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Male</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="doesResourceNeedParentalConsent">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+ <Description>Is resource female OR male?</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Description>Is female AND does not need parental consent.</Description>
+ <VariableReference VariableId="isResourceFemale"/>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
+ <Description>age >= consent age for female.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag attribute</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>un-bag attribute</Description>
+ <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:female" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Description>Is male and AND does not need parental consent.</Description>
+ <VariableReference VariableId="isResourceMale"/>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
+ <Description>age >= consent age for male.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <Description>Un-bag</Description>
+ <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:male" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="doesResourceHaveParentalConsent">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:parental-consent" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="true"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ </VariableDefinition>
+ <Rule RuleId="urn:com:att:xacml:rule:id:7d1c6802-97f7-44f6-9819-12edc1801fb7" Effect="Permit">
+ <Description>If the resource does NOT need consent, then PERMIT.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesResourceNeedParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:com:att:xacml:rule:id:62e07da4-f0e5-46eb-9894-f5e6d2e5868b" Effect="Permit">
+ <Description>The resources needs parental consent and has parental consent then PERMIT.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesResourceNeedParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
+ <VariableReference VariableId="doesResourceHaveParentalConsent"/>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+</PolicySet>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.pip.properties ----------------------------------------------------------------------
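Review bot: Rule `urn:com:att:xacml:rule:id:5970b5d2-c0f3-4132-bfa2-268467b21ed7` permits whenever `doesSubjectNeedParentalConsent` is false, but that variable is an `or` of two `and` branches each gated on `isSubjectFemale` or `isSubjectMale`, so a request whose `com:att:research:xacml:test:csv:subject:sex` is present with any other value makes both branches false and the rule permits with no age check at all (an absent attribute is covered: `MustBePresent="true"` yields Indeterminate and deny-unless-permit denies). The rule's condition should additionally require that one of the two sex variables is true, as in the excerpt below; rule `7d1c6802-97f7-44f6-9819-12edc1801fb7` in the resource policy has the same shape and needs the same guard. The `<Description>` texts inside both `...NeedParentalConsent` definitions state the opposite of the logic — `integer-less-than(age, no-consent-age)` is true when the age is below the threshold, i.e. consent is needed — so `Is female AND does not need parental consent.` and `age >= consent age` should read `Is female AND age is below the no-consent age (needs parental consent).` and `age < no-consent age`. In the resource policy the male branch alone uses `MustBePresent="false"` on `...resource:age` and omits `Issuer="com:att:research:xacml:test:csv"` on the `...country:no-consent:male` designator, unlike the other three branches; if that is not intentional, align it with the female branch.
```xml
<!-- … unchanged: VariableDefinitions … -->
<Rule RuleId="urn:com:att:xacml:rule:id:5970b5d2-c0f3-4132-bfa2-268467b21ed7" Effect="Permit">
  <Description>If the subject's sex is recognised AND the subject does NOT need consent, then PERMIT.</Description>
  <Target/>
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <VariableReference VariableId="isSubjectFemale"/>
        <VariableReference VariableId="isSubjectMale"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <VariableReference VariableId="doesSubjectNeedParentalConsent"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
      </Apply>
    </Apply>
  </Condition>
</Rule>
<!-- … unchanged: second Rule, resource Policy (apply the same guard to rule 7d1c6802) … -->
```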
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.pip.properties b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.pip.properties
new file mode 100755
index 0000000..5f66428
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.pip.properties
@@ -0,0 +1,227 @@
+# PIP Engine Definition
+#
+xacml.pip.engines=hyper1
+
+ATTWebPhone.classname=com.att.research.xacmlatt.pip.webphone.PIPEngineATTWebphone
+CSO.classname=com.att.research.xacmlatt.pip.cso.PIPEngineCSOCookie
+CSO.mode=DEVL
+
+csv1.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv1.name=Master
+csv1.description=Sean Lahman Basebase stats - Player names, DOB, and biographical info
+csv1.issuer=com:att:research:xacml:test:csv
+csv1.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Master.txt
+csv1.maxsize=500000
+csv1.delimiter=,
+csv1.quote="
+csv1.skip=0
+
+csv1.resolvers=data
+
+csv1.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv1.resolver.data.name=Player Resolver
+csv1.resolver.data.description=This resolver finds player information in the Master table.
+csv1.resolver.data.fields=firstname,lastname,deathyear,deathmonth,deathday,debut,finalgame
+csv1.resolver.data.field.firstname.column=16
+csv1.resolver.data.field.firstname.id=com:att:research:xacml:test:csv:subject:firstname
+csv1.resolver.data.field.firstname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.firstname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.lastname.column=17
+csv1.resolver.data.field.lastname.id=com:att:research:xacml:test:csv:subject:lastname
+csv1.resolver.data.field.lastname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.lastname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathyear.column=10
+csv1.resolver.data.field.deathyear.id=com:att:research:xacml:test:csv:subject:deathyear
+csv1.resolver.data.field.deathyear.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathyear.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathmonth.column=11
+csv1.resolver.data.field.deathmonth.id=com:att:research:xacml:test:csv:subject:deathmonth
+csv1.resolver.data.field.deathmonth.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathmonth.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathday.column=12
+csv1.resolver.data.field.deathday.id=com:att:research:xacml:test:csv:subject:deathday
+csv1.resolver.data.field.deathday.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathday.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.debut.column=25
+csv1.resolver.data.field.debut.id=com:att:research:xacml:test:csv:subject:debut
+csv1.resolver.data.field.debut.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.debut.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.finalgame.column=26
+csv1.resolver.data.field.finalgame.id=com:att:research:xacml:test:csv:subject:finalgame
+csv1.resolver.data.field.finalgame.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.finalgame.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.parameters=playerid
+csv1.resolver.data.parameter.playerid.column=1
+csv1.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv1.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv2.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv2.name=Appearances
+csv2.description=Sean Lahman Basebase stats - Player appearances for a team in a given year.
+#csv2.issuer=
+csv2.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Appearances.txt
+csv2.maxsize=500000
+csv2.delimiter=,
+csv2.quote="
+csv2.skip=0
+
+csv2.resolvers=data
+
+csv2.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv2.resolver.data.name=Appearance Resolver
+csv2.resolver.data.description=This resolver returns all the appearances for a player from the appearance table.
+csv2.resolver.data.fields=appearance
+csv2.resolver.data.field.appearance.column=0
+csv2.resolver.data.field.appearance.id=com:att:research:xacml:test:csv:subject:appearance
+csv2.resolver.data.field.appearance.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv2.resolver.data.field.appearance.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+csv2.resolver.data.field.appearance.issuer=com:att:research:xacml:test:csv
+
+csv2.resolver.data.parameters=playerid
+csv2.resolver.data.parameter.playerid.column=3
+csv2.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv2.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv2.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#csv1.resolver.data.parameter.playerid.issuer=
+
+hyper1.classname=com.att.research.xacml.std.pip.engines.csv.HyperCSVEngine
+hyper1.name=World Marriage Age Limits
+hyper1.description=Minimum age for female/male marriages with or without their parental consent.
+hyper1.source=../XACML-TEST/testsets/pip/configurable-csv-hyper/marriage.csv
+hyper1.target=marriage
+hyper1.definition=country VARCHAR(80) PRIMARY KEY, wofemale INT, womale INT, wfemale INT, wmale INT, year INT, source VARCHAR(20)
+
+hyper1.resolvers=age_consent
+
+hyper1.resolver.age_consent.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+hyper1.resolver.age_consent.name=Ages
+hyper1.resolver.age_consent.description=This returns all the age's for consent or no consent for a country.
+hyper1.resolver.age_consent.select=SELECT wofemale,womale,wfemale,wmale FROM marriage WHERE country=?
+hyper1.resolver.age_consent.fields=wofemale,womale,wfemale,wmale
+
+hyper1.resolver.age_consent.field.wofemale.id=com:att:research:xacml:test:csv:country:no-consent:female
+hyper1.resolver.age_consent.field.wofemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wofemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wofemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.womale.id=com:att:research:xacml:test:csv:country:no-consent:male
+hyper1.resolver.age_consent.field.womale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.womale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.womale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wfemale.id=com:att:research:xacml:test:csv:country:consent:female
+hyper1.resolver.age_consent.field.wfemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wfemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wfemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wmale.id=com:att:research:xacml:test:csv:country:consent:male
+hyper1.resolver.age_consent.field.wmale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wmale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wmale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.parameters=country
+hyper1.resolver.age_consent.parameter.country.id=com:att:research:xacml:test:csv:country:name
+hyper1.resolver.age_consent.parameter.country.datatype=http://www.w3.org/2001/XMLSchema#string
+hyper1.resolver.age_consent.parameter.country.category=com:att:research:xacml:test:csv:category:country
+#hyper1.resolver.age_consent.parameter.country.issuer=
+
+sql1.classname=com.att.research.xacml.std.pip.engines.jdbc.JDBCEngine
+sql1.name=World
+sql1.description=World Database from MySQL website. Copyright Statistics Finland, http://www.stat.fi/worldinfigures.
+# This will be the default issuer for the resolvers. NOTE: Issuer only used for attributes provided by the engine.
+sql1.issuer=com:att:research:xacml:test:sql
+#
+# This is the configuration for JDBC. You will have to setup the database and run the data\world*.sql script to
+# create the tables and load the data.
+#
+sql1.type=jdbc
+sql1.jdbc.driver=org.postgresql.Driver
+#sql1.jdbc.url=jdbc:postgresql://localhost:5432/world
+#sql1.jdbc.conn.user=sa
+#sql1.jdbc.conn.password=
+sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world
+sql1.jdbc.conn.user=pip
+sql1.jdbc.conn.password=p1pUs3r
+#
+# This is the configuration for JNDI datasource.
+#
+#sql1.type=jndi
+#sql1.datasource=jdbc/xacml
+
+sql1.resolvers=langer
+
+sql1.resolver.langer.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+sql1.resolver.langer.name=Language
+sql1.resolver.langer.description=This returns the language for a city.
+sql1.resolver.langer.select=SELECT language FROM city INNER JOIN countrylanguage ON city.countrycode = countrylanguage.countrycode WHERE name=?
+sql1.resolver.langer.fields=language
+sql1.resolver.langer.field.language.id=com:att:research:xacml:test:sql:resource:city:language
+sql1.resolver.langer.field.language.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.field.language.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+#You can override the default issuer that is set in the JDBCEngine definition if you want.
+#sql1.resolver.langer.field.language.issuer=com:att:research:xacml:test:sql
+sql1.resolver.langer.parameters=name
+sql1.resolver.langer.parameter.name.id=urn:oasis:names:tc:xacml:1.0:resource:resource-id
+sql1.resolver.langer.parameter.name.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.parameter.name.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+
+
+ldap1.classname=com.att.research.xacml.std.pip.engines.ldap.LDAPEngine
+ldap1.name=LDAP PIP
+ldap1.description=The LDAP containing the seven seas sample LDIF data.
+ldap1.issuer=com:att:research:xacml:test:ldap
+ldap1.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+#
+# NOTE: You will have to setup a local LDAP server and load the data\apache-ds-tutorial.ldif before
+# this example will work.
+#
+#ldap1.java.naming.provider.url=ldap://localhost:10389
+ldap1.java.naming.provider.url=ldap://xacml-pip.research.att.com:10389
+#ldap.java.naming.security.principal=
+#ldap.java.naming.security.credentials=
+ldap1.scope=subtree
+
+ldap1.resolvers=dn,ship
+
+ldap1.resolver.dn.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.dn.name=Domain Names
+ldap1.resolver.dn.description=Find all the dn's for the subject id
+ldap1.resolver.dn.base=o=sevenseas
+ldap1.resolver.dn.base.parameters=
+ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))
+ldap1.resolver.dn.filter.parameters=uid
+ldap1.resolver.dn.filter.parameters.uid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+ldap1.resolver.dn.filter.parameters.uid.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.parameters.uid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#ldap1.resolver.dn.filter.parameters.uid.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.dn.filter.view=dn
+ldap1.resolver.dn.filter.view.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.dn.filter.view.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.view.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.dn.filter.view.dn.issuer=com:att:research:xacml:test:ldap
+
+ldap1.resolver.ship.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.ship.name=Ship Resolver
+ldap1.resolver.ship.description=This resolves a subject's dn to a ship.
+ldap1.resolver.ship.base=o=sevenseas
+ldap1.resolver.ship.base.parameters=
+ldap1.resolver.ship.filter=uniquemember=${dn}
+ldap1.resolver.ship.filter.parameters=dn
+ldap1.resolver.ship.filter.parameters.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.ship.filter.parameters.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.parameters.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.parameters.dn.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.ship.filter.view=cn
+ldap1.resolver.ship.filter.view.cn.id=com:att:research:xacml:test:ldap:subject:ship
+ldap1.resolver.ship.filter.view.cn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.view.cn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.view.cn.issuer=com:att:research:xacml:test:ldap
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.policy.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.policy.properties b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.policy.properties
new file mode 100755
index 0000000..273f36d
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-hyper/xacml.policy.properties
@@ -0,0 +1,6 @@
+xacml.rootPolicies=CSV-Legal-Age-Marriage-v1.xml
+xacml.referencedPolicies=
+
+
+CSV-Legal-Age-Marriage-v1.xml.url=http://localhost:9090/pap/?id=CSV-Legal-Age-Marriage-v1.xml
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv/CSV-Baseball-Hall-Of-Fame-v1.xml
----------------------------------------------------------------------
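Review bot: `sql1.jdbc.conn.password=p1pUs3r`, `sql1.jdbc.conn.user=pip` and `sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world` put a real-looking database credential and an internal hostname into the repository, and `sql1` is not even enabled by `xacml.pip.engines=hyper1`, so nothing in this PDP needs them; the same lines recur in `openaz-xacml-pap-rest/pdps/configurable-csv/xacml.pip.properties` later in this commit. Keep only the `localhost` example and leave the secret to be supplied at deploy time, e.g. `sql1.jdbc.url=jdbc:postgresql://localhost:5432/world` and `sql1.jdbc.conn.password=` under a comment `# set at deploy time; never commit a real password`, and treat the committed value as exposed if it was ever valid on that host. `ldap1.java.naming.provider.url=ldap://xacml-pip.research.att.com:10389` has the same shape (internal host, plain ldap://), and the commented `#ldap.java.naming.security.principal=` / `#ldap.java.naming.security.credentials=` lines lack the `ldap1.` prefix every other key in the section carries, so uncommenting them would presumably be ignored. Whether `ConfigurableLDAPResolver` escapes the request-supplied `${uid}` before substituting it into `ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))` is not visible here; confirm that it does, since subject-id comes straight from the PEP request. Smaller copy-paste slip: `#csv1.resolver.data.parameter.playerid.issuer=` sits in the csv2 resolver block and should read `#csv2.resolver.data.parameter.playerid.issuer=`.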
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv/CSV-Baseball-Hall-Of-Fame-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-csv/CSV-Baseball-Hall-Of-Fame-v1.xml
new file mode 100755
index 0000000..68c7783
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv/CSV-Baseball-Hall-Of-Fame-v1.xml
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="urn:com:att:xacml:policy:id:f3047eab-6f97-49b4-8127-a2737a184b35" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
+ <Description>This policy enforces the BBWAA rules for baseball Hall of Fame induction.
+
+http://baseballhall.org/hall-famers/rules-election/bbwaa
+</Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">eligible</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HOF</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Policy PolicyId="urn:com:att:xacml:policy:id:8f295c67-7b6e-4db6-b558-005b36abd970" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>Active Timeframe:
+
+A. A baseball player must have been active as a player in the Major Leagues at some time during a period beginning twenty (20) years before and ending five (5) years prior to election.</Description>
+ <Target/>
+ <Rule RuleId="urn:com:att:xacml:rule:id:f04b2700-1236-4066-81e4-e341b5b2f3b5" Effect="Permit">
+ <Description>Player's debut date >= (today's date - 20 years) AND final date <= (today's date - 5 years).</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Description>debut within 20 years AND final game more than 5 years ago.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
+ <Description>Debut date <= (today's date - 20 years)</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
+ <Description>UN-bag player's debut date.</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:debut" DataType="http://www.w3.org/2001/XMLSchema#date" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration">
+ <Description>Subtract 20 years from today's date.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
+<Description>UN-bag today's date.</Description>
+<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#yearMonthDuration">P20Y</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
+ <Description>Final Game <= (today's date - 5 years)</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
+ <Description>UN-bag final game date</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:finalgame" DataType="http://www.w3.org/2001/XMLSchema#date" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration">
+ <Description>Subtract 5 years from today's date.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
+<Description>UN-bag today's date.</Description>
+<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#yearMonthDuration">P5Y</AttributeValue>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:com:att:xacml:rule:id:33a42a79-9d82-4aa1-99d3-9fd168363695" Effect="Deny">
+ <Description>DENY - Default</Description>
+ <Target/>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:com:att:xacml:policy:id:1bf74cc4-658f-4e87-be22-5d5cb741f1f5" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>B. Player must have played in each of ten (10) Major League championship seasons, some part of which must have been within the period described in 3 (A).</Description>
+ <Target/>
+ <Rule RuleId="urn:com:att:xacml:rule:id:54405c39-a3f6-4a88-89bd-084f68567acd" Effect="Permit">
+ <Description>There should be >= 10 years of appearance(s) values.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
+ <Description>The number of years a player appeared.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag-size">
+ <Description>Count the number.</Description>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:appearance" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/>
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:com:att:xacml:rule:id:912dd1a2-1527-4b6f-a95b-6a729ff9caab" Effect="Deny">
+ <Description>DENY - Default</Description>
+ <Target/>
+ </Rule>
+ </Policy>
+</PolicySet>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.pip.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.pip.properties b/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.pip.properties
new file mode 100755
index 0000000..ebd0904
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.pip.properties
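Review bot: The Permit rule's `<Description>Player's debut date >= (today's date - 20 years) AND final date <= (today's date - 5 years).</Description>` contradicts the condition beneath it, which applies `date-less-than-or-equal` to the debut date and today minus `P20Y`, i.e. debut <= today - 20 years, exactly as the inner `<Description>Debut date <= (today's date - 20 years)</Description>` says. Read against the BBWAA text quoted in the Policy Description (active at some time in the window from 20 years before to 5 years before election), the overlap test would be debut <= today - 5 years AND final game >= today - 20 years, so it looks as if both comparisons and not just the wording are inverted; worth checking against the test requests this policy ships with. Whichever is intended, make the Rule Description state the operators actually used, e.g. `<Description>Debut date <= (today's date - 20 years) AND final game date <= (today's date - 5 years).</Description>`. Separately, with `MustBePresent="false"` an empty bag from the CSV PIP makes `date-one-and-only` evaluate to Indeterminate rather than false, so a player with no debut or finalgame value never reaches the `DENY - Default` rule under first-applicable and the overall decision may come back Indeterminate instead of Deny.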
@@ -0,0 +1,227 @@
+# PIP Engine Definition
+#
+xacml.pip.engines=csv1,csv2
+
+ATTWebPhone.classname=com.att.research.xacmlatt.pip.webphone.PIPEngineATTWebphone
+CSO.classname=com.att.research.xacmlatt.pip.cso.PIPEngineCSOCookie
+CSO.mode=DEVL
+
+csv1.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv1.name=Master
+csv1.description=Sean Lahman Basebase stats - Player names, DOB, and biographical info
+csv1.issuer=com:att:research:xacml:test:csv
+csv1.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Master.txt
+csv1.maxsize=500000
+csv1.delimiter=,
+csv1.quote="
+csv1.skip=0
+
+csv1.resolvers=data
+
+csv1.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv1.resolver.data.name=Player Resolver
+csv1.resolver.data.description=This resolver finds player information in the Master table.
+csv1.resolver.data.fields=firstname,lastname,deathyear,deathmonth,deathday,debut,finalgame
+csv1.resolver.data.field.firstname.column=16
+csv1.resolver.data.field.firstname.id=com:att:research:xacml:test:csv:subject:firstname
+csv1.resolver.data.field.firstname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.firstname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.lastname.column=17
+csv1.resolver.data.field.lastname.id=com:att:research:xacml:test:csv:subject:lastname
+csv1.resolver.data.field.lastname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.lastname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathyear.column=10
+csv1.resolver.data.field.deathyear.id=com:att:research:xacml:test:csv:subject:deathyear
+csv1.resolver.data.field.deathyear.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathyear.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathmonth.column=11
+csv1.resolver.data.field.deathmonth.id=com:att:research:xacml:test:csv:subject:deathmonth
+csv1.resolver.data.field.deathmonth.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathmonth.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathday.column=12
+csv1.resolver.data.field.deathday.id=com:att:research:xacml:test:csv:subject:deathday
+csv1.resolver.data.field.deathday.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathday.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.debut.column=25
+csv1.resolver.data.field.debut.id=com:att:research:xacml:test:csv:subject:debut
+csv1.resolver.data.field.debut.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.debut.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.finalgame.column=26
+csv1.resolver.data.field.finalgame.id=com:att:research:xacml:test:csv:subject:finalgame
+csv1.resolver.data.field.finalgame.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.finalgame.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.parameters=playerid
+csv1.resolver.data.parameter.playerid.column=1
+csv1.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv1.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv2.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv2.name=Appearances
+csv2.description=Sean Lahman Basebase stats - Player appearances for a team in a given year.
+#csv2.issuer=
+csv2.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Appearances.txt
+csv2.maxsize=500000
+csv2.delimiter=,
+csv2.quote="
+csv2.skip=0
+
+csv2.resolvers=data
+
+csv2.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv2.resolver.data.name=Appearance Resolver
+csv2.resolver.data.description=This resolver returns all the appearances for a player from the appearance table.
+csv2.resolver.data.fields=appearance
+csv2.resolver.data.field.appearance.column=0
+csv2.resolver.data.field.appearance.id=com:att:research:xacml:test:csv:subject:appearance
+csv2.resolver.data.field.appearance.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv2.resolver.data.field.appearance.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+csv2.resolver.data.field.appearance.issuer=com:att:research:xacml:test:csv
+
+csv2.resolver.data.parameters=playerid
+csv2.resolver.data.parameter.playerid.column=3
+csv2.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv2.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv2.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#csv1.resolver.data.parameter.playerid.issuer=
+
+hyper1.classname=com.att.research.xacml.std.pip.engines.csv.HyperCSVEngine
+hyper1.name=World Marriage Age Limits
+hyper1.description=Minimum age for female/male marriages with or without their parental consent.
+hyper1.source=../XACML-TEST/testsets/pip/configurable-csv-hyper/marriage.csv
+hyper1.target=marriage
+hyper1.definition=country VARCHAR(80) PRIMARY KEY, wofemale INT, womale INT, wfemale INT, wmale INT, year INT, source VARCHAR(20)
+
+hyper1.resolvers=age_consent
+
+hyper1.resolver.age_consent.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+hyper1.resolver.age_consent.name=Ages
+hyper1.resolver.age_consent.description=This returns all the age's for consent or no consent for a country.
+hyper1.resolver.age_consent.select=SELECT wofemale,womale,wfemale,wmale FROM marriage WHERE country=?
+hyper1.resolver.age_consent.fields=wofemale,womale,wfemale,wmale
+
+hyper1.resolver.age_consent.field.wofemale.id=com:att:research:xacml:test:csv:country:no-consent:female
+hyper1.resolver.age_consent.field.wofemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wofemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wofemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.womale.id=com:att:research:xacml:test:csv:country:no-consent:male
+hyper1.resolver.age_consent.field.womale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.womale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.womale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wfemale.id=com:att:research:xacml:test:csv:country:consent:female
+hyper1.resolver.age_consent.field.wfemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wfemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wfemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wmale.id=com:att:research:xacml:test:csv:country:consent:male
+hyper1.resolver.age_consent.field.wmale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wmale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wmale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.parameters=country
+hyper1.resolver.age_consent.parameter.country.id=com:att:research:xacml:test:csv:country:name
+hyper1.resolver.age_consent.parameter.country.datatype=http://www.w3.org/2001/XMLSchema#string
+hyper1.resolver.age_consent.parameter.country.category=com:att:research:xacml:test:csv:category:country
+#hyper1.resolver.age_consent.parameter.country.issuer=
+
+sql1.classname=com.att.research.xacml.std.pip.engines.jdbc.JDBCEngine
+sql1.name=World
+sql1.description=World Database from MySQL website. Copyright Statistics Finland, http://www.stat.fi/worldinfigures.
+# This will be the default issuer for the resolvers. NOTE: Issuer only used for attributes provided by the engine.
+sql1.issuer=com:att:research:xacml:test:sql
+#
+# This is the configuration for JDBC. You will have to setup the database and run the data\world*.sql script to
+# create the tables and load the data.
+#
+sql1.type=jdbc
+sql1.jdbc.driver=org.postgresql.Driver
+#sql1.jdbc.url=jdbc:postgresql://localhost:5432/world
+#sql1.jdbc.conn.user=sa
+#sql1.jdbc.conn.password=
+sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world
+sql1.jdbc.conn.user=pip
+sql1.jdbc.conn.password=p1pUs3r
+#
+# This is the configuration for JNDI datasource.
+#
+#sql1.type=jndi
+#sql1.datasource=jdbc/xacml
+
+sql1.resolvers=langer
+
+sql1.resolver.langer.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+sql1.resolver.langer.name=Language
+sql1.resolver.langer.description=This returns the language for a city.
+sql1.resolver.langer.select=SELECT language FROM city INNER JOIN countrylanguage ON city.countrycode = countrylanguage.countrycode WHERE name=?
+sql1.resolver.langer.fields=language
+sql1.resolver.langer.field.language.id=com:att:research:xacml:test:sql:resource:city:language
+sql1.resolver.langer.field.language.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.field.language.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+#You can override the default issuer that is set in the JDBCEngine definition if you want.
+#sql1.resolver.langer.field.language.issuer=com:att:research:xacml:test:sql
+sql1.resolver.langer.parameters=name
+sql1.resolver.langer.parameter.name.id=urn:oasis:names:tc:xacml:1.0:resource:resource-id
+sql1.resolver.langer.parameter.name.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.parameter.name.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+
+
+ldap1.classname=com.att.research.xacml.std.pip.engines.ldap.LDAPEngine
+ldap1.name=LDAP PIP
+ldap1.description=The LDAP containing the seven seas sample LDIF data.
+ldap1.issuer=com:att:research:xacml:test:ldap
+ldap1.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+#
+# NOTE: You will have to setup a local LDAP server and load the data\apache-ds-tutorial.ldif before
+# this example will work.
+#
+#ldap1.java.naming.provider.url=ldap://localhost:10389
+ldap1.java.naming.provider.url=ldap://xacml-pip.research.att.com:10389
+#ldap.java.naming.security.principal=
+#ldap.java.naming.security.credentials=
+ldap1.scope=subtree
+
+ldap1.resolvers=dn,ship
+
+ldap1.resolver.dn.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.dn.name=Domain Names
+ldap1.resolver.dn.description=Find all the dn's for the subject id
+ldap1.resolver.dn.base=o=sevenseas
+ldap1.resolver.dn.base.parameters=
+ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))
+ldap1.resolver.dn.filter.parameters=uid
+ldap1.resolver.dn.filter.parameters.uid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+ldap1.resolver.dn.filter.parameters.uid.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.parameters.uid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#ldap1.resolver.dn.filter.parameters.uid.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.dn.filter.view=dn
+ldap1.resolver.dn.filter.view.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.dn.filter.view.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.view.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.dn.filter.view.dn.issuer=com:att:research:xacml:test:ldap
+
+ldap1.resolver.ship.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.ship.name=Ship Resolver
+ldap1.resolver.ship.description=This resolves a subject's dn to a ship.
+ldap1.resolver.ship.base=o=sevenseas
+ldap1.resolver.ship.base.parameters=
+ldap1.resolver.ship.filter=uniquemember=${dn}
+ldap1.resolver.ship.filter.parameters=dn
+ldap1.resolver.ship.filter.parameters.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.ship.filter.parameters.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.parameters.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.parameters.dn.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.ship.filter.view=cn
+ldap1.resolver.ship.filter.view.cn.id=com:att:research:xacml:test:ldap:subject:ship
+ldap1.resolver.ship.filter.view.cn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.view.cn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.view.cn.issuer=com:att:research:xacml:test:ldap
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.policy.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.policy.properties b/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.policy.properties
new file mode 100755
index 0000000..59a8dd7
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv/xacml.policy.properties
@@ -0,0 +1,6 @@
+xacml.rootPolicies=CSV-Baseball-Hall-Of-Fame-v1.xml
+xacml.referencedPolicies=
+
+
+CSV-Baseball-Hall-Of-Fame-v1.xml.url=http://localhost:9090/pap/?id=CSV-Baseball-Hall-Of-Fame-v1.xml
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-ldap/LDAP-Seven-Seas-v1.xml
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-ldap/LDAP-Seven-Seas-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-ldap/LDAP-Seven-Seas-v1.xml
new file mode 100755
index 0000000..9e36f68
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-ldap/LDAP-Seven-Seas-v1.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:94378f81-6810-408f-a072-a1a8a7585a24" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>Sample policy that demonstrates use of Configurable LDAP Resolver with sample data.
+
+The PEP Request should provide the following attributes:
+action-id=board
+subject-id-qualifer=uid|mail
+subject-id=hnelson|[email protected]
+resource-id=HMS Lydia|HMS Victory|HMS Bounty
+ </Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">board</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Rule RuleId="urn:com:att:xacml:rule:id:bf241671-54de-404c-ac59-bb17b919783f" Effect="Permit">
+ <Description>This sailor is a member of the crew for the ship.</Description>
+ <Target/>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:ldap:subject:ship" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="com:att:research:xacml:test:ldap" MustBePresent="false"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:com:att:xacml:rule:id:490228ea-98ee-48d8-84c9-da07334726fd" Effect="Deny">
+ <Description>Default is to DENY.</Description>
+ <Target/>
+ </Rule>
+</Policy>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.pip.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.pip.properties b/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.pip.properties
new file mode 100755
index 0000000..deb58b4
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.pip.properties
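Review bot: The Permit rule's Condition wraps the PIP-resolved `com:att:research:xacml:test:ldap:subject:ship` designator in `string-one-and-only`, so a subject whose DN is `uniquemember` of no ship, or of more than one ship, makes the rule Indeterminate instead of falling through to the Deny rule, and with first-applicable the whole policy then evaluates to Indeterminate rather than Deny. The SQL-World-Languages policy in this same commit already uses the membership form; the same shape here is `string-is-in(one-and-only(resource-id), ship-bag)`, which is true only when the requested ship is among the resolved ones and false (so NotApplicable, then Deny) otherwise. The rewrite below only reorders the Condition's children and drops one `string-one-and-only`; every designator keeps its attributes. Separately, `subject-id-qualifer` in the Description is presumably a typo for `subject-id-qualifier`.

```xml
<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:ldap:subject:ship" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="com:att:research:xacml:test:ldap" MustBePresent="false"/>
    </Apply>
</Condition>
<!-- … unchanged: Deny rule … -->
```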
@@ -0,0 +1,227 @@
+# PIP Engine Definition
+#
+xacml.pip.engines=ldap1
+
+ATTWebPhone.classname=com.att.research.xacmlatt.pip.webphone.PIPEngineATTWebphone
+CSO.classname=com.att.research.xacmlatt.pip.cso.PIPEngineCSOCookie
+CSO.mode=DEVL
+
+csv1.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv1.name=Master
+csv1.description=Sean Lahman Basebase stats - Player names, DOB, and biographical info
+csv1.issuer=com:att:research:xacml:test:csv
+csv1.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Master.txt
+csv1.maxsize=4000000
+csv1.delimiter=,
+csv1.quote="
+csv1.skip=0
+
+csv1.resolvers=data
+
+csv1.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv1.resolver.data.name=Player Resolver
+csv1.resolver.data.description=This resolver finds player information in the Master table.
+csv1.resolver.data.fields=firstname,lastname,deathyear,deathmonth,deathday,debut,finalgame
+csv1.resolver.data.field.firstname.column=16
+csv1.resolver.data.field.firstname.id=com:att:research:xacml:test:csv:subject:firstname
+csv1.resolver.data.field.firstname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.firstname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.lastname.column=17
+csv1.resolver.data.field.lastname.id=com:att:research:xacml:test:csv:subject:lastname
+csv1.resolver.data.field.lastname.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.field.lastname.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathyear.column=10
+csv1.resolver.data.field.deathyear.id=com:att:research:xacml:test:csv:subject:deathyear
+csv1.resolver.data.field.deathyear.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathyear.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathmonth.column=11
+csv1.resolver.data.field.deathmonth.id=com:att:research:xacml:test:csv:subject:deathmonth
+csv1.resolver.data.field.deathmonth.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathmonth.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.deathday.column=12
+csv1.resolver.data.field.deathday.id=com:att:research:xacml:test:csv:subject:deathday
+csv1.resolver.data.field.deathday.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv1.resolver.data.field.deathday.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.debut.column=25
+csv1.resolver.data.field.debut.id=com:att:research:xacml:test:csv:subject:debut
+csv1.resolver.data.field.debut.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.debut.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.field.finalgame.column=26
+csv1.resolver.data.field.finalgame.id=com:att:research:xacml:test:csv:subject:finalgame
+csv1.resolver.data.field.finalgame.datatype=http://www.w3.org/2001/XMLSchema#date
+csv1.resolver.data.field.finalgame.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv1.resolver.data.parameters=playerid
+csv1.resolver.data.parameter.playerid.column=1
+csv1.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv1.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv1.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+
+csv2.classname=com.att.research.xacml.std.pip.engines.csv.CSVEngine
+csv2.name=Appearances
+csv2.description=Sean Lahman Basebase stats - Player appearances for a team in a given year.
+#csv2.issuer=
+csv2.source=../XACML-TEST/testsets/pip/configurable-csv/adminDB/Appearances.txt
+csv2.maxsize=4000000
+csv2.delimiter=,
+csv2.quote="
+csv2.skip=0
+
+csv2.resolvers=data
+
+csv2.resolver.data.classname=com.att.research.xacml.std.pip.engines.csv.ConfigurableCSVResolver
+csv2.resolver.data.name=Appearance Resolver
+csv2.resolver.data.description=This resolver returns all the appearances for a player from the appearance table.
+csv2.resolver.data.fields=appearance
+csv2.resolver.data.field.appearance.column=0
+csv2.resolver.data.field.appearance.id=com:att:research:xacml:test:csv:subject:appearance
+csv2.resolver.data.field.appearance.datatype=http://www.w3.org/2001/XMLSchema#integer
+csv2.resolver.data.field.appearance.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+csv2.resolver.data.field.appearance.issuer=com:att:research:xacml:test:csv
+
+csv2.resolver.data.parameters=playerid
+csv2.resolver.data.parameter.playerid.column=3
+csv2.resolver.data.parameter.playerid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+csv2.resolver.data.parameter.playerid.datatype=http://www.w3.org/2001/XMLSchema#string
+csv2.resolver.data.parameter.playerid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#csv1.resolver.data.parameter.playerid.issuer=
+
+hyper1.classname=com.att.research.xacml.std.pip.engines.csv.HyperCSVEngine
+hyper1.name=World Marriage Age Limits
+hyper1.description=Minimum age for female/male marriages with or without their parental consent.
+hyper1.source=../XACML-TEST/testsets/pip/configurable-csv-hyper/marriage.csv
+hyper1.target=marriage
+hyper1.definition=country VARCHAR(80) PRIMARY KEY, wofemale INT, womale INT, wfemale INT, wmale INT, year INT, source VARCHAR(20)
+
+hyper1.resolvers=age_consent
+
+hyper1.resolver.age_consent.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+hyper1.resolver.age_consent.name=Ages
+hyper1.resolver.age_consent.description=This returns all the age's for consent or no consent for a country.
+hyper1.resolver.age_consent.select=SELECT wofemale,womale,wfemale,wmale FROM marriage WHERE country=?
+hyper1.resolver.age_consent.fields=wofemale,womale,wfemale,wmale
+
+hyper1.resolver.age_consent.field.wofemale.id=com:att:research:xacml:test:csv:country:no-consent:female
+hyper1.resolver.age_consent.field.wofemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wofemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wofemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.womale.id=com:att:research:xacml:test:csv:country:no-consent:male
+hyper1.resolver.age_consent.field.womale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.womale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.womale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wfemale.id=com:att:research:xacml:test:csv:country:consent:female
+hyper1.resolver.age_consent.field.wfemale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wfemale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wfemale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.field.wmale.id=com:att:research:xacml:test:csv:country:consent:male
+hyper1.resolver.age_consent.field.wmale.datatype=http://www.w3.org/2001/XMLSchema#integer
+hyper1.resolver.age_consent.field.wmale.category=com:att:research:xacml:test:csv:category:country
+hyper1.resolver.age_consent.field.wmale.issuer=com:att:research:xacml:test:csv
+
+hyper1.resolver.age_consent.parameters=country
+hyper1.resolver.age_consent.parameter.country.id=com:att:research:xacml:test:csv:country:name
+hyper1.resolver.age_consent.parameter.country.datatype=http://www.w3.org/2001/XMLSchema#string
+hyper1.resolver.age_consent.parameter.country.category=com:att:research:xacml:test:csv:category:country
+#hyper1.resolver.age_consent.parameter.country.issuer=
+
+sql1.classname=com.att.research.xacml.std.pip.engines.jdbc.JDBCEngine
+sql1.name=World
+sql1.description=World Database from MySQL website. Copyright Statistics Finland, http://www.stat.fi/worldinfigures.
+# This will be the default issuer for the resolvers. NOTE: Issuer only used for attributes provided by the engine.
+sql1.issuer=com:att:research:xacml:test:sql
+#
+# This is the configuration for JDBC. You will have to setup the database and run the data\world*.sql script to
+# create the tables and load the data.
+#
+sql1.type=jdbc
+sql1.jdbc.driver=org.postgresql.Driver
+#sql1.jdbc.url=jdbc:postgresql://localhost:5432/world
+#sql1.jdbc.conn.user=sa
+#sql1.jdbc.conn.password=
+sql1.jdbc.url=jdbc:postgresql://xacml-pip.research.att.com:5432/world
+sql1.jdbc.conn.user=pip
+sql1.jdbc.conn.password=p1pUs3r
+#
+# This is the configuration for JNDI datasource.
+#
+#sql1.type=jndi
+#sql1.datasource=jdbc/xacml
+
+sql1.resolvers=langer
+
+sql1.resolver.langer.classname=com.att.research.xacml.std.pip.engines.jdbc.ConfigurableJDBCResolver
+sql1.resolver.langer.name=Language
+sql1.resolver.langer.description=This returns the language for a city.
+sql1.resolver.langer.select=SELECT language FROM city INNER JOIN countrylanguage ON city.countrycode = countrylanguage.countrycode WHERE name=?
+sql1.resolver.langer.fields=language
+sql1.resolver.langer.field.language.id=com:att:research:xacml:test:sql:resource:city:language
+sql1.resolver.langer.field.language.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.field.language.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+#You can override the default issuer that is set in the JDBCEngine definition if you want.
+#sql1.resolver.langer.field.language.issuer=com:att:research:xacml:test:sql
+sql1.resolver.langer.parameters=name
+sql1.resolver.langer.parameter.name.id=urn:oasis:names:tc:xacml:1.0:resource:resource-id
+sql1.resolver.langer.parameter.name.datatype=http://www.w3.org/2001/XMLSchema#string
+sql1.resolver.langer.parameter.name.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+
+
+ldap1.classname=com.att.research.xacml.std.pip.engines.ldap.LDAPEngine
+ldap1.name=LDAP PIP
+ldap1.description=The LDAP containing the seven seas sample LDIF data.
+ldap1.issuer=com:att:research:xacml:test:ldap
+ldap1.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+#
+# NOTE: You will have to setup a local LDAP server and load the data\apache-ds-tutorial.ldif before
+# this example will work.
+#
+#ldap1.java.naming.provider.url=ldap://localhost:10389
+ldap1.java.naming.provider.url=ldap://xacml-pip.research.att.com:10389
+#ldap.java.naming.security.principal=
+#ldap.java.naming.security.credentials=
+ldap1.scope=subtree
+
+ldap1.resolvers=dn,ship
+
+ldap1.resolver.dn.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.dn.name=Domain Names
+ldap1.resolver.dn.description=Find all the dn's for the subject id
+ldap1.resolver.dn.base=o=sevenseas
+ldap1.resolver.dn.base.parameters=
+ldap1.resolver.dn.filter=(|(uid=${uid})(mail=${uid}))
+ldap1.resolver.dn.filter.parameters=uid
+ldap1.resolver.dn.filter.parameters.uid.id=urn:oasis:names:tc:xacml:1.0:subject:subject-id
+ldap1.resolver.dn.filter.parameters.uid.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.parameters.uid.category=urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
+#ldap1.resolver.dn.filter.parameters.uid.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.dn.filter.view=dn
+ldap1.resolver.dn.filter.view.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.dn.filter.view.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.dn.filter.view.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.dn.filter.view.dn.issuer=com:att:research:xacml:test:ldap
+
+ldap1.resolver.ship.classname=com.att.research.xacml.std.pip.engines.ldap.ConfigurableLDAPResolver
+ldap1.resolver.ship.name=Ship Resolver
+ldap1.resolver.ship.description=This resolves a subject's dn to a ship.
+ldap1.resolver.ship.base=o=sevenseas
+ldap1.resolver.ship.base.parameters=
+ldap1.resolver.ship.filter=uniquemember=${dn}
+ldap1.resolver.ship.filter.parameters=dn
+ldap1.resolver.ship.filter.parameters.dn.id=com:att:research:xacml:test:ldap:subject:dn
+ldap1.resolver.ship.filter.parameters.dn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.parameters.dn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.parameters.dn.issuer=com:att:research:xacml:test:ldap
+ldap1.resolver.ship.filter.view=cn
+ldap1.resolver.ship.filter.view.cn.id=com:att:research:xacml:test:ldap:subject:ship
+ldap1.resolver.ship.filter.view.cn.datatype=http://www.w3.org/2001/XMLSchema#string
+ldap1.resolver.ship.filter.view.cn.category=urn:oasis:names:tc:xacml:3.0:attribute-category:resource
+ldap1.resolver.ship.filter.view.cn.issuer=com:att:research:xacml:test:ldap
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.policy.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.policy.properties b/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.policy.properties
new file mode 100755
index 0000000..df57627
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-ldap/xacml.policy.properties
@@ -0,0 +1,5 @@
+xacml.rootPolicies=LDAP-Seven-Seas-v1.xml
+xacml.referencedPolicies=
+
+
+LDAP-Seven-Seas-v1.xml.url=http://localhost:9090/pap/?id=LDAP-Seven-Seas-v1.xml
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-sql/SQL-World-Languages-v1.xml
----------------------------------------------------------------------
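Review bot: `sql1.jdbc.conn.password=p1pUs3r` and the internal host `xacml-pip.research.att.com` are committed in clear text in the sql1 block of this file, even though `xacml.pip.engines=ldap1` never enables that engine here, so the secret is carried purely as dead configuration; the neighbouring pdps/*/xacml.pip.properties files appear to be copies of the same template and should be checked for the same lines. Keep only the commented `localhost` defaults in the samples and keep any real password out of the repository. The ldap1 block binds anonymously over plain `ldap://` because `#ldap.java.naming.security.principal=` and `#ldap.java.naming.security.credentials=` are commented out, and those two keys also lack the `ldap1.` prefix every other key in the block uses, so presumably uncommenting them as written would have no effect; a comment such as `# Sample only: anonymous bind over plaintext LDAP. Use ldaps:// (or StartTLS) and an ldap1.java.naming.security.principal/credentials pair outside of test setups.` belongs next to `provider.url`. Whether ConfigurableLDAPResolver escapes the request-supplied subject-id per RFC 4515 before substituting `${uid}` into `(|(uid=${uid})(mail=${uid}))` is not visible in this diff; that should be confirmed and stated in a comment on the filter line, since the value comes straight from the PEP request.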
diff --git a/openaz-xacml-pap-rest/pdps/configurable-sql/SQL-World-Languages-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-sql/SQL-World-Languages-v1.xml
new file mode 100755
index 0000000..85443dc
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-sql/SQL-World-Languages-v1.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>Policy for speaking a language in a city.</Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">speak</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Rule RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" Effect="Permit">
+ <Description>PERMIT - People in this city speak my language.</Description>
+ <Target/>
+ <Condition>
+ <VariableReference VariableId="cityLanguage"/>
+ </Condition>
+ </Rule>
+ <VariableDefinition VariableId="cityLanguage">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <Description>The city's language must match exactly the subject's language.</Description>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+ </Apply>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:sql:resource:city:language" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="com:att:research:xacml:test:sql" MustBePresent="false"/>
+ </Apply>
+ </VariableDefinition>
+ <Rule RuleId="urn:com:att:xacml:rule:id:c9a3fb7d-d0b9-48bb-bdca-87eb4957120c" Effect="Deny">
+ <Description>DENY - default.</Description>
+ <Target/>
+ </Rule>
+</Policy>
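Review bot: The Target's action-id designator is declared `MustBePresent="false"`, whereas the LDAP-Seven-Seas policy added in this same commit uses `MustBePresent="true"` for the identical designator; here a request that carries no action-id yields NotApplicable, there it yields Indeterminate, and nothing in either file says which is intended. If the difference is deliberate, a one-line note in the Description, e.g. `Requests without an action-id are NotApplicable to this policy.`, would stop the next reader from "fixing" it; if not, `MustBePresent="true"` brings the two samples in line. The `string-is-in` form of the `cityLanguage` variable is the right shape: an empty or multi-valued language bag from the PIP evaluates to false and falls through to the Deny rule rather than going Indeterminate.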
