Does that work with spaces only or does it include tabs as well? Seems
like a good idea using it on strings with unwanted space in them. I
also wonder if there is a list somewhere specifying which functions
are available and an explanation of these functions. Searching on
Google for urn:oasis:names:tc:xacml:1.0:function:string-normalize-space
for instance gives no direct results on how to use it or on what it
exactly does. Though I found a list here:
http://naxx-security.googlecode.com/svn-history/r3/trunk/naxx-security/resources/function/functions.properties
for something called naxx-security, but it might be that not all of
them are implemented for Fedora.

Thio, I hope you have noticed that there is a difference between the
old XACML policy enforcement and FeSL, which might introduce some
strangeness as well. These are not meant to be run together. Also, as
far as I know FeSL will be the default policy enforcement in the future,
replacing the old XACML policy enforcement. Hence it might be a good
idea to use FeSL and write policies for FeSL.

On Thu, Aug 4, 2011 at 3:55 PM, Asger Askov Blekinge
<a...@statsbiblioteket.dk> wrote:
> The whitespace thing is very funny. That one boggled me for a while,
> because my editor would insert them automatically...
>
> I have taken to using
>
> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
>   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>   </AttributeValue>
> </Apply>
>
> on every single constant string I use, to guard against this.
>
> Regards
>
>
> On 04/08/11 11:52, thio wrote:
>> Forget it, found the problem :)
>>
>> On 04.08.2011 11:30, thio wrote:
>>> Had trailing whitespaces in it .. *sigh*
>>>
>>> So I'm further along now, but bumped into another problem. I have
>>> defined a rule with several allowed actions. One action is
>>> "urn:fedora:names:fedora:2.1:action:api-a" while the other actions are
>>> specific api-m methods. I assumed that specifying the first would allow
>>> the use of all api-a methods, but it seems I cannot.
>>>
>>> Now the question is: is there actually some error in the policy, or is
>>> my assessment of the api-a action attribute incorrect?
>>>
>>> On 08.07.2011 18:03, thio wrote:
>>>> I could access it being logged in as another user which has a group.
>>>> Tried to add MustBePresent="false", but that didn't change the outcome.
>>>>
>>>> On 08.07.2011 17:53, Benjamin Armintor wrote:
>>>>> Are the unexpected Permit results coming when a user is logged in, has
>>>>> a fedoraRole, but it is not "administrator"? Or is it that no one is
>>>>> logged in/the logged in user has no fedoraRole?
>>>>>
>>>>> If the latter, the first thing I would try is adding
>>>>> MustBePresent="false" to your subjectAttributeDesignator.  According
>>>>> to the spec:
>>>>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
>>>>>
>>>>> it effectively defaults to "true", and returns an Indeterminate result
>>>>> in the event of a missing attribute.  Quoting from the rule evaluation
>>>>> spec:
>>>>> "If the target value is "No-match" or "Indeterminate" then the rule
>>>>> value SHALL be "NotApplicable" or "Indeterminate", respectively,
>>>>> regardless of the value of the condition.  For these cases, therefore,
>>>>> the condition need not be evaluated."
>>>>>
>>>>> Since you have no condition, it may be applying that rule whenever the
>>>>> fedoraRole attribute is missing.
>>>>>
>>>>> On 7/8/11, thio<t...@uni-koblenz.de>     wrote:
>>>>>> Hi!
>>>>>>
>>>>>> Recently i was asked to build Policies for Fedora Objects.
>>>>>>
>>>>>> I have looked at the policy writing guide, and so far doing it like THAT
>>>>>> works, but I find this style kind of convoluted.
>>>>>>
>>>>>> Since I only need simple rules I thought I could as well use the
>>>>>> "straightforward" way, which is closer to the data model I get.
>>>>>>
>>>>>> To give you an example, a policy that shuts everyone out but admins:
>>>>>>
>>>>>> -guide:
>>>>>> <Policy PolicyId="demo"
>>>>>>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>>   xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>>   <Target>
>>>>>>     <Subjects>
>>>>>>       <AnySubject/>
>>>>>>     </Subjects>
>>>>>>     <Resources>
>>>>>>       <Resource>
>>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
>>>>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>>>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>         </ResourceMatch>
>>>>>>       </Resource>
>>>>>>     </Resources>
>>>>>>     <Actions>
>>>>>>       <AnyAction/>
>>>>>>     </Actions>
>>>>>>   </Target>
>>>>>>   <Rule Effect="Deny" RuleId="1">
>>>>>>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>>>>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>>>>>         <SubjectAttributeDesignator AttributeId="fedoraRole"
>>>>>>           DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>>>>>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
>>>>>>         </Apply>
>>>>>>       </Apply>
>>>>>>     </Condition>
>>>>>>   </Rule>
>>>>>>   <Rule Effect="Permit" RuleId="3"/>
>>>>>> </Policy>
>>>>>> -mine:
>>>>>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>>>>>>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>>>>>   <Target>
>>>>>>     <Subjects>
>>>>>>       <AnySubject />
>>>>>>     </Subjects>
>>>>>>     <Resources>
>>>>>>       <Resource>
>>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
>>>>>>           </AttributeValue>
>>>>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>>>             DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>>>>         </ResourceMatch>
>>>>>>       </Resource>
>>>>>>     </Resources>
>>>>>>     <Actions>
>>>>>>       <AnyAction />
>>>>>>     </Actions>
>>>>>>   </Target>
>>>>>>   <Rule RuleId="AdminRule" Effect="Permit">
>>>>>>     <Target>
>>>>>>       <Subjects>
>>>>>>         <Subject>
>>>>>>           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>>>>>>             </AttributeValue>
>>>>>>             <SubjectAttributeDesignator AttributeId="fedoraRole"
>>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>>>>           </SubjectMatch>
>>>>>>         </Subject>
>>>>>>       </Subjects>
>>>>>>       <Resources>
>>>>>>         <AnyResource />
>>>>>>       </Resources>
>>>>>>       <Actions>
>>>>>>         <AnyAction />
>>>>>>       </Actions>
>>>>>>     </Target>
>>>>>>   </Rule>
>>>>>>   <Rule RuleId="FinalRule" Effect="Deny">
>>>>>>   </Rule>
>>>>>> </Policy>
>>>>>>
>>>>>> As far as I understood this SHOULD constitute the same behaviour, but my
>>>>>> policy doesn't shut anyone out. And I have no idea why not.
>>>>>>
>>>>>> greetings and thanks for any help,
>>>>>> Jessi
>>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> All of the data generated in your IT infrastructure is seriously valuable.
>>>>> Why? It contains a definitive record of application performance, security
>>>>> threats, fraudulent activity, and more. Splunk takes this data and makes
>>>>> sense of it. IT sense. And common sense.
>>>>> http://p.sf.net/sfu/splunk-d2d-c2
>>>>> _______________________________________________
>>>>> Fedora-commons-users mailing list
>>>>> Fedora-commons-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>>
>>
>>
>
>
>



-- 
Med Venlig Hilsen / With Best Regards
Tomasz Cielecki
http://ostebaronen.dk
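A worked model of the evaluation semantics this thread turns on: the policy Target's string-equal match on the object pid, the SubjectMatch on fedoraRole, the effect of MustBePresent when the attribute is absent from the request, first-applicable rule combining, and what string-normalize-space does to a value that picked up whitespace from the editor. This is an added example written for this page, not Fedora's enforcement code or the Sun XACML engine it is built on. The request dictionaries, the function names and the decision to model normalize-space with str.strip() (which removes tabs and newlines as well as spaces; the XACML 2.0 spec describes the function as stripping leading and trailing white space) are assumptions; the pid value with the newline before the closing tag is taken from the "-mine" policy above to show why that policy never applied to the object.

```python
"""Minimal XACML 2.0-style evaluation of the 'deny all but administrators'
policy from the thread.  Illustration only: not Fedora's PDP, not Sun XACML.
Requests are plain dicts mapping attribute id -> bag (list) of strings."""
import xml.etree.ElementTree as ET

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
MATCH, NO_MATCH = "Match", "No-match"


def attribute_value_text(fragment):
    """Text of an <AttributeValue> exactly as the XML parser hands it to the
    PDP.  A newline before the closing tag is part of the value; nothing in
    the policy language trims it for you."""
    return ET.fromstring(fragment).text


def normalize_space(s):
    """urn:oasis:names:tc:xacml:1.0:function:string-normalize-space.
    Assumption: modelled with str.strip(), so tabs and newlines go too."""
    return s.strip()


def evaluate_match(literal, bag, must_be_present):
    """One <SubjectMatch>/<ResourceMatch> using string-equal.
    Empty bag (attribute absent from the request): Indeterminate when
    MustBePresent="true", otherwise simply No-match."""
    if not bag:
        return INDETERMINATE if must_be_present else NO_MATCH
    return MATCH if literal in bag else NO_MATCH


def evaluate_rule(rule, request):
    """rule = {"effect": ..., "match": None | (attr_id, literal, mbp)}.
    A rule with no Target (FinalRule in the posted policy) always applies."""
    if rule.get("match") is None:
        return rule["effect"]
    attr_id, literal, mbp = rule["match"]
    result = evaluate_match(literal, request.get(attr_id, []), mbp)
    if result == MATCH:
        return rule["effect"]
    return NOT_APPLICABLE if result == NO_MATCH else INDETERMINATE


def first_applicable(results):
    """rule-combining-algorithm:first-applicable: the first rule that yields
    Permit, Deny or Indeterminate decides; NotApplicable rules are skipped."""
    for r in results:
        if r in (PERMIT, DENY, INDETERMINATE):
            return r
    return NOT_APPLICABLE


def evaluate_policy(policy, request):
    """Policy Target = string-equal on the object pid.  If it does not match,
    the whole policy is NotApplicable and its Deny rule never runs."""
    pid_literal, pid_mbp = policy["resource_pid"]
    target = evaluate_match(pid_literal, request.get("pid", []), pid_mbp)
    if target == NO_MATCH:
        return NOT_APPLICABLE
    if target == INDETERMINATE:
        return INDETERMINATE
    return first_applicable(evaluate_rule(r, request) for r in policy["rules"])


def deny_all_but_admins(pid_literal, role_literal, must_be_present=False):
    """Same shape as the posted '-mine' policy: AdminRule (Permit when
    fedoraRole == role_literal) followed by FinalRule (Deny), scoped to one pid."""
    return {
        "resource_pid": (pid_literal, False),
        "rules": [
            {"effect": PERMIT, "match": ("fedoraRole", role_literal, must_be_present)},
            {"effect": DENY},
        ],
    }


# Constructed requests (assumed shape, not Fedora's real request format).
ADMIN = {"pid": ["changeme:10059"], "fedoraRole": ["administrator"]}
USER = {"pid": ["changeme:10059"], "fedoraRole": ["reader"]}
ANON = {"pid": ["changeme:10059"]}          # no fedoraRole attribute at all


def run_demo():
    # pid copied as it sat in the posted XML: newline before </AttributeValue>.
    raw_pid = attribute_value_text("<AttributeValue>changeme:10059\n</AttributeValue>")
    buggy = deny_all_but_admins(raw_pid, "administrator")
    fixed = deny_all_but_admins(normalize_space(raw_pid), "administrator")
    strict = deny_all_but_admins(normalize_space(raw_pid), "administrator",
                                 must_be_present=True)
    return {
        "buggy_anon": evaluate_policy(buggy, ANON),    # policy never applies
        "fixed_admin": evaluate_policy(fixed, ADMIN),  # Permit
        "fixed_user": evaluate_policy(fixed, USER),    # Deny via FinalRule
        "fixed_anon": evaluate_policy(fixed, ANON),    # Deny: No-match, then FinalRule
        "strict_anon": evaluate_policy(strict, ANON),  # Indeterminate
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:12s} {decision}")
```

The "buggy_anon" case is the situation thio reported: the pid literal carries a trailing newline, the resource match is No-match, the policy is NotApplicable and its Deny never fires. The "strict_anon" case is the one Benjamin describes: with MustBePresent="true" a request without any fedoraRole makes the rule, and with first-applicable the whole policy, Indeterminate instead of falling through to the Deny.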
