Out of curiosity, is this whitespace in the XML (in the XACML policy), or
whitespace in the attribute values returned by an attribute finder?  (if
it's in the XML I appreciate the issue also; I've now got into the habit of
never having linebreaks in element content for instance; and if generating
with xslt I always use xsl:text to wrap text for the same reason).

For a list of functions, consult the XACML specs at
http://www.oasis-open.org/committees/xacml/ - the XACML 2.0 Specification
Document lists all the functions and there's an appendix defining them.  In
theory all of those marked as mandatory *should* be implemented; and we
would be interested to hear of any exceptions.

> -----Original Message-----
> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk] 
> Sent: 05 August 2011 13:31
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] What is wrong with my Policy?
> 
> 
> Does that work with spaces only or does it include tabs as 
> well? Seems like a good idea using it on strings with 
> unwanted space in them. I also wonder if there is a list 
> somewhere specifying which functions are available and an 
> explanation of these functions. Searching on Google for 
> urn:oasis:names:tc:xacml:1.0:function:string-normalize-space
> for instance gives no direct results on how to use it and 
> explaining what it exactly does. Though I found a list here: 
> http://naxx-security.googlecode.com/svn-history/r3/trunk/naxx-security/resources/function/functions.properties
> for something called naxx-security, but it might be that not 
> all of them are implemented for Fedora.
> 
> Thio, I hope you have noticed that there is a difference 
> between the old XACML policy enforcement and FeSL, which 
> might introduce some strangeness as well. These are not meant 
> to be run together. Also as far as I know FeSL will be the 
> default policy enforcement in the future replacing the old 
> XACML policy enforcement. Hence it might be a good idea to use 
> FeSL and write policies for FeSL.
> 
> On Thu, Aug 4, 2011 at 3:55 PM, Asger Askov Blekinge 
> <a...@statsbiblioteket.dk> wrote:
> > The whitespace thing is very funny. That one boggled me for a while,
> > because my editor would insert them automatically...
> >
> > I have taken to using
> >
> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
> >     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
> >         >administrator
> >     </AttributeValue>
> > </Apply>
> >
> > on every single constant string I use, to guard against this.
> >
> > Regards
> >
> >
> > On 04/08/11 11:52, thio wrote:
> >> Forget it, found the problem :)
> >>
> >> On 04.08.2011 11:30, thio wrote:
> >>> Had trailing whitespaces in it .. *sigh*
> >>>
> >>> So i'm further along now, but bumped into another problem. I have
> >>> defined a rule with several allowed actions. One action is
> >>> "urn:fedora:names:fedora:2.1:action:api-a" while the other actions
> >>> are specific api-m methods. I assumed that specifying the first
> >>> would allow to use all api-a methods, but it seems i cannot.
> >>>
> >>> Now the question is: is there actually some error in the policy, or
> >>> is my assessment of the api-a action attribute incorrect?
> >>>
> >>> On 08.07.2011 18:03, thio wrote:
> >>>> I could access it being logged in as another user which has a
> >>>> group. Tried to add MustBePresent="false", but that didn't change
> >>>> the outcome.
> >>>>
> >>>> On 08.07.2011 17:53, Benjamin Armintor wrote:
> >>>>> Are the unexpected Permit results coming when a user is logged in,
> >>>>> has a fedoraRole, but it is not "administrator"? Or is it that no
> >>>>> one is logged in/the logged in user has no fedoraRole?
> >>>>>
> >>>>> If the latter, the first thing I would try is adding
> >>>>> MustBePresent="false" to your subjectAttributeDesignator.
> >>>>> According to the spec:
> >>>>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
> >>>>>
> >>>>> it effectively defaults to "true", and returns an Indeterminate
> >>>>> result in the event of a missing attribute.  Quoting from the rule
> >>>>> evaluation spec:
> >>>>> "If the target value is "No-match" or “Indeterminate” then the rule
> >>>>> value SHALL be “NotApplicable” or “Indeterminate”, respectively,
> >>>>> regardless of the value of the condition.  For these cases, therefore,
> >>>>> the condition need not be evaluated."
> >>>>>
> >>>>> Since you have no condition, it may be applying that rule whenever
> >>>>> the fedoraRole attribute is missing.
> >>>>>
> >>>>> On 7/8/11, thio <t...@uni-koblenz.de> wrote:
> >>>>>> Hi!
> >>>>>>
> >>>>>> Recently i was asked to build Policies for Fedora Objects.
> >>>>>>
> >>>>>> I have looked at the policy writing guide, and so far doing it 
> >>>>>> like THAT works, but i find this style kind of convoluted.
> >>>>>>
> >>>>>> Since i only need simple rules i thought i could as well use the
> >>>>>> "straightforward" way, which is closer to the datamodel i get.
> >>>>>>
> >>>>>> To give you an example, a policy that shuts everyone out but 
> >>>>>> admins:
> >>>>>>
> >>>>>> _*-guide:*_
> >>>>>> <Policy PolicyId="demo"
> >>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
> >>>>>>         xmlns="urn:oasis:names:tc:xacml:1.0:policy"
> >>>>>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>>>>   <Target>
> >>>>>>     <Subjects>
> >>>>>>       <AnySubject/>
> >>>>>>     </Subjects>
> >>>>>>     <Resources>
> >>>>>>       <Resource>
> >>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
> >>>>>>           <ResourceAttributeDesignator
> >>>>>>               AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>>>         </ResourceMatch>
> >>>>>>       </Resource>
> >>>>>>     </Resources>
> >>>>>>     <Actions>
> >>>>>>       <AnyAction/>
> >>>>>>     </Actions>
> >>>>>>   </Target>
> >>>>>>   <Rule Effect="Deny" RuleId="1">
> >>>>>>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> >>>>>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
> >>>>>>         <SubjectAttributeDesignator AttributeId="fedoraRole"
> >>>>>>             DataType="http://www.w3.org/2001/XMLSchema#string"
> >>>>>>             MustBePresent="false"/>
> >>>>>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
> >>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
> >>>>>>         </Apply>
> >>>>>>       </Apply>
> >>>>>>     </Condition>
> >>>>>>   </Rule>
> >>>>>>   <Rule Effect="Permit" RuleId="3"/>
> >>>>>> </Policy>
> >>>>>> _*-mine:*_
> >>>>>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
> >>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
> >>>>>>   <Target>
> >>>>>>     <Subjects>
> >>>>>>       <AnySubject />
> >>>>>>     </Subjects>
> >>>>>>     <Resources>
> >>>>>>       <Resource>
> >>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
> >>>>>>           </AttributeValue>
> >>>>>>           <ResourceAttributeDesignator
> >>>>>>               AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>>>>>         </ResourceMatch>
> >>>>>>       </Resource>
> >>>>>>     </Resources>
> >>>>>>     <Actions>
> >>>>>>       <AnyAction />
> >>>>>>     </Actions>
> >>>>>>   </Target>
> >>>>>>   <Rule RuleId="AdminRule" Effect="Permit">
> >>>>>>     <Target>
> >>>>>>       <Subjects>
> >>>>>>         <Subject>
> >>>>>>           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
> >>>>>>             </AttributeValue>
> >>>>>>             <SubjectAttributeDesignator
> >>>>>>                 AttributeId="fedoraRole"
> >>>>>>                 DataType="http://www.w3.org/2001/XMLSchema#string" />
> >>>>>>           </SubjectMatch>
> >>>>>>         </Subject>
> >>>>>>       </Subjects>
> >>>>>>       <Resources>
> >>>>>>         <AnyResource />
> >>>>>>       </Resources>
> >>>>>>       <Actions>
> >>>>>>         <AnyAction />
> >>>>>>       </Actions>
> >>>>>>     </Target>
> >>>>>>   </Rule>
> >>>>>>   <Rule RuleId="FinalRule" Effect="Deny">
> >>>>>>   </Rule>
> >>>>>> </Policy>
> >>>>>>
> >>>>>> As far as i understood this SHOULD constitute the same behaviour,
> >>>>>> but my policy doesn't shut anyone out. And i have no idea why
> >>>>>> not.
> >>>>>>
> >>>>>> greetings and thanks for any help,
> >>>>>> Jessi
> >>>>>>
> >>>>> _______________________________________________
> >>>>> Fedora-commons-users mailing list
> >>>>> Fedora-commons-users@lists.sourceforge.net
> >>>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> 
> 
> 
> -- 
> Med Venlig Hilsen / With Best Regards
> Tomasz Cielecki
> http://ostebaronen.dk
> 

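An added example, not part of the original thread and not code from Fedora or any XACML engine: a small Python check for the problem discussed above, flagging `AttributeValue` literals whose text carries leading or trailing whitespace without a `string-normalize-space` wrapper, so that `string-equal` would compare the padded string. The sample policy is constructed, the helper names are hypothetical, and treating "white space" as space, tab, CR and LF is an assumption.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
PID = "urn:fedora:names:fedora:2.1:resource:object:pid"
XML_WS = " \t\r\n"  # assumption: "white space" = the four XML whitespace characters

def normalize_space(value):
    """Strip leading/trailing whitespace only; inner whitespace is left alone."""
    return value.strip(XML_WS)

def local(tag):
    """Element name without namespace, so policies with or without xmlns work."""
    return tag.rsplit("}", 1)[-1]

def padded_values(policy_xml):
    """Return (parent element name, raw literal) for every AttributeValue whose
    text carries stray whitespace and is not wrapped in string-normalize-space."""
    root = ET.fromstring(policy_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if local(el.tag) != "AttributeValue":
            continue
        raw = el.text or ""
        parent = parent_of.get(el)
        name = local(parent.tag) if parent is not None else None
        guarded = (name == "Apply"
                   and parent.get("FunctionId") == FN + "string-normalize-space")
        if raw != normalize_space(raw) and not guarded:
            findings.append((name, raw))
    return findings

# Constructed sample: an unguarded literal in a match, a guarded one in a condition.
SAMPLE = f"""<Policy PolicyId="sample"><Target><Resources><Resource>
 <ResourceMatch MatchId="{FN}string-equal">
  <AttributeValue DataType="{STRING}">changeme:10059
  </AttributeValue>
  <ResourceAttributeDesignator DataType="{STRING}" AttributeId="{PID}"/>
 </ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="r" Effect="Deny"><Condition FunctionId="{FN}not">
  <Apply FunctionId="{FN}string-is-in">
   <Apply FunctionId="{FN}string-normalize-space">
    <AttributeValue DataType="{STRING}">administrator\t
    </AttributeValue></Apply>
   <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="{STRING}"/>
  </Apply></Condition></Rule></Policy>"""

if __name__ == "__main__":
    for parent, raw in padded_values(SAMPLE):
        print(f"{parent}: {raw!r} should be {normalize_space(raw)!r}")
```

The literal inside `ResourceMatch` is reported because a match element takes the `AttributeValue` directly, so there the fix is to remove the whitespace from the policy file itself.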