Hi Ben,

If I use "formatUri" as a string, the policy is accepted but does not seem to work.

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"> <!-- 'string-equal' has same result -->
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl:protected</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:formatUri" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>

If I use "formatUri" as "anyURI" (as it must be done according to vocabulary.txt), the policy is rejected during server startup:

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"> <!-- 'string-equal' has same result -->
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">ucl:protected</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:formatUri" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</ResourceMatch>

... (fedora.log)

INFO 2013-09-30 10:16:15.526 [main] (PolicyFinderModule) Loading policy: /usr/vtls/vital/vital_5.5.2/store/fedora-xacml-policies/repository-policies/deny-apia-uclprotected.xml
ERROR 2013-09-30 10:16:15.547 [main] (Server) Module (org.fcrepo.server.security.Authorization) failed to initialize
org.fcrepo.server.errors.ModuleInitializationException: Error loading repository policies
    at org.fcrepo.server.security.DefaultAuthorization.postInitModule(DefaultAuthorization.java:408) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.Server.<init>(Server.java:644) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.BasicServer.<init>(BasicServer.java:41) [fcrepo-server-3.5.jar:na]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [na:1.7.0]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [na:1.7.0]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [na:1.7.0]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:525) [na:1.7.0]
    at org.fcrepo.server.Server.getInstance(Server.java:1239) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.ServerController.init(ServerController.java:403) [fcrepo-server-3.5.jar:na]
    ...
Caused by: org.fcrepo.server.errors.GeneralException: Error loading repository policies
    at org.fcrepo.server.security.PolicyFinderModule.<init>(PolicyFinderModule.java:102) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.security.PolicyEnforcementPoint.newPdp(PolicyEnforcementPoint.java:162) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.security.PolicyEnforcementPoint.initPep(PolicyEnforcementPoint.java:233) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.security.DefaultAuthorization.postInitModule(DefaultAuthorization.java:396) [fcrepo-server-3.5.jar:na]
    ... 35 common frames omitted
Caused by: java.lang.IllegalArgumentException: illegal parameter
    at com.sun.xacml.cond.FunctionBase.checkInputsNoBag(FunctionBase.java:479) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.TargetMatch.getInstance(TargetMatch.java:264) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.TargetMatchGroup.getInstance(TargetMatchGroup.java:115) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.TargetSection.getInstance(TargetSection.java:117) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.Target.getInstance(Target.java:188) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.Rule.getInstance(Rule.java:206) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.Policy.<init>(Policy.java:346) [sunxacml-1.2-melcoe.jar:na]
    at com.sun.xacml.Policy.getInstance(Policy.java:431) [sunxacml-1.2-melcoe.jar:na]
    at org.fcrepo.server.security.PolicyParser.parse(PolicyParser.java:132) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.security.PolicyFinderModule.loadPolicies(PolicyFinderModule.java:247) [fcrepo-server-3.5.jar:na]
    at org.fcrepo.server.security.PolicyFinderModule.<init>(PolicyFinderModule.java:93) [fcrepo-server-3.5.jar:na]
    ... 38 common frames omitted


If I just replace it with:

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PDF_01</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>

It's working fine.

Tell me if you need more information and/or tests.
Regards

Renaud
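The startup failure above is a type error raised while the policy is loaded, so it can be caught before the server is restarted. What follows is an added example, not code from this thread, from Fedora or from sunxacml: a stdlib-only Python 3 linter that walks every SubjectMatch, ResourceMatch and ActionMatch of a policy and checks that the AttributeValue and the designator carry the datatype the MatchId function takes. In XACML 1.0, string-equal and regexp-string-match take xs:string arguments only, while anyURI-equal takes xs:anyURI; the function table, the snippet() builder and the two snippets derived from the ones quoted above are the script's own assumptions.

```python
"""Lint the *Match elements of an XACML 1.0 policy before restarting Fedora.
Added example, not Fedora or sunxacml code; stdlib only. The snippets at the
bottom are constructed from the ones in the mail."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
XS = "http://www.w3.org/2001/XMLSchema#"
F = "urn:oasis:names:tc:xacml:1.0:function:"
DS = "urn:fedora:names:fedora:2.1:resource:datastream:"

# Argument datatype of the XACML 1.0 functions usable as a MatchId. Both
# arguments of regexp-string-match are xs:string (the regex and the text),
# so an xs:anyURI attribute has to be compared with anyURI-equal; handing
# it anyURI arguments is the mismatch that FunctionBase.checkInputsNoBag()
# reports as IllegalArgumentException("illegal parameter") at policy load.
MATCH_FUNCTIONS = {F + "string-equal": XS + "string",
                   F + "regexp-string-match": XS + "string",
                   F + "anyURI-equal": XS + "anyURI",
                   F + "integer-equal": XS + "integer",
                   F + "boolean-equal": XS + "boolean"}


def lint_matches(policy_xml):
    """Return (element, MatchId, DataType) triples for every SubjectMatch,
    ResourceMatch or ActionMatch whose AttributeValue or designator datatype
    is not the one its MatchId function takes; an empty list means the
    Target at least passes the type check."""
    problems = []
    for node in ET.fromstring(policy_xml).iter():
        name = node.tag[len(NS):] if node.tag.startswith(NS) else node.tag
        if not name.endswith("Match"):
            continue
        fn = node.get("MatchId")
        expected = MATCH_FUNCTIONS.get(fn)
        if expected is None:
            problems.append((name, fn, "unknown MatchId"))
            continue
        for child in node:  # the AttributeValue and the designator/selector
            if child.get("DataType") != expected:
                problems.append((name, fn, child.get("DataType")))
    return problems


def snippet(fn, datatype, attribute):
    """Build one ResourceMatch (constructed input, same shape as the mail's)."""
    return (f'<Resource xmlns="{NS[1:-1]}"><ResourceMatch MatchId="{F}{fn}">'
            f'<AttributeValue DataType="{XS}{datatype}">ucl:protected</AttributeValue>'
            f'<ResourceAttributeDesignator AttributeId="{DS}{attribute}" '
            f'DataType="{XS}{datatype}"/></ResourceMatch></Resource>')


# Rejected at startup in the mail: regexp-string-match over xs:anyURI.
REJECTED = snippet("regexp-string-match", "anyURI", "formatUri")
# Passes the type check: the same anyURI attribute compared with anyURI-equal.
TYPED_OK = snippet("anyURI-equal", "anyURI", "formatUri")

if __name__ == "__main__":
    print(lint_matches(REJECTED))  # two findings, one per anyURI argument
    print(lint_matches(TYPED_OK))  # []
```

lint_matches(REJECTED) reports both anyURI arguments of the regexp-string-match, and string-equal over anyURI is flagged the same way, which matches the remark in the snippet above that 'string-equal' gives the same result. lint_matches(TYPED_OK) is empty, meaning that Target passes sunxacml's argument check; whether the formatUri attribute is then actually supplied with that datatype at request time is a separate question that a load-time check cannot answer.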

On 27/09/13 19:28, Benjamin Armintor wrote:
Renaud-
I'll take a look at this soon, but I have a clarifying question: Are you saying formatURI is not available as a property at all, or that it is not available as a URI attribute? I was under the impression that it was available as a String attribute.

- Ben


On Thu, Sep 26, 2013 at 10:38 AM, Renaud Michotte <renaud.micho...@uclouvain.be> wrote:

    Hi all,

    I'm using Fedora 3.5 and I tried to use XACML to restrict access
    to some datastreams for all IP addresses (except localhost and my IP).
    My condition uses the "altIds" attribute (as we can't use formatURI:
    https://jira.duraspace.org/browse/FCREPO-87)

    Despite many, many tries, no restriction seems to work using the altIds,
    checksum and checksumType fields (cf. the XACML policy; I use another
    IP address to test my policy ;) )
    It works with the datastream id attribute... but it's not usable for us.

    Below you can find my XACML. Can you tell me if you found any
    problem with it?
    Thanks a lot.
    Regards

    Renaud


    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            PolicyId="deny-apia-uclprotected"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
      <Description>This Policy will deny access to "ucl:restricted"
      datastream for UCL network</Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>

      <Rule RuleId="1" Effect="Deny">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>

            <!-- ON ALT_IDS : NOT WORKING (best solution if cannot use formatURI) ========================= -->
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl\:protected</AttributeValue>
                <!--<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl:protected</AttributeValue>
                NOT WORKING -->
                <ResourceAttributeDesignator
                    AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource>

            <!-- ON CHECKSUM TYPE : NOT WORKING =========================================================== -->
            <!--<Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MD5</AttributeValue>
                <ResourceAttributeDesignator
                    AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:checksumType"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource> NOT WORKING -->

            <!-- ON DS ID : WORKS BUT USABLE ============================================================== -->
            <!--<Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PDF_01</AttributeValue>
                <ResourceAttributeDesignator
                    AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource>-->

            <!-- REGEXP ON ID : WORKS BUT UNFORTUNATELY USABLE ============================================= -->
            <!--<Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^PDF</AttributeValue>
                <ResourceAttributeDesignator
                    AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ResourceMatch>
            </Resource>-->
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
                <ActionAttributeDesignator
                    AttributeId="urn:fedora:names:fedora:2.1:action:id"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <EnvironmentAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX.XXX.XXX.XXX</AttributeValue>
              <!-- my IP address -->
            </Apply>
          </Apply>
        </Condition>
      </Rule>
      <Rule RuleId="2" Effect="Permit"/>
    </Policy>

    
------------------------------------------------------------------------------
    October Webinars: Code for Performance
    Free Intel webinars can help you accelerate application performance.
    Explore tips for MPI, OpenMP, advanced profiling, and more. Get
    the most from
    the latest Intel processors and coprocessors. See abstracts and
    register >
    http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
    _______________________________________________
    Fedora-commons-users mailing list
    Fedora-commons-users@lists.sourceforge.net
    <mailto:Fedora-commons-users@lists.sourceforge.net>
    https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
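To see why a Deny rule can load cleanly and still restrict nothing, here is an added example, not Fedora's PDP and not code from this thread: a small Python 3 evaluator for just the XACML 1.0 constructs the policy quoted above uses (Target matches with string-equal and regexp-string-match, not, string-bag, string-at-least-one-member-of and first-applicable rule combining), run against constructed request contexts. The sample policy has the same shape as the quoted one; the attribute ids the PEP is assumed to supply, the contexts themselves, and the find-style semantics chosen for regexp-string-match are assumptions of the example, not Fedora's behaviour.

```python
"""Minimal evaluator for the XACML 1.0 subset the policy above uses (added
example, not Fedora's PDP; policy, contexts and regexp semantics are assumed)."""
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
XS = "http://www.w3.org/2001/XMLSchema#"
F = "urn:oasis:names:tc:xacml:1.0:function:"
DS = "urn:fedora:names:fedora:2.1:resource:datastream:"
ACT = "urn:fedora:names:fedora:2.1:action:id"
IP = "urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
CATEGORY = {"SubjectAttributeDesignator": "subject",
            "ResourceAttributeDesignator": "resource",
            "ActionAttributeDesignator": "action",
            "EnvironmentAttributeDesignator": "environment"}

def eval_expr(node, ctx):
    """Condition/Apply/designator/value; an attribute absent from ctx is an
    empty bag, which is what MustBePresent="false" (the default) gives."""
    tag = node.tag[len(NS):]
    if tag == "AttributeValue":
        return node.text
    if tag in CATEGORY:
        return ctx.get(CATEGORY[tag], {}).get(node.get("AttributeId"), [])
    fn = node.get("FunctionId")
    args = [eval_expr(c, ctx) for c in node]
    if fn == F + "not":
        return not args[0]
    if fn == F + "string-bag":
        return args
    if fn == F + "string-at-least-one-member-of":
        return any(v in args[1] for v in args[0])
    raise ValueError("unsupported function %r" % fn)

def eval_match(match, ctx):
    """A *Match is true if its function holds for some value in the bag."""
    value, designator = list(match)
    bag = eval_expr(designator, ctx)
    if match.get("MatchId") == F + "regexp-string-match":
        return any(re.search(value.text, v) for v in bag)  # assumed find-style
    return any(v == value.text for v in bag)  # string-equal / anyURI-equal

def eval_target(target, ctx):
    """True when each section (Subjects, Resources, Actions) has a match."""
    for section in target:
        entries = list(section)
        if any(e.tag[len(NS):].startswith("Any") for e in entries):
            continue
        if not any(all(eval_match(m, ctx) for m in e) for e in entries):
            return False
    return True

def evaluate(policy_xml, ctx):
    """first-applicable over the Rules: 'Deny', 'Permit' or 'NotApplicable'."""
    root = ET.fromstring(policy_xml)
    if not eval_target(root.find(NS + "Target"), ctx):
        return "NotApplicable"
    for rule in root.findall(NS + "Rule"):
        target, cond = rule.find(NS + "Target"), rule.find(NS + "Condition")
        if target is not None and not eval_target(target, ctx):
            continue
        if cond is not None and not eval_expr(cond, ctx):
            continue
        return rule.get("Effect")
    return "NotApplicable"

# Constructed policy with the shape of the one in the mail: deny
# getDatastreamDissemination on altIds "ucl:protected" from non-allowed IPs.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="demo"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="1" Effect="Deny"><Target><Subjects><AnySubject/></Subjects>
  <Resources><Resource><ResourceMatch MatchId="{F}string-equal">
   <AttributeValue DataType="{XS}string">ucl:protected</AttributeValue>
   <ResourceAttributeDesignator DataType="{XS}string" AttributeId="{DS}altIds"/>
  </ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="{F}string-equal">
   <AttributeValue DataType="{XS}string">{ACT}-getDatastreamDissemination</AttributeValue>
   <ActionAttributeDesignator DataType="{XS}string" AttributeId="{ACT}"/>
  </ActionMatch></Action></Actions></Target>
  <Condition FunctionId="{F}not"><Apply FunctionId="{F}string-at-least-one-member-of">
   <EnvironmentAttributeDesignator DataType="{XS}string" AttributeId="{IP}"/>
   <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{XS}string">127.0.0.1</AttributeValue></Apply>
  </Apply></Condition></Rule>
 <Rule RuleId="2" Effect="Permit"/>
</Policy>"""

def request(client_ip, alt_ids=None):
    """Constructed context; alt_ids=None models a PEP that never supplies altIds."""
    ctx = {"action": {ACT: [ACT + "-getDatastreamDissemination"]},
           "environment": {IP: [client_ip]}, "resource": {}}
    if alt_ids is not None:
        ctx["resource"][DS + "altIds"] = alt_ids
    return ctx

if __name__ == "__main__":
    for ip, alt in (("10.0.0.5", ["ucl:protected"]), ("127.0.0.1", ["ucl:protected"]), ("10.0.0.5", None)):
        print(ip, alt, "->", evaluate(POLICY, request(ip, alt)))
```

The third call is the one to keep in mind when a Deny rule "does nothing": with no altIds attribute in the context at all, the ResourceMatch in Rule 1 cannot be true, Rule 1 is not applicable, and the catch-all Rule 2 returns Permit. With first-applicable combining and a trailing Permit, the policy fails open for every attribute the PEP does not populate, so confirming which datastream attributes actually arrive in the request context is the first check to make before tuning the match itself.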



