Compare two multi-element attributes in XACML policy


Title: Compare two multi-element attributes in XACML policy
Posted: 2019-05-31 13:36:49

Question:

Consider a subject and an object that both carry a label defined as follows:

subject/object label = [i1, i2, ..., in], where each i is the subjectId of another subject

In a policy (ALFA/XACML), how can I compare the subject label and the object label so that no element of the two lists is the same?

For example:

subject_label = [i2, i4, i9]
object_label  = [i1, i3, i7, i9]

The result would be DENY because both labels contain i9. If no match is found in either list, the access result would be PERMIT.

Comments on the question:

Answer 1:

What you want to use is stringAtLeastOneMemberOf (or its equivalent for other data types). This function takes two parameters:

- a bag of type string
- a bag of type string

It returns true if at least one value in the first bag is equal to a value in the second bag. For strings, the comparison is case-sensitive.

namespace com.axiomatics {
    // Attribute declarations reconstructed from the generated XACML below
    // (AttributeId, category and data type); subjectCat and resourceCat
    // are the standard categories defined in system.alfa.
    namespace user {
        attribute label {
            id = "com.axiomatics.user.label"
            type = string
            category = subjectCat
        }
    }
    namespace object {
        attribute label {
            id = "com.axiomatics.object.label"
            type = string
            category = resourceCat
        }
    }
    /**
     * This policy checks the contents of the user label and the resource label.
     * It will deny access if there is at least one value in the user label equal to at least
     * one value in the resource label.
     */
    policy denyIfSameContent {
        apply firstApplicable
        /**
         * This rule will deny access if user.label contains at least 1 value that is also present
         * in object.label
         */
        rule denyIfSameContent {
            deny
            condition stringAtLeastOneMemberOf(user.label, object.label)
        }
    }
}

Here is the XACML/XML representation:

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.denyIfSameContent"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy checks the contents of the user
        label and the resource label.
        It will deny access if there is at least one value in the user label
        equal to at least
        one value in the resource label.
    </xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Deny"
        RuleId="com.axiomatics.denyIfSameContent.denyIfSameContent">
        <xacml3:Description>This rule will deny access if user.label contains
            at least 1 value that is also present
            in object.label
        </xacml3:Description>
        <xacml3:Target />
        <xacml3:Condition>
            <xacml3:Apply
                FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.user.label"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
                <xacml3:AttributeDesignator
                    AttributeId="com.axiomatics.object.label"
                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="false" />
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>
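A small evaluator of the answer's rule over a constructed XACML 3.0 request, added here as an example (it is not code from the answer or from Axiomatics): it extracts both bags from the request, applies string-at-least-one-member-of, and shows that the question's labels yield Deny, while disjoint or differently-cased labels yield NotApplicable, since the policy contains only a Deny rule and no Permit rule. The AttributeIds, categories and data type are taken from the XML above; make_request is a constructed helper.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING = "http://www.w3.org/2001/XMLSchema#string"


def string_at_least_one_member_of(bag1, bag2):
    """XACML string-at-least-one-member-of: true when any value of bag1 is
    (case-sensitively) equal to some value of bag2."""
    return any(v in bag2 for v in bag1)


def bag(request_xml, category, attribute_id):
    """Collect the string AttributeValues of one attribute in one category;
    an absent attribute yields an empty bag, as MustBePresent="false" does."""
    root = ET.fromstring(request_xml)
    values = []
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall(f"{{{XACML}}}Attribute"):
            if attr.get("AttributeId") != attribute_id:
                continue
            values += [av.text for av in attr.findall(f"{{{XACML}}}AttributeValue")
                       if av.get("DataType") == STRING]
    return values


def evaluate_deny_if_same_content(request_xml):
    """Evaluate the answer's policy: a single Deny rule whose condition is
    stringAtLeastOneMemberOf(user.label, object.label). With no Permit rule,
    disjoint labels give NotApplicable rather than Permit."""
    user_label = bag(request_xml, SUBJECT_CAT, "com.axiomatics.user.label")
    object_label = bag(request_xml, RESOURCE_CAT, "com.axiomatics.object.label")
    return "Deny" if string_at_least_one_member_of(user_label, object_label) else "NotApplicable"


def make_request(subject_label, object_label):
    """Build a constructed XACML 3.0 request carrying both multi-valued labels;
    an empty label is omitted entirely, modelling an attribute that is not sent."""
    def attrs(category, attr_id, values):
        if not values:
            return ""
        avs = "".join(f'<AttributeValue DataType="{STRING}">{v}</AttributeValue>' for v in values)
        return (f'<Attributes Category="{category}"><Attribute AttributeId="{attr_id}" '
                f'IncludeInResult="false">{avs}</Attribute></Attributes>')
    return (f'<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">'
            + attrs(SUBJECT_CAT, "com.axiomatics.user.label", subject_label)
            + attrs(RESOURCE_CAT, "com.axiomatics.object.label", object_label)
            + "</Request>")
```

Feeding the same request to a real PDP loaded with the policy above should give the same decisions; a Permit for the disjoint case needs an explicit permit rule after the deny rule.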

Comments:

The Eclipse plugin (alfa-to-xacml) does not seem to recognize the apply firstApplicable in your example.

Did you include system.alfa in your Eclipse project?

Yes, I did. The problem was that I had defined denyOverrides earlier. Issue resolved, thanks!

Here is a good article on combining algorithms: axiomatics.com/blog/understanding-xacml-combining-algorithms
