如何在 XACML 中将两条规则合并为一条？

Question

如何结合这两条规则

(1) 任何用户都可以访问（读取、写入等）资源http://www.example.com/info1 和http://www.example.com/info2

(2) 对任何资源的任何读取操作（读取）只能由属于组 admin 和 manager 的用户访问。

在一个单一的？

到目前为止我所做的是：

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>Policy 1</Description>
    <Target />
    <!--Punto d.1,2-->
    <Rule Effect="Permit" RuleId="Rule Permit #1" >
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="Rule Deny #1" />
</Policy>

当任何具有任何操作（读、写等）的用户尝试访问这两个 URL 中的任何一个时，我如何将 Condition 设为可选？

而且，我如何验证当一个具有读取操作的访问请求时，它只能在用户（主题）属于组或管理员时访问？

Answer 1

有几种方法可以实现您的方案。最简单的可能是为您的策略创建一个结构。例如，您可能会说您有一个针对http://www.example.com/info1 的策略和另一个针对http://www.example.com/info2 的策略。每个策略都可以有读取、写入、删除的规则……或者，如果您不想指定任何操作，则可以跳过它。在您的情况下，您希望将读取限制为管理员和经理。

使用ALFA 语法，您可以：

namespace so{
    attribute group{
        category = subjectCat
        id = "group"
        type = string
    }
    // Standard XACML attributes e.g. resource-id
    import Attributes.*

    policyset resources{
        apply firstApplicable
        policy info1{            
            target clause resourceId == "http://www.example.com/info1"
            apply firstApplicable
            rule read{
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit 
            }
            // Add other rules for other actions here
        }
        policy info2{
            target clause resourceId == "http://www.example.com/info2"
            apply firstApplicable
            rule read{
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit 
            }
            // Add other rules for other actions here
        }
    }
}

也就是说，这并不能完全回答您的问题。首先，它没有组合在一个规则中（这样做不是很好，顺便说一句，我不会这样做 - 定义一个好的结构，它更易于管理）。在我的方法中，您必须明确列出所有其他操作。

这是另一种方法

policy allowAccess{
    target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
    apply firstApplicable
    rule allowRead{
        target clause group=="admin" and group=="manager" and Attributes.actionId=="read"
        permit
    }
    rule allowOtherActions{
        condition not(Attributes.actionId=="read")
        permit
    }
}

最终的精简版将是

policy allowAccess2{
    apply firstApplicable
    rule allow{
        target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
        condition (group=="admin" && group=="manager" && Attributes.actionId=="read") || (not(Attributes.actionId=="read"))
        permit
    }
}  

XACML 输出为：

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow">
        <xacml3:Description />
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="group"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="group"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                    </xacml3:Apply>
                </xacml3:Apply>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                </xacml3:Apply>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>