{"info":{"_postman_id":"6554748b-8871-4e83-8c4d-7ab315f9894a","name":"FIWARE XACML Rules","description":"

This tutorial introduces an additional security generic enabler - Authzforce\nand adds fine grained control to the security rules generated by Keyrock.\nAccess to the entities created in the\nprevious tutorial is now\nconfigured and controlled using an XACML access control policy - this creates a\nflexible ruleset which can be uploaded and reinterpreted on the fly so complex\nbusiness rules can be created and changed according to current circumstances.

The tutorial discusses code showing how to integrate Authzforce within a web\napplication and demonstrates examples of Authzforce XACML Server-PDP\ninteractions. cUrl commands are used to show the\ninteractions between generic enablers.

The docker-compose files for this tutorial can be found on GitHub:

$\"GitHub\"$ FIWARE 405: Ruleset Based Permissions

Ruleset Based Permissions

\n
\"Say: Come, I will rehearse what Allah hath prohibited you from:
\n
\n
Join not anything as equal with Him
\n
Be good to your parents
\n
Kill not your children on a plea of want - We provide sustenance for you\nand for them
\n
Come not nigh to shameful deeds. Whether open or secret
\n
Take not life, which Allah hath made sacred, except by way of justice\nand law
\n
\n
thus doth He command you, that ye may learn wisdom.\"
\n
— Quran 6.151, Sūrat al-Anʻām
\n

Previous tutorials have\nintroduced a simple access control system based on authentication (level 1) or\nbasic authorization access to resources based on a role (level 2). These\npolicies are easy to create, but the rules within them are very black and white,\nrules cannot rely on one another, have exception clauses or offer access based\non time limits or attribute values. There is also no mechanism to resolve\ndifferent rules in the case of conflict.

To satisfy a complex access control scenario, an additional arbitration\nmicroservice is required, which is able to come to a judgement on each\nPermit/Deny policy decision by reading and interpreting the full set of access\ncontrol rules, and based their judgement on the evidence provided by the\nrequesting service.

FIWARE Authzforce is a service\nwhich is able to provide such an interpretive Policy Decision Point (PDP). It is\nan advanced access control Generic Enabler which is able to interpret rules\nsupplied using the\nXACML standard.\nRulesets can be amended and uploaded at any time providing a flexible method to\nmaintain security policies which can change according to business need.\nFurthermore the language used to describe the access policy is designed to be\nhighly extensible and cover any access control scenario.

What is XACML

eXtensible Access Control Markup Language (XACML) is a vendor neutral\ndeclarative access control policy language. It was created to promote common\naccess control terminology and interoperability. The architectural naming\nconventions for elements such as Policy Execution Point (PEP) and Policy\nDecision Point (PDP) come from the XACML specifications.

XACML policies are split into a hierarchy of three levels - <PolicySet>,\n<Policy> and <Rule>, the <PolicySet> is a collection of <Policy>\nelements each of which contain one or more <Rule> elements.

Each <Rule> within a <Policy> is evaluated as to whether it should grant\naccess to a resource - the overall <Policy> result is defined by the overall\nresult of all <Rule> elements processed in turn. Separate <Policy> results\nare then evaluated against each other using combining alogorthms define which\n<Policy> wins in case of conflict.

A <Rule> element consists of a <Target> and a <Condition>. This is an\nexample <Rule>, it states access will be granted (Effect=\"Permit\") when a\nPOST request is sent to the /bell/ring endpoint, provided that the\nsubject:role has been provided and that the\nrole=security-role-0000-0000-000000000000 :

<Rule RuleId=\"alrmbell-ring-0000-0000-000000000000\" Effect=\"Permit\">\n  <Description>Ring Alarm Bell</Description>\n  <Target>\n    <AnyOf>\n      <AllOf>\n        <Match MatchId=\"urn:oasis:names:tc:xacml:1.0:function:string-equal\">\n          <AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">/bell/ring</AttributeValue>\n          <AttributeDesignator Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\" AttributeId=\"urn:thales:xacml:2.0:resource:sub-resource-id\" DataType=\"http://www.w3.org/2001/XMLSchema#string\" MustBePresent=\"true\" />\n        </Match>\n      </AllOf>\n    </AnyOf>\n    <AnyOf>\n      <AllOf>\n        <Match MatchId=\"urn:oasis:names:tc:xacml:1.0:function:string-equal\">\n          <AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">POST</AttributeValue>\n          <AttributeDesignator Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:action\" AttributeId=\"urn:oasis:names:tc:xacml:1.0:action:action-id\" DataType=\"http://www.w3.org/2001/XMLSchema#string\" MustBePresent=\"true\" />\n        </Match>\n      </AllOf>\n    </AnyOf>\n  </Target>\n  <Condition>\n    <Apply FunctionId=\"urn:oasis:names:tc:xacml:3.0:function:any-of\">\n      <Function FunctionId=\"urn:oasis:names:tc:xacml:1.0:function:string-equal\" />\n      <AttributeValue DataType=\"http://www.w3.org/2001/XMLSchema#string\">security-role-0000-0000-000000000000</AttributeValue>\n      <AttributeDesignator Category=\"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject\" AttributeId=\"urn:oasis:names:tc:xacml:2.0:subject:role\" DataType=\"http://www.w3.org/2001/XMLSchema#string\" MustBePresent=\"false\" />\n    </Apply>\n  </Condition>\n</Rule>\n

This is a very verbose method for creating a simple Verb-Resource access rule,\nbut unlike simple Verb-Resource rules, with XACML, other more complex\ncomparisons can be made, for example checking that time is before a certain hour\nof day, or checking that a URL starts with or contains a certain string.\nConditions can be specified down to the attribute level or combined to make\ncomplex calculations, for example - an XACML <Rule> could be created to apply\nthe following policy:

\n
A store manager is able to amend Product prices only the first of the month,\nand can only alter prices of products she or her immediate superior has\ncreated in the first place
\n

Such a <Rule> would require that the <Condition> includes separate\nclauses/clarifications for the following:

What is the User's role? (e.g. manager)
What action is being invoked? (e.g PATCH or PUT)
Which resource is being protected URL string? (e.g. /v2/entities)
What other information must be present in the body of the request? (e.g.\nEntity type must equal Product)
When is the resource being requested? (e.g. the current date)
What other additional information must be retrieved from elsewhere prior to\nmaking the request
- Who created the entity? Is it me or my manager?
\n

As you can see these rules can quickly become very complex. For this initial\nintroduction to XACML, the basic rule set used will be kept as simple as\npossible to avoid unnecessary confusion, suffice it to say that an access policy\nbased on XACML can be expanded to fit the security needs of any complex system.

Prerequisites

Docker

To keep things simple all components will be run using\nDocker. Docker is a container technology which\nallows to different components isolated into their respective environments.

To install Docker on Windows follow the instructions\nhere
To install Docker on Mac follow the instructions\nhere
To install Docker on Linux follow the instructions\nhere

Docker Compose is a tool for defining and running multi-container Docker\napplications. A\nYAML file\nis used configure the required services for the application. This means all\ncontainer services can be brought up in a single command. Docker Compose is\ninstalled by default as part of Docker for Windows and Docker for Mac, however\nLinux users will need to follow the instructions found\nhere

Cygwin

We will start up our services using a simple bash script. Windows users should\ndownload cygwin to provide a command-line\nfunctionality similar to a Linux distribution on Windows.

Architecture

This application adds level 3 Advanced Authorization security into the existing\nStock Management and Sensors-based application created in\nprevious tutorials and\nsecures access to the context broker behind a\nPEP Proxy. It will make use of\nfive FIWARE components - the\nOrion Context Broker,the\nIoT Agent for UltraLight 2.0,\nthe Keyrock Identity Manager,\nthe Wilma PEP Proxy and the\nAuthzforce XACML Server. All\naccess control decisions will be delegated to Authzforce which will read the\nruleset from a previously uploaded policy domain.

Both the Orion Context Broker and the IoT Agent rely on open source\nMongoDB technology to keep persistence of the\ninformation they hold. We will also be using the dummy IoT devices created in\nthe previous tutorial.\nKeyrock uses its own MySQL database.

Therefore the overall architecture will consist of the following elements:

The FIWARE\nOrion Context Broker which\nwill receive requests using\nNGSI
The FIWARE\nIoT Agent for UltraLight 2.0\nwhich will receive southbound requests using\nNGSI and convert\nthem to\nUltraLight 2.0\ncommands for the devices
FIWARE Keyrock offer a\ncomplement Identity Management System including:
- An OAuth2 authentication system for Applications and Users
- A site graphical frontend for Identity Management Administration
- An equivalent REST API for Identity Management via HTTP requests
\n
FIWARE Authzforce is a XACML\nServer providing an interpretive Policy Decision Point (PDP) access to the\nOrion and/or IoT Agent microservices
FIWARE Wilma is a PEP Proxy securing\naccess to the Orion microservices, it delegates the passing of\nauthorisation decisions to Authzforce PDP
The underlying MongoDB database :
- Used by the Orion Context Broker to hold context data information\nsuch as data entities, subscriptions and registrations
- Used by the IoT Agent to hold device information such as device URLs\nand Keys
\n
A MySQL database :
- Used to persist user identities, applications, roles and permissions
\n
The Stock Management Frontend does the following:
- Displays store information
- Shows which products can be bought at each store
- Allows users to \"buy\" products and reduce the stock count.
- Allows authorized users into restricted areas, it also delegates\nauthoriation decisions to the Authzforce PDP
\n
A webserver acting as set of\ndummy IoT devices using\nthe\nUltraLight 2.0\nprotocol running over HTTP - access to certain resources is restricted.

Since all interactions between the elements are initiated by HTTP requests, the\nentities can be containerized and run from exposed ports.

$\"\"$

The specific architecture of each section of the tutorial is discussed below.

Keyrock Configuration

keyrock:\n    image: fiware/idm\n    container_name: fiware-keyrock\n    hostname: keyrock\n    networks:\n        default:\n            ipv4_address: 172.18.1.5\n    depends_on:\n        - mysql-db\n        - authzforce\n    ports:\n        - \"3005:3005\"\n    environment:\n        - DEBUG=idm:*\n        - DATABASE_HOST=mysql-db\n        - IDM_DB_PASS_FILE=/run/secrets/my_secret_data\n        - IDM_DB_USER=root\n        - IDM_HOST=http://localhost:3005\n        - IDM_PORT=3005\n        - IDM_ADMIN_USER=alice\n        - IDM_ADMIN_EMAIL=alice-the-admin@test.com\n        - IDM_ADMIN_PASS=test\n        - IDM_PDP_LEVEL=advanced\n        - IDM_AUTHZFORCE_ENABLED=true\n        - IDM_AUTHZFORCE_HOST=authzforce\n        - IDM_AUTHZFORCE_PORT=8080\n    secrets:\n        - my_secret_data\n

The keyrock container is a web application server listening on a single port:

Port 3005 has been exposed for HTTP traffic so we can display the web page\nand interact with the REST API.

The keyrock container is connecting to Authzforce and is driven by\nenvironment variables as shown:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
IDM_PDP_LEVEL	`advanced`	Flag indicating that Keyrock should delegate PDP decisions to Authzforce
IDM_AUTHZFORCE_ENABLED	`true`	Flag indicating that Authzforce is available
IDM_AUTHZFORCE_HOST	`authzforce`	This is URL where the Authzforce is found
IDM_AUTHZFORCE_PORT	`8080`	Port that Authzforce is listening on

The other keyrock container configuration values described in the YAML file\nhave been described in previous tutorials

PEP Proxy Configuration

orion-proxy:\n    image: fiware/pep-proxy\n    container_name: fiware-orion-proxy\n    hostname: orion-proxy\n    networks:\n        default:\n            ipv4_address: 172.18.1.10\n    depends_on:\n        - keyrock\n        - authzforce\n    ports:\n        - \"1027:1027\"\n    expose:\n        - \"1027\"\n    environment:\n        - PEP_PROXY_APP_HOST=orion\n        - PEP_PROXY_APP_PORT=1026\n        - PEP_PROXY_PORT=1027\n        - PEP_PROXY_IDM_HOST=keyrock\n        - PEP_PROXY_HTTPS_ENABLED=false\n        - PEP_PROXY_IDM_SSL_ENABLED=false\n        - PEP_PROXY_IDM_PORT=3005\n        - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp\n        - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000\n        - PEP_PASSWORD=test\n        - PEP_PROXY_PDP=authzforce\n        - PEP_PROXY_AUTH_ENABLED=true\n        - PEP_PROXY_MAGIC_KEY=1234\n        - PEP_PROXY_AZF_PROTOCOL=http\n        - PEP_PROXY_AZF_HOST=authzforce\n        - PEP_PROXY_AZF_PORT=8080\n

The orion-proxy container is an instance of FIWARE Wilma listening on port\n1027, it is configured to forward traffic to orion on port 1026, which is\nthe default port that the Orion Context Broker is listening to for NGSI\nRequests.

The orion-proxy container is delegating PDP decisions to Authzforce and is\ndriven by environment variables as shown:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
PEP_PROXY_PDP	`authzforce`	Flag ensuring that the PEP Proxy uses Authzforce as a PDP
PEP_PROXY_AZF_PROTOCOL	`http`	Flag to enable use of the XACML PDP
PEP_PROXY_AZF_HOST	`authzforce`	This is URL where the Authzforce is found users
PEP_PROXY_AZF_PORT	`8080`	Port that Authzforce is listening on

The other orion-proxy container configuration values described in the YAML\nfile have been described in previous tutorials

Authzforce Configuration

authzforce:\n    image: fiware/authzforce-ce-server\n    hostname: authzforce\n    container_name: fiware-authzforce\n    networks:\n        default:\n            ipv4_address: 172.18.1.12\n    ports:\n        - \"8080:8080\"\n    volumes:\n        - ./authzforce/domains:/opt/authzforce-ce-server/data/domains\n

The authzforce container is listening on port 8080, where it receives\nrequests to make PDP decisions. A volume has been exposed to upload a\npre-configured domain so that a set of XACML access control policies has already\nbeen supplied.

Tutorial Security Configuration

tutorial:\n    image: fiware/tutorials.context-provider\n    hostname: tutorial\n    container_name: fiware-tutorial\n    networks:\n        default:\n            ipv4_address: 172.18.1.7\n    expose:\n        - \"3000\"\n        - \"3001\"\n    ports:\n        - \"3000:3000\"\n        - \"3001:3001\"\n    environment:\n        - \"DEBUG=tutorial:*\"\n        - \"WEB_APP_PORT=3000\"\n        - \"KEYROCK_URL=http://localhost\"\n        - \"KEYROCK_IP_ADDRESS=http://172.18.1.5\"\n        - \"KEYROCK_PORT=3005\"\n        - \"KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp\"\n        - \"KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret\"\n        - \"CALLBACK_URL=http://localhost:3000/login\"\n        - \"AUTHZFORCE_ENABLED=true\"\n        - \"AUTHZFORCE_URL=http://authzforce\"\n        - \"AUTHZFORCE_PORT=8080\"\n

The tutorial container is listening on two ports:

Port 3000 is exposed so we can see the web page displaying the Dummy IoT\ndevices.
Port 3001 is exposed purely for tutorial access - so that cUrl or Postman\ncan make UltraLight commands without being part of the same network.

The tutorial container is now secured by Authforce, and is driven by\nenvironment variables as shown:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Key	Value	Description
AUTHZFORCE_ENABLED	`true`	Flag to enable use of the XACML PDP
AUTHZFORCE_URL	`http://authzforce`	This is URL where the Authzforce is found users
AUTHZFORCE_PORT	`8080`	Port that Authzforce is listening on

The other tutorial container configuration values described in the YAML file\nhave been described in previous tutorials

Start Up

To start the installation, do the following:

git clone git@github.com:Fiware/tutorials.XACML-Access-Rules.git\ncd tutorials.XACML-Access-Rules\n\n./services create\n

\n
Note The initial creation of Docker images can take up to three minutes
\n

Thereafter, all services can be initialized from the command-line by running the\nservices\nBash script provided within the repository:

./services start\n

\n
:information_source: Note: If you want to clean up and start over again\nyou can do so with the following command:
\n
./services stop\n
\n

Dramatis Personae

The following people at test.com legitimately have accounts within the\nApplication

Alice, she will be the Administrator of the Keyrock Application
Bob, the Regional Manager of the supermarket chain - he has several store\nmanagers under him:
- Manager1
- Manager2
\n
Charlie, the Head of Security of the supermarket chain - he has several\nstore detectives under him:
- Detective1
- Detective2
\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	eMail	Password
alice	alice-the-admin@test.com	`test`
bob	bob-the-manager@test.com	`test`
charlie	charlie-security@test.com	`test`
manager1	manager1@test.com	`test`
manager2	manager2@test.com	`test`
detective1	detective1@test.com	`test`
detective2	detective2@test.com	`test`

The following people at example.com have signed up for accounts, but have no\nreason to be granted access

Eve - Eve the Eavesdropper
Mallory - Mallory the malicious attacker
Rob - Rob the Robber

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	eMail	Password
eve	eve@example.com	`test`
mallory	mallory@example.com	`test`
rob	rob@example.com	`test`

","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[{"content":"Ruleset Based Permissions","slug":"ruleset-based-permissions"},{"content":"Prerequisites","slug":"prerequisites"},{"content":"Architecture","slug":"architecture"},{"content":"Start Up","slug":"start-up"}],"owner":"513743","collectionId":"6554748b-8871-4e83-8c4d-7ab315f9894a","publishedId":"RznBPLzn","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF7059"},"publishDate":"2020-01-02T11:11:33.000Z"},"item":[{"name":"Reading XACML Access Rules","item":[{"name":"Authzforce - Obtain Version Information","id":"6b8adac5-0ff6-45aa-9818-22db2d27f438","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Accept","value":"application/xml","type":"text"}],"url":"http://localhost:8080/authzforce-ce/version","description":"

Once Authzforce is running, you can check the status by making an HTTP\nrequest to the exposed administration port (usually 8080. If the response is\nblank, this is usually because Authzforce is not running or is listening on\nanother port.

The response returns information about the version of Authzforce.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","version"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"6b8adac5-0ff6-45aa-9818-22db2d27f438"},{"name":"List all domains","id":"6f24ebcf-eaa2-4a7f-815c-f419d9ab97a7","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:8080/authzforce-ce/domains","description":"

To request domain information from Authzforce, make a request to the\n/authzforce-ce/domains endpoint.

The response lists the domains which are available in Authzforce. This\ncorresponds to the directory structure uploaded to Authzforce on start-up.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"6f24ebcf-eaa2-4a7f-815c-f419d9ab97a7"},{"name":"Read a single domain","id":"8eba82d9-91bf-4e79-ac0f-66c04f03c229","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA","description":"

To read information about a domain, and to explore further, make a request to\nthe authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA endpoint. The following request\nobtains information about the gQqnLOnIEeiBFQJCrBIBDA domain, which has been\ngenerated using using a random key by an external Policy Adminstration Point in\nthis case Keyrock has been used as the PAP, and pre-generated the rule sets.

The response lists more information about the domain, including the id used\nwithin Keyrock (tutorial-dckr-site-0000-xpresswebapp)

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"8eba82d9-91bf-4e79-ac0f-66c04f03c229"},{"name":"List all PolicySets available within a Domain","id":"051f9200-52bb-4fa5-ac8a-da515dfc6889","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies","description":"

To list the generated ids for all of the PolicySets found within a domain make a\nrequest to the authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies endpoint. The\nfollowing request obtains a list of a given policy ids found within the\ngQqnLOnIEeiBFQJCrBIBDA domain.

The response returns a list of available revisions of the given policy which are\navailable within. the Authzforce container. This corresponds the named XML\nfiles 1.xml, 2.xml etc.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pap","policies"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"051f9200-52bb-4fa5-ac8a-da515dfc6889"},{"name":"List the available revisions of a PolicySet","id":"9e04e292-b976-4dc5-8f07-37ae25f31f3e","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c","description":"

To list the available revisions of a policy, make a request to the\nauthzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c endpoint.\nAvailable policy id are randomly generated, and can be obtained by drilling down\nusing the previous request. The following request obtains a list revision of a\ngiven policy found within the gQqnLOnIEeiBFQJCrBIBDA domain.

The response returns a list of available revisions of the given policy which are\navailable within the Authzforce container. This corresponds the named XML\nfiles 1.xml, 2.xml etc.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pap","policies","f8194af5-8a07-486a-9581-c1f05d05483c"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"9e04e292-b976-4dc5-8f07-37ae25f31f3e"},{"name":"Read a single version of a PolicySet","id":"042b20b8-93e7-4f01-9e04-246f3719819e","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c/2","description":"

To obtain a single revison of a <PolicySet>, make a request to the\nauthzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c/{{revision-number}}\nendpoint. The following request obtains the second revision of the given policy\nfound within the gQqnLOnIEeiBFQJCrBIBDA domain.

The response contains the full <PolicySet> for the given revision. This is a\ncopy of\nthe file\nheld within Authzforce.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pap","policies","f8194af5-8a07-486a-9581-c1f05d05483c","2"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"042b20b8-93e7-4f01-9e04-246f3719819e"}],"id":"34a57f1e-4fbd-4d2f-9c56-c559e278d8bb","description":"

A single XACML server can be used to administrate access control policies for\nmultiple applications. Authzforce is implicitly multi-tenant, in that it\nallows separate organizations to work on their policies in isolation from one\nanother. This is done by separating the security policies for each application\ninto a separate domain where they can access their own <PolicySets>. A\ndomain holds meta data about the secured application along with versions of the\npolicies themselves (effectively a series of files which can be accessed by a\nfile server). The domain management API can be used to query Authzforce\nabout the domains served and policies held.

\n","event":[{"listen":"prerequest","script":{"id":"a4c41e34-093d-4739-b5e1-13736c5a803c","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"62d13514-54db-4270-a2c2-beed012e7404","type":"text/javascript","exec":[""]}}],"_postman_id":"34a57f1e-4fbd-4d2f-9c56-c559e278d8bb"},{"name":"Requesting Policy Decisions","item":[{"name":"Permit Access to a Resource","id":"b4cbbdc9-18c9-4db9-bf68-602e5c7715da","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/xml","type":"text"}],"body":{"mode":"raw","raw":"\n\n \n \n managers-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /app/price-change\n \n \n \n \n GET\n \n \n \n"},"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp","description":"

To request a decision from Authzforce, make a POST requets to the\ndomains/{domain-id}/pdp endpoint. In this case the user has the\nmanagers-role-0000-0000-000000000000 and is requesting access the the\n/app/price-change resource.

The managers-role-0000-0000-000000000000 permits access to the\n/app/price-change endpoint. The response for a successful request includes a\n<Decision> element to Permit access to the resource.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pdp"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"b4cbbdc9-18c9-4db9-bf68-602e5c7715da"},{"name":"Deny Access to a Resource","id":"71a148b9-d998-48f6-ae9b-4a7a0c58552f","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/xml","type":"text"}],"body":{"mode":"raw","raw":"\n\n \n \n security-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /app/price-change\n \n \n \n \n GET\n \n \n \n"},"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp","description":"

To request a decision from Authzforce, make a POST requets to the\ndomains/{domain-id}/pdp endpoint. In this case the user has the\nsecurity-role-0000-0000-000000000000 and is requesting access the the\n/app/price-change resource.

The security-role-0000-0000-000000000000 does not permit access to the\n/app/price-change endpoint. The response for an unsuccessful request includes\na <Decision> element which will Deny access to the resource.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pdp"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"71a148b9-d998-48f6-ae9b-4a7a0c58552f"}],"id":"08d23e31-e200-47e9-907d-137a1940d550","description":"

For the purpose of this tutorial, Authzforce has been just been supplied\nwith a simple set of basic role-based rules in a similar fashion to the level 2\nauthorization example found in the previous Securing Access tutorial:

The unlock door command can only be sent by Security staff.
Access to the price-change and order-stock areas are only available to\nManagers
People with either the Manager or Security role can ring the bell
Both Manager or Security can access and interact with the store data

The only difference is that access to all store entities is now restricted to\nusers with an assigned role rather than being based on level 1 authentication\naccess.

To request a decision from Authzforce, a structured request containing all\nrelevant information must be sent to the domains/{domain-id}/pdp endpoint. In\nthis case, the Body of the request includes information such as the roles that\nthe User has, the application id that is being requested\n(tutorial-dckr-site-0000-xpresswebapp) and the HTTP verb and resource that are\nbeing requested ( a GET request on the /app/price-change URL). Obviously the\ninformation passed in the Body can be expanded as the rules become more complex.

\n","event":[{"listen":"prerequest","script":{"id":"7b40d496-0a0f-424d-a300-d7a4c7946cf7","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"121f1a38-45b2-4245-9fdc-97dfd34c1f5b","type":"text/javascript","exec":[""]}}],"_postman_id":"08d23e31-e200-47e9-907d-137a1940d550"},{"name":"PDP - Advanced Authorization","item":[{"name":"Keyrock - User Obtains an Access Token","id":"bcf98c37-9e73-4ec6-8bbb-2e5e54686af6","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==","description":"

base64 concatenation of Client Id and Client Secret

\n"},{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"Accept","value":"application/json"}],"body":{"mode":"raw","raw":"username=bob-the-manager@test.com&password=test&grant_type=password"},"url":"http://localhost:3005/oauth2/token","description":"

In order to identify themselves, every user must obtain an access token, in\norder to do so, they must use one of the OAuth2 access grants described in a\nprevious tutorial.

To log in using the user-credentials flow send a POST request to the\noauth2/token endpoint of Keyrock with the grant_type=password

The response returns an access_token to identify the user (in this case Bob\nthe Manager)

\n","urlObject":{"protocol":"http","path":["oauth2","token"],"host":["localhost:3005"],"query":[],"variable":[]}},"response":[],"_postman_id":"bcf98c37-9e73-4ec6-8bbb-2e5e54686af6"},{"name":"Keyrock - Obtain Roles and Domain","id":"59184bac-1fa0-4fa4-985e-62a707d0c726","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"http://localhost:3005/user?access_token=1b88827586409b3b4dc67378e6b945c99b94c6cf&app_id=tutorial-dckr-site-0000-xpresswebapp&authzforce=true","description":"

If a user has logged in, the access_token can be used in combiniation with the /user endpoint\nto obtain access permissions to a resouce. This example retrieves Bobs's permissions to a given\nresource.

Where :

{{access-token}} is the current access token of a logged in user (e.g.\n08fef363c429cb34cfff3f56dfe751a8d1890690)
tutorial-dckr-site-0000-xpresswebapp holds the application to request\ntutorial-dckr-site-0000-xpresswebapp and authzforce=true indicates that\nwe want to obtain an Authzforce Domain from Keyrock

The response include an authorization_decision attribute which denies direct\naccess for the request, but includes additional information so that an\nadditional request a decision from Authzforce

In the example below the access token used belonged to Bob the manager, and his\nroles and the app_azf_domain associated to the app-id are returned.

\n","urlObject":{"protocol":"http","path":["user"],"host":["localhost:3005"],"query":[{"key":"access_token","value":"1b88827586409b3b4dc67378e6b945c99b94c6cf"},{"key":"app_id","value":"tutorial-dckr-site-0000-xpresswebapp"},{"key":"authzforce","value":"true"}],"variable":[]}},"response":[],"_postman_id":"59184bac-1fa0-4fa4-985e-62a707d0c726"},{"name":"Authzforce - Apply a Policy to a Request","id":"d260afa1-4c85-4306-af9a-cf37541dc96b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/xml","type":"text"}],"body":{"mode":"raw","raw":"\n\n \n \n managers-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /v2/entities\n \n \n \n \n POST\n \n \n \n"},"url":"http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp","description":"

To request a decision from Authzforce, a structured request containing all\nrelevant information must be sent to the domains/{domain-id}/pdp endpoint. In\nthis case, the Body of the request includes information such as the roles that\nthe User has (managers-role-0000-0000-000000000000), the application id that\nis being requested (tutorial-dckr-site-0000-xpresswebapp) and the HTTP verb\nand resource that are being requested ( a POST request on the /v2/entities\nURL)

The response includes a <Decision> element which will either Permit or\nDeny the request.

\n","urlObject":{"protocol":"http","path":["authzforce-ce","domains","gQqnLOnIEeiBFQJCrBIBDA","pdp"],"host":["localhost:8080"],"query":[],"variable":[]}},"response":[],"_postman_id":"d260afa1-4c85-4306-af9a-cf37541dc96b"}],"id":"2a70896b-9f08-4b9a-8c83-e4864ccf797b","description":"

As a reminder, there are three Levels of PDP Access Control:

Level 1: Authentication Access - Allow all actions to every signed in user\nand no actions to an anonymous user.
Level 2: Basic Authorization - Check which resources and verbs the currently\nlogged in user should have access to
Level 3: Advanced Authorization - Fine grained control through\nXACML

Within FIWARE, Level 3 access control can be provided by adding Authzforce\nto the existing security microservices (IDM and PEP Proxy) within the Smart\nApplication infrastructure. Access control levels 1 and 2 have been covered in\nprevious tutorials and\ncan be fulfilled using Keyrock alone or with or without an associated PEP\nProxy.

Advanced Authorization is able to deal with complex rulesets. Permissions are no\nlonger merely based on a fixed role, resource and an action, but can be extended\nas necessary.

For example users in role XXX can access URL starting with YYY provided\nthat the HTTP verb is either GET, PUT or POST. Such users may also\nDELETE provided that they were the creator in the first place.

Within the tutorial programatic example we are using our own trusted instance of\nKeyrock - once a user has signed in and obtained an access_token, the\naccess_token can be stored in session and used to retrieve user details on\ndemand. All access to the Orion context broker is hidden behind a PEP Proxy.\nWhenever a request is made to Orion, the access_token is passed in the header\nof the request, and the PEP proxy handles the decision to whether to execute the\nrequest.

\n","event":[{"listen":"prerequest","script":{"id":"d0b2c33c-4bd4-4144-b0c4-6ff68f7c4b51","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"1c0f1529-fe24-44cf-a947-6cc4d9132580","type":"text/javascript","exec":[""]}}],"_postman_id":"2a70896b-9f08-4b9a-8c83-e4864ccf797b"},{"name":"Advanced Authorization - Sample Code","item":[],"id":"5c0fb346-ffee-4564-aea1-c77e217ff41f","description":"

Programmatically, any Policy Execution Point consists of two parts, an oAuth\nrequest to Keyrock retrieves information about the user (such as the assigned\nroles) as well as the policy domain to be queried.

A second request is sent to the relevant domain endpoint within Authzforce,\nproviding all of the information necessary for Authzforce to provide a\njudgement. Authzforce responds with a permit or deny response, and the\ndecision whether to continue can be made thereafter.

function authorizeAdvancedXACML(req, res, next, resource = req.url) {\n    const keyrockUserUrl =\n        \"http://keyrock/user?access_token=\" +\n        req.session.access_token +\n        \"&app_id=\" +\n        clientId +\n        \"&authzforce=true\";\n\n    return oa\n        .get(keyrockUserUrl)\n        .then(response => {\n            const user = JSON.parse(response);\n            return azf.policyDomainRequest(\n                user.app_azf_domain,\n                user.roles,\n                resource,\n                req.method\n            );\n        })\n        .then(authzforceResponse => {\n            res.locals.authorized = authzforceResponse === \"Permit\";\n            return next();\n        })\n        .catch(error => {\n            debug(error);\n            res.locals.authorized = false;\n            return next();\n        });\n}\n

The full code to supply each request to Authzforce can be found within the\ntutorials'\nGit Repository -\nthe actual information to supply will depend on business use case - it could be\nexpanded to include temporal information, relationships between records and so\non, but in this very simple example only roles are necessary.

const xml2js = require(\"xml2js\");\nconst request = require(\"request\");\n\nfunction policyDomainRequest(domain, roles, resource, action) {\n    let body =\n        '<?xml version=\"1.0\" encoding=\"UTF-8\"?>\\n' +\n        '<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\" CombinedDecision=\"false\" ReturnPolicyIdList=\"false\">\\n';\n    // Code to create the XML body for the request is omitted\n    body = body + \"</Request>\";\n\n    const options = {\n        method: \"POST\",\n        url: \"http://authzforceUrl/authzforce-ce/domains/\" + domain + \"/pdp\",\n        headers: { \"Content-Type\": \"application/xml\" },\n        body\n    };\n\n    return new Promise((resolve, reject) => {\n        request(options, function(error, response, body) {\n            let decision;\n            xml2js.parseString(\n                body,\n                { tagNameProcessors: [xml2js.processors.stripPrefix] },\n                function(err, jsonRes) {\n                    // The decision is found within the /Response/Result[0]/Decision[0] XPath\n                    decision = jsonRes.Response.Result[0].Decision[0];\n                }\n            );\n            decision = String(decision);\n            return error ? reject(error) : resolve(decision);\n        });\n    });\n}\n

Advanced Authorization - PEP Proxy

Applying advanced authorization within a PEP proxy requires very similar code to\nthe programmatic example described above. The Wilma generic enabler extracts\na token from the header supplied by the request and makes a request to\nKeyrock to obtain further information about the user. A PDP request is then\nmade to Authzforce to decide whether to procede.

Obviously any scalable solution should also cache information about the PDP\nrequests made and the responses to avoid making unnecessary requests.

PDP - Advanced Authorization - Running the Example

\n
Note Five resources have been secured at level 3:
\n
\n
sending the unlock door command
\n
sending the ring bell command
\n
access to the price-change area
\n
access to the order-stock area
\n
access to Orion (behind a PEP Proxy)
\n
\n

Eve the Eavesdropper

Eve has an account, but no roles in the application.

\n
Note As Eve has a recognized account, she gains full authentication\naccess. This means she is able to view the Store page, even though her\naccount has no roles attached.
\n

From http://localhost:3000, log in as eve@example.com with the password\ntest

Level 3 : Advanced Authorization Access

Click on any store page - access to view the page is permitted for any\nlogged in users, however access to retrieve Orion data is now denied\nsince Eve has no role which permits access.
\n
Click on the restricted access links at http://localhost:3000 - access is\ndenied
\n
Open the Device Monitor on http://localhost:3000/device/monitor
\n
- Unlock a door - access is denied
- Ring a bell - access is denied
\n

Bob The Regional Manager

Bob has the management role

From http://localhost:3000, log in as bob-the-manager@test.com with the\npassword test

Level 3 : Advanced Authorization Access

Click on the restricted access links at http://localhost:3000 - access is\npermitted - This is a management only permission
Open the Device Monitor on http://localhost:3000/device/monitor
- Unlock a door - access is denied. - This is a security only\npermission
- Ring a bell - access is permitted - This is permitted to management\nusers
\n

Charlie the Security Manager

Charlie has the security role

From http://localhost:3000, log in as charlie-security@test.com with the\npassword test

Level 3: Advanced Authorization Access

Click on the restricted access links at http://localhost:3000 - access is\ndenied - This is a management only permission
Open the Device Monitor on http://localhost:3000/device/monitor
- Unlock a door - access is permitted - This is a security only\npermission
- Ring a bell - access is permitted - This is permitted to security\nusers
\n

\n","_postman_id":"5c0fb346-ffee-4564-aea1-c77e217ff41f"}],"event":[{"listen":"prerequest","script":{"id":"bf821021-7bc2-471e-9ab7-a55ecb9e663f","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"1269e342-1093-4844-83cb-f8fed192c512","type":"text/javascript","exec":[""]}}],"variable":[{"key":"authzforce","value":"localhost:8080"},{"key":"keyrock","value":"localhost:3005"},{"key":"domain-id","value":"gQqnLOnIEeiBFQJCrBIBDA"},{"key":"policy-id","value":"f8194af5-8a07-486a-9581-c1f05d05483c"},{"key":"Authorization","value":"dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA=="},{"key":"access-token-bob","value":"1b88827586409b3b4dc67378e6b945c99b94c6cf"},{"key":"app-id","value":"tutorial-dckr-site-0000-xpresswebapp"}]}