pdp.xsd 18.9 KB
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/3.6" elementFormDefault="qualified"
	xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"  version="3.6.4">
	<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
	<import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
	<annotation>
		<documentation xml:lang="en">
			Data model of AuthZForce PDP configuration.
			<p> For any such configuration (XML) file (instance of this schema) loaded, AuthZForce PDP configuration handler sets the global variable 'PARENT_DIR' to the path to the parent directory of this
				XML configuration file, so that any placeholder ${PARENT_DIR} is replaced with this value, and may be used in text nodes to specify file paths relative to the configuration file for instance. If
				the location to the configuration file is not resolved to a file on the file system, 'PARENT_DIR' is undefined. You may use the colon ':' as a separating character between the placeholder variable
				and an associated default value, if PARENT_DIR is initially undefined. E.g. ${PARENT_DIR:/home/foo/conf} will be replaced with '/home/foo/conf' if PARENT_DIR is undefined.
			</p>
			<p>
				XML schema versioning: the 'version' attribute of the root 'schema' element identifies the Major.Minor.Patch version of this schema. The Major.Minor part must match the Major.Minor part of the
				first compatible version of authzforce-ce-core library. The Patch version is used for any backwards-compatible change. The Minor version is incremented after any change that is NOT
				backwards-compatible. (As a result, the authzforce-ce-core library's minor version is incremented as well.)
				The Major.Minor version part must be part of the target namespace - but not the Patch
				version - to separate namespaces that are not backwards-compatible.
			</p>
		</documentation>
	</annotation>
	<element name="attributeProvider" type="authz-ext:AbstractAttributeProvider">
		<annotation>
			<documentation>Attribute Provider that provides attributes not already provided in the XACML request by the PEP, e.g. from external sources. There must be one and only one Java class - say
				'com.example.FooAttributeProviderModuleFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.CloseableAttributeProviderModule.FactoryBuilder&lt;CONF_T&gt;' with zero-arg constructor,
				where CONF_T is the JAXB type bound to this XML element type. This Attribute Provider may also depend on previously defined 'attributeProviders' to find dependency attributes, i.e. attributes that
				this Provider does not support itself but requires in order to find its supported attributes. Therefore, if an 'attributeProvider' AFy requires/depends on an attribute A that is not to be provided by the
				PEP, another 'attributeProvider' AFx providing this attribute A must be declared before AFy.
			</documentation>
		</annotation>
	</element>
	<element name="pdp">
		<complexType>
			<sequence>
				<element name="attributeDatatype" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of an attribute datatype to be added to supported datatypes. There must be one and only one Java class - say 'com.example.FooValueFactory' - on the classpath implementing
							interface 'org.ow2.authzforce.core.pdp.api.value.DatatypeFactory' with zero-arg constructor, such that this URI equals: new com.example.FooValueFactory().getId().
						</documentation>
					</annotation>
				</element>
				<element name="function" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a function to be added to supported functions. There must be one and only one Java class - say 'com.example.FooFunction' - on the classpath implementing interface
							'org.ow2.authzforce.core.pdp.api.func.Function' with zero-arg constructor, such that this URI equals: new com.example.FooFunction().getId().
						</documentation>
					</annotation>
				</element>
				<element name="functionSet" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a set of functions to be added to supported functions. There must be one and only one Java class - say 'com.example.FooFunctionSet' - on the classpath implementing
							interface 'org.ow2.authzforce.core.pdp.api.func.FunctionSet' with zero-arg constructor, such that this URI equals: new com.example.FooFunctionSet().getId().
						</documentation>
					</annotation>
				</element>
				<element name="combiningAlgorithm" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say 'com.example.FooCombiningAlg' - on the classpath
							implementing interface 'org.ow2.authzforce.core.pdp.api.combining.CombiningAlg' with zero-arg constructor, such that this URI equals: new com.example.FooCombiningAlg().getId().
						</documentation>
					</annotation>
				</element>
				<element ref="tns:attributeProvider" maxOccurs="unbounded" minOccurs="0" />
				<element name="refPolicyProvider" type="authz-ext:AbstractPolicyProvider" minOccurs="0" maxOccurs="1">
					<annotation>
						<documentation>Referenced policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class - say 'com.example.FooRefPolicyProviderModuleFactory' - on the
							classpath implementing interface 'org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule.Factory&lt;CONF_T&gt;' with zero-arg constructor, where CONF_T is the JAXB type bound to
							this XML element type. This referenced policy Provider may also use any of the 'refPolicyProvider' previously defined, if any, for Policy(Set)IdReference resolution, as some IdReferences may
							not be supported by this Provider. This element is not required if root policies found by the 'rootPolicyProvider' are always Policy elements, and not PolicySet elements.
						</documentation>
					</annotation>
				</element>
				<element name="rootPolicyProvider" type="authz-ext:AbstractPolicyProvider">
					<annotation>
						<documentation>Root/top-level policy Provider that provides the root/top-level Policy(Set) to the PDP for evaluation. There must be one and only one Java class - say
							'com.example.FooRootPolicyProviderModuleFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.policy.RootPolicyProviderModule.Factory&lt;CONF_T&gt;' with zero-arg
							constructor, where CONF_T is the JAXB type bound to this XML element type. This class may also implement
							'org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule.Factory&lt;CONF_T&gt;' to be used as 'refPolicyProvider' as well. This policy Provider may also use any of the
							'refPolicyProvider' previously defined, if any, for Policy(Set)IdReference resolution.
						</documentation>
					</annotation>
				</element>
				<element name="decisionCache" minOccurs="0" maxOccurs="1" type="authz-ext:AbstractDecisionCache">
					<annotation>
						<documentation>Decision Response cache that, for a given request, provides the XACML response from a cache if there is a cached response for the given request. There must be one and only one
							Java class - say 'com.example.FooDecisionCacheFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;' with zero-arg constructor,
							where CONF_T is the JAXB type bound to this XML element type.
						</documentation>
					</annotation>
				</element>
			</sequence>
			<attribute name="version" type="token" use="required">
				<annotation>
					<documentation>Version of the current schema for which the instance document is valid. Must match the 'version' attribute value of the root 'schema' element in the corresponding version of this
						schema.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardDatatypes" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard attribute datatypes.</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardFunctions" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard mandatory functions.</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardCombiningAlgorithms" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard combining algorithms.</documentation>
				</annotation>
			</attribute>
			<attribute name="enableXPath" type="boolean" use="optional" default="false">
				<annotation>
					<documentation>Enable support for AttributeSelectors and the xpathExpression datatype. This overrides the 'useStandardDatatypes' parameter, i.e. xpathExpression is not supported anyway if 'enableXPath'
						is false. This feature is experimental (not to be used in production) and may have a negative impact on performance. Use with caution. For your information, AttributeSelector and xpathExpression
						datatype support is marked as optional in the XACML 3.0 core specification.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="strictAttributeIssuerMatch" type="boolean" use="optional" default="false">
				<annotation>
					<documentation>Enable strict Attribute Issuer matching, i.e. AttributeDesignators without Issuer only match request Attributes without Issuer (and same AttributeId, Category...). This mode is not
						fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on an AttributeDesignator; but it performs better and is recommended when all AttributeDesignators have an
						Issuer (best practice). Reminder: the XACML 3.0 specification for AttributeDesignator evaluation (5.29) says: "If the Issuer is not present in the attribute designator, then the matching of the
						attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
					</documentation>
				</annotation>
			</attribute>
			<attribute name="maxVariableRefDepth" type="nonNegativeInteger" use="optional">
				<annotation>
					<documentation>Maximum depth of Variable reference chaining: VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...; where '-&gt;' represents a VariableReference.</documentation>
				</annotation>
			</attribute>
			<attribute name="maxPolicyRefDepth" type="nonNegativeInteger" use="optional">
				<annotation>
					<documentation>Maximum depth of Policy(Set) reference chaining: PolicySet1 -&gt; PolicySet2 -&gt; ... -&gt; Policy(Set)N; where '-&gt;' represents a Policy(Set)IdReference.</documentation>
				</annotation>
			</attribute>
			<attribute name="requestFilter" type="anyURI" use="optional" default="urn:ow2:authzforce:feature:pdp:request-filter:default-lax">
				<annotation>
					<documentation>
						<p>URI of a XACML Request filter to be enabled. A XACML Request filter is a PDP extension that applies some processing of the request, such as validation and transformation, prior to the policy
							evaluation. As an example of validation, a Request filter may reject a request containing an unsupported XACML element. As an example of transformation, it may support the MultiRequests
							element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile, by creating multiple Individual Decision Requests from the original XACML request, as defined in the XACML
							Multiple Decision Profile specification, section 2, and then calling the policy evaluation engine for each Individual Decision Request. At the end, the results (one per Individual Decision
							Request) may be combined by a DecisionCombiner specified by the next attribute 'decisionCombiner'.
						</p>
						<p>There must be one and only one Java class - say 'com.example.FooRequestFilter' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.RequestFilter' with zero-arg
							constructor, such that this URI equals: new com.example.FooRequestFilter().getId().</p>
						<p>If the configuration parameter 'enableXPath' is true, it is the responsibility of the RequestFilter to parse XACML Request/Attributes/Content nodes. If the configuration parameter
							'strictAttributeIssuerMatch' is true, it is the responsibility of the RequestFilter to keep values of Attributes with Issuer separate from values of Attributes without Issuer, in the attribute
							map returned by getNamedAttributes() on the IndividualDecisionRequests produced by the RequestFilter.</p>
						<p>The following values of 'requestFilter' are natively supported:</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:default-lax": implements only XACML 3.0 Core (NO support for Multiple Decision) and allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request
							(complying with XACML 3.0 core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:default-strict": implements only XACML 3.0 Core (NO support for Multiple Decision) and does not allow duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request
							(NOT complying with XACML 3.0 core spec, §7.3.3, but better performance)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax": implements Multiple Decision Profile, section 2.3 (repeated attribute categories), and allows duplicate &lt;Attribute&gt; with same meta-data in the same
							&lt;Attributes&gt; element of a Request (complying with XACML 3.0 core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-strict": same as the previous one, except it does not allow duplicate &lt;Attribute&gt; with same meta-data in the same
							&lt;Attributes&gt; element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performance)</p>
					</documentation>
				</annotation>
			</attribute>
			<attribute name="resultFilter" type="anyURI" use="optional">
				<annotation>
					<documentation>URI of a XACML decision Result filter to be enabled. A decision Result filter is a PDP extension that processes the result(s) from the policy evaluation before the final XACML
						Response is created (and returned to the requester). For example, a typical Result filter may combine multiple individual decisions - produced by the 'requestFilter' - into a single decision
						Result if and only if the XACML Request's 'CombinedDecision' is set to true, as defined in XACML Multiple Decision Profile specification, section 3. There must be one and only one Java class -
						say 'com.example.FooDecisionResultFilter' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.DecisionResultFilter' with zero-arg constructor, such that this URI equals:
						new com.example.FooDecisionResultFilter().getId().
					</documentation>
				</annotation>
			</attribute>
		</complexType>
		<key name="datatypeKey">
			<selector xpath="tns:attributeDatatype" />
			<field xpath="." />
		</key>
		<key name="functionKey">
			<selector xpath="tns:function" />
			<field xpath="." />
		</key>
		<key name="functionSetKey">
			<selector xpath="tns:functionSet" />
			<field xpath="." />
		</key>
		<key name="algorithmKey">
			<selector xpath="tns:combiningAlgorithm" />
			<field xpath="." />
		</key>
		<key name="refPolicyProviderKey">
			<selector xpath="tns:refPolicyProvider" />
			<field xpath="@id" />
		</key>
		<key name="attributeProviderKey">
			<selector xpath="tns:attributeProvider" />
			<field xpath="@id" />
		</key>
	</element>
	<complexType name="StaticRootPolicyProvider">
		<annotation>
			<documentation>PolicyProvider loading root policies statically from URLs.</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<attribute name="policyLocation" type="anyURI" use="required">
					<annotation>
						<documentation>Location of an XML file that is expected to contain the root (aka top-level) Policy or PolicySet. Use the global property 'PARENT_DIR' for paths under the parent directory to the
							XML file where this is used.
						</documentation>
					</annotation>
				</attribute>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefPolicyProvider">
		<annotation>
			<documentation>Policy(Set)IdReference Provider loading policies statically from URLs. Any PolicyIdReference used in a PolicySet here must refer to a Policy loaded here as well. Besides, a PolicySet
				P1 must be loaded before any other PolicySet P2 with a reference (PolicySetIdReference) to P1. As PolicySets are loaded in the order of declaration of policyLocations, the order matters for
				PolicySetIdReference resolution.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element name="policyLocation" type="anyURI" minOccurs="1" maxOccurs="unbounded">
						<annotation>
							<documentation>Location of the XML file that is expected to contain the Policy or PolicySet element to be referenced by a Policy(Set)IdReference in the root PolicySet loaded by a root policy
								Provider. The location may also be a file pattern in the following form: "file://DIRECTORY_PATH/*SUFFIX", using wildcard character '*'; in which case the location is expanded to all regular
								files (not subdirectories) in the directory located at DIRECTORY_PATH with suffix SUFFIX (there may not be a SUFFIX; in other words, SUFFIX may be an empty string). The files are
								NOT searched recursively in sub-directories. Use the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory of the XML file where this is used.
							</documentation>
						</annotation>
					</element>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefBasedRootPolicyProvider">
		<annotation>
			<documentation>
				Static Root Policy Provider based on the RefPolicyProvider, i.e. the root policy is a PolicySet retrieved using the RefPolicyProvider (mandatory in this case).
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element name="policyRef" type="xacml:IdReferenceType" />
				</sequence>
			</extension>
		</complexContent>
	</complexType>
</schema>
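Added example, not part of the AuthZForce project or of this schema: a small Python loader that parses a constructed instance of pdp.xsd, applies the `${PARENT_DIR}` / `${PARENT_DIR:default}` placeholder rules from the schema annotation (including the case where the configuration was not loaded from a file, so PARENT_DIR is undefined), and enforces the documented rule that the instance 'version' must equal the schema's 'version'. It assumes the 'id' attribute on the provider elements is defined by authz-ext:AbstractPolicyProvider in the imported ext schema, as the <key> constraints above select '@id'.

```python
import re
import xml.etree.ElementTree as ET

PDP_NS = "http://authzforce.github.io/core/xmlns/pdp/3.6"
SCHEMA_VERSION = "3.6.4"  # 'version' attribute of the root 'schema' element in pdp.xsd
# ${VAR} or ${VAR:default}, as documented for PARENT_DIR in the schema annotation
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# Constructed sample instance of pdp.xsd (not taken from the project). The 'id'
# attributes are assumed to come from authz-ext:AbstractPolicyProvider, since the
# schema's <key> constraints select '@id' on the provider elements.
SAMPLE_CONFIG = """<pdp xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     version="3.6.4" strictAttributeIssuerMatch="true" maxPolicyRefDepth="10">
  <refPolicyProvider id="refPolicyProvider" xsi:type="StaticRefPolicyProvider">
    <policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
  </refPolicyProvider>
  <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider"
     policyLocation="${PARENT_DIR:/etc/authzforce/conf}/root.xml"/>
</pdp>"""


def resolve_placeholders(text, variables):
    """Expand ${VAR}; fall back to the ':default' part when VAR is undefined."""
    def expand(match):
        name, default = match.group(1), match.group(2)
        if name in variables:
            return variables[name]
        if default is not None:
            return default
        raise ValueError(f"'{name}' is undefined and no default was given")
    return PLACEHOLDER.sub(expand, text)


def load_pdp_config(xml_text, parent_dir=None):
    """Parse a pdp.xsd instance; parent_dir=None models a config not loaded from a file."""
    variables = {} if parent_dir is None else {"PARENT_DIR": parent_dir}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{PDP_NS}}}pdp":
        raise ValueError("root element must be 'pdp' in the 3.6 namespace")
    # The schema requires the instance 'version' to match the schema's own version
    if root.get("version") != SCHEMA_VERSION:
        raise ValueError(f"version {root.get('version')!r} != schema {SCHEMA_VERSION!r}")
    ref_locations = []
    ref = root.find(f"{{{PDP_NS}}}refPolicyProvider")
    if ref is not None:  # StaticRefPolicyProvider: one or more policyLocation elements
        for loc in ref.findall(f"{{{PDP_NS}}}policyLocation"):
            ref_locations.append(resolve_placeholders(loc.text.strip(), variables))
    top = root.find(f"{{{PDP_NS}}}rootPolicyProvider")
    if top is None:  # rootPolicyProvider has no minOccurs="0", so it is mandatory
        raise ValueError("rootPolicyProvider is required")
    # StaticRootPolicyProvider: policyLocation is an attribute, not a child element
    root_location = resolve_placeholders(top.get("policyLocation", ""), variables)
    return {"version": root.get("version"),
            "ref_policy_locations": ref_locations,
            "root_policy_location": root_location}


if __name__ == "__main__":
    print(load_pdp_config(SAMPLE_CONFIG, parent_dir="/opt/pdp"))
```

Note that the refPolicyProvider location has no default, so loading the same instance with PARENT_DIR undefined fails, while the rootPolicyProvider location falls back to its ':' default exactly as the annotation describes.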