Commit 6f777cb1 authored by cdanger's avatar cdanger

Added tests comparing Authzforce Core to other XACML PDP engines: WSO2

Balana and AT&T XACML.
parent 48022fd1
......@@ -83,6 +83,52 @@
<version>1.7.0</version>
<scope>test</scope>
</dependency>
<!-- Other XACML engines -->
<dependency>
<groupId>com.att.research.xacml</groupId>
<artifactId>xacml-pdp</artifactId>
<version>2.0.1</version>
<exclusions>
<exclusion>
<!-- Replaced with jcl-over-slf4j depended on by AuthzForce -->
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.wso2.balana</groupId>
<artifactId>org.wso2.balana</artifactId>
<version>1.2.3</version>
<exclusions>
<exclusion>
<!-- Replaced with jcl-over-slf4j depended on by AuthzForce -->
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<!-- already in org.wso2.balana bundle -->
<groupId>org.wso2.balana</groupId>
<artifactId>org.wso2.balana.utils</artifactId>
</exclusion>
<exclusion>
<!-- Overlaps slf4j, logback -->
<groupId>org.ops4j.pax.logging</groupId>
<artifactId>pax-logging-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- <dependency> -->
<!-- Do not use WSO2 version of xercesImpl. See https://github.com/wso2/balana/issues/82 . This org.wso2.balana.utils runtime dependency overlaps with att xacml-pdp's dependency xml-apis -->
<!-- <groupId>xerces.wso2</groupId> -->
<!-- <artifactId>xercesImpl</artifactId> -->
<!-- <version>2.8.1.wso2v2</version> -->
<!-- </dependency> -->
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.0</version>
</dependency>
<!-- /Test dependencies -->
</dependencies>
<build>
......
# Standard API Factories
#
xacml.dataTypeFactory=com.att.research.xacml.std.StdDataTypeFactory
xacml.pdpEngineFactory=com.att.research.xacmlatt.pdp.ATTPDPEngineFactory
xacml.pepEngineFactory=com.att.research.xacml.std.pep.StdEngineFactory
xacml.pipFinderFactory=com.att.research.xacml.std.pip.StdPIPFinderFactory
xacml.traceEngineFactory=com.att.research.xacml.std.trace.LoggingTraceEngineFactory
# AT&T PDP Implementation Factories
#
xacml.att.evaluationContextFactory=com.att.research.xacmlatt.pdp.std.StdEvaluationContextFactory
xacml.att.combiningAlgorithmFactory=com.att.research.xacmlatt.pdp.std.StdCombiningAlgorithmFactory
xacml.att.functionDefinitionFactory=com.att.research.xacmlatt.pdp.std.StdFunctionDefinitionFactory
xacml.att.policyFinderFactory=com.att.research.xacmlatt.pdp.std.StdPolicyFinderFactory
xacml.rootPolicies=root
# root.file is set at runtime for each test case
# File path is relative to current working directory, so make sure the app JAR is executed from the same folder
# Example:
# root.file=target/test-classes/ComparativePdpTest/configs/policy.xml
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<!-- For AuthzForce SchemaHandler -->
<system systemId="http://www.w3.org/2001/xml.xsd" uri="classpath:xml.xsd" />
<uri name="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" uri="classpath:xacml-core-v3-schema-wd-17.xsd" />
<uri name="http://authzforce.github.io/xmlns/pdp/ext/3" uri="classpath:pdp-ext-base.xsd" />
<!-- PDP Extensions (<uri>'s 'name' attribute value must match the namespace indicated for the schema import
in the PDP extensions schema (pdp-ext.xsd), do not specify any schemaLocation in this schema, only the namespace.
-->
</catalog>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:annotation>
<xs:documentation xml:lang="en">
Import here the schema(s) of any XSD-defined PDP extension that you want to use in a PDP configuration: attribute finders, policy finders, etc.
Indicate only the namespace here and use the XML catalog to resolve the schema location.
</xs:documentation>
</xs:annotation>
<!-- Do not specify schema locations here. Define the schema locations in the XML catalog instead (see file 'catalog.xml'). -->
</xs:schema>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${org.ow2.authzforce.test.case.dir}/policy.xml</policyLocation>
</policyProvider>
<ioProcChain>
<!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax"
for Multiple Decision Profile support. -->
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
</ioProcChain>
</pdp>
<config
defaultPDP="pdp"
defaultAttributeFactory="attr"
defaultCombiningAlgFactory="comb"
defaultFunctionFactory="func">
<pdp name="pdp">
<attributeFinderModule class="org.wso2.balana.finder.impl.CurrentEnvModule" />
<attributeFinderModule class="org.wso2.balana.finder.impl.SelectorModule" />
<policyFinderModule class="org.wso2.balana.finder.impl.FileBasedPolicyFinderModule">
<!-- Policy directory will be set via FileBasedPolicyFinderModule.POLICY_DIR_PROPERTY system property -->
</policyFinderModule>
</pdp>
<attributeFactory
name="attr"
useStandardDatatypes="true" />
<functionFactory
name="func"
useStandardFunctions="true" />
<combiningAlgFactory
name="comb"
useStandardAlgorithms="true" />
</config>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="root"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit" Version="1.0">
<Target />
<Policy PolicyId="1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<Rule RuleId="1.1" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">john</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
</Status>
</Result>
</Response>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="root"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit" Version="1.0">
<Target />
<Policy PolicyId="1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<Rule RuleId="1.1" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" />
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jane</AttributeValue>
</Attribute>
</Attributes>
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
</Status>
</Result>
</Response>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="root"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit" Version="1.0">
<Target />
<Policy PolicyId="1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<Rule RuleId="1.1" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">john</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
<?xml version="1.0" encoding="UTF-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jane</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">john</AttributeValue>
</Attribute>
</Attributes>
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
</Status>
</Result>
</Response>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="root"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit" Version="1.0">
<Target />
</PolicySet>
<?xml version="1.0" encoding="UTF-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">jane</AttributeValue>
</Attribute>
</Attributes>
</Request>
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
</Status>
</Result>
</Response>
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment