Generate the XACML Request from a template
Created by: cdanger
The idea is to use a XACML request template to generate the actual XACML request sent to the PDP at runtime. For each access request, the variables used in the template (e.g. user ID, user roles, action ID, resource ID) are resolved at runtime in the context of the request. For this, you can use one of the many Python template engines, listed here for instance: https://wiki.python.org/moin/Templating
For example, if you want the SDK to send XACML/JSON requests using the Jinja template engine, the app developer/admin would provide a XACML request template file looking like this:
{
  "Request":
  {
    "Category":
    [
      {
        "CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "Attribute":
        [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
            "Value": "{{ user_id }}"
          }
          {% if user_roles %}
          ,
          {
            "AttributeId": "urn:oasis:names:tc:xacml:2.0:subject:role",
            "Value":
            [
              {% for role in user_roles %}
              "{{ role }}"
              {% if not loop.last %}
              ,
              {% endif %}
              {% endfor %}
            ]
          }
          {% endif %}
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
        "Attribute":
        [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "{{ method_name }}"
          }
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
        "Attribute":
        [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
            "Value": "{{ url }}"
          }
        ]
      }
    ]
  }
}
When using the SDK API, the developer just needs to call a method template.render( [variables] ), with the variables passed in a dict (user_id = "trucmuche", method_name = "prout", ...).
More examples: http://sasheldon.com/blog/2013/12/14/simplifying-json-response-mocks-with-jinja/
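Added example, not part of the original page or of the SDK: a shortened version of the template above rendered with Jinja2, where each variable goes through the built-in tojson filter so the value reaching the PDP is exactly the one supplied, and the rendered text is parsed before use. The names build_request and quoted_style_roundtrips and the sample values are assumptions made for this illustration.

```python
import json
from jinja2 import Environment, StrictUndefined

# Shortened version of the page's template (subject and action categories only).
# Each variable is emitted with the built-in tojson filter, not placed inside "...".
TEMPLATE = """
{"Request": {"Category": [
  {"CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
   "Attribute": [
     {"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
      "Value": {{ user_id | tojson }} }
     {% if user_roles %},
     {"AttributeId": "urn:oasis:names:tc:xacml:2.0:subject:role",
      "Value": {{ user_roles | tojson }} }
     {% endif %}
   ]},
  {"CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
   "Attribute": [
     {"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
      "Value": {{ method_name | tojson }} }
   ]}
]}}
"""
# The quoting style used in the page's template, reduced to one attribute value.
QUOTED = '{"Value": "{{ user_id }}"}'

# StrictUndefined: a variable missing from the dict raises instead of rendering "".
_env = Environment(undefined=StrictUndefined)

def build_request(user_id, method_name, user_roles=()):
    """Render the template, then parse it so invalid JSON is caught before the PDP call."""
    text = _env.from_string(TEMPLATE).render(
        user_id=user_id, method_name=method_name, user_roles=list(user_roles))
    return json.loads(text)

def quoted_style_roundtrips(user_id):
    """True only if the "{{ user_id }}" style delivers exactly the value it was given."""
    try:
        parsed = json.loads(_env.from_string(QUOTED).render(user_id=user_id))
    except json.JSONDecodeError:
        return False
    return parsed == {"Value": user_id}

if __name__ == "__main__":
    # Constructed sample values: a Windows-style account name and two roles.
    print(json.dumps(build_request("corp\\bob", "GET", ["admin", "auditor"]), indent=1))
    for uid in ("alice", "corp\\bob", 'O"Brien'):
        print(repr(uid), "survives quoted style:", quoted_style_roundtrips(uid))
```

With the quoted style, the constructed account name corp\bob still parses as JSON but arrives as a different subject-id (the \b becomes a backspace), which is the kind of silent mismatch a policy decision should never be based on.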