http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/AzInvoker.class
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/AzInvoker.class b/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/AzInvoker.class
new file mode 100644
index 0000000..4fb49b6
Binary files /dev/null and b/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/AzInvoker.class differ
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/HasResult.class
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/HasResult.class b/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/HasResult.class
new file mode 100644
index 0000000..a82a6fd
Binary files /dev/null and b/openaz-pep/target/test-classes/org/openliberty/openaz/pepapi/std/test/util/HasResult.class differ
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy001.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy001.xml b/openaz-pep/target/test-classes/policies/TestPolicy001.xml
new file mode 100644
index 0000000..4f2a711
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy001.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:test001:policy"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
+ <Description></Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:1.0:test001:rule-1" Effect="Permit">
+ <Description>
+ Julius Hibbert can read or write Bart Simpson's medical record.
+ </Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">http://medico.com/record/patient/BartSimpson</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ </Rule>
+</Policy>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy002.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy002.xml b/openaz-pep/target/test-classes/policies/TestPolicy002.xml
new file mode 100644
index 0000000..d0308c9
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy002.xml
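Review bot: In TestPolicy001.xml the `xsi:schemaLocation` on the `Policy` root pairs the namespace `urn:oasis:names:tc:xacml:3.0:policy:schema:os` with the 2.0 file `access_control-xacml-2.0-policy-schema-os.xsd`, while the document itself is in `urn:oasis:names:tc:xacml:3.0:core:schema:wd-17`, so the hint covers neither the document's namespace nor a 3.0 schema. If the policy loader validates at all, these elements are not checked against anything, and a misspelt `Effect` or `MatchId` in an access-control policy would load without complaint. Either drop the attribute or make it match the document, e.g. `xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 xacml-core-v3-schema-wd-17.xsd"` (the OASIS file name; adjust to wherever the project keeps the schema). The same attribute value appears on the root of TestPolicy003.xml and TestPolicy004.xml.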
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA2:policy"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Policy for Conformance Test IIA001.
+ </Description>
+ <Target/>
+ <Rule
+ RuleId="urn:oasis:names:tc:xacml:1.0:test-2:rule-1"
+ Effect="Permit">
+ <Description>
+ Physicians can read or write Bart Simpson's medical record.
+ </Description>
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Physician</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">http://medico.com/record/patient/BartSimpson</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ <Rule
+ RuleId="urn:oasis:names:tc:xacml:1.0:test-2:rule-2"
+ Effect="Permit">
+ <Description>
+ Patient is allowed to read his/her medical record.
+ </Description>
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Patient</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">http://medico.com/record/patient/BartSimpson</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-owner"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"
+ SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+</Policy>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy003.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy003.xml b/openaz-pep/target/test-classes/policies/TestPolicy003.xml
new file mode 100644
index 0000000..f730e34
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy003.xml
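Review bot: In TestPolicy002.xml, rule-2's `Condition` wraps both designators in `string-one-and-only` while declaring them `MustBePresent="false"`, so a request that omits `resource-owner` or `subject-id` yields an empty bag and the function evaluates to Indeterminate rather than to a plain non-match. That is the safe direction only if the PEP under test refuses access on Indeterminate, which is not visible in this file. I would record the intent above the `Condition` with `<!-- owner check: each attribute must carry exactly one value; a missing or multi-valued attribute makes this rule Indeterminate, and the PEP is expected not to grant access on it -->` and cover it with a test request that has no `resource-owner`. The same shape is used in both `Condition` blocks of TestPolicy004.xml.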
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:test003:policy"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
+ <Description></Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test003:rule1" Effect="Permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">John Smith</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">file://repository/classified/abc</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ </Rule>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test003:rule2" Effect="Permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">John Smith</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI">file://repository/classified/xyz</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ </Rule>
+ <Rule RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA3:rule3" Effect="Permit">
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">John Smith</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#integer">101</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ </Rule>
+</Policy>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy004.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy004.xml b/openaz-pep/target/test-classes/policies/TestPolicy004.xml
new file mode 100644
index 0000000..83ec917
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy004.xml
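Review bot: In TestPolicy003.xml, rule3 looks up `urn:oasis:names:tc:xacml:1.0:resource:resource-id` as `XMLSchema#integer` while rule1 and rule2 look up the same attribute as `XMLSchema#anyURI`, and none of the three rules has a `Description` saying this is deliberate. A designator selects only values of its declared DataType, so a request that sends the resource id under a different type than the rule expects falls through to NotApplicable; for a data-type mapping test that is presumably the point, but it should be written down. I would give each rule a line such as `<Description>Permit view when resource-id arrives as xs:integer 101</Description>`. rule3's RuleId also carries the `conformance-test:IIA3` prefix where the other two use `test003`, which looks like a copy-paste leftover.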
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:test004:policy"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
+ <Description></Description>
+ <Target/>
+ <Rule
+ RuleId="urn:oasis:names:tc:xacml:1.0:mapper-test:rule1"
+ Effect="Permit">
+ <Description></Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_DOCUMENT_WRITER</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Document</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="jpmc:document:document-owner"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:oasis:names:tc:xacml:1.0:mapper-test:rule2"
+ Effect="Permit">
+ <Description></Description>
+ <Target>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_DOCUMENT_READER</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Document</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ <AnyOf>
+ <AllOf>
+ <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+ </Match>
+ </AllOf>
+ </AnyOf>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator AttributeId="jpmc:client:country-of-domicile"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <AttributeDesignator AttributeId="jpmc:request-context:country"
+ Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
+ DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+</Policy>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy005.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy005.xml b/openaz-pep/target/test-classes/policies/TestPolicy005.xml
new file mode 100644
index 0000000..e8d43b5
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy005.xml
@@ -0,0 +1,190 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+ access_control-xacml-2.0-policy-schema-os.xsd"
+ PolicySetId="urn:oasis:names:tc:xacml:2.0:test005:policyset"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
+ <Description>
+ PolicySet for Test 005.
+ </Description>
+ <Target/>
+ <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:test005:policy1"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>
+ Policy for Test 005.
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test005:rule1"
+ Effect="Permit">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Physician</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">PatientMedicalRecord</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ <Obligations>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:simpletest"
+ FulfillOn="Permit">
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_SUBJECT_ATTRIBUTE</AttributeAssignment>
+ </Obligation>
+ </Obligations>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:test005:policy2"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>
+ Policy for Test 005.
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test005:rule2"
+ Effect="Permit">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">Patient</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">PatientMedicalRecord</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ <Obligations>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:age-restriction"
+ FulfillOn="Permit">
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:age"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_SUBJECT_ATTRIBUTE</AttributeAssignment>
+ </Obligation>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:audit"
+ FulfillOn="Permit"/>
+ </Obligations>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:test005:policy3"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>
+ Policy for Test 005.
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test005:rule3"
+ Effect="Permit">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">InsuranceAgent</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">PatientMedicalRecord</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ <Obligations>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:access-restriction"
+ FulfillOn="Permit">
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-access-group"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_RESOURCE_ATTRIBUTE</AttributeAssignment>
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_SUBJECT_ATTRIBUTE</AttributeAssignment>
+ </Obligation>
+ </Obligations>
+ </Policy>
+</PolicySet>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/policies/TestPolicy006.xml
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/policies/TestPolicy006.xml b/openaz-pep/target/test-classes/policies/TestPolicy006.xml
new file mode 100644
index 0000000..d609e58
--- /dev/null
+++ b/openaz-pep/target/test-classes/policies/TestPolicy006.xml
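Review bot: In TestPolicy005.xml the `AttributeAssignment` bodies `EVAL_SUBJECT_ATTRIBUTE` and `EVAL_RESOURCE_ATTRIBUTE` are in-band placeholders, and nothing in the file says who replaces them; presumably an obligation handler substitutes the request's attribute value, but that is not visible here. If nothing substitutes them, the PEP receives the literal string as the subject id, age or access group attached to a Permit, so the contract is worth stating next to the data. I would add above the first `Obligations` element `<!-- EVAL_SUBJECT_ATTRIBUTE / EVAL_RESOURCE_ATTRIBUTE are placeholders resolved from the request before the obligation reaches the PEP -->`, worded to match what the handler actually does.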
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+ access_control-xacml-2.0-policy-schema-os.xsd"
+ PolicySetId="urn:oasis:names:tc:xacml:2.0:test005:policyset"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
+ <Description>
+ PolicySet for Test 005.
+ </Description>
+ <Target/>
+ <Policy PolicyId="urn:oasis:names:tc:xacml:2.0:test005:policy1"
+ RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+ <Description>
+ Policy for Test 005.
+ </Description>
+ <Target/>
+ <Rule RuleId="urn:oasis:names:tc:xacml:2.0:test005:rule1"
+ Effect="Permit">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">John Smith</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">resource1</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ </Rule>
+ <Obligations>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:obligation-1"
+ FulfillOn="Permit">
+ <AttributeAssignment
+ AttributeId="jpmc:obligation:obligation-type"
+ DataType="http://www.w3.org/2001/XMLSchema#string">Filtering</AttributeAssignment>
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_SUBJECT_ATTRIBUTE</AttributeAssignment>
+ </Obligation>
+ <Obligation
+ ObligationId="urn:oasis:names:tc:xacml:2.0:obligation:obligation-2"
+ FulfillOn="Permit">
+ <AttributeAssignment
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:age"
+ DataType="http://www.w3.org/2001/XMLSchema#string">EVAL_SUBJECT_ATTRIBUTE</AttributeAssignment>
+ </Obligation>
+ </Obligations>
+ </Policy>
+</PolicySet>
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/properties/testapi.xacml.properties
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/properties/testapi.xacml.properties b/openaz-pep/target/test-classes/properties/testapi.xacml.properties
new file mode 100644
index 0000000..b45d2c1
--- /dev/null
+++ b/openaz-pep/target/test-classes/properties/testapi.xacml.properties
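Review bot: TestPolicy006.xml reuses TestPolicy005.xml's identifiers: `PolicySetId="urn:oasis:names:tc:xacml:2.0:test005:policyset"`, `PolicyId="urn:oasis:names:tc:xacml:2.0:test005:policy1"` and `RuleId="urn:oasis:names:tc:xacml:2.0:test005:rule1"`, with both descriptions still reading "Test 005". Two different policy sets under one id make decisions, obligations and audit entries impossible to attribute if both files are ever loaded by the same policy finder, and which of the two is used would then depend on the engine. Rename them, e.g. `PolicySetId="urn:oasis:names:tc:xacml:2.0:test006:policyset"` with matching `test006:policy1` and `test006:rule1`, and update the two `Description` texts.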
@@ -0,0 +1,20 @@
+# Default XACML Properties File
+# Standard API Factories
+#
+xacml.dataTypeFactory=com.att.research.xacml.std.StdDataTypeFactory
+xacml.pdpEngineFactory=com.att.research.xacmlatt.pdp.ATTPDPEngineFactory
+xacml.pepEngineFactory=com.att.research.xacml.std.pep.StdEngineFactory
+xacml.pipFinderFactory=com.att.research.xacml.std.pip.StdPIPFinderFactory
+
+# AT&T PDP Implementation Factories
+#
+xacml.att.evaluationContextFactory=com.att.research.xacmlatt.pdp.std.StdEvaluationContextFactory
+xacml.att.combiningAlgorithmFactory=com.att.research.xacmlatt.pdp.std.StdCombiningAlgorithmFactory
+xacml.att.functionDefinitionFactory=com.att.research.xacmlatt.pdp.std.StdFunctionDefinitionFactory
+xacml.att.policyFinderFactory=com.att.research.xacmlatt.pdp.std.StdPolicyFinderFactory
+
+xacml.rootPolicies=testPolicy
+testPolicy.file=src/test/resources/policies/TestPolicy001.xml
+
+# If there is a standard policy for the engine:
+# xacml.att.stdPolicyFinderFactory.rootPolicyFile=/etc/stdpolicyset.xml
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/properties/testdatatypes.xacml.properties
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/properties/testdatatypes.xacml.properties b/openaz-pep/target/test-classes/properties/testdatatypes.xacml.properties
new file mode 100644
index 0000000..cb6d77b
--- /dev/null
+++ b/openaz-pep/target/test-classes/properties/testdatatypes.xacml.properties
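Review bot: In testapi.xacml.properties, `testPolicy.file=src/test/resources/policies/TestPolicy001.xml` is a relative path, so which policy the PDP loads depends on the directory the tests are started from, and it points into the source tree rather than at the copy this commit adds beside it under `target/test-classes/policies/`. That suggests everything under `openaz-pep/target/` here, including the `AzInvoker.class` and `HasResult.class` binaries, is build output; compiled classes cannot be reviewed in a diff and are normally kept out of version control with an ignore rule for `target/`. The same path pattern is in testdatatypes.xacml.properties and testmapper.xacml.properties. If the relative path is intentional, a line such as `# resolved against the working directory; tests are expected to run from the openaz-pep module root` above the property would record the assumption (confirm the directory first).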
@@ -0,0 +1,20 @@
+# Default XACML Properties File
+# Standard API Factories
+#
+xacml.dataTypeFactory=com.att.research.xacml.std.StdDataTypeFactory
+xacml.pdpEngineFactory=com.att.research.xacmlatt.pdp.ATTPDPEngineFactory
+xacml.pepEngineFactory=com.att.research.xacml.std.pep.StdEngineFactory
+xacml.pipFinderFactory=com.att.research.xacml.std.pip.StdPIPFinderFactory
+
+# AT&T PDP Implementation Factories
+#
+xacml.att.evaluationContextFactory=com.att.research.xacmlatt.pdp.std.StdEvaluationContextFactory
+xacml.att.combiningAlgorithmFactory=com.att.research.xacmlatt.pdp.std.StdCombiningAlgorithmFactory
+xacml.att.functionDefinitionFactory=com.att.research.xacmlatt.pdp.std.StdFunctionDefinitionFactory
+xacml.att.policyFinderFactory=com.att.research.xacmlatt.pdp.std.StdPolicyFinderFactory
+
+xacml.rootPolicies=testPolicy
+testPolicy.file=src/test/resources/policies/TestPolicy003.xml
+
+# If there is a standard policy for the engine:
+# xacml.att.stdPolicyFinderFactory.rootPolicyFile=/etc/stdpolicyset.xml
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/target/test-classes/properties/testmapper.xacml.properties
----------------------------------------------------------------------
diff --git a/openaz-pep/target/test-classes/properties/testmapper.xacml.properties b/openaz-pep/target/test-classes/properties/testmapper.xacml.properties
new file mode 100644
index 0000000..12e1754
--- /dev/null
+++ b/openaz-pep/target/test-classes/properties/testmapper.xacml.properties
@@ -0,0 +1,24 @@
+# Default XACML Properties File
+# Standard API Factories
+#
+xacml.dataTypeFactory=com.att.research.xacml.std.StdDataTypeFactory
+xacml.pdpEngineFactory=com.att.research.xacmlatt.pdp.ATTPDPEngineFactory
+xacml.pepEngineFactory=com.att.research.xacml.std.pep.StdEngineFactory
+xacml.pipFinderFactory=com.att.research.xacml.std.pip.StdPIPFinderFactory
+
+# AT&T PDP Implementation Factories
+#
+xacml.att.evaluationContextFactory=com.att.research.xacmlatt.pdp.std.StdEvaluationContextFactory
+xacml.att.combiningAlgorithmFactory=com.att.research.xacmlatt.pdp.std.StdCombiningAlgorithmFactory
+xacml.att.functionDefinitionFactory=com.att.research.xacmlatt.pdp.std.StdFunctionDefinitionFactory
+xacml.att.policyFinderFactory=com.att.research.xacmlatt.pdp.std.StdPolicyFinderFactory
+
+xacml.rootPolicies=testPolicy
+testPolicy.file=src/test/resources/policies/TestPolicy004.xml
+
+#pep properties
+pep.issuer=test
+pep.mapper.classes=org.openliberty.openaz.pepapi.std.test.mapper.BusinessRequestContextMapper,\
+ org.openliberty.openaz.pepapi.std.test.mapper.DocumentMapper, \
+ org.openliberty.openaz.pepapi.std.test.mapper.ClientMapper, \
+ org.openliberty.openaz.pepapi.std.test.mapper.MedicalRecordMapper
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-admin/pom.xml
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-admin/pom.xml b/openaz-xacml-pap-admin/pom.xml
new file mode 100755
index 0000000..78f7817
--- /dev/null
+++ b/openaz-xacml-pap-admin/pom.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <artifactId>openaz</artifactId>
+ <groupId>org.openliberty.openaz</groupId>
+ <version>0.0.1-SNAPSHOT</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>openaz-xacml-pap-admin</artifactId>
+
+
+</project>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-admin/target/maven-archiver/pom.properties
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-admin/target/maven-archiver/pom.properties b/openaz-xacml-pap-admin/target/maven-archiver/pom.properties
new file mode 100644
index 0000000..d531585
--- /dev/null
+++ b/openaz-xacml-pap-admin/target/maven-archiver/pom.properties
@@ -0,0 +1,5 @@
+#Generated by Maven
+#Tue Apr 07 07:42:37 EDT 2015
+version=0.0.1-SNAPSHOT
+groupId=org.openliberty.openaz
+artifactId=openaz-xacml-pap-admin
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst b/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
new file mode 100644
index 0000000..e69de29
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst b/openaz-xacml-pap-admin/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst
new file mode 100644
index 0000000..e69de29
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-admin/target/openaz-xacml-pap-admin-0.0.1-SNAPSHOT.jar
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-admin/target/openaz-xacml-pap-admin-0.0.1-SNAPSHOT.jar b/openaz-xacml-pap-admin/target/openaz-xacml-pap-admin-0.0.1-SNAPSHOT.jar
new file mode 100644
index 0000000..00bbf9f
Binary files /dev/null and b/openaz-xacml-pap-admin/target/openaz-xacml-pap-admin-0.0.1-SNAPSHOT.jar differ
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/WebContent/META-INF/MANIFEST.MF
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/WebContent/META-INF/MANIFEST.MF b/openaz-xacml-pap-rest/WebContent/META-INF/MANIFEST.MF
new file mode 100755
index 0000000..58630c0
--- /dev/null
+++ b/openaz-xacml-pap-rest/WebContent/META-INF/MANIFEST.MF
@@ -0,0 +1,2 @@
+Manifest-Version: 1.0
+
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/WebContent/README.txt
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/WebContent/README.txt b/openaz-xacml-pap-rest/WebContent/README.txt
new file mode 100755
index 0000000..e69de29
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/annotation/AnnotationPolicy.v1.xml
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/annotation/AnnotationPolicy.v1.xml b/openaz-xacml-pap-rest/pdps/annotation/AnnotationPolicy.v1.xml
new file mode 100755
index 0000000..ae838f4
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/annotation/AnnotationPolicy.v1.xml
@@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:5b82db34-1613-4108-8973-93074182dd94" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> + <Description>A sample policy to demonstrate use of annotations in a Java class.</Description> + <Target> + <AnyOf> + <AllOf> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">www.mywebsite.com</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> + </Match> + </AllOf> + </AnyOf> + </Target> + <Rule RuleId="urn:com:att:xacml:rule:id:8b257f30-4e06-4c8e-8fb7-691b9534d55c" Effect="Permit"> + <Description>PERMIT - John can access it</Description> + <Target> + <AnyOf> + <AllOf> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> + </Match> + <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ACCESS</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> + </Match> + </AllOf> + </AnyOf> + </Target> + </Rule> + <Rule 
RuleId="urn:com:att:xacml:rule:id:4fe7c147-7811-4e30-a463-9135afb1cfc2" Effect="Deny"> + <Description>DENY - Ringo cannot</Description> + <Target> + <AnyOf> + <AllOf> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Ringo</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> + </Match> + </AllOf> + </AnyOf> + </Target> + </Rule> +</Policy> http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/annotation/xacml.pip.properties ---------------------------------------------------------------------- diff --git a/openaz-xacml-pap-rest/pdps/annotation/xacml.pip.properties b/openaz-xacml-pap-rest/pdps/annotation/xacml.pip.properties new file mode 100755 index 0000000..999c160 --- /dev/null +++ b/openaz-xacml-pap-rest/pdps/annotation/xacml.pip.properties @@ -0,0 +1,3 @@ +# PIP Engine Definition +# +xacml.pip.engines= http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/annotation/xacml.policy.properties ---------------------------------------------------------------------- diff --git a/openaz-xacml-pap-rest/pdps/annotation/xacml.policy.properties b/openaz-xacml-pap-rest/pdps/annotation/xacml.policy.properties new file mode 100755 index 0000000..1e6bf8a --- /dev/null +++ b/openaz-xacml-pap-rest/pdps/annotation/xacml.policy.properties 
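Review bot: The policy has no catch-all rule, so under `first-applicable` any subject other than John or Ringo (and John with an action other than ACCESS) falls through both rules and the policy returns NotApplicable rather than Deny. Whether such a request is refused then depends on how the enforcement point treats NotApplicable, which this file cannot show. I would close the policy with an explicit default rule after the Ringo rule, as the Hall-of-Fame sample in this commit does: `<Rule RuleId="RULE_ID_PLACEHOLDER" Effect="Deny"><Description>DENY - Default</Description><Target/></Rule>`. All three subject and action designators also use `MustBePresent="false"`, so a request that omits them simply does not match instead of raising Indeterminate, which makes the default rule the only thing that decides those requests.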
@@ -0,0 +1,5 @@
+xacml.rootPolicies=AnnotationPolicy.v1.xml
+xacml.referencedPolicies=
+
+
+AnnotationPolicy.v1.xml.url=http://localhost:9090/pap/?id=AnnotationPolicy.v1.xml
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Baseball-Hall-Of-Fame-v1.xml
----------------------------------------------------------------------
diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Baseball-Hall-Of-Fame-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Baseball-Hall-Of-Fame-v1.xml
new file mode 100755
index 0000000..68c7783
--- /dev/null
+++ b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Baseball-Hall-Of-Fame-v1.xml
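Review bot: `AnnotationPolicy.v1.xml.url` makes the PDP load its root policy over plain `http://`, so whatever answers on that port determines what the PDP enforces, with no transport integrity or server authentication visible in this file. On `localhost` that is reasonable for a sample, but nothing in the file marks it as sample-only. I would add a comment above the property, `# Sample only: outside localhost, fetch policies over https from an authenticated PAP`.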
@@ -0,0 +1,92 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="urn:com:att:xacml:policy:id:f3047eab-6f97-49b4-8127-a2737a184b35" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"> + <Description>This policy enforces the BBWAA rules for baseball Hall of Fame induction. + +http://baseballhall.org/hall-famers/rules-election/bbwaa +</Description> + <Target> + <AnyOf> + <AllOf> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">eligible</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Match> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">HOF</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Match> + </AllOf> + </AnyOf> + </Target> + <Policy PolicyId="urn:com:att:xacml:policy:id:8f295c67-7b6e-4db6-b558-005b36abd970" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> + <Description>Active Timeframe: + +A. 
A baseball player must have been active as a player in the Major Leagues at some time during a period beginning twenty (20) years before and ending five (5) years prior to election.</Description> + <Target/> + <Rule RuleId="urn:com:att:xacml:rule:id:f04b2700-1236-4066-81e4-e341b5b2f3b5" Effect="Permit"> + <Description>Player's debut date >= (today's date - 20 years) AND final date <= (today's date - 5 years).</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Description>debut within 20 years AND final game more than 5 years ago.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal"> + <Description>Debut date <= (today's date - 20 years)</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> + <Description>UN-bag player's debut date.</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:debut" DataType="http://www.w3.org/2001/XMLSchema#date" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration"> + <Description>Subtract 20 years from today's date.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> +<Description>UN-bag today's date.</Description> +<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#yearMonthDuration">P20Y</AttributeValue> + </Apply> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal"> + <Description>Final Game <= (today's date - 5 years)</Description> + <Apply 
FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> + <Description>UN-bag final game date</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:finalgame" DataType="http://www.w3.org/2001/XMLSchema#date" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration"> + <Description>Subtract 5 years from today's date.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> +<Description>UN-bag today's date.</Description> +<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="false"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#yearMonthDuration">P5Y</AttributeValue> + </Apply> + </Apply> + </Apply> + </Condition> + </Rule> + <Rule RuleId="urn:com:att:xacml:rule:id:33a42a79-9d82-4aa1-99d3-9fd168363695" Effect="Deny"> + <Description>DENY - Default</Description> + <Target/> + </Rule> + </Policy> + <Policy PolicyId="urn:com:att:xacml:policy:id:1bf74cc4-658f-4e87-be22-5d5cb741f1f5" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> + <Description>B. 
Player must have played in each of ten (10) Major League championship seasons, some part of which must have been within the period described in 3 (A).</Description> + <Target/> + <Rule RuleId="urn:com:att:xacml:rule:id:54405c39-a3f6-4a88-89bd-084f68567acd" Effect="Permit"> + <Description>There should be >= 10 years of appearance(s) values.</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> + <Description>The number of years a player appeared.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-bag-size"> + <Description>Count the number.</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:appearance" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue> + </Apply> + </Condition> + </Rule> + <Rule RuleId="urn:com:att:xacml:rule:id:912dd1a2-1527-4b6f-a95b-6a729ff9caab" Effect="Deny"> + <Description>DENY - Default</Description> + <Target/> + </Rule> + </Policy> +</PolicySet> http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Legal-Age-Marriage-v1.xml ---------------------------------------------------------------------- diff --git a/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Legal-Age-Marriage-v1.xml b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Legal-Age-Marriage-v1.xml new file mode 100755 index 0000000..15e25ed --- /dev/null +++ b/openaz-xacml-pap-rest/pdps/configurable-csv-and-hyper/CSV-Legal-Age-Marriage-v1.xml 
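Review bot: In the Permit rule of the first Policy (`urn:com:att:xacml:rule:id:f04b2700-1236-4066-81e4-e341b5b2f3b5`) the documented rule and the evaluated rule disagree: the rule description says the debut date must be `>= (today's date - 20 years)` and the `and` description says "debut within 20 years", but the condition applies `date-less-than-or-equal` to the debut date and today minus `P20Y`, which holds only for debuts at least twenty years ago. The innermost description ("Debut date <= ...") matches the function, so either the two outer descriptions or the comparison is wrong; I can't tell the intent from the hunk. If the outer descriptions are right, the first comparison should use `FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal"`; otherwise correct the descriptions, since this is what a policy author will read when deciding who gets Permit.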
@@ -0,0 +1,200 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="urn:com:att:xacml:policy:id:98779898-b880-44d7-bee5-ce54e42266eb" Version="1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"> + <Description>Sample policy for the XACML-TEST project that tests the configurable CSV PIP.</Description> + <Target> + <AnyOf> + <AllOf> + <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Marry</AttributeValue> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> + </Match> + </AllOf> + </AnyOf> + </Target> + <Policy PolicyId="urn:com:att:xacml:policy:id:c6791398-7e1f-4564-8f5c-19f406ea9950" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"> + <Description>Checks the subject. 
</Description> + <Target/> + <VariableDefinition VariableId="isSubjectFemale"> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"> + <Description>sex=Female</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> + <Description>un-bag</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Female</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="isSubjectMale"> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"> + <Description>subject sex=Male</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> + <Description>Un-bag</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Male</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="doesSubjectNeedParentalConsent"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> + <Description>Is the subject a female OR male?</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Description>Is female AND does not need parental consent.</Description> + <VariableReference VariableId="isSubjectFemale"/> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"> + <Description>age >= consent age</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag attribute.</Description> + 
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag attribute.</Description> + <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:female" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + </Apply> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Description>Is subject male AND age >= male consent age.</Description> + <VariableReference VariableId="isSubjectMale"/> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"> + <Description>age >= legal age of consent for male.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag attribute.</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag attribute.</Description> + <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:male" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + </Apply> + </Apply> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="doesSubjectHaveParentalConsent"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <Apply 
FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only"> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="com:att:research:xacml:test:csv:subject:parental-consent" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + </VariableDefinition> + <Rule RuleId="urn:com:att:xacml:rule:id:5970b5d2-c0f3-4132-bfa2-268467b21ed7" Effect="Permit"> + <Description>If the subject does NOT need consent, then PERMIT.</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesSubjectNeedParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue> + </Apply> + </Condition> + </Rule> + <Rule RuleId="urn:com:att:xacml:rule:id:04b3e93d-ec4e-4cce-a00e-6a54cf3c4056" Effect="Permit"> + <Description>If the subject needs consent AND has parental consent, then Permit.</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesSubjectNeedParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesSubjectHaveParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + </Apply> + </Condition> + </Rule> + </Policy> + <Policy PolicyId="urn:com:att:xacml:policy:id:32474315-9d06-47a4-bc2d-319e0568742c" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"> + <Description>Check the resource.</Description> + 
<Target/> + <VariableDefinition VariableId="isResourceFemale"> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"> + <Description>sex=Female</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> + <Description>un-bag</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Female</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="isResourceMale"> + <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"> + <Description>subject sex=Male</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> + <Description>Un-bag</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:sex" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Male</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="doesResourceNeedParentalConsent"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> + <Description>Is resource female OR male?</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Description>Is female AND does not need parental consent.</Description> + <VariableReference VariableId="isResourceFemale"/> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"> + <Description>age >= consent age for female.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag attribute</Description> + 
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>un-bag attribute</Description> + <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:female" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:csv" MustBePresent="false"/> + </Apply> + </Apply> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Description>Is male and AND does not need parental consent.</Description> + <VariableReference VariableId="isResourceMale"/> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"> + <Description>age >= consent age for male.</Description> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag</Description> + <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:age" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <Description>Un-bag</Description> + <AttributeDesignator Category="com:att:research:xacml:test:csv:category:country" AttributeId="com:att:research:xacml:test:csv:country:no-consent:male" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/> + </Apply> + </Apply> + </Apply> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="doesResourceHaveParentalConsent"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only"> + 
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:csv:resource:parental-consent" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="true"/> + </Apply> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + </VariableDefinition> + <Rule RuleId="urn:com:att:xacml:rule:id:7d1c6802-97f7-44f6-9819-12edc1801fb7" Effect="Permit"> + <Description>If the resource does NOT need consent, then PERMIT.</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesResourceNeedParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue> + </Apply> + </Condition> + </Rule> + <Rule RuleId="urn:com:att:xacml:rule:id:62e07da4-f0e5-46eb-9894-f5e6d2e5868b" Effect="Permit"> + <Description>The resources needs parental consent and has parental consent then PERMIT.</Description> + <Target/> + <Condition> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesResourceNeedParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"> + <VariableReference VariableId="doesResourceHaveParentalConsent"/> + <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue> + </Apply> + </Apply> + </Condition> + </Rule> + </Policy> +</PolicySet>
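Review bot: The first Permit rule of the subject policy (`urn:com:att:xacml:rule:id:5970b5d2-c0f3-4132-bfa2-268467b21ed7`) fires whenever `doesSubjectNeedParentalConsent` is false, and that variable is false for every subject whose `sex` value is neither `Male` nor `Female`, because both `and` branches then fail before any age comparison. Such a subject is permitted with no age or consent check, and the resource policy's rule `urn:com:att:xacml:rule:id:7d1c6802-97f7-44f6-9819-12edc1801fb7` has the same shape. I would make the no-consent rule also require that one of the two sex variables matched, as in the excerpt below, and do the same with `isResourceFemale`/`isResourceMale`. In the resource policy's male branch the country designator also drops the `Issuer="com:att:research:xacml:test:csv"` that the other three threshold designators carry, so that threshold may be satisfiable by an attribute from any issuer. Separately, the descriptions on the `integer-less-than` applies read "age >= consent age", the opposite of what the function tests.

```xml
<!-- … unchanged: Rule 5970b5d2-…, its Description and empty Target … -->
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <VariableReference VariableId="isSubjectFemale"/>
      <VariableReference VariableId="isSubjectMale"/>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
      <VariableReference VariableId="doesSubjectNeedParentalConsent"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
    </Apply>
  </Apply>
</Condition>
```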
