XACML, short for eXtensible Access Control Markup Language, provides a flexible, fine-grained and scalable way of achieving policy-based access control. The WSO2 Carbon product platform provides a fine-grained access management solution with Policy Based Access Control (PBAC) based on XACML.
Several other mechanisms are in use, but they have drawbacks. Mechanisms such as:
- User-centric permissions
- Role Based Access Control
- Attribute Based Access Control
have the following main drawbacks:
- poor scalability,
- coarse-grained permissions, and authorization logic being coupled with application logic, which prevents flexibility.
Solution:
Policy-Based Access Control (PBAC).
PBAC is emerging as a flexible and scalable solution for access management, and XACML is a powerful way of achieving PBAC in a fine-grained manner.
Steps to set up:
Step 1. Set up the Identity Server. Configure a MySQL database as the WSO2 Identity Server's data store.
Step 2. Create XACML policies and XACML requests using the tool.
Step 3. Upload the XACML policies into the Identity Server.
Step 4. Configure the script in the test environment.
- Send a call to the specific endpoint defined on the IS, using this SOAP envelope as the example:
POST data:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getPolicy>
<!--Optional:-->
<xsd:policyId>Test-Scenario-4</xsd:policyId>
<!--Optional:-->
<xsd:isPDPPolicy>true</xsd:isPDPPolicy>
</xsd:getPolicy>
</soapenv:Body>
</soapenv:Envelope>
*****************
A parameterized policy example:
2. Single permission, multiple groups, single rule
Parameters:
Policy id = $RAHULSPolicyId
Group name 1 = $RAHULSGroup1
Group name 2 = $RAHULSGroup2
Permission = $RAHULSPermission
Rule = $RAHULSRule
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="$RAHULSPolicyId" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
  <!-- Policy target: applies only when the resource-id of the request equals the policy id parameter -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$RAHULSPolicyId</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Single rule: permit the action named by the permission parameter -->
  <Rule Effect="Permit" RuleId="$RAHULSRule">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$RAHULSPermission</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Condition: the subject's role claim must contain at least one of the two group names -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$RAHULSGroup1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$RAHULSGroup2</AttributeValue>
        </Apply>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </Apply>
    </Condition>
  </Rule>
</Policy>
**********************
- In this simple example the policyId is checked, and the response can be asserted on its attribute values.
- When the call is sent to the endpoint, it looks up the policy and replies with a response message containing the policy, whose attributes can then be verified. This scenario can be added to the regression test suite to ensure that all policies are still correct after a patch, update or bug fix of the Identity Server.
- Parse the response for the attribute values and check that the policy is correct.
- Similarly, the SOAP message can be used for the other attributes of XACML requests: Subject, Resource and Action.
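The parse-and-verify step above, as an added example (not code from the original post or from WSO2): it assumes the policy XML has already been extracted from the getPolicy response, reads the parameters back out of a policy of the shape shown above, and reports which expected values do not match. The sample policy is constructed here, with the $RAHULS... parameters filled in with made-up values.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
XS = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def match_value(target, attribute_id):
    """Value that a <Target> compares against attribute_id, or None if there is no such Match."""
    for match in target.iterfind(".//x:Match", NS):
        designator = match.find("x:AttributeDesignator", NS)
        if designator is not None and designator.get("AttributeId") == attribute_id:
            return match.find("x:AttributeValue", NS).text
    return None

def extract_policy_parameters(policy_xml):
    """Recover the parameters of a 'single permission, multiple groups, single rule' policy."""
    root = ET.fromstring(policy_xml)
    rule = root.find("x:Rule", NS)
    condition = rule.find("x:Condition", NS)
    return {
        "policy_id": root.get("PolicyId"),
        "rule_id": rule.get("RuleId"),
        "effect": rule.get("Effect"),
        "resource_id": match_value(root.find("x:Target", NS), RESOURCE_ID),
        "permission": match_value(rule.find("x:Target", NS), ACTION_ID),
        # the string-bag inside the Condition lists the group names that are allowed
        "groups": [v.text for v in condition.iterfind(".//x:AttributeValue", NS)],
    }

def policy_mismatches(policy_xml, expected):
    """Names of expected parameters whose value differs in the policy; an empty list means it is correct."""
    actual = extract_policy_parameters(policy_xml)
    return [name for name, value in expected.items() if actual.get(name) != value]

# Constructed sample standing in for the policy returned by getPolicy (the template above with values filled in).
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="Test-Scenario-4" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="{XS}">Test-Scenario-4</AttributeValue><AttributeDesignator AttributeId="{RESOURCE_ID}" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="{XS}" MustBePresent="true"/>
</Match></AllOf></AnyOf></Target>
<Rule Effect="Permit" RuleId="rule-1"><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="{XS}">read</AttributeValue><AttributeDesignator AttributeId="{ACTION_ID}" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="{XS}" MustBePresent="true"/>
</Match></AllOf></AnyOf></Target>
<Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue DataType="{XS}">admin</AttributeValue><AttributeValue DataType="{XS}">manager</AttributeValue></Apply>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="{XS}" MustBePresent="true"/>
</Apply></Condition></Rule></Policy>"""
```

In a regression run, replace SAMPLE_POLICY with the policy taken from the getPolicy response and fail the test whenever policy_mismatches returns a non-empty list.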