Subject: Automatic conversion of XACML 2.0 to 3.0 policies
Any improvement, fix, etc. is welcome.
On May 28, 2015, at 12:29 PM, Hal Lockhart wrote:

You might consider joining the OpenAz project, now located in the Apache Incubator.

Unfortunately the Apache web site is not up yet. Here is the previous one.

Here is the Apache proposal (which was accepted).

The XACML TC also would accept it as a contribution. If you are not an OASIS member, you can contribute it by posting it to this mailing list (xacml-users@lists.oasis-open.org).

Hal

From: Cyril
Sent: Friday, May 22, 2015 8:50 AM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] Re: Automatic conversion of XACML 2.0 to 3.0 policies/requests

Hello,

for anyone interested, I ended up writing my own XSLT file for XACML 2.0-to-3.0 Policy conversion. I published it temporarily:
http://catalogue.fiware.org/sites/default/files/storage/enablers/xacml2to3.xsl

Maybe there is a better place to publish it (OASIS XACML website?). Anyway, it has a few limitations, as explained in comments inside that file. Besides, I noticed different behaviors depending on the XSLT processor, so I just want to inform that I tested only with Xalan and Saxon (HE) implementations.
Any improvement, patch, etc. is welcome of course.
Regards,
Cyril Dangerville

On Sat, Mar 14, 2015 at 7:20 PM, Cyril wrote:

Hello,

I need to convert a significant number of XACML 2.0 PolicySets and Requests to XACML 3.0 equivalents.

Has anybody used or developed an XSLT, or any tool, to help with this task? And would be willing to share with the community, of course.
Thanks for your help.
Regards,
Cyril
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Copyright (C) 2015 Thales Services SAS.

  The contents of this file are subject to the terms of the GNU General Public License
  as published by the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.

  This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
  without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  See the GNU General Public License for more details.

  You should have received a copy of the GNU General Public License along with AuthZForce.
  If not, see <http://www.gnu.org/licenses/>.
-->
<!-- XACML 2.0-to-3.0 Policy Conversion XSL Sheet -->
<!-- Author: Cyril DANGERVILLE -->
<!-- Suggestion for improvement: replace deprecated identifiers (XACML 3.0 Core Specification, §A.4) with new ones. -->
<!--
  WARNING: This XSLT does not convert XACML 2.0 AttributeSelectors to their strict equivalent in XACML 3.0:
  1) it converts XACML 2.0 RequestContextPath to XACML 3.0 Path although they have different meaning
     as they do not apply to the same XML node, so please be aware.
  2) It cannot determine the required Category in XACML 3.0 from XACML 2.0 input in some cases,
     so it has to use some default value that you can set with XSLT parameter
     'AttributeSelector.SubjectCategory.default' for AttributeSelectors coming from SubjectMatches,
     and 'AttributeSelector.Category.default' for the ones coming from Conditions.
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xacml2="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">

  <xsl:output encoding="UTF-8" indent="yes" method="xml"/>

  <!-- This element removes indentation with Xalan 2.7.1 (indentation preserved with Saxon 9.6.0.4). -->
  <!-- <xsl:strip-space elements="*" /> -->

  <!-- Parameters -->
  <!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting
       from <AttributeSelector> in XACML 2.0 <SubjectMatch>.
       Author's note: there does not seem to be any automatic way to guess this. -->
  <xsl:param name="AttributeSelector.SubjectCategory.default">urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:param>

  <!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting
       from <AttributeSelector> in XACML 2.0 <Condition>.
       Author's note: there does not seem to be any automatic way to guess this. -->
  <xsl:param name="AttributeSelector.Category.default">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:param>

  <xsl:template match="xacml2:Subjects | xacml2:Actions | xacml2:Resources | xacml2:Environments">
    <xsl:element name="xacml3:AnyOf">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:Subject | xacml2:Action | xacml2:Resource | xacml2:Environment">
    <xsl:element name="xacml3:AllOf">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:SubjectMatch | xacml2:ActionMatch | xacml2:ResourceMatch | xacml2:EnvironmentMatch">
    <xsl:element name="xacml3:Match">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:SubjectAttributeDesignator | xacml2:ActionAttributeDesignator | xacml2:ResourceAttributeDesignator | xacml2:EnvironmentAttributeDesignator">
    <xsl:element name="xacml3:AttributeDesignator">
      <xsl:attribute name="Category">
        <xsl:choose>
          <xsl:when test="local-name() = 'SubjectAttributeDesignator'">
            <xsl:choose>
              <xsl:when test="@SubjectCategory"><xsl:value-of select="@SubjectCategory"/></xsl:when>
              <xsl:otherwise>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:otherwise>
            </xsl:choose>
          </xsl:when>
          <xsl:when test="local-name() = 'ActionAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
          <xsl:when test="local-name() = 'ResourceAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
          <xsl:when test="local-name() = 'EnvironmentAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
        </xsl:choose>
      </xsl:attribute>
      <xsl:if test="not(@MustBePresent)">
        <xsl:attribute name="MustBePresent">false</xsl:attribute>
      </xsl:if>
      <xsl:apply-templates select="@*[not(local-name() = 'SubjectCategory')] | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:AttributeSelector">
    <xsl:element name="xacml3:{local-name()}">
      <xsl:attribute name="Category">
        <xsl:choose>
          <xsl:when test="local-name(parent::*) = 'SubjectMatch'"><xsl:value-of select="$AttributeSelector.SubjectCategory.default"/></xsl:when>
          <xsl:when test="local-name(parent::*) = 'ActionMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
          <xsl:when test="local-name(parent::*) = 'ResourceMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
          <xsl:when test="local-name(parent::*) = 'EnvironmentMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
          <xsl:otherwise><xsl:value-of select="$AttributeSelector.Category.default"/></xsl:otherwise>
        </xsl:choose>
      </xsl:attribute>
      <xsl:attribute name="Path"><xsl:value-of select="@RequestContextPath"/></xsl:attribute>
      <xsl:if test="not(@MustBePresent)">
        <xsl:attribute name="MustBePresent">false</xsl:attribute>
      </xsl:if>
      <xsl:apply-templates select="@*[not(local-name() = 'RequestContextPath')] | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:Obligations">
    <xsl:element name="xacml3:ObligationExpressions">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:Obligation">
    <xsl:element name="xacml3:ObligationExpression">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:AttributeAssignment">
    <xsl:element name="xacml3:AttributeAssignmentExpression">
      <xsl:apply-templates select="@AttributeId"/>
      <xsl:element name="xacml3:AttributeValue">
        <xsl:apply-templates select="@*[not(local-name() = 'AttributeId')] | child::node()"/>
      </xsl:element>
    </xsl:element>
  </xsl:template>

  <xsl:template match="xacml2:PolicySet | xacml2:Policy">
    <xsl:element name="xacml3:{local-name()}">
      <xsl:if test="not(@Version)">
        <xsl:attribute name="Version">1.0</xsl:attribute>
      </xsl:if>
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="child::*">
    <xsl:element name="xacml3:{local-name()}">
      <xsl:apply-templates select="@* | child::node()"/>
    </xsl:element>
  </xsl:template>

  <xsl:template match="@* | comment()">
    <xsl:copy/>
  </xsl:template>

</xsl:stylesheet>
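
A pre-conversion audit for the two limitations stated in the stylesheet's WARNING comment, as an added example (not part of the thread or of the posted stylesheet): it lists each XACML 2.0 AttributeSelector and reports whether the stylesheet would take its XACML 3.0 Category from a fixed value or from one of the two default parameters. The sample policy is constructed, and the function name, finding fields and `fixed:`/`param:` labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XACML2 = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
# Parents for which the stylesheet hard-codes the XACML 3.0 Category.
FIXED = {"ActionMatch": "action", "ResourceMatch": "resource",
         "EnvironmentMatch": "environment"}

# Constructed, abbreviated XACML 2.0 policy (MatchId, DataType etc. omitted).
SAMPLE_POLICY = f"""
<Policy xmlns="{XACML2}" PolicyId="constructed:example">
  <Target>
    <Subjects><Subject><SubjectMatch>
      <AttributeSelector RequestContextPath="//ctx:Subject//ctx:AttributeValue/text()"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch>
      <AttributeSelector RequestContextPath="//ctx:ResourceContent/doc/owner/text()"/>
    </ResourceMatch></Resource></Resources>
  </Target>
  <Rule RuleId="r1" Effect="Permit">
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <AttributeSelector RequestContextPath="//ctx:Action//ctx:AttributeValue/text()"/>
    </Apply></Condition>
  </Rule>
</Policy>"""

def audit_selectors(policy_xml):
    """List each XACML 2.0 AttributeSelector and how its 3.0 Category is chosen."""
    root = ET.fromstring(policy_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sel in root.iter(f"{{{XACML2}}}AttributeSelector"):
        # Like the stylesheet's local-name(parent::*): immediate parent only.
        parent = parent_of[sel].tag.rpartition("}")[2] if sel in parent_of else ""
        if parent in FIXED:
            source = "fixed:" + FIXED[parent]
        elif parent == "SubjectMatch":
            source = "param:AttributeSelector.SubjectCategory.default"
        else:  # e.g. under an Apply inside a Condition
            source = "param:AttributeSelector.Category.default"
        findings.append({
            "parent": parent,
            "path": sel.get("RequestContextPath"),  # copied to Path: review all
            "category_source": source,
            "category_defaulted": source.startswith("param:"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_selectors(SAMPLE_POLICY):
        print(finding)
```

In the constructed sample, the selector inside the Condition reads an Action attribute, yet the stylesheet's default for that position is the resource category, so that entry needs a manual fix or a different parameter value before the converted policy is deployed.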