
xacml-comment message



Subject: Automatic conversion of XACML 2.0 to 3.0 policies


Hello,
following the advice on the xacml-users mailing list, please find an XSLT file for XACML 2.0-to-3.0 Policy conversion attached, to share with the XACML community. Be aware it has a few limitations, as explained in comments inside that file. Besides, I noticed different behaviors depending on the XSLT processor, so I just want to inform that I tested only with Xalan and Saxon (HE) implementations.

Any improvement, fix, etc. is welcome.

Regards,
Cyril Dangerville


---------- Forwarded message ----------
From: Chester Ensign
Date: Fri, May 29, 2015 at 1:30 PM
Subject: Re: [xacml-users] Automatic conversion of XACML 2.0 to 3.0 policies/requests
To: Hal Lockhart
Cc: Cyril, xacml-users@lists.oasis-open.org


The better mailing list to contribute it to the Technical Committee is xacml-comment@lists.oasis-open.org. You subscribe by sending an empty message to xccml-comment-subscribe@lists.oasis-open.org. xacml-comment@ is meant specifically for outside feedback and contributions to the TC. 

/chet

 
On May 28, 2015, at 12:29 PM, Hal Lockhart wrote:

You might consider joining the OpenAz project, now located in the Apache Incubator.
 
Unfortunately the Apache web site is not up yet. Here is the previous one.
 
 
Here is the Apache proposal (which was accepted).
 
 
The XACML TC also would accept it as a contribution. If you are not an OASIS member, you can contribute it by posting it to this mailing list (xacml-users@lists.oasis-open.org).
 
Hal
 
From: Cyril
Sent: Friday, May 22, 2015 8:50 AM
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] Re: Automatic conversion of XACML 2.0 to 3.0 policies/requests
 
Hello,

for anyone interested, I ended up writing my own XSLT file for XACML 2.0-to-3.0 Policy conversion. I published it temporarily:
http://catalogue.fiware.org/sites/default/files/storage/enablers/xacml2to3.xsl

Maybe there is a better place to publish it (OASIS XACML website?). Anyway, it has a few limitations, as explained in comments inside that file. Besides, I noticed different behaviors depending on the XSLT processor, so I just want to inform that I tested only with Xalan and Saxon (HE) implementations.

Any improvement, patch, etc. is welcome of course.

Regards,
Cyril Dangerville
 
On Sat, Mar 14, 2015 at 7:20 PM, Cyril wrote:
Hello,
I need to convert a significant number of XACML 2.0 PolicySets and Requests to XACML 3.0 equivalents.

Has anybody used or developed an XSLT, or any tool, to help with this task? And would be willing to share with the community, of course.

Thanks for your help.

Regards,
Cyril



<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright (C) 2015 Thales Services SAS. The contents of this file are subject to the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, 
	or (at your option) any later version. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 
	PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with AuthZForce. If not, see <http://www.gnu.org/licenses/>. -->
<!-- XACML 2.0-to-3.0 Policy Conversion XSL Sheet  -->
<!-- Author: Cyril DANGERVILLE -->
<!-- Suggestion for improvement: replace deprecated identifiers (XACML 3.0 Core Specification, §A.4) with new ones. -->
<!-- WARNING: This XSLT does not convert XACML 2.0 AttributeSelectors to their strict equivalent in XACML 3.0: 1) it converts XACML 2.0 RequestContextPath to XACML 3.0 Path although they have different 
	meaning as they do not apply to the same XML node, so please be aware. 2) It cannot determine the required Category in XACML 3.0 from XACML 2.0 input in some cases, so it has to use some default value 
	that you can set with XSLT parameter 'AttributeSelector.SubjectCategory.default' for AttributeSelectors coming from SubjectMatches, and 'AttributeSelector.Category.default' for the ones coming from Conditions. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xacml2="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
	<xsl:output encoding="UTF-8" indent="yes" method="xml"/>

	<!-- This element removes indentation with Xalan 2.7.1 (indentation preserved with Saxon 9.6.0.4). -->
	<!-- <xsl:strip-space elements="*" /> -->

	<!-- Parameters -->
	<!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting from <AttributeSelector> in XACML 2.0 <SubjectMatch>. Author's note: there does not seem to be any automatic 
		way to guess this. -->
	<xsl:param name="AttributeSelector.SubjectCategory.default">urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:param>
	<!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting from <AttributeSelector> in XACML 2.0 <Condition>. Author's note: there does not seem to be any automatic 
		way to guess this. -->
	<xsl:param name="AttributeSelector.Category.default">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:param>

	<xsl:template match="xacml2:Subjects | xacml2:Actions | xacml2:Resources | xacml2:Environments">
		<xsl:element name="xacml3:AnyOf">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:Subject | xacml2:Action | xacml2:Resource | xacml2:Environment">
		<xsl:element name="xacml3:AllOf">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:SubjectMatch | xacml2:ActionMatch | xacml2:ResourceMatch | xacml2:EnvironmentMatch">
		<xsl:element name="xacml3:Match">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:SubjectAttributeDesignator | xacml2:ActionAttributeDesignator | xacml2:ResourceAttributeDesignator | xacml2:EnvironmentAttributeDesignator">
		<xsl:element name="xacml3:AttributeDesignator">
			<xsl:attribute name="Category">
				<xsl:choose>
					<xsl:when test="local-name() = 'SubjectAttributeDesignator'">
						<xsl:choose>
							<xsl:when test="@SubjectCategory"><xsl:value-of select="@SubjectCategory"/></xsl:when>
							<xsl:otherwise>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:otherwise>
						</xsl:choose>
					</xsl:when>
					<xsl:when test="local-name() = 'ActionAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
					<xsl:when test="local-name() = 'ResourceAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
					<xsl:when test="local-name() = 'EnvironmentAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
				</xsl:choose>
			</xsl:attribute>
			<xsl:if test="not(@MustBePresent)">
				<xsl:attribute name="MustBePresent">false</xsl:attribute>
			</xsl:if>
			<xsl:apply-templates select="@*[not(local-name() = 'SubjectCategory')] | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:AttributeSelector">
		<xsl:element name="xacml3:{local-name()}">
			<xsl:attribute name="Category">
				<xsl:choose>
					<xsl:when test="local-name(parent::*) = 'SubjectMatch'"><xsl:value-of select="$AttributeSelector.SubjectCategory.default"/></xsl:when>
					<xsl:when test="local-name(parent::*) = 'ActionMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
					<xsl:when test="local-name(parent::*) = 'ResourceMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
					<xsl:when test="local-name(parent::*) = 'EnvironmentMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
					<xsl:otherwise><xsl:value-of select="$AttributeSelector.Category.default"/></xsl:otherwise>
				</xsl:choose>
			</xsl:attribute>
			<xsl:attribute name="Path"><xsl:value-of select="@RequestContextPath"/></xsl:attribute>
			<xsl:if test="not(@MustBePresent)">
				<xsl:attribute name="MustBePresent">false</xsl:attribute>
			</xsl:if>
			<xsl:apply-templates select="@*[not(local-name() = 'RequestContextPath')] | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:Obligations">
		<xsl:element name="xacml3:ObligationExpressions">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:Obligation">
		<xsl:element name="xacml3:ObligationExpression">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:AttributeAssignment">
		<xsl:element name="xacml3:AttributeAssignmentExpression">
			<xsl:apply-templates select="@AttributeId"/>
			<xsl:element name="xacml3:AttributeValue">
				<xsl:apply-templates select="@*[not(local-name() = 'AttributeId')] | child::node()"/>
			</xsl:element>
		</xsl:element>
	</xsl:template>
	<xsl:template match="xacml2:PolicySet | xacml2:Policy">
		<xsl:element name="xacml3:{local-name()}">
			<xsl:if test="not(@Version)">
				<xsl:attribute name="Version">1.0</xsl:attribute>
			</xsl:if>
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="child::*">
		<xsl:element name="xacml3:{local-name()}">
			<xsl:apply-templates select="@* | child::node()"/>
		</xsl:element>
	</xsl:template>
	<xsl:template match="@* | comment()">
		<xsl:copy/>
	</xsl:template>
</xsl:stylesheet>
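
The WARNING comment in the stylesheet says converted AttributeSelectors may receive a default Category and a Path whose meaning differs from RequestContextPath, so each one needs manual review before the 3.0 policy is trusted for access decisions. The following pre-conversion audit is an added example, not part of the attached stylesheet or the thread: it lists every XACML 2.0 AttributeSelector and reports whether the stylesheet would give it a fixed Category or one of the two parameter defaults. The function names and the sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML2_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
# Parents for which the stylesheet emits a fixed Category; others get a parameter default.
FIXED_PARENTS = {"ActionMatch", "ResourceMatch", "EnvironmentMatch"}

def local(tag):
    return tag.rsplit("}", 1)[-1]

def audit_selectors(xml_text):
    """List each XACML 2.0 AttributeSelector and how its 3.0 Category would be chosen."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for sel in root.iter("{%s}AttributeSelector" % XACML2_NS):
        parent_name = local(parent[sel].tag)
        if parent_name in FIXED_PARENTS:
            source = "fixed"
        elif parent_name == "SubjectMatch":
            source = "AttributeSelector.SubjectCategory.default"
        else:  # e.g. an <Apply> inside a <Condition>
            source = "AttributeSelector.Category.default"
        node = sel  # walk up to the enclosing Policy or PolicySet
        while node in parent and local(node.tag) not in ("Policy", "PolicySet"):
            node = parent[node]
        findings.append({"policy": node.get("PolicyId") or node.get("PolicySetId"),
                         "parent": parent_name, "path": sel.get("RequestContextPath"),
                         "category_source": source})
    return findings

# Constructed sample policy (not from the thread); XS_STRING is expanded below.
SAMPLE = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="urn:example:p1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="XS_STRING">alice</AttributeValue>
      <AttributeSelector RequestContextPath="//Subject/Attribute/AttributeValue/text()" DataType="XS_STRING"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="XS_STRING">report</AttributeValue>
      <AttributeSelector RequestContextPath="//Resource/ResourceContent/type/text()" DataType="XS_STRING"/>
    </ResourceMatch></Resource></Resources>
  </Target>
  <Rule RuleId="r1" Effect="Permit"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <AttributeValue DataType="XS_STRING">gold</AttributeValue>
      <AttributeSelector RequestContextPath="//Resource/ResourceContent/tier/text()" DataType="XS_STRING"/>
    </Apply></Condition></Rule>
</Policy>""".replace("XS_STRING", "http://www.w3.org/2001/XMLSchema#string")

if __name__ == "__main__":
    print(*audit_selectors(SAMPLE), sep="\n")
```

Every entry needs its Path checked by hand; entries whose `category_source` names a parameter also need the Category confirmed, since the stylesheet cannot infer it.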

