authorization - XACML policy to test for occurrences of strings in a bag

Tags: authorization access-control xacml abac alfa

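I am trying to come up with a rule that states that a string must start with ABC but must not be ABC123, ABC456, or ABC789.

I am trying to write this so that it is evaluated against a bag of strings; any pointers are much appreciated.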

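Best answer

You need two things:

  1. A check that matches your attribute (e.g. a) against the value (ABC)
  2. A condition that checks that the same attribute is not any of ABC123, ABC456, ABC789.

There are (at least) two ways to do this:

  1. You can write a policy that checks for the attribute starting with ABC, and then have a rule that denies access if the value is one of the 3 forbidden values
  2. You can write a policy that checks for the attribute starting with ABC and returns Permit only if the value is not one of the 3 forbidden values.

ALFA example

ALFA, the Abbreviated Language for Authorization, is a lightweight syntax for XACML policies. (Source: Wikipedia)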

namespace com.axiomatics{
    attribute a{
        category = subjectCat
        id = "com.axiomatics.a"
        type = string
    }
    /**
     * This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
     */
    policy example{
        apply firstApplicable
        /**
         * Deny specific values
         */
        rule denySpecificValues{
            target clause a == "ABC123" or a == "ABC456" or a == "ABC789"
            deny
        }
        /**
         * Allow if the string starts with ABC
         */
        rule startsWithABC{
            target clause stringStartsWith("ABC", a)
            permit
        }
    }
    /**
     * This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
     */
    policy anotherExample{
        apply firstApplicable
        /**
         * Allow if the string starts with ABC and is not one of the forbidden values
         */
        rule startsWithABC{
            target clause stringStartsWith("ABC", a)
            permit
            condition not(a == "ABC123") && not(a == "ABC456") && not(a == "ABC789")
        }
    }
}

XACML XML equivalent

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
    ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
    be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.example"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>This policy allows access if the string starts with
        ABC but is not ABC123, ABC456, or ABC789</xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Deny"
        RuleId="com.axiomatics.example.denySpecificValues">
        <xacml3:Description>Deny specific values</xacml3:Description>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">ABC123</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.a"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">ABC456</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.a"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">ABC789</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.a"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.example.startsWithABC">
        <xacml3:Description>Allow if the string starts with ABC
        </xacml3:Description>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">ABC</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.a"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
</xacml3:Policy>
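
The following Python model is an added example, not code from the answer or from Axiomatics. It evaluates both policies over a bag of strings: a match succeeds when any value in the bag matches, the first policy returns Deny for a forbidden value, and the second returns NotApplicable, so the final outcome depends on the enclosing combining algorithm. The function names, the sample bags, the any-value reading of `==` in a condition and the grouping of `A && B || C` are assumptions.

```python
# Added illustration: a Python model of the two ALFA policies, not PDP code.
FORBIDDEN = ("ABC123", "ABC456", "ABC789")


def any_value(bag, predicate):
    """XACML match semantics: true if at least one value in the bag matches."""
    return any(predicate(v) for v in bag)


def starts_with_abc(bag):
    return any_value(bag, lambda v: v.startswith("ABC"))


def policy_example(bag):
    """Policy `example`: first-applicable, deny rule listed before permit rule."""
    if any_value(bag, lambda v: v in FORBIDDEN):
        return "Deny"
    if starts_with_abc(bag):
        return "Permit"
    return "NotApplicable"  # empty bag or no ABC prefix: no rule applies


def policy_another_example(bag, last_joined_with_or=False):
    """Policy `anotherExample`: one permit rule whose condition excludes values."""
    if not starts_with_abc(bag):
        return "NotApplicable"  # target did not match
    # Assumption: `a == "X"` in a condition is true if any bag value equals X.
    n123, n456, n789 = (not any_value(bag, lambda v, f=f: v == f) for f in FORBIDDEN)
    if last_joined_with_or:
        condition = (n123 and n456) or n789  # assumed grouping of `A && B || C`
    else:
        condition = n123 and n456 and n789
    # A rule whose condition is false is NotApplicable; it never yields Deny.
    return "Permit" if condition else "NotApplicable"


# Constructed sample bags for attribute `a`.
SAMPLES = [[], ["XYZ"], ["ABC999"], ["ABC123"], ["ABC123", "ABC999"]]

if __name__ == "__main__":
    for bag in SAMPLES:
        print(bag, policy_example(bag), policy_another_example(bag),
              policy_another_example(bag, last_joined_with_or=True))
```

Joining the last negation with `||` lets a bag containing ABC123 through, which is why all three negations have to be joined with `&&`.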

A similar question, "authorization - XACML policy to test for occurrences of strings in a bag", can be found on Stack Overflow: https://stackoverflow.com/questions/58455424/
