XACML Rule for Time In Range as a Condition

I want to write a rule that uses a condition statement built around the XACML function "urn:oasis:names:tc:xacml:2.0:function:time-in-range", using the ALFA language syntax. For simpler obligation handling, I would rather use it in a condition function than in a target expression.
Is this possible? I did not find any reference to it in the manual.

@David Brossard. Following the scheme below, I tested the policy with the following ALFA code:

namespace com.ibm.XACML {
    import Attributes.*
    import attributes.*
    import com.ibm.XACML.Attributes.*

    attribute currentTime {
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
        type = time
        category = environmentCat
    }

    function timeInRange = "urn:oasis:names:tc:xacml:2.0:function:time-in-range" : time time time -> boolean

    // lowerBound = "09:00:00-03:00"
    // upperBound = "18:00:00-03:00"
    // current-time = "02:00:00-03:00" decision permit
    // current-time = "10:00:00-03:00" decision permit
    // current-time = "22:00:00-03:00" decision permit

    policy checkTimeInRange {
        apply firstApplicable
        rule allowWithinRange {
            permit
            condition timeInRange(timeOneAndOnly(currentTime), timeOneAndOnly(timeBag("09:00:00-03:00":time)), timeOneAndOnly(timeBag("19:00:00-03:00":time)))
        }
    }
}

Syntax validation runs fine, but the evaluation result returned by the WSO2 PDP code is wrong: it gives "Permit" for all three tests, 02:00:00, 10:00:00 and 22:00:00.

I have solved the problem. The WSO2 Try-It tool generates "String" by default, whereas XACML needs the time data type. To fix it, a manual request must be issued, and then the logic shown by @David Brossard works perfectly. Here is a sample request that produces a "Permit".

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">11:00:00-03:00</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

The "TimeInRange" function combined with a condition statement is very useful.

From the XACML standard I can read:

urn:oasis:names:tc:xacml:2.0:function:time-in-range

This function SHALL take three arguments of data-type time and SHALL return a boolean. It SHALL return True if the first argument falls in the range defined inclusively by the second and third arguments. Otherwise, it SHALL return “False”.

Regardless of its value, the third argument SHALL be interpreted as a time that is equal to, or later than by less than twenty-four hours, the second argument. If no time zone is provided for the first argument, it SHALL use the default time zone at the context handler. If no time zone is provided for the second or third arguments, then they SHALL use the time zone from the first argument.

ALFA also has this function. It is defined as

function timeInRange = "urn:oasis:names:tc:xacml:2.0:function:time-in-range" : time time time -> boolean

To use it, simply do the following:

policy checkTimeInRange{
    apply firstApplicable
    rule allowWithinRange{
        permit
        condition timeInRange(timeOneAndOnly(currentTime), timeOneAndOnly(lowerBound), timeOneAndOnly(upperBound))
    }
}

Note that if any of these values is missing, the PDP will reply Indeterminate.
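The time-in-range semantics quoted from the standard above (inclusive bounds, the upper bound read as less than 24 hours after the lower one, and the time-zone inheritance rules), together with the data-type mismatch the asker ran into, modelled in Python as an added example. This is not code from the question, the answer, WSO2 or the ALFA project: parse_xs_time, time_in_range, make_request and evaluate_rule are names chosen here, the request XML is the asker's sample rebuilt by make_request, and the default_tz parameter stands in for the context handler's default time zone, which the standard leaves to the deployment. It goes a little beyond the page's case by also covering a range that wraps past midnight.

```python
# Added example: a reference model of urn:oasis:names:tc:xacml:2.0:function:time-in-range
# and a minimal evaluator for the single permit rule on this page. Not WSO2 or ALFA code.
import xml.etree.ElementTree as ET
from datetime import time, timezone

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CURRENT_TIME_ID = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
DAY = 24 * 60 * 60


def parse_xs_time(text: str) -> time:
    """Parse an xs:time lexical value such as 11:00:00-03:00, 09:00:00Z or 09:00:00."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return time.fromisoformat(text)  # tzinfo is None when no zone is given


def _utc_seconds(t: time, fallback_tz: timezone) -> int:
    """Seconds since midnight in UTC; a time without a zone takes fallback_tz."""
    zone = t.tzinfo if t.tzinfo is not None else fallback_tz
    offset = int(zone.utcoffset(None).total_seconds())
    local = t.hour * 3600 + t.minute * 60 + t.second
    return (local - offset) % DAY


def time_in_range(current: time, lower: time, upper: time,
                  default_tz: timezone = timezone.utc) -> bool:
    """XACML time-in-range as specified:
    - no zone on `current`      -> the context handler's default zone (default_tz)
    - no zone on lower/upper    -> the zone of `current`
    - `upper` is read as equal to, or less than 24h after, `lower`
      (so 22:00..06:00 is a valid range that wraps past midnight)
    - both ends are inclusive
    """
    current_tz = current.tzinfo if current.tzinfo is not None else default_tz
    cur = _utc_seconds(current, default_tz)
    lo = _utc_seconds(lower, current_tz)
    hi = _utc_seconds(upper, current_tz)
    if hi < lo:
        hi += DAY  # the range crosses midnight
    if cur < lo:
        cur += DAY  # try the "next day" side of the cycle
    return lo <= cur <= hi


def make_request(value: str, data_type: str = XS_TIME) -> str:
    """Rebuild the environment-only request from the question (constructed input)."""
    return (
        f'<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
        '<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">'
        f'<Attribute AttributeId="{CURRENT_TIME_ID}" IncludeInResult="false">'
        f'<AttributeValue DataType="{data_type}">{value}</AttributeValue>'
        "</Attribute></Attributes></Request>"
    )


def evaluate_rule(request_xml: str, lower: str, upper: str) -> str:
    """Evaluate the page's first-applicable policy with its one permit rule.
    Returns Permit, NotApplicable or Indeterminate; a condition that cannot be
    evaluated (missing value, wrong data type, unparsable time) is Indeterminate,
    which is what the answer warns about for missing values."""
    root = ET.fromstring(request_xml)
    path = (f".//{{{XACML_NS}}}Attribute[@AttributeId='{CURRENT_TIME_ID}']"
            f"/{{{XACML_NS}}}AttributeValue")
    values = root.findall(path)
    if len(values) != 1:  # timeOneAndOnly requires exactly one value in the bag
        return "Indeterminate"
    if values[0].get("DataType") != XS_TIME:  # e.g. the String the Try-It tool sends
        return "Indeterminate"
    try:
        current = parse_xs_time(values[0].text or "")
    except ValueError:
        return "Indeterminate"
    allowed = time_in_range(current, parse_xs_time(lower), parse_xs_time(upper))
    return "Permit" if allowed else "NotApplicable"


if __name__ == "__main__":
    lo, hi = "09:00:00-03:00", "19:00:00-03:00"  # the bounds from the asker's policy
    for sample in ("02:00:00-03:00", "10:00:00-03:00", "22:00:00-03:00"):
        print(sample, "->", evaluate_rule(make_request(sample), lo, hi))
    print("string-typed value ->", evaluate_rule(make_request("11:00:00-03:00", XS_STRING), lo, hi))
```

With the asker's three sample times only 10:00:00-03:00 yields Permit; the other two are NotApplicable, and a request carrying the value as a string rather than xs:time comes back Indeterminate instead of a decision.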