Open fernandorr21 opened 4 years ago
Yes it could be done, but you would need to customize the PEP Proxy code to do it.
How could I do it?
https://github.com/FIWARE/tutorials.Step-by-Step/blob/master/context-provider/lib/azf.js#L12 provides an example of an application (in this case the Tutorial app) creating a custom XACML request for Authzforce.
The equivalent code in the PEP Proxy is here: https://github.com/ging/fiware-pep-proxy/blob/master/lib/azf.js#L92
You could check the flow of the code to find out where getRESTPolicy() is called and write the following:
1. Get Value from cache
2. If not found or expired retrieve current value from CB (look at store.js)
3. Call the amended getRESTPolicy() and retrieve Permit/Deny.
Obviously Authzforce would need a rule which checked the additional value as well, much like the eMail example in the tutorial.
But how do I obtain the attributes of a predefined entity?
To read attributes of an entity or entities use the attrs parameter - something like the NGSI-LD example here:
```javascript
let productsInStore = await ngsiLD.listEntities(
  {
    type: 'Product',
    options: 'keyValues',
    attrs: 'name,price',
    id: stockedProducts.join(',')
  },
  headers
);
```
Effectively you're just sending a request like:
```sh
curl -L -X GET 'http://localhost:1026/v2/entities/urn:ngsi-ld:Store:001?options=keyValues&attrs=name'
```
To generate the XACML you will have to do that yourself - but you can follow the eMail example as a template.
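The three steps from the earlier reply (cache lookup, fetch from the Context Broker with the attrs parameter, amended getRESTPolicy() with a custom XACML request) put together, as an added example that is not code from the PEP Proxy (Wilma), the FIWARE tutorials or Authzforce. It assumes Orion at CB_URL, a 60 second cache, Node 18 or later for the global fetch, and a hypothetical attribute id "urn:example:store:name"; the Authzforce rule would have to test that same AttributeId. The Authzforce PDP URL is passed in by the caller.

```javascript
// Added example for this thread; not code from the PEP Proxy (Wilma), the
// FIWARE tutorials or Authzforce. It implements the three steps from the reply:
//   1. look the entity up in a TTL cache,
//   2. on a miss or expiry, fetch it from the Context Broker with the same
//      ?options=keyValues&attrs= request as the curl example,
//   3. put the fetched value into a custom XACML 3.0 request, POST it to the
//      Authzforce PDP and read back Permit/Deny.
// Assumptions: Orion at CB_URL, a 60 s cache, Node 18+ (global fetch), and the
// attribute id EXTRA_ATTR_ID, which is hypothetical; the Authzforce rule must
// test the same AttributeId.

const CB_URL = process.env.CB_URL || 'http://localhost:1026';
const CACHE_TTL_MS = 60 * 1000;
const EXTRA_ATTR_ID = 'urn:example:store:name'; // hypothetical attribute id

// Steps 1 and 2: cache keyed by entity id + requested attrs, with an expiry time.
const cache = new Map();

async function getEntityAttrs(entityId, attrs, fetchImpl = globalThis.fetch, now = Date.now) {
  const key = `${entityId}|${attrs}`;
  const hit = cache.get(key);
  if (hit && hit.expires > now()) return hit.value;          // fresh cache entry

  const url = `${CB_URL}/v2/entities/${encodeURIComponent(entityId)}` +
              `?options=keyValues&attrs=${encodeURIComponent(attrs)}`;
  const res = await fetchImpl(url, { headers: { Accept: 'application/json' } });
  if (!res.ok) throw new Error(`Context Broker returned HTTP ${res.status} for ${entityId}`);
  const value = await res.json();                             // e.g. { id, type, name }
  cache.set(key, { value, expires: now() + CACHE_TTL_MS });
  return value;
}

// Escape text before embedding it in XML, so an attribute value read from the
// broker cannot add elements to the request document.
function xmlEscape(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[<>&"']/g, c => map[c]);
}

const X = 'urn:oasis:names:tc:xacml';

// One <Attributes> element of the given category holding [id, value] pairs.
function attributes(category, pairs) {
  const body = pairs.map(([id, value]) => `    <Attribute AttributeId="${id}" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${xmlEscape(value)}</AttributeValue>
    </Attribute>`).join('\n');
  return `  <Attributes Category="${category}">\n${body}\n  </Attributes>`;
}

// Step 3a: the amended request. Role, resource and action use the standard XACML
// identifiers; the extra attribute is added to the resource category.
function buildXacmlRequest({ role, resource, action, extraValue }) {
  return `<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="${X}:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
${attributes(`${X}:1.0:subject-category:access-subject`, [[`${X}:2.0:subject:role`, role]])}
${attributes(`${X}:3.0:attribute-category:resource`, [[`${X}:1.0:resource:resource-id`, resource], [EXTRA_ATTR_ID, extraValue]])}
${attributes(`${X}:3.0:attribute-category:action`, [[`${X}:1.0:action:action-id`, action]])}
</Request>`;
}

// Step 3b: read the PDP decision; anything other than an explicit Permit is denied.
function parseDecision(responseXml) {
  const m = /<(?:\w+:)?Decision>\s*(Permit|Deny|NotApplicable|Indeterminate)\s*<\/(?:\w+:)?Decision>/.exec(responseXml);
  return m && m[1] === 'Permit' ? 'Permit' : 'Deny';
}

// Glue for the getRESTPolicy() call site: fetch the attribute, build the request,
// ask the PDP. azfPdpUrl is the domain's PDP endpoint (assumed to be configured).
async function decide({ role, resource, action, entityId, attrName }, azfPdpUrl,
                      fetchImpl = globalThis.fetch, now = Date.now) {
  const entity = await getEntityAttrs(entityId, attrName, fetchImpl, now);
  const body = buildXacmlRequest({ role, resource, action, extraValue: entity[attrName] ?? '' });
  const res = await fetchImpl(azfPdpUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/xml', Accept: 'application/xml' },
    body
  });
  if (!res.ok) throw new Error(`Authzforce returned HTTP ${res.status}`);
  return parseDecision(await res.text());
}
```

Call `decide({ role, resource, action, entityId, attrName }, azfPdpUrl)` from the place where the PEP Proxy currently calls getRESTPolicy(). The fetch function and clock are injectable so the cache and the fail-closed decision parsing can be exercised without a running broker or PDP; in production the defaults (global fetch, Date.now) apply.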
Thank you, I achieved it. But I have another problem: I want to permit access to /v2/entities and all /v2/entities/id..., how could I permit access in XACML to the children of /v2/entities/....../....?
If you are using XACML then create a rule with `<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">`
see: here as an example.
However, this complexity is no longer necessary, as this issue https://github.com/FIWARE/tutorials.XACML-Access-Rules/issues/7 points out. You could just use the Keyrock simple Policy Decision Point and supply a regex.
More info here
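The two ways of allowing /v2/entities together with everything under it that the reply mentions, a string-starts-with prefix match and a regular expression, side by side as an added example; it is not code from this thread, Keyrock or Authzforce, and the request paths are constructed samples. The caveat it shows: a bare prefix also matches unrelated paths such as /v2/entitiesX, so the prefix should carry the separating slash (or the regular expression should be anchored), and the query string should be stripped before matching.

```javascript
// Added example, not from this thread, Keyrock or Authzforce. It shows the two
// ways the reply mentions of allowing /v2/entities together with everything
// below it, and a caveat about each. The request paths are constructed samples.

const COLLECTION = '/v2/entities';

// What a single string-starts-with Match on the resource-id gives you: any path
// that begins with the prefix, including unrelated ones such as /v2/entitiesX.
function bareStartsWith(path) {
  return path.startsWith(COLLECTION);
}

// Tighter prefix rule: either the collection itself, or a path under it, with the
// separating slash in the prefix. In XACML that is a string-equal Match on
// "/v2/entities" plus a string-starts-with Match on "/v2/entities/".
function prefixRule(path) {
  return path === COLLECTION || path.startsWith(COLLECTION + '/');
}

// Equivalent anchored regular expression, the form a regex-based PDP takes.
// Without the ^ and $ anchors the expression would match anywhere in the path.
const ENTITIES_RE = /^\/v2\/entities(\/.*)?$/;
function regexRule(path) {
  return ENTITIES_RE.test(path);
}

// Match on the path only: strip the query string (NGSI v2 uses it for options=,
// attrs= and so on) so it cannot influence the decision.
function pathOf(url) {
  const q = url.search(/[?#]/);
  return q === -1 ? url : url.slice(0, q);
}

// Evaluate every rule against a list of request URLs; returns one row per URL.
function compare(urls) {
  return urls.map(u => {
    const p = pathOf(u);
    return { path: p, bare: bareStartsWith(p), prefix: prefixRule(p), regex: regexRule(p) };
  });
}

// Constructed sample requests covering the cases the question asks about.
const SAMPLE_URLS = [
  '/v2/entities',
  '/v2/entities?options=keyValues&attrs=name',
  '/v2/entities/urn:ngsi-ld:Store:001',
  '/v2/entities/urn:ngsi-ld:Store:001/attrs/name/value',
  '/v2/entitiesX',
  '/v2/subscriptions'
];
```

Running `compare(SAMPLE_URLS)` shows the only disagreement between the three rules on /v2/entitiesX: the bare prefix permits it, the slash-terminated prefix and the anchored regular expression do not.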
Hello, I would like to obtain in Wilma the attributes of an entity already defined in Orion based on its id (in root.js for example), in order to evaluate those attributes in Authzforce. Could it be done?