ging / fiware-pep-proxy

Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema.
https://fiware-pep-proxy.rtfd.io/
MIT License

doubt about pep proxy #103

Open fernandorr21 opened 4 years ago

fernandorr21 commented 4 years ago

Hello, I would like to obtain in Wilma the attributes of an entity already defined in Orion, based on its ID, in order to evaluate those attributes in AuthzForce. Could it be done?

jason-fox commented 3 years ago

A combination of https://github.com/ging/fiware-idm/pull/226 and #132 would form the basis of what you need. Currently the PRs are using an XACML JSON endpoint on the Keyrock PDP to do this, but you could alter the Authzforce code to add in the same new attributes to the Authzforce request.

Currently this is added to the JSON payload under the resource category:

```js
// Each optional NGSI-LD payload field becomes one resource-category attribute
if (data.payloadAttrs) {
  resourceInfo.push(attribute('urn:ngsi-ld:resource:attrs', data.payloadAttrs));
}
if (data.payloadEntityIds) {
  resourceInfo.push(attribute('urn:ngsi-ld:resource:ids', data.payloadEntityIds));
}
if (data.payloadIdPatterns) {
  resourceInfo.push(attribute('urn:ngsi-ld:resource:id-patterns', data.payloadIdPatterns));
}
```

I assume the equivalent for adding ID checking to the Authzforce PDP request would look something like this (repeat for attrs and patterns):

```js
{
  AttributeId: 'urn:ngsi-ld:resource:ids',
  IncludeInResult: 'false',
  AttributeValue: {
    DataType: 'http://www.w3.org/2001/XMLSchema#string',
    $t: escapeXML(data.payloadEntityIds),
  },
},
```

Obviously the XACML Policy would need to be changed as well to support ID checking.
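The mapping sketched in the comment above, written out as an added example (not fiware-pep-proxy code): it builds the Authzforce resource attributes for all three NGSI-LD fields and escapes the values before they are placed in the XML text node. The `escapeXML` helper, the `data.payload*` field names and the sample input are assumptions of this example.

```javascript
// Added example, not code from fiware-pep-proxy. It builds the XACML
// "Resource" attribute list for an Authzforce request from the same
// NGSI-LD payload fields that the Keyrock JSON path uses above.

const XSD_STRING = 'http://www.w3.org/2001/XMLSchema#string';

// Escape the XML special characters so an entity id or attribute name taken
// from the request cannot break out of the AttributeValue element
// (assumed helper; the project's own escapeXML is not shown on the page).
function escapeXML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// One XACML attribute in the shape the comment above proposes.
function attribute(attributeId, value) {
  return {
    AttributeId: attributeId,
    IncludeInResult: 'false',
    AttributeValue: { DataType: XSD_STRING, $t: escapeXML(value) },
  };
}

// Map each optional payload field to its URN and skip the ones the request
// does not carry, so the PDP only sees attributes that were really present.
function authzforceResourceAttributes(data) {
  const mapping = [
    ['payloadAttrs', 'urn:ngsi-ld:resource:attrs'],
    ['payloadEntityIds', 'urn:ngsi-ld:resource:ids'],
    ['payloadIdPatterns', 'urn:ngsi-ld:resource:id-patterns'],
  ];
  const out = [];
  for (const [field, urn] of mapping) {
    if (data[field]) out.push(attribute(urn, data[field]));
  }
  return out;
}

// Constructed sample, as a PEP might extract it from an NGSI-LD query:
// one entity id and one attribute, no id pattern.
const sample = { payloadEntityIds: 'urn:ngsi-ld:Building:store001', payloadAttrs: 'temperature' };
console.log(JSON.stringify(authzforceResourceAttributes(sample), null, 2));
```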