ECOMP-PAP-REST/Decision_GuardPolicyTemplate.xml

   1 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
   2 <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:xacml:policy:id:d56af069-6cf1-430c-ba07-e26602e06a52" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
   3     <Description>${description}</Description>
   4     <Target>
   5         <AnyOf>
   6             <AllOf>
   7                 <Match MatchId="org.openecomp.function.regex-match">
   8                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${PolicyName}</AttributeValue>
   9                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="PolicyName" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  10                 </Match>
  11             </AllOf>
  12             <AllOf>
  13                 <Match MatchId="org.openecomp.function.regex-match">
  14                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${ECOMPName}</AttributeValue>
  15                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="ECOMPName" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  16                 </Match>
  17                 <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
  18                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue>
  19                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="actor" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  20                 </Match>
  21                 <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
  22                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue>
  23                     <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="recipe" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  24                 </Match>
  25             </AllOf>
  26         </AnyOf>
  27     </Target>
  28     <Rule RuleId="urn:com:xacml:rule:id:284d9393-f861-4250-b62d-fc36640a363a" Effect="Permit">
  29         <Target>
  30             <AnyOf>
  31                 <AllOf>
  32                     <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
  33                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DECIDE</AttributeValue>
  34                         <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  35                     </Match>
  36                 </AllOf>
  37             </AnyOf>
  38         </Target>
  39         <Condition>
  40             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  41                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  42                     <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
  43                         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
  44                             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/>
  45                         </Apply>
  46                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue>
  47                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue>
  48                     </Apply>
  49                 </Apply>
  50                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
  51                     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
  52                         <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="count" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="org:openecomp:xacml:sql:${timeWindow}" MustBePresent="false"/>
  53                     </Apply>
  54                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue>
  55                 </Apply>
  56             </Apply>
  57         </Condition>
  58     </Rule>
  59     <Rule RuleId="urn:com:xacml:rule:id:284d9393-f861-4250-b62d-fc36640a363a" Effect="Deny">
  60         <Target>
  61             <AnyOf>
  62                 <AllOf>
  63                     <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
  64                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DECIDE</AttributeValue>
  65                         <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  66                     </Match>
  67                 </AllOf>
  68             </AnyOf>
  69         </Target>
  70         <Condition>
  71             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  72                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
  73                         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  74                                 <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
  75                                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
  76                                 <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/>
  77                                 </Apply>
  78                                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue>
  79                                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue>
  80                         </Apply>
  81                         </Apply>
  82                         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
  83                         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
  84                                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="count" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="org:openecomp:xacml:sql:${timeWindow}" MustBePresent="false"/>
  85                         </Apply>
  86                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue>
  87                         </Apply>
  88                 </Apply>
  89             </Apply>
  90         </Condition>
  91         <AdviceExpressions>
  92             <AdviceExpression AdviceId="GUARD_YAML" AppliesTo="Deny">
  93                 <AttributeAssignmentExpression AttributeId="guard.response" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  94                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Denied!</AttributeValue>
  95                 </AttributeAssignmentExpression>
  96             </AdviceExpression>
  97         </AdviceExpressions>
  98     </Rule>
  99 </Policy>