We are looking into Keyrock + Wilma + AuthZForce to secure our FIWARE system running Orion and Quantum Leap. The entities in our system are under services and service paths. These are accessed with appropriate headers, namely Fiware-Service and Fiware-Servicepath.
I am trying to create XACML rules for AuthZForce that would include the services and service paths, but haven't been successful yet. If anyone has been able to do so, I would appreciate the help. Also, if this approach is wrong, I would appreciate other suggestions on how services and service paths can be used with FIWARE access control.
Dealing with FIWARE headers isn't a problem for Authzforce; it is just not the default behaviour of the PEP Proxy.
Authzforce is an entirely generic PDP: if you provide the right set of XACML policies and send the appropriate data, it will adjudicate for you. The following <Rule> will permit all access to /v2/entities when the fiware-header = "smartgondor":
<?xml version="1.0" encoding="UTF-8"?>
<Rule RuleId="ccxsx-xs-xsx-xsxs-xs" Effect="Permit">
  <Description>Context Broker Access with Header=SmartGondor</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Match>
      </AllOf>
    </AnyOf>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">smartgondor</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="fiware-header" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
</Rule>
Unfortunately the issue is that by default the PEP Proxy code, when making a request to Authzforce, only passes the following values out-of-the-box:
As you can see no header information is passed by default.
To include information about the FIWARE headers, you're going to have to alter the file to read the headers from the request sent to the PEP Proxy and add another attribute sent with the request to Authzforce. A simpler example of this sort of custom request can be found within the Administrating-XACML Tutorial:
Security Staff Can only ring the alarm bell before 9 a.m. or after 5 p.m., except for Charlie who can ring the bell at any time
The custom code to send a request to Authzforce can be found in the tutorial codebase - Charlie's username is included in the request.
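As an added illustration of the approach the answer describes (this is example code written for this page, not Wilma's or AuthZForce's own code), the following Node.js snippet builds a XACML 3.0 request that carries the incoming Fiware-Service and Fiware-Servicepath headers as resource attributes, using the same `fiware-header` and `urn:thales:xacml:2.0:resource:sub-resource-id` attribute ids as the rule above, and then reads the PDP's Decision out of the response. The role and action attribute ids, the `fiware-servicepath` attribute id, the request shape `{ method, path, headers, roles }` and the sample response are assumptions made for the example. Two points a practitioner would want: header values are attacker controlled, so they are XML-escaped before being embedded in the request (otherwise a crafted header could inject extra attributes into what the PDP evaluates), and a missing Fiware-Service header is rejected up front, because with `MustBePresent="true"` the rule would otherwise evaluate to Indeterminate rather than Permit.

```javascript
// Added example: forward FIWARE headers to AuthZForce as XACML attributes.
// Not the Wilma PEP Proxy's own code; attribute ids other than the two used
// in the rule on this page are illustrative assumptions.

const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const STRING = 'http://www.w3.org/2001/XMLSchema#string';
const CAT = {
  subject: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
  resource: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
  action: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
};

// Header values come from the client; escape them so a crafted
// Fiware-Service value cannot inject markup into the PDP request.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
  })[c]);
}

function attribute(id, value) {
  return `<Attribute AttributeId="${escapeXml(id)}" IncludeInResult="false">` +
    `<AttributeValue DataType="${STRING}">${escapeXml(value)}</AttributeValue>` +
    `</Attribute>`;
}

function attributes(category, attrs) {
  return `<Attributes Category="${category}">${attrs.join('')}</Attributes>`;
}

// req is the request as the PEP proxy sees it: { method, path, headers, roles }.
// Header names are assumed already lower-cased (as Node's http module does).
function buildXacmlRequest(req) {
  const headers = req.headers || {};
  const service = headers['fiware-service'];
  // The rule above uses MustBePresent="true" on fiware-header; without the
  // header the PDP would answer Indeterminate, so fail closed here instead.
  if (!service) throw new Error('Fiware-Service header missing');
  const servicePath = headers['fiware-servicepath'] || '/';

  const subjectAttrs = (req.roles || []).map((r) =>
    attribute('urn:oasis:names:tc:xacml:2.0:subject:role', r)); // assumed id
  const resourceAttrs = [
    attribute('urn:thales:xacml:2.0:resource:sub-resource-id', req.path),
    attribute('fiware-header', service),          // matched by the rule above
    attribute('fiware-servicepath', servicePath), // assumed id for a second rule
  ];
  const actionAttrs = [
    attribute('urn:oasis:names:tc:xacml:1.0:action:action-id', req.method),
  ];
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    attributes(CAT.subject, subjectAttrs) +
    attributes(CAT.resource, resourceAttrs) +
    attributes(CAT.action, actionAttrs) +
    '</Request>';
}

// Pull the Decision out of a PDP response. Anything that is not an explicit
// Permit (Deny, NotApplicable, Indeterminate, or unparseable) is a denial.
function decisionOf(responseXml) {
  const m = /<Decision>\s*(Permit|Deny|NotApplicable|Indeterminate)\s*<\/Decision>/
    .exec(responseXml);
  return m ? m[1] : 'Indeterminate';
}

function isPermitted(responseXml) {
  return decisionOf(responseXml) === 'Permit';
}

// Constructed sample input and response (not captured traffic).
const sampleReq = {
  method: 'GET',
  path: '/v2/entities',
  headers: { 'fiware-service': 'smartgondor', 'fiware-servicepath': '/gardens' },
  roles: ['security-staff'],
};
const sampleResponse =
  `<Response xmlns="${XACML_NS}"><Result><Decision>Permit</Decision></Result></Response>`;

module.exports = { buildXacmlRequest, decisionOf, isPermitted, escapeXml, sampleReq, sampleResponse };
```

The generated request body is what would be POSTed to the AuthZForce domain's PDP endpoint in place of the proxy's default request; the rule above then matches on the `fiware-header` resource attribute exactly as it matches on the sub-resource id.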