diff options
| author |   Pamela Dragosh <pdragosh@research.att.com> | 2018-08-29 07:58:53 -0400 |
|---|---|---|
| committer | Pamela Dragosh <pdragosh@research.att.com> | 2018-08-29 12:34:55 -0400 |
| commit | 8279af376b435e1d7dd118a1955c5681edf3b847 (patch) | |
| tree | f0e9f24028b8e96908184192f9e2813a2981938a /controlloop/templates/template.demo/src/main | |
| parent | 17435998307f9f86ec5ebe55d6d36eceee1f1943 (diff) | |
Fix remaining checkstyle
Lots of formatting, missing javadoc, distance from use,
imports must be explicit, ordering of methods.
Fixed some abbreviation problems in classes and renamed
JUnit tests to fix this.
Issue-ID: POLICY-883
Change-Id: I8494f63d88d63c0232aca97f7bcc848816228fb1
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
Diffstat (limited to 'controlloop/templates/template.demo/src/main')
3 files changed, 278 insertions, 147 deletions
diff --git a/controlloop/templates/template.demo/src/main/resources/blacklist_template.xml b/controlloop/templates/template.demo/src/main/resources/blacklist_template.xml index c27ced3ac..590b19d25 100644 --- a/controlloop/templates/template.demo/src/main/resources/blacklist_template.xml +++ b/controlloop/templates/template.demo/src/main/resources/blacklist_template.xml @@ -18,57 +18,100 @@ limitations under the License. ============LICENSE_END========================================================= --> -<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> - <Description>Policy for frequency limiter.</Description> - <Target> - <AnyOf> - <AllOf> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> +<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" + PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" + Version="1" + RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> + <Description>Policy for frequency limiter.</Description> + <Target> + <AnyOf> + <AllOf> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>--> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${clname}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:clname:clname-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${clname}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" + AttributeId="urn:oasis:names:tc:xacml:1.0:clname:clname-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> - <!-- <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">--> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - </AllOf> - </AnyOf> - </Target> - <Rule RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" Effect="Deny"> - <Description>DENY - only if target is in black list and guard is active.</Description> - <Condition> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> - <VariableReference VariableId="isGuardActive"/> - <VariableReference VariableId="isInBlackList"/> - </Apply> - </Condition> - </Rule> - <VariableDefinition VariableId="isInBlackList"> - <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of"> - <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:target:target-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Apply> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> - ${blackListElement} - <!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">vserver.vserver-name</AttributeValue>--> - </Apply> - </Apply> - </VariableDefinition> - <VariableDefinition VariableId="isGuardActive"> - <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> - <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/> - </Apply> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> - </Apply> - </VariableDefinition> + <!-- <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">--> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" + AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" + AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + </AllOf> + </AnyOf> + </Target> + <Rule + RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" + Effect="Deny"> + <Description>DENY - only if target is in black list and guard is + active.</Description> + <Condition> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <VariableReference + VariableId="isGuardActive" /> + <VariableReference + VariableId="isInBlackList" /> + </Apply> + </Condition> + </Rule> + <VariableDefinition VariableId="isInBlackList"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of"> + <Function + FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" /> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" + AttributeId="urn:oasis:names:tc:xacml:1.0:target:target-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Apply> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> + ${blackListElement} + <!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">vserver.vserver-name</AttributeValue>--> + </Apply> + </Apply> + </VariableDefinition> + <VariableDefinition VariableId="isGuardActive"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> + <AttributeDesignator + AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" + DataType="http://www.w3.org/2001/XMLSchema#time" + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" + MustBePresent="false" /> + </Apply> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> + </Apply> + </VariableDefinition> </Policy> diff --git a/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template.xml b/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template.xml index 9e44ae846..34aa1af69 100644 --- a/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template.xml +++ b/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template.xml @@ -18,60 +18,110 @@ limitations under the License. ============LICENSE_END========================================================= --> -<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> - <Description>Policy for frequency limiter.</Description> - <Target> - <AnyOf> - <AllOf> - - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> +<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" + PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" + Version="1" + RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> + <Description>Policy for frequency limiter.</Description> + <Target> + <AnyOf> + <AllOf> + + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</AttributeValue>--> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${clname}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:clname:clname-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${clname}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" + AttributeId="urn:oasis:names:tc:xacml:1.0:clname:clname-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> - <!-- <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">--> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${targets}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:target:target-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - - </AllOf> - </AnyOf> - </Target> - <Rule RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" Effect="Deny"> - <Description>DENY - only if number of operations performed in the past is larger than the limit and the Guard is active.</Description> - <Condition> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> - <VariableReference VariableId="isGuardActive"/> - <VariableReference VariableId="isHistoryGreaterThanLimit"/> - </Apply> - </Condition> - </Rule> - <VariableDefinition VariableId="isGuardActive"> - <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> - <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/> - </Apply> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> - </Apply> - </VariableDefinition> - <VariableDefinition VariableId="isHistoryGreaterThanLimit"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:sql:resource:operations:count" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:guard:historydb:tw:${twValue}:${twUnits}" MustBePresent="false"/> - </Apply> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue> - </Apply> - </VariableDefinition> + <!-- <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">--> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" + AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" + AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${targets}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" + AttributeId="urn:oasis:names:tc:xacml:1.0:target:target-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + + </AllOf> + </AnyOf> + </Target> + <Rule + RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" + Effect="Deny"> + <Description>DENY - only if number of operations performed in + the past is larger than the limit and the Guard is active.</Description> + <Condition> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <VariableReference + VariableId="isGuardActive" /> + <VariableReference + VariableId="isHistoryGreaterThanLimit" /> + </Apply> + </Condition> + </Rule> + <VariableDefinition VariableId="isGuardActive"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> + <AttributeDesignator + AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" + DataType="http://www.w3.org/2001/XMLSchema#time" + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" + MustBePresent="false" /> + </Apply> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition + VariableId="isHistoryGreaterThanLimit"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" + AttributeId="com:att:research:xacml:test:sql:resource:operations:count" + DataType="http://www.w3.org/2001/XMLSchema#integer" + Issuer="com:att:research:xacml:guard:historydb:tw:${twValue}:${twUnits}" + MustBePresent="false" /> + </Apply> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue> + </Apply> + </VariableDefinition> </Policy> diff --git a/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template_old.xml b/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template_old.xml index 0bc182e71..b41fdb3f2 100644 --- a/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template_old.xml +++ b/controlloop/templates/template.demo/src/main/resources/frequency_limiter_template_old.xml @@ -18,46 +18,84 @@ limitations under the License. ============LICENSE_END========================================================= --> -<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> - <Description>Policy for frequency limiter.</Description> - <Target> - <AnyOf> - <AllOf> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> - </Match> - </AllOf> - </AnyOf> - </Target> - <Rule RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" Effect="Deny"> - <Description>DENY - only if number of operations performed in the past is larger than the limit and the Guard is active.</Description> - <Condition> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> - <VariableReference VariableId="isGuardActive"/> - <VariableReference VariableId="isHistoryGreaterThanLimit"/> - </Apply> - </Condition> - </Rule> - <VariableDefinition VariableId="isGuardActive"> - <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> - <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" MustBePresent="false"/> - </Apply> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> - </Apply> - </VariableDefinition> - <VariableDefinition VariableId="isHistoryGreaterThanLimit"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> - <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> - <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="com:att:research:xacml:test:sql:resource:operations:count" DataType="http://www.w3.org/2001/XMLSchema#integer" Issuer="com:att:research:xacml:test:sql:${timeWindow}" MustBePresent="false"/> - </Apply> - <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue> - </Apply> - </VariableDefinition> +<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" + PolicyId="urn:com:att:xacml:policy:id:25e12b06-11d5-4895-b2a2-6f6c594de069" + Version="1" + RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny"> + <Description>Policy for frequency limiter.</Description> + <Target> + <AnyOf> + <AllOf> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${actor}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" + AttributeId="urn:oasis:names:tc:xacml:1.0:actor:actor-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + <Match + MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#string">${recipe}</AttributeValue> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" + AttributeId="urn:oasis:names:tc:xacml:1.0:operation:operation-id" + DataType="http://www.w3.org/2001/XMLSchema#string" + MustBePresent="false" /> + </Match> + </AllOf> + </AnyOf> + </Target> + <Rule + RuleId="urn:com:att:xacml:rule:id:e1e8c5c0-e2ba-47d5-9289-6c015305ed21" + Effect="Deny"> + <Description>DENY - only if number of operations performed in + the past is larger than the limit and the Guard is active.</Description> + <Condition> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> + <VariableReference + VariableId="isGuardActive" /> + <VariableReference + VariableId="isHistoryGreaterThanLimit" /> + </Apply> + </Condition> + </Rule> + <VariableDefinition VariableId="isGuardActive"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> + <AttributeDesignator + AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" + DataType="http://www.w3.org/2001/XMLSchema#time" + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" + MustBePresent="false" /> + </Apply> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveStart}</AttributeValue> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#time">${guardActiveEnd}</AttributeValue> + </Apply> + </VariableDefinition> + <VariableDefinition + VariableId="isHistoryGreaterThanLimit"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> + <Apply + FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> + <AttributeDesignator + Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" + AttributeId="com:att:research:xacml:test:sql:resource:operations:count" + DataType="http://www.w3.org/2001/XMLSchema#integer" + Issuer="com:att:research:xacml:test:sql:${timeWindow}" + MustBePresent="false" /> + </Apply> + <AttributeValue + DataType="http://www.w3.org/2001/XMLSchema#integer">${limit}</AttributeValue> + </Apply> + </VariableDefinition> </Policy> |