#!/bin/bash

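# Abort on the first failing step.  Without this a failing step (in particular
# a deny rule that never gets written) is simply skipped and the script ends
# with a MORE permissive policy set than intended.
# NOTE(review): assumes RoleManager exits non-zero on failure — confirm.
set -e

# Every path in this script (./java-classpath, ./policies, ./CA/...) is
# relative to the current directory, so it must be run from its own directory.
if [[ ! -r ./java-classpath ]]; then
  printf 'error: ./java-classpath not found; run this script from its own directory\n' >&2
  exit 1
fi
# shellcheck source=./java-classpath
source ./java-classpath
: "${CLASSPATH:?./java-classpath must set CLASSPATH}"

# Command prefix used by every rule below.  It is a plain string that the call
# sites expand unquoted ($RoleManager ...), so CLASSPATH must not contain
# whitespace.  Exported so that child processes see the same definition.
export RoleManager="java -cp $CLASSPATH nbi.xmlsec.xacml.profile.rbac.RoleManager"

# Start from an empty ./policies directory.  rm/mkdir are looked up on PATH
# rather than pinned to /bin or /usr/bin (which differs between systems), and
# -f tolerates the directory not existing yet on a fresh checkout.
rm -rf -- ./policies
mkdir -- ./policies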

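# Create Role-User Assignments
# A user is identified by its X.509 certificate from the user CA; fail early if
# one is missing so that no role is left without a bound subject.
for cert in ./CA/UserCA/client.crt ./CA/UserCA/expert.crt ./CA/UserCA/nobody.crt; do
  if [[ ! -r "$cert" ]]; then
    printf 'error: user certificate %s is missing or unreadable\n' "$cert" >&2
    exit 1
  fi
done
# NOTE(review): client.crt is bound to both trustedClient and client, and no
# permission policy for trustedClient is defined in this script — confirm the
# role is provisioned elsewhere, otherwise the first assignment is dead.
$RoleManager -a -D biocase -R trustedClient -U ./CA/UserCA/client.crt
$RoleManager -a -D biocase -R client -U ./CA/UserCA/client.crt
$RoleManager -a -D biocase -R expert -U ./CA/UserCA/expert.crt
$RoleManager -a -D biocase -R guest -U ./CA/UserCA/nobody.crt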



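# Role client
#
# Rule arguments such as string-equal[...] / string-match[...] contain the
# glob characters '[' and ']'; they are single-quoted so the shell never
# subjects them to pathname expansion (a stray matching file in the working
# directory, or 'shopt -s nullglob', would otherwise silently alter a rule).

# Permit capabilities, scan and search requests
$RoleManager -a -D biocase -R client -P client-request -p permit_capabilities -z 'string-equal[capabilities-request]'
$RoleManager -a -D biocase -R client -P client-request -p permit_scan -z 'string-equal[scan-request]'
$RoleManager -a -D biocase -R client -P client-request -p permit_search -z 'string-equal[search-request]'

# Deny scan requests on UnitDigitalImages and GatheringSite (ABCD 1.20) and on
# MultiMediaObjects, Gathering SiteCoordinateSets and Gathering SiteImages (ABCD 2.06)
$RoleManager -a -D biocase -R client -P client-request -d -p deny_scan -z 'string-equal[scan-request]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitDigitalImages]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/Gathering/GatheringSite]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/MultiMediaObjects]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteCoordinateSets]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteImages]'

# Deny search requests on UnitDigitalImages and GatheringSite and sub elements
# (ABCD 1.20) and on MultiMediaObjects, Gathering SiteCoordinateSets and
# Gathering SiteImages and sub elements (ABCD 2.06) — same element set as the
# scan denial above.
$RoleManager -a -D biocase -R client -P client-request -d -p deny_search -z 'string-equal[search-request]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitDigitalImages]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/Gathering/GatheringSite]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/MultiMediaObjects]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteCoordinateSets]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteImages]'

# Permit search request only when the responseFormat limit attribute is <= 100
# (the default in pywrapper).
# NOTE(review): this rule carries no '-z string-equal[search-request]' target
# (it is commented out below).  Unless RoleManager merges rules that share the
# same -p name, this permit applies to EVERY request type whenever
# limit <= 100 — confirm against the RoleManager semantics.
$RoleManager -a -D biocase -R client -P client-request -p permit_search -C 'integer-less-than-or-equal[env[limit],100]'
# -z string-equal[search-request]

# Permit capabilities, scan and search responses (ABCD 1.2 and 2.06)
$RoleManager -a -D biocase -R client -P client-response -p permit_capabilities -z 'string-equal[capabilities-response]' -y 'string-match[http://www.biocase.org/schemas/protocol/1.3/capabilities]'
$RoleManager -a -D biocase -R client -P client-response -p permit_scan -z 'string-equal[scan-response]' -y 'string-match[http://www.biocase.org/schemas/protocol/1.3/scan]'
$RoleManager -a -D biocase -R client -P client-response -p permit_search -z 'string-equal[search-response]' -y 'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets]'
$RoleManager -a -D biocase -R client -P client-response -p permit_search -z 'string-equal[search-response]' -y 'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets]'

# Deny search responses on UnitDigitalImages and GatheringSite and sub elements (ABCD 1.20)
$RoleManager -a -D biocase -R client -P client-response -d -p deny_search -z 'string-equal[search-response]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitDigitalImages]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/Gathering/GatheringSite]'

# Deny search responses on MultiMediaObjects, SiteCoordinateSets and SiteImages
# and sub elements (ABCD 2.06)
$RoleManager -a -D biocase -R client -P client-response -d -p deny_search -z 'string-equal[search-response]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/MultiMediaObjects]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteCoordinateSets]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/Gathering/SiteImages]'

# Set DenyOverrides for PermissionPolicy client-response, so the deny rules
# above win over the broad permit_search rules on .../DataSets.
# NOTE(review): client-request also mixes permit and deny rules but has no
# policy-level '-d' like this one — confirm that the per-rule '-d' flags are
# sufficient for the request policy.
$RoleManager -a -D biocase -R client -P client-response -d


#$RoleManager -a -D biocase -R client -P client-response -p permit_capabilities_response -z string-equal[capabilities-response] -y string-match[http://www.biocase.org/schemas/protocol/1.3/capabilities/*]
#$RoleManager -a -D biocase -R client -P client-response -p permit_scan_response -z string-equal[scan-response] -y string-match[http://www.biocase.org/schemas/protocol/1.3/scan/*]
#$RoleManager -a -D biocase -R client -P client-response -p permit_search_abcd_response -z string-equal[scan-response] -y string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/*]
#$RoleManager -a -D biocase -R client -P client-response -d -p deny_search_UnitDigitalImage -z string-equal[search-response] -y string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitDigitalImages]
#$RoleManager -a -D biocase -R client -P client-response -d -p deny_search_GatheringSite -z string-equal[search-response] -y string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/Gathering/GatheringSite]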

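# Role guest
#
# Rule arguments are single-quoted because '[' and ']' are glob characters;
# unquoted they would be subject to pathname expansion by the shell.

# Permit only capabilities requests
$RoleManager -a -D biocase -R guest -P guest-request -p permit_capabilities -z 'string-equal[capabilities-request]'

# Permit scan requests on OriginalSource, DatasetDerivations and UnitID and all
# sub elements (ABCD 1.20) and all mandatory concepts of ABCD 2.06
# NOTE(review): the ABCD 1.2 UnitID path below lacks the 'DataSets/DataSet/'
# prefix that every other UnitID path in this script carries — most likely a
# typo that makes this entry match nothing; confirm with the policy owner
# before changing it, since correcting it widens guest access.
$RoleManager -a -D biocase -R guest -P guest-request -p permit_scan -z 'string-equal[scan-request]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/OriginalSource]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/Units/Unit/UnitID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/TechnicalContacts/TechnicalContact]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/ContentContacts/ContentContact]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/Description/Representation]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/RevisionData]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceInstitutionID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/UnitID]'


# Permit search requests on OriginalSource/Source, DatasetDerivations/DateSupplied
# and Supplier, UnitID and all sub elements (ABCD 1.20) and all mandatory
# elements of ABCD 2.06
# NOTE(review): the ABCD 2.06 paths here spell the element 'MetaData', while
# the expert signing rule in this script uses 'Metadata' — one of the two
# spellings cannot match; confirm against the schema.
$RoleManager -a -D biocase -R guest -P guest-request -p permit_search -z 'string-equal[search-request]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/OriginalSource/Source]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/DateSupplied]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/Supplier]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/TechnicalContacts/TechnicalContact/Name]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/ContentContacts/ContentContact/Name]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/Description/Representation/Title]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/RevisionData/DateModified]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceInstitutionID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/UnitID]'

# Permit search request only when the responseFormat limit attribute is <= 5
# NOTE(review): no '-z string-equal[search-request]' target on this rule (it is
# commented out below); unless RoleManager merges rules sharing a -p name, the
# permit applies to every request type whenever limit <= 5 — confirm.
$RoleManager -a -D biocase -R guest -P guest-request -p permit_search -C 'integer-less-than-or-equal[env[limit],5]'
# -z string-equal[search-request]


# Permit capabilities responses
$RoleManager -a -D biocase -R guest -P guest-response -p permit_capabilities -z 'string-equal[capabilities-response]'

# Permit scan responses
# NOTE(review): unlike the scan-request rule above, this permit has no '-y'
# element restriction; it presumably relies on the request-side filter — confirm.
$RoleManager -a -D biocase -R guest -P guest-response -p permit_scan -z 'string-equal[scan-response]'

# Permit search responses on OriginalSource, DatasetDerivations and UnitID and
# their sub elements only (ABCD 1.20) and all mandatory elements of ABCD 2.06
$RoleManager -a -D biocase -R guest -P guest-response -p permit_search -z 'string-equal[search-response]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/OriginalSource/Source]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/DateSupplied]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/Supplier]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/TechnicalContacts/TechnicalContact/Name]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/ContentContacts/ContentContact/Name]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/Description/Representation/Title]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/MetaData/RevisionData/DateModified]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceInstitutionID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/SourceID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units/Unit/UnitID]'

# Permit search responses on the data paths to OriginalSource, DatasetDerivations and UnitID only
#$RoleManager -a -D biocase -R guest -P guest-response -p permit_search -z string-equal[search-response] -y \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/OriginalSource] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units] \
#string-equal[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit]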

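# Role expert
#
# Rule arguments are single-quoted because '[' and ']' are glob characters;
# unquoted they would be subject to pathname expansion by the shell.

# Permit all kind of requests
$RoleManager -a -D biocase -R expert -P expert-request -p permit_capabilities -z 'string-equal[capabilities-request]'
$RoleManager -a -D biocase -R expert -P expert-request -p permit_scan -z 'string-equal[scan-request]'
$RoleManager -a -D biocase -R expert -P expert-request -p permit_search -z 'string-equal[search-request]'

# Permit all kind of responses
$RoleManager -a -D biocase -R expert -P expert-response -p permit_capabilities -z 'string-equal[capabilities-response]'
$RoleManager -a -D biocase -R expert -P expert-response -p permit_scan -z 'string-equal[scan-response]'
$RoleManager -a -D biocase -R expert -P expert-response -p permit_search -z 'string-equal[search-response]'

# Sign elements of responses
# NOTE(review): the ABCD 2.06 path below uses 'Metadata', whereas the guest
# rules in this script use 'MetaData' — only one spelling can match the
# schema; confirm which, since a mismatch here means that subtree is never
# signed.
$RoleManager -a -D biocase -R expert -P expert-response -p permit_sign -z 'string-equal[signElements-response]' -y \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/OriginalSource/Source]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/DateSupplied]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/DatasetDerivations/DatasetDerivation/Supplier]' \
  'string-match[http://www.tdwg.org/schemas/abcd/1.2/DataSets/DataSet/Units/Unit/UnitID]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Metadata]' \
  'string-match[http://www.tdwg.org/schemas/abcd/2.06/DataSets/DataSet/Units]'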

