- Overview
- Deployment
- Usage
- Administration
- Configuration
- API With Access Control
- Rules to determine the Context Broker action from the request
- Rules to determine the Perseo action from the request
- Rules to determine the Keypass Access Control action from the request
- Customizing PEP Proxy for other components
- License
- Development documentation
The Policy Enforcement Point (PEP) is a proxy meant to secure independent FiWare components, by intercepting every request sent to the component, validating it against the Access Control component. This validation is based in several pieces of data:
- User token: comes from the OAuth authorization server and is taken from the
x-auth-token
header. - ServiceId: is read from the
fiware-service
header and identifies the protected component. - SubserviceId: is read from the
fiware-servicepath
header and identifies further divisions of the service. - Action: the PEP guess the action for a particular request by checking the path or inspecting the body. The logic for performing such actions depends on the component that is being secured, so the PEP will need a plugin for each of this components.
Communication with the Access Control is based on the XACML protocol.
Along this document, the term IDM (Identity Manager) will be used, as a general term to refer to the server providing user and role creation and authentication. The currently supported IDM is Keystone; a Keyrock IDM option is provided as well, but it may be deprecated in the near future.
Three other documents provide further information about the PEP Proxy:
- Operations Manual: provides information on logs and alarms.
- Architecture information: provides further information on how the PEP works and is structured.
- Keystone installation: provides an example of Keystone installation with services and subservices that can be used to test the PEP Proxy and play with its features.
The PEP Proxy is standard Node.js app and doesn't require more dependencies than the Node.js interpreter and the NPM package utility.
Just checkout this directory and install the Node.js dependencies using:
npm install --production
The proxy should be then ready to be configured and used.
There are automatic builds of the development version of the Steelskin PEP Proxy published in Docker hub. In order to install using the docker version, just execute the following:
docker run -p 11211:11211 -p 1026:1026 -e LOG_LEVEL=DEBUG -e AUTHENTICATION_HOST=<Keystone-host> -e ACCESS_HOST=<Access-control-host> -e TARGET_HOST=<Orion-host> telefonicaiot/fiware-pep-steelskin
This command will create a docker container with a PEP Steelskin running, using for token validation and authentication, for access control and redirecting allowed requests to . Remember there are more environment variables you can use to tailor Steelskin configuration to suit your needs; you can find the complete list in the configuration section below.
Take note that this command expose two ports: the 1026 port for component requests and the administration port, 11211.
There is also the possibility to build your own local Docker image of the PEP component.
To do it, follow the next steps once you have installed Docker in your machine:
- Navigate to the path where the component repository was cloned.
- Launch a Docker build
- Using the default NodeJS version of the operating system used defined in FROM keyword of Dockerfile:
sudo docker build -f Dockerfile .
- Using an alternative NodeJS version:
sudo docker build --build-arg NODEJS_VERSION=0.10.46 -f Dockerfile .
The PEP within the Docker image can be run encapsulated within the pm2 Process
Manager by adding the PM2_ENABLED
environment variable.
docker run --name pep -e PM2_ENABLED=true -d fiware/fiware-pep-steelskin
Use of pm2 is disabled by default. It is unnecessary and counterproductive to add an additional process manager if your dockerized environment is already configured to restart Node.js processes whenever they exit (e.g. when using Kubernetes)
The PEP within the Docker image can be run with node inspection by adding the INSPECT_ENABLED
environment variable.
docker run --name pep -e INSPECT_ENABLED=true -d fiware/fiware-pep-steelskin
Use of node inspection is disabled by default.
In order to undeploy the proxy, if it was installed directly from the GIT repositories, just kill the process and remove the directory.
Assuming the PEP Proxy is deployed directly from the source code, it won't add itself as a service, and the running ports should be configured manually. This configuration will involve two steps:
- Changing the port of the Context Broker to a different internal port (not open to external connections). Refer to the Orion Context Broker Deployment Manual for instructions on how to do it.
- Changing the port of the proxy to listen in the Context Broker original port, and to redirect to the new one. This parameters can be changed in the config.js file in the root folder. Once configured, the service can be started as a demon with the following comand:
nohup bin/pep-proxy.js &> pep-proxy.log&
The proxy service is disabled once its installed. In order to enable it, use the following command:
service pepProxy start
Independently of how the service is installed, the log files will need an external rotation (e.g.: the logrotate command) to avoid disk full problems.
If the PEP Proxy is not started as a service, it can be started executing the following command from the project root:
bin/pep-proxy.js
Once the PEP Proxy is working, it can be used to enforce both authentication and authorization over the protected component (e.g. Orion Context Broker). In order to enforce both actions, the PEP Proxy has to be connected to an Identity Manager server and an Access Manager server. Next sections will show some examples of both processes.
Note that, in order for a request to be authorized through the Access Control, it's mandatory that it contains all of the following headers:
- x-auth-token: should contain a valid user token, generated by the IDM.
- fiware-service: should contain the name of a service created in the IDM and the user must have access to it.
- fiware-servicepath: should contain a route to a subservice, begining with a slash '/' symbol.
This headers are used by the IDM and Access Control systems to make the decisions about the request, so if any of them are missing, the request will not progress any further, and will be rejected with a 400 HTTP error code. For a detailed explanation of the returned errors, please refer to the API Error codes.
The proxy can also work in an authentication-only mode (using the config.access.disable
flag), in which case the fiware-service
and fiware-servicepath
headers can be marked as optional, or checked anyway for validity (controlled by the config.authentication.checkHeaders
flag). Header checking cannot be disabled for PEP Proxies performing authorization processes.
The authentication process is based on OAuth v2 tokens. The PEP Proxy expects all the requests to have a header x-auth-token
containing a valid access token from the IDM. All the requests without this requirement are rejected with a 401 error.
PEP Proxy currently supports two possible authentication authorities: Keyrock IdM and Openstack Keystone. The following sections show how to retrieve a token with each of this authentication technologies. The module can be configured using the config.authentication.module option.
In order to get an access token to send with the request, a user can send a request to the IDM, with its user and password (here shown as a curl request):
curl -i --user <serverUser>:<serverPassword> -X POST -H "Content-Type: application/x-www-form-urlencoded" https://<idmHostName>/oauth2/token -d 'grant_type=password&username=<theUserName>&password=<theUserPassword>'
If the user and password are correct, the response will be like the following:
{
"access_token":"O-OqiBR1AbZk7qfyidF3AwMeBY253xYEpUdkv",
"refresh_token":"Ny0OwE19230QfftxXYGwwgOLafa5v2xnI5t6HWdQ",
"token_type":"bearer",
"expires_in":2591999
}
The access_token
field contains the required token.
The must be used also to assign roles to each user. For details about role creation and assign, check the IDM API.
In order to get its access token, a user can send the following request to Keystone:
curl http://localhost:5000/v3/auth/tokens \
-s \
-i \
-H "Content-Type: application/json" \
-d '
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "SmartCity"
},
"name": "alice",
"password": "password"
}
}
}
}
}'
The token can be found in the X-Subject-Token
header of the response:
X-Subject-Token: MIIC3AYJKoZIhvcNAQcCoIICzTCCAskCAQExCTAHBgUrDgMCGjCCATIGCSqGSIb3DQEHAaCCASMEggEfeyJ0b2tlbiI6IHsiaXNzdWVkX2F0IjogIjIwMTQtMTAtMTBUMTA6NTA6NDkuNTMyNTQyWiIsICJleHRyYXMiOiB7fSwgIm1ldGhvZHMiOiBbInBhc3N3b3JkIl0sICJleHBpcmVzX2F0IjogIjIwMTQtMTAtMTBUMTE6NTA6NDkuNTMyNDkxWiIsICJ1c2VyIjogeyJkb21haW4iOiB7ImlkIjogImY3YTViOGUzMDNlYzQzZThhOTEyZmUyNmZhNzlkYzAyIiwgIm5hbWUiOiAiU21hcnRWYWxlbmNpYSJ9LCAiaWQiOiAiNWU4MTdjNWUwZDYyNGVlNjhkZmI3YTcyZDBkMzFjZTQiLCAibmFtZSI6ICJhbGljZSJ9fX0xggGBMIIBfQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAKRGV3uu8fiS7UNm47KhltSjlY1e7KnedUcD-mdwz6Asbo7X9hbtljy1ml9gGcuMf6vX4tycx4goRyMARPS7YKROd0evZtnYArIyx0IrmwDaqodwp8BxBCxFgHRZtCwzHvZFEaUcClydQq7HJvBfTgTwH4v1aJkMyK8wLMP-CYyiZSfCIWPVnoB9I3P56jeKHkmcryYLgT2I-AwDBj1zd9HPzUjyQuNj5rCMkJjvz-A9-hef6AMMZuYPMIYdkei+deq86O1qFuo7PpO2SA7QWkqjcsKs9v+myvHhLrBre9GLP2hP1rc4D67lSL2XB1UY20mc6FNIVIErxT0DOSXltXQ==
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 287
Date: Fri, 10 Oct 2014 10:50:49 GMT
{
"token": {
"issued_at": "2014-10-10T10:50:49.532542Z",
"extras": {},
"methods": [
"password"
],
"expires_at": "2014-10-10T11:50:49.532491Z",
"user": {
"domain": {
"id": "f7a5b8e303ec43e8a912fe26fa79dc02",
"name": "SmartValencia"
},
"id": "5e817c5e0d624ee68dfb7a72d0d31ce4",
"name": "alice"
}
}
}
For details on user and role creation, check the Keystone API.
Once the user is authenticated, the PEP Proxy will ask the Access Control for its permissions. In order for the request to be accepted, at least one rule has to match the request information and the user roles.
Rules are defined in XACML. The particular rules will depend on each case and are left to the authorization designer. The following document shows a typical rule explained for the use case of a Context Broker:
<Policy xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
PolicyId="policy03"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>frn:contextbroker:551:833:.*</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" />
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule RuleId="policy03rule01" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" />
</Apply>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>read</AttributeValue>
</Apply>
</Condition>
</Rule>
</Policy>
All the rules are associated to a service ID (the value of the fiware-service
header) and a subservice. When the request arrives to the Access Control, the later will retrieve all the permissions for the user roles, each one represented by a XACML policy. All the policies are applied then in order to find any that would let the request be executed.
In the example, the policy states the following: "if the resource has the prefix frn:contextbroker:551:833:
and the action read
the request would be allowed". This policy will allow read access over all the resources in subservice 833
of the service 551
to the roles that have it assigned. The meaning of the term resource will depend on the component which is being protected by the particular access rules. E.g.: for Orion Context Broker, the resources will be the entities of the CB; for each entity, the Policy Enforcement Point of the CB will generate a FRN, composed of the aforementioned prefix plus the identifier of the entity itself.
Another example could be this the following:
<Policy xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
PolicyId="policy02"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">frn:contextbroker:551:833:.*</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" />
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule RuleId="policy02rule01" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" />
</Apply>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Apply>
</Condition>
</Rule>
</Policy>
In this example, only those users with subjectId
(user's role) "admin" may write on resources of tenant 511 and subservice 833.
Any number of policies can be included in the Access Control for each pair (tenant, subject). If any of the policies can be applied to the request and Permit
the request, then the global result is a Permit
. If none of the policies can be applied (no target exist for the tenant, subservice and subject of the request) the result will be NotApplicable
. If there are policies that can be applied but all of them deny the access, the result will be a Deny
.
To start the service, use either the service command: service pepProxy start
Or just the launch script:
/etc/init.d/pepProxy start
For testing purposes it might be interesting to launch the process directly without the service. That can be done executing the following command from the project root directory:
./bin/pepProxy
Take into account that when the process is executed manually the system configuration for the script (in /etc/sysconfig/pepProxy) is not loaded and the default configuration (in /opt/pepProxy/config.js) is used.
To stop the service, use either the service command:
service pepProxy stop
Or just the launch script:
/etc/init.d/pepProxy stop
The status of the process can be retrieved using the service command:
service pepProxy status
It also can be checked with ps, using a filter with the command name:
ps -ef | grep "bin/pepProxy"
In both cases a result of 0 (echoing $?) indicates the process is supposed to be running, and an error otherwise.
The following command:
netstat -ntpl | grep 1026
can be used to check the process is listening in the appropriate port (provided the port is the standard 1026). The result should resemble this line:
tcp 0 0 0.0.0.0:1026 0.0.0.0:* LISTEN 12179/node
The PEP Proxy provides an Administration port that can be used to check whether the proxy is up and listening or down.
The administration API consists in a single /version
path, that returns useful information from the proxy (currently just the listening port and version).
Example of output:
{
"version": "0.4.1-next",
"port": 1026
}
All the configuration of the proxy is stored in the config.js
file in the root of the project folder. The values set inside config.js operate as the default values for all the important pieces of configuration data, so it is important none of them are removed (you can change them to suit your needs, as long as they have a valid value).
Another way of configuring the component is through the use of environment variables, although less configuration options are exposed with this mechanism.
In order to have the proxy running, there are several basic pieces of information to fill:
config.resource.proxy
: The information of the server proxy itself. Two ports must be configured for the proxy:port
indicates in which port is the proxy listening for requests;adminPort
indicates the administration port. E.g.:
{
port: 1026,
adminPort: 11211
}
config.resource.original
: The address and port of the proxied server. E.g.:
{
host: 'localhost',
port: 10026
},
config.access
: connection information to the selected Access Control PDP API. Includes adisable
flag, to allow the proxy to work in authentication-only mode and a flag to activate accounting access in file. E.g.:
{
disable: false,
protocol: 'http',
host: 'localhost',
port: 7070,
path: '/pdp/v3',
account: false,
accountFile: '/tmp/pepAccount.log',
accountMode: 'all'
}
Accounting log is only activated when account flag is true, and the logs are produced in a fixed INFO level for accessLogger, redardless of the pep log level. Note that accounting log is not rotated, so you should make sure you configure your own rotation system. Accounting access log include data about:
- Attempt was right or not
- Token
- Origin
- UserId
- UserName
- ServiceId
- Service
- SubServiceId
- SubService
- Action
- Path
- Body (Truncated to 100 chars when is valid access)
- Date
- Query Example of access log:
"Right Attempt | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z"
Note that the above format is not the same than the regular PEP log (although it is also based in fields separated by |
, the fields themselves are not the same).
Additionally a file configAccessMatch could be provided to pep to check matches about some elements involved in current access, regardless is right or not right access. For example:
- List for users involved
- List of headers and values
- List of subpaths in URL request
- List of subqueries in query request
- List of strings in body
PEP reloads this file each time it changes without needing restarting PEP itself.
This is an example of file configAccessMatch.js
(full path /opt/fiware-pep-steelskin/configAccessMatch.js
i.e. in a docker image):
// Activity related with a list of users
configAccessMatch.users = [
'cracker1', 'cracker2',
];
// Activity related with request which the following headers
configAccessMatch.headers = [
{ "fiware-service": "smartcity" },
{ "x-real-ip": "127.0.0.1" }
];
// Activity related with request including the following subpaths
configAccessMatch.subpaths = [
'/v1',
];
// Activity related with request including the following subqueries
configAccessMatch.subqueries = [
'flowControl', 'options',
];
// Activity related with request including the following strings in body
configAccessMatch.body = [
'legacy',
];
When any of theses patterns matches in current access, message access is added with MATCHED <element> <value>
, where <element>
would be: USER
, HEADER <header-name>
, SUBPATH
, SUBQUERY
, BODY
and <value>
the value which matches. For example:
Right Attempt MATCHED HEADER fiware-service smartcity | ResponseStatus=200 | Token=gAAAAABnBPgPrgwpcAkbQOZIryu5ADUIScyorN3vbPYbTJxTE5AF3RO1y25Tf-sL3EKzvfr_1U3u8IL8ylB4e4B_vD5yZjc9rnrSIqoiC77B7uZ1O1xZCyukq_MkjRxJLqA9yQ5lQtAQCC6ig7Kn5uPhpPD-mhVb7kyQjUw1QjtCiyP7UKXZvKU | Origin=172.17.0.22 | UserId=753b954985bf460fabbd6953c71d50c7 | UserName=adm1 | ServiceId=9f710408f5944c3993db600810e97c83 | Service=smartcity | SubServiceId=/ | SubService=/ | Action=read | Path=/v2/entities | Query={\"limit\":\"15\",\"offset\":\"0\",\"options\":\"count\"} | Body={} | Date=2024-10-08T09:25:30.441Z"
Account log has three modes: all
, matched
, wrong
. First one all
includes right and wrong access regardles if matches or not. Second one matched
includes all wrong and just rigth matches acess. And wrong
mode only includes all wrong access, regardless is matches or not with patterns.
config.componentName
: name of the component that will be used to compose the FRN that will identify the resource to be accessed. E.g.:orion
.config.resourceNamePrefix
: string prefix that will be used to compose the FRN that will identify the resource to be accessed. E.g.:fiware:
.config.bypass
: used to activate the administration bypass in the proxy. Valid values aretrue
orfalse
.config.bypassRoleId
: ID of the role that will be considered to have administrative rights over the proxy (so being transparently proxied without validation). Valid values are Role UUIDs. E.g.:db50362d5f264c8292bebdb5c5783741
.config.dieOnRedirectError
: this flags changes the behavior of the PEP Proxy when an error is received when redirecting a request. If the flag is true, the PEP Proxy process is shut down immediately; if it is false, the behavior is the usual: generate a 501 Code error.config.bodyLimit
: Controls the maximum request body size allowed, in bytes. Default is 1 Mb
config.authentication.checkHeaders
: when the proxy is working with the access control disabled (just user authentication), indicates whether thefiware-service
andfiware-servicepath
headers should be checked for existance and validity (checking: the headers exist, thy are not empty and the user is really part of the service and subservice mentioned in the header). This option is ignored when authorization is enabled, and considered to betrue
(as the headers constitute a mandatory part of the authorization process). Default value istrue
.config.authentication.module
: indicates what type of authentication server should be used: keystone or idm. The currently supported one (and default) iskeystone
.config.authentication.username
: username of the PEP proxy in the IDM.config.authentication.password
: password of the PEP proxy in the IDM.config.authentication.domainName
: (only meaningful for Keystone) name of the administration domain the PEP proxy user belongs to.config.authentication.retries
: as the authentication is based in the use of tokens that can expire, the operations against Keystone are meant to retry with a fresh token. This configuration value indicates how many retries the PEP should perform in case the communication against Keystone fails. The value0
means the default will be used (default value is 3). The value-1
implies that it should be retried forever.cacheTTLs
: the values in this object correspond to the Time To Live of the values of the different caches the PEP uses to cache requests for information in Keystone. The value is expressed in seconds and0
value implies unlimited.config.authentication.options
: address, port and other communication data needed to communicate with the Identity Manager. Apart from the host and port, default values should be used.
The config.js
file contains configuration parameter that lets the deployer decide what plugin the proxy should use in order to extract the action type from the request attributes: the middleware
parameter. This object has two attributes:
require
: indicating the route from the project folder to the module that contains the middleware.functions
: an array of the middlewares to execute from the selected module. All the currently available plugins are in the folderlib/plugins/
, and most of them implement a single middleware calledextractAction
(the name for Orion plugin isextractCBAction
). The following example should work for any plugin following this patterns:
config.middlewares = {
require: 'lib/plugins/perseoPlugin',
functions: [
'extractAction'
]
};
The environment variables provide ways of configuring the plugin without taking care of this details.
Some of the configuration values for the attributes above mentioned can be overriden with values in environment variables. The following table shows the environment variables and what attribute they map to.
Environment variable | Configuration attribute |
---|---|
PROXY_PORT | config.resource.proxy.port |
ADMIN_PORT | config.resource.proxy.adminPort |
TARGET_HOST | config.resource.original.host |
TARGET_PORT | config.resource.original.port |
LOG_LEVEL | config.logLevel |
ACCESS_DISABLE | config.access.disable |
ACCESS_HOST | config.access.host |
ACCESS_PORT | config.access.port |
ACCESS_PROTOCOL | config.access.protocol |
ACCESS_ACCOUNT | config.access.account |
ACCESS_ACCOUNTFILE | config.access.accountFile |
ACCESS_ACCOUNTMODE | config.access.accountMode |
AUTHENTICATION_HOST | config.authentication.options.host |
AUTHENTICATION_PORT | config.authentication.options.port |
AUTHENTICATION_PROTOCOL | config.authentication.options.protocol |
AUTHENTICATION_CACHE_PROJECTIDS | config.authentication.cacheTTLs.projectIds |
AUTHENTICATION_CACHE_ROLES | config.authentication.cacheTTLs.roles |
AUTHENTICATION_CACHE_USERS | config.authentication.cacheTTLs.users |
AUTHENTICATION_CACHE_VALIDATION | config.authentication.cacheTTLs.validation |
PROXY_USERNAME | config.authentication.user |
PROXY_PASSWORD | config.authentication.password |
PROXY_PASSWORD | config.authentication.password |
COMPONENT_NAME | config.componentName |
COMPONENT_PLUGIN | config.middlewares and config.componentName if no COMPONENT_NAME provided |
BODY_LIMIT | config.bodyLimit |
A special environment variable, called COMPONENT_PLUGIN
can be set with one of this values: orion
, perseo
, keypass
and rest
. This variable can be used to select what component plugin to load in order to determine the action of the incoming requests. This variable also rewrites config.componentName
configuration paramenter.
If SSL Termination is not available, the PEP Proxy can be configured to listen HTTPS instead of plain HTTP. To activate the SSL:
- Create the appropiate public keys and certificates and store them in the PEP Proxy machine.
- In the
config.js
file, change theconfig.ssl.active
flag to true. - In the same ssl object in the configuration, fill the path to the key and cert files.
PEP Proxy is able to start multiple instances by adding and configuring certain files in /etc/pepProxy.d
and using pepProxy
service script
In order to start multiple instances of the proxy, just add one configuration file per instance in the /etc/pepProxy.d
folder.
In its starting sequence, the pepProxy
service looks for files in /etc/pepProxy.d
that begins with pepproxy_
prefix and has .conf
extension and start (or stop or status or restat) one process for file found.
It is important to change PROXY_PORT
and ADMIN_PORT
to one not used by other PEP intances/services.
The validation of each request si done connecting with the Access Control component, which, using the information provided by the PEP Proxy, decides whether the user can execute the selected action in this organization or not. The following is a summary of this interaction with some examples.
The XACML Request maps the information extracted from the request and from the IDM (roles, organization and action) to XACML categories (access-subject
, resource
and action
, respectively).
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
ReturnPolicyIdList="false">
<!-- X-Auth-Token-->
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#int">511</AttributeValue>
</Attribute>
</Attributes>
<!-- fiware resource name being accessed: organization id -->
<Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute IncludeInResult="false"
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">frn:contextbroker:551:::</AttributeValue>
</Attribute>
</Attributes>
<!-- action performed -->
<Attributes
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute IncludeInResult="false"
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
</Attribute>
</Attributes>
</Request>
The XACML Response returns a Decision
element that can have the following values: “Permit”, “Deny”, “NotApplicable” or “Indeterminate”. The subset of allowable values understood by the PEP Proxy is:
Permit
: allows the request to continue its way to the Context Broker.Deny
: rejects the request, returning a 403 error to the requestor.
<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
<Result>
<Decision>Permit</Decision>
</Result>
</Response>
This is the list of actions available for the Context Broker. For every action, the abbreviature is also shown (will be used in some of the following tables).
Action | Abbreviature |
---|---|
create | C |
update | U |
delete | D |
read | R |
subscribe | S |
register | Reg |
discover | Dis |
N/A | - |
Method | Path | Action |
---|---|---|
GET | /v2 | R |
GET | /v2/entities | R |
GET | /v2/entities/{entityId} | R |
GET | /v2/entities/{entityId}/attrs | R |
POST | /v2/entities | C |
PATCH | /v2/entities/{entityId}/attrs | U |
POST | /v2/entities/{entityId}/attrs | U |
POST | /v2/entities/{entityId}/attrs?options=append | C |
DELETE | /v2/entities/{entityId} | D |
PUT | /v2/entities/{entityId}/attrs | U |
GET | /v2/entities/{entityId}/attrs/{attrId} | R |
PUT | /v2/entities/{entityId}/attrs/{attrId} | U |
DELETE | /v2/entities/{entityId}/attrs/{attrId} | D |
GET | /v2/entities/{entityId}/attrs/{attrId}/value | R |
PUT | /v2/entities/{entityId}/attrs/{attrId}/value | U |
GET | /v2/types | R |
GET | /v2/types/{typeId} | R |
GET | /v2/subscriptions | R |
POST | /v2/subscriptions | C |
GET | /v2/subscriptions/{subscriptionId} | R |
PATCH | /v2/subscriptions/{subscriptionId} | U |
DELETE | /v2/subscriptions/{subscriptionId} | D |
POST | /v2/op/query | R |
POST | /v2/op/update | (*) |
(*) It depends on the actionType
(within payload):
- update: U
- append: C
- appendStrict: C
- delete: D
- replace: U
Operations marked with a slash, "-" are now deprecated. All those operations will be tagged with the special action "N/A". If you want to allow them anyway, just add a rule to the Access Control allowing the "N/A" action for the desired roles.
The available actions are:
- readRule: to get working rules in CEP
- writeRule: to modify rules in CEP (create, delete, update)
- notify: to fire rules (if appropiate) with an event notification
The following tables show the map from method and path of the request to the action.
Method | Path | Action |
---|---|---|
POST | /notices | notify |
Method | Path | Action |
---|---|---|
GET | /rules | readRule |
GET | /rules/{id} | readRule |
POST | /rules | writeRule |
DELETE | /rules/{id} | writeRule |
Method | Path | Action |
---|---|---|
GET | /m2m/vrules | readRule |
GET | /m2m/vrules/{id} | readRule |
POST | /m2m/vrules | writeRule |
DELETE | /m2m/vrules/{id} | writeRule |
PUT | /m2m/vrules/{id} | writeRule |
The available actions are:
- createPolicy: to create a new policy for a subject in Keypass.
- listPolicies: to list all the policies belonging to a subject.
- deleteSubjectPolicies: to remove all the policies for a particular subject.
- deleteTenantPolicies: to remove all the policies for all the subjects of a tenant.
- readPolicy: to get the policy body for a particular policy.
- deletePolicy: to remove a single policy of a subject.
The following table show the map from method and path of the request to the action.
Method | Path | Action |
---|---|---|
POST | /pap/v1/subject/{subjectId} | createPolicy |
GET | /pap/v1/subject/{subjectId} | listPolicies |
DELETE | /pap/v1/subject/{subjectId} | deleteSubjectPolicies |
DELETE | /pap/v1 | deleteTenantPolicies |
GET | /pap/v1/subject/{subjectId}/policy/{policyId} | readPolicy |
DELETE | /pap/v1/subject/{subjectId}/policy/{policyId} | deletePolicy |
Most of the code of the proxy (i.e. the extraction of user data, the communication with the Keystone Proxy and the proxy process itself) will execute exactly the same for all the components. The exception is the rule to determine the action the request is trying to perform. To address this behavior and possible actions different customizations of the proxy could need, the proxy allows for the introduction of middlewares in the validation process.
The middlewares are quite similar to the ones used by the Connect (or Express) framework. A middleware is a function that receives three parameters:
- req: The object representing the incoming HTTP request. Along with all the request information, the request is used to store the information for the validation process (i.e. attributes
userId
with the user token,organization
with the organization extracted from the headers andaction
that should be filled in by the middlewares). - res: The object representing the response. This object can be used to stop the request pipeline due to conditions defined by the specific component (although it is advisable to use a
next(error)
call with a custom error to allow the error to be handled by the proxy). - next: Callback used to call the next middleware in the chain. In the current version, it is required that the call to the next middleware contains both the request and response objects (this behavior is not the same as the one in Connect middlewares). If the first parameter in the call is an error, the request will be rejected. If the first parameter is null or undefined, the request will continue through the validation process. This is an example of a call to next that lets the request follow through:
next(null, req, res);
The middlewares must be defined inside a Node.js module. They can be configured using the config.middlewares
object of the config.js
file. This object contains two attributes:
require
: path to the module that contains the middlewares, from the project root. The system currently supports only modules defined inside the fiware-pep-steelskin project (or in accessible folders).functions
: list of the middlewares to load. The names in this list must be exported functions of the module selected in the previous attribute.
For standard REST APIs that make use exclusively of the POST, PUT, DELETE and GET methods with their CRUD meaning, the PEP Proxy provides a generic plugin that maps those methods to actions in the access request. To configure it, put the following lines in the middleware section of the PEP Proxy installation:
config.middlewares = {
require: 'lib/services/restPlugin',
functions: [
'extractAction'
]
};
In order to add more expression power to the authorization rules created in the Access Control component, the Generic REST Plugin adds a new element to the FRN: the URL of the resource is appended to the existing elements in the FRN.
For applications that require a mapping between URLs and Method to actions when the REST Middleware is not enough, a plugin generator based on tables is provided. In order to use this plugin, create a new plugin file and import the ./urlTablePlugin
module. This module contains just one function, extractAction
, that takes a mapping table and generates a middleware function that extract the action of a request based on it.
The mapping table has to have one row for each action to check indicating:
- Request Method
- URL pattern (using regular expressions)
- Action name Whenever a request arrives to the plugin with the selected method and a URL that matches the URL expression, the action will be assigned to the request.
An example of use of the urlTablePlugin
can be found in the Perseo plugin.
Orion FiWare Policy Enforcement Point is licensed under Affero General Public License (GPL) version 3.
The project is managed using npm.
For a list of available task, type
npm run
The following sections show the available options in detail.
Mocha Test Runner + Should.js Assertion Library.
The test environment is preconfigured to run BDD testing style.
Module mocking during testing can be done with proxyquire
To run tests, type
npm test
jshint
Uses provided .jshintrc flag file. To check source code style, type
npm run lint
Support for continuous testing by modifying a src file or a test. For continuous testing, type
npm run test:watch
If you want to continuously check also source code style, use instead:
npm run watch
Istanbul
Analizes the code coverage of your tests.
To generate an HTML coverage report under site/coverage/
and to print out a summary, type
# Use git-bash on Windows
npm run test:coverage
Removes node_modules
and coverage
folders, and package-lock.json
file so that a fresh copy of the project is restored.
# Use git-bash on Windows
npm run clean
The project contains a script to aid in the releasing process. This script is located in the scripts/build
folder. In
order to create a new release, just invoke the script, from the project root folder, with the following line:
scripts/build/release.sh <NEW_VERSION> <RELEASE_TYPE>
Usually, RELEASE_TYPE
will be sprint
. This release procedure will do the following steps:
- Change the version in package.json to the selected version.
- Create a branch
release/0.6.0
and a tag0.6.0
frommaster
. - Add the
-next
suffix to the version in master and clean theCHANGES_NEXT_RELEASE
file.
For other release types, check the command help.