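#!/usr/bin/perl
# 28.1.2011, Sampo Kellomaki (sampo@zxid.org)
#
# Extract attributes from XACML request and print them as an LDIF-style record
#
# Usage: ./xacml2ldif.pl <xacml.xml >attrs.ldif
#
# The input can be SOAP <e:Envelope> containing <xasp:XACMLAuthzDecisionQuery> or
# just raw <xasp:XACMLAuthzDecisionQuery> or even bare <xac:Request>
#
# BUG: The namespace prefixes MUST be e, xasp, and xac.
#
# Security notes (the input is treated as untrusted):
#  - AttributeIds and AttributeValues are copied verbatim into the output, one
#    LDIF line each. Anything carrying CR/LF/NUL (or, for ids, whitespace and the
#    '$'/';' separators of the *map lines) is rejected so that a hostile request
#    cannot inject additional LDIF lines, attributes or map entries. The
#    subject-id is RFC 4514 escaped before it is placed inside the dn.
#  - A <!DOCTYPE>/<!ENTITY> declaration is rejected before parsing. SOAP messages
#    must not carry a DTD, and XML::Simple's default XML::Parser backend would
#    otherwise expand entities (entity-expansion DoS, possible external entity
#    fetch).
#  - Input is required to start with '<'. XMLin() treats a string that does not
#    look like XML as a *filename*, so STDIN must not be able to name a file.
#  - The ds:Signature on the query is NOT checked here. The caller must have
#    authenticated the request before trusting anything extracted below.
#  - NOTE(review): XML::Simple folds <xac:Attribute> elements by AttributeId, so
#    duplicated ids collapse into one hash key (presumably the last one wins) -
#    confirm whether the PDP should reject such requests instead.

use strict;
use warnings;
use XML::Simple;
use Data::Dumper;

# Slurp the whole request; $/ is localized so no other reader is affected.
my $data = do { local $/; <STDIN> };

#warn "IN($data)";

die "No XACML request supplied?!?" unless defined $data && length $data;

# Fail closed on a DTD: not legal in SOAP, and it is the vector for entity
# expansion / external entity attacks against the parser.
die "DOCTYPE/ENTITY declarations are not allowed in an XACML request"
    if $data =~ /<!(?:DOCTYPE|ENTITY)/i;

# Insist on an XML document so XMLin() never interprets STDIN as a path.
die "Input does not look like XML" unless $data =~ /\A\s*</;

my $rxx = XMLin($data,
                ForceArray => ['xac:Attribute'],
                KeepRoot   => 0,
                KeyAttr    => { 'xac:Attribute' => 'AttributeId' },
                GroupTags  => { 'xac:Action'      => 'xac:Attribute',
                                'xac:Subject'     => 'xac:Attribute',
                                'xac:Resource'    => 'xac:Attribute',
                                'xac:Environment' => 'xac:Attribute' });
#warn "Request: ".Dumper($rxx);

# Locate the <xac:Request>, whichever wrapper (if any) it arrived in.
# Every step is ref-checked: an unexpected document (e.g. an empty root
# element) yields a plain string from XMLin, not a hash.
my $xac_req;
if (ref $rxx eq 'HASH'
    && ref $rxx->{'e:Body'} eq 'HASH'
    && ref $rxx->{'e:Body'}{'xasp:XACMLAuthzDecisionQuery'} eq 'HASH') {
    $xac_req = $rxx->{'e:Body'}{'xasp:XACMLAuthzDecisionQuery'}{'xac:Request'};
}
$xac_req = $rxx->{'xac:Request'} if !defined $xac_req && ref $rxx eq 'HASH';
$xac_req = $rxx                  if !defined $xac_req;
die "No <xac:Request> found in input" unless ref $xac_req eq 'HASH';
#warn "xac_req: ".Dumper($xac_req);

# Reject a value that could not be emitted as a single LDIF line. CR, LF and
# NUL (and other C0 controls except TAB) would let the request start a new
# line - i.e. a new attribute or record - in the output.
# $what only names the offending field in the error; the value itself is never
# echoed, so the diagnostic cannot be used for log injection.
sub check_ldif_value {
    my ($what, $v) = @_;
    die "Refusing $what containing control characters\n"
        if $v =~ /[\x00-\x08\x0a-\x1f\x7f]/;
    return $v;
}

# An AttributeId becomes both an LDIF attribute name ("<id>: ...") and a field
# of the "<prefix>$<id>$$$;" map entries, so it must not contain the
# separators of either syntax, nor be empty.
sub check_attr_id {
    my ($what, $id) = @_;
    die "Refusing empty AttributeId in $what\n" unless defined $id && length $id;
    die "Refusing AttributeId with unsafe characters in $what\n"
        if $id =~ /[\s\$;\x00-\x1f\x7f]/;
    return $id;
}

# RFC 4514 escaping for an attribute value used inside a DN, so that a
# subject-id such as "x,o=admins" cannot rewrite the remainder of the dn.
sub dn_escape {
    my ($v) = @_;
    $v =~ s/([\\,+"<>;=])/\\$1/g;
    $v =~ s/\A([ #])/\\$1/;
    $v =~ s/( )\z/\\$1/;
    return $v;
}

# Return the string value(s) of one folded <xac:Attribute>. XML::Simple yields
# a plain string for a single bare <xac:AttributeValue>, a hash with 'content'
# when the element carries XML attributes, and an array when it is repeated
# (the original code printed "ARRAY(0x...)" in the latter two cases).
# Anything still structured after that is not representable and is dropped
# with a warning.
sub attr_values {
    my ($what, $attr) = @_;
    return () unless ref $attr eq 'HASH';
    my $v = $attr->{'xac:AttributeValue'};
    my @raw = ref $v eq 'ARRAY' ? @{$v} : ($v);
    my @out;
    for my $x (@raw) {
        $x = $x->{content} if ref $x eq 'HASH';
        if (!defined $x) {
            next;
        }
        if (ref $x) {
            warn "Ignoring structured AttributeValue in $what\n";
            next;
        }
        push @out, $x;
    }
    return @out;
}

# Print one "<id>: <value>" line per attribute value of one request category
# (Subject/Resource/Action/Environment) and return the map entries
# ("<prefix>$<id>$$$") naming where each id came from, in sorted id order.
# An empty category element folds to '' rather than a hash and yields nothing.
# NOTE(review): a category whose <xac:Attribute> lacks AttributeId cannot be
# folded by XML::Simple and shows up here as a non-hash; it is treated as
# empty - confirm that is the intended handling.
sub emit_category {
    my ($req, $cat, $prefix) = @_;
    my $attrs = $req->{$cat};
    return () unless ref $attrs eq 'HASH';
    my @map;
    for my $id (sort keys %{$attrs}) {
        check_attr_id($cat, $id);
        my @vals = attr_values("$cat $id", $attrs->{$id});
        @vals = ('') unless @vals;    # keep the "<id>: " line of the original
        for my $val (@vals) {
            print "$id: " . check_ldif_value("AttributeValue of $id", $val) . "\n";
        }
        push @map, "$prefix\$$id\$\$\$";
    }
    return @map;
}

# The dn is built from the XACML subject-id; an absent subject-id (as in the
# example below, which has an empty <xac:Subject>) produces an empty idpnid,
# exactly as before.
my $idpnid = '';
if (ref $xac_req->{'xac:Subject'} eq 'HASH') {
    my @sid = attr_values('subject-id',
        $xac_req->{'xac:Subject'}{'urn:oasis:names:tc:xacml:1.0:subject:subject-id'});
    $idpnid = $sid[0] if @sid;
}
check_ldif_value('subject-id', $idpnid);
print "dn: idpnid=" . dn_escape($idpnid) . ",o=users\nobjectclass: tas3user\nidpnid: $idpnid\n";

#warn "xac_req: ".Dumper($$xac_req{'xac:Subject'});
my @subjmap = emit_category($xac_req, 'xac:Subject', 'subj');
print "subjmap: " . join(';', @subjmap) . "\n";

my @rsrcmap = emit_category($xac_req, 'xac:Resource', 'rsrc');
print "rsrcmap: " . join(';', @rsrcmap) . "\n";

my @actmap = emit_category($xac_req, 'xac:Action', 'act');
print "actmap: " . join(';', @actmap) . "\n";

my @envmap = emit_category($xac_req, 'xac:Environment', 'env');
#print "envmap: " . join(';', @envmap) . "\n"; # env is the default anyway

print "\n";

# A buffered write error only surfaces at close; do not silently emit a
# truncated record.
close(STDOUT) or die "Error writing LDIF output: $!";

#$action = $$xac_req{'xac:Action'}{'urn:oasis:names:tc:xacml:1.0:action:action-id'}{'xac:AttributeValue'};
#$resource = $$xac_req{'xac:Resource'}{'urn:oasis:names:tc:xacml:1.0:resource:resource-id'}{'xac:AttributeValue'};
#$role = $$xac_req{'xac:Subject'}{'role'}{'xac:AttributeValue'};
#
#$perm = $$xx{'user'}{$role}{'aspect'}{$resource}{'right'};
#warn "perm($perm) from role($role) resource($resource) action($action)";

__END__

Example (azrq1):

<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body><xasp:XACMLAuthzDecisionQuery xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os" ID="RmQtc_SvgPVYANCPrELYfjl59" IssueInstant="2009-12-19T11:33:54Z" Version="2.0"><sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.tas3.pt:8080/zxidservlet/sso?o=B</sa:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#RmQtc_SvgPVYANCPrELYfjl59"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>60AyrnQBTal1wgUkU80gWWUAB4Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>QbXbs9WLovuE0Ft15GRK5n8t9iohQzgPUarSQklRIcvCDFafdewEZTGGYLsprZtarBMUTthmu7iVmxwV+iaW3ZoS5FmgoCta5hakMEIVxC8wAhF6JYi3hY3mYlwc86apYGKh/525KTNIbKXrA5nnQUNX6ORyXK3Vu09qyzMnOTE=</ds:SignatureValue></ds:Signature><xac:Request xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os"><xac:Subject></xac:Subject><xac:Resource></xac:Resource><xac:Action><xac:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><xac:AttributeValue>Show</xac:AttributeValue></xac:Attribute></xac:Action><xac:Environment></xac:Environment></xac:Request></xasp:XACMLAuthzDecisionQuery></e:Body></e:Envelope>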