1#!/usr/bin/perl
2# 28.1.2011, Sampo Kellomaki (sampo@zxid.org)
3#
4# Extract attributes from XACML request
5#
6# Usage: ./xacml2ldif.pl <xacml.xml >attrs.ldif
7#
# The input can be SOAP <e:Envelope> containing <xasp:XACMLAuthzDecisionQuery> or
# just raw <xasp:XACMLAuthzDecisionQuery> or even bare <xac:Request>
#
# BUG: The namespace prefixes MUST be e, xasp, and xac (elements are matched by
# their literal prefixed names, not by namespace URI).
# SECURITY: nothing in this script verifies the <ds:Signature> of the enclosing
# query; the caller must authenticate the request before acting on the LDIF
# this script emits.
12
use strict;
use warnings;

use Encode qw(encode);
use MIME::Base64 qw(encode_base64);
use XML::Simple;
use Data::Dumper;
15
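# ---------------------------------------------------------------------------
# Read the request from STDIN, locate the <xac:Request>, and emit one LDIF
# entry whose attributes are the XACML AttributeIds with their values, plus
# the "subjmap"/"rsrcmap"/"actmap" lines listing the ids per section.
#
# Every id and value reaching the output originates from the requester and is
# therefore treated as untrusted: values are encoded per RFC 2849 (base64 when
# they contain newlines or other unsafe bytes), the DN component is escaped
# per RFC 4514, and AttributeIds that could break the LDIF framing or the
# '$'/';'-delimited *map lines are rejected.
# ---------------------------------------------------------------------------

# Slurp STDIN; the request is a single XML document.
my $data = do { local $/; <STDIN> };
die "No XACML request supplied?!?" unless defined $data && length $data;

# NOTE(review): XML::Simple delegates to whichever parser it finds
# (XML::Parser/expat by default) and nothing here limits entity expansion or
# document size, so only feed this requests already bounded by the caller.
my $rxx = XMLin(
    $data,
    ForceArray => ['xac:Attribute'],
    KeepRoot   => 0,
    KeyAttr    => { 'xac:Attribute' => 'AttributeId' },
    GroupTags  => {
        'xac:Action'      => 'xac:Attribute',
        'xac:Subject'     => 'xac:Attribute',
        'xac:Resource'    => 'xac:Attribute',
        'xac:Environment' => 'xac:Attribute',
    },
);
#warn "Request: " . Dumper($rxx);

# Accept a SOAP envelope, a bare query, or a bare request (most to least wrapped).
my $xac_req;
if (ref $rxx eq 'HASH' && ref $rxx->{'e:Body'} eq 'HASH') {
    my $query = $rxx->{'e:Body'}{'xasp:XACMLAuthzDecisionQuery'};
    $xac_req = $query->{'xac:Request'} if ref $query eq 'HASH';
}
$xac_req = $rxx->{'xac:Request'} if !defined $xac_req && ref $rxx eq 'HASH';
$xac_req = $rxx                   if !defined $xac_req;
die "Could not locate <xac:Request> in input" unless ref $xac_req eq 'HASH';
#warn "xac_req: " . Dumper($xac_req);

# Plain-string values of one attribute's <xac:AttributeValue> element(s).
# XML::Simple yields a hash (text under the default ContentKey 'content') when
# the element carries attributes, and an array when it repeats.
sub attr_values {
    my ($attr) = @_;
    return () unless ref $attr eq 'HASH';
    my $raw  = $attr->{'xac:AttributeValue'};
    my @list = ref $raw eq 'ARRAY' ? @$raw : ($raw);
    return map {
        my $v = (ref $_ eq 'HASH' && exists $_->{content}) ? $_->{content} : $_;
        (defined $v && !ref $v) ? $v : ()
    } @list;
}

# Format one "type: value" LDIF line (RFC 2849).  A value that begins with
# SPACE, ':' or '<', or contains NUL/CR/LF or any non-ASCII character, is
# written base64-encoded after "::"; otherwise a requester-supplied value
# holding a newline would inject further LDIF lines into this entry.
sub ldif_line {
    my ($type, $value) = @_;
    $value = '' unless defined $value;
    if ($value =~ /\A[ :<]/ || $value =~ /[\x00\r\n]|[^\x00-\x7f]/) {
        return "$type:: " . encode_base64(encode('UTF-8', $value), '') . "\n";
    }
    return "$type: $value\n";
}

# Escape one DN attribute value per RFC 4514 so the requester cannot append
# extra RDNs (e.g. ",o=...") or otherwise reshape the entry's DN.
sub dn_escape {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/([\\,+"<>;=])/\\$1/g;            # special characters
    $value =~ s/\A([# ])/\\$1/;                  # leading '#' or space
    $value =~ s/( )\z/\\$1/;                     # trailing space
    $value =~ s/([\x00\r\n])/sprintf('\\%02X', ord $1)/ge;   # hex-escape control chars
    return $value;
}

# Print the attributes of one request section (sorted by id) and return the
# "<prefix>$<id>$$$" tokens that make up the matching *map line.
sub emit_section {
    my ($req, $tag, $prefix) = @_;
    my $section = $req->{$tag};
    return () unless ref $section eq 'HASH';
    my @tokens;
    for my $id (sort keys %$section) {
        # The id becomes an LDIF attribute type and a field of the
        # '$'/';'-delimited map, so it must contain neither delimiter,
        # whitespace, nor control characters.  Fail closed rather than emit
        # a malformed entry.
        die "Unsafe AttributeId in $tag: '$id'"
            if !length $id || $id =~ /[\$;\s\x00-\x1f\x7f]/;
        my @values = attr_values($section->{$id});
        @values = ('') unless @values;           # keep a "id: " line for valueless attributes
        print ldif_line($id, $_) for @values;
        push @tokens, "$prefix\$$id\$\$\$";
    }
    return @tokens;
}

# The subject-id becomes the entry's naming attribute.
my $subject = $xac_req->{'xac:Subject'};
my ($idpnid) = attr_values(
    ref $subject eq 'HASH'
        ? $subject->{'urn:oasis:names:tc:xacml:1.0:subject:subject-id'}
        : undef
);
$idpnid = '' unless defined $idpnid;
warn "No subject-id in request; emitting entry with empty idpnid\n" if $idpnid eq '';

print ldif_line('dn', 'idpnid=' . dn_escape($idpnid) . ',o=users');
print "objectclass: tas3user\n";
print ldif_line('idpnid', $idpnid);

my @subjmap = emit_section($xac_req, 'xac:Subject', 'subj');
print "subjmap: " . join(';', @subjmap) . "\n";

my @rsrcmap = emit_section($xac_req, 'xac:Resource', 'rsrc');
print "rsrcmap: " . join(';', @rsrcmap) . "\n";

my @actmap = emit_section($xac_req, 'xac:Action', 'act');
print "actmap: " . join(';', @actmap) . "\n";

# Environment attributes are emitted, but no envmap line: env is the default anyway.
emit_section($xac_req, 'xac:Environment', 'env');

print "\n";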
68
69#$action = $$xac_req{'xac:Action'}{'urn:oasis:names:tc:xacml:1.0:action:action-id'}{'xac:AttributeValue'};
70#$resource = $$xac_req{'xac:Resource'}{'urn:oasis:names:tc:xacml:1.0:resource:resource-id'}{'xac:AttributeValue'};
71#$role = $$xac_req{'xac:Subject'}{'role'}{'xac:AttributeValue'};
72#
73#$perm = $$xx{'user'}{$role}{'aspect'}{$resource}{'right'};
74#warn "perm($perm) from role($role) resource($resource) action($action)";
75
76__END__
77
78Example (azrq1):
79
80<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body><xasp:XACMLAuthzDecisionQuery xmlns:xasp="urn:oasis:xacml:2.0:saml:protocol:schema:os" ID="RmQtc_SvgPVYANCPrELYfjl59" IssueInstant="2009-12-19T11:33:54Z" Version="2.0"><sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.tas3.pt:8080/zxidservlet/sso?o=B</sa:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#RmQtc_SvgPVYANCPrELYfjl59"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>60AyrnQBTal1wgUkU80gWWUAB4Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>QbXbs9WLovuE0Ft15GRK5n8t9iohQzgPUarSQklRIcvCDFafdewEZTGGYLsprZtarBMUTthmu7iVmxwV+iaW3ZoS5FmgoCta5hakMEIVxC8wAhF6JYi3hY3mYlwc86apYGKh/525KTNIbKXrA5nnQUNX6ORyXK3Vu09qyzMnOTE=</ds:SignatureValue></ds:Signature><xac:Request xmlns:xac="urn:oasis:names:tc:xacml:2.0:context:schema:os"><xac:Subject></xac:Subject><xac:Resource></xac:Resource><xac:Action><xac:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"><xac:AttributeValue>Show</xac:AttributeValue></xac:Attribute></xac:Action><xac:Environment></xac:Environment></xac:Request></xasp:XACMLAuthzDecisionQuery></e:Body></e:Envelope>
81