
openconext-pdp's Introduction

OpenConext

License

See the LICENSE file

Disclaimer

See the NOTICE.txt file

General Information

General information on OpenConext can be found at: https://www.openconext.org

OpenConext uses the GitHub OpenConext wiki for information regarding deployment and development of OpenConext.

OpenConext wants to kindly thank BrowserStack.com for providing a "Free for Open Source" license. This tool provides live, web-based browser testing and eliminates the need for maintaining several local VMs.

openconext-pdp's People

Contributors

alanvdam, danakim, dependabot[bot], oharsta, precurse, quartje, ruben-hartog, s0meone, thijskh, tvdijen


openconext-pdp's Issues

XACML configuration files

I have an issue with the xacml.properties file and the xacml directory because I can't seem to override the default location of these files from the application.properties.

Setting them as below doesn't work:

xacml.properties.path=file:/some/path/xacml.conext.properties
policy.base.dir=file:/some/path/xacml/policies

The only solution I have right now is to copy my modified files to pdp-server/src/main/resources and run mvn build.

Impossible to find correct entity

When multiple entities (IdP, SP) have the same name, there is no way to distinguish between them in the PDP UI. For example:

[screenshot omitted: screenshot_20170607_154444_1598x1390]

It would be nice to show at least the status (prod or test) or the entityid.

Translations contain references to SURFnet

Both pdp-gui/src/javascripts/locale/en.js and nl.js contain 11 references to SURF. ROLE_ADMIN, e.g., is translated as "SURFnet Admin". They should only contain references to OpenConext.

Violations page not working

When viewing violations on a policy, I get "The PDP application is currently unavailable".
The global violations view (/violations) works; specific ones fail (/violations/123).
This started after updating from 2.0.1 to 2.0.2.

I have verified that the issue still exists on master and that a rollback to 2.0.1 fixes it.

java.lang.ClassNotFoundException when starting pdp

When I ran Openconext-Deploy engineblock5-centos7, pdp was provisioned. However, I noticed that it wasn't starting due to the following error:

Exception in thread "main" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:62)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:54)
        ... 1 more
Caused by: java.lang.IllegalStateException: Could not evaluate condition on org.springframework.boot.actuate.autoconfigure.HealthIndicatorAutoConfiguration$DataSourcesHealthIndicatorConfiguration due to org/springframework/mail/javamail/JavaMailSenderImpl not found. Make sure your own configuration does not rely on that class. This can also happen if you are @ComponentScanning a springframework package (e.g. if you put a @ComponentScan in the default package by mistake)
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:55)
        at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:102)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader$TrackedConditionEvaluator.shouldSkip(ConfigurationClassBeanDefinitionReader.java:436)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:127)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:116)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:333)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:243)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:273)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:98)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:678)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:520)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:118)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:766)
        at org.springframework.boot.SpringApplication.createAndRefreshContext(SpringApplication.java:361)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:307)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1191)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1180)
        at pdp.PdpApplication.main(PdpApplication.java:47)
        ... 6 more
Caused by: java.lang.NoClassDefFoundError: org/springframework/mail/javamail/JavaMailSenderImpl
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
        at java.lang.Class.getDeclaredMethods(Class.java:1975)
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:609)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:521)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:507)
        at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:567)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:683)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:627)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:597)
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1445)
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:975)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.addBeanTypeForNonAliasDefinition(BeanTypeRegistry.java:289)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.addBeanType(BeanTypeRegistry.java:278)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.getNamesForType(BeanTypeRegistry.java:259)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.collectBeanNamesForType(OnBeanCondition.java:182)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:171)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchingBeans(OnBeanCondition.java:139)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:86)
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47)
        ... 23 more
Caused by: java.lang.ClassNotFoundException: org.springframework.mail.javamail.JavaMailSenderImpl
        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at org.springframework.boot.loader.LaunchedURLClassLoader.doLoadClass(LaunchedURLClassLoader.java:178)
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:142)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        ... 43 more

I cloned the pdp repo and rebuilt it by adding the following to the pdp-server/pom.xml file. It seems to run OK after adding it under <dependencies>.

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context-support</artifactId>
    <version>3.2.8.RELEASE</version>
</dependency>

According to: http://stackoverflow.com/questions/21829749/cannot-find-class-org-springframework-mail-javamail-javamailsenderimpl-for-bea

At some point org.springframework.mail.javamail.JavaMailSenderImpl was moved to the dependency spring-context-support.

Ensure that you have the artifact spring-context-support included in your project, for example (if using Maven):

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context-support</artifactId>
    <version>3.2.8.RELEASE</version>
</dependency>

Link to context support versions

PDP authentication fails if the authenticating authority is not known to Manage.

As far as I could read from the code, on authentication PDP will do a lookup in Manage to find the pretty name that goes with the authenticating authority's entityID. In my case, I use an admin IdP that is not connected to the EB instance and therefore is not known to Manage.
This will lead to an 'Access denied' message in the logs and a 'PDP currently unavailable' message in the GUI, even though the Shibboleth authentication succeeded.

If this is indeed only used for pretty-printing the IdP's name (I'm not 100% sure), could this be fixed by falling back on the entityID as a name instead of failing miserably?

Move PDP admin GUI to Manage

Background:

  • The PDP admin GUI was created because at the time there was no "Manage".
  • The PDP admin GUI is dated and needs rework in any case and costs effort to maintain a separate admin interface.
  • There's limited integration between PDP and the entities in Manage, so the admins have no overview of everything in one place.

Proposal:

  • PDP remains the (XACML) based policy engine that exposes an API to EB for decisions (so the actual Policy Decision Point)
  • PDP keeps its database which contains the running config of active states used in the critical path.
  • The Admin GUI (PAP) is integrated in Manage, so there's one interface to "manage" the platform re SP/IdPs and related configs. Manage maintains the 'truth' re policies in existence in a collection. A PUSH will also push updated rules to the PDP api for storage in the db as running config. Much like EB.
  • The Manage GUI will make use of the fact that Manage now knows about policies: configured policies are shown when you view an SP/RP, deleting or renaming an SP will not create orphaned rules, etc

Issue with logback-file

With a /src/main/resources/logback.xml file in place, it's become useless to set logging.config=file:/example-dir/logback.xml because the one in the class-path will take precedence over the application.properties setting.
It took me quite a while to figure out why the app was trying to start with the default logback settings, while other apps like Manage and AA didn't give me this issue. Obviously, they don't include a default logback.xml, so my suggestion would be to either remove it from this repo, move it to extra/logback.xml, or exclude it from the jar using an exclusion in pom.xml.

Allowing access for multiple teams is always AND

When allowing access to multiple teams, the current behaviour seems to be that the user needs to be a member of all specified teams (rather than of at least one team), even though the rules are "OR" and the automatically generated description suggests that the user needs to be a member of either team.

I'm not entirely sure if this is intended or whether this is a bug. Either way, the UI is rather unclear on this point. If it is intended, then please add another way to allow access to more than one team.

trailing spaces in attribute values

Please remove trailing and leading spaces in attribute values when submitting a policy. I can't think of a situation in which such spaces would actually make sense, and they do get in the way in the current UI, in particular when copy-and-pasting SURFconext Teams identifiers: it is easy and unnoticeable to add an extra space, which gives very hard-to-debug issues.
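The two issues above (multiple teams evaluated as AND while the generated description says OR, and stray whitespace in pasted attribute values) both come down to how a team-membership condition is evaluated. The following is an added example written for this page, not code from openconext-pdp; the rule type, the combining modes, the attribute name and the sample team identifiers are all constructed for illustration. It shows a condition evaluator whose human-readable description is derived from the same combining mode the evaluator applies, and whose value comparison normalises whitespace, so that a trailing space in a pasted team id no longer silently turns a Permit into NotApplicable.

```python
"""Added example (not part of the openconext-pdp project): a minimal
team-membership condition evaluator that keeps the generated description
and the actual combining semantics in sync, and normalises attribute
values so that copy-and-paste whitespace cannot break a match.

All names, attribute URNs and team identifiers below are constructed.
"""

from dataclasses import dataclass
from enum import Enum


class Combine(Enum):
    ANY_OF = "any-of"  # member of at least one listed team (logical OR)
    ALL_OF = "all-of"  # member of every listed team (logical AND)


@dataclass
class TeamRule:
    attribute: str          # name of the multi-valued subject attribute (constructed)
    teams: list[str]        # team identifiers as entered in the policy editor
    combine: Combine = Combine.ANY_OF


def normalise(value: str) -> str:
    """Strip leading/trailing whitespace, including the non-breaking spaces
    that often sneak in when identifiers are pasted from a web page."""
    return value.replace("\u00a0", " ").strip()


def describe(rule: TeamRule) -> str:
    """Build the description from the rule's own combining mode, so the text
    shown to the admin can never claim OR while the engine evaluates AND."""
    joiner = " or " if rule.combine is Combine.ANY_OF else " and "
    return "Grant access if the user is a member of " + joiner.join(
        normalise(t) for t in rule.teams
    )


def evaluate(rule: TeamRule, subject: dict[str, list[str]],
             normalise_values: bool = True) -> str:
    """Return 'Permit' if the condition holds, otherwise 'NotApplicable'.

    normalise_values=False reproduces the raw comparison that makes a
    trailing space in a team id fail to match; it is here only to show
    the failure mode, a real evaluator should always normalise.
    """
    fix = normalise if normalise_values else (lambda v: v)
    wanted = {fix(t) for t in rule.teams}
    have = {fix(v) for v in subject.get(rule.attribute, [])}
    if not wanted:
        return "NotApplicable"          # a rule with no teams matches nobody
    if rule.combine is Combine.ANY_OF:
        matched = bool(wanted & have)   # at least one team in common
    else:
        matched = wanted <= have        # every listed team present
    return "Permit" if matched else "NotApplicable"


# Constructed sample data: a subject attribute carrying team memberships and a
# policy in which the second team id was pasted with a trailing space.
ATTR = "urn:example:subject:group"                       # constructed
TEAM_A = "urn:collab:group:example.org:team-a"           # constructed
TEAM_B = "urn:collab:group:example.org:team-b"           # constructed
SUBJECT_IN_A = {ATTR: [TEAM_A]}
RULE_ANY = TeamRule(ATTR, [TEAM_A, TEAM_B + " "], Combine.ANY_OF)
RULE_ALL = TeamRule(ATTR, [TEAM_A, TEAM_B + " "], Combine.ALL_OF)
RULE_ONLY_B = TeamRule(ATTR, [TEAM_B + " "], Combine.ANY_OF)
SUBJECT_IN_B = {ATTR: [TEAM_B]}


def demo() -> dict[str, str]:
    """Run the cases a policy author would want to see and return them."""
    return {
        "any_of_member_of_one": evaluate(RULE_ANY, SUBJECT_IN_A),
        "all_of_member_of_one": evaluate(RULE_ALL, SUBJECT_IN_A),
        "trailing_space_normalised": evaluate(RULE_ONLY_B, SUBJECT_IN_B),
        "trailing_space_raw": evaluate(RULE_ONLY_B, SUBJECT_IN_B, normalise_values=False),
        "description_any": describe(RULE_ANY),
        "description_all": describe(RULE_ALL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `describe()` deriving its wording from `rule.combine` is that the description and the decision cannot drift apart: an admin reading "team-a or team-b" gets OR semantics, and a policy that needs AND has to say so. The `trailing_space_raw` case shows why normalisation belongs in the policy editor or the evaluator (or both): the only difference between Permit and NotApplicable there is a single invisible character.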

OIDC idp

Can I put MITREid Connect as an IdP in the configuration? If yes, what information do I need to put in the configuration for the IdP?

Policy Not applicable

Hi,
Has anyone seen an issue where, after creating a policy through the PDP-gui and then immediately sending pdp-server the right set of request attributes for a permit decision, the result is NotApplicable?

dev to prod migration results in hard to diagnose errors

When the PDP server is tested in spring.profiles.active=dev mode, the database is filled with test rules referring to test IdPs and SPs, but in this mode changes do not persist across server restarts.
Once changed to prod, these policies remain, but are checked against the real metadata export from SR. This results in a hard-to-diagnose "Something went wrong when opening this page." Maybe a more graceful acceptance of unresolvable entityIDs could relieve this pain for admins that try to bootstrap PDP (manually).

Hangs on loading external resource

On Acc, the PDP hangs on loading an external resource, rollbar.min.js. It might be worth considering not loading any external resources at all, to increase privacy.

[screenshot omitted: pdp1]

Service Registry

  1. Is it possible to use OpenConext-pdp as a standalone PDP engine? What is the use of the service registry dependency?

  2. Is pdp-gui an alternative to the PAP in openaz?

UI doesn't remember number of rules to show

In the policy overview, there is a dropdown item to select the number of policies to show. It would be nice if:

  • the default would be much higher than the current 10
  • the UI would remember if the user changes this number (for example, in a cookie).

policy changelog

For accountability, it would be nice to have a log of who has made which changes to the authz policy, and to make that list visible in the PAP gui.
