Description
The idea is to use a XACML request template to generate the actual XACML request sent to the PDP at runtime. For each access request, the variables used in the template (e.g. user ID, user roles, action ID, resource ID) are resolved at runtime in the context of that request.
For this, you can use one of the many Python template engines listed here, for instance:
https://wiki.python.org/moin/Templating
For example, if you want the SDK to send XACML/JSON requests using the Jinja template engine, the app developer/admin would provide a XACML request template file like this:
{
  "Request": {
    "Category": [
      {
        "CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
            "Value": "{{ user_id }}"
          }
          {% if user_roles %}
          ,
          {
            "AttributeId": "urn:oasis:names:tc:xacml:2.0:subject:role",
            "Value": [
              {% for role in user_roles %}
              "{{ role }}"{% if not loop.last %},{% endif %}
              {% endfor %}
            ]
          }
          {% endif %}
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "{{ method_name }}"
          }
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
            "Value": "{{ url }}"
          }
        ]
      }
    ]
  }
}
When using the SDK API, the developer just needs to call the template's render method, template.render(variables), where variables is a dict such as {"user_id": "bob", "method_name": "read", ...}.
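The rendering step described above, written out as an added example (not code from this issue or from the SDK). It uses Jinja2, embeds a constructed template with the same three categories as the one shown here, and makes two changes a defender would want: every variable goes through Jinja's built-in `tojson` filter, so a user ID or URL containing a double quote or backslash is escaped rather than breaking out of the JSON string and altering the request, and the rendered text is parsed with `json.loads` before it would be sent, so a malformed request fails in the PEP instead of at the PDP. The role list is emitted with `tojson` as well instead of the hand-written loop, which removes the comma handling. `StrictUndefined` makes a missing required variable raise rather than render as an empty string. The function and helper names are assumptions.

```python
import json
from jinja2 import Environment, StrictUndefined

# Constructed template (assumption, modelled on the one in this issue).
# Each value is rendered with `tojson`, which produces a quoted, escaped JSON
# literal, so no variable is ever pasted raw between double quotes.
XACML_REQUEST_TEMPLATE = """
{
  "Request": {
    "Category": [
      {
        "CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
            "Value": {{ user_id | tojson }}
          }
          {% if user_roles is defined and user_roles %}
          ,
          {
            "AttributeId": "urn:oasis:names:tc:xacml:2.0:subject:role",
            "Value": {{ user_roles | tojson }}
          }
          {% endif %}
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": {{ method_name | tojson }}
          }
        ]
      },
      {
        "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
            "Value": {{ url | tojson }}
          }
        ]
      }
    ]
  }
}
"""

SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# StrictUndefined: a required variable that the caller forgot to pass raises
# UndefinedError instead of silently becoming "" in the request.
_env = Environment(undefined=StrictUndefined, autoescape=False)
_template = _env.from_string(XACML_REQUEST_TEMPLATE)


def render_xacml_request(variables: dict) -> dict:
    """Render the template with the request-time variables (a dict, as the
    issue proposes) and parse the result. Returns the XACML/JSON request as
    a Python dict; raises if the rendered text is not valid JSON."""
    rendered = _template.render(variables)
    return json.loads(rendered)


def attribute_value(request: dict, category_id: str, attribute_id: str):
    """Look up one attribute value in a rendered request (None if absent)."""
    for cat in request["Request"]["Category"]:
        if cat["CategoryId"] == category_id:
            for attr in cat["Attribute"]:
                if attr["AttributeId"] == attribute_id:
                    return attr["Value"]
    return None


if __name__ == "__main__":
    # Constructed sample variables; the user ID deliberately contains a quote.
    req = render_xacml_request({
        "user_id": 'bob"}, "Extra": 1',
        "user_roles": ["admin", "dev"],
        "method_name": "read",
        "url": "/api/v1/orders/42",
    })
    print(json.dumps(req, indent=2))
```

With the issue's original `"Value": "{{ user_id }}"` form, the sample user ID above would render as `"bob"}, "Extra": 1"` and either fail to parse or change the request's structure; with `tojson` it stays a single string attribute. The `json.loads` round trip is cheap and is the last point where the PEP still controls what is sent to the PDP.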
You may find valid XACML/JSON Request samples in the xacml-json-model project.
More examples of JSON templating with Python's Jinja:
http://sasheldon.com/blog/2013/12/14/simplifying-json-response-mocks-with-jinja/