Generic AAA Toolkits (GAAA-TK) Pluggable library
------------------------------------------------------------------
Version 0.8, 28 April 2009

1. General information about the library

The GAAA-TK library provides all necessary functionality to support policy based on-demand network resource provisioning in a heterogeneous multi-domain environment. The library allows for authorization request evaluation with a local XACML based PDP or by calling out to an external authorization service.

The major GAAA-TK components include the Policy Enforcement Point (PEP), the XACML based Policy Decision Point (PDP), the Context Handler supporting all communications between PDP and PEP, and the Obligations Handler. The Token Validation Service (TVS), which supports token based signalling and access control functionality, is a component of the general GAAA-TK library.

For the convenience of application developers, the GAAA-TK provides simple XACML policy generation tools.

The library provides flexible configuration that includes a set of domain related properties and policy and network topology description metadata.

The library is designed in such a way that it can be used by the network provisioning middleware at the control plane or service plane, and it can also provide a gateway between native Grid security middleware and network provisioning security services.

2. License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

3. GAAA-TK general structure

Described in detail in a separate document.
The major functional package is GAAAPI (Generic AAA programming interface), which accepts calls for service request evaluation against the AuthZ policy.

4. Major GAAAPI Components

Described in detail in a separate document.

- PEP (Policy Enforcement Point)
- PDP (Policy Decision Point)
- TVS (Token Validation Service)

4.1. GAAAPI PEP Interface

The PEP-GAAAPI interface provides a few commands/methods to request a policy based AuthZ decision, depending on the set of provided information:

a) Method #1 should either return a logical value "True" or "False", or throw the appropriate exception

   Boolean org.aaaarch.gaaapi.PEP.authorizeAction (String resourceURI, String actions, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,  /* user subjconfdata (i.e. authenticationToken) is not valid */
              org.aaaarch.gaaapi.NotAvailablePDPException;   /* PEP could not reach PDP, or other internal PDP error */

   where
   @ resourceURI – Resource ID in the form of a URI
   @ actions – requested actions (currently only one action is supported)
   @ {subjmap} – set of values (subject-id, subject-confdata, subject-role, subject-context)
     @ subject-id - subject Id in RFC822 form
     @ subject-confdata - AuthN token or SAML AuthN assertion
     @ subject-role - role for the particular request (either a simple attribute or an RQAN)
     @ subject-context - subject context, e.g. Experiment, VO, or VLab, in which the subject and resource attributes are defined

   Note: This method uses a complex resource URI that may consist of a ResourceId part and additional parameters in the form of "name=value" pairs.
b) Method #2 should either return a logical value "True" or "False", or throw the appropriate exception

   Boolean org.aaaarch.gaaapi.PEP.authorizeAction (HashMap resmap, HashMap actmap, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ resmap – set of the Resource related attributes in the form of a HashMap
     @ resmap = (resource-id, resource-domain, resource-type) and other resource related attributes
   @ actmap – requested actions (currently only one action is supported)

c) Method #3 should either return a logical value "True" or "False", or throw the appropriate exception

   Boolean org.aaaarch.gaaapi.PEP.authorizeAction (String resourceId, String actions, String subjectId, String subjconfdata, String roles, String subjctx)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   Note: This method uses the simple resource ID format. All additional parameters will be ignored and not used for policy resolution.
d) Method #4 should either return a logical value "True" or "False", or throw the appropriate exception

   Boolean org.aaaarch.gaaapi.PEP.authorizeAction (String authzToken, HashMap resmap, HashMap actmap, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ authzToken – access token in the form of an XMLToken

e) Method #5 should either return a valid AuthorisationTicket or AuthorisationToken, or throw the appropriate exception

   String org.aaaarch.gaaapi.PEP.authorizeAction (String authzTicketToken, String sessionId, String resourceURI, String actions)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAuthorizedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ authzTicketToken – AuthZ ticket or token containing all necessary AuthZ session context
   @ sessionId – Session ID, which can also be a Global or Local reservation ID (LRI/GRI)

f) Method #6 should either return a valid AuthorisationTicket or AuthorisationToken, or throw the appropriate exception

   String org.aaaarch.gaaapi.PEP.authorizeAction (String authzTicketToken, String sessionId, String resourceURI, String actions, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAuthorizedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

The following methods 7, 8 and 9 support more flexible session based AuthZ scenarios.
g) Method #7 should either return a boolean value Permit or Deny, or throw the appropriate exception

   boolean org.aaaarch.gaaapi.PEP.authorizeActionSession (String authzToken, String griReq, int delegtype, HashMap resmap, HashMap actmap, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAuthorizedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ delegtype - enumerated delegation types (for the resource)

   This method allows for flexible session based access control and delegation, where the AuthzToken is used as a session credential. It supports the following simple delegation scenarios, where the session permissions obtained by a privileged user (e.g. researcher, principal investigator) can be delegated to other users depending on the session-delegation mode. The delegation type attribute defines the following session delegation scopes:

   0 - strict session based delegation (only authorised roles for only authorised actions - PDP/policy based evaluation)
       Use: a privileged role can start the session/reserve the path and all authorised users can use it
   1 - full session delegation (all actions for all roles, i.e. just checking the validity of the token)
       Use: token based access control: any owner of the token can perform any action (Warning: recommended only in a controlled environment)
   2 - policy allowed actions for all legitimate roles
       (Note: resmap can contain only (resource-realm, resource-domain); the resource Ctx is retrieved based on the token)
   3 - controlled delegation (requires the extended AuthzTicket format; delegation is defined by the AuthzTicket context)
       (Note: resmap can contain only (resource-realm, resource-domain), subjmap can be null or contain only subject-context; resource and subject Ctx are retrieved based on the token)
   4 - controlled delegation, defined by a special delegation policy or the AuthzTicket context (not supported yet)

h) Method #8 should either return a new session/AuthZ token (of the same or a different type depending on configuration), or the string "Deny" or "Permit" depending on the PDP decision

   String org.aaaarch.gaaapi.PEP.authorizeActionSession (String authzToken, String griReq, int sescred, boolean renew, HashMap resmap, HashMap actmap, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAuthorizedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ sescred – session security credentials type (enumerated) that is expected to be returned
   @ renew – indicates whether the presented credentials should be renewed

   This method supports local domain session based access control, or it can be used for "chained" AuthZ decision requests, as in the case of multidomain path creation in G2MPLS. This method relies on the TVS method validateAndRelayPilotToken (String pilotToken, byte[] tokenKey) described below.

   The following sescredtype enumerated types are supported:
   1 - pilot token type=1 (not supported in current version)
   2 - pilot token type=2
   3 - pilot token type=3 (not supported by this method)
   10 - access token type=0
   11 - access token type=1 (not supported by this method)
   20 - AuthzTicket (not supported in current version)
   30 - SAML/SAML-XACML assertion (not supported in current version)

   Usage suggestions:
   1) authorizeActionSession (null, *, sescred, resmap, actmap, subjmap)
      - returns a session credential of sescredtype, or the string ("Permit" | "Deny") if sescredtype is not supported
   2) authorizeActionSession (authzToken, delegtype, *, resmap, actmap, subjmap)
      - returns "Permit" if (authzToken is VALID for the domain AND PDPdecision=True), or "Deny" if either authzToken is INVALID OR the policy/delegation decision is negative
   3) authorizeActionSession (authzToken, 1, *, resmap, *, *)
      - returns "Permit" if authzToken is VALID for the domain

i) Method #9 should either return a renewed session/AuthzToken if renew = (1,2) or no token is provided and the requested sescred is supported, or the string "Deny" or "Permit" depending on the PDP decision. It extends method #8 for the inter-domain reservation/access control scenario, e.g. the request contains a pilot token (or local AuthzToken or AuthzTicket) from the previous domain as session credential, and supports inter-domain delegation types.
   String org.aaaarch.gaaapi.PEP.authorizeActionSession (String authzToken, String griReq, int delegtype, int sescredtype, int renew, HashMap resmap, HashMap actmap, HashMap subjmap)
       throws java.lang.Exception,
              org.aaaarch.gaaapi.NotAuthenticatedException,
              org.aaaarch.gaaapi.NotAuthorizedException,
              org.aaaarch.gaaapi.NotAvailablePDPException;

   where
   @ sescredtype – session security credentials type (enumerated) that is expected to be returned
   @ renew – indicates whether the presented credentials should be renewed
       0 - no renewal, return the same token
       1 - renew with the same GRI/sessionId
       2 - renew with a new GRI (the old GRI will be included in the PTT(3,4) context)

   A positive AuthZ decision is made if the session credentials are valid (Note: no session context is available for the previous/other domain) and the policy/PDP decision is "Permit"; new session credentials are then returned. The method also supports basic delegation scenarios.

4.2. GAAAPI TVS interface

a) Token Builder commands

   public static byte[] TokenBuilder.getBinaryToken (String gri, byte[] tokenkey)
   public static String TokenBuilder.getXMLToken (String domainId, String gri, byte[] tokenKey, int validtime, boolean simple)
   public static String TokenBuilder.getXMLTokenPilot (String domainId, String gri, String domain, int validtime, byte[] tokenKey, int ptokentype, String tokenCtx)

b) TVS token validation interface - validates the binary or XML tokens themselves:

   public static boolean validateBinaryToken (String token, String gri, byte[] tokenKey) throws Exception
   public static boolean validateXMLToken (Document aztdoc, byte[] tokenKey) throws Exception, MalformedXMLTokenException, NotValidAuthzTokenException
   public static boolean validateXMLToken (String authzToken, byte[] tokenKey) throws Exception, MalformedXMLTokenException, NotValidAuthzTokenException

c) PEP-TVS interface: called from the PEP, validates the AuthZ Request (resmap, actmap, subjmap) against the XML token:

   public static boolean validateAuthzRequestByToken (String authzToken, HashMap resmap, HashMap actmap, HashMap subjmap) throws Exception, MalformedXMLTokenException, NotValidAuthzTokenException

d) The internal TVSTable programming interface uses the following basic commands:

   TVS.setEntryTVSTable (String domainId, String gri, HashMap resmap, HashMap actmap, HashMap subjmap)
   TVS.getEntryTVSTable (String domainId, String gri)
   TVS.deleteEntryTVSTable (String domainId, String gri)
   public static boolean purgeTVSTable (String domainId, int expireTime)

   Note that the TVS programming calls will be exposed as Web Services.

e) Interdomain signalling with XML pilot tokens

   The TVS token validation method validates the input pilot token and, if it is valid, generates a new token using pre-configured local domain properties such as the DomainId and the domain tokenKey; it can also be configured to either reuse the same GRI or generate a new one.

   public static String validateAndRelayPilotToken (String pilotToken, byte[] tokenKey) throws Exception

5. Test classes and calling code examples

The library contains a few packages/classes designed for testing and debugging the different functional components and for providing examples of how to work with the GAAAPI/GAAA-TK library.

TestGAAAPI - demonstrates operation and provides tests for the different GAAAPI components and functions.
TestTVS - demonstrates operation and provides tests for the different TVS components and functions.

5.1. Calling GAAAPI-PEP functions

1) Preparing input/test data

   //String subjectId = "WHO740@users.testbed.ist-phosphorus.eu";
   //String subjconfdata = "2SeDFGVHYTY83ZXxEdsweOP8Iok";
   //String roles = "researcher";
   //String roles = "admin";
   //String subjctx = "demo001";

   HashMap subjmap = SubjectSet.getSubjSetTest();

   // extracting subject attrs from the subjmap
   String subjectId = subjmap.get(ConstantsNS.SUBJECT_SUBJECT_ID).toString();
   String subjconfdata = subjmap.get(ConstantsNS.SUBJECT_CONFDATA).toString();
   String roles = subjmap.get(ConstantsNS.SUBJECT_ROLE).toString();
   String subjctx = subjmap.get(ConstantsNS.SUBJECT_CONTEXT).toString();

   String griprefix = "nsp-domain.uob";
   String sessionId = GRIgenerator.generateGRI(32, griprefix);

   String resourceId = "http://testbed.ist-phosphorus.eu/resource-type/nsp";
   String actions = ActionSet.NSP_CREATE_PATH;

2) Calling Methods #1 and #2 returning a boolean AuthZ decision

   // Actual call of PEP method #1
   boolean decision = PEP.authorizeAction (resourceId, actions, subjmap);

   // Actual call of PEP method #2
   boolean decision = PEP.authorizeAction (resourceId, actions, subjectId, subjconfdata, roles, subjctx);

3) Calling Methods #3 and #4 that accept and return an AuthZ ticket or token

   String azticket = PEP.authorizeAction ( (AzTicketToken or null), sessionId, resourceId, actions, subjmap);

   String authorizeAction (String authzTicketToken, String sessionId, String resourceId, String actions)
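The following class is an added example and is not code from the GAAA-TK distribution. It serves two passages of this README: the complex resource URI of PEP method #1 (section 4.1), which section 5.2 below shows being split into resource-domain, resource-subdomain and resource-type entries of resmap, and the session based call of PEP method #7 with delegation type 0. The wrapper treats every exception, including an unreachable PDP, as a deny, so the calling application never falls open when the authorization service is down. Assumptions not given in this README: the attribute keys are the plain names used in the text ("resource-id", "subject-id", ...) rather than the ConstantsXACMLprofileNRP/ConstantsNS constants, the actmap key is "action-id", additional "name=value" parameters are carried as a URI query string, and the three exception classes are unrelated siblings as the throws clauses suggest.

```java
import java.security.SecureRandom;
import java.util.HashMap;

import org.aaaarch.gaaapi.NotAuthenticatedException;
import org.aaaarch.gaaapi.NotAuthorizedException;
import org.aaaarch.gaaapi.NotAvailablePDPException;
import org.aaaarch.gaaapi.PEP;

/**
 * Added example, not part of GAAA-TK: builds the resmap that the library's
 * resource-URI parser produces (section 5.2) and calls PEP method #7
 * (section 4.1) fail-closed, so only an explicit PDP "true" permits.
 * Key strings, the actmap key and the query-string carrier are assumptions.
 */
public class SessionAuthzCaller {

    static final int STRICT_SESSION_DELEGATION = 0;   // delegtype 0: PDP/policy based evaluation

    /**
     * Section 5.2 convention: http://domain/subdomain/resource-type or
     * http://domain/resource-type, optionally followed by ?name=value&... (assumed).
     */
    static HashMap<String, Object> parseResourceUri(String uri) {
        HashMap<String, Object> resmap = new HashMap<String, Object>();
        String core = uri, query = null;
        int q = uri.indexOf('?');
        if (q >= 0) {
            core = uri.substring(0, q);
            query = uri.substring(q + 1);
        }
        int schemeEnd = core.indexOf("://");
        if (schemeEnd < 0) throw new IllegalArgumentException("resource URI must be absolute: " + uri);
        String[] parts = core.substring(schemeEnd + 3).split("/");
        if (parts.length < 2 || parts[0].length() == 0 || parts[parts.length - 1].length() == 0)
            throw new IllegalArgumentException("resource URI needs a domain and a resource type: " + uri);
        resmap.put("resource-id", core);                                   // ResourceId part without parameters
        resmap.put("resource-domain", parts[0]);                           // host part
        if (parts.length > 2) resmap.put("resource-subdomain", parts[1]);  // first path element, when present
        resmap.put("resource-type", parts[parts.length - 1]);              // last path element: type, VLAN or TNA
        if (query != null) {                                               // assumed carrier for "name=value" pairs
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                if (eq > 0) resmap.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
        }
        return resmap;
    }

    /** Wraps PEP method #7; any exception, including an unreachable PDP, is a deny. */
    static boolean isPermitted(String authzToken, String gri, HashMap resmap, HashMap actmap, HashMap subjmap) {
        try {
            return PEP.authorizeActionSession(authzToken, gri, STRICT_SESSION_DELEGATION, resmap, actmap, subjmap);
        } catch (NotAuthenticatedException e) {     // token or subject-confdata not valid
            return false;
        } catch (NotAuthorizedException e) {        // policy/delegation decision negative
            return false;
        } catch (NotAvailablePDPException e) {      // PDP unreachable: deny, never fall back to open access
            System.err.println("PDP unavailable, denying: " + e.getMessage());
            return false;
        } catch (Exception e) {                     // method #7 also declares java.lang.Exception
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed test data; subject values are the ones quoted in section 5.1
        HashMap<String, Object> subjmap = new HashMap<String, Object>();
        subjmap.put("subject-id", "WHO740@users.testbed.ist-phosphorus.eu");
        subjmap.put("subject-confdata", "2SeDFGVHYTY83ZXxEdsweOP8Iok");
        subjmap.put("subject-role", "researcher");
        subjmap.put("subject-context", "demo001");

        HashMap<String, Object> actmap = new HashMap<String, Object>();
        actmap.put("action-id", "create-path");       // key assumed; action name as in the ACT of section 6

        HashMap<String, Object> resmap =
            parseResourceUri("http://testbed.ist-phosphorus.eu/resource-type/nsp?vlan=100"); // vlan parameter constructed

        // Session/reservation id: GRI prefix from section 5.1 plus a random suffix
        // (stand-in for GRIgenerator.generateGRI, whose package this README does not give)
        byte[] rnd = new byte[16];
        new SecureRandom().nextBytes(rnd);
        StringBuilder gri = new StringBuilder("nsp-domain.uob-");
        for (byte b : rnd) gri.append(String.format("%02x", b));

        // An AuthzToken from an earlier call may be passed as the first argument; null lets the PEP decide
        String authzToken = args.length > 0 ? args[0] : null;
        boolean decision = isPermitted(authzToken, gri.toString(), resmap, actmap, subjmap);
        System.out.println("resmap=" + resmap + " decision=" + decision);
    }
}
```

Run it with the GAAA-TK jar on the classpath and, optionally, an AuthzToken string as the first argument. The parser keeps the ResourceId part without its parameters as resource-id, which matches the note on method #3 that parameters are not used for policy resolution.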
5.2. Calling TVS functions

1) Generating a binary token

   To request token generation from the calling application, use these commands/methods:

   byte[] org.aaaarch.gaaapi.tvs.TokenKey.generateTokenKey (String gri) throws Exception
   byte[] org.aaaarch.gaaapi.tvs.TokenBuilder.getToken (String gri, byte[] tokenkey) throws Exception

   Example:
   byte[] tokenkey = org.aaaarch.gaaapi.tvs.TokenKey.generateTokenKey(gri);
   byte[] token = org.aaaarch.gaaapi.tvs.TokenBuilder.getToken(gri, null);

   Note: the GRI can be generated using the TVS package as well:
   String gri = "".concat(org.aaaarch.gaaapi.common.IDgenerator.generateID(20).toString());

2) Generating an XML token

   To request XML token generation from the calling application, use these commands/methods:

   byte[] org.aaaarch.gaaapi.tvs.TokenKey.generateTokenKey (String gri) throws Exception   -- optionally
   public static String org.aaaarch.gaaapi.tvs.TokenBuilder.getXMLToken (String gri, byte[] tokenKey) throws Exception

   Example:
   String tokenxml = org.aaaarch.gaaapi.tvs.TokenBuilder.getXMLToken(gri, null);

3) Validating a binary token

   To verify a binary token, use these commands/methods:

   boolean validateToken (String token, String gri, byte[] tokenKey) throws Exception

   Example:
   boolean valid = org.aaaarch.gaaapi.tvs.TVS.validateToken (token, gri, null);

4) Validating an XML token

   To verify an XML token, use these commands/methods:

   boolean validateXMLToken (Document aztdoc, byte[] tokenKey) throws Exception, MalformedTokenException, NotValidAuthzTokenException
   boolean validateXMLToken (String authzToken, byte[] tokenKey) throws Exception, MalformedTokenException, NotValidAuthzTokenException

   Example:
   TvsXMLTokenType token = new org.aaaarch.gaaapi.tvs.TvsXMLTokenType (tokendoc);
   boolean timevalid = token.isTimeValid(token);

+++++++ NEW +++++++++++++++++++
/* Validity condition is defined in the following way:
 * - if "NotBefore" and "NotOnOrAfter" are present and not null
 *   then match the validity period
 * - if only "NotBefore" is present and not "0"
 *   then valid not before the specified time and not longer than the default validity period
 *   (that is defined as a TVS configuration constant)
 * - if only "NotOnOrAfter" is present and not "0"
 *   then valid until (not on or after) the specified time
 */
+++++++++++++++++++++++++++++++++++++++++++
/* Parse ResourceId in the form of a URL
 *   http://testbed.ist-phosphorus.eu/subdomain/resource-type/nsp
 *   http://testbed.ist-phosphorus.eu/subdomain/(vlan or TNA)
 * and split it into components:
 * - domain (ConstantsXACMLprofileNRP.RESOURCE_DOMAIN)
 * - subdomain (ConstantsXACMLprofileNRP.RESOURCE_SUBDOMAIN)
 * - resource-type or TNA/VLAN (ConstantsXACMLprofileNRP.RESOURCE_TYPE)
 */
   resource-id = http://testbed.ist-phosphorus.eu/resource-type/nsp
   Added to resmap: resource-domain = testbed.ist-phosphorus.eu
   Added to resmap: resource-subdomain = resource-type
   Added to resmap: resource-type = nsp
+++++++++++++++++++++++++++

6. XACML Policy generator – XACMLPolicyMaker

XACMLPolicyMaker uses the same policy generation conventions: it takes an Access Control Table (ACT) and produces a policy in the XACML format.

Example ACT for a simple NSP AuthZ policy (1 = permitted, 0 = not permitted):

   Roles           Admin   Researcher   Professor   Student
   Create-Path       1         1            0          0
   Activate-Path     1         1            1          0
   Cancel            1         1            0          0
   Access            0         1            1          1

7. Required libraries

The list of required libraries is provided below (it can also be found in the .classpath file of the Eclipse project snapshot).

NOTE: Due to the advanced cryptography functions used, the GAAA-TK library requires Java SE 6.
   gaaapi-nrp-v01-20080508.jar
   xmlsecSamples.jar
   dom3-xercesImpl-2.5.0.jar
   dom3-xml-apis-2.5.0.jar
   jaxrpc-sec.jar
   jaxrpc-1_1-fr-spec-api.jar
   soapprocessor.jar
   saaj-api.jar
   saaj-impl.jar
   bcprov-jdk15-130.jar
   xmldsig.jar
   xmlsec-1.4.1.jar
   commons-codec-1.3.jar
   joda-time-1.4.jar
   log4j-1.2.8.jar
   commons-logging-api.jar
   commons-logging-1.0.3.jar
   junit-3.8.1.jar

XACML and SAML related libraries:
   sunxacml-1.2.jar
   opensaml-1.1.jar
   opensaml-2.0-TP1-jdk-1.5.jar
   openws-1.0-alpha1-jdk-1.5.jar
   xmltooling-1.0-TP1-jdk-1.5.jar

Libraries to be placed into the endorsed directory (xalan 2.7 and xerces 2.5; Note: newer versions are incompatible with SunXACML):
   resolver.jar
   xalan-2.6.jar
   xercesImpl.jar
   xml-apis.jar
   xmlParserAPIs.jar
   xercesSamples.jar

Library to support IBC (Identity Based Cryptography):
   IdentityBasedEncryptionJCA.1.0.38.jar
   jakarta-regexp-1.4.jar
   bcel-head.jar
   FieldTracker.jar

Nuimcscg package for IBC:
   tender-dev.jar
   ArtimaSuiteRunnerAntTask.1.1.3.jar
   blitz-dev.jar
   fault-dev.jar

Artima package for IBC:
   suiterunner-1.0beta6.jar

--------------------------------------

8. GAAA-TK library Installation and configuration

This section provides basic information about the configuration parameters and about how the GAAA-TK library can be installed and integrated into the main application that needs to be protected by the AuthZ service.

8.1 Configuration

8.1.1 Directories structure

GAAAPI/TVS installation requires the configuration of a few folders that contain a key storage or are used as temporary directories when processing AuthZ session credentials.
The following directories are used in the current implementation and can be configured via the ConfigSecurity.java class (currently hard coded):

   LOCAL_DIR_ROOT = ""   - GAAAPI installation directory
   LOCAL_DIR_SECURITYCONFIG = LOCAL_DIR_ROOT + "data/config/";
   LOCAL_DIR_KEYSTORE = LOCAL_DIR_ROOT + "etc/security/keystore/";
   LOCAL_DIR_KEYSTORE_TRUSTED = LOCAL_DIR_KEYSTORE + "trusted/";
   LOCAL_DIR_SYMKEYSTORE = LOCAL_DIR_KEYSTORE + "cnlsec/symkeystore/";
   LOCAL_DIR_KEYSTORE_IBC = LOCAL_DIR_KEYSTORE + "ibc/";
   LOCAL_DIR_POLICY = LOCAL_DIR_ROOT + "data/policy/";
   LOCAL_DIR_SCHEMAS = LOCAL_DIR_ROOT + "data/schemas/";
   LOCAL_DIR_AAADATA_CACHE_AZTICKETS = LOCAL_DIR_ROOT + "_aaadata/cache/aztickets/";
   LOCAL_DIR_AAADATA_TMP = LOCAL_DIR_ROOT + "_aaadata/tmp/";

Note. The provided GAAA-TK package contains the complete directory structure and also the crypto keys. The TVS shared secret is hard coded into the token building classes. (A deployment therefore has to replace the shipped keys with its own, and changing the TVS shared secret means changing the token building classes.)

   +-- data
   |   +-- config
   |   |   +-- gaaapi-nrp-config001.xml
   |   |   +-- xacml1.2-config.xml
   |   +-- docs
   |   +-- policy
   |   |   +-- nrp
   |   |       +-- testbed.ist-phosphorus.eu
   |   +-- schemas
   |   +-- sql
   |   +-- wsdl
   +-- etc
   |   +-- security
   |       +-- keystore
   |           +-- ibc
   |           +-- trusted
   |           +-- xmlsec
   |           +-- unicore6
   |           +-- symkeystore
   +-- gaaa-bin
   |   +-- gaaapi-nrp-v0*-release-date*.jar
   +-- gaaa-lib
   |   +-- endorsed
   |   +-- lib-ibc
   +-- x-output
   +-- _aaadata
       +-- cache
       |   +-- aztickets
       |   +-- sessions
       +-- tvs-table-simple.xml
       +-- tmp

where gaaapi-nrp-v0*-release-date*.jar is the GAAA-TK library of the recent release.

8.1.2 Configuring domain related information with the gaaapi-nrp-config001.xml file

The GAAA-TK configuration facility allows configuring domain specific information in the gaaapi-nrp-config001.xml file.
The listing below provides an example of such a configuration, which allows specifying: the local domain and neighbour domains, the domains' public key information (which is treated as trusted), identifiers for the domain related services AAAServer, TVS and AARR, and other information related to profile, namespace and other types of metadata. It is expected that this information will be extended with directory configuration information in the next release of the library.

Configuration listing (only the element values survived in this copy; the XML element names are not preserved):

   http://testbed.ist-phosphorus.eu/phosphorus/_public_key_/a8b7573ff8a820fe31b9a67858d7ad37a756818c5756fca04a7f4e9334f92
   http://testbed.ist-phosphorus.eu/phosphorus/_public_key_/a8b7573ff8a820fe31b9a67858d7ad37a756855756fca04a7536f4e9334f92
   http://testbed.ist-phosphorus.eu/phosphorus/_public_key_/a8b7573ff8a820fe31b9a67858d7ad37a756818c5756fca07536f4e9334f92
   x-urn:gaaapi:pep-pdp
   azticket
   0
   86400
   3600

8.2 Installation

The current GAAA-TK library requires manual installation. The installation package consists of 3 archives:

   gaaa-tk-lib-external-libraries.zip – all required libraries, including the GAAA-TK library itself
   gaaa-tk-lib-directories.zip – all necessary supporting directories
   gaaa-tk-lib-test-classes.zip – test classes that contain examples of how to call the library functions

The installation procedure is simple. To install the GAAA-TK library, unpack the provided archives into the selected directory from which the GAAA-TK functions will be run.
8.3 Required external libraries

The list of currently used libraries supporting the core GAAAPI and TVS functionality:

   bcprov-jdk15-140.jar
   commons-codec-1.3.jar
   commons-logging-1.0.3.jar
   commons-logging-api.jar
   dom3-xercesImpl-2.5.0.jar
   dom3-xml-apis-2.5.0.jar
   jaxrpc-1_1-fr-spec-api.jar
   jaxrpc-sec.jar
   joda-time-1.4.jar
   junit-3.8.1.jar
   log4j-1.2.12.jar
   opensaml-2.2.0.jar
   openws-1.2.2.jar
   saaj-api.jar
   saaj-impl.jar
   soapprocessor.jar
   slf4j-api-1.5.5.jar
   slf4j-log4j12-1.5.5.jar
   xmldsig.jar
   sunxacml-cvs1.6.jar
   sunxacml-support-cvs1.6.jar
   sunxacml-test-cvs1.6.jar
   xmlsec-1.4.1.jar
   xmlsecSamples.jar
   xalan-2.6.jar
   xercesImpl.jar
   xmltooling-1.2.0.jar

The following libraries must be placed into the "endorsed" directory:

   endorsed/resolver-2.9.1.jar
   endorsed/serializer-2.9.1.jar
   endorsed/xalan-2.7.1.jar
   endorsed/xercesImpl-2.9.1.jar
   endorsed/xercesSamples.jar
   endorsed/xml-apis-2.9.1.jar
   ext-unicore6-assertion-utils01.jar

The following libraries are required to support the use of Unicore6 SAML assertions and the Unicore6 Security Framework:

   lib-unicore/SAMLtypes-1.1.jar
   lib-unicore/xbean.jar
   lib-unicore/axiom.jar
   lib-unicore/axis2-kernel-1.4.1.jar
   lib-unicore/wss4j-1.5.5.jar
   lib-unicore/ext-unicore6-assertion-utils01.jar – contains the necessary classes from the Unicore Security Framework library

8.4. Eclipse project setup

All required directories and keys are supplied as part of the Eclipse project snapshot. To install in Eclipse (version 3.2+), just unpack it and add it as a standard Eclipse project.

To get the complete directory structure, unzip the project archive and copy the directories to the location where the library will be used.

9. Running test classes and examples

The following two main test classes provide an interactive interface for running examples and testing/debugging the whole system.

   #java TestGAAAPI

TestGAAAPI runs different tests that involve all API calls and methods.
"0 - test GAAAPI: Simple test PEP & TestPDPlocal (hard-coded policy); \n" + "1 - test GAAAPI: Test PDPXACML & booleanPEP (simple ResourceId);" "2 - test GAAAPI: Test PDPXACML & booleanPEP (complex ResourceId);" "3 - test PEP-TVS (Stage 1&2 - Reservation && Deployment): Request PEP-XACMLPDPD -> create XMLToken -> Program TVS" "4 - test PEP-TVS (Stage 3 - Access): Request PEP-XACMLPDPD with AuthzToken \n" "5 - AuthZ Session Mngnt with AuthzToken: (1) AuthzReq & return AuthzToken; (2) AuthzReq w. AuthzToken" "6* - AuthZ Session with AuthzTicket: AuthzRequest with Azticket & Evaluate AuthzTicket w. Triage & Return Azticket;" "7* - AuthZ Session with AuthzTicket: AuthzRequest with Azticket & Evaluate AuthzTicket w. Triage & Return Aztoken;;" #java TestTVS TestTVS class provides interactive tool for testing and debugging all TVS token handling functionality. "0 - TVS-TB: generate token of GRI - TokenBuilder.getBinaryToken (GRI, TokenKey or null)" (uses internal TokenKey or default token generation convention)" "1 - TVS: validate binary token - TVS.ValidateBinaryToken (GRI, TokenValue, TokenKey?))" "2 - TVS-TB: generate XMLtoken of GRI - TokenBuilder.getXMLToken(GRI, TokenKey||null)" "3 - TVS: validate XML token (generated in option 2) - TVS.validateXMLToken (XMLToken, TokenKey||null))" "4 - PEP-TVS: Validate Service/PEP Request with XMLToken (generated in option 2)" "5 - TVS-TB: generate Pilot XMLtoken types 1-3 - TokenBuilder.generatePilotXMLToken(gri, domainId, validtime, tokenKey, toktype, tokPrevs)" "6 - TVS: validate and process pilot XML token (generated in option 5) - TVS.validateXMLToken (XMLToken, TokenKey||null))" "7 - Programming TVS(table): Create and fill in TVStable (GRI, DomainId, sessionCtx)" "8 - Programming TVS(table) via API: add/delete entry, purge;" + "10* - Programming TVS(table) via WS/XML message: MessageSetTVS (GRI, ResourceID, (TokenValue | TokenKey)?, NotBefore?, NotOnOrAfter?)" 
========================================================================
Appendix A - XACML Policy example
========================================================================

(Only the text content of the policy survived in this copy; the XACML element markup is not preserved.)

Description: Permit actions for Phosphorus testbed users with specific roles
Resource:    http://testbed.ist-phosphorus.eu/resource-type/nsp

Rules (action: permitted roles):
   create-path:    admin, researcher, professor
   activate-path:  researcher, professor
   cancel:         admin
   access:         admin, professor, researcher, student
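The ACT of section 6 and the policy in this appendix describe the same mapping from action to permitted roles. As an added example, and not the XACMLPolicyMaker shipped with GAAA-TK (whose conventions are documented separately), the class below renders such a table as an XACML 1.x policy: one Permit rule per action whose target matches the role attribute of each role marked 1, followed by a catch-all Deny rule under the first-applicable combining algorithm, so an action absent from the table is denied rather than left Not Applicable. Assumptions: the subject role attribute id (ROLE_ATTR) is a placeholder, since the README does not name the one the library uses; the resource-id is the NSP resource URI from section 5.1; role names are lower-case as in the appendix.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not the GAAA-TK XACMLPolicyMaker: renders an Access Control
 * Table (action -> role -> 1/0) as an XACML 1.x policy with explicit Permit
 * rules and a closing Deny rule.  ROLE_ATTR is a placeholder attribute id.
 */
public final class ActToXacml {

    static final String NS = "urn:oasis:names:tc:xacml:1.0:policy";
    static final String STRING = "http://www.w3.org/2001/XMLSchema#string";
    static final String ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI";
    static final String FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable";
    static final String STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal";
    static final String ANYURI_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
    static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    static final String ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id";
    // PLACEHOLDER: this README does not give the role attribute id the library's policies use.
    static final String ROLE_ATTR = "urn:placeholder:gaaa-tk:subject:role";

    static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
    }

    /** One <Subject> match on the role attribute. */
    static String subjectMatch(String role) {
        return "        <Subject><SubjectMatch MatchId=\"" + STRING_EQUAL + "\">"
             + "<AttributeValue DataType=\"" + STRING + "\">" + esc(role) + "</AttributeValue>"
             + "<SubjectAttributeDesignator AttributeId=\"" + ROLE_ATTR + "\" DataType=\"" + STRING + "\"/>"
             + "</SubjectMatch></Subject>\n";
    }

    /** act: action name -> (role name -> 1 or 0), the ACT layout of section 6. */
    static String buildPolicy(String policyId, String resourceUri, Map<String, Map<String, Integer>> act) {
        StringBuilder sb = new StringBuilder();
        sb.append("<Policy xmlns=\"" + NS + "\" PolicyId=\"" + esc(policyId)
                + "\" RuleCombiningAlgId=\"" + FIRST_APPLICABLE + "\">\n");
        // Policy-level target: this one resource, any subject, any action
        sb.append("  <Target>\n    <Subjects><AnySubject/></Subjects>\n");
        sb.append("    <Resources><Resource><ResourceMatch MatchId=\"" + ANYURI_EQUAL + "\">"
                + "<AttributeValue DataType=\"" + ANY_URI + "\">" + esc(resourceUri) + "</AttributeValue>"
                + "<ResourceAttributeDesignator AttributeId=\"" + RESOURCE_ID + "\" DataType=\"" + ANY_URI + "\"/>"
                + "</ResourceMatch></Resource></Resources>\n");
        sb.append("    <Actions><AnyAction/></Actions>\n  </Target>\n");
        for (Map.Entry<String, Map<String, Integer>> row : act.entrySet()) {
            List<String> permitted = new ArrayList<String>();
            for (Map.Entry<String, Integer> cell : row.getValue().entrySet()) {
                if (cell.getValue() == 1) permitted.add(cell.getKey());
            }
            if (permitted.isEmpty()) continue;   // an all-zero row needs no Permit rule; the final Deny covers it
            String action = row.getKey();
            sb.append("  <Rule RuleId=\"permit-" + esc(action) + "\" Effect=\"Permit\">\n    <Target>\n      <Subjects>\n");
            for (String role : permitted) sb.append(subjectMatch(role));
            sb.append("      </Subjects>\n      <Resources><AnyResource/></Resources>\n");
            sb.append("      <Actions><Action><ActionMatch MatchId=\"" + STRING_EQUAL + "\">"
                    + "<AttributeValue DataType=\"" + STRING + "\">" + esc(action) + "</AttributeValue>"
                    + "<ActionAttributeDesignator AttributeId=\"" + ACTION_ID + "\" DataType=\"" + STRING + "\"/>"
                    + "</ActionMatch></Action></Actions>\n    </Target>\n  </Rule>\n");
        }
        // Catch-all: with first-applicable, anything not permitted above ends here as Deny
        sb.append("  <Rule RuleId=\"deny-everything-else\" Effect=\"Deny\"/>\n</Policy>\n");
        return sb.toString();
    }

    static Map<String, Integer> row(int admin, int researcher, int professor, int student) {
        Map<String, Integer> r = new LinkedHashMap<String, Integer>();
        r.put("admin", admin);
        r.put("researcher", researcher);
        r.put("professor", professor);
        r.put("student", student);
        return r;
    }

    public static void main(String[] args) {
        // The ACT from section 6 of this README (columns: Admin, Researcher, Professor, Student)
        Map<String, Map<String, Integer>> act = new LinkedHashMap<String, Map<String, Integer>>();
        act.put("create-path",   row(1, 1, 0, 0));
        act.put("activate-path", row(1, 1, 1, 0));
        act.put("cancel",        row(1, 1, 0, 0));
        act.put("access",        row(0, 1, 1, 1));
        System.out.print(buildPolicy("nsp-policy-from-act",
                                     "http://testbed.ist-phosphorus.eu/resource-type/nsp", act));
    }
}
```

The closing Deny rule is the design choice worth noting: without it, a request for an action not listed in the table evaluates to Not Applicable, and whether that is treated as a deny then depends on the PEP, whereas the generated policy makes the decision explicit.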