I would like to know if it is possible to achieve this work environment:
I'm building a secure Orion Context Broker through PEP, PDP, PAP, etc. I would like that, in case Orion stores an abnormal value for an attribute, an alert is sent (an email, e.g.) and a new XACML rule is created so a role-user can see those values (before this happens he doesn't have permission to see them).
Is it possible? If it is, how can I achieve it? Is there any option to do it through Jenkins?
in case of Orion stores an abnormal value for an attribute, an alert was sent (e.g. an email)
The FIWARE component to use to send an e-mail in this case would be Complex Event Processing, e.g. Perseo.
You can set up an EPL rule to send an e-mail.
Set up an XACML rule to only allow access if an attribute is "abnormal"
This looks like a standard <Condition> clause; for example, the following:
<Condition>
  <!-- permit only when the environment's current-time is >= 17:00:00 -->
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
    <!-- time-one-and-only unwraps the single-valued bag the designator returns -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
      <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time"
                                      AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
  </Apply>
</Condition>
will only allow an action after a certain time of day.
I guess you may be looking at using "urn:oasis:names:tc:xacml:1.0:function:double-greater-than" or "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than" in the <Condition>, something like:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
    <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="SubjectClassificationRank" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
    <ResourceAttributeDesignator AttributeId="ResourceClassificationRank" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
  </Apply>
</Apply>
Now here is the tricky bit: you will need to amend the code of your PEP proxy to ensure you can pass the value of the "abnormal" attribute so that Authzforce can adjudicate.
The logic will need to be something like this:
The point here is that the standard code of the PEP Proxy won't have the necessary information to allow Authzforce to adjudicate, so you're going to have to add in more information.
A simpler scenario of the same type occurs within the following Tutorial. There the user's e-mail address is added to the request to Authzforce; you'll just have to apply the same principle.
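As an added illustration of the answer above (this is example code, not code from the question, the answer, the Wilma PEP proxy or Authzforce), the following Node.js snippet models both halves of the approach: the extra attribute the PEP proxy must add to the XACML request, built from an NGSI entity fetched from Orion, and the way a PDP evaluates an integer-greater-than-or-equal <Condition> over it. It shows why a request from an unmodified PEP cannot be adjudicated: the condition's one-and-only function sees an empty bag and the result is Indeterminate rather than Permit. The attribute id `urn:example:orion:attribute-value`, the threshold, the role name and the entity are assumptions chosen for the example.

```javascript
// Added example; not code from the question, the answer, the Wilma PEP proxy or Authzforce.
// (1) PEP side: build the XACML 3.0 request attributes, adding the Orion attribute value.
// (2) PDP side: evaluate the answer's integer-greater-than-or-equal condition over them.
// Attribute id, threshold, role name and the sample entity are assumptions for illustration.

const NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
const CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
const CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource";
const CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action";
const ID_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role";
const ID_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
const ID_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id";
const ID_ATTR_VALUE = "urn:example:orion:attribute-value"; // assumed id; any URN your policy agrees on
const XS = "http://www.w3.org/2001/XMLSchema#";

// Constructed NGSI v2 entity, standing in for what the PEP would GET from Orion
// before forwarding the client's request to the PDP.
const sampleEntity = {
  id: "Room1",
  type: "Room",
  temperature: { type: "Number", value: 42.7 },
};

// (1) PEP side. Roles, resource and action are what a standard PEP already sends;
// the fourth attribute is the addition the answer asks for. Pass entity = null to
// reproduce the unmodified PEP.
function buildRequestAttributes(roles, resourceId, action, entity, attrName) {
  const attrs = roles.map((r) => ({ category: CAT_SUBJECT, id: ID_ROLE, type: "string", value: r }));
  attrs.push({ category: CAT_RESOURCE, id: ID_RESOURCE, type: "string", value: resourceId });
  attrs.push({ category: CAT_ACTION, id: ID_ACTION, type: "string", value: action });
  const attr = entity && entity[attrName];
  if (attr && typeof attr.value === "number" && Number.isFinite(attr.value)) {
    // XACML integer is a whole number; truncate so the PDP does not reject the value.
    attrs.push({ category: CAT_RESOURCE, id: ID_ATTR_VALUE, type: "integer", value: Math.trunc(attr.value) });
  }
  return attrs;
}

// Escape text that ends up inside XML attribute values or element content.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[<>&"']/g, (c) => map[c]);
}

// Serialize to the XACML 3.0 <Request> document a PDP such as Authzforce consumes.
function toXacmlRequest(attrs) {
  const byCategory = new Map();
  for (const a of attrs) {
    if (!byCategory.has(a.category)) byCategory.set(a.category, []);
    byCategory.get(a.category).push(a);
  }
  let xml = `<Request xmlns="${NS}" CombinedDecision="false" ReturnPolicyIdList="false">`;
  for (const [category, list] of byCategory) {
    xml += `<Attributes Category="${escapeXml(category)}">`;
    for (const a of list) {
      xml += `<Attribute AttributeId="${escapeXml(a.id)}" IncludeInResult="false">` +
        `<AttributeValue DataType="${XS}${a.type}">${escapeXml(a.value)}</AttributeValue></Attribute>`;
    }
    xml += "</Attributes>";
  }
  return xml + "</Request>";
}

// (2) PDP side: the rule's condition, i.e.
//   integer-greater-than-or-equal(integer-one-and-only(<attribute-value bag>), threshold)
// integer-one-and-only yields Indeterminate unless the bag holds exactly one value,
// which is what happens when an unmodified PEP sends no such attribute (empty bag).
function evaluateCondition(attrs, threshold) {
  const bag = attrs.filter((a) => a.id === ID_ATTR_VALUE && a.type === "integer").map((a) => a.value);
  if (bag.length !== 1) return "Indeterminate";
  return bag[0] >= threshold ? "Permit" : "NotApplicable";
}

// Stand-alone run (skipped when the file is loaded as a module).
if (typeof require !== "undefined" && require.main === module) {
  const attrs = buildRequestAttributes(["Operator"], "/v2/entities/Room1", "GET", sampleEntity, "temperature");
  console.log(toXacmlRequest(attrs));
  console.log("decision:", evaluateCondition(attrs, 40));
}
```

In a real deployment the lookup of `sampleEntity` is an HTTP GET from the PEP to Orion before the authorization call, and the policy in Authzforce would use an AttributeDesignator with the same AttributeId and Category as the PEP sends; the comparison above reflects that contract in plain code.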