lua-resty-xacml-pep

lua-resty-xacml-pep is a library for NGINX implementing the XACML Policy Enforcement Point functionality using the REST and JSON Profiles of XACML 3.0.

It can be used as a reverse proxy authorizing incoming requests in front of an origin server so that the origin server/services can be protected with the XACML Attribute Based Access Control (ABAC) without implementing XACML on the server or in the application itself.

Dependencies

lua-resty-xacml-pep depends on the following packages:

• NGINX and ngx_devel_kit
• Lua or LuaJIT
• lua-nginx-module
• lua-cjson
• lua-resty-string

The dependencies above come automatically with OpenResty. You will need to install one extra pure-Lua dependency that implements HTTP client functions:

• lua-resty-http

Installation

Copy xacml_pep.lua somewhere in your lua_package_path under a directory named resty. If you are using OpenResty, the default location would be /usr/local/openresty/lualib/resty.

Support

Community Support

For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/lua-resty-xacml-pep/wiki
Any questions/issues should go to issues tracker.

Commercial Services

For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
[email protected]

Sample Configuration

events {
  worker_connections 128;
}

http {

  lua_package_path '~/lua/?.lua;;';

  resolver 8.8.8.8;

  lua_ssl_trusted_certificate /opt/local/etc/openssl/cert.pem;
  lua_ssl_verify_depth 5;

  -- cache for PDP decisions
  lua_shared_dict decision 1m;
  
  server {
    listen 8080;

    location / {

      access_by_lua '

          -- PDP configuration
          local opts = {
             pdp_endpoint="https://localhost:8643/asm-pdp/authorize",
             pdp_user="pdp-user",
             pdp_passwd="my_secret",
             ssl_verify = "no",
          }

          -- typically you'd get the input parameters to the PDP call
          -- from the current context, such as the authenticated "subject",
          -- the "action" and the current "resource" that is being accessed
          local res, err = require("resty.xacml_pep").pdp_decision(opts, "hans", "GET", "https://www.example.com")
          
          if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end
          
          -- at this point the user is authorized and content can be served, e.g.:
          local cjson = require "cjson"
          ngx.header.content_type = "text/json"          
          ngx.say(cjson.encode(res))
          ngx.exit(ngx.OK)
      ';
    }
  }
}

Disclaimer

This software is open sourced by ZmartZone IAM. For commercial support you can contact ZmartZone IAM as described above in the Support section.