A JSON/REST XACML Policy Enforcement Point implementation in Lua for NGINX/OpenResty
lua-resty-xacml-pep

lua-resty-xacml-pep is a library for NGINX implementing Policy Enforcement Point (PEP) functionality: it sends authorization requests to a Policy Decision Point (PDP) using the REST and JSON Profiles of XACML 3.0 and enforces the returned decision.

It can be deployed as a reverse proxy that authorizes each incoming request before it reaches an origin server, so that the origin server and its services are protected by XACML Attribute Based Access Control (ABAC) without implementing XACML in the server or in the application itself.

Dependencies

lua-resty-xacml-pep depends on the following packages:

The dependencies above come automatically with OpenResty. You will need to install one extra pure-Lua dependency that implements HTTP client functions:

Installation

Copy xacml_pep.lua into a directory named resty somewhere in your lua_package_path, so that require("resty.xacml_pep") resolves. If you are using OpenResty, the default location is /usr/local/openresty/lualib/resty.

Support

Community Support

For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/lua-resty-xacml-pep/wiki
Any questions or issues should go to the issue tracker.

Commercial Services

For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
sales@zmartzone.eu

Sample Configuration

events {
  worker_connections 128;
}

http {

  # NGINX does not expand "~"; point this at the absolute path of the
  # directory that contains resty/xacml_pep.lua (e.g. the OpenResty lualib dir)
  lua_package_path '~/lua/?.lua;;';

  resolver 8.8.8.8;

  # trust store used when ssl_verify is "yes" in the opts below
  lua_ssl_trusted_certificate /opt/local/etc/openssl/cert.pem;
  lua_ssl_verify_depth 5;

  # cache for PDP decisions (nginx.conf comments use "#", not Lua's "--")
  lua_shared_dict decision 1m;

  server {
    listen 8080;

    location / {

      # the *_block form avoids the quoting problems of access_by_lua '...'
      # (an apostrophe in a Lua comment would otherwise end the directive)
      access_by_lua_block {

          -- PDP configuration
          local opts = {
             pdp_endpoint = "https://localhost:8643/asm-pdp/authorize",
             pdp_user = "pdp-user",
             pdp_passwd = "my_secret",
             -- "no" disables TLS certificate verification of the PDP, so anyone
             -- on the network path to the PDP can forge a "Permit". Acceptable
             -- only for a local test PDP with a self-signed certificate; use
             -- "yes" in production together with lua_ssl_trusted_certificate.
             ssl_verify = "no",
          }

          -- typically you would get the input parameters to the PDP call
          -- from the current context, such as the authenticated "subject",
          -- the "action" and the current "resource" that is being accessed
          local res, err = require("resty.xacml_pep").pdp_decision(opts, "hans", "GET", "https://www.example.com")

          if err then
            -- log the detail server-side; do not echo PDP errors (endpoint
            -- names, transport failures) back to the client
            ngx.log(ngx.ERR, "PDP decision failed: ", err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          -- fail closed: res is the decoded XACML JSON Profile Response
          -- (the cjson.encode(res) below relies on that), and only an explicit
          -- "Permit" grants access, whatever the library reports for
          -- Deny, NotApplicable or Indeterminate
          if type(res) ~= "table" or type(res.Response) ~= "table"
             or type(res.Response[1]) ~= "table"
             or res.Response[1].Decision ~= "Permit" then
            ngx.log(ngx.WARN, "PDP did not permit the request")
            ngx.exit(ngx.HTTP_FORBIDDEN)
          end

          -- at this point the user is authorized and content can be served.
          -- For demonstration this returns the PDP response itself; in a real
          -- reverse proxy you would simply return here and let proxy_pass
          -- forward the request to the origin server.
          local cjson = require "cjson"
          ngx.header.content_type = "application/json"
          ngx.say(cjson.encode(res))
          ngx.exit(ngx.OK)
      }
    }
  }
}
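The following is an added example and not code from lua-resty-xacml-pep. It shows the wire format behind the pdp_decision() call in the sample above (an XACML 3.0 JSON Profile Request carrying the subject, action and resource) and a fail-closed evaluation of the JSON Profile Response, which is the check a PEP should apply before serving content. It runs in plain Lua or LuaJIT with lua-cjson and needs no NGINX. The attribute identifiers and the Request/Response layout are those defined by XACML 3.0 and its JSON Profile; the exact request body the library sends, the function names build_request and is_permit, and the sample responses are assumptions made for the example.

```lua
-- Added example (not part of lua-resty-xacml-pep): build an XACML 3.0
-- JSON Profile Request for a (subject, action, resource) triple and evaluate
-- a JSON Profile Response fail-closed. Runs with plain Lua/LuaJIT + lua-cjson.
local cjson = require "cjson.safe"   -- safe variant returns nil, err instead of raising

-- Standard XACML attribute identifiers for the three attributes that the
-- sample configuration passes to pdp_decision().
local SUBJECT_ID  = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
local ACTION_ID   = "urn:oasis:names:tc:xacml:1.0:action:action-id"
local RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

local function attr(id, value)
  -- DataType is omitted: the JSON Profile defaults it to string
  return { AttributeId = id, Value = value }
end

-- Build the JSON Profile Request body that a PEP POSTs to the PDP endpoint.
-- "AccessSubject", "Action" and "Resource" are the category shorthand names
-- defined by the JSON Profile of XACML 3.0.
local function build_request(subject, action, resource)
  local req = {
    Request = {
      AccessSubject = { { Attribute = { attr(SUBJECT_ID, subject) } } },
      Action        = { { Attribute = { attr(ACTION_ID, action) } } },
      Resource      = { { Attribute = { attr(RESOURCE_ID, resource) } } },
    }
  }
  return cjson.encode(req)
end

-- Fail-closed evaluation of a JSON Profile Response. Returns true only for a
-- single, well-formed, explicit "Permit" without Obligations; every other
-- outcome (Deny, NotApplicable, Indeterminate, several Results, malformed
-- JSON, obligations this PEP does not know how to fulfil) returns false plus
-- a reason string intended for the server log, never for the client.
local function is_permit(body)
  local doc, err = cjson.decode(body)
  if type(doc) ~= "table" then
    return false, "unparseable PDP response: " .. tostring(err)
  end
  local results = doc.Response
  if type(results) ~= "table" or #results ~= 1 then
    return false, "expected exactly one Result in Response"
  end
  local r = results[1]
  if type(r) ~= "table" or r.Decision ~= "Permit" then
    return false, "PDP decision: " .. tostring(type(r) == "table" and r.Decision)
  end
  -- XACML requires the PEP to discharge Obligations before acting on a
  -- Permit; a PEP that cannot must treat the result as a Deny.
  if type(r.Obligations) == "table" and #r.Obligations > 0 then
    return false, "Permit carries obligations this PEP cannot fulfil"
  end
  return true
end

-- Constructed sample responses (not captured from a real PDP).
local SAMPLES = {
  Permit      = '{"Response":[{"Decision":"Permit","Status":{"StatusCode":{"Value":"urn:oasis:names:tc:xacml:1.0:status:ok"}}}]}',
  Deny        = '{"Response":[{"Decision":"Deny"}]}',
  Obligations = '{"Response":[{"Decision":"Permit","Obligations":[{"Id":"urn:example:obligation:log"}]}]}',
  Broken      = '{"Response":',
}

print(build_request("hans", "GET", "https://www.example.com"))
for name, body in pairs(SAMPLES) do
  local ok, why = is_permit(body)
  print(name, ok, why or "")
end

return { build_request = build_request, is_permit = is_permit }
```

Only the "Permit" sample passes; "Deny", the Permit with an obligation and the truncated body are all rejected with a reason. Inside access_by_lua_block the reason belongs in ngx.log(ngx.ERR, ...) followed by ngx.exit(ngx.HTTP_FORBIDDEN), which keeps PDP internals out of the HTTP response.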

Disclaimer

This software is open sourced by ZmartZone IAM. For commercial support you can contact ZmartZone IAM as described above in the Support section.
