XACML Entity Test Plan
Service/Component Description
The component is an internal library used by the UNICORE Services Environment (USE), the container that hosts UNICORE services. It provides several implementations of Policy Decision Points (PDPs) for USE. The following PDPs are implemented:
- legacy XACML 1.x PDP - based on Sun's XACML library; this was the only available option prior to UNICORE 6.4.0
- XACML 2.0 PDP - based on the HerasAF engine; the default PDP. It evaluates policies stored in a local directory.
- Argus remote XACML 2.0 PDP - sends the authorization request to a remote Argus PDP (or any other PDP that supports the SAML 2.0 profile of XACML, i.e. XACMLAuthzDecisionQuery requests).
Deployment scenarios
The component is closely bound to the UNICORE Services Environment (i.e. the hosting container). The only deployment scenario is therefore as a library used by the UNICORE container. For the deployment scenarios of the container, please refer to its SVVP.
Functionality tests
Local XACML 1.0 policies can be used for obtaining an authZ decision (implemented: xacml1_pdp)
Test evaluation of an XACML request with the XACML 1.0 PDP.
Normal workflow - correct input
- User with the role 'user' should get PERMIT when the request is for invocation of a protected web service operation AND
- User should be able to invoke a protected web service operation on a WS-Resource that they own AND
- User without the role 'user' should be able to invoke an unprotected web service operation.
Error workflow - requests that must be denied
- User without the role 'user' should not be able to invoke a protected WS operation AND
- User with the role 'user' should not be able to invoke a protected web service operation on a WS-Resource owned by somebody else.
Local XACML 2.0 PDP can be used for obtaining an authZ decision (implemented: xacml2_pdp)
Test evaluation of an XACML request with the XACML 2.0 PDP. Workflows should be the same as in the Local XACML 1.0 case.
Remote XACML 2.0 PDP can be used for obtaining an authZ decision (implemented: argus_pdp)
Test evaluation of an XACML request with the Argus PDP. Workflows should be the same as in the Local XACML 1.0 case. This test needs a reachable Argus PDP loaded with a policy equivalent to the local one; the decision is obtained over the network, not from a local policy directory.
Integration tests
Local XACML 1.0 PDP authorizes users when configured in USE (implemented: xacml1_integration)
Test authorization of a client in USE with the XACML 1.0 PDP configured in USE.
Normal workflow - correct input
- User with a role 'user' should be able to invoke a protected web service operation AND
- User should be able to invoke a protected web service operation on a WS-Resource that they own AND
- User without role 'user' should be able to invoke an unprotected web service operation.
Error workflow - requests that must be denied
- User without the role 'user' should not be able to invoke a protected WS operation AND
- User with the role 'user' should not be able to invoke a protected web service operation on a WS-Resource owned by somebody else.
Local XACML 2.0 PDP authorizes users when configured in USE (implemented: xacml2_integration)
Test authorization of a client in USE with the XACML 2.0 PDP configured in USE. Workflows should be the same as in the Local XACML 1.0 case.
Remote XACML 2.0 PDP authorizes users when configured in USE (implemented: argus_integration)
Test authorization of a client in USE with the Argus PDP configured in USE. Workflows should be the same as in the Local XACML 1.0 case.
Performance tests
- For the local PDPs, measure the number of requests per second served using the standard UNICORE policy. TBD: Define PASS criteria (NOT implemented)
- For the remote Argus PDP, measure the number of requests per second served using the standard UNICORE policy; the figure includes the network round trip to Argus. TBD: Define PASS criteria (NOT implemented)
Scalability tests
- For each of the providers: invoke it from 50 threads, each performing 1000 iterations. Use the standard UNICORE policy. The result of every iteration must be verified against the expected decision; a wrong decision under load is a failure, not just a slowdown. The test passes only if all iterations succeed. (NOT implemented)
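The permit/deny workflows listed under the functionality tests and the threaded check described in the scalability test above can be modelled together. The following is an added example, not code from the XACML Entity library or from UNICORE: it encodes a hypothetical first-applicable rule set that reproduces the five functionality-test cases (it is not the standard UNICORE policy), and then drives that PDP from many threads, verifying every decision and reporting failures and throughput, which is the shape of the scalability test. The Request fields, the role name 'user', the operation names and the identities alice/bob/carol are all assumptions.

```python
"""Model of the XACML Entity test matrix: a tiny first-applicable PDP plus a
threaded correctness/throughput harness.  Added example, not code from the
UNICORE XACML Entity library; the policy is a hypothetical stand-in for the
standard UNICORE policy and all attribute/field names are assumptions."""
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """Authorization request as the USE PEP would assemble it (assumed fields)."""
    subject: str                   # authenticated client identity
    roles: frozenset               # roles attached to the subject, e.g. {"user"}
    action: str                    # web service operation being invoked
    protected: bool                # does the operation require authorization?
    resource_owner: Optional[str]  # owner of the target WS-Resource; None for service-level calls


@dataclass(frozen=True)
class Rule:
    target: Callable[[Request], bool]  # True -> the rule applies to this request
    effect: str                        # PERMIT or DENY


def first_applicable(rules: Sequence[Rule], req: Request) -> str:
    """XACML 'first-applicable' combining algorithm: the first matching rule wins."""
    for rule in rules:
        if rule.target(req):
            return rule.effect
    return NOT_APPLICABLE


# Hypothetical policy encoding the test plan's workflows; rule order matters.
POLICY: List[Rule] = [
    Rule(lambda r: not r.protected, PERMIT),                 # unprotected operations are open to anyone
    Rule(lambda r: "user" not in r.roles, DENY),             # protected operations need the role 'user'
    Rule(lambda r: r.resource_owner is not None
                   and r.resource_owner != r.subject, DENY),  # only the owner may act on a WS-Resource
    Rule(lambda r: True, PERMIT),                            # role 'user' on a service-level or owned target
]


def evaluate(req: Request, rules: Sequence[Rule] = POLICY) -> str:
    """Decision as the PEP should interpret it: anything but an explicit Permit is a Deny
    (NotApplicable and Indeterminate must never open access)."""
    return PERMIT if first_applicable(rules, req) == PERMIT else DENY


# Constructed test vectors: the three permit and two deny workflows of the test plan.
CASES: List[Tuple[Request, str]] = [
    (Request("alice", frozenset({"user"}), "submit", True, None), PERMIT),
    (Request("alice", frozenset({"user"}), "destroy", True, "alice"), PERMIT),
    (Request("bob", frozenset(), "getVersion", False, None), PERMIT),
    (Request("bob", frozenset(), "submit", True, None), DENY),
    (Request("alice", frozenset({"user"}), "destroy", True, "carol"), DENY),
]


def run_scalability(pdp: Callable[[Request], str], cases: Sequence[Tuple[Request, str]],
                    threads: int = 50, iterations: int = 1000) -> Tuple[int, float]:
    """Evaluate every case `iterations` times on each of `threads` workers.
    Returns (number of wrong decisions, evaluations per second)."""
    def worker(_: int) -> int:
        wrong = 0
        for _ in range(iterations):
            for req, expected in cases:
                if pdp(req) != expected:
                    wrong += 1
        return wrong

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=threads) as pool:
        failures = sum(pool.map(worker, range(threads)))
    elapsed = time.perf_counter() - start
    return failures, threads * iterations * len(cases) / elapsed


if __name__ == "__main__":
    for req, expected in CASES:
        print(f"{req.subject:6} {req.action:11} -> {evaluate(req)} (expected {expected})")
    failures, rps = run_scalability(evaluate, CASES)
    print(f"failures={failures} throughput={rps:.0f} evaluations/s")
```

The harness reports wrong decisions before throughput, because a PERMIT issued to the wrong subject under load is the security finding; the evaluations-per-second figure characterises this Python model (serialised by the interpreter lock), not HerasAF or Argus, and for the remote PDP the same loop would also measure network round trips.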
Standard Compliance/Conformance tests
XACML requests, policies and SAML XACML queries could be checked for conformance to the respective standards (XACML 1.x/2.0 and the SAML 2.0 profile of XACML). This is hard to do thoroughly because no external conformance test suite is available to the project.
Regression tests and unit tests
Unit test coverage must be included in the test report.
Every reported bug should have an automated regression test attached where possible. Otherwise a manual bug-checking procedure should be added to this section. Note that this applies to bugs reported from 1 November 2010 onwards.
Regression tests to be performed manually:
Deployment tests
Not applicable, as the library cannot be deployed independently of the UNICORE Services Environment. The deployment test of the UNICORE server should check that the configuration file for the default XACML 2.0 PDP implementation is found, by performing at least one successful authorization. Such a configuration must be available by default after UNICORE/X installation.
Topic revision: r5 - 2011-03-04 - unknown