In this topic, we will implement a policy on the Authentication Gateway server to disallow users, except "Administrator", from accessing the OpenEdge database on the weekend.

Policies allow you to further manage authorization in the OpenEdge Authentication server. You may need to implement different policies for different users, roles, applications, or geographies, depending on your business needs. This topic shows how to set up a simple policy.

In this topic, we will add a policy provider to a domain and then write the ABL class that implements the policy.

Add policy

Modify your domains.json to use a specific policyProvider to be run for that domain:

  1. Open the C:\OpenEdge\WRK\oeauthserver\webapps\ROOT\WEB-INF\config\domains.json file in an editor.
  2. For the local domain, set the policyProvider to "weekend", for example:
     "authProvider":"_oslocal",
     "policyProvider":"weekend",
  3. At the bottom of the domains.json file, edit the policyProviders section to add a weekend policy provider, giving the class type that implements it and its hash (which can be blank), for example:
       "policyProviders":{
          "weekend":{
             "type":"example.sts.WeekendPolicy",
             "hash":""
          }
       },
    Note: For testing purposes, the hash information can be blank or omitted. However, the hash value is a security feature to ensure that the correct code is being run. For more information about setting hash values for events and policies, see Configure event callbacks.
  4. Create the directory path for the WeekendPolicy code so that it is added to the PROPATH:
    proenv>cd %WRKDIR%\oeauthserver\openedge
    proenv>mkdir example\sts
  5. Create the WeekendPolicy.cls file in the newly created oeauthserver\openedge\example\sts directory using the following code:
    using OpenEdge.Security.PAMStatusEnum.
    using OpenEdge.Security.Principal.
    using OpenEdge.Security.STS.IPolicyProvider.
    using Progress.Json.ObjectModel.JsonObject.
    
    class example.STS.WeekendPolicy implements IPolicyProvider: 
        method public PAMStatusEnum ApplyPolicy( input pcSender as character,
                                                 input pcPolicyName as character, 
                                                 input poPrincipal as Principal, 
                                                 input poDomainCtx as JsonObject, 
                                                 output pcStatusDetail as character ):

            // Allow user 'Administrator' to login every day of the week
            if    poPrincipal:Token:user-id <> 'Administrator'
               then
            do:
                // Only allow logins on weekdays for users not named 'Administrator' 
                if    weekday(now) eq 1 //SUNDAY
                   or weekday(now) eq 7 //SATURDAY
                   then
                do:
                    // Record the policy violation
                    log-manager:write-message(substitute('Weekend login attempt detected by &1',
                                                    poPrincipal:Token:qualified-user-id),
                                              'POLICY':u).
                    // Don't allow the login
                    return PAMStatusEnum:LoginDenied.  
                end.
            end.
            
            return PAMStatusEnum:Success.
        end method.
        
    end class.
  6. Stop, clean, and restart the Authentication Gateway server:
    proenv>cd %WRKDIR%\oeauthserver
    proenv>bin\tcman pasoestart -restart
  7. On the database machine, connect to the database:
    proenv>cd %WRKDIR%\db
    proenv>mpro sports2020 -U testuser1@local -P testuser1
    If you attempt to log in with a user not named Administrator on the weekend, the login attempt returns a "Password and Userid do not match" error.
    Note: If you don't want to wait for the weekend to test this policy, edit the WeekendPolicy.cls file so that one of the weekday(now) comparisons tests for the current day of the week: 1 being Sunday, and 7 being Saturday.
  8. Use an editor to check the oeauthserver.agent.log for the policy message:
    2020-08-01T14:22:11.292-0400 002324 005372 1 AS-14 ?:?:? POLICY         Weekend login attempt detected by testuser1@local
  9. However, the Administrator can still log in on the weekends. Assuming you are running this exercise on a weekend, or have modified the WeekendPolicy.cls file appropriately, try to log in to the database with the local operating system Administrator user:
    proenv>mpro sports2020 -U Administrator@local -P adminOSpassword
    Note: If the local Administrator user on your Authentication Gateway machine uses a different user ID than 'Administrator', edit the WeekendPolicy.cls file to let that named user log in any day of the week.
    The POLICY message is not written to the agent log for this login, because the policy returns Success for Administrator. Some information is still written to the log file because of the event auditing that was added to the domain, such as the different events that occur during the Administrator policy authorization:
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) sender:  STS 
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) event:  CLIENT-AUTHENTICATING 
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Token:  1215 
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Domain:  local 
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Roles:   
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P user id:  Administrator 
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) context: Progress.Json.ObjectModel.JsonObject_1217
    2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:18)        
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) sender:  STS 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) event:  POLICY-APPLYING 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Token:  1222 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Domain:  local 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Roles:  ROLE_Administrators 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P user id:  Administrator 
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) context: Progress.Json.ObjectModel.JsonObject_1224
    2020-08-01T15:05:47.023-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:18)        
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) sender:  STS 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) event:  POLICY-APPLIED 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Token:  1237 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Domain:  local 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Roles:  ROLE_Administrators 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P user id:  Administrator 
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) context: Progress.Json.ObjectModel.JsonObject_1239
    2020-08-01T15:05:47.030-0400 013096 010064 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:18)        
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) sender:  STS 
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) event:  CLIENT-AUTHENTICATED 
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Token:  1244 
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Domain:  local 
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P Roles:   
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) C-P user id:  Administrator 
    2020-08-01T15:05:47.211-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) context: Progress.Json.ObjectModel.JsonObject_1246
    2020-08-01T15:05:47.212-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:18)    
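A Python model of the decision rule in WeekendPolicy.cls, added here as an example (it is not the page's ABL code and does not run inside the Authentication Gateway): it takes the clock as a parameter, so the Saturday, Sunday and Administrator branches can be checked on any day without editing the class, and it picks the resulting POLICY line out of an agent-log excerpt constructed from the line shown in step 8.

```python
import re
from datetime import datetime

LOGIN_DENIED = "LoginDenied"  # stands in for PAMStatusEnum:LoginDenied
SUCCESS = "Success"           # stands in for PAMStatusEnum:Success


def abl_weekday(when: datetime) -> int:
    """ABL WEEKDAY numbering (1 = Sunday ... 7 = Saturday), derived from
    Python's isoweekday() (1 = Monday ... 7 = Sunday)."""
    return when.isoweekday() % 7 + 1


def apply_policy(user_id: str, domain: str, now: datetime) -> tuple:
    """Decision rule of WeekendPolicy.ApplyPolicy; returns (status, log_message).

    The ABL class compares user-id with '<>', which is case-insensitive for
    character values by default, so the Administrator check is folded here
    too. 'now' is the clock of the Authentication Gateway host: the policy
    decides in the server's time zone, not the client's."""
    if user_id.lower() != "administrator" and abl_weekday(now) in (1, 7):
        # Same text the class writes to oeauthserver.agent.log under 'POLICY'
        return LOGIN_DENIED, f"Weekend login attempt detected by {user_id}@{domain}"
    return SUCCESS, ""


# POLICY line layout from step 8: timestamp, pid, tid, level, agent, source, subsystem, message
POLICY_LINE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ \d+ \S+ \S+ POLICY\s+"
    r"Weekend login attempt detected by (?P<user>\S+)$"
)

# Constructed agent-log excerpt: the page's denial line plus an unrelated event line.
SAMPLE_LOG = """\
2020-08-01T14:22:11.292-0400 002324 005372 1 AS-14 ?:?:? POLICY         Weekend login attempt detected by testuser1@local
2020-08-01T15:05:46.964-0400 013096 011228 1 AS-15 ?:?:? -- (Procedure: 'RecordEvent com.progress.sts.SampleEventHandler' Line:11) event:  POLICY-APPLYING
"""


def denied_logins(agent_log: str) -> list:
    """Return (timestamp, user@domain) for each weekend denial in the log,
    which is what a detection rule on the agent log would key on."""
    hits = []
    for line in agent_log.splitlines():
        m = POLICY_LINE.match(line.rstrip())
        if m:
            hits.append((m.group("ts"), m.group("user")))
    return hits
```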

Summary

In this topic, we configured a policy that does not allow connection to the database on the weekend unless the user is named "Administrator". We also saw some of the advanced logging that occurs when policy events take place.