Proxy Classification Filtering

These procedures test classification filtering through the DF proxy: a user whose Keycloak attributes grant no clearance must receive fully redacted proxied responses, and a user granted a level must receive only records marked at or below that level.

Setup

To set up for the test, we will:

  • create a test user in a test group (both can be deleted after the test)

  • configure the proxy to target mock data

Create Test User

For this test we will use a test user classtest-user, belonging to a test group classtest.

Login to Keycloak

  1. Open a browser to DF’s Keycloak at https://localhost/auth.

  2. Click the Administration Console link.

  3. Log in as admin (or any other user with admin privileges).

  4. In the top left dropdown, select the data-fabric realm (not master realm).

Create Test Group

  1. In Keycloak, from the left nav menu select Groups.

  2. Click the "Create group" button.

  3. Input classtest for the group name.

  4. Click the "Create" button.

Create Test User

  1. From the left nav menu, select Users.

  2. Click the "Add user" button.

  3. Input classtest-user for the username.

  4. Click the "Join Groups" button.

  5. In the popup, check the box for the classtest group.

  6. Click the "Join" button.

  7. Back at the create user page for classtest-user, click the "Create" button.

  8. Now on the user details page for classtest-user, select the Credentials tab.

  9. Click the "Set password" button.

  10. Input test for the password and confirmation.

  11. Toggle the Temporary switch to Off.

  12. Click the "Save" button.

  13. Click the "Save password" confirmation button.

Enable Proxies with Mock Data

  1. Open a browser to https://localhost.

  2. Login as:

    • Username: classtest-user

    • Password: test

  3. In the Group access selection (top right corner), select classtest.

  4. In the catalog card view, find and enable the following data sources with:

Tests

Login to DF Swagger

  1. In DF, open Swagger from the left nav menu by expanding APIs and selecting Swagger.

  2. On the right of the page, click the "Authorize" button.

  3. Click the "Logout" button for any/all currently enabled authorization schemes, so that a previously cached identity (for example an admin session) does not mask the result for classtest-user.

  4. Under df_basic, enter the following:

    • Username: classtest-user

    • Password: test

  5. Click the "Authorize" button for df_basic.

  6. Click any of the "Close" buttons to dismiss the authorization popup.

  7. Test the credentials for classtest-user by scrolling down to the testing section and expanding the GET /test/auth endpoint row.

  8. Click the Try it out button in the upper right of the expanded section.

  9. Click the "Execute" button.

  10. Verify you get a 200 response whose body contains the "principal" identifier (the Keycloak UUID) for classtest-user:

    {
      "principal": "{the-uuid-of-user}"
    }

Test No Access

Initially, classtest-user has none of the clearance attributes (country, citizenship, classification) in Keycloak. Every record that carries a classification marking is therefore redacted, and proxied responses come back empty.

UDL

  1. From the home Swagger page, under the list of "Proxied Services" click the link for UDL (/api/proxy/udl).

  2. Scroll down to the Track section and expand the row for GET /udl/track.

  3. Click the "Try it out" button in the upper right of the expanded section.

  4. Input the following Parameters values:

    • ts: 2024-01-01T00:00:00.000Z

  5. Click the "Execute" button.

  6. Verify you get back a 200 response, and that the response payload has been completely redacted, i.e. it is an empty JSON list:

    []

Palantir

  1. From the home Swagger page, under the list of "Proxied Services" click the link for Palantir (/api/proxy/palantir).

  2. Scroll down to the Object section and expand the row for GET /api/v1/ontologies/{ontologyRid}/objects/{objectType}.

  3. Click the "Try it out" button in the upper right of the expanded section.

  4. Input the following Parameters values:

    • ontologyRid: some.ontology.rid

    • objectType: iir

  5. Click the "Execute" button.

  6. Verify you get back a 200 response, and that the response payload has been completely redacted, i.e. the data list is empty. Note that totalCount is not reduced by the redaction (it is still 50 in the mock), so only the data list shows the filtering:

    {
      "data": [],
      "totalCount": 50
    }

Test UNCLASSIFIED Access

In this test we will add the necessary attributes in Keycloak to authorize data at the UNCLASSIFIED level for the classtest-user user.

  1. Log back in to Keycloak again as an admin user (same as before).

  2. From the left nav menu, select Users.

  3. Click the link for classtest-user to view user details.

  4. Now on the user details page for classtest-user, select the Attributes tab.

  5. Click the "Add an attribute" button link three times to create three new (empty) key/value rows.

  6. Input the following attributes in the three rows:

    | Key              | Value        |
    |------------------|--------------|
    | `country`        | USA          |
    | `citizenship`    | Y            |
    | `classification` | UNCLASSIFIED |

  7. Click the "Save" button.

UDL

  1. Repeat the UDL steps from Test No Access (same ts parameter).

  2. Verify you get back a 200 response, and that the response payload contains only tracks marked unclassified (U); no secret (S) tracks appear.

Palantir

  1. Repeat the Palantir steps from Test No Access (same ontologyRid and objectType).

  2. Verify you get back a 200 response, and that the response payload contains only IIRs marked unclassified (U); no secret (S) IIRs appear.

Test SECRET Access

⚠️ This test can only be performed when SDL is operating under the SECRET classification level (or above).

In this test we will add the necessary attributes in Keycloak to authorize data at the SECRET level for the classtest-user user.

All data and markings are mocked for demonstration purposes only.

  1. Log back in to Keycloak again as an admin user (same as before).

  2. From the left nav menu, select Users.

  3. Click the link for classtest-user to view user details.

  4. Now on the user details page for classtest-user, select the Attributes tab.

  5. Change the following attribute value (leave country and citizenship as they are):

    | Key              | Value  |
    |------------------|--------|
    | `classification` | SECRET |

  6. Click the "Save" button.
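The Keycloak steps in Create Test User, Test UNCLASSIFIED Access and Test SECRET Access can be driven through Keycloak's admin REST API instead of the admin console, which makes the setup repeatable and the attribute change between phases explicit. The script below is an added example and is not code from the procedure or from the DF project. It assumes Keycloak is served at https://localhost/auth (as in the login step) behind a self-signed certificate, that the admin account lives in the master realm and can use the built-in admin-cli client, and that the target realm is data-fabric; the attribute names and values are the ones the procedure enters on the Attributes tab. The group membership is set with the user-groups endpoint rather than the "Join Groups" dialog.

```python
"""Create the classtest group and classtest-user, set the password, and set
the clearance attributes through Keycloak's admin REST API.

Added example; not code from the procedure or the DF project. Assumptions:
Keycloak at https://localhost/auth with a self-signed certificate, admin user
in the master realm using the admin-cli client, target realm data-fabric.
"""
import json
import ssl
import urllib.parse
import urllib.request

KEYCLOAK = "https://localhost/auth"
REALM = "data-fabric"
ADMIN_API = f"{KEYCLOAK}/admin/realms/{REALM}"


def clearance_attributes(level):
    """Attributes the procedure adds on the Attributes tab. Keycloak stores
    every user attribute as a list of strings. None is the no-access state."""
    if level is None:
        return {}
    return {"country": ["USA"], "citizenship": ["Y"], "classification": [level]}


def user_representation(username, level=None):
    """UserRepresentation for POST .../users. 'enabled' must be set explicitly
    or the account cannot log in."""
    return {"username": username, "enabled": True,
            "attributes": clearance_attributes(level)}


def password_credential(password):
    """CredentialRepresentation for PUT .../users/{id}/reset-password.
    temporary=False is the 'Temporary: Off' toggle in the console."""
    return {"type": "password", "value": password, "temporary": False}


def with_clearance(rep, level):
    """Return a copy of a user representation with the clearance attributes
    merged in; other attributes on the user are kept."""
    merged = {**rep.get("attributes", {}), **clearance_attributes(level)}
    return {**rep, "attributes": merged}


def id_from_location(location):
    """Keycloak returns a newly created object's id only in the Location header."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def _ssl_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # local self-signed certificate only
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def admin_token(username, password):
    """Password grant against the master realm's admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{KEYCLOAK}/realms/master/protocol/openid-connect/token",
                                 data=form)
    with urllib.request.urlopen(req, context=_ssl_context()) as resp:
        return json.load(resp)["access_token"]


def _call(token, method, url, body=None):
    """JSON call to the admin API. Returns the parsed body when there is one,
    otherwise the Location header (set on 201 Created)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_ssl_context()) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else resp.headers.get("Location", "")


def create_test_user(token, username="classtest-user", group="classtest", password="test"):
    """Create Test Group + Create Test User, without any clearance attributes."""
    group_id = id_from_location(_call(token, "POST", f"{ADMIN_API}/groups", {"name": group}))
    user_id = id_from_location(_call(token, "POST", f"{ADMIN_API}/users",
                                     user_representation(username)))
    _call(token, "PUT", f"{ADMIN_API}/users/{user_id}/groups/{group_id}")
    _call(token, "PUT", f"{ADMIN_API}/users/{user_id}/reset-password",
          password_credential(password))
    return user_id


def set_clearance(token, user_id, level):
    """Attribute step of the UNCLASSIFIED and SECRET phases: read the user back,
    merge the attributes, and send the whole representation (what Save does)."""
    rep = _call(token, "GET", f"{ADMIN_API}/users/{user_id}")
    _call(token, "PUT", f"{ADMIN_API}/users/{user_id}", with_clearance(rep, level))


if __name__ == "__main__":
    import getpass
    tok = admin_token("admin", getpass.getpass("Keycloak admin password: "))
    uid = create_test_user(tok)
    print("created classtest-user", uid)
    # between phases: set_clearance(tok, uid, "UNCLASSIFIED"), then set_clearance(tok, uid, "SECRET")
```

On Keycloak 24 or later the realm's user profile rejects attributes it does not declare unless unmanaged attributes are enabled for the realm; if the PUT in set_clearance returns 400, or the console shows no Attributes tab, that setting is the first thing to check, because a silently dropped classification attribute makes the UNCLASSIFIED and SECRET phases fail in the same way as the no-access phase.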

UDL

  1. Repeat the steps above to invoke UDL for tracks.

  2. Verify you get back a good 200 response, and that the response payload contains both unclassified (U) and secret (S) tracks.

Palantir

  1. Repeat the steps above to invoke Palantir for IIRs.

  2. Verify you get back a good 200 response, and that the response payload contains both unclassified (U) and secret (S) IIRs.
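The verification steps in Test No Access, Test UNCLASSIFIED Access and Test SECRET Access all apply the same rule to a proxied response: nothing marked above the user's clearance may be present, and in the later phases the records at the allowed levels must actually come back. The checker below is an added example, not code from the procedure or the DF project, and encodes that rule so it can be run on a saved Swagger response or on the live endpoints. It assumes that each UDL track and Palantir object carries its marking in a field named "classification" holding "U"/"S" or the full level name (the procedure only says records are marked U or S), that the proxy orders levels UNCLASSIFIED below SECRET, that the DF API is rooted at https://localhost/api with the proxied path being the Swagger link followed by the endpoint path, and that df_basic is HTTP Basic authentication. A record with a missing or unrecognised marking is reported as a leak, since a filter that lets unmarked data through fails open.

```python
"""Checks for the proxy responses expected in the three test phases
(no attributes, UNCLASSIFIED, SECRET), plus a driver for the live endpoints.

Added example; not code from the procedure or the DF project. Assumptions:
marking field "classification" with "U"/"S" or full names, level ordering
UNCLASSIFIED < SECRET, DF API at https://localhost/api, df_basic = HTTP Basic.
"""
import base64
import json
import ssl
import sys
import urllib.parse
import urllib.request

LEVELS = ["UNCLASSIFIED", "SECRET"]          # assumed ordering, low to high
SHORT = {"U": "UNCLASSIFIED", "S": "SECRET"}  # portion-mark abbreviations
MARKING_FIELD = "classification"             # assumed field name


def allowed_levels(clearance):
    """Levels the user may see. None (no Keycloak attributes yet) sees nothing."""
    if clearance is None:
        return set()
    return set(LEVELS[: LEVELS.index(clearance) + 1])


def marking_of(item):
    """Normalise an item's marking. Missing or unknown values are returned
    unchanged so the caller treats them as not allowed (fail closed)."""
    raw = item.get(MARKING_FIELD)
    return SHORT.get(raw, raw)


def phase_result(items, clearance):
    """Compare returned items with the clearance granted in Keycloak.

    leaks:   markings that came back but are above or outside the clearance
    missing: allowed levels with no item at all (over-redaction); the SECRET
             phase expects both U and S items to be present
    Both lists empty means the phase passed."""
    allowed = allowed_levels(clearance)
    seen = [marking_of(it) for it in items]
    leaks = [m for m in seen if m not in allowed]
    missing = [lvl for lvl in LEVELS if lvl in allowed and lvl not in seen]
    return {"leaks": leaks, "missing": missing}


def udl_items(payload):
    """GET /udl/track answers with a bare JSON list."""
    return list(payload)


def palantir_items(payload):
    """The objects endpoint answers with {"data": [...], "totalCount": N};
    only data is filtered, totalCount is not adjusted by the redaction."""
    return list(payload["data"])


# Constructed sample payloads shaped like the mock responses in the procedure.
SAMPLE_TRACKS = [
    {"id": "t1", "classification": "U"},
    {"id": "t2", "classification": "S"},
    {"id": "t3", "classification": "U"},
]
REDACTED_UDL = []
REDACTED_PALANTIR = {"data": [], "totalCount": 50}


def fetch(path, user, password, params=None):
    """Call DF with df_basic credentials (self-signed localhost certificate)."""
    url = "https://localhost/api" + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python check_phase.py [UNCLASSIFIED|SECRET]; no argument = no-access phase
    clearance = sys.argv[1] if len(sys.argv) > 1 else None
    tracks = fetch("/proxy/udl/udl/track", "classtest-user", "test",
                   {"ts": "2024-01-01T00:00:00.000Z"})
    iirs = fetch("/proxy/palantir/api/v1/ontologies/some.ontology.rid/objects/iir",
                 "classtest-user", "test")
    print("UDL:", phase_result(udl_items(tracks), clearance))
    print("Palantir:", phase_result(palantir_items(iirs), clearance))
```

Run it once per phase, after the corresponding Keycloak attribute change, and treat any non-empty leaks list as a failed test regardless of what missing says; an empty response in the UNCLASSIFIED or SECRET phase shows up as missing and means the proxy is over-redacting, which the Swagger steps would otherwise report as a plausible-looking 200.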