Here we have two different kinds of handlers: 'download' and 'exec'.
TODO: we have to decide what the client application should do. It would be possible to call an external program like 'curl' or 'wget', or to call libcurl, to download a file. I would vote for using 'curl' or 'libcurl' because it seems that curl supports more methods than wget. The download should be done by user nobody into a temporary file, which is then moved and chowned to the destination.
TODO: we have to decide how the client application should call the applied program or script. If no 'user' is specified, the default user should be 'nobody'.
# IPA generated script for ipaaction policy. DO NOT EDIT
# unknown output_selector
su - nobody 'curl -o /tmp/SAFE_TEMP_FILE
'
cat << EOF | base64 -d > /tmp/SAFE_TEMP_FILE
EOF
# unknown element:
mv /tmp/SAFE_TEMP_FILE
chown
:
nobody
su -
'
'
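For the 'download' handler, one way to stage the file without the fixed /tmp/SAFE_TEMP_FILE name from the generated script above. This is an added example, not IPA-generated code: stage_install and its arguments are hypothetical names, and it assumes the fetch (for example curl run as 'nobody') writes the file to standard output instead of using -o.

```shell
#!/bin/sh
# Added example (not IPA code); stage_install is a hypothetical helper.
# The downloaded bytes arrive on stdin, piped from the fetch that runs as
# the unprivileged user, so that process never chooses or opens a file path.

# stage_install DEST OWNER MODE
#   DEST   final path of the file
#   OWNER  user or user:group passed to chown
#   MODE   octal mode passed to chmod
stage_install() {
    dest=$1 owner=$2 mode=$3
    dir=$(dirname "$dest") || return 1

    # mktemp creates the file exclusively, mode 0600, under an unpredictable
    # name. Using the destination directory instead of world-writable /tmp
    # also keeps the final mv on one filesystem, so it is an atomic rename.
    tmp=$(mktemp "$dir/.stage.XXXXXX") || return 1

    # Copy stdin to the staging file; reject a failed or empty transfer.
    if ! cat > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        return 1
    fi

    # Set owner and mode while the file still has its staging name, so DEST
    # never appears with the wrong permissions.
    if ! chown -- "$owner" "$tmp" || ! chmod -- "$mode" "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi

    # Replace DEST in one step; on failure the previous DEST is left as it was.
    if ! mv -f -- "$tmp" "$dest"; then
        rm -f -- "$tmp"
        return 1
    fi
}
```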