I am using Authzforce 10.1.1 and i have already created some basic policies, now im trying to use the element <AttributeSelector> to compare some values of a resource that I plan to send on the request.
I have been following the documentation of xacml present in http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf and even tried some of the examples that they have for <AttributeSelector> with no success.
Policy I want to create
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
Error i get
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
<message>Invalid PolicySet with PolicySetId='root', Version=1.0.5</message>
</error>
If I replace <AttributeSelector> for <AttributeDesignator> the policy is created with success, so I assume the error is in the <AttributeSelector>, but from the documentation i have read i can't find the error.
Make sure you have enabled the PDP feature urn:ow2:authzforce:feature:pdp:core:xpath-eval as mentioned in the documentation on PDP properties.
UPDATE 2022-03-10
Then you need to fix a few things in the PolicySet:
Specify the XPath version in a Policy(Set)Defaults / XPathVersion element. I strongly recommend XPath 2.0:
<PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion></PolicySetDefaults>
Specify the XML namespace for the prefix md in the XPath with xmlns:md="..."
[UPDATE 2022-03-14] Change the AttributeSelector Path to "/md:record/md:parentGuardian/md:parentGuardianId/text()" (add a slash at the very start) or more simply "//md:parentGuardianId/text()".
Here is what the fixed PolicySet looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<PolicySetDefaults>
<XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
</PolicySetDefaults>
<Target />
<Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
</Target>
<Rule RuleId="Ruleo" Effect="Permit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
troubleshooting tips to help fix such errors:
Quick-test your policy with AuthzForce Core CLI before pushing to AuthzForce Server. (Set xPathEnabled="true" in the PDP configuration - pdp.xml - to enable XPath support in this case.)
Check logs in /var/log/tomcat9 and /var/log/tomcat9/authzforce-ce
Increase log levels in /opt/authzforce-ce-server/conf/logback.xml, especially for the logger named org.ow2.authzforce.
Related
How do I combine these two rules
(1) Any user can access (read, write, etc.) to the resources http://www.example.com/info1 and http://www.example.com/info2
(2) Any reading action (read) to any resource can only be accessed by users which belong to the group admin and manager.
in a single one?
What I have done so far is this:
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>Policy 1</Description>
<Target />
<!--Punto d.1,2-->
<Rule Effect="Permit" RuleId="Rule Permit #1" >
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Rule Deny #1" />
</Policy>
How do I made the Condition optional when any user with any action -read, write, etc.-, try to access any of the two URLs?
And, how do I validate when an access request with read action, it can only be accessed when user (subject) belongs to the groups, or admin?
There are several ways you can achieve your scenario. The easiest might yet be to create a structure for your policies. For instance, you might say that you have a policy for http://www.example.com/info1 and another for http://www.example.com/info2. Each policy could have rules for read, write, delete... Or if you do not want to specify any action then you could skip it. In your case, you want to restrict read to administrators and managers.
Using the ALFA syntax, this gives you:
namespace so{
attribute group{
category = subjectCat
id = "group"
type = string
}
// Standard XACML attributes e.g. resource-id
import Attributes.*
policyset resources{
apply firstApplicable
policy info1{
target clause resourceId == "http://www.example.com/info1"
apply firstApplicable
rule read{
target clause Attributes.actionId=="read"
clause group=="admin" or group=="manager"
permit
}
// Add other rules for other actions here
}
policy info2{
target clause resourceId == "http://www.example.com/info2"
apply firstApplicable
rule read{
target clause Attributes.actionId=="read"
clause group=="admin" or group=="manager"
permit
}
// Add other rules for other actions here
}
}
}
That said this does not answer your question exactly. Firstly it is not combined in a single rule (doing that is not great BTW, I wouldn't do it - define a good structure, it is more manageable). And in my approach, you have to explicitly list all other actions.
Here is another approach
policy allowAccess{
target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
apply firstApplicable
rule allowRead{
target clause group=="admin" and group=="manager" and Attributes.actionId=="read"
permit
}
rule allowOtherActions{
condition not(Attributes.actionId=="read")
permit
}
}
A final condensed version would be
policy allowAccess2{
apply firstApplicable
rule allow{
target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
condition (group=="admin" && group=="manager" && Attributes.actionId=="read") || (not(Attributes.actionId=="read"))
permit
}
}
The XACML output is:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow">
<xacml3:Description />
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="group"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
I have a XACML 3.0 policy defined like this:
<?xml version="1.0" encoding="UTF-8"?>
<Policy
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="Proposal-Rules" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Description>Policy for any proposal.</Description>
<PolicyDefaults>
<XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
</PolicyDefaults>
<Target />
<Rule Effect="Permit" RuleId="ApproveProposalByDepartmentChair-Rule13a">
<Description>"Department Chair" can "Approve" a "Whole Proposal" when ApprovedByDepartmentChair = READYFORAPPROVAL and where condition check all department chairs are not approved.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
<AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:signedByAllChairs/text()" DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
</Apply>
</Condition>
</Rule>
</Policy>
My XACML request looks like this with an extra AttributeId="group" containing value "Computer Engineering".
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:group" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Computer Engineering</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Content>
<record xmlns:ak="http://akpower.org">
<proposal>
<signedByAllChairs>false</signedByAllChairs>
</proposal>
</record>
</Content>
<Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
<AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
</Attribute>
</Attributes>
</Request>
I was hoping the PEP going to return NotApplicable but on contrary it returns following response: with PERMIT
Even though the defined Policy Rule doesn't contain any Attribute called "group" as Rule Target whereas the request is sending "group" attribute with value "Computer Engineering" and even it is returning match and PERMIT response!
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
</Status>
</Result>
</Response>
Is there something I am missing? I could not figure it out. I am currently using Balana as PEP implementation for my application.
I have now managed to import your policy inside the Axiomatics Policy Administration Point.
Basic Issues
You had several mistakes:
Your XPath expressions uses a prefix ak: (Path="//ak:signedByAllChairs/text()") but the XPath doesn't contain the definition for ak:
The AttributeSelector is marked as a boolean but text() in XPath returns a string, not a boolean. You need to change to string.
The XML snippet part of the XACML request <Content/> does not actually use the ak: prefix. It does define a namespace with that prefix but never uses it.
Representation of the policy in APS
Simulating the policy
I simulated your policy and did not get a Permit back. I get Indeterminate. Here is the evaluation trace. There must be something wrong in WSO2 IS or you forgot to deploy the new policy.
Now, if I clean up the XML you send to have exactly this:
<record xmlns:ak="http://akpower.org">
<proposal>
<signedByAllChairs>false</signedByAllChairs>
</proposal>
</record>
then I get Permit back from the policy.
I am trying to upload below given XACML policy in wso2is-5.1.0. I am getting "Policy uploading failed. Invalid Entitlement Policy. Policy is not valid according to XACML schema" error message. I am not able to figure out, what is the problem with my XACML. On console, i found [2016-06-20 18:50:06,142] ERROR {org.wso2.carbon.identity.entitlement.EntitlementUtil} - Invalid Namespace in policy message.
<Policy PolicyId="BankUseCasePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" xmlns="urn:oasis:names:tc:xacml:3.0:policy:schema:os">
<Rule Effect="Permit" RuleId="Rule_On_Withdrew">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">BankService/withdrew</AttributeValue>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule_On_Deposit">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">BankService/deposit</AttributeValue>
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">executive</AttributeValue>
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Deny_Rule"/>
<Target>
<Environments>
<Environment>
<EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">wso2.org</AttributeValue>
<EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</EnvironmentMatch>
</Environment>
</Environments>
</Target>
</Policy>
Seems like you are failing from the below point [1], where your schema is null. Your schema is not mapped properly.
Please double check your policy, whether its compatiple with XACML 3.0
[1] https://github.com/wso2-attic/carbon-identity/blob/master/components/entitlement/org.wso2.carbon.identity.entitlement/src/main/java/org/wso2/carbon/identity/entitlement/EntitlementUtil.java#L237
I'm developing an XACML policy and I'm using a sun.xacml library.
i want to compare two attributes: one for the subject and one for the resource for permit the access on the resources.
I have generated this XACML file
<?xml version="1.0"?>
<Policy PolicyId="GeneratedPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>Policy che permette la lettura del file ai client che hanno un livello di permesso maggiore o uguale al livello di permesso del file richiesto</Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Rule RuleId="canRead" Effect="Permit">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator AttributeId="level-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">4</AttributeValue>
</Condition>
</Rule>
<Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
The problem is that a resource have a level-permission and i want to compare subject's level-permission and resource's level-permission but i don't know how do it.
thanks a lot
You are almost there. Whenever you need to compare 2 attributes together e.g. user-clearance and resource-classification, you need to use a XACML Condition. You did try to do that in your example but you compared the attribute to a static value.
Here is a simple example in ALFA (Axiomatics Language for Authorization).
policy documentAccess{
apply firstApplicable
rule allowAccessIfClearanceSufficient{
condition user.clearance>document.classification
permit
}
}
I define my attributes as follows:
attribute classification{
category = resourceCat
id = "document.classification"
type = integer
}
and
attribute clearance{
category = subjectCat
id = "user.clearance"
type = integer
}
Note that I use an integer here instead of string. It's more efficient and safer.
The output in XACML 3.0 is the following:
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/example.documentAccess"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/example.documentAccess.allowAccessIfClearanceSufficient">
<xacml3:Description />
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than"/>
<xacml3:AttributeDesignator
AttributeId="user.clearance"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="document.classification"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
first I would like to mention that this certainly a novice question, but I was looking for hours now and I do not have an answer.
I just started trying XACML for academic purposes. I use the editor provided with wso2-is to write some policies and to evaluate them against some requests.
I created this policy to express that the subject u can read or write from a resource d
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="test-bis" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target/>
<Rule Effect="Permit" RuleId="read-or-write">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny"/>
</Policy>
While matching to this simple request "Can u read from d" I got not applicable as result !
Here is the request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
</Attribute>
</Attributes>
</Request>
Anyone can help me on understanding what I'm doing wrong?
Thank you all!
I tested the policy and the request you sent in the Axiomatics Policy Server (disclaimer: I work for Axiomatics). The answer should in fact be Deny. Both rules triggered. You combined the rules inside a policy with a deny-overrides combining algorithm which means that Deny wins over Permit.
You can see below a screenshot of the policy simulation in APS which shows both rules being triggered and the second rule winning over the first one.
If you are interested in understanding combining algorithms better, here's the "truth table" for deny-overrides:
As you are getting "Not Applicable" it seems that your policy is either not enabled in WSO2 IS or not promoted to PDP for testing. Just check if the policy is enabled and promoted to PDP for test. You may also test the policy without promoting to PDP but in both the cases it should be in enabled mode.
I tried your policy in WSo2 IS 4.0.0 and its giving "Deny". And yes as David mentioned its because your policy combining algorithm is "deny-overrides" which is always getting "Deny" as per your default rule as below:
<Rule Effect="Deny" RuleId="deny"/>
So either you need to make your policy combining algorithm as "permit-overrides" or drop the last rule.
Yuor Request is fine and here's the Policy for your Reqirement.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="9f654de2-06d3-45c9-bb7f-947c9a9b247a" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:root-resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule_write">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule_read">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue></Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue></Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Rule_Deny_All"/>
</Policy>