I'd like to add a policy set in order to run a series of policies in sequence using a target which defines if a given policy is applicable, or not, based on the input field "resource". To begin a test I wrote a single policySet that contains one policy.
The evaluation by the WSO2 PAP fails showing a result of "NotApplicable" while I expect to receive a "Permit".
Here the policy named "cfatest0" created in XML:
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<xacml3:Description></xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.permitAll">
<xacml3:Description></xacml3:Description>
<xacml3:Target></xacml3:Target>
</xacml3:Rule>
<xacml3:Rule Effect="Deny" RuleId="http://axiomatics.com/alfa/identifier/com.red.XACML.checkId">
<xacml3:Description></xacml3:Description>
<xacml3:Target></xacml3:Target>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></xacml3:Function>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef#br.red.com</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
<xacml3:ObligationExpressions>
<xacml3:ObligationExpression ObligationId="obligation.displayAttributes" FulfillOn="Deny">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied due to invalid UserID</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:ObligationExpression>
</xacml3:ObligationExpressions>
</xacml3:Rule>
<xacml3:AdviceExpressions>
<xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Deny">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:AdviceExpression>
<xacml3:AdviceExpression AdviceId="advice.displayAttributes" AppliesTo="Permit">
<xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Valid subjectId</xacml3:AttributeValue>
</xacml3:AttributeAssignmentExpression>
</xacml3:AdviceExpression>
</xacml3:AdviceExpressions>
</xacml3:Policy>
Here the PolicySet named cfapolicyset1 created in XML:
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="cfapolicyset1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" Version="1.0">
<xacml3:Description></xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</xacml3:AttributeValue>
<xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:PolicyIdReference>cfatest0</xacml3:PolicyIdReference>
</xacml3:PolicySet>
Below the request generated by the WSO2 "Try-It" tool under the PAP:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">claudef#br.red.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TPS_AE_REST_Policy</AttributeValue>
</Attribute>
</Attributes>
</Request>
Decision is: NotApplicable
Do I miss something in the way how I use to send a request to a PolicySet? When using the WSO2 high level policy editor, I get the same error at the response. When testing the policy isolated in the PAP "Try-It" tool, I receive the correct value, which for this policy is: "Permit".
I tried your request and policies inside the Axiomatics Policy Administration Point and I get the desired response i.e. Permit + Advice.
Could it be you forgot to load the policy inside WSO2IS?
Related
I'm trying to come up with a rule that says the string must begin with ABC but not be ABC123, ABC456, ABC789.
I'm trying write this to evaluate against a string bag, any pointers much appreciated.
You'll need two things:
A check that matches your attribute (e.g. a) with the value (ABC)
A condition that checks the same attribute is not either of ABC123, ABC456, ABC789.
There are (at least) two ways you could do this:
You could write a policy that checks the attribute starts with ABC and then have a rule that denies access if the value is one of the 3 forbidden ones or
You could write a policy that checks the attribute starts with ABC and only returns permit if the the value is not one of the 3 forbidden ones.
ALFA Example
ALFA, the abbreviated language for AuthZ, is a lightweight syntax for XACML policies. (Source: alfa, Wikipedia)
namespace com.axiomatics{
attribute a{
category = subjectCat
id = "com.axiomatics.a"
type = string
}
/**
* This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
*/
policy example{
apply firstApplicable
/**
* Deny specific values
*/
rule denySpecificValues{
target clause a == "ABC123" or a == "ABC456" or a == "ABC789"
deny
}
/**
* Allow if the string starts with ABC
*/
rule startsWithABC{
target clause stringStartsWith("ABC", a)
permit
}
}
/**
* This policy allows access if the string starts with ABC but is not ABC123, ABC456, or ABC789
*/
policy anotherExample{
apply firstApplicable
/**
* Allow if the string with ABC
*/
rule startsWithABC{
target clause stringStartsWith("ABC", a)
permit
condition not (a == "ABC123") && not(a == "ABC456") || not(a == "ABC789")
}
}
}
XACML XML Equivalent
<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the
ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will
be lost upon recompilation of the source ALFA file -->
<xacml3:Policy
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.example"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>This policy allows access if the string starts with
ABC but is not ABC123, ABC456, or ABC789</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule Effect="Deny"
RuleId="com.axiomatics.example.denySpecificValues">
<xacml3:Description>Deny specific values</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC123</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC456</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC789</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.example.startsWithABC">
<xacml3:Description>Allow if the string starts with ABC
</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">ABC</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.a"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
Assume we have a bag of booleans. Is there a function that can tell whether the number of "true" values is larger than some constant (e.g., 5)?
I came across "n-of" function, but it requires multiple separate attributes as an input and not a bag... Maybe "map" function can help, but not sure how since I didn't find a function that can reduce the number of items in a bag.
Thanks!
Michael.
To achieve what you are looking for, you need to use two functions:
a function that measures the size of the bag e.g. booleanBagSize(someAttribute)
a functiont that checks that each value of the bag is equal to true. e.g. booleanEquals used in conjunction with a higher-order function e.g. AllOf
The resulting code in ALFA would be:
namespace axiomatics{
attribute allowed{
category = subjectCat
id = "axiomatics.allowed"
type = boolean
}
policy allowIf5True{
apply firstApplicable
rule allow{
permit
condition booleanBagSize(allowed)>5 && allOf(function[booleanEqual], true, allowed)
}
}
}
And the XACML 3.0 output would be
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description />
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target />
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/axiomatics.allowIf5True.allow">
<xacml3:Description />
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size" >
<xacml3:AttributeDesignator
AttributeId="axiomatics.allowed"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">5</xacml3:AttributeValue>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of" >
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal"/>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#boolean">true</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="axiomatics.allowed"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
This approach only works if the bag only contains true values.
I am using XACML 3.0 with Balana in my java application.
MY XML schema is defined as follows:
<record>
<proposal>
<proposalid></proposalid>
<proposaltitle></proposaltitle>
<pi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</pi>
<copis>
<copi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</copi>
<copi>
<fullname></fullname>
<workemail></workemail>
<userid></userid>
</copi>
<copi>
<firstname></firstname>
<lastname></lastname>
<workemail></workemail>
<userid></userid>
</copi>
</copis>
</proposal>
</record>
My Application send XACML request to the PEP as follows:
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:proposal.role" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Content>
<ak:record xmlns:ak="http://akpower.org">
<ak:proposal>
<ak:proposalid>5702a60865dbb30b09a492cf</ak:proposalid>
<ak:proposaltitle>Proposal 11</ak:proposaltitle>
<ak:authorprofile>
<ak:fullname>Milson Munakami</ak:fullname>
</ak:authorprofile>
<ak:pi>
<ak:fullname>Milson Munakami</ak:fullname>
<ak:workemail>milsonmun#yahoo.com</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fa</ak:userid>
</ak:pi>
<ak:copis>
<ak:copi>
<ak:fullname>PS Wang</ak:fullname>
<ak:workemail>fdsafda#yahoo.comss</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
</ak:copi>
<ak:copi>
<ak:fullname>Thomas Voltz</ak:fullname>
<ak:workemail>fdsafda#yahoo.comsss</ak:workemail>
<ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
</ak:copi>
</ak:copis>
</ak:proposal>
</ak:record>
</Content>
<Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
<AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:DeletedByPI" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTDELETED</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:SubmittedByPI" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTSUBMITTED</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Save</AttributeValue>
</Attribute>
</Attributes>
</Request>
In my policy rule I have:
<ObligationExpressions>
<ObligationExpression ObligationId="sendEmail" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes</AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="piEmail">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="piFullName">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="coPisEmail">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:copis/ak:copi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="coPisFullName">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:copis/ak:copi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
My response is as follows:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<Obligations>
<Obligation ObligationId="sendEmail">
<AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes
</AttributeAssignment>
<AttributeAssignment AttributeId="piEmail" DataType="http://www.w3.org/2001/XMLSchema#string">
milsonmun#yahoo.com
</AttributeAssignment>
<AttributeAssignment AttributeId="piFullName" DataType="http://www.w3.org/2001/XMLSchema#string">
Milson Munakami
</AttributeAssignment>
</Obligation>
</Obligations>
</Result>
</Response>
This doesn't contain any obligation values for coPisEmail and coPisFullName. Also I am not sure how can I grab those dynamic attributes' values? also how can I use those values in my applicaiton? For example does it going to return only one values with all Emails and Full Names or it going to return individual values in separate response? I think I am missing something in fucntion here:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:**function:string-one-and-only**">
<AttributeSelector MustBePresent="false"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0**:content-selector**"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
</Apply>
There is nothing special that needs to be done in XACML to return multiple values. All attributes are bags by default. If the PDP finds multiple values for a given expression (attribute designator or attribute selector), then it will return all those values.
On a side note, As a best practice, try to avoid using XPath inside XACML policies as it makes them harder to understand. XML processing should be done in the PEP or inside a PIP and the XACML policy should remain as business-focused as possible.
I'm currently trying to write a simple policy using XACML.
Unfortunately, My XACML engine doesn't seem to be finding the policy applicable for my request.
What I've done is the following :
Policy :
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="testPolicy-Quota-Storage"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
Version="3.0">
<Target></Target>
<Rule Effect="Permit" RuleId="Permit-Quota-Storage">
<Description>Quota-Storage Rule : request for storage > 2500mb implies
that if the profile of a user allows it, the storage plan is scaled
up
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">premium</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2500</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#integer"
MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule Effect="Deny" RuleId="Deny-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fixed</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
Request :
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2500</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fixed</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice#company.com</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
I checked your policy using:
Axiomatics Policy Administration Point
A standard XML schema validator plugin via Notepad++
Validation Errors
In both instances, the validation came back with validation errors:
ERROR: Element '{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Rule':
This element is not expected. Expected is one of (
{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Description,
{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}PolicyIssuer,
{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}PolicyDefaults,
{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Target ).
The policy you wrote is not valid XACML 3.0. If you wrote the policy by hand you are missing a few elements. If you wrote the policy with a tool, I suggest you change tools. Use the ALFA plugin for Eclipse for instance. Writing policies with it is easy. See here. It's free for non-commercial use.
I fixed your policy to add the missing elements. I ran another validation and got
ERROR: Element
'{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Match': This element
is not expected. Expected is (
{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}AnyOf ).
This means your target in rule Deny-1 is not valid either. You are missing the AllOf/AnyOf elements around the Match element.
The Policy Inside the Axiomatics PAP
Once I fixed these 2 errors, I could import the policy inside the Axiomatics PAP. Once imported, the UI displays your policy as follows:
Simulating the request against the policy
I then ran your request against the policy
I can already see that your request is in fact a Multiple Decision request as described in this blog post. You probably did not intend to create such a request but rather a request with multiple subject attributes. The request should therefore be
<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2600</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">premium</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice#company.com</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
Now the result of the evaluation is still NotApplicable as you noted yourself. The reason is that you did not normalize your values. For instance your request uses premium but your policy uses premium(whitespace). The whitespace matters.
Finally once this error has been fixed, you get NotApplicable because you simply did not send the right values in e.g. premium and 2500. You can see the evaluation trace in this screenshot.
I am new to XACML and getting the following error
java.lang.String cannot be cast to com.sun.xacml.ctx.Attribute
at com.sun.xacml.BasicEvaluationCtx.setupSubjects(BasicEvaluationCtx.java:252)
I have defined my attribute something like this:
Set subjects=new HashSet();
subjects.add("Julius Hibbert");
Subject subject = new Subject(subjects);
Set subjectList=new HashSet();
subjectList.add(subject);
value = new AnyURIAttribute(new URI("http://medico.com/record/patient/BartSimpson"));
Attribute resource = new Attribute(new URI("urn:oasis:names:tc:xacml:1.0:resource:resource-id"), null, null, value);
Set resourceAttrs=new HashSet();
resourceAttrs.add(resource);
Set actionAttrs=new HashSet();
DateTimeAttribute date=new DateTimeAttribute();
AttributeValue attvalue=new StringAttribute("read");
Attribute action = new Attribute(new URI("urn:oasis:names:tc:xacml:1.0:action:action-id"), "", date, attvalue);
actionAttrs.add(action);
Set env=new HashSet();
RequestCtx request = new RequestCtx(subjects, resourceAttrs,
actionAttrs, environmentAttrs);
My XACML file is:
<?xml version="1.0" encoding="UTF-8"?>
<Policy
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Description>
Policy for Conformance Test IIA001.
</Description>
<Target/>
<Rule
RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule"
Effect="Permit">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
</Policy>
Where am I going wrong?I am using Sun XACML implementation.
After observing your code I found that you are trying to cast a String type to Attribute Type of class com.sun.xacml.ctx.Attribute. Pass the parameters as it is defined by the attribute class : Attribute Class
Paste your code in the Pastebin so that i can take a look.