This question already has an answer here:
Using XACML to express policy which is a logical expression
(1 answer)
Closed 4 years ago.
The function not in XACML asks for a boolean argument. However, I want to express a policy like "not string" such as "not male". I can't use "not gender == male" to instead that. I searched google and stackoverflow, but I failed to solve this problem. How could I do that?
When you send a XACML request, you always send a set of attributes with one or more values. You would either send:
an attribute with identifier gender, datatype string, and category subject, or
an attribute with identifier male, datatype boolean, and category subject.
Either way you still send an attribute. In one case the value is a string. In the other the value is a string. In the explanation below, I take the string approach. If you want the boolean approach, just replace gender=="male" with male.
Note that in XACML, attributes may possibly not have a value. This makes XACML booleans more than just boolean. Male could be true, false, or undefined. Keep that in mind when you write a policy / rule.
To express negative conditions e.g. not(gender==male), you have two options:
either the set of possible values is finite e.g. true/false, male/female, hot/warm/cold and you are happy building a policy or rule per case.
or the set of possible values is too long or infinite e.g. a numerical value or a list of citizenships (180+ of those).
In the former case you can write the following (pseudo-code in ALFA):
policy checkGender{
apply firstApplicable
rule male{
target clause gender=="male"
permit
}
rule female{
target clause gender=="female"
permit
}
/**
* Optionally add a catch all case
*/
rule other{
target clause ... // Here you'd have to define other checks you are interested in
}
}
In the latter case, you need to write a negative condition. To do that you need to use a XACML condition. Since XACML conditions only live inside rules, you need to go down to the XACML Rule level.
policy checkGender{
apply firstApplicable
rule notMale{
condition not(gender=="male")
permit
}
}
Related
In my cloudformation code (yaml file) I want to write condition that check if string parameter is longer than some value(lets say 15) and I did not find any way to do it.
Two main questions are,
How to get string parameter length?
After I have the length, how can I write condition that check if this length is longer/smaller than specific value?
I wish cloudformation has a Fn like LongerThan or something like this
Conditions:
isLongerThanParam:
'Fn::LongerThan':
- {Ref: Param}
- '15'
But they only support these functions: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-conditions.html
I did not find any way to do it
There is no such functionality in CFN. You already provided the link to available conditional checks, and there are no condition to check if something is greater or lower then something else.
Some possible workaround would possibly involve development of CloudFormation macro, which would be in the form of a lambda function. The function would take your Fn::LongerThan, and performed some transformations of it based on how you want it to behave. As an outcome of the macro, the valid conditions would be returned, whether or not Fn::LongerThan is satisfied.
How to get a rule like that working:
rule adminCanViewAllExams {
condition (integerOneAndOnly(my.company.attributes.subject.rights) & 0x00000040) == 0
permit
}
Syntax highlighter complains it doesn't know those items:
& (This is a binary math operation)
0x00000040 (this is the hexadecimal representation of an integer)
EDIT
(adding OP's comment inside the question)
I want to keep as much as possible in my current application. Meaning, I don't want to change a lot in my database model. I just want to implement the PEP and PDP part new. So, currently the rights of the user are stored in a Long. Each bit in the number represents a right. To get the right we do a binary &-operation which masks the other bits in the Long. We might redesign this part, but it's still good to know how far the support for mathematic operations goes
XACML does not support bitwise logic. It can do boolean logic (AND and OR) but that's about it.
To achieve what you are looking for, you could use a Policy Information Point which would take in my.company.attributes.subject.rights and 0x00000040. It would return an attribute called allowed.
Alternatively, you can extend XACML (and ALFA) to add missing datatypes and functions. But I would recommend going for human-readable policies.
I tried to use ANTLR4 to identify a range notation like <1..100>, and here is my attempt:
#parser::members {
def evalRange(self, minnum, maxnum, num):
if minnum <= num <= maxnum:
return True
return False
}
range_1_100 : INT { self.evalRange(1, 100, $INT.int) }? ;
But it does not work for more than one range like:
some_rule : range_1_100 | range_200_300 ;
When I input a number (200), it just stops at the first rule:
200
line 3:0 rule range_1_100 failed predicate: { self.evalRange(1, 100, $INT.int) }?
(top (range_1_100 200))
It is not as I expected. How can I make the token match the next rule (range_200_300)?
Here's an excerpt from the docs (emphasis mine):
Predicates can appear anywhere within a parser rule just like actions can, but only those appearing on the left edge of alternatives can affect prediction (choosing between alternatives).
[...]
ANTLR's general decision-making strategy is to find all viable alternatives and then ignore the alternatives guarded with predicates that currently evaluate to false. (A viable alternative is one that matches the current input.) If more than one viable alternative remains, the parser chooses the alternative specified first in the decision.
Which basically means your predicate must be the first item in the alternation to be taken into account during the prediction phase.
Of course, you won't be able to use $INT as it wasn't matched yet at this point, but you can replace it with something like _input.LA(1) instead (lookahead of one token) - the exact syntax depends on your language target.
As a side note, I'd advise you to not validate the input through the grammar, it's easier and better to perform a separate validation pass after the parse. Let the grammar handle the syntax, not the semantics.
In ANTLR4, it seems that predicates can only be placed at the front of sub-rules in order for them to cause the sub-rule to be skipped. In my grammar, some predicates depend on a token that appears near the end of the sub-rule, with one or more rule invocations in front of it. For example:
date :
{isYear(_input.LT(3).getText())}?
month day=INTEGER year=INTEGER { ... }
In this particular example, I know that month is always one single token, so it is always Token 3 that needs to be checked by isYear(). In general, though, I won't know the number of tokens making up a rule like month until runtime. Is there a way to get its token count?
There is no built-in way to get the length of the rule programmatically. You could use the documentation for ATNState in combination with the _ATN field in your parser to calculate all paths through a rule - if all paths through the rule contain the same number of tokens the you have calculated the exact number of tokens used by the rule.
I'm trying to understand OR LDAP queries (specifically Blind LDAP injection).
Am I right in saying that in order to infer about the value objectClass can assume (here U) the following filter sent to the LDAP server, is correct?
(|(objectClass=void)(objectClass=U))(&(objectClass=void)(type=P*))
Supposing the web application returns an object, can I safely say that the LDAP directory includes a category called U?...Is my reasoning correct?
Thanks a lot
Is my reasoning correct?
No. 'Or' is 'or'. As you have written it, either (i) the object class will be void (whatever that means), or (ii) the object class will be U.
The remainder of the filter isn't valid. There is an inner OR filter and an inner AND filter, but there is no outer operator to state how they are joined. A filter parser might be justified in stopping at the first )) for example, as there is no valid continuation of the parse.
If your goal is to understand the OR-operator (per se) inside a LDAP-query, I found the article "or-operator in LDAP queries" very helpful:
To summarize, "&" is the "And" operator, "!" is the "Not" operator,
"|" is the "Or" operator, and "*" is the wildcard. Conditions can be
nested in parentheses. The wildcard cannot be used in DN attributes.
Example: (|(givenName=foo*)(middlename=foo*)(mail=foo*)) implements a threefold OR gives back all occurrences, where foo appears in eather the given name, the middlename, or the mail address. For more details, see post "LDAP multiple or syntax".