authorizationaccess-controlxacmlabacauthzforce

What does a HTTP 409 mean when adding a new XACML request to Authzforce


I'm testing the Authzforce Server application to enter XACML policies and test XACML decision requests. I'm trying to enter my first XACML policy set. The problem is that I always get a 409 Conflict response with no response body, although the policy set was apparently saved in the data store successfully when I retrieve it by ID and version.

Here's the policy set I've entered:

<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="PolicySetExample" Version="1.0" PolicyCombiningAlgId="identifier:policy-combining-algorithm:deny-overrides">
 <Target/>
  <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
   <Target/>
   <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:MyRule" Effect="Permit">
     <Target>
      <AnyOf>
       <AllOf>
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Medical record</AttributeValue> 
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
         </Match>
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" DataType="http://www.w3.org/2001/XMLSchema#string"/>
         </Match>
        </AllOf>
       </AnyOf>
     </Target>
     <Condition>
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
         <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
      </Apply>
     </Condition>
    </Rule>
   </Policy>
</PolicySet>

...using the service endpoint POST /domains/domain-id/pap/policies. The service responds with a 409 with no details on the actual conflict but when I try to retrieve the policy using...

GET /domains/domain-id/pap/policies/PolicySetExample/1.0

...then I see that the policy set has been saved, I get the policy set document with a policy ID reference to the policy called "ComplexPolicy":

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:PolicySet xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns4="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns5="http://www.w3.org/2005/Atom" PolicySetId="PolicySetExample" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides">
    <ns4:Description>TestPolicySet</ns4:Description>
    <ns4:Target>
        <ns4:AnyOf>
            <ns4:AllOf>
                <ns4:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <ns4:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</ns4:AttributeValue>
                    <ns4:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </ns4:Match>
            </ns4:AllOf>
        </ns4:AnyOf>
    </ns4:Target>
    <ns4:PolicyIdReference>ComplexPolicy</ns4:PolicyIdReference>
</ns4:PolicySet>

I've checked the Authzforce log file in /var/log/tomcat8/authzforce-ce/error.log but there's nothing related to this specific error.

Any ideas and pointers are welcome.

EDIT: can it be that the conflict is with the default "root" policy set of the Authzforce?

Thanks, Andras


Solution

  • As far as I understand, you already did POST a PolicySet 'PolicySetExample' in Version '1.0' successfully, since this is the one you get with GET .../PolicySetExample/1.0. Now you are trying to POST a PolicySet 'PolicySetExample' in Version '1.0' again (but new content), which fails because the REST API interprets that as an attempt to create a new PolicySet (PolicySet resource) with same PolicySetId and Version as another, whereas the (PolicySetId,Version) tuple should be unique on the domain. So in your case it's likely a Version conflict.

    2 options:

    1. If you want to replace/overwrite the previous PolicySet content, remove the existing .../PolicySetExample/1.0 on the server with DELETE method, then upload/create the PolicySet again with POST method.
    2. If you want to upload a new version (and keep the old one on the server), increment the Version attribute. Be aware that: a) you can have multiple versions of a PolicySet (with same PolicySetId but different Version I mean); b) if you use it in a PolicySetIdReference, always the latest Version is used by default in AuthzForce, unless you specify the Version explicitly (or use EarliestVersion/LatestVersion as per XACML standard but I don't recommend to use them).