xmlxacmlabacauthzforce

Authzforce - Simple ABAC policy creation fails


I am using Authzforce 8.1.0 and I have already created a couple of RBAC policy scenarios based on the examples given in Users' and Programmers Guider but I would like to create a simple ABAC scenario.

As a newbie into XACML language, I am trying to follow some examples from here. More specifically I am trying to implement a policy similar to 4.1.1 Example policy.

Policy I want to create

Assume that a corporation named Medi Corp (identified by its domain name: med.example.com) has an access control policy that states, in English:

Any user with an e-mail name in the "med.example.com" namespace is allowed to perform any action on any resource.

<?xml version="1.0" encoding="UTF-8"?>
   <Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
           http://docs.oasis-open.org/xacml/FIXME.xsd"
           PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
           Version="1.0"
           RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
     <Description>
       Medi Corp access control policy
     </Description>
     <Target/>
      <Rule
       RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
       Effect="Permit">
       <Description>
         Any subject with an e-mail name in the med.example.com domain
         can perform any action on any resource.
       </Description>
       <Target>
         <AnyOf>
           <AllOf>
             <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                <AttributeValue  DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
                <AttributeDesignator
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
                </Match>
           </AllOf>
         </AnyOf>
       </Target>
      </Rule>
    </Policy>

When I am trying to POST this policy on {ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies I am getting the following error

Error

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>

All the the examples I have seen in authzforce so far start with a <PolicySet> declaration (in which we can declare multiple <Policy> blocks, so I thought that this may be a problem and tried to include the policy in a policySet as shown below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
 xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicySetId="first_policyset_id"
 Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
 <Description>Policy for Github</Description>
 <Target />
 <Policy
   PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
           Version="1.0"
           RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>
       Medi Corp access control policy
     </Description>
     <Target/>
      <Rule
       RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
       Effect="Permit">
       <Description>
         Any subject with an e-mail name in the med.example.com domain
         can perform any action on any resource.
       </Description>
       <Target>
         <AnyOf>
           <AllOf>
             <Match
               MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                <AttributeValue  DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
                <AttributeDesignator
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    MustBePresent="false"
                    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
                </Match>
           </AllOf>
         </AnyOf>
       </Target>
      </Rule>
    </Policy>
</PolicySet>

but now I am getting the following:

Response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
    <message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>

Which is the right format of a XACML request to make such a simple ABAC policy scenario? An example of a policy access request on this would be also greatly appreciated, thanks in advance!


Solution

  • This example from section 4.1.1 has known issues unfortunately, some of them I've reported on the xacml-comment mailing list. It should be fixed in the next version of the XACML spec. In the meantime, you need to fix these:

    1. Remove the xsi:schemaLocation altogether. Because the location http://docs.oasis-open.org/xacml/FIXME.xsd is wrong and AuthzForce uses its own location for the XACML schema already.
    2. The RuleCombiningAlgId identifier:rule-combining-algorithm:deny-overrides is wrong. Replace with urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides.

    I also confirm that AuthzForce Server's REST API accepts only PolicySets as input on the /pap/policies endpoint, so you have to wrap your Policy in a PolicySet, as you did. But you should change the PolicyCombiningAlgId to urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable if you want the result of the PolicySet to be equivalent to the Policy.

    --EDIT 2020-04-06--

    So the fixed PolicySet is this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PolicySet 
     xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
     PolicySetId="PolicySet_1"
     Version="1.0"
     PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable">
     <Description>Sample PolicySet</Description>
     <Target />
     <Policy 
      PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
      <Description>Medi Corp access control policy</Description>
      <Target/>
      <Rule
       RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
       Effect="Permit">
       <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
       <Target>
         <AnyOf>
           <AllOf>
             <Match
              MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue  DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
              <AttributeDesignator
               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
               MustBePresent="true"/>
             </Match>
           </AllOf>
         </AnyOf>
       </Target>
      </Rule>
     </Policy>
    </PolicySet>