
Authzforce - XACML AttributeSelector


I am using Authzforce 10.1.1 and I have already created some basic policies; now I'm trying to use the <AttributeSelector> element to compare some values of a resource that I plan to send in the request.

I have been following the XACML documentation at http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf and have even tried some of the examples they give for <AttributeSelector>, with no success.

Policy I want to create


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <Target />
   <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
       <Target>
       </Target>
       <Rule RuleId="Ruleo" Effect="Permit">
           <Condition>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                     <AttributeSelector MustBePresent="false"
                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                     Path="md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
               </Apply>
           </Condition>
       </Rule>
   </Policy>
</PolicySet>

Error I get

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
   <message>Invalid PolicySet with PolicySetId='root', Version=1.0.5</message>
</error>

If I replace <AttributeSelector> with <AttributeDesignator>, the policy is created successfully, so I assume the error is in the <AttributeSelector>, but from the documentation I have read I can't find the error.


Solution

  • Make sure you have enabled the PDP feature urn:ow2:authzforce:feature:pdp:core:xpath-eval as mentioned in the documentation on PDP properties.

    UPDATE 2022-03-10

    Then you need to fix a few things in the PolicySet:

    1. Specify the XPath version in a Policy(Set)Defaults / XPathVersion element. I strongly recommend XPath 2.0: <PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion></PolicySetDefaults>
    2. Specify the XML namespace for the prefix md in the XPath with xmlns:md="..."
    3. [UPDATE 2022-03-14] Change the AttributeSelector Path to "/md:record/md:parentGuardian/md:parentGuardianId/text()" (add a slash at the very start) or more simply "//md:parentGuardianId/text()".

    Here is what the fixed PolicySet looks like:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
       <PolicySetDefaults>
           <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
       </PolicySetDefaults>
       <Target />
       <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
           <Target>
           </Target>
           <Rule RuleId="Ruleo" Effect="Permit">
               <Condition>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                           <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                       </Apply>
                       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                         <AttributeSelector MustBePresent="false"
                         Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                         Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                       </Apply>
                   </Apply>
               </Condition>
           </Rule>
       </Policy>
    </PolicySet>
    

    Troubleshooting tips to help fix such errors:

    1. Quick-test your policy with AuthzForce Core CLI before pushing to AuthzForce Server. (Set xPathEnabled="true" in the PDP configuration - pdp.xml - to enable XPath support in this case.)
    2. Check logs in /var/log/tomcat9 and /var/log/tomcat9/authzforce-ce
    3. Increase log levels in /opt/authzforce-ce-server/conf/logback.xml, especially for the logger named org.ow2.authzforce.