fiwarexacml3authzforcefiware-wilmafiware-keyrock

Check Request Headers using XACML in Fiware platform


I'm trying to integrate AuthzForce with Keyrock for advanced PDP and wanted to know how custom headers check rule can be made in XACML policies. As per my understanding and documentation, they've specified that with AuthzForce its possible to check the body, match time of request and more. But nowhere i could find a resource on how a policy/rule can be made to check custom headers. Any suggestion or link for any documentation is appreciated.


Solution

  • @cdan is correct - the Authzforce PDP, like any PDP can only adjudicate on matters if it is passed the appropriate information. The PEP Proxy you use will need to obtain and forward the information needed to adjudicate. For example, in the Wilma PEP Proxy, the payload for Authzforce is defined here

    In the Wilma PEP Proxy the the XACML Policy is defined in JavaScript as shown below and then translated into XML before being sent to Authzforce:

    const XACMLPolicy = {
        Request: {
          xmlns: 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
          CombinedDecision: 'false',
          ReturnPolicyIdList: 'false',
          Attributes: [
            {
              Category: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
              Attribute: [
                {
                    "AttributeId":"urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                    "IncludeInResult": "false",
                    "AttributeValue":{
                        "DataType":"http://www.w3.org/2001/XMLSchema#string",
                        "$t":"joe"
                    }
                }
              ]
            },
            {
              Category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
              Attribute: [
                {
                  AttributeId: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',
                  IncludeInResult: 'false',
                  AttributeValue: {
                    DataType: 'http://www.w3.org/2001/XMLSchema#string',
                    $t: appId
                  }
                },
                {
                  AttributeId: 'urn:thales:xacml:2.0:resource:sub-resource-id',
                  IncludeInResult: 'false',
                  AttributeValue: {
                    DataType: 'http://www.w3.org/2001/XMLSchema#string',
                    $t: escapeXML(resource)
                  }
                }
              ]
            },
            {
              Category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
              Attribute: {
                AttributeId: 'urn:oasis:names:tc:xacml:1.0:action:action-id',
                IncludeInResult: 'false',
                AttributeValue: {
                  DataType: 'http://www.w3.org/2001/XMLSchema#string',
                  $t: action
                }
              }
            },
            {
              Category: 'urn:oasis:names:tc:xacml:3.0:attribute-category:environment'
            }
          ]
        }
      };
    

    Each Attribute in this payload is something that may need to be checked. To add a check for a custom header, you'll need to extract it from the incoming payload and add another attribute (of category urn:oasis:names:tc:xacml:3.0:attribute-category:resource) with an appropriate AttributeId.

    Of course the XACML rules you define will also need to refer to this same new Attribute Id when setting the access policy e.g. "if custom header present then PERMIT else DENY".