xacmlauthzforce

Obtain all Obligations from all the policies


Basically, I have 1 Policyset with 2 policies and I want to return all the obligations of both policies if they give a permit decision.

So I'm running an image of authzforce/server:release-10.1.1 and I inserted this policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
PolicySetId="root" 
Version="1.0.77" 
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">

    <Target/>
   
        <Policy PolicyId="p1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
            <Target/>
            <Rule RuleId="B1" Effect="Permit"/>

            <ObligationExpressions>
                <ObligationExpression ObligationId="aaaaaaa" FulfillOn="Permit">

                </ObligationExpression>
            </ObligationExpressions>

        </Policy>
        <Policy PolicyId="p2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
            <Target/>
            <Rule RuleId="B2" Effect="Permit"/>

            <ObligationExpressions>
                <ObligationExpression ObligationId="bbbb" FulfillOn="Permit">
                   
                </ObligationExpression>
            </ObligationExpressions>

        </Policy>
    
</PolicySet>
                   

So when i do a request I obtain:

{
    "Response": {
        "Result": {
            "Decision": "Permit",
            "Obligations": {
                "Obligation": {
                    "@ObligationId": "aaaaaaa"
                }
            }
        }
    }
}

But I want to get an array of "Obligations" with the Obligation "aaaaaaa" and the Obligation "bbbb". Is this even posible?


Solution

  • In order to collect all of the obligations associated with permit decisions you will need to change the combining algorithm or your root policy to deny-overrides because policy evaluation is stoping on the first permit with the current deny-unless-permit. Using deny-overrides will force evaluation down the second branch looking for a deny decision which will then collect the second obligation in the process.