Basically, I have 1 Policyset with 2 policies and I want to return all the obligations of both policies if they give a permit decision.
So I'm running an image of authzforce/server:release-10.1.1 and I inserted this policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="root"
           Version="1.0.77"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target/>
    <Policy PolicyId="p1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
        <Target/>
        <Rule RuleId="B1" Effect="Permit"/>
        <ObligationExpressions>
            <ObligationExpression ObligationId="aaaaaaa" FulfillOn="Permit">
            </ObligationExpression>
        </ObligationExpressions>
    </Policy>
    <Policy PolicyId="p2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
        <Target/>
        <Rule RuleId="B2" Effect="Permit"/>
        <ObligationExpressions>
            <ObligationExpression ObligationId="bbbb" FulfillOn="Permit">
            </ObligationExpression>
        </ObligationExpressions>
    </Policy>
</PolicySet>
So when I do a request I obtain:
{
    "Response": {
        "Result": {
            "Decision": "Permit",
            "Obligations": {
                "Obligation": {
                    "@ObligationId": "aaaaaaa"
                }
            }
        }
    }
}
But I want to get an array of "Obligations" with the Obligation "aaaaaaa" and the Obligation "bbbb". Is this even possible?
In order to collect all of the obligations associated with permit decisions, you will need to change the combining algorithm of your root policy to deny-overrides, because policy evaluation is stopping on the first permit with the current deny-unless-permit. Using deny-overrides will force evaluation down the second branch looking for a deny decision, which will then collect the second obligation in the process.
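The difference between the two combining algorithms, as an added example that is not part of the original question or answer and is not AuthzForce code: a simplified Python model of the XACML 3.0 loops, run over the two policies from the question. The names `Policy`, `combine` and `PAGE_POLICIES` are hypothetical, and Indeterminate results are left out of the model.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Policy:
    policy_id: str
    decision: str                                    # result of evaluating the policy
    obligations: dict = field(default_factory=dict)  # FulfillOn -> [ObligationId]

def combine(children, algorithm):
    """Return (decision, obligations, evaluated policy ids) for a PolicySet."""
    evaluated = []
    collected = {PERMIT: [], DENY: []}
    at_least_one_permit = False
    for child in children:
        evaluated.append(child.policy_id)
        decision = child.decision
        if decision in collected:
            # Obligations are only drawn from children that were evaluated.
            collected[decision] += child.obligations.get(decision, [])
        if decision == PERMIT:
            at_least_one_permit = True
            if algorithm == "deny-unless-permit":
                # First Permit ends the loop: later children are never
                # evaluated, so their obligations cannot be returned.
                return PERMIT, collected[PERMIT], evaluated
        elif decision == DENY and algorithm == "deny-overrides":
            return DENY, collected[DENY], evaluated
    if algorithm == "deny-unless-permit":
        return DENY, collected[DENY], evaluated
    # deny-overrides had to look at every child to rule out a Deny.
    if at_least_one_permit:
        return PERMIT, collected[PERMIT], evaluated
    return NOT_APPLICABLE, [], evaluated

# Constructed from the PolicySet in the question: both policies permit.
PAGE_POLICIES = [
    Policy("p1", PERMIT, {PERMIT: ["aaaaaaa"]}),
    Policy("p2", PERMIT, {PERMIT: ["bbbb"]}),
]

if __name__ == "__main__":
    for alg in ("deny-unless-permit", "deny-overrides"):
        print(alg, combine(PAGE_POLICIES, alg))
```

With no applicable child, deny-overrides yields NotApplicable where deny-unless-permit yields Deny, so the change of algorithm also changes the default result the PEP receives.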