[ https://jira.fiware.org/browse/HELP-13349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fernando Lopez reassigned HELP-13349:
-------------------------------------

    Assignee: Cyril Dangerville


> [fiware-stackoverflow] AuthZForce PDP not behaving as expected
> --------------------------------------------------------------
>
>                 Key: HELP-13349
>                 URL: https://jira.fiware.org/browse/HELP-13349
>             Project: Help-Desk
>          Issue Type: Monitor
>          Components: FIWARE-TECH-HELP
>            Reporter: Backlog Manager
>            Assignee: Cyril Dangerville
>              Labels: authz, fiware, pdp
>
> Created question in FIWARE Q/A platform on 22-07-2017 at 19:07
> {color: red}Please, ANSWER this question AT{color} https://stackoverflow.com/questions/45257114/authzforce-pdp-not-behaving-as-expected
>
> +Question:+
> AuthZForce PDP not behaving as expected
>
> +Description:+
> I've extended a policy set to include a new policy, which means I've added targets to the policies to ensure that a request targets the right policy.
>
> Here is the policy set XACML:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
>   <Description>CD Governance PolicySet</Description>
>   <Target/>
>   <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
>     <Description>Reject if the Date is July Policy</Description>
>     <Target>
>       <AnyOf>
>         <AllOf>
>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
>             <AttributeDesignator
>               AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
>               DataType="http://www.w3.org/2001/XMLSchema#string"
>               Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
>               MustBePresent="false"
>             />
>           </Match>
>         </AllOf>
>       </AnyOf>
>     </Target>
>     <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-not-in:july:rule" Effect="Permit">
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
>                 <AttributeDesignator
>                   AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
>                   DataType="http://www.w3.org/2001/XMLSchema#date"
>                   MustBePresent="true"
>                   Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
>               </Apply>
>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
>               </Apply>
>             </Apply>
>           </Apply>
>         </Apply>
>       </Condition>
>     </Rule>
>     <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
>             <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"
>               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
>           </Apply>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
>           </Apply>
>         </Apply>
>       </Condition>
>     </Rule>
>   </Policy>
>   <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:app-in:prod:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
>     <Description>Reject if the Application is not allowed in Production Policy</Description>
>     <Target>
>       <AnyOf>
>         <AllOf>
>           <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
>             <AttributeDesignator
>               AttributeId="urn:oasis:names:tc:xacml:1.0:environment"
>               DataType="http://www.w3.org/2001/XMLSchema#string"
>               Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
>               MustBePresent="true"
>             />
>           </Match>
>         </AllOf>
>       </AnyOf>
>     </Target>
>     <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-not-in:prod:rule" Effect="Deny">
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>                 <AttributeDesignator
>                   AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps"
>                   DataType="http://www.w3.org/2001/XMLSchema#string"
>                   MustBePresent="true"
>                   Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
>               </Apply>
>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
>                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
>               </Apply>
>             </Apply>
>           </Apply>
>         </Apply>
>       </Condition>
>     </Rule>
>     <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-in:prod:rule" Effect="Permit">
>       <Condition>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>             <AttributeDesignator
>               AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps"
>               DataType="http://www.w3.org/2001/XMLSchema#string"
>               MustBePresent="true"
>               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
>           </Apply>
>           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
>           </Apply>
>         </Apply>
>       </Condition>
>     </Rule>
>   </Policy>
> </PolicySet>
>
> So when I want to check the second policy (whether an App is allowed in Prod) I send a request like:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>   CombinedDecision="false" ReturnPolicyIdList="true">
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:environment">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP1</AttributeValue>
>     </Attribute>
>   </Attributes>
> </Request>
>
> Which returns what I expect:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
>   <Result>
>     <Decision>Deny</Decision>
>     <PolicyIdentifierList>
>       <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
>       <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
>     </PolicyIdentifierList>
>   </Result>
> </Response>
>
> So far so good....
>
> But when I send this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>   CombinedDecision="false" ReturnPolicyIdList="true">
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-08-01</AttributeValue>
>     </Attribute>
>   </Attributes>
> </Request>
>
> I don't get a similar response to the first one (but a Permit), I get this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
>   <Result>
>     <Decision>Indeterminate</Decision>
>     <Status>
>       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
>       <StatusMessage>Error evaluating <Target>/<AnyOf>#0</StatusMessage>
>     </Status>
>     <PolicyIdentifierList>
>       <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
>       <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
>       <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
>     </PolicyIdentifierList>
>   </Result>
> </Response>
>
> Now you might think that the policy is defined incorrectly, so I then sent this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
>   CombinedDecision="false" ReturnPolicyIdList="true">
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
>     </Attribute>
>   </Attributes>
>   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
>     <Attribute IncludeInResult="false"
>       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
>       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
>     </Attribute>
>   </Attributes>
> </Request>
>
> I got what I expected - a Deny, with no Target-missing errors:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
>   <Result>
>     <Decision>Deny</Decision>
>     <PolicyIdentifierList>
>       <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
>       <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
>     </PolicyIdentifierList>
>   </Result>
> </Response>
>
> So why is the PDP getting confused for this one policy (which looks to my eyes the same as the other one that works correctly... yes, I get a Permit when the App is in the list in the policy)?
> Why does it think the attribute for the target is missing completely (instead of having just the wrong value)?
> And why is it doing this for the condition attribute?



--
This message was sent by Atlassian JIRA
(v6.4.1#64016)
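The three request/response pairs in the question can be reproduced with a small model of how an XACML 3.0 PDP evaluates a Target, a Rule Condition and the deny-overrides combining algorithm. This is an added example written for this page; it is neither AuthZForce code nor the asker's, and the function and constant names below are my own. It models only what the policy set above uses: a string-equal Match, the one-and-only and is-in functions, MustBePresent on an AttributeDesignator, the extended Indeterminate values (Indeterminate{D}, {P}, {DP}) that XACML 3.0 assigns when a Target cannot be evaluated, and deny-overrides at both rule and policy level. Running it against the three requests from the question gives Deny, Indeterminate and Deny, which is what the PDP returned; the decisive detail is that the app-in-prod policy's Target designator for urn:oasis:names:tc:xacml:1.0:environment carries MustBePresent="true", so a request without that attribute makes that policy Indeterminate rather than NotApplicable, and deny-overrides only hides that Indeterminate when another policy returns Deny. The `target_must_be_present` switch lets the reader compare against the same Target with MustBePresent="false" (a variant of mine, not something the question tried).

```python
"""Toy XACML 3.0 evaluator: Target/Condition evaluation, MustBePresent, deny-overrides."""
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"

# Identifiers copied from the policy set in the question.
RES = "urn:oasis:names:tc:xacml:1.0:subject-category:resource"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
FREEZE = "urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
CURDATE = "urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
ENV = "urn:oasis:names:tc:xacml:1.0:environment"
APPS = "urn:oasis:names:tc:xacml:1.0:production:apps"
JULY = {"2017-07-01"} | {f"2002-07-{d:02d}" for d in range(2, 32)}  # date-bag as written in the policy
PROD_APPS = {"CRM", "SAP", "Customer Portal"}


def designator(request, category, attr_id, must_be_present):
    """AttributeDesignator: returns the bag of values; an empty bag with MustBePresent=true is an error."""
    bag = request.get((category, attr_id), [])
    if not bag and must_be_present:
        raise LookupError(f"missing-attribute: {attr_id}")
    return bag


def one_and_only(bag):
    """*-one-and-only: exactly one value, otherwise a processing error."""
    if len(bag) != 1:
        raise LookupError("one-and-only on a bag whose size is not 1")
    return bag[0]


@dataclass
class Rule:
    effect: str
    condition: Callable[[dict], bool]  # may raise LookupError -> Indeterminate


@dataclass
class Policy:
    pid: str
    target: Callable[[dict], bool]     # may raise LookupError -> Indeterminate
    rules: List[Rule]


def eval_rule(rule, request):
    try:
        return rule.effect if rule.condition(request) else NA
    except LookupError:
        return IND_D if rule.effect == DENY else IND_P


def deny_overrides(decisions):
    """XACML 3.0 deny-overrides, with extended Indeterminate handling."""
    s = set(decisions)
    if DENY in s:
        return DENY
    if IND_DP in s or (IND_D in s and (IND_P in s or PERMIT in s)):
        return IND_DP
    if IND_D in s:
        return IND_D
    if PERMIT in s:
        return PERMIT
    if IND_P in s:
        return IND_P
    return NA


def eval_policy(policy, request):
    try:
        if not policy.target(request):
            return NA                      # Target no-match: policy is NotApplicable
    except LookupError:
        effects = {r.effect for r in policy.rules}   # Target Indeterminate: extended value from rule effects
        return IND_D if effects == {DENY} else IND_P if effects == {PERMIT} else IND_DP
    return deny_overrides([eval_rule(r, request) for r in policy.rules])


def build_policy_set(target_must_be_present=True):
    """The two policies from the question; the flag is the MustBePresent of the app-in-prod Target."""
    def cur_date(req):
        return one_and_only(designator(req, SUBJ, CURDATE, True))

    def app(req):
        return one_and_only(designator(req, SUBJ, APPS, True))

    date_policy = Policy("date-in:july:policy",
                         lambda r: "freezeCheck" in designator(r, RES, FREEZE, False),
                         [Rule(PERMIT, lambda r: cur_date(r) not in JULY),
                          Rule(DENY, lambda r: cur_date(r) in JULY)])
    prod_policy = Policy("app-in:prod:policy",
                         lambda r: "prod" in designator(r, RES, ENV, target_must_be_present),
                         [Rule(DENY, lambda r: app(r) not in PROD_APPS),
                          Rule(PERMIT, lambda r: app(r) in PROD_APPS)])
    return [date_policy, prod_policy]


def decide(request, target_must_be_present=True):
    """PolicySet decision as the PDP reports it (the extended {D}/{P}/{DP} part is dropped)."""
    extended = deny_overrides([eval_policy(p, request) for p in build_policy_set(target_must_be_present)])
    return extended.split("{")[0]


# The three requests from the question, as (category, attribute-id) -> bag of values.
REQ_PROD_SAP1 = {(RES, ENV): ["prod"], (SUBJ, APPS): ["SAP1"]}
REQ_AUGUST = {(RES, FREEZE): ["freezeCheck"], (SUBJ, CURDATE): ["2017-08-01"]}
REQ_JULY = {(RES, FREEZE): ["freezeCheck"], (SUBJ, CURDATE): ["2017-07-01"]}

if __name__ == "__main__":
    for name, req in [("prod/SAP1", REQ_PROD_SAP1), ("August", REQ_AUGUST), ("July", REQ_JULY)]:
        print(f"{name:10} -> {decide(req)}   (with MustBePresent=false: {decide(req, False)})")
```

The July request gets Deny because deny-overrides returns Deny as soon as any policy does, so the Indeterminate from the app-in-prod policy is never visible; the August request exposes it because the only other result is Permit. That is also why the missing-attribute status names the Target rather than the Condition: the Condition of the date policy evaluated fine, it is the other policy's Target that failed.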