DEVHIDE
Login Or Sign up

Access request policy not being invoked in AuthZForce PDP

169 Views Asked by At

Ive created this policy in the Domain of the AuthZForce PDP:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
 xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicySetId="P1"
 Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
 <Description>Reject if the Date is July PolicySet</Description>
 <Target />
 <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="01">
<Description>Reject if the Date is July Policy</Description>
<Target />
<Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
     <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in" />
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" 
    DataType="http://www.w3.org/2001/XMLSchema#date" 
    MustBePresent="true"
    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>

and the response is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<link xmlns="http://www.w3.org/2005/Atom" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0" rel="item" href="P1/1.0" title="Policy 'P1' v1.0"/>

So I know that the policy is defined in the PDP.

However, when I run this request against the PDP domain, The policy is not evaluated, only the default allow-all:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
      </Attribute>
   </Attributes>
</Request>

response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Response xmlns="http://www.w3.org/2005/Atom" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <ns3:Result>
        <ns3:Decision>Permit</ns3:Decision>
        <ns3:PolicyIdentifierList>
            <ns3:PolicyIdReference Version="0.1.0">permit-all</ns3:PolicyIdReference>
            <ns3:PolicySetIdReference Version="0.1.0">root</ns3:PolicySetIdReference>
        </ns3:PolicyIdentifierList>
    </ns3:Result>
</ns3:Response>

why is this?

fiware authz pdp
Original Q&A
1

There are 1 best solutions below

4
On BEST ANSWER

Similar to question #15 on AuthzForce GitHub. The PDP is still using policy with PolicySetId = 'root' as root policy, i.e. the policy where the PDP starts the evaluation. You can verify what the current root policy is (and related applicable policies used by it) at anytime, and change it if necessary, as told in the doc.

Only the root policy (specified by the PDP property rootPolicyRefExpression) or policies referenced by it (via PolicySetIdReference) are used actually by the PDP for evaluation. Therefore, if you want the PDP to evaluate your policy (P1 in your case), either you change the rootPolicyRefExpression value to P1 (the version is optional, the latest is used by default), or you can update the default policy root directly by re-uploading your policy with PolicySetId root instead of P1, and Version greater than the current version of policy root on the server.

Also your policy is not valid because date-is-in only takes 2 arguments, and the rule combining algorithm is deprecated and not supported by AuthzForce any longer. I understand you want to check whether your custom current-date is in a list of dates, here is a fixed version of the policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="P1" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Description>Reject if the Date is July PolicySet</Description>
<Target />
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
  <Description>Reject if the Date is July Policy</Description>
  <Target />
  <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
     <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
              <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
           </Apply>
        </Apply>
     </Condition>
  </Rule>
</Policy>
</PolicySet>

Related Questions in FIWARE

Related Questions in AUTHZ

Related Questions in PDP

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.