  1. Help-Desk
  2. HELP-13349

FIWARE.Question.Tech.AuthZForce PDP not behaving as expected.

    Details

      Description

      Created question in FIWARE Q/A platform on 22-07-2017 at 19:07
      Please, ANSWER this question AT https://stackoverflow.com/questions/45257114/authzforce-pdp-not-behaving-as-expected

      Question:
      AuthZForce PDP not behaving as expected

      Description:
      I've extended a policy set to include a new policy, which means I've added targets to the policies to ensure that a request targets the right policy.

      Here is the policy set XACML:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
        <Description>CD Governance PolicySet</Description>
        <Target/>
        <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
          <Description>Reject if the Date is July Policy</Description>
          <Target>
            <AnyOf>
              <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
                  <AttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                    MustBePresent="false"
                  />
                </Match>
              </AllOf>
            </AnyOf>
          </Target>
          <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-not-in:july:rule" Effect="Permit">
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                      <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
                        DataType="http://www.w3.org/2001/XMLSchema#date"
                        MustBePresent="true"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
                    </Apply>
                  </Apply>
                </Apply>
              </Apply>
            </Condition>
          </Rule>
          <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                  <AttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
                    DataType="http://www.w3.org/2001/XMLSchema#date"
                    MustBePresent="true"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
                </Apply>
              </Apply>
            </Condition>
          </Rule>
        </Policy>
        <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:app-in:prod:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
          <Description>Reject if the Application is not allowed in Production Policy</Description>
          <Target>
            <AnyOf>
              <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
                  <AttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:environment"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                    MustBePresent="true"
                  />
                </Match>
              </AllOf>
            </AnyOf>
          </Target>
          <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-not-in:prod:rule" Effect="Deny">
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
                  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                      <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="true"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                    </Apply>
                  </Apply>
                </Apply>
              </Apply>
            </Condition>
          </Rule>
          <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-in:prod:rule" Effect="Permit">
            <Condition>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                  <AttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps"
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    MustBePresent="true"
                    Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                </Apply>
              </Apply>
            </Condition>
          </Rule>
        </Policy>
      </PolicySet>

      So when I want to check the second policy (whether an App is allowed in Prod) I send a request like:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
               CombinedDecision="false" ReturnPolicyIdList="true">
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:environment">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
          </Attribute>
        </Attributes>
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP1</AttributeValue>
          </Attribute>
        </Attributes>
      </Request>

      Which returns what I expect:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
        <Result>
          <Decision>Deny</Decision>
          <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
          </PolicyIdentifierList>
        </Result>
      </Response>

      So far so good....
      But when I send this:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
               CombinedDecision="false" ReturnPolicyIdList="true">
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
          </Attribute>
        </Attributes>
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-08-01</AttributeValue>
          </Attribute>
        </Attributes>
      </Request>

      I don't get a response similar to the first one (but with a Permit); instead I get this:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
        <Result>
          <Decision>Indeterminate</Decision>
          <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
            <StatusMessage>Error evaluating &lt;Target&gt;/&lt;AnyOf&gt;#0</StatusMessage>
          </Status>
          <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
          </PolicyIdentifierList>
        </Result>
      </Response>

      Now you might think that the policy is defined incorrectly, so I then sent this:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
               CombinedDecision="false" ReturnPolicyIdList="true">
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
          </Attribute>
        </Attributes>
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute IncludeInResult="false"
                     AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
          </Attribute>
        </Attributes>
      </Request>

      I got what I expected: a Deny, with no missing Target errors:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
        <Result>
          <Decision>Deny</Decision>
          <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
          </PolicyIdentifierList>
        </Result>
      </Response>

      So why is the PDP getting confused for this one policy (which to my eyes looks the same as the other one, which works correctly; yes, I get a Permit when the App is in the list in the policy)?

      Why does it think the attribute for the target is missing completely (instead of just having the wrong value)?
      And why is it doing this for the condition attribute?
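As an added example that is not part of the ticket or of AuthZForce, the Python below models the two XACML 3.0 rules that decide this case: an AttributeDesignator with MustBePresent="true" and no matching attribute in the request is an evaluation error (Indeterminate) rather than a non-match, and the deny-overrides policy-combining algorithm lets a Deny override an Indeterminate but not a Permit. Replayed over the three requests in the question it reproduces the three responses and attributes the missing-attribute status to the app-in-prod policy's Target, whose environment designator carries MustBePresent="true" while the freezeCheck requests carry no environment attribute; the `env_must_be_present` switch is an assumption added here to show the effect of that one flag.

```python
# Added example (not AuthZForce's or the ticket's code): XACML 3.0 <Target>
# matching plus deny-overrides policy combining, run over the three requests
# in the question. A request is modelled as {(category, attr_id): [values]}.
RESOURCE = "urn:oasis:names:tc:xacml:1.0:subject-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
TARGET_CHECK = "urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
ENVIRONMENT = "urn:oasis:names:tc:xacml:1.0:environment"
PROD_APPS = "urn:oasis:names:tc:xacml:1.0:production:apps"
# Bags exactly as written in the posted policy set.
JULY_DATES = {"2017-07-01"} | {f"2002-07-{d:02d}" for d in range(2, 32)}
ALLOWED_APPS = {"CRM", "SAP", "Customer Portal"}
OPPOSITE = {"Permit": "Deny", "Deny": "Permit"}

def match_target(request, category, attr_id, expected, must_be_present):
    # XACML 3.0 s7.3.5: a missing attribute is an empty bag (no match) unless
    # the designator has MustBePresent="true", which turns it into an error.
    bag = request.get((category, attr_id), [])
    if not bag:
        return "Indeterminate" if must_be_present else "NoMatch"
    return "Match" if expected in bag else "NoMatch"
def evaluate_rules(request, attr_id, allowed, effect_if_in):
    # Both posted policies: value in bag -> effect_if_in, else the other
    # effect; the Condition designator has MustBePresent="true".
    vals = request.get((SUBJECT, attr_id), [])
    if not vals:
        return "Indeterminate{DP}"
    return effect_if_in if vals[0] in allowed else OPPOSITE[effect_if_in]
def evaluate_policy(request, target, rules):
    # Target error on a policy with Permit and Deny rules -> Indeterminate{DP}.
    t = match_target(request, *target)
    if t == "Indeterminate":
        return "Indeterminate{DP}"
    return "NotApplicable" if t == "NoMatch" else evaluate_rules(request, *rules)
def deny_overrides(decisions):
    # Policy-combining deny-overrides, XACML 3.0 Appendix C.2.
    d = set(decisions)
    if "Deny" in d: return "Deny"
    if "Indeterminate{DP}" in d: return "Indeterminate{DP}"
    if "Indeterminate{D}" in d and d & {"Indeterminate{P}", "Permit"}:
        return "Indeterminate{DP}"
    if "Indeterminate{D}" in d: return "Indeterminate{D}"
    if "Permit" in d: return "Permit"
    return "Indeterminate{P}" if "Indeterminate{P}" in d else "NotApplicable"
def decide(request, env_must_be_present=True):
    # Returns (decision per policy, combined decision); env_must_be_present
    # mirrors the MustBePresent flag on the app policy's Target designator.
    results = {
        "date-in:july:policy": evaluate_policy(
            request, (RESOURCE, TARGET_CHECK, "freezeCheck", False),
            (CURRENT_DATE, JULY_DATES, "Deny")),
        "app-in:prod:policy": evaluate_policy(
            request, (RESOURCE, ENVIRONMENT, "prod", env_must_be_present),
            (PROD_APPS, ALLOWED_APPS, "Permit")),
    }
    return results, deny_overrides(results.values())

# The three requests from the question, transcribed from the posted XML.
REQ_PROD = {(RESOURCE, ENVIRONMENT): ["prod"], (SUBJECT, PROD_APPS): ["SAP1"]}
REQ_AUGUST = {(RESOURCE, TARGET_CHECK): ["freezeCheck"], (SUBJECT, CURRENT_DATE): ["2017-08-01"]}
REQ_JULY = {(RESOURCE, TARGET_CHECK): ["freezeCheck"], (SUBJECT, CURRENT_DATE): ["2017-07-01"]}
```

Calling `decide(REQ_AUGUST)` gives Permit from the date policy and Indeterminate{DP} from the app policy, combined to Indeterminate; with `env_must_be_present=False` the app policy becomes NotApplicable and the combined decision is Permit.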

        Activity

        backlogmanager Backlog Manager added a comment - 2018-01-12 19:51|CREATED monitor | # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment - 2018-01-12 19:54|UPDATED status: transition Answer| # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment - 2018-01-12 20:03|UPDATED status: transition Finish| # answers= 1, accepted answer= True

          People

          • Assignee: cdangerville Cyril Dangerville
          • Reporter: backlogmanager Backlog Manager