Uploaded image for project: 'Help-Desk'
  1. Help-Desk
  2. HELP-13351

FIWARE.Question.Tech.Access request policy not being invoked in AuthZForce PDP.

        Details

          Description

          Created question in FIWARE Q/A platform on 14-07-2017 at 16:07
          Please, ANSWER this question AT https://stackoverflow.com/questions/45105078/access-request-policy-not-being-invoked-in-authzforce-pdp

          Question:
          Access request policy not being invoked in AuthZForce PDP

          Description:
          Ive created this policy in the Domain of the AuthZForce PDP:

          <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <PolicySet
          xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
          PolicySetId="P1"
          Version="1.0"
          PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
          <Description>Reject if the Date is July PolicySet</Description>
          <Target />
          <Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="01">
          <Description>Reject if the Date is July Policy</Description>
          <Target />
          <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
          <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in" />
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
          DataType="http://www.w3.org/2001/XMLSchema#date"
          MustBePresent="true"
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
          </Apply>
          </Condition>
          </Rule>
          </Policy>
          </PolicySet>

          and the response is:

          <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <link xmlns="http://www.w3.org/2005/Atom" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0" rel="item" href="P1/1.0" title="Policy 'P1' v1.0"/>

          So I know that the policy is defined in the PDP.

          However, when I run this request against the PDP domain, The policy is not evaluated, only the default allow-all:

          <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
          CombinedDecision="false" ReturnPolicyIdList="true">
          <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute IncludeInResult="false"
          AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
          </Attribute>
          </Attributes>
          </Request>

          response:

          <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <ns3:Response xmlns="http://www.w3.org/2005/Atom" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
          <ns3:Result>
          <ns3:Decision>Permit</ns3:Decision>
          <ns3:PolicyIdentifierList>
          <ns3:PolicyIdReference Version="0.1.0">permit-all</ns3:PolicyIdReference>
          <ns3:PolicySetIdReference Version="0.1.0">root</ns3:PolicySetIdReference>
          </ns3:PolicyIdentifierList>
          </ns3:Result>
          </ns3:Response>

          why is this?

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            backlogmanager Backlog Manager added a comment -

            2018-01-12 19:51|CREATED monitor | # answers= 1, accepted answer= True

            Show
            backlogmanager Backlog Manager added a comment - 2018-01-12 19:51|CREATED monitor | # answers= 1, accepted answer= True
            Hide
            Permalink
            backlogmanager Backlog Manager added a comment -

            2018-01-12 19:54|UPDATED status: transition Answer| # answers= 1, accepted answer= True

            Show
            backlogmanager Backlog Manager added a comment - 2018-01-12 19:54|UPDATED status: transition Answer| # answers= 1, accepted answer= True
            Hide
            Permalink
            backlogmanager Backlog Manager added a comment -

            2018-01-12 20:03|UPDATED status: transition Finish| # answers= 1, accepted answer= True

            Show
            backlogmanager Backlog Manager added a comment - 2018-01-12 20:03|UPDATED status: transition Finish| # answers= 1, accepted answer= True

              People

              • Assignee:
                cdangerville Cyril Dangerville
                Reporter:
                backlogmanager Backlog Manager
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: