
I'm currently trying to write a simple policy using XACML. Unfortunately, my XACML engine doesn't seem to be finding the policy applicable for my request.

What I've done is the following:

Policy:

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="testPolicy-Quota-Storage"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
        Version="3.0">
        <Target></Target>
        <Rule Effect="Permit" RuleId="Permit-Quota-Storage">
            <Description>Quota-Storage Rule : request for storage > 2500mb implies
                that if the profile of a user allows it, the storage plan is scaled
                up
            </Description>
            <Target>
                <AnyOf>
                    <AllOf>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">premium</AttributeValue>
                            <AttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
                                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                        </Match>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</AttributeValue>
                            <AttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                        </Match>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2500</AttributeValue>
                            <AttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                        </Match>
                    </AllOf>
                </AnyOf>
            </Target>
        </Rule>
        <Rule Effect="Deny" RuleId="Deny-1">
            <Target>
                <AnyOf>
                    <AllOf>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fixed</AttributeValue>
                            <AttributeDesignator
                                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
                                DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
                        </Match>
                    </AllOf>
                </AnyOf>
            </Target>
        </Rule>
    </Policy>

Request:

    <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2500</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fixed</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice@company.com</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
    </xacml-ctx:Request>

Neil

1 Answer

I checked your policy using:

  • Axiomatics Policy Administration Point
  • A standard XML schema validator plugin via Notepad++

Validation Errors

In both instances, the validation came back with validation errors:

ERROR: Element '{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Rule': This element is not expected. Expected is one of ( {urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Description, {urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}PolicyIssuer, {urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}PolicyDefaults, {urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Target ).

The policy you wrote is not valid XACML 3.0. If you wrote the policy by hand you are missing a few elements. If you wrote the policy with a tool, I suggest you change tools. Use the ALFA plugin for Eclipse for instance. Writing policies with it is easy. See here. It's free for non-commercial use.

I fixed your policy to add the missing elements. I ran another validation and got

ERROR: Element '{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Match': This element is not expected. Expected is ( {urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}AnyOf ).

This means your target in rule Deny-1 is not valid either. You are missing the AllOf/AnyOf elements around the Match element.

The Policy Inside the Axiomatics PAP

Once I fixed these 2 errors, I could import the policy inside the Axiomatics PAP. Once imported, the UI displays your policy as follows:

[Screenshot: the policy inside the Axiomatics Policy Administration Point]

Simulating the request against the policy

I then ran your request against the policy

[Screenshot: the XACML request inside the Axiomatics PAP Simulator]

I can already see that your request is in fact a Multiple Decision request as described in this blog post. You probably did not intend to create such a request but rather a request with multiple subject attributes. The request should therefore be

    <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2600</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">store</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">premium</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice@company.com</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
    </xacml-ctx:Request>

Now the result of the evaluation is still NotApplicable, as you noted yourself. The reason is that you did not normalize your values. For instance, your request uses premium but your policy uses premium(whitespace). The whitespace matters.

Finally, once this error has been fixed, you get NotApplicable because you simply did not send the right values in, e.g., premium and 2500. You can see the evaluation trace in this screenshot.

[Screenshot: evaluation trace in the Axiomatics PAP Simulator]

David Brossard
  • It's a greater-than function, so using 2600 should be okay, but my engine still gives NotApplicable. The WSO2 Identity Manager that I just installed, however, is giving me Deny for a Deny request, but NotApplicable for a Permit one. I updated my main post with the one currently used. – Neil Sep 16 '15 at 14:16
  • What engine are you using? – David Brossard Sep 16 '15 at 15:07
  • WSO2 IS uses Balana so you shouldn't notice any difference in behavior. Try another engine e.g. Heras AF, SunXACML or Axiomatics. – David Brossard Sep 17 '15 at 07:17
  • Well, Axiomatics is not freeware, SunXACML is not compliant with XACML 3, Heras is not compatible with my app right now, so... I'll see what I can do. – Neil Sep 17 '15 at 07:18
  • Balana is not XACML 3.0 compliant either (partial XACML 3.0 and very buggy at that). Try AT&T then. Oh, and there is no free lunch. – David Brossard Sep 17 '15 at 07:24
  • We use what we have :) Unlimited budgets are not available in every country :) – Neil Sep 17 '15 at 07:54
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/89885/discussion-between-david-brossard-and-sasuke256). – David Brossard Sep 17 '15 at 08:22
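The following is an added example, not code from the question, the answer or any XACML engine: a small Python model of XACML 3.0 Target evaluation over a constructed policy and request that reuse the thread's attribute ids and categories. It reproduces the whitespace point made in the answer (the literal is compared untrimmed) and also shows, going beyond the thread, the argument order that section 7.6 of the XACML 3.0 core specification prescribes for `<Match>`: the literal `<AttributeValue>` is the first argument and each request bag value the second, so `integer-greater-than` with literal 2500 is true when 2500 > resource-id, which is why a request carrying 2600 does not satisfy it and `integer-less-than` is the function that expresses "storage > 2500" in a Match.

```python
import xml.etree.ElementTree as ET
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
XS = "http://www.w3.org/2001/XMLSchema#"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
QUAL = "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"
RID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
FUNCTIONS = {FN + "string-equal": lambda a, b: a == b,  # thread's functions, plus less-than
             FN + "integer-greater-than": lambda a, b: a > b,
             FN + "integer-less-than": lambda a, b: a < b}

def typed(text, datatype):  # no trimming: "premium " stays "premium "
    return int(text) if datatype == XS + "integer" else text

def request_bags(request_xml):
    bags = {}  # (Category, AttributeId) -> bag of typed values from the Request
    for attrs in ET.fromstring(request_xml).iter(NS + "Attributes"):
        for attr in attrs.iter(NS + "Attribute"):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            for av in attr.iter(NS + "AttributeValue"):
                bags.setdefault(key, []).append(typed(av.text, av.get("DataType")))
    return bags

def match(m, bags):
    """Sec. 7.6: the literal AttributeValue is the 1st argument, each bag element the 2nd."""
    av, d = m.find(NS + "AttributeValue"), m.find(NS + "AttributeDesignator")
    bag = bags.get((d.get("Category"), d.get("AttributeId")), [])
    return any(FUNCTIONS[m.get("MatchId")](typed(av.text, av.get("DataType")), v) for v in bag)

def rule_targets(policy_xml, request_xml):
    """RuleId -> Target match: AND over AnyOf, OR over AllOf, AND over Match."""
    bags = request_bags(request_xml)
    return {r.get("RuleId"): all(any(all(match(m, bags) for m in allof) for allof in anyof)
                                 for anyof in r.find(NS + "Target").iter(NS + "AnyOf"))
            for r in ET.fromstring(policy_xml).iter(NS + "Rule")}

def policy(qualifier, int_fn):  # constructed one-rule policy shaped like the thread's Permit rule
    m = ('<Match MatchId="%s%s"><AttributeValue DataType="%s%s">%s</AttributeValue><AttributeDesignator '
         'Category="%s" AttributeId="%s" DataType="%s%s" MustBePresent="false"/></Match>')
    return ('<Policy xmlns="%s" PolicyId="quota" Version="3.0"><Target/><Rule Effect="Permit" '
            'RuleId="Permit-Quota-Storage"><Target><AnyOf><AllOf>%s%s</AllOf></AnyOf></Target></Rule>'
            '</Policy>') % (NS[1:-1], m % (FN, "string-equal", XS, "string", qualifier, SUBJ, QUAL, XS, "string"),
                            m % (FN, int_fn, XS, "integer", 2500, RES, RID, XS, "integer"))

def request(qualifier, storage):  # constructed Request with the two attributes the rule reads
    a = ('<Attributes Category="%s"><Attribute AttributeId="%s" IncludeInResult="false">'
         '<AttributeValue DataType="%s%s">%s</AttributeValue></Attribute></Attributes>')
    return '<Request xmlns="%s">%s%s</Request>' % (
        NS[1:-1], a % (SUBJ, QUAL, XS, "string", qualifier), a % (RES, RID, XS, "integer", storage))
```

`rule_targets(policy("premium", "integer-greater-than"), request("premium", 2600))` reports the Permit rule's Target as not matching, while the same call with `"integer-less-than"` matches; a literal of `"premium "` fails the string-equal Match against a request value of `premium`.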