
I would like to get some help with an ABAC/XACML project I have, where I'm trying to get a request and a response back from the server while talking to it through a PHP script, as seen below.

<?php
// XACML 3.0 request: subject (role), action, environment and resource attributes.
$postdata = '<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="true"  xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
 <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/acs/role" IncludeInResult="true">
 <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Jimi</xacml-ctx:AttributeValue>
  </xacml-ctx:Attribute>
 </xacml-ctx:Attributes>
 <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
  <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
     <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
  </xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
  <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
     <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bank account</xacml-ctx:AttributeValue>
  </xacml-ctx:Attribute>
 </xacml-ctx:Attributes>
</xacml-ctx:Request>';

// POST the request to the PDP and capture the XACML response body.
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/xml'));
curl_setopt($ch, CURLOPT_URL, 'http://localhost:8080/pdp/?type=config');
// Has no effect over plain http; do not disable peer verification once the PDP is reached over https.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);

echo $data;
?>

This part is the request. The policy that I have stored in the Policy Administration Point is the following:


    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="http://www.axiomatics.com/automatic-unique-id/5ec8c01d-456c-4800-b28b-ad3d289ecba3" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bank account</xacml3:AttributeValue>
              <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </xacml3:Match>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
              <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </xacml3:Match>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Jimi</xacml3:AttributeValue>
              <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="http://www.axiomatics.com/acs/role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:Rule RuleId="51179cb3-5319-4a35-a13e-ac1db27b5d93" Effect="Permit">
        <xacml3:Description>doctor can view medicalrecord</xacml3:Description>
        <xacml3:Target/>
      </xacml3:Rule>
      <xacml3:Rule RuleId="a2af1648-41c0-4843-ba4f-c1284d367957" Effect="Deny">
        <xacml3:Target/>
      </xacml3:Rule>
    </xacml3:Policy>

The original request was with the name "teller". Whenever I change the name to teller, the system responds with "permit". Now my problem is that when I change the name in the policy stored in the PAP and in the PHP script to "jimi", I get the following error:

<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
            <StatusMessage>No matching root policy found</StatusMessage>
        </Status>
    </Result>
</Response>

Whenever I change the policy, I don't get a "deny" but a "no matching root policy", while I clearly changed the name in the policy to mine. What am I doing wrong here? Where else could the name teller still be used instead of my name?

David Brossard
chr0nk
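The script above only echoes whatever the PDP returns. As an added example (not code from the question or the answer), here is a small PHP helper that parses the XACML 3.0 Response, pulls out the Decision and Status, and enforces the result fail-closed, so that Indeterminate and NotApplicable are treated as Deny at the enforcement point; the function names are hypothetical and the sample response is the one quoted in the question.

```php
<?php
// Added example, not code from the question or the answer: parse a XACML 3.0
// <Response> and enforce it fail-closed. Function names are hypothetical.

const XACML3_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';

// Return the Decision plus StatusCode/StatusMessage from a XACML 3.0 response.
// Input that does not parse is reported as Indeterminate rather than ignored.
function parse_xacml_response(string $xml): array
{
    $doc = @simplexml_load_string($xml);
    if ($doc === false) {
        return ['decision' => 'Indeterminate', 'status' => 'unparseable', 'message' => ''];
    }
    $doc->registerXPathNamespace('x', XACML3_NS);
    $decision = $doc->xpath('/x:Response/x:Result/x:Decision');
    $code     = $doc->xpath('/x:Response/x:Result/x:Status/x:StatusCode/@Value');
    $msg      = $doc->xpath('/x:Response/x:Result/x:Status/x:StatusMessage');
    return [
        'decision' => $decision ? trim((string) $decision[0]) : 'Indeterminate',
        'status'   => $code ? (string) $code[0] : '',
        'message'  => $msg ? trim((string) $msg[0]) : '',
    ];
}

// Only an explicit Permit grants access. Deny, NotApplicable, Indeterminate
// and anything unexpected (including an unparseable body) are enforced as Deny.
function is_permitted(array $result): bool
{
    return $result['decision'] === 'Permit';
}

// Constructed sample: the Indeterminate response quoted in the question.
$sample = '<Response xmlns="' . XACML3_NS . '"><Result><Decision>Indeterminate</Decision>'
    . '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>'
    . '<StatusMessage>No matching root policy found</StatusMessage></Status></Result></Response>';
$r = parse_xacml_response($sample);
printf("%s (%s: %s) -> %s\n", $r['decision'], $r['status'], $r['message'],
    is_permitted($r) ? 'allow' : 'deny');
```

Feed the `$data` string returned by the question's `curl_exec` call to `parse_xacml_response()` and gate the protected action on `is_permitted()`, logging the status code and message whenever the decision is not Permit.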

1 Answer


Your policy

I inspected your policy with the Axiomatics Policy Editor and this is what came back:

[Image: Policy Structure - Axiomatics Policy Editor]

My first comment is that you should add descriptions to all your policies. You can see here that you have 1 policy with a combining algorithm of deny-unless-permit. The policy contains a Permit rule and a Deny rule.

Now, if we inspect the parent policy, we can see there is a target set. The target states that the policy will apply if the incoming user's role is Jimi doing action view on resource-id bank account. This does not make sense given that the first rule inside the policy deals with doctors and medical records. It seems like the rule's description is old, given that the rule's target is empty. Also, it does not make sense to have 2 empty rules the way you do. You need to fix this.

[Image: Details of the policy inside the Axiomatics Policy Editor]

Your request

I loaded your first request into the Axiomatics Simulation tool and got this:

[Image: XACML Request inside the Policy Administration Point]

If I run the request, I get Permit.

[Image: Simulation inside the Axiomatics Policy Administration Point]

Now, if I change the request to user teller instead of Jimi, then I get NotApplicable.

Which PDP are you using? Getting Indeterminate is not according to spec.

David Brossard
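One way to restructure the policy along the lines the answer criticises (added example, not the asker's policy or an edit by the answerer): keep the resource and action matches in the policy target, move the role match into the Permit rule's own target, add descriptions, and drop the empty Deny rule, which deny-unless-permit already makes redundant. The PolicyId and RuleId are placeholders.

```xml
<!-- Added example, not the asker's policy: each rule carries its own target.
     PolicyId and RuleId are placeholders. -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="urn:example:policy:bank-account-view" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <xacml3:Description>Controls the view action on the bank account resource</xacml3:Description>
  <!-- Policy target: which resource and action this policy covers -->
  <xacml3:Target>
    <xacml3:AnyOf><xacml3:AllOf>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bank account</xacml3:AttributeValue>
        <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
        <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
    </xacml3:AllOf></xacml3:AnyOf>
  </xacml3:Target>
  <!-- Rule target: who is permitted. A subject whose role does not match
       (e.g. teller) falls through, and deny-unless-permit then yields Deny
       rather than NotApplicable. -->
  <xacml3:Rule RuleId="permit-role-jimi" Effect="Permit">
    <xacml3:Description>Role Jimi may view the bank account</xacml3:Description>
    <xacml3:Target>
      <xacml3:AnyOf><xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Jimi</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="http://www.axiomatics.com/acs/role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf></xacml3:AnyOf>
    </xacml3:Target>
  </xacml3:Rule>
  <!-- No explicit Deny rule: deny-unless-permit already returns Deny when no
       rule evaluates to Permit. -->
</xacml3:Policy>
```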