
Could you please explain to me how I can use the conversion functions from the provided list of XACML functions to create a Condition in a Rule of a Policy? For example, this function:

urn:oasis:names:tc:xacml:3.0:function:integer-from-string

I'm using AuthzForce, and my Apply contains an AttributeValue and an AttributeDesignator. My PDP request contains only string types, and I would like to do the conversion to the needed types in the policy.

I tried to do so, but I got an error message: policyset is invalid.

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:all-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">         
                <AttributeDesignator
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="true"/>
            </Apply>
        </Apply>
    </Apply>
</Condition>
Could you give the full error message? There should be more information about which part of the policy is invalid. Anyway, I see at least one mistake; see my answer. – cdan Feb 03 '22 at 14:23

1 Answer

If you are using AuthzForce (esp. authzforce core), the full error message should give more info about which part of the policy is invalid. Anyway, I see at least one issue (which is a very common mistake when starting with XACML): an AttributeDesignator is considered a Bag of values (i.e. possibly multi-valued). Therefore, you cannot apply the integer-from-string function directly to it, because it takes a simple string value as input, not a Bag. The fix consists in applying one of the *-one-and-only functions (which turn a single-valued bag into a single value) to the AttributeDesignator first, depending on the datatype:

...
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
    <!-- string-one-and-only turns the single-valued bag into one string -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
                AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
                DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
    </Apply>
</Apply>
...

More info

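An added check, written for this page and not part of AuthzForce or the answer above, that scans a policy fragment for exactly the mistake the answer describes: an AttributeDesignator (a bag) passed straight to an Apply whose function takes single values. The list of bag-accepting function names is my own reading of the XACML 3.0 function table, and the sample fragments are constructed from the question's Condition.

```python
import re
import xml.etree.ElementTree as ET

# XACML 3.0 functions whose arguments may be bags (name suffixes and exact names).
# Assembled for this example from the standard's function table, not from AuthzForce.
BAG_ARG_FUNCTIONS = re.compile(
    r"(-one-and-only|-bag-size|-is-in|-at-least-one-member-of|-union"
    r"|-intersection|-subset|-set-equals)$"
    r"|^(any-of|all-of|any-of-any|all-of-any|any-of-all|all-of-all|map)$"
)

def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix so namespaced and bare XACML both work."""
    return tag.split("}")[-1]

def find_bag_misuse(xml_text: str) -> list:
    """Return one message for every AttributeDesignator/AttributeSelector that is
    a direct argument of an Apply whose function takes only single values."""
    problems = []
    for apply_el in ET.fromstring(xml_text).iter():
        if _local(apply_el.tag) != "Apply":
            continue
        func = apply_el.get("FunctionId", "").rsplit(":", 1)[-1]
        if BAG_ARG_FUNCTIONS.search(func):
            continue  # this function legitimately consumes bags
        for child in apply_el:
            if _local(child.tag) in ("AttributeDesignator", "AttributeSelector"):
                problems.append(f"{func} receives bag {child.get('AttributeId')} "
                                "directly; wrap it in a *-one-and-only Apply first")
    return problems

# Constructed samples: the question's Condition, then the answer's fix applied to it.
DESIGNATOR = ('<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue" '
              'AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue" '
              'DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>')
BROKEN = f"""<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:all-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
      {DESIGNATOR}
    </Apply>
  </Apply>
</Condition>"""
FIXED = BROKEN.replace(
    DESIGNATOR,
    '<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">'
    + DESIGNATOR + "</Apply>")

if __name__ == "__main__":
    print(find_bag_misuse(BROKEN))  # one finding on integer-from-string
    print(find_bag_misuse(FIXED))   # []
```

The check only covers the bag-versus-single-value argument mismatch; it does not validate argument counts or datatypes, so AuthzForce's own error message remains the authority.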