
I am using Authzforce 10.1.1 and I have already created some basic policies; now I'm trying to use the element <AttributeSelector> to compare some values of a resource that I plan to send in the request.

I have been following the XACML documentation at http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf and have even tried some of the examples they give for <AttributeSelector>, with no success.

Policy I want to create


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <Target />
   <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
       <Target>
       </Target>
       <Rule RuleId="Ruleo" Effect="Permit">
           <Condition>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                     <AttributeSelector MustBePresent="false"
                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                     Path="md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
               </Apply>
           </Condition>
       </Rule>
   </Policy>
</PolicySet>

Error I get

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
   <message>Invalid PolicySet with PolicySetId='root', Version=1.0.5</message>
</error>

If I replace <AttributeSelector> with <AttributeDesignator>, the policy is created successfully, so I assume the error is in the <AttributeSelector>, but from the documentation I have read I can't find the error.

Joao Parente

1 Answer


Make sure you have enabled the PDP feature urn:ow2:authzforce:feature:pdp:core:xpath-eval as mentioned in the documentation on PDP properties.

UPDATE 2022-03-10

Then you need to fix a few things in the PolicySet:

  1. Specify the XPath version in a Policy(Set)Defaults / XPathVersion element. I strongly recommend XPath 2.0: <PolicySetDefaults><XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion></PolicySetDefaults>
  2. Specify the XML namespace for the prefix md in the XPath with xmlns:md="..."
  3. [UPDATE 2022-03-14] Change the AttributeSelector Path to "/md:record/md:parentGuardian/md:parentGuardianId/text()" (add a slash at the very start) or more simply "//md:parentGuardianId/text()".

Here is what the fixed PolicySet looks like:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <PolicySetDefaults>
       <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
   </PolicySetDefaults>
   <Target />
   <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
       <Target>
       </Target>
       <Rule RuleId="Ruleo" Effect="Permit">
           <Condition>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                     <AttributeSelector MustBePresent="false"
                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                     Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
               </Apply>
           </Condition>
       </Rule>
   </Policy>
</PolicySet>

Troubleshooting tips to help fix such errors:

  1. Quick-test your policy with AuthzForce Core CLI before pushing to AuthzForce Server. (Set xPathEnabled="true" in the PDP configuration - pdp.xml - to enable XPath support in this case.)
  2. Check logs in /var/log/tomcat9 and /var/log/tomcat9/authzforce-ce
  3. Increase log levels in /opt/authzforce-ce-server/conf/logback.xml, especially for the logger named org.ow2.authzforce.
cdan
  • I did not have this feature enabled, I enabled it now, but it still returns the same error. – Joao Parente Mar 10 '22 at 09:53
  • Still no error in any Tomcat log file in /var/log/tomcat9/ (not only authzforce/error.log)? – cdan Mar 10 '22 at 16:42
  • I tested the policy on my side, I found a couple of issues. Please see my updated answer. – cdan Mar 10 '22 at 22:56
  • I tested the fixed policy in the Core CLI and it worked. I checked the logs, no errors there. Then I changed the log level of org.ow2.authzforce to DEBUG, and now when I run tomcat9 I get an error; if I go to see error.log it says "org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'domainsDaoBean' " – Joao Parente Mar 11 '22 at 10:04
  • Did you try with the PolicySet I posted in my answer? Also I would need the full stacktrace of the BeanCreationException, else it is hard to know the root cause. – cdan Mar 11 '22 at 16:32
  • Rule of thumb: avoid, if you can, attribute selectors as it makes policies harder to write, audit, and understand. Let Policy Information Points or even the PEP do any heavy XML processing. – David Brossard Mar 11 '22 at 19:21
  • Yes, I tried with the PolicySet you posted on the Core CLI. It inserted the policy, but when I made the request I didn't obtain the decision I was hoping for; I don't know if I'm using the correct request syntax. This is the request I'm sending: https://pastebin.com/2Ldt53TN and this is the error when I try to start tomcat9 now that I changed the level to DEBUG on org.ow2.authzforce: https://pastebin.com/EvsuALpR – Joao Parente Mar 12 '22 at 13:49
  • I tried your request with Core CLI and got this error: `The prefix "xsi" for attribute "xsi:schemaLocation" associated with an element type "md:record" is not bound`. To fix it, remove the `xsi:schemaLocation` part (or you need a `xmlns:xsi=...` to bind it to a namespace). After fixing, try again with Core CLI, you should get a Permit decision as I do. Then try again on Authzforce Server. If it fails again, please create a new question / issue, preferably on AuthzForce Server's Github, because it's no longer an AttributeSelector issue now. Also switch log level to INFO for now. – cdan Mar 13 '22 at 22:21
  • I removed the `xsi:schemaLocation` from the request and tried it in the Core CLI, but I get a Deny. – Joao Parente Mar 14 '22 at 10:10
  • My bad, sorry. You also have to fix the Path (XPath), i.e. add a slash at the very start: `Path="/md:record/md:parentGuardian/md:parentGuardianId/text()"` ; or simplify it like this: `Path="//md:parentGuardianId/text()"`. – cdan Mar 14 '22 at 22:35
  • Updated my answer with this fix. – cdan Mar 14 '22 at 22:56
  • Thank you very much, I tried it in the Core CLI, it worked but when I tried to insert it on the AuthZforce Server got an error. I created a question / issue, on AuthzForce Server's Github. – Joao Parente Mar 15 '22 at 10:58
  • OK, I see: https://github.com/authzforce/server/issues/66 I will check it; thanks for creating the issue on GitHub. – cdan Mar 15 '22 at 14:03
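As an added, self-contained model (not code from the question, the answer or AuthzForce): the Condition of Rule Ruleo evaluated in Python over a constructed XACML 3.0 request whose resource <Content> carries the md:record that the AttributeSelector reads. It assumes the md namespace binding from the answer's fixed PolicySet and stands in for XPath with ElementTree lookups, so what it shows is the string-one-and-only and deny-unless-permit semantics behind the Permit/Deny outcomes discussed in the comments, not AuthzForce's XPath engine.

```python
import xml.etree.ElementTree as ET

# Namespace bindings: XACML 3.0 core plus the md prefix, bound as in the answer to the spec's example URI.
NS = {"xacml": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
      "md": "urn:example:med:schemas:record"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
GUARDIAN_ID = "urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id"

def build_request(subject_id, record_ids):
    """Constructed request: one subject attribute plus a resource <Content> record (plain-text values only)."""
    ids = "".join(f"<md:parentGuardianId>{i}</md:parentGuardianId>" for i in record_ids)
    return (f'<Request xmlns="{NS["xacml"]}" ReturnPolicyIdList="false" CombinedDecision="false">'
            f'<Attributes Category="{SUBJECT}"><Attribute AttributeId="{GUARDIAN_ID}" IncludeInResult="false">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{subject_id}</AttributeValue>'
            f'</Attribute></Attributes><Attributes Category="{RESOURCE}"><Content>'
            f'<md:record xmlns:md="{NS["md"]}"><md:parentGuardian>{ids}</md:parentGuardian></md:record>'
            f'</Content></Attributes></Request>')

def attributes_in(root, category):
    return [a for a in root.findall("xacml:Attributes", NS) if a.get("Category") == category]

def designator_bag(root, category, attribute_id):
    """AttributeDesignator: bag of values carried by a named attribute in a category."""
    return [v.text for a in attributes_in(root, category)
            for attr in a.findall("xacml:Attribute", NS) if attr.get("AttributeId") == attribute_id
            for v in attr.findall("xacml:AttributeValue", NS)]

def selector_bag(root, category):
    """AttributeSelector stand-in for //md:parentGuardianId/text() under the category's <Content>.
    ElementTree tag iteration replaces real XPath; the md URI must match the request's binding."""
    tag = "{%s}parentGuardianId" % NS["md"]
    return [n.text for a in attributes_in(root, category)
            for content in a.findall("xacml:Content", NS) for n in content.iter(tag)]

def one_and_only(bag):
    """string-one-and-only: exactly one value, otherwise the function is Indeterminate."""
    if len(bag) != 1:
        raise ValueError(f"Indeterminate: bag holds {len(bag)} values, expected exactly 1")
    return bag[0]

def evaluate(request_xml):
    """Rule Ruleo under deny-unless-permit: Permit only when the Condition is True; False or Indeterminate is Deny."""
    root = ET.fromstring(request_xml)
    try:
        subject = one_and_only(designator_bag(root, SUBJECT, GUARDIAN_ID))
        resource = one_and_only(selector_bag(root, RESOURCE))
        return "Permit" if subject == resource else "Deny"
    except ValueError:
        return "Deny"
```

Runs on the standard library only: a record whose parentGuardianId matches the subject attribute yields Permit, while a missing or duplicated parentGuardianId makes string-one-and-only Indeterminate and the combining algorithm turns that into Deny, which is the silent Deny a missing Content or an unmatched namespace produces in a real PDP.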