
XACML Editor using <Condition> and String Comparison

Referring to the implementation of the <Condition> logic (true/false) in the WSO2 editor: why does the XACML Version 3 policy editor reject any other string-oriented compare function, except the use of "urn:oasis:names:tc:xacml:1.0:function:string-is-in"?

Example: Accepted syntax

<Rule Effect="Deny" RuleId="Deny-Rule1">
  <Target></Target>
   <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
               <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://w3.red.com/subject/groupsUserBelong" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
      ..

Example of syntax causing an error: all other string comparison functions, including the REGEX function:

<Rule Effect="Deny" RuleId="Deny-Rule1">
  <Target></Target>
   <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:string-contains">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
               <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://w3.red.com/subject/groupsUserBelong" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
         </Apply>
      </Condition>
      ..

The present error often causes a need to revert the general policy scheme, moving from a "Deny" effect to a "Permit" effect in combination with a "match" logic, which is not welcome from a developer standpoint, as the "Deny" rules usually have much richer functionality, like detailed ObligationExpressions for error handling. Applying the <Condition> statement usually produces more comprehensive code in this situation.

I would appreciate advice on how to use the <Condition> statement together with general String comparison functions, like:

. urn:oasis:names:tc:xacml:1.0:function:string-equal
. urn:oasis:names:tc:xacml:3.0:function:string-contains
. urn:oasis:names:tc:xacml:1.0:function:string-regexp-match
. urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case

or other String-related operations that generate a boolean outcome.

Trying to achieve the same logic with ALFA; here is the source:

namespace com.red.XACML {
    import Attributes.*
    import attributes.*
    import com.red.XACML.Attributes.*

    rule notBGroups {
        deny
    }

    rule bGroupsCobMail {
        target
        condition
            stringOneAndOnly(subjectAttributes.groupsUserBelong)=="myGroup"
        permit
    }

    policy bGroups {
        apply firstApplicable
        bGroupsCobMail
        notBGroups
    }
}

This also throws the same error message as via the WSO2 Try-It function:

<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:string-one-and-only expects a bag that contains a single element, got a bag with 7 elements</StatusMessage>
</Status>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myname@red.com</AttributeValue>
</Attribute>
</Attributes>
</Result>
</Response>

Looks like the AttributeDesignator bag needs another cycle of iterations to be able to parse the elements. How can we achieve this?

Latest update: Got into some circle here, not having advanced in the testing due to syntax rejection at the WSO2 XML editor.

The issue is that the Attribute Designator for the AttributeId "http://w3.red.com/subject/groupsUserBelong" returns a list of seven elements. The seven elements reflect all data for the subject, so logically the value of 7 makes sense.

My logic is as follows: I have defined a group name variable, indeed a String like "myGroup"; then I need to iterate the 7 elements of the LinkedHashSet returned from the PIP, relevant or not, and scan each of the elements searching for a pattern (or word) like "myGroup". Once equality is found, a boolean "true" is set as the outcome. Now at the outer section of the condition, I plan to add a NOT function to reverse the boolean state, so the condition will generate a "Deny" in case the group is not found, and by this trigger the ObligationExpression with detailed error messages.

Looks like the core issue is how to iterate the list of seven elements and how to find the word inside one element, as string-subset is not finding the word and other functions are not accepted.

 <Condition> 
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> 
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
                  <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://w3.ibm.com/subject/groupsUserBelong" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator> 
               </Apply> 
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue> 
            </Apply> 
         </Apply> 
      </Condition> 

<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:string-one-and-only expects a bag that contains a single element, got a bag with 7 elements</StatusMessage>
</Status>

   <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <!--Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset"-->
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
                  </Apply>
                  <AttributeDesignator AttributeId="http://w3.ibm.com/subject/groupsUserBelong" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Apply>
            </Apply>
         </Condition>
<Result>
<Decision>Deny</Decision>

Conclusion: the condition did not find the group.

Other syntax constructions are rejected by the editor by this message:

Entitlement policy is not updated. Error is :Unsupported Entitlement Policy. Policy can not be parsed 

Latest Update: This behaviour looks like a bug in the WSO2 Policy XML Editor. The tool lacks support for:

A.3.12 Higher-order bag functions

for example: sample any-of-any

for supported logic see: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html

The issue can be simulated with the following "Condition" statements:

<Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
               </Apply>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
               </Apply>
            </Apply>
      </Condition>

If you want to compare 2 bags, eg

  • userCitizenship
  • allowedCitizenships

you can do the following:

Case #1

  • userCitizenship is single-valued
  • allowedCitizenships is single-valued

You can use stringOneAndOnly(userCitizenship)==stringOneAndOnly(allowedCitizenships)

Case #2

  • userCitizenship is single-valued
  • allowedCitizenships is multi-valued

(or the other way round)

  1. You can use stringIsIn(stringOneAndOnly(userCitizenship), allowedCitizenships).
  2. You can also use a higher-order function, eg anyOf or allOf, as follows: anyOf(function[stringEquals], allowedCitizenships, stringOneAndOnly(userCitizenship)).

Case #3

  • Both bags are multi-valued.

  Here are your options:

    1. You can use stringAtLeastOneMemberOf(userCitizenship, allowedCitizenships). This function works on bags.
    2. You can use a higher-order function AnyOfAny(function[stringEquals], userCitizenship, allowedCitizenships).

There are many more higher-order functions you can use in XACML to achieve the exact behavior you are looking for.
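To see why the three <Condition> variants in the question behave differently (Indeterminate vs. Deny vs. NotApplicable) and how the three cases in the answer map onto bag functions, here is an added Python model of the XACML bag-function semantics. It is not code from the post, from WSO2 or from ALFA, it models only the functions named in this thread (no policy parsing or combining algorithms), and the seven group values in GROUPS_USER_BELONG are constructed sample data.

```python
import re
class ProcessingError(Exception): pass   # PDP reports this as Indeterminate / processing-error

# Constructed stand-in for the 7-element bag the PIP returns for
# http://w3.red.com/subject/groupsUserBelong (the values are made up).
GROUPS_USER_BELONG = ["staff", "myGroup", "dev", "ops", "finance", "audit", "guests"]

def string_one_and_only(bag):   # urn:oasis:names:tc:xacml:1.0:function:string-one-and-only
    if len(bag) != 1:
        raise ProcessingError("string-one-and-only expects a bag that contains "
                              f"a single element, got a bag with {len(bag)} elements")
    return bag[0]

def string_equal(a, b):                 # ...:1.0:function:string-equal
    return a == b
def string_contains(a, b):              # ...:3.0:function:string-contains (a inside b)
    return a in b
def string_regexp_match(pattern, s):    # ...:1.0:function:string-regexp-match
    return re.search(pattern, s) is not None
def string_is_in(value, bag):           # ...:1.0:function:string-is-in
    return value in bag
def string_at_least_one_member_of(bag_a, bag_b):  # ...:1.0:function:string-at-least-one-member-of
    return any(a in bag_b for a in bag_a)

def any_of(func, *args):
    # ...:3.0:function:any-of: exactly one argument is a bag; func is applied
    # once per bag member with the other arguments kept in their positions.
    i = next(k for k, a in enumerate(args) if isinstance(a, list))
    return any(func(*args[:i], member, *args[i + 1:]) for member in args[i])

def any_of_any(func, bag_a, bag_b):     # ...:3.0:function:any-of-any
    return any(func(a, b) for a in bag_a for b in bag_b)

def decide(condition, effect="Deny"):
    # Evaluate a rule <Condition> the way a PDP does: a processing error becomes
    # Indeterminate, true yields the rule's Effect, false yields NotApplicable.
    try:
        return effect if condition() else "NotApplicable"
    except ProcessingError:
        return "Indeterminate"

def deny_unless_member(group, bag=GROUPS_USER_BELONG):
    # The variant from the thread that evaluated cleanly:
    # not(string-at-least-one-member-of(string-bag(group), groupsUserBelong))
    return decide(lambda: not string_at_least_one_member_of([group], bag))

def deny_via_one_and_only(group, bag=GROUPS_USER_BELONG):
    # The failing variant: string-one-and-only applied to the multi-valued bag.
    return decide(lambda: not string_equal(string_one_and_only(bag), group))
```

Scanning each element for a word or pattern, as the question asks, is any_of(string_contains, "myGroup", GROUPS_USER_BELONG) or any_of(string_regexp_match, "^my", GROUPS_USER_BELONG); whether the WSO2 editor accepts the corresponding XML is the separate tooling issue the thread reports.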
