FIWARE AuthZForce doesn't check the second rule inside the same PolicySet

Question

I have created two roles, on the KeyRock, and for each of them I have linked a different permission

User1->Role1->Perm1(access to Res1)

User2->Role2->Perm2(access to Res2)

After saved, I see on AuthZforce's file system a new domain that it has 3 policies.

The first policy is cm9vdA/. It has a <PolicySet> , a <Policy> and a <Rule Effect="Permit" RuleId="permit-all" /> The last policy has a <PolicySet>, two <Policy> and two rules (one for each permission) The domain's pdp.xml contains a <policyRef> that aims to the last created policy (<policyRef>331409a9-6014-4cfd-9180-f04bb22481f4</policyRef>).

Following there is the policy's xml file.

<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="331409a9-6014-4cfd-9180-f04bb22481f4" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Description>Policy Set for application 3829292cdc25477dace68f376ef79d8b</Description>
<Target/>
<Policy PolicyId="" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Role 9d2ebfde53044d2a8c22df3fe753b630 from application 3829292cdc25477dace68f376ef79d8b</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">3829292cdc25477dace68f376ef79d8b</AttributeValue>
                    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="fe8f4ebb98054feeb26bfc01eb93cce1" Effect="Permit">
        <Description>res1</Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">res1</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">9d2ebfde53044d2a8c22df3fe753b630</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>
<Policy PolicyId="" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Role 729019b1a9d44380b8b74dc788053dde from application 3829292cdc25477dace68f376ef79d8b</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">3829292cdc25477dace68f376ef79d8b</AttributeValue>
                    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="1d9bce94aaf04127b7ec8cfc63d17622" Effect="Permit">
        <Description>res2</Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">res2</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">729019b1a9d44380b8b74dc788053dde</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>

When the User1 tries to access (by Wilma PeP Proxy) to the res1, the matching is true, the condition is satisfied and the Decision is "Permit".

If User1 tries to access to the res2... the Decision is "Deny".

But....

When the User2 tries to access (by Wilma PeP Proxy) to the res2... the Decision is "Deny".

Looking the AuthZforce's log file, I see that the PolicySetId="331409a9-6014-4cfd-9180-f04bb22481f4" is correctly identified but the check stops to the first rule. Infact, it compares the requested resource "res2" with "res1" and denies because they don't match. The check doesn't continue to evaluate the next rule where there is "res2" and the comparison should be true.

Which is the problem?

Thanks for cooperation.

Answer 1

根据FIWARE问题SEC-1043 ，此问题已通过升级到KeyRock v5.4.1和AuthzForce Server v5.4.1来解决。