How to achieve security level 3 in FIWARE?

Question

I am deploying FIWARE security GEs (ie, Wilma, AuthzForce, Keyrock) in my computer. Security level 2 (Basic Authorization) is working well, but now I need security level 3 (Advanced Authorization) using XACML.

Long story short, I want a tutorial of implementation security level 3. However, as far as I know, any tutorial or document about security level 3 does not exist.

For now, I create my policy with PAP's API, and change 'custom_policy' option in config.js from 'undefined' to 'policy.js'. And then I create 'policy.js' file into 'PEP/policies', but don't change anything compared with its template file because I don't know what this code does exactly. I think I should make XACML Request form using 'xml' variable. But in my case, PEP gives me the error when I make the XACML Request using 'xml' variable, and return this variable. Here is my error of PEP:

Error: Root - Error in AZF communication <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/S" xmlns:ns2="http://www.w3.org/2005/Atom" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.</message></error>

And here is my 'getPolicy' code (XACML Request) in policy.js. I just made very simple request whether response is permit or not because I'm not sure what I'm doing at that time.:

exports.getPolicy = function (roles, req, app_id) {
    var xml = xmlBuilder.create('Request', {
            'xmlns': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
            'CombinedDecision': 'false',
            'ReturnPolicyIdList': 'false'})
    .ele('Attributes', {
            'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

So, anyone can give me any information about implementation of security level 3?

Answer 1

Upgrade to Wilma 6.2 (bug fixing).

Reuse the code from lib/azf.js which is known to work, and adapt the Request content to your needs. The variable is wrongly called XACMLPolicy there, but don't be mistaken, this is an actual XACML Request . This is using xml2json package to convert the JSON to XML, whereas in your code you seem to use a different one, xmlbuilder maybe? You didn't paste the full code - where does this xmlBuilder variable come from? - so I'm just guessing.

If you are indeed using xmlbuilder package and want to stick with it, I notice that in the example using namespaces , the xmlns attribute is put in a different way:

var xmlBuilder = require('xmlbuilder');

var xml = xmlBuilder.create('Request', { encoding: 'utf-8' })
.att('xmlns', 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17')
.att('CombinedDecision': 'false')
.att('ReturnPolicyIdList': 'false')
.ele('Attributes', {'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

Maybe this makes a difference, I didn't check.

Also feel free to create an issue with your question on Wilma's github to get help from the dev team. (I am not one of them but we've worked together for AuthzForce integration.)

Answer 2

The error you are getting is really

Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.

This is a simple XML validation issue. You need to make sure that the XACML request you send contains the right namespace declaration.

You'll see there is another question on this topic here .

Can you paste your XACML request so we can tell whether it is valid?