CODEWITHSUNDEEP
wso2xacmlwso2-identity-server
Claudio Venturini
Claudio Venturini

Reputation: 698

XACML - How to get the list of policies used in the decision?

The XACML standard states that if the request specifies the attribute ReturnPolicyIdList="true", the PDP should return a list of all fully applicable policies and policy sets which were used in the decision.

I tried it with WSO IS 5.0 (with the latest service pack), but it seems to work only in a few cases. This is the first test policy: it permits write access to user admin on every file ending with .dcm.

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="PolicyTest" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
    <Target></Target>
    <Rule RuleId="Rule1" Effect="Permit">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^.*.dcm$</AttributeValue>
                        <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator MustBePresent="true" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="DefaultRule" Effect="Deny"></Rule>
</Policy>

And this is the example request (read access on file.dcm):

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject1">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action1">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource1">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">file.dcm</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

If this is the only policy active in the PDP, the XACML response is correct (permit) and includes the list of IDs of all the policies used for the decision:

<Response>
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
        <PolicyIdentifierList>
            <PolicyIdReference>PolicyTest</PolicyIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

If I add any other policy (whose target is applicable for the request) I get an error. Specifically I tried to add a policy identical to the first one, except that it refers to write actions instead of read:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="PolicyTest" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
    <Target></Target>
    <Rule RuleId="Rule1" Effect="Permit">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^.*.dcm$</AttributeValue>
                        <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                        <AttributeDesignator MustBePresent="true" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="DefaultRule" Effect="Deny"></Rule>
</Policy>

The log shows the following 2 errors (I omit the complete stack trace, but I can post it if you need it).

1st error:

TID[-1234] [IS] [2015-07-03 12:41:34,550] ERROR {org.apache.axis2.rpc.receivers.RPCMessageReceiver} - Exception occurred while trying to invoke service method getDecision
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)

2nd error:

TID[-1234] [IS] [2015-07-03 12:41:34,558] ERROR {org.wso2.carbon.identity.entitlement.ui.client.EntitlementServiceClient} - Error occurred while policy evaluation

How can I get it to work? Is there any setting to change or it's a bug?

Thank you!

Upvotes: 1

Views: 635

Answers (1)

David Brossard
David Brossard

Reputation: 13834

According to the XACML standard, if you set ReturnPolicyIdList to true, then the PDP shall reply with the list of policy and policy set identifiers used in the request.

Here is a sample XACML 3.0 request (it's empty, i.e. it doesn't have any attributes)

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" 
xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

And here is a sample response.

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
    <xacml-ctx:PolicyIdentifierList>
      <xacml-ctx:PolicyIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/f8d86878-d458-472a-968d-1fd6c9655669</xacml-ctx:PolicyIdReference>
      <xacml-ctx:PolicySetIdReference Version="1.0">http://www.axiomatics.com/automatic-unique-id/21e6e472-d363-4ea9-990d-3fa03512b747</xacml-ctx:PolicySetIdReference>
    </xacml-ctx:PolicyIdentifierList>
  </xacml-ctx:Result>
</xacml-ctx:Response>

The response clearly conatins the list of policy identifiers inside the PolicyIdentifierList element.

I tested this on the Axiomatics Policy Server and it works just fine. WSO2 IS is only a partial implementation so either it's a missing feature or a bug.

Upvotes: 1

Related Questions