Search code examples
xacml3wso2-identity-server

Same XACML request different response when I use wso2is and Java application

Hi I’m having problem understand why I get different response when I use the (org.xacmlinfo.xacml.pep.agent.PEPAgent.java) and the tryit function in WSO2IS 5.0.0. They are querying the same policy. 

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="OfficeHours" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" Version="1.0">
  <Description>denyOutsideOfficeHours</Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="PermitInOfficeHours">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">12:00:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"></AttributeDesignator>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

PEPAgent

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute>
</Attributes>
</Request>

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision><Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>
</Status>
</Result>
</Response>

Tryit 

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute></Attributes></Request> 

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result><Decision>Permit</Decision><Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status><PolicyIdentifierList>
<PolicyIdReference>OfficeHours</PolicyIdReference>
</PolicyIdentifierList>
</Result>
</Response>
Solution

  • First of all here are a few comments regarding your policy and rule:

    • the policy description doesn't match the rule description. In one case you say deny, in the other you say Permit.
    • you use a Condition where in fact a Target would be enough.

    Graphical view of the policy in the Axiomatics Policy Server

    Now, as for the different responses: in one case your code (PEPAgent) doesn't send the current time value and the server (is that the PDP?) doesn't add the time either. In the second case, the Tryit client still doesn't send time but obviously the receiving end (another PDP?) fills in the missing time value.

    If you look more closely at your first response, you will notice the following error message:

    <StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>

    This means that you didn't pass in any value for current-time.

    I tested this using the Axiomatics Policy Server and I received the expected behavior.