wso2editoridentityxacmlwso2-identity-server
WSO2 Identity / XACML Evaluation for Standard Editor / Any Debug Feature Available?
having difficulties to interpret the "Try It" result data from a policy definition made by a WSO2 XACML standard editor.
Questions about the handling of the XACML engine and definitions:
- Is there a debug support available that shows the partial results from each rule and statement evaluation?
- Does the boolean logic apply to "or", "and" combinations?
- Is there a tool available to modify the default attribute values (string), like for example the use of "current-time" attribute as a valid environment setting?
Policy (typed by Standard Editor)
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="TodaysPolicy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Description>Standard Editor Doctor Rule </Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(http:)</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="DoctorAdmin">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(http:)</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">07:00:00 05:00</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-less-than">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">20:00:00 05:00</AttributeValue>
</Apply>
</Apply>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
Request (generated by Try It)
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">08:00:00 05:00</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:9444/medicalrecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
Results via [Test Evaluate]
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>NotApplicable</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>
Thanks in advance for your guidance.
Solution
The debug feature is missing indeed in WSO2. I write and test all my policies using the Axiomatics Policy Administration Point and its alfa plugin.
I tried your policy within the PAP. This is what it looks like when expanded inside the PAP.
Now I checked your XACML request too.
There one major reason why your policy won't work.
- the policy expects a resource id but your request sends in an environment id.
That said, there are other issues with your policy:
- first of all you use a string-regexp-match on resource-id but in fact you should use string-starts-with since what you want to do is check that the string starts with http://. You would also want to make that an anyURI type not a string.
- secondly you do the check twice: once in the policy and once in the rule. Once is enough, not twice.
- thirdly you compare subject-id to doctor. Doctor is a role not a subject id so create an attribute for that
- you use environment-id to convey the current time when in fact there is an attribute in XACML for that called urn:oasis:names:tc:xacml:1.0:environment:current-time.
- you use conditions for things you could easily express in a target.
- lastly you put too much logic in the condition e.g. the 4 different actions which you could split across 4 rules.
- Can't Loop over JSON Array from JSON Property in WSO2 ESB
- How to increase CARBON_LOGFILE when building docker image from base image?
- UserNotFound Error for Existing Role in WSO2 IS 7.0.0 XACML Policy
- How to get username of API caller in wso2 apim in Basic Authorization?
- WSO2 calls not showing on fiddler
- Compatibility Issue: WSO2 MI 4.1 with MongoDB Connector v2.0.0 and MongoDB 6.x Driver
- What exactly is the difference between "WSO2 API Manager" and "WSO2 Data Analytics Server" and "WSO2 Application Server"?
- How to pass a value from inSequence to outSequence in WSO2 ESB?
- Import Backend services description into WSO2 APIM
- Is there a way to add username in API Log in WSO2 APIM?
- Not able to setup WSO2 APIM Analytics
- WSO2 Enterprise Integrator (wso2ei-6.6.0) - Deploying a Clustered Setup
- WSO2 ESB: Handling Retries and Error Codes in Message Processor with Multiple Message Stores
- How to make gRPC request in WSO2 micro-integrator via Postman?
- How to pass Authorization Header WSO2 (API Manager) to my backend service?
- Prevent WSO2 AM of dropping authorization token from request
- Does WSO2 APK(API Platform for Kubernetes) have Graphical User Interface such as DevPortal and Publisher and Admin , ....?
- How to remove <?xml version='1.0' encoding='UTF-8'?> tag from the dss output in WSO2 MI
- WSO2 Multipart Binary Passthrough and MultipartFormData
- receive and pass JWT response through WSO2
- WSO2 Enterprise Integrator (wso2ei-6.6.0) - Query Parameters Not Getting Passed Properly
- The WSO2 EI Iterate Mediator does not end after completing the process. How can I resolve this?
- WSO2 Loop through Json array
- ELK Stack Integration not working with WSO2 API Manager
- Why "save" button is disabled in WSO2 APIM Publisher at Runtime tab.? In some APIs button is disabled
- Web Socket API - does not work when adding a variable
- wso2 custom class mediator database connection issue and external jar not picking
- WSO2 APIM 4.2.0 update to 4.3.0
- Pass query parameters to wso2 dss service
- "Could not add subscription" error when WSO2 API Manager starts