
WSO2 Identity XACML - Support for Condition Statement?


I am having issues with the XACML version 3 syntax validator inside the WSO2 XML editor, which rejects the insertion of a statement. I plan to add an attribute list in place of a single attribute check. Below is a printout of the statement that gets rejected by the XACML syntax validator:

This simple condition with a "string-bag" is throwing a schema error:

<xacml3:Condition>
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Belem</xacml3:AttributeValue>
    </xacml3:Apply>
    <xacml3:AttributeDesignator Category=" urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
  </xacml3:Apply>
</xacml3:Condition>

The error message displayed is:

Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema

This condition using an "or" logical operator is working fine:

<xacml3:Condition>
  <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Brasilia</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
    </xacml3:Apply>
  </xacml3:Apply>
</xacml3:Condition>

The statements that describe the condition, as shown above, are inserted right before the as a final section of that rule.

Does the WSO2 PAP support the use of attribute lists, and if so, could this error be explained by an error in the syntax construction?

I am also looking for a public syntax and schema validator on the Web, a utility that could help debug similar issues with XACML v3 syntax compliance.


Solution

  • The Axiomatics Policy Administration Point tells you exactly where the error in your condition is:

    org.xml.sax.SAXParseException; lineNumber: 13; columnNumber: 99; cvc-complex-type.3.2.2: Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.
        at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
        at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
        at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
        at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
        at org.apache.xerces.impl.xs.XMLSchemaValidator.processAttributes(Unknown Source)
        at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
        at org.apache.xerces.impl.xs.XMLSchemaValidator.startElement(Unknown Source)
        at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
        at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importInputStream(PolicyImporter.java:285)
        at com.axiomatics.delegent.client.commons.importer.PolicyImporter.importFile(PolicyImporter.java:264)
    

    More specifically it says:

    Attribute 'functionid' is not allowed to appear in element 'xacml3:Apply'.

    This is an XML validation error. The XACML schema does not expect an XML attribute called functionid inside the XML element Apply.

    Rather, it expects FunctionId. All you have to do is apply the right capitalization and then the policy imports like a charm.

    BTW any reason why you are using urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of?
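The diagnosis above, that XML Schema attribute names are case-sensitive and that WSO2's generic "not valid according to XACML schema" message hides the detail the Axiomatics PAP prints, can be checked offline before a policy is uploaded. The following Python script is an added example, not code from the original post, from WSO2 or from Axiomatics. It uses only the standard library: it parses a Condition fragment, compares each element's attributes against a hand-written table of the attributes the XACML 3.0 schema defines on Condition, Apply, AttributeValue and AttributeDesignator (the table is assumed complete for those four element types only), reports names that differ from the schema name only by case as well as missing required attributes, and can rewrite the case. The two sample fragments are the question's own (the working one abridged to its first branch), wrapped in the xacml3 namespace declaration they need to parse stand-alone.

```python
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace; the xacml3 prefix in the question's fragments is bound to it.
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"

# (allowed, required) attributes per element type, as defined by the XACML 3.0 schema.
# Hand-written for this example and limited to the elements a Condition contains.
# XML attribute names are case-sensitive, so "functionid" is simply unknown to the validator.
SCHEMA_ATTRS = {
    "Condition": (set(), set()),
    "Apply": ({"FunctionId"}, {"FunctionId"}),
    "AttributeValue": ({"DataType"}, {"DataType"}),
    "AttributeDesignator": (
        {"Category", "AttributeId", "DataType", "MustBePresent", "Issuer"},
        {"Category", "AttributeId", "DataType", "MustBePresent"},
    ),
}

# The fragment the question says is rejected, with the namespace declaration added.
REJECTED_CONDITION = f"""<xacml3:Condition xmlns:xacml3="{XACML3_NS}">
  <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <xacml3:Apply functionid="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Bahia</xacml3:AttributeValue>
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Belem</xacml3:AttributeValue>
    </xacml3:Apply>
    <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
  </xacml3:Apply>
</xacml3:Condition>"""

# The fragment the question says works (first "or" branch only), same treatment.
WORKING_CONDITION = f"""<xacml3:Condition xmlns:xacml3="{XACML3_NS}">
  <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Curitiba</xacml3:AttributeValue>
      <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </xacml3:Apply>
  </xacml3:Apply>
</xacml3:Condition>"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _case_match(name, candidates):
    """Return the schema attribute that differs from `name` only by case, if any."""
    return next((c for c in candidates if c.lower() == name.lower()), None)


def lint_xacml_attributes(xml_text):
    """Return a list of (element, found_attribute, expected_attribute) findings.

    found_attribute is the unknown name as written (None when a required attribute is
    missing outright); expected_attribute is the schema name it should be, or None when
    no schema attribute resembles it.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        name = _local_name(el.tag)
        spec = SCHEMA_ATTRS.get(name)
        if spec is None:
            continue  # element type outside this example's table
        allowed, required = spec
        present = set(el.attrib)
        explained = set()  # required names already accounted for by a case mismatch
        for attr in sorted(present - allowed):
            fix = _case_match(attr, allowed)
            findings.append((name, attr, fix))
            if fix:
                explained.add(fix)
        for attr in sorted(required - present - explained):
            findings.append((name, None, attr))
    return findings


def fix_attribute_case(xml_text):
    """Rename attributes that differ from the schema name only by case and return the
    corrected XML; anything else is left for a real schema validator to report."""
    ET.register_namespace("xacml3", XACML3_NS)
    root = ET.fromstring(xml_text)
    for el in root.iter():
        spec = SCHEMA_ATTRS.get(_local_name(el.tag))
        if spec is None:
            continue
        allowed = spec[0]
        for attr in list(el.attrib):
            fix = None if attr in allowed else _case_match(attr, allowed)
            if fix:
                el.set(fix, el.attrib.pop(attr))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("rejected", REJECTED_CONDITION), ("working", WORKING_CONDITION)):
        print(label, lint_xacml_attributes(doc))
    print(fix_attribute_case(REJECTED_CONDITION))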