I can't figure out how to write a rule that would solve this requirement.
Let's assume I have this request:
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Content>
      <Categories>
        <Category name="cat1">
          <CategoryValue>A</CategoryValue>
          <CategoryValue>B</CategoryValue>
          <CategoryValue>C</CategoryValue>
        </Category>
        <Category name="cat2">
          <CategoryValue>B</CategoryValue>
          <CategoryValue>E</CategoryValue>
          <CategoryValue>F</CategoryValue>
        </Category>
      </Categories>
    </Content>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <Categories>
        <Category name="cat1">
          <CategoryValue>A</CategoryValue>
        </Category>
        <Category name="cat2">
          <CategoryValue>A</CategoryValue>
          <CategoryValue>E</CategoryValue>
          <CategoryValue>F</CategoryValue>
          <CategoryValue>G</CategoryValue>
        </Category>
      </Categories>
    </Content>
  </Attributes>
</Request>
I want to write a policy that contains a rule with a Permit effect when, for each of the Category elements of the resource, the subject has a Category with the same @name, and both of these Category elements have at least one common CategoryValue.
In the example above:
My question is not on which functionId I should use, but how can I combine these conditions so that the rule behaves the way I described? How to compare the GenericValue elements of nodes that have the same @name?
I think I will have to use the string-at-least-one-member-of function between the values of the subject and resource "cat1", then between the subject and resource "cat2", but the real difficulty is that the PDP has no idea of the @name of the Category elements, so I can't hardcode it directly in the rule and I don't know how to select them in particular to perform the check.
Any idea on this?
First of all, your request is invalid. You are missing some elements e.g.
Secondly, I would recommend you do not use XPath in XACML. It makes your policies hard to write (hence your question), hard to maintain, and hard to read (audit). It defeats the purpose of XACML in a way. Let the PEP do the heavy XML processing and send in attributes with attribute values rather than XML content.
In addition, you cannot control the iteration over the different elements / attribute values in the XML in XACML. I can implement your use case with a specific @name value, but I cannot manage to do it over an array of values.
Assuming a single value, you would have to implement a condition as follows:
<xacml3:Rule RuleId="axiomatics-example-xacml30" Effect="Permit" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Target/>
  <xacml3:Condition>
    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
      <xacml3:AttributeSelector Path="/Categories/Category[@name='cat1']/CategoryValue/text()" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
      <xacml3:AttributeSelector Path="/Categories/Category[@name='cat1']/CategoryValue/text()" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
    </xacml3:Apply>
  </xacml3:Condition>
</xacml3:Rule>
But you cannot really iterate over the different values.
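As an added example (not code from the question or the answer), the Python below does what the answer recommends: the PEP parses the Content from the question's request, flattens each Category into an ordinary XACML 3.0 attribute with one AttributeValue per CategoryValue, and evaluates the questioner's requirement itself, i.e. for every resource Category there is a subject Category with the same @name whose values overlap (the same test string-at-least-one-member-of performs for one hard-coded name). The attribute-id scheme urn:example:category:<name> and all function names are assumptions of this example, not anything XACML prescribes.

```python
"""PEP-side pre-processing for the XACML question above (added example).

Assumptions: the attribute-id prefix ``urn:example:category:`` is invented
here; XACML only requires that the policy and the PEP agree on the id.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ATTR_ID_PREFIX = "urn:example:category:"  # assumed id scheme, see docstring

# Constructed sample input: the request from the question (whitespace aside).
REQUEST_XML = """
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Content><Categories>
      <Category name="cat1"><CategoryValue>A</CategoryValue><CategoryValue>B</CategoryValue><CategoryValue>C</CategoryValue></Category>
      <Category name="cat2"><CategoryValue>B</CategoryValue><CategoryValue>E</CategoryValue><CategoryValue>F</CategoryValue></Category>
    </Categories></Content>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content><Categories>
      <Category name="cat1"><CategoryValue>A</CategoryValue></Category>
      <Category name="cat2"><CategoryValue>A</CategoryValue><CategoryValue>E</CategoryValue><CategoryValue>F</CategoryValue><CategoryValue>G</CategoryValue></Category>
    </Categories></Content>
  </Attributes>
</Request>
"""


def categories_of(attributes_el):
    """Map Category/@name -> set of CategoryValue strings for one <Attributes>."""
    cats = {}
    for cat in attributes_el.findall("./Content/Categories/Category"):
        vals = {v.text.strip() for v in cat.findall("CategoryValue") if v.text}
        cats.setdefault(cat.get("name"), set()).update(vals)
    return cats


def parse_request(xml_text):
    """Return {xacml-category-uri: {name: {values}}} for the question's request layout."""
    root = ET.fromstring(xml_text.strip())
    return {a.get("Category"): categories_of(a) for a in root.findall("Attributes")}


def at_least_one_member_of(bag_a, bag_b):
    """Semantics of urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of."""
    return any(a in bag_b for a in bag_a)


def subject_matches_resource(subject_cats, resource_cats):
    """The questioner's rule: for EVERY resource category the subject must hold a
    category of the same name sharing at least one value. An empty resource
    category map is vacuously satisfied; a resource name the subject lacks fails."""
    for name, res_values in resource_cats.items():
        sub_values = subject_cats.get(name)
        if sub_values is None or not at_least_one_member_of(sub_values, res_values):
            return False
    return True


def flatten_request(by_category):
    """Emit a XACML 3.0 <Request> with flat attributes instead of <Content>,
    as the answer recommends. One <Attribute> per category name, one
    <AttributeValue> per value, so string-at-least-one-member-of can be used
    directly on AttributeDesignators and no XPath is needed in the policy."""
    ET.register_namespace("xacml3", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    for category_uri, cats in by_category.items():
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category_uri})
        for name, vals in sorted(cats.items()):
            attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                                 {"AttributeId": ATTR_ID_PREFIX + name, "IncludeInResult": "false"})
            for v in sorted(vals):
                ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": XS_STRING}).text = v
    return ET.tostring(req, encoding="unicode")


def flat_values(flat_xml, category_uri, attribute_id):
    """Read back the values of one flat attribute (used to check the PEP output)."""
    ns = {"x": XACML_NS}
    out = []
    for attrs in ET.fromstring(flat_xml).findall("x:Attributes", ns):
        if attrs.get("Category") != category_uri:
            continue
        for attr in attrs.findall("x:Attribute", ns):
            if attr.get("AttributeId") == attribute_id:
                out += [v.text for v in attr.findall("x:AttributeValue", ns)]
    return out


def pep_decide(xml_text):
    """What the PEP can do itself: evaluate the per-name overlap and return the
    flattened request it would forward to the PDP for the remaining checks."""
    req = parse_request(xml_text)
    ok = subject_matches_resource(req.get(SUBJECT_CAT, {}), req.get(RESOURCE_CAT, {}))
    return ok, flatten_request(req)


if __name__ == "__main__":
    matched, flat = pep_decide(REQUEST_XML)
    print("per-category overlap satisfied:", matched)
    print(flat)
```

With the question's data the check succeeds (cat1 shares A, cat2 shares E and F); a resource category the subject does not carry, or one with no common value, fails it. The PDP then only sees flat attributes such as urn:example:category:cat1, which a rule can compare with two AttributeDesignators and string-at-least-one-member-of, avoiding the AttributeSelector/XPath approach the answer warns against.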