Tags: authorization, access-control, xacml, abac, alfa

XACML Rule for Time In Range as a Condition


I would like to write a rule that uses a condition statement to build an XACML function, "urn:oasis:names:tc:xacml:2.0:function:time-in-range", using the ALFA language syntax. For reasons of easy obligation handling, I would prefer to use it inside a condition function, and not in a target expression.
Is this possible? I did not find any reference to it in the manual.

@David Brossard: following the scheme below, I've tested the policy using the following ALFA code:

namespace com.ibm.XACML {
    import Attributes.*
    import attributes.*
    import com.ibm.XACML.Attributes.*

    attribute currentTime {
        id = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
        type = time
        category = environmentCat
    }

    function timeInRange = "urn:oasis:names:tc:xacml:2.0:function:time-in-range" : time time time -> boolean

    // lowerBound = "09:00:00-03:00"
    // upperBound = "18:00:00-03:00"
    // current-time = "02:00:00-03:00" decision permit
    // current-time = "10:00:00-03:00" decision permit
    // current-time = "22:00:00-03:00" decision permit

    policy checkTimeInRange {
        apply firstApplicable
        rule allowWithinRange {
            permit
            condition timeInRange(timeOneAndOnly(currentTime), timeOneAndOnly(timeBag("09:00:00-03:00":time)), timeOneAndOnly(timeBag("19:00:00-03:00":time)))
        }
    }
}

The syntax validation runs OK, but there is an error in the evaluation results returned by the WSO2 PDP code, which gives a "Permit" for all three tests, 02:00:00, 10:00:00 and 22:00:00.

I've isolated the issue. The WSO2 Try-It tool generates "String" as the default, while the XACML function expects a time data type. To fix it, a manual request must be placed, and the logic shown by @David Brossard worked perfectly. Here is a sample request, generating a "Permit":

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">11:00:00-03:00</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

The "TimeInRange" function combined with a Condition statement is very helpful.


Solution

  • From the XACML standard I can read

    urn:oasis:names:tc:xacml:2.0:function:time-in-range

    This function SHALL take three arguments of data-type time and SHALL return a boolean. It SHALL return True if the first argument falls in the range defined inclusively by the second and third arguments. Otherwise, it SHALL return “False”.

    Regardless of its value, the third argument SHALL be interpreted as a time that is equal to, or later than by less than twenty-four hours, the second argument. If no time zone is provided for the first argument, it SHALL use the default time zone at the context handler. If no time zone is provided for the second or third arguments, then they SHALL use the time zone from the first argument.

    ALFA also has that function. It is defined as

    function timeInRange = "urn:oasis:names:tc:xacml:2.0:function:time-in-range" : time time time -> boolean
    

    To use it, simply do:

    policy checkTimeInRange{
        apply firstApplicable
        rule allowWithinRange{
            permit
            condition timeInRange(timeOneAndOnly(currentTime), timeOneAndOnly(lowerBound), timeOneAndOnly(upperBound))
        }
    }
    

    Note that if you are missing any of these values, the PDP will reply with Indeterminate.
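As an added example (not code from the question, the answer, ALFA or WSO2), here is a Python model of the time-in-range semantics quoted above: zone inheritance from the first argument, inclusive bounds, and the rule that the upper bound is read as less than 24 hours after the lower bound, so a 22:00..06:00 window wraps past midnight. It also rejects an AttributeValue whose DataType is not xs:time, the mismatch the question traced to the Try-It tool, and runs the question's three probe times against its 09:00:00-03:00 .. 19:00:00-03:00 window; function names and the UTC default zone are my own choices.

```python
from datetime import date, datetime, time, timedelta, timezone, tzinfo

XSD_TIME = "http://www.w3.org/2001/XMLSchema#time"


def attribute_value_as_time(data_type: str, text: str) -> time:
    """Convert an XACML <AttributeValue> to a time, rejecting the wrong DataType.

    A value sent as xs:string (as the question reports the WSO2 Try-It tool
    does by default) never satisfies a time-typed designator, so fail loudly.
    """
    if data_type != XSD_TIME:
        raise TypeError(f"time-in-range needs {XSD_TIME}, got {data_type}")
    return time.fromisoformat(text)  # accepts literals such as "11:00:00-03:00"


def time_in_range(current: time, lower: time, upper: time,
                  default_tz: tzinfo = timezone.utc) -> bool:
    """urn:oasis:names:tc:xacml:2.0:function:time-in-range, as the quoted spec text reads."""
    # First argument without a zone uses the context handler's default zone.
    zone = current.tzinfo or default_tz
    # Second and third arguments without a zone inherit the first argument's zone.
    ref = date(2000, 1, 1)  # arbitrary anchor day; only the 24h arithmetic matters
    cur = datetime.combine(ref, current, tzinfo=zone)
    lo = datetime.combine(ref, lower, tzinfo=lower.tzinfo or zone)
    hi = datetime.combine(ref, upper, tzinfo=upper.tzinfo or zone)
    day = timedelta(days=1)
    # The upper bound is read as equal to, or less than 24h after, the lower
    # bound, so a 22:00..06:00 range legitimately wraps past midnight.
    span = (hi - lo) % day
    offset = (cur - lo) % day  # distance past the lower bound, wrapped into one day
    return offset <= span      # inclusive at both ends


def in_range(current: str, lower: str, upper: str, default_offset_hours: int = 0) -> bool:
    """Literal-string front end: parse XACML time literals, then evaluate."""
    tz = timezone(timedelta(hours=default_offset_hours))
    return time_in_range(time.fromisoformat(current), time.fromisoformat(lower),
                         time.fromisoformat(upper), tz)


def evaluate_question_cases() -> dict:
    """The question's three probes against its 09:00:00-03:00 .. 19:00:00-03:00 window."""
    lower = attribute_value_as_time(XSD_TIME, "09:00:00-03:00")
    upper = attribute_value_as_time(XSD_TIME, "19:00:00-03:00")
    return {probe: time_in_range(time.fromisoformat(probe), lower, upper)
            for probe in ("02:00:00-03:00", "10:00:00-03:00", "22:00:00-03:00")}
```

Only the 10:00:00-03:00 probe evaluates to True; a PDP returning Permit for all three is therefore not evaluating the time values the policy expects.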