Search code examples
xacml3balana

XACML 3.0 and rfc822Name attribute

I am new to XACML. I'm using Balana and I think I got the basic so I am experimenting with Target, Rule and Condition. My policy is made by two rules. First rule applies to everyone have med.example.com (yes the basic example OASIS provides) in ther subject's name and if your subject's name is [email protected] you get a PERMIT as response. I known it is redundant. Second rule says everyone won't satisfy first rule's condition will get back a DENY. What I want to do is to use a rfc822Name attribute both in Target and Condition. Is it possible? This is my policy definition:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17
  http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
  PolicyId="urn:oasis:names:tc:xacml:3.0:example:PolicyWithDENYRule" 
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>
    Medi Corp access control policy
</Description>
<Target />
<Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:OnlyJimShallPass"
    Effect="Permit">
    <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
                    <AttributeDesignator MustBePresent="false"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</AttributeValue>
                    <AttributeDesignator MustBePresent="false"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
        </Apply>
    </Condition>
</Rule>
<Rule Effect="Deny" RuleId="defaultRule" />

While I try to evaluate my request I got this exception:

java.lang.IllegalArgumentException: second arg has to be a bag
2017-05-19 09:33:34 ERROR FileBasedPolicyFinderModule:248 - Fail to load policy : /home/pezzati/workspace/SecurityProofOfConcept/src/test/resources/policywithdenyrule/policy.xml
java.lang.IllegalArgumentException: illegal parameter
at org.wso2.balana.cond.FunctionBase.checkInputsNoBag(FunctionBase.java:419)
at org.wso2.balana.cond.HigherOrderFunction.checkInputs(HigherOrderFunction.java:421)
at org.wso2.balana.cond.Apply.<init>(Apply.java:89)
at org.wso2.balana.cond.Apply.getInstance(Apply.java:227)
at org.wso2.balana.cond.Apply.getInstance(Apply.java:188)
at org.wso2.balana.cond.ExpressionHandler.parseExpression(ExpressionHandler.java:53)
at org.wso2.balana.cond.Condition.getInstance(Condition.java:177)
at org.wso2.balana.Rule.getInstance(Rule.java:237)
at org.wso2.balana.Policy.<init>(Policy.java:303)
at org.wso2.balana.Policy.getInstance(Policy.java:382)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.loadPolicy(FileBasedPolicyFinderModule.java:242)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.loadPolicies(FileBasedPolicyFinderModule.java:202)
at org.wso2.balana.finder.impl.FileBasedPolicyFinderModule.init(FileBasedPolicyFinderModule.java:91)
at org.wso2.balana.finder.PolicyFinder.init(PolicyFinder.java:149)
at org.wso2.balana.PDP.<init>(PDP.java:97)
at edu.pezzati.sec.xaml.XacmlTest.getPDP(XacmlTest.java:20)
at edu.pezzati.sec.xaml.PolicyWithDenyRule.init(PolicyWithDenyRule.java:37)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:675)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)

Why this exception? XACML 3.0 says you can use AttributeDesignator in Condition. Is there any restriction I miss? Complete project can be found here. Look at the PolicyWithDenyRule test.

Solution

  • I made it works. I was confronting two values of different type. I changed my Condition this way:

    <Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal"/>
    <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">[email protected]</AttributeValue>
    <AttributeDesignator MustBePresent="false"
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" />
  </Apply>
</Condition>

    I changed the main function from string-equal to rfc822Name-equal and change the AttributeValue who holds [email protected] from string to rfc822Name. This way main condition's function can check a rfc822Name attribute against a rfc822Name bag of attributes behaving as expected. I also update my project on github, now it works.