2

I am deploying FIWARE security GEs (i.e., Wilma, AuthzForce, Keyrock) in my computer. Security level 2 (Basic Authorization) is working well, but now I need security level 3 (Advanced Authorization) using XACML.

Long story short, I want a tutorial on implementing security level 3. However, as far as I know, no tutorial or document about security level 3 exists.

For now, I create my policy with the PAP's API, and change the 'custom_policy' option in config.js from 'undefined' to 'policy.js'. Then I create a 'policy.js' file in 'PEP/policies', but I don't change anything compared with its template file because I don't know exactly what this code does. I think I should build the XACML Request using the 'xml' variable. But in my case, the PEP gives me an error when I build the XACML Request using the 'xml' variable and return this variable. Here is the error from the PEP:

Error: Root - Error in AZF communication <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/S" xmlns:ns2="http://www.w3.org/2005/Atom" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"><message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.</message></error>

And here is my 'getPolicy' code (XACML Request) in policy.js. I just made a very simple request to check whether the response is Permit or not, because I'm not sure what I'm doing at this point:

var xmlBuilder = require('xmlbuilder'); // assumed: the question does not show where xmlBuilder comes from

exports.getPolicy = function (roles, req, app_id) {
    // Note: xmlbuilder's second argument to create() holds XML declaration options
    // (version, encoding, standalone), so the attributes given here do not end up on <Request>.
    var xml = xmlBuilder.create('Request', {
            'xmlns': 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17',
            'CombinedDecision': 'false',
            'ReturnPolicyIdList': 'false'})
        .ele('Attributes', {
            'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

    // Serialize the whole document to a string and hand it back to the PEP,
    // which sends it to AuthzForce (assumed: this is what "return this variable" does).
    return xml.end();
};

So, anyone can give me any information about implementation of security level 3?

weepi
  • 35
  • 6

2 Answers

3

Upgrade to Wilma 6.2 (bug fixing).

Reuse the code from lib/azf.js which is known to work, and adapt the Request content to your needs. The variable is wrongly called XACMLPolicy there, but don't be mistaken, this is an actual XACML Request. It uses the xml2json package to convert the JSON to XML, whereas in your code you seem to use a different one, xmlbuilder maybe? You didn't paste the full code - where does this xmlBuilder variable come from? - so I'm just guessing.

If you are indeed using xmlbuilder package and want to stick with it, I notice that in the example using namespaces, the xmlns attribute is put in a different way:

var xmlBuilder = require('xmlbuilder');

// create() only takes XML declaration options; the namespace and the
// Request attributes are set on the element itself with .att()
var xml = xmlBuilder.create('Request', { encoding: 'utf-8' })
    .att('xmlns', 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17')
    .att('CombinedDecision', 'false')
    .att('ReturnPolicyIdList', 'false')
    .ele('Attributes', {'Category': 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject'});

Maybe this makes a difference, I didn't check.

Also feel free to create an issue with your question on Wilma's github to get help from the dev team. (I am not one of them but we've worked together for AuthzForce integration.)

cdan
  • 3,470
  • 13
  • 27
  • Wow, thanks for your answer. I will try this later. And I have one more question. There is an XACML section when I create a permission in Keyrock (below the verb+path section); what is it? Do I need to write something in that section to achieve level 3? – weepi Jul 11 '17 at 03:40
  • Is the section title only "XACML" or "XACML rule"? This should be where you can write a XACML Rule manually (without xmlns stuff), e.g. `...`. It will be combined with the other permissions. Every one in verb+path form is converted to a XACML Rule (cf. [conversion templates](https://github.com/ging/horizon/tree/master/openstack_dashboard/templates/access_control) ). – cdan Jul 15 '17 at 12:32
  • In the end, you get one XACML Rule per permission, one per role (combining all those Rules); and one for the application (combining all those s); and this PolicySet is the piece that is sent to AuthzForce. – cdan Jul 15 '17 at 12:32
0

The error you are getting is really

Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Request'.

This is a simple XML validation issue. You need to make sure that the XACML request you send contains the right namespace declaration.

You'll see there is another question on this topic here.

Can you paste your XACML request so we can tell whether it is valid?

David Brossard
  • 13,584
  • 6
  • 55
  • 88
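As an added example covering both answers above (not code from the question, from Wilma or from AuthzForce): a getPolicy-style builder that puts the XACML 3.0 namespace on the Request root and fills the standard subject, resource and action categories, plus a pre-flight check that catches the missing-namespace case behind the cvc-elt.1 error before the request leaves the PEP. The attribute id carrying the app_id is a hypothetical one chosen here.

```javascript
// Added example, not Wilma's own code: it builds a XACML 3.0 Request the way the
// policy.js hook must, then checks the root namespace before sending it to AuthzForce.
const XACML_NS = 'urn:oasis:names:tc:xacml:3.0:core:schema:wd-17';
const STRING = 'http://www.w3.org/2001/XMLSchema#string';
const CAT = {
  subject: 'urn:oasis:names:tc:xacml:1.0:subject-category:access-subject',
  resource: 'urn:oasis:names:tc:xacml:3.0:attribute-category:resource',
  action: 'urn:oasis:names:tc:xacml:3.0:attribute-category:action',
};
// The first three attribute ids are standard XACML identifiers; the last is a
// hypothetical id chosen here to carry Wilma's app_id (an assumption, not Wilma's own).
const ID = {
  role: 'urn:oasis:names:tc:xacml:2.0:subject:role',
  resource: 'urn:oasis:names:tc:xacml:1.0:resource:resource-id',
  action: 'urn:oasis:names:tc:xacml:1.0:action:action-id',
  app: 'urn:example:fiware:application-id',
};

// Escape text so role names and request paths cannot inject markup into the Request.
function esc(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]));
}

function attr(id, value) {
  return `<Attribute AttributeId="${id}" IncludeInResult="false">` +
    `<AttributeValue DataType="${STRING}">${esc(value)}</AttributeValue></Attribute>`;
}

// Same parameters as the getPolicy(roles, req, app_id) hook shown in the question.
function buildXacmlRequest(roles, req, appId) {
  const subject = roles.map((r) => attr(ID.role, r)).join('');
  const resource = attr(ID.resource, req.path) + attr(ID.app, appId);
  const action = attr(ID.action, req.method);
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    `<Request xmlns="${XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">` +
    `<Attributes Category="${CAT.subject}">${subject}</Attributes>` +
    `<Attributes Category="${CAT.resource}">${resource}</Attributes>` +
    `<Attributes Category="${CAT.action}">${action}</Attributes></Request>`;
}

// Pre-flight check for the cvc-elt.1 error in the question: the root element must be
// <Request> in the XACML 3.0 default namespace, otherwise AuthzForce rejects the document.
function hasXacmlRootNamespace(xml) {
  const m = /<Request\b([^>]*)>/.exec(xml);
  return m !== null && new RegExp(`(^|\\s)xmlns="${XACML_NS}"`).test(m[1]);
}
```

Call buildXacmlRequest(roles, req, app_id) from the policy.js hook and run hasXacmlRootNamespace on the result before handing it to AuthzForce.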