AuthZForce PDP not behaving as expected

Question

I've extended a policy set to include a new policy, which means I've added targets to the policies to ensure that a request targets the right policy.

here is the policy set xacml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="P1" Version="1.3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Description>CD Governance PolicySet</Description>
<Target/>
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
    <Description>Reject if the Date is July Policy</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                        MustBePresent="false"
                        />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-not-in:july:rule" Effect="Permit">
     <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                        <AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" 
                            DataType="http://www.w3.org/2001/XMLSchema#date" 
                            MustBePresent="true"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
                    </Apply>
                </Apply>
            </Apply>
        </Apply>
       </Condition>
    </Rule>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
     <Condition>    
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
              <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
           </Apply>
        </Apply>
     </Condition>
  </Rule>
</Policy>
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:app-in:prod:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
    <Description>Reject if the Application is not allowed in Production Policy</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:environment"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                        MustBePresent="true"
                        />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-not-in:prod:rule" Effect="Deny">
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                            <AttributeDesignator 
                                AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
                                DataType="http://www.w3.org/2001/XMLSchema#string" 
                                MustBePresent="true"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                        </Apply>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                        </Apply>
                    </Apply>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-in:prod:rule" Effect="Permit">
        <Condition>    
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
                        DataType="http://www.w3.org/2001/XMLSchema#string" 
                        MustBePresent="true"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>
</PolicySet>

So when I want to check the second policy (whether an App is allowed in Prod) I send a request like:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP1</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Which returns what I expect:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Deny</Decision>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

So far so good.... But when I send this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-08-01</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

I don't get a similar response to the first one (but a Permit), I get this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
            <StatusMessage>Error evaluating &lt;Target&gt;/&lt;AnyOf&gt;#0</StatusMessage>
        </Status>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

Now you might think that the policy is defined incorrectly, so I then sent this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

I got what I expected - A Deny, with not Target missing errors:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Deny</Decision>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

so Why is the PDP getting confused for this one policy (that looks to my eyes the same as the other that works correctly....yes I get a permit when the App is in the list in the policy)?

why does it think the attribute for the target is missing completely (instead of having just the wrong value)? And Why is it doing this for the condition attribute?

score 1 · Accepted Answer · answered Jul 23 '17 at 00:49

1

As the StatusCode/StatusMessage/PolicyIdentifierList say, you get an Indeterminate decision because of a missing attribute that is required to evaluate the (first AnyOf of the) Target of Policy urn:oasis:names:tc:xacml:1.0:app-in:prod:policy. Since MustBePresent=true on the AttributeDesignator in this Target/AnyOf, it is considered an error if no matching attribute is present in the request context (and I assume there is no Attribute Provider enabled). Indeed, there is no attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment" in Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource" in your second Request. Therefore, either you supply such attribute in the request, or set MustBePresent=false (or change the AttributeDesignator), depending on what you want.

Btw, please try to use standard identifiers when possible, so that we don't get confused when looking at your policies; e.g. the standard resource category identifier is urn:oasis:names:tc:xacml:3.0:attribute-category:resource (not urn:oasis:names:tc:xacml:1.0:subject-category:resource).

answered Jul 23 '17 at 00:49

cdan

3,470
13
27

Brilliant...thanks for the pointers. I have changed the category identifiers - finger trouble. I've also set AttributeId="urn:oasis:names:tc:xacml:1.0:environment to set MustBePresent=false, which fixed it. I can understand all this, but what confused me was that this error didn't occur for when the date was in the date-bag. why would this happen? – Paul Pogonoski Jul 23 '17 at 09:37
Yes, if you are referring to your last Request example, as far as I can see, this matches the Target of the first Policy (`...date-in:july:policy`). So the PDP evaluates the first rule (...date-not-in:july:rule) whose condition returns false because the date-in:july:current-date from the request is in the bag, and therefore the 'not' Apply returns false. So the rule does not apply, the PDP goes to the next rule `...date-in:july:rule`. This time, the date is in the bag, so the Condition is true. Therefore, the rule applies and evaluates to Deny (the rule's Effect). – cdan Jul 24 '17 at 17:22
... Since the Policy's rule combining algorithm is deny-overrides, if a rule evaluates to Deny, like in this case, the final Policy result is Deny. So the first Policy returns Deny. Similary, since the PolicySet's policy combining algorithm is deny-overrides, and the first policy returns Deny, the PolicySet result is Deny, no need to go further, the second Policy is not evaluated. [More info on deny-overrides algo](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047270). You can check the evaluation details by changing log level to debug on AuthzForce (logback.xml). – cdan Jul 24 '17 at 17:28
Btw, since you are reusing the same big date bag twice (I think), you can use a VariableDefinition/VariableReference in XACML to avoid such duplicate. – cdan Jul 24 '17 at 17:29

AuthZForce PDP not behaving as expected

1 Answers1