authzforce / server

AuthzForce Server (Multi-tenant XACML PDP/PAP - REST API)
https://authzforce-ce-fiware.rtfd.io/
GNU General Public License v3.0

PolicySetIdReference within same policyset #51

Closed DemianTinkiel closed 4 years ago

DemianTinkiel commented 4 years ago

I was looking at policy inheritance as defined in https://authzforce-ce-fiware.readthedocs.io/en/latest/UserAndProgrammersGuide.html#re-usable-policies-e-g-for-hierarchical-rbac

and I was wondering if it is possible to refer to a policyset within the same file instead of across 2 different ones as defined in the example

e.g.

PolicySet parent
     PolicySet toInherit
     PolicySet inheriter
            PolicySetIdReference:toInherit

I tried it but computer says no (java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*])

So my question is: Is that by design?

Software version (AuthzForce Core)

authzforce/server:release-8.1.0

Platform JRE

Platform OS

Error stack trace or logs (if any)

Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Matched PolicySet 'rbacroot' (version 0.1.0) is invalid or its content is unavailable
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:214)
    at org.ow2.authzforce.core.pdp.api.policy.BaseStaticRefPolicyProvider.get(BaseStaticRefPolicyProvider.java:113)
    at org.ow2.authzforce.core.pdp.impl.policy.CoreRefBasedRootPolicyProvider.<init>(CoreRefBasedRootPolicyProvider.java:97)
    ... 49 common frames omitted
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Invalid PolicySet in file: /opt/authzforce-ce-server/data/domains/HJW2dLuXEemloQJCrBsAAw/policies/cmJhY3Jvb3Q/0.1.0.xml
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:304)
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.access$100(FlatFileDAORefPolicyProviderModule.java:256)
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:207)
    ... 51 common frames omitted
Caused by: java.lang.IllegalArgumentException: PolicySet[rbacroot#v0.1.0]: Invalid child #1 (PolicySet)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1889)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1852)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2176)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:299)
    ... 53 common frames omitted
Caused by: java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*]
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1667)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1640)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:1704)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:1771)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1914)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1852)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2132)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1884)
    ... 57 common frames omitted

Your code and/or AuthzForce-specific configuration file(s)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="rbacroot" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>Root RBAC PolicySet</Description>
  <Target/>
  <PolicySet PolicySetId="RPS:BasicUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      BasicUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=BasicUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:BasicUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to BasicUser role</Description>
      <Target/>
      <Rule RuleId="service1" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service1</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
      <Rule RuleId="service2" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service2</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SuperUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      SuperUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=SuperUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:SuperUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to SuperUser role</Description>
      <Target/>
      <Rule RuleId="service3" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service3</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>RPS:BasicUser</PolicySetIdReference>
  </PolicySet>
</PolicySet>

transferred from https://github.com/authzforce/core/issues/48

cdanger commented 4 years ago

Yes, this is by design: only standalone PolicySets (with a URL like .../policies/P1 for the latest version or .../policies/P1/X.Y for a specific version X.Y) may be used in policy references from other policies. FYI, the policy provider used in this case is FlatFileDAORefPolicyProviderModule. Could be improved.
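
The layout the answer describes, as an added example (this is not code from the issue or from AuthzForce): take a root PolicySet that nests its role PolicySets, hoist every nested PolicySet out into its own standalone document, and leave a PolicySetIdReference in its place, so that each reference targets something the flat-file provider can look up. The sample root PolicySet is a constructed, trimmed version of the posted rbacroot (same ids, same nesting, rules emptied). The reference check reproduces the load-time failure from the trace: run on the unsplit document, it reports RPS:BasicUser as unresolvable, exactly the id in "No PolicySet matching reference". The file-path helper is an assumption: it reproduces the one path visible in the trace (rbacroot -> cmJhY3Jvb3Q/0.1.0.xml, i.e. base64 of the id with padding stripped), but the page does not show which base64 alphabet the provider uses for ids whose encoding contains '+' or '/'.

```python
"""Flatten a nested XACML 3.0 PolicySet into standalone documents so that
every PolicySetIdReference points at a standalone PolicySet."""
import base64
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PS_TAG = f"{{{XACML_NS}}}PolicySet"
REF_TAG = f"{{{XACML_NS}}}PolicySetIdReference"
ET.register_namespace("", XACML_NS)  # serialize with a default namespace

# Constructed sample: the issue's rbacroot layout, trimmed. RPS:BasicUser is
# nested in the root and referenced from RPS:SuperUser, which the flat-file
# provider cannot resolve because RPS:BasicUser is not a standalone policy.
ROOT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="rbacroot" Version="0.1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Target/>
  <PolicySet PolicySetId="RPS:BasicUser" Version="1.0"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target/>
    <Policy PolicyId="PPS:BasicUser" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Target/>
      <Rule RuleId="service1" Effect="Permit"/>
    </Policy>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SuperUser" Version="1.0"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Target/>
    <PolicySetIdReference>RPS:BasicUser</PolicySetIdReference>
  </PolicySet>
</PolicySet>
"""


def split_policysets(root_xml: str) -> dict:
    """Return {PolicySetId: standalone XML} for the root and every nested
    PolicySet. Each nested definition is replaced in its parent by a
    PolicySetIdReference at the same position, so combining order is kept.
    Nested PolicySets are flattened recursively, deepest first."""
    root = ET.fromstring(root_xml)
    docs = {}

    def hoist(ps):
        for child in list(ps):
            if child.tag != PS_TAG:
                continue
            hoist(child)  # flatten the child's own nested PolicySets first
            ref = ET.Element(REF_TAG)
            ref.text = child.get("PolicySetId")
            ref.tail = child.tail
            ps.insert(list(ps).index(child), ref)
            ps.remove(child)
        docs[ps.get("PolicySetId")] = ET.tostring(ps, encoding="unicode").strip()

    hoist(root)
    return docs


def unresolved_references(docs: dict) -> dict:
    """{PolicySetId: [missing target ids]} for every PolicySetIdReference
    whose target is not itself a standalone document. This mirrors the
    check the PDP applies when it loads the root policy."""
    available = set(docs)
    missing = {}
    for ps_id, xml in docs.items():
        el = ET.fromstring(xml)
        refs = {r.text.strip() for r in el.iter(REF_TAG) if r.text}
        if refs - available:
            missing[ps_id] = sorted(refs - available)
    return missing


def policy_file_path(ps_id: str, version: str) -> str:
    """Path under .../policies/ where the flat-file provider stores a
    standalone PolicySet. Assumption: directory name is the base64 encoding
    of the id with '=' padding stripped, which reproduces the trace's
    cmJhY3Jvb3Q/0.1.0.xml for rbacroot; the alphabet used for '+' and '/'
    is not shown on the page."""
    enc = base64.urlsafe_b64encode(ps_id.encode()).decode().rstrip("=")
    return f"{enc}/{version}.xml"


if __name__ == "__main__":
    print("unsplit:", unresolved_references({"rbacroot": ROOT_XML}))
    flat = split_policysets(ROOT_XML)
    print("split:  ", unresolved_references(flat))
    for ps_id, xml in flat.items():
        print(f"--- {ps_id} -> {policy_file_path(ps_id, '1.0')}\n{xml}\n")
```

Each document in the result is what would be uploaded to the domain's PAP as a separate policy; the root then contains only PolicySetIdReference children and is the only document that needs to be set as the domain's root policy. Running the reference check on the unsplit document before uploading catches the mismatch at authoring time rather than as an IndeterminateEvaluationException when the PDP loads.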

DemianTinkiel commented 4 years ago

I see, thanks for the answer. If you have any improvements in mind for the provider assign me a ticket and we can discuss it there, might as well do something useful with my isolation time 😋

cdanger commented 4 years ago

Alright, I'll keep that in mind :-)