authzforce / server

AuthzForce Server (Multi-tenant XACML PDP/PAP - REST API)
https://authzforce-ce-fiware.rtfd.io/
GNU General Public License v3.0

Policy with Attribute Selector #66

Closed Joao-Parente closed 2 years ago

Joao-Parente commented 2 years ago

I was trying to insert a policy in AuthzForce 10.1.1 that uses attribute selectors, but with no success. I tried the same policy in the Core CLI 20.0.0, and it worked; I even tested it with a request.

Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <PolicySetDefaults>
       <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
   </PolicySetDefaults>
   <Target />
   <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
       <Target>
       </Target>
       <Rule RuleId="Ruleo" Effect="Permit">
           <Condition>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
               </Apply>
           </Condition>
       </Rule>
   </Policy>
</PolicySet>

AuthzForce returns:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
    <message>Invalid PolicySet with PolicySetId='root', Version=2.0.1</message>
</error>

If I go and check /var/log/tomcat9/error.log, it says:

...
Caused by: net.sf.saxon.trans.XPathException: Namespace prefix 'md' has not been declared
...

But I think that the "md" namespace is declared with xmlns:md="urn:example:med:schemas:record" in line 2 of the policy.

cdanger commented 2 years ago

Thanks for reporting this. Looks like a bug in AuthzForce Server. I am preparing a new release with the latest version of AuthzForce Core (which was a bit outdated) that should include a fix for this issue.

In the meantime, you can use this workaround: change the AttributeSelector Path to this:

/*:record/*:parentGuardian/*:parentGuardianId/text()
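The failure and both fixes above, as an added Python model that is not part of this issue or of AuthzForce: the XPath engine only knows the prefixes it is explicitly given, so an `xmlns:md` declaration in the PolicySet is useless until the PDP hands that binding to the evaluator, whereas the namespace-wildcard path needs no binding at all. The resource `<Content>` document is constructed, ElementTree stands in for Saxon, and its `{*}name` form is assumed here as the equivalent of the XPath 2.0 `*:name` wildcard.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:example:med:schemas:record"

# Constructed <Content> of the resource category: the XML the issue's
# AttributeSelector would be evaluated against at request time.
RESOURCE_CONTENT = (
    '<md:record xmlns:md="urn:example:med:schemas:record">'
    "<md:parentGuardian><md:parentGuardianId>guardian-42</md:parentGuardianId>"
    "</md:parentGuardian></md:record>"
)

PREFIXED_PATH = "/md:record/md:parentGuardian/md:parentGuardianId/text()"
WILDCARD_PATH = "/*:record/*:parentGuardian/*:parentGuardianId/text()"


def to_et_path(xacml_path):
    """Translate an AttributeSelector Path into ElementTree's XPath subset:
    drop the leading '/' (evaluated below under a synthetic document node),
    drop the trailing text() step (element text is read afterwards) and map
    the XPath 2.0 namespace wildcard '*:name' to ElementTree's '{*}name'."""
    path = xacml_path.strip("/")
    if path.endswith("/text()"):
        path = path[: -len("/text()")]
    return path.replace("*:", "{*}")


def evaluate_selector(content_xml, xacml_path, prefix_map=None):
    """Return the selected string values, or an 'error: ...' string.

    Like the PDP's XPath engine, the evaluator only knows the prefixes in
    prefix_map; xmlns:* declarations in the policy file are not consulted,
    which is why the issue's policy fails although its XML looks correct."""
    document = ET.Element("document")  # stands in for the XPath document node
    document.append(ET.fromstring(content_xml))
    try:
        hits = document.findall(to_et_path(xacml_path), prefix_map or {})
    except SyntaxError as exc:  # ElementTree: "prefix 'md' not found in prefix map"
        return f"error: {exc}"
    return [e.text for e in hits]


if __name__ == "__main__":
    # Prefix used but never bound by the evaluator: the failure from the issue.
    print(evaluate_selector(RESOURCE_CONTENT, PREFIXED_PATH))
    # Prefix bound from the PolicySet's xmlns:md: what the fixed server must do.
    print(evaluate_selector(RESOURCE_CONTENT, PREFIXED_PATH, {"md": MD_NS}))
    # The namespace-wildcard workaround: no prefix binding needed at all.
    print(evaluate_selector(RESOURCE_CONTENT, WILDCARD_PATH))
```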