wso2 / balana

Apache License 2.0

Fatal errors in evaluating Obligations do not propagate up to the policy #147

Open jimsch opened 4 years ago

jimsch commented 4 years ago

Description: I have an obligation which generates an attribute missing but MustBePresent set to true. The policy generates an effect of "Permit" according to the rule. I believe that this is incorrect behavior and it should result in Indeterminate possibly with a Status about the missing attribute.

Suggested Assignees: With hints about how to go about this I would be willing to try and fix.

Affected Product Version: Current Development tree

OS, DB, other environment details and versions:
Windows 10

Steps to reproduce: Rule in question is:

  <Rule RuleId="ResourceDirectory_4" Effect="Permit">
    <Description>
      Scope with no endpoint given - Get EP name from attributes
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/rd</AttributeValue>
            <AttributeDesignator AttributeId="http://augustcellars.com/ace/scopeName" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <ObligationExpressions>
      <ObligationExpression ObligationId="NewScope" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="http://augustcellars.com/ace/scopeName" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/rd?ep=</AttributeValue>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <AttributeDesignator AttributeId="http://augustcellars.com/ace/endpoint" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
          </Apply>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Rule>

Request

<?xml version="1.0"?>
<Request CombinedDecision="false" ReturnPolicyIdList="true" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute IncludeInResult="true" AttributeId="http://augustcellar.com/ace/endpoint">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ep1</AttributeValue>
  </Attribute>
  <Attribute IncludeInResult="true" AttributeId="http://augustcellars.com/ace/audience">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ResourceDirectory1</AttributeValue>
  </Attribute>
  <Attribute IncludeInResult="true" AttributeId="http://augustcellars.com/ace/resourceId">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1008</AttributeValue>
  </Attribute>
  <Attribute IncludeInResult="true" AttributeId="http://augustcellars.com/ace/scopeName">  
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/rd</AttributeValue>
  </Attribute>
  <Attribute IncludeInResult="true" AttributeId="http://augustcellars.com/ace/scopeAction">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">99</AttributeValue>
  </Attribute>
 </Attributes>
</Request>

Response is

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"><Result><Decision>Permit</Decision><Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status><Obligations><Obligation ObligationId="NewScope"></Obligation></Obligations><PolicyIdentifierList><PolicyIdReference>Resource#6</PolicyIdReference></PolicyIdentifierList><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="http://augustcellars.com/ace/resourceId" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1008</AttributeValue></Attribute>
<Attribute AttributeId="http://augustcellars.com/ace/audience" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ResourceDirectory1</AttributeValue></Attribute>
<Attribute AttributeId="http://augustcellars.com/ace/scopeName" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/rd</AttributeValue></Attribute>
<Attribute AttributeId="http://augustcellar.com/ace/endpoint" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ep1</AttributeValue></Attribute>
<Attribute AttributeId="http://augustcellars.com/ace/scopeAction" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">99</AttributeValue></Attribute>
</Attributes></Result></Response>

Related Issues: I am not aware of any
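
A PEP-side fail-closed check for the kind of response shown in this issue, added here as an example (it is not code from Balana or from the issue author): a Permit is downgraded to Deny when an obligation arrives without the attribute assignment the enforcement point needs. The `REQUIRED` table, the `enforce` and `sample` names, and both sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SCOPE = "http://augustcellars.com/ace/scopeName"

# Assumption: the PEP keeps a table of the obligations it can fulfil and the
# AttributeAssignment ids each one must carry.
REQUIRED = {"NewScope": {SCOPE}}

def enforce(response_xml, required=REQUIRED):
    """Return (decision, reasons). Permit becomes Deny if any obligation is
    unknown to the PEP or lacks a required, non-empty AttributeAssignment."""
    result = ET.fromstring(response_xml).find("x:Result", NS)
    if result is None:
        return "Deny", ["no Result element"]
    decision = result.findtext("x:Decision", default="Indeterminate",
                               namespaces=NS).strip()
    reasons = []
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        oid = ob.get("ObligationId")
        if oid not in required:
            reasons.append(f"unknown obligation {oid}")
            continue
        # Only assignments that actually carry a value count as present.
        present = {a.get("AttributeId")
                   for a in ob.findall("x:AttributeAssignment", NS)
                   if (a.text or "").strip()}
        for missing in sorted(required[oid] - present):
            reasons.append(f"{oid}: no value for {missing}")
    if decision == "Permit" and reasons:
        return "Deny", reasons
    return decision, reasons

def sample(obligation_body):
    """Constructed sample: the issue's response reduced to the relevant parts."""
    return ('<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
            "<Result><Decision>Permit</Decision><Status><StatusCode "
            'Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
            f'<Obligations><Obligation ObligationId="NewScope">{obligation_body}'
            "</Obligation></Obligations></Result></Response>")

EMPTY = sample("")  # same shape as the response reported above
FILLED = sample(f'<AttributeAssignment AttributeId="{SCOPE}" '
                'DataType="http://www.w3.org/2001/XMLSchema#string">'
                "/rd?ep=ep1</AttributeAssignment>")  # constructed expected shape

if __name__ == "__main__":
    print(enforce(EMPTY))
    print(enforce(FILLED))
```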