search

wso2 / balana

Apache License 2.0
122 stars 108 forks source link

XACML generated from ALFA parsing issue: Condition handling #156

Open Vaevictus opened 2 years ago

Vaevictus commented 2 years ago

Description: ALFA code as follows will generate XACML that is not uploadable via policy administration:

namespace AcmeCorp 
{
    import intelfs.attributes.*

    import Attributes.*

    policy buildingAccess 
    {
        target clause iie.resourceType == "door"
        apply denyOverrides

        rule openMainDoor 
        {
            target clause iie.resourceType == "mainDoor" and actionId == "open"
            permit
            condition user.role == "employee" 
        }
    }
}

the generated XACML is as follows:

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).--><!--Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="AcmeCorp.buildingAccess" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <xacml3:Description/>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">door</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="AcmeCorp.buildingAccess.openMainDoor">
        <xacml3:Description/>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mainDoor</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">open</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml3:AttributeValue>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>

when uploading via Home > Policy Administration -> Add new entitlement policy in WSO2 the following error is visible:

 ERROR {org.wso2.carbon.identity.entitlement.pap.PAPPolicyReader} - Error while parsing the policy java.lang.IllegalArgumentException: The arguments can be are either primitive data types or bags of primitive types. urn:oasis:names:tc:xacml:3.0:function:any-of-any

at org.wso2.balana.cond.xacml3.XACML3HigherOrderFunction.checkInputs(XACML3HigherOrderFunction.java:171) (truncated)

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions: WSO2 identity server v 5.11.0 via the docker container wso2/wso2is:latest

Steps to reproduce: Generate XACML via Visual Studio Code axiomatics ALFA extension and attempt to load the policy. (first fix the bad policyId string that I will log in a separate issue)

Related Issues:

TBD