
XACML generated from ALFA contains PolicyIds that are rejected by WSO2 #157

Open Vaevictus opened 2 years ago

Vaevictus commented 2 years ago

Description: The ALFA tooling emits policies whose PolicyId attribute is an http URL (e.g. `http://axiomatics.com/alfa/identifier/AcmeCorp.buildingAccess`), and WSO2 Identity Server rejects such identifiers when the policy is uploaded. Generated policies therefore need a pre-processing step that rewrites the PolicyId before they can be loaded into WSO2.

Suggested Labels:

Suggested Assignees:

Affected version: WSO2 Identity Server 5.11.0, run from the container image wso2/wso2is:latest. Note that the `latest` tag is a moving target; record the image digest (or a fixed version tag) so the report stays reproducible.

Steps to reproduce: Generate a simple XACML policy with the ALFA Visual Studio Code extension and attempt to upload it to WSO2 Identity Server. The upload is rejected because WSO2 considers the generated PolicyId value illegal. The exact error message returned by WSO2 is not recorded here; including it would pinpoint which validation rule is being applied.

An example XACML policy generated by the Axiomatics ALFA Visual Studio Code tooling is shown below (note that the generator header it carries still names the ALFA Plugin for Eclipse):

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).--><!--Any modification to this file will be lost upon recompilation of the source ALFA file-->
<!-- Review notes (added for the bug report; the policy content itself is unchanged):
     PolicyId below is an http URL. XACML 3.0 types PolicyId as xs:anyURI, so the value is
     schema-valid; the rejection reported in this issue is a WSO2-side identifier constraint,
     not a XACML one (confirm against the WSO2 policy validator for the exact rule it applies). -->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="http://axiomatics.com/alfa/identifier/AcmeCorp.buildingAccess" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <xacml3:Description/>
    <!-- Declares an XPath version, but no AttributeSelector appears anywhere in this policy,
         so the default has no effect here. -->
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <!-- Policy applies when any value of the resource-type bag equals "door".
         MustBePresent="false" means a request that carries no resource-type attribute yields an
         empty bag: the match is false and the result is NotApplicable, not Indeterminate. -->
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">door</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <!-- The only rule in the policy. With a single rule, deny-overrides has nothing to
         arbitrate: the policy result is this rule's result, or NotApplicable. -->
    <xacml3:Rule Effect="Permit" RuleId="AcmeCorp.buildingAccess.openMainDoor">
        <xacml3:Description/>
        <!-- NOTE(review): this Target matches the same AttributeId (resource-type) as the
             policy Target above, but against "mainDoor" instead of "door". A request whose
             resource-type bag holds a single value can satisfy one of the two matches but not
             both, so this rule is reachable only when the bag carries both values. That looks
             unintended; check the ALFA source before relying on this policy. -->
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mainDoor</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-type" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">open</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <!-- Permit only if some value of the access-subject "role" attribute equals "employee".
             The decision rests entirely on this one attribute; how the PEP or context handler
             sources it is outside this policy. An absent role attribute again gives an empty
             bag (MustBePresent="false"), so the condition is false and the rule is NotApplicable.
             NOTE(review): the second argument is a bare AttributeValue rather than a bag;
             confirm the target PDP accepts that form for any-of-any. -->
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
                <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml3:AttributeValue>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>