HERAS-AF Forum
Topic: Error when having Non-Predicate Functions in Policy/Rule Target Element
d95776
« on: April 26, 2011, 10:30:02 pm »

We have the following policy and request. We expect to get a Permit result, but the HERAS-AF implementation returns Deny.

[Edited by Moderator]
Double posted. For the relevant post, see below.
« Last Edit: April 27, 2011, 04:30:40 pm by René Eggenschwiler »
d95776
« Reply #1 on: April 26, 2011, 10:34:14 pm »

We have the following policy and request. The expected result should be Permit, but we get Indeterminate using the HERAS-AF implementation.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" PolicySetId="http://com.dfs.ria.policy.multiattrs" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd ">
  <Target />
  <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" PolicySetId="RPS:DFS:RIA:Test:Role1">
    <Description>Access Policy defined for Role1 to test DFS RIA security</Description>
    <Target>
      <Subjects>
        <Subject>
         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Role1</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
         </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <Policy PolicyId="PPS:DFS:RIA:Test:Role1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Description>Permissions defined for Role1</Description>
      <Target />
      <Rule Effect="Permit" RuleId="urn:DFS:RIA:Test:Rule1">
        <Description>Allow to access (read/write/delete/etc.) Application1,Tile1; and Application2, Tile2.</Description>
        <Target>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App1</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile1</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
            </Resource>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App2</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile2</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
            </Resource>
          </Resources>
          <Actions>
           <Action>
           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
           <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
           </ActionMatch>
           </Action>
          </Actions>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
  <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides" PolicySetId="RPS:DFS:RIA:Test:Role2">
    <Description>Access Policy defined for Role2 to test DFS RIA security</Description>
    <Target>
      <Subjects>
        <Subject>
         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Role2</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
         </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <Policy PolicyId="PPS:DFS:RIA:Test:Role2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Description>Permissions defined for Role2</Description>
      <Target />
      <Rule Effect="Permit" RuleId="urn:DFS:RIA:Test:Rule2">
        <Description>Allow to access (read/write/delete/etc.) Application1, Tile2; and Application2, Tile1;</Description>
        <Target>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App1</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile2</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
            </Resource>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App2</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile1</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </ResourceMatch>
            </Resource>
          </Resources>
          <Actions>
           <Action>
           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
           <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
           </ActionMatch>
           </Action>
          </Actions>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
</PolicySet>
Code:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd ">
  <Subject
   SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
   <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"><AttributeValue>Role1</AttributeValue></Attribute>
  </Subject>
  <Resource>
   <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"><AttributeValue>App1</AttributeValue><AttributeValue>Tile1</AttributeValue></Attribute>
  </Resource>
  <Action>
   <Attribute DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"><AttributeValue>access</AttributeValue></Attribute>
  </Action>
  <Environment/>
</Request>
« Last Edit: April 27, 2011, 10:38:01 am by René Eggenschwiler »
René Eggenschwiler
« Reply #2 on: April 27, 2011, 07:51:07 am »

Hi d95776

I'm investigating your case. I'll get back to you in a few hours when I have some results.

Regards,
René
René Eggenschwiler
« Reply #3 on: April 27, 2011, 10:33:09 am »

Hi again

I have tested your example in a small Maven project (the project is attached as a zip). I got the result Indeterminate but also expected a Permit. I'll have to go through the code and have a look at what exactly is happening.
I'll get back to you as soon as I have news.

There's an interesting part in the log file:
Code:
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Processing error occurred.

I expect that the processing error in Rule1 is responsible for the unexpected result.

Here's the full output of the log file:
Code:

11:35:39.451 WARN  Logger[o.h.x.c.s.MapBasedSimplePolicyRepository]
- Request[]
- EvaluatableId[]
- RuleId[] This policy repository (org.herasaf.xacml.core.simplePDP.MapBasedSimplePolicyRepository) must not be used in a productive environment.
11:35:39.590 INFO  Logger[o.h.x.c.s.i.FunctionsJAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] 209 functions are initialized.
11:35:40.009 INFO  Logger[o.h.x.c.s.i.JAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] PolicyMarshaller is configured with JAXB Marshaller Configuration {formattedOutput = true, fragment = true, validateParsing = true, validateWriting = true, schema = classpath:/access_control-xacml-2.0-policy-schema-os.xsd, writeSchemaLocation = false, schemaLocation = }
11:35:40.102 WARN  Logger[o.h.x.c.u.JAXBMarshallerConfiguration]
- Request[]
- EvaluatableId[]
- RuleId[] Validating turned off because schema could not be initialized.
11:35:40.102 INFO  Logger[o.h.x.c.s.i.JAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] RequestMarshaller is configured with JAXB Marshaller Configuration {formattedOutput = true, fragment = true, validateParsing = false, validateWriting = false, schema = classpath:/access_control-xacml-2.0-context-schema-os.xsd, writeSchemaLocation = false, schemaLocation = }
11:35:40.180 WARN  Logger[o.h.x.c.u.JAXBMarshallerConfiguration]
- Request[]
- EvaluatableId[]
- RuleId[] Validating turned off because schema could not be initialized.
11:35:40.180 INFO  Logger[o.h.x.c.s.i.JAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] ResponseMarshaller is configured with JAXB Marshaller Configuration {formattedOutput = true, fragment = true, validateParsing = false, validateWriting = false, schema = classpath:/access_control-xacml-2.0-context-schema-os.xsd, writeSchemaLocation = false, schemaLocation = }
11:35:40.195 INFO  Logger[o.h.x.c.s.i.PolicyCombiningAlgorithmsJAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] 6 policy combining algorithms are initialized.
11:35:40.195 INFO  Logger[o.h.x.c.s.i.RuleCombiningAlgorithmsJAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] 5 rule combining algorithms are initialized.
11:35:40.211 INFO  Logger[o.h.x.c.s.i.DataTypesJAXBInitializer]
- Request[]
- EvaluatableId[]
- RuleId[] 16 DataTypeAttributes are initialized.
11:35:40.211 WARN  Logger[o.h.xacml.core.simplePDP.SimplePDP]
- Request[]
- EvaluatableId[]
- RuleId[] No PIP is set. Attributes that are not present in the request cannot be resolved.
11:35:40.211 WARN  Logger[o.h.xacml.core.simplePDP.SimplePDP]
- Request[]
- EvaluatableId[]
- RuleId[] This PDP runs with a Java version > 1.5.0. This may lead to an unspecific behavior when using the data type http://www.w3.org/2001/XMLSchema#time.
11:35:40.211 INFO  Logger[o.h.xacml.core.simplePDP.SimplePDP]
- Request[]
- EvaluatableId[]
- RuleId[] Using custom status code comparator.
11:35:40.257 DEBUG Logger[o.h.xacml.core.simplePDP.SimplePDP]
- Request[1303896940257]
- EvaluatableId[]
- RuleId[] Evaluating Request: org.herasaf.xacml.core.context.impl.RequestType@1a5db4b
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting evaluation of: http://com.dfs.ria.policy.multiattrs
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting target match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting subjects match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] No subjects present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Subjects match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting recources match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] No resources present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Resources match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting actions match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] No actions present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Actions match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Starting environments match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] No environments present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Environments match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Target match resulted in: MATCH
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting evaluation of: RPS:DFS:RIA:Test:Role1
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting target match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting subjects match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting subject match. (id:org.herasaf.xacml.core.policy.impl.SubjectType@1cebc9f)
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Matching with function: urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Match function resulted in true with policy attribute datatype:http://www.w3.org/2001/XMLSchema#anyURI value:Role1 and request attribute value:Role1
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Subject match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Subjects match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting recources match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] No resources present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Resources match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting actions match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] No actions present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Actions match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Starting environments match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] No environments present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Environments match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Target match resulted in: MATCH
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting evaluation of: PPS:DFS:RIA:Test:Role1
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting target match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting subjects match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] No subjects present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Subjects match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting recources match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] No resources present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Resources match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting actions match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] No actions present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Actions match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Starting environments match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] No environments present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Environments match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Target match resulted in: MATCH
11:35:40.257 DEBUG Logger[o.h.x.c.c.r.i.RulePermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Starting evaluation of: urn:DFS:RIA:Test:Rule1
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Starting target match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Starting subjects match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] No subjects present.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Subjects match resulted in: true
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Starting recources match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Starting resource match. (id:org.herasaf.xacml.core.policy.impl.ResourceType@1c1ac46)
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Matching with function: urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Processing error occurred.
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Target match resulted in: INDETERMINATE
11:35:40.257 DEBUG Logger[o.h.x.c.c.r.i.RulePermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[urn:DFS:RIA:Test:Rule1] Evaluation of urn:DFS:RIA:Test:Rule1 was: INDETERMINATE
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[PPS:DFS:RIA:Test:Role1]
- RuleId[] Evaluation of PPS:DFS:RIA:Test:Role1 was: INDETERMINATE
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role1]
- RuleId[] Evaluation of RPS:DFS:RIA:Test:Role1 was: INDETERMINATE
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Starting evaluation of: RPS:DFS:RIA:Test:Role2
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Starting target match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Starting subjects match.
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Starting subject match. (id:org.herasaf.xacml.core.policy.impl.SubjectType@57ea52)
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Matching with function: urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Match function resulted in false with policy attribute datatype:http://www.w3.org/2001/XMLSchema#anyURI value:Role2 and request attribute value:Role1
11:35:40.257 DEBUG Logger[o.h.x.c.t.impl.TargetMatcherImpl]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Subjects match resulted in: false
11:35:40.257 DEBUG Logger[o.h.x.c.c.AbstractCombiningAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Target match resulted in: NO_MATCH
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm]
- Request[1303896940257]
- EvaluatableId[RPS:DFS:RIA:Test:Role2]
- RuleId[] Evaluation of RPS:DFS:RIA:Test:Role2 was: NOT_APPLICABLE
11:35:40.257 DEBUG Logger[o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm]
- Request[1303896940257]
- EvaluatableId[http://com.dfs.ria.policy.multiattrs]
- RuleId[] Evaluation of http://com.dfs.ria.policy.multiattrs was: INDETERMINATE

Regards,
René

Attachment: d9577-test.zip (3.62 KB)
« Last Edit: April 27, 2011, 10:40:46 am by René Eggenschwiler »
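The evaluation path shown in the log above, modelled as an added example (this is not HERAS-AF code and not part of the thread): a minimal Python implementation of XACML 2.0 target matching, `<Condition>` evaluation and the rule permit-overrides algorithm, run against the posted request. It shows why a bag function used as a MatchId ends in a processing error and an Indeterminate result, and why the same predicates placed in a `<Condition>`, as in the corrected policy further down the thread, yield Permit. Assumptions: only the functions the posted policies use are modelled, a Target is treated as a flat conjunction of match elements (the second `<Resource>` alternative is omitted), and all function and variable names are the example's own.

```python
"""Model of XACML 2.0 Target/Condition evaluation (added example; not HERAS-AF code).
Reproduces the path in the log above: a <ResourceMatch> whose MatchId is the bag function
anyURI-is-in hits a processing error, the Rule becomes Indeterminate and permit-overrides
propagates it.  The same predicates in a <Condition>, where the designator yields the whole
bag, produce Permit.  Assumed simplification: a Target is a flat AND of match elements."""
from typing import Callable, Dict, FrozenSet, List, Tuple

Bag = FrozenSet[str]
Match = Tuple[str, str, str]  # (MatchId, AttributeValue, AttributeId)
FN = "urn:oasis:names:tc:xacml:1.0:function:"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


class ProcessingError(Exception):
    """Type error inside a function call (XACML status urn:...:status:processing-error)."""


def _single(x):
    if not isinstance(x, str):
        raise ProcessingError(f"expected a single value, got bag {sorted(x)}")
    return x


def _bag(x):
    if not isinstance(x, frozenset):
        raise ProcessingError(f"expected a bag, got single value {x!r}")
    return x


# Predicate functions take two single values; anyURI-is-in needs a bag as its 2nd argument.
FUNCTIONS: Dict[str, Callable[..., bool]] = {
    FN + "anyURI-equal": lambda a, b: _single(a) == _single(b),
    FN + "string-equal": lambda a, b: _single(a) == _single(b),
    FN + "anyURI-is-in": lambda a, b: _single(a) in _bag(b),
    FN + "and": lambda *args: all(args),
    FN + "or": lambda *args: any(args),
}


def evaluate_target(matches: List[Match], request: Dict[str, Bag]) -> str:
    """Section 7.5: MatchId(AttributeValue, element) is applied to each element of the
    designator's bag; a match element holds if any element matches, the target if all hold."""
    try:
        for match_id, value, attr_id in matches:
            fn = FUNCTIONS[match_id]
            if not any(fn(value, el) for el in request.get(attr_id, frozenset())):
                return "NO_MATCH"
        return "MATCH"
    except ProcessingError:
        return "INDETERMINATE"


def evaluate_apply(expr: tuple, request: Dict[str, Bag]):
    """<Apply> tree: ("value", v) | ("designator", AttributeId) | (FunctionId, *args).
    Unlike in a match element, a designator here yields the complete bag."""
    if expr[0] == "value":
        return expr[1]
    if expr[0] == "designator":
        return request.get(expr[1], frozenset())
    return FUNCTIONS[expr[0]](*(evaluate_apply(arg, request) for arg in expr[1:]))


def evaluate_rule(rule: dict, request: Dict[str, Bag]) -> str:
    target = evaluate_target(rule["target"], request)
    if target != "MATCH":
        return "NotApplicable" if target == "NO_MATCH" else "Indeterminate"
    if rule["condition"] is None:
        return rule["effect"]
    try:
        return rule["effect"] if evaluate_apply(rule["condition"], request) else "NotApplicable"
    except ProcessingError:
        return "Indeterminate"


def permit_overrides(rules: List[dict], request: Dict[str, Bag]) -> str:
    """XACML 2.0 rule-combining permit-overrides (appendix C.1)."""
    error = potential_permit = deny = False
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision == "Permit":
            return "Permit"
        deny = deny or decision == "Deny"
        if decision == "Indeterminate":
            error, potential_permit = True, potential_permit or rule["effect"] == "Permit"
    if potential_permit:
        return "Indeterminate"
    return "Deny" if deny else ("Indeterminate" if error else "NotApplicable")


def is_in(value: str) -> tuple:
    return (FN + "anyURI-is-in", ("value", value), ("designator", RES_ID))


# Rule1 as posted: bag function in the Target (first <Resource> alternative only).
ORIGINAL_RULE1 = {"effect": "Permit", "condition": None, "target": [
    (FN + "anyURI-is-in", "App1", RES_ID), (FN + "anyURI-is-in", "Tile1", RES_ID),
    (FN + "string-equal", "access", ACTION_ID)]}

# Rule1 as corrected: predicate function in the Target, bag functions in the Condition.
CORRECTED_RULE1 = {"effect": "Permit", "target": [(FN + "string-equal", "access", ACTION_ID)],
                   "condition": (FN + "or", (FN + "and", is_in("App1"), is_in("Tile1")),
                                 (FN + "and", is_in("App2"), is_in("Tile2")))}

# The request from the thread, constructed inline: resource-id bag {App1, Tile1}, action access.
REQUEST: Dict[str, Bag] = {RES_ID: frozenset({"App1", "Tile1"}), ACTION_ID: frozenset({"access"})}
```

`permit_overrides([ORIGINAL_RULE1], REQUEST)` returns Indeterminate exactly as the log shows for PPS:DFS:RIA:Test:Role1: the match evaluation hands `anyURI-is-in` the single element `App1` as its second argument, the function expects a bag, and the resulting processing error makes the rule (effect Permit) a potential permit, which permit-overrides reports as Indeterminate. `permit_overrides([CORRECTED_RULE1], REQUEST)` returns Permit.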
d95776
« Reply #4 on: April 27, 2011, 02:04:09 pm »

Yes, the error happens during Rule1 evaluation. There's nothing wrong with Rule1 as defined in the policy. The problem is that your API does something improper when processing ResourceMatch elements. Your API does not handle the bag values of ResourceAttributeDesignator properly. Please have a look into your code.
René Eggenschwiler
« Reply #5 on: April 27, 2011, 03:37:38 pm »

Hi again

Unfortunately I have to disappoint you. There's no error in our code. Your rule is not proper.

Your Policy does not meet the XACML specification.

As specified in chapter 7.5 "Match Evaluation" in the XACML 2.0 Specification, ONLY standard functions are allowed to be used in the target element.

Here's the excerpt from the specification:
Code:
7.5. Match evaluation
Attribute matching elements appear in the <Target> element of rules, policies and policy sets.  They are the following:
<SubjectMatch>
<ResourceMatch>
<ActionMatch>
<EnvironmentMatch>
These elements represent Boolean expressions over attributes of the subject, resource, action and environment, respectively.  A matching element contains a MatchId attribute that specifies the function to be used in performing the match evaluation, an <xacml:AttributeValue> and an <AttributeDesignator> or <AttributeSelector> element that specifies the attribute in the context that is to be matched against the specified value.
The MatchId attribute SHALL specify a function that compares two arguments, returning a result type of "http://www.w3.org/2001/XMLSchema#boolean".   The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument.  An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument, as explained below.   The DataType of the <xacml:AttributeValue> SHALL match the data-type of the first argument expected by the MatchId function.  The DataType of the <AttributeDesignator> or <AttributeSelector> element SHALL match the data-type of the second argument expected by the MatchId function.
The XACML standard functions that meet the requirements for use as a MatchId attribute value are:
        urn:oasis:names:tc:xacml:2.0:function:-type-equal
        urn:oasis:names:tc:xacml:2.0:function:-type-greater-than
        urn:oasis:names:tc:xacml:2.0:function:-type-greater-than-or-equal
        urn:oasis:names:tc:xacml:2.0:function:-type-less-than
        urn:oasis:names:tc:xacml:2.0:function:-type-less-than-or-equal
        urn:oasis:names:tc:xacml:2.0:function:-type-match
In addition, functions that are strictly within an extension to XACML MAY appear as a value for the MatchId attribute, and those functions MAY use data-types that are also extensions, so long as the extension function returns a Boolean result and takes two single base types as its inputs.  The function used as the value for the MatchId attribute SHOULD be easily indexable.  Use of non-indexable or complex functions may prevent efficient evaluation of decision requests.

If you use such a function, our code behaves absolutely correctly.

In our domain model we call these standard functions "predicate functions". In the future we would like to distinguish these functions from the others.
In our issue tracking system this task has the id XACMLCORE-136. See http://dev.herasaf.org/browse/XACMLCORE-136.

Regards,
René
« Last Edit: April 27, 2011, 03:48:57 pm by René Eggenschwiler »
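A static check for the section 7.5 rule René cites, as an added example that is not part of HERAS-AF or of this thread: it parses an XACML 2.0 policy with Python's standard library and reports every match element whose MatchId is not one of the standard predicate functions (type-equal, -greater-than, -greater-than-or-equal, -less-than, -less-than-or-equal, -match). Extension functions outside the OASIS namespace cannot be checked for their signature here and are only warned about. The embedded policy is a trimmed copy of the one posted above (one `<Resource>` alternative kept); the function and variable names are the example's own.

```python
"""Static check for XACML 2.0 section 7.5, "Match evaluation" (added example; not HERAS-AF code).
Every <SubjectMatch>/<ResourceMatch>/<ActionMatch>/<EnvironmentMatch> must name a function that
takes two single values and returns a Boolean.  Bag functions such as anyURI-is-in belong in a
<Condition>, where the designator supplies the whole bag."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

XACML2 = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
MATCH_ELEMENTS = {f"{{{XACML2}}}{name}" for name in
                  ("SubjectMatch", "ResourceMatch", "ActionMatch", "EnvironmentMatch")}
OASIS_PREFIX = "urn:oasis:names:tc:xacml:"
# Suffixes of the standard predicate families listed in section 7.5 (type-equal ... type-match).
PREDICATE_SUFFIXES = ("-equal", "-greater-than", "-greater-than-or-equal",
                      "-less-than", "-less-than-or-equal", "-match")

Finding = Tuple[str, str, str, str]  # (level, enclosing id, match element, MatchId)


def is_standard_predicate(match_id: str) -> bool:
    """True for standard XACML functions usable as a MatchId.  Bag functions (-is-in, -bag,
    -one-and-only, -bag-size, ...) and non-Boolean functions end in no predicate suffix."""
    return (match_id.startswith(OASIS_PREFIX) and ":function:" in match_id
            and match_id.endswith(PREDICATE_SUFFIXES))


def lint_targets(policy_xml: str) -> List[Finding]:
    """Report every match element whose MatchId is not a standard predicate.  level is
    "error" for a standard XACML function that is not a predicate and "warning" for an
    extension function, whose signature cannot be verified statically."""
    findings: List[Finding] = []

    def walk(node: ET.Element, owner: str) -> None:
        # Track the innermost Rule/Policy/PolicySet id so a finding can be located.
        owner = node.get("RuleId") or node.get("PolicyId") or node.get("PolicySetId") or owner
        for child in node:
            if child.tag in MATCH_ELEMENTS:
                match_id = child.get("MatchId", "")
                if not is_standard_predicate(match_id):
                    level = "error" if match_id.startswith(OASIS_PREFIX) else "warning"
                    findings.append((level, owner, child.tag.rsplit("}", 1)[-1], match_id))
            walk(child, owner)

    walk(ET.fromstring(policy_xml), "<root>")
    return findings


# Trimmed copy of the policy posted above (constructed inline; one <Resource> alternative kept).
POSTED_POLICY = f"""<PolicySet xmlns="{XACML2}" PolicySetId="RPS:DFS:RIA:Test:Role1"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Target><Subjects><Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Role1</AttributeValue>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </SubjectMatch>
  </Subject></Subjects></Target>
  <Policy PolicyId="PPS:DFS:RIA:Test:Role1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <Rule Effect="Permit" RuleId="urn:DFS:RIA:Test:Rule1">
      <Target>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App1</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </ResourceMatch>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile1</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
          </ResourceMatch>
        </Resource></Resources>
        <Actions><Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>"""

if __name__ == "__main__":
    for level, owner, element, match_id in lint_targets(POSTED_POLICY):
        print(f"{level}: {owner}: <{element}> uses non-predicate MatchId {match_id}")
```

Run against the posted policy it reports the two `ResourceMatch` elements of urn:DFS:RIA:Test:Rule1 that use anyURI-is-in; the SubjectMatch (anyURI-equal) and ActionMatch (string-equal) pass. The check is deliberately a whitelist on the function name: it cannot prove that an extension function has the required two-single-values-to-Boolean signature, which is why those are reported as warnings. If policies come from an untrusted source, parse them with defusedxml rather than the stock xml.etree parser.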
René Eggenschwiler
« Reply #6 on: April 27, 2011, 03:48:16 pm »

Hi again

If you try the corrected policy below you will see that it works.
We changed the target element to use only predicate functions and moved the part with the bag functions into conditions.

Then it works as expected.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
  PolicySetId="http://com.dfs.ria.policy.multiattrs"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd ">

  <Target />

  <PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
    PolicySetId="RPS:DFS:RIA:Test:Role1">
    <Description>Access Policy defined for Role1 to test DFS RIA security</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Role1</AttributeValue>
            <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <Policy PolicyId="PPS:DFS:RIA:Test:Role1"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Description>Permissions defined for Role1</Description>
      <Target />
      <Rule Effect="Permit" RuleId="urn:DFS:RIA:Test:Rule1">
        <Description>Allow to access (read/write/delete/etc.) Application1,Tile1; and Application2, Tile2.</Description>
        <Target>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
                <ActionAttributeDesignator
                  DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
              </ActionMatch>
            </Action>
          </Actions>
        </Target>

        <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
            <!-- Resource matching -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
              <!-- Resources Matches -->
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App1</AttributeValue>
                <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </Apply>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile1</AttributeValue>
                <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </Apply>
            </Apply>

            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
              <!-- Resources Matches -->
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App2</AttributeValue>
                <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
              </Apply>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile2</AttributeValue>
                <ResourceAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                  DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
<PolicySet
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
PolicySetId="RPS:DFS:RIA:Test:Role2">
<Description>Access Policy defined for Role2 to test DFS RIA security
</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Role2</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<Policy PolicyId="PPS:DFS:RIA:Test:Role2"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Description>Permissions defined for Role2</Description>
<Target />
<Rule Effect="Permit" RuleId="urn:DFS:RIA:Test:Rule2">
<Description>Allow to access (read/write/delete/etc.) Application1,
Tile2; and Application2, Tile1;</Description>
<Target>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
<ActionAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<!-- Resource matching -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<!-- Resources Matches -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App1</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile1</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</Apply>
</Apply>

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<!-- Resources Matches -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">App2</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">Tile2</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
</PolicySet>
</PolicySet>

Again regards,
René
Logged
d95776
Newbie
Posts: 21
« Reply #7 on: April 27, 2011, 05:57:09 pm »

Here is what the specification says:

3375 The MatchId attribute SHALL specify a function that compares two arguments, returning a result
3376 type of "http://www.w3.org/2001/XMLSchema#boolean". The attribute value specified in the
3377 matching element SHALL be supplied to the MatchId function as its first argument. An element of
3378 the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL
3379 be supplied to the MatchId function as its second argument, as explained below. The DataType
3380 of the <xacml:AttributeValue> SHALL match the data-type of the first argument expected by
3381 the MatchId function. The DataType of the <AttributeDesignator> or
3382 <AttributeSelector> element SHALL match the data-type of the second argument expected
3383 by the MatchId function.

The string-is-in function meets the above requirements.

3392 In addition, functions that are strictly within an extension to XACML MAY appear as a value for the
3393 MatchId attribute, and those functions MAY use data-types that are also extensions, so long as
3394 the extension function returns a Boolean result and takes two single base types as its inputs. The
3395 function used as the value for the MatchId attribute SHOULD be easily indexable.

The string-is-in function can be treated as an extension to those standard functions listed in the spec. So I think your XACML API does not support extension functions besides those standard functions.
Logged
René Eggenschwiler
Administrator
Jr. Member
Posts: 63
« Reply #8 on: April 27, 2011, 06:19:45 pm »

The important part is:

3393 MatchId attribute, and those functions MAY use data-types that are also extensions, so long as
3394 the extension function returns a Boolean result and takes two single base types as its inputs.

A bag is not a single Base type.

That means bag functions cannot be used in the target element. That makes our implementation XACML 2.0 compliant.
If you prefer we can discuss this on the OASIS mailing list.
Logged
d95776
Newbie
Posts: 21
« Reply #9 on: April 27, 2011, 07:05:11 pm »

Why is a URI or string not a single base type? They are.
Logged
René Eggenschwiler
Administrator
Jr. Member
Posts: 63
« Reply #10 on: April 27, 2011, 07:16:20 pm »

They are base types.
But a BAG of strings or URIs is not a SINGLE base type.
A bag is a collection of multiple base types.
The type-is-in functions require a bag as a parameter. For that reason these functions cannot be used in target elements.
Logged
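Added example, not from this thread or the HERAS-AF project: a small stand-alone Python check that walks every Target in a XACML 2.0 policy and flags MatchId values that are bag functions (such as anyURI-is-in), which is the situation the thread describes, so a policy author can catch the mistake before the PDP answers Indeterminate. The two policy fragments are constructed for the example, and the list of bag-function suffixes is taken from the XACML 2.0 standard function names; the Condition form is left alone because the spec only restricts MatchId.

```python
"""Flag non-predicate (bag) functions used as MatchId inside XACML 2.0 Targets."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
URI_TYPE = "http://www.w3.org/2001/XMLSchema#anyURI"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Standard XACML 2.0 functions that take or return a bag. A MatchId function
# must take two single base types and return boolean, so none of these qualify.
BAG_SUFFIXES = ("-is-in", "-bag", "-bag-size", "-one-and-only", "-intersection",
                "-union", "-subset", "-set-equals", "-at-least-one-member-of")


def is_predicate_function(function_id: str) -> bool:
    """True when the function id is usable as a MatchId (no bag argument or result)."""
    return not function_id.endswith(BAG_SUFFIXES)


def find_target_violations(policy_xml: str) -> list:
    """Return (element name, MatchId) for every bag function found inside a Target."""
    root = ET.fromstring(policy_xml)
    violations = []
    for target in root.iter(f"{{{XACML_NS}}}Target"):
        for elem in target.iter():            # Target itself carries no MatchId
            match_id = elem.get("MatchId")
            if match_id and not is_predicate_function(match_id):
                violations.append((elem.tag.split("}")[1], match_id))
    return violations


# Constructed fragment reproducing the problem: a bag function in a Target.
BAD_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="p1" RuleCombiningAlgId="x">
 <Target><Resources><Resource>
  <ResourceMatch MatchId="{FN}anyURI-is-in">
   <AttributeValue DataType="{URI_TYPE}">App1</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{URI_TYPE}"/>
  </ResourceMatch></Resource></Resources></Target></Policy>"""

# Constructed fragment in the corrected shape: predicate in Target, bag in Condition.
GOOD_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="p2" RuleCombiningAlgId="x">
 <Target/><Rule RuleId="r1" Effect="Permit"><Target/>
  <Condition><Apply FunctionId="{FN}anyURI-is-in">
   <AttributeValue DataType="{URI_TYPE}">App1</AttributeValue>
   <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{URI_TYPE}"/>
  </Apply></Condition></Rule></Policy>"""

if __name__ == "__main__":
    print("bad:", find_target_violations(BAD_POLICY))    # one ResourceMatch flagged
    print("good:", find_target_violations(GOOD_POLICY))  # []
```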