HERAS-AF Forum
Topic: Use MapBasedSimplePolicyRepository to Store referenced policies (Read 379 times)
d95776
« on: May 21, 2011, 02:21:43 pm »

We have a use case as follows:
Policy A ->(reference) Policy 1
Policy B ->(reference) Policy 1

During policy deployment, we resolve the Policy 1 reference in Policy A, get a new policy instance Policy A1, and add Policy A1 to MapBasedSimplePolicyRepository. Then we get the Policy 1 instance from the MapBasedSimplePolicyRepository, use it to resolve Policy B's reference to Policy 1, and get a new policy instance Policy B1. When we add Policy B1 to the MapBasedSimplePolicyRepository, we get the following error:

Exception in thread "main" org.herasaf.xacml.core.PolicyRepositoryException: The ID must be unique over all PolicySets and Policies.
   at org.herasaf.xacml.core.simplePDP.MapBasedSimplePolicyRepository.checkEvaluatable(MapBasedSimplePolicyRepository.java:128)
   at org.herasaf.xacml.core.simplePDP.MapBasedSimplePolicyRepository.deploy(MapBasedSimplePolicyRepository.java:141)
   at com.dfs.test.xacml.heras.RBACTest.loadPolicy(RBACTest.java:97)
   at com.dfs.test.xacml.heras.RBACTest.main(RBACTest.java:53)

It looks like we cannot use the MapBasedSimplePolicyRepository to hold policies that reference the same policy. If the MapBasedSimplePolicyRepository cannot be used, what's the proper solution for this use case?
Florian Huonder
Administrator
« Reply #1 on: May 22, 2011, 09:53:09 am »

Hi,

The exception is very clear: "PolicyRepositoryException: The ID must be unique over all PolicySets and Policies."
The XACML specification demands that the IDs over PolicySet and Policy be unique.
When you deploy Policy A1 and Policy B1 to the repository it fails because both contain a policy with ID "Policy 1".

If you want to have a policy repository that is capable of looking up remote references and storing them, you have to write your own implementation of the PolicyRepository or PolicyRetrievalPoint interface (and not use our simple map-based repo) and do the handling as you need it.

Best regards,
Florian
d95776
« Reply #2 on: May 22, 2011, 03:08:32 pm »

The problem is that the way the class MapBasedSimplePolicyRepository ensures the uniqueness of policy IDs is wrong. If Policy A and Policy B use the same instance of Policy 1, then they are all valid even though the repository sees the same policy ID twice. It is not simply a matter of policy ID comparison. It looks like the MapBasedSimplePolicyRepository class can only be used to hold a policy, but with some unnecessary implementation. Am I right?
Florian Huonder
Administrator
« Reply #3 on: May 22, 2011, 08:06:34 pm »

Hi,

It is, as its name says, a simple policy repository. It is not recommended to use it in a productive environment.
Handling of remote references is not a simple functionality.
Due to this, it is not possible to reach your goals using our provided implementation. You are forced to implement a new repository from scratch.

Best regards,
Florian
René Eggenschwiler
Administrator
« Reply #4 on: May 23, 2011, 09:38:49 am »

Hi,

I think it's not necessary to write a PolicyRepository completely on your own.
You can extend our MapBasedSimplePolicyRepository. Then you have to override the checkReferenceConsistency method.

You will then also extend the getEvaluatable and getEvaluatables methods, so that they resolve remote references on demand (meaning lazily).
The returned policies should then already be resolved when the return happens.

Importantly, you mustn't deploy resolved references into the repository. Remote references should be resolved every time getEvaluatables is called.

Hint: Look at the java comments in  MapBasedSimplePolicyRepository: http://dev.herasaf.org/source/browse/XACMLCORE/trunk/src/main/java/org/herasaf/xacml/core/simplePDP/MapBasedSimplePolicyRepository.java?hb=true. That should give you a clear idea about how it behaves and how you could hook it up for your needs.

Regards,
René

PS: Make sure that you follow exactly the XACML specification.
« Last Edit: May 23, 2011, 09:44:32 am by René Eggenschwiler »
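
The approach described in Reply #4, as an added example that is not part of the thread and is not HERAS-AF code: a standalone Java 16+ model in which only unresolved policies are deployed (so each ID is stored once) and references are followed at lookup time. `Policy`, `Resolved` and `LazyRepo` are hypothetical names and do not reflect the HERAS-AF API or its method signatures.

```java
import java.util.*;

// Standalone model of the thread's advice; it does not use HERAS-AF classes.
// Policy, Resolved and LazyRepo are hypothetical names for illustration.
public class LazyReferenceDemo {
    // A policy as deployed: its own ID plus the IDs it references (unresolved).
    record Policy(String id, List<String> refs) {}
    // A policy as handed to the evaluator: references replaced by their targets.
    record Resolved(String id, List<Resolved> children) {}

    static class LazyRepo {
        private final Map<String, Policy> byId = new LinkedHashMap<>();

        // Deploy-time check: every ID is unique; resolved copies are never stored.
        void deploy(Policy p) {
            if (byId.putIfAbsent(p.id(), p) != null)
                throw new IllegalStateException("duplicate ID: " + p.id());
        }

        // Lookup-time resolution: follow references on every call, cache nothing.
        Resolved get(String id) { return resolve(id, new ArrayDeque<>()); }

        private Resolved resolve(String id, Deque<String> path) {
            Policy p = byId.get(id);
            if (p == null) throw new IllegalStateException("unresolvable reference: " + id);
            if (path.contains(id)) throw new IllegalStateException("reference cycle at " + id);
            path.push(id);
            List<Resolved> children = new ArrayList<>();
            for (String ref : p.refs()) children.add(resolve(ref, path));
            path.pop();
            return new Resolved(id, children);
        }
    }

    public static void main(String[] args) {
        LazyRepo repo = new LazyRepo();
        repo.deploy(new Policy("Policy 1", List.of()));            // stored once
        repo.deploy(new Policy("Policy A", List.of("Policy 1")));  // reference only
        repo.deploy(new Policy("Policy B", List.of("Policy 1")));  // no duplicate ID
        System.out.println(repo.get("Policy A"));
        System.out.println(repo.get("Policy B"));
        try {
            repo.deploy(new Policy("Policy 1", List.of()));         // second copy
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```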