HERAS-AF Forum
Author Topic: Strange behavior with XPATH  (Read 296 times)
mascanc
« on: June 08, 2011, 04:25:59 pm »

Hi All,

I am in trouble using xpath expressions. I'm not able to get a permit.

I have the following policy:

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<Policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
 PolicyId="urn:oid:wst-validation"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">The wst request is valid if</Description>
    <PolicyDefaults>
        <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
    </PolicyDefaults>
    <Target xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
        <Subjects>
            <Subject>
                <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">wst-request</AttributeValue>
                    <SubjectAttributeDesignator AttributeId="urn:subject:type"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </SubjectMatch>
            </Subject>
        </Subjects>
        <Resources>
            <Resource>
                <ResourceMatch
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                    <AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:message_type</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>
    <Rule RuleId="urn:oid:1.2.3.4-rule" Effect="Permit">
        <Target/>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <AttributeSelector RequestContextPath="//*[local-name()='RequestType']/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>


and the following request:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
    <Subject>
        <Attribute AttributeId="urn:subject:type" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>wst-request</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <ResourceContent>
            <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
                <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
            </RequestSecurityToken>
        </ResourceContent>
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#anyURI">
            <AttributeValue>urn:message_type</AttributeValue>
        </Attribute>
    </Resource>
    <Action/>
    <Environment/>
</Request>


but the result is indeterminate:

7:24:55.819 [main] WARN  o.h.x.c.s.MapBasedSimplePolicyRepository - This policy repository (org.herasaf.xacml.core.simplePDP.MapBasedSimplePolicyRepository) must not be used in a productive environment.
17:24:56.103 [main] INFO  o.h.x.c.s.i.FunctionsJAXBInitializer - 209 functions are initialized.
17:24:56.579 [main] INFO  o.h.x.c.s.i.PolicyCombiningAlgorithmsJAXBInitializer - 6 policy combining algorithms are initialized.
17:24:56.586 [main] INFO  o.h.x.c.s.i.RuleCombiningAlgorithmsJAXBInitializer - 5 rule combining algorithms are initialized.
17:24:56.597 [main] INFO  o.h.x.c.s.i.DataTypesJAXBInitializer - 16 DataTypeAttributes are initialized.
17:24:56.598 [main] WARN  o.h.xacml.core.simplePDP.SimplePDP - No PIP is set. Attributes that are not present in the request cannot be resolved.
17:24:56.598 [main] WARN  o.h.xacml.core.simplePDP.SimplePDP - This PDP runs with a Java version > 1.5.0. This may lead to an unspecific behavior when using the data type http://www.w3.org/2001/XMLSchema#time.
17:24:56.598 [main] INFO  o.h.xacml.core.simplePDP.SimplePDP - Using custom status code comparator.
1380 [main] DEBUG SpiritDcmServices.A  - Going to decide
17:24:56.664 [main] DEBUG o.h.xacml.core.simplePDP.SimplePDP - Evaluating Request:
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
    <Subject>
        <Attribute DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:subject:type">
            <AttributeValue>wst-request</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <ResourceContent>
            <RequestSecurityToken:RequestSecurityToken xmlns:RequestSecurityToken="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
                <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
            </RequestSecurityToken:RequestSecurityToken>
        </ResourceContent>
        <Attribute DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
            <AttributeValue>urn:message_type</AttributeValue>
        </Attribute>
    </Resource>
    <Action/>
    <Environment>
        <Attribute DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time">
            <AttributeValue>17:24:56.659+02:00</AttributeValue>
        </Attribute>
        <Attribute DataType="http://www.w3.org/2001/XMLSchema#date" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date">
            <AttributeValue>2011-06-08+02:00</AttributeValue>
        </Attribute>
        <Attribute DataType="http://www.w3.org/2001/XMLSchema#dateTime" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime">
            <AttributeValue>2011-06-08T17:24:56.660+02:00</AttributeValue>
        </Attribute>
    </Environment>
</Request>

17:24:56.665 [main] DEBUG o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm - Starting evaluation of: urn:oid:wst-validation
17:24:56.666 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Starting target match.
17:24:56.666 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting subjects match.
17:24:56.666 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting subject match. (id:org.herasaf.xacml.core.policy.impl.SubjectType@48baa31b)
17:24:56.666 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Matching with function: urn:oasis:names:tc:xacml:1.0:function:string-equal
17:24:56.666 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Match function resulted in true with policy attribute datatype:http://www.w3.org/2001/XMLSchema#string value:wst-request and request attribute value:wst-request
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Subject match resulted in: true
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Subjects match resulted in: true
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting recources match.
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting resource match. (id:org.herasaf.xacml.core.policy.impl.ResourceType@552a66ea)
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Matching with function: urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Match function resulted in true with policy attribute datatype:http://www.w3.org/2001/XMLSchema#anyURI value:urn:message_type and request attribute value:urn:message_type
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Resource match resulted in: true
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Resources match resulted in: true
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting actions match.
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No actions present.
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Actions match resulted in: true
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting environments match.
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No environments present.
17:24:56.667 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Environments match resulted in: true
17:24:56.668 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Target match resulted in: MATCH
17:24:56.668 [main] DEBUG o.h.x.c.c.r.i.RulePermitOverridesAlgorithm - Starting evaluation of: urn:oid:1.2.3.4-rule
17:24:56.668 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Starting target match.
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting subjects match.
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No subjects present.
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Subjects match resulted in: true
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting recources match.
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No resources present.
17:24:56.668 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Resources match resulted in: true
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting actions match.
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No actions present.
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Actions match resulted in: true
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting environments match.
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No environments present.
17:24:56.669 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Environments match resulted in: true
17:24:56.669 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Target match resulted in: MATCH
17:24:56.670 [main] DEBUG o.h.x.c.c.r.i.RulePermitOverridesAlgorithm - Evaluation of urn:oid:1.2.3.4-rule was: INDETERMINATE
17:24:56.670 [main] DEBUG o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm - Evaluation of urn:oid:wst-validation was: INDETERMINATE
Took Herasaf: 1017
<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
    </Status>
  </Result>
</Response>
Indeterminate


mascanc
« Reply #1 on: June 08, 2011, 04:27:32 pm »

And the xpath expression says:

SystemID: /Users/max/Desktop/req.xml Severity: info Description: /Request[1]/Resource[1]/ResourceContent[1]/RequestSecurityToken[1]/RequestType[1]/text()[1] - http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue Start location: 16:30 End location: 16:84

so the xpath expression is ok...
Florian Huonder
« Reply #2 on: June 08, 2011, 04:33:09 pm »

Hi,

The reason is that the XACML engine currently does not support AttributeSelectors.

http://dev.herasaf.org/browse/XACMLCORE-24

Currently you have to implement it on your own or you have to look for another approach that is reachable with the AttributeDesignators.
If we can help you in any kind let us know.

Best regards,
Florian
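One way to follow the "reachable with the AttributeDesignators" approach, as an added example that is not part of the thread and not HERAS-AF code: a PEP-side step extracts the value the posted XPath would have selected from ResourceContent and adds it to the request as an ordinary Resource Attribute, so the policy can use a ResourceAttributeDesignator instead of the unsupported AttributeSelector. The AttributeId urn:example:wst:request-type and the trimmed sample request are assumptions constructed for this example.

```python
# Added example, not HERAS-AF code: because the PDP in this thread ignores
# AttributeSelectors, a PEP can pull the value the XPath would have selected out of
# <ResourceContent> and add it as a plain Resource <Attribute> for a designator.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Hypothetical AttributeId the rewritten policy designates instead of the selector.
REQUEST_TYPE_ATTR = "urn:example:wst:request-type"

# Constructed sample, trimmed from the request posted in the thread.
SAMPLE_REQUEST = f"""<Request xmlns="{CTX}">
  <Resource>
    <ResourceContent>
      <RequestSecurityToken xmlns="{WST}">
        <RequestType>{WST}/Issue</RequestType>
      </RequestSecurityToken>
    </ResourceContent>
  </Resource>
</Request>"""

def select_request_type(resource):
    """Namespace-bound form of //*[local-name()='RequestType']/text() with the
    string-one-and-only rule applied: the posted XPath matches a RequestType in
    any namespace, so a look-alike element could be selected instead."""
    content = resource.find(f"{{{CTX}}}ResourceContent")
    hits = [] if content is None else content.findall(f".//{{{WST}}}RequestType")
    if len(hits) != 1:  # string-one-and-only would give Indeterminate here as well
        raise ValueError(f"expected exactly one RequestType, found {len(hits)}")
    return (hits[0].text or "").strip()

def add_request_type_attribute(request_xml):
    """Return the parsed request with the extracted value added as a Resource Attribute."""
    root = ET.fromstring(request_xml)
    resource = root.find(f"{{{CTX}}}Resource")
    attr = ET.SubElement(resource, f"{{{CTX}}}Attribute",
                         {"AttributeId": REQUEST_TYPE_ATTR, "DataType": XS_STRING})
    ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = select_request_type(resource)
    return root

def resource_attribute_values(root, attribute_id):
    """Values a ResourceAttributeDesignator for attribute_id would see in the request."""
    return [v.text for a in root.iterfind(f"{{{CTX}}}Resource/{{{CTX}}}Attribute")
            if a.get("AttributeId") == attribute_id
            for v in a.iterfind(f"{{{CTX}}}AttributeValue")]
```

The rule's Condition then becomes a string-equal over a ResourceAttributeDesignator with AttributeId urn:example:wst:request-type, which the engine evaluates without touching XPath.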