HERAS-AF Forum
Author Topic: Confusion about comparison functions in HERAS  (Read 342 times)
walco
Newbie
Posts: 1
« on: August 03, 2011, 08:57:52 pm »

Hi all,

I'm trying to test date comparisons with current-date attributes and I've written a test policy with an EnvironmentMatch that I expect to always match (e.g. all requests since 1970-01-01), but this never results in a match in HERAS:

<Environment>
   <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">1970-01-01+02:00</AttributeValue>
      <EnvironmentAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#date"
         AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" />
   </EnvironmentMatch>
</Environment>

When debugging the issue, the implementation of the comparison functions seemed straightforward, in the general form of "arg0.compareTo(arg1)",
but when looking at the order in which these arguments are passed to the function in the method org.herasaf.xacml.core.targetMatcher.impl.TargetMatcherImpl.match, the first argument passed to the function is the value in the policy and the second is the actual environment attribute value. This behavior is implemented following the XACML 2.0 spec:

// The attribute value specified in the matching element must be
// supplied as the first argument.
//
// This part references OASIS eXtensible Access Control Markup
// Langugage (XACML) 2.0, Errata 29 June 2006
// (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#XACML20)
// on page 79 (Match evaluation, line 3371).

Additionally, in the XACML 2.0 spec:

"An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument, as explained below. The DataType of the <xacml:AttributeValue> SHALL match the data-type of the first argument expected by the MatchId function." (lines 3378-3381)

This seems very counter-intuitive when writing policies - is this a known caveat in the XACML spec and should I rewrite my match as follows?

<Environment>
   <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">1970-01-01+02:00</AttributeValue>
      <EnvironmentAttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#date"
         AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" />
   </EnvironmentMatch>
</Environment>

Regards,
Walco
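The argument-order rule discussed above, as an added example that is not part of the original post and not HERAS-AF code: a small Python evaluator for an xs:date <EnvironmentMatch> that always passes the <AttributeValue> as the first function argument and each bag element from the designator as the second, whatever order the two children have in the XML. The request bag, the sample current-date value and the helper names are constructed for this example; dates without a timezone are treated as UTC, which is a simplification of XML Schema date comparison.

```python
"""Added example (not HERAS-AF code): XACML 2.0 Match evaluation for xs:date.

Per the spec text quoted in the thread, the <AttributeValue> is ALWAYS the
first argument of the MatchId function and each element of the designator's
bag is the second, regardless of element order in the policy XML.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

XACML_FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS_DATE = "http://www.w3.org/2001/XMLSchema#date"
CURRENT_DATE = "urn:oasis:names:tc:xacml:1.0:environment:current-date"

_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})(Z|[+-]\d{2}:\d{2})?$")


def parse_xs_date(text):
    """Parse an xs:date such as '1970-01-01+02:00' into an aware datetime at midnight.
    Simplification (assumption of this example): no timezone means UTC."""
    m = _DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an xs:date: {text!r}")
    y, mo, d, tz = m.groups()
    if tz in (None, "Z"):
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), tzinfo=tzinfo)


# The date comparison functions of XACML 2.0, each evaluated as (arg0 OP arg1).
FUNCTIONS = {
    XACML_FN + "date-equal": lambda a, b: a == b,
    XACML_FN + "date-greater-than": lambda a, b: a > b,
    XACML_FN + "date-greater-than-or-equal": lambda a, b: a >= b,
    XACML_FN + "date-less-than": lambda a, b: a < b,
    XACML_FN + "date-less-than-or-equal": lambda a, b: a <= b,
}


def evaluate_environment_match(match_xml, env_attrs):
    """Return True if the <EnvironmentMatch> in match_xml matches the request.

    env_attrs maps an AttributeId to the request's bag (a list of xs:date strings).
    Raises LookupError (Indeterminate) when a MustBePresent attribute is absent.
    """
    root = ET.fromstring(match_xml)
    match = root if root.tag == "EnvironmentMatch" else root.find(".//EnvironmentMatch")
    fn = FUNCTIONS[match.get("MatchId")]
    # Children are looked up by name, so their order in the XML does not matter.
    value_el = match.find("AttributeValue")
    desig_el = match.find("EnvironmentAttributeDesignator")
    if value_el.get("DataType") != XS_DATE or desig_el.get("DataType") != XS_DATE:
        raise ValueError("this example only implements xs:date matches")
    policy_value = parse_xs_date(value_el.text)          # first argument, always
    bag = env_attrs.get(desig_el.get("AttributeId"), [])
    if not bag and desig_el.get("MustBePresent", "false").lower() == "true":
        raise LookupError("Indeterminate: required environment attribute missing")
    # Each bag element is the second argument; the match is true if any element matches.
    return any(fn(policy_value, parse_xs_date(v)) for v in bag)


def _match_xml(match_id, designator_first=False):
    """Build the thread's <EnvironmentMatch> for a given MatchId (constructed sample)."""
    value = f'<AttributeValue DataType="{XS_DATE}">1970-01-01+02:00</AttributeValue>'
    desig = (f'<EnvironmentAttributeDesignator MustBePresent="true" DataType="{XS_DATE}" '
             f'AttributeId="{CURRENT_DATE}" />')
    body = desig + value if designator_first else value + desig
    return f'<Environment><EnvironmentMatch MatchId="{XACML_FN}{match_id}">{body}</EnvironmentMatch></Environment>'


def demo(current_date="2011-08-03"):
    """Evaluate the original and the rewritten match against a constructed request."""
    request = {CURRENT_DATE: [current_date]}
    return {
        # 1970-01-01 >= current-date: false for any date after 1970, as seen in the thread
        "greater-than-or-equal": evaluate_environment_match(_match_xml("date-greater-than-or-equal"), request),
        # 1970-01-01 <= current-date: the rewritten match, true for any date after 1970
        "less-than-or-equal": evaluate_environment_match(_match_xml("date-less-than-or-equal"), request),
        # swapping the child elements changes nothing, since the value stays argument 1
        "less-than-or-equal-swapped": evaluate_environment_match(
            _match_xml("date-less-than-or-equal", designator_first=True), request),
    }


if __name__ == "__main__":
    print(demo())
```

Reading the result: the original date-greater-than-or-equal match asks whether 1970-01-01 is greater than or equal to the current date, which is never true, while the rewritten date-less-than-or-equal match asks whether 1970-01-01 is less than or equal to the current date, which is what the policy intended.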
Florian Huonder
Administrator
Full Member
Posts: 129
« Reply #1 on: August 04, 2011, 07:36:14 am »

Hi Walco,

You are right that the XACML 2.0 Specification requires passing the arguments in the described order.
The TargetMatcher follows this specification exactly. This holds regardless of the order in which the value and the designator appear in the XML representation of the policy.

I'd say your approach to this problem is correct.

Hint: The specification made this limitation because the date-greater-than-or-equal method argument order is specified according to IEEE 754.
Only by predetermining the order is it possible to pass the arguments to the function correctly. <AttributeValue... and <*AttributeDesignator... both result in simple values that are passed to the function.

I hope my attempt at an explanation sheds some light on the behavior.
Let me know.

Best regards,
Florian