HERAS-AF Forum
Author Topic: Strange behavior with dateTime  (Read 86 times)
mascanc
« on: January 30, 2012, 06:56:06 pm »

I have a strange issue with the policy attached (pol.xml) and the request.

Actually, with these two files, everything is working fine, and I have the following trace:
Code:
18:50:01.583 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Target match resulted in: MATCH
18:50:01.583 [main] DEBUG o.h.x.c.c.r.i.RulePermitOverridesAlgorithm - Starting evaluation of: eGP patient rule
18:50:01.583 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Starting target match.
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting subjects match.
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No subjects present.
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Subjects match resulted in: true
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting recources match.
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting resource match. (id:org.herasaf.xacml.core.policy.impl.ResourceType@4adf2940)
18:50:01.583 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Matching with function: urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
18:50:01.584 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Match function resulted in true with policy attribute datatype:http://www.w3.org/2001/XMLSchema#dateTime value:2012-01-30T16:44:20.000Z and request attribute value:2012-01-30T16:44:20.000+01:00
18:50:01.584 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Matching with function: urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal
18:50:01.585 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Match function resulted in true with policy attribute datatype:http://www.w3.org/2001/XMLSchema#dateTime value:2012-01-29T23:00:00.000Z and request attribute value:2012-01-30T16:44:20.000+01:00
18:50:01.585 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Resource match resulted in: true
18:50:01.585 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Resources match resulted in: true
18:50:01.585 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting actions match.
18:50:01.585 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No actions present.
18:50:01.586 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Actions match resulted in: true
18:50:01.586 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting environments match.
18:50:01.586 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No environments present.
18:50:01.586 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Environments match resulted in: true
18:50:01.586 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Target match resulted in: MATCH
18:50:01.586 [main] DEBUG o.h.x.c.c.r.i.RulePermitOverridesAlgorithm - Evaluation of eGP patient rule was: PERMIT
18:50:01.586 [main] DEBUG o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm - Evaluation of eGP_Patient was: PERMIT
18:50:01.586 [main] DEBUG o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm - Evaluation of urn:pap:template:eGP_ooe_policyTemplate:1327942232559 was: PERMIT
18:50:01.586 [main] DEBUG o.h.x.c.c.p.i.PolicyDenyOverridesAlgorithm - Evaluation of urn:ooe:policy-id:R1YxMzI3OTM0MzI5MzQ2MS0xLjEuMS4xLjEuMy4xLTEuMS4x was: PERMIT
18:50:01.587 [main] DEBUG o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm - Evaluation of FakePolID was: PERMIT
Took Herasaf: 1057
<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
Permit


If I uncomment the following:
Code:
<!--<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2012-01-30T16:44:20.000Z</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:creationTime" DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
</Apply>-->

(and of course I remove the rule's target), I obtain an INDETERMINATE.

Code:
G o.h.x.c.t.impl.TargetMatcherImpl - Resources match resulted in: true
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting actions match.
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No actions present.
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Actions match resulted in: true
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Starting environments match.
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - No environments present.
18:54:19.456 [main] DEBUG o.h.x.c.t.impl.TargetMatcherImpl - Environments match resulted in: true
18:54:19.456 [main] DEBUG o.h.x.c.c.AbstractCombiningAlgorithm - Target match resulted in: MATCH
18:54:19.457 [main] DEBUG o.h.x.c.c.r.i.RulePermitOverridesAlgorithm - Evaluation of eGP patient rule was: INDETERMINATE
18:54:19.457 [main] DEBUG o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm - Evaluation of eGP_Patient was: INDETERMINATE
18:54:19.457 [main] DEBUG o.h.x.c.c.p.i.PolicyPermitOverridesAlgorithm - Evaluation of urn:pap:template:eGP_ooe_policyTemplate:1327942232559 was: DENY
18:54:19.458 [main] DEBUG o.h.x.c.c.p.i.PolicyDenyOverridesAlgorithm - Evaluation of urn:ooe:policy-id:R1YxMzI3OTM0MzI5MzQ2MS0xLjEuMS4xLjEuMy4xLTEuMS4x was: DENY
18:54:19.458 [main] DEBUG o.h.x.c.c.p.i.PolicyOnlyOneApplicableAlgorithm - Evaluation of FakePolID was: DENY

I'm using herasaf-xacml-core-1.0.0-M2.jar. Can you please point me at the error?

Thanks

* pol.xml (11.58 KB - downloaded 9 times.)
* req.xml (4.11 KB - downloaded 7 times.)
Florian Huonder
« Reply #1 on: January 30, 2012, 09:02:35 pm »

Hi,

I have set up a small test project with your policy and sent your request against the PDP that has your policy deployed.
When the snippet with the function is commented-out then the result of the evaluation is PERMIT. When I make the apply active the result is DENY.
Is this what you expected?
If so, there must be something wrong other than the policy or the request. Maybe you could send me a small project that reproduces the error?
I attached my small test project (see the only test case); maybe that helps you out.

Best regards,
Florian

* test-project.zip (5.92 KB - downloaded 7 times.)
mascanc
« Reply #2 on: January 31, 2012, 12:39:26 pm »

Thanks for your answer. The idea is that with the snippet code commented in, we should have a PERMIT, because the snippet is just the Resource Target moved to the condition.

We have DENY because of the DENY-ALL policy at the beginning. The fact is that the same function (dateTime-greater-than-or-equal) is giving FALSE if it is in the Condition and is giving TRUE if it is in the rule's target.
Florian Huonder
« Reply #3 on: February 01, 2012, 12:06:34 pm »

Hi,

Now I saw your error.
In the condition you have to change the function to:
Code:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2012-01-30T16:44:20.000Z</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:creationTime" DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
    </Apply>
</Apply>

The reason is that in the target the one-and-only function is done automatically, according to the specification.
In the condition the attribute-designators return a bag (collection).
Therefore you have to call the one-and-only function.

Best regards,
Florian
mascanc
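To see the bag versus one-and-only distinction from reply #3 in action, here is an added toy evaluator in Python (not HERAS-AF's code): it evaluates the condition as first posted, the corrected condition, and the same comparison written as a Target match, assuming a request whose creationTime bag holds the single value seen in the trace above.

```python
# Added example (not HERAS-AF code); REQUEST is constructed from the creationTime in the trace.
from datetime import datetime
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
XMLNS = 'xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"'

def parse_dt(text):  # XML Schema dateTime with Z or +hh:mm offset -> aware datetime
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
def compare(op):  # primitive dateTime functions reject bags: that is the Indeterminate
    def fn(a, b):
        if not (isinstance(a, datetime) and isinstance(b, datetime)):
            raise TypeError("dateTime function applied to a bag")
        return op(a, b)
    return fn
def one_and_only(bag):  # exactly one value in the bag -> that value, otherwise an error
    (value,) = bag  # raises ValueError unless the bag holds exactly one element
    return value
FUNCS = {FN + "dateTime-greater-than-or-equal": compare(lambda a, b: a >= b),
         FN + "dateTime-less-than-or-equal": compare(lambda a, b: a <= b),
         FN + "dateTime-one-and-only": one_and_only}

def evaluate(el, request):  # AttributeValue, ResourceAttributeDesignator or Apply
    tag = el.tag.rsplit("}", 1)[-1]
    if tag == "AttributeValue":
        return parse_dt(el.text)
    if tag == "ResourceAttributeDesignator":  # designators always return a bag
        return [parse_dt(v) for v in request.get(el.get("AttributeId"), [])]
    return FUNCS[el.get("FunctionId")](*[evaluate(c, request) for c in el])

def rule_decision(condition_xml, request, effect="Permit"):
    # condition true -> rule effect; false -> NotApplicable; evaluation error -> Indeterminate
    try:
        return effect if evaluate(ET.fromstring(condition_xml), request) else "NotApplicable"
    except (TypeError, ValueError, KeyError):
        return "Indeterminate"

def target_match(match_xml, request):  # a Target match applies MatchId to each bag element itself
    m = ET.fromstring(match_xml)
    return any(FUNCS[m.get("MatchId")](evaluate(m[0], request), v) for v in evaluate(m[1], request))

REQUEST = {"urn:oasis:names:tc:xacml:1.0:resource:creationTime": ["2012-01-30T16:44:20.000+01:00"]}
VALUE = '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2012-01-30T16:44:20.000Z</AttributeValue>'
DESIGNATOR = ('<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:creationTime"'
              ' DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>')
GTE = FN + "dateTime-greater-than-or-equal"
AS_POSTED = '<Apply %s FunctionId="%s">%s%s</Apply>' % (XMLNS, GTE, VALUE, DESIGNATOR)  # bag fed straight in
FIXED = ('<Apply %s FunctionId="%s">%s<Apply FunctionId="%sdateTime-one-and-only">%s</Apply></Apply>'
         % (XMLNS, GTE, VALUE, FN, DESIGNATOR))  # reply #3's fix
AS_TARGET = '<ResourceMatch %s MatchId="%s">%s%s</ResourceMatch>' % (XMLNS, GTE, VALUE, DESIGNATOR)
```

With REQUEST, `rule_decision(AS_POSTED, REQUEST)` yields Indeterminate, `rule_decision(FIXED, REQUEST)` yields Permit, and `target_match(AS_TARGET, REQUEST)` is true, mirroring the three outcomes in the thread; an empty or multi-valued bag also shows why the condition needs one-and-only while the target does not.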
« Reply #4 on: February 02, 2012, 03:31:35 pm »

Thanks a lot!