HERAS-AF Forum
Topic: missing attributes
Erwan G
« on: November 02, 2009, 11:16:16 am »

Hi,

We are currently thinking to integrate a PIP service to our system.
To allow the PEP to resolve missing attributes through the PIP, the PDP must send the missing attributes' description in the decision response. But it seems that the PDP doesn't automatically add these descriptions to the response.

Is there something to configure, or do we have to implement it?
If we have to implement it, what will be the best way to do it?

Best regards,
Erwan


PS: we use the version 0.13.0 of the HERAS-AF XACML component.
Florian Huonder
« Reply #1 on: November 02, 2009, 11:33:33 am »

Hi Erwan,

The HERAS-AF XACML implementation does support Missing Attributes.

A response of indeterminate with missing attributes is only sent if the attribute has the flag MustBePresent set to true. Otherwise the attribute designator returns an empty bag.
See XACML specification section "5.37.Complex type AttributeDesignatorType".

If you'd like you can attach a simple example that reproduces your problem to this thread and I could have a look at it.

I hope I could help you.

Regards,
Florian
Erwan G
« Reply #2 on: November 02, 2009, 12:54:47 pm »

Hi Florian,

and thank you for your quick answer. Here is the policySet I use in my test:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd"
 xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
 xmlns:db="db_upe2"
 xmlns:context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"
 PolicySetId="MainUPE2B2CPolicySet">
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FR</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable" PolicySetId="UserIdAPolicySet">
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">toto</AttributeValue>
            <ResourceAttributeDesignator AttributeId="xacml:2.0:interop:example:resource:owner-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable" PolicySetId="Chronopost3rdPartySvcPolicySet">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">chronopost</AttributeValue>
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true" />
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <Policy PolicyId="RichPPResourceFamilyPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides" xmlns:db="db_upe2">
        <Target>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PersonalBilling</AttributeValue>
                <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
              </ResourceMatch>
            </Resource>
          </Resources>
        </Target>
        <Rule Effect="Permit" RuleId="Chronopost-RichPP-LastName">
          <Target>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LastName</AttributeValue>
                  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                </ResourceMatch>
              </Resource>
            </Resources>
            <Actions>
              <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
                  <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                </ActionMatch>
              </Action>
            </Actions>
          </Target>
        </Rule>
      </Policy>
    </PolicySet>
  </PolicySet>
</PolicySet>

and the request I evaluate :

Code:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
<Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
<AttributeValue>chronopost</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>chronopost-iphoneee</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="xacml:2.0:interop:example:resource:owner-id" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>toto</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>PersonalBilling</AttributeValue>
</Attribute>

<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:target-namespace" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>FR</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Read</AttributeValue>
</Attribute>
</Action>
<Environment/>
</Request>

and the response :

Code:
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:ns2="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
        </Status>
    </Result>
</Response>

The request doesn't have the resource-id attribute and I expect an "Indeterminate" answer with a missing-attribute status, so there is no problem about the decision.
But the problem is that there is no information about which attribute is missing. I surely have missed something but I can't see what.

Regards,
Erwan


Florian Huonder
« Reply #3 on: November 03, 2009, 10:32:27 am »

Hi Erwan,

I had a closer look at this problem and found a bug.
The missing attributes get lost on their way up the policy tree.

I am going to fix this (hopefully today) and then let you know.

Regards,
Florian