1

我有一个这样定义的 XACML 3.0 策略:

<?xml version="1.0" encoding="UTF-8"?>
<Policy 
  xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
  xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="Proposal-Rules" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
  <Description>Policy for any proposal.</Description>
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <Target />
  <Rule Effect="Permit" RuleId="ApproveProposalByDepartmentChair-Rule13a">
    <Description>"Department Chair" can "Approve" a "Whole Proposal" when ApprovedByDepartmentChair = READYFORAPPROVAL and where condition check all department chairs are not approved.</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only">
          <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:signedByAllChairs/text()" DataType="http://www.w3.org/2001/XMLSchema#boolean"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

我的 XACML 请求看起来像这样,带有一个包含值“计算机工程”的额外 AttributeId="group"。

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
                <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:position.title" IncludeInResult="false">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Department Chair</AttributeValue>
                    </Attribute>
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:group" IncludeInResult="false">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Computer Engineering</AttributeValue>
                    </Attribute>
                </Attributes>
                <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
                    <Content>
                        <record xmlns:ak="http://akpower.org">
                            <proposal>  
                                <signedByAllChairs>false</signedByAllChairs>
                            </proposal>
                        </record>
                    </Content>
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
                        <AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
                    </Attribute>
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ApprovedByDepartmentChair" IncludeInResult="false">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READYFORAPPROVAL</AttributeValue>
                    </Attribute>
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
                    </Attribute>
                </Attributes>
                <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
                    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Approve</AttributeValue>
                    </Attribute>
                </Attributes>
    </Request>

我希望 PEP 将返回NotApplicable但相反它返回以下响应:使用PERMIT 即使定义的策略规则不包含任何名为“组”的属性作为规则目标,而请求正在发送“组”属性值“计算机工程”,甚至它正在返回匹配和许可响应!

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
        </Status>       
    </Result>
</Response>

有什么我想念的吗?我想不通。我目前正在使用Balana作为我的应用程序的 PEP 实现。

4

1 回答 1

2

我现在已经设法在 Axiomatics Policy Administration Point 中导入您的策略。

基本问题

你有几个错误:

  1. 您的 XPath 表达式使用前缀ak:( Path="//ak:signedByAllChairs/text()") 但 XPath 不包含 ak 的定义:
  2. AttributeSelector 被标记为布尔值,但 XPath 中的 text() 返回一个字符串,而不是布尔值。您需要更改为字符串。
  3. XACML 请求的 XML 片段部分<Content/>实际上并未使用 ak: 前缀。它确实使用该前缀定义了一个命名空间,但从不使用它。

APS 中的策略表示

政策的表示

模拟策略

我模拟了您的政策,但没有拿回许可证。我不确定。这是评估跟踪。WSO2 IS 中一定有问题,或者您忘记部署新策略。

评估跟踪 - Axiomatics Policy Server

现在,如果我清理您发送的 XML,则完全符合以下条件:

<record xmlns:ak="http://akpower.org">
    <proposal>                  
        <signedByAllChairs>false</signedByAllChairs>                    
    </proposal>
</record>

然后我从政策中获得许可证。

于 2016-08-01T00:42:29.003 回答