fiware - AuthZForce PDP not behaving as expected

Question

I've extended a policy set to include a new policy, which means I've added targets to the policies to ensure that a request targets the right policy.

here is the policy set xacml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicySetId="P1" Version="1.3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Description>CD Governance PolicySet</Description>
<Target/>
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
    <Description>Reject if the Date is July Policy</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                        MustBePresent="false"
                        />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-not-in:july:rule" Effect="Permit">
     <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
                        <AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" 
                            DataType="http://www.w3.org/2001/XMLSchema#date" 
                            MustBePresent="true"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
                    </Apply>
                </Apply>
            </Apply>
        </Apply>
       </Condition>
    </Rule>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny">
     <Condition>    
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in">
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
              <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true"
                 Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue>
           </Apply>
        </Apply>
     </Condition>
  </Rule>
</Policy>
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:app-in:prod:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01">
    <Description>Reject if the Application is not allowed in Production Policy</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:environment"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"
                        MustBePresent="true"
                        />
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-not-in:prod:rule" Effect="Deny">
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                            <AttributeDesignator 
                                AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
                                DataType="http://www.w3.org/2001/XMLSchema#string" 
                                MustBePresent="true"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                        </Apply>
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                        </Apply>
                    </Apply>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-in:prod:rule" Effect="Permit">
        <Condition>    
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                    <AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
                        DataType="http://www.w3.org/2001/XMLSchema#string" 
                        MustBePresent="true"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>
</PolicySet>

So when I want to check the second policy (whether an App is allowed in Prod) I send a request like:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:environment">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP1</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Which returns what I expect:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Deny</Decision>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

So far so good.... But when I send this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-08-01</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

I don't get a similar response to the first one (but a Permit), I get this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
            <StatusMessage>Error evaluating &lt;Target&gt;/&lt;AnyOf&gt;#0</StatusMessage>
        </Status>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

Now you might think that the policy is defined incorrectly, so I then sent this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="true">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false"
                 AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

I got what I expected - A Deny, with not Target missing errors:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0">
    <Result>
        <Decision>Deny</Decision>
        <PolicyIdentifierList>
            <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference>
            <PolicySetIdReference Version="1.3">P1</PolicySetIdReference>
        </PolicyIdentifierList>
    </Result>
</Response>

so Why is the PDP getting confused for this one policy (that looks to my eyes the same as the other that works correctly....yes I get a permit when the App is in the list in the policy)?

why does it think the attribute for the target is missing completely (instead of having just the wrong value)? And Why is it doing this for the condition attribute?

Answer 1

正如 StatusCode/StatusMessage/PolicyIdentifierList 所说，由于缺少评估 Policy 的（第一个 AnyOf 的）目标所需的属性，您会得到一个 Indeterminate 决定urn:oasis:names:tc:xacml:1.0:app-in:prod:policy。由于MustBePresent=true在此 Target/AnyOf 中的 AttributeDesignator 上，如果请求上下文中不存在匹配的属性（并且我假设未启用任何属性提供程序），则将其视为错误。实际上，您的第二个请求AttributeId="urn:oasis:names:tc:xacml:1.0:environment"中没有属性。Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"因此，您要么在请求中提供此类属性，要么设置 MustBePresent=false（或更改 AttributeDesignator），具体取决于您想要什么。

顺便说一句，请尽可能使用标准标识符，以免我们在查看您的政策时感到困惑；例如，标准资源类别标识符是urn:oasis:names:tc:xacml:3.0:attribute-category:resource（不是urn:oasis:names:tc:xacml:1.0:subject-category:resource）。