WSO2 Identity Server XACML Request results in Indeterminate/Couldn't find AttributeDesignator attribute if more than one policy enabled

1
votes

I'm trying to build a policy that would receive from the request a list of attributes and an attribute, check if the single attribute is inside the list and permit based on that. I'm still a newbie, so I might have overlooked something.

What I've come up with is a slightly modified version of XACML type for bags.

When evaluated with the WSO2 TryIt tool by itself, the result is Permit. Same thing happens if this is the only enabled policy on the server. If I enable other policies it responds with Indeterminate/Couldn't find AttributeDesignator attribute.

The same does not happen when I make requests that hit other policies. Other policies returns the expected results, although none include lists.

Why does it do that and how can I mitigate it?

Policy:

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="county-based-3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <xacml3:Description></xacml3:Description>
   <xacml3:Target>
      <xacml3:AnyOf>
         <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bay</xacml3:AttributeValue>
               <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></xacml3:AttributeDesignator>
            </xacml3:Match>
         </xacml3:AllOf>
      </xacml3:AnyOf>
   </xacml3:Target>
   <xacml3:Rule Effect="Permit" RuleId="http://axiomatics.com/alfa/identifier/stackoverflow.example.checkGroup">
      <xacml3:Description></xacml3:Description>
      <xacml3:Target></xacml3:Target>
      <xacml3:Condition>
         <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:county" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" MustBePresent="false"></xacml3:AttributeDesignator>
            <xacml3:AttributeDesignator AttributeId="test:xacml:1.0:counties" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="false"></xacml3:AttributeDesignator>
         </xacml3:Apply>
      </xacml3:Condition>
   </xacml3:Rule>
   <xacml3:Rule Effect="Deny" RuleId="deny-rule"></xacml3:Rule>
</xacml3:Policy>

The request that goes with it:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="test:xacml:1.0:county" IncludeInResult="false">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="test:xacml:1.0:counties" IncludeInResult="false">

        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">travis</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brazoria</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dallas</AttributeValue>

    </Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bay</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Indeterminate response:

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
            <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
        </Status>
    </Result>
</Response>

An example Policy and Request that, when enabled, make the server exhibit this problem:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="TestingStuff" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">creaky</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="Stuff">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grease</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">break</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">someHuman</AttributeValue>
                </Apply>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Martin</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
        <AdviceExpressions>
            <AdviceExpression AdviceId="role" AppliesTo="Permit">
                <AttributeAssignmentExpression AttributeId="role">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mechanic</AttributeValue>
                </AttributeAssignmentExpression>
            </AdviceExpression>
        </AdviceExpressions>
    </Rule>
</Policy>

The request:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grease</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Martin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">creaky</AttributeValue>
        </Attribute>
    </Attributes>
</Request>
1
wso2isxacmlxacml3

1 Answers

1
votes

That is weird indeed. If I import the first policy into Axiomatics policy authoring tool (disclaimer: I work for Axiomatics) and use the simulation feature, I get the results as expected.

The simulation shows that the evaluation follows the path as shown:

enter image description here

I am not sure why you are seeing the behaviour you described, at your side. One thing I am not sure of is what you meant when you said "If I enable other policies" Do you reference this second policy from within the first?