XACML Policy - is it correct?

Question

I have a question about XACML policies which I am using with WSO2 Balana library.

Having a policy:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Policy1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</AttributeValue>
                    <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                                    Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>            
            </AllOf>
        </AnyOf>
    </Target>
    <Rule Effect="Permit" RuleId="RuleFor_user1_myapp">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user1</AttributeValue>
                        <AttributeDesignator AttributeId="http://example.site.com/id/user" 
                                       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                                       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>           
            </AnyOf>
        </Target>
        <Apply  FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>                                
            </Apply>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
    </Rule>   
</Policy>   

It should define that user1 has only READ permission on MyApp.

I have a request to evaluate, which asks if user1 has READ permissions, and I am getting "Permit" in the response, which is OK.

But when I have a request to evaluate which asks if user1 has WRITE permissions, I am getting also "Permit", instead of "Not applicable".

Can someone tell me is the policy is correct to produce an outcome I have just described?

Thank you in advance!

Best regards, Jurica Krizanic

Answer 1

You can use http://validator.xacml.eu/ to verify that your XACML policy is either XACML 2.0 or XACML 3.0 conformant.

Also, I'd recommend you use ALFA to write policies - it's easier and it integrates with Eclipse.

The ALFA code looks like this:

namespace sample{
    // Import standard XACML attributes
    import Attributes.*

    /**
     * Define custom attributes here
     */
    attribute user{
        category = subjectCat
        id = "http://example.site.com/id/user"
        type = string
    }

    /**
     * MyApp Policy
     */
    policy Policy1{
        target clause resourceId=="MyApp"
        apply firstApplicable
        /**
         * This rule grants READ access for user 1
         */
        rule RuleFor_user1_myapp{
            target clause user=="user1" and actionId=="READ"
            permit
        }
    }
}

And the generated XACML 3.0 looks like this:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/sample.Policy1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description>MyApp Policy</xacml3:Description>
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">MyApp</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator 
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        MustBePresent="false"
                    />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/sample.Policy1.RuleFor_user1_myapp">
        <xacml3:Description>This rule grants READ access for user 1</xacml3:Description>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">user1</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="http://example.site.com/id/user"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">READ</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
    </xacml3:Rule>
</xacml3:Policy>

Answer 2

First thing is that, Policy is not a valid one with the XACML3 schema. You need to have element that is enclosed by Apply element in the rule. Rule basically contains the Target and Condition element. Balana is not doing schema validation with your policy. It build the object module using policy element. As it can not find a element in the Rule, it has ignored your elements. So Your Rule actually has only the target element that evaluate only the subject attribute. Please use as following. Also When you are uploading policy in to WSO2 Identity server, it does schema validation. You can just upload or create a policy with it easily.