I'm trying to encode my own resource hierarchy in XACML based on the RBAC profile by Oasis using WSO2 identity server. However whenever I use or I get unexpected values.
This is a plolicySet with a reference to another policySet
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="DPS4" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Orders</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<PolicySetIdReference>PPS4</PolicySetIdReference>
</PolicySet>
This is the referred PoilicySet, which refer to another Policy
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" PolicySetId="PPS4" Version="1.0">
<Target/>
<PolicyIdReference>PAP4</PolicyIdReference>
</PolicySet>
And this is the final Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="PAP4" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target/>
<Rule Effect="Permit" RuleId="PermitOrders">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Emplyee</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
The response should be Permit however I'm getting a Deny!!
Any suggestions?
Related
We are using WSO2 IS as the Identity Bus for our solutions. We use WSO2 ESB and EI to implement our Integration and use OAuth mediator to connect an API from EI to IS.
Everything works fine in the EI, but we want to create an XACML policy to do two kinds of restrictions at the same time. First, authorize the user against the URI which can be hardcoded in the XACML or saved as a property in user claims. Secondly, authorize the user against the origin IP of the user, I mean imagine that every user saves its IP in its claims, then we check the invoker IP to match the user IP.
TO SUMMARIZE:
We make REST API in WSO2-ESB to implement our Integration and use OAuth mediator in that for securing our API. In WSO2-IS we create a service provider as sp1 and apply XACML policy to that. I want to create XACML policy to permit incoming requests just when client_ip is xxx.xxx.xxx.xxx and request URI is http://wso2ESB.uri/sampleApi/app and method is GET.
NOTE: Reading from values from a claim is not a big deal here!
Regarding your second requirement, You can define XACML policy as below by pointing IP address in subject category (since IP address can be retrieved from user profile). By default WSO2 Identity Server PIP (Policy Information Point) is underline user store.
XACML Request contains only username and XACML Policy contains IP Address therefore PIP resolve IP Address for given user.
XACML Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="TestPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.168.1.1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/ipAddress" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">test-resource</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"></Rule>
</Policy>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">test-resource</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">gboss</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
</Attribute>
</Attributes>
</Request>
[![enter image description here][1]][1]
enter image description here
Refer to the "Configuring Access Control Policy for a Service Provider" section of WSO2's documentation to enable the XACML based access control for Service provider. You need to enable "Enable Authorization" under "Local and Outbound Authentication Configuration" of your service provider and configure the XACML policy.
(In the policy, as you want to have the URI and IP as user claims, then create two new claims. Let's say http://wso2.org/claims/uri and http://wso2.org/claims/ip)
Then change the policy provided to check for these claims,
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">APP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_uri_and_ip">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">URI</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/uri" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IP</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/ip" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"/>
</Policy>
Then publish the policy. You can also refer to "Writing XACML3 Policies in WSO2 Identity Server" to get an understanding about writing the XACML policies.
When using XACML V.3 "Condition" logic that contains multiple statements I receive an error at saving a new policy. The WSO2 XML editor, as well as the policy "Upload" function, reject the source code attached below, throwing the following error message:
Error
Policy uploading failed. Unsupported Entitlement Policy. Policy can not be parsed
or
Entitlement policy is not updated. Error is :Unsupported Entitlement Policy. Policy can not be parsed
Below you find a sample code of a policy that makes use of a "Condition" logic. The source code was previously validated with the XACML version 3 schema and was found as valid.
Source Code Sample:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="cfatest4" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target></Target>
<Rule Effect="Deny" RuleId="Deny-Rule1">
<Target></Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">myGroup</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<AttributeDesignator
AttributeId="http://w3.RED.com/subject/groupsUserBelong"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Apply>
</Apply>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression FulfillOn="Deny" ObligationId="groupscheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1 - The groups validation error</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression ObligationId="debug1" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="debug1">
<AttributeDesignator AttributeId="http://w3.RED.com/subject/groupsUserBelong" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<Rule Effect="Permit" RuleId="Permit-Rule1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="countrycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Rule 1: The Bluegroups validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="allchecks">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The overall validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>
The error started after adding additional parser logic into the "Condition" block.
When adding a set of obligations into an existing XACML Policy using the WSO2 XML Web Editor as described in the instructions for OASIS XACML Version 3 syntax, the WSO2 editor throws the following error:
Entitlement policy is not updated. Error is :Invalid Entitlement Policy. Policy is not valid according to XACML schema
The following statements are placed right before the tag at the end of the Policy definition, see the lines added:
Other, version 3 compliant syntax also throws the same error. Is there any further configuration required, some .xml or schema file adjustment, to make the editor recognize the Obligation statements as a valid syntax? This is WSO2 IS version 5.
Update: Statement in error:
<Obligations>
<Obligation ObligationId="send-email" FulfillOn="Deny">
<AttributeAssignment AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">myid#red.com</AttributeAssignment>
</Obligation>
</Obligations>
Update:
Below you find the working XACML V3 compliant policy after correcting the syntax of the Obligations statement:
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="RedLDAPPolicySaoPaulo" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Singapore</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Permit-Rule1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</AttributeValue>
<AttributeDesignator AttributeId="http://w3.red.com/subject/employeeCountryCode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"></Rule>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="citycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The validation passed successfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression FulfillOn="Deny" ObligationId="countrycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The IDs country code is not valid</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>
After checking the manual from OASIS XACML version 3, I found that the error was causes by missing syntax compliance. I've updated the statements to the latest specifications and my very simple example, as printed below, started to execute, adding an attribute with a comment string to the result.
Below a code example:
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="citycheck">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">The validation passed sucessfully</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
Below the result copied from the WSO2 "Try It" console:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<Obligations>
<Obligation ObligationId="citycheck">
<AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
The validation passed successfully</AttributeAssignment>
</Obligation>
</Obligations>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ldap</AttributeValue>
</Attribute>
</Attributes>
</Result>
</Response>
I am new in XACML.I am planing to implement RBAC in our organization applications using XACML policy and Wso2 ID server. I had read many articles on creating different different XACML policy using wso2 and I also try many policy example.but after go through all the available example I didn't find proper way to creating XACML policyset and reuest for policy set. I try it by my self to create XACML PolicySet but when I try to execute this policyset in wso2 Id server then it gives me 'not applicable' error every time.I try a lot for creating XACML policyset in different way but when i create request for that then it not gives me proper result.
Help me to give proper example of XACML policyset and it's request.
Here I added my policyset and policy and also it's request. please let me know what was wrong in it.
Role Created in wso2Id is :- testRole
and assign this role to testUser
PolicySet is :-
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" PolicySetId="PolicySetExample" Version="1.0">
<Description>TestPolicySet</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<PolicyIdReference>ComplexPolicy</PolicyIdReference>
</PolicySet>
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="ComplexPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="PermitForTestUser">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testRole</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
PolicySet Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testU</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Attribute>
</Attributes>
If you are using Policy Set with WSO2IS, Please note following.
You need to publish both Policy Set policy and reference policies in to PDP.
Then you need to enable the Policy Set in the PDP. You can keep the reference policies as disabled policies.
Please refer more detail from here as well
If you are going to implement RBAC and ABAC with WSO2 Identity Server, I recommnad for you to go through this to get more understanding.
I tested your policy using the Axiomatics Policy Server (see screenshot):
I then tested the policy set using our simulator:
I received Indeterminate back as a response. The root cause of the Indeterminate is that your Condition inside the Rule has a flag called MustBePresent set to true on the http://wso2.org/claims/role attribute and that for some reason the evaluation did not retrieve any values.
It seems like the WSO2 IS is not retrieving the values for the role attribute. You want to check your configuration w/in WSO2 IS. Alternatively, test out the Axiomatics Policy Server.
HTH
I want to import policy into WSo2IS using the SOAP importPolicyFromRegistry API
I've first created 1 template policy using the wso2 editor which is working. Then I want to import copies of them by changing just the PolicyId and some attributeValue.
The ImportPolicyFromRegistry API seems to be exactly what I'm looking for,
Unfortunatly is seems that the policyRegistryPath must be set to a specific value (internal wso2 registry path).
When I try to set a place lime /tmp/mypolicy.xml I get an "index out of range -1". Looking at the wso2 java code it seems that this API is looking for a path containing CONFIG_REGISTRY_IDENTIFIER global parameter ...
If you could give me some example or guide here that would help me a lot .!!
Thanks
vpl
Here is what I was looking for .
I finally succeeded by using your java example but sending to a dummy http address and tracing the traffic with wireskark ...
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body>
<ns3:addPolicy xmlns:ns3="http://org.apache.axis2/xsd">
<ns3:policyDTO>
<ns1:policy xmlns:ns1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="policy-3" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/tenant-3/*</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="rule-31">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">turlututu</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
</Policy>
]]>
</ns1:policy>
</ns3:policyDTO>
</ns3:addPolicy>
</soapenv:Body>
</soapenv:Envelope>
If you are using importPolicyFromRegistry method, It means that your policy must be in the WSO2 registry location. First, you must upload your policy in to WSO2 registry and then you can use above method to upload policy in to the actual PDP. You need to provide policy path as a registry resource path... It means, if the policy is in config registry. policy path would be conf:/{path to policy} if the policy is in governance registry, gov:/{path to policy}
Also, if your are creating the policy using a template policy, I guess you can use the addPolicy method to do it. You can find the policy administration java client from here
Here is what I was looking for.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="testAnd" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>Test And</Description>
<Target></Target>
<Rule Effect="Permit" RuleId="primary-group-emps-rule">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/Customers/getEmployees</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
<AttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:example-group" MustBePresent="true"></AttributeDesignator>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny-rule"></Rule>
</Policy>
With regards
Vpl