Could you please explain to me how I can use the conversion functions from the provided list of XACML functions to create the Condition in a Rule of a Policy? For example, this function: urn:oasis:names:tc:xacml:3.0:function:integer-from-string
I'm using AuthzForce, and my Apply contains an AttributeValue and an AttributeDesignator. My PDP request contains only string types, and I would like to do the conversion to the needed types in the policy.
I tried to do so, but I got an error message: policyset is invalid.
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:all-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
        <AttributeDesignator
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
          AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          MustBePresent="true"/>
      </Apply>
    </Apply>
  </Apply>
</Condition>
CodePudding user response:
If you are using AuthzForce (esp. authzforce core), the full error message should give more info about which part of the policy is invalid. Anyway, I see at least one issue (which is a very common mistake when starting with XACML): an AttributeDesignator is considered a Bag of values (i.e. possibly multivalued). Therefore, you cannot apply the integer-from-string function directly to it, because it takes a simple string value as input, not a Bag. The fix consists of applying one of the *-one-and-only functions (which turn a bag into a single value) to the AttributeDesignator first, depending on the datatype:
...
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <AttributeDesignator
      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
      AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      MustBePresent="true"/>
  </Apply>
</Apply>
...
More info: XACML 3.0 standard
https://www.axiomatics.com/in-xacml-what-is-the-stringoneandonly-function/
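To make the bag-versus-single-value point concrete, here is a small toy evaluator I wrote for this answer (it is not AuthzForce code and not a real PDP). It represents the question's Condition and the corrected one as nested tuples, using the function IDs and attribute identifiers from the policy above, and shows that the original fails as a type error (the "policyset is invalid" rejection) while the corrected one evaluates, and that an absent, multivalued or non-numeric attribute value in the request yields Indeterminate rather than False:

```python
NS1, NS3 = "urn:oasis:names:tc:xacml:1.0:function:", "urn:oasis:names:tc:xacml:3.0:function:"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
ATTR = "urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
class Indeterminate(Exception):
    """Evaluation-time processing error; a PDP turns it into an Indeterminate decision."""
def string_one_and_only(bag):
    if len(bag) != 1:  # an absent or multivalued attribute is an error, not False
        raise Indeterminate(f"string-one-and-only: bag has {len(bag)} values")
    return bag[0]
def integer_from_string(value):
    if isinstance(value, list):  # a bag where one string is required: the question's mistake
        raise TypeError("integer-from-string: got a bag, apply string-one-and-only first")
    try:
        return int(value)
    except ValueError as exc:  # the request carried a non-numeric string such as "abc"
        raise Indeterminate(f"integer-from-string: {value!r} is not an integer") from exc
FUNCTIONS = {
    NS1 + "and": lambda *args: all(args),
    NS1 + "integer-greater-than-or-equal": lambda a, b: a >= b,
    NS1 + "string-one-and-only": string_one_and_only,
    NS3 + "integer-from-string": integer_from_string,
    NS3 + "all-of": lambda func, value, bag: all(func(value, x) for x in bag),
}

def evaluate(expr, request):
    # expr: ('value', v) | ('designator', category, id, must_be_present) | ('apply', id, args)
    if expr[0] == "value":
        return expr[1]
    if expr[0] == "designator":  # always yields a bag, even when exactly one value matches
        bag = request.get((expr[1], expr[2]), [])
        if expr[3] and not bag:
            raise Indeterminate(f"MustBePresent attribute {expr[2]} is absent")
        return bag
    return FUNCTIONS[expr[1]](*(evaluate(arg, request) for arg in expr[2]))
DESIGNATOR = ("designator", CAT, ATTR, True)
# The question's Condition: integer-from-string applied straight to the bag-valued designator.
# A <Function> element simply evaluates to the function itself, so it is a 'value' here.
BROKEN = ("apply", NS1 + "and", [("apply", NS3 + "all-of", [
    ("value", FUNCTIONS[NS1 + "integer-greater-than-or-equal"]), ("value", 100),
    ("apply", NS3 + "integer-from-string", [DESIGNATOR])])])
# The answer's Condition: string-one-and-only unwraps the bag before the conversion.
FIXED = ("apply", NS1 + "and", [("apply", NS1 + "integer-greater-than-or-equal", [("value", 100),
    ("apply", NS3 + "integer-from-string", [("apply", NS1 + "string-one-and-only", [DESIGNATOR])])])])

def decide(condition, strvalues):
    # Returns 'True'/'False' like a Condition; 'Invalid' stands in for the loader rejecting the policy.
    try:
        return str(evaluate(condition, {(CAT, ATTR): strvalues}))  # strvalues: constructed request bag
    except Indeterminate:
        return "Indeterminate"
    except TypeError:  # AuthzForce catches this earlier, while loading the PolicySet
        return "Invalid"
```

Note that the comparison keeps the argument order of the policy (100 >= strvalue), so a request value of "42" satisfies it and "150" does not.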
CodePudding user response:
Thank you so much. Now it all works.
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
            AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
        </Apply>
      </Apply>
    </Apply>
  </Apply>
</Condition>
