Failed Permitted Access XACML

Posted: 2018-05-14 08:48:39

Question:

I am currently trying to implement XACML for an application and have just started working through it with the AuthZForce library. I have a sample policy like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
    <Description>
        Policy for Conformance Test IIA001.
    </Description>
    <Target/>
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Description>
            Julius Hibbert can read or write Bart Simpson's medical record.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>

So I tried to build a XACML request against this policy, expecting the PDP to return Permit, with the following code:

// Imports follow the AuthZForce core (org.ow2.authzforce) package layout.
import static org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory.XACML_1_0_ACCESS_SUBJECT;
import static org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory.XACML_3_0_ACTION;
import static org.ow2.authzforce.xacml.identifiers.XacmlAttributeCategory.XACML_3_0_RESOURCE;

import java.io.File;
import java.util.Optional;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.AttributeFqn;
import org.ow2.authzforce.core.pdp.api.AttributeFqns;
import org.ow2.authzforce.core.pdp.api.DecisionRequest;
import org.ow2.authzforce.core.pdp.api.DecisionRequestBuilder;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.Bags;
import org.ow2.authzforce.core.pdp.api.value.StandardDatatypes;
import org.ow2.authzforce.core.pdp.api.value.StringValue;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.xacml.identifiers.XacmlAttributeId;

public class XacmlPermitTest {
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.xml.accessExternalSchema", "http");

        // PDP configuration file that references the policy above
        File a = new File("pdp.xml");
        final PdpEngineConfiguration pdpEngineConf = PdpEngineConfiguration.getInstance(a.toURI().toString());
        final BasePdpEngine pdp = new BasePdpEngine(pdpEngineConf);
        final DecisionRequestBuilder<?> requestBuilder = pdp.newRequestBuilder(-1, -1);
        String issuer = "Julius Hibbert";

        // Subject ID attribute (access-subject category), string value "Julius Hibbert"
        final AttributeFqn subjectIdAttributeId = AttributeFqns.newInstance(XACML_1_0_ACCESS_SUBJECT.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_SUBJECT_ID.value());
        final AttributeBag<?> subjectIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("Julius Hibbert"));
        requestBuilder.putNamedAttributeIfAbsent(subjectIdAttributeId, subjectIdAttributeValues);

        // Resource ID attribute (resource category), string value holding the record URL
        final AttributeFqn resourceIdAttributeId = AttributeFqns.newInstance(XACML_3_0_RESOURCE.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_RESOURCE_ID.value());
        final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));
        requestBuilder.putNamedAttributeIfAbsent(resourceIdAttributeId, resourceIdAttributeValues);

        // Action ID attribute (action category), string value "write"
        final AttributeFqn actionIdAttributeId = AttributeFqns.newInstance(XACML_3_0_ACTION.value(), Optional.ofNullable(issuer), XacmlAttributeId.XACML_1_0_ACTION_ID.value());
        final AttributeBag<?> actionIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("write"));
        requestBuilder.putNamedAttributeIfAbsent(actionIdAttributeId, actionIdAttributeValues);

        // No more attributes, finalize the request
        final DecisionRequest request = requestBuilder.build(false);
        // Evaluate the request
        final DecisionResult result = pdp.evaluate(request);
        if (result.getDecision() == DecisionType.PERMIT) {
            // This is a Permit :-)
            System.out.println("ok");
        } else {
            // Not a Permit :-( (maybe Deny, NotApplicable or Indeterminate)
            System.out.println("not ok");
        }
    }
}

But when I run the code, the result is NotApplicable, and I don't know why. Is there a mistake in my code?

Comments:

What tool are you using to write the policy?

@DavidBrossard I got it from here github.com/authzforce/core/blob/develop/pdp-testutils/src/test/… so I think it should be fine.

Answer 1:

The datatype of the resource-id attribute is wrong in your code. You set it to string, whereas the match in the policy requires anyURI. So just change this line of code:

final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("http://medico.com/record/patient/BartSimpson"));

to:

final AttributeBag<?> resourceIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.ANYURI, new AnyUriValue("http://medico.com/record/patient/BartSimpson"));

Also, is there any particular reason you set the attribute issuer to Julius Hibbert? Otherwise set it to null and don't worry about it.

String issuer = null;
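As an added illustration of why the question's request comes back NotApplicable (example code written for this page, not AuthZForce's code and not the original poster's): a small Python model of XACML 3.0 Target evaluation (Match inside AllOf, AllOf inside AnyOf, AnyOf inside Target), parsed from the rule Target of the question's policy with the standard library. The constructed request mirrors the Java in the question: the same three attributes, the same issuer on each, with only the DataType of resource-id varied. Attribute lookup is keyed on Category, AttributeId and DataType, so a string-typed resource-id is invisible to the anyURI designator, its bag is empty, and the rule's Target does not match. The identifiers and the policy structure are the page's; the functions (`evaluate`, `build_request`, `lookup`, `match`) and the tuple-based request layout are this example's own and not an AuthZForce API.

```python
import operator
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
XSD = "http://www.w3.org/2001/XMLSchema#"
STRING, ANYURI = XSD + "string", XSD + "anyURI"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ANYURI_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"

# The question's policy with the same matches, whitespace trimmed (constructed copy).
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="IIA1" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="IIA1:rule" Effect="Permit"><Target>
  <AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">Julius Hibbert</AttributeValue>
   <AttributeDesignator Category="{SUBJECT_CAT}" AttributeId="{SUBJECT_ID}" DataType="{STRING}" MustBePresent="false"/>
  </Match></AllOf></AnyOf>
  <AnyOf><AllOf><Match MatchId="{ANYURI_EQUAL}">
   <AttributeValue DataType="{ANYURI}">http://medico.com/record/patient/BartSimpson</AttributeValue>
   <AttributeDesignator Category="{RESOURCE_CAT}" AttributeId="{RESOURCE_ID}" DataType="{ANYURI}" MustBePresent="false"/>
  </Match></AllOf></AnyOf>
  <AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">read</AttributeValue>
   <AttributeDesignator Category="{ACTION_CAT}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
  </Match></AllOf><AllOf><Match MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">write</AttributeValue>
   <AttributeDesignator Category="{ACTION_CAT}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
  </Match></AllOf></AnyOf>
 </Target></Rule>
</Policy>"""

# Each match function is defined on exactly one datatype; operands of any other
# type are never compared at all (plain string equality is enough for this model).
MATCH_FUNCS = {STRING_EQUAL: (STRING, operator.eq), ANYURI_EQUAL: (ANYURI, operator.eq)}

def lookup(request, designator):
    """Request values selected by (Category, AttributeId, DataType). Per XACML 3.0
    section 5.29 a designator without Issuer ignores the request attribute's issuer,
    so the 'Julius Hibbert' issuer from the question plays no part in matching."""
    key = (designator.get("Category"), designator.get("AttributeId"), designator.get("DataType"))
    return [v for (cat, aid, dtype, _issuer), v in request if (cat, aid, dtype) == key]

def match(request, m):
    dtype, fn = MATCH_FUNCS[m.get("MatchId")]
    literal = m.find("x:AttributeValue", NS)
    designator = m.find("x:AttributeDesignator", NS)
    if literal.get("DataType") != dtype or designator.get("DataType") != dtype:
        raise ValueError("Match operands do not fit the MatchId datatype")  # invalid policy
    bag = lookup(request, designator)
    if not bag and designator.get("MustBePresent") == "true":
        raise LookupError("Indeterminate: required attribute missing")  # not hit by this policy
    return any(fn(literal.text, v) for v in bag)  # empty bag -> NoMatch

def target_matches(request, target):
    if target is None:  # an absent Target matches everything, like <Target/>
        return True
    return all(any(all(match(request, m) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS))
               for any_of in target.findall("x:AnyOf", NS))

def evaluate(policy_xml, request):
    """Return Permit / Deny / NotApplicable for one policy under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(request, policy.find("x:Target", NS)):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(request, r.find("x:Target", NS))]
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"

def build_request(resource_type, action="write", issuer="Julius Hibbert"):
    """Constructed request mirroring the question's Java: same three attributes,
    same issuer on each; only the DataType of resource-id varies."""
    return [((SUBJECT_CAT, SUBJECT_ID, STRING, issuer), "Julius Hibbert"),
            ((RESOURCE_CAT, RESOURCE_ID, resource_type, issuer), "http://medico.com/record/patient/BartSimpson"),
            ((ACTION_CAT, ACTION_ID, STRING, issuer), action)]

if __name__ == "__main__":
    print(evaluate(POLICY_XML, build_request(STRING)))  # NotApplicable: string bag, anyURI designator
    print(evaluate(POLICY_XML, build_request(ANYURI)))  # Permit
    print(evaluate(POLICY_XML, build_request(ANYURI, "delete")))  # NotApplicable
```

The point worth keeping in mind is that a datatype mismatch is not an error and not a Deny: with MustBePresent="false" on every designator the empty bag is silent, and the decision degrades to NotApplicable. A PEP therefore has to treat anything other than Permit as a denial (the else branch in the question already does), and the request it builds must reproduce the policy's DataType exactly, not just the value; in AuthZForce that is the StandardDatatypes.ANYURI with AnyUriValue change from the answer above.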

Comments:

I thought the issuer was the requester's name, in this case Julius Hibbert. Is that not correct?

(Ignore the previous comment.) The requester's name, i.e. the subject-id attribute value, is set by this code: final AttributeBag<?> subjectIdAttributeValues = Bags.singletonAttributeBag(StandardDatatypes.STRING, new StringValue("Julius Hibbert")); whereas the attribute Issuer (optional, see §5.46 of the XACML 3.0 standard) is set by the second argument of AttributeFqns.newInstance(..., Optional.ofNullable(issuer), ...).

Answer 2:

I ran your policy with Axiomatics and this is what I get.

Attribute summary (screenshot)

Sample XACML request in JSON format:

{
    "Request": {
        "ReturnPolicyIdList": true,
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                    "Value": "Julius Hibbert"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value": "http://medico.com/record/patient/BartSimpson",
                    "DataType": "http://www.w3.org/2001/XMLSchema#anyURI"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                    "Value": "read"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
}

XACML response in JSON format:

{
  "Response": {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      }
    },
    "PolicyIdentifierList": {
      "PolicyIdReference": {
        "Id": "urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy",
        "Version": "1.0"
      }
    }
  }
}

Request editor (screenshot)

Comments:

I can't test the policy with other programs, especially Axiomatics, which I had looked at before; it is a "paid" service.

It is a commercial product, yes. There's no free lunch.
