AuthzForce XACML 响应不确定

Posted 2023-04-13

技术标签:

【中文标题】AuthzForce XACML 响应不确定【英文标题】：AuthzForce XACML Response is Indeterminate 【发布时间】：2018-01-25 12:22:33 【问题描述】：

我正在探索 Authzforce XACML3.0，但我遇到了一些问题。我不断得到我的回答不确定。下面是我的设置和它抛出的异常跟踪。任何帮助表示赞赏。

请求文件：

<?xml version="1.0" encoding="utf-8"?>
<Request  ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">46</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

政策文件：

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">
    <Description>
        Policy for Conformance Test IIA011.
    </Description>
    <Target />
    <Rule Effect="Permit"
        RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Description>
            Anyone who is 45 integer years old may perform any
            action on any resource.
        </Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>

PDP 配置文件：

<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
    <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>

异常跟踪：

org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-equal: indeterminate arg
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:662)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evaluate(BaseFirstOrderFunctionCall.java:359)
    at org.ow2.authzforce.core.pdp.impl.expression.ApplyExpressions$VariableApplyExpression.evaluate(ApplyExpressions.java:87)
    at org.ow2.authzforce.core.pdp.impl.rule.ConditionEvaluators$BooleanExpressionEvaluator.evaluate(ConditionEvaluators.java:94)
    at org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator.evaluate(RuleEvaluator.java:535)
    at org.ow2.authzforce.core.pdp.impl.combining.CombiningAlgEvaluators$RulesWithSameEffectEvaluator.evaluate(CombiningAlgEvaluators.java:134)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:764)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:881)
    at org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluators$StaticView.findAndEvaluate(RootPolicyEvaluators.java:190)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$IndividualDecisionRequestEvaluator.evaluateInNewContext(BasePdpEngine.java:685)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$NonCachingIndividualDecisionRequestEvaluator.evaluate(BasePdpEngine.java:730)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.evaluate(BasePdpEngine.java:984)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:128)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
    at XACMLTester.main(XACMLTester.java:29)
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Indeterminate arg #0
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evalPrimitiveArgs(BaseFirstOrderFunctionCall.java:94)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.access$200(BaseFirstOrderFunctionCall.java:53)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:658)
    ... 14 more
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only: Invalid arg #0: empty bag or bag size > 1. Required: one and only one value in bag.
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions$SingletonBagToPrimitive.<init>(FirstOrderBagFunctions.java:82)
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions.getFunctions(FirstOrderBagFunctions.java:554)
    at org.ow2.authzforce.core.pdp.impl.func.StandardFunction.getRegistry(StandardFunction.java:901)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:286)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:479)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:519)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:551)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:687)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:704)
    at XACMLTester.main(XACMLTester.java:23)

异常表示 Bag 为空或超过 1，但我不认为这是问题，因为我根据需要提供数据。任何帮助表示赞赏

【问题讨论】：

【参考方案1】：

这很简单。您发送 2 个年龄。您只需发送一个年龄。请尝试以下操作：

<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

【讨论】：

【参考方案2】：

大卫是对的。为了您自己了解策略评估的工作原理，异常堆栈跟踪中的根本原因消息表明 arg #0，即传递给函数 integer-one 的第一个（也是唯一一个）参数-and-only，它是一个袋子，它没有应有的唯一值，即 它要么是空的，要么有多个。

确实，在您的 Policy 中，您将此参数定义为 AttributeDesignator，即属性 ...:conformance-test:age; 的值包；在您的请求中，您为此属性提供了 2 个不同的值。因此 AttributeDesignator 计算为一个包含 2 个值的包，这对于函数 integer-one-and-only 无效。太多了。

【讨论】：

嘿 cdan，这很有见地。您是否有任何可以帮助我理解 XACML 设置中策略和请求的结构和工作的参考资料。官方参考是XACML 3.0 core specification。在您的情况下，我会说，最相关的部分是第 5.29 节（AttributeDesignator）和 A.3.10（*-one-and-only 函数）。

以上是关于AuthzForce XACML 响应不确定的主要内容，如果未能解决你的问题，请参考以下文章

XACML Authzforce PDP 自定义策略

使用 Authzforce 实现 geo XACML 并将其托管在 heroku 上

WSO2 身份服务器 XACML JSON 请求导致“不确定”[找不到 AttributeDesignator 属性]

如何评估 XACML 策略

允许访问 XACML 失败

XACML 开源框架或替代方案