Debug

[XACML] Permit and Deny Policy


For debugging purposes it is useful to have a policy that always yields Permit and one that always yields Deny at a certain point in your policy set. In ordinary programming this is as easy as setting a boolean variable to true or false, but that is not the case for XACML (you are welcome to comment if you know otherwise). The following are two policies that I composed: a Permit policy and a Deny policy. One caveat: to get a Deny, the rule must have Effect="Deny" and a Condition that holds. A rule with Effect="Permit" whose Condition is false does not deny; it evaluates to NotApplicable, and whether a PEP treats NotApplicable as a denial depends on whether it is deny-biased or permit-biased.

### Warning: do not use these in a production system. They are for debugging purposes only. ###

Permit policy

<Policy
        xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://doublemomentum.com/Testing/Permit"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Description>Permit Policy</Description>
    <Target/>
    <Rule RuleId="http://doublemomentum.com/Testing/Rule1" Effect="Permit">
        <Description>##### WARNING: This policy results in Permit and is for testing only #####</Description>
        <Target/>
        <Condition>
            <!-- always true, so the Permit effect always applies -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Value</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Value</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>

Deny policy

<Policy
        xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="http://doublemomentum.com/Testing/Deny"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Description>Deny Policy</Description>
    <Target/>
    <!-- Effect must be "Deny": a Permit rule whose Condition is false evaluates
         to NotApplicable, not Deny, so such a policy would never actually deny. -->
    <Rule RuleId="http://doublemomentum.com/Testing/Rule2" Effect="Deny">
        <Description>##### WARNING: This policy results in Deny and is for testing only #####</Description>
        <Target/>
        <Condition>
            <!-- always true, so the Deny effect always applies -->
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Value</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Value</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>
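To see why the Effect and the truth of the Condition both matter, here is a small Python model of XACML rule evaluation and the deny-overrides combining algorithm. It is an added example, not code from this post and not a real PDP: the combining algorithm is simplified (it collapses the Indeterminate{D}/{P}/{DP} variants into one Indeterminate) and the rule targets are assumed empty. It evaluates the Permit policy above, the Deny policy with the Effect mistakenly left as Permit, and the corrected Deny policy, and then shows what a deny-biased and a permit-biased PEP make of each result.

```python
"""Minimal model of XACML rule evaluation and deny-overrides (added
example, not code from the original post, not a real PDP).  Shows that a
Permit rule whose Condition is false is NotApplicable rather than Deny."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]

    def evaluate(self, request: Request) -> str:
        # XACML 3.0 rule semantics with an empty (always matching) Target:
        # Condition true -> Effect, false -> NotApplicable, error -> Indeterminate.
        try:
            matched = self.condition(request)
        except Exception:
            return INDETERMINATE
        return self.effect if matched else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    """Simplified deny-overrides: any Deny wins, Indeterminate outranks
    Permit, Permit outranks NotApplicable."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def string_equal(a: str, b: str) -> bool:
    # urn:oasis:names:tc:xacml:1.0:function:string-equal
    return a == b


# The post's Permit policy: string-equal("Value", "Value") is always true.
PERMIT_RULE = Rule("Rule1", PERMIT, lambda req: string_equal("Value", "Value"))

# A "Deny" policy written with Effect="Permit" and an always-false
# condition: it never denies anything, it is simply NotApplicable.
BROKEN_DENY_RULE = Rule("Rule2", PERMIT,
                        lambda req: string_equal("Value", "Another Value"))

# Corrected Deny policy: Effect="Deny" with an always-true condition.
DENY_RULE = Rule("Rule2", DENY, lambda req: string_equal("Value", "Value"))


def evaluate_policy(rules: List[Rule], request: Request) -> str:
    """Evaluate every rule and combine the results with deny-overrides."""
    return deny_overrides([r.evaluate(request) for r in rules])


def pep_decision(pdp_result: str, deny_biased: bool = True) -> bool:
    """Base PEP behaviour from the spec: a deny-biased PEP grants access
    only on Permit; a permit-biased PEP refuses only on Deny, so it lets
    NotApplicable (and Indeterminate) through."""
    if deny_biased:
        return pdp_result == PERMIT
    return pdp_result != DENY


if __name__ == "__main__":
    req: Request = {"subject-id": "alice"}          # constructed request
    for name, rules in [("permit", [PERMIT_RULE]),
                        ("broken deny", [BROKEN_DENY_RULE]),
                        ("deny", [DENY_RULE]),
                        ("permit + deny", [PERMIT_RULE, DENY_RULE])]:
        result = evaluate_policy(rules, req)
        print(f"{name:14s} -> {result:14s} "
              f"deny-biased PEP grants: {pep_decision(result)!s:5s} "
              f"permit-biased PEP grants: {pep_decision(result, False)}")
```

The "broken deny" line is the one to watch: the PDP answers NotApplicable, and a permit-biased PEP will let the request through, which is the opposite of what a debug Deny policy is supposed to do.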

[XACML] Attribute Comparisons


XACML has a great many functions, and sometimes that is a headache. I was trying to compare a subject attribute designator to a bag of values and spent a long time getting it right. Look how similar the candidates are, especially the last three. The answer is the last one, "string-at-least-one-member-of": an AttributeDesignator always returns a bag, even when the attribute has a single value, so the comparison has to be a bag-to-bag function. Here is what I tried:

string-equal
string-
string-is-in
string-set-equals
string-at-least-one-member-of
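The difference between these functions is in their argument types. The following Python model of the candidates is an added example, not code from this post: bags are modelled as lists, an AttributeDesignator result is always a bag, and a mismatched argument type raises an error the way a PDP would reject the Apply. The request data (a subject in the groups admin and dev, a policy that allows admin_emps and admin) is constructed for the example.

```python
"""Argument types and semantics of the XACML string comparison functions
(added example, not from the original post).  A bag is a list; the value
an AttributeDesignator returns is always a bag."""
from typing import Dict, List, Union

Bag = List[str]


class XacmlTypeError(TypeError):
    """Models a PDP rejecting an Apply whose argument types do not match
    the function signature (the policy fails to load or evaluates to
    Indeterminate)."""


def string_equal(a: str, b: str) -> bool:
    # urn:oasis:names:tc:xacml:1.0:function:string-equal  (string, string) -> boolean
    if not (isinstance(a, str) and isinstance(b, str)):
        raise XacmlTypeError("string-equal takes two string primitives, not bags")
    return a == b


def string_one_and_only(bag: Bag) -> str:
    # urn:oasis:names:tc:xacml:1.0:function:string-one-and-only  (bag) -> string
    if len(bag) != 1:
        raise XacmlTypeError(
            f"string-one-and-only needs exactly one value, got {len(bag)}")
    return bag[0]


def string_is_in(value: str, bag: Bag) -> bool:
    # urn:oasis:names:tc:xacml:1.0:function:string-is-in  (string, bag) -> boolean
    if not isinstance(value, str):
        raise XacmlTypeError("string-is-in: first argument must be a string "
                             "primitive, not the bag an AttributeDesignator returns")
    return value in bag


def string_set_equals(a: Bag, b: Bag) -> bool:
    # urn:oasis:names:tc:xacml:1.0:function:string-set-equals  (bag, bag) -> boolean
    # True only when both bags hold exactly the same set of values.
    return set(a) == set(b)


def string_at_least_one_member_of(a: Bag, b: Bag) -> bool:
    # urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of
    # (bag, bag) -> boolean: true if any value of a is in b.
    return any(x in b for x in a)


def compare_designator_to_bag(designator_result: Bag,
                              allowed: Bag) -> Dict[str, Union[bool, str]]:
    """Apply each candidate the way the post tried them, recording either
    the boolean result or the type error a PDP would raise."""
    candidates = [
        ("string-equal",
         lambda: string_equal(designator_result, allowed)),
        ("string-is-in",
         lambda: string_is_in(designator_result, allowed)),
        ("string-one-and-only + string-is-in",
         lambda: string_is_in(string_one_and_only(designator_result), allowed)),
        ("string-set-equals",
         lambda: string_set_equals(designator_result, allowed)),
        ("string-at-least-one-member-of",
         lambda: string_at_least_one_member_of(designator_result, allowed)),
    ]
    results: Dict[str, Union[bool, str]] = {}
    for name, fn in candidates:
        try:
            results[name] = fn()
        except XacmlTypeError as exc:
            results[name] = f"type error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed input: subject's group attribute (a bag) vs the allowed groups.
    subject_groups = ["admin", "dev"]
    allowed_groups = ["admin_emps", "admin"]
    for name, result in compare_designator_to_bag(subject_groups, allowed_groups).items():
        print(f"{name:38s} {result}")
```

Only string-at-least-one-member-of returns true for the multi-valued subject: string-equal and string-is-in are rejected because their first argument is not a primitive, string-one-and-only fails because the designator holds two values, and string-set-equals is false because {admin, dev} is not the same set as {admin_emps, admin}. For a single-valued attribute such as subject-id, wrapping the designator in string-one-and-only and then using string-is-in also works.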

The worst thing is that the answer was hard to find in the OASIS documents: the core spec defines the bag and set functions in its function appendix under generic names such as type-is-in, type-set-equals and type-at-least-one-member-of, where "type" stands for string, integer and so on, so searching for the concrete name leads nowhere useful. Instead it takes a long time to crawl through existing websites or people's Q&A. Try googling "FileReader java": the answer is the first result. Search "string-at-least-one-member-of XACML" and you get the Policy Template Profile Examples, whose usefulness is debatable. How about "string-at-least-one-member-of" on their own wiki? Nothing. On their search service? Nothing.

XACML is great, but the lack of searchability hinders the speed of implementation and adoption.

I have also included code that I found useful below (collected from various sources, linked after each snippet):

<Condition>
    <!-- XACML 3.0: true only if the subject's group bag is exactly {admin_emps, admin} -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
        <AttributeDesignator AttributeId="group"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             Category="urn:oasis:names:tc:xacml:3.0:example-group"
                             MustBePresent="true"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin_emps</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Apply>
    </Apply>
</Condition>

[http://pushpalankajaya.blogspot.com.au/2013/06/xacml-30-policies-restricting.html]

<Condition>
    <!-- XACML 2.0: string-is-in takes (string, bag). The designator returns a bag,
         so it must be reduced to a single string with string-one-and-only first;
         attribute values must not carry surrounding whitespace or they will not match. -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Michelle</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Peter</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Diane</AttributeValue>
        </Apply>
    </Apply>
</Condition>

[https://community.emc.com/docs/DOC-7410]

<!-- XACML 1.x syntax (Fedora 2.2): the Condition element itself carries the outer
     FunctionId. In XACML 2.0/3.0 the Condition instead wraps a single Apply.
     True when the client IP is not one of the listed addresses. -->
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">128.84.103.11</AttributeValue>
        </Apply>
    </Apply>
</Condition>

[http://www.fedora.info/download/2.2/userdocs/server/security/XACMLPolicyGuide.htm]