
Enable PDP extensions (e.g. Functions) to return an error about invalid attribute values in form of XACML <StatusDetail> / <MissingAttributeDetail>s #69

Closed
securedimensions opened this issue Nov 24, 2022 · 3 comments
@securedimensions

Additional feature request

When processing is aborted inside a function with Indeterminate, the current implementation does not support providing further detailed information (<StatusDetail>) inside the IndeterminateEvaluationException / ImmutableXacmlStatus.

Requested feature

Support populating <MissingAttributeDetail> inside the <StatusDetail>

Example

In the context of implementing an extension for GeoXACML, the following response is an example stating that the AttributeValue "subject-location" was missing from the request. The specific aspect is that an AttributeValue must be encoded using a particular CRS. This example "tells" the PEP that the Attribute 'subject-location' must be sent with CRS=3857 encoded coordinates.

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd ">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="crs-error"/>
            <StatusMessage>Function 'urn:ogc:def:function:geoxacml:3.0:geometry-equal' expects same SRS for both geometry parameters</StatusMessage>
            <StatusDetail xmlns:geoxacml="http://www.opengis.net/spec/geoxacml/3.0">
                <MissingAttributeDetail Category="access-subject" AttributeId="subject-location" DataType="urn:ogc:def:dataType:geoxacml:3.0:geometry">
                    <AttributeValue DataType="urn:ogc:def:dataType:geoxacml:3.0:geometry" geoxacml:srid="3857"></AttributeValue>
                </MissingAttributeDetail>
            </StatusDetail>
        </Status>
    </Result>
</Response>
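The response above is what a PEP receives when the function aborts. As an added example (not code from this issue or from AuthzForce), here is a small PEP-side parser that pulls the MissingAttributeDetail and the geoxacml:srid hint out of such a response so the PEP knows which attribute to resend and in which CRS, while still treating Indeterminate as a refusal; the sample response is constructed from the one in the issue.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}

# Constructed sample: the Indeterminate response shown in the issue above.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result><Decision>Indeterminate</Decision>
    <Status><StatusCode Value="crs-error"/>
      <StatusMessage>Function 'urn:ogc:def:function:geoxacml:3.0:geometry-equal' expects same SRS for both geometry parameters</StatusMessage>
      <StatusDetail xmlns:geoxacml="http://www.opengis.net/spec/geoxacml/3.0">
        <MissingAttributeDetail Category="access-subject" AttributeId="subject-location"
            DataType="urn:ogc:def:dataType:geoxacml:3.0:geometry">
          <AttributeValue DataType="urn:ogc:def:dataType:geoxacml:3.0:geometry" geoxacml:srid="3857"/>
        </MissingAttributeDetail>
      </StatusDetail>
    </Status>
  </Result>
</Response>"""

@dataclass
class MissingAttribute:
    category: str
    attribute_id: str
    data_type: str
    # Extension hints on the expected AttributeValue (every attribute except DataType),
    # keyed by Clark-notation name, e.g. "{http://www.opengis.net/spec/geoxacml/3.0}srid".
    hints: dict = field(default_factory=dict)

def parse_response(xml_text: str) -> dict:
    # Reads the first <Result>, its Status and any MissingAttributeDetail the PDP attached.
    result = ET.fromstring(xml_text).find("x:Result", NS)
    decision = result.findtext("x:Decision", default="Indeterminate", namespaces=NS)
    status = result.find("x:Status", NS)
    code_el = status.find("x:StatusCode", NS) if status is not None else None
    code = code_el.get("Value", "") if code_el is not None else ""
    message = status.findtext("x:StatusMessage", default="", namespaces=NS) if status is not None else ""
    missing = []
    details = status.iterfind("x:StatusDetail/x:MissingAttributeDetail", NS) if status is not None else []
    for mad in details:
        hints = {}
        for av in mad.iterfind("x:AttributeValue", NS):
            hints.update({k: v for k, v in av.attrib.items() if k != "DataType"})
        missing.append(MissingAttribute(mad.get("Category", ""), mad.get("AttributeId", ""),
                                        mad.get("DataType", ""), hints))
    return {"decision": decision, "status_code": code, "status_message": message, "missing": missing}

def permitted(verdict: dict) -> bool:
    # Fail closed: only an explicit Permit grants access; Indeterminate, NotApplicable and Deny refuse.
    return verdict["decision"] == "Permit"
```

A PEP would use the returned hints to add the missing attribute (here subject-location in SRID 3857) to a retried request rather than granting access on the Indeterminate result.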
@cdanger cdanger self-assigned this Nov 28, 2022
cdanger added a commit to authzforce/core-pdp-api that referenced this issue Dec 5, 2022
….g. Functions) to return an error about invalid attribute values in form of XACML <StatusDetail> / <MissingAttributeDetail>s)

- BaseXacmlJaxbRequestPreprocessor class: new constructor arg: custom parser of named Attributes, to customize how XACML Attributes are converted into instance of AuthzForce internal Attribute class
- Missing-attribute errors from AttributeDesignator expressions now returned in XACML StatusDetail/MissingAttributeDetail
- API enhancement: ImmutableXacmlStatus and IndeterminateEvaluationException classes: new constructors supporting XACML MissingAttributeDetail element
cdanger added a commit that referenced this issue Dec 5, 2022
…n error about invalid attribute values in form of XACML <StatusDetail> / <MissingAttributeDetail>s) with example of custom RequestPreprocessor (CustomTestRequestPreprocessorFactory) and custom function (TestExtensibleSimpleValueEqualFunction) for unit test

- Added use of StatusDetail/MissingAttributeDetail in AttributeSelector expression evaluation when missing named Attribute(s)
- Upgraded dependency authzforce-ce-core-pdp-api: 21.3.0
- SingleDecisionXacmlJaxbRequestPreprocessor class improved: new constructor with argument `namedAttributeParser` (custom parser of named Attributes, to customize how XACML Attributes are converted into instance of AuthzForce internal Attribute class)
@cdanger
Member

cdanger commented Dec 6, 2022

Now supported in latest release 20.2.0. See the example of custom RequestPreprocessor (PDP extension) adding AttributeId/Category to custom AttributeValues (PDP extension) and the custom function (PDP extension) using this info to throw a standard missing-attribute error with <MissingAttributeDetail> inside a <StatusDetail> element; and also the example of XACML response and PDP configuration.

@cdanger cdanger closed this as completed Dec 6, 2022
@securedimensions
Author

Great! Thank you very much for this quick turnaround!

At the moment I am using these dependencies:

<dependency>
    <groupId>org.ow2.authzforce</groupId>
    <artifactId>authzforce-ce-core-pdp-api</artifactId>
    <version>21.2.0</version>
</dependency>
<dependency>
    <groupId>org.ow2.authzforce</groupId>
    <artifactId>authzforce-ce-core-pdp-testutils</artifactId>
    <version>20.1.1</version>
</dependency>

and I do not see any new version at Maven Repository...

Which would be the corresponding versions for my dependencies once this new feature is out on Maven?

@cdanger
Member

cdanger commented Dec 9, 2022

Version 20.2.0 of authzforce-ce-core-pdp-engine for XACML/XML;
Version 20.2.0 of authzforce-ce-core-pdp-io-xacml-json for XACML/JSON.
