Deny-overrides rule combining algorithm - Missing obligations in case of multiple Permit Rules and no Deny Rule

[cdanger]

Discussed in #90

^{Originally posted by zeno521 November 9, 2023}
Hi AuthzForce team,

We are working on a POC with Authzforce PDP engine. We have multiple permit rules (each with obligations) in a policy with deny overrides rule combining algorithm. We expected the obligations from all rules to be returned in the results when all the rules and policy return Permit. However, we can only see the obligations returned from the first permit rule.

Could you indicate if this is an expected behaviour please? If it is, how to return the obligations from all the rules?

Your earliest response is highly appreciated!

Tested with authzforce-ce-core-pdp-engine-20.3.2.jar.

[cdanger]

Bug confirmed when there are multiple Permit Rules and no Deny Rule, then only the obligations of the first Permit Rule are returned.

(Works as expected if there is at least one Deny Rule.)