2017-07-22 76 views
2

I have extended a PolicySet to include a new Policy, which means I have added a Target to each Policy to make sure the request hits the correct policy. The AuthZForce PDP is not behaving as I expected.

Here is the PolicySet XACML:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="P1" Version="1.3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"> 
<Description>CD Governance PolicySet</Description> 
<Target/> 
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:date-in:july:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01"> 
    <Description>Reject if the Date is July Policy</Description> 
    <Target> 
     <AnyOf> 
      <AllOf> 
       <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue> 
        <AttributeDesignator 
         AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check" 
         DataType="http://www.w3.org/2001/XMLSchema#string" 
         Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource" 
         MustBePresent="false" 
         /> 
       </Match> 
      </AllOf> 
     </AnyOf> 
    </Target> 
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-not-in:july:rule" Effect="Permit"> 
    <Condition> 
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" > 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in"> 
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> 
         <AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" 
          DataType="http://www.w3.org/2001/XMLSchema#date" 
          MustBePresent="true" 
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" /> 
        </Apply> 
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue> 
        </Apply> 
       </Apply> 
      </Apply> 
     </Apply> 
     </Condition> 
    </Rule> 
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:date-in:july:rule" Effect="Deny"> 
    <Condition>  
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-is-in"> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> 
       <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date" DataType="http://www.w3.org/2001/XMLSchema#date" MustBePresent="true" 
       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" /> 
      </Apply> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-bag"> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-02</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-03</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-04</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-05</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-06</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-07</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-08</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-09</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-10</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-11</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-12</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-13</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-14</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-15</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-16</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-17</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-18</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-19</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-20</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-21</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-22</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-23</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-24</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-25</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-26</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-27</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-28</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-29</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-30</AttributeValue> 
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2002-07-31</AttributeValue> 
      </Apply> 
     </Apply> 
    </Condition> 
    </Rule> 
</Policy> 
<Policy PolicyId="urn:oasis:names:tc:xacml:1.0:app-in:prod:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="01"> 
    <Description>Reject if the Application is not allowed in Production Policy</Description> 
    <Target> 
     <AnyOf> 
      <AllOf> 
       <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue> 
        <AttributeDesignator 
         AttributeId="urn:oasis:names:tc:xacml:1.0:environment" 
         DataType="http://www.w3.org/2001/XMLSchema#string" 
         Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource" 
         MustBePresent="true" 
         /> 
       </Match> 
      </AllOf> 
     </AnyOf> 
    </Target> 
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-not-in:prod:rule" Effect="Deny"> 
     <Condition> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" > 
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> 
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
          <AttributeDesignator 
           AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
           DataType="http://www.w3.org/2001/XMLSchema#string" 
           MustBePresent="true" 
           Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" /> 
         </Apply> 
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue> 
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue> 
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue> 
         </Apply> 
        </Apply> 
       </Apply> 
      </Apply> 
     </Condition> 
    </Rule> 
    <Rule RuleId="urn:oasis:names:tc:xacml:1.0:app-in:prod:rule" Effect="Permit"> 
     <Condition>  
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
        <AttributeDesignator 
         AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps" 
         DataType="http://www.w3.org/2001/XMLSchema#string" 
         MustBePresent="true" 
         Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" /> 
       </Apply> 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CRM</AttributeValue> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP</AttributeValue> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Customer Portal</AttributeValue> 
       </Apply> 
      </Apply> 
     </Condition> 
    </Rule> 
</Policy> 
</PolicySet> 

So, when I want to check the second policy (whether an application is allowed in production) I send a request like:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
CombinedDecision="false" ReturnPolicyIdList="true"> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:environment"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">prod</AttributeValue> 
     </Attribute> 
    </Attributes> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:production:apps"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SAP1</AttributeValue> 
     </Attribute> 
    </Attributes> 
</Request> 

which returns what I expect:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0"> 
    <Result> 
     <Decision>Deny</Decision> 
     <PolicyIdentifierList> 
      <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference> 
      <PolicySetIdReference Version="1.3">P1</PolicySetIdReference> 
     </PolicyIdentifierList> 
    </Result> 
</Response> 

So far so good.... But when I send this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
CombinedDecision="false" ReturnPolicyIdList="true"> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue> 
     </Attribute> 
    </Attributes> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-08-01</AttributeValue> 
     </Attribute> 
    </Attributes> 
</Request> 

I do not get a response similar to the first one (but with a Permit); I get this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0"> 
    <Result> 
     <Decision>Indeterminate</Decision> 
     <Status> 
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/> 
      <StatusMessage>Error evaluating &lt;Target&gt;/&lt;AnyOf&gt;#0</StatusMessage> 
     </Status> 
     <PolicyIdentifierList> 
      <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference> 
      <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:app-in:prod:policy</PolicyIdReference> 
      <PolicySetIdReference Version="1.3">P1</PolicySetIdReference> 
     </PolicyIdentifierList> 
    </Result> 
</Response> 

Now, you might think the policy is not correctly defined, so I then sent this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
CombinedDecision="false" ReturnPolicyIdList="true"> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:resource"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freezeCheck</AttributeValue> 
     </Attribute> 
    </Attributes> 
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> 
     <Attribute IncludeInResult="false" 
       AttributeId="urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">2017-07-01</AttributeValue> 
     </Attribute> 
    </Attributes> 
</Request> 

and I got what I expected: a Deny, with no missing-attribute error on the Target:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://www.w3.org/2005/Atom" xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6" xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/5.0"> 
    <Result> 
     <Decision>Deny</Decision> 
     <PolicyIdentifierList> 
      <PolicyIdReference Version="01">urn:oasis:names:tc:xacml:1.0:date-in:july:policy</PolicyIdReference> 
      <PolicySetIdReference Version="1.3">P1</PolicySetIdReference> 
     </PolicyIdentifierList> 
    </Result> 
</Response> 

So why is the PDP confused by this policy (to my eyes it looks the same as the other one, which works fine... and yes, I get a Permit when the application is in the policy's list)?

Why does it think the Target's attribute is missing entirely (rather than having the wrong value)? And why does it behave this way for the Condition attributes?

Answer

1

As the StatusCode/StatusMessage/PolicyIdentifierList indicate, you get an Indeterminate decision because an attribute required to evaluate the Target (its first AnyOf) of policy urn:oasis:names:tc:xacml:1.0:app-in:prod:policy is missing. Because of MustBePresent=true on the AttributeDesignator in that Target/AnyOf, the absence of a matching attribute in the request context (and I assume no Attribute Provider is enabled) is treated as an error. Indeed, in the second request there is no attribute with AttributeId="urn:oasis:names:tc:xacml:1.0:environment". So either provide such an attribute in the request, or set MustBePresent=false (or change the AttributeDesignator), whichever fits your needs.

By the way, please try to use standard identifiers so that we are not confused when reading your policies; for example, the standard resource category identifier is urn:oasis:names:tc:xacml:3.0:attribute-category:resource (not urn:oasis:names:tc:xacml:1.0:subject-category:resource).

+0

Brilliant... thanks for the pointers. I changed the category identifiers - finger trouble. I also set MustBePresent=false on AttributeId="urn:oasis:names:tc:xacml:1.0:environment", and that fixed the problem. I can understand all of that, but what puzzles me is that this error did not... why does this happen? –

+0

Yes, if you are referring to your last request example, as far as I can see it matches the Target of the first policy ('...date-in:july:policy'). So the PDP evaluates the first Rule (...date-not-in:july:rule), whose Condition returns false because the date-in:july:current-date in the request is in the bag, so the 'not' Apply returns false. Therefore the rule is NotApplicable and the PDP moves on to the next rule: '...date-in:july:rule'. This time the date is in the bag, so the Condition is true. Therefore this rule applies and evaluates to Deny (the rule's Effect). – cdan

+0

...Since the policy's rule-combining algorithm is deny-overrides, if a rule evaluates to Deny, as in this case, the final policy result is Deny. So the first policy returns Deny. Likewise, since the PolicySet's policy-combining algorithm is deny-overrides and the first policy returns Deny, the PolicySet result is Deny; there is no need to go further, and the second policy is not evaluated. [More on the deny-overrides algorithm](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047270). You can check the evaluation details by changing the log level to debug in AuthzForce (logback.xml). – cdan
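The evaluation described in the answer (MustBePresent=true turning a missing attribute into Indeterminate) and in cdan's comments (deny-overrides walking the rules and short-circuiting on Deny) can be replayed with a small model. The block below is an added example, not AuthzForce code and not part of the original thread: it models the posted PolicySet as Python callables, a request as a dict keyed by (Category, AttributeId), and follows the XACML 3.0 core spec for MustBePresent, the extended Indeterminate{D}/{P}/{DP} values and deny-overrides. The function names, the dict shape, `freeze_request` and the `env_must_be_present` switch (the fix from the comments) are assumptions of this example; the identifiers and the date bag are copied exactly as posted, which means the bag holds 2017-07-01 followed by 2002-07-02 to 2002-07-31, so once the fix is applied a request dated 2017-07-02 is permitted rather than denied.

```python
"""Toy model of the XACML 3.0 evaluation discussed in this thread (added
example, not AuthzForce code). It follows the core spec for MustBePresent,
the extended Indeterminate values and deny-overrides (sections 7.11, 7.12,
C.2) and replays the requests posted above."""
from datetime import date

IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"

class MissingAttribute(Exception):
    """Status urn:oasis:names:tc:xacml:1.0:status:missing-attribute."""

def designator(request, category, attr_id, must_be_present):
    """AttributeDesignator: bag of values for (Category, AttributeId). An empty
    bag is an ordinary result unless MustBePresent="true", which the spec
    turns into Indeterminate with a missing-attribute status."""
    bag = request.get((category, attr_id), [])
    if must_be_present and not bag:
        raise MissingAttribute(f"{category} {attr_id}")
    return bag

def one_and_only(bag):
    """*-one-and-only: any bag size other than 1 is a processing error."""
    if len(bag) != 1:
        raise ValueError(f"one-and-only on a bag of size {len(bag)}")
    return bag[0]

def deny_overrides(decisions):
    """Deny-overrides (spec C.2); a Deny short-circuits, as cdan describes."""
    seen = set()
    for d in decisions:
        if d == "Deny":
            return "Deny"
        seen.add(d)
    if IND_DP in seen or (IND_D in seen and (IND_P in seen or "Permit" in seen)):
        return IND_DP
    if IND_D in seen:
        return IND_D
    if "Permit" in seen:
        return "Permit"
    return IND_P if IND_P in seen else "NotApplicable"

def eval_rule(rule, request):
    """rule = (RuleId, Effect, condition); a Condition error yields the
    extended Indeterminate tagged with the rule's Effect (spec 7.11)."""
    _, effect, condition = rule
    try:
        return effect if condition(request) else "NotApplicable"
    except (MissingAttribute, ValueError):
        return IND_D if effect == "Deny" else IND_P

def eval_policy(policy, request):
    """policy = (PolicyId, target, rules). An Indeterminate Target does not stop
    evaluation: the rules are combined and Permit/Deny is reported as
    Indeterminate{P}/{D} (spec 7.12, table 8)."""
    _, target, rules = policy
    try:
        if not target(request):
            return "NotApplicable"
    except (MissingAttribute, ValueError):
        combined = deny_overrides(eval_rule(r, request) for r in rules)
        return {"Permit": IND_P, "Deny": IND_D}.get(combined, combined)
    return deny_overrides(eval_rule(r, request) for r in rules)

# Identifiers as posted in the question (the category ids are non-standard).
RES = "urn:oasis:names:tc:xacml:1.0:subject-category:resource"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ENV = "urn:oasis:names:tc:xacml:1.0:environment"
APPS = "urn:oasis:names:tc:xacml:1.0:production:apps"
CHECK = "urn:oasis:names:tc:xacml:1.0:date-in:july:target-check"
CURDATE = "urn:oasis:names:tc:xacml:1.0:date-in:july:current-date"
# The date bag exactly as posted: 2017-07-01, then 2002-07-02 .. 2002-07-31.
JULY_BAG = {date(2017, 7, 1)} | {date(2002, 7, d) for d in range(2, 32)}
PROD_APPS = {"CRM", "SAP", "Customer Portal"}

def in_july(rq):
    return one_and_only(designator(rq, SUBJ, CURDATE, True)) in JULY_BAG

def app_allowed(rq):
    return one_and_only(designator(rq, SUBJ, APPS, True)) in PROD_APPS

def policy_set(env_must_be_present=True):
    """PolicySet P1 from the question; the flag is the fix from the comments."""
    july = ("urn:oasis:names:tc:xacml:1.0:date-in:july:policy",
            lambda rq: "freezeCheck" in designator(rq, RES, CHECK, False),
            [("date-not-in:july:rule", "Permit", lambda rq: not in_july(rq)),
             ("date-in:july:rule", "Deny", in_july)])
    prod = ("urn:oasis:names:tc:xacml:1.0:app-in:prod:policy",
            lambda rq: "prod" in designator(rq, RES, ENV, env_must_be_present),
            [("app-not-in:prod:rule", "Deny", lambda rq: not app_allowed(rq)),
             ("app-in:prod:rule", "Permit", app_allowed)])
    return [july, prod]

def decide(request, env_must_be_present=True):
    """Request = {(Category, AttributeId): [values]}; P1's Target is empty."""
    return deny_overrides(eval_policy(p, request) for p in policy_set(env_must_be_present))

def freeze_request(iso_date):
    """Constructed request shaped like the second and third ones posted."""
    return {(RES, CHECK): ["freezeCheck"], (SUBJ, CURDATE): [date.fromisoformat(iso_date)]}

REQ_SAP1 = {(RES, ENV): ["prod"], (SUBJ, APPS): ["SAP1"]}  # the first request posted

if __name__ == "__main__":
    print("SAP1 in prod:             ", decide(REQ_SAP1))                            # Deny
    print("2017-08-01 as posted:     ", decide(freeze_request("2017-08-01")))         # Indeterminate{DP}
    print("2017-08-01 after the fix: ", decide(freeze_request("2017-08-01"), False))  # Permit
    print("2017-07-01:               ", decide(freeze_request("2017-07-01")))         # Deny
```

The model also shows the part the asker found puzzling: a MustBePresent=true designator inside a Condition (the current-date one) behaves the same way as one inside a Target, so a freezeCheck request with no date attribute comes back Indeterminate{DP} rather than NotApplicable, and with the posted MustBePresent=true on the environment designator every request that lacks it is dragged to Indeterminate{DP} by the second policy unless a Deny from the first policy wins first.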