authzforce / server Goto Github PK

View Code? Open in Web Editor NEW

56.0 7.0 17.0 1.48 MB

AuthzForce Server (Multi-tenant XACML PDP/PAP - REST API)

Home Page: https://authzforce-ce-fiware.rtfd.io/

License: GNU General Public License v3.0

Java 95.97% XSLT 3.95% HTML 0.08%

xacml rest pdp fiware authorization xml json fast-infoset rest-api restful-api

server's Introduction

AuthzForce Server

AuthzForce Server provides a multi-tenant RESTful API to Policy Administration Points (PAP) and Policy Decision Points (PDP) supporting Attribute-Based Access Control (ABAC), as defined in the OASIS XACML 3.0 standard.

This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.

Go to the releases page for specific release info: downloads (Linux packages), Docker image, release notes, and documentation.

The roadmap of this FIWARE GE is described here.

If you are interested in using an embedded XACML-compliant PDP in your Java applications, AuthzForce also provides a PDP engine as a Java library in Authzforce core project.

📚 Documentation	🎓 Academy	🐳 Docker Hub	🎯 Roadmap

Features
Limitations
Quality Assurance
Install
Documentation
Training Courses
Usage
Testing
Support
Security
Contributing
License

Features

PDP (Policy Decision Point)

Compliance with the following OASIS XACML 3.0 standards:
- XACML v3.0 Core standard
- XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile Version 1.0
- XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories (urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories).
- XACML v3.0 - JSON Profile Version 1.0, with extra security features:
  - JSON schema Draft v6 validation;
  - DoS mitigation: JSON parser variant checking max JSON string size, max number of JSON keys/array items and max JSON object depth.
- GeoXACML 1.0.1. Supported as third-party extension from Secure Dimensions
- Experimental support for:
  - XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0: only dnsName-value datatype and dnsName-value-equal function are supported;
  - XACML 3.0 Additional Combining Algorithms Profile Version 1.0: on-permit-apply-second policy combining algorithm;
  - XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision (urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision).
Safety/Security:
- Prevention of circular XACML policy references (PolicySetIdReference) as mandated by XACML 3.0;
- Control of the maximum XACML PolicySetIdReference depth;
- Prevention of circular XACML variable references (VariableReference) as mandated by XACML 3.0;
- Control of the maximum XACML VariableReference depth;
Optional strict multivalued attribute parsing: if enabled, multivalued attributes must be formed by grouping all AttributeValue elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with XACML 3.0 Core specification of Multivalued attributes (§7.3.3), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request;
Optional strict attribute Issuer matching: if enabled, AttributeDesignators without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.);
Extensibility points:
- Attribute Datatypes: you may extend the PDP engine with custom XACML attribute datatypes;
- Functions: you may extend the PDP engine with custom XACML functions;
- Combining Algorithms: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
- Attribute Providers a.k.a. PIPs (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
- Request Preprocessor: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories;
- Result Postprocessor: you may customize the processing of XACML Results after evaluation by the PDP engine, e.g. used for supporting new XACML Response formats, and/or implementing XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision.

PIP (Policy Information Point)

AuthzForce provides XACML PIP features in the form of Attribute Providers. More information in the previous section.

PAP (Policy Administration Point)

Policy management: create/read/update/delete multiple policies and references from one to another (via PolicySetIdReference)
Policy versioning: create/read/delete multiple versions per policy.
Configurable root policy ID/version: top-level policy enforced by the PDP may be any managed policy (if no version defined in configuration, the latest available is selected)
Configurable maximum number of policies;
Configurable maximum number of versions per policy.
Optional policy version rolling (when the maximum of versions per policy has been reached, oldest versions are automatically removed to make place).

REST API

Provides access to all PAP/PDP features mentioned in previous sections with possibility to have PDP-only instances (i.e. without PAP features).
Multi-tenant: allows to have multiple domains/tenants, each with its own PAP/PDP, in particular its own policy repository.
Conformance with REST Profile of XACML v3.0 Version 1.0
Supported data formats, aka content types:
- application/xml: XML based on API schema;
- application/fastinfoset: Fast Infoset based on API's XML schema;
- application/json: JSON based on API's XMLschema with a generic XML-to-JSON mapping convention
- application/xacml+xml: XACML content only, as defined by RFC 7061
- application/xacml+json: JSON format for XACML Request/Response on PDP only, as defined by XACML v3.0 - JSON Profile Version 1.0
Defined in standard Web Application Description Language and XML schema so that you can automatically generate client code.

High availability and load-balancing

Integration with file synchronization tools (e.g. csync2) or distributed filesystems (e.g. NFS and CIFS) to build clusters of AuthzForce Servers.

Limitations

The following optional features from XACML v3.0 Core standard are not supported:

Elements AttributesReferences, MultiRequests and RequestReference;
Functions urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal, urn:oasis:names:tc:xacml:3.0:function:xpath-node-match and urn:oasis:names:tc:xacml:3.0:function:access-permitted;
Algorithms planned for future deprecation.

If you are interested in those, you can ask for support.

Quality Assurance

This project is part of FIWARE and has been rated as follows:

Version Tested:
Documentation:
Responsiveness:
FIWARE Testing:

Install

Every release is packaged in various types of distribution and the installation depends on the distribution type:

Ubuntu/Debian package (recommended option): .deb. Use your usual Ubuntu/Debian APT to install the package;
Other Linux distributions: .tar.gz for any Linux distribution. More info in the documentation;
Docker image, installed/deployed with the usual docker container commands. See dist/src/docker/README.md for more info.

For download links, please go to the specific release page.

Once you downloaded the distribution of your preference, check the documentation for more information.

Documentation

For links to the documentation of a release, please go to the specific release page.

Training Courses

Academy Courses

AuthzForce

Tutorials

The following tutorials on AuthzForce Server are available:

Usage

This section gives examples of usage and PEP code with a web service authorization module.

For an example of using an AuthzForce Server's RESTful PDP API in a real-life use case, please refer to the JUnit test class RESTfulPdpBasedAuthzInterceptorTest and the Apache CXF authorization interceptor RESTfulPdpBasedAuthzInterceptor. The test class runs a test similar to @coheigea's XACML 3.0 Authorization Interceptor test but using AuthzForce Server as PDP instead of OpenAZ. In this test, a web service client requests a Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a RESTfulPdpBasedAuthzInterceptor that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision with these attributes from a remote PDP provided by AuthzForce Server, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it. For more information, see the Javadoc of RESTfulPdpBasedAuthzInterceptorTest.

Testing

To run unit tests, install Maven and type

mvn test

Support

You should use AuthzForce users' mailing list as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc.

If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the OW2 Issue Tracker. Please include as much information as possible; the more we know, the better the chance of a quicker resolution:

Software version
Platform (OS and JRE)
Stack traces generally really help! If in doubt, include the whole thing; often exceptions get wrapped in other exceptions and the exception right near the bottom explains the actual error, not the first few lines at the top. It's very easy for us to skim-read past unnecessary parts of a stack trace.
Log output can be useful too; sometimes enabling DEBUG logging can help;
Your code & configuration files are often useful.

Security - Vulnerability reporting

If you want to report a vulnerability, you can do so on this Github repository by following the process: Privately reporting a security vulnerability.

Contributing

Documentation

The sources for the manuals are located in fiware repository.

Releasing

From the develop branch, prepare a release (example using a HTTP proxy):

$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start

Update the changelog with the new version according to keepachangelog.com.
Commit
Perform the software release (example using a HTTP proxy):
```
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
```
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
```
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
```
More info on jgitflow: http://jgitflow.bitbucket.org/
Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with jgitflow:release-finish
Click the Release button to release to Maven Central.
When the artifacts have been successfully published on Maven Central, follow the instructions in the Release section of fiware repository.

Build and publish the Docker image:

  $ git checkout master
  $ mvn clean package
  $ cd dist/target
  $ chmod +x release-docker.sh
  $ ./release.sh

Update the versions in badges at the top of this file.
Create a release on Github with a description based on the release description template, replacing M/m/P with the new major/minor/patch versions.

License

This project is licensed under the terms of GPL v3 except Java classes in packages org.ow2.authzforce.webapp.org.apache.cxf.jaxrs.provider.json.utils and org.ow2.authzforce.webapp.org.codehaus.jettison.mapped which are under Apache License.

Are there any legal issues with GPL 3.0? Is it safe for me to use?

There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL (or AGPL) licenses are mostly related with the fact that different people assign different interpretations on the meaning of the term “derivate work” used in these licenses. Due to this, some people believe that there is a risk in just using software under GPL or AGPL licenses (even without modifying it).

For the avoidance of doubt, the owners of this software licensed under an GPL 3.0 license wish to make a clarifying public statement as follows:

Please note that software derived as a result of modifying the source code of this software in order to fix a bug or incorporate enhancements is considered a derivative work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise unmodified version of existing software is not considered a derivative work, and therefore it does not need to be released as under the same license, or even released as open source.

server's People

Contributors

Stargazers

Watchers

Forkers

secmotic zaster fossabot jason-fox pandiyan90 iaoiui chakra-coder metedemirtas ridoo mibaltoalex amarjitghuman pengge fiware-ges erdal-pb phpboke claradiesen thaingo

server's Issues

JSONObject support

Overview

GeoXACML is an OGC standard that extends OASIS XACML with the geometry data type and related functions. The current work in progress is standardizing the v3.0.

GeoXACML allows encoding of geometries via

Well-Known-Text (String)
GML (XML)

In the OGC GeoXACML 3.0 SWG, we are currently working on a GeoJSON geometry encoding extension. The plan is to leverage the GeoJSON GeometryObject inside the Attribute Value of the XACML 3.0 JSON Profile. The following example illustrates the approach.

"Attribute": [
        {
            "AttributeId": "urn:ogc:geoxacml:3.0:subjet-location",
            "DataType": "urn:ogc:def:dataType:geoxacml:1.0:geometry",
            "Value": [
                {
                    "geometry": {
                        "type": "Point",
                        "coordinates": [102.0,0.5]
                    }
                }
            ]
        }
    ]

Issue

But, when running a request using the GeoJSON encoding on the AuthzForce Server 9.0.1 (that has loaded the GeoXACML extension) the following exception is returned:

{"error":"Unsupported type of item in Value array of attribute '[category='urn:oasis:names:tc:xacml:3.0:attribute-category:environment', issuer=null, id='urn:ogc:geoxacml:3.0:subjet-location']': JSONObject"}

AuthzForce exception for ADR with JSONObject as Attribute Value

And from the log:

Response-Code: 501
Content-Type: application/xacml+json
Headers: {Content-Type=[application/xacml+json], Date=[Mon, 08 Feb 2021 13:11:22 GMT]}
Payload: {"error":"Unsupported type of item in Value array of attribute '[category='urn:oasis:names:tc:xacml:3.0:attribute-category:environment', issuer=null, id='urn:ogc:geoxacml:3.0:subjet-location']': JSONObject"}

AuthzForce Server exception response

To reproduce the issue, please load the GeoXACML extension onto the AuthzForce Server 9.0. You can obtain the GeoXACML extension from the public Github repo: GeoXACML Basic. The INSTALL.md explains how to build and deploy the extension.

And then send the following request to the AuthzForce server:

{
    "Request": {
        "ReturnPolicyIdList": false,
        "CombinedDecision": false,
        "Category": [
            {
                "CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "Attribute": [
                    {
                        "IncludeInResult": false,
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string",
                        "Value": ["Julius Hibbert"]
                    }
                ]
            },
            {
                "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                "Attribute": [
                    {
                        "IncludeInResult": false,
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        "DataType": "http://www.w3.org/2001/XMLSchema#anyURI",
                        "Value": ["http://medico.com/record/patient/BartSimpson"]
                    }
                ]
            },
            {
                "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                "Attribute": [
                    {
                        "IncludeInResult": false,
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string",
                        "Value": ["read"]
                    }
                ]
            },
            {
                "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
                "Attribute": [
                    {
                        "IncludeInResult": false,
                        "AttributeId": "urn:ogc:geoxacml:3.0:subjet-location",
                        "DataType": "urn:ogc:def:dataType:geoxacml:1.0:geometry",
                        "Value": {
                            "geometry": {
                                "type": "Point",
                                "coordinates": [102.0,0.5]
                            }
                        }
                    }
                ]
            }
        ]
    }
}

ADR using GeoJSON geometry encoding

Resolution

Allowing any JSON Object for the Value is a potential security hazard.

Perhaps it is possible to allow a JSON Object processing where the extension would have to specify the Parser. In our case, that would be the org.wololo.jts2geojson.GeoJSONReader. Another solution perhaps would be to allow a String processing of the JSON Object?

Looking forward to a way that allows us to encode geometries via GeoJSON...

Best
Andreas

How to reproduce - additional info

From Andreas's message on authzforce-users mailing list:

Checkout https://github.com/securedimensions/authzforce-geoxacml-basic, follow the instructions in INSTALL.md to enable the BASIC support for geometry datatype to your server 9.0. I’ve just merged develop with master to support the latest AuthzForce version and Java 11.

Possible security issue reported by NVD CVE Analyzer

Awesome that you use Travis CI, this makes it very easy to dig into the build and test process!

While you integrate with NVD CVE Analyzer, there is a possible issue with a Spring component. However the plugin is also known for false positives. Neverthereless it makes sense to explore I think.

Log fragment:

One or more dependencies were identified with known vulnerabilities in org.ow2.authzforce:authzforce-ce-server-rest-service:

spring-core-4.3.12.RELEASE.jar (cpe:/a:vmware:springsource_spring_framework:4.3.12, cpe:/a:pivotal_software:spring_framework:4.3.12, cpe:/a:springsource:spring_framework:4.3.12, org.springframework:spring-core:4.3.12.RELEASE, cpe:/a:pivotal:spring_framework:4.3.12) : CVE-2018-1199

Complete log:
https://api.travis-ci.com/v3/job/132362640/log.txt

Support DELETE /.../policies/{policyId}/latest

Delete the latest version of a policy using 'latest' keyword

Query filter

Hello,
dos authzforce support producing filters for queries?
For example user asks for the list of all documents, and there is a policy "a user can view documents created by him only". So i wont to receive from PDP a filter "Document.CreatedBy =User.Id" to use it in my SQL query.

Documentation typos: missing XACML namespace in sample request

Fix missing XACML namespace in sample request: see https://jira.fiware.org/browse/SEC-1075
Also fix typo "namespace prefixe" in 3.3.1.
Finally recommend to use XML-schema-aware on client side for developers.

Failed to find a root PolicySet with id

Hi AuthZForce Team,

I'm trying to enter a PolicySet via the POST /pap/policies endpoint:

<?xml version="1.0" encoding="UTF-8"?> <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicySetId="PolicySetWithEmailRuleAnyActionAnyResource" Version="1.0"> <Description>TestPolicySet</Description> <Target /> <Policy PolicyId="urn:oasis:names:tc:xacml:3.0:example:EmailNamespaceAnyActionAnyResource" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides"> <Description>Medi Corp access control policy</Description> <Target /> <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:EmailRule" Effect="Permit"> <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" /> </Match> </AllOf> </AnyOf> </Target> </Rule> </Policy> </PolicySet>

I get the following error (400 bad request):

{ "error": { "message": "Failed to find a root PolicySet with id = 'PolicySetWithEmailRuleAnyActionAnyResource', Version=1.0,EarliestVersion=,LatestVersion=: Matched PolicySet 'PolicySetWithEmailRuleAnyActionAnyResource' (version 1.0) is invalid or its content is unavailable" } }

I don't understand this message. What is this required root and how do I add it to the XACML message? I see that there is a default policy set called "root" but I'm not sure what it is for and how to refer to it.

Strangely enough the policy set seems to have been saved anyway, I can retrieve it via GET /pap/policies/PolicySetWithEmailRuleAnyActionAnyResource/1.0 endpoint.

Ultimately I'm having problems adding even a simple policy set that returns a 200, i.e. goes through without validation errors.

Thanks for your help,
Andras Nemes

Support JSON format for API requests/responses

For better integration with JavaScript-based GUI frameworks. See feature branch JSON_SUPPORT.
/cc @hargathor

Upgrader - Support input 4.3.x and 4.4.x versions

Allow upgrade from authzforce server 4.3.x and 4.4.x

Documentation - Provide API request/response samples in JSON

Currently, there are only examples for Content-Type/Accept = application/xml in doc. Provide some for Content-Type/Accept = application/json
Plenty of raw examples in the test suite output to take from (that you can get by running maven test in webapp module after changing log level to INFO for logger org.apache.cxf in src/test/resources/authzforce-ce-server/conf/logback.xml):

TestSuite-output.txt

It is not yet certain that it is worth the trouble because:

On PAP API, the JSON format has serious limitations compared to XACML/XML.
For the PDP API, the JSON format (for XACML Requests/Responses) is the one already fully specified in this XACML standard: JSON Profile of XACML 3.0 Version 1.1. So please refer to it.

REST API - Configure custom XACML datatypes and functions

Enable clients to use new PDP feature element to enable specific XACML datatypes, functions and request filters (strict,lax,...) on the PDP.

rest-service - move maven dependency 'cxf-rt-frontend-jaxrs' to webapp

PolicySetIdReference within same policyset

I was looking at policy inheritance as defined in https://authzforce-ce-fiware.readthedocs.io/en/latest/UserAndProgrammersGuide.html#re-usable-policies-e-g-for-hierarchical-rbac

and I was wondering if it is possible to refer to a policyset within the same file instead of across 2 different ones as defined in the example

eg.

PolicySet parent
     PolicySet toInherit
     PolicySet inheriter
            PolicySetIdReference:toInherit

I tried it but computer says no (java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*])

So my question is: Is that by design?

Software version (AuthzForce Core)

Platform JRE

Platform OS

authzforce/server:release-8.1.0

Error stack trace or logs (if any)

Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Matched PolicySet 'rbacroot' (version 0.1.0) is invalid or its content is unavailable
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:214)
	at org.ow2.authzforce.core.pdp.api.policy.BaseStaticRefPolicyProvider.get(BaseStaticRefPolicyProvider.java:113)
	at org.ow2.authzforce.core.pdp.impl.policy.CoreRefBasedRootPolicyProvider.<init>(CoreRefBasedRootPolicyProvider.java:97)
	... 49 common frames omitted
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Invalid PolicySet in file: /opt/authzforce-ce-server/data/domains/HJW2dLuXEemloQJCrBsAAw/policies/cmJhY3Jvb3Q/0.1.0.xml
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:304)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.access$100(FlatFileDAORefPolicyProviderModule.java:256)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule.getPolicySet(FlatFileDAORefPolicyProviderModule.java:207)
	... 51 common frames omitted
Caused by: java.lang.IllegalArgumentException: PolicySet[rbacroot#v0.1.0]: Invalid child #1 (PolicySet)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1889)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1852)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2176)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
	at org.ow2.authzforce.pap.dao.flatfile.FlatFileDAORefPolicyProviderModule$PolicyEvaluatorSupplier.get(FlatFileDAORefPolicyProviderModule.java:299)
	... 53 common frames omitted
Caused by: java.lang.IllegalArgumentException: No PolicySet matching reference: id = RPS:BasicUser, Optional[Version=*,EarliestVersion=*,LatestVersion=*]
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1667)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicyRefEvaluatorFactory.getInstance(PolicyEvaluators.java:1640)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:1704)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:1771)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1914)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicyRefEvaluator(PolicyEvaluators.java:1852)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceGeneric(PolicyEvaluators.java:2132)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators.getInstanceStatic(PolicyEvaluators.java:2305)
	at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$StaticPolicySetElementEvaluatorFactory.getChildPolicySetEvaluator(PolicyEvaluators.java:1884)
	... 57 common frames omitted

Your code and/or AuthzForce-specific configuration file(s)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="rbacroot" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>Root RBAC PolicySet</Description>
  <Target/>
  <PolicySet PolicySetId="RPS:BasicUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      BasicUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=BasicUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:BasicUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to BasicUser role</Description>
      <Target/>
      <Rule RuleId="service1" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service1</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
      <Rule RuleId="service2" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service2</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SuperUser" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
    <Description>
      SuperUser Role PolicySet
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=SuperUser,dc=org1,dc=com</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Policy PolicyId="PPS:SuperUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
      <Description>Permissions specific to SuperUser role</Description>
      <Target/>
      <Rule RuleId="service3" Effect="Permit">
        <Target>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service3</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
          <AnyOf>
            <AllOf>
              <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </Match>
            </AllOf>
          </AnyOf>
        </Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>RPS:BasicUser</PolicySetIdReference>
  </PolicySet>
</PolicySet>

transferred from authzforce/core#48

Policy with Attribute Selector

I was trying to insert a policy in Authzforce 10.1.1 that uses attribute selectors, but with no success. I tried the same policy in the Core CLI 20.0.0, and it worked and even tested it with a request.

Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:md="urn:example:med:schemas:record" PolicySetId="root" Version="1.0.5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
   <PolicySetDefaults>
       <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
   </PolicySetDefaults>
   <Target />
   <Policy PolicyId="polo" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
       <Target>
       </Target>
       <Rule RuleId="Ruleo" Effect="Permit">
           <Condition>
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                       <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                     <AttributeSelector MustBePresent="false"
                     Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                     Path="/md:record/md:parentGuardian/md:parentGuardianId/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
                   </Apply>
               </Apply>
           </Condition>
       </Rule>
   </Policy>
</PolicySet>

AuthZforce returns:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/7">
    <message>Invalid PolicySet with PolicySetId='root', Version=2.0.1</message>
</error>

If I go check the /var/log/tomcat9/error.log it says:
error.log

...
Caused by: net.sf.saxon.trans.XPathException: Namespace prefix 'md' has not been declared
...

But I think that the "md" namespace is declared with xmlns:md="urn:example:med:schemas:record" in line 2 of the policy.

rules inherited from PolicySetIdReference don't seem to be applied

I have user policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="User" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>
    User Role PolicySet
  </Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=User,dc=mydomain,dc=com</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Policy PolicyId="PPS:User" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Permissions specific to User role</Description>
    <Target/>
    <Rule RuleId="permission1" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource1</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
    <Rule RuleId="permission2" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource2</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>

  </Policy>
</PolicySet>

and super user:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="SuperUser" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>
    SuperUser Role PolicySet
  </Description>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cn=SuperUser,dc=mydomain,dc=com</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <PolicySetIdReference>User</PolicySetIdReference>
  <Policy PolicyId="PPS:SuperUser" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Permissions specific to SuperUser role</Description>
    <Target/>
    <Rule RuleId="permission3" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource3</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
    <Rule RuleId="permission4" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource4</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>

  </Policy>
</PolicySet>

so I'd expect:

User to have permission1 and permission2
SuperUser to have permission1 and permission2
Superuser to have permission3 and permission4

(1) and (3) work as expected, however (2) does not: authzforce replies Deny

authzforce-ce/error.log shows

2020-07-14 11:03:17,812|WARN |http-nio-8080-exec-1|org.ow2.authzforce.core.pdp.impl.IndividualDecisionRequestContext:154|Attempt to override value of AttributeDesignator [category='urn:oasis:names:tc:xacml:1.0:subject-category:access-subject', issuer=null, id='urn:oasis:names:tc:xacml:2.0:subject:role'] already set in evaluation context. Overriding value: Bag(elementType='http://www.w3.org/2001/XMLSchema#string', elements=[cn=SuperUser,dc=mydomain,dc=com], causeForEmpty=null)|

Update1: Request is

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Issuer="xacml-sdk-5.0.0"
                   IncludeInResult="true">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SuperUser</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Issuer="xacml-sdk-5.0.0"
                   IncludeInResult="true">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Issuer="xacml-sdk-5.0.0"
                   IncludeInResult="true">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource1</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

root policy is

<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="rbacroot" Version="0.1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>Root RBAC PolicySet</Description>
  <Target/>
  <PolicySetIdReference>User</PolicySetIdReference>
  <PolicySetIdReference>SuperUser</PolicySetIdReference>
</PolicySet>

update2:

Note I am using ldap to get role for user

   <ns3:attributeProvider xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:LdapAttributeProvider" url="ldap://ldap:389" bindDN="cn=admin,dc=mydomain,dc=com"
                         bindPassword="password" connectTimeoutMs="1000" searchBaseDN="dc=mydomain,dc=com" searchScope="SUBTREE" maxSearchResultEntryCount="100" searchTimeoutMs="1000"
                         id="ldap">
    <ns2:providedAttribute fromLdapAttributeID="memberOf">
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                           DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </ns2:providedAttribute>
    <ns2:searchFilter>(&amp;(objectClass=person)(cn={0}))</ns2:searchFilter>
    <ns2:searchFilterArg>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                           DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </ns2:searchFilterArg>
    <ns2:cache maxSize="1000" ttlSec="1"/>
  </ns3:attributeProvider>

In case this is important dir structure is:

HJW2dLuXEemloQJCrBsAAw/
├── pdp.xml
├── policies
│   ├── cmJhY3Jvb3Q
│   │   └── 0.1.0.xml
│   ├── VXNlcg==
│   │   └── 0.1.0.xml
│   ├── U3VwZXJVc2Vy
│       └── 0.1.0.xml
└── properties.xml

Performance and Components

Hi,

Is there a way to clearly separate Xacml-PeP, PAP, PDP and PIP ? If i want to detach or deploy them separately, how is that feasible ? Also, wondering have you done any performance benchmarking around this implementation ?

[MUST] Update README on master branch

Several PRs have been accepted into develop, but no release has been made since 8.0.1, therefore some fixed issues do not display as fixed on the master branch

For example:

README must have a QA section
README must have a training section

This is just a placeholder to indicate that a release is required to complete the fix. Please close this issue once a new release has been completed.

Release 8.0.1 Versioned Documentation is inactive on RTD

On the Authzforce ReadtheDocs project, release 8.0.1 versioned documentation is not displayed

Goto https://readthedocs.org/projects/authzforce-ce-fiware/versions/
Ensure that active checkmark is ticked against relevant release tag

Link#Title in getDomains() returns same value as Link#HREF

I was looking at getDomains, specially in reference to authzforce/java-xacml-sdk#17 and I noticed that getDomains returns something like

GET http://localhost:8082/authzforce-ce/domains/

HTTP/1.1 200 
Date: Mon, 18 May 2020 19:01:52 GMT
Content-Type: application/xml
Content-Length: 540

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:resources xmlns="http://www.w3.org/2005/Atom" xmlns:ns2="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/6.0"
               xmlns:ns4="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <link rel="item" href="HJW2dLuXEemloQJCrBsAAw" title="HJW2dLuXEemloQJCrBsAAw"/>
  <link rel="item" href="SV4T35k1EeqozAJCrBDuBQ" title="SV4T35k1EeqozAJCrBDuBQ"/>
</ns2:resources>

yet getDomains/{domainID}

returns something like

GET http://localhost:8082/authzforce-ce/domains/SV4T35k1EeqozAJCrBDuBQ

HTTP/1.1 200 
Date: Mon, 18 May 2020 19:16:31 GMT
Content-Type: application/xml
Content-Length: 736

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<domain xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5" xmlns:ns2="http://www.w3.org/2005/Atom" xmlns:ns3="http://authzforce.github.io/core/xmlns/pdp/6.0"
        xmlns:ns4="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <properties externalId="myTestDomain1">
    <description>test domain</description>
  </properties>
  <childResources>
    <ns2:link rel="item" href="/properties" title="Domain properties"/>
    <ns2:link rel="item" href="/pap" title="Policy Administration Point"/>
    <ns2:link rel="http://docs.oasis-open.org/ns/xacml/relation/pdp" href="/pdp" title="Policy Decision Point"/>
  </childResources>
</domain>

Is this by design? I guess I expected the response of getDomains to be something like

 <link rel="item" href="SV4T35k1EeqozAJCrBDuBQ" title="myTestDomain1"/>

Upgrade Spring 4.3.4 -> 4.3.5

https://pivotal.io/security/cve-2016-9878

PDP - PAP separation (optional)

Possibility to separate PDP from PAP, e.g. a AuthzForce server instance with only PDPs and another one with PAPs (and possibly PDPs). Solution proposed: new configuration parameter of type boolean enablePdpOnly (default: false).

If you only want PDPs only on your instance, set the enablePdpOnly=true.
Else you want PAPs on your instance, and it is logical to have an associated PDPs as well to test your policies and PDP configuration right away, before deploying/applying the changes to the instance with PDPs only and waiting for synchronization to happen; so enablePdpOnly=false.

Error while starting-up the authzforce ce server

Hi,

I am trying to startup the authzforce server. But before that, I have built the v5.4.1 distribution with maven and configured my tomcat 8.0.35 (and openjdk 8) installation (that is placing the context.xml file to $catalina.base/conf/Catalina/localhost/authzforce-ce.xml). Now, when I start the tomcat server, following error is occurred under the catalina.out file.

27-May-2017 16:06:21.629 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /home/user/apache-tomcat-8.0.35/conf/Catalina/localhost/authzforce-ce.xml
27-May-2017 16:06:27.162 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
27-May-2017 16:06:29.069 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
27-May-2017 16:06:29.073 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/authzforce-ce] startup failed due to previous errors
27-May-2017 16:06:29.089 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /home/user/apache-tomcat-8.0.35/conf/Catalina/localhost/authzforce-ce.xml has finished in 7,460 ms

and under the error.log file:

2017-05-27 16:06:29,066|ERROR|localhost-startStop-1|org.springframework.web.context.ContextLoader:319|Context initialization failed|
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'tazService': Invocation of init method failed; nested exception is org.apache.cxf.service.factory.ServiceConstructionException
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1488) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:524) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:461) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:295) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:292) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:626) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932) ~[spring-context-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479) ~[spring-context-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112) [spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4813) [catalina.jar:8.0.35]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5272) [catalina.jar:8.0.35]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) [catalina.jar:8.0.35]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) [catalina.jar:8.0.35]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) [catalina.jar:8.0.35]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) [catalina.jar:8.0.35]
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587) [catalina.jar:8.0.35]
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798) [catalina.jar:8.0.35]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_112]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]
Caused by: org.apache.cxf.service.factory.ServiceConstructionException: null
at org.apache.cxf.jaxrs.JAXRSServerFactoryBean.create(JAXRSServerFactoryBean.java:219) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_112]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_112]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_112]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_112]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1614) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1555) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1485) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE]
... 25 common frames omitted
Caused by: java.lang.NullPointerException: null
at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011) ~[na:1.8.0_112]
at java.util.concurrent.ConcurrentHashMap.putAll(ConcurrentHashMap.java:1084) ~[na:1.8.0_112]
at org.apache.cxf.jaxrs.AbstractJAXRSFactoryBean.createEndpoint(AbstractJAXRSFactoryBean.java:223) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0]
at org.apache.cxf.jaxrs.JAXRSServerFactoryBean.create(JAXRSServerFactoryBean.java:165) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0]
... 32 common frames omitted

Any help would be appreciated.

Thanks,
Shiraz

License?

Is this repo/code licensed under a specific license? AuthZForce Core seems to be licensed Apache 2.0, is the server the same?

Thanks!

Publish docker image for new release 9.0.1

Wrong error code and message for invalid/unsupported function ID

API returns Internal Server Error (500), instead of Bad Request (400) when activating PolicySet with invalid function.
Example: urn:oasis:names:tc:xacml:1.0:function:any-of
Error message should tell which function is invalid.

[MUST] Credits are missing

According to the contribution requirements, credit must be given to developers who contribute to the development of each component. A simple way to do this is to add and maintain a CREDITS file.

The list of previous contributors can be obtained using the following command:

git shortlog -cse

MUST Requirement from the TSC

Problem with updating pdp.properties

When I try updating pdp.properties file via PUT request using xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <pdpPropertiesUpdate xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"> <rootPolicyRefExpression>valid_policySet_id</rootPolicyRefExpression> </pdpPropertiesUpdate>

It return Internal server error with message:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><error xmlns="http://authzforce.github.io/rest-api-model/xmlns/authz/5"><message>Internal Server error. Retry later or contact the administrator.</message></error>

Is anyone else experiencing this issue. Any help would be appreciated

[MUST] Roadmap is missing

A roadmap for the project for the short (3 months) , medium (one year) and long term should be added to the repository and publicly available.

Startup failure when offline - UnknownHostException raw.githubusercontent.com

XACML/JSON schema loading fails when offline (no Internet connection), preventing AuthzForce Server to start. More info in the attached error log:
authzforce_error.log

This is linked to incorrect behavior in the JSON schema validation library when the 'id' property in the schema is a URL :

everit-org/json-schema#88

org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath has no effect

Software version (AuthzForce Core)

21.2.0

Platform JRE

Platform OS

MAC

Error stack trace or logs (if any)

The Request.schema.json seems not to get loaded from the location specified in the authzforce-ce.xml context deployment.
When submitting a JSON request with additional attribute SRS, the request is still validated against the schema loaded from classpath and not from the configured location.

2022-12-01 16:09:36,761|DEBUG|http-nio-8080-exec-2|org.apache.cxf.service.invoker.AbstractInvoker:175|Invoking method public abstract org.json.JSONObject org.ow2.authzforce.rest.api.jaxrs.PdpResource.requestPolicyDecisionXacmlJson(org.json.JSONObject) on object org.ow2.authzforce.rest.service.jaxrs.DomainResourceImpl@259f6a82 with params [{"Request":{"CombinedDecision":false,"Category":[{"CategoryId":"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject","Attribute":[{"SRS":"EPSG:4326","AttributeId":"subject-location","Value":"POINT (10 1)","DataType":"urn:ogc:def:dataType:geoxacml:3.0:geometry","IncludeInResult":false}]}],"ReturnPolicyIdList":false}}].|
2022-12-01 16:10:28,510|DEBUG|http-nio-8080-exec-2|org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor:203|{
    "schemaLocation": "classpath://org/ow2/authzforce/xacml/json/model/common-std.schema.json#/definitions/AttributeType",
    "pointerToViolation": "#/Request/Category/0/Attribute/0",
    "causingExceptions": [],
    "keyword": "additionalProperties",
    "message": "extraneous key [SRS] is not permitted"
}|
2022-12-01 16:10:28,512|INFO |http-nio-8080-exec-2|org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter:149|Invalid or unsupported input XACML Request syntax|
org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Invalid Request
    at org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor.process(BaseXacmlJsonRequestPreprocessor.java:204)
    at org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor.process(BaseXacmlJsonRequestPreprocessor.java:47)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:145)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:193)
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileBasedDomainsDao$PdpBundle.evaluate(FlatFileBasedDomainsDao.java:563)
    at org.ow2.authzforce.pap.dao.flatfile.FlatFileBasedDomainsDao$FileBasedDomainDaoImpl.evaluatePolicyDecision(FlatFileBasedDomainsDao.java:2605)
    at org.ow2.authzforce.rest.service.jaxrs.DomainResourceImpl.requestPolicyDecisionXacmlJson(DomainResourceImpl.java:270)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:286)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:286)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:223)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158)
    at org.ow2.authzforce.webapp.ExceptionFilter.doFilter(ExceptionFilter.java:64)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1762)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:1589)
Caused by: org.everit.json.schema.ValidationException: #/Request/Category/0/Attribute/0: extraneous key [SRS] is not permitted
    at org.everit.json.schema.ValidationException.copy(ValidationException.java:486)
    at org.everit.json.schema.DefaultValidator.performValidation(Validator.java:73)
    at org.everit.json.schema.Schema.validate(Schema.java:152)
    at org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonRequestPreprocessor.process(BaseXacmlJsonRequestPreprocessor.java:199)
    ... 52 common frames omitted

Your code and/or AuthzForce-specific configuration file(s)

In .../Catalina/localhost/authzforce-ce.xml the following element should define the location of the JSON request schema used for the JSON request validation.

<Environment name="org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath" value="GeoXACML/Request.schema.json" type="java.lang.String" override="false"
                 description="Path to JSON schema file for XACML JSON Profile's Request validation, relative to ${org.ow2.authzforce.config.dir} (if undefined/empty value, the Request.schema.json file from authzforce-ce-xacml-json-model project is used by default)" />

Help:Problem with updating root policy

Hi,

When trying to update my root policy I get a message telling me that the content of the new policy is invalid. I figured out that the problem was in the Condition that I used ( commenting that would prevent the error). Any ideas on what could be a potential error.

My Condition:
<ns4:Condition> <ns4:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <ns4:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"> <ns4:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/> <ns4:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</ns4:AttributeValue> </ns4:Apply> <ns4:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal"> <ns4:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/> <ns4:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">40</ns4:AttributeValue> </ns4:Apply> </ns4:Apply> </ns4:Condition>

Need Help in

Hi,

I am unable to debug and run my own custom test cases on my IDE. Is there any documentation available to run them on our IDE?

Looking forward to hearing back from you.

Best

Policy editor UI

Hi,

is it possible to perform operations on policies (e.g. CRUD) and domains with some WebUI (apart from the REST interface)? in addition to that, can one (graphically) assign domains or policy sets to a particular set of users to manage their application related policies? Furthermore, do you plan to implement such UI?

Please also note that I have a separate user identity management server in place, which can act as a SAML IdP and/or OAuth2/OIDC authorization server. So, if there exists a authzforce UI that understands any of the given protocols, the integration of authzforce and the idm can be realised.

Thanks,
Shiraz

Namespace declaration error for structured Attributes

The GeoXACML extension supports the data type Geometry. The encoding for the Geometry AttributeValue can be done via String or XML:

String: Based on Well Knwon Text
XML: Based on Geography Markup Language

The GeoXACML extension can be build via mvn install and be deployed onto the AuthzForce CE Server as described in the documentation.

When loading the GeoXACML policy for validating the Geometry encoding via GML, the following exception is thrown by the AuthzForce Server:

To reproduce the error,

load the GeoXACML extension onto the server
update the pdp.properties with the file from the folder /src/main/resources/updateProperties.xml
upload the GeoXACML policy from the folder /src/main/resources/conformance/geoxacml-3.0/core/policy-broken.xml

When loading the policy, the server throws the exception Duplicate declaration of namespace prefix 'gml' (empty string refers to default namespace)

Best
Andreas

REST API - Configure custom XACML Combining Algorithms, Request & Result filters

Enable clients to use new PDP feature element mentioned in authzforce/rest-api-model#1 to enable specific XACML combining algorithms, or Request/Result filters on the PDP.

Unable to send simple request in JSON format

Im'm using Authzforce 8.0.1 on docker.
I try to to send this request to pdp:
{ "Request" : { "ReturnPolicyIdList" : false } }
and the response are:
{ "error":{ "message": "Invalid parameters: cvc-complex-type.4: Attribute 'ReturnPolicyIdList' must appear on element 'Request'." } }
is a bug? I'm unable to send any type of request.

Thanks

Cannot initiate service on Docker

Issue related here.

Thanks

doubts about xacml and orion

Hello, I would like to carry out two types of policies but I do not achieve them. One would be, to make a POST request to wilma to / v2 / entities where it is intended to create an entity with a series of attributes, the policy that I want to carry out is to restrict this request, for example, a user registered can only create entities if it has as an attribute by example user_id = 1234, if it is another value, you do not have permissions to create that entity. The other policy that I want to carry out is a GET request, it would be the same case, but knowing that the entity has already been created, now it is intended to obtain the information of said entity, for example the user can only make a GET request to / v2 / entities / if the entity has the attribute id_usr = 1234, in case no entity has said attribute, it does not have permission to see said information.

Validate all policies on upload

https://gitlab.ow2.org/authzforce/server/issues/1

(even if not immediately enforced by PDP)

Policy without PolicySet

Hi AuthZForce Team.

In the documentation of the XACML (OASIS) has several examples of policies without policySet. This same behavior is allowed in the WSO IS, however, to try add a policy without PolicySet the AZF (release 7.1.0 / Docker) show the following error:

Cannot cast oasis.names.tc.xacml._3_0.core.schema.wd_17.Policy to oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet

Is there any way to disable this PolicySet requirement?

Problem with Authzforce installation

I tried to install by package (authzforce-ce-server-dist-8.1.0.deb) and I get an error in tomcat, /var/log/tomcat8/authzforce-ce/error.log:

2020-07-17 11:05:20,822|ERROR|localhost-startStop-1|org.springframework.web.context.ContextLoader:351|Context initialization failed|
org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/beans.xml]; nested exception is org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class [org.apache.cxf.bus.spring.NamespaceHandler] for namespace [http://cxf.apache.org/core]: problem with handler class file or dependent class; nested exception is java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:414)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:336)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:304)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:181)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:217)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:188)
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:129)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:613)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:514)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:444)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:326)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4770)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5236)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class [org.apache.cxf.bus.spring.NamespaceHandler] for namespace [http://cxf.apache.org/core]: problem with handler class file or dependent class; nested exception is java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
at org.springframework.beans.factory.xml.DefaultNamespaceHandlerResolver.resolve(DefaultNamespaceHandlerResolver.java:140)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1406)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1401)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:172)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.doRegisterBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:142)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:94)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:508)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:392)
... 26 common frames omitted
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
at org.apache.cxf.bus.spring.NamespaceHandler.init(NamespaceHandler.java:33)
at org.springframework.beans.factory.xml.DefaultNamespaceHandlerResolver.resolve(DefaultNamespaceHandlerResolver.java:131)
... 33 common frames omitted
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.JAXBException
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1364)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1185)
... 35 common frames omitted
2020-07-17 11:05:21,172|WARN |localhost-startStop-1|org.springframework.web.context.support.XmlWebApplicationContext:1005|Exception thrown from LifecycleProcessor on context close|
java.lang.IllegalStateException: LifecycleProcessor not initialized - call 'refresh' before invoking lifecycle methods via the context: Root WebApplicationContext: startup date [Fri Jul 17 11:05:17 CEST 2020]; root of context hierarchy
at org.springframework.context.support.AbstractApplicationContext.getLifecycleProcessor(AbstractApplicationContext.java:417)
at org.springframework.context.support.AbstractApplicationContext.doClose(AbstractApplicationContext.java:1002)
at org.springframework.context.support.AbstractApplicationContext.close(AbstractApplicationContext.java:961)
at org.springframework.web.context.ContextLoader.closeWebApplicationContext(ContextLoader.java:581)
at org.springframework.web.context.ContextLoaderListener.contextDestroyed(ContextLoaderListener.java:116)
at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4817)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5474)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:226)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)

Saves policy on POST /pap/policies despite invalid PolicySet and 400 Bad Request

Affects AuthzForce Server 8.1.0.

As reported in #45 , when POSTing an invalid PolicySet, the server still saves the policy anyway, although it replies with 400 Bad Request. Besides, the error message is misleading (saying it's a root policyset) and not very helpful.

Distribution - Change .tar.gz extension to .tgz

change tarball extension to .tgz

[MUST] Default content missing from README

For standardization and convenience, the README is encouraged to follow Standard-readme or similar, the readme is currently missing a few mandatory sections, compare with this which is compact, but has full compliance.

No Table of contents
No text on how to run unit tests
No text on main Usage of the component
No text on how to Install the component

[SHOULD] Double tag FIWARE Release

Could you please add an additional tags to indicate which version aligns with which FIWARE release- you can see a similar examples here:

IoT Agent JSON

af26edd - FIWARE 7.5.1, FIWARE_7.5, FIWARE_7.4

Every PDP request results in permit

Hello, I recently got started using the AuthZForce PDP/PAP API's, and for some reason every request is resulting in a permit. As an example, here is a policy I created:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
 xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicySetId="P1"
 Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
 <Description>Test Policy Set</Description>
 <Target />
 <Policy
  PolicyId="FileAccessApp"
  Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Policy for FileAccessApp</Description>
  <Target>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
      <AttributeDesignator
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string"
       MustBePresent="true" />
     </Match>
    </AllOf>
   </AnyOf>
  </Target>
  <Rule RuleId="Must_Be_US" Effect="Permit">
   <Description>Only US Citizens may access files.</Description>
   <Target>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
   </Target>
   <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
     <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">US_Citizen</AttributeValue>
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"
       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
    </Apply>
   </Condition>
  </Rule>
 </Policy>
</PolicySet>

And yet, the request below results in a Permit

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="false">
 <Attributes
  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   IncludeInResult="false">
   <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string">Dave</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
   IncludeInResult="false"> <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string">Not_Us_Citizen</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
  </Attribute>
  <Attribute
   AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

If I enable ReturnPolicyIfList I see the line <PolicyIdReference Version="0.1.0">permit-all</PolicyIdReference>

How to disable this? Will just manually removing the 0.1.0.xml file and restarting Tomcat do it or is there a specific API call I need to make?

Adding Policies by coping the xml of the policies to local files.

So I have been following the documentation in:https://authzforce-ce-fiware.readthedocs.io/en/latest/InstallationAndAdministrationGuide.html#high-availability, to add policies to an authzforce server 10.1.1 by copyng the files of the policies to the server, the problem that I'm facing is that the files with the policies(e.g 0.1.0.xml) are inside folders that have names that appear to be a hash, (e.g /opt/authzforce-ce-server/data/domains/{domainID}/policies/cm9vdA), so if I try to create a new folder (e.g /opt/authzforce-ce-server/data/domains/{domainID}/policies/policiy1), when I make a request to get all the policies of this domain, the policy1 href appears as a bunch of random char's,

How can I, generate the hash to create the folder to put inside the xml of the policy?

Bulk import XACML policies

Hi,

Is it possible to bulk import xacml 3.0 policies into the server database? If yes, can you provide some pointers? Thanks!

Authzforce seems not to recognize roles

Hi, I wanted to develop a simple testbed in which there is an user A with admin privileges and an user B without any privilege: so user B can only make GET requests against Orion Context Broker and user A can make GET,POST,PUT,DELETE.
In order to make this, I manually (because the graphical interface didn't allow me) created another user, "utenteprova", which is the user B, as above and assigned it the role "basic" (via terminal). I assigned the user "idm" (the user A) the role "admin" as explained in the images #1 and #2.
Then I moved to Horizon interface. I created a role "admin" and a role "basic", that weren't present and I created a simple permission that allows GET requests to basic users, using, as resource, "http://localhost:8081/", which is my PEP Proxy address, that protects Orion. I did it right? Image #3 explains it.
Finally, I tested it. After getting the token from IdM, I make this request:

curl http://localhost:8081/v2/entities -H 'Accept: application/json' -H 'X-Auth-Token: .......' | python -m json.tool

With this request I should be able to get all my Orion entities, but I receive the following messages:

image #4 for the admin user (idm) and image #5 for the trial user (utenteprova).

Now, there are some strange things! My admin user should have "admin" as role and not "provider", as my PEP says, and my trial user should have "basic", but in the response there's no role even!!

Why, in you opinion, this is happening?
Thank you so much,
Giuseppe

Domain not found for application

I'm using Orion Context Broker, Keyrock IdM, Wilma PEP Proxy and Authzforce for the PDP.
When I wanted to perform any action from PEP proxy to PDP I receive the following message: "AZF domain not created for application ...". I tried several strategies to solve the problem, but without considerable results. What's the solution?
Thank you,
Giuseppe

authzforce / server Goto Github PK

server's Introduction

AuthzForce Server

Contents

Features

PDP (Policy Decision Point)

PIP (Policy Information Point)

PAP (Policy Administration Point)

REST API

High availability and load-balancing

Limitations

Quality Assurance

Install

Documentation

Training Courses

Academy Courses

Tutorials

Usage

Testing

Support

Security - Vulnerability reporting

Contributing

Documentation

Releasing

License

Are there any legal issues with GPL 3.0? Is it safe for me to use?

server's People

Contributors

Stargazers

Watchers

Forkers

server's Issues

Overview

Issue

Resolution

How to reproduce - additional info

Software version (AuthzForce Core)

Platform JRE

Platform OS

Error stack trace or logs (if any)

Your code and/or AuthzForce-specific configuration file(s)

Software version (AuthzForce Core)

Platform JRE

Platform OS

Error stack trace or logs (if any)

Your code and/or AuthzForce-specific configuration file(s)

Recommend Projects

Recommend Topics

Recommend Org