
Rules created through the GUI are ignored if any XACML code is inserted as permission definition

Open tmontanaro opened this issue 6 years ago • 3 comments

We are using IdM + PEP Proxy + Authzforce. Speaking about the IdM, rules created through the GUI are ignored if any XACML code is inserted as permission definition.

To reproduce the issue:

a) create two roles (e.g., Role1 and Role2)

b) create a permission1 (e.g., "GET-POST-PUT /api/role1") and insert the following XACML code (as you can see, there is no CONDITION tag):

<Rule RuleId="85359bad-019f-4ec4-80a4-e008fe09a4db" Effect="Permit">
 <Description>GET-POST-PUT /api/role1</Description>
 <Target>
     <AnyOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/api/role1</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
     </AnyOf>
     <AnyOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PUT</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
     </AnyOf>
 </Target>
</Rule>

c) create a permission2 (e.g., "GET-POST-PUT /api/role2") and insert the following XACML code (as you can see, there is no CONDITION tag):

<Rule RuleId="85359bad-019f-4ec4-80a4-e008fe09a4db" Effect="Permit">
 <Description>GET-POST-PUT /api/role2</Description>
 <Target>
     <AnyOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/api/role2</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
     </AnyOf>
     <AnyOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
         <AllOf>
             <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PUT</AttributeValue>
                 <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
             </Match>
         </AllOf>
     </AnyOf>
 </Target>
</Rule>

d) assign permission1 to Role1 and permission2 to Role2

e) go into the application view and press "Authorize"

f) assign Role1 to user1 and Role2 to user2

g) open Postman and obtain a token with user1's credentials

h) try to make a GET request to both /api/role1 and /api/role2

i) you will be able to access both paths

l) do the same with user2

Thus, the association among roles and permissions assigned through the GUI is completely ignored. The only way to make things work is to add a CONDITION to the permission, but you have to know the ID of the role assigned in the database (to be inserted in the "AttributeValue" tag).

    <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">8fd8088a-9751-4894-ba95-343483619789</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
        </Apply>
    </Condition>

The actual problem is: what happens if you have 10 permissions to be assigned to 20 roles (so, for example, 1 permission should be assigned to more than 1 role)? In this way you have to create as many permissions as roles. To be clear, if I have to assign ROLE1 - permission1, ROLE2 - permission1, ROLE3 - permission1, ROLE4 - permission2, ROLE5 - permission2, you have to create 5 permissions, one for each association (I'm not mentioning mixing groups, just for clarity).

tmontanaro avatar Sep 09 '19 15:09 tmontanaro

Hi @tmontanaro,

when you create an advanced XACML rule through the interface, Keyrock sends a request to create that rule in AuthzForce. By default, the PEP Proxy is able to check a basic rule with AuthZforce. For advanced cases like yours, you need to edit the PEP Proxy source code to make a different request to AuthZforce (check this link). We provide a simple template to be filled in, and you need to change the authorization configuration of your PEP Proxy.

I hope this will help you with this issue.

apozohue10 avatar Sep 10 '19 14:09 apozohue10

Ok, so you are saying that we have to recompile the whole PEP Proxy source code simply to create such rules? I thought that the GUI could simply create the rules with the specified conditions (based on the associations made graphically) when a condition was not specified in the XACML, for example.

However, even if that is not possible, a simple WARNING message saying that the rules defined through the GUI are not respected if any XACML code is specified could at least be useful. :D

tmontanaro avatar Sep 11 '19 09:09 tmontanaro

Yes, by default the PEP Proxy is only able to check simple action/resource rules. If you need a more complex rule, you need to re-code the PEP Proxy. Currently, when you create such rules through the GUI, Keyrock just sends the rule as you have introduced it in the web, with no conditions added. We take note to add the WARNING message, but the best solution would be to add the condition based on the association made. Maybe, if you want, you can contribute this in a PR!

apozohue10 avatar Sep 12 '19 09:09 apozohue10
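The fix proposed in the thread (append a role Condition to the Target-only rule based on the GUI association) as an added example in Python; this is not Keyrock or PEP Proxy code. It reproduces the issue's single-role Condition and, going beyond the page, OR-s several roles so one permission can serve many roles. The role IDs and the trimmed sample rule are constructed placeholders.

```python
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
F_ANY_OF = "urn:oasis:names:tc:xacml:3.0:function:any-of"
F_STR_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
F_OR = "urn:oasis:names:tc:xacml:1.0:function:or"


def role_match(role_id):
    """any-of(string-equal, role_id, subject role bag): true if the subject holds role_id."""
    apply = ET.Element("Apply", FunctionId=F_ANY_OF)
    ET.SubElement(apply, "Function", FunctionId=F_STR_EQ)
    ET.SubElement(apply, "AttributeValue", DataType=XS_STRING).text = role_id
    ET.SubElement(apply, "AttributeDesignator", Category=SUBJECT_CAT,
                  AttributeId=ROLE_ATTR, DataType=XS_STRING, MustBePresent="false")
    return apply


def bind_roles(rule_xml, role_ids):
    """Return rule_xml with a Condition restricting it to role_ids.
    A rule that already carries a Condition is returned unchanged."""
    if not role_ids:
        raise ValueError("a permission must be bound to at least one role")
    rule = ET.fromstring(rule_xml)
    if rule.tag != "Rule" or rule.find("Condition") is not None:
        return rule_xml
    cond = ET.SubElement(rule, "Condition")
    if len(role_ids) == 1:
        cond.append(role_match(role_ids[0]))       # exactly the issue's Condition
    else:
        disj = ET.SubElement(cond, "Apply", FunctionId=F_OR)
        for rid in role_ids:                        # any listed role is enough
            disj.append(role_match(rid))
    return ET.tostring(rule, encoding="unicode")


def bound_roles(rule_xml):
    """Role IDs the rule's Condition checks; [] means it applies to any subject."""
    rule = ET.fromstring(rule_xml)
    path = "Condition//Apply[@FunctionId='%s']/AttributeValue" % F_ANY_OF
    return [av.text for av in rule.findall(path)]


# Constructed, trimmed version of the issue's Target-only rule (placeholder RuleId).
SAMPLE_RULE = (
    '<Rule RuleId="example-rule-1" Effect="Permit"><Target><AnyOf><AllOf>'
    '<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">'
    '<AttributeValue DataType="%s">/api/role1</AttributeValue>'
    '<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" '
    'AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="%s" MustBePresent="true"/>'
    '</Match></AllOf></AnyOf></Target></Rule>' % (XS_STRING, XS_STRING)
)
```

Without the Condition, `bound_roles` returns an empty list, which is exactly the state in which AuthzForce permits every token holder regardless of the GUI role assignment.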