2022-09-30

Authzforce condition evaluation of matchAny in multi-valued string

I'm looking for a way to define a condition in a policy rule, so that when we pass multiple string values in our certificate and try to authenticate with AuthzForce against that rule, assuming the string value in the condition is equal to one of the string values we passed in the certificate, I want the rule to evaluate to 'true'. For example, if the attribute value of the condition is "DNS:google.com" and the multiple string values we receive from the certificate are ["DNS:google.nl", "DNS:google.com"], I would expect the rule to evaluate to 'true', as one of those values is equal to the value of the condition ("DNS:google.com").

I tried to achieve this defining a rule with this condition:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
  <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>

I used the 'string-is-in' XACML operator in the condition; however, the rule evaluates to false. The attributes I send via the certificate using the crypto library look like this when they reach the PDP:

  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
    </Attribute>
  </Attributes>

Right now, with the way I defined the condition rule and the way I sent the multi-string in the certificate, I manage to get the rule to evaluate to 'true' only if ALL values of the certificate are equal to, or contain as a substring, the string value of the condition. So it's more of a "matchAll". That is not what I want: I would like the rule to evaluate to 'true' if even one string in the multi-string in the certificate is equal to the string in the condition, meaning I'm looking to implement a "matchAny" approach rather than the "matchAll" approach I have here.

Could you please advise me why the rule evaluates to 'false' with my current implementation and how to correct it, using perhaps a different XACML operator? Pasting the policy below as well as in the comments.

<PolicySet PolicySetId="root" Version="0.1.2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Target/>
    <Policy PolicyId="dbfcb643-cb39-4560-9c11-95112df970d0" Version="0.1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" MaxDelegationDepth="10">
        <Description>Policy for EAP authentications by SAN dns domains</Description>
        <Target/>
        <Rule RuleId="86ef9adb-2acb-43a1-aac6-b01fdeab9a44" Effect="Permit">
            <Description>Permit by certificate's SAN dns domain</Description>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <Description>new condition</Description>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
                        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EAP</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:radius-auth-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Apply>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Apply>
                </Apply>
            </Condition>
            <AdviceExpressions>
                <AdviceExpression AdviceId="authorization-result" AppliesTo="Permit">
                    <AttributeAssignmentExpression AttributeId="profile-id">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bbfc5e21-0e9f-40a6-a5c6-fedd921bff2c</AttributeValue>
                    </AttributeAssignmentExpression>
                </AdviceExpression>
            </AdviceExpressions>
        </Rule>
    </Policy>
</PolicySet>
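An added example (not part of the original post) of the request shape that makes string-is-in behave as a match-any: XACML 3.0 represents a multi-valued attribute as a single <Attribute> carrying several <AttributeValue> children, and that bag is what string-is-in's second argument consumes. Two <Attributes> elements with the same Category are not a bag; a PDP with the Multiple Decision Profile enabled (AuthzForce supports repeated categories) evaluates them as separate requests, each with a one-element SAN bag and its own Result. The environment attribute is carried over from the posted policy; the SAN values below are constructed sample data.

```xml
<!-- Added example request, not from the original post. One <Attribute> with
     several <AttributeValue> children is the XACML bag that the posted
     condition string-is-in("DNS:google.com", <SAN bag>) tests against. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:radius-auth-type" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EAP</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- A single certificate category, so no Multiple Decision Profile split:
       the PDP sees one SAN bag holding both values and returns one Result. -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
      <!-- string-is-in / string-equal compare exactly; a leading or trailing
           space (as in " DNS:google.nl" in the posted request) never matches. -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.nl</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

With this encoding the posted string-is-in condition is already a "matchAny"; the any-of/string-equal form used for the environment check in the posted policy is the equivalent higher-order spelling of the same test.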

