
Duplicate Resource on XACML request should give Indeterminate response #976

Open
Tracked by #758
jonkjetiloye opened this issue Aug 8, 2024 · 0 comments
Labels
kind/bug Used when something isn't working

Comments


jonkjetiloye commented Aug 8, 2024

Description of the bug

If a XACML request specifies more than one resource attribute:

```json
"Resource": [
    {
        "Attribute": [
            {
                "AttributeId": "urn:altinn:resource",
                "Value": "jks-test-resource",
                "DataType": "http://www.w3.org/2001/XMLSchema#string"
            },
            {
                "AttributeId": "urn:altinn:resource",
                "Value": "test_resourceid",
                "DataType": "http://www.w3.org/2001/XMLSchema#string"
            },
            {
                "AttributeId": "urn:altinn:organization:identifier-no",
                "Value": "910459880",
                "DataType": "http://www.w3.org/2001/XMLSchema#string"
            }
        ]
    }
]
```

Only one of the resource attributes is actually used to authorize access, but which one?
This should instead have resulted in a "decision": "Indeterminate" response with a "statusMessage" explaining that multiple resources in a single request are not allowed. To authorize multiple resources, a multi-request should be used.

Steps To Reproduce

URL PDP Decision (internal PDP API): {{baseUrl}}/authorization/api/v1/decision
URL PDP Authorize (external PDP API): {{baseUrl}}/authorization/api/v1/authorize

Token (Authorize API requires serviceowner token with scope: altinn:authorization/authorize)

Header (both APIs require the subscription key header for the test environment):
Ocp-Apim-Subscription-Key

Testuser Resource Request Body example:

```json
{
    "Request": {
        "ReturnPolicyIdList": false,
        "AccessSubject": [
            {
                "Attribute": [
                    {
                        "AttributeId": "urn:altinn:person:identifier-no",
                        "Value": "02056260016",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        ],
        "Action": [
            {
                "Attribute": [
                    {
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "Value": "read",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        ],
        "Resource": [
            {
                "Attribute": [
                    {
                        "AttributeId": "urn:altinn:resource",
                        "Value": "test_resourceid",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    },
                    {
                        "AttributeId": "urn:altinn:resource",
                        "Value": "jks-test-resource",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    },
                    {
                        "AttributeId": "urn:altinn:organization:identifier-no",
                        "Value": "910459880",
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    }
                ]
            }
        ]
    }
}
```

Additional Information

No response
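The following is an added illustration of the pre-check the issue asks for; it is not code from the Altinn Authorization project or from the issue author. It takes a XACML JSON request shaped like the reproduction body above, rejects any Resource entry that carries more than one value for a single-valued attribute (here `urn:altinn:resource`), and returns an Indeterminate decision with a statusMessage instead of silently evaluating one of the values. The lowercase `decision`/`statusMessage` keys follow the wording of the issue; the `status`/`statusCode` nesting and the set of single-valued attributes are assumptions for this example, and the sample request is constructed.

```python
import json
from collections import defaultdict

# Constructed sample, modelled on the reproduction body in the issue: the
# Resource category carries two values for urn:altinn:resource.
SAMPLE_REQUEST = json.loads("""
{
  "Request": {
    "ReturnPolicyIdList": false,
    "AccessSubject": [{"Attribute": [
      {"AttributeId": "urn:altinn:person:identifier-no", "Value": "02056260016",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}],
    "Action": [{"Attribute": [
      {"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "read",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}],
    "Resource": [{"Attribute": [
      {"AttributeId": "urn:altinn:resource", "Value": "test_resourceid",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"},
      {"AttributeId": "urn:altinn:resource", "Value": "jks-test-resource",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"},
      {"AttributeId": "urn:altinn:organization:identifier-no", "Value": "910459880",
       "DataType": "http://www.w3.org/2001/XMLSchema#string"}]}]
  }
}
""")

# Attributes that must appear at most once per Resource entry. This set is an
# assumption for the example; the issue names urn:altinn:resource as the case.
SINGLE_VALUED_RESOURCE_ATTRIBUTES = frozenset({"urn:altinn:resource"})

# Standard XACML status code for a request the PDP cannot evaluate.
PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"


def duplicated_attributes(resource_entry, single_valued=SINGLE_VALUED_RESOURCE_ATTRIBUTES):
    """Map AttributeId -> list of values for every single-valued attribute that
    occurs more than once in one Resource entry. An empty dict means no conflict."""
    values = defaultdict(list)
    for attribute in resource_entry.get("Attribute", []):
        attribute_id = attribute.get("AttributeId")
        if attribute_id in single_valued:
            values[attribute_id].append(attribute.get("Value"))
    return {aid: vals for aid, vals in values.items() if len(vals) > 1}


def precheck_request(request):
    """Hypothetical guard to run before policy evaluation.

    Returns None when the request is well-formed (normal evaluation proceeds),
    otherwise an Indeterminate decision carrying a statusMessage. The response
    shape is an assumption for this example, not the project's API."""
    for index, resource_entry in enumerate(request["Request"].get("Resource", [])):
        conflicts = duplicated_attributes(resource_entry)
        if conflicts:
            detail = "; ".join(
                f"{aid} has {len(vals)} values ({', '.join(map(str, vals))})"
                for aid, vals in sorted(conflicts.items())
            )
            return {
                "decision": "Indeterminate",
                "status": {"statusCode": PROCESSING_ERROR},
                "statusMessage": (
                    f"Resource entry {index} specifies multiple resources: {detail}. "
                    "Multiple resources in a single request are not allowed; "
                    "use a multi-request to authorize more than one resource."
                ),
            }
    return None


def single_resource_request():
    """Constructed well-formed variant of SAMPLE_REQUEST with one resource value."""
    request = json.loads(json.dumps(SAMPLE_REQUEST))  # cheap deep copy
    attributes = request["Request"]["Resource"][0]["Attribute"]
    request["Request"]["Resource"][0]["Attribute"] = [
        a for a in attributes if a["Value"] != "jks-test-resource"
    ]
    return request


if __name__ == "__main__":
    print(json.dumps(precheck_request(SAMPLE_REQUEST), indent=2))
    print(precheck_request(single_resource_request()))
```

Running the module prints the Indeterminate response for the duplicated request and `None` for the single-resource variant. The point of failing closed here is that a PDP which quietly picks one of two resource identifiers may grant access on the basis of the wrong one; refusing to evaluate makes the ambiguity visible to the caller, who can then issue a multi-request as the issue suggests.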
