OpenAM / OPENAM-6013

Resource types are missing in XACML exported policy and it is not possible to import it


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: policy
    • Environment:
      OpenAM 13.0.0-SNAPSHOT Build 13878 (2015-May-20 02:54)

      Description

      Resource types are missing in XACML exported policy and it is not possible to import it

      STEPS TO REPRODUCE:
      1.) Create a policy
      e.g:

      Name=testPolicy,
      Resource Types=URL,
      PATTERNS=*://*:*/*,
      Actions=POST,GET,
      Subject=Authenticated Users

      2.) Export policy

      curl \
        --request GET \
        --header "iPlanetDirectoryPro: <ADMIN TOKEN>" \
        --header "Content-Type: application/json" \
        http://openam.example.com:8080/openam/xacml/policies
      

      Exported policy

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="2015.05.20.09.01.51.020" PolicySetId="/:2015.05.20.09.01.51.020">
          <Target/>
          <Policy RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="2015.05.20.09.00.18.553" PolicyId="testPolicy">
              <Description></Description>
              <Target>
                  <AnyOf>
                      <AllOf>
                          <Match MatchId="urn:sun:opensso:entitlement:json-subject-match">
                              <AttributeValue DataType="urn:sun:opensso:entitlement:json-subject-type:org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers">{}</AttributeValue>
                              <AttributeDesignator MustBePresent="true" DataType="urn:sun:opensso:entitlement:json-subject-type:org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers" AttributeId="urn:sun:opensso:entitlement:json-subject" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
                          </Match>
                      </AllOf>
                  </AnyOf>
                  <AnyOf>
                      <AllOf>
                          <Match MatchId="urn:sun:opensso:entitlement:resource-match:application:iPlanetAMWebAgentService">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">*://*:*/*</AttributeValue>
                              <AttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
                          </Match>
                      </AllOf>
                  </AnyOf>
                  <AnyOf>
                      <AllOf>
                          <Match MatchId="urn:sun:opensso:application-match">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">iPlanetAMWebAgentService</AttributeValue>
                              <AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:sun:opensso:application-id" Category="urn:sun:opensso:application-category"/>
                          </Match>
                      </AllOf>
                  </AnyOf>
                  <AnyOf>
                      <AllOf>
                          <Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                              <AttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"/>
                          </Match>
                      </AllOf>
                      <AllOf>
                          <Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
                              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                              <AttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"/>
                          </Match>
                      </AllOf>
                  </AnyOf>
              </Target>
              <VariableDefinition VariableId="sun.opensso.entitlement.applicationName">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">iPlanetAMWebAgentService</AttributeValue>
              </VariableDefinition>
              <VariableDefinition VariableId="sun.opensso.privilege.createdBy">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org</AttributeValue>
              </VariableDefinition>
              <VariableDefinition VariableId="sun.opensso.privilege.lastModifiedBy">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org</AttributeValue>
              </VariableDefinition>
              <VariableDefinition VariableId="sun.opensso.privilege.creationDate">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2015-05-20T09:00:18.553</AttributeValue>
              </VariableDefinition>
              <VariableDefinition VariableId="sun.opensso.privilege.lastModifiedDate">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2015-05-20T09:00:18.553</AttributeValue>
              </VariableDefinition>
              <Rule Effect="Permit" RuleId="null:permit-rule">
                  <Description>Permit Rule</Description>
                  <Target>
                      <AnyOf>
                          <AllOf>
                              <Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
                                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
                                  <AttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"/>
                              </Match>
                          </AllOf>
                          <AllOf>
                              <Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
                                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                                  <AttributeDesignator MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"/>
                              </Match>
                          </AllOf>
                      </AnyOf>
                  </Target>
                  <Condition>
                      <Apply FunctionId="urn:sun:opensso:entitlement:json-subject-and-condiiton-satisfied">
                          <AttributeValue DataType="urn:sun:opensso:entitlement:json-subject-type:org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers" privilegeComponent="entitlementSubject">{}</AttributeValue>
                      </Apply>
                  </Condition>
              </Rule>
          </Policy>
      </PolicySet>
      

      3.) Save the output to the xml file (test.xml)
      4.) Delete created policy (testPolicy)
      5.) Import policy from file

      curl \
        --request POST \
        --header "iPlanetDirectoryPro: <ADMIN TOKEN>" \
        --header "Content-Type: application/xml" \
        --data @test.xml http://openam.example.com:8080/openam/xacml/policies

      Observed result:
      resource type is null

      <?xml version="1.0" encoding="UTF-8"?><error><code>400</code><reason>Bad Request</reason><message>Invalid resource type null, must be one from the set defined against the containing application.
      

      Expected Result:
      Policy is imported
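A pre-import check for an export like the one above, added here as an example and not part of the report or of OpenAM itself: it parses the XACML PolicySet, summarises each Policy (application, resource patterns, actions) and flags policies that carry no resource-type VariableDefinition, the condition behind the 400 "Invalid resource type null" response. The VariableId it looks for (RESOURCE_TYPE_VARIABLE) is an assumed placeholder, since the export on this page contains no such variable; the embedded SAMPLE is a constructed, trimmed copy of the exported testPolicy.

```python
import xml.etree.ElementTree as ET
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
# ASSUMPTION: placeholder VariableId the import would need; the export on this page carries none.
RESOURCE_TYPE_VARIABLE = "sun.opensso.entitlement.resourceType"

# Constructed, trimmed copy of the exported testPolicy from the report (still no resource type).
SAMPLE = """<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="/:sample">
  <Policy PolicyId="testPolicy">
    <Target>
      <AnyOf><AllOf><Match MatchId="urn:sun:opensso:entitlement:resource-match:application:iPlanetAMWebAgentService">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">*://*:*/*</AttributeValue>
      </Match></AllOf></AnyOf>
      <AnyOf><AllOf><Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
      </Match></AllOf><AllOf><Match MatchId="urn:sun:opensso:entitlement:action-match:application:iPlanetAMWebAgentService">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
      </Match></AllOf></AnyOf>
    </Target>
    <VariableDefinition VariableId="sun.opensso.entitlement.applicationName">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">iPlanetAMWebAgentService</AttributeValue>
    </VariableDefinition>
  </Policy>
</PolicySet>"""

def _match_values(policy, kind):
    # Text of each Target Match AttributeValue whose MatchId contains `kind`.
    return [m.findtext("x:AttributeValue", default="", namespaces=NS)
            for m in policy.findall("x:Target/x:AnyOf/x:AllOf/x:Match", NS)
            if kind in m.get("MatchId", "")]

def _variables(policy):
    # VariableId -> AttributeValue text for the policy's VariableDefinition elements.
    return {v.get("VariableId"): v.findtext("x:AttributeValue", default="", namespaces=NS)
            for v in policy.findall("x:VariableDefinition", NS)}

def preflight(xml_text):
    # One summary per Policy. 'importable' is False when the resource-type variable is
    # absent, the condition behind the 400 "Invalid resource type null" seen on import.
    root = ET.fromstring(xml_text)
    report = []
    for policy in root.iter(f"{{{XACML_NS}}}Policy"):
        variables = _variables(policy)
        report.append({
            "policy": policy.get("PolicyId"),
            "application": variables.get("sun.opensso.entitlement.applicationName"),
            "resources": _match_values(policy, ":resource-match:"),
            "actions": _match_values(policy, ":action-match:"),
            "importable": RESOURCE_TYPE_VARIABLE in variables,
        })
    return report
```

Run preflight() over the saved test.xml before the POST; an entry with importable False reproduces the condition this issue reports without a round trip to the server.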

              People

              • Assignee:
                peter.major Peter Major
                Reporter:
                richard.hruza Richard Hruza
                QA Assignee:
                Richard Hruza