OpenAM / OPENAM-9982

Policies: an AuthLevelCondition overrides the previous policies' decisions

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0
    • Fix Version/s: None
    • Component/s: policy

      Description

      In a policy set, I set up the following two policies (applying to the URL pattern "*://app.example.com:*/*"):

      • one that allows GET for authenticated users
      • one that allows POST for authenticated users during a defined time window
      {
          "pagedResultsCookie": null, 
          "remainingPagedResults": 0, 
          "result": [
              {
                  "actionValues": {
                      "GET": true
                  }, 
                  "active": true, 
                  "applicationName": "AuthenticationLevelEnforcement", 
                  "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
                  "creationDate": "2016-10-28T12:26:34.376Z", 
                  "description": "", 
                  "lastModifiedBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
                  "lastModifiedDate": "2016-10-28T12:26:34.376Z", 
                  "name": "GET for authenticated users", 
                  "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2", 
                  "resources": [
                      "*://app.example.com:*/*"
                  ], 
                  "subject": {
                      "type": "AuthenticatedUsers"
                  }
              }, 
              {
                  "actionValues": {
                      "POST": true
                  }, 
                  "active": true, 
                  "applicationName": "AuthenticationLevelEnforcement", 
                  "condition": {
                      "endDay": "", 
                      "endTime": "14:00", 
                      "enforcementTimeZone": "Europe/Paris", 
                      "startDay": "", 
                      "startTime": "08:00", 
                      "type": "SimpleTime"
                  }, 
                  "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
                  "creationDate": "2016-10-28T12:33:10.337Z", 
                  "description": "", 
                  "lastModifiedBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
                  "lastModifiedDate": "2016-10-28T12:35:17.7Z", 
                  "name": "POST during time window", 
                  "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2", 
                  "resources": [
                      "*://app.example.com:*/*"
                  ], 
                  "subject": {
                      "type": "AuthenticatedUsers"
                  }
              }
          ], 
          "resultCount": 2, 
          "totalPagedResults": -1, 
          "totalPagedResultsPolicy": "NONE"
      }
      

      Then I evaluate the policy decision on that resource:

      • during the time window in which POST is allowed:
        [
            {
                "actions": {
                    "GET": true, 
                    "POST": true
                }, 
                "advices": {}, 
                "attributes": {}, 
                "resource": "http://app.example.com:8000/pep/index.html", 
                "ttl": 1477670400000
            }
        ]
        

        The decision states that the authenticated user is allowed to GET and POST and that the decision is valid until Fri 28 Oct 18:00:00 CEST 2016.

      • during the time window in which POST is not allowed:
        [
            {
                "actions": {
                    "GET": true
                }, 
                "advices": {}, 
                "attributes": {}, 
                "resource": "http://app.example.com:8000/pep/index.html", 
                "ttl": 9223372036854775807
            }
        ]
        

        Even though the authenticated user is no longer allowed to POST to the resource, I can see that he is still allowed to GET the resource.

      Then I add a third policy: allow DELETE for authenticated users that have an authentication level greater than or equal to 2.
      Here is the JSON definition:

      {
          "actionValues": {
              "DELETE": true
          }, 
          "active": true, 
          "applicationName": "AuthenticationLevelEnforcement", 
          "condition": {
              "authLevel": 2, 
              "type": "AuthLevel"
          }, 
          "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
          "creationDate": "2016-10-28T13:01:42.830Z", 
          "description": "", 
          "lastModifiedBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", 
          "lastModifiedDate": "2016-10-28T13:14:04.800Z", 
          "name": "DELETE for authenticated users with level 2", 
          "resourceTypeUuid": "76656a38-5f8e-401b-83aa-4ccb74ce88d2", 
          "resources": [
              "*://app.example.com:*/*"
          ], 
          "subject": {
              "type": "AuthenticatedUsers"
          }
      }
      

      I evaluate the policy decision to check what my authenticated user (with authentication level 0) is allowed to do on the resource. Here is the response I get:

      [
          {
              "actions": {}, 
              "advices": {
                  "AuthLevelConditionAdvice": [
                      "2"
                  ]
              }, 
              "attributes": {}, 
              "resource": "http://app.example.com:8000/pep/index.html", 
              "ttl": 1477670400000
          }
      ]
      

      No action at all is allowed to the user any more, even though he should be allowed to GET (and POST if the evaluation is requested during the correct time window). However, I notice that the ttl corresponds to the time limit of my policy on "POST".
      With this response, we have no choice but to force the user to authenticate at a higher level, even for GET or POST.

            People

            • Assignee: Unassigned
            • Reporter: Laurent Vaills (laurent.vaills)
            • Votes: 0
            • Watchers: 5

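The following is an added example, not code from this bug report or from OpenAM. It takes the three policy decision responses quoted above (embedded as constructed sample data so it runs offline) and shows how a policy enforcement point (PEP) would consume them: only an explicit `true` under `actions` permits a method, `ttl` is epoch milliseconds with `Long.MAX_VALUE` (9223372036854775807) meaning the decision never expires, and the value carried in `AuthLevelConditionAdvice` is the level the user must step up to. Run against the third response it makes the reported effect concrete: every method, GET included, comes back as a step-up rather than an allow. The `enforce`/`verdicts` helpers and their return labels are assumptions of this example, not an OpenAM API.

```python
"""PEP-side reading of OpenAM policy decision responses.

Added example: the enforcement rules here are an assumption about how a
policy enforcement point would consume a decision, not OpenAM code.
"""
from datetime import datetime, timezone

RESOURCE = "http://app.example.com:8000/pep/index.html"

# Long.MAX_VALUE in the ttl field: the decision does not expire.
NO_EXPIRY = 9223372036854775807

# Constructed sample data: the three responses quoted in the report.
DECISION_IN_WINDOW = [{
    "actions": {"GET": True, "POST": True}, "advices": {}, "attributes": {},
    "resource": RESOURCE, "ttl": 1477670400000,
}]
DECISION_OUT_OF_WINDOW = [{
    "actions": {"GET": True}, "advices": {}, "attributes": {},
    "resource": RESOURCE, "ttl": NO_EXPIRY,
}]
DECISION_WITH_AUTHLEVEL = [{
    "actions": {}, "advices": {"AuthLevelConditionAdvice": ["2"]},
    "attributes": {}, "resource": RESOURCE, "ttl": 1477670400000,
}]

# Evaluation times used by the demo: inside the 08:00-14:00 Paris window
# (10:00 UTC = 12:00 CEST) and after the in-window decision's ttl.
SAMPLE_NOW = datetime(2016, 10, 28, 10, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2016, 10, 28, 17, 0, tzinfo=timezone.utc)


def decision_for(decisions, resource):
    """Pick the entry for exactly this resource; never reuse a decision
    that was computed for a different resource."""
    for entry in decisions:
        if entry.get("resource") == resource:
            return entry
    raise LookupError(f"no decision for {resource}")


def expires_at(decision):
    """ttl is epoch milliseconds; Long.MAX_VALUE means 'never expires'."""
    ttl = int(decision["ttl"])
    if ttl >= NO_EXPIRY:
        return None
    return datetime.fromtimestamp(ttl / 1000, tz=timezone.utc)


def required_auth_level(decision):
    """Highest level requested via AuthLevelConditionAdvice, or None."""
    values = decision.get("advices", {}).get("AuthLevelConditionAdvice", [])
    levels = [int(v) for v in values]
    return max(levels) if levels else None


def enforce(decisions, resource, method, current_auth_level, now):
    """Return 'allow', 'deny', 'step-up' or 'stale' for one request.

    Deny by default: a method missing from 'actions' is not allowed.
    """
    decision = decision_for(decisions, resource)
    expiry = expires_at(decision)
    if expiry is not None and now >= expiry:
        return "stale"      # must re-evaluate before trusting this decision
    if decision["actions"].get(method) is True:
        return "allow"
    required = required_auth_level(decision)
    if required is not None and current_auth_level < required:
        return "step-up"    # redirect the user to authenticate at 'required'
    return "deny"


def verdicts(decisions, current_auth_level, now, methods=("GET", "POST", "DELETE")):
    """Verdict per HTTP method for the sample resource."""
    return {m: enforce(decisions, RESOURCE, m, current_auth_level, now) for m in methods}


if __name__ == "__main__":
    for label, decisions in (("in window", DECISION_IN_WINDOW),
                             ("out of window", DECISION_OUT_OF_WINDOW),
                             ("with AuthLevel policy", DECISION_WITH_AUTHLEVEL)):
        print(f"{label}: {verdicts(decisions, 0, SAMPLE_NOW)} "
              f"(expires {expires_at(decisions[0])})")
```

The interesting line of output is the third one: with the AuthLevel policy in the set, a level-0 user is sent to step up for GET and POST as well, which is exactly the behaviour the report objects to. The "stale" branch matters in practice too: the in-window decision expires at 16:00 UTC (18:00 CEST), so a PEP that caches it must re-evaluate after that point rather than keep granting POST.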