AuthzForce XACML Response is Indeterminate

Published 2019-07-25 21:14

Question:

I am exploring AuthzForce XACML 3.0 and I have been running into issues. I keep getting my responses as Indeterminate. Below are my setup and the exception trace it throws. Any help is appreciated.

Request File:

<?xml version="1.0" encoding="utf-8"?>
<Request  ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">46</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

Policy File:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">
    <Description>
        Policy for Conformance Test IIA011.
    </Description>
    <Target />
    <Rule Effect="Permit"
        RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
        <Description>
            Anyone who is 45 integer years old may perform any
            action on any resource.
        </Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
                    <AttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false" />
                </Apply>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
            </Apply>
        </Condition>
    </Rule>
</Policy>

PDP Config File:

<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
    <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="policy.xml" />
</pdp>

Exception Trace:

org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-equal: indeterminate arg
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:662)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evaluate(BaseFirstOrderFunctionCall.java:359)
    at org.ow2.authzforce.core.pdp.impl.expression.ApplyExpressions$VariableApplyExpression.evaluate(ApplyExpressions.java:87)
    at org.ow2.authzforce.core.pdp.impl.rule.ConditionEvaluators$BooleanExpressionEvaluator.evaluate(ConditionEvaluators.java:94)
    at org.ow2.authzforce.core.pdp.impl.rule.RuleEvaluator.evaluate(RuleEvaluator.java:535)
    at org.ow2.authzforce.core.pdp.impl.combining.CombiningAlgEvaluators$RulesWithSameEffectEvaluator.evaluate(CombiningAlgEvaluators.java:134)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:764)
    at org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators$BaseTopLevelPolicyElementEvaluator.evaluate(PolicyEvaluators.java:881)
    at org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluators$StaticView.findAndEvaluate(RootPolicyEvaluators.java:190)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$IndividualDecisionRequestEvaluator.evaluateInNewContext(BasePdpEngine.java:685)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine$NonCachingIndividualDecisionRequestEvaluator.evaluate(BasePdpEngine.java:730)
    at org.ow2.authzforce.core.pdp.impl.BasePdpEngine.evaluate(BasePdpEngine.java:984)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:128)
    at org.ow2.authzforce.core.pdp.api.io.BasePdpEngineAdapter.evaluate(BasePdpEngineAdapter.java:149)
    at XACMLTester.main(XACMLTester.java:29)
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Indeterminate arg #0
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.evalPrimitiveArgs(BaseFirstOrderFunctionCall.java:94)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall.access$200(BaseFirstOrderFunctionCall.java:53)
    at org.ow2.authzforce.core.pdp.api.func.BaseFirstOrderFunctionCall$EagerSinglePrimitiveTypeEval.evaluate(BaseFirstOrderFunctionCall.java:658)
    ... 14 more
Caused by: org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException: Function urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only: Invalid arg #0: empty bag or bag size > 1. Required: one and only one value in bag.
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions$SingletonBagToPrimitive.<init>(FirstOrderBagFunctions.java:82)
    at org.ow2.authzforce.core.pdp.api.func.FirstOrderBagFunctions.getFunctions(FirstOrderBagFunctions.java:554)
    at org.ow2.authzforce.core.pdp.impl.func.StandardFunction.getRegistry(StandardFunction.java:901)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.<init>(PdpEngineConfiguration.java:286)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:479)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:519)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:551)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:687)
    at org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration.getInstance(PdpEngineConfiguration.java:704)
    at XACMLTester.main(XACMLTester.java:23)

The exception says that the bag is either empty or has more than one value, but I do not see that as the problem, as I am providing the data as needed. Any help is appreciated.

Answer 1:

This is quite simple. You are sending 2 ages. You need to send one age only. Try the following:

<xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
         <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
   </xacml-ctx:Attributes>
</xacml-ctx:Request>

Answer 2:

David is right. For your own understanding of how the policy evaluation works, the root-cause message in the exception stack trace says that arg #0, i.e. the first (and only) argument passed to the function integer-one-and-only, which is a bag, does NOT have one and only one value as it should, i.e. it is either empty or has more than one.

Indeed, in your Policy, you define this argument as an AttributeDesignator, i.e. the bag of values of attribute ...:conformance-test:age; and in your Request, you are giving 2 different values to this attribute. So the AttributeDesignator evaluates to a bag of 2 values, which is not valid for the function integer-one-and-only. It is too much.
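Both answers explain the failure from the PDP's side: the AttributeDesignator collects every value the request carries for that Category/AttributeId/DataType into one bag, and integer-one-and-only refuses any bag whose size is not exactly one. The following is an added example, not code from the question, the answers, or the AuthzForce project: a small Python pre-flight lint that applies the same check on the PEP side before a request is sent. It counts the request's bag sizes, finds every AttributeDesignator the policy wraps in a *-one-and-only function, and reports any whose bag would not have exactly one value. The request builder (make_request and its constants) is this example's own construction shaped like the question's request; the policy string is a copy of the question's Condition.

```python
"""Pre-flight lint for a XACML 3.0 request against a policy.

Added example (not from the question, the answers, or the AuthzForce project).
It performs the check that made the PDP return Indeterminate: every
AttributeDesignator wrapped in a *-one-and-only function must resolve to a bag
of exactly one value in the request.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
AGE_ID = "urn:oasis:names:tc:xacml:2.0:conformance-test:age"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"

# The question's policy, reduced to the Condition that matters (constructed copy).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
  Version="1.0">
  <Target/>
  <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


def make_request(ages):
    """Constructed request in the shape of the question's: one subject-id and one
    <Attribute> element per entry in `ages` (the question sends two: 45 and 46)."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     ReturnPolicyIdList="false", CombinedDecision="false")
    subject = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=SUBJECT_CAT)

    def add(attr_id, datatype, text):
        attr = ET.SubElement(subject, f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=datatype).text = text

    add(SUBJECT_ID, XS_STRING, "Julius Hibbert")
    for age in ages:
        add(AGE_ID, XS_INTEGER, str(age))
    return ET.tostring(req, encoding="unicode")


def request_bag_sizes(request_xml):
    """Map (Category, AttributeId, DataType, Issuer) -> number of values.

    XACML merges every <Attribute> with the same Category/AttributeId/DataType/Issuer
    into one bag, so two <Attribute> elements with one value each give a bag of size 2.
    """
    root = ET.fromstring(request_xml)
    sizes = Counter()
    for attrs in root.findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            for value in attr.findall("x:AttributeValue", NS):
                key = (attrs.get("Category"), attr.get("AttributeId"),
                       value.get("DataType"), attr.get("Issuer"))
                sizes[key] += 1
    return dict(sizes)


def one_and_only_designators(policy_xml):
    """Yield (function_id, designator_key) for every AttributeDesignator that is a
    direct argument of a *-one-and-only Apply anywhere in the policy."""
    root = ET.fromstring(policy_xml)
    for apply_el in root.iter(f"{{{XACML_NS}}}Apply"):
        func = apply_el.get("FunctionId", "")
        if not func.endswith("-one-and-only"):
            continue
        for d in apply_el.findall("x:AttributeDesignator", NS):
            yield func, (d.get("Category"), d.get("AttributeId"),
                         d.get("DataType"), d.get("Issuer"))


def lint(request_xml, policy_xml):
    """Return [(function_id, attribute_id, bag_size)] for every one-and-only argument
    whose bag is not exactly one value. An empty bag fails as well: with
    MustBePresent="false" the designator yields an empty bag and one-and-only
    rejects it; with MustBePresent="true" the designator itself is Indeterminate."""
    sizes = request_bag_sizes(request_xml)
    return [
        (func, key[1], sizes.get(key, 0))
        for func, key in one_and_only_designators(policy_xml)
        if sizes.get(key, 0) != 1
    ]


if __name__ == "__main__":
    for ages in ([45, 46], [45], []):
        print(ages, "->", lint(make_request(ages), POLICY_XML) or "OK")
```

Two caveats for the PEP side. First, this lint only saves a round-trip; the PEP must still treat anything other than Permit, including Indeterminate, as a denial, since an Indeterminate from a deny-overrides policy is not NotApplicable and never grants access. Second, if a subject can legitimately carry several values for the attribute, the fix belongs in the policy rather than the request: compare against the whole bag with urn:oasis:names:tc:xacml:1.0:function:integer-is-in (first argument the literal 45, second the AttributeDesignator) instead of collapsing the bag with integer-one-and-only.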