Could you please explain to me how I can use the conversion functions from the provided list of XACML functions for creating the Condition in a Rule of a Policy. For example, this function:
urn:oasis:names:tc:xacml:3.0:function:integer-from-string
I'm using AuthzForce, and my Apply contains an AttributeValue and an AttributeDesignator. My PDP Request contains only string types and I would like to do the conversion into the needed types in the policy.
I tried to do so, but I got an error message: policyset is invalid.
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:all-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
      <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
        <AttributeDesignator
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
          AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          MustBePresent="true"/>
      </Apply>
    </Apply>
  </Apply>
</Condition>
If you are using AuthzForce (esp. authzforce core), the full error message should give more info about which part of the policy is invalid. Anyway, I see at least one issue (which is a very common mistake when starting with XACML): an AttributeDesignator is considered a Bag of values (i.e. possibly multivalued). Therefore, you cannot apply the integer-from-string function directly on it because it takes a simple string value as input, not a Bag. The fix consists of applying one of the *-one-and-only functions (which turns a single-valued bag into a single value) on the AttributeDesignator first, depending on the datatype. More info
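As an added example (not code from the question or the answer above), here is the Condition rewritten so that integer-from-string never receives a Bag. The first variant follows the answer's fix with string-one-and-only; the second is my own addition using the XACML 3.0 higher-order function map for the case where the attribute may carry several values. The category and attribute ids are reused from the question.

```xml
<!-- Variant 1 (as suggested in the answer): string-one-and-only collapses the
     single-valued bag returned by the AttributeDesignator into one string,
     which integer-from-string can then convert. The all-of wrapper is no longer
     needed because the comparison now works on single values; the argument
     order (100 first) is kept from the original question. -->
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <AttributeDesignator
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
          AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          MustBePresent="true"/>
      </Apply>
    </Apply>
  </Apply>
</Condition>

<!-- Variant 2 (my addition, not mentioned in the answer): if the request may
     legitimately carry several values for this attribute, keep all-of and
     convert the whole bag with map, which applies integer-from-string to every
     element and returns a bag of integers that all-of can iterate over. -->
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:all-of">
    <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">100</AttributeValue>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:map">
      <Function FunctionId="urn:oasis:names:tc:xacml:3.0:function:integer-from-string"/>
      <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:testvalue"
        AttributeId="urn:oasis:names:tc:xacml:1.0:testvalue-category:strvalue"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true"/>
    </Apply>
  </Apply>
</Condition>
```

Keep in mind that string-one-and-only yields Indeterminate for an empty or multi-valued bag, and integer-from-string yields Indeterminate (not Deny) when a request string is not a valid integer, so a PDP fed untrusted strings should pair such Conditions with a combining algorithm or fallback Rule that treats Indeterminate as deny.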