authzforce/core

Support XACML <VariableRef> in <Match> via AttributeDesignator workaround

Closed this issue · 0 comments

XACML does not allow <VariableRef> in <Match> elements, only AttributeDesignator/AttributeSelector. This forces policy writers to create extra Rules/Conditions just to match Variable values...

... unless they use a workaround: implement a special AttributeProvider that resolves Variables through AttributeDesignators. What we propose here is to implement this workaround properly once and for all, i.e. make the special AttributeProvider native in AuthzForce:

  • Enhance the AttributeProvider API so that a provider can inform the PDP engine that it supports any attribute in one or more specific categories (new method Set<String> getProvidedAttributeCategories())
  • Enhance the PDP engine's ModularAttributeProvider so that, when no AttributeProvider supports the full input AttributeDesignator specifically (category, ID, issuer... matching none of ap#getProvidedAttributes() for any AttributeProvider ap), it falls back to the AttributeProvider ap that supports the input attribute's whole category (the category ID matches one of ap#getProvidedAttributeCategories()), if there is any
  • Implement the special AttributeProvider that provides the value of the XACML Variable (in the evaluation context) whose VariableId matches the input AttributeDesignator's AttributeId, when the AttributeDesignator's category matches the provider's provided category (returned by getProvidedAttributeCategories()). This special category may be set by configuration; by default it is urn:ow2:authzforce:feature:pdp:category:environment-vars.
  • Unit tests
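The policy-writer side of the workaround, as an added example that is not from the issue or from the AuthzForce project: a Variable is computed once from a request attribute, then matched in a Rule Target through an AttributeDesignator whose Category is the default special category from the proposal and whose AttributeId equals the VariableId. The policy, rule and variable ids and the subject role attribute are assumptions, and the example assumes the PDP is configured with the default category and exposes the Variable value as a single-valued bag.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="example:variable-in-match"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <!-- Variable evaluated once per request: true if the subject has the "admin" role -->
  <VariableDefinition VariableId="subject-is-admin">
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
      <AttributeDesignator
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          MustBePresent="false"/>
    </Apply>
  </VariableDefinition>
  <Rule RuleId="permit-admins" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
            <!-- Workaround: no VariableReference allowed here, so the Variable is read
                 through the special category; AttributeId must equal the VariableId.
                 MustBePresent="true" makes a missing/unresolvable Variable Indeterminate
                 instead of silently NotApplicable. -->
            <AttributeDesignator
                Category="urn:ow2:authzforce:feature:pdp:category:environment-vars"
                AttributeId="subject-is-admin"
                DataType="http://www.w3.org/2001/XMLSchema#boolean"
                MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

Without the special provider, the same designator would simply find no attribute in the request and the rule would never apply, so a PDP that is not configured with this provider evaluates the policy differently; keep that in mind when moving such policies between PDP deployments.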