Same XACML request different response when I use wso2is and Java application - xacml3

Hi, I'm having a problem understanding why I get a different response when I use org.xacmlinfo.xacml.pep.agent.PEPAgent.java and the tryit function in WSO2IS 5.0.0. They are querying the same policy.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="OfficeHours" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Description>denyOutsideOfficeHours</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="PermitInOfficeHours">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">12:00:00</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
PEPAgent
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute>
</Attributes>
</Request>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>
</Status>
</Result>
</Response>
Tryit
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com</AttributeValue>
</Attribute>
</Attributes>
</Request>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
<PolicyIdentifierList>
<PolicyIdReference>OfficeHours</PolicyIdReference>
</PolicyIdentifierList>
</Result>
</Response>

First of all, here are a few comments regarding your policy and rule:
The policy description doesn't match the rule description. In one case you say deny, in the other you say Permit.
You use a Condition where in fact a Target would be enough.
Now, as for the different responses: in one case your code (PEPAgent) doesn't send the current time value and the server (is that the PDP?) doesn't add the time either. In the second case, the Tryit client still doesn't send time but obviously the receiving end (another PDP?) fills in the missing time value.
If you look more closely at your first response, you will notice the following error message:
<StatusMessage>urn:oasis:names:tc:xacml:1.0:function:time-one-and-only expects a bag that contains a single element, got a bag with 0 elements</StatusMessage>
This means that you didn't pass in any value for current-time.
I tested this using the Axiomatics Policy Server and I received the expected behavior.
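The following Python example is added here and is not part of the original thread or of any WSO2 or Axiomatics code. It adds the missing current-time attribute to the PEPAgent request from the question and enforces the response deny-biased, so that an Indeterminate result never grants access. The names ensure_current_time and enforce are hypothetical, and the sample messages are abbreviated from the question.

```python
import xml.etree.ElementTree as ET
from datetime import time

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"
Q = "{%s}" % NS  # ElementTree's qualified-name prefix for the XACML 3.0 namespace
ET.register_namespace("", NS)

# The PEPAgent request and Indeterminate response from the question, abbreviated.
REQUEST = (f'<Request xmlns="{NS}" CombinedDecision="false" ReturnPolicyIdList="false">'
           f'<Attributes Category="{ENV}"><Attribute IncludeInResult="false" '
           'AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id">'
           '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.com'
           '</AttributeValue></Attribute></Attributes></Request>')
INDETERMINATE = (f'<Response xmlns="{NS}"><Result><Decision>Indeterminate</Decision><Status>'
                 '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>'
                 '<StatusMessage>got a bag with 0 elements</StatusMessage>'
                 '</Status></Result></Response>')

# Hypothetical helper names; not part of any WSO2 or XACML library.
def ensure_current_time(request_xml, now):
    """Add environment:current-time (xs:time) unless the request already carries it."""
    root = ET.fromstring(request_xml)
    env = next((a for a in root.findall(Q + "Attributes") if a.get("Category") == ENV), None)
    if env is None:
        env = ET.SubElement(root, Q + "Attributes", Category=ENV)
    ids = [a.get("AttributeId") for a in env.findall(Q + "Attribute")]
    if CURRENT_TIME not in ids:
        attr = ET.SubElement(env, Q + "Attribute", AttributeId=CURRENT_TIME, IncludeInResult="false")
        ET.SubElement(attr, Q + "AttributeValue", DataType=XS_TIME).text = now.strftime("%H:%M:%S")
    return ET.tostring(root, encoding="unicode")

def enforce(response_xml):
    """Deny-biased enforcement: only an explicit Permit grants access."""
    result = ET.fromstring(response_xml).find(Q + "Result")
    if result is None:
        return False, "Indeterminate", "no Result element"
    decision = (result.findtext(Q + "Decision") or "Indeterminate").strip()
    message = (result.findtext(f"{Q}Status/{Q}StatusMessage") or "").strip()
    return decision == "Permit", decision, message

if __name__ == "__main__":
    print(ensure_current_time(REQUEST, time(13, 30, 0)))
    print(enforce(INDETERMINATE))
```

A current-time supplied by the PEP makes the decision depend on the caller's clock, so where the PDP can populate the value itself, as the Tryit path evidently does, that is the preferable source.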

Related

wso2esb enrich mediator deletes node soap:Header

I have 2 child wsse:Security elements in soap:Header and am trying to delete one. I tried to do this with the Enrich Mediator, but instead of replacing soap:Header it deletes it. Here is a simple example that reproduces it:
<inSequence>
<enrich>
<source type="inline" clone="true">
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<foo/>
</soapenv:Header>
</source>
<target xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xpath="//soapenv:Header"/>
</enrich>
<log level="full"/>
</inSequence>
The Log mediator logs the message without the Header. If I add action="child" to the target, everything works just as expected. So I have 2 questions:
1. Why does the enrich mediator act like that?
2. How can I change the header another way?
You should use the header mediator to change SOAP headers.
Have a look here: https://docs.wso2.com/display/ESB481/Header+Mediator
Sample to add a custom header:
<header xmlns:myns="http://com/header" name="myns:MyHeader" value="0"/>
Sample to remove it:
<header xmlns:myns="http://com/header" name="myns:MyHeader" action="remove"/>
You can use this mediator to change HTTP headers: just add a scope attribute with a value equal to 'transport'.

Adding a VersionOne expression using the REST API

I am trying to create a new 'Expression' in VersionOne - effectively adding a new 'comment' to a conversation.
In theory, the rest-1.v1/Data API should allow this, but I can't figure out how to do it - there is precious little documentation about using the API (using POST) to create objects.
FWIW, here's what I'm doing (after successfully accessing the server with valid credentials):
URL:
/rest-1.v1/Data/Expression
XML:
<Asset href="<Server Base URI>/rest-1.v1/Data/Expression">
<Attribute name="AssetType">Expression</Attribute>
<Relation name="InReplyTo" />
<Attribute name="AuthoredAt">2014-05-28T21:48:37.940</Attribute>
<Attribute name="Content">A new comment</Attribute>
<Attribute name="AssetState">64</Attribute>
<Relation name="Author">
<Asset href="<Server Base URI>/rest-1.v1/Data/Member/2015" idref="Member:2015" />
</Relation>
<Relation name="BelongsTo">
<Asset href="<Server Base URI>/rest-1.v1/Data/Conversation/2018" idref="Conversation:2018" />
</Relation>
<Attribute name="Author.Name">user@example.com</Attribute>
<Attribute name="Author.Nickname">User Name</Attribute>
<Relation name="Mentions">
<Asset href="<Server Base URI>/rest-1.v1/Data/Story/2017" idref="Story:2017" />
</Relation>
</Asset>
I keep getting a 400 Bad Request with the following error:
<Error href="<Server Base URI>/rest-1.v1/Data/Expression">
<Message>Violation'Required'AttributeDefinition'Content'Expression</Message>
<Exception class="VersionOne.DataException">
<Message>Violation'Required'AttributeDefinition'Content'Expression</Message>
</Exception>
</Error>
I assume I'm missing something obvious - does anyone know what it is?
If you examine the metadata for a VersionOne Expression, you will see 3 required fields (Author, AuthoredAt, Content). Logically this makes sense to be able to just create a single, zombie expression but I witnessed otherwise. This might be a mistake in the stylesheet or just my browser because it seems POSTing with only those three will return a 400 error. To get a guaranteed working payload, include the relation "inReplyTo" and that is all that you will need to create an expression within the context of a particular Conversation.
Given that you are responding to an existing expression (comment), this should work fine.
POST to rest-1.v1/Data/Expression
<Asset>
<Relation name="Author" act="set">
<Asset idref="Member:2015" />
</Relation>
<Attribute name="AuthoredAt">2014-05-02T21:48:37.940</Attribute>
<Attribute name="Content" act="set">A new comment</Attribute>
<Relation name="InReplyTo" act="set">
<Asset idref="Expression:xxxxx" />
</Relation>
</Asset>
You don't need Asset state or mentions or belongs to. AssetState is readonly, and BelongsTo is filled in automatically after your Expression is created. It inherits a reference to the containing Conversation from the Expression object entered in the InReplyTo field and the Mentions relation is optional.
FYI,
I believe that you didn't see the Legend on the right hand side of the meta query output as seen in a browser. Real quick here, when you do a meta query, the items with * are required to Post, Bold items are Read/Write optional, the italicized items are readonly, and the bold items towards the bottom that are appended with ": operation" are the operations that you are allowed to do against that particular asset.

Microsoft Dynamics CRM 2011 PlugIn RetrieveMultiple Does not return custom attribute on pricelist

I am writing a simple PlugIn for Dynamics CRM 2011 which should retrieve a custom attribute which I customized in the pricelist entity.
When I execute the following code, all standard attributes are returned, but not the one custom attribute which I customized (and published of course). I don't get an error, but simply the attribute 'axi_submarketid' is not returned. If I read data from a completely custom entity, I have no problem.
string fetch = string.Format(@"<fetch version='1.0' output-format='xml-platform' mapping='logical' distinct='false'>
<entity name='pricelevel'>
<attribute name='name' />
<attribute name='transactioncurrencyid' />
<attribute name='enddate' />
<attribute name='begindate' />
<attribute name='statecode' />
<attribute name='pricelevelid' />
<attribute name='axi_submarketid' />
<order attribute='name' descending='false' />
<filter type='and'>
<condition attribute='pricelevelid' operator='eq' uiname='10 Stromlieferung' uitype='pricelevel' value='{0}' />
</filter>
</entity>
</fetch>", pricelevelid);
EntityCollection pricelevel = _service.RetrieveMultiple(new FetchExpression(fetch));
What am I doing wrong?
Thanks for help,
Peter
I solved my issue myself and it is a bit embarrassing :-)
The expected attribute was not delivered, because it had no content. Meaning, not only in the direct context of a PlugIn, but also when requesting data in general: if in an attribute there is no data, the attribute is not sent back, for example if the attribute is NULL or has no value in it.
Thanks anyway, hope this question and answer helps someone else.
Regards,
Peter

Wikipedia API: how to retrieve multiple titles AND resolve redirects in 1 call?

It appears from the MediaWiki API:Query page that you can only resolve a redirect one at a time.
The document even says "The example below isn't really useful because it doesn't use any query modules, but shows how the redirects parameter works."
But how can you get the redirect information -- using a query module that does return multiple results?
If you have any result that returns pages, then you can just append redirects to the query and it resolves the redirects. If you don't have results that return pages, you can usually convert it to that by using a generator.
For example, the query
http://en.wikipedia.org/w/api.php?action=query&list=categorymembers&cmtitle=Category:Redirects_from_gender&redirects
returns something like (shortened)
<api>
<query>
<categorymembers>
<cm pageid="648" ns="0" title="Actress" />
<cm pageid="19887132" ns="0" title="Administratrix" />
</categorymembers>
</query>
</api>
If you convert that into a generator
http://en.wikipedia.org/w/api.php?action=query&generator=categorymembers&gcmtitle=Category:Redirects_from_gender
you get
<api>
<query>
<pages>
<page pageid="648" ns="0" title="Actress" />
<page pageid="19887132" ns="0" title="Administratrix" />
</pages>
</query>
</api>
And if you now add redirects
http://en.wikipedia.org/w/api.php?action=query&generator=categorymembers&gcmtitle=Category:Redirects_from_gender&redirects
you get
<api>
<query>
<redirects>
<r from="Actress" to="Actor" />
<r from="Administratrix" to="Administrator (law)" />
</redirects>
<pages>
<page pageid="21504235" ns="0" title="Actor" />
<page pageid="6676496" ns="0" title="Administrator (law)" />
</pages>
</query>
</api>
You can also use prop=redirects with any generator, e.g. generator=allpages. This is a new feature since MW-1.23, fixing bug T59057.
When using generator=allpages with max limits (gaplimit=max and rdlimit=max) and apihighlimits right is available, all redirects on ArchWiki are resolved in a single query ;)
https://wiki.archlinux.org/api.php?action=query&generator=allpages&gapfilterredir=nonredirects&gaplimit=max&prop=redirects&rdprop=pageid|title|fragment&rdlimit=max

What is the metadata attribute pair in MQFTE? Why is it used?

I am working with wmqfte. While creating a transfer there is a parameter for a metadata attribute pair. What is this used for?
One of the FTE engagements I worked on required email notifications of transfer status. Our approach to this was to add an email step in the transfer and the way we passed in the source and destination addresses was with metadata pairs. The transfer XML is provided below for an example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE request>
<request version="4.00" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="FileTransfer.xsd">
<managedTransfer>
<originator>
<hostName>host.example.com</hostName>
<userID>me</userID>
</originator>
<sourceAgent QMgr="QMGR01" agent="AGENT01"/>
<destinationAgent QMgr="QMGR02" agent="AGENT02"/>
<transferSet priority="5">
<metaDataSet>
<metaData key="email.from">fteadmin@example.com</metaData>
<metaData key="email.to">dept@example.com</metaData>
</metaDataSet>
<item checksumMethod="MD5" mode="binary">
<source disposition="delete" recursive="false">
<file>/root/path/file</file>
</source>
<destination exist="overwrite" type="directory">
<file>/root/path/</file>
</destination>
</item>
</transferSet>
<job>
<name>Your Job Name Here</name>
</job>
</managedTransfer>
</request>
A better way of sending status emails is to watch the transfer notifications published at the Coordination QMgr. However this example does show one possible use for the metadata pairs.