ABAC Service Access Strategy not working as expected?


Baron Fujimoto

Feb 17, 2024, 12:26:53 AM2/17/24
to CAS Community
I'm trying to create a CAS service access strategy that achieves the following:

- require an attribute to have a specific "allow" value

and yet also

- deny if an attribute has a specific "deny" value

i.e., both conditions must be met for successful AuthN.

I have been using the following documentation as a reference guide:

<https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-ABAC.html>

I believe that documentation's section on rejected attributes provides an example that conceptually implements our desired outcome.

I have been successful if I try to implement only one of the conditions. I.e., both of these work as expected:

Required ABAC attribute value:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ]
    }
  }

Deny if ABAC attribute value:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ]
    }
  }

ABAC_Attribute in our case is a multivalued attribute that can take arbitrary values, including those used above.

However, once they are combined as suggested by the ABAC documentation's rejected attributes example, like so:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "required_allow_value" ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "ABAC_Attribute" : [ "java.util.HashSet", [ "rejected_deny_value" ] ]
    }
  }

then CAS still lets the AuthN succeed even if ABAC_Attribute==required_allow_value is not satisfied.

Does anyone know what I might be missing or misunderstanding here? How do I achieve our desired effect?

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Ray Bon

Feb 18, 2024, 12:16:26 PM2/18/24
to cas-...@apereo.org
Baron,

Without looking at the code, this may be treated as an 'or'. That is, the user does not have allow [ false ] but also does not have reject [ ! false ].
You may be able to use a groovy condition (described on the same page) or a custom solution, https://apereo.github.io/cas/7.0.x/services/Service-Access-Strategy-Custom.html

Could the same attribute being used for allow and deny be an issue (unless those attribute names are examples)?

Ray

On Fri, 2024-02-16 at 17:06 -1000, Baron Fujimoto wrote:

Baron Fujimoto

Feb 21, 2024, 12:28:56 AM2/21/24
to cas-...@apereo.org
Nope, I apparently erred in my testing. It does in fact seem to work as expected. I went over the permutations once again (more meticulously this time), and recorded the following results:

required: ABAC_attribute == "required_allow_value"
reject: ABAC_attribute   != "rejected_deny_value"
desired result:          Y  Access is allowed.

required: ABAC_attribute != "required_allow_value"
reject: ABAC_attribute   != "rejected_deny_value"
desired result:          Y  Access is denied. The principal does not have the required attributes [{ABAC_attribute=[required_allow_value]}]

required: ABAC_attribute != "required_allow_value"
reject: ABAC_attribute   == "rejected_deny_value"
desired result:          Y  Access is denied. The principal carries attributes that would reject service access

required: ABAC_attribute == "required_allow_value"
reject: ABAC_attribute   == "rejected_deny_value"
desired result:          Y  Access is denied. The principal carries attributes that would reject service access

My apologies for the confusion. Mea culpa.

It doesn't appear that unauthorizedRedirectUrl may be scoped to either requiredAttributes or rejectedAttributes, but is instead scoped to accessStrategy, so we're not yet able to differentiate our redirectUrls by the specific cause of failure, but I think we should probably be able to craft a dynamic URL for that.


On Tue, Feb 20, 2024 at 11:01 AM Baron Fujimoto <ba...@hawaii.edu> wrote:
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
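As an added illustration (not CAS's own code, and not from any poster), the following Python models how the combined requiredAttributes/rejectedAttributes policy above behaves for a multivalued attribute, reproducing the four permutations recorded in the results table; the attribute name and values are the thread's, and the check order (rejection evaluated before the required check) is inferred from the messages Baron reported, not from the CAS source.

```python
# Illustrative model of a CAS DefaultRegisteredServiceAccessStrategy with both
# requiredAttributes and rejectedAttributes set. Not CAS code: it only mirrors
# the behaviour observed in the thread (required AND not-rejected, not OR).
REQUIRED = {"ABAC_Attribute": {"required_allow_value"}}
REJECTED = {"ABAC_Attribute": {"rejected_deny_value"}}


def is_authorized(principal_attrs, required=REQUIRED, rejected=REJECTED):
    """Return (allowed, reason) for a principal's multivalued attributes.

    A rejected value anywhere in the attribute denies access even when the
    required value is also present, which is why the 'both' case is denied.
    """
    for name, bad_values in rejected.items():
        if set(principal_attrs.get(name, ())) & bad_values:
            return False, "The principal carries attributes that would reject service access"
    for name, good_values in required.items():
        if not set(principal_attrs.get(name, ())) & good_values:
            return False, (
                "The principal does not have the required attributes "
                f"[{{{name}={sorted(good_values)}}}]"
            )
    return True, "Access is allowed"


def truth_table():
    """Evaluate the four permutations from the thread (constructed sample principals)."""
    cases = {
        "allow_only": {"ABAC_Attribute": ["required_allow_value", "unrelated"]},
        "neither": {"ABAC_Attribute": ["unrelated"]},
        "deny_only": {"ABAC_Attribute": ["rejected_deny_value"]},
        "both": {"ABAC_Attribute": ["required_allow_value", "rejected_deny_value"]},
    }
    return {label: is_authorized(attrs)[0] for label, attrs in cases.items()}


if __name__ == "__main__":
    for label, allowed in truth_table().items():
        print(f"{label:10s} -> {'allowed' if allowed else 'denied'}")
```

The reason string returned by is_authorized is the kind of value a dynamic unauthorizedRedirectUrl could branch on, since the strategy itself exposes only one redirect URL.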

Baron Fujimoto

Feb 21, 2024, 12:28:57 AM2/21/24
to cas-...@apereo.org
At least the way the documentation is written for the provided example, it does not suggest a logical OR when evaluating the conditions (in my interpretation).

"The principal *also* must not have an attribute role whose value matches the pattern deny.+."

In our case it is in fact the same (multivalued) attribute, but we're trying to use differing possible values to construct this conditional.

FWIW, I'd like to ultimately redirect the user to a different unauthorizedRedirectUrl depending on which condition was matched, but first I need to get the basic compound conditional policy working as desired.

I'm not opposed to a groovy script, but I have very little experience with that. I'm not even sure how to know what I have available to work with from CAS. Like, how would I access those attribute values? Are there any helpful examples in the documentation? (I find it very difficult to find this sort of stuff in CAS's current docs.)

On Sun, Feb 18, 2024 at 7:16 AM Ray Bon <rb...@uvic.ca> wrote: