Commit c37e69c9 authored by cdanger's avatar cdanger

Added unit tests for issue OW2 #23

parent 8499efca
...@@ -24,6 +24,11 @@ import java.util.List; ...@@ -24,6 +24,11 @@ import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Map.Entry; import java.util.Map.Entry;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.AttributeGUID; import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter; import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.ImmutableIndividualDecisionRequest; import org.ow2.authzforce.core.pdp.api.ImmutableIndividualDecisionRequest;
...@@ -38,11 +43,6 @@ import org.ow2.authzforce.core.pdp.api.value.DatatypeFactoryRegistry; ...@@ -38,11 +43,6 @@ import org.ow2.authzforce.core.pdp.api.value.DatatypeFactoryRegistry;
import com.koloboke.collect.map.hash.HashObjObjMaps; import com.koloboke.collect.map.hash.HashObjObjMaps;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/** /**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular) * Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
* *
...@@ -52,8 +52,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter ...@@ -52,8 +52,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
{ {
/** /**
* *
* Factory for this type of request filter that allows duplicate <Attribute> with same meta-data in the same * Factory for this type of request filter that allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec,
* <Attributes> element of a Request (complying with XACML 3.0 core spec, §7.3.3). * §7.3.3).
* *
*/ */
public static final class LaxFilterFactory implements RequestFilter.Factory public static final class LaxFilterFactory implements RequestFilter.Factory
...@@ -70,12 +70,10 @@ public final class DefaultRequestFilter extends BaseRequestFilter ...@@ -70,12 +70,10 @@ public final class DefaultRequestFilter extends BaseRequestFilter
} }
@Override @Override
public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final Processor xmlProcessor) final Processor xmlProcessor)
{ {
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
requireContentForXPath, xmlProcessor);
} }
/** /**
...@@ -87,8 +85,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter ...@@ -87,8 +85,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
/** /**
* *
* Factory for this type of request filter that does NOT allow duplicate <Attribute> with same meta-data in * Factory for this type of request filter that does NOT allow duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (NOT complying fully with XACML
* the same <Attributes> element of a Request (NOT complying fully with XACML 3.0 core spec, §7.3.3). * 3.0 core spec, §7.3.3).
* *
*/ */
public static final class StrictFilterFactory implements RequestFilter.Factory public static final class StrictFilterFactory implements RequestFilter.Factory
...@@ -102,63 +100,54 @@ public final class DefaultRequestFilter extends BaseRequestFilter ...@@ -102,63 +100,54 @@ public final class DefaultRequestFilter extends BaseRequestFilter
} }
@Override @Override
public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, public RequestFilter getInstance(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final boolean strictAttributeIssuerMatch, final boolean requireContentForXPath,
final Processor xmlProcessor) final Processor xmlProcessor)
{ {
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
requireContentForXPath, xmlProcessor);
} }
} }
private DefaultRequestFilter(final DatatypeFactoryRegistry datatypeFactoryRegistry, private DefaultRequestFilter(final DatatypeFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates,
final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates,
final boolean requireContentForXPath, final Processor xmlProcessor) final boolean requireContentForXPath, final Processor xmlProcessor)
{ {
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
xmlProcessor);
} }
/** {@inheritDoc} */ /** {@inheritDoc} */
@Override @Override
public List<? extends IndividualDecisionRequest> filter(final List<Attributes> attributesList, public List<? extends IndividualDecisionRequest> filter(final List<Attributes> attributesList, final JaxbXACMLAttributesParser xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned,
final JaxbXACMLAttributesParser xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
final boolean combinedDecision, final XPathCompiler xPathCompiler,
final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{ {
final Map<AttributeGUID, Bag<?>> namedAttributes = HashObjObjMaps.newUpdatableMap(attributesList.size()); final Map<AttributeGUID, Bag<?>> namedAttributes = HashObjObjMaps.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashObjObjMaps.newUpdatableMap(attributesList.size()); final Map<String, XdmNode> extraContentsByCategory = HashObjObjMaps.newUpdatableMap(attributesList.size());
final List<Attributes> attributesToIncludeInResult = new ArrayList<>(); /*
* attributesToIncludeInResult.size() <= attributesList.size()
*/
final List<Attributes> attributesToIncludeInResult = new ArrayList<>(attributesList.size());
for (final Attributes jaxbAttributes : attributesList) for (final Attributes jaxbAttributes : attributesList)
{ {
final String categoryName = jaxbAttributes.getCategory(); final String categoryName = jaxbAttributes.getCategory();
final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
.parseAttributes(jaxbAttributes, xPathCompiler);
if (categorySpecificAttributes == null) if (categorySpecificAttributes == null)
{ {
// skip this empty Attributes // skip this empty Attributes
continue; continue;
} }
final XdmNode oldVal = extraContentsByCategory.put(categoryName, final XdmNode oldVal = extraContentsByCategory.put(categoryName, categorySpecificAttributes.getExtraContent());
categorySpecificAttributes.getExtraContent());
/* /*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple * No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
* Decision Profile. So we must check duplicate attribute categories.
*/ */
if (oldVal != null) if (oldVal != null)
{ {
throw new IndeterminateEvaluationException( throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
"Unsupported repetition of Attributes[@Category='" + categoryName + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",
StatusHelper.STATUS_SYNTAX_ERROR);
} }
/* /*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee * Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* that attribute values remain constant during the evaluation of the request, as mandated by the XACML * mandated by the XACML spec, section 7.3.5: <p> <i>
* spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)" * "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p> * </i></p>
*/ */
...@@ -167,15 +156,13 @@ public final class DefaultRequestFilter extends BaseRequestFilter ...@@ -167,15 +156,13 @@ public final class DefaultRequestFilter extends BaseRequestFilter
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue()); namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
} }
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null) if (catSpecificAttrsToIncludeInResult != null)
{ {
attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult); attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult);
} }
} }
return Collections.singletonList(new ImmutableIndividualDecisionRequest(namedAttributes, return Collections.singletonList(new ImmutableIndividualDecisionRequest(namedAttributes, extraContentsByCategory, attributesToIncludeInResult, isApplicablePolicyIdListReturned));
extraContentsByCategory, attributesToIncludeInResult, isApplicablePolicyIdListReturned));
} }
} }
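Review bot: In filter() (the hunk starting at `@@ -102,63 +100,54 @@`) the repeated-category check keys off the value returned by `extraContentsByCategory.put(categoryName, ...)`, and `Map.put` returns null both for a brand-new key and when the previously stored value was itself null; if getExtraContent() can return null for an Attributes element without Content (not visible here, please confirm), a request that repeats such a category would slip past the `oldVal != null` test and the second element would silently replace the first instead of being rejected with STATUS_SYNTAX_ERROR. Checking membership before storing, `if (extraContentsByCategory.containsKey(categoryName)) { throw new IndeterminateEvaluationException(...); }` followed by the put, makes the rejection independent of the stored value. The remaining hunks in this section only reflow to a wider column limit; the exception message now sits on a single line of well over 200 characters, which is harder to read in review than the previous wrapping.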
...@@ -36,6 +36,8 @@ import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg; ...@@ -36,6 +36,8 @@ import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg; import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter; import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import com.google.common.base.Preconditions;
/** /**
* This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny to take precedence over any number of permit, not applicable or indeterminate * This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny to take precedence over any number of permit, not applicable or indeterminate
* results. Note that since this implementation does an ordered evaluation, this class also supports the Ordered-Deny-Overrides-algorithm. * results. Note that since this implementation does an ordered evaluation, this class also supports the Ordered-Deny-Overrides-algorithm.
...@@ -137,7 +139,7 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable> ...@@ -137,7 +139,7 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements) public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException throws UnsupportedOperationException, IllegalArgumentException
{ {
return new Evaluator(combinedElements); return new Evaluator(Preconditions.checkNotNull(combinedElements));
} }
} }
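Review bot: `Preconditions.checkNotNull(combinedElements)` throws NullPointerException, while getInstance() declares only UnsupportedOperationException and IllegalArgumentException, so the new failure mode is not part of the documented contract; either add `@throws NullPointerException if {@code combinedElements} is null` to the Javadoc (which starts outside the hunk) or throw IllegalArgumentException to match what is declared. Passing a label gives callers a usable message: `return new Evaluator(Preconditions.checkNotNull(combinedElements, "combinedElements"));`. The same check is available as `Objects.requireNonNull(combinedElements, "combinedElements")` from the JDK, which avoids the new Guava import in this file if Guava is not already a declared dependency of this module.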
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="policyset-with-duplicate-PolicyId-across-PolicySets"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicySetId across PolicySets
</Description>
<Target />
<PolicySet PolicySetId="PS1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId within PolicySet
</Description>
<Target />
<Policy PolicyId="P1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P3" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
</PolicySet>
<PolicySet PolicySetId="PS2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId within PolicySet
</Description>
<Target />
<Policy PolicyId="P2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P4" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
</PolicySet>
</PolicySet>
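Review bot: The top-level `<Description>` of this fixture says "Test detection of duplicate PolicySetId across PolicySets", but the file actually duplicates a PolicyId (`P2` appears under PS1 and again under PS2), and the descriptions inside PS1 and PS2 say "within PolicySet" although the duplicate is across them; the text should read `Purpose: Test detection of duplicate PolicyId across PolicySets`. The fixture further down that declares the same `PolicySetId="policyset-with-duplicate-PolicyId-across-PolicySets"` (the one with children PS0 and PS4) has the reverse problem: its id and description say PolicyId while its content duplicates PolicySetId `PS2`, so it should become `PolicySetId="policyset-with-duplicate-PolicySetId-across-PolicySets"` with `Purpose: Test detection of duplicate PolicySetId across PolicySets`. Giving both files the same top-level id also makes a failing test harder to attribute and could confuse any loader that indexes fixtures by PolicySetId.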
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="policyset-with-duplicate-PolicyId"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId within PolicySet
</Description>
<Target />
<Policy PolicyId="P1" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P2" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P3" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P4" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P2" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
<Policy PolicyId="P5" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Target />
</Policy>
</PolicySet>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="policyset-with-duplicate-PolicySetId-within-PolicySet"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicySetId within a PolicySet
</Description>
<Target />
<PolicySet PolicySetId="PS1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS4" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
</PolicySet>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="policyset-with-duplicate-PolicySetId-in-PolicySet-branch"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicySetId within a branch of PolicySets
</Description>
<Target />
<PolicySet PolicySetId="PS1" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
<PolicySet PolicySetId="PS2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
<PolicySet PolicySetId="PS3" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
<PolicySet PolicySetId="PS4" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
<PolicySet PolicySetId="PS2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
<PolicySet PolicySetId="PS5" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Target />
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
</PolicySet>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="policyset-with-duplicate-PolicyId-across-PolicySets"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId across PolicySets
</Description>
<Target />
<PolicySet PolicySetId="PS0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId within PolicySet
</Description>
<Target />
<PolicySet PolicySetId="PS1" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS2" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS3" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Target />
</PolicySet>
</PolicySet>
<PolicySet PolicySetId="PS4" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" Version="1.0">
<Description>
Purpose: Test detection of duplicate PolicyId within PolicySet
</Description>
<Target />
<PolicySet PolicySetId="PS2" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Target />
</PolicySet>
<PolicySet PolicySetId="PS5" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
<Target />
</PolicySet>
</PolicySet>
</PolicySet>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="policy-with-duplicate-RuleId" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
Version="1.0">
<Description>
Purpose: Test detection of duplicate RuleId within Policy
</Description>
<Target />
<Rule Effect="Permit" RuleId="rule1" />
<Rule Effect="Permit" RuleId="rule2" />
<Rule Effect="Permit" RuleId="rule3" />
<Rule Effect="Permit" RuleId="rule4" />
<Rule Effect="Permit" RuleId="rule5" />
<Rule Effect="Permit" RuleId="rule3" />
<Rule Effect="Permit" RuleId="rule6" />
</Policy>
...@@ -7,7 +7,7 @@ https://github.com/att/XACML/wiki/XACML-TEST-Project-Information ...@@ -7,7 +7,7 @@ https://github.com/att/XACML/wiki/XACML-TEST-Project-Information
For a description of the tests, see file `ConformanceTests.html` which is the original HTML description published on the OASIS xacml-comments mailing list. For a description of the tests, see file `ConformanceTests.html` which is the original HTML description published on the OASIS xacml-comments mailing list.
**WARNING**: There are several issues with these original conformance tests (as of 26 September 2015) and changes done to adapt to our PDP implementation: **WARNING**: There are several issues with these original conformance tests (as of 26 September 2015) and therefore have been fixed to adapt to our PDP implementation:
1. For all tests testing the validation of XACML policy syntax, our PDP implementation is expected to reject the policy at initialization time, before receiving any Request. For these tests, the original Request.xml and Response.xml have been renamed to Request.xml.ignore and Response.xml.ignore to indicate to our test framework that an invalid policy syntax is expected. 1. For all tests testing the validation of XACML policy syntax, our PDP implementation is expected to reject the policy at initialization time, before receiving any Request. For these tests, the original Request.xml and Response.xml have been renamed to Request.xml.ignore and Response.xml.ignore to indicate to our test framework that an invalid policy syntax is expected.
1. For tests testing the validation of XACML Request syntax, our PDP implementation is expected to reject the request before evaluation. For these tests, the original Policy.xml and Response.xml have been renamed to Policy.xml.ignore and Response.xml.ignore to indicate to our test framework that an invalid Request syntax is expected. 1. For tests testing the validation of XACML Request syntax, our PDP implementation is expected to reject the request before evaluation. For these tests, the original Policy.xml and Response.xml have been renamed to Policy.xml.ignore and Response.xml.ignore to indicate to our test framework that an invalid Request syntax is expected.
...@@ -22,6 +22,7 @@ For a description of the tests, see file `ConformanceTests.html` which is the or ...@@ -22,6 +22,7 @@ For a description of the tests, see file `ConformanceTests.html` which is the or
1. IIA023Request.xml using timezone -14:30 in AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-dateTime" and "urn:oasis:names:tc:xacml:1.0:environment:current-time" with datatype "http://www.w3.org/2001/XMLSchema#dateTime" and "http://www.w3.org/2001/XMLSchema#time" respectively. This is not valid per XML schema dateTime and time definitions. We fixed it here replacing them with timezone -14:00. 1. IIA023Request.xml using timezone -14:30 in AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-dateTime" and "urn:oasis:names:tc:xacml:1.0:environment:current-time" with datatype "http://www.w3.org/2001/XMLSchema#dateTime" and "http://www.w3.org/2001/XMLSchema#time" respectively. This is not valid per XML schema dateTime and time definitions. We fixed it here replacing them with timezone -14:00.
1. IIA023Request.xml contains c\_clown@NOSE\_MEDICO.COM in one of the urn:oasis:names:tc:xacml:1.0:subject:subject-rfc822Name attributes, which is not valid (underscore is illegal in Domain name). Fixed here by replacing with "c\_clown@NOSE.MEDICO.COM". 1. IIA023Request.xml contains c\_clown@NOSE\_MEDICO.COM in one of the urn:oasis:names:tc:xacml:1.0:subject:subject-rfc822Name attributes, which is not valid (underscore is illegal in Domain name). Fixed here by replacing with "c\_clown@NOSE.MEDICO.COM".
1. IIB010Policy.xml and IIB011Policy.xml mention SubjectCategory in Description, which is not valid in XACML 3.0 schema (errata in section 8) 1. IIB010Policy.xml and IIB011Policy.xml mention SubjectCategory in Description, which is not valid in XACML 3.0 schema (errata in section 8)
1. IID312Policy.xml not valid because of duplicate Rule with RuleId = ...rule-5.
1. IID321-329 missing. 1. IID321-329 missing.
1. IID334-339 missing. 1. IID334-339 missing.
1. IIE tests concern Policy(Set)IdReference, therefore require configuration of the referenced policies in a separate repository. In the original conformance tests provided by AT&T, this is done in the ATT-specific way with a IIEXXXRepository.properties file. We use a directory named 'IIEXXXRepository' containing all the referenced policies instead. For more advanced tests on Policy references, see the 'others' directory. 1. IIE tests concern Policy(Set)IdReference, therefore require configuration of the referenced policies in a separate repository. In the original conformance tests provided by AT&T, this is done in the ATT-specific way with a IIEXXXRepository.properties file. We use a directory named 'IIEXXXRepository' containing all the referenced policies instead. For more advanced tests on Policy references, see the 'others' directory.
......
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
PolicySetId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIB300:policyset" PolicySetId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIB300:policyset"
Version="1.0" Version="1.0"
......
...@@ -133,32 +133,5 @@ ...@@ -133,32 +133,5 @@
</Target> </Target>
</Rule> </Rule>
<Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:rule5">
<Description>
A subject who is at least 5 years older than Bart
Simpson may read Bart Simpson's medical record. PERMIT.
</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bart-simpson-age" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
</Apply>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">5</AttributeValue>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression FulfillOn="Permit" ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:obligation-2">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID312:assignment2">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment2</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy> </Policy>