OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

[xacml] List of mandatory date/duration functions

  • 1.  [xacml] List of mandatory date/duration functions

    Posted 07-25-2002 21:02
    Attached is an updated copy of ConformanceTests.html, which contains an updated list of mandatory functions. Please review to see if this is correct. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692 Title: XACML Conformance Tests XACML Conformance Tests Version: 1.6, 02/07/25 (yy/mm/dd) Author: Anne Anderson Source: /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.ConformanceTests.html Contents Description of Tests Mandatory-to-Implement Functionality Tests Attribute References Target Matching Function Evaluation Combining Algorithms Schema components Optional Functionality Tests Obligations Advice Multiple Decisions Protecting XML documents Non-mandatory Functions Non-standard Combining Algorithms Non-standard Combining Algorithms Description of Tests Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional functionality. All conforming implementations MUST support all Mandatory-to-Implement functionality. Conforming implementations MAY support specific Optional functionality areas. Tests are divided into groups based on the primary area of functionality or schema being exercised. Each test case consists of three XML documents: An XACML Request An XACML Policy or set of Policy documents An XACML Response A conforming implementation of an XACML Policy Decision Point (PDP) must be able to: Accept the given Request as input Accept the given Policy as input Produce the given Response as output A conforming implementation of an XACML Policy Administration Point (PAP) must be able to generate each given XACML Policy example except for those marked INVALID . Mandatory-to-Implement Functionality Tests This section contains tests of all mandatory-to-implement functionality. All conforming implementations must pass all these tests. Attribute References These tests exercise referencing of attribute values in the Request by a policy. Case: Simple type attribute element present in Request Case: Simple type attribute element not present in Request, but retrievable by Attribute Authority Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority Case: INVALID syntax for Attribute Selector Case: INVALID syntax for Request attribute Target Matching These tests exercise various forms of Target matching. Case: match: anySubject, anyResource, anyAction Case: match: anySubject, anyResource, specified action Case: no match: anySubject, anyResource, specified action Case: match: specific Subject type Case: no match: specific Subject type Case: match: multiple specific Subject types Case: no match: multiple specific Subject types Case: match: specific Subject identifier Case: no match: specific Subject identifier Case: match: specific Subject attribute Case: no match: specific Subject attribute Case: match: specific Subject identifier and attribute Case: no match: specific Subject identifier and attribute Case: match: specific resource Case: no match: specific resource Case: match: specific Resource attribute Case: no match: specific Resource attribute Case: match: multiple specific resources Case: no match: multiple specific resources Case: match: impliedAction Case: no match: impliedAction Case: match: specific action Case: no match: specific action Case: match: multiple specific actions Case: no match: multiple specific actions Function Evaluation These tests exercise each of the functions. Case: Function with Function argument Case: Function with Attribute argument Case: Function with AttributeDesignator argument Case: true: Condition Evaluation Case: false: Condition Evaluation Case: Condition Evaluation - non-boolean datatype Case: function:integer-add Case: function:integer-add - non-integer datatype Case: function:decimal-add Case: function:add-dayTimeDuration-to-time Case: function:add-dayTimeDuration-to-dateTime Case: function:add-yearMonthDurations Case: function:add-dayTimeDurations Case: function:integer-subtract Case: function:decimal-subtract Case: function:time-subtract Case: function:subtract-dayTimeDuration-from-time Case: function:subtract-yearMonthDurations Case: function:subtract-dayTimeDurations Case: function:integer-multiply Case: function:decimal-multiply Case: function:multiply-yearMonthDurations Case: function:multiply-dayTimeDurations Case: function:numeric-divide Case: function:divide-yearMonthDurations Case: function:divide-dayTimeDurations Case: function:integer-mod Case: function:decimal-mod Case: function:round Case: function:floor Case: function:decimal Case: true: function:integer-equal Case: false: function:integer-equal Case: true: function:decimal-equal Case: false: function:decimal-equal Case: true: function:boolean-equal Case: false: function:boolean-equal Case: true: function:string-equal: literal string Case: true: function:string-equal: regExp Case: false: function:string-equal: literal string Case: false: function:string-equal: regExp string Case: true: function:xpath-equal Case: false: function:xpath-equal Case: true: function:rfc822Name-equal Case: true: function:rfc822Name-equal - dominance Case: false: function:rfc822Name-equal Case: false: function:rfc822Name-equal - dominance Case: true: function:x500Name-equal Case: true: function:x500Name-equal - dominance Case: false: function:x500Name-equal Case: false: function:x500Name-equal - dominance Case: true: function:date-equal Case: false: function:date-equal Case: true: function:time-equal Case: false: function:time-equal Case: true: function:datetime-equal Case: false: function:datetime-equal Case: true: function:yearMonthDuration-equal Case: false: function:yearMonthDuration-equal Case: true: function:dayTimeDuration-equal Case: false: function:dayTimeDuration-equal Case: true: function:gregorian-equal Case: false: function:gregorian-equal Case: true: function:hex-binary-equal Case: false: function:hex-binary-equal Case: true: function:base64-binary-equal Case: false: function:base64-binary-equal Case: true: function:anyURI-equal Case: false: function:anyURI-equal Case: true: function:QName-equal Case: false: function:QName-equal Case: true: function:NOTATION-equal Case: false: function:NOTATION-equal Case: true: function:integer-greater-than Case: false: function:integer-greater-than Case: true: function:decimal-greater-than Case: false: function:decimal-greater-than Case: true: function:boolean-greater-than Case: false: function:boolean-greater-than Case: true: function:string-greater-than Case: false: function:string-greater-than Case: true: function:date-greater-than Case: false: function:date-greater-than Case: true: function:time-greater-than Case: false: function:time-greater-than Case: true: function:datetime-greater-than Case: false: function:datetime-greater-than Case: true: function:yearMonthDuration-greater-than Case: false: function:yearMonthDuration-greater-than Case: true: function:dayTimeDuration-greater-than Case: false: function:dayTimeDuration-greater-than Case: true: function:integer-greater-than-or-equal Case: false: function:integer-greater-than-or-equal Case: true: function:decimal-greater-than-or-equal Case: false: function:decimal-greater-than-or-equal Case: true: function:string-greater-than-or-equal Case: false: function:string-greater-than-or-equal Case: true: function:date-greater-than-or-equal Case: false: function:date-greater-than-or-equal Case: true: function:time-greater-than-or-equal Case: false: function:time-greater-than-or-equal Case: true: function:datetime-greater-than-or-equal Case: false: function:datetime-greater-than-or-equal Case: true: function:yearMonthDuration-greater-than-or-equal Case: false: function:yearMonthDuration-greater-than-or-equal Case: true: function:dayTimeDuration-greater-than-or-equal Case: false: function:dayTimeDuration-greater-than-or-equal Case: true: function:string-match: literal string Case: true: function:string-match: regExp Case: false: function:string-match: literal string Case: false: function:string-match: regExp Case: true: function:and Case: false: function:and Case: true: function:or Case: false: function:or Case: true: function:ordered-or Case: false: function:ordered-or Case: true: function:n-of Case: false: function:n-of Case: true: function:not Case: false: function:not Case: true: function:present Case: false: function:present Case: true: function:subset Case: false: function:subset Case: true: function:superset Case: false: function:superset Case: true: function:non-null-set-intersection Case: false: function:non-null-set-intersection Combining Algorithms These tests exercise each of the mandatory Combining Algorithms. Case: true: Policy DenyOverrides Case: false: Policy DenyOverrides Case: true: PolicySet DenyOverrides Case: false: PolicySet DenyOverrides Case: true: Policy PermitOverrides Case: false: Policy PermitOverrides Case: true: PolicySet PermitOverrides Case: false: PolicySet PermitOverrides Schema components This section lists test cases for certain components of the schema not exercised by tests cases above. Case: RuleDesignator Case: PolicyStatementDesignator Case: PolicySetStatementDesignator Case: PolicyStatement inside Assertion Case: PolicySetStatement inside Assertion Case: PolicySet including PolicySetId Case: PolicySet including PolicyId Case: PolicySet including PolicySetStatement Case: PolicySet including PolicyStatement Case: PolicySet including PolicySetAssertion Case: PolicySet including PolicyAssertion Case: PolicySet including PolicySetAssertion reference Case: PolicySet including PolicyAssertion reference Case: RuleSet containing Rule Case: RuleSet containing RuleDesignator Case: RuleDesignator containing RuleDigest Case: Request SubjectId containing Format Case: Request SubjectId containing Qualifier Case: Request Subject containing ds:KeyInfo Case: Request Subject containing AuthenticationInfo Method Case: Request Subject containing AuthenticationInfo Instant Case: Request Attribute containing Issuer Case: Request Attribute containing IssueInstant Case: Request ResourceSpecifier containing Format Case: Request ResourceSpecifier containing Scope:Immediate Case: Request ResourceSpecifier containing Scope:Children Case: Request ResourceSpecifier containing Scope:Descendants Case: Response containing DecisionType Indeterminate Case: match: EnvironmentAttribute Case: no match: EnvironmentAttribute Optional Functionality Tests These tests exercise areas of functionality that are not mandatory-to-implement. Obligations Case: Obligation containing AttributeDesignator Case: Obligation containing AttributeAssignment Advice Multiple Decisions Protecting XML documents Case: AttributeDesignator pointing into XML document Case: Resource as subspace of an XML document Non-mandatory Functions Functions on Dates In XACML 1.0, we mandate support for time and duration functions and data types, but do not mandate support for functions on dates. In the future, support for functions on dates will be mandatory. Case: function:add-dayTimeDuration-to-date Case: function:add-yearMonthDuration-to-date Case: function:add-yearMonthDuration-to-dateTime Case: function:add-dayTimeDuration-to-dateTime Case: function:subtract-yearMonthDuration-from-date Case: function:subtract-dayTimeDuration-from-date Case: function:date-subtract Case: function:datetime-subtract Case: function:subtract-yearMonthDuration-from-dateTime Case: function:subtract-dayTimeDuration-from-dateTime Non-standard Combining Algorithms Anne Anderson Last modified: Tue Jul 23 14:55:32 EDT 2002 Non-standard Combining Algorithms Anne Anderson Last modified: Thu Jul 25 14:46:15 EDT 2002