Attached is an html document listing my proposed conformance test cases. Before I get too far on creating the test documents for each case, I would appreciate some feedback. Is this list too thorough? If so, what should be cut? Is this list not thorough enough? Remember, we never promised an exhaustive test suite. If you answer yes to this question, you are probably going to get the job of making it more thorough. Are there particular test cases that should be added? What are they? I plan to develop the tests for mandatory functionality. I will roll them out gradually so I can get feedback from implementors. I do not plan to develop the tests for non-mandatory functionality. If one of these areas is important to you or your organization, I invite you to volunteer for developing the tests for those test cases. Anne -- Anne H. Anderson Email:
Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692 Title: XACML Conformance Tests XACML Conformance Tests Version: %I%, %E% (yy/mm/dd) Author: Anne Anderson Source: %P% Contents Description of tests Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional functionality. All conforming implementations MUST support all Mandatory-to-Implement functionality. Conforming implementations MAY support specific Optional functionality areas. Tests are divided into groups based on the primary area of functionality or schema being exercised. An XACML Request An XACML Policy or set of Policy documents An XACML Response A conforming implementation of an XACML Policy Decision Point (PDP) must be able to: Accept the given Request as input Accept the given Policy as input Produce the given Response as output A conforming implementation of an XACML Policy Administration Point (PAP) must be able to generate each given XACML Policy example except for those marked INVALID . Mandatory-to-Implement Functionality Tests Attribute References These tests exercise referencing of attribute values in the Request by a policy. Case: Simple type attribute element present in Request Case: Simple type attribute element not present in Request, but retrievable by Attribute Authority Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority Case: INVALID syntax for Attribute Selector Case: INVALID syntax for Request attribute Target Matching These tests exercise various forms of Target matching. Case: match: anySubject, anyResource, anyAction Case: match: anySubject, anyResource, specified action Case: no match: anySubject, anyResource, specified action Case: match: specific Subject type Case: no match: specific Subject type Case: match: specific Subject identifier Case: no match: specific Subject identifier Case: match: specific Subject attribute Case: no match: specific Subject attribute Case: match: specific Subject identifier and attribute Case: no match: specific Subject identifier and attribute Case: match: specific resource Case: no match: specific resource Case: match: impliedAction Case: no match: impliedAction Case: match: specific action Case: no match: specific action Function Evaluation Case: true: Condition Evaluation Case: false: Condition Evaluation Case: Condition Evaluation - non-boolean datatype Case: function:integer-add Case: function:integer-add - non-integer datatype Case: function:decimal-add Case: function:add-dayTimeDuration-to-time Case: function:add-dayTimeDuration-to-dateTime Case: function:add-yearMonthDurations Case: function:add-dayTimeDurations Case: function:integer-subtract Case: function:decimal-subtract Case: function:time-subtract Case: function:subtract-dayTimeDuration-from-time Case: function:subtract-yearMonthDurations Case: function:subtract-dayTimeDurations Case: function:integer-multiply Case: function:decimal-multiply Case: function:multiply-yearMonthDurations Case: function:multiply-dayTimeDurations Case: function:numeric-divide Case: function:divide-yearMonthDurations Case: function:divide-dayTimeDurations Case: function:integer-mod Case: function:decimal-mod Case: function:round Case: function:floor Case: function:decimal Case: true: function:integer-equal Case: false: function:integer-equal Case: true: function:decimal-equal Case: false: function:decimal-equal Case: true: function:boolean-equal Case: false: function:boolean-equal Case: true: function:string-equal: literal string Case: true: function:string-equal: regExp Case: false: function:string-equal: literal string Case: false: function:string-equal: regExp string Case: true: function:xpath-equal Case: false: function:xpath-equal Case: true: function:rfc822Name-equal Case: true: function:rfc822Name-equal - dominance Case: false: function:rfc822Name-equal Case: false: function:rfc822Name-equal - dominance Case: true: function:x500Name-equal Case: true: function:x500Name-equal - dominance Case: false: function:x500Name-equal Case: false: function:x500Name-equal - dominance Case: true: function:date-equal Case: false: function:date-equal Case: true: function:time-equal Case: false: function:time-equal Case: true: function:datetime-equal Case: false: function:datetime-equal Case: true: function:yearMonthDuration-equal Case: false: function:yearMonthDuration-equal Case: true: function:dayTimeDuration-equal Case: false: function:dayTimeDuration-equal Case: true: function:gregorian-equal Case: false: function:gregorian-equal Case: true: function:hex-binary-equal Case: false: function:hex-binary-equal Case: true: function:base64-binary-equal Case: false: function:base64-binary-equal Case: true: function:anyURI-equal Case: false: function:anyURI-equal Case: true: function:QName-equal Case: false: function:QName-equal Case: true: function:NOTATION-equal Case: false: function:NOTATION-equal Case: true: function:integer-greater-than Case: false: function:integer-greater-than Case: true: function:decimal-greater-than Case: false: function:decimal-greater-than Case: true: function:boolean-greater-than Case: false: function:boolean-greater-than Case: true: function:string-greater-than Case: false: function:string-greater-than Case: true: function:date-greater-than Case: false: function:date-greater-than Case: true: function:time-greater-than Case: false: function:time-greater-than Case: true: function:datetime-greater-than Case: false: function:datetime-greater-than Case: true: function:yearMonthDuration-greater-than Case: false: function:yearMonthDuration-greater-than Case: true: function:dayTimeDuration-greater-than Case: false: function:dayTimeDuration-greater-than Case: true: function:integer-greater-than-or-equal Case: false: function:integer-greater-than-or-equal Case: true: function:decimal-greater-than-or-equal Case: false: function:decimal-greater-than-or-equal Case: true: function:string-greater-than-or-equal Case: false: function:string-greater-than-or-equal Case: true: function:date-greater-than-or-equal Case: false: function:date-greater-than-or-equal Case: true: function:time-greater-than-or-equal Case: false: function:time-greater-than-or-equal Case: true: function:datetime-greater-than-or-equal Case: false: function:datetime-greater-than-or-equal Case: true: function:yearMonthDuration-greater-than-or-equal Case: false: function:yearMonthDuration-greater-than-or-equal Case: true: function:dayTimeDuration-greater-than-or-equal Case: false: function:dayTimeDuration-greater-than-or-equal Case: true: function:string-match: literal string Case: true: function:string-match: regExp Case: false: function:string-match: literal string Case: false: function:string-match: regExp Case: true: function:and Case: false: function:and Case: true: function:or Case: false: function:or Case: true: function:ordered-or Case: false: function:ordered-or Case: true: function:n-of Case: false: function:n-of Case: true: function:not Case: false: function:not Case: true: function:present Case: false: function:present Case: true: function:subset Case: false: function:subset Case: true: function:superset Case: false: function:superset Case: true: function:non-null-set-intersection Case: false: function:non-null-set-intersection Combining Algorithms Case: true: DenyOverrides Case: false: DenyOverrides Case: true: PermitOverrides Case: false: PermitOverrides Designators Case: RuleDesignator Case: PolicyStatementDesignator Case: PolicySetStatementDesignator Case: PolicyStatement inside Assertion Case: PolicySetStatement inside Assertion Optional Functionality Tests Obligations Multiple Decisions Protecting XML documents Case: AttributeDesignator pointing into XML document Case: Resource as subspace of an XML document Non-mandatory Functions Durations Case: function:add-dayTimeDuration-to-date Case: function:add-yearMonthDuration-to-date Case: function:add-yearMonthDuration-to-dateTime Case: function:add-dayTimeDuration-to-dateTime Case: function:subtract-yearMonthDuration-from-date Case: function:subtract-dayTimeDuration-from-date Case: function:date-subtract Case: function:datetime-subtract Case: function:subtract-yearMonthDuration-from-dateTime Case: function:subtract-dayTimeDuration-from-dateTime Non-standard Combining Algorithms Anne Anderson Last modified: Tue Jul 23 14:55:32 EDT 2002