Subject: [xacml] [CR] 0047:Function specification for XPath handler


I propose to add the following two functions. Both are XPath-related
functions. I attached the modified policy specifications of Examples 1 and 2
(they might have mistakes). This proposal has also been agreed by Simon.

[A] Request of function additions:

- function:xpath-equal    comparison of two DOM node sets
- function:xpath-match    hierarchical comparison of two DOM node sets


[B] Function description:

- function:xpath-equal:
This function takes two arguments, the first of "xs:string" and the second
of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath
expressions as defined in the XPath 1.0 specification [1]. This function returns
true if the set of DOM nodes obtained by applying the first XPath expression
to the XACML Request Context includes at least one DOM node that is also
obtained by applying the second XPath expression to the XACML Request
Context. If the first XPath or the second XPath does not return a DOM node set,
this function returns false. When an XPath expression includes one or more
namespace prefixes, they are resolved using the XPathNamespace element
specified in the corresponding Policy element or PolicySet element.

For example, the following expression shall return true:
<Apply FunctionId="function:xpath-equal">
  <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
  <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
</Apply>

- function:xpath-match:
This function takes two arguments, the first of "xs:string" and the second
of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath
expressions as defined in the XPath 1.0 specification [1]. This function first
extends the first argument to support pseudo-hierarchical access control on
the XML document structure. If "a" is an element node and it is specified as
the first argument, the function replaces it with "a | a//* | a//@*", meaning
all the elements and attributes below the specified element "a". If "a"
is an attribute node, then the function does not modify the first argument.
Then this function internally calls the xpath-equal function and returns the
same value.

For example, the following expression shall return true when the
"urn:...:xpath" attribute returns an md:patient element that is below an
md:record element:
<Apply FunctionId="function:xpath-match">
  <AttributeValue>//md:record</AttributeValue>
  <Apply FunctionId="function:string-one-and-only">
    <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
  </Apply>
</Apply>

The above function is internally replaced by:

<Apply FunctionId="function:xpath-equal">
  <AttributeValue>//md:record | //md:record//* | //md:record//@*</AttributeValue>
  <Apply FunctionId="function:string-one-and-only">
    <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
  </Apply>
</Apply>
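The semantics of both proposed functions can be checked with a small interpreter. The following is an added example, not code from this proposal or from any XACML implementation: it evaluates a constructed XACML Request Context with the standard library only, so it implements a small XPath 1.0 subset (absolute paths, "/" and "//", element and attribute steps, "*" and "@*", [@attr='v'] predicates, "|" union) rather than full XPath. The request document, the namespace map NSMAP (standing in for the Policy's XPathNamespace element), and the helper names are all assumptions made for the illustration; the proposal's rule that a non-node-set result yields false is modelled by treating any unparseable expression as false, and "a is an attribute node" is decided statically from the last step of the first argument.

```python
"""Added example: minimal interpreter for the proposed xpath-equal and
xpath-match functions over a constructed XACML Request Context.
Only a subset of XPath 1.0 is supported (see the lead-in); all names,
the document and the namespace map below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed namespace map, playing the role of the Policy's XPathNamespace.
NSMAP = {"md": "urn:example:md"}
# Constructed request context: a Subject with two attributes and a resource
# whose content holds an md:record with an md:patient element below it.
REQUEST = ET.fromstring("""
<Request>
  <Subject>
    <Attribute AttributeId="role"><AttributeValue>physician</AttributeValue></Attribute>
    <Attribute AttributeId="id"><AttributeValue>u1</AttributeValue></Attribute>
  </Subject>
  <Resource><ResourceContent xmlns:md="urn:example:md">
    <md:record><md:patient name="Alice"/></md:record>
    <md:other/>
  </ResourceContent></Resource>
</Request>""")

DOC = object()  # sentinel for the document node (parent of the root element)
_STEP = re.compile(r"(//|/)([^/]+)")  # location steps of an absolute path
_TEST = re.compile(r'(@?[\w:.*-]+)((?:\[@[\w:.-]+=(?:"[^"]*"|\'[^\']*\')\])*)$')
_PRED = re.compile(r'\[@([\w:.-]+)=(["\'])([^"\']*)\2\]')  # [@name='value']


def _qname(name, nsmap):
    """Translate prefix:local into ElementTree's {uri}local form."""
    if ":" not in name:
        return name
    prefix, local = name.split(":", 1)
    if prefix not in nsmap:
        raise ValueError("unbound namespace prefix " + prefix)
    return "{%s}%s" % (nsmap[prefix], local)


def _children(node, root):
    if node is DOC:
        return [root]
    return list(node) if isinstance(node, ET.Element) else []  # attributes have no children


def _desc_or_self(node, root):
    yield node
    for child in _children(node, root):
        yield from _desc_or_self(child, root)


def _apply_step(ctx, step, root, nsmap):
    """Apply one child-axis or attribute-axis step to every node in ctx."""
    m = _TEST.match(step)
    if not m:
        raise ValueError("unsupported step " + step)
    test = m.group(1)
    preds = [(p[0], p[2]) for p in _PRED.findall(m.group(2))]
    out = set()
    for node in ctx:
        if test.startswith("@"):  # attribute nodes are modelled as (owner, name)
            if not isinstance(node, ET.Element):
                continue
            want = None if test == "@*" else _qname(test[1:], nsmap)
            out.update((node, k) for k in node.attrib if want in (None, k))
        else:
            want = None if test == "*" else _qname(test, nsmap)
            for child in _children(node, root):
                if want in (None, child.tag) and all(
                        child.get(_qname(a, nsmap)) == v for a, v in preds):
                    out.add(child)
    return out


def evaluate(root, expr, nsmap):
    """Evaluate a (subset) XPath expression against the document; returns a node set."""
    result = set()
    for path in expr.split("|"):
        path = path.strip()
        steps = _STEP.findall(path)
        if not steps or "".join(s + t for s, t in steps) != path:
            raise ValueError("unsupported or relative path " + path)
        ctx = {DOC}
        for sep, step in steps:
            if sep == "//":  # descendant-or-self::node() before the step
                ctx = {d for n in ctx for d in _desc_or_self(n, root)}
            ctx = _apply_step(ctx, step, root, nsmap)
        result |= ctx
    return result


def xpath_equal(root, a, b, nsmap=NSMAP):
    """function:xpath-equal: true iff the two node sets share at least one node."""
    try:
        return not evaluate(root, a, nsmap).isdisjoint(evaluate(root, b, nsmap))
    except ValueError:  # not a node set in this interpreter: false, as proposed
        return False


def expand(expr):
    """Rewrite a single element-selecting path 'a' into 'a | a//* | a//@*'."""
    steps = _STEP.findall(expr.strip())
    if not steps or steps[-1][1].startswith("@"):  # attribute node: unchanged
        return expr
    return "%s | %s//* | %s//@*" % (expr, expr, expr)


def xpath_match(root, a, b, nsmap=NSMAP):
    """function:xpath-match: expand the first argument, then apply xpath-equal."""
    return xpath_equal(root, expand(a), b, nsmap)
```

Running xpath_match(REQUEST, "//md:record", "//md:patient") returns true only because the expansion adds the record's descendants; the plain xpath_equal on the same two expressions is false, which is the difference between the two proposed functions. Attribute-valued first arguments are left unexpanded, so xpath_match(REQUEST, "//md:patient/@name", "//md:patient") stays false.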


[C] Modified policy examples:

(Besides this proposal, I removed the DataType attribute and inserted the
string-one-and-only function in several places.)

(See attached file: XACML-SimplePolicy.txt)
(See attached file: XACML-Rule2.txt)
(See attached file: XACML-Rule3.txt)
(See attached file: XACML-rule4.txt)
(See attached file: XACML-Rule1.txt)

[1] XPath 1.0, http://www.w3.org/TR/xpath

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
