Subject: RE: [xacml-dev] Conformance Tests for V1
Hi Seth,

Thanks for your help. In CT#IIIF007 it was a bug in my XPath handling related to the namespaces.

But regarding IIIA014, why do you say "Policy2 Obligations are Permit Obligations"? Here is the list of Obligations (I've removed the AttributeAssignment elements):

    <Obligation ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:policy2:obligation-1" FulfillOn="Permit">
    </Obligation>
    <Obligation ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:policy2:obligation-2" FulfillOn="Permit">
    </Obligation>
    <Obligation ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:policy2:obligation-3" FulfillOn="Deny">
    </Obligation>
    <Obligation ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:policy2:obligation-4" FulfillOn="Deny">
    </Obligation>

There are 4 obligations, 2 of them are for Permit and 2 for Deny. Since the Policy2 will evaluate as Permit, obligations 3 and 4 must be returned. Am I ok?

Thanks in advance,
Diego Gonzalez
Lagash Systems SA

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM]
Sent: Monday, October 25, 2004 8:29 AM
To: diego gonzalez
Cc: xacml-dev@lists.oasis-open.org
Subject: RE: [xacml-dev] Conformance Tests for V1

I can't provide answers to all these, but I'll tell you what I know...

On Wed, 2004-10-20 at 16:52, diego gonzalez wrote:
> [...]
> * IIIF005. XPath compilation error. "//md:record[?]/..." I have an
> invalid token error, I think it is the "?", this is probably related to the
> version of XPath supported by .NET. On the other hand, the XPath version
> supported in XACML is 1.0 (as described in the XPathVersion element
> description) and quantifiers as predicates are not supported in XPath
> 1.0, they were added in XPath 2.0. Seems the conformance test is using
> an XPath 2.0 feature.

I'm not an XPath expert, so I don't know what the answer is here. I've mainly tested XPath handling using Apache's implementation, and I guess I never paid attention to the ? predicate. Is anyone else on this list able to comment?

> * IIIF007. Context node issue. The XPath is
> "./xacml-context/Resource" which seems the context node (./) is the
> Resource element. The spec says the context node will be the Request
> element. So the Condition for the only Rule in this Policy will not find
> any node since all the XPaths will fail. What do you do to pass this
> test?

In the version of the tests I'm looking at, all the paths in IIIF007 are "./xacml-context:Resource" which is fine, since if the "context node" is the Request, then the path refers to Request/Resource. I had to write a little custom code to handle all the possible root/namespace cases, and this definitely bit me the first time around, but I think the path here is correct.

> * IIIA014. The result in the conformance test has 4 Obligations,
> and my implementation is returning 6. I'm passing all the other samples
> related to Obligations except this one. I'm not able to understand why I
> have to return 4 obligations in this test. Here are the execution steps:
> There are 3 policies within a policy set. Each policy has 4
> Obligations, 2 on Deny and 2 on Permit. The PolicySet also has 4
> Obligations, 2 on Deny and 2 on Permit. Policy1 is NotApplicable which
> does not add any Obligation, Policy2 is Permit which adds 2 Obligations
> and Policy3 is Deny which adds 2 Obligations. Since the PolicySet is
> Deny it will add 2 Obligations which sums 6. The 6 Obligations that I'm
> returning are:
> policy2:obligation-1, policy2:obligation-2, policy3:obligation-3,
> policy3:obligation-4, policyset:obligation3 and policyset:obligation4.
>
> The ConformanceTest does not have the policy2:obligation-1 and
> policy2:obligation-2. Can you tell me if the execution steps are
> incorrect?

I'm afraid your steps are slightly wrong. Specifically, you should only return Obligations that have the same FulfillOn Effect as the Effect in your Decision. In this case, the PDP is returning Deny, so only the Deny Obligations are returned, and therefore you don't include the Policy2 Obligations (since they are Permit Obligations). Yeah, I know, it's not obvious from reading the spec that this is the right behavior, but trust me on this one :)

In general, the way this works is that at each node in the tree, you should only propagate up the Obligations that match the Effect that you're returning at that node. Does this help?

seth
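
The propagation rule described in Seth's reply, applied to the IIIA014 layout from the thread, as an added example that is not part of the original messages or of any XACML implementation. Assumptions: the PolicySet combines with a simplified deny-overrides, leaf decisions are fixed instead of evaluated from rules, and Node, evaluate, filter_children and the short obligation ids are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    decision: str = None                 # leaves only: stand-in for real rule evaluation
    children: list = field(default_factory=list)

    def obligations(self):
        # Constructed short ids following the IIIA014 layout:
        # obligation-1/-2 FulfillOn="Permit", obligation-3/-4 FulfillOn="Deny".
        return [(f"{self.name}:obligation-{i}", "Permit" if i <= 2 else "Deny")
                for i in range(1, 5)]

def deny_overrides(decisions):
    # Assumed combining algorithm, simplified (no Indeterminate handling).
    for effect in ("Deny", "Permit"):
        if effect in decisions:
            return effect
    return "NotApplicable"

def evaluate(node, filter_children=True):
    """Return (decision, [(obligation id, fulfill_on)]) for a Policy or PolicySet."""
    if node.children:
        results = [evaluate(c, filter_children) for c in node.children]
        decision = deny_overrides([d for d, _ in results])
        inherited = [ob for _, obs in results for ob in obs]
    else:
        decision, inherited = node.decision, []
    if decision not in ("Permit", "Deny"):
        return decision, []              # NotApplicable contributes nothing
    own = [ob for ob in node.obligations() if ob[1] == decision]
    if filter_children:
        # Rule from the thread: at each node, pass up only obligations whose
        # FulfillOn matches the Effect returned at *this* node.
        inherited = [ob for ob in inherited if ob[1] == decision]
    return decision, inherited + own

def iiia014_tree():
    return Node("policyset", children=[
        Node("policy1", "NotApplicable"),
        Node("policy2", "Permit"),
        Node("policy3", "Deny"),
    ])

def ids(result):
    return [ob_id for ob_id, _ in result[1]]

if __name__ == "__main__":
    print(ids(evaluate(iiia014_tree())))                         # 4 obligations
    print(ids(evaluate(iiia014_tree(), filter_children=False)))  # 6 obligations
```

With filter_children=False the PolicySet keeps whatever its children returned, which reproduces the six-obligation result reported in the quoted message; the default drops the two policy2 Permit obligations at the Deny node.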