RE: [xacml-dev] Conformance Tests for V1

["diego gonzalez" <diegog@lagash.com>]

Hi Seth,

Thanks for your help, in CT#IIIF007 it was a bug in my XPath handling
related with the Namespaces.

But regarding IIIA014, why do you say "Policy2 Obligations are Permit
Obligations", here is the list of Obligations (I've removed the
AttributeAssignment elements)

<Obligation
ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:poli
cy2:obligation-1" FulfillOn="Permit">
</Obligation>

<Obligation
ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:poli
cy2:obligation-2" FulfillOn="Permit">
</Obligation>

<Obligation
ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:poli
cy2:obligation-3" ulfillOn="Deny">
</Obligation>

<Obligation
ObligationId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA014:poli
cy2:obligation-4" FulfillOn="Deny">
</Obligation>

There are 4 obligations, 2 of them are for Permit and 2 for Deny. Since
the Policy2 will evaluate as Permit, obligations 3 and 4 must be
returned. 

Am I ok?

Thanks in advance,
Diego Gonzalez
Lagash Systems SA

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
Sent: Monday, October 25, 2004 8:29 AM
To: diego gonzalez
Cc: xacml-dev@lists.oasis-open.org
Subject: RE: [xacml-dev] Conformance Tests for V1


I can't provide answers to all these, but I'll tell you what I know...

On Wed, 2004-10-20 at 16:52, diego gonzalez wrote:
> [...]
> *	IIIF005. Xpath compilation error. "//md:record[?]/..." I have an
> invalid token error, I think is the "?", this is probably related to
the
> version of XPath supported by .Net. On the other hand, the Xpath
version
> supported in XACML is 1.0 (as described in the XPathVersion element
> description) and quantifiers as predcates are not supported in Xpath
> 1.0, they were added in Xpath 2.0. Seems the conformance test is using
> an Xpath 2.0 feature.

I'm not an XPath expert, so I don't know what the answer is here. I've
mainly tested XPath handling using Apache's implementation, and I guess
I never paid attention to the ? predicate. Is anyone else on this list
able to comment?

> *	IIIF007. Context node issue. The xpath is
> "./xacml-context/Resource" which seems the context node (./) is the
> Resource element. In the spec says the context node will be Request
> element. So the Condition for the only Rule in this Policy will not
find
> any node since all the Xpaths will fail. What do you do to pass this
> test?

In the version of the tests I'm looking at, all the paths in IIIF007 are
"./xacml-context:Resource" which is fine, since if the "context node" is
the Request, then the path refers to Request/Resource. I had to write a
little custom code to handle all the possible root/namespace cases, and
this definately bit me the first time around, but I think the path here
is correct.

> *	IIIA014. The result in the conformance test have 4 Obligations,
> and my implementation is returning 6. I'm passing all the other
samples
> related to Obligations except this one. I{m not able to understand why
I
> have to return 4 obligations in this test. Here's the execution steps:
> There are 3 policies within a policy set. Each policy have 4
> Obligations, 2 on Deny and 2 on Permit. The PolicySet also have 4
> Obligations 2 on Deny and 2 on Permit. Policy1 is NotApplicable which
> does not add any Obligation, Policy2 is Permit which adds 2
Obligations
> and Policy3 is Deny which adds 2 Obligations. Since the PolicySet is
> Deny it will add 2 Obligations which sums 6. The 6 Obligations that
I'm
> returning are:
> policy2:obligation-1, policy2:obligation-2,  policy3:obligation-3,
> policy3:obligation-4, policyset:obligation3 and policyset:obligation4.
> 
> The ConfotmanceTest does not have the policy2:obligation-1 and
> policy2:obligation-2. Can you tell me if the execution steps are
> incorrect?

I'm afriad your steps are slightly wrong. Specifically, you should only
return Obligations that have the same FulfillOn Effect as the Effect in
your Decision. In this case, the PDP is returning Deny, so only the Deny
Obligations are returned, and therefore you don't include the Policy2
Obligations (since they are Permit Obligations). Yeah, I know, it's not
obvious from reading the spec that this is the right behavior, but trust
me on this one :) In general, the way this works is that at each node in
the tree, you should only propigate up the Obligations that match the
Effect that you're returning at that node. Does this help?


seth