xacml-dev message
Subject: Re: [xacml-dev] Handling repetitions of Attribute Category/Id/Issuer/DataType in XACML Request


Hello,
Thanks, Steven, for your answer.
For the record, I also noticed a XACML 2.0 conformance test that confirms your answer to the second point, with an example. I assume the same holds true for XACML 3.0. This is test #24 in section A of section G on the XACML 2.0 conformance tests page [1]. Indeed, in the associated test request [2], the subject-id <Attribute> occurs twice:
...
<Subject>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>Julius Hibbert</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>Zaphod Beedlebrox</AttributeValue>
  </Attribute>
...
</Subject>
...
In the test policy [3], the description of the rule 'urn:oasis:names:tc:xacml:1.0:conformance-test:IIIA024:rule3' reads (content omitted):
[...] (ERROR in passing multi-valued bag to one-and-only function) INDETERMINATE
The Apply with the one-and-only function that the description refers to:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
So the conformance test is expecting an error because of a bag with too many values (two in this case) for the subject-id.
There might be other examples of such things in the conformance tests. I have not checked thoroughly, far from it.

Regards,
Cyril

[1] https://www.oasis-open.org/committees/download.php/14877/ConformanceTests.html
[2] https://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIIA024Request.xml
[3] https://tools.oasis-open.org/version-control/svn/xacml/current/tests/IIIA024Policy.xml

On Thu, Jul 9, 2015 at 9:10 AM, David Brossard <david.brossard@axiomatics.com> wrote:

I agree with Steven on both accounts.

On Jul 9, 2015 7:53 AM, "Steven Legg" <steven.legg@viewds.com> wrote:

Hi Cyril,

On 9/07/2015 9:35 AM, Cyril DANGERVILLE wrote:
Hello,
I have issues understanding what a conformant PDP should do in the cases described below according to the XACML Core specification. Could you please tell me what is the expected behavior?

1) If a given <Request> contains multiple <Attributes> elements with the same Category value, and the PDP does not support the Multiple Decision Profile? (Is the PDP supposed to merge them? Or consider it "unsupported functionality" (§7.19.1) and therefore return "Indeterminate"? Or?)

Merging the <Attributes> would not produce the effect that the PEP is expecting,
so the safe thing to do is to return Indeterminate. Better no answer than the
wrong answer.


2) If a given <Request> contains multiple <Attribute> elements with the same Category, AttributeId, DataType and Issuer (undefined or same value)? (Is the PDP supposed to merge the AttributeValues? Or consider it invalid syntax and therefore return "Indeterminate"? Or?)

The <Attribute> elements don't have a Category or DataType XML attribute. The
DataType XML attribute is on the <AttributeValue> element. Overall, the
specification isn't clear on whether multiple <Attribute> elements with the same
AttributeId and Issuer are permitted, except for Section 7.3.3:

    "If a single <Attribute> element in a request context contains multiple
     <AttributeValue> child elements, then the bag of values resulting from
     evaluation of the <Attribute> element MUST be identical to the bag of
     values that results from evaluating a context in which each <AttributeValue>
     element appears in a separate <Attribute> element, each carrying identical
     meta-data."

So it appears possible and on that basis I've implemented the attribute
designator to collect the values from all <Attribute> elements that match.

Regards,
Steven


Thanks for your help.

Regards,
Cyril
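As an added illustration (not code from this thread or from any XACML product), the following Python model shows the behaviour Steven describes: an attribute designator collects the values of every matching <Attribute> into one bag, so a repeated subject-id yields a two-valued bag and string-one-and-only then produces Indeterminate, as conformance test IIIA024 expects. The request is constructed after the test request; the XACML 2.0 context namespace and identifiers are real, the helper names are my own.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request modelled on IIIA024Request.xml: subject-id occurs twice with identical meta-data.
REQUEST = f"""<Request xmlns="{NS}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>Zaphod Beedlebrox</AttributeValue>
    </Attribute>
  </Subject>
</Request>"""

class Indeterminate(Exception):
    """Evaluation error: the PDP answers Indeterminate rather than guessing."""

def subject_attribute_designator(request_xml, attribute_id, data_type, issuer=None,
                                 must_be_present=False):
    """Collect one bag from every <Subject>/<Attribute> whose meta-data matches,
    exactly as if the values sat in a single <Attribute> (Section 7.3.3)."""
    root = ET.fromstring(request_xml)
    bag = []
    for attr in root.iterfind(f"{{{NS}}}Subject/{{{NS}}}Attribute"):
        if attr.get("AttributeId") != attribute_id or attr.get("DataType") != data_type:
            continue
        if issuer is not None and attr.get("Issuer") != issuer:
            continue  # a designator with no Issuer matches attributes from any issuer
        bag.extend(v.text or "" for v in attr.iterfind(f"{{{NS}}}AttributeValue"))
    if must_be_present and not bag:
        raise Indeterminate("missing-attribute")
    return bag

def string_one_and_only(bag):
    """urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"""
    if len(bag) != 1:
        raise Indeterminate(f"one-and-only applied to a bag of {len(bag)} values")
    return bag[0]

def evaluate_subject_id(request_xml):
    """Mimics rule3 of IIIA024: returns the single subject-id, or 'Indeterminate'."""
    try:
        bag = subject_attribute_designator(request_xml, SUBJECT_ID, STRING, must_be_present=True)
        return string_one_and_only(bag)
    except Indeterminate:
        return "Indeterminate"
```

Removing one of the two values from the constructed request makes the same evaluation return "Julius Hibbert", which is the contrast the test relies on.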


