[xacml] List of mandatory date/duration functions

[Anne Anderson <Anne.Anderson@Sun.com>]

Attached is an updated copy of ConformanceTests.html, which
contains an updated list of mandatory functions.

Please review to see if this is correct.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

Title: XACML Conformance Tests

XACML Conformance Tests

Version: 1.6, 02/07/25 (yy/mm/dd) Author: Anne Anderson Source: /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.ConformanceTests.html

Contents

1. Description of Tests
2. Mandatory-to-Implement Functionality Tests
   1. Attribute References
   2. Target Matching
   3. Function Evaluation
   4. Combining Algorithms
   5. Schema components
3. Optional Functionality Tests
   1. Obligations
   2. Advice
   3. Multiple Decisions
   4. Protecting XML documents
   5. Non-mandatory Functions
   6. Non-standard Combining Algorithms
   7. Non-standard Combining Algorithms

---

Description of Tests

Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional functionality. All conforming implementations MUST support all Mandatory-to-Implement functionality. Conforming implementations MAY support specific Optional functionality areas.

Tests are divided into groups based on the primary area of functionality or schema being exercised.

Each test case consists of three XML documents:

1. An XACML Request
2. An XACML Policy or set of Policy documents
3. An XACML Response

A conforming implementation of an XACML Policy Decision Point (PDP) must be able to:

1. Accept the given Request as input
2. Accept the given Policy as input
3. Produce the given Response as output

A conforming implementation of an XACML Policy Administration Point (PAP) must be able to generate each given XACML Policy example except for those marked INVALID.

---

Mandatory-to-Implement Functionality Tests

This section contains tests of all mandatory-to-implement functionality. All conforming implementations must pass all these tests.

Attribute References

These tests exercise referencing of attribute values in the Request by a policy.
1. Case: Simple type attribute element present in Request
2. Case: Simple type attribute element not present in Request, but retrievable by Attribute Authority
3. Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority
4. Case: INVALID syntax for Attribute Selector
5. Case: INVALID syntax for Request attribute

Target Matching

These tests exercise various forms of Target matching.
1. Case: match: anySubject, anyResource, anyAction
2. Case: match: anySubject, anyResource, specified action
3. Case: no match: anySubject, anyResource, specified action
4. Case: match: specific Subject type
5. Case: no match: specific Subject type
6. Case: match: multiple specific Subject types
7. Case: no match: multiple specific Subject types
8. Case: match: specific Subject identifier
9. Case: no match: specific Subject identifier
10. Case: match: specific Subject attribute
11. Case: no match: specific Subject attribute
12. Case: match: specific Subject identifier and attribute
13. Case: no match: specific Subject identifier and attribute
14. Case: match: specific resource
15. Case: no match: specific resource
16. Case: match: specific Resource attribute
17. Case: no match: specific Resource attribute
18. Case: match: multiple specific resources
19. Case: no match: multiple specific resources
20. Case: match: impliedAction
21. Case: no match: impliedAction
22. Case: match: specific action
23. Case: no match: specific action
24. Case: match: multiple specific actions
25. Case: no match: multiple specific actions

Function Evaluation

These tests exercise each of the functions.
1. Case: Function with Function argument
2. Case: Function with Attribute argument
3. Case: Function with AttributeDesignator argument
4. Case: true: Condition Evaluation
5. Case: false: Condition Evaluation
6. Case: Condition Evaluation - non-boolean datatype
7. Case: function:integer-add
8. Case: function:integer-add - non-integer datatype
9. Case: function:decimal-add
10. Case: function:add-dayTimeDuration-to-time
11. Case: function:add-dayTimeDuration-to-dateTime
12. Case: function:add-yearMonthDurations
13. Case: function:add-dayTimeDurations
14. Case: function:integer-subtract
15. Case: function:decimal-subtract
16. Case: function:time-subtract
17. Case: function:subtract-dayTimeDuration-from-time
18. Case: function:subtract-yearMonthDurations
19. Case: function:subtract-dayTimeDurations
20. Case: function:integer-multiply
21. Case: function:decimal-multiply
22. Case: function:multiply-yearMonthDurations
23. Case: function:multiply-dayTimeDurations
24. Case: function:numeric-divide
25. Case: function:divide-yearMonthDurations
26. Case: function:divide-dayTimeDurations
27. Case: function:integer-mod
28. Case: function:decimal-mod
29. Case: function:round
30. Case: function:floor
31. Case: function:decimal
32. Case: true: function:integer-equal
33. Case: false: function:integer-equal
34. Case: true: function:decimal-equal
35. Case: false: function:decimal-equal
36. Case: true: function:boolean-equal
37. Case: false: function:boolean-equal
38. Case: true: function:string-equal: literal string
39. Case: true: function:string-equal: regExp
40. Case: false: function:string-equal: literal string
41. Case: false: function:string-equal: regExp string
42. Case: true: function:xpath-equal
43. Case: false: function:xpath-equal
44. Case: true: function:rfc822Name-equal
45. Case: true: function:rfc822Name-equal - dominance
46. Case: false: function:rfc822Name-equal
47. Case: false: function:rfc822Name-equal - dominance
48. Case: true: function:x500Name-equal
49. Case: true: function:x500Name-equal - dominance
50. Case: false: function:x500Name-equal
51. Case: false: function:x500Name-equal - dominance
52. Case: true: function:date-equal
53. Case: false: function:date-equal
54. Case: true: function:time-equal
55. Case: false: function:time-equal
56. Case: true: function:datetime-equal
57. Case: false: function:datetime-equal
58. Case: true: function:yearMonthDuration-equal
59. Case: false: function:yearMonthDuration-equal
60. Case: true: function:dayTimeDuration-equal
61. Case: false: function:dayTimeDuration-equal
62. Case: true: function:gregorian-equal
63. Case: false: function:gregorian-equal
64. Case: true: function:hex-binary-equal
65. Case: false: function:hex-binary-equal
66. Case: true: function:base64-binary-equal
67. Case: false: function:base64-binary-equal
68. Case: true: function:anyURI-equal
69. Case: false: function:anyURI-equal
70. Case: true: function:QName-equal
71. Case: false: function:QName-equal
72. Case: true: function:NOTATION-equal
73. Case: false: function:NOTATION-equal
74. Case: true: function:integer-greater-than
75. Case: false: function:integer-greater-than
76. Case: true: function:decimal-greater-than
77. Case: false: function:decimal-greater-than
78. Case: true: function:boolean-greater-than
79. Case: false: function:boolean-greater-than
80. Case: true: function:string-greater-than
81. Case: false: function:string-greater-than
82. Case: true: function:date-greater-than
83. Case: false: function:date-greater-than
84. Case: true: function:time-greater-than
85. Case: false: function:time-greater-than
86. Case: true: function:datetime-greater-than
87. Case: false: function:datetime-greater-than
88. Case: true: function:yearMonthDuration-greater-than
89. Case: false: function:yearMonthDuration-greater-than
90. Case: true: function:dayTimeDuration-greater-than
91. Case: false: function:dayTimeDuration-greater-than
92. Case: true: function:integer-greater-than-or-equal
93. Case: false: function:integer-greater-than-or-equal
94. Case: true: function:decimal-greater-than-or-equal
95. Case: false: function:decimal-greater-than-or-equal
96. Case: true: function:string-greater-than-or-equal
97. Case: false: function:string-greater-than-or-equal
98. Case: true: function:date-greater-than-or-equal
99. Case: false: function:date-greater-than-or-equal
100. Case: true: function:time-greater-than-or-equal
101. Case: false: function:time-greater-than-or-equal
102. Case: true: function:datetime-greater-than-or-equal
103. Case: false: function:datetime-greater-than-or-equal
104. Case: true: function:yearMonthDuration-greater-than-or-equal
105. Case: false: function:yearMonthDuration-greater-than-or-equal
106. Case: true: function:dayTimeDuration-greater-than-or-equal
107. Case: false: function:dayTimeDuration-greater-than-or-equal
108. Case: true: function:string-match: literal string
109. Case: true: function:string-match: regExp
110. Case: false: function:string-match: literal string
111. Case: false: function:string-match: regExp
112. Case: true: function:and
113. Case: false: function:and
114. Case: true: function:or
115. Case: false: function:or
116. Case: true: function:ordered-or
117. Case: false: function:ordered-or
118. Case: true: function:n-of
119. Case: false: function:n-of
120. Case: true: function:not
121. Case: false: function:not
122. Case: true: function:present
123. Case: false: function:present
124. Case: true: function:subset
125. Case: false: function:subset
126. Case: true: function:superset
127. Case: false: function:superset
128. Case: true: function:non-null-set-intersection
129. Case: false: function:non-null-set-intersection

Combining Algorithms

These tests exercise each of the mandatory Combining Algorithms.
1. Case: true: Policy DenyOverrides
2. Case: false: Policy DenyOverrides
3. Case: true: PolicySet DenyOverrides
4. Case: false: PolicySet DenyOverrides
5. Case: true: Policy PermitOverrides
6. Case: false: Policy PermitOverrides
7. Case: true: PolicySet PermitOverrides
8. Case: false: PolicySet PermitOverrides

Schema components

This section lists test cases for certain components of the schema not exercised by tests cases above.
1. Case: RuleDesignator
2. Case: PolicyStatementDesignator
3. Case: PolicySetStatementDesignator
4. Case: PolicyStatement inside Assertion
5. Case: PolicySetStatement inside Assertion
6. Case: PolicySet including PolicySetId
7. Case: PolicySet including PolicyId
8. Case: PolicySet including PolicySetStatement
9. Case: PolicySet including PolicyStatement
10. Case: PolicySet including PolicySetAssertion
11. Case: PolicySet including PolicyAssertion
12. Case: PolicySet including PolicySetAssertion reference
13. Case: PolicySet including PolicyAssertion reference
14. Case: RuleSet containing Rule
15. Case: RuleSet containing RuleDesignator
16. Case: RuleDesignator containing RuleDigest
17. Case: Request SubjectId containing Format
18. Case: Request SubjectId containing Qualifier
19. Case: Request Subject containing ds:KeyInfo
20. Case: Request Subject containing AuthenticationInfo Method
21. Case: Request Subject containing AuthenticationInfo Instant
22. Case: Request Attribute containing Issuer
23. Case: Request Attribute containing IssueInstant
24. Case: Request ResourceSpecifier containing Format
25. Case: Request ResourceSpecifier containing Scope:Immediate
26. Case: Request ResourceSpecifier containing Scope:Children
27. Case: Request ResourceSpecifier containing Scope:Descendants
28. Case: Response containing DecisionType Indeterminate
29. Case: match: EnvironmentAttribute
30. Case: no match: EnvironmentAttribute

---

Optional Functionality Tests

These tests exercise areas of functionality that are not mandatory-to-implement.

Obligations

1. Case: Obligation containing AttributeDesignator
2. Case: Obligation containing AttributeAssignment

Advice

Multiple Decisions

Protecting XML documents

1. Case: AttributeDesignator pointing into XML document
2. Case: Resource as subspace of an XML document

Non-mandatory Functions

Functions on Dates

In XACML 1.0, we mandate support for time and duration functions and data types, but do not mandate support for functions on dates. In the future, support for functions on dates will be mandatory.
1. Case: function:add-dayTimeDuration-to-date
2. Case: function:add-yearMonthDuration-to-date
3. Case: function:add-yearMonthDuration-to-dateTime
4. Case: function:add-dayTimeDuration-to-dateTime
5. Case: function:subtract-yearMonthDuration-from-date
6. Case: function:subtract-dayTimeDuration-from-date
7. Case: function:date-subtract
8. Case: function:datetime-subtract
9. Case: function:subtract-yearMonthDuration-from-dateTime
10. Case: function:subtract-dayTimeDuration-from-dateTime

Non-standard Combining Algorithms

---

Anne Anderson

Last modified: Tue Jul 23 14:55:32 EDT 2002

Non-standard Combining Algorithms

---

Anne Anderson

Last modified: Thu Jul 25 14:46:15 EDT 2002