[xacml] [CR] Additional Functions

[Michiharu Kudoh <KUDO@jp.ibm.com>]

I propose to include the following functions (all relevant to XPath) in the
spec as non-mandatory to implement functions. The original proposal (a
little different from this proposal) was posted on 29th July and it
described more in detail.
http://lists.oasis-open.org/archives/xacml/200207/msg00162.html

function:general-string-equal xs:boolean  object(*1)  object            A
= B
function:node-boolean         xs:boolean  object
function:node-match           xs:boolean  object            object

========================
(*1) "object" type is defined in Introduction section of [2] as:

"... object, which has one of the following four basic types:
node-set (an unordered collection of nodes without duplicates)
boolean (true or false)
number (a floating-point number)
string (a sequence of UCS characters)"

[1] XQuery 1.0 and XPath 2.0 Data Model,
http://www.w3.org/TR/xquery-operators/
[2] XPath 1.0, http://www.w3.org/TR/xpath

We here assume that boolean is xs:boolean, number is xs:decimal and string
is xs:string.
========================

----------------------
    Function Definitions
----------------------

<1>. Function:general-string-equal

boolean: general-string-equal(object, object)

The general-string-equal(A,B) is true for set A and B if the
string-equal(a,b) is true for some item a in A and some item b in B.
Otherwise, general-string-equal(A,B) is false. When performing the
string-equal function, apply the following rules in order:

1. Simple String Atomization (SSA) is applied to each operand, resulting in
a single atomic value or an empty set for each operand.
2. If either operand is an empty set, the result is an empty set.
3. Cast each operand to xs:string
4. If the cast fails, the error value is returned.
5. The result of string-equal is true if the value of the first operand is
equal to the value of the second operand; otherwise the result of the
string-equal is false.

Simple String Atomization (SSA):

1. If the value is a single atomic value or an empty set, atomization
simply returns the value.
2. If the value is a single node, it must be an element node, attribute
node or a text node.
  2.1  If the value is a text node, returns the string content of the text
node.
  2.2  If the value is an attribute node, returns its string value.
  2.3  If the value is an element node that does not contain element node
below, returns the string content of the text node.
  2.4  If the value is an element node that contain one or more element
node below, returns error value as defined in [1]
3. If the value is not a single node, return error value as defined in [1]

Example:
<a>
  <b1>January</b1>
  <b1>February</b1>
  <b2>
    <c>January</c>
    <c>March</c>
  </b2>
  <b3 d="February"/>
  <b3 d="April"/>
</a>

A := "/a/b1"
B := "/a/b2/c"
C := "/a/b3/@d"
D := "/a/b2"

(1) general-string-equal(A,B) ==> true
(2) general-string-equal(A,C) ==> true
(3) general-string-equal(B,C) ==> false
(4) general-string-equal(A,"February") ==> true
(5) general-string-equal(A,D) ==> Error value

(1) A returns two nodes: two <b1> elements. The SSA is applied to the first
<b1> item, which returns "January". The SSA is applied to the second <b1>
item, which returns "February". B returns two nodes: two <c> elements. The
SSA is applied to the first <c> item, which returns "January". The SSA is
applied to the second <c> item, which returns "March". String casting
succeeds. Since the first value of the first operand is equal to the first
value of the second operand, general-string-equal returns true.
(2) C returns two nodes: two d attributes. The SSA is applied to each item,
which returns "February" and "March", respectively. Since the second value
of the first operand is equal to the first value of the second operand,
general-string-equal returns true.
(3) Since there is no identical value pair in the first operand and the
second operand, general-string-equal returns false.
(4) The second operand is a single atomic value "February". Since it is
equal to the second value of the first operand, general-string-equal
returns true.
(5) The second operand returns one <b2> element that contains two <c>
element. This raises error from SSA step 2.4. Therefore,
general-string-equal returns error value.

An example specification for case (1):
<Rule>
  <Target>
    <Resources MatchId="function:general-string-equal" DataType
="xs:boolean">
      <AttributeSelector RequestContextPath="/a/b1"/>
      <AttributeSelector RequestContextPath="/a/b2/c"/>
    </Resource>
  </Target>
</Rule>

<2>. Function:node-boolean

boolean node-boolean(object)

The node-boolean function converts its argument to a boolean as follows:
1. a number is true if and only if it is neither positive or negative zero
nor NaN
2. a node-set is true if and only if it is non-empty
3. a string is true if and only if its length is non-zero
4. an object of a type other than the four basic types is converted to a
boolean in a way that is dependent on that type

An example specification for the case (1) is:
<Rule>
  <Target>
    <Resources MatchId="function:node-boolean" DataType="xs:boolean">
      <AttributeSelector RequestContextPath="/a/b1[ . = /a/b2/c])"/>
    </Resource>
  </Target>
</Rule>

<3>. Function:node-match

boolean node-match(object, object)

The result of a node-match is defined by applying the following rules, in
order:
1. Both operands must be either a single node or an empty set; otherwise
the error value is returned.
2. If either operand is an empty set, the result of the comparison is an
empty set.
3. A comparison is true if the two operands are nodes that have the same
single node; otherwise it is false.

An example specification is:
<Rule>
  <Target>
    <Resources MatchId="function:node-match" DataType="xs:boolean">
      <AttributeSelector RequestContextPath="//b1"/>
      <AttributeSelector RequestContextPath="/a/b1"/>
    </Resource>
  </Target>
</Rule>
If "//b1" and "/a/b1" contains one or more intersection node, then the
node-match function returns true, otherwise returns false.

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428