Re: [xacml] Issue for Errata: XPathCategory attribute not in schema or spec + other related issues

[Steven Legg <steven.legg@viewds.com>]

Hi Rich,

On 1/05/2013 9:41 AM, rich levinson wrote:
> The XPathCategory attribute, described in:
>
>   *   section 5.30, line 2489,
>   *   Appendix A.2, line 4052
>
> which also shows up in examples:
>
>   * 4.2.2 Example RequestContext, line 967,
>   * 4.2.4.1 Rule 1, line 1089,
>   * 4.2.4.2 Rule 2, line 1253,
>   * 4.2.4.3 Rule 3, line 1418,
>   * 4.2.4.4 Rule 4, line 1588
>
> does not appear in any of the schema descriptions in the spec, nor in
> the xsd, itself.
>
> Based on the text of Appendix A.2 XPathExpression, lines 4050-4053:
>
>     "... When the value is encoded in an <AttributeValue> element,
>       the namespace context is given by the <AttributeValue> element
>       and an XML attribute called XPathCategory gives the category
>       of the <Content> element where the expression applies. ..."
>
> and the fact that the XPathCategory shows up in AttributeValue
> elements in the examples, it would seem that AttributeValue might
> need to have the XPathCategory xml attribute defined for it as
> an optional attribute.

It would be nice, but it isn't necessary. The XML Schema definition of
AttributeValueType includes this line:

	<xs:anyAttribute namespace="##any" processContents="lax"/>

which means that an <AttributeValue> with an XPathCategory XML attribute is
schema valid.

> One other related issue has to do with the description of the ContextSelectorId
> attribute that refers to XPathCategory (lines 2485-2490):
>
>     "ContextSelectorId [Optional]
>     This attribute refers to the attribute (by its AttributeId) in the request context
>       in the category given by the Category attribute.
>     The referenced attribute MUST have data type
>         urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression,
>       and must select a single node in the <Content> element.
>     The XPathCategory attribute of the referenced attribute MUST be equal to
>       the Category attribute of the attribute selector."
>
> The last sentence of the above description sounds like XPathCategory
> is an attribute of the <Attribute> element, as opposed to the <AttributeValue>
> element.

I took this to be an error because AttributeValueType allows the XPathCategory
XML attribute, but AttributeType doesn't. The preceding sentence is also wrong
in that AttributeType doesn't allow a DataType XML Attribute. The referenced
attribute is also effectively restricted to a single value. The last two
sentences should read something like this:

    "The referenced attribute MUST have a single attribute value. That attribute
     value MUST have data type urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression,
     and must select a single node in the <Content> element. The XPathCategory
     XML attribute of the attribute value MUST be equal to the Category attribute
     of the attribute selector."

Mind you, I'd still be happy if the referenced attribute were allowed to have
multiple values that collectively select more than one node in the <Content> element.

> A second related issue also has to do with the above ContextSelectorId text, except
> that the issue is implicit by the examples, where in the example rules, the construct
> used is an AttributeDesignator in a <Match> element, as opposed to an AttributeSelector.
>
> Despite the fact that the AttributeDesignator construct is not defined in the spec
> for XPathExpression, its use in the examples appears logical and I would suggest
> adding an explanation that when an AttributeDesignator contains an
> XPathExpression DataType, that the associated AttributeValue in the Match
> element can have an XPathCategory specifying which Attributes element the
> Content is that the value should be selected from.

Whether or not an AttributeValue with the xpathExpression data type is appropriate
in a Match element is determined by the MatchId, not the AttributeDesignator. As
it happens, the only standard XPath functions that are eligible to be used in a Match
take a pair of xpathExpression arguments, so either the AttributeDesignator and
AttributeValue both have xpathExpression as the DataType or neither does. However,
other functions could conceivably be defined that allow xpathExpression to be
mixed with other data types.

Regards,
Steven

>      Thanks,
>      Rich