XACML 1.1 Committee Specification Conformance Tests

Version: 1.55, 02/12/12 (yy/mm/dd)
Author: Anne Anderson

This document describes and provides links to a suite of tests intended to aid implementers in conforming to the XACML 1.1 Committee Specification.

Contents

  1. Description of Tests
    1. Test Case Groupings
    2. How to Use the Tests
    3. Preparing Tests for Execution
    4. Bugs in the Tests
  2. Mandatory-to-Implement Functionality Tests
    1. Attribute References
    2. Target Matching
    3. Function Evaluation
    4. Combining Algorithms
    5. Schema components
  3. Optional, but Normative Functionality Tests
    1. Obligations
    2. DefaultsType
    3. <ResourceContent> Element
    4. Multiple Decisions
    5. XPath Functionality
    6. Non-mandatory Functions

  1. Description of Tests

    These tests are provided as an aid in achieving conformance to the XACML 1.1 Committee Specification. The tests may aid in determining whether an implementation is correctly interpreting the intent of the Specification, and may provide a basic level of interoperability testing. These tests do not constitute a full test of conformance to the XACML Specification: a full description of the requirements for conformance is included in Section 10, "Conformance", of the XACML 1.1 Committee Specification itself. There is no OASIS- or XACML TC-sponsored branding or certification program for XACML.

    1. Test Case Groupings

      Tests are divided into those that exercise Mandatory-to-Implement functionality and those that exercise Optional, but normative functionality. All implementations that claim conformance to the XACML Specification MUST support all Mandatory-to-Implement functionality. Conforming implementations MAY additionally support specific Optional functionality areas.

      Tests are divided into groups based on the primary area of functionality or schema being exercised.

      Each test case consists of three XML documents (or sets of documents):

      1. An XACML Request
      2. An XACML Policy or set of Policy documents
      3. An XACML Response

      Each XML document is named according to the section of this document in which it occurs. For example, the XML documents for the test in Part II (Mandatory to implement), Section B (Target Matching), Test Case 8 (Case: match: multiple actions) are named:

    2. How to Use the Tests

      An implementation of an XACML Policy Decision Point (PDP) should be able to:

      1. Accept the given Request, or input consistent with the given Request, as input.
      2. Accept the given Policy or Policies (these files may contain one or more XACML Policies or PolicySets) as input.
      3. Produce the given Response, or output consistent with the given Response, as output.

      Explanation of "consistent with":

      The Request and Response need not be instances of the XACML Context Schema. The request and response should, however, contain exactly the same information as the given Request and Response, and should exercise the XACML policy evaluation functionality that the test is intended to exercise. It should be possible, at least conceptually, to mechanically convert the request and response used in the implementation to the given XACML Request and Response instances.

    3. Preparing Tests for Execution

      In general, for each test,

      1. Either,
        1. store the *Policy.xml file for the given test in the repository you use for policies, such that the specified *Policy.xml is the only policy that will be retrieved by the PDP, or
        2. configure the PDP with the *Policy.xml file as its initial policy.

      2. Send the *Request.xml file (or its semantic equivalent in your system) to the Context Handler component of the XACML PDP via your access control decision request API.

      3. Compare the result returned from the PDP with the specified *Response.xml file (or its semantic equivalent in your system).

      4. The test passes if your system's result is semantically equivalent to the specified *Response.xml file.

      Some of the tests have special instructions associated with them. They modify the instructions given above for the given test.
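
The comparison in steps 3 and 4 above, as an added example that is not part of the conformance suite. It assumes "semantically equivalent" means the same set of (ResourceId, Decision, StatusCode Value) results, treats a missing Status as ok, and takes the PDP as a hypothetical callable `pdp(policy_xml, request_xml)`; the sample Responses and the test ID are constructed.

```python
import xml.etree.ElementTree as ET

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
DECISIONS = {"Permit", "Deny", "Indeterminate", "NotApplicable"}


def local(tag):
    """Drop the '{namespace}' part ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children with the given local name, whatever prefix they use."""
    return [c for c in elem if local(c.tag) == name]


def summarize(response_xml):
    """Reduce a Response document to a sorted list of
    (ResourceId, Decision, StatusCode Value) tuples, one per <Result>."""
    root = ET.fromstring(response_xml)
    if local(root.tag) != "Response":
        raise ValueError("root element is %r, not Response" % local(root.tag))
    results = []
    for result in children(root, "Result"):
        decisions = children(result, "Decision")
        if len(decisions) != 1:
            raise ValueError("each Result needs exactly one Decision")
        decision = (decisions[0].text or "").strip()
        if decision not in DECISIONS:
            raise ValueError("unknown Decision %r" % decision)
        code = STATUS_OK  # assumption: an absent Status means ok
        for status in children(result, "Status"):
            # Only the top-level StatusCode is compared, not nested minor codes.
            for status_code in children(status, "StatusCode"):
                code = status_code.get("Value", STATUS_OK)
        results.append((result.get("ResourceId", ""), decision, code))
    if not results:
        raise ValueError("Response has no Result")
    return sorted(results)


def semantically_equivalent(expected_xml, actual_xml):
    """Step 4: prefixes, whitespace and Result order do not matter."""
    return summarize(expected_xml) == summarize(actual_xml)


def run_case(test_id, policy_xml, request_xml, expected_xml, pdp):
    """Steps 1-4 for one test case. `pdp` is a hypothetical callable that is
    configured with exactly one policy and returns a Response document."""
    try:
        actual_xml = pdp(policy_xml, request_xml)
        ok = semantically_equivalent(expected_xml, actual_xml)
    except (ET.ParseError, ValueError) as exc:
        # An unreadable answer is a failed test, not a crashed harness.
        return (test_id, False, "error: %s" % exc)
    return (test_id, ok, "pass" if ok else "fail")


# Constructed sample documents (not files from the test suite).
EXPECTED = """
<Response xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
"""

# Same information, different prefix and layout.
SAME_INFO = (
    '<ctx:Response xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context">'
    "<ctx:Result><ctx:Decision>Permit</ctx:Decision><ctx:Status>"
    '<ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
    "</ctx:Status></ctx:Result></ctx:Response>"
)

# Different decision and status: must not be accepted as equivalent.
OTHER = """
<Response xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
    </Status>
  </Result>
</Response>
"""

if __name__ == "__main__":
    for actual in (SAME_INFO, OTHER, "<Response>"):
        # The lambda stands in for a real PDP and ignores its inputs.
        print(run_case("EXAMPLE-001", "<Policy/>", "<Request/>", EXPECTED,
                       lambda policy, request, a=actual: a))
```

Comparing the parsed Decision and StatusCode rather than the raw bytes keeps a harness from reporting false failures on prefix or whitespace differences, while a Permit returned where the suite expects Indeterminate still fails.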

    4. Bugs in the Tests

      The following are the known bugs:

      1. The <Description> in many *Policy.xml files is incorrect: instead of "read or write Bart Simpson's medical record", the description should say "perform any action on any resource".

      If you believe any test does not correctly interpret the intent of the XACML 1.1 Committee Specification, or if you find any additional errors in these tests, please submit a report to the xacml-comment@lists.oasis-open.org mailing list.

      Copies of corrected conformance test files will be attached to a response to each error report that is submitted to the xacml-comment@lists.oasis-open.org mailing list. Periodically, an updated copy of the entire Conformance Test Suite, containing all corrections to date, will be posted to the XACML TC Web Site. Anyone may request to have updates to the full Conformance Test Suite directly e-mailed to them at the same time that the update is submitted to the XACML TC web site maintainer: e-mail a request to Anne.Anderson@Sun.COM


  2. Mandatory-to-Implement Functionality Tests

    This section contains tests of all mandatory-to-implement functionality. All implementations that conform to the XACML Specification should pass all these tests except as explained in any associated Special Instructions (<test ID>Special.txt) file.

    1. Attribute References

      These tests exercise referencing of attribute values in the Request by a policy.

      1. Case: Simple type attribute element present in Request Request,Policy,Response
      2. Case: Simple type attribute element not present in original decision Request, but retrievable from Attribute repository Request,Policy,Response, Special Instructions
      3. Case: Simple type attribute element not present in Request and not retrievable by Attribute Authority Request,Policy,Response
      4. Case: INVALID syntax for Attribute Designator Request,Policy,Response,Special Instructions
      5. Case: INVALID syntax for Request attribute Request,Policy,Response
      6. Case: TRUE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
      7. Case: FALSE: "MustBePresent" XML attribute in Target Designator Request,Policy,Response
      8. Case: TRUE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
      9. Case: FALSE: "MustBePresent" XML attribute in Condition Designator Request,Policy,Response
      10. Case: Permit: Multiple attributes match except for DataType Request,Policy,Response
      11. Case: Indeterminate: Multiple attributes match except for DataType Request,Policy,Response
      12. Case: Permit: Multiple subjects with same subject-category: different attribute in each Request,Policy,Response
      13. Case: Indeterminate: Multiple subjects with same subject-category: same attributes in each Request,Policy,Response
      14. Case: Permit: SubjectAttributeDesignator with SubjectCategory XML attribute Request,Policy,Response
      15. Case: Permit: SubjectAttributeDesignator without SubjectCategory XML attribute Request,Policy,Response
      16. Case: explicit environment:current-time attribute Request,Policy,Response
      17. Case: implicit environment:current-time attribute Request,Policy,Response
      18. Case: explicit environment:current-date attribute Request,Policy,Response
      19. Case: implicit environment:current-date attribute Request,Policy,Response
      20. Case: explicit environment:current-dateTime attribute Request,Policy,Response
      21. Case: implicit environment:current-dateTime attribute Request,Policy,Response

    2. Target Matching

      These tests exercise various forms of Target matching.

      1. Case: match: anySubject, anyResource, anyAction Request,Policy,Response

      2. Case: match: anySubject, anyResource, specified Action value Request,Policy,Response
      3. Case: no match: anySubject, anyResource, specified Action value Request,Policy,Response
      4. Case: match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
      5. Case: no match: anySubject, anyResource, two specified Action attributes Request,Policy,Response
      6. Case: match: impliedAction Request,Policy,Response
      7. Case: no match: impliedAction Request,Policy,Response
      8. Case: match: multiple actions Request,Policy,Response
      9. Case: no match: multiple actions Request,Policy,Response

      10. Case: match: Subject with specific SubjectCategory Request,Policy,Response
      11. Case: no match: Subject with specific SubjectCategory Request,Policy,Response
      12. Case: match: Subject with specific SubjectId value Request,Policy,Response
      13. Case: no match: Subject with specific SubjectID value Request,Policy,Response
      14. Case: match: Subject with non-string SubjectId DataType and value Request,Policy,Response
      15. Case: no match: Subject with non-string SubjectId DataType and value Request,Policy,Response
      16. Case: match: Subject with specific KeyInfo value Request,Policy,Response
      17. Case: no match: Subject with specific KeyInfo value Request,Policy,Response
      18. Case: match: Subject AttributeId Request,Policy,Response
      19. Case: no match: Subject AttributeId Request,Policy,Response
      20. Case: match: Subject AttributeId and Issuer Request,Policy,Response
      21. Case: no match: Subject AttributeId and Issuer Request,Policy,Response
      22. Case: match: Subject AttributeId and IssueInstant Request,Policy,Response
      23. Case: no match: Subject AttributeId and IssueInstant Request,Policy,Response
      24. Case: match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
      25. Case: no match: Subject AttributeId, Issuer, and IssueInstant Request,Policy,Response
      26. Case: match: Subject identifier value and attribute value Request,Policy,Response
      27. Case: no match: Subject identifier value and attribute value Request,Policy,Response
      28. Case: match: multiple Subjects Request,Policy,Response
      29. Case: no match: multiple Subjects Request,Policy,Response

      30. Case: match: ResourceId Request,Policy,Response
      31. Case: no match: ResourceId Request,Policy,Response
      32. Case: match: ResourceId with specific DataType Request,Policy,Response
      33. Case: no match: ResourceId with specific DataType Request,Policy,Response
      34. Case: match: Resource AttributeId Request,Policy,Response
      35. Case: no match: Resource AttributeId Request,Policy,Response
      36. Case: match: Resource AttributeId and Issuer Request,Policy,Response
      37. Case: no match: Resource AttributeId and Issuer Request,Policy,Response
      38. Case: match: Resource AttributeId and IssueInstant Request,Policy,Response
      39. Case: no match: Resource AttributeId and IssueInstant Request,Policy,Response
      40. Case: match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
      41. Case: no match: Resource AttributeId, Issuer, and IssueInstant Request,Policy,Response
      42. Case: match: Resource identifier value and attribute value Request,Policy,Response
      43. Case: no match: Resource identifier value and attribute value Request,Policy,Response
      44. Case: match: multiple resources Request,Policy,Response
      45. Case: no match: multiple resources Request,Policy,Response

      46. Case: match: specified Subject and Resource Request,Policy,Response
      47. Case: no match: specified Subject and Resource Request,Policy,Response
      48. Case: match: specified Subject, Action Request,Policy,Response
      49. Case: no match: specified Subject, Action Request,Policy,Response
      50. Case: match: specified Resource, Action Request,Policy,Response
      51. Case: no match: specified Resource, Action Request,Policy,Response
      52. Case: match: specified Subject, Resource, Action Request,Policy,Response
      53. Case: no match: specified Subject, Resource, Action Request,Policy,Response

    3. Function Evaluation

      These tests exercise each of the mandatory-to-implement functions.

        GENERAL APPLY TESTS
      1. Case: Apply with Apply argument Request,Policy,Response
      2. Case: Apply with AttributeValue argument Request,Policy,Response
      3. Case: Apply with single-element bag where function expects primitive type Request, Policy, Response, Special Instructions
      4. Case: Apply with SubjectAttributeDesignator argument Request,Policy,Response
      5. Case: Apply with ResourceAttributeDesignator argument Request,Policy,Response
      6. Case: Apply with ActionAttributeDesignator argument Request,Policy,Response
      7. Case: Apply with EnvironmentAttributeDesignator argument Request,Policy,Response
      8. Case: Apply with empty bag argument Request,Policy,Response
      9. Case: Apply with multiple-element bag argument Request,Policy,Response
      10. Case: true: Condition Evaluation Request,Policy,Response
      11. Case: false: Condition Evaluation Request,Policy,Response
      12. Case: ERROR: Condition Evaluation - non-boolean datatype Request,Policy,Response, Special Instructions

        ARITHMETIC FUNCTIONS

      13. Case: function:integer-add Request,Policy,Response
      14. Case: ERROR: function:integer-add - non-integer datatype Request,Policy,Response, Special Instructions
      15. Case: function:double-add Request,Policy,Response
      16. Case: function:integer-subtract Request,Policy,Response
      17. Case: function:double-subtract Request,Policy,Response
      18. Case: function:integer-multiply Request,Policy,Response
      19. Case: function:double-multiply Request,Policy,Response
      20. Case: function:integer-divide Request,Policy,Response
      21. Case: function:double-divide Request,Policy,Response
      22. Case: function:integer-mod Request,Policy,Response
      23. Case: function:double-mod: IIC023*.xml: TEST DELETED
      24. Case: function:round Request,Policy,Response
      25. Case: function:floor Request,Policy,Response
      26. Case: function:integer-abs Request,Policy,Response
      27. Case: function:double-abs Request,Policy,Response

        ARITHMETIC CONVERSION FUNCTIONS

      28. Case: function:double-to-integer Request,Policy,Response
      29. Case: function:integer-to-double Request,Policy,Response

        EQUALITY FUNCTIONS

      30. Case: true: function:integer-equal Request,Policy,Response
      31. Case: false: function:integer-equal Request,Policy,Response
      32. Case: true: function:double-equal Request,Policy,Response
      33. Case: false: function:double-equal Request,Policy,Response
      34. Case: true: function:boolean-equal Request,Policy,Response
      35. Case: false: function:boolean-equal Request,Policy,Response
      36. Case: true: function:string-equal Request,Policy,Response
      37. Case: false: function:string-equal Request,Policy,Response
      38. Case: true: function:rfc822Name-equal Request,Policy,Response
      39. Case: false: function:rfc822Name-equal Request,Policy,Response
      40. Case: true: function:x500Name-equal Request,Policy,Response
      41. Case: false: function:x500Name-equal Request,Policy,Response
      42. Case: true: function:date-equal Request,Policy,Response
      43. Case: false: function:date-equal Request,Policy,Response
      44. Case: true: function:time-equal Request,Policy,Response
      45. Case: false: function:time-equal Request,Policy,Response
      46. Case: true: function:dateTime-equal Request,Policy,Response
      47. Case: false: function:dateTime-equal Request,Policy,Response
      48. Case: true: function:hexBinary-equal Request,Policy,Response
      49. Case: false: function:hexBinary-equal Request,Policy,Response
      50. Case: true: function:base64Binary-equal Request,Policy,Response
      51. Case: false: function:base64Binary-equal Request,Policy,Response
      52. Case: true: function:anyURI-equal Request,Policy,Response
      53. Case: false: function:anyURI-equal Request,Policy,Response
      54. Case: true: function:QName-equal: IIC054*.xml: TEST DELETED
      55. Case: false: function:QName-equal: IIC055*.xml: TEST DELETED

        REGEXP-STRING-MATCH FUNCTION

      56. Case: true: function:regexp-string-match Request,Policy,Response
      57. Case: false: function:regexp-string-match Request,Policy,Response

        COMPARISON FUNCTIONS: GREATER THAN, GREATER THAN OR EQUAL

      58. Case: true: function:integer-greater-than Request,Policy,Response
      59. Case: false: function:integer-greater-than Request,Policy,Response
      60. Case: true: function:double-greater-than Request,Policy,Response
      61. Case: false: function:double-greater-than Request,Policy,Response
      62. Case: true: function:string-greater-than Request,Policy,Response
      63. Case: false: function:string-greater-than Request,Policy,Response
      64. Case: true: function:date-greater-than Request,Policy,Response
      65. Case: false: function:date-greater-than Request,Policy,Response
      66. Case: true: function:time-greater-than Request,Policy,Response
      67. Case: false: function:time-greater-than Request,Policy,Response
      68. Case: true: function:dateTime-greater-than Request,Policy,Response
      69. Case: false: function:dateTime-greater-than Request,Policy,Response
      70. Case: true: function:integer-greater-than-or-equal Request,Policy,Response
      71. Case: false: function:integer-greater-than-or-equal Request,Policy,Response
      72. Case: true: function:double-greater-than-or-equal Request,Policy,Response
      73. Case: false: function:double-greater-than-or-equal Request,Policy,Response
      74. Case: true: function:string-greater-than-or-equal Request,Policy,Response
      75. Case: false: function:string-greater-than-or-equal Request,Policy,Response
      76. Case: true: function:date-greater-than-or-equal Request,Policy,Response
      77. Case: false: function:date-greater-than-or-equal Request,Policy,Response
      78. Case: true: function:time-greater-than-or-equal Request,Policy,Response
      79. Case: false: function:time-greater-than-or-equal Request,Policy,Response
      80. Case: true: function:dateTime-greater-than-or-equal Request,Policy,Response
      81. Case: false: function:dateTime-greater-than-or-equal Request,Policy,Response

        rfc822Name and x500Name MATCHING FUNCTIONS

      82. Case: true: function:rfc822Name-match Request,Policy,Response
      83. Case: false: function:rfc822Name-match Request,Policy,Response
      84. Case: true: function:x500Name-match Request,Policy,Response
      85. Case: false: function:x500Name-match Request,Policy,Response

        LOGICAL FUNCTIONS

      86. Case: true: function:and Request,Policy,Response
      87. Case: false: function:and Request,Policy,Response
      88. Case: true: function:ordered-and: IIC088*.xml: TEST DELETED
      89. Case: false: function:ordered-and: IIC089*.xml: TEST DELETED
      90. Case: true: function:or Request,Policy,Response
      91. Case: false: function:or Request,Policy,Response
      92. Case: true: function:ordered-or: IIC092*.xml: TEST DELETED
      93. Case: false: function:ordered-or: IIC093*.xml: TEST DELETED
      94. Case: true: function:n-of Request,Policy,Response
      95. Case: false: function:n-of Request,Policy,Response
      96. Case: true: function:not Request,Policy,Response
      97. Case: false: function:not Request,Policy,Response
      98. Case: true: function:present: IIC098*.xml: TEST DELETED
      99. Case: false: function:present: IIC099*.xml: TEST DELETED

        STRING NORMALIZATION FUNCTIONS

      100. Case: function:string-normalize-space Request,Policy,Response
      101. Case: function:string-normalize-to-lower-case Request,Policy,Response

        DURATION FUNCTIONS

      102. Case: function:dateTime-add-dayTimeDuration Request,Policy,Response
      103. Case: function:dateTime-add-yearMonthDuration Request,Policy,Response
      104. Case: function:dateTime-subtract-dayTimeDuration Request,Policy,Response
      105. Case: function:dateTime-subtract-yearMonthDuration Request,Policy,Response
      106. Case: function:date-add-yearMonthDuration Request,Policy,Response
      107. Case: function:date-subtract-yearMonthDuration Request,Policy,Response

        COMPARISON FUNCTIONS: LESS THAN, LESS THAN OR EQUAL

      108. Case: function:string-less-than Request,Policy,Response
      109. Case: function:string-less-than-or-equal Request,Policy,Response
      110. Case: function:integer-less-than Request,Policy,Response
      111. Case: function:double-less-than Request,Policy,Response
      112. Case: function:integer-less-than-or-equal Request,Policy,Response
      113. Case: function:double-less-than-or-equal Request,Policy,Response
      114. Case: function:time-less-than Request,Policy,Response
      115. Case: function:time-less-than-or-equal Request,Policy,Response
      116. Case: function:dateTime-less-than Request,Policy,Response
      117. Case: function:dateTime-less-than-or-equal Request,Policy,Response
      118. Case: function:date-less-than Request,Policy,Response
      119. Case: function:date-less-than-or-equal Request,Policy,Response

        BAG FUNCTIONS

      120. Case: function:string-bag-size Request,Policy,Response
      121. Case: function:string-bag Request,Policy,Response
      122. Case: function:boolean-one-and-only Request,Policy,Response
      123. Case: function:boolean-bag-size Request,Policy,Response
      124. Case: function:boolean-is-in Request,Policy,Response
      125. Case: function:boolean-bag Request,Policy,Response
      126. Case: function:integer-bag-size Request,Policy,Response
      127. Case: function:integer-is-in Request,Policy,Response
      128. Case: function:integer-bag Request,Policy,Response
      129. Case: function:double-bag-size Request,Policy,Response
      130. Case: function:double-is-in Request,Policy,Response
      131. Case: function:double-bag Request,Policy,Response
      132. Case: function:date-bag-size Request,Policy,Response
      133. Case: function:date-is-in Request,Policy,Response
      134. Case: function:date-bag Request,Policy,Response
      135. Case: function:time-bag-size Request,Policy,Response
      136. Case: function:time-is-in Request,Policy,Response
      137. Case: function:time-bag Request,Policy,Response
      138. Case: function:dateTime-bag-size Request,Policy,Response
      139. Case: function:dateTime-is-in Request,Policy,Response
      140. Case: function:dateTime-bag Request,Policy,Response
      141. Case: function:anyURI-bag-size Request,Policy,Response
      142. Case: function:anyURI-is-in Request,Policy,Response
      143. Case: function:anyURI-bag Request,Policy,Response
      144. Case: function:hexBinary-bag-size Request,Policy,Response
      145. Case: function:hexBinary-is-in Request,Policy,Response
      146. Case: function:hexBinary-bag Request,Policy,Response
      147. Case: function:base64Binary-bag-size Request,Policy,Response
      148. Case: function:base64Binary-is-in Request,Policy,Response
      149. Case: function:base64Binary-bag Request,Policy,Response
      150. Case: function:dayTimeDuration-one-and-only Request,Policy,Response
      151. Case: function:dayTimeDuration-bag-size Request,Policy,Response
      152. Case: function:dayTimeDuration-is-in Request,Policy,Response
      153. Case: function:dayTimeDuration-bag Request,Policy,Response
      154. Case: function:yearMonthDuration-one-and-only Request,Policy,Response
      155. Case: function:yearMonthDuration-bag-size Request,Policy,Response
      156. Case: function:yearMonthDuration-is-in Request,Policy,Response
      157. Case: function:yearMonthDuration-bag Request,Policy,Response
      158. Case: function:x500Name-bag-size Request,Policy,Response
      159. Case: function:x500Name-is-in Request,Policy,Response
      160. Case: function:x500Name-bag Request,Policy,Response
      161. Case: function:rfc822Name-bag-size Request,Policy,Response
      162. Case: function:rfc822Name-is-in Request,Policy,Response
      163. Case: function:rfc822Name-bag Request,Policy,Response

        HIGHER-ORDER BAG FUNCTIONS

      164. Case: function:any-of Request,Policy,Response
      165. Case: function:all-of Request,Policy,Response
      166. Case: function:any-of-any Request,Policy,Response
      167. Case: function:all-of-any Request,Policy,Response
      168. Case: function:any-of-all Request,Policy,Response
      169. Case: function:all-of-all Request,Policy,Response
      170. Case: function:map Request,Policy,Response

        SET FUNCTIONS

      171. Case: function:string-intersection Request,Policy,Response
      172. Case: function:string-at-least-one-member-of Request,Policy,Response
      173. Case: function:string-union Request,Policy,Response
      174. Case: function:string-subset Request,Policy,Response
      175. Case: function:string-set-equals Request,Policy,Response
      176. Case: function:boolean-intersection Request,Policy,Response
      177. Case: function:boolean-at-least-one-member-of Request,Policy,Response
      178. Case: function:boolean-union Request,Policy,Response
      179. Case: function:boolean-subset Request,Policy,Response
      180. Case: function:boolean-set-equals Request,Policy,Response
      181. Case: function:integer-intersection Request,Policy,Response
      182. Case: function:integer-at-least-one-member-of Request,Policy,Response
      183. Case: function:integer-union Request,Policy,Response
      184. Case: function:integer-subset Request,Policy,Response
      185. Case: function:integer-set-equals Request,Policy,Response
      186. Case: function:double-intersection Request,Policy,Response
      187. Case: function:double-at-least-one-member-of Request,Policy,Response
      188. Case: function:double-union Request,Policy,Response
      189. Case: function:double-subset Request,Policy,Response
      190. Case: function:double-set-equals Request,Policy,Response
      191. Case: function:date-intersection Request,Policy,Response
      192. Case: function:date-at-least-one-member-of Request,Policy,Response
      193. Case: function:date-union Request,Policy,Response
      194. Case: function:date-subset Request,Policy,Response
      195. Case: function:date-set-equals Request,Policy,Response
      196. Case: function:time-intersection Request,Policy,Response
      197. Case: function:time-at-least-one-member-of Request,Policy,Response
      198. Case: function:time-union Request,Policy,Response
      199. Case: function:time-subset Request,Policy,Response
      200. Case: function:time-set-equals Request,Policy,Response
      201. Case: function:dateTime-intersection Request,Policy,Response
      202. Case: function:dateTime-at-least-one-member-of Request,Policy,Response
      203. Case: function:dateTime-union Request,Policy,Response
      204. Case: function:dateTime-subset Request,Policy,Response
      205. Case: function:dateTime-set-equals Request,Policy,Response
      206. Case: function:anyURI-intersection Request,Policy,Response
      207. Case: function:anyURI-at-least-one-member-of Request,Policy,Response
      208. Case: function:anyURI-union Request,Policy,Response
      209. Case: function:anyURI-subset Request,Policy,Response
      210. Case: function:anyURI-set-equals Request,Policy,Response
      211. Case: function:x500Name-intersection Request,Policy,Response
      212. Case: function:x500Name-at-least-one-member-of Request,Policy,Response
      213. Case: function:x500Name-union Request,Policy,Response
      214. Case: function:x500Name-subset Request,Policy,Response
      215. Case: function:x500Name-set-equals Request,Policy,Response
      216. Case: function:rfc822Name-intersection Request,Policy,Response
      217. Case: function:rfc822Name-at-least-one-member-of Request,Policy,Response
      218. Case: function:rfc822Name-union Request,Policy,Response
      219. Case: function:rfc822Name-subset Request,Policy,Response
      220. Case: function:rfc822Name-set-equals Request,Policy,Response
      221. Case: function:hexBinary-intersection Request,Policy,Response
      222. Case: function:hexBinary-at-least-one-member-of Request,Policy,Response
      223. Case: function:hexBinary-union Request,Policy,Response
      224. Case: function:hexBinary-subset Request,Policy,Response
      225. Case: function:hexBinary-set-equals Request,Policy,Response
      226. Case: function:base64Binary-intersection Request,Policy,Response
      227. Case: function:base64Binary-at-least-one-member-of Request,Policy,Response
      228. Case: function:base64Binary-union Request,Policy,Response
      229. Case: function:base64Binary-subset Request,Policy,Response
      230. Case: function:base64Binary-set-equals Request,Policy,Response

        DURATION-EQUALS TESTS

      231. Case: function:dayTimeDuration-equals
      232. Case: function:yearMonthDuration-equals

    4. Combining Algorithms

      These tests exercise each of the mandatory Combining Algorithms.

      1. Case: Permit: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      2. Case: Deny: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      3. Case: NotApplicable: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      4. Case: Indeterminate: RuleCombiningAlgorithm DenyOverrides Request,Policy,Response
      5. Case: Permit: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      6. Case: Deny: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      7. Case: NotApplicable: PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      8. Case: Another Deny (can't return Indeterminate): PolicyCombiningAlgorithm DenyOverrides Request,Policy,Response
      9. Case: Permit: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      10. Case: Deny: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      11. Case: NotApplicable: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      12. Case: Indeterminate: RuleCombiningAlgorithm PermitOverrides Request,Policy,Response
      13. Case: Permit: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      14. Case: Deny: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      15. Case: NotApplicable: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      16. Case: Indeterminate: PolicyCombiningAlgorithm PermitOverrides Request,Policy,Response
      17. Case: Permit: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      18. Case: Deny: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      19. Case: NotApplicable: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      20. Case: Indeterminate: RuleCombiningAlgorithm FirstApplicable Request,Policy,Response
      21. Case: Permit: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      22. Case: Deny: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      23. Case: NotApplicable: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      24. Case: Indeterminate: PolicyCombiningAlgorithm FirstApplicable Request,Policy,Response
      25. Case: Permit: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      26. Case: Deny: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      27. Case: NotApplicable: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      28. Case: Indeterminate: PolicyCombiningAlgorithm OnlyOneApplicablePolicy Request,Policy,Response
      29. Case: Permit: Multiple initial policies, but only one applies Request, Policy1, Policy2, Response, Special Instructions
      30. Case: Indeterminate: Multiple initial policies, more than one applies Request, Policy1, Policy2, Response, Special Instructions

    5. Schema components

      This section lists test cases for certain elements of the schema not exercised by test cases above.

      1. Case: policy element PolicySetIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions
      2. Case: policy element PolicyIdReference Request,Policy,PolicyId1,PolicySetId1,Response,Special Instructions

  3. Optional, but Normative Functionality Tests

    These tests exercise areas of functionality that are not mandatory-to-implement, but that are normative when implemented. Submissions of tests for this section are invited.

    1. Obligations
      1. Case: Obligation containing AttributeAssignment
      2. Case: Obligations from an applicable Policy where Effect of PolicySet is different from Effect of the Policy
      3. Case: Multiple Obligations from one Policy
      4. Case: Multiple Obligations from different Policies

    2. DefaultsType
      1. Case: PolicySetDefaults XPathVersion
      2. Case: PolicyDefaults XPathVersion
      3. Case: PolicyDefaults XPathVersion differs from parent PolicySetDefaults XPathVersion

    3. <ResourceContent> Element
      1. Case: Scope="Immediate"
      2. Case: Scope="Children"
      3. Case: Scope="Descendants"

    4. Multiple Decisions

    5. XPath Functionality
      1. Case: Match: Target Match element with AttributeSelector argument
      2. Case: No Match: Target Match element with AttributeSelector argument
      3. Case: Match: Apply with AttributeSelector argument
      4. Case: No Match: Apply with AttributeSelector argument
      5. Case: Syntax error in XPath expression

    6. Non-mandatory Functions
      1. Case: xpath-node-count
      2. Case: Match: xpath-node-equal
      3. Case: No Match: xpath-node-equal
      4. Case: Match: xpath-node-match
      5. Case: No Match: xpath-node-match

      Author: Anne Anderson
      Last modified: Thu Dec 12 13:20:15 EST 2002