oasis-tcs / xacml-spec

OASIS XACML TC: List for tracking issues and features for the OASIS XACML TC. https://github.com/oasis-tcs/xacml-spec

Add shortcut functions for testing bag sizes. #23

Open steven-legg opened 2 months ago

steven-legg commented 2 months ago

I regularly need to test whether a bag of values (usually from an attribute designator) is empty or non-empty. With the current XACML functions that means comparing the bag size to zero.

<!-- empty -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
    <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="http://example.com/some-attribute"
                DataType="http://www.w3.org/2001/XMLSchema#string"  MustBePresent="false"/>
  </Apply>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer"
    >0</AttributeValue>
</Apply>

<!-- non-empty -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
    <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="http://example.com/some-attribute"
                DataType="http://www.w3.org/2001/XMLSchema#string"  MustBePresent="false"/>
  </Apply>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer"
    >0</AttributeValue>
</Apply>

There would be less clutter if there were shortcut functions to perform these tests, which could be added to both XACML 3.0 and XACML 4.0.

urn:oasis:names:tc:xacml:3.0:function:empty-bag
urn:oasis:names:tc:xacml:3.0:function:non-empty-bag

An alternative name for non-empty-bag would be populated-bag. It would be a simple matter to define a pair of functions that take bags of any data type rather than a pair for each data-type.

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:empty-bag">
  <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="http://example.com/some-attribute"
              DataType="http://www.w3.org/2001/XMLSchema#string"  MustBePresent="false"/>
</Apply>

<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:non-empty-bag">
  <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="http://example.com/some-attribute"
              DataType="http://www.w3.org/2001/XMLSchema#string"  MustBePresent="false"/>
</Apply>
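
An added example, not code from the issue or from any XACML implementation: a minimal Python evaluator for the expressions in the comment above, treating the proposed `empty-bag` and `non-empty-bag` as type-generic functions and checking that they return what the bag-size comparisons return, including when the attribute is absent. It assumes un-namespaced elements as written in the issue and skips DataType matching; `evaluate`, `long_form`, `shortcut` and `forms_agree` are hypothetical names.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:{}:function:{}"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ATTR = "http://example.com/some-attribute"
# Standard functions used by the long form, beside the two proposed shortcuts.
FUNCTIONS = {
    FN.format("1.0", "string-bag-size"): lambda bag: len(bag),
    FN.format("1.0", "integer-equal"): lambda a, b: a == b,
    FN.format("1.0", "integer-greater-than"): lambda a, b: a > b,
    FN.format("3.0", "empty-bag"): lambda bag: len(bag) == 0,      # any data type
    FN.format("3.0", "non-empty-bag"): lambda bag: len(bag) > 0,   # any data type
}

def evaluate(node, attributes):
    """Evaluate an <Apply>, <AttributeDesignator> or integer <AttributeValue>."""
    if node.tag == "Apply":
        args = [evaluate(child, attributes) for child in node]
        return FUNCTIONS[node.get("FunctionId")](*args)
    if node.tag == "AttributeDesignator":
        bag = attributes.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise LookupError("Indeterminate: required attribute is missing")
        return bag  # MustBePresent="false": a missing attribute is an empty bag
    if node.tag == "AttributeValue":
        return int(node.text)
    raise ValueError("unsupported element: " + node.tag)

DESIGNATOR = ('<AttributeDesignator Category="%s" AttributeId="%s" '
              'DataType="http://www.w3.org/2001/XMLSchema#string" '
              'MustBePresent="false"/>' % (RESOURCE, ATTR))
ZERO = '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>'

def long_form(comparison):
    return ET.fromstring('<Apply FunctionId="%s"><Apply FunctionId="%s">%s</Apply>%s</Apply>' % (
        FN.format("1.0", comparison), FN.format("1.0", "string-bag-size"), DESIGNATOR, ZERO))

def shortcut(name):
    return ET.fromstring('<Apply FunctionId="%s">%s</Apply>' % (FN.format("3.0", name), DESIGNATOR))

def forms_agree(attributes):
    """True when each shortcut returns what its bag-size comparison returns."""
    empty_ok = evaluate(long_form("integer-equal"), attributes) == evaluate(shortcut("empty-bag"), attributes)
    populated_ok = evaluate(long_form("integer-greater-than"), attributes) == evaluate(shortcut("non-empty-bag"), attributes)
    return empty_ok and populated_ok

# Constructed request contexts: attribute absent, present but empty, present with values.
CONTEXTS = [{}, {(RESOURCE, ATTR): []}, {(RESOURCE, ATTR): ["a", "b"]}]
```
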

steven-legg commented 2 months ago

The XPath test for a non-empty sequence is called "exists". The test is analogous to an LDAP present match.

cdanger commented 2 weeks ago

Just a suggestion: I'm ok with this, but considering there is the alternative with the bag-size function, should we rather specify these shortcut functions as optional / not mandatory? Part of a profile?