From 1407cfe414ddffda2573adee2cc29826b8a41fd3 Mon Sep 17 00:00:00 2001 From: Cyril Dangerville <1372580+cdanger@users.noreply.github.com> Date: Tue, 14 Nov 2023 01:53:23 +0100 Subject: [PATCH] Initial change proposal for issue #3 --- 5.21 Element Rule.adoc | 8 ++++++-- 5.23 Element VariableDefinition.adoc | 2 +- 5.24 Element VariableReference.adoc | 2 +- 7.8 VariableReference Evaluation.adoc | 4 ++-- xacml-core-v3-schema-wd-17.xsd | 1 + 5 files changed, 11 insertions(+), 6 deletions(-) diff --git a/5.21 Element Rule.adoc b/5.21 Element Rule.adoc index 1b2c9d7..b33d1e0 100644 --- a/5.21 Element Rule.adoc +++ b/5.21 Element Rule.adoc @@ -1,6 +1,6 @@ = 5.21 Element = -The `` element SHALL define the individual *_rules_* in the *_policy_*. The main components of this element are the ``, ``, `` and `` elements and the `Effect` attribute. +The `` element SHALL define the individual *_rules_* in the *_policy_*. The main components of this element are the ``, ``, ``, `` and `` elements and the `Effect` attribute. A `` element may be evaluated, in which case the evaluation procedure defined in Section 7.10 SHALL be used. @@ -11,9 +11,11 @@ A `` element may be evaluated, in which case the evaluation procedure defi + - + + 
@@ -31,6 +33,8 @@ The `` element contains the following attributes and elements: `` [Optional]:: Identifies the set of *_decision requests_* that the `` element is intended to evaluate. If this element is omitted, then the *_target_* for the `` SHALL be defined by the `` element of the enclosing `` element. See Section 7.7 for details. +`` [Any Number]:: Common variable definitions that can be referenced from anywhere in the ``, `` and `` of this *_rule_* where an expression can be found. + `` [Optional]:: A *_predicate_* that MUST be satisfied for the *_rule_* to be assigned its `Effect` value. `` [Optional]:: A *_conjunctive sequence_* of *_obligation_* expressions which MUST be evaluated into *_obligations_* by the PDP. The corresponsding *_obligations_* MUST be fulfilled by the *_PEP_* in conjunction with the *_authorization decision_*. See Section 7.18 for a description of how the set of *_obligations_* to be returned by the *_PDP_* SHALL be determined. See section 7.2 about enforcement of *_obligations_*. diff --git a/5.23 Element VariableDefinition.adoc b/5.23 Element VariableDefinition.adoc index 4ec9540..b08f818 100644 --- a/5.23 Element VariableDefinition.adoc +++ b/5.23 Element VariableDefinition.adoc 
@@ -1,6 +1,6 @@ = 5.23 Element = -The `` element SHALL be used to define a value that can be referenced by a `` element. The name supplied for its `VariableId` attribute SHALL NOT occur in the `VariableId` attribute of any other `` element within the encompassing *_policy_*. The `` element MAY contain undefined `` elements, but if it does, a corresponding `` element MUST be defined later in the encompassing *_policy_*. `` elements MAY be grouped together or MAY be placed close to the reference in the encompassing *_policy_*. There MAY be zero or more references to each `` element. +The `` element SHALL be used to define a value that can be referenced by a `` element. The name supplied for its `VariableId` attribute SHALL NOT occur in the `VariableId` attribute of any other `` element within the encompassing *_policy_* or *_rule_*. To prevent circular references, a `` element MUST be defined before being referenced by a `` element in the encompassing *_policy_* or *_rule_*. `` elements MAY be grouped together or MAY be placed close to the reference in the encompassing *_policy_* or *_rule_*. There MAY be zero or more references to each `` element. [source,xml] ---- diff --git a/5.24 Element VariableReference.adoc b/5.24 Element VariableReference.adoc index 3bf7665..87e4695 100644 --- a/5.24 Element VariableReference.adoc +++ b/5.24 Element VariableReference.adoc 
@@ -1,6 +1,6 @@ = 5.24 Element = -The `` element is used to reference a value defined within the same encompassing `` element. The `` element SHALL refer to the `` element by *_identifier equality_* on the value of their respective `VariableId` attributes. One and only one `` MUST exist within the same encompassing `` element to which the `` refers. There MAY be zero or more `` elements that refer to the same `` element. +The `` element is used to reference a value defined within the same encompassing `` or `` element. The `` element SHALL refer to the `` element by *_identifier equality_* on the value of their respective `VariableId` attributes. One and only one `` MUST exist within the same encompassing `` or `` element to which the `` refers. There MAY be zero or more `` elements that refer to the same `` element. [source,xml] ---- diff --git a/7.8 VariableReference Evaluation.adoc b/7.8 VariableReference Evaluation.adoc index fa0916b..43680f9 100644 --- a/7.8 VariableReference Evaluation.adoc +++ b/7.8 VariableReference Evaluation.adoc 
@@ -1,7 +1,7 @@ = 7.8 VariableReference Evaluation = -The `` element references a single `` element contained within the same `` element. A `` that does not reference a particular `` element within the encompassing `` element is called an undefined reference. *_Policies_* with undefined references are invalid. +The `` element references a single `` element contained within the same `` or `` element. A `` that does not reference a particular `` element within the encompassing `` or `` element is called an undefined reference. *_Policies_* and *_Rules_* with undefined references are invalid. -In any place where a `` occurs, it has the effect as if the text of the `` element defined in the `` element replaces the `` element. Any evaluation scheme that preserves this semantic is acceptable. For instance, the expression in the `` element may be evaluated to a particular value and cached for multiple references without consequence. (I.e. the value of an `` element remains the same for the entire *_policy_* evaluation.) This characteristic is one of the benefits of XACML being a declarative language. +In any place where a `` occurs, it has the effect as if the text of the `` element defined in the `` element replaces the `` element. Any evaluation scheme that preserves this semantic is acceptable. For instance, the expression in the `` element may be evaluated to a particular value and cached for multiple references without consequence. (I.e. the value of an `` element remains the same for the entire evaluation of the *_policy_* or *_rule_* where the `` is defined.) This characteristic is one of the benefits of XACML being a declarative language. A variable reference containing circular references is invalid. The PDP MUST detect circular references either at policy loading time or during runtime evaluation. 
If the PDP detects a circular reference during runtime the variable reference evaluates to "Indeterminate" with status code urn:oasis:names:tc:xacml:1.0:status:processing-error. diff --git a/xacml-core-v3-schema-wd-17.xsd b/xacml-core-v3-schema-wd-17.xsd index aa75b71..1ccdf2c 100644 --- a/xacml-core-v3-schema-wd-17.xsd +++ b/xacml-core-v3-schema-wd-17.xsd @@ -375,6 +375,7 @@ +
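Review bot: in the second `5.21 Element Rule.adoc` hunk (`@@ -31,6 +33,8 @@`), the new `[Any Number]` entry lacks the cross-reference its neighbours carry (the Target entry ends with "See Section 7.7 for details"); add "See Section 5.23 for details" so readers find the uniqueness and ordering rules that the 5.23 hunk introduces. The phrase "from anywhere in the ..., ... and ... of this rule where an expression can be found" also reads awkwardly; "from any expression within the ..., ... or ... of this rule" says the same thing more tightly. Unrelated to this change, the unchanged context line just below it still has "corresponsding" for "corresponding", worth fixing while the file is open.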
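Review bot: in the `5.23 Element VariableDefinition.adoc` hunk, the new uniqueness sentence ("SHALL NOT occur in the `VariableId` attribute of any other ... element within the encompassing policy or rule") leaves shadowing undefined: it does not say whether a rule-level definition may reuse a `VariableId` already declared in the enclosing policy, nor, if it may, which definition a reference inside the rule resolves to. Suggest either forbidding reuse across the enclosing policy and all of its rules, or stating the resolution order explicitly (innermost scope first). Separately, dropping the old allowance for forward references ("MAY contain undefined ... elements, but ... MUST be defined later") in favour of "MUST be defined before being referenced" is a breaking change for existing policies that rely on forward references; the commit message should say so, and the new rule should state explicitly that a definition's own expression may reference only variables defined earlier, since that is what actually rules out self-reference.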
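Review bot: in the `5.24 Element VariableReference.adoc` hunk, "One and only one ... MUST exist within the same encompassing ... or ... element to which the ... refers" can be read as requiring the definition to sit in the immediately enclosing element, which would prevent a reference inside a rule from using a definition declared in the parent policy; the 5.21 hunk ("Common variable definitions that can be referenced from anywhere in the ... of this rule") reads as if rule-level definitions are additive to policy-level ones rather than a replacement. Suggest rewording to "within the encompassing rule, or otherwise within the encompassing policy" and stating the lookup order, so the two sections agree.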
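Review bot: in the `7.8 VariableReference Evaluation.adoc` hunk, the unchanged context line "The PDP MUST detect circular references either at policy loading time or during runtime evaluation" now sits awkwardly beside the new 5.23 text, which introduces define-before-use precisely "To prevent circular references": if the ordering rule is enforced at load time, a cycle can no longer arise at runtime, so either 7.8 should drop the runtime branch (and the "Indeterminate" / processing-error clause that follows it) or 5.23 should stop presenting the ordering rule as the mechanism that prevents cycles. The rewritten parenthetical "remains the same for the entire evaluation of the policy or rule where the ... is defined" should also say whether a policy-level variable referenced from several rules is evaluated once per policy evaluation or once per rule evaluation, since that is the cache scope an implementer needs.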
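Review bot: in the `xacml-core-v3-schema-wd-17.xsd` hunk (`@@ -375,6 +375,7 @@`), the single added element line needs its cardinality and position checked against the prose: the 5.21 hunk documents the new child as `[Any Number]`, so the element declaration must carry `minOccurs="0" maxOccurs="unbounded"`, and its place in the Rule content model must match the order in which the 5.21 listing describes it (after the Target entry, before the Condition entry), or schema-valid policies and the text will disagree.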