Possible Release Set now excludes attributes for which "deny any value" is set.

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@382 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

diff --git a/src/edu/internet2/middleware/shibboleth/aa/arp/ArpEngine.java b/src/edu/internet2/middleware/shibboleth/aa/arp/ArpEngine.java
index f79d900..a6b9ebd 100755 (executable)
--- a/src/edu/internet2/middleware/shibboleth/aa/arp/ArpEngine.java
+++ b/src/edu/internet2/middleware/shibboleth/aa/arp/ArpEngine.java
@@ -156,12 +156,15 @@ public class ArpEngine {
        URI[] listPossibleReleaseAttributes(Principal principal, String requester, URL resource)
                throws ArpProcessingException {
                Set possibleReleaseSet = new HashSet();
+               Set anyValueDenies = new HashSet();
                Rule[] rules = createEffectiveArp(principal, requester, resource).getAllRules();
                for (int i = 0; rules.length > i; i++) {
                        Rule.Attribute[] attributes = rules[i].getAttributes();
                        for (int j = 0; attributes.length > j; j++) {
                                if (attributes[j].releaseAnyValue()) {
                                        possibleReleaseSet.add(attributes[j].getName());
+                               } else if (attributes[j].denyAnyValue()) {
+                                       anyValueDenies.add(attributes[j].getName());
                                } else {
                                        Rule.AttributeValue[] values = attributes[j].getValues();
                                        for (int k = 0; values.length > k; k++) {
@@ -173,6 +176,7 @@ public class ArpEngine {
                                }
                        }
                }
+               possibleReleaseSet.removeAll(anyValueDenies);
                return (URI[]) possibleReleaseSet.toArray(new URI[0]);
        }
 

diff --git a/src/edu/internet2/middleware/shibboleth/aa/arp/ArpTests.java b/src/edu/internet2/middleware/shibboleth/aa/arp/ArpTests.java
index dd440e1..3e7f2f5 100755 (executable)
--- a/src/edu/internet2/middleware/shibboleth/aa/arp/ArpTests.java
+++ b/src/edu/internet2/middleware/shibboleth/aa/arp/ArpTests.java
@@ -398,6 +398,7 @@ public class ArpTests extends TestCase {
                                {
                                        new URI("urn:mace:eduPerson:1.0:eduPersonAffiliation"),
                                        new URI("urn:mace:eduPerson:1.0:eduPersonPrincipalName")};
+                       URI[] list3 = new URI[0];
                                        
                        //Test with just a site ARP
                        InputStream inStream = new FileInputStream("test/arp1.xml");
@@ -420,6 +421,17 @@ public class ArpTests extends TestCase {
                        repository.update(arp7);
                        possibleAttributes = engine.listPossibleReleaseAttributes(principal1, "shar.example.edu", url1);
                        assertTrue("Incorrectly computed possible release set.", Arrays.equals(possibleAttributes, list2));
+                       
+                       //Ensure that explicit denies on any value are not in the release set
+                       inStream = new FileInputStream("test/arp6.xml");
+                       parser.parse(new InputSource(inStream));
+                       Arp arp6 = new Arp();
+                       arp6.setPrincipal(principal1);
+                       arp6.marshall(parser.getDocument().getDocumentElement());
+                       repository.update(arp6);
+                       possibleAttributes = engine.listPossibleReleaseAttributes(principal1, "shar.example.edu", url1);
+                       assertTrue("Incorrectly computed possible release set.", Arrays.equals(possibleAttributes, list3));
+                       
                } catch (Exception e) {
                        e.printStackTrace();
                        fail("Failed to marshall ARP: " + e);

diff --git a/src/edu/internet2/middleware/shibboleth/aa/arp/Rule.java b/src/edu/internet2/middleware/shibboleth/aa/arp/Rule.java
index a67f37e..ee0b004 100755 (executable)
--- a/src/edu/internet2/middleware/shibboleth/aa/arp/Rule.java
+++ b/src/edu/internet2/middleware/shibboleth/aa/arp/Rule.java
@@ -350,6 +350,13 @@ public class Rule {
                        return false;
                }
                
+               boolean denyAnyValue() {
+                       if (anyValueRelease.equals("deny")) {
+                               return anyValue;
+                       }
+                       return false;
+               }
+               
                URI getName() {
                        return name;    
                }

diff --git a/test/arp6.xml b/test/arp6.xml
new file mode 100755 (executable)
index 0000000..cacf2f7
--- /dev/null
+++ b/test/arp6.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ARP.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+       <Description>Any Target.  One attribute with no values.</Description>
+       <Rule>
+               <Target>
+                       <AnyTarget/>
+               </Target>
+               <Attribute name="urn:mace:eduPerson:1.0:eduPersonAffiliation">
+                       <AnyValue release="deny"/>
+               </Attribute>
+       </Rule>
+</AttributeReleasePolicy>
\ No newline at end of file

diff --git a/test/arp7.xml b/test/arp7.xml
index 6964f5c..e71630e 100755 (executable)
--- a/test/arp7.xml
+++ b/test/arp7.xml
@@ -1,3 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="ARP.xsd">
        <Description>A specific SHAR and a regex resource.</Description>
        <Rule>