Ripped out stale 1.3 XML parsing code.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 19 Sep 2006 13:56:59 +0000 (13:56 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 19 Sep 2006 13:56:59 +0000 (13:56 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2043 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

tests/edu/internet2/middleware/shibboleth/aa/arp/ArpConstraintTests.java

index 2a9090f..790c26e 100644 (file)
@@ -38,7 +38,6 @@ import org.xml.sax.InputSource;
 import edu.internet2.middleware.shibboleth.aa.AAAttribute;
 import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
 import edu.internet2.middleware.shibboleth.idp.IdPConfig;
-import edu.internet2.middleware.shibboleth.xml.Parser;
 
 /**
  * Validation suite for <code>Arp</code> Constraint processing.
@@ -48,11 +47,10 @@ import edu.internet2.middleware.shibboleth.xml.Parser;
 
 public class ArpConstraintTests extends TestCase {
 
-    Logger log = Logger.getLogger(ArpConstraintTests.class);
-       private Parser.DOMParser parser = new Parser.DOMParser(true);
+       Logger log = Logger.getLogger(ArpConstraintTests.class);
        private Element memoryRepositoryElement;
        private ArpRepository repository;
-       
+
        public ArpConstraintTests(String name) {
 
                super(name);
@@ -92,7 +90,7 @@ public class ArpConstraintTests extends TestCase {
                } catch (ParserConfigurationException e) {
                        fail("Failed to create memory-based Arp Repository configuration" + e);
                }
-               
+
                try {
                        repository = ArpRepositoryFactory.getInstance(memoryRepositoryElement);
                } catch (ArpRepositoryException e) {
@@ -100,813 +98,174 @@ public class ArpConstraintTests extends TestCase {
                }
        }
 
-       
-    /**
-     * test to ensure that attributes needed for constraints are included when listing possible attributes
-     *
-     */
-    public void testConstraintAttributeSetComputation() {
-
-        try {
-            Principal principal1 = new LocalPrincipal("TestPrincipal");
-            
-            Collection<URI> expectedAttributes = new HashSet<URI>();
-            expectedAttributes.add(new URI("urn:mace:dir:attribute-def:foo"));
-            
-            String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:foo\" matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />"
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-
-            parser.parse(new InputSource(new StringReader(rawArp)));
-            Arp arp1 = new Arp();
-            arp1.marshall(parser.getDocument().getDocumentElement());
-            repository.update(arp1);
-            ArpEngine engine = new ArpEngine(repository);
-            Collection<URI> possibleAttributes = engine.listPossibleReleaseAttributes(principal1, "shar.example.edu");
-
-            Collection<URI> constraintAttributes = engine.listRequiredConstraintAttributes(principal1, "shar.example.edu", possibleAttributes);
-            
-            assertEquals("Incorrectly computed constraint release set.", expectedAttributes, constraintAttributes);
-            
-        } catch (Exception e) {
-            e.printStackTrace();
-            fail("Failed to marshall ARP: " + e);
-        }
-
-    }
-
-    
-    /**
-     * Use Case: must have an attribute
-     * Logical expression: P (no specific value)
-     * Example:  release uid only if user has attribute "foo"
-     */
-    public void testArpConstraint1() throws Exception {
-        
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:foo\" matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 1a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 1b: ARP not applied as expected.", releaseSet2, inputSet2);
-  
-    }
-
-
-    /**
-     * Use Case: must not have an attribute
-     * Logical expression: not P
-     * Example:  release uid only if user does not have attribute "foo"
-     */
-    public void testArpConstraint2() throws Exception {
-        
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:foo\""
-                + "                                    matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\""
-                + "                                    matches=\"none\" />" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 2a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 2b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use Case: must have a specific attribute value
-     * Logical expression: Px (specific value)
-     * Example:  release uid only if user has affiliation "member"
-     */
-    public void testArpConstraint3() throws Exception {
-        
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">member</Constraint>"  
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"member"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 3a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 3b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-
-    
-    /**
-     * Use Case: must have an attribute value that matches a regular expression
-     * Logical expression: Pe (regular expression)
-     * Example:  release uid only if user has scoped affiliation matching the regular
-     *   expression ".*\@example\.edu"
-     */
-    public void testArpConstraint4() throws Exception {
-        
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:eduPersonScopedAffiliation\""
-                + "                                    matchFunction=\"urn:mace:shibboleth:arp:matchFunction:regexMatch\""
-                + "                                    matches=\"any\">.*@example\\.edu</Constraint>"
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonScopedAffiliation", new Object[]{"member@example.edu"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 4a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonScopedAffiliation", new Object[]{"member@testshib.org"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 4b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use Case: must not have a specific attribute value
-     * Logical expression: not Px
-     * Example:  release uid only if user does not have affiliation "student"
-     *   (lack of attribute is permitted)
-     */
-    public void testArpConstraint5() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
-                + "                                    matches=\"none\">student</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 5a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test another user who meets constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 5b: ARP not applied as expected.", releaseSet2, inputSet2);
-        
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "student"}));
-        
-        Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet3, principal, "shar.example.edu");
-        assertEquals("ARP application test 5c: ARP not applied as expected.", releaseSet3, inputSet3);
-    
-        
-
-    
-    }
-    
-    
-    /**
-     * Use case: must have at least one of multiple attribute values
-     * Logical expression: Px or Py
-     * Example: release uid only if user has affiliation of "faculty" or "staff"
-     */
-    public void testArpConstraint6() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
-                + "                                    matchFunction=\"urn:mace:shibboleth:arp:matchFunction:regexMatch\""
-                + "                                    matches=\"any\">(faculty|staff)</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"faculty"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 6a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 6b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use case: must have multiple specific values for the same attribute
-     * Logical expression: Px and Py
-     * Example:  release uid only if user has entitlements "urn:x:foo" and "urn:x:bar"
-     */
-    public void testArpConstraint7() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>" 
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:bar</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo", "urn:x:bar"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 7a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();        
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 7b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use case: must have one specific attribute value, but cannot have another
-     * Logical expression: Px and not Py
-     * Example:  release uid for all users who have an affilation of "staff"
-     *   AND do not have an affiliation of "student"
-     */
-    public void testArpConstraint8() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\" matches=\"any\">staff</Constraint>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\" matches=\"none\">student</Constraint>"
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "faculty"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 8a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "student"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 8b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use case: must have an attribute value, but deny a specific one
-     * Logical expression: P and not Px
-     * Example:   release uid for all users who have an affiliation (any value), 
-     *   but not for those that have an affiliation of "student"
-     *   (lack of attribute is denied)
-     */
-    public void testArpConstraint9() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
-                + "                                    matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
-                + "                                    matches=\"none\">student</Constraint>"
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 9a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "student"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 9b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-        
-        // test another user who does not meet constraint
-        Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        
-        Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet3, principal, "shar.example.edu");
-        assertEquals("ARP application test 9c: ARP not applied as expected.", releaseSet3, inputSet3);
-    
-    }
-    
-    
-    /**
-     * Use case: must have specific values for two separate attributes
-     * Logical expression: Px and Qy
-     * Example:  release uid only if user has entitlement "urn:x:foo" 
-     *   and has affiliation of "faculty"
-     */
-    public void testArpConstraint10() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>" 
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">faculty</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "faculty"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 10a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff", "student"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 10b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
-    
-    /**
-     * Use case: must have one attribute value or not a value for another attribute
-     * Logical expression: Px or not Qy
-     * Example:  release uid only if user has an affiliation of "staff" 
-     *   or if the user does not have isPrivate equal to "Y" 
-     */
-    public void testArpConstraint11() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">staff</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:isPrivate\" matches=\"none\">Y</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"Y"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 11a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test another user who meets constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"N"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
-
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 11a: ARP not applied as expected.", releaseSet2, inputSet2);
-        
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"Y"}));
-        inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
-        
-        Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
-        
-        engine.filterAttributes(inputSet3, principal, "shar.example.edu");
-        assertEquals("ARP application test 11c: ARP not applied as expected.", releaseSet3, inputSet3);
-    
-    }
-    
-    
-    /**
-     * Use case: release additional attributes for a subset of users
-     * Example:  release targetedId for all users with entitlement "urn:x:foo".
-     *   also release uid for users without ferpaSuppression
-     */
-    public void testArpConstraint12() throws Exception {
-
-        String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
-                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
-                + "         <Rule>"
-                + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:eduPersonTargetedID\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + "         <Rule>"
-                + "             <Constraint"
-                + "                                    attributeName=\"urn:mace:dir:attribute-def:ferpaSuppression\""
-                + "                                    matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\""
-                + "                                    matches=\"none\" />" 
-                + "             <Target>"
-                + "                 <AnyTarget/>"
-                + "             </Target>"
-                + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
-                + "                 <AnyValue release=\"permit\"/>"
-                + "             </Attribute>"
-                + "         </Rule>"
-                + " </AttributeReleasePolicy>";
-        
-        // Setup the engine
-        parser.parse(new InputSource(new StringReader(rawArp)));
-        Arp siteArp = new Arp();
-        siteArp.marshall(parser.getDocument().getDocumentElement());
-        repository.update(siteArp);
-        ArpEngine engine = new ArpEngine(repository);
-        
-        Principal principal = new LocalPrincipal("TestPrincipal");
-        
-        
-        // test user who meets constraint
-        Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID", new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
-        inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
-
-        Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID", new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
-
-        engine.filterAttributes(inputSet1, principal, "shar.example.edu");
-        assertEquals("ARP application test 12a: ARP not applied as expected.", releaseSet1, inputSet1);
-
-        
-        // test user who does not meet constraint
-        Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID", new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
-        inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:ferpaSuppression", new Object[]{"2006-01-01"}));
-        
-        Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
-        releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID", new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
-        
-        engine.filterAttributes(inputSet2, principal, "shar.example.edu");
-        assertEquals("ARP application test 12b: ARP not applied as expected.", releaseSet2, inputSet2);
-    
-    }
-    
        /**
-        * Use Case: must have only a specific attribute value
-        * Example:  release uid only if user has a specific value for attribute "foo", but not if it has other values
+        * test to ensure that attributes needed for constraints are included when listing possible attributes
         */
-       public void testArpConstraint13() throws Exception {
+       public void testConstraintAttributeSetComputation() {
+
+               try {
+                       Principal principal1 = new LocalPrincipal("TestPrincipal");
+
+                       Collection<URI> expectedAttributes = new HashSet<URI>();
+                       expectedAttributes.add(new URI("urn:mace:dir:attribute-def:foo"));
+
+                       String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                                       + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                                       + "         <Rule>"
+                                       + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:foo\" matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />"
+                                       + "             <Target>" 
+                                       + "                 <AnyTarget/>" 
+                                       + "             </Target>"
+                                       + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                                       + "                 <AnyValue release=\"permit\"/>" 
+                                       + "             </Attribute>"
+                                       + "         </Rule>" 
+                                       + " </AttributeReleasePolicy>";
+
+                       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+                       factory.setValidating(false);
+                       factory.setNamespaceAware(true);
+                       Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+
+                       Arp arp1 = new Arp();
+                       arp1.marshall(doc.getDocumentElement());
+                       repository.update(arp1);
+                       ArpEngine engine = new ArpEngine(repository);
+                       Collection<URI> possibleAttributes = engine.listPossibleReleaseAttributes(principal1, "shar.example.edu");
+
+                       Collection<URI> constraintAttributes = engine.listRequiredConstraintAttributes(principal1,
+                                       "shar.example.edu", possibleAttributes);
+
+                       assertEquals("Incorrectly computed constraint release set.", expectedAttributes, constraintAttributes);
+
+               } catch (Exception e) {
+                       e.printStackTrace();
+                       fail("Failed to marshall ARP: " + e);
+               }
+
+       }
+
+       /**
+        * Use Case: must have an attribute Logical expression: P (no specific value) Example: release uid only if user has
+        * attribute "foo"
+        */
+       public void testArpConstraint1() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:foo\" matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 1a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 1b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use Case: must not have an attribute Logical expression: not P Example: release uid only if user does not have
+        * attribute "foo"
+        */
+       public void testArpConstraint2() throws Exception {
 
                String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                                + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
                                + "         <Rule>" 
                                + "             <Constraint"
                                + "                                     attributeName=\"urn:mace:dir:attribute-def:foo\""
-                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:stringMatch\""
-                               + "                                     matches=\"all\">bar</Constraint>"
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\""
+                               + "                                     matches=\"none\" />" 
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>"
+                               + "             </Target>" 
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 2a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 2b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use Case: must have a specific attribute value Logical expression: Px (specific value) Example: release uid only
+        * if user has affiliation "member"
+        */
+       public void testArpConstraint3() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">member</Constraint>"
                                + "             <Target>" 
                                + "                 <AnyTarget/>" 
                                + "             </Target>"
@@ -917,9 +276,13 @@ public class ArpConstraintTests extends TestCase {
                                + " </AttributeReleasePolicy>";
 
                // Setup the engine
-               parser.parse(new InputSource(new StringReader(rawArp)));
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
                Arp siteArp = new Arp();
-               siteArp.marshall(parser.getDocument().getDocumentElement());
+               siteArp.marshall(doc.getDocumentElement());
                repository.update(siteArp);
                ArpEngine engine = new ArpEngine(repository);
 
@@ -928,7 +291,7 @@ public class ArpConstraintTests extends TestCase {
                // test user who meets constraint
                Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
                inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
-               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"member"}));
 
                Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
                releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
@@ -939,13 +302,657 @@ public class ArpConstraintTests extends TestCase {
                // test user who does not meet constraint
                Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
                inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
 
                Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
 
                engine.filterAttributes(inputSet2, principal, "shar.example.edu");
                assertEquals("ARP application test 3b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use Case: must have an attribute value that matches a regular expression Logical expression: Pe (regular
+        * expression) Example: release uid only if user has scoped affiliation matching the regular expression
+        * ".*\@example\.edu"
+        */
+       public void testArpConstraint4() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>" + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:eduPersonScopedAffiliation\""
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:regexMatch\""
+                               + "                                     matches=\"any\">.*@example\\.edu</Constraint>" 
+                               + "             <Target>"
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+                               new Object[]{"member@example.edu"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 4a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+                               new Object[]{"member@testshib.org"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 4b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use Case: must not have a specific attribute value Logical expression: not Px Example: release uid only if user
+        * does not have affiliation "student" (lack of attribute is permitted)
+        */
+       public void testArpConstraint5() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>" 
+                               + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
+                               + "                                     matches=\"none\">student</Constraint>" 
+                               + "             <Target>"
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 5a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test another user who meets constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+               releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 5b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "student"}));
+
+               Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet3, principal, "shar.example.edu");
+               assertEquals("ARP application test 5c: ARP not applied as expected.", releaseSet3, inputSet3);
+
+       }
+
+       /**
+        * Use case: must have at least one of multiple attribute values Logical expression: Px or Py Example: release uid
+        * only if user has affiliation of "faculty" or "staff"
+        */
+       public void testArpConstraint6() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>" 
+                               + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:regexMatch\""
+                               + "                                     matches=\"any\">(faculty|staff)</Constraint>" 
+                               + "             <Target>"
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
                
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"faculty"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 6a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 6b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use case: must have multiple specific values for the same attribute Logical expression: Px and Py Example:
+        * release uid only if user has entitlements "urn:x:foo" and "urn:x:bar"
+        */
+       public void testArpConstraint7() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:bar</Constraint>"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
                
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo",
+                               "urn:x:bar"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 7a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 7b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use case: must have one specific attribute value, but cannot have another Logical expression: Px and not Py
+        * Example: release uid for all users who have an affilation of "staff" AND do not have an affiliation of "student"
+        */
+       public void testArpConstraint8() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\" matches=\"any\">staff</Constraint>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\" matches=\"none\">student</Constraint>"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "faculty"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 8a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "student"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 8b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use case: must have an attribute value, but deny a specific one Logical expression: P and not Px Example: release
+        * uid for all users who have an affiliation (any value), but not for those that have an affiliation of "student"
+        * (lack of attribute is denied)
+        */
+       public void testArpConstraint9() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>" 
+                               + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\" />"
+                               + "             <Constraint" 
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\""
+                               + "                                     matches=\"none\">student</Constraint>" 
+                               + "             <Target>"
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 9a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "student"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 9b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+               // test another user who does not meet constraint
+               Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet3, principal, "shar.example.edu");
+               assertEquals("ARP application test 9c: ARP not applied as expected.", releaseSet3, inputSet3);
+
+       }
+
+       /**
+        * Use case: must have specific values for two separate attributes Logical expression: Px and Qy Example: release
+        * uid only if user has entitlement "urn:x:foo" and has affiliation of "faculty"
+        */
+       public void testArpConstraint10() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">faculty</Constraint>"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "faculty"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 10a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff",
+                               "student"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 10b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use case: must have one attribute value or not a value for another attribute Logical expression: Px or not Qy
+        * Example: release uid only if user has an affiliation of "staff" or if the user does not have isPrivate equal to
+        * "Y"
+        */
+       public void testArpConstraint11() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonAffiliation\">staff</Constraint>"
+                               + "             <Target>"
+                               + "                 <AnyTarget/>"
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>"
+                               + "             </Attribute>"
+                               + "         </Rule>"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:isPrivate\" matches=\"none\">Y</Constraint>"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"Y"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"staff"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 11a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test another user who meets constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"N"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+               releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 11a: ARP not applied as expected.", releaseSet2, inputSet2);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:isPrivate", new Object[]{"Y"}));
+               inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonAffiliation", new Object[]{"student"}));
+
+               Collection<AAAttribute> releaseSet3 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet3, principal, "shar.example.edu");
+               assertEquals("ARP application test 11c: ARP not applied as expected.", releaseSet3, inputSet3);
+
+       }
+
+       /**
+        * Use case: release additional attributes for a subset of users Example: release targetedId for all users with
+        * entitlement "urn:x:foo". also release uid for users without ferpaSuppression
+        */
+       public void testArpConstraint12() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>"
+                               + "             <Constraint attributeName=\"urn:mace:dir:attribute-def:eduPersonEntitlement\">urn:x:foo</Constraint>"
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>" 
+                               + "             </Target>"
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:eduPersonTargetedID\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + "         <Rule>" 
+                               + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:ferpaSuppression\""
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:anyValueMatch\""
+                               + "                                     matches=\"none\" />" 
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>"
+                               + "             </Target>" 
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID",
+                               new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID",
+                               new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 12a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID",
+                               new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonEntitlement", new Object[]{"urn:x:foo"}));
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:ferpaSuppression", new Object[]{"2006-01-01"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+               releaseSet2.add(new AAAttribute("urn:mace:dir:attribute-def:eduPersonTargetedID",
+                               new Object[]{"2b00042f7481c7b056c4b410d28f33cf"}));
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 12b: ARP not applied as expected.", releaseSet2, inputSet2);
+
+       }
+
+       /**
+        * Use Case: must have only a specific attribute value Example: release uid only if user has a specific value for
+        * attribute "foo", but not if it has other values
+        */
+       public void testArpConstraint13() throws Exception {
+
+               String rawArp = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                               + "<AttributeReleasePolicy xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"urn:mace:shibboleth:arp:1.0\" xsi:schemaLocation=\"urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd\">"
+                               + "         <Rule>" 
+                               + "             <Constraint"
+                               + "                                     attributeName=\"urn:mace:dir:attribute-def:foo\""
+                               + "                                     matchFunction=\"urn:mace:shibboleth:arp:matchFunction:stringMatch\""
+                               + "                                     matches=\"all\">bar</Constraint>" 
+                               + "             <Target>" 
+                               + "                 <AnyTarget/>"
+                               + "             </Target>" 
+                               + "             <Attribute name=\"urn:mace:dir:attribute-def:uid\">"
+                               + "                 <AnyValue release=\"permit\"/>" 
+                               + "             </Attribute>" 
+                               + "         </Rule>"
+                               + " </AttributeReleasePolicy>";
+
+               // Setup the engine
+               DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+               factory.setValidating(false);
+               factory.setNamespaceAware(true);
+               Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(rawArp)));
+               
+               Arp siteArp = new Arp();
+               siteArp.marshall(doc.getDocumentElement());
+               repository.update(siteArp);
+               ArpEngine engine = new ArpEngine(repository);
+
+               Principal principal = new LocalPrincipal("TestPrincipal");
+
+               // test user who meets constraint
+               Collection<AAAttribute> inputSet1 = new ArrayList<AAAttribute>();
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+               inputSet1.add(new AAAttribute("urn:mace:dir:attribute-def:foo", new Object[]{"bar"}));
+
+               Collection<AAAttribute> releaseSet1 = new ArrayList<AAAttribute>();
+               releaseSet1.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               engine.filterAttributes(inputSet1, principal, "shar.example.edu");
+               assertEquals("ARP application test 3a: ARP not applied as expected.", releaseSet1, inputSet1);
+
+               // test user who does not meet constraint
+               Collection<AAAttribute> inputSet2 = new ArrayList<AAAttribute>();
+               inputSet2.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));
+
+               Collection<AAAttribute> releaseSet2 = new ArrayList<AAAttribute>();
+
+               engine.filterAttributes(inputSet2, principal, "shar.example.edu");
+               assertEquals("ARP application test 3b: ARP not applied as expected.", releaseSet2, inputSet2);
+
                // test another user who does not meet constraint
                Collection<AAAttribute> inputSet3 = new ArrayList<AAAttribute>();
                inputSet3.add(new AAAttribute("urn:mace:dir:attribute-def:uid", new Object[]{"gpburdell"}));