Attribute filter policy conditional on existence of attribute?
Baron Fujimoto
baron at hawaii.edu
Fri Nov 18 01:41:04 UTC 2022
I'd like to define an AttributeFilterPolicy that conditionally releases one
of two attributes depending on whether one of the two exists or not. In
pseudocode, essentially:
    If ( defined attrFoo ) {
        permit attrFoo
    }
    else {
        permit attrBar
    }
There's probably a best practice way to accomplish this, which isn't the
following, and I would appreciate any suggestions.
My first (failed) attempt was something like:
    <AttributeFilterPolicy id="example">
        <PolicyRequirementRule xsi:type="Requester"
                               value="https://example.com/sp" />
        <AttributeRule attributeID="attrFoo">
            <PermitValueRule xsi:type="NumberOfAttributeValues"
                             attributeID="attrFoo" minimum="1" maximum="1" />
        </AttributeRule>
        <AttributeRule attributeID="attrBar">
            <PermitValueRule xsi:type="NumberOfAttributeValues"
                             attributeID="attrFoo" minimum="0" maximum="0" />
        </AttributeRule>
    </AttributeFilterPolicy>
But this resulted in an error:
    ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:232] - Service 'shibboleth.AttributeFilterService': Reload for shibboleth.AttributeFilterService failed
    net.shibboleth.utilities.java.support.service.ServiceException: Failed to load [file [/home/shib/idp/conf/attribute-filter.xml], class path resource [net/shibboleth/idp/conf/attribute-filter-system.xml]]
        at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:387)
    [...]
    Caused by: org.springframework.beans.PropertyBatchUpdateException: Failed properties: Property 'maximum' threw exception; nested exception is net.shibboleth.utilities.java.support.logic.ConstraintViolationException: max value must be > 0
        at org.springframework.beans.AbstractPropertyAccessor.setPropertyValues(AbstractPropertyAccessor.java:135)
The wiki page for NumberOfAttributeValuesConfiguration at
<https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631533/NumberOfAttributeValuesConfiguration>
says:
"The policy returns true iff the number of values is >= 'minimum' and the
number of values is <= 'maximum'." and that maximum must be a,
"Non-negative (>=0) Integer", so it seems like this should have worked? Or
are the docs incorrect and it should really be "Positive (>0) Integer"? Or
I'm missing something else (and moot, if there's a better way to accomplish
this)?
This is IdP v4.2.1
--
Baron Fujimoto <baron at hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
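
Added example, not part of the original post and not Shibboleth project code: a pre-reload check that scans a filter file for NumberOfAttributeValues rules whose `maximum` would trigger the "max value must be > 0" exception reported above for IdP v4.2.1. The function name `find_rejected_maximums`, the wrapping AttributeFilterPolicyGroup element and the namespace declarations in the sample are assumptions added so the policy parses on its own.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the policy from the post, wrapped in a group element
# with namespace declarations (assumed) so that it parses stand-alone.
SAMPLE = """<AttributeFilterPolicyGroup id="sample"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="example">
    <PolicyRequirementRule xsi:type="Requester" value="https://example.com/sp" />
    <AttributeRule attributeID="attrFoo">
      <PermitValueRule xsi:type="NumberOfAttributeValues"
                       attributeID="attrFoo" minimum="1" maximum="1" />
    </AttributeRule>
    <AttributeRule attributeID="attrBar">
      <PermitValueRule xsi:type="NumberOfAttributeValues"
                       attributeID="attrFoo" minimum="0" maximum="0" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def find_rejected_maximums(filter_xml):
    """Return (policy id, rule attributeID, maximum) for every
    NumberOfAttributeValues rule whose maximum is not > 0."""
    findings = []
    root = ET.fromstring(filter_xml)
    for policy in root.iter():
        # Compare local names so the check works with or without a namespace.
        if policy.tag.rsplit("}", 1)[-1] != "AttributeFilterPolicy":
            continue
        for rule in policy:
            for matcher in rule.iter():
                # xsi:type may carry a prefix, e.g. "afp:NumberOfAttributeValues".
                xsi_type = matcher.get(XSI_TYPE, "")
                if xsi_type.split(":")[-1] != "NumberOfAttributeValues":
                    continue
                maximum = matcher.get("maximum")
                if maximum is not None and int(maximum) <= 0:
                    findings.append(
                        (policy.get("id"), rule.get("attributeID"), int(maximum)))
    return findings


if __name__ == "__main__":
    for policy_id, attr, maximum in find_rejected_maximums(SAMPLE):
        print(f"policy {policy_id!r}, rule for {attr!r}: maximum={maximum} "
              "would be rejected (max value must be > 0)")
```

Run against the sample, it flags only the attrBar rule, the one carrying `maximum="0"`.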