From 36b223930f3e7c2603746808063d15de9b7c48a7 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 5 May 2016 14:10:37 -0400
Subject: [PATCH] SSPCPP-697 - Align the filter schema(s) and functor types
 where feasible.

https://issues.shibboleth.net/jira/browse/SSPCPP-697

Brought over some of the schema changes since V3.
Added AttributeIssuerRegistrationAuthority for SP use.
---
 schemas/shibboleth-2.0-afp-mf-basic.xsd |  48 ++------------
 schemas/shibboleth-2.0-afp-mf-saml.xsd  | 109 +++++++++++++++++++++++++++++++-
 2 files changed, 114 insertions(+), 43 deletions(-)

diff --git a/schemas/shibboleth-2.0-afp-mf-basic.xsd b/schemas/shibboleth-2.0-afp-mf-basic.xsd
index 24d1526..608b1c8 100644
--- a/schemas/shibboleth-2.0-afp-mf-basic.xsd
+++ b/schemas/shibboleth-2.0-afp-mf-basic.xsd
@@ -28,7 +28,7 @@
         </annotation>
         <complexContent>
             <extension base="afp:MatchFunctorType">
-                <choice minOccurs="2" maxOccurs="unbounded">
+                <choice maxOccurs="unbounded">
                     <element name="Rule" type="afp:MatchFunctorType">
                         <annotation>
                             <documentation>
@@ -56,18 +56,18 @@
         </annotation>
         <complexContent>
             <extension base="afp:MatchFunctorType">
-                <choice minOccurs="2" maxOccurs="unbounded">
+                <choice maxOccurs="unbounded">
                     <element name="Rule" type="afp:MatchFunctorType">
                         <annotation>
                             <documentation>
-                                The set of match function rules to be ANDed.
+                                The set of match function rules to be ORed.
                             </documentation>
                         </annotation>
                     </element>
                     <element name="RuleReference" type="afp:ReferenceType">
                         <annotation>
                             <documentation>
-                                The set of match function rules to be ANDed.
+                                The set of match function rules to be ORed.
                             </documentation>
                         </annotation>
                     </element>
@@ -88,14 +88,14 @@
                     <element name="Rule" type="afp:MatchFunctorType">
                         <annotation>
                             <documentation>
-                                The set of match function rules to be ANDed.
+                                The set of match function rules to be negated.
                             </documentation>
                         </annotation>
                     </element>
                     <element name="RuleReference" type="afp:ReferenceType">
                         <annotation>
                             <documentation>
-                                The set of match function rules to be ANDed.
+                                The set of match function rules to be negated.
                             </documentation>
                         </annotation>
                     </element>
@@ -304,42 +304,6 @@
         </complexContent>
     </complexType>
 
-    <!-- Misc. Functions -->
-    <complexType name="Script">
-        <annotation>
-            <documentation>
-                A match function that evaluates a script to determine if some criteria is met. The script MUST return a
-                boolean.
-            </documentation>
-        </annotation>
-        <complexContent>
-            <extension base="afp:MatchFunctorType">
-                <choice>
-                    <element name="Script" type="string" minOccurs="0">
-                        <annotation>
-                            <documentation>The script to evaluate to construct the attribute.</documentation>
-                        </annotation>
-                    </element>
-                    <element name="ScriptFile" type="string" minOccurs="0">
-                        <annotation>
-                            <documentation>
-                                The filesystem path to the script to evaluate to construct the attribute.
-                            </documentation>
-                        </annotation>
-                    </element>
-                </choice>
-                <attribute name="language" type="string">
-                    <annotation>
-                        <documentation>
-                            The JSR-233 name for the scripting language that will be used. By default "javascript" is
-                            supported.
-                        </documentation>
-                    </annotation>
-                </attribute>
-            </extension>
-        </complexContent>
-    </complexType>
-
     <complexType name="NumberOfAttributeValues">
         <annotation>
             <documentation>
diff --git a/schemas/shibboleth-2.0-afp-mf-saml.xsd b/schemas/shibboleth-2.0-afp-mf-saml.xsd
index 9494070..86380b1 100644
--- a/schemas/shibboleth-2.0-afp-mf-saml.xsd
+++ b/schemas/shibboleth-2.0-afp-mf-saml.xsd
@@ -1,5 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" xmlns:afp="urn:mace:shibboleth:2.0:afp" targetNamespace="urn:mace:shibboleth:2.0:afp:mf:saml" elementFormDefault="qualified">
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+	xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+	xmlns:afp="urn:mace:shibboleth:2.0:afp"
+	targetNamespace="urn:mace:shibboleth:2.0:afp:mf:saml"
+	elementFormDefault="qualified"
+	version="2.6">
 
     <import namespace="urn:mace:shibboleth:2.0:afp" schemaLocation="classpath:/schema/shibboleth-2.0-afp.xsd" />
 
@@ -22,11 +27,25 @@
         </complexContent>
     </complexType>
 
+    <complexType name="EntityAttributeExactMatch">
+        <annotation>
+            <documentation>
+                A match function that checks if the attribute requester contains an entity attribute with the
+                specified value.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:EntityAttributeExactMatchType"/>
+        </complexContent>
+    </complexType>
+
     <complexType name="AttributeRequesterEntityAttributeExactMatch">
         <annotation>
             <documentation>
                 A match function that checks if the attribute requester contains an entity attribute with the
                 specified value.
+                
+                Deprecated in favor of "EntityAttributeExactMatch".
             </documentation>
         </annotation>
         <complexContent>
@@ -68,11 +87,25 @@
         </complexContent>
     </complexType>
 
+    <complexType name="EntityAttributeRegexMatch">
+        <annotation>
+            <documentation>
+                A match function that checks if the attribute requester contains an entity attribute with a
+                value that matches the given regular expression.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:EntityAttributeRegexMatchType"/>
+        </complexContent>
+    </complexType>
+
     <complexType name="AttributeRequesterEntityAttributeRegexMatch">
         <annotation>
             <documentation>
                 A match function that checks if the attribute requester contains an entity attribute with a
                 value that matches the given regular expression.
+                
+                Deprecated in favor of "EntityAttributeRegexMatch".
             </documentation>
         </annotation>
         <complexContent>
@@ -115,11 +148,25 @@
         </complexContent>
     </complexType>
 
+    <complexType name="NameIDFormatExactMatch">
+        <annotation>
+            <documentation>
+                A match function that evaluates to true if the attribute requester supports a specified
+                NameID format.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:NameIDFormatExactMatchType"/>
+        </complexContent>
+    </complexType>
+
     <complexType name="AttributeRequesterNameIDFormatExactMatch">
         <annotation>
             <documentation>
                 A match function that evaluates to true if the attribute requester supports a specified
                 NameID format.
+                
+                Deprecated in favor of "NameIDFormatExactMatch".
             </documentation>
         </annotation>
         <complexContent>
@@ -144,6 +191,8 @@
             <documentation>
                 A match function that evaluates to true if the attribute requester is found in metadata and is a member
                 of the given entity group.
+                
+                Deprecated in favor of "InEntityGroup".
             </documentation>
         </annotation>
         <complexContent>
@@ -151,6 +200,18 @@
         </complexContent>
     </complexType>
 
+    <complexType name="InEntityGroup">
+        <annotation>
+            <documentation>
+                A match function that evaluates to true if the attribute requester is found in metadata and
+                is a member of the given entity group.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:EntityGroupMatchType"/>
+        </complexContent>
+    </complexType>
+
     <complexType name="AttributeIssuerInEntityGroup">
         <annotation>
             <documentation>
@@ -186,6 +247,48 @@
         </complexContent>
     </complexType>
 
+    <complexType name="AttributeIssuerRegistrationAuthority">
+        <annotation>
+            <documentation>
+                A match function that matches the attribute issuer's MDRPI content against a list of potential values.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:RegistrationAuthorityMatchType" />
+        </complexContent>
+    </complexType>
+
+    <complexType name="RegistrationAuthority">
+        <annotation>
+            <documentation>
+                A match function that matches the SP (requester) MDRPI against a list of potential values.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="saml:RegistrationAuthorityMatchType" />
+        </complexContent>
+    </complexType>
+
+    <complexType name="RegistrationAuthorityMatchType" abstract="true">
+        <complexContent>
+            <extension base="afp:MatchFunctorType">
+                <attribute name="registrars" type="saml:anyURIListType" use="required">
+                    <annotation>
+                        <documentation>The string values to match.</documentation>
+                    </annotation>
+                </attribute>
+                <attribute name="matchIfMetadataSilent" type="boolean">
+                    <annotation>
+                        <documentation>
+                            A boolean flag indicating whether a match should occur if the metadata does
+                            not contain an MDRPI statement (coded) default is false.
+                        </documentation>
+                    </annotation>
+                </attribute>
+            </extension>
+        </complexContent>
+    </complexType>
+
     <complexType name="NameIDQualifierString">
         <annotation>
             <documentation>
@@ -260,4 +363,8 @@
         </complexContent>
     </complexType>
     
+    <simpleType name="anyURIListType">
+        <list itemType="string"/>
+    </simpleType>
+    
 </schema>
\ No newline at end of file
-- 
2.1.4