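<Policy PolicyId="access-public"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
  xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd       urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
  <Description>A bootstrap policy to allow public users to read the repository itself (not necessarily any items within)</Description>
  <!--
    Target: this policy applies only when BOTH hold:
      - the subject's role or subject-id is "anonymous" or "authenticated user"
        (each <Subject> below is one alternative; matching any one is enough), and
      - the requested action id is "read".
    Requests outside the Target are NotApplicable. The single Rule below has
    Effect="Permit", so this policy yields either Permit or NotApplicable and
    never Deny; a Deny must come from another policy in the enclosing set.
  -->
  <Target>
    <Subjects>
      <!-- role = anonymous -->
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
      <!-- subject-id = anonymous -->
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
      <!-- role = authenticated user -->
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticated user</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
      <!-- subject-id = authenticated user -->
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticated user</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Actions>
      <!-- action id = read -->
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
    <!--
      Permit when EITHER branch of the <or> holds:
        1. The request's datastream id is NOT one of the configuration/policy
           datastreams listed in the string-bag (WORKFLOW, WORKFLOW_TMPL,
           ISLANDORACM, COLLECTION_POLICY, COLLECTION_POLICY_TMPL, FESLPOLICY).
           MustBePresent="false" means a request that carries no datastream id
           yields an empty bag rather than Indeterminate; at-least-one-member-of
           over an empty bag is false, so "not" makes this branch true and such
           requests are permitted.
        2. The client IP address is loopback (0:0:0:0:0:0:0:1 is IPv6 ::1 in
           uncompressed form; 127.0.0.1 is IPv4). This branch lets loopback
           clients read even the datastreams excluded by branch 1.
      NOTE(review): branch 2 assumes clientIpAddress reflects the actual peer
      address; if that attribute can be influenced by a forwarded/proxy header
      in a given deployment, the exclusion in branch 1 would no longer hold for
      such requests - confirm how the attribute is populated.
    -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WORKFLOW</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WORKFLOW_TMPL</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ISLANDORACM</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COLLECTION_POLICY</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">COLLECTION_POLICY_TMPL</AttributeValue>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FESLPOLICY</AttributeValue>
            </Apply>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>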