From 4117211bb7becf5a849000bf6945896e122d2159 Mon Sep 17 00:00:00 2001
From: Ahoo Wang <ahoowang@qq.com>
Date: Sun, 8 Jan 2023 00:58:00 +0800
Subject: [PATCH] Refactor: Remove `Statement.conditions` (#63)

* Refactor: Remove `Statement.conditions`
---
 README.md                                     | 130 ++++++++--------
 README.zh-CN.md                               | 130 ++++++++--------
 .../me/ahoo/cosec/api/policy/Statement.kt     |   8 -
 .../cosec/policy/DefaultPolicyEvaluator.kt    |   4 +-
 .../me/ahoo/cosec/policy/StatementData.kt     |   3 +-
 .../serialization/JsonStatementSerializer.kt  |  12 --
 .../me/ahoo/cosec/policy/StatementDataTest.kt |  13 +-
 .../serialization/CoSecJsonSerializerTest.kt  | 139 ++++++++++--------
 document/cosec-policy.schema.json             |   6 -
 document/design/assets/Modeling.svg           |  18 +--
 document/design/uml/modeling.puml             |   2 +-
 gradle.properties                             |   2 +-
 12 files changed, 212 insertions(+), 255 deletions(-)

diff --git a/README.md b/README.md
index a01f96fc..254b21e5 100644
--- a/README.md
+++ b/README.md
@@ -81,11 +81,9 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "pattern": "/user/#{principal.id}/*"
         }
       ],
-      "conditions": [
-        {
-          "type": "authenticated"
-        }
-      ]
+      "condition": {
+        "type": "authenticated"
+      }
     },
     {
       "name": "Developer",
@@ -95,15 +93,13 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "in",
-          "part": "context.principal.id",
-          "in": [
-            "developerId"
-          ]
-        }
-      ]
+      "condition": {
+        "type": "in",
+        "part": "context.principal.id",
+        "in": [
+          "developerId"
+        ]
+      }
     },
     {
       "name": "RequestOriginDeny",
@@ -113,14 +109,12 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "reg",
-          "negate": true,
-          "part": "request.origin",
-          "pattern": "^(http|https)://github.com"
-        }
-      ]
+      "condition": {
+        "type": "reg",
+        "negate": true,
+        "part": "request.origin",
+        "pattern": "^(http|https)://github.com"
+      }
     },
     {
       "name": "IpBlacklist",
@@ -130,18 +124,16 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "path",
-          "part": "request.remoteIp",
-          "path": {
-            "caseSensitive": false,
-            "separator": ".",
-            "decodeAndParseSegments": false
-          },
-          "pattern": "192.168.0.*"
-        }
-      ]
+      "condition": {
+        "type": "path",
+        "part": "request.remoteIp",
+        "path": {
+          "caseSensitive": false,
+          "separator": ".",
+          "decodeAndParseSegments": false
+        },
+        "pattern": "192.168.0.*"
+      }
     },
     {
       "name": "RegionWhitelist",
@@ -151,14 +143,12 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "negate": true,
-          "type": "reg",
-          "part": "request.attributes.ipRegion",
-          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
-        }
-      ]
+      "condition": {
+        "negate": true,
+        "type": "reg",
+        "part": "request.attributes.ipRegion",
+        "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
+      }
     },
     {
       "name": "AllowDeveloperOrIpRange",
@@ -168,37 +158,35 @@ RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "bool",
-          "bool": {
-            "and": [
-              {
-                "type": "authenticated"
-              }
-            ],
-            "or": [
-              {
-                "type": "in",
-                "part": "context.principal.id",
-                "in": [
-                  "developerId"
-                ]
+      "condition": {
+        "type": "bool",
+        "bool": {
+          "and": [
+            {
+              "type": "authenticated"
+            }
+          ],
+          "or": [
+            {
+              "type": "in",
+              "part": "context.principal.id",
+              "in": [
+                "developerId"
+              ]
+            },
+            {
+              "type": "path",
+              "part": "request.remoteIp",
+              "path": {
+                "caseSensitive": false,
+                "separator": ".",
+                "decodeAndParseSegments": false
               },
-              {
-                "type": "path",
-                "part": "request.remoteIp",
-                "path": {
-                  "caseSensitive": false,
-                  "separator": ".",
-                  "decodeAndParseSegments": false
-                },
-                "pattern": "192.168.0.*"
-              }
-            ]
-          }
+              "pattern": "192.168.0.*"
+            }
+          ]
         }
-      ]
+      }
     }
   ]
 }
diff --git a/README.zh-CN.md b/README.zh-CN.md
index 5c0b9109..5f507d62 100644
--- a/README.zh-CN.md
+++ b/README.zh-CN.md
@@ -81,11 +81,9 @@
           "pattern": "/user/#{principal.id}/*"
         }
       ],
-      "conditions": [
-        {
-          "type": "authenticated"
-        }
-      ]
+      "condition": {
+        "type": "authenticated"
+      }
     },
     {
       "name": "Developer",
@@ -95,15 +93,13 @@
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "in",
-          "part": "context.principal.id",
-          "in": [
-            "developerId"
-          ]
-        }
-      ]
+      "condition": {
+        "type": "in",
+        "part": "context.principal.id",
+        "in": [
+          "developerId"
+        ]
+      }
     },
     {
       "name": "RequestOriginDeny",
@@ -113,14 +109,12 @@
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "reg",
-          "negate": true,
-          "part": "request.origin",
-          "pattern": "^(http|https)://github.com"
-        }
-      ]
+      "condition": {
+        "type": "reg",
+        "negate": true,
+        "part": "request.origin",
+        "pattern": "^(http|https)://github.com"
+      }
     },
     {
       "name": "IpBlacklist",
@@ -130,18 +124,16 @@
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "path",
-          "part": "request.remoteIp",
-          "path": {
-            "caseSensitive": false,
-            "separator": ".",
-            "decodeAndParseSegments": false
-          },
-          "pattern": "192.168.0.*"
-        }
-      ]
+      "condition": {
+        "type": "path",
+        "part": "request.remoteIp",
+        "path": {
+          "caseSensitive": false,
+          "separator": ".",
+          "decodeAndParseSegments": false
+        },
+        "pattern": "192.168.0.*"
+      }
     },
     {
       "name": "RegionWhitelist",
@@ -151,14 +143,12 @@
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "negate": true,
-          "type": "reg",
-          "part": "request.attributes.ipRegion",
-          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
-        }
-      ]
+      "condition": {
+        "negate": true,
+        "type": "reg",
+        "part": "request.attributes.ipRegion",
+        "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
+      }
     },
     {
       "name": "AllowDeveloperOrIpRange",
@@ -168,37 +158,35 @@
           "type": "all"
         }
       ],
-      "conditions": [
-        {
-          "type": "bool",
-          "bool": {
-            "and": [
-              {
-                "type": "authenticated"
-              }
-            ],
-            "or": [
-              {
-                "type": "in",
-                "part": "context.principal.id",
-                "in": [
-                  "developerId"
-                ]
+      "condition": {
+        "type": "bool",
+        "bool": {
+          "and": [
+            {
+              "type": "authenticated"
+            }
+          ],
+          "or": [
+            {
+              "type": "in",
+              "part": "context.principal.id",
+              "in": [
+                "developerId"
+              ]
+            },
+            {
+              "type": "path",
+              "part": "request.remoteIp",
+              "path": {
+                "caseSensitive": false,
+                "separator": ".",
+                "decodeAndParseSegments": false
               },
-              {
-                "type": "path",
-                "part": "request.remoteIp",
-                "path": {
-                  "caseSensitive": false,
-                  "separator": ".",
-                  "decodeAndParseSegments": false
-                },
-                "pattern": "192.168.0.*"
-              }
-            ]
-          }
+              "pattern": "192.168.0.*"
+            }
+          ]
         }
-      ]
+      }
     }
   ]
 }
diff --git a/cosec-api/src/main/kotlin/me/ahoo/cosec/api/policy/Statement.kt b/cosec-api/src/main/kotlin/me/ahoo/cosec/api/policy/Statement.kt
index e3152193..497bbaa8 100644
--- a/cosec-api/src/main/kotlin/me/ahoo/cosec/api/policy/Statement.kt
+++ b/cosec-api/src/main/kotlin/me/ahoo/cosec/api/policy/Statement.kt
@@ -22,19 +22,11 @@ interface Statement : Named, PermissionVerifier {
     val effect: Effect
     val actions: List<ActionMatcher>
     val condition: ConditionMatcher
-    val conditions: List<ConditionMatcher>
 
     override fun verify(request: Request, securityContext: SecurityContext): VerifyResult {
         if (!condition.match(request, securityContext)) {
             return VerifyResult.IMPLICIT_DENY
         }
-        conditions.any {
-            !it.match(request, securityContext)
-        }.let { anyNotMatched ->
-            if (anyNotMatched) {
-                return VerifyResult.IMPLICIT_DENY
-            }
-        }
         actions.any {
             it.match(request, securityContext)
         }.let { anyMatched ->
diff --git a/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/DefaultPolicyEvaluator.kt b/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/DefaultPolicyEvaluator.kt
index 318b6a50..c2854971 100644
--- a/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/DefaultPolicyEvaluator.kt
+++ b/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/DefaultPolicyEvaluator.kt
@@ -53,9 +53,7 @@ object DefaultPolicyEvaluator : PolicyEvaluator {
                 it.match(mockRequest, mockContext)
             }
 
-            statement.conditions.forEach {
-                it.match(mockRequest, mockContext)
-            }
+            statement.condition.match(mockRequest, mockContext)
         }
     }
 }
diff --git a/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/StatementData.kt b/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/StatementData.kt
index 902a6f71..dec54236 100644
--- a/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/StatementData.kt
+++ b/cosec-core/src/main/kotlin/me/ahoo/cosec/policy/StatementData.kt
@@ -23,6 +23,5 @@ data class StatementData(
     override val name: String = "",
     override val effect: Effect = Effect.ALLOW,
     override val actions: List<ActionMatcher> = listOf(),
-    override val condition: ConditionMatcher = AllConditionMatcher.INSTANCE,
-    override val conditions: List<ConditionMatcher> = listOf(),
+    override val condition: ConditionMatcher = AllConditionMatcher.INSTANCE
 ) : Statement
diff --git a/cosec-core/src/main/kotlin/me/ahoo/cosec/serialization/JsonStatementSerializer.kt b/cosec-core/src/main/kotlin/me/ahoo/cosec/serialization/JsonStatementSerializer.kt
index 3f74e49b..becca8b7 100644
--- a/cosec-core/src/main/kotlin/me/ahoo/cosec/serialization/JsonStatementSerializer.kt
+++ b/cosec-core/src/main/kotlin/me/ahoo/cosec/serialization/JsonStatementSerializer.kt
@@ -31,7 +31,6 @@ const val STATEMENT_NAME = "name"
 const val STATEMENT_EFFECT_KEY = "effect"
 const val STATEMENT_ACTIONS_KEY = "actions"
 const val STATEMENT_CONDITION_KEY = "condition"
-const val STATEMENT_CONDITIONS_KEY = "conditions"
 
 object JsonStatementSerializer : StdSerializer<Statement>(Statement::class.java) {
     override fun serialize(value: Statement, gen: JsonGenerator, provider: SerializerProvider) {
@@ -46,13 +45,6 @@ object JsonStatementSerializer : StdSerializer<Statement>(Statement::class.java)
             gen.writeEndArray()
         }
         gen.writePOJOField(STATEMENT_CONDITION_KEY, value.condition)
-        if (value.conditions.isNotEmpty()) {
-            gen.writeArrayFieldStart(STATEMENT_CONDITIONS_KEY)
-            value.conditions.forEach {
-                gen.writeObject(it)
-            }
-            gen.writeEndArray()
-        }
         gen.writeEndObject()
     }
 }
@@ -66,9 +58,6 @@ object JsonStatementDeserializer : StdDeserializer<Statement>(Statement::class.j
         val condition =
             jsonNode.get(STATEMENT_CONDITION_KEY)?.traverse(p.codec)?.readValueAs(ConditionMatcher::class.java)
                 ?: AllConditionMatcher.INSTANCE
-        val conditions = jsonNode.get(STATEMENT_CONDITIONS_KEY)?.map {
-            it.traverse(p.codec).readValueAs(ConditionMatcher::class.java)
-        }.orEmpty()
 
         return StatementData(
             name = jsonNode.get(STATEMENT_NAME)?.asText().orEmpty(),
@@ -77,7 +66,6 @@ object JsonStatementDeserializer : StdDeserializer<Statement>(Statement::class.j
             }.traverse(p.codec).readValueAs(Effect::class.java),
             actions = actions,
             condition = condition,
-            conditions = conditions
         )
     }
 }
diff --git a/cosec-core/src/test/kotlin/me/ahoo/cosec/policy/StatementDataTest.kt b/cosec-core/src/test/kotlin/me/ahoo/cosec/policy/StatementDataTest.kt
index 23cf4a56..bede4070 100644
--- a/cosec-core/src/test/kotlin/me/ahoo/cosec/policy/StatementDataTest.kt
+++ b/cosec-core/src/test/kotlin/me/ahoo/cosec/policy/StatementDataTest.kt
@@ -23,6 +23,7 @@ import me.ahoo.cosec.configuration.JsonConfiguration
 import me.ahoo.cosec.configuration.JsonConfiguration.Companion.asConfiguration
 import me.ahoo.cosec.policy.action.AllActionMatcher
 import me.ahoo.cosec.policy.action.PathActionMatcherFactory
+import me.ahoo.cosec.policy.condition.AllConditionMatcher
 import me.ahoo.cosec.policy.condition.SpelConditionMatcherFactory
 import org.hamcrest.MatcherAssert.assertThat
 import org.hamcrest.Matchers.*
@@ -36,7 +37,7 @@ internal class StatementDataTest {
         assertThat(statementData.name, equalTo(""))
         assertThat(statementData.effect, equalTo(Effect.ALLOW))
         assertThat(statementData.actions, equalTo(listOf()))
-        assertThat(statementData.conditions, equalTo(listOf()))
+        assertThat(statementData.condition, instanceOf(AllConditionMatcher::class.java))
         assertThat(statementData.verify(mockk(), mockk()), `is`(VerifyResult.IMPLICIT_DENY))
     }
 
@@ -67,12 +68,10 @@ internal class StatementDataTest {
                     ).asConfiguration()
                 )
             ),
-            conditions = listOf(
-                SpelConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_PATTERN_KEY to "context.principal.authenticated()"
-                    ).asConfiguration()
-                )
+            condition = SpelConditionMatcherFactory().create(
+                mapOf(
+                    MATCHER_PATTERN_KEY to "context.principal.authenticated()"
+                ).asConfiguration()
             )
         )
         val request = mockk<Request> {
diff --git a/cosec-core/src/test/kotlin/me/ahoo/cosec/serialization/CoSecJsonSerializerTest.kt b/cosec-core/src/test/kotlin/me/ahoo/cosec/serialization/CoSecJsonSerializerTest.kt
index b0b3e20e..9c68132c 100644
--- a/cosec-core/src/test/kotlin/me/ahoo/cosec/serialization/CoSecJsonSerializerTest.kt
+++ b/cosec-core/src/test/kotlin/me/ahoo/cosec/serialization/CoSecJsonSerializerTest.kt
@@ -30,6 +30,9 @@ import me.ahoo.cosec.policy.action.NoneActionMatcherFactory
 import me.ahoo.cosec.policy.action.PathActionMatcherFactory
 import me.ahoo.cosec.policy.action.RegularActionMatcherFactory
 import me.ahoo.cosec.policy.condition.AllConditionMatcherFactory
+import me.ahoo.cosec.policy.condition.BOOL_CONDITION_MATCHER_AND_KEY
+import me.ahoo.cosec.policy.condition.BoolConditionMatcher
+import me.ahoo.cosec.policy.condition.BoolConditionMatcherFactory
 import me.ahoo.cosec.policy.condition.NoneConditionMatcherFactory
 import me.ahoo.cosec.policy.condition.OgnlConditionMatcherFactory
 import me.ahoo.cosec.policy.condition.SpelConditionMatcherFactory
@@ -73,16 +76,17 @@ internal class CoSecJsonSerializerTest {
         assertThat(input.type, `is`(actionMatcher.type))
     }
 
-    @ParameterizedTest
-    @MethodSource("serializeConditionMatcherProvider")
-    fun serializeConditionMatcher(conditionMatcher: ConditionMatcher) {
+    @Test
+    fun serializeConditionMatcher() {
+        val conditionMatcher = serializeConditionMatcherProvider()
         val output = CoSecJsonSerializer.writeValueAsString(conditionMatcher)
         val input = CoSecJsonSerializer.readValue(
             output,
             ConditionMatcher::class.java
         )
-        assertThat(input, instanceOf(conditionMatcher.javaClass))
+        assertThat(input, instanceOf(BoolConditionMatcher::class.java))
         assertThat(input.type, `is`(conditionMatcher.type))
+        assertThat((input as BoolConditionMatcher).and.size, equalTo(10))
     }
 
     @ParameterizedTest
@@ -96,7 +100,7 @@ internal class CoSecJsonSerializerTest {
         assertThat(input, instanceOf(statement.javaClass))
         assertThat(input.effect, `is`(statement.effect))
         assertThat(input.actions, hasSize(statement.actions.size))
-        assertThat(input.conditions, hasSize(statement.conditions.size))
+        assertThat(input.condition, notNullValue())
     }
 
     @ParameterizedTest
@@ -195,64 +199,71 @@ internal class CoSecJsonSerializerTest {
         }
 
         @JvmStatic
-        fun serializeConditionMatcherProvider(): Stream<ConditionMatcher> {
-            return Stream.of(
-                AllConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to AllConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                NoneConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to NoneConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                AuthenticatedConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to AuthenticatedConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                InDefaultTenantConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to InDefaultTenantConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                InPlatformTenantConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to InPlatformTenantConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                InUserTenantConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to InUserTenantConditionMatcherFactory.TYPE
-                    ).asConfiguration()
-                ),
-                InConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to InConditionMatcherFactory.TYPE,
-                        CONDITION_MATCHER_PART_KEY to RequestParts.REMOTE_IP,
-                        "in" to setOf("remoteIp", "remoteIp1")
-                    ).asConfiguration()
-                ),
-                RegularConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to RegularConditionMatcherFactory.TYPE,
-                        CONDITION_MATCHER_PART_KEY to RequestParts.REMOTE_IP,
-                        MATCHER_PATTERN_KEY to "192\\.168\\.0\\.[0-9]*"
-                    ).asConfiguration()
-                ),
-                SpelConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to SpelConditionMatcherFactory.TYPE,
-                        MATCHER_PATTERN_KEY to "context.principal.id=='1'"
-                    ).asConfiguration()
-                ),
-                OgnlConditionMatcherFactory().create(
-                    mapOf(
-                        MATCHER_TYPE_KEY to OgnlConditionMatcherFactory.TYPE,
-                        MATCHER_PATTERN_KEY to "path == \"auth/login\""
-                    ).asConfiguration()
-                )
+        fun serializeConditionMatcherProvider(): ConditionMatcher {
+            return BoolConditionMatcherFactory().create(
+                mapOf(
+                    MATCHER_TYPE_KEY to BoolConditionMatcherFactory.TYPE,
+                    BoolConditionMatcherFactory.TYPE to mapOf(
+                        BOOL_CONDITION_MATCHER_AND_KEY to listOf(
+                            AllConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to AllConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            NoneConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to NoneConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            AuthenticatedConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to AuthenticatedConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            InDefaultTenantConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to InDefaultTenantConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            InPlatformTenantConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to InPlatformTenantConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            InUserTenantConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to InUserTenantConditionMatcherFactory.TYPE
+                                ).asConfiguration()
+                            ),
+                            InConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to InConditionMatcherFactory.TYPE,
+                                    CONDITION_MATCHER_PART_KEY to RequestParts.REMOTE_IP,
+                                    "in" to setOf("remoteIp", "remoteIp1")
+                                ).asConfiguration()
+                            ),
+                            RegularConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to RegularConditionMatcherFactory.TYPE,
+                                    CONDITION_MATCHER_PART_KEY to RequestParts.REMOTE_IP,
+                                    MATCHER_PATTERN_KEY to "192\\.168\\.0\\.[0-9]*"
+                                ).asConfiguration()
+                            ),
+                            SpelConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to SpelConditionMatcherFactory.TYPE,
+                                    MATCHER_PATTERN_KEY to "context.principal.id=='1'"
+                                ).asConfiguration()
+                            ),
+                            OgnlConditionMatcherFactory().create(
+                                mapOf(
+                                    MATCHER_TYPE_KEY to OgnlConditionMatcherFactory.TYPE,
+                                    MATCHER_PATTERN_KEY to "path == \"auth/login\""
+                                ).asConfiguration()
+                            )
+                        )
+                    )
+                ).asConfiguration()
             )
         }
 
@@ -263,7 +274,7 @@ internal class CoSecJsonSerializerTest {
                 StatementData(
                     effect = Effect.DENY,
                     actions = serializeActionMatcherProvider().toList(),
-                    conditions = serializeConditionMatcherProvider().toList()
+                    condition = serializeConditionMatcherProvider()
                 )
             )
         }
diff --git a/document/cosec-policy.schema.json b/document/cosec-policy.schema.json
index 28e0fbd6..bdf86dd2 100644
--- a/document/cosec-policy.schema.json
+++ b/document/cosec-policy.schema.json
@@ -249,12 +249,6 @@
         },
         "condition": {
           "$ref": "#/definitions/conditionMatcher"
-        },
-        "conditions": {
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/conditionMatcher"
-          }
         }
       }
     }
diff --git a/document/design/assets/Modeling.svg b/document/design/assets/Modeling.svg
index eb7c1713..c3212994 100644
--- a/document/design/assets/Modeling.svg
+++ b/document/design/assets/Modeling.svg
@@ -21,14 +21,14 @@ cluster authorization--><g id="cluster_authorization"><path d="M74.5,644.2656 L1
 cluster authentication--><g id="cluster_authentication"><path d="M1270.5,263.2656 L1375.5,263.2656 A3.75,3.75 0 0 1 1378,265.7656 L1385,285.7539 L1904.5,285.7539 A2.5,2.5 0 0 1 1907,288.2539 L1907,599.7656 A2.5,2.5 0 0 1 1904.5,602.2656 L1270.5,602.2656 A2.5,2.5 0 0 1 1268,599.7656 L1268,265.7656 A2.5,2.5 0 0 1 1270.5,263.2656 " fill="none" style="stroke:#000000;stroke-width:1.5;"/><line style="stroke:#000000;stroke-width:1.5;" x1="1268" x2="1385" y1="285.7539" y2="285.7539"/><text fill="#000000" font-family="sans-serif" font-size="14" font-weight="bold" lengthAdjust="spacing" textLength="104" x="1272" y="278.8008">authentication</text></g><!--MD5=[a8904d412b6bac905c960d0a15a57f60]
 class Tenant--><g id="elem_Tenant"><rect codeLine="10" fill="#F1F1F1" height="113.9531" id="Tenant" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="215" x="344.5" y="91.2656"/><ellipse cx="423.75" cy="107.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M419.6777,103.0308 L419.6777,100.8726 L427.0571,100.8726 L427.0571,103.0308 L424.5918,103.0308 L424.5918,111.1074 L427.0571,111.1074 L427.0571,113.2656 L419.6777,113.2656 L419.6777,111.1074 L422.1431,111.1074 L422.1431,103.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="48" x="444.25" y="112.5566">Tenant</text><line style="stroke:#181818;stroke-width:0.5;" x1="345.5" x2="558.5" y1="123.2656" y2="123.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="129" x="350.5" y="140.8008">val tenantId: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="203" x="350.5" y="157.2891">val isPlatformTenant: Boolean</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="194" x="350.5" y="173.7773">val isDefaultTenant: Boolean</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="176" x="350.5" y="190.2656">val isUserTenant: Boolean</text><line style="stroke:#181818;stroke-width:0.5;" x1="345.5" x2="558.5" y1="197.2188" y2="197.2188"/></g><!--MD5=[2ee7de80ccb219b57973144fcb0a9e81]
 class TenantCapable--><g id="elem_TenantCapable"><rect codeLine="16" fill="#F1F1F1" height="64.4883" id="TenantCapable" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="136" x="384" y="290.2656"/><ellipse cx="399" cy="306.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M394.9277,302.0308 L394.9277,299.8726 L402.3071,299.8726 L402.3071,302.0308 L399.8418,302.0308 L399.8418,310.1074 L402.3071,310.1074 L402.3071,312.2656 L394.9277,312.2656 L394.9277,310.1074 L397.3931,310.1074 L397.3931,302.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="104" x="413" y="311.5566">TenantCapable</text><line style="stroke:#181818;stroke-width:0.5;" x1="385" x2="519" y1="322.2656" y2="322.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="123" x="390" y="339.8008">val tenant: Tenant</text><line style="stroke:#181818;stroke-width:0.5;" x1="385" x2="519" y1="346.7539" y2="346.7539"/></g><path d="M116.5,130.7656 L116.5,156.0762 A0,0 0 0 0 116.5,156.0762 L309.5,156.0762 A0,0 0 0 0 309.5,156.0762 L309.5,148.7656 L348.5,151.998 L309.5,140.7656 L309.5,140.7656 L299.5,130.7656 L116.5,130.7656 A0,0 0 0 0 116.5,130.7656 " fill="#FEFFDD" style="stroke:#181818;stroke-width:0.5;"/><path d="M299.5,130.7656 L299.5,140.7656 L309.5,140.7656 L299.5,130.7656 " fill="#FEFFDD" style="stroke:#181818;stroke-width:0.5;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacing" textLength="172" x="122.5" y="148.334">Is it a root platform tenant?</text><!--MD5=[891844a5ce18d50d477bdacc29a03b64]
-class PolicyType--><g id="elem_PolicyType"><rect codeLine="28" fill="#F1F1F1" height="97.4648" id="PolicyType" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="104" x="2674" y="464.2656"/><ellipse cx="2689" cy="480.2656" fill="#EB937F" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2693.1143,486.2656 L2685.3945,486.2656 L2685.3945,473.8726 L2693.1143,473.8726 L2693.1143,476.0308 L2687.8433,476.0308 L2687.8433,478.7036 L2692.6162,478.7036 L2692.6162,480.8618 L2687.8433,480.8618 L2687.8433,484.1074 L2693.1143,484.1074 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="72" x="2703" y="485.5566">PolicyType</text><line style="stroke:#181818;stroke-width:0.5;" x1="2675" x2="2777" y1="496.2656" y2="496.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="54" x="2680" y="513.8008">SYSTEM</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="60" x="2680" y="530.2891">CUSTOM</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="53" x="2680" y="546.7773">GLOBAL</text><line style="stroke:#181818;stroke-width:0.5;" x1="2675" x2="2777" y1="553.7305" y2="553.7305"/></g><!--MD5=[9445d644bbe92584b3fa45e77778917b]
-class Policy--><g id="elem_Policy"><rect codeLine="33" fill="#F1F1F1" height="146.9297" id="Policy" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="230" x="2497" y="646.2656"/><ellipse cx="2588.25" cy="662.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2584.1777,658.0308 L2584.1777,655.8726 L2591.5571,655.8726 L2591.5571,658.0308 L2589.0918,658.0308 L2589.0918,666.1074 L2591.5571,666.1074 L2591.5571,668.2656 L2584.1777,668.2656 L2584.1777,666.1074 L2586.6431,666.1074 L2586.6431,658.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="39" x="2608.75" y="667.5566">Policy</text><line style="stroke:#181818;stroke-width:0.5;" x1="2498" x2="2726" y1="678.2656" y2="678.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="85" x="2503" y="695.8008">val id: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="110" x="2503" y="712.2891">val name: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="132" x="2503" y="728.7773">val type: PolicyType</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="149" x="2503" y="745.2656">val description: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="125" x="2503" y="761.7539">val tenantId:String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="218" x="2503" y="778.2422">val statements: Set&lt;Statement&gt;</text><line style="stroke:#181818;stroke-width:0.5;" x1="2498" x2="2726" y1="785.1953" y2="785.1953"/></g><!--MD5=[354ba6fe2710e9f7c691253c66156a32]
+class PolicyType--><g id="elem_PolicyType"><rect codeLine="28" fill="#F1F1F1" height="97.4648" id="PolicyType" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="104" x="2650" y="464.2656"/><ellipse cx="2665" cy="480.2656" fill="#EB937F" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2669.1143,486.2656 L2661.3945,486.2656 L2661.3945,473.8726 L2669.1143,473.8726 L2669.1143,476.0308 L2663.8433,476.0308 L2663.8433,478.7036 L2668.6162,478.7036 L2668.6162,480.8618 L2663.8433,480.8618 L2663.8433,484.1074 L2669.1143,484.1074 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="72" x="2679" y="485.5566">PolicyType</text><line style="stroke:#181818;stroke-width:0.5;" x1="2651" x2="2753" y1="496.2656" y2="496.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="54" x="2656" y="513.8008">SYSTEM</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="60" x="2656" y="530.2891">CUSTOM</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="53" x="2656" y="546.7773">GLOBAL</text><line style="stroke:#181818;stroke-width:0.5;" x1="2651" x2="2753" y1="553.7305" y2="553.7305"/></g><!--MD5=[9445d644bbe92584b3fa45e77778917b]
+class Policy--><g id="elem_Policy"><rect codeLine="33" fill="#F1F1F1" height="146.9297" id="Policy" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="230" x="2485" y="646.2656"/><ellipse cx="2576.25" cy="662.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2572.1777,658.0308 L2572.1777,655.8726 L2579.5571,655.8726 L2579.5571,658.0308 L2577.0918,658.0308 L2577.0918,666.1074 L2579.5571,666.1074 L2579.5571,668.2656 L2572.1777,668.2656 L2572.1777,666.1074 L2574.6431,666.1074 L2574.6431,658.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="39" x="2596.75" y="667.5566">Policy</text><line style="stroke:#181818;stroke-width:0.5;" x1="2486" x2="2714" y1="678.2656" y2="678.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="85" x="2491" y="695.8008">val id: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="110" x="2491" y="712.2891">val name: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="132" x="2491" y="728.7773">val type: PolicyType</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="149" x="2491" y="745.2656">val description: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="125" x="2491" y="761.7539">val tenantId:String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="218" x="2491" y="778.2422">val statements: Set&lt;Statement&gt;</text><line style="stroke:#181818;stroke-width:0.5;" x1="2486" x2="2714" y1="785.1953" y2="785.1953"/></g><!--MD5=[354ba6fe2710e9f7c691253c66156a32]
 class Effect--><g id="elem_Effect"><rect codeLine="41" fill="#F1F1F1" height="80.9766" id="Effect" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="70" x="2349" y="281.7656"/><ellipse cx="2364" cy="297.7656" fill="#EB937F" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2368.1143,303.7656 L2360.3945,303.7656 L2360.3945,291.3726 L2368.1143,291.3726 L2368.1143,293.5308 L2362.8433,293.5308 L2362.8433,296.2036 L2367.6162,296.2036 L2367.6162,298.3618 L2362.8433,298.3618 L2362.8433,301.6074 L2368.1143,301.6074 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="38" x="2378" y="303.0566">Effect</text><line style="stroke:#181818;stroke-width:0.5;" x1="2350" x2="2418" y1="313.7656" y2="313.7656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="47" x="2355" y="331.3008">ALLOW</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="37" x="2355" y="347.7891">DENY</text><line style="stroke:#181818;stroke-width:0.5;" x1="2350" x2="2418" y1="354.7422" y2="354.7422"/></g><!--MD5=[dd3a6102b68975fd8f1a6314072b340a]
 class RequestMatcher--><g id="elem_RequestMatcher"><rect codeLine="45" fill="#F1F1F1" height="64.4883" id="RequestMatcher" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="295" x="2665.5" y="116.2656"/><ellipse cx="2753.75" cy="132.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2749.6777,128.0308 L2749.6777,125.8726 L2757.0571,125.8726 L2757.0571,128.0308 L2754.5918,128.0308 L2754.5918,136.1074 L2757.0571,136.1074 L2757.0571,138.2656 L2749.6777,138.2656 L2749.6777,136.1074 L2752.1431,136.1074 L2752.1431,128.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="110" x="2774.25" y="137.5566">RequestMatcher</text><line style="stroke:#181818;stroke-width:0.5;" x1="2666.5" x2="2959.5" y1="148.2656" y2="148.2656"/><line style="stroke:#181818;stroke-width:0.5;" x1="2666.5" x2="2959.5" y1="156.2656" y2="156.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="283" x="2671.5" y="173.8008">match(Request,SecurityContext): Boolean</text></g><!--MD5=[226a4eef5279541003c62db16c270ea5]
 class ActionMatcher--><g id="elem_ActionMatcher"><rect codeLine="48" fill="#F1F1F1" height="48" id="ActionMatcher" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="131" x="2182.5" y="298.2656"/><ellipse cx="2197.5" cy="314.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2193.4277,310.0308 L2193.4277,307.8726 L2200.8071,307.8726 L2200.8071,310.0308 L2198.3418,310.0308 L2198.3418,318.1074 L2200.8071,318.1074 L2200.8071,320.2656 L2193.4277,320.2656 L2193.4277,318.1074 L2195.8931,318.1074 L2195.8931,310.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="99" x="2211.5" y="319.5566">ActionMatcher</text><line style="stroke:#181818;stroke-width:0.5;" x1="2183.5" x2="2312.5" y1="330.2656" y2="330.2656"/><line style="stroke:#181818;stroke-width:0.5;" x1="2183.5" x2="2312.5" y1="338.2656" y2="338.2656"/></g><!--MD5=[ce15d4ae5e7b4627c02fd240cc319742]
 class ConditionMatcher--><g id="elem_ConditionMatcher"><rect codeLine="49" fill="#F1F1F1" height="48" id="ConditionMatcher" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="155" x="2805.5" y="298.2656"/><ellipse cx="2820.5" cy="314.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2816.4277,310.0308 L2816.4277,307.8726 L2823.8071,307.8726 L2823.8071,310.0308 L2821.3418,310.0308 L2821.3418,318.1074 L2823.8071,318.1074 L2823.8071,320.2656 L2816.4277,320.2656 L2816.4277,318.1074 L2818.8931,318.1074 L2818.8931,310.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="123" x="2834.5" y="319.5566">ConditionMatcher</text><line style="stroke:#181818;stroke-width:0.5;" x1="2806.5" x2="2959.5" y1="330.2656" y2="330.2656"/><line style="stroke:#181818;stroke-width:0.5;" x1="2806.5" x2="2959.5" y1="338.2656" y2="338.2656"/></g><!--MD5=[a5f8f54a8c595155ff6d10bcb2300aea]
 class VerifyResult--><g id="elem_VerifyResult"><rect codeLine="50" fill="#F1F1F1" height="97.4648" id="VerifyResult" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="115" x="2515.5" y="99.7656"/><ellipse cx="2531.4" cy="115.7656" fill="#EB937F" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2535.5143,121.7656 L2527.7945,121.7656 L2527.7945,109.3726 L2535.5143,109.3726 L2535.5143,111.5308 L2530.2433,111.5308 L2530.2433,114.2036 L2535.0162,114.2036 L2535.0162,116.3618 L2530.2433,116.3618 L2530.2433,119.6074 L2535.5143,119.6074 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="81" x="2545.6" y="121.0566">VerifyResult</text><line style="stroke:#181818;stroke-width:0.5;" x1="2516.5" x2="2629.5" y1="131.7656" y2="131.7656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="47" x="2521.5" y="149.3008">ALLOW</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="103" x="2521.5" y="165.7891">EXPLICIT_DENY</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="102" x="2521.5" y="182.2773">IMPLICIT_DENY</text><line style="stroke:#181818;stroke-width:0.5;" x1="2516.5" x2="2629.5" y1="189.2305" y2="189.2305"/></g><!--MD5=[a61a298976b7d1d94498f45c2ebfa10b]
-class Statement--><g id="elem_Statement"><rect codeLine="55" fill="#F1F1F1" height="113.9531" id="Statement" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="281" x="2357.5" y="455.7656"/><ellipse cx="2459.25" cy="471.7656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2455.1777,467.5308 L2455.1777,465.3726 L2462.5571,465.3726 L2462.5571,467.5308 L2460.0918,467.5308 L2460.0918,475.6074 L2462.5571,475.6074 L2462.5571,477.7656 L2455.1777,477.7656 L2455.1777,475.6074 L2457.6431,475.6074 L2457.6431,467.5308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="69" x="2479.75" y="477.0566">Statement</text><line style="stroke:#181818;stroke-width:0.5;" x1="2358.5" x2="2637.5" y1="487.7656" y2="487.7656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="110" x="2363.5" y="505.3008">val name: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="107" x="2363.5" y="521.7891">val effect: Effect</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="222" x="2363.5" y="538.2773">val actions: Set&lt;ActionMatcher&gt;</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="269" x="2363.5" y="554.7656">val conditions: Set&lt;ConditionMatcher&gt;</text><line style="stroke:#181818;stroke-width:0.5;" x1="2358.5" x2="2637.5" y1="561.7188" y2="561.7188"/></g><!--MD5=[25907446179e7e8284c1a5a6eb221e77]
+class Statement--><g id="elem_Statement"><rect codeLine="55" fill="#F1F1F1" height="113.9531" id="Statement" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="234" x="2381" y="455.7656"/><ellipse cx="2459.25" cy="471.7656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2455.1777,467.5308 L2455.1777,465.3726 L2462.5571,465.3726 L2462.5571,467.5308 L2460.0918,467.5308 L2460.0918,475.6074 L2462.5571,475.6074 L2462.5571,477.7656 L2455.1777,477.7656 L2455.1777,475.6074 L2457.6431,475.6074 L2457.6431,467.5308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="69" x="2479.75" y="477.0566">Statement</text><line style="stroke:#181818;stroke-width:0.5;" x1="2382" x2="2614" y1="487.7656" y2="487.7656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="110" x="2387" y="505.3008">val name: String</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="107" x="2387" y="521.7891">val effect: Effect</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="222" x="2387" y="538.2773">val actions: Set&lt;ActionMatcher&gt;</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="219" x="2387" y="554.7656">val condition: ConditionMatcher</text><line style="stroke:#181818;stroke-width:0.5;" x1="2382" x2="2614" y1="561.7188" y2="561.7188"/></g><!--MD5=[25907446179e7e8284c1a5a6eb221e77]
 class PermissionVerifier--><g id="elem_PermissionVerifier"><rect codeLine="62" fill="#F1F1F1" height="64.4883" id="PermissionVerifier" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="316" x="2454" y="290.2656"/><ellipse cx="2545.25" cy="306.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2541.1777,302.0308 L2541.1777,299.8726 L2548.5571,299.8726 L2548.5571,302.0308 L2546.0918,302.0308 L2546.0918,310.1074 L2548.5571,310.1074 L2548.5571,312.2656 L2541.1777,312.2656 L2541.1777,310.1074 L2543.6431,310.1074 L2543.6431,302.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="125" x="2565.75" y="311.5566">PermissionVerifier</text><line style="stroke:#181818;stroke-width:0.5;" x1="2455" x2="2769" y1="322.2656" y2="322.2656"/><line style="stroke:#181818;stroke-width:0.5;" x1="2455" x2="2769" y1="330.2656" y2="330.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="304" x="2460" y="347.8008">verify(Request,SecurityContext): VerifyResult</text></g><!--MD5=[4a8e06406f0c0425d99e01150b1292e5]
 class PolicyEvaluator--><g id="elem_PolicyEvaluator"><rect codeLine="65" fill="#F1F1F1" height="64.4883" id="PolicyEvaluator" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="135" x="2012.5" y="290.2656"/><ellipse cx="2027.5" cy="306.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M2023.4277,302.0308 L2023.4277,299.8726 L2030.8071,299.8726 L2030.8071,302.0308 L2028.3418,302.0308 L2028.3418,310.1074 L2030.8071,310.1074 L2030.8071,312.2656 L2023.4277,312.2656 L2023.4277,310.1074 L2025.8931,310.1074 L2025.8931,302.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="103" x="2041.5" y="311.5566">PolicyEvaluator</text><line style="stroke:#181818;stroke-width:0.5;" x1="2013.5" x2="2146.5" y1="322.2656" y2="322.2656"/><line style="stroke:#181818;stroke-width:0.5;" x1="2013.5" x2="2146.5" y1="330.2656" y2="330.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="106" x="2018.5" y="347.8008">evaluate(Policy)</text></g><!--MD5=[79431584796416a68bc6cb91e9d847cd]
 class PolicyCapable--><g id="elem_PolicyCapable"><rect codeLine="68" fill="#F1F1F1" height="64.4883" id="PolicyCapable" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="179" x="1947.5" y="116.2656"/><ellipse cx="1985.9" cy="132.2656" fill="#B4A7E5" rx="11" ry="11" style="stroke:#181818;stroke-width:1.0;"/><path d="M1981.8277,128.0308 L1981.8277,125.8726 L1989.2071,125.8726 L1989.2071,128.0308 L1986.7418,128.0308 L1986.7418,136.1074 L1989.2071,136.1074 L1989.2071,138.2656 L1981.8277,138.2656 L1981.8277,136.1074 L1984.2931,136.1074 L1984.2931,128.0308 Z " fill="#000000"/><text fill="#000000" font-family="sans-serif" font-size="14" font-style="italic" lengthAdjust="spacing" textLength="95" x="2005.1" y="137.5566">PolicyCapable</text><line style="stroke:#181818;stroke-width:0.5;" x1="1948.5" x2="2125.5" y1="148.2656" y2="148.2656"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="167" x="1953.5" y="165.8008">val policies: Set&lt;String&gt;</text><line style="stroke:#181818;stroke-width:0.5;" x1="1948.5" x2="2125.5" y1="172.7539" y2="172.7539"/></g><g id="elem_GMN29"><path d="M2162,135.7656 L2162,161.0762 L2480,161.0762 L2480,145.7656 L2470,135.7656 L2162,135.7656 " fill="#FEFFDD" style="stroke:#181818;stroke-width:0.5;"/><path d="M2470,135.7656 L2470,145.7656 L2480,145.7656 L2470,135.7656 " fill="#FEFFDD" style="stroke:#181818;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="13" lengthAdjust="spacing" textLength="297" x="2168" y="153.334">Used to evaluate the effectiveness of the Policy</text></g><!--MD5=[52681581877b3e7248987c87e027ce58]
@@ -50,9 +50,9 @@ reverse link RequestMatcher to ConditionMatcher--><g id="link_RequestMatcher_Con
 reverse link PermissionVerifier to Statement--><g id="link_PermissionVerifier_Statement"><path codeLine="73" d="M2582.2,372.5456 C2566.83,397.9656 2548.01,429.0756 2532.06,455.4456 " fill="none" id="PermissionVerifier-backto-Statement" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="none" points="2576.05,369.1756,2592.39,355.6856,2588.03,376.4256,2576.05,369.1756" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[e4eaaab51f62ef0fd17f62ea5476519c]
 link Effect to Statement--><g id="link_Effect_Statement"><path codeLine="74" d="M2415.51,375.3756 C2428.2,396.3456 2456.9154,443.8402 2456.9154,443.8402 " fill="none" id="Effect-Statement" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2408.96,364.5356,2410.1936,374.3069,2411.547,368.8143,2417.0396,370.1677,2408.96,364.5356" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2411.547" x2="2415.685" y1="368.8143" y2="375.6606"/><polygon fill="#181818" points="2463.13,454.1056,2463.4445,446.9014,2456.9154,443.8402,2456.6009,451.0445,2463.13,454.1056" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[421c707edf9dcb67c653879c9588b357]
 link ActionMatcher to Statement--><g id="link_ActionMatcher_Statement"><path codeLine="75" d="M2290.3,355.1656 C2323.45,380.1556 2412.2974,447.1424 2412.2974,447.1424 " fill="none" id="ActionMatcher-Statement" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2280.37,347.6656,2285.1435,356.2804,2284.3607,350.6779,2289.9632,349.8952,2280.37,347.6656" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2284.3607" x2="2290.75" y1="350.6779" y2="355.4956"/><polygon fill="#181818" points="2421.88,454.3656,2419.4964,447.5598,2412.2974,447.1424,2414.681,453.9482,2421.88,454.3656" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[04f4abb29adabcf38a547a8eb9430c3b]
-link ConditionMatcher to Statement--><g id="link_ConditionMatcher_Statement"><path codeLine="76" d="M2838.93,354.2456 C2823.48,363.7256 2805.57,373.2256 2788,379.2656 C2732.47,398.3356 2711.55,374.5656 2657,396.2656 C2626.76,408.2956 2570.8164,447.1766 2570.8164,447.1766 " fill="none" id="ConditionMatcher-Statement" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2849.48,347.5256,2839.7408,348.9911,2845.264,350.2136,2844.0415,355.7367,2849.48,347.5256" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2845.264" x2="2838.515" y1="350.2136" y2="354.5106"/><polygon fill="#181818" points="2561.33,454.5256,2568.5229,454.0133,2570.8164,447.1766,2563.6235,447.689,2561.33,454.5256" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[e3680ece5eb6e2539ae6dce9363554de]
-link PolicyType to Policy--><g id="link_PolicyType_Policy"><path codeLine="77" d="M2692.47,574.0556 C2682.15,592.6256 2659.0611,634.1276 2659.0611,634.1276 " fill="none" id="PolicyType-Policy" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2698.68,562.8956,2690.8107,568.8179,2696.2504,567.2656,2697.8027,572.7053,2698.68,562.8956" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2696.2504" x2="2692.365" y1="567.2656" y2="574.2556"/><polygon fill="#181818" points="2653.23,644.6156,2659.6415,641.3153,2659.0611,634.1276,2652.6495,637.4279,2653.23,644.6156" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[a7b3af78aa4d03cb0e67dc6b5e1b33d1]
-link Statement to Policy--><g id="link_Statement_Policy"><path codeLine="78" d="M2536.21,582.4856 C2545.36,598.9256 2564.9889,634.2532 2564.9889,634.2532 " fill="none" id="Statement-Policy" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2530.04,571.3756,2530.9173,581.1853,2532.4696,575.7456,2537.9093,577.2979,2530.04,571.3756" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2532.4696" x2="2536.355" y1="575.7456" y2="582.7356"/><polygon fill="#181818" points="2570.83,644.7356,2571.4036,637.5474,2564.9889,634.2532,2564.4153,641.4415,2570.83,644.7356" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[f6501252c65be42b38a34c7ff3f78362]
+link ConditionMatcher to Statement--><g id="link_ConditionMatcher_Statement"><path codeLine="76" d="M2839.38,354.2156 C2823.84,363.7856 2805.78,373.3556 2788,379.2656 C2722.24,401.1256 2696.6,368.7356 2633,396.2656 C2606.24,407.8456 2558.8938,446.2238 2558.8938,446.2238 " fill="none" id="ConditionMatcher-Statement" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2849.97,347.4256,2840.2344,348.9149,2845.7605,350.1239,2844.5516,355.65,2849.97,347.4256" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2845.7605" x2="2839.025" y1="350.1239" y2="354.4356"/><polygon fill="#181818" points="2550.06,454.3456,2557.1842,453.2293,2558.8938,446.2238,2551.7696,447.3401,2550.06,454.3456" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[e3680ece5eb6e2539ae6dce9363554de]
+link PolicyType to Policy--><g id="link_PolicyType_Policy"><path codeLine="77" d="M2671.84,574.3756 C2662.68,592.7856 2642.2607,633.8446 2642.2607,633.8446 " fill="none" id="PolicyType-Policy" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2677.54,562.9256,2669.9435,569.1941,2675.3083,567.4,2677.1025,572.7648,2677.54,562.9256" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2675.3083" x2="2671.75" y1="567.4" y2="574.5656"/><polygon fill="#181818" points="2636.91,644.5856,2643.1657,640.9987,2642.2607,633.8446,2636.005,637.4315,2636.91,644.5856" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[a7b3af78aa4d03cb0e67dc6b5e1b33d1]
+link Statement to Policy--><g id="link_Statement_Policy"><path codeLine="78" d="M2532.34,582.7756 C2540.41,598.9956 2557.8098,633.9493 2557.8098,633.9493 " fill="none" id="Statement-Policy" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="2526.68,571.4056,2527.103,581.2454,2528.9051,575.8832,2534.2672,577.6853,2526.68,571.4056" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="2528.9051" x2="2532.475" y1="575.8832" y2="583.0506"/><polygon fill="#181818" points="2563.15,644.6956,2564.062,637.5424,2557.8098,633.9493,2556.8978,641.1025,2563.15,644.6956" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[f6501252c65be42b38a34c7ff3f78362]
 link GMN29 to PolicyEvaluator--><g id="link_GMN29_PolicyEvaluator"><path d="M2284.87,161.1856 C2251.63,173.2556 2202.03,194.1456 2165,222.2656 C2139.92,241.3056 2117.02,268.8556 2101.32,290.0656 " fill="none" id="GMN29-PolicyEvaluator" style="stroke:#181818;stroke-width:1.0;stroke-dasharray:7.0,7.0;"/></g><!--MD5=[017c10c76ce2d36bd60f0dc62a4a72a8]
 reverse link java.security.Principal to CoSecPrincipal--><g id="link_java.security.Principal_CoSecPrincipal"><path codeLine="99" d="M837.11,198.9556 C825.11,219.6056 811.12,243.6656 798.74,264.9556 " fill="none" id="java.security.Principal-backto-CoSecPrincipal" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="none" points="831.03,195.4956,847.13,181.7256,843.13,202.5256,831.03,195.4956" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[5b5054689bf2020954aca84a99bf32ab]
 reverse link TenantCapable to TenantPrincipal--><g id="link_TenantCapable_TenantPrincipal"><path codeLine="100" d="M539.53,363.3356 C560.02,373.4856 581.54,384.7856 601,396.2656 C649.93,425.1456 703.23,463.8956 735.63,488.3556 " fill="none" id="TenantCapable-backto-TenantPrincipal" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="none" points="536.58,369.6856,521.66,354.6456,542.7,357.0956,536.58,369.6856" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[e7f6508ff043c461a5f165263bc71b5b]
@@ -66,7 +66,7 @@ reverse link Request to Authorization--><g id="link_Request_Authorization"><path
 reverse link SecurityContext to Authorization--><g id="link_SecurityContext_Authorization"><path codeLine="139" d="M391.3,575.4356 C369.32,612.3656 342.31,657.7456 324.65,687.4256 " fill="none" id="SecurityContext-backto-Authorization" style="stroke:#181818;stroke-width:1.0;stroke-dasharray:7.0,7.0;"/><polygon fill="#181818" points="393.73,571.3556,385.6835,577.0348,391.1681,575.6494,392.5535,581.134,393.73,571.3556" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[6b6dcf69d22c7b7e80e54001a420a613]
 reverse link CoSecPrincipal to Authentication--><g id="link_CoSecPrincipal_Authentication"><path codeLine="156" d="M897.38,376.5256 C901.27,377.5156 905.15,378.4356 909,379.2656 C1054.74,410.6356 1101.21,353.4056 1244,396.2656 C1296.96,412.1656 1350.61,445.2156 1388.36,471.9056 " fill="none" id="CoSecPrincipal-backto-Authentication" style="stroke:#181818;stroke-width:1.0;stroke-dasharray:7.0,7.0;"/><polygon fill="#181818" points="892.71,375.2856,900.3777,381.4667,897.5416,376.5722,902.4362,373.7361,892.71,375.2856" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[615981591744dbfd257bd758771ab80b]
 reverse link Credentials to Authentication--><g id="link_Credentials_Authentication"><path codeLine="157" d="M1440,352.9056 C1440,384.9456 1440,436.2156 1440,471.8056 " fill="none" id="Credentials-backto-Authentication" style="stroke:#181818;stroke-width:1.0;stroke-dasharray:7.0,7.0;"/><polygon fill="#181818" points="1440,348.2756,1436,357.2756,1440,353.2756,1444,357.2756,1440,348.2756" style="stroke:#181818;stroke-width:1.0;"/></g><!--MD5=[40d5522495084d761aba8f9786b248b8]
-link Authentication to AuthenticationProvider--><g id="link_Authentication_AuthenticationProvider"><path codeLine="158" d="M1610.93,512.7656 C1612.8,512.7656 1617.3,512.7656 1617.3,512.7656 " fill="none" id="Authentication-AuthenticationProvider" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="1597.94,512.7656,1606.94,516.7656,1602.94,512.7656,1606.94,508.7656,1597.94,512.7656" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="1602.94" x2="1610.94" y1="512.7656" y2="512.7656"/><polygon fill="#181818" points="1629.3,512.7656,1623.3,508.7656,1617.3,512.7656,1623.3,516.7656,1629.3,512.7656" style="stroke:#181818;stroke-width:1.0;"/></g><a href="https://github.com/Ahoo-Wang/CoSec" target="_top" title="https://github.com/Ahoo-Wang/CoSec" xlink:actuate="onRequest" xlink:href="https://github.com/Ahoo-Wang/CoSec" xlink:show="new" xlink:title="https://github.com/Ahoo-Wang/CoSec" xlink:type="simple"><text fill="#808080" font-family="sans-serif" font-size="10" lengthAdjust="spacing" text-decoration="underline" textLength="189" x="1390.5" y="824.9336">https://github.com/Ahoo-Wang/CoSec</text></a><!--MD5=[7795edae75c4d4dfed5a78e91966cc05]
+link Authentication to AuthenticationProvider--><g id="link_Authentication_AuthenticationProvider"><path codeLine="158" d="M1610.93,512.7656 C1612.8,512.7656 1617.3,512.7656 1617.3,512.7656 " fill="none" id="Authentication-AuthenticationProvider" style="stroke:#181818;stroke-width:1.0;"/><polygon fill="#181818" points="1597.94,512.7656,1606.94,516.7656,1602.94,512.7656,1606.94,508.7656,1597.94,512.7656" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="1602.94" x2="1610.94" y1="512.7656" y2="512.7656"/><polygon fill="#181818" points="1629.3,512.7656,1623.3,508.7656,1617.3,512.7656,1623.3,516.7656,1629.3,512.7656" style="stroke:#181818;stroke-width:1.0;"/></g><a href="https://github.com/Ahoo-Wang/CoSec" target="_top" title="https://github.com/Ahoo-Wang/CoSec" xlink:actuate="onRequest" xlink:href="https://github.com/Ahoo-Wang/CoSec" xlink:show="new" xlink:title="https://github.com/Ahoo-Wang/CoSec" xlink:type="simple"><text fill="#808080" font-family="sans-serif" font-size="10" lengthAdjust="spacing" text-decoration="underline" textLength="189" x="1390.5" y="824.9336">https://github.com/Ahoo-Wang/CoSec</text></a><!--MD5=[f41e9cfb460b549490c5a54ba01a5ee2]
 @startuml
 !include layout.puml
 
@@ -126,7 +126,7 @@ package policy{
         val name: String
         val effect: Effect
         val actions: Set<ActionMatcher>
-        val conditions: Set<ConditionMatcher>
+        val condition: ConditionMatcher
     }
 
     interface PermissionVerifier {
@@ -297,7 +297,7 @@ package policy{
         val name: String
         val effect: Effect
         val actions: Set<ActionMatcher>
-        val conditions: Set<ConditionMatcher>
+        val condition: ConditionMatcher
     }
 
     interface PermissionVerifier {
diff --git a/document/design/uml/modeling.puml b/document/design/uml/modeling.puml
index d4268893..9b17f892 100644
--- a/document/design/uml/modeling.puml
+++ b/document/design/uml/modeling.puml
@@ -57,7 +57,7 @@ package policy{
         val name: String
         val effect: Effect
         val actions: Set<ActionMatcher>
-        val conditions: Set<ConditionMatcher>
+        val condition: ConditionMatcher
     }
 
     interface PermissionVerifier {
diff --git a/gradle.properties b/gradle.properties
index b242bf87..d18b3787 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -11,7 +11,7 @@
 # limitations under the License.
 #
 group=me.ahoo.cosec
-version=1.9.3
+version=1.10.0
 description=RBAC-based And Policy-based Multi-Tenant Reactive Security Framework
 website=https://github.com/Ahoo-Wang/CoSec
 issues=https://github.com/Ahoo-Wang/CoSec/issues