source: TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/__init__.py @ 6805

"""NDG XACML package for functions

NERC DataGrid Project
"""
__author__ = "P J Kershaw"
__date__ = "26/03/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = "$Id: $"
from abc import ABCMeta, abstractmethod
from datetime import datetime, timedelta
import traceback
import logging
log = logging.getLogger(__name__)

from ndg.xacml.core.attributevalue import (AttributeValue, 
                                           AttributeValueClassFactory)
from ndg.xacml.utils import VettedDict, _isIterable
from ndg.xacml.utils.factory import callModuleObject


class AbstractFunction(object):
    """Base class for all XACML matching functions"""
    
    __metaclass__ = ABCMeta
    FUNCTION_NS = None
    V1_0_FUNCTION_NS = "urn:oasis:names:tc:xacml:1.0:function:"
    V2_0_FUNCTION_NS = "urn:oasis:names:tc:xacml:2.0:function:"
    
    def __init__(self):
        if self.__class__.FUNCTION_NS is None:
            raise TypeError('"FUNCTION_NS" class variable must be defined in '
                            'derived classes')
            
    @abstractmethod
    def evaluate(self, *inputs):
        """Evaluate the function from the given input arguments and context
        @param inputs: input arguments need to evaluate the function
        @type inputs: tuple
        @return: True for match, False otherwise
        @rtype: bool
        """
        
class XacmlFunctionNames(object):
    """XACML standard match function names"""
    FUNCTION_NAMES = (
'urn:oasis:names:tc:xacml:1.0:function:string-equal',
'urn:oasis:names:tc:xacml:1.0:function:boolean-equal',
'urn:oasis:names:tc:xacml:1.0:function:integer-equal',
'urn:oasis:names:tc:xacml:1.0:function:double-equal',
'urn:oasis:names:tc:xacml:1.0:function:date-equal',
'urn:oasis:names:tc:xacml:1.0:function:time-equal',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-equal',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-equal',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-equal',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal',
'urn:oasis:names:tc:xacml:1.0:function:integer-add',
'urn:oasis:names:tc:xacml:1.0:function:double-add',
'urn:oasis:names:tc:xacml:1.0:function:integer-subtract',
'urn:oasis:names:tc:xacml:1.0:function:double-subtract',
'urn:oasis:names:tc:xacml:1.0:function:integer-multiply',
'urn:oasis:names:tc:xacml:1.0:function:double-multiply',
'urn:oasis:names:tc:xacml:1.0:function:integer-divide',
'urn:oasis:names:tc:xacml:1.0:function:double-divide',
'urn:oasis:names:tc:xacml:1.0:function:integer-mod',
'urn:oasis:names:tc:xacml:1.0:function:integer-abs',
'urn:oasis:names:tc:xacml:1.0:function:double-abs',
'urn:oasis:names:tc:xacml:1.0:function:round',
'urn:oasis:names:tc:xacml:1.0:function:floor',
'urn:oasis:names:tc:xacml:1.0:function:string-normalize-space',
'urn:oasis:names:tc:xacml:1.0:function:string-normalize-to-lower-case',
'urn:oasis:names:tc:xacml:1.0:function:double-to-integer',
'urn:oasis:names:tc:xacml:1.0:function:integer-to-double',
'urn:oasis:names:tc:xacml:1.0:function:or',
'urn:oasis:names:tc:xacml:1.0:function:and',
'urn:oasis:names:tc:xacml:1.0:function:n-of',
'urn:oasis:names:tc:xacml:1.0:function:not',
'urn:oasis:names:tc:xacml:1.0:function:integer-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:integer-less-than',
'urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:double-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:double-less-than',
'urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration', 
'urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration',
'urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration',
'urn:oasis:names:tc:xacml:1.0:function:string-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:string-less-than',
'urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:time-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:time-less-than',
'urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal',
'urn:oasis:names:tc:xacml:2.0:function:time-in-range',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:date-greater-than',
'urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:date-less-than',
'urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal',
'urn:oasis:names:tc:xacml:1.0:function:string-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:string-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:string-is-in',
'urn:oasis:names:tc:xacml:1.0:function:string-bag',
'urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:boolean-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:boolean-is-in',
'urn:oasis:names:tc:xacml:1.0:function:boolean-bag',
'urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:integer-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:integer-is-in',
'urn:oasis:names:tc:xacml:1.0:function:integer-bag',
'urn:oasis:names:tc:xacml:1.0:function:double-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:double-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:double-is-in',
'urn:oasis:names:tc:xacml:1.0:function:double-bag',
'urn:oasis:names:tc:xacml:1.0:function:time-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:time-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:time-is-in',
'urn:oasis:names:tc:xacml:1.0:function:time-bag',
'urn:oasis:names:tc:xacml:1.0:function:date-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:date-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:date-is-in',
'urn:oasis:names:tc:xacml:1.0:function:date-bag',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-is-in',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-bag',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-bag',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-is-in',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-bag',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-is-in',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-bag',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-is-in',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-bag',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-is-in',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-bag',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-is-in',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-bag',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-one-and-only',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag-size',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-is-in',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-bag',
'urn:oasis:names:tc:xacml:2.0:function:string-concatenate',
'urn:oasis:names:tc:xacml:2.0:function:uri-string-concatenate',
'urn:oasis:names:tc:xacml:1.0:function:any-of',
'urn:oasis:names:tc:xacml:1.0:function:all-of',
'urn:oasis:names:tc:xacml:1.0:function:any-of-any',
'urn:oasis:names:tc:xacml:1.0:function:all-of-any',
'urn:oasis:names:tc:xacml:1.0:function:any-of-all',
'urn:oasis:names:tc:xacml:1.0:function:all-of-all',
'urn:oasis:names:tc:xacml:1.0:function:map',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-match',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match',
'urn:oasis:names:tc:xacml:1.0:function:string-regexp-match',
'urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match',
'urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match',
'urn:oasis:names:tc:xacml:2.0:function:dnsName-regexp-match',
'urn:oasis:names:tc:xacml:2.0:function:rfc822Name-regexp-match',
'urn:oasis:names:tc:xacml:2.0:function:x500Name-regexp-match',
'urn:oasis:names:tc:xacml:1.0:function:xpath-node-count',
'urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal',
'urn:oasis:names:tc:xacml:1.0:function:xpath-node-match',
'urn:oasis:names:tc:xacml:1.0:function:string-intersection',
'urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:string-union',
'urn:oasis:names:tc:xacml:1.0:function:string-subset',
'urn:oasis:names:tc:xacml:1.0:function:string-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:boolean-intersection',
'urn:oasis:names:tc:xacml:1.0:function:boolean-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:boolean-union',
'urn:oasis:names:tc:xacml:1.0:function:boolean-subset',
'urn:oasis:names:tc:xacml:1.0:function:boolean-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:integer-intersection',
'urn:oasis:names:tc:xacml:1.0:function:integer-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:integer-union',
'urn:oasis:names:tc:xacml:1.0:function:integer-subset',
'urn:oasis:names:tc:xacml:1.0:function:integer-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:double-intersection',
'urn:oasis:names:tc:xacml:1.0:function:double-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:double-union',
'urn:oasis:names:tc:xacml:1.0:function:double-subset',
'urn:oasis:names:tc:xacml:1.0:function:double-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:time-intersection',
'urn:oasis:names:tc:xacml:1.0:function:time-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:time-union',
'urn:oasis:names:tc:xacml:1.0:function:time-subset',
'urn:oasis:names:tc:xacml:1.0:function:time-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:date-intersection',
'urn:oasis:names:tc:xacml:1.0:function:date-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:date-union',
'urn:oasis:names:tc:xacml:1.0:function:date-subset',
'urn:oasis:names:tc:xacml:1.0:function:date-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-intersection',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-union',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-subset',
'urn:oasis:names:tc:xacml:1.0:function:dateTime-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-intersection',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-union',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-subset',
'urn:oasis:names:tc:xacml:1.0:function:anyURI-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-intersection',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-union',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-subset',
'urn:oasis:names:tc:xacml:1.0:function:hexBinary-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-intersection',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-union',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-subset',
'urn:oasis:names:tc:xacml:1.0:function:base64Binary-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-intersection',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-union',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-subset',
'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-intersection',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-union',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-subset',
'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-intersection',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-union',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-subset',
'urn:oasis:names:tc:xacml:1.0:function:x500Name-set-equals',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-intersection',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-at-least-one-member-of',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-union',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-subset',
'urn:oasis:names:tc:xacml:1.0:function:rfc822Name-set-equals',
    )


class FunctionClassFactoryInterface(object):
    """Interface class for function module class factory class
    """
    __meta__ = ABCMeta
    
    @abstractmethod
    def __call__(self, identifier):
        '''Create class for the given XACML function identifier
        
        @param identifier: XACML function identifier
        @type identifier: basestring
        @return: at least one member of class corresponding to the given input
        identifier
        @rtype: AbstractFunction derived type or None if no match is 
        found
        '''
        return None
    

class FunctionClassFactoryBase(FunctionClassFactoryInterface):
    """Base implementation for XACML Function Class Factory.  Derived types 
    should be implemented in sub-modules of ndg.xacml.core.functions 
    
    e.g.
    
    for urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of a 
    class factory should exist,
    
    ndg.xacml.core.functions.v1.at_least_one_member_of.FunctionClassFactory
    
    which will be capable of returning an AbstractFunction derived type:
    
    StringAtLeastOneMemberOf    
    
    This class is for convenience only some function factories are better 
    derived directly from FunctionClassFactoryInterface
    
    Derived classes MUST define these class variables:
    
    @cvar FUNCTION_NAMES: list of function identifiers that this factory can
    produce classes for e.g.:
    
    ('urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of', ...)
    
    @type FUNCTION_NAMES: NoneType (but list in derived class)
   
    @cvar FUNCTION_NS_SUFFIX: urn suffix for the family of function to define
    e.g. -at-least-one-member-of is the suffix for the URN:
    
    urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of
    @type FUNCTION_NS_SUFFIX: NoneType (but basestring in derived class)
    
    @cvar FUNCTION_BASE_CLASS: base class for this family of functions e.g for
    urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of,
    ndg.xacml.core.functions.v1.at_least_one_member_of.AtLeastOneMemberOfBase
    @type FUNCTION_BASE_CLASS: NoneType (but AbstractFunction derived type in 
    derived function facotry class)
    """
    
    FUNCTION_NS_SUFFIX = None
    FUNCTION_NAMES = None
    FUNCTION_BASE_CLASS = None
    
    URN_SEP = ':'
    FUNCTION_NAME_SEP = '-'

    def __init__(self):
        """Create classes for each <type>-at-least-one-member-of function and
        place in a look-up table
        """
        if None in (self.__class__.FUNCTION_NS_SUFFIX, 
                    self.__class__.FUNCTION_BASE_CLASS):
            raise TypeError('"FUNCTION_NS_SUFFIX" and "FUNCTION_BASE_CLASS" '
                            'must be defined in a derived implementation of '
                            'FunctionClassFactoryBase.  See '
                            'FunctionClassFactoryBase.__doc__ contents')
        
        if not _isIterable(self.__class__.FUNCTION_NAMES):
            raise TypeError('"FUNCTION_NAMES" class variable must be an '
                            'iterable of string type function identifiers; got '
                            '%r' % self.__class__.FUNCTION_NAMES)
            
        self.__map = {}
        functionSuffixParts = self.__class__.FUNCTION_NS_SUFFIX.split(
                                            self.__class__.FUNCTION_NAME_SEP)
        functionSuffix = ''.join([n[0].upper() + n[1:] 
                                  for n in functionSuffixParts if n])
        
        attributeValueClassFactory = AttributeValueClassFactory()
        
        for identifier in self.__class__.FUNCTION_NAMES:            
            # Extract the function name and the type portion of the function
            # name in order to make an implementation of a class to handle it
            functionName = identifier.split(self.__class__.URN_SEP)[-1]
            typePart = functionName.split(self.__class__.FUNCTION_NS_SUFFIX)[0]
            
            typeName = typePart[0].upper() + typePart[1:]
            typeURI = AttributeValue.IDENTIFIER_PREFIX + typePart
            _type = attributeValueClassFactory(typeURI)
            if _type is None:
                raise TypeError('No AttributeValue.TYPE_MAP entry for %r type' %
                                typeName)
              
            className = typeName + functionSuffix
            classVars = {
                'TYPE': _type,
                'FUNCTION_NS': identifier
            }
            
            functionClass = type(className, 
                                 (self.__class__.FUNCTION_BASE_CLASS, ), 
                                 classVars)
            
            self.__map[identifier] = functionClass
            
    def __call__(self, identifier):
        """Return the class for the given XACML *-at-least-one-member-of type
        function identifier
        @param identifier: XACML *-at-least-one-member-of type function
        identifier
        @type identifier: basestring
        @return: at least one member of class corresponding to the given input
        identifier
        @rtype: AtLeastOneMemberOfBase derived type or None if no match is 
        found
        """
        return self.__map.get(identifier)
        
    
class FunctionMapError(Exception):
    """Generic Error exception class for FunctionMap"""
    
    
class FunctionMapConfigError(FunctionMapError):
    """Configuration related exception for FunctionMap"""
        
        
class FunctionMap(VettedDict):
    """Map function IDs to their implementations"""
    FUNCTION_PKG_PREFIX = 'ndg.xacml.core.functions.'
    
    V1_0_PKG_PREFIX = FUNCTION_PKG_PREFIX + 'v1.'
    V2_0_PKG_PREFIX = FUNCTION_PKG_PREFIX + 'v2.'
    
    SUPPORTED_NSS = {
        AbstractFunction.V1_0_FUNCTION_NS: V1_0_PKG_PREFIX,
        AbstractFunction.V2_0_FUNCTION_NS: V2_0_PKG_PREFIX
    }
    
    # Each function module is expected to have a class factory for obtaining
    # a class for the given function identifier associated with that module
    FUNCTION_CLASS_FACTORY_CLASSNAME = 'FunctionClassFactory'
    
    def __init__(self):
        """Force function entries to derive from AbstractFunction and IDs to
        be string type
        """        
        # Filters are defined as staticmethods but reference via self here to 
        # enable derived class to override them as standard methods without
        # needing to redefine this __init__ method            
        super(FunctionMap, self).__init__(self.keyFilter, self.valueFilter)
        
    @staticmethod
    def keyFilter(key):
        """Enforce string type keys"""
        if not isinstance(key, basestring):
            raise TypeError('Expecting %r type for key; got %r' % 
                            (basestring, type(key))) 
            
        return True 
    
    @staticmethod
    def valueFilter(value):
        """Enforce AbstractFunction derived types for match functions"""
        if value is NotImplemented:
            return True
        
        elif not issubclass(value, AbstractFunction):
            raise TypeError('Expecting %r derived type for value; got %r' % 
                            (AbstractFunction, value)) 
            
        return True 
           
    def load(self):
        """Load function map with implementations from the relevant function
        package"""
        
        for functionNs in XacmlFunctionNames.FUNCTION_NAMES:
            self._loadFunction(functionNs)
            
    @classmethod
    def withLoadedMap(cls):
        """Return a pre-loaded map"""
        functionMap = cls()
        functionMap.load()
        return functionMap
            
    def _loadFunction(self, functionNs):
        """Get package to retrieve function class from for given namespace
        """
        cls = FunctionMap
        classPath = None
        
        for namespacePrefix, pkgNamePrefix in cls.SUPPORTED_NSS.items():
            if functionNs.startswith(namespacePrefix):
                # Namespace is recognised - translate into a path to a function
                # class in the right functions package
                functionName = functionNs.split(namespacePrefix)[-1]
                functionNameParts = functionName.split('-')
                
                if len(functionNameParts) == 1:
                    moduleName = functionNameParts[0]
                else:
                    moduleName = '_'.join(functionNameParts[1:]).lower()
                    
                classPath = pkgNamePrefix + moduleName + '.' + \
                            cls.FUNCTION_CLASS_FACTORY_CLASSNAME
                break

        if classPath is None:
            raise FunctionMapConfigError('Namespace for function not '
                                         'recognised: %r' % functionNs) 
                       
        # Try instantiating the function class and loading it into the 
        # map
        try:
            functionFactory = callModuleObject(classPath)
                      
        except (ImportError, AttributeError):
            log.error("Error importing function factory class %r for function "
                      "identifier %r: %s", classPath, functionNs, 
                      traceback.format_exc())
            
            # No implementation exists - default to Abstract function
            self[functionNs] = NotImplemented
        else:
            self[functionNs] = functionFactory(functionNs)