1 | """NDG XACML Condition type definition |
---|
2 | |
---|
3 | NERC DataGrid Project |
---|
4 | """ |
---|
5 | __author__ = "P J Kershaw" |
---|
6 | __date__ = "15/04/10" |
---|
7 | __copyright__ = "(C) 2010 Science and Technology Facilities Council" |
---|
8 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
9 | __license__ = "BSD - see LICENSE file in top-level directory" |
---|
10 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
11 | __revision__ = "$Id$" |
---|
12 | from abc import ABCMeta, abstractmethod |
---|
13 | |
---|
14 | from ndg.xacml.core.context.result import Decision |
---|
15 | |
---|
16 | |
---|
17 | ALGORITHMS = ( |
---|
18 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides', |
---|
19 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides', |
---|
20 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides', |
---|
21 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides', |
---|
22 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable', |
---|
23 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable', |
---|
24 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable', |
---|
25 | 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides', |
---|
26 | 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides', |
---|
27 | 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides', |
---|
28 | 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides', |
---|
29 | ) |
---|
30 | |
---|
31 | |
---|
32 | class RuleCombiningAlgInterface(object): |
---|
33 | """Interface class for XAML rule combining algorithms""" |
---|
34 | |
---|
35 | @abstractmethod |
---|
36 | def evaluate(self, rules, context): |
---|
37 | """Combine the input rule results to make an access control decision |
---|
38 | based. Derived classes must implement this method. This implementation |
---|
39 | returns indeterminate result. |
---|
40 | |
---|
41 | @param rules: rules from the policy. Decisions from these will be put |
---|
42 | together into a single decision by this algorithm |
---|
43 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
44 | @param context: request context to apply to the rules |
---|
45 | @type context: ndg.xacml.core.request.Request |
---|
46 | @return: resulting overall access control decision |
---|
47 | @rtype: ndg.xacml.core.context.result.Decision |
---|
48 | """ |
---|
49 | return Decision.INDETERMINATE |
---|
50 | |
---|
51 | class DenyOverridesRuleCombiningAlg(RuleCombiningAlgInterface): |
---|
52 | """Deny overrides rule combining algorithm""" |
---|
53 | |
---|
54 | def evaluate(self, rules, context): |
---|
55 | """Combine the input rule results to make an access control decision. |
---|
56 | Implementation taken direct from XACML 2.0 spec. pseudo code - Section |
---|
57 | C.1 Deny Overrides |
---|
58 | |
---|
59 | @param rules: rules from the policy. Decisions from these will be put |
---|
60 | together into a single decision by this algorithm |
---|
61 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
62 | @param context: request context to apply to the rules |
---|
63 | @type context: ndg.xacml.core.request.Request |
---|
64 | @return: resulting overall access control decision |
---|
65 | @rtype: ndg.xacml.core.context.result.Decision |
---|
66 | """ |
---|
67 | atLeastOneError = False |
---|
68 | potentialDeny = False |
---|
69 | atLeastOnePermit = False |
---|
70 | |
---|
71 | for rule in rules: |
---|
72 | decision = rule.evaluate(context) |
---|
73 | if decision == Decision.DENY: |
---|
74 | return Decision.DENY |
---|
75 | |
---|
76 | if decision == Decision.PERMIT: |
---|
77 | atLeastOnePermit = True |
---|
78 | continue |
---|
79 | |
---|
80 | if decision == Decision.NOT_APPLICABLE: |
---|
81 | continue |
---|
82 | |
---|
83 | if decision == Decision.INDETERMINATE: |
---|
84 | atLeastOneError = True |
---|
85 | |
---|
86 | if effect(rule) == Decision.DENY: |
---|
87 | potentialDeny = True |
---|
88 | |
---|
89 | continue |
---|
90 | |
---|
91 | if potentialDeny: |
---|
92 | return Decision.INDETERMINATE |
---|
93 | |
---|
94 | elif atLeastOnePermit: |
---|
95 | return Decision.PERMIT |
---|
96 | |
---|
97 | elif atLeastOneError: |
---|
98 | return Decision.INDETERMINATE |
---|
99 | else: |
---|
100 | return Decision.NOT_APPLICABLE |
---|
101 | |
---|
102 | |
---|
103 | class PermitOverridesRuleCombiningAlg(RuleCombiningAlgInterface): |
---|
104 | """Implementation of permit overrides XACML rule combining algorithm""" |
---|
105 | |
---|
106 | def evaluate(self, rules, context): |
---|
107 | """Combine the input rule results to make an access control decision. |
---|
108 | Implementation taken direct from XACML 2.0 spec. pseudo code - Section |
---|
109 | C.3 |
---|
110 | |
---|
111 | @param rules: rules from the policy. Decisions from these will be put |
---|
112 | together into a single decision by this algorithm |
---|
113 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
114 | @param context: request context to apply to the rules |
---|
115 | @type context: ndg.xacml.core.request.Request |
---|
116 | @return: resulting overall access control decision |
---|
117 | @rtype: ndg.xacml.core.context.result.Decision |
---|
118 | """ |
---|
119 | atLeastOneError = False |
---|
120 | potentialPermit = False |
---|
121 | atLeastOneDeny = False |
---|
122 | |
---|
123 | for rule in rules: |
---|
124 | decision = rule.evaluate(context) |
---|
125 | if decision == Decision.DENY: |
---|
126 | atLeastOneDeny = True |
---|
127 | continue |
---|
128 | |
---|
129 | if decision == Decision.PERMIT: |
---|
130 | return Decision.PERMIT |
---|
131 | |
---|
132 | if decision == Decision.NOT_APPLICABLE: |
---|
133 | continue |
---|
134 | |
---|
135 | if decision == Decision.INDETERMINATE: |
---|
136 | atLeastOneError = True |
---|
137 | |
---|
138 | if rule.effect.value == Decision.PERMIT_STR: |
---|
139 | potentialPermit = True |
---|
140 | |
---|
141 | continue |
---|
142 | |
---|
143 | if potentialPermit: |
---|
144 | return Decision.INDETERMINATE |
---|
145 | |
---|
146 | if atLeastOneDeny: |
---|
147 | return Decision.DENY |
---|
148 | |
---|
149 | if atLeastOneError: |
---|
150 | return Decision.INDETERMINATE |
---|
151 | |
---|
152 | return Decision.NOT_APPLICABLE |
---|
153 | |
---|
154 | |
---|
155 | class RuleCombiningAlgClassFactory(object): |
---|
156 | """Class Factory mapping Rule Combining Algorithm identifiers to their |
---|
157 | class implementations""" |
---|
158 | |
---|
159 | # All algorithms are not implemented by default(!) |
---|
160 | DEFAULT_MAP = {}.fromkeys(ALGORITHMS, NotImplemented) |
---|
161 | |
---|
162 | # Permit overrides is the only one currently implemented |
---|
163 | DEFAULT_MAP.update({ |
---|
164 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides': |
---|
165 | DenyOverridesRuleCombiningAlg, |
---|
166 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides': |
---|
167 | PermitOverridesRuleCombiningAlg |
---|
168 | }) |
---|
169 | |
---|
170 | def __init__(self, map=DEFAULT_MAP): |
---|
171 | """Initialise mapping of identifiers to class implementations""" |
---|
172 | self.__map = map |
---|
173 | |
---|
174 | def __call__(self, identifier): |
---|
175 | """Return the class for a given Rule Combining Algorithm identifier |
---|
176 | @param identifier: XACML rule combining algorithm urn |
---|
177 | @type identifier: basestring |
---|
178 | @return: rule combining class corresponding to the given input |
---|
179 | identifier |
---|
180 | @rtype: RuleCombiningAlgInterface derived type or NoneType if no match |
---|
181 | is found or NotImplementedType if the identifier corresponds to a valid |
---|
182 | XACML rule combining algorithm but is not supported in this |
---|
183 | implementation |
---|
184 | """ |
---|
185 | return self.__map.get(identifier) |
---|