source: TI12-security/trunk/ndg_xacml/ndg/xacml/core/rule_combining_alg.py @ 7108

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/ndg_xacml/ndg/xacml/core/rule_combining_alg.py@7108
Revision 7108, 7.2 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • updating epydoc ready for release.
  • Property svn:keywords set to Id
[6822]1"""NDG XACML Condition type definition
2
[7087]3NERC DataGrid
[6822]4"""
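__author__ = "P J Kershaw"
__date__ = "15/04/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
# Single contact line: the original module assigned __contact__ twice with the
# same value, which was harmless but misleading.
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
# Expanded by Subversion on checkout (svn:keywords is set to Id for this file).
__revision__ = "$Id$"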
[6822]12from abc import ABCMeta, abstractmethod
13
14from ndg.xacml.core.context.result import Decision
15
16
# Combining algorithm identifiers named by the XACML 1.0 and 1.1 specs.  Both
# rule-combining and policy-combining URNs are listed here, although this
# module only implements rule-combining classes; the factory below marks every
# entry NotImplemented unless a class is registered for it.  The exact URN
# spelling matters: an identifier is matched by string equality, and a typo in
# a policy would silently resolve to "unknown" rather than to an algorithm.
ALGORITHMS = (
'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides',
'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides',
'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides',
'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides',
'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable',
'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable',
'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable',
'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides',
'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides',
'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides',
'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides',
)
31
32
class RuleCombiningAlgInterface(object):
    """Interface class for XACML rule combining algorithms.

    NOTE(review): evaluate() carries @abstractmethod, but this class sets no
    ABCMeta metaclass (ABCMeta is imported yet not used anywhere visible in
    this module), so the decorator is not enforced: the class can be
    instantiated and evaluate() then returns INDETERMINATE.  Do not rely on
    instantiation being refused.
    """

    @abstractmethod
    def evaluate(self, rules, context):
        """Combine the input rule results to make an access control decision.
        Derived classes must implement this method; this base implementation
        always returns an INDETERMINATE decision, i.e. the "cannot decide"
        outcome rather than an implicit permit.

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        return Decision.INDETERMINATE
51
[7108]52
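class DenyOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
    """Deny overrides rule combining algorithm"""

    def evaluate(self, rules, context):
        """Combine the input rule results to make an access control decision.
        Implementation taken direct from XACML 2.0 spec. pseudo code - Section
        C.1 Deny Overrides: the first DENY wins outright; an INDETERMINATE rule
        whose effect is Deny makes the overall result INDETERMINATE (a
        "potential deny"); PERMIT is returned only when no rule could have
        denied.

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        atLeastOneError = False
        potentialDeny = False
        atLeastOnePermit = False

        for rule in rules:
            decision = rule.evaluate(context)
            if decision == Decision.DENY:
                # Deny overrides everything else: short-circuit immediately
                return Decision.DENY

            if decision == Decision.PERMIT:
                atLeastOnePermit = True
                continue

            if decision == Decision.NOT_APPLICABLE:
                continue

            if decision == Decision.INDETERMINATE:
                atLeastOneError = True

                # A rule that errored but would have denied had it evaluated
                # cleanly must not be masked by a permit from another rule.
                # The effect is read as rule.effect.value, the same way
                # PermitOverridesRuleCombiningAlg does; a bare effect(rule)
                # call is not defined in this module and would raise
                # NameError the first time a rule came back INDETERMINATE.
                if rule.effect.value == Decision.DENY_STR:
                    potentialDeny = True

                continue

        # Ordering follows the spec: a possible deny beats a definite permit
        if potentialDeny:
            return Decision.INDETERMINATE

        if atLeastOnePermit:
            return Decision.PERMIT

        if atLeastOneError:
            return Decision.INDETERMINATE

        return Decision.NOT_APPLICABLE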
103
104
class PermitOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
    """Implementation of permit overrides XACML rule combining algorithm"""

    def evaluate(self, rules, context):
        """Combine the input rule results to make an access control decision.
        Implementation taken direct from XACML 2.0 spec. pseudo code - Section
        C.3 Permit Overrides: the first PERMIT wins outright; an INDETERMINATE
        rule whose effect is Permit makes the overall result INDETERMINATE;
        DENY is returned only when no rule could have permitted.

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        errorSeen = False
        permitPossible = False
        denySeen = False

        for rule in rules:
            outcome = rule.evaluate(context)

            if outcome == Decision.DENY:
                denySeen = True

            elif outcome == Decision.PERMIT:
                # Permit overrides everything else: nothing further to check
                return Decision.PERMIT

            elif outcome == Decision.NOT_APPLICABLE:
                pass

            elif outcome == Decision.INDETERMINATE:
                errorSeen = True

                # A rule that errored but would have permitted must not be
                # masked by a deny from another rule
                if rule.effect.value == Decision.PERMIT_STR:
                    permitPossible = True

        # Ordering follows the spec: a possible permit beats a definite deny
        if permitPossible:
            return Decision.INDETERMINATE

        if denySeen:
            return Decision.DENY

        if errorSeen:
            return Decision.INDETERMINATE

        return Decision.NOT_APPLICABLE
155
156   
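class RuleCombiningAlgClassFactory(object):
    """Class Factory mapping Rule Combining Algorithm identifiers to their
    class implementations"""

    # Every identifier the spec names is present but marked NotImplemented
    # unless an implementation is registered below(!).  Keeping the
    # unsupported ones in the map lets a caller tell "valid but unsupported"
    # (NotImplemented) apart from "unknown identifier" (None).
    DEFAULT_MAP = dict.fromkeys(ALGORITHMS, NotImplemented)

    # Deny overrides and permit overrides are the only ones currently
    # implemented
    DEFAULT_MAP.update({
    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides':
        DenyOverridesRuleCombiningAlg,
    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides':
        PermitOverridesRuleCombiningAlg
    })
    __slots__ = ('__map',)

    def __init__(self, map=DEFAULT_MAP):
        """Initialise mapping of identifiers to class implementations

        @param map: mapping of rule combining algorithms IDs to classes.  Set
        this to override the default taken from the DEFAULT_MAP class variable.
        The default is the shared class-level dict itself, not a copy, so
        mutating it through one instance affects every factory using the
        default.
        @type map: dict
        """
        self.__map = map

    def __call__(self, identifier):
        """Return the class for a given Rule Combining Algorithm identifier.
        Callers must check the result before use: None and NotImplemented are
        both possible return values and neither is a usable class.

        @param identifier: XACML rule combining algorithm urn
        @type identifier: basestring
        @return: rule combining class corresponding to the given input
        identifier
        @rtype: RuleCombiningAlgInterface derived type or NoneType if no match
        is found or NotImplementedType if the identifier corresponds to a valid
        XACML rule combining algorithm but is not supported in this
        implementation
        """
        return self.__map.get(identifier)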