
Incomplete - task 2: XACML-Security Integration

  • updating epydoc ready for release.
  • Property svn:keywords set to Id
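"""NDG XACML rule combining algorithm definitions

NERC DataGrid
"""
__author__ = "P J Kershaw"
__date__ = "15/04/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
__revision__ = "$Id$"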
12from abc import ABCMeta, abstractmethod
13
14from ndg.xacml.core.context.result import Decision
15
16
# Identifiers (URNs) of the XACML 1.0 / 1.1 combining algorithms this module
# recognises.  Both rule-combining and policy-combining URNs are listed here;
# whether a given identifier actually has an implementation is a separate
# question answered by RuleCombiningAlgClassFactory, which maps each of these
# to a class or to NotImplemented.
ALGORITHMS = (
    # XACML 1.0
    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides',
    'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides',
    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides',
    'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides',
    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable',
    'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable',
    'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable',
    # XACML 1.1 "ordered" variants
    'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides',
    'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides',
    'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides',
    'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides',
)
30
31
class RuleCombiningAlgInterface(object):
    """Base class for XACML rule combining algorithms.

    Concrete algorithms override evaluate().  Although evaluate() carries the
    abstractmethod decorator, this class does not use ABCMeta as its
    metaclass, so the decorator is not enforced: the class can be instantiated
    and its default evaluate() simply answers Indeterminate.
    """

    @abstractmethod
    def evaluate(self, rules, context):
        """Default combining step - always yields an Indeterminate decision.
        Derived classes supply the real algorithm.

        @param rules: rules from the enclosing policy whose individual
        decisions are to be combined into one
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context the rules are evaluated against
        @type context: ndg.xacml.core.request.Request
        @return: Indeterminate, regardless of the inputs
        @rtype: ndg.xacml.core.context.result.Decision
        """
        fallback = Decision.INDETERMINATE
        return fallback
50
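class DenyOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
    """Deny overrides rule combining algorithm (XACML 2.0 spec., Section C.1).

    A single Deny wins outright.  An Indeterminate result from a rule whose
    effect is Deny counts as a potential deny, so the overall decision becomes
    Indeterminate rather than Permit.
    """

    def evaluate(self, rules, context):
        """Combine the input rule results to make an access control decision.
        Implementation taken direct from XACML 2.0 spec. pseudo code - Section
        C.1 Deny Overrides

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        atLeastOneError = False
        potentialDeny = False
        atLeastOnePermit = False

        for rule in rules:
            decision = rule.evaluate(context)

            # The first Deny short-circuits: remaining rules are not evaluated
            if decision == Decision.DENY:
                return Decision.DENY

            if decision == Decision.PERMIT:
                atLeastOnePermit = True
                continue

            if decision == Decision.NOT_APPLICABLE:
                continue

            if decision == Decision.INDETERMINATE:
                atLeastOneError = True

                # Same test as PermitOverridesRuleCombiningAlg, against the
                # rule's effect string.  The previous `effect(rule)` call named
                # a function that does not exist, so any Indeterminate rule
                # result aborted evaluation with NameError instead of being
                # folded into the decision.
                if rule.effect.value == Decision.DENY_STR:
                    potentialDeny = True

                continue

        # A rule that would have denied but errored must not yield Permit
        if potentialDeny:
            return Decision.INDETERMINATE

        elif atLeastOnePermit:
            return Decision.PERMIT

        elif atLeastOneError:
            return Decision.INDETERMINATE
        else:
            return Decision.NOT_APPLICABLE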
101
102
class PermitOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
    """Permit overrides rule combining algorithm (XACML 2.0 spec., Section C.3).

    A single Permit wins outright.  An Indeterminate result from a rule whose
    effect is Permit counts as a potential permit, so the overall decision
    becomes Indeterminate rather than Deny.
    """

    def evaluate(self, rules, context):
        """Combine the input rule results to make an access control decision.
        Implementation taken direct from XACML 2.0 spec. pseudo code - Section
        C.3

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        sawError = False
        sawDeny = False
        permitPossible = False

        for rule in rules:
            outcome = rule.evaluate(context)

            if outcome == Decision.DENY:
                sawDeny = True
            elif outcome == Decision.PERMIT:
                # The first Permit short-circuits: later rules are not evaluated
                return Decision.PERMIT
            elif outcome == Decision.INDETERMINATE:
                sawError = True
                # A rule that would have permitted but errored must not let
                # the overall result collapse to a clean Deny
                if rule.effect.value == Decision.PERMIT_STR:
                    permitPossible = True
            # NOT_APPLICABLE (and any other value) contributes nothing

        if permitPossible:
            return Decision.INDETERMINATE

        if sawDeny:
            return Decision.DENY

        if sawError:
            return Decision.INDETERMINATE

        return Decision.NOT_APPLICABLE
153
154   
class RuleCombiningAlgClassFactory(object):
    """Class Factory mapping Rule Combining Algorithm identifiers to their
    class implementations.

    Lookup distinguishes three outcomes: a class (supported), NotImplemented
    (a valid XACML identifier without an implementation here) and None (an
    identifier this module does not recognise at all).
    """

    # Start with every known identifier marked as unimplemented ...
    DEFAULT_MAP = dict.fromkeys(ALGORITHMS, NotImplemented)

    # ... then register the two algorithms that do have implementations:
    # deny-overrides and permit-overrides (rule-combining forms only)
    DEFAULT_MAP.update({
        'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides':
            DenyOverridesRuleCombiningAlg,
        'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides':
            PermitOverridesRuleCombiningAlg,
    })

    def __init__(self, map=DEFAULT_MAP):
        """Initialise mapping of identifiers to class implementations

        @param map: identifier to class mapping.  Defaults to DEFAULT_MAP,
        which is a class-level dict shared by every instance built without an
        explicit map
        @type map: dict
        """
        self.__map = map

    def __call__(self, identifier):
        """Return the class for a given Rule Combining Algorithm identifier
        @param identifier: XACML rule combining algorithm urn
        @type identifier: basestring
        @return: rule combining class corresponding to the given input
        identifier
        @rtype: RuleCombiningAlgInterface derived type or NoneType if no match
        is found or NotImplementedType if the identifier corresponds to a valid
        XACML rule combining algorithm but is not supported in this
        implementation
        """
        try:
            return self.__map[identifier]
        except KeyError:
            return None