1 | """NDG XACML Condition type definition |
---|
2 | |
---|
3 | NERC DataGrid |
---|
4 | """ |
---|
5 | __author__ = "P J Kershaw" |
---|
6 | __date__ = "15/04/10" |
---|
7 | __copyright__ = "(C) 2010 Science and Technology Facilities Council" |
---|
8 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
9 | __license__ = "BSD - see LICENSE file in top-level directory" |
---|
10 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
11 | __revision__ = "$Id$" |
---|
12 | from abc import ABCMeta, abstractmethod |
---|
13 | |
---|
14 | from ndg.xacml.core.context.result import Decision |
---|
15 | |
---|
16 | |
---|
17 | # Rule Combining algorithms from the XACML spec. |
---|
18 | ALGORITHMS = ( |
---|
19 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides', |
---|
20 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides', |
---|
21 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides', |
---|
22 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides', |
---|
23 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable', |
---|
24 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable', |
---|
25 | 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable', |
---|
26 | 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides', |
---|
27 | 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides', |
---|
28 | 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides', |
---|
29 | 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides', |
---|
30 | ) |
---|
31 | |
---|
32 | |
---|
33 | class RuleCombiningAlgInterface(object): |
---|
34 | """Interface class for XAML rule combining algorithms""" |
---|
35 | |
---|
36 | @abstractmethod |
---|
37 | def evaluate(self, rules, context): |
---|
38 | """Combine the input rule results to make an access control decision |
---|
39 | based. Derived classes must implement this method. This implementation |
---|
40 | returns indeterminate result. |
---|
41 | |
---|
42 | @param rules: rules from the policy. Decisions from these will be put |
---|
43 | together into a single decision by this algorithm |
---|
44 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
45 | @param context: request context to apply to the rules |
---|
46 | @type context: ndg.xacml.core.request.Request |
---|
47 | @return: resulting overall access control decision |
---|
48 | @rtype: ndg.xacml.core.context.result.Decision |
---|
49 | """ |
---|
50 | return Decision.INDETERMINATE |
---|
51 | |
---|
52 | |
---|
53 | class DenyOverridesRuleCombiningAlg(RuleCombiningAlgInterface): |
---|
54 | """Deny overrides rule combining algorithm""" |
---|
55 | |
---|
56 | def evaluate(self, rules, context): |
---|
57 | """Combine the input rule results to make an access control decision. |
---|
58 | Implementation taken direct from XACML 2.0 spec. pseudo code - Section |
---|
59 | C.1 Deny Overrides |
---|
60 | |
---|
61 | @param rules: rules from the policy. Decisions from these will be put |
---|
62 | together into a single decision by this algorithm |
---|
63 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
64 | @param context: request context to apply to the rules |
---|
65 | @type context: ndg.xacml.core.request.Request |
---|
66 | @return: resulting overall access control decision |
---|
67 | @rtype: ndg.xacml.core.context.result.Decision |
---|
68 | """ |
---|
69 | atLeastOneError = False |
---|
70 | potentialDeny = False |
---|
71 | atLeastOnePermit = False |
---|
72 | |
---|
73 | for rule in rules: |
---|
74 | decision = rule.evaluate(context) |
---|
75 | if decision == Decision.DENY: |
---|
76 | return Decision.DENY |
---|
77 | |
---|
78 | if decision == Decision.PERMIT: |
---|
79 | atLeastOnePermit = True |
---|
80 | continue |
---|
81 | |
---|
82 | if decision == Decision.NOT_APPLICABLE: |
---|
83 | continue |
---|
84 | |
---|
85 | if decision == Decision.INDETERMINATE: |
---|
86 | atLeastOneError = True |
---|
87 | |
---|
88 | if effect(rule) == Decision.DENY: |
---|
89 | potentialDeny = True |
---|
90 | |
---|
91 | continue |
---|
92 | |
---|
93 | if potentialDeny: |
---|
94 | return Decision.INDETERMINATE |
---|
95 | |
---|
96 | elif atLeastOnePermit: |
---|
97 | return Decision.PERMIT |
---|
98 | |
---|
99 | elif atLeastOneError: |
---|
100 | return Decision.INDETERMINATE |
---|
101 | else: |
---|
102 | return Decision.NOT_APPLICABLE |
---|
103 | |
---|
104 | |
---|
105 | class PermitOverridesRuleCombiningAlg(RuleCombiningAlgInterface): |
---|
106 | """Implementation of permit overrides XACML rule combining algorithm""" |
---|
107 | |
---|
108 | def evaluate(self, rules, context): |
---|
109 | """Combine the input rule results to make an access control decision. |
---|
110 | Implementation taken direct from XACML 2.0 spec. pseudo code - Section |
---|
111 | C.3 |
---|
112 | |
---|
113 | @param rules: rules from the policy. Decisions from these will be put |
---|
114 | together into a single decision by this algorithm |
---|
115 | @type rules: TypedList(<ndg.xacml.core.rule.Rule>) |
---|
116 | @param context: request context to apply to the rules |
---|
117 | @type context: ndg.xacml.core.request.Request |
---|
118 | @return: resulting overall access control decision |
---|
119 | @rtype: ndg.xacml.core.context.result.Decision |
---|
120 | """ |
---|
121 | atLeastOneError = False |
---|
122 | potentialPermit = False |
---|
123 | atLeastOneDeny = False |
---|
124 | |
---|
125 | for rule in rules: |
---|
126 | decision = rule.evaluate(context) |
---|
127 | if decision == Decision.DENY: |
---|
128 | atLeastOneDeny = True |
---|
129 | continue |
---|
130 | |
---|
131 | if decision == Decision.PERMIT: |
---|
132 | return Decision.PERMIT |
---|
133 | |
---|
134 | if decision == Decision.NOT_APPLICABLE: |
---|
135 | continue |
---|
136 | |
---|
137 | if decision == Decision.INDETERMINATE: |
---|
138 | atLeastOneError = True |
---|
139 | |
---|
140 | if rule.effect.value == Decision.PERMIT_STR: |
---|
141 | potentialPermit = True |
---|
142 | |
---|
143 | continue |
---|
144 | |
---|
145 | if potentialPermit: |
---|
146 | return Decision.INDETERMINATE |
---|
147 | |
---|
148 | if atLeastOneDeny: |
---|
149 | return Decision.DENY |
---|
150 | |
---|
151 | if atLeastOneError: |
---|
152 | return Decision.INDETERMINATE |
---|
153 | |
---|
154 | return Decision.NOT_APPLICABLE |
---|
155 | |
---|
156 | |
---|
157 | class RuleCombiningAlgClassFactory(object): |
---|
158 | """Class Factory mapping Rule Combining Algorithm identifiers to their |
---|
159 | class implementations""" |
---|
160 | |
---|
161 | # All algorithms are not implemented by default(!) |
---|
162 | DEFAULT_MAP = {}.fromkeys(ALGORITHMS, NotImplemented) |
---|
163 | |
---|
164 | # Permit overrides is the only one currently implemented |
---|
165 | DEFAULT_MAP.update({ |
---|
166 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides': |
---|
167 | DenyOverridesRuleCombiningAlg, |
---|
168 | 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides': |
---|
169 | PermitOverridesRuleCombiningAlg |
---|
170 | }) |
---|
171 | __slots__ = ('__map',) |
---|
172 | |
---|
173 | def __init__(self, map=DEFAULT_MAP): |
---|
174 | """Initialise mapping of identifiers to class implementations |
---|
175 | |
---|
176 | @param map: mapping of rule combining algorithms IDs to classes. Set |
---|
177 | this to override the default taken from the DEFAULT_MAP class variable |
---|
178 | """ |
---|
179 | self.__map = map |
---|
180 | |
---|
181 | def __call__(self, identifier): |
---|
182 | """Return the class for a given Rule Combining Algorithm identifier |
---|
183 | @param identifier: XACML rule combining algorithm urn |
---|
184 | @type identifier: basestring |
---|
185 | @return: rule combining class corresponding to the given input |
---|
186 | identifier |
---|
187 | @rtype: RuleCombiningAlgInterface derived type or NoneType if no match |
---|
188 | is found or NotImplementedType if the identifier corresponds to a valid |
---|
189 | XACML rule combining algorithm but is not supported in this |
---|
190 | implementation |
---|
191 | """ |
---|
192 | return self.__map.get(identifier) |
---|