source: TI12-security/trunk/ndg_xacml/ndg/xacml/core/target.py @ 7108

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/ndg_xacml/ndg/xacml/core/target.py@7108
Revision 7108, 7.8 KB checked in by pjkersha, 11 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • updating epydoc ready for release.
  • Property svn:keywords set to Id
1'''
2Created on 24 Feb 2010
3
4@author: pjkersha
5'''
6from ndg.xacml.utils import TypedList
7"""NDG Security Target type definition
8
9NERC DataGrid
10"""
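# Module metadata.  __contact__ used to be assigned twice with the same
# value; it is now set once.
__author__ = "P J Kershaw"
__date__ = "25/02/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
__revision__ = "$Id$"
import logging
# Module-level logger, named after this module
log = logging.getLogger(__name__)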
20
21from ndg.xacml.core import XacmlCoreBase
22from ndg.xacml.core.action import Action
23from ndg.xacml.core.resource import Resource
24from ndg.xacml.core.subject import Subject
25from ndg.xacml.core.environment import Environment
26
27
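class Target(XacmlCoreBase):
    """XACML Target element

    A target decides whether its parent (policy or rule) is applicable to a
    request.  Matching is therefore part of the access control decision: a
    target that matches too broadly makes its parent apply to requests it
    was not written for.

    @cvar ELEMENT_LOCAL_NAME: XML local name for this element
    @type ELEMENT_LOCAL_NAME: string
    @cvar SUBJECTS_ELEMENT_LOCAL_NAME: XML local name for the subjects element
    @type SUBJECTS_ELEMENT_LOCAL_NAME: string
    @cvar ACTIONS_ELEMENT_LOCAL_NAME: XML local name for the actions element
    @type ACTIONS_ELEMENT_LOCAL_NAME: string
    @cvar RESOURCES_ELEMENT_LOCAL_NAME: XML local name for the resources element
    @type RESOURCES_ELEMENT_LOCAL_NAME: string
    @cvar ENVIRONMENTS_ELEMENT_LOCAL_NAME: XML local name for the environments
    element
    @type ENVIRONMENTS_ELEMENT_LOCAL_NAME: string
    @cvar CHILD_ATTRS: list of the XML child element names for <Target/>
    @type CHILD_ATTRS: tuple

    @ivar __subjects: list of subjects for this target
    @type __subjects: ndg.xacml.utils.TypedList
    @ivar __resources: list of resources for this target
    @type __resources: ndg.xacml.utils.TypedList
    @ivar __actions: list of actions for this target
    @type __actions: ndg.xacml.utils.TypedList
    @ivar __environments: list of environment settings for this target
    @type __environments: ndg.xacml.utils.TypedList
    """
    ELEMENT_LOCAL_NAME = "Target"
    SUBJECTS_ELEMENT_LOCAL_NAME = "Subjects"
    ACTIONS_ELEMENT_LOCAL_NAME = "Actions"
    RESOURCES_ELEMENT_LOCAL_NAME = "Resources"
    ENVIRONMENTS_ELEMENT_LOCAL_NAME = "Environments"

    # Attribute names shared by this class and, in match(), looked up on the
    # request context as well
    CHILD_ATTRS = ('subjects', 'resources', 'actions', 'environments')

    __slots__ = ('__subjects', '__resources', '__actions', '__environments')

    def __init__(self):
        """Initial attributes"""
        self.__subjects = TypedList(Subject)
        self.__resources = TypedList(Resource)
        self.__actions = TypedList(Action)
        self.__environments = TypedList(Environment)

    @property
    def subjects(self):
        """Get subjects
        @return: list of subjects for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__subjects

    @property
    def resources(self):
        """Get resources
        @return: list of resources for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__resources

    @property
    def actions(self):
        """Get actions
        @return: list of actions for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__actions

    @property
    def environments(self):
        """Get environments
        @return: list of environments for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__environments

    def match(self, request):
        """Generic method to match a <Target> element to the request context

        @param request: XACML request context
        @type request: ndg.xacml.core.context.request.Request
        @return: True if request context matches the given target,
        False otherwise
        @rtype: bool
        """

        # From section 5.5 of the XACML 2.0 Core Spec:
        #
        # For the parent of the <Target> element to be applicable to the
        # decision request, there MUST be at least one positive match between
        # each section of the <Target> element and the corresponding section of
        # the <xacml-context:Request> element.
        #
        # Also, 7.6:
        #
        # The target value SHALL be "Match" if the subjects, resources, actions
        # and environments specified in the target all match values in the
        # request context.
        #
        # Every section starts as "no match" so that a section which is never
        # positively matched keeps the target from applying.
        statusValues = [False]*len(self.__class__.CHILD_ATTRS)

        # Iterate for target subjects, resources, actions and environments
        # elements
        for i, attrName in enumerate(self.__class__.CHILD_ATTRS):
            # If any one of the <Target> children is missing then it counts as
            # a match e.g. for <Subjects> child element - Section 5.5:
            #
            # <Subjects> [Optional] Matching specification for the subject
            # attributes in the context. If this element is missing,
            # then the target SHALL match all subjects.
            targetElem = getattr(self, attrName)
            if len(targetElem) == 0:
                statusValues[i] = True
                continue

            # Iterate over each for example, subject in the list of subjects:
            # <Target>
            #     <Subjects>
            #          <Subject>
            #              ...
            #          </Subject>
            #          <Subject>
            #              ...
            #          </Subject>
            #     ...
            # or resource in the list of resources and so on
            for targetSubElem in targetElem:

                # For the given subject/resource/action/environment check for a
                # match with the equivalent in the request
                #
                # NOTE(review): assumes the request exposes an iterable
                # attribute for every name in CHILD_ATTRS - confirm against
                # the Request class.  requestSubElem itself is never passed
                # on: _matchChild receives the whole request, so this loop
                # only requires the request section to be non-empty and
                # repeats the same evaluation once per request child.
                requestElem = getattr(request, attrName)
                for requestSubElem in requestElem:
                    if self._matchChild(targetSubElem, request):
                        # Within the list of e.g. subjects if one subject
                        # matches then this counts as a subject match overall
                        # for this target
                        statusValues[i] = True

        # Target matches if all the children (i.e. subjects, resources, actions
        # and environment sections) have at least one match.  Otherwise it
        # doesn't count as a match
        return all(statusValues)

    def _matchChild(self, targetChild, request):
        """Match a request child element (a <Subject>, <Resource>, <Action> or
        <Environment>) with the corresponding target's <Subject>, <Resource>,
        <Action> or <Environment>.

        The match elements of a target child are combined conjunctively:
        every one of them must evaluate to True for the child to match.

        @param targetChild: Target Subject, Resource, Action or Environment
        object
        @type targetChild: ndg.xacml.core.TargetChildBase
        @param request: Request context object
        @type request: ndg.xacml.core.context.request.Request
        @return: True if the request context satisfies all the match elements
        of the target child, or if targetChild is None
        @rtype: bool
        @raise UnsupportedStdFunctionError: policy references a function type
        which is in the XACML spec. but is not supported by this implementation
        @raise UnsupportedFunctionError: policy references a function type which
        is not supported by this implementation
        """
        if targetChild is None:
            # Default if target child is not set is to match all children
            return True

        # Section 7.6
        #
        # A subject, resource, action or environment SHALL match a value in the
        # request context if the value of all its <SubjectMatch>,
        # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements,
        # respectively, are "True".
        #
        # e.g. for <SubjectMatch>es in <Subject> ...
        #
        # Every match element is evaluated (no short-circuit) so that an
        # unsupported function anywhere in the list is still raised rather
        # than hidden behind an earlier False result.
        matchStatusValues = [childMatch.evaluate(request)
                             for childMatch in targetChild.matches]

        # All matches must be True => overall match.  This used to be any(),
        # which treated the match elements as alternatives and so made the
        # target apply when only one of several required conditions held -
        # broadening the set of requests a policy or rule applies to.
        #
        # A child with no match elements stays a non-match, as before.
        # NOTE(review): the XACML 2.0 schema appears to require at least one
        # match element per child - confirm before relying on this case.
        return len(matchStatusValues) > 0 and all(matchStatusValues)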
204