source: TI12-security/trunk/ndg_xacml/ndg/xacml/core/target.py @ 7260

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/ndg_xacml/ndg/xacml/core/target.py@7682
Revision 7260, 7.6 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • Fix to Target.match - no need to iterate over request elements; this is done by the elements' classes
  • Property svn:keywords set to Id
1'''
2Created on 24 Feb 2010
3
4@author: pjkersha
5'''
6from ndg.xacml.utils import TypedList
7"""NDG Security Target type definition
8
9NERC DataGrid
10"""
11__author__ = "P J Kershaw"
12__date__ = "25/02/10"
13__copyright__ = "(C) 2010 Science and Technology Facilities Council"
14__contact__ = "Philip.Kershaw@stfc.ac.uk"
15__license__ = "BSD - see LICENSE file in top-level directory"
16__contact__ = "Philip.Kershaw@stfc.ac.uk"
17__revision__ = "$Id$"
18import logging
19log = logging.getLogger(__name__)
20
21from ndg.xacml.core import XacmlCoreBase
22from ndg.xacml.core.action import Action
23from ndg.xacml.core.resource import Resource
24from ndg.xacml.core.subject import Subject
25from ndg.xacml.core.environment import Environment
26
27
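class Target(XacmlCoreBase):
    """XACML Target element

    A target decides whether its parent element is applicable to a decision
    request (XACML 2.0 Core Spec, section 5.5).  A target that matches more
    requests than its author intended widens the set of requests its parent
    applies to, so the matching rules below follow the wording of sections
    5.5 and 7.6 closely.

    @cvar ELEMENT_LOCAL_NAME: XML local name for this element
    @type ELEMENT_LOCAL_NAME: string
    @cvar SUBJECTS_ELEMENT_LOCAL_NAME: XML local name for the subjects element
    @type SUBJECTS_ELEMENT_LOCAL_NAME: string
    @cvar ACTIONS_ELEMENT_LOCAL_NAME: XML local name for the actions element
    @type ACTIONS_ELEMENT_LOCAL_NAME: string
    @cvar RESOURCES_ELEMENT_LOCAL_NAME: XML local name for the resources element
    @type RESOURCES_ELEMENT_LOCAL_NAME: string
    @cvar ENVIRONMENTS_ELEMENT_LOCAL_NAME: XML local name for the environments
    element
    @type ENVIRONMENTS_ELEMENT_LOCAL_NAME: string
    @cvar CHILD_ATTRS: list of the XML child element names for <Target/>
    @type CHILD_ATTRS: tuple

    @ivar __subjects: list of subjects for this target
    @type __subjects: ndg.xacml.utils.TypedList
    @ivar __resources: list of resources for this target
    @type __resources: ndg.xacml.utils.TypedList
    @ivar __actions: list of actions for this target
    @type __actions: ndg.xacml.utils.TypedList
    @ivar __environments: list of environment settings for this target
    @type __environments: ndg.xacml.utils.TypedList
    """
    ELEMENT_LOCAL_NAME = "Target"
    SUBJECTS_ELEMENT_LOCAL_NAME = "Subjects"
    ACTIONS_ELEMENT_LOCAL_NAME = "Actions"
    RESOURCES_ELEMENT_LOCAL_NAME = "Resources"
    ENVIRONMENTS_ELEMENT_LOCAL_NAME = "Environments"

    # Names of the properties match() walks; each one is a section of <Target>
    CHILD_ATTRS = ('subjects', 'resources', 'actions', 'environments')

    __slots__ = ('__subjects', '__resources', '__actions', '__environments')

    def __init__(self):
        """Create a target with four empty sections.  An empty section
        matches every request - see match()
        """
        self.__subjects = TypedList(Subject)
        self.__resources = TypedList(Resource)
        self.__actions = TypedList(Action)
        self.__environments = TypedList(Environment)

    @property
    def subjects(self):
        """Get subjects
        @return: list of subjects for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__subjects

    @property
    def resources(self):
        """Get resources
        @return: list of resources for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__resources

    @property
    def actions(self):
        """Get actions
        @return: list of actions for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__actions

    @property
    def environments(self):
        """Get environments
        @return: list of environments for this target
        @rtype: ndg.xacml.utils.TypedList
        """
        return self.__environments

    def match(self, request):
        """Generic method to match a <Target> element to the request context

        The four sections are combined with AND; the entries inside one
        section are combined with OR.  Exceptions raised while evaluating an
        entry are not caught here and propagate to the caller.

        @param request: XACML request context
        @type request: ndg.xacml.core.context.request.Request
        @return: True if request context matches the given target,
        False otherwise
        @rtype: bool
        """

        # From section 5.5 of the XACML 2.0 Core Spec:
        #
        # For the parent of the <Target> element to be applicable to the
        # decision request, there MUST be at least one positive match between
        # each section of the <Target> element and the corresponding section of
        # the <xacml-context:Request> element.
        #
        # Also, 7.6:
        #
        # The target value SHALL be "Match" if the subjects, resources, actions
        # and environments specified in the target all match values in the
        # request context.
        childAttrs = self.__class__.CHILD_ATTRS
        statusValues = [False]*len(childAttrs)

        # Iterate for target subjects, resources, actions and environments
        # elements
        for i, attrName in enumerate(childAttrs):
            # If any one of the <Target> children is missing then it counts as
            # a match e.g. for <Subjects> child element - Section 5.5:
            #
            # <Subjects> [Optional] Matching specification for the subject
            # attributes in the context. If this element is missing,
            # then the target SHALL match all subjects.
            targetElem = getattr(self, attrName)
            if len(targetElem) == 0:
                statusValues[i] = True
                continue

            # Each entry in the section (e.g. every <Subject> under
            # <Subjects>) is evaluated, with no early exit, so an entry that
            # raises is reported even when an earlier entry already matched.
            childResults = [self._matchChild(targetSubElem, request)
                            for targetSubElem in targetElem]

            # Within the list of e.g. subjects if one subject matches then
            # this counts as a subject match overall for this target
            statusValues[i] = any(childResults)

        # Target matches if all the children (i.e. subjects, resources, actions
        # and environment sections) have at least one match.  Otherwise it
        # doesn't count as a match
        return all(statusValues)

    def _matchChild(self, targetChild, request):
        """Match a request child element (a <Subject>, <Resource>, <Action> or
        <Environment>) with the corresponding target's <Subject>, <Resource>,
        <Action> or <Environment>.

        Every *Match element of the target child must evaluate to True for
        the child to match.  Combining them with OR instead would let a
        request that satisfies only one of several conditions match the
        target.

        @param targetChild: Target Subject, Resource, Action or Environment
        object
        @type targetChild: ndg.xacml.core.TargetChildBase
        @param request: Request context object
        @type request: ndg.xacml.core.context.request.Request
        @return: True if the request context satisfies every match element
        of the target child, or if targetChild is None; False otherwise,
        including when the target child holds no match elements
        @rtype: bool
        @raise UnsupportedStdFunctionError: policy references a function type
        which is in the XACML spec. but is not supported by this implementation
        @raise UnsupportedFunctionError: policy references a function type which
        is not supported by this implementation
        """
        if targetChild is None:
            # Default if target child is not set is to match all children
            return True

        childMatches = targetChild.matches
        if len(childMatches) == 0:
            # A target child with no match elements has never counted as a
            # match here; keep that result rather than let all() return True
            # for an empty list.
            return False

        # Section 7.6
        #
        # A subject, resource, action or environment SHALL match a value in the
        # request context if the value of all its <SubjectMatch>,
        # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements,
        # respectively, are "True".
        #
        # e.g. for <SubjectMatch>es in <Subject> ...
        #
        # Every match element is evaluated (no early exit) so that an
        # unsupported function is reported wherever it appears in the list.
        matchStatusValues = [childMatch.evaluate(request)
                             for childMatch in childMatches]

        # All matches True => overall match
        return all(matchStatusValues)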