Changeset 6777

Timestamp:

26/03/10 14:09:05 (11 years ago)

Author:

pjkersha

Message:

Added matching functions component.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/context/pdp.py (modified) (9 diffs)
• core/context/request.py (modified) (4 diffs)
• core/context/response.py (modified) (1 diff)
• core/context/result.py (modified) (3 diffs)
• core/functions (added)
• core/functions/__init__.py (added)
• core/functions/v1 (added)
• core/functions/v1/__init__.py (added)
• core/functions/v1/string_equal.py (added)
• core/functions/v2 (added)
• core/functions/v2/__init__.py (added)
• core/functions/v2/anyuri_regexp_match.py (added)
• core/policy.py (modified) (2 diffs)
• parsers/__init__.py (modified) (3 diffs)
• parsers/etree/factory.py (modified) (2 diffs)
• test/ndg1.xml (modified) (2 diffs)
• test/test_xacml.py (modified) (6 diffs)
• utils/__init__.py (modified) (3 diffs)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

@@ -20 +20 @@
 from ndg.xacml.core.context.response import Response
 from ndg.xacml.core.context.result import Result, Decision
+from ndg.xacml.core.functions import FunctionMap
 from ndg.xacml.parsers import AbstractReader
                             
@@ -39 +40 @@
         if policy is not None:
             self.policy = policy
+            
+        self.matchFunc = FunctionMap.withLoadedMap()
+
         
     @classmethod
-    def fromPolicy(cls, source, reader):
+    def fromPolicySource(cls, source, readerFactory):
         """Create a new PDP instance with a given policy
         @param source: source for policy
         @type source: type (dependent on the reader set, it could be for example
         a file path string, file object, XML element instance)
-        @param reader: the reader instance to use to read this policy
-        @type reader: ndg.xacml.parsers.AbstractReader derived type
-        """
-        if not isinstance(reader, AbstractReader):
-            raise TypeError('Expecting %r derived type for "reader" input; got '
-                            '%r instead' % (AbstractReader, type(reader)))
-            
+        @param readerFactory: reader factory returns the reader to use to read 
+        this policy
+        @type readerFactory: ndg.xacml.parsers.AbstractReader derived type
+        """           
         pdp = cls()
-        pdp.policy = reader.parse(source)
+        pdp.policy = Policy.fromSource(source, readerFactory)
         return pdp
     
@@ -79 +80 @@
         @rtype: ndg.xacml.core.context.response.Response
         """
-        response = Response
+        response = Response()
         result = Result()
         response.results.append(result)
@@ -96 +97 @@
             
             if not self.matchTarget(self.policy.target, request):
-                log.debug('No match for policy target setting Decision=%r',
+                log.debug('No match for policy target setting Decision=%s',
                           Decision.NOT_APPLICABLE_STR)
                 
@@ -111 +112 @@
         except:
             log.error('Exception raised evaluating request context, returning '
-                      'Decision=%r:%s', 
+                      'Decision=%s:%s', 
                       Decision.INDETERMINATE_STR, 
                       traceback.format_exc())
@@ -147 +148 @@
         return False
     
-    @classmethod
-    def matchTargetChild(cls, targetChild, requestChild):
+    def matchTargetChild(self, targetChild, requestChild):
         """Match a child (Subject, Resource, Action or Environment) from the 
         request context with a given target's child
@@ -169 +169 @@
         
         for childMatch in targetChild.matches:
-            attributeValue = childMatch.attributeValue
+            # Get the match function from the Match ID
+            matchFunc = self.matchFunc.get(childMatch.matchId)
+            if matchFunc is NotImplemented:
+                raise NotImplementedError('No match function implemented for '
+                                          'MatchId="%s"' % childMatch.matchId)
+                
+            if matchFunc is None:
+                raise Exception('Match function namespace %r is not recognised' 
+                                % childMatch.matchId)
+                
+            matchAttributeValue = childMatch.attributeValue.value
             
             # Create a match function based on the presence or absence of an
@@ -178 +188 @@
                 
                 _attributeMatch = lambda requestChildAttribute: (
-                    requestChildAttribute.attributeValue == attributeValue and
+                    matchFunc(matchAttributeValue, 
+                              requestChildAttribute.attributeValue.value) and
                     requestChildAttribute.attributeId == attributeId and
                     requestChildAttribute.dataType == dataType 
@@ -192 +203 @@
             else:
                 _attributeMatch = lambda requestChildAttribute: (
-                    requestChildAttribute.attributeValue == attributeValue
+                    matchFunc(matchAttributeValue, 
+                              requestChildAttribute.attributeValue.value)
                 )
                 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/request.py

@@ -15 +15 @@
 from ndg.xacml.utils import TypedList
 from ndg.xacml.core.context import XacmlContextBase
-from ndg.xacml.core.subject import Subject
-from ndg.xacml.core.resource import Resource
-from ndg.xacml.core.action import Action
-from ndg.xacml.core.environment import Environment
+from ndg.xacml.core.context.subject import Subject
+from ndg.xacml.core.context.resource import Resource
+from ndg.xacml.core.context.action import Action
+from ndg.xacml.core.context.environment import Environment
 
 
@@ -24 +24 @@
     """XACML Request class"""
     __slots__ = ('__subjects', '__resources', '__action', '__environment')
+    ELEMENT_LOCAL_NAME = 'Request'
     
     def __init__(self):
+        super(Request, self).__init__()
+        
         self.__subjects = TypedList(Subject)
         self.__resources = TypedList(Resource)
@@ -52 +55 @@
             raise TypeError('Expecting %r type for request "action" '
                             'attribute; got %r' % (Action, type(value)))
+            
+        self.__action = value
                                     
     @property
@@ -63 +68 @@
         if not isinstance(value, Environment):
             raise TypeError('Expecting %r type for request "environment" '
-                            'attribute; got %r' % (Environment, type(value)))    
+                            'attribute; got %r' % (Environment, type(value)))
+             
+        self.__environment = value   

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/response.py

@@ -25 +25 @@
     
     def __init__(self):
+        super(Response, self).__init__()
         self.__results = TypedList(Result)
         

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/result.py

@@ -292 +292 @@
     
     def __init__(self):
+        super(Result, self).__init__()
         self.__decision = None
         self.__status = None
@@ -322 +323 @@
             raise TypeError('Expecting %r type for result "decision" '
                             'attribute; got %r' % (Decision, type(value)))
-                                    
+        self.__decision = value
+        
     @property
     def status(self):
@@ -334 +336 @@
             raise TypeError('Expecting %r type for result "status" '
                             'attribute; got %r' % (Status, type(value)))
+            
+        self.__status = value
                                     
     @property
-    def obligation(self):
+    def obligations(self):
         """Result obligation"""
-        return self.__obligation
-    
-    @obligation.setter
-    def obligation(self, value):
+        return self.__obligations
+    
+    @obligations.setter
+    def obligations(self, value):
         """Result obligation"""
         if not isinstance(value, Obligation):
-            raise TypeError('Expecting %r type for result "obligation" '
+            raise TypeError('Expecting %r type for result "obligations" '
                             'attribute; got %r' % (Obligation, type(value)))
+            
+        self.__obligations = value

TI12-security/trunk/NDG_XACML/ndg/xacml/core/policy.py

@@ -11 +11 @@
 __revision__ = "$Id: $"
 from ndg.xacml.utils import TypedList
+from ndg.xacml.parsers import AbstractReaderFactory, AbstractReader
 from ndg.xacml.core import XacmlCoreBase
 from ndg.xacml.core.policydefaults import PolicyDefaults
@@ -71 +72 @@
         self.__obligations = TypedList(Obligation)
 
+    @classmethod
+    def fromSource(cls, source, readerFactory):
+        """Create a new policy from the input source parsing it using a 
+        reader from the required reader factory e.g. ETreeReaderFactory to use
+        ElementTree based parsing
+        
+        @param source: source from which to read the policy - file path,
+        file object, XML node or other dependent on the reader factory selected
+        @type source: string, file, XML node type
+        @param readerFactory: factory class returns reader class used to parse 
+        the policy
+        @type readerFactory: ndg.xacml.parsers.AbstractReaderFactory
+        @return: new policy instance
+        @rtype: ndg.xacml.core.policy.Policy
+        """
+        if not issubclass(readerFactory, AbstractReaderFactory):
+            raise TypeError('Expecting %r derived class for reader factory '
+                            'method; got %r' % (AbstractReaderFactory, 
+                                                readerFactory))
+            
+        reader = readerFactory.getReader(cls)
+        if not issubclass(reader, AbstractReader):
+            raise TypeError('Expecting %r derived class for reader class; '
+                            'got %r' % (AbstractReader, reader))
+            
+        return reader.parse(source)
+        
     def _getPolicyId(self):
         return self.__policyId

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/__init__.py

@@ -15 +15 @@
 
 from ndg.xacml import XACMLError
- 
+from ndg.xacml.core import XacmlCoreBase
+
     
 class XMLParseError(XACMLError):
@@ -21 +22 @@
 
 
-class AbstractReader:
-    """Abstract base class for ElementTree implementation of XACML reader"""
+class AbstractReader(object):
+    """Abstract base class for XACML reader"""
     __metaclass__ = ABCMeta
     
@@ -51 +52 @@
         reader = cls()
         return reader(obj)
+    
+    
+class AbstractReaderFactory(object):
+    """Abstract base class XACML reader factory"""
+    __metaclass__ = ABCMeta
+    
+    @classmethod
+    @abstractmethod
+    def getReader(cls, xacmlType):
+        """Get the reader class for the given XACML input type
+        @param xacmlType: XACML type to retrieve a reader for
+        @type xacmlType: ndg.xaml.core.XacmlCoreBase derived
+        @return: reader class
+        @rtype: ndg.xacml.parsers.AbstractReader derived type
+        """
+        if not issubclass(xacmlType, XacmlCoreBase):
+            raise TypeError('Expecting %r derived class for getReader method; '
+                            'got %r' % (XacmlCoreBase, xacmlType))

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/etree/factory.py

@@ -13 +13 @@
 log = logging.getLogger(__name__)
 
+from ndg.xacml.parsers import AbstractReaderFactory
 from ndg.xacml.utils.factory import importModuleObject
 
@@ -26 +27 @@
 
 
-class ReaderFactory(object):
+class ReaderFactory(AbstractReaderFactory):
     """Parser factory for ElementTree based parsers for XACML types"""
     

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

@@ -16 +16 @@
             <Resource>
                 <!-- Pattern match all request URIs beginning with / -->
-                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
+                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                     <ResourceAttributeDesignator
                         AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
-                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
+                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
                         ^/.*$
                     </AttributeValue>
@@ -29 +29 @@
     
     <!-- Deny everything by default -->
+    <!--
     <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
-    
+    -->
     <!-- 
         Following rules punch holes through the deny everything rule above

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_xacml.py

@@ -317 +317 @@
                             
         resourceAttribute.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
-        resourceAttribute.attributeValue = \
+        resourceAttribute.attributeValue = AttributeValue()
+        resourceAttribute.attributeValue.value = \
                             'file://example/med/record/patient/BartSimpson'
 
@@ -324 +325 @@
         request.action = Action()
         actionAttribute = Attribute()
-        request.action.append(actionAttribute)
-        
-        requestAttribute.attributeId = \
+        request.action.attributes.append(actionAttribute)
+        
+        actionAttribute.attributeId = \
                                 "urn:oasis:names:tc:xacml:1.0:action:action-id"
-        requestAttribute.dataType = "http://www.w3.org/2001/XMLSchema#string"
-        requestAttribute.attributeValue = 'read'
+        actionAttribute.dataType = "http://www.w3.org/2001/XMLSchema#string"
+        actionAttribute.attributeValue = AttributeValue()
+        actionAttribute.attributeValue.value = 'read'
         
         return request
@@ -344 +346 @@
         
     def test03AbstractCtxHandler(self):
-        self.assertRaises(AbstractContextHandler(), NotImplementedError)
+        self.assertRaises(TypeError, AbstractContextHandler)
         
     def test04CreateCtxHandler(self):
@@ -350 +352 @@
         
     def test04PDPInterface(self):
-        self.assertRaises(PDPInterface(), NotImplementedError)
+        self.assertRaises(TypeError, PDPInterface)
         
     def test05CreatePDP(self):
@@ -357 +359 @@
         
     def _createPDPfromPolicy(self):
-        pdp = PDP.fromPolicy(XACML_NDGTEST1_FILEPATH)
+        pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory)
         return pdp
         
@@ -366 +368 @@
     def test07EvaluatePDP(self):
         request = self._createRequestCtx()
+        pdp = self._createPDPfromPolicy()
         response = pdp.evaluate(request)
         self.assert_(response)
         
-        
+from ndg.xacml.core.functions import FunctionMap
+from ndg.xacml.core.functions.v2.anyuri_regexp_match import AnyURIRegexpMatch
+
+
+class FunctionTestCase(unittest.TestCase):
+    """Test XACML match functions implementation"""
+    
+    def test01(self):   
+        funcMap = FunctionMap()
+        funcMap.load()
+        anyUriMatchNs = \
+            'urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match'
+            
+        self.assert_(isinstance(funcMap.get(anyUriMatchNs), AnyURIRegexpMatch))
 
         

TI12-security/trunk/NDG_XACML/ndg/xacml/utils/__init__.py

@@ -1 @@
-"""Utilities package for NDG Security
+"""Utilities package for NDG XACML
 
 NERC DataGrid Project
@@ -77 +77 @@
         return super(TypedList, self).append(item)
 
+
 class RestrictedKeyNamesDict(dict):
     """Utility class for holding a constrained list of key names
@@ -104 +105 @@
         
         dict.update(self, d, **kw)
+        
+
+_isIterable = lambda obj: getattr(obj, '__iter__', False)
+
+  
+class VettedDict(dict):
+    """Enforce custom checking on keys and items before addition to the 
+    dictionary"""
+    
+    def __init__(self, *args):
+        """Initialise setting the allowed type or types for keys and items
+        
+        @param args: two arguments: the first is a callable which filters for 
+        permissable keys in this dict, the second sets the type or list of
+        types permissable for items in this dict
+        @type args: tuple
+        """
+        super(VettedDict, self).__init__()
+        
+        if len(args) != 2:
+            raise TypeError('__init__() takes 2 arguments, KeyFilter and '
+                            'valueFilter (%d given)' % len(args))
+        
+        # Validation of inputs
+        for arg, argName in zip(args, ('KeyFilter', 'valueFilter')):
+            if not callable(arg):
+                raise TypeError('Expecting callable for %r input; got %r' % 
+                                (argName, type(arg)))
+
+        self.__KeyFilter, self.__valueFilter = args
+        
+    def _verifyKeyValPair(self, key, val):
+        """Check given key value pair and return False if they should be 
+        filtered out.  Filter functions may also raise an exception if they
+        wish to abort completely
+        """
+        if not self.__KeyFilter(key):
+            return False
+        
+        elif not self.__valueFilter(val):
+            return False
+        
+        else:
+            return True
+                  
+    def __setitem__(self, key, val):
+        """Override base class implementation to enforce type checking"""       
+        if self._verifyKeyValPair(key, val):
+            dict.__setitem__(self, key, val)
+
+    def update(self, d, **kw): 
+        """Override base class implementation to enforce type checking"""       
+        for dictArg in (d, kw):
+            for key, val in dictArg.items():
+                if not self._verifyKeyValPair(key, val):
+                    del dictArg[key]
+        
+        dict.update(self, d, **kw)        
+