Changeset 6790

Timestamp:

30/03/10 17:16:31 (11 years ago)

Author:

pjkersha

Message:

• Added marshalling function for condition <Apply> to marshall inputs for given functionId.
• implemented string-at-least-one-member-of function.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/__init__.py (modified) (1 diff)
• core/attributedesignator.py (modified) (1 diff)
• core/context/__init__.py (modified) (1 diff)
• core/context/pdp.py (modified) (21 diffs)
• core/context/result.py (modified) (5 diffs)
• core/functions/__init__.py (modified) (1 diff)
• core/functions/v1/anyuri_equal.py (modified) (1 diff)
• core/functions/v1/string_at_least_one_member_of.py (added)
• core/rule.py (modified) (2 diffs)
• parsers/etree/rulereader.py (modified) (2 diffs)
• test/ndg1.xml (modified) (1 diff)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/__init__.py

@@ -93 +93 @@
 class XacmlPolicyBase(XacmlCoreBase):
     """Base class for policy types"""
-    XACML_2_0_POLICY_NS = XACML_2_0_NS_PREFIX + ":policy:schema:os"
+    XACML_2_0_POLICY_NS = (XacmlCoreBase.XACML_2_0_NS_PREFIX +
+                           ":policy:schema:os")
+    
     def __init__(self):
         super(XacmlPolicyBase, self).__init__()

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attributedesignator.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
-
 from ndg.xacml.core.expression import Expression
 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/__init__.py

@@ -12 +12 @@
 __revision__ = "$Id: $"
 from ndg.xacml.utils import TypedList
-from ndg.xacml.core import XacmlContextBase
+from ndg.xacml.core import XacmlCoreBase
 from ndg.xacml.core.attribute import Attribute
 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

@@ -21 +21 @@
 from ndg.xacml.core.attributevalue import AttributeValue
 from ndg.xacml.core.variablereference import VariableReference
-from ndg.xacml.core.attributedesignator import AttributeDesignator
+from ndg.xacml.core.attributedesignator import (AttributeDesignator,
+                                                SubjectAttributeDesignator,
+                                                ResourceAttributeDesignator,
+                                                ActionAttributeDesignator,
+                                                EnvironmentAttributeDesignator)
 from ndg.xacml.core.attributeselector import AttributeSelector
 from ndg.xacml.core.context.request import Request
@@ -37 +41 @@
         self.__response.results.append(Result.createInitialised())
         
+        self.__response.results[0].decision = Decision.INDETERMINATE
         if len(arg) > 0:
             self.__response.results[0].status.statusMessage = arg[0]
@@ -75 +80 @@
 
 class UnsupportedStdElementError(UnsupportedElementError):
-    """Element type is part of the XACML spec but is not suppored in this 
+    """Element type is part of the XACML spec. but is not supported in this 
     implementation"""  
+    
+
+class MissingAttributeError(PDPError):
+    """AttributeDesignator or AttributeSelector has specified MustBePresent
+    but the request context contains no match for required attribute XPath
+    respectively
+    """
     
     
@@ -83 +95 @@
     single policy but not policy sets
     """
-    __slots__ = ('__policy',)
+    __slots__ = ('__policy', '__functionMap', '__request')
     TARGET_CHILD_ATTRS = ('subjects', 'resources', 'actions', 'environments')
     
@@ -96 +108 @@
             self.policy = policy
             
-        self.functionMap = FunctionMap.withLoadedMap()
-
-        
+        self.__functionMap = FunctionMap.withLoadedMap()
+        self.__request = None
+
     @classmethod
     def fromPolicySource(cls, source, readerFactory):
@@ -125 +137 @@
                             '%r instead' % (Policy, type(value)))
         self.__policy = value
-                    
+    
+    @property
+    def functionMap(self):
+        """functionMap object for PDP to retrieve functions from given XACML
+        function URNs"""
+        return self.__functionMap
+    
+    @functionMap.setter
+    def functionMap(self, value):
+        '''functionMap object for PDP to retrieve functions from given XACML
+        function URNs'''
+        if not isinstance(value, FunctionMap):
+            raise TypeError('Expecting %r derived type for "functionMap" '
+                            'input; got %r instead' % (FunctionMap, 
+                                                       type(value)))
+        self.__functionMap = value
+
+    
+    @property
+    def request(self):
+        """request context"""
+        return self.__request
+    
+    @request.setter
+    def request(self, value):
+        '''request context'''
+        if not isinstance(value, Request):
+            raise TypeError('Expecting %r derived type for "request" '
+                            'input; got %r instead' % (Request, 
+                                                       type(value)))
+        self.__request = value
+                                        
     def evaluate(self, request):
         """Make an access control decision for the given request based on the
@@ -136 +179 @@
         """
         response = Response()
-        result = Result()
+        result = Result.createInitialised(decision=Decision.NOT_APPLICABLE)
         response.results.append(result)
-        result.decision = Decision.NOT_APPLICABLE
-        
-        if not isinstance(request, Request):
-            log.error('Expecting %r derived type for "reader" input; got '
-                      '%r instead' % Request, type(request))
+        
+        try:
+            self.request = request
+            
+        except AttributeError, e:
+            log.error(str(e))
             result.decision = Decision.INDETERMINATE
             return response
@@ -151 +195 @@
             log.debug('Checking policy target for match with request...')
             
+            
             if not self.matchTarget(self.policy.target, request):
                 log.debug('No match for policy target setting %r decision',
@@ -161 +206 @@
             
             # Check rules
-            ruleEffects = [Effect()]*len(self.policy.rules)
-            for rule, effect in zip(self.policy.rules, ruleEffects):
+            ruleStatusValues = [False]*len(self.policy.rules)
+            for i, rule in enumerate(self.policy.rules):
                 log.debug('Checking policy rule %r for match...', rule.id)
                 if not self.matchTarget(rule.target, request):
                     log.debug('No match to request context for target in rule '
                               '%r', rule.id)
-                    effect.value = Effect.PERMIT_STR
+                    ruleStatusValues[i] = True
                     continue   
                 
                 # Apply the condition
-                effect = self.applyCondition(rule.condition) 
+                ruleStatusValues[i] = self.evaluateCondition(rule.condition) 
                      
         except PDPError, e:
             log.error('Exception raised evaluating request context, returning '
                       '%r decision:%s', 
-                      Decision.INDETERMINATE_STR, 
+                      e.response.results[0].decision, 
                       traceback.format_exc())
             
-            result.decision = Decision.INDETERMINATE
-            result.status.statusCode = e.response.results[0].status.statusCode
+            result = e.response.results[0]
             
         except Exception:
@@ -191 +235 @@
                        
             result.decision = Decision.INDETERMINATE
-            result.status.statusCode = StatusCode.PROCESSING_ERROR
+            result.status.statusCode.value = StatusCode.PROCESSING_ERROR
             
         return response
@@ -226 +270 @@
         # Iterate for target subjects, resources, actions and environments 
         # elements
-        for i, status in zip(self.__class__.TARGET_CHILD_ATTRS, statusValues):
+        for i, attrName in enumerate(self.__class__.TARGET_CHILD_ATTRS):
             # If any one of the <Target> children is missing then it counts as
             # a match e.g. for <Subjects> child element - Section 5.5:
@@ -233 +277 @@
             # attributes in the context. If this element is missing,
             # then the target SHALL match all subjects.
-            targetElem = getattr(target, i)
+            targetElem = getattr(target, attrName)
             if len(targetElem) == 0:
-                status = True
+                statusValues[i] = True
                 continue
             
@@ -248 +292 @@
             #          </Subject>
             #     ...
-            # or for example, resource in the list of resources and so on
+            # or resource in the list of resources and so on
             for targetSubElem in targetElem:
                 
                 # For the given subject/resource/action/environment check for a
                 # match with the equivalent in the request
-                requestElem = getattr(request, i) 
+                requestElem = getattr(request, attrName) 
                 for requestSubElem in requestElem:
                     if self.matchTargetChild(targetSubElem, requestSubElem):
@@ -259 +303 @@
                         # matches then this counts as a subject match overall 
                         # for this target
-                        status = True
+                        statusValues[i] = True
  
         # Target matches if all the children (i.e. subjects, resources, actions
@@ -287 +331 @@
         is not supported by this implementation
         """
-        
         if targetChild is None:
             # Default if target child is not set is to match all children
             return True
-        
         
         matchStatusValues = [True]*len(targetChild.matches)
@@ -322 +364 @@
             # AttributeDesignator or AttributeSelector
             if childMatch.attributeDesignator is not None:
-                attributeId = childMatch.attributeDesignator.attributeId
-                dataType = childMatch.attributeDesignator.dataType
-                
-                # Issuer is an optional match - see core spec. 7.2.4
-                issuer = childMatch.attributeDesignator.issuer
-                if issuer is not None:
-                    # Issuer found - set lambda to match this against the 
-                    # issuer setting in the request
-                    _issuerMatch = lambda requestChildIssuer: (issuer == 
-                                                            requestChildIssuer)
-                else:
-                    # No issuer set - lambda returns True regardless
-                    _issuerMatch = lambda requestChildIssuer: True
-                    
-                    
-                _attributeMatch = lambda requestChildAttribute: (
-                    matchFunc.evaluate(matchAttributeValue, 
-                              requestChildAttribute.attributeValue.value) and
-                    requestChildAttribute.attributeId == attributeId and
-                    requestChildAttribute.dataType == dataType and
-                    _issuerMatch(requestChildAttribute.issuer)
-                )
+                _attributeMatch = self.attributeDesignatorMatchFuncFactory(
+                                                matchFunc,
+                                                childMatch.attributeValue.value,
+                                                childMatch.attributeDesignator)
                 
             elif childMatch.attributeSelector is not None:
@@ -384 +408 @@
         # Any match => overall match      
         return any(matchStatusValues)
-
+                
+    def attributeDesignatorMatchFuncFactory(self,
+                                            matchFunc,
+                                            matchAttributeValue, 
+                                            attributeDesignator):
+        """Define a match function to match a given request attribute against 
+        the input attribute value and AttributeDesignator defined in a policy 
+        target
+        """            
+        attributeId = attributeDesignator.attributeId
+        dataType = attributeDesignator.dataType
+        
+        # Issuer is an optional match - see core spec. 7.2.4
+        issuer = attributeDesignator.issuer
+        if issuer is not None:
+            # Issuer found - set lambda to match this against the 
+            # issuer setting in the request
+            _issuerMatch = lambda requestChildIssuer: (
+                                                issuer == requestChildIssuer)
+        else:
+            # No issuer set - lambda returns True regardless
+            _issuerMatch = lambda requestChildIssuer: True
+        
+        
+        _attributeMatch = lambda attribute: (
+            matchFunc.evaluate(matchAttributeValue, 
+                               attribute.attributeValue.value) and
+            attribute.attributeId == attributeId and
+            attribute.dataType == dataType and
+            _issuerMatch(attribute.issuer)
+        )
+        
+        return _attributeMatch
+    
     def evaluateCondition(self, condition):
-        """Evaluate a rule condition"""
+        """Evaluate a rule condition
+        @param condition: rule condition
+        @type condition: ndg.xacml.core.condition.Condition
+        @return: True/False status for whether the rule condition matched or
+        not
+        @rtype: bool
+        """
         
         # Spec: 
@@ -420 +483 @@
             Apply: self.evaluateApplyStatement,
             AttributeValue: self.evaluateAttributeValueStatement,
-            AttributeDesignator: self.evaluateAttributeDesignator,
+            SubjectAttributeDesignator: self.evaluateAttributeDesignator,
             AttributeSelector: NotImplemented,
             VariableReference: NotImplemented
@@ -426 +489 @@
         
         # Marshall inputs
-        funcInputs = ()*len(applyElem.expressions)
+        funcInputs = ('',)*len(applyElem.expressions)
         for i, expression in enumerate(applyElem.expressions):
             marshaller = inputMarshallerMap.get(expression.__class__)
@@ -440 +503 @@
                                               expression)
             
-            funcInputs[i] = marshaller(self, expression)
+            funcInputs[i] = marshaller(expression)
             
         # Execute function on the retrieved inputs
@@ -448 +511 @@
         return result
             
-    def evaluateAttributeValueStatement(self, attributeValue):
-        return 
-    
-    def evaluateAttributeDesignator(self):
-        pass
-
+    evaluateAttributeValueStatement = lambda self, attributeValue: (
+        attributeValue.value
+    )
+    
+    def evaluateAttributeDesignator(self, attributeDesignator):
+        '''Retrieve string attribute bag for a given attribute designator
+        TODO: possible refactor as AttributeDesignator or ContextHandler method
+        '''
+        attributeValues = []
+        dataType = attributeDesignator.dataType
+        
+        if isinstance(attributeDesignator, SubjectAttributeDesignator):
+            for i in self.request.subjects:
+                attributeValues.extend(
+                    [j.attributeValue for j in i.attributes
+                     if j.attributeValue.dataType == dataType])
+
+        elif isinstance(attributeDesignator, ResourceAttributeDesignator):
+            for i in self.request.resources:
+                attributeValues.extend(
+                    [j.attributeValue for j in i.attributes
+                     if j.attributeValue.dataType == dataType])
+
+        elif isinstance(attributeDesignator, ActionAttributeDesignator):
+            attributeValues.append([j.attributeValue for j in i.attributes
+                                    if j.attributeValue.dataType == dataType])
+            
+        elif isinstance(attributeDesignator, EnvironmentAttributeDesignator):
+            attributeValues.append([j.attributeValue for j in i.attributes
+                                    if j.attributeValue.dataType == dataType])
+        else:
+            raise TypeError('Expecting %r derived type got %r' %
+                            (AttributeDesignator, type(attributeDesignator)))
+               
+        if len(attributeValues) == 0 and attributeDesignator.mustBePresent:
+            raise MissingAttributeError('No match for AttributeDesignator '
+                                        'attributeId=%r, dataType=%r and '
+                                        'issuer=%r' % 
+                                        (attributeDesignator.attributeId,
+                                         attributeDesignator.dataType,
+                                         attributeDesignator.issuer)) 
+                        
+        return attributeValues
+

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/result.py

@@ -13 +13 @@
 log = logging.getLogger(__name__)
 
-from ndg.xacml.core import XacmlBase
 from ndg.xacml.core.context import XacmlContextBase
 from ndg.xacml.core.obligation import Obligation
@@ -65 +64 @@
             raise TypeError("\"value\" must be a basestring derived type, "
                             "got %r" % value.__class__)
-            
+        
+        if value not in self.__class__.CODES:
+            raise AttributeError('Status code expected values are %r; got %r' %
+                                 (self.__class__.CODES, value))
+                
         self.__value = value
 
@@ -98 +101 @@
         status.statusCode = StatusCode()
         status.statusCode.value = code
-        status.statusCode.statusMessage = message
-        status.statusCode.statusDetail = detail
+        status.statusMessage = message
+        status.statusDetail = detail
         
         return status
@@ -190 +193 @@
     __slots__ = ('__value',)
     
-    def __init__(self, decisionType):
+    def __init__(self, decision=INDETERMINATE_STR):
         self.__value = None
-        self.value = decisionType
+        self.value = decision
 
     def __getstate__(self):
@@ -323 +326 @@
                           decision=Decision.NOT_APPLICABLE,
                           resourceId='', 
-                          obligations=None
+                          obligations=None,
                           **kw):
         """Create a result object populated with all it's child elements

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/__init__.py

@@ -286 +286 @@
         """Force function entries to derive from AbstractFunction and IDs to
         be string type
-        """
-        def keyFilter(key):
-            """Enforce string type keys"""
-            if not isinstance(key, basestring):
-                raise TypeError('Expecting %r type for key; got %r' % 
-                                (basestring, type(key))) 
-            return True 
-        
-        def valueFilter(value):
-            """Enforce AbstractFunction derived types for match functions"""
-
-            if not isinstance(value, 
-                              (AbstractFunction, NotImplemented.__class__)):
-                raise TypeError('Expecting %r derived type for value; got %r' % 
-                                (AbstractFunction, type(value))) 
-            return True 
-                     
-        super(FunctionMap, self).__init__(keyFilter, valueFilter)
-        
+        """        
+        # Filters are defined as staticmethods but reference via self here to 
+        # enable derived class to override them as standard methods without
+        # needing to redefine this __init__ method            
+        super(FunctionMap, self).__init__(self.keyFilter, self.valueFilter)
+        
+    @staticmethod
+    def keyFilter(key):
+        """Enforce string type keys"""
+        if not isinstance(key, basestring):
+            raise TypeError('Expecting %r type for key; got %r' % 
+                            (basestring, type(key))) 
+        return True 
+    
+    @staticmethod
+    def valueFilter(value):
+        """Enforce AbstractFunction derived types for match functions"""
+
+        if not isinstance(value, 
+                          (AbstractFunction, NotImplemented.__class__)):
+            raise TypeError('Expecting %r derived type for value; got %r' % 
+                            (AbstractFunction, type(value))) 
+        return True 
+           
     def load(self):
         """Load function map with implementations from the relevant function

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/anyuri_equal.py

@@ -14 +14 @@
 
 
-class AnyuriEqual(AbstractFunction):
+class AnyURIEqual(AbstractFunction):
     """Any URI equal matching function -
     

TI12-security/trunk/NDG_XACML/ndg/xacml/core/rule.py

@@ -23 +23 @@
     __slots__ = ('__value',)
     
-    def __init__(self):
-        self.__value = Effect.DENY_STR
+    def __init__(self, effect=DENY_STR):
+        self.__value = None
+        self.value = effect
 
     def __getstate__(self):
@@ -176 +177 @@
         if not isinstance(value, Effect):
             raise TypeError('Expecting %r type for "effect" '
-                            'attribute; got %r' % (basestring, type(value)))
+                            'attribute; got %r' % (Effect, type(value)))
             
         self.__effect = value   

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/etree/rulereader.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
-from ndg.xacml.core.rule import Rule
+from ndg.xacml.core.rule import Rule, Effect
 from ndg.xacml.core.condition import Condition
 from ndg.xacml.core.target import Target
@@ -51 +51 @@
                 
             attributeValues.append(attributeValue) 
-                   
-        rule.id, rule.effect = attributeValues
+        
+        rule.effect = Effect()        
+        rule.id, rule.effect.value = attributeValues
             
         # Parse sub-elements

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

@@ -69 +69 @@
                 <SubjectAttributeDesignator 
                     AttributeId="urn:siteA:security:authz:1.0:attr" 
-                    MustBePresent="false" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"
-                    Issuer="https://localhost:7443/AttributeAuthority"/>
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">