Changeset 6792

Timestamp:

31/03/10 16:41:23 (11 years ago)

Author:

pjkersha

Message:

Made ndg.xacml.core.expression.Expression abstract: derived classes must implement the evaluate method used to evaluate a result in a rule condition.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/attribute.py (modified) (2 diffs)
• core/attributedesignator.py (modified) (1 diff)
• core/attributevalue.py (modified) (1 diff)
• core/context/pdp.py (modified) (7 diffs)
• core/expression.py (modified) (4 diffs)
• core/functions/v1/string_bag.py (added)
• core/functions/v1/string_equal.py (modified) (1 diff)
• core/functions/v2/anyuri_regexp_match.py (modified) (1 diff)
• test/ndg1.xml (modified) (5 diffs)
• test/test_context.py (modified) (3 diffs)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attribute.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
+from ndg.xacml.utils import TypedList
 from ndg.xacml.core import XacmlCoreBase
 from ndg.xacml.core.attributevalue import AttributeValue
@@ -22 +23 @@
     ISSUER_ATTRIB_NAME = 'Issuer'
     
-    __slots__ = ('__attributeValue', '__dataType', '__attributeId', '__issuer')
+    __slots__ = ('__attributeValues', '__dataType', '__attributeId', '__issuer')
     
     def __init__(self):
-        self.__attributeValue = None
+        self.__attributeValues = TypedList(AttributeValue)
         self.__dataType = None
         self.__attributeId = None
         self.__issuer = None
 
-    def _get_attributeValue(self):
-        return self.__attributeValue
-
-    def _set_attributeValue(self, value):
-        if not isinstance(value, AttributeValue):
-            raise TypeError('Expecting %r type for "attributeValue" '
-                            'attribute; got %r' % (AttributeValue, type(value)))
-            
-        self.__attributeValue = value
-
-    attributeValue = property(_get_attributeValue, _set_attributeValue, None, 
-                              "attribute value")
+    @property
+    def attributeValues(self):
+        "attribute values"
+        return self.__attributeValues
             
     def _get_dataType(self):

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attributedesignator.py

@@ -69 +69 @@
             
         self.__mustBePresent = value        
+
+    
+    def evaluate(self, context):
+        """Evaluate the result of the expression in a condition
+        
+        TODO: implement this placeholder
+        
+        @param context: the request context
+        @type context: ndg.xacml.core.context.request.Request
+        @return: attribute value(s) resulting from execution of this expression
+        in a condition
+        @rtype: AttributeValue/NoneType  
+        """ 
+        return self.__value
         
         

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attributevalue.py

@@ -32 +32 @@
         self.__value = value  
 
-    value = property(_get_value, _set_value, None, "expression value")    
+    value = property(_get_value, _set_value, None, "expression value") 
+    
+    def evaluate(self, context):
+        """Evaluate the result of the expression in a condition
+        @param context: the request context
+        @type context: ndg.xacml.core.context.request.Request
+        @return: attribute value(s) resulting from execution of this expression
+        in a condition
+        @rtype: AttributeValue/NoneType  
+        """ 
+        return self.__value

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

@@ -16 +16 @@
 
 from ndg.xacml.core.context.pdpinterface import PDPInterface
-from ndg.xacml.core.rule import Effect
 from ndg.xacml.core.policy import Policy
 from ndg.xacml.core.apply import Apply
@@ -64 +63 @@
     def __init__(self, *arg, **kw):
         super(UnsupportedFunctionError, self).__init__(*arg, **kw)
-        self.response.results[0].status.statusCode = StatusCode.PROCESSING_ERROR
+        self.response.results[0].status.statusCode.value = \
+                                                    StatusCode.PROCESSING_ERROR
 
 
@@ -76 +76 @@
     def __init__(self, *arg, **kw):
         super(UnsupportedElementError, self).__init__(*arg, **kw)
-        self.response.results[0].status.statusCode = StatusCode.SYNTAX_ERROR
+        self.response.results[0].status.statusCode.value = \
+                                                    StatusCode.SYNTAX_ERROR
 
 
@@ -433 +434 @@
         
         _attributeMatch = lambda attribute: (
-            matchFunc.evaluate(matchAttributeValue, 
-                               attribute.attributeValue.value) and
+            any([matchFunc.evaluate(matchAttributeValue, attrVal.value) 
+                 for attrVal in attribute.attributeValues]) and
             attribute.attributeId == attributeId and
             attribute.dataType == dataType and
@@ -489 +490 @@
         
         # Marshall inputs
-        funcInputs = ('',)*len(applyElem.expressions)
+        funcInputs = ['',]*len(applyElem.expressions)
         for i, expression in enumerate(applyElem.expressions):
             marshaller = inputMarshallerMap.get(expression.__class__)
@@ -506 +507 @@
             
         # Execute function on the retrieved inputs
-        result = func(*funcInputs)
+        result = func(*tuple(funcInputs))
         
         # Pass the result back to the parent <Apply> element
@@ -524 +525 @@
         if isinstance(attributeDesignator, SubjectAttributeDesignator):
             for i in self.request.subjects:
-                attributeValues.extend(
-                    [j.attributeValue for j in i.attributes
-                     if j.attributeValue.dataType == dataType])
+                for j in i.attributes:
+                    attributeValues.extend([k.value for k in j.attributeValues
+                                            if k.dataType == dataType])
 
         elif isinstance(attributeDesignator, ResourceAttributeDesignator):
             for i in self.request.resources:
-                attributeValues.extend(
-                    [j.attributeValue for j in i.attributes
-                     if j.attributeValue.dataType == dataType])
+                for j in i.attributes:
+                    attributeValues.extend([k.value for k in j.attributeValues
+                                            if k.dataType == dataType])
 
         elif isinstance(attributeDesignator, ActionAttributeDesignator):
-            attributeValues.append([j.attributeValue for j in i.attributes
-                                    if j.attributeValue.dataType == dataType])
+            for j in i.attributes:
+                attributeValues.extend([k.value for k in j.attributeValues
+                                        if k.dataType == dataType])
             
         elif isinstance(attributeDesignator, EnvironmentAttributeDesignator):
-            attributeValues.append([j.attributeValue for j in i.attributes
-                                    if j.attributeValue.dataType == dataType])
+            for j in i.attributes:
+                attributeValues.extend([k.value for k in j.attributeValues
+                                        if k.dataType == dataType])
         else:
             raise TypeError('Expecting %r derived type got %r' %

TI12-security/trunk/NDG_XACML/ndg/xacml/core/expression.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
+from abc import ABCMeta, abstractmethod
+
 from ndg.xacml.core import XacmlCoreBase
 
@@ -15 +17 @@
 class Expression(XacmlCoreBase):
     """XACML Expression type"""
+    __metaclass__ = ABCMeta
     ELEMENT_LOCAL_NAME = None
     DATA_TYPE_ATTRIB_NAME = 'DataType'
@@ -21 +24 @@
     
     def __init__(self):
+        super(Expression, self).__init__()
         self.__dataType = None
         
@@ -35 +39 @@
     dataType = property(_get_dataType, _set_dataType, None, 
                         "expression value data type")  
-          
+    
+    @abstractmethod
+    def evaluate(self, context):
+        """Evaluate the result of the expression in a condition.  Derived 
+        classes must implement
+        
+        @param context: the request context
+        @type context: ndg.xacml.core.context.request.Request
+        @return: attribute value(s) resulting from execution of this expression
+        in a condition
+        @rtype: AttributeValue/NoneType
+        """
+        raise NotImplementedError()

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/string_equal.py

@@ -9 +9 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
-import re
-
 from ndg.xacml.core.functions import AbstractFunction
 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v2/anyuri_regexp_match.py

@@ -29 +29 @@
         @rtype: bool
         """
+        if not isinstance(uriPat, basestring):
+            raise TypeError('Expecting %r derived type for "uriPat"; got %r' %
+                            (basestring, type(uri1)))
+            
+        if not isinstance(uri, basestring):
+            raise TypeError('Expecting %r derived type for "uri"; got %r' %
+                            (basestring, type(uri)))
+            
         return bool(re.match(uriPat, uri))
     

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

@@ -20 +20 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
-                        ^http://www.localhost/.*$
-                    </AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://www.localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -29 +27 @@
     
     <!-- Deny everything by default -->
-    <!--
     <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
-    -->
     <!-- 
         Following rules punch holes through the deny everything rule above
@@ -48 +44 @@
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
-                            ^http://localhost/test_securedURI.*$
-                        </AttributeValue>
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -60 +54 @@
             The condition narrows down the constraints layed down in the target to
             something more specific
+            
+            The user must have at least one of the roles set - in this
+            case 'urn:siteA:security:authz:1.0:attr:staff'
         -->
-        <Condition>
-            <!-- 
-                The user must have at least one of the roles set - in this
-                case 'urn:siteA:security:authz:1.0:attr:staff'
-            -->
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
-                        staff
-                    </AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
-                        admin
-                    </AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
-                        postdoc
-                    </AttributeValue>
-                </Apply>
+        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+            <SubjectAttributeDesignator 
+                AttributeId="urn:ndg:security:authz:1.0:attr" 
+                DataType="http://www.w3.org/2001/XMLSchema#string"/>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
             </Apply>
         </Condition>
@@ -88 +73 @@
             <Resources>
                 <Resource>
-                    <ResourceMatch 
-                        MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
                         <ResourceAttributeDesignator
                             AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
-                            ^/test_accessDeniedToSecuredURI$
-                        </AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
             </Resources>
         </Target>
-        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:equal">
-            <!-- 
-                The user must have at least one of the roles set - in this
-                case 'urn:siteA:security:authz:1.0:attr:forbidden' or
-                'urn:siteA:security:authz:1.0:attr:keepout'
-            -->
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
-                    MustBePresent="false" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue 
-                        DataType="urn:ndg:security:1.0:authz:attributeType">
-                        <name DataType="http://www.w3.org/2001/XMLSchema#string">
-                            urn:siteA:security:authz:1.0:attr:forbidden
-                        </name>
-                        <issuer DataType="http://www.w3.org/2001/XMLSchema#string">
-                            http://localhost:7443/AttributeAuthority
-                        </issuer>
-                    </AttributeValue>
-                    <AttributeValue 
-                        DataType="urn:ndg:security:1.0:authz:attributeType">
-                        <name DataType="http://www.w3.org/2001/XMLSchema#string">
-                            urn:siteA:security:authz:1.0:attr:keepout
-                        </name>
-                        <issuer DataType="http://www.w3.org/2001/XMLSchema#string">
-                            http://localhost:7443/AttributeAuthority
-                        </issuer>
-                    </AttributeValue>
-                </Apply>
+        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+            <SubjectAttributeDesignator 
+                AttributeId="urn:ndg:security:authz:1.0:attr" 
+                DataType="http://www.w3.org/2001/XMLSchema#string"/>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
+                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
             </Apply>
         </Condition>

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_context.py

@@ -59 +59 @@
     def _createRequestCtx(self):
         request = Request()
+        subject = Subject()
         
-        subject = Subject()
-        subjectAttribute = Attribute()
-        subject.attributes.append(subjectAttribute)
-        subjectAttribute.attributeId = \
-                            "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
-        subjectAttribute.dataType = \
-                            "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
-        subjectAttribute.attributeValue = AttributeValue()
-        subjectAttribute.attributeValue.value = 'bs@simpsons.com'
+        openidSubjectAttribute = Attribute()
+        roleAttribute = Attribute()
         
+        openidSubjectAttribute.attributeId = "urn:esg:openid"
+        openidSubjectAttribute.dataType = \
+                                    'http://www.w3.org/2001/XMLSchema#anyURI'
+        openidSubjectAttribute.attributeValues.append(AttributeValue())
+        openidSubjectAttribute.attributeValues[-1].dataType = \
+                                    'http://www.w3.org/2001/XMLSchema#anyURI'
+        openidSubjectAttribute.attributeValues[-1].value = \
+                                    'https://my.name.somewhere.ac.uk'
+        
+        subject.attributes.append(openidSubjectAttribute)
+
+        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
+        roleAttribute.dataType = 'http://www.w3.org/2001/XMLSchema#string'
+        roleAttribute.attributeValues.append(AttributeValue())
+        roleAttribute.attributeValues[-1].dataType = \
+                                    'http://www.w3.org/2001/XMLSchema#string'
+        roleAttribute.attributeValues[-1].value = 'staff' 
+        
+        subject.attributes.append(roleAttribute)
+                                  
         request.subjects.append(subject)
         
@@ -80 +94 @@
                             
         resourceAttribute.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
-        resourceAttribute.attributeValue = AttributeValue()
-        resourceAttribute.attributeValue.value = \
+        resourceAttribute.attributeValues.append(AttributeValue())
+        resourceAttribute.attributeValues[-1].value = \
                                         'http://www.localhost/test_securedURI'
 
@@ -93 +107 @@
                                 "urn:oasis:names:tc:xacml:1.0:action:action-id"
         actionAttribute.dataType = "http://www.w3.org/2001/XMLSchema#string"
-        actionAttribute.attributeValue = AttributeValue()
-        actionAttribute.attributeValue.value = 'read'
+        actionAttribute.attributeValues.append(AttributeValue())
+        actionAttribute.attributeValues[-1].value = 'read'
         
         return request