Changeset 6805

Timestamp:

14/04/10 15:45:01 (11 years ago)

Author:

pjkersha

Message:

Working <Condition> statement processing. This means that policy rules can now be evaluated. The rule combining algorithm handling needs to be implemented to complete the PDP processing.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/apply.py (modified) (1 diff)
• core/attribute.py (modified) (1 diff)
• core/attributedesignator.py (modified) (8 diffs)
• core/attributevalue.py (modified) (2 diffs)
• core/context/pdp.py (modified) (3 diffs)
• core/functions/__init__.py (modified) (3 diffs)
• core/functions/v1/at_least_one_member_of.py (modified) (1 diff)
• core/functions/v1/bag.py (modified) (1 diff)
• core/functions/v1/regexp_match.py (modified) (3 diffs)
• test/ndg1.xml (modified) (1 diff)
• test/test_context.py (modified) (3 diffs)
• utils/__init__.py (modified) (1 diff)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/apply.py

@@ -136 +136 @@
         
         # Marshall inputs
-        funcInputs = ['']*len(self.expressions)
+        funcInputs = [None]*len(self.expressions)
 
         for i, expression in enumerate(self.expressions):

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attribute.py

@@ -35 +35 @@
         "attribute values"
         return self.__attributeValues
+     
+    @attributeValues.setter
+    def attributeValues(self, value):
+        "attribute values"
+        if not isinstance(value, TypedList):
+            raise TypeError('Expecting %r type for "attributeValues" '
+                            'attribute; got %r' % (TypedList, type(value)))
             
+        self.__attributeValues = value
+                   
     def _get_dataType(self):
         return self.__dataType

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attributedesignator.py

@@ -12 +12 @@
 from ndg.xacml.utils import TypedList
 from ndg.xacml.core.expression import Expression
-from ndg.xacml.core.attributevalue import AttributeValue
+from ndg.xacml.core.attributevalue import (AttributeValue, 
+                                           AttributeValueClassFactory)
 from ndg.xacml.core.context.request import Request
 from ndg.xacml.core.context.exceptions import MissingAttributeError
@@ -24 +25 @@
     MUST_BE_PRESENT_ATTRIB_NAME = 'MustBePresent'
     
-    __slots__ = ('__attributeId', '__issuer', '__mustBePresent')
+    __slots__ = (
+        '__attributeId', 
+        '__issuer', 
+        '__mustBePresent',
+        '__attributeValueFactory'
+    )
     
     def __init__(self):
@@ -31 +37 @@
         self.__issuer = None
         self.__mustBePresent = False
+        self.__attributeValueFactory = AttributeValueClassFactory()
 
     @property
@@ -72 +79 @@
                             'attribute; got %r' % (bool, type(value)))
             
-        self.__mustBePresent = value        
-                
+        self.__mustBePresent = value   
+             
+    @property
+    def attributeValueFactory(self):
+        """Get Attribute Value factory function"""
+        return self.__attributeValueFactory
+                    
         
 class SubjectAttributeDesignator(AttributeDesignator):
     """XACML Subject Attribute Designator type"""
     ELEMENT_LOCAL_NAME = 'SubjectAttributeDesignator'
-
+        
     def evaluate(self, context):
         """Evaluate the result of the SubjectAttributeDesignator in a condition
@@ -92 +104 @@
                             (Request, type(context)))
         
-        attributeValueBag = TypedList(AttributeValue)
-        dataType = self.dataType
+        dataType = self.dataType
+        attributeValueBag = TypedList(self.attributeValueFactory(dataType))
         attributeId = self.attributeId
         issuer = self.issuer
@@ -141 +153 @@
                             (Request, type(context)))
         
-        attributeValueBag = TypedList(AttributeValue)
-        dataType = self.dataType
+        dataType = self.dataType
+        attributeValueBag = TypedList(self.attributeValueFactory(dataType))
         attributeId = self.attributeId
         issuer = self.issuer
@@ -190 +202 @@
                             (Request, type(context)))
         
-        attributeValueBag = TypedList(AttributeValue)
-        dataType = self.dataType
+        dataType = self.dataType
+        attributeValueBag = TypedList(self.attributeValueFactory(dataType))
         attributeId = self.attributeId
         issuer = self.issuer
@@ -240 +252 @@
                             (Request, type(context)))
         
-        attributeValueBag = []
-        dataType = self.dataType
+        dataType = self.dataType
+        attributeValueBag = TypedList(self.attributeValueFactory(dataType))
         attributeId = self.attributeId
         issuer = self.issuer

TI12-security/trunk/NDG_XACML/ndg/xacml/core/attributevalue.py

@@ -51 +51 @@
             
         self.__value = None
-           
+
+    def __repr__(self):
+        return "%s = %r " % (super(AttributeValue, self).__repr__(),
+                             self.__value)
+    
     def _get_value(self):
         return self.__value
@@ -66 +70 @@
     
     def evaluate(self, context):
-        """Evaluate the result of the expression in a condition
+        """Evaluate the result of the expression in a condition.  In the case of
+        an attribute value it's simply itself
+        
         @param context: the request context
         @type context: ndg.xacml.core.context.request.Request
-        @return: attribute value(s) resulting from execution of this expression
-        in a condition
-        @rtype: AttributeValue/NoneType  
+        @return: this attribute value
+        @rtype: AttributeValue  
         """ 
-        return self.__value
+        return self
 
 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

@@ -304 +304 @@
                 _attributeMatch = self.attributeDesignatorMatchFuncFactory(
                                                 matchFunctionClass(),
-                                                childMatch.attributeValue.value,
+                                                childMatch.attributeValue,
                                                 childMatch.attributeDesignator)
                 
@@ -371 +371 @@
         
         _attributeMatch = lambda attribute: (
-            any([matchFunc.evaluate(matchAttributeValue, attrVal.value) 
+            any([matchFunc.evaluate(matchAttributeValue, attrVal) 
                  for attrVal in attribute.attributeValues]) and
             attribute.attributeId == attributeId and
@@ -403 +403 @@
          
         result = applyElem.evaluate(self.request)
-
-
-
+        
+        return result
+
+
+

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/__init__.py

@@ -16 +16 @@
 log = logging.getLogger(__name__)
 
-from ndg.xacml.core.attributevalue import AttributeValue
+from ndg.xacml.core.attributevalue import (AttributeValue, 
+                                           AttributeValueClassFactory)
 from ndg.xacml.utils import VettedDict, _isIterable
 from ndg.xacml.utils.factory import callModuleObject
@@ -349 +350 @@
                                   for n in functionSuffixParts if n])
         
+        attributeValueClassFactory = AttributeValueClassFactory()
+        
         for identifier in self.__class__.FUNCTION_NAMES:            
             # Extract the function name and the type portion of the function
@@ -356 +359 @@
             
             typeName = typePart[0].upper() + typePart[1:]
-            _type = AttributeValue.TYPE_MAP.get(typeName)
+            typeURI = AttributeValue.IDENTIFIER_PREFIX + typePart
+            _type = attributeValueClassFactory(typeURI)
             if _type is None:
                 raise TypeError('No AttributeValue.TYPE_MAP entry for %r type' %

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/at_least_one_member_of.py

@@ -16 +16 @@
 class AtLeastOneMemberOfBase(AbstractFunction):
     """Base class implementation for at least one member of XACML function -
-    check an item of a given type is contained in a given bag
+    check at least one item in one set is contained in the second set
     
     urn:oasis:names:tc:xacml:1.0:function:<type>-at-least-one-member-of
+    
+    @cvar TYPE: AttributeValue type for the sets
+    @type TYPE: AttributeValue sub-class
     """
     TYPE = None
     
-    def evaluate(self, item, bag):
+    def evaluate(self, set1, set2):
         """Check input is contained in the bag
         
-        @param item: check to see if this string is contained in the bag
-        @type item: type
-        @param bag: bag of <type> values
-        @type bag: TypedList(<type>)
+        @param set1: check to see if at least one item in this set is contained 
+        in the second set
+        @type set1: TypedList(self.__class__.TYPE)
+        @param set2: bag of self.__class__.TYPE values
+        @type set2: TypedList(self.__class__.TYPE)
         @return: True if str is in bag, False otherwise
         @rtype: bool
         """
-        if not isinstance(item, self.__class__.TYPE):
-            raise XacmlContextTypeError('Expecting %r derived type for "item"; '
-                                        'got %r' % (self.__class__.TYPE, 
-                                                    type(item)))
+        if not isinstance(set1, Bag):
+            raise XacmlContextTypeError('Expecting %r derived type for "set1"; '
+                                        'got %r' % (Bag, type(set1)))
             
-        if not isinstance(bag, Bag):
-            raise XacmlContextTypeError('Expecting %r derived type for "bag"; '
-                                        'got %r' % (Bag, type(bag)))
+        if set1.elementType != self.__class__.TYPE:
+            raise XacmlContextTypeError('Expecting %r type elements for '
+                                        '"set1"; got %r' %
+                                        (self.__class__.TYPE, set1.elementType))
             
-        if bag.elementType != self.__class__.TYPE:
-            raise XacmlContextTypeError('Expecting %r type elements for "bag"; '
-                                        'got %r' %
-                                        (self.__class__.TYPE, bag.elementType))
-        return item in bag
+        if not isinstance(set2, Bag):
+            raise XacmlContextTypeError('Expecting %r derived type for "set2"; '
+                                        'got %r' % (Bag, type(set2)))
+            
+        if set2.elementType != self.__class__.TYPE:
+            raise XacmlContextTypeError('Expecting %r type elements for '
+                                        '"set2"; got %r' %
+                                        (self.__class__.TYPE, set2.elementType))
+        
+        set2Values = [attr.value for attr in set2]
+        for i in set1:
+            if i.value in set2Values:
+                return True
+            
+        return False
     
 

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/bag.py

@@ -36 +36 @@
         bag = Bag(self.__class__.TYPE)
         for i in args:
-            if not isinstance(i, basestring):
+            if not isinstance(i, self.__class__.TYPE):
                 raise TypeError('Expecting %r derived type for bag element; '
                                 'got %r' % (self.__class__.TYPE, type(i)))

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/regexp_match.py

@@ -10 +10 @@
 __revision__ = '$Id: $'
 import re
-#import sys
 
+from ndg.xacml.core.context.exceptions import XacmlContextTypeError
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory
 from ndg.xacml.core.functions import (AbstractFunction, 
                                       FunctionClassFactoryInterface)
-from ndg.xacml.core.context.exceptions import XacmlContextTypeError
 
 
@@ -35 +35 @@
         @rtype: bool
         """
-        if not isinstance(pat, basestring):
+        if not isinstance(pat, self.__class__.TYPE):
             raise TypeError('Expecting %r derived type for "pat"; got %r' %
-                            (basestring, type(pat)))
+                            (self.__class__.TYPE, type(pat)))
             
         if not isinstance(input, self.__class__.TYPE):
@@ -43 +43 @@
                             (self.__class__.TYPE, type(input)))
             
-        return bool(re.match(pat, input))
+        return bool(re.match(pat.value, input.value))
     
+
+attributeValueClassFactory = AttributeValueClassFactory()
 
 class StringRegexMatch(RegexpMatchBase):
     FUNCTION_NS = 'urn:oasis:names:tc:xacml:1.0:function:string-regexp-match'
-    TYPE = basestring
+    TYPE = attributeValueClassFactory('http://www.w3.org/2001/XMLSchema#string')
     
     

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

@@ -75 +75 @@
             <Resources>
                 <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                         <ResourceAttributeDesignator
                             AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                     </ResourceMatch>
                 </Resource>

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_context.py

@@ -71 +71 @@
                                     'http://www.w3.org/2001/XMLSchema#anyURI'
 
-        StringAttributeValue = attributeValueFactory(
+        AnyUriAttributeValue = attributeValueFactory(
                                     'http://www.w3.org/2001/XMLSchema#anyURI')
-        openidSubjectAttribute.attributeValues.append(StringAttributeValue())
+        openidSubjectAttribute.attributeValues.append(AnyUriAttributeValue())
     
         openidSubjectAttribute.attributeValues[-1].dataType = \
                                     'http://www.w3.org/2001/XMLSchema#anyURI'
+                                    
+                                    
         openidSubjectAttribute.attributeValues[-1].value = \
                                     'https://my.name.somewhere.ac.uk'
@@ -82 +84 @@
         subject.attributes.append(openidSubjectAttribute)
 
+        StringAttributeValue = attributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#string')
+
         roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
         roleAttribute.dataType = 'http://www.w3.org/2001/XMLSchema#string'
+        
         roleAttribute.attributeValues.append(StringAttributeValue())
         roleAttribute.attributeValues[-1].dataType = \
@@ -101 +107 @@
                             
         resourceAttribute.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
-        resourceAttribute.attributeValues.append(StringAttributeValue())
+        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
         resourceAttribute.attributeValues[-1].value = \
                                         'http://www.localhost/test_securedURI'

TI12-security/trunk/NDG_XACML/ndg/xacml/utils/__init__.py

@@ -47 +47 @@
         self.__elementType = elementType
         super(TypedList, self).__init__(*arg, **kw)
-    
+
+    def __repr__(self):
+        return "%r type: %s" % (self.__elementType, 
+                                super(TypedList, self).__repr__())
+        
     def _getElementType(self):
         return self.__elementType