Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6806

Timestamp:

14/04/10 16:39:48 (11 years ago)

Author:

pjkersha

Message:

Moving matching and rule evaluation code out of the PDP class and into the relevant classes they pertain to e.g. target matching moved to Target class match method and so on.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml/core

Files:

: 5 edited

condition.py (modified) (1 diff)
context/pdp.py (modified) (6 diffs)
match.py (modified) (1 diff)
rule.py (modified) (2 diffs)
target.py (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDG_XACML/ndg/xacml/core/condition.py

-                      r6796
+                      r6806
                             type(value))
         self.__expression = value
+    def evaluate(self, context):
+        """Evaluate this rule condition
+        @param context: the request context
+        @type context: ndg.xacml.core.request.Request
+        @return: True/False status for whether the rule condition matched or
+        not
+        @rtype: bool
+        """
+        result = self.expression.evaluate(context)
+        return result

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

-                      r6805
+                      r6806
 from ndg.xacml.core.context.result import Result, Decision
 from ndg.xacml.core.context.result import StatusCode
-from ndg.xacml.core.functions import FunctionMap
 from ndg.xacml.core.exceptions import (UnsupportedStdFunctionError,
                                        UnsupportedFunctionError)
 …
     """
     __slots__ = ('__policy', '__request')
-    TARGET_CHILD_ATTRS = ('subjects', 'resources', 'actions', 'environments')
     def __init__(self, policy=None):
 …
         if policy is not None:
             self.policy = policy
-        self.__functionMap = FunctionMap.withLoadedMap()
         self.__request = None
 …
             log.debug('Checking policy target for match with request...')
+            target = self.policy.target
+            if not self.matchTarget(self.policy.target, request):
+            if target is None:
+                log.debug('No target set so no match with request context')
+                result.decision = Decision.NOT_APPLICABLE
+                return response
+            if not target.match(request):
                 log.debug('No match for policy target setting %r decision',
                           Decision.NOT_APPLICABLE_STR)
 …
             ruleStatusValues = [False]*len(self.policy.rules)
             for i, rule in enumerate(self.policy.rules):
+                log.debug('Checking policy rule %r for match...', rule.id)
+                if not self.matchTarget(rule.target, request):
+                    log.debug('No match to request context for target in rule '
+                              '%r', rule.id)
+                    ruleStatusValues[i] = True
+                    continue
+                # Apply the condition
+                ruleStatusValues[i] = self.evaluateCondition(rule.condition)
+                ruleStatusValues[i] = rule.evaluate()
+#                log.debug('Checking policy rule %r for match...', rule.id)
+#                if not self.matchTarget(rule.target, request):
+#                    log.debug('No match to request context for target in rule '
+#                              '%r', rule.id)
+#                    ruleStatusValues[i] = True
+#                    continue
+#
+#                # Apply the condition
+#                ruleStatusValues[i] = self.evaluateCondition(rule.condition)
         except PDPError, e:
 …
         return response
-    def matchTarget(self, target, request):
-        """Generic method to match a <Target> element to the request context
-        @param target: XACML target element
-        @type target: ndg.xacml.core.target.Target
-        @param request: XACML request context
-        @type request: ndg.xacml.core.context.request.Request
-        @return: True if request context matches the given target,
-        False otherwise
-        @rtype: bool
-        """
-        if target is None:
-            log.debug('No target set so no match with request context')
-            return False
-        # From section 5.5 of the XACML 2.0 Core Spec:
+        #
-        # For the parent of the <Target> element to be applicable to the
-        # decision request, there MUST be at least one positive match between
-        # each section of the <Target> element and the corresponding section of
-        # the <xacml-context:Request> element.
+        #
-        # Also, 7.6:
+        #
-        # The target value SHALL be "Match" if the subjects, resources, actions
-        # and environments specified in the target all match values in the
-        # request context.
-        statusValues = [False]*len(self.__class__.TARGET_CHILD_ATTRS)
-        # Iterate for target subjects, resources, actions and environments
-        # elements
-        for i, attrName in enumerate(self.__class__.TARGET_CHILD_ATTRS):
-            # If any one of the <Target> children is missing then it counts as
-            # a match e.g. for <Subjects> child element - Section 5.5:
+            #
-            # <Subjects> [Optional] Matching specification for the subject
-            # attributes in the context. If this element is missing,
-            # then the target SHALL match all subjects.
-            targetElem = getattr(target, attrName)
-            if len(targetElem) == 0:
-                statusValues[i] = True
-                continue
-            # Iterate over each for example, subject in the list of subjects:
-            # <Target>
-            #     <Subjects>
-            #          <Subject>
-            #              ...
-            #          </Subject>
-            #          <Subject>
-            #              ...
-            #          </Subject>
-            #     ...
-            # or resource in the list of resources and so on
-            for targetSubElem in targetElem:
-                # For the given subject/resource/action/environment check for a
-                # match with the equivalent in the request
-                requestElem = getattr(request, attrName)
-                for requestSubElem in requestElem:
-                    if self.matchTargetChild(targetSubElem, requestSubElem):
-                        # Within the list of e.g. subjects if one subject
-                        # matches then this counts as a subject match overall
-                        # for this target
-                        statusValues[i] = True
-        # Target matches if all the children (i.e. subjects, resources, actions
-        # and environment sections) have at least one match.  Otherwise it
-        # doesn't count as a match
-        return all(statusValues)
-    def matchTargetChild(self, targetChild, requestChild):
-        """Match a request child element (a <Subject>, <Resource>, <Action> or
-        <Environment>) with the corresponding target's <Subject>, <Resource>,
-        <Action> or <Environment>.
-        @param targetChild: Target Subject, Resource, Action or Environment
-        object
-        @type targetChild: ndg.xacml.core.TargetChildBase
-        @param requestChild: Request Subject, Resource, Action or Environment
-        object
-        @type requestChild: ndg.xacml.core.context.RequestChildBase
-        @return: True if request context matches something in the target
-        @rtype: bool
-        @raise UnsupportedElementError: AttributeSelector processing is not
-        currently supported.  If an AttributeSelector is found in the policy,
-        this exception will be raised.
-        @raise UnsupportedStdFunctionError: policy references a function type
-        which is in the XACML spec. but is not supported by this implementation
-        @raise UnsupportedFunctionError: policy references a function type which
-        is not supported by this implementation
-        """
-        if targetChild is None:
-            # Default if target child is not set is to match all children
-            return True
-        matchStatusValues = [True]*len(targetChild.matches)
-        # Section 7.6
+        #
-        # A subject, resource, action or environment SHALL match a value in the
-        # request context if the value of all its <SubjectMatch>,
-        # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements,
-        # respectively, are "True".
+        #
-        # e.g. for <SubjectMatch>es in <Subject> ...
-        for childMatch, matchStatus in zip(targetChild.matches,
-                                           matchStatusValues):
-            # Get the match function from the Match ID
-            matchFunctionClass = self.__functionMap.get(childMatch.matchId)
-            if matchFunctionClass is NotImplemented:
-                raise UnsupportedStdFunctionError('No match function class '
-                                                  'implemented for MatchId="%s"'
-                                                  % childMatch.matchId)
-            elif matchFunctionClass is None:
-                raise UnsupportedFunctionError('Match function namespace %r is '
-                                               'not recognised' %
-                                               childMatch.matchId)
-            matchAttributeValue = childMatch.attributeValue.value
-            # Create a match function based on the presence or absence of an
-            # AttributeDesignator or AttributeSelector
-            if childMatch.attributeDesignator is not None:
-                _attributeMatch = self.attributeDesignatorMatchFuncFactory(
-                                                matchFunctionClass(),
-                                                childMatch.attributeValue,
-                                                childMatch.attributeDesignator)
-            elif childMatch.attributeSelector is not None:
-                # Nb. This will require that the request provide a reference to
-                # it's XML representation and an abstraction of the XML parser
-                # for executing XPath searches into that representation
-                raise UnsupportedElementError('This PDP implementation does '
-                                              'not support <AttributeSelector> '
-                                              'elements')
-            else:
-                _attributeMatch = lambda requestChildAttribute: (
-                    matchFunc.evaluate(matchAttributeValue,
-                                    requestChildAttribute.attributeValue.value)
+                )
-            # Iterate through each attribute in the request in turn matching it
-            # against the target using the generated _attributeMatch function
+            #
-            # Any Match element NOT matching will result in an overall status of
-            # no match.
+            #
-            # Continue iterating through the whole list even if a False status
-            # is found.  The other attributes need to be checked in case an
-            # error occurs.  In this case the top-level PDP exception handling
-            # block will catch it and set an overall decision of INDETERMINATE
-            attrMatchStatusValues = [False]*len(requestChild.attributes)
-            for attribute, attrMatchStatus in zip(requestChild.attributes,
-                                                  attrMatchStatusValues):
-                attrMatchStatus = _attributeMatch(attribute)
-                if attrMatchStatus == True:
-                    if log.getEffectiveLevel() <= logging.DEBUG:
-                        log.debug('Request attribute %r set to %r matches '
-                                  'target',
-                                  attribute.attributeId,
-                                  [a.value for a in attribute.attributeValues])
-            matchStatus = all(attrMatchStatusValues)
-        # Any match => overall match
-        return any(matchStatusValues)
-    def attributeDesignatorMatchFuncFactory(self,
-                                            matchFunc,
-                                            matchAttributeValue,
-                                            attributeDesignator):
-        """Define a match function to match a given request attribute against
-        the input attribute value and AttributeDesignator defined in a policy
-        target
-        """
-        attributeId = attributeDesignator.attributeId
-        dataType = attributeDesignator.dataType
-        # Issuer is an optional match - see core spec. 7.2.4
-        issuer = attributeDesignator.issuer
-        if issuer is not None:
-            # Issuer found - set lambda to match this against the
-            # issuer setting in the request
-            _issuerMatch = lambda requestChildIssuer: (
-                                                issuer == requestChildIssuer)
-        else:
-            # No issuer set - lambda returns True regardless
-            _issuerMatch = lambda requestChildIssuer: True
-        _attributeMatch = lambda attribute: (
-            any([matchFunc.evaluate(matchAttributeValue, attrVal)
-                 for attrVal in attribute.attributeValues]) and
-            attribute.attributeId == attributeId and
-            attribute.dataType == dataType and
-            _issuerMatch(attribute.issuer)
+        )
-        return _attributeMatch
-    def evaluateCondition(self, condition):
-        """Evaluate a rule condition
-        @param condition: rule condition
-        @type condition: ndg.xacml.core.condition.Condition
-        @return: True/False status for whether the rule condition matched or
-        not
-        @rtype: bool
-        """
-        # Spec:
+        #
-        # "The condition value SHALL be "True" if the <Condition> element is
-        # absent"
-        if condition is None:
-            return True
-        applyElem = condition.expression
-        if not isinstance(applyElem, Apply):
-            raise UnsupportedElementError('%r type <Condition> sub-element '
-                                          'processing is not supported in this '
-                                          'implementation' % applyElem)
-        result = applyElem.evaluate(self.request)
-        return result

TI12-security/trunk/NDG_XACML/ndg/xacml/core/match.py

-                      r6774
+                      r6806
     matchId = property(_getMatchId, _setMatchId, None, "Match Id")
+    def evaluate(self):
+        """Evaluate the match object against the relevant element in the request
+        context
+        """
+        # Get the match function from the Match ID
+#        matchFunctionClass = self.__functionMap.get(self.matchId)
+#        if matchFunctionClass is NotImplemented:
+#            raise UnsupportedStdFunctionError('No match function class '
+#                                              'implemented for MatchId="%s"'
+#                                              % self.matchId)
+#        elif matchFunctionClass is None:
+#            raise UnsupportedFunctionError('Match function namespace %r is '
+#                                           'not recognised' %
+#                                           self.matchId)
+#
+#        matchAttributeValue = self.attributeValue.value
+        # Create a match function based on the presence or absence of an
+        # AttributeDesignator or AttributeSelector
+        if self.attributeDesignator is not None:
+#            _attributeMatch = self.attributeDesignatorMatchFuncFactory(
+#                                            matchFunctionClass(),
+#                                            self.attributeValue,
+#                                            self.attributeDesignator)
+        elif self.attributeSelector is not None:
+            # Nb. This will require that the request provide a reference to
+            # it's XML representation and an abstraction of the XML parser
+            # for executing XPath searches into that representation
+            raise UnsupportedElementError('This PDP implementation does '
+                                          'not support <AttributeSelector> '
+                                          'elements')
+        else:
+            _attributeMatch = lambda requestChildAttribute: (
+                matchFunc.evaluate(matchAttributeValue,
+                                requestChildAttribute.attributeValue.value)
+            )
+        # Iterate through each attribute in the request in turn matching it
+        # against the target using the generated _attributeMatch function
+        #
+        # Any Match element NOT matching will result in an overall status of
+        # no match.
+        #
+        # Continue iterating through the whole list even if a False status
+        # is found.  The other attributes need to be checked in case an
+        # error occurs.  In this case the top-level PDP exception handling
+        # block will catch it and set an overall decision of INDETERMINATE
+        attrMatchStatusValues = [False]*len(requestChild.attributes)
+        for attribute, attrMatchStatus in zip(requestChild.attributes,
+                                              attrMatchStatusValues):
+            attrMatchStatus = _attributeMatch(attribute)
+            if attrMatchStatus == True:
+                if log.getEffectiveLevel() <= logging.DEBUG:
+                    log.debug('Request attribute %r set to %r matches '
+                              'target',
+                              attribute.attributeId,
+                              [a.value for a in attribute.attributeValues])
+        matchStatus = all(attrMatchStatusValues)
+        return matchStatus
 class SubjectMatch(MatchBase):

TI12-security/trunk/NDG_XACML/ndg/xacml/core/rule.py

-                      r6790
+                      r6806
             raise TypeError('Expecting %r type for "id" '
                             'attribute; got %r' % (basestring, type(value)))
         self.__id = value
 …
     description = property(_getDescription, _setDescription,
                            doc="Rule Description text")
+    def evaluate(self, context):
+        """Evaluate a rule
+        @param context: the request context
+        @type context: ndg.xacml.core.request.Request
+        @return: result of the evaluation - the decision for this rule
+        @rtype:
+        """
+        log.debug('Evaluating rule %r ...', rule.id)
+        if not self.matchTarget(self.target, request):
+            log.debug('No match to request context for target in rule '
+                      '%r', self.id)
+            #ruleStatusValues[i] = True
+            continue
+        # Apply the condition
+        ruleStatusValues[i] = self.condition.evaluate()

TI12-security/trunk/NDG_XACML/ndg/xacml/core/target.py

-                      r6770
+                      r6806
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
+import logging
+log = logging.getLogger(__name__)
 from ndg.xacml.core import XacmlCoreBase
 from ndg.xacml.core.action import Action
 …
 class Target(XacmlCoreBase):
+    """XACML Target element"""
     ELEMENT_LOCAL_NAME = "Target"
     SUBJECTS_ELEMENT_LOCAL_NAME = "Subjects"
 …
     RESOURCES_ELEMENT_LOCAL_NAME = "Resources"
     ENVIRONMENTS_ELEMENT_LOCAL_NAME = "Environments"
+    CHILD_ATTRS = ('subjects', 'resources', 'actions', 'environments')
     __slots__ = ('__subjects', '__resources', '__actions', '__environments')
     def __init__(self):
+        """Initial attributes"""
         self.__subjects = TypedList(Subject)
         self.__resources = TypedList(Resource)
 …
     def environments(self):
         return self.__environments
+class _Target(XacmlCoreBase):
+    """Define access behaviour for a resource match a given URI pattern"""
+    URI_PATTERN_LOCALNAME = "URIPattern"
+    ATTRIBUTES_LOCALNAME = "Attributes"
+    ATTRIBUTE_AUTHORITY_LOCALNAME = "AttributeAuthority"
+    __slots__ = (
+        '__uriPattern',
+        '__attributes',
+        '__regEx'
+    )
+    def __init__(self):
+        super(Target, self).__init__()
+        self.__uriPattern = None
+        self.__attributes = []
+        self.__regEx = None
+    def getUriPattern(self):
+        return self.__uriPattern
+    def setUriPattern(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "uriPattern" '
+                            'attribute; got %r' % type(value))
+        self.__uriPattern = value
+    uriPattern = property(getUriPattern,
+                          setUriPattern,
+                          doc="URI Pattern to match this target")
+    def getAttributes(self):
+        return self.__attributes
+    def setAttributes(self, value):
+        if (not isinstance(value, TypedList) and
+            not issubclass(value.elementType, Attribute.__class__)):
+            raise TypeError('Expecting TypedList(Attribute) for "attributes" '
+                            'attribute; got %r' % type(value))
+        self.__attributes = value
+    attributes = property(getAttributes,
+                          setAttributes,
+                          doc="Attributes restricting access to this target")
+    def getRegEx(self):
+        return self.__regEx
+    def setRegEx(self, value):
+        self.__regEx = value
+    regEx = property(getRegEx, setRegEx, doc="RegEx's Docstring")
+    def parse(self, root):
+        self.xmlns = QName.getNs(root.tag)
+        version1_0attributeAuthorityURI = None
+        for elem in root:
+            localName = QName.getLocalPart(elem.tag)
+            if localName == Target.URI_PATTERN_LOCALNAME:
+                self.uriPattern = elem.text.strip()
+                self.regEx = re.compile(self.uriPattern)
+    def match(self, request):
+        """Generic method to match a <Target> element to the request context
+        @param target: XACML target element
+        @type target: ndg.xacml.core.target.Target
+        @param request: XACML request context
+        @type request: ndg.xacml.core.context.request.Request
+        @return: True if request context matches the given target,
+        False otherwise
+        @rtype: bool
+        """
+        # From section 5.5 of the XACML 2.0 Core Spec:
+        #
+        # For the parent of the <Target> element to be applicable to the
+        # decision request, there MUST be at least one positive match between
+        # each section of the <Target> element and the corresponding section of
+        # the <xacml-context:Request> element.
+        #
+        # Also, 7.6:
+        #
+        # The target value SHALL be "Match" if the subjects, resources, actions
+        # and environments specified in the target all match values in the
+        # request context.
+        statusValues = [False]*len(self.__class__.CHILD_ATTRS)
+        # Iterate for target subjects, resources, actions and environments
+        # elements
+        for i, attrName in enumerate(self.__class__.CHILD_ATTRS):
+            # If any one of the <Target> children is missing then it counts as
+            # a match e.g. for <Subjects> child element - Section 5.5:
+            #
+            # <Subjects> [Optional] Matching specification for the subject
+            # attributes in the context. If this element is missing,
+            # then the target SHALL match all subjects.
+            targetElem = getattr(self, attrName)
+            if len(targetElem) == 0:
+                statusValues[i] = True
+                continue
+            # Iterate over each for example, subject in the list of subjects:
+            # <Target>
+            #     <Subjects>
+            #          <Subject>
+            #              ...
+            #          </Subject>
+            #          <Subject>
+            #              ...
+            #          </Subject>
+            #     ...
+            # or resource in the list of resources and so on
+            for targetSubElem in targetElem:
+            elif localName == Target.ATTRIBUTES_LOCALNAME:
+                for attrElem in elem:
+                    if self.xmlns == Target.VERSION_1_1_XMLNS:
+                        self.attributes.append(Attribute.Parse(attrElem))
+                    else:
+                        attribute = Attribute()
+                        attribute.name = attrElem.text.strip()
+                        self.attributes.append(attribute)
+            elif localName == Target.ATTRIBUTE_AUTHORITY_LOCALNAME:
+                # Expecting first element to contain the URI
+                warnings.warn(
+                        Target.ATTRIBUTE_AUTHORITY_LOCALNAME_DEPRECATED_MSG,
+                        PendingDeprecationWarning)
+                # For the given subject/resource/action/environment check for a
+                # match with the equivalent in the request
+                requestElem = getattr(request, attrName)
+                for requestSubElem in requestElem:
+                    if self._matchChild(targetSubElem, requestSubElem):
+                        # Within the list of e.g. subjects if one subject
+                        # matches then this counts as a subject match overall
+                        # for this target
+                        statusValues[i] = True
+        # Target matches if all the children (i.e. subjects, resources, actions
+        # and environment sections) have at least one match.  Otherwise it
+        # doesn't count as a match
+        return all(statusValues)
+    def _matchChild(self, targetChild, requestChild):
+        """Match a request child element (a <Subject>, <Resource>, <Action> or
+        <Environment>) with the corresponding target's <Subject>, <Resource>,
+        <Action> or <Environment>.
+        @param targetChild: Target Subject, Resource, Action or Environment
+        object
+        @type targetChild: ndg.xacml.core.TargetChildBase
+        @param requestChild: Request Subject, Resource, Action or Environment
+        object
+        @type requestChild: ndg.xacml.core.context.RequestChildBase
+        @return: True if request context matches something in the target
+        @rtype: bool
+        @raise UnsupportedElementError: AttributeSelector processing is not
+        currently supported.  If an AttributeSelector is found in the policy,
+        this exception will be raised.
+        @raise UnsupportedStdFunctionError: policy references a function type
+        which is in the XACML spec. but is not supported by this implementation
+        @raise UnsupportedFunctionError: policy references a function type which
+        is not supported by this implementation
+        """
+        if targetChild is None:
+            # Default if target child is not set is to match all children
+            return True
+        matchStatusValues = [True]*len(targetChild.matches)
+        # Section 7.6
+        #
+        # A subject, resource, action or environment SHALL match a value in the
+        # request context if the value of all its <SubjectMatch>,
+        # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements,
+        # respectively, are "True".
+        #
+        # e.g. for <SubjectMatch>es in <Subject> ...
+        for childMatch, matchStatus in zip(targetChild.matches,
+                                           matchStatusValues):
+            matchStatusValues[i] = childMatch.evaluate(requestChild)
+        # Any match => overall match
+        return any(matchStatusValues)
+                version1_0attributeAuthorityURI = elem[-1].text.strip()
+            else:
+                raise TargetParseError("Invalid Target attribute: %s" %
+                                       localName)
+        if self.xmlns == Target.VERSION_1_0_XMLNS:
+            msg = ("Setting all attributes with Attribute Authority "
+                   "URI set read using Version 1.0 schema.  This will "
+                   "be deprecated in future releases")
+            warnings.warn(msg, PendingDeprecationWarning)
+            log.warning(msg)
+            if version1_0attributeAuthorityURI is None:
+                raise TargetParseError("Assuming version 1.0 schema "
+                                       "for Attribute Authority URI setting "
+                                       "but no URI has been set")
+            for attribute in self.attributes:
+                attribute.attributeAuthorityURI = \
+                    version1_0attributeAuthorityURI
+    @classmethod
+    def Parse(cls, root):
+        resource = cls()
+        resource.parse(root)
+        return resource
+    def __str__(self):
+        return str(self.uriPattern)
+    def attributeDesignatorMatchFuncFactory(self,
+                                            matchFunc,
+                                            matchAttributeValue,
+                                            attributeDesignator):
+        """Define a match function to match a given request attribute against
+        the input attribute value and AttributeDesignator defined in a policy
+        target
+        """
+        attributeId = attributeDesignator.attributeId
+        dataType = attributeDesignator.dataType
+        # Issuer is an optional match - see core spec. 7.2.4
+        issuer = attributeDesignator.issuer
+        if issuer is not None:
+            # Issuer found - set lambda to match this against the
+            # issuer setting in the request
+            _issuerMatch = lambda requestChildIssuer: (
+                                                issuer == requestChildIssuer)
+        else:
+            # No issuer set - lambda returns True regardless
+            _issuerMatch = lambda requestChildIssuer: True
+        _attributeMatch = lambda attribute: (
+            any([matchFunc.evaluate(matchAttributeValue, attrVal)
+                 for attrVal in attribute.attributeValues]) and
+            attribute.attributeId == attributeId and
+            attribute.dataType == dataType and
+            _issuerMatch(attribute.issuer)
+        )
+        return _attributeMatch

Note: See TracChangeset for help on using the changeset viewer.