Changeset 7351

Timestamp:

20/08/10 15:46:35 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• important fix to ndg.xacml.core.rule.Rule.evaluate: return NotApplicable? where Target matches but Condition does not match
• optimised ndg.xacml.core.functions.v1.at_least_one_member_of.AtLeastOneMemberOfBase? to use set and '&' operator for this function.
• fix to ndg.xacml.core.functions.FunctionMap?.loadFunction to catch function namespace not recognised.

Location:

TI12-security/trunk/ndg_xacml/ndg/xacml

Files:

• core/apply.py (modified) (1 diff)
• core/attributedesignator.py (modified) (3 diffs)
• core/attributevalue.py (modified) (1 diff)
• core/exceptions.py (deleted)
• core/functions/__init__.py (modified) (3 diffs)
• core/functions/v1/at_least_one_member_of.py (modified) (1 diff)
• core/functions/v1/match.py (modified) (1 diff)
• core/functions/v1/regexp_match.py (modified) (1 diff)
• core/match.py (modified) (2 diffs)
• core/policy.py (modified) (1 diff)
• core/rule.py (modified) (2 diffs)
• test/ndg1.xml (modified) (1 diff)

TI12-security/trunk/ndg_xacml/ndg/xacml/core/apply.py

@@ -12 +12 @@
 from ndg.xacml.utils import TypedList
 from ndg.xacml.core.expression import Expression
-from ndg.xacml.core.functions import FunctionMap
-from ndg.xacml.core.exceptions import (UnsupportedStdFunctionError,
-                                       UnsupportedFunctionError)
+from ndg.xacml.core.functions import (FunctionMap, UnsupportedStdFunctionError,
+                                      UnsupportedFunctionError)
 
 

TI12-security/trunk/ndg_xacml/ndg/xacml/core/attributedesignator.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
+import logging
+log = logging.getLogger(__name__)
+
 from ndg.xacml.utils import TypedList
 from ndg.xacml.core.expression import Expression
@@ -162 +165 @@
         issuer = self.issuer
         
+        log.debug("In SubjectAttributeDesignator for attribute %r", attributeId)
+        
         if issuer is not None:
             _issuerMatch = lambda _issuer: issuer == _issuer
@@ -182 +187 @@
                 # designator can be retrieved externally. If retrieved, they're 
                 # added to the bag.
+                log.debug("Making query to PIP for additional subject "
+                          "attributes to satify match")
+                
                 attributeValues = context.ctxHandler.pipQuery(context, self)
                 if attributeValues is not None:
-                    attributeValueBag.extend(attributeValues)
+                    log.debug("PIP retrieved additional subject attributes: %r",
+                              attributeValues)
+                    
+                    # Weed out any duplicates
+                    if len(attributeValueBag) > 0:
+                        filtAttributeValues = [attrVal 
+                                           for attrVal in attributeValues 
+                                           if attrVal not in attributeValueBag]
+                        
+                    attributeValueBag.extend(filtAttributeValues)
                     
         if len(attributeValueBag) == 0 and self.mustBePresent:

TI12-security/trunk/ndg_xacml/ndg/xacml/core/attributevalue.py

@@ -131 +131 @@
         return "%s = %r " % (super(AttributeValue, self).__repr__(),
                              self.__value)
+
+    def __eq__(self, attrVal):
+        """Check for equality by comparing the value attributes"""
+        if not isinstance(attrVal, self.__class__):
+            raise TypeError('Expecting %r type for "value" '
+                            'attribute; got %r' % (self.__class__.TYPE, 
+                                                   type(attrVal)))
+            
+        return self.__value == attrVal.value
     
     def _get_value(self):

TI12-security/trunk/ndg_xacml/ndg/xacml/core/functions/__init__.py

@@ -278 +278 @@
     )
 
-
+from ndg.xacml import XacmlError
+
+
+class UnsupportedFunctionError(XacmlError):
+    """Encountered a function type that is not recognised as part of the XACML
+    specification and is not supported in this implementation"""
+
+ 
+class UnsupportedStdFunctionError(UnsupportedFunctionError): 
+    """Encountered a function type that is not supported even though it is
+    part of the XACML specification"""
+    
+    
+def unsupportedFunctionErrorFactory(identifier, msg=None):
+    """Factory function to return an unsupported function exception based on
+    the function identifier passed in
+    
+    @param identifier: XACML function namespace to check
+    @type identifier: basestring
+    
+    @return: unsupported function exception instance
+    @rtype: UnsupportedFunctionError or UnsupportedStdFunctionError depending
+    on the identifier passed
+    """
+    if identifier in XacmlFunctionNames.FUNCTION_NAMES:
+        if msg is None:
+            msg = "%s: %s" % (UnsupportedStdFunctionError.__doc__, identifier)
+            
+        raise UnsupportedStdFunctionError(msg)
+    else:
+        if msg is None:
+            msg = "%s: %s" % (UnsupportedFunctionError.__doc__, identifier)
+            
+        raise UnsupportedFunctionError(msg)
+    
+    
 class FunctionClassFactoryInterface(object):
     """Interface class for function module class factory class
@@ -443 +478 @@
             
     def __call__(self, identifier):
-        """Return the class for the given XACML *-at-least-one-member-of type
-        function identifier
+        """Return the class for the given XACML type function identifier
+        
         @param identifier: XACML *-at-least-one-member-of type function
         identifier
@@ -622 +657 @@
             self[functionNs] = NotImplemented
         else:
-            self[functionNs] = functionFactory(functionNs)
+            function = functionFactory(functionNs)
+            if function is None:
+                raise unsupportedFunctionErrorFactory(functionNs)
+                
+            self[functionNs] = function
             self.__classFactoryMap[functionNs] = functionFactory
                        

TI12-security/trunk/ndg_xacml/ndg/xacml/core/functions/v1/at_least_one_member_of.py

@@ -54 +54 @@
                                         '"set2"; got %r' %
                                         (self.__class__.TYPE, set2.elementType))
+            
+        _set1 = set([attr.value for attr in set1])
+        _set2 = set([attr.value for attr in set2])
         
-        set2Values = [attr.value for attr in set2]
-        for i in set1:
-            if i.value in set2Values:
-                return True
-            
-        return False
+        return len(list(_set1 & _set2)) > 0
     
 

TI12-security/trunk/ndg_xacml/ndg/xacml/core/functions/v1/match.py

@@ -24 +24 @@
     TYPE = None
     
-    def evaluate(self, string1, string2):
-        """Match input strings
+    def evaluate(self, input1, input2):
+        """Match two inputs of type self.__class__.TYPE
         
-        @param string1: first of two strings to match
-        @type string1: basestring
-        @param string2: second string
-        @type string2: basestring
-        @return: True if strings match, False otherwise
+        @param input1: first of two inputs to match
+        @type input1: self.__class__.TYPE
+        @param input2: second input
+        @type input2: self.__class__.TYPE
+        @return: True if inputs match, False otherwise
         @rtype: bool
         """
-        if not isinstance(string1, basestring):
+        if not isinstance(input1, self.__class__.TYPE):
             raise XacmlContextTypeError('Expecting %r derived type for '
-                                        '"string1"; got %r' %
+                                        '"input1"; got %r' %
                                         (self.__class__.TYPE, 
-                                         type(string1)))
+                                         type(input1)))
             
-        if not isinstance(string2, self.__class__.TYPE):
+        if not isinstance(input2, self.__class__.TYPE):
             raise XacmlContextTypeError('Expecting %r derived type for '
-                                        '"string2"; got %r' %
+                                        '"input2"; got %r' %
                                         (self.__class__.TYPE, 
-                                         type(string2)))
+                                         type(input2)))
             
-        return string1 == string2
+        return input1 == input2
  
     

TI12-security/trunk/ndg_xacml/ndg/xacml/core/functions/v1/regexp_match.py

@@ -89 +89 @@
         @type identifier: basestring
         @return: at least one member of class corresponding to the given input
-        identifier
-        @rtype: ndg.xacml.core.functions.v1.round.Round
+        identifier, if no match is found returns None
+        @rtype: ndg.xacml.core.functions.v1.regexp_match.StringRegexMatch / None
         '''
         if identifier == StringRegexMatch.FUNCTION_NS:

TI12-security/trunk/ndg_xacml/ndg/xacml/core/match.py

@@ -17 +17 @@
 from ndg.xacml.core.attributedesignator import AttributeDesignator
 from ndg.xacml.core.attributeselector import AttributeSelector
-from ndg.xacml.core.functions import FunctionMap
+from ndg.xacml.core.functions import (FunctionMap, UnsupportedStdFunctionError,
+                                      UnsupportedFunctionError)
 from ndg.xacml.core.context.exceptions import XacmlContextError
-from ndg.xacml.core.exceptions import (UnsupportedStdFunctionError,
-                                       UnsupportedFunctionError)
 
 
@@ -335 +334 @@
                               self.matchId)
         
-        # Need check for len() because any([]) yields True!           
+        # Need check for len() because all([]) yields True!           
         matchStatus = (len(attrMatchStatusValues) > 0 and 
                        all(attrMatchStatusValues))

TI12-security/trunk/ndg_xacml/ndg/xacml/core/policy.py

@@ -23 +23 @@
 from ndg.xacml.core.rule_combining_alg import (RuleCombiningAlgClassFactory,
                                                RuleCombiningAlgInterface)
-from ndg.xacml.core.exceptions import (UnsupportedStdFunctionError,
-                                       UnsupportedFunctionError)
+from ndg.xacml.core.functions import (UnsupportedStdFunctionError,
+                                      UnsupportedFunctionError)
 
 # Evaluation of a request context

TI12-security/trunk/ndg_xacml/ndg/xacml/core/rule.py

@@ -353 +353 @@
             log.debug('Evaluating rule %r ...', self.id)
             
-            # Default to indeterminate
+            # Instantiation implicitly sets to default value of Indeterminate
             decision = Decision()
             
@@ -384 +384 @@
                 conditionStatus = True
                 
+            # Ref. Spec. 7.9 Rule evaluation, Nb. to get this far, the target
+            # must evaluated as True
             if conditionStatus:
                 decision = Decision(decision=self.effect.value)
+            else:
+                decision = Decision.NOT_APPLICABLE
                 
             return decision

TI12-security/trunk/ndg_xacml/ndg/xacml/test/ndg1.xml

@@ -58 +58 @@
             
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>