Changeset 7664
- Timestamp:
- 28/10/10 14:24:25 (9 years ago)
- Location:
- TI12-security/trunk/ndg_xacml/ndg/xacml/test
- Files:
-
- 5 added
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
TI12-security/trunk/ndg_xacml/ndg/xacml/test/__init__.py
r7087 r7664 12 12 from os import path 13 13 14 import unittest 15 14 16 THIS_DIR = path.dirname(__file__) 15 17 XACML_NDGTEST1_FILENAME = "ndg1.xml" 16 18 XACML_NDGTEST1_FILEPATH = path.join(THIS_DIR, XACML_NDGTEST1_FILENAME) 19 20 21 class XacmlContextBaseTestCase(unittest.TestCase): 22 """Base class containing common methods for test initialisation""" 23 24 def _createRequestCtx(self, 25 resourceId, 26 includeSubject=True, 27 subjectRoles=('staff',), 28 roleAttributeId=ROLE_ATTRIBUTE_ID, 29 action='read'): 30 """Create an example XACML Request Context for tests""" 31 request = Request() 32 33 if includeSubject: 34 subject = Subject() 35 openidSubjectAttribute = Attribute() 36 37 38 openidSubjectAttribute.attributeId = "urn:esg:openid" 39 openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 40 41 openidSubjectAttribute.attributeValues.append( 42 AnyUriAttributeValue()) 43 openidSubjectAttribute.attributeValues[-1].value = SUBJECT_ID 44 45 46 subject.attributes.append(openidSubjectAttribute) 47 48 for role in subjectRoles: 49 roleAttribute = Attribute() 50 51 roleAttribute.attributeId = roleAttributeId 52 roleAttribute.dataType = StringAttributeValue.IDENTIFIER 53 54 roleAttribute.attributeValues.append(StringAttributeValue()) 55 roleAttribute.attributeValues[-1].value = role 56 57 subject.attributes.append(roleAttribute) 58 59 request.subjects.append(subject) 60 61 resource = Resource() 62 resourceAttribute = Attribute() 63 resource.attributes.append(resourceAttribute) 64 65 resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID 66 67 resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 68 resourceAttribute.attributeValues.append(AnyUriAttributeValue()) 69 resourceAttribute.attributeValues[-1].value = resourceId 70 71 request.resources.append(resource) 72 73 request.action = Action() 74 actionAttribute = Attribute() 75 request.action.attributes.append(actionAttribute) 76 77 actionAttribute.attributeId = Identifiers.Action.ACTION_ID 78 actionAttribute.dataType = StringAttributeValue.IDENTIFIER 79 actionAttribute.attributeValues.append(StringAttributeValue()) 80 actionAttribute.attributeValues[-1].value = action 81 82 return request 83 84 def _createPDPfromNdgTest1Policy(self): 85 pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory) 86 return pdp 87 -
TI12-security/trunk/ndg_xacml/ndg/xacml/test/test_context.py
r7443 r7664 38 38 ROLE_ATTRIBUTE_ID = "urn:ndg:security:authz:1.0:attr" 39 39 SUBJECT_ID = 'https://my.name.somewhere.ac.uk' 40 40 41 41 42 class TestContextHandler(CtxHandlerInterface): … … 84 85 return [attrVal] 85 86 else: 86 return None 87 88 89 class XacmlContextBaseTestCase(unittest.TestCase): 90 """Base class containing common methods for test initialisation""" 91 92 def _createRequestCtx(self, 93 resourceId, 94 includeSubject=True, 95 subjectRoles=('staff',), 96 roleAttributeId=ROLE_ATTRIBUTE_ID, 97 action='read'): 98 """Create an example XACML Request Context for tests""" 99 request = Request() 100 101 if includeSubject: 102 subject = Subject() 103 openidSubjectAttribute = Attribute() 104 105 106 openidSubjectAttribute.attributeId = "urn:esg:openid" 107 openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 108 109 openidSubjectAttribute.attributeValues.append( 110 AnyUriAttributeValue()) 111 openidSubjectAttribute.attributeValues[-1].value = SUBJECT_ID 112 113 114 subject.attributes.append(openidSubjectAttribute) 115 116 for role in subjectRoles: 117 roleAttribute = Attribute() 118 119 roleAttribute.attributeId = roleAttributeId 120 roleAttribute.dataType = StringAttributeValue.IDENTIFIER 121 122 roleAttribute.attributeValues.append(StringAttributeValue()) 123 roleAttribute.attributeValues[-1].value = role 124 125 subject.attributes.append(roleAttribute) 126 127 request.subjects.append(subject) 128 129 resource = Resource() 130 resourceAttribute = Attribute() 131 resource.attributes.append(resourceAttribute) 132 133 resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID 134 135 resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 136 resourceAttribute.attributeValues.append(AnyUriAttributeValue()) 137 resourceAttribute.attributeValues[-1].value = resourceId 138 139 request.resources.append(resource) 140 141 request.action = Action() 142 actionAttribute = Attribute() 143 request.action.attributes.append(actionAttribute) 144 145 actionAttribute.attributeId = Identifiers.Action.ACTION_ID 146 actionAttribute.dataType = StringAttributeValue.IDENTIFIER 147 actionAttribute.attributeValues.append(StringAttributeValue()) 148 actionAttribute.attributeValues[-1].value = action 149 150 return request 151 152 def _createPDPfromPolicy(self): 153 pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory) 154 return pdp 87 return None 155 88 156 89 … … 184 117 185 118 def test07CreatePDPfromPolicy(self): 186 pdp = self._createPDPfrom Policy()119 pdp = self._createPDPfromNdgTest1Policy() 187 120 self.assert_(pdp) 188 189 190 class XacmlEvalPdpWithPermitOverridesPolicy(XacmlContextBaseTestCase):191 """Test PDP with permit overrides rule combining algorithm"""192 193 NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'194 195 # This could be any applicable resource value, provided there's no rule to196 # override and enable access197 PRIVATE_RESOURCE_ID = 'http://localhost/private-resource'198 199 PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted'200 NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'201 202 SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \203 'http://localhost/single-subject-role-restricted'204 ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \205 'http://localhost/action-and-single-subject-role-restricted'206 AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \207 'http://localhost/at-least-of-subject-role-restricted'208 209 def setUp(self):210 self.pdp = self._createPDPfromPolicy()211 212 def test01NotApplicable(self):213 # Set a resource Id that doesn't match the main target214 request = self._createRequestCtx(215 self.__class__.NOT_APPLICABLE_RESOURCE_ID)216 response = self.pdp.evaluate(request)217 self.failIf(response is None, "Null response")218 for result in response.results:219 self.failIf(result.decision != Decision.NOT_APPLICABLE,220 "Expecting not applicable decision")221 222 def test02PublicallyAccessibleResource(self):223 # Test a resource which has no subject restrictions224 request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID,225 includeSubject=False)226 response = self.pdp.evaluate(request)227 self.failIf(response is None, "Null response")228 for result in response.results:229 self.failIf(result.decision != Decision.PERMIT,230 "Expecting Permit decision")231 232 def test03PrivateResource(self):233 request = self._createRequestCtx(234 self.__class__.PRIVATE_RESOURCE_ID)235 response = self.pdp.evaluate(request)236 self.failIf(response is None, "Null response")237 for result in response.results:238 self.failIf(result.decision != Decision.DENY,239 "Expecting Deny decision")240 241 def test04SingleSubjectRoleRestrictedResource(self):242 # Access based on a resource ID and single subject role243 request = self._createRequestCtx(244 self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID)245 response = self.pdp.evaluate(request)246 self.failIf(response is None, "Null response")247 for result in response.results:248 self.failIf(result.decision != Decision.PERMIT,249 "Expecting Permit decision")250 251 def test05SingleSubjectRoleRestrictedResourceDeniesAccess(self):252 # Subject doesn't have the required role for access253 request = self._createRequestCtx(254 self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID,255 subjectRoles=('student',))256 response = self.pdp.evaluate(request)257 self.failIf(response is None, "Null response")258 for result in response.results:259 self.failIf(result.decision != Decision.DENY,260 "Expecting Deny decision")261 262 def test06ActionAndSingleSubjectRoleRestrictedResource(self):263 # Test restriction based on action type as well as subject role264 request = self._createRequestCtx(265 self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID)266 response = self.pdp.evaluate(request)267 self.failIf(response is None, "Null response")268 for result in response.results:269 self.failIf(result.decision != Decision.PERMIT,270 "Expecting Permit decision")271 272 def test07ActionAndSingleSubjectRoleRestrictedResourceDeniesAccess(self):273 # Test subject requests invalid action type274 request = self._createRequestCtx(275 self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID,276 action='write')277 response = self.pdp.evaluate(request)278 self.failIf(response is None, "Null response")279 for result in response.results:280 self.failIf(result.decision != Decision.DENY,281 "Expecting Deny decision")282 283 def test08AtLeastOneSubjectRoleResource(self):284 # Test at least one member function285 request = self._createRequestCtx(286 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,287 action='write')288 response = self.pdp.evaluate(request)289 self.failIf(response is None, "Null response")290 for result in response.results:291 self.failIf(result.decision != Decision.PERMIT,292 "Expecting Permit decision")293 294 def test09AtLeastOneSubjectRoleResourceDeniesAccess(self):295 # Test at least one member function where subject doesn't have one of296 # the required roles297 request = self._createRequestCtx(298 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,299 subjectRoles=('student',))300 response = self.pdp.evaluate(request)301 self.failIf(response is None, "Null response")302 for result in response.results:303 self.failIf(result.decision != Decision.DENY,304 "Expecting Deny decision")305 306 def test10PipAddsRequiredAttributeValToEnableAccess(self):307 # The PDP is part of a context handler with a PIP which adds subject308 # attributes under prescribed conditions on the evaluation of309 # subject attribute designators. In this case the addition of the PIP310 # adds an attribute value to one of the subject's attributes which means311 # they're granted access where otherwise access would be denied312 ctxHandler = TestContextHandler()313 ctxHandler.pdp = self.pdp314 315 request = self._createRequestCtx(316 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,317 subjectRoles=('student',))318 319 response = ctxHandler.handlePEPRequest(request)320 self.failIf(response is None, "Null response")321 for result in response.results:322 self.failIf(result.decision != Decision.PERMIT,323 "Expecting PERMIT decision")324 121 325 122
Note: See TracChangeset
for help on using the changeset viewer.