Changeset 7682 for TI12-security/trunk/ndg_xacml/ndg

Timestamp:

01/11/10 16:30:22 (10 years ago)

Author:

pjkersha

Message:

Working and tested version with functionality for adding custom attribute value types and functions.

Location:

TI12-security/trunk/ndg_xacml/ndg/xacml

Files:

• core/attributevalue.py (modified) (1 diff)
• core/functions/__init__.py (modified) (1 diff)
• core/rule.py (modified) (1 diff)
• core/rule_combining_alg.py (modified) (4 diffs)
• parsers/etree/policyreader.py (modified) (1 diff)
• test/__init__.py (modified) (2 diffs)
• test/context/test_pdp.py (modified) (1 diff)
• test/context/test_pdp_with_custom_attributevalue_types.py (modified) (4 diffs)
• test/esgf1.xml (modified) (2 diffs)
• test/ndg1.xml (modified) (1 diff)
• test/policy/test_policy.py (modified) (3 diffs)

TI12-security/trunk/ndg_xacml/ndg/xacml/core/attributevalue.py

@@ -150 +150 @@
     def __repr__(self):
         return "%s = %r " % (super(AttributeValue, self).__repr__(),
-                             self.__value)
+                             self.value)
 
     def __eq__(self, attrVal):

TI12-security/trunk/ndg_xacml/ndg/xacml/core/functions/__init__.py

@@ -611 +611 @@
         @type functionNs: basestring
         """
+        # Try map for custom function class
+        if functionNs in self:
+            return self[functionNs]
+        
+        # else try the class factory - there is one factory per family of 
+        # functions e.g. bag functions, at least one member of functions etc.
         functionFactory = self.__classFactoryMap.get(functionNs)
         if functionFactory is not None:

TI12-security/trunk/ndg_xacml/ndg/xacml/core/rule.py

@@ -390 +390 @@
             else:
                 decision = Decision.NOT_APPLICABLE
-                
+               
+            log.debug('Rule %r evaluates to %s', self.id, decision) 
             return decision
         

TI12-security/trunk/ndg_xacml/ndg/xacml/core/rule_combining_alg.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
-from abc import ABCMeta, abstractmethod
+import logging
+log = logging.getLogger(__name__)
+
+from abc import abstractmethod
 
 from ndg.xacml.core.context.result import Decision
@@ -86 +89 @@
                 atLeastOneError = True
     
-                if effect(rule) == Decision.DENY:
+                if rule.effect.value == Decision.DENY:
                     potentialDeny = True
                     
@@ -130 +133 @@
             
             if decision == Decision.PERMIT:
+                log.debug("Rule %r permits, returning overall permit decision",
+                          rule.id)
                 return Decision.PERMIT
             
@@ -144 +149 @@
         
         if potentialPermit:
+            log.debug('Rule found with potential permit but it evaluates to '
+                      'indeterminate, returning overall indeterminate decision')
             return Decision.INDETERMINATE
         
         if atLeastOneDeny:
+            log.debug('At least one rule with a deny decision found, returning '
+                      'overall deny decision')
             return Decision.DENY
         
         if atLeastOneError:
-            return Decision.INDETERMINATE
-        
+            log.debug('At least one rule with an error found, returning '
+                      'overall indeterminate decision')
+            return Decision.INDETERMINATE
+        
+        log.debug('No rules were applicable to the request, returning '
+                  'overall not applicable decision')
         return Decision.NOT_APPLICABLE
 

TI12-security/trunk/ndg_xacml/ndg/xacml/parsers/etree/policyreader.py

@@ -98 +98 @@
             elif localName == Rule.ELEMENT_LOCAL_NAME:
                 RuleReader = ReaderFactory.getReader(Rule)
-                policy.rules.append(RuleReader.parse(childElem))
+                rule = RuleReader.parse(childElem)
+                if rule.id in [_rule.id for _rule in policy.rules]:
+                    raise XMLParseError("Duplicate Rule ID %r found" % rule.id)
+                    
+                policy.rules.append(rule)
                    
             elif localName == xacmlType.OBLIGATIONS_LOCAL_NAME:

TI12-security/trunk/ndg_xacml/ndg/xacml/test/__init__.py

@@ -14 +14 @@
 from ndg.xacml.core.attributevalue import (AttributeValueClassFactory, 
                                            AttributeValue)
+from ndg.xacml.core.functions.v1.bag import BagBase
+from ndg.xacml.core.functions.v1.at_least_one_member_of import \
+    AtLeastOneMemberOfBase 
+    
 from ndg.xacml.parsers import XMLParseError
 from ndg.xacml.parsers.etree import QName
@@ -46 +50 @@
     def value(self):
         """Override default value property to give custom result.  Also,
-        'value' becomes a read-only property"""
-        return self.group, self.value
+        'value' becomes a read-only property.  Making this change is critical
+        to the function of the GroupRoleAtLeastOneMemberOf class below - it
+        relies on being able to make comparison of the value attribute of 
+        different GroupRoleAttributeValue instances.  Defined this way, 
+        comparison is by group,role to group,role tuple
+        """
+        return self.group, self.role
     
+
+class GroupRoleBag(BagBase):
+    """Bag function for Group/Role custom attribute value type"""
+    TYPE = GroupRoleAttributeValue
+    FUNCTION_NS = 'urn:grouprole-bag'
+
+  
+class GroupRoleAtLeastOneMemberOf(AtLeastOneMemberOfBase):
+    """At least one member of function for Group/Role custom attribute value 
+    type"""
+    TYPE = GroupRoleAttributeValue
+    FUNCTION_NS = 'urn:grouprole-bag'
+
     
 class ETreeGroupRoleDataTypeReader(ETreeDataTypeReaderBase):

TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp.py

@@ -36 +36 @@
         'http://localhost/action-and-single-subject-role-restricted'
     AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
-        'http://localhost/at-least-of-subject-role-restricted'
+        'http://localhost/at-least-one-of-subject-role-restricted'
         
     def setUp(self):

TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp_with_custom_attributevalue_types.py

@@ -20 +20 @@
 from ndg.xacml.core.attributevalue import AttributeValueClassFactory
 from ndg.xacml.core.functions import functionMap
-from ndg.xacml.core.functions.v1.bag import BagBase
-from ndg.xacml.core.functions.v1.at_least_one_member_of import \
-    AtLeastOneMemberOfBase 
 from ndg.xacml.core.context.request import Request
 from ndg.xacml.core.context.subject import Subject
@@ -35 +32 @@
 from ndg.xacml.test import (XACML_ESGFTEST1_FILEPATH,  
                             GroupRoleAttributeValue, 
-                            ETreeGroupRoleDataTypeReader)
+                            ETreeGroupRoleDataTypeReader,
+                            GroupRoleBag,
+                            GroupRoleAtLeastOneMemberOf)
 from ndg.xacml.test.context import (AnyUriAttributeValue, StringAttributeValue,
                                     SUBJECT_ID)
 
-
+    
 class XacmlEvalPdpWithCustomAttrTypes(unittest.TestCase):
     """Evaluate a policy which contains custom XACML Attribute Value Data types
     """
     AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
-        'http://localhost/at-least-of-subject-role-restricted'       
-         
+        'http://localhost/at-least-one-of-subject-role-restricted'       
+    SUBJECT_DOES_NOT_HAVE_ANY_OF_SPECIFIED_ROLES_ID = \
+        'http://localhost/subject-does-not-have-any-of-specified-roles'
+        
     @staticmethod
     def _createRequestCtx(resourceId, 
@@ -121 +122 @@
         
         # Add extra matching and bag functions
+        functionMap['urn:grouprole-bag'] = GroupRoleBag
+        functionMap['urn:grouprole-at-least-one-member-of'
+                    ] = GroupRoleAtLeastOneMemberOf
         
         # Example policy with custom attribute value type used with ESGF 
@@ -135 +139 @@
             self.failIf(result.decision != Decision.PERMIT, 
                         "Expecting Permit decision")    
-            
+                    
+    def test02SubjectDoesNotHaveAnyOfSpecifiedRolesForResource(self):
+        # Test at least one member function
+        request = self._createRequestCtx(
+        self.__class__.SUBJECT_DOES_NOT_HAVE_ANY_OF_SPECIFIED_ROLES_ID,
+        action='write')
+        
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.DENY, 
+                        "Expecting Deny decision")    
+           
             
 if __name__ == "__main__":

TI12-security/trunk/ndg_xacml/ndg/xacml/test/esgf1.xml

@@ -45 +45 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-one-of-subject-role-restricted.*$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
@@ -83 +83 @@
         </Condition>
     </Rule>
+    <Rule RuleId="Subject doesn't have any of specified roles" Effect="Permit">
+        <!-- 
+            Example where test subject doesn't have the required roles
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Pattern match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/subject-does-not-have-any-of-specified-roles.*$</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        
+        <!-- 
+            The condition narrows down the constraints layed down in the target to
+            something more specific
+            
+            The user must have at least one of the roles set - in this
+            case 'staff'
+        -->
+        <Condition>
+            <Apply FunctionId="urn:grouprole-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:esg:attr"
+                    DataType="urn:grouprole"/>
+                <Apply FunctionId="urn:grouprole-bag">
+                    <AttributeValue DataType="urn:grouprole">
+                        <esg:groupRole>
+                            <esg:group>ACME</esg:group>
+                            <esg:role>PrincipalInvestigator</esg:role>
+                        </esg:groupRole>
+                    </AttributeValue>
+                    <AttributeValue DataType="urn:grouprole">
+                        <esg:groupRole>
+                            <esg:group>Staff</esg:group>
+                            <esg:role>Administrator</esg:role>
+                        </esg:groupRole>
+                    </AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
 </Policy>

TI12-security/trunk/ndg_xacml/ndg/xacml/test/ndg1.xml

@@ -131 +131 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-one-of-subject-role-restricted.*$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"

TI12-security/trunk/ndg_xacml/ndg/xacml/test/policy/test_policy.py

@@ -17 +17 @@
 
 from ndg.xacml.core.policy import Policy
+from ndg.xacml.core.functions import functionMap
 from ndg.xacml.core.attributedesignator import SubjectAttributeDesignator
 from ndg.xacml.core.attributeselector import AttributeSelector
@@ -26 +27 @@
 from ndg.xacml.test import (XACML_NDGTEST1_FILEPATH, THIS_DIR, 
                             GroupRoleAttributeValue, 
-                            ETreeGroupRoleDataTypeReader)
+                            ETreeGroupRoleDataTypeReader,
+                            GroupRoleBag,
+                            GroupRoleAtLeastOneMemberOf)
                                
     
@@ -275 +278 @@
                                 ETreeGroupRoleDataTypeReader)
         
+        # Add extra matching and bag functions
+        functionMap['urn:grouprole-bag'] = GroupRoleBag
+        functionMap['urn:grouprole-at-least-one-member-of'
+                    ] = GroupRoleAtLeastOneMemberOf
+                            
         PolicyReader = ReaderFactory.getReader(Policy)
         policy = PolicyReader.parse(self.__class__.XACML_ESGFTEST1_FILEPATH)