Working XACML implementation with permit-overrides rule combining algorithm.

1"""NDG XACML Condition type definition
2
3NERC DataGrid Project
4"""
5__author__ = "P J Kershaw"
6__date__ = "15/04/10"
7__copyright__ = "(C) 2010 Science and Technology Facilities Council"
8__contact__ = "Philip.Kershaw@stfc.ac.uk"
9__license__ = "BSD - see LICENSE file in top-level directory"
10__contact__ = "Philip.Kershaw@stfc.ac.uk"
11__revision__ = "$Id: $"
12from abc import ABCMeta, abstractmethod
13
14from ndg.xacml.core.context.result import Decision
15
16
# Identifier URNs of the XACML 1.0 / 1.1 combining algorithms, in the order
# they appear in the specs.  Both *rule*- and *policy*-combining identifiers
# are listed even though this module only provides a rule combining
# implementation (see RuleCombiningAlgClassFactory below).
ALGORITHMS = tuple(
    'urn:oasis:names:tc:xacml:%s:%s-combining-algorithm:%s' % (ver, scope, name)
    for ver, scope, name in (
        # XACML 1.0
        ('1.0', 'rule', 'deny-overrides'),
        ('1.0', 'policy', 'deny-overrides'),
        ('1.0', 'rule', 'permit-overrides'),
        ('1.0', 'policy', 'permit-overrides'),
        ('1.0', 'rule', 'first-applicable'),
        ('1.0', 'policy', 'first-applicable'),
        ('1.0', 'policy', 'only-one-applicable'),
        # XACML 1.1 ordered variants
        ('1.1', 'rule', 'ordered-deny-overrides'),
        ('1.1', 'policy', 'ordered-deny-overrides'),
        ('1.1', 'rule', 'ordered-permit-overrides'),
        ('1.1', 'policy', 'ordered-permit-overrides'),
    )
)
30
31
class RuleCombiningAlgInterface(object):
    """Interface class for XACML rule combining algorithms.

    Derived classes override ``evaluate``.  Note that this class does not
    declare ``ABCMeta`` as its metaclass, so the ``@abstractmethod`` marker on
    ``evaluate`` is not enforced at instantiation time: a subclass that omits
    the override silently inherits the INDETERMINATE result below rather than
    raising.
    """

    @abstractmethod
    def evaluate(self, rules, context):
        """Combine the input rule results into a single access control
        decision.  Derived classes must implement this method; this base
        implementation makes no decision at all.

        @param rules: rules from the policy.  Decisions from these will be put
        together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: always INDETERMINATE for the base class
        @rtype: ndg.xacml.core.context.result.Decision
        """
        # Fail closed: with no combining logic the base class never yields
        # PERMIT - the rules and context are deliberately not consulted.
        return Decision.INDETERMINATE
50
51
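class PermitOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
    """Implementation of the permit-overrides XACML rule combining algorithm
    (XACML 2.0 spec., Appendix C.3).

    Precedence of the combined result: a single PERMIT wins immediately; an
    INDETERMINATE from a rule whose effect is Permit makes the result
    INDETERMINATE (the rule *might* have permitted); otherwise any DENY gives
    DENY; otherwise any INDETERMINATE gives INDETERMINATE; otherwise (including
    an empty rule list) NOT_APPLICABLE.
    """

    def evaluate(self, rules, context):
        """Evaluate each rule against the request context and combine the
        individual decisions into one.  Follows the XACML 2.0 spec. pseudo
        code in Section C.3, with one hardening: a rule result that is none of
        the four XACML decisions is treated as INDETERMINATE instead of being
        silently skipped.

        @param rules: rules from the policy.  Each is evaluated and the
        decisions are put together into a single decision by this algorithm
        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
        @param context: request context to apply to the rules
        @type context: ndg.xacml.core.request.Request
        @return: resulting overall access control decision
        @rtype: ndg.xacml.core.context.result.Decision
        """
        at_least_one_error = False
        potential_permit = False
        at_least_one_deny = False

        for rule in rules:
            decision = rule.evaluate(context)

            if decision == Decision.DENY:
                # Remember it, but keep going: a later PERMIT still wins
                at_least_one_deny = True
                continue

            if decision == Decision.PERMIT:
                # Permit overrides everything else - no need to look further
                return Decision.PERMIT

            if decision == Decision.NOT_APPLICABLE:
                continue

            # INDETERMINATE - or a value that is none of the four XACML
            # decisions.  The spec pseudo code silently ignores the latter
            # (equivalent to NOT_APPLICABLE); here it counts as an error so a
            # misbehaving Rule cannot be dropped from the combined result.
            at_least_one_error = True

            # A rule that errored but would have permitted means the overall
            # outcome cannot safely be settled as DENY.  The effect is compared
            # in its string form (PERMIT_STR) - presumably how Effect stores it.
            if rule.effect.value == Decision.PERMIT_STR:
                potential_permit = True

        if potential_permit:
            return Decision.INDETERMINATE

        if at_least_one_deny:
            return Decision.DENY

        if at_least_one_error:
            return Decision.INDETERMINATE

        return Decision.NOT_APPLICABLE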
102
103   
class RuleCombiningAlgClassFactory(object):
    """Class Factory mapping Rule Combining Algorithm identifiers to their
    class implementations.

    An instance is called with an identifier URN and returns the implementing
    class.  Two non-class results are possible and callers must check for
    both before instantiating: NotImplemented for an identifier that is a
    valid XACML combining algorithm but has no implementation here, and None
    for an identifier that is not recognised at all.
    """

    # Start with every identifier in ALGORITHMS marked NotImplemented: an
    # algorithm is only usable once it is explicitly registered below(!).
    # ALGORITHMS also carries the *policy* combining identifiers; those map to
    # NotImplemented in this rule combining factory.
    DEFAULT_MAP = dict.fromkeys(ALGORITHMS, NotImplemented)

    # Permit overrides is the only algorithm implemented so far
    DEFAULT_MAP[
        'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides'
        ] = PermitOverridesRuleCombiningAlg

    def __init__(self, map=DEFAULT_MAP):
        """Initialise mapping of identifiers to class implementations.

        @param map: identifier URN -> implementing class.  Defaults to
        DEFAULT_MAP.  The dict is held by reference, not copied, so all
        factories created without an explicit mapping share the class-level
        default.  (The parameter name shadows the builtin but is kept for
        interface compatibility.)
        @type map: dict
        """
        self.__map = map

    def __call__(self, identifier):
        """Return the class for a given Rule Combining Algorithm identifier
        @param identifier: XACML rule combining algorithm urn
        @type identifier: basestring
        @return: rule combining class corresponding to the given input
        identifier
        @rtype: RuleCombiningAlgInterface derived type or NoneType if no match
        is found or NotImplementedType if the identifier corresponds to a valid
        XACML rule combining algorithm but is not supported in this
        implementation
        """
        # Unknown identifiers yield None rather than raising KeyError
        return self.__map.get(identifier, None)