source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp.py @ 7665

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp.py@7665
Revision 7665, 6.7 KB checked in by pjkersha, 10 years ago (diff)

Working tests refactored into policy and context sub-packages.

Line 
1'''
2Created on 28 Oct 2010
3
4@author: pjkersha
5'''
6import unittest
7
8from ndg.xacml.core.context.result import Decision
9from ndg.xacml.test.context import XacmlContextBaseTestCase, TestContextHandler
10
11   
12class XacmlEvalPdpWithPermitOverridesPolicyTestCase(XacmlContextBaseTestCase):
13    """Test PDP with permit overrides rule combining algorithm"""
14   
15    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
16   
17    # This could be any applicable resource value, provided there's no rule to
18    # override and enable access
19    PRIVATE_RESOURCE_ID = 'http://localhost/private-resource'
20   
21    PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted'
22    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
23       
24    SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
25        'http://localhost/single-subject-role-restricted'
26    ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
27        'http://localhost/action-and-single-subject-role-restricted'
28    AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
29        'http://localhost/at-least-of-subject-role-restricted'
30       
31    def setUp(self):
32        self.pdp = self._createPDPfromNdgTest1Policy()
33       
34    def test01NotApplicable(self):
35        # Set a resource Id that doesn't match the main target
36        request = self._createRequestCtx(
37                                    self.__class__.NOT_APPLICABLE_RESOURCE_ID)
38        response = self.pdp.evaluate(request)
39        self.failIf(response is None, "Null response")
40        for result in response.results:
41            self.failIf(result.decision != Decision.NOT_APPLICABLE, 
42                        "Expecting not applicable decision")
43       
44    def test02PublicallyAccessibleResource(self):
45        # Test a resource which has no subject restrictions
46        request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID,
47                                         includeSubject=False)
48        response = self.pdp.evaluate(request)
49        self.failIf(response is None, "Null response")
50        for result in response.results:
51            self.failIf(result.decision != Decision.PERMIT, 
52                        "Expecting Permit decision")
53       
54    def test03PrivateResource(self):
55        request = self._createRequestCtx(
56                                    self.__class__.PRIVATE_RESOURCE_ID)
57        response = self.pdp.evaluate(request)
58        self.failIf(response is None, "Null response")
59        for result in response.results:
60            self.failIf(result.decision != Decision.DENY, 
61                        "Expecting Deny decision")
62
63    def test04SingleSubjectRoleRestrictedResource(self):
64        # Access based on a resource ID and single subject role
65        request = self._createRequestCtx(
66                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
67        response = self.pdp.evaluate(request)
68        self.failIf(response is None, "Null response")
69        for result in response.results:
70            self.failIf(result.decision != Decision.PERMIT, 
71                        "Expecting Permit decision") 
72
73    def test05SingleSubjectRoleRestrictedResourceDeniesAccess(self):
74        # Subject doesn't have the required role for access
75        request = self._createRequestCtx(
76                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
77                            subjectRoles=('student',))
78        response = self.pdp.evaluate(request)
79        self.failIf(response is None, "Null response")
80        for result in response.results:
81            self.failIf(result.decision != Decision.DENY, 
82                        "Expecting Deny decision") 
83
84    def test06ActionAndSingleSubjectRoleRestrictedResource(self):
85        # Test restriction based on action type as well as subject role
86        request = self._createRequestCtx(
87                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
88        response = self.pdp.evaluate(request)
89        self.failIf(response is None, "Null response")
90        for result in response.results:
91            self.failIf(result.decision != Decision.PERMIT, 
92                        "Expecting Permit decision")
93
94    def test07ActionAndSingleSubjectRoleRestrictedResourceDeniesAccess(self):
95        # Test subject requests invalid action type
96        request = self._createRequestCtx(
97                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
98                    action='write')
99        response = self.pdp.evaluate(request)
100        self.failIf(response is None, "Null response")
101        for result in response.results:
102            self.failIf(result.decision != Decision.DENY, 
103                        "Expecting Deny decision") 
104
105    def test08AtLeastOneSubjectRoleResource(self):
106        # Test at least one member function
107        request = self._createRequestCtx(
108                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
109                    action='write')
110        response = self.pdp.evaluate(request)
111        self.failIf(response is None, "Null response")
112        for result in response.results:
113            self.failIf(result.decision != Decision.PERMIT, 
114                        "Expecting Permit decision")             
115
116    def test09AtLeastOneSubjectRoleResourceDeniesAccess(self):
117        # Test at least one member function where subject doesn't have one of
118        # the required roles
119        request = self._createRequestCtx(
120                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
121                    subjectRoles=('student',))
122        response = self.pdp.evaluate(request)
123        self.failIf(response is None, "Null response")
124        for result in response.results:
125            self.failIf(result.decision != Decision.DENY, 
126                        "Expecting Deny decision")             
127   
128    def test10PipAddsRequiredAttributeValToEnableAccess(self):
129        # The PDP is part of a context handler with a PIP which adds subject
130        # attributes under prescribed conditions on the evaluation of
131        # subject attribute designators.  In this case the addition of the PIP
132        # adds an attribute value to one of the subject's attributes which means
133        # they're granted access where otherwise access would be denied
134        ctxHandler = TestContextHandler()
135        ctxHandler.pdp = self.pdp
136       
137        request = self._createRequestCtx(
138                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
139                    subjectRoles=('student',))
140       
141        response = ctxHandler.handlePEPRequest(request)
142        self.failIf(response is None, "Null response")
143        for result in response.results:
144            self.failIf(result.decision != Decision.PERMIT, 
145                        "Expecting PERMIT decision")         
146
147
148if __name__ == "__main__":
149    unittest.main()
Note: See TracBrowser for help on using the repository browser.