source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp.py @ 7666

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/ndg_xacml/ndg/xacml/test/context/test_pdp.py@7666
Revision 7666, 7.0 KB checked in by pjkersha, 10 years ago (diff)

Started testing PDP with custom Group/Role? Attribute Value type. Custom match and Bag functions are needed to enable evaluation of rules using the custom type.

Line 
1#!/usr/bin/env python
2"""NDG XACML PDP unit tests
3
4NERC DataGrid
5"""
6__author__ = "P J Kershaw"
7__date__ = "28/10/10"
8__copyright__ = "(C) 2010 Science and Technology Facilities Council"
9__contact__ = "Philip.Kershaw@stfc.ac.uk"
10__license__ = "BSD - see LICENSE file in top-level directory"
11__contact__ = "Philip.Kershaw@stfc.ac.uk"
12__revision__ = "$Id$"
13import unittest
14import logging
15logging.basicConfig(level=logging.DEBUG)
16
17from ndg.xacml.core.context.result import Decision
18from ndg.xacml.test.context import XacmlContextBaseTestCase, TestContextHandler
19
20   
21class XacmlEvalPdpWithPermitOverridesPolicyTestCase(XacmlContextBaseTestCase):
22    """Test PDP with permit overrides rule combining algorithm"""
23   
24    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
25   
26    # This could be any applicable resource value, provided there's no rule to
27    # override and enable access
28    PRIVATE_RESOURCE_ID = 'http://localhost/private-resource'
29   
30    PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted'
31    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
32       
33    SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
34        'http://localhost/single-subject-role-restricted'
35    ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
36        'http://localhost/action-and-single-subject-role-restricted'
37    AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
38        'http://localhost/at-least-of-subject-role-restricted'
39       
40    def setUp(self):
41        self.pdp = self._createPDPfromNdgTest1Policy()
42       
43    def test01NotApplicable(self):
44        # Set a resource Id that doesn't match the main target
45        request = self._createRequestCtx(
46                                    self.__class__.NOT_APPLICABLE_RESOURCE_ID)
47        response = self.pdp.evaluate(request)
48        self.failIf(response is None, "Null response")
49        for result in response.results:
50            self.failIf(result.decision != Decision.NOT_APPLICABLE, 
51                        "Expecting not applicable decision")
52       
53    def test02PublicallyAccessibleResource(self):
54        # Test a resource which has no subject restrictions
55        request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID,
56                                         includeSubject=False)
57        response = self.pdp.evaluate(request)
58        self.failIf(response is None, "Null response")
59        for result in response.results:
60            self.failIf(result.decision != Decision.PERMIT, 
61                        "Expecting Permit decision")
62       
63    def test03PrivateResource(self):
64        request = self._createRequestCtx(
65                                    self.__class__.PRIVATE_RESOURCE_ID)
66        response = self.pdp.evaluate(request)
67        self.failIf(response is None, "Null response")
68        for result in response.results:
69            self.failIf(result.decision != Decision.DENY, 
70                        "Expecting Deny decision")
71
72    def test04SingleSubjectRoleRestrictedResource(self):
73        # Access based on a resource ID and single subject role
74        request = self._createRequestCtx(
75                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
76        response = self.pdp.evaluate(request)
77        self.failIf(response is None, "Null response")
78        for result in response.results:
79            self.failIf(result.decision != Decision.PERMIT, 
80                        "Expecting Permit decision") 
81
82    def test05SingleSubjectRoleRestrictedResourceDeniesAccess(self):
83        # Subject doesn't have the required role for access
84        request = self._createRequestCtx(
85                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
86                            subjectRoles=('student',))
87        response = self.pdp.evaluate(request)
88        self.failIf(response is None, "Null response")
89        for result in response.results:
90            self.failIf(result.decision != Decision.DENY, 
91                        "Expecting Deny decision") 
92
93    def test06ActionAndSingleSubjectRoleRestrictedResource(self):
94        # Test restriction based on action type as well as subject role
95        request = self._createRequestCtx(
96                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
97        response = self.pdp.evaluate(request)
98        self.failIf(response is None, "Null response")
99        for result in response.results:
100            self.failIf(result.decision != Decision.PERMIT, 
101                        "Expecting Permit decision")
102
103    def test07ActionAndSingleSubjectRoleRestrictedResourceDeniesAccess(self):
104        # Test subject requests invalid action type
105        request = self._createRequestCtx(
106                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
107                    action='write')
108        response = self.pdp.evaluate(request)
109        self.failIf(response is None, "Null response")
110        for result in response.results:
111            self.failIf(result.decision != Decision.DENY, 
112                        "Expecting Deny decision") 
113
114    def test08AtLeastOneSubjectRoleResource(self):
115        # Test at least one member function
116        request = self._createRequestCtx(
117                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
118                    action='write')
119        response = self.pdp.evaluate(request)
120        self.failIf(response is None, "Null response")
121        for result in response.results:
122            self.failIf(result.decision != Decision.PERMIT, 
123                        "Expecting Permit decision")             
124
125    def test09AtLeastOneSubjectRoleResourceDeniesAccess(self):
126        # Test at least one member function where subject doesn't have one of
127        # the required roles
128        request = self._createRequestCtx(
129                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
130                    subjectRoles=('student',))
131        response = self.pdp.evaluate(request)
132        self.failIf(response is None, "Null response")
133        for result in response.results:
134            self.failIf(result.decision != Decision.DENY, 
135                        "Expecting Deny decision")             
136   
137    def test10PipAddsRequiredAttributeValToEnableAccess(self):
138        # The PDP is part of a context handler with a PIP which adds subject
139        # attributes under prescribed conditions on the evaluation of
140        # subject attribute designators.  In this case the addition of the PIP
141        # adds an attribute value to one of the subject's attributes which means
142        # they're granted access where otherwise access would be denied
143        ctxHandler = TestContextHandler()
144        ctxHandler.pdp = self.pdp
145       
146        request = self._createRequestCtx(
147                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
148                    subjectRoles=('student',))
149       
150        response = ctxHandler.handlePEPRequest(request)
151        self.failIf(response is None, "Null response")
152        for result in response.results:
153            self.failIf(result.decision != Decision.PERMIT, 
154                        "Expecting PERMIT decision")           
155       
156       
157if __name__ == "__main__":
158    unittest.main()
Note: See TracBrowser for help on using the repository browser.