
Working version with independent Policy Enforcement Point (Gatekeeper) + Policy Decision Point for Pylons Browse code stack

python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py: extra help info in message for login error

python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py: mod to SignatureHandler init due to change in WSSecurityConfig interface

python/Tests/authtest/authtest/controllers/test2.py,
python/Tests/authtest/authtest/lib/template.py: missed out on last check in

python/ndg.security.common/ndg/security/common/authz/pdp/proftp.py: update to init following change to PDPInterface class for browse code

python/ndg.security.common/ndg/security/common/authz/pdp/__init__.py: PDPInterface takes cfg keyword which can be a file path or a ConfigParser object

python/ndg.security.common/ndg/security/common/authz/pdp/browse.py:

  • fixes to XPath queries.
  • BrowsePDP now does some more of the work done previously by ows_server.models.ndgInterface.GateKeep and queries directly for role and AA values direct from the doc root
  • made fix to WS-Security settings - may be picked up from the same config file as the PDP settings

python/ndg.security.common/ndg/security/common/authz/pep.py,
python/ndg.security.common/ndg/security/common/wsSecurity.py: allow generic cfg keyword for file path / config obj input

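"""NDG Policy Decision Point Package - contains abstract interface to PEP

The PDP makes authorisation decisions based on the access constraints applying
to a resource and the access rights of a user requesting it

Adapted from original gatekeeper.py code

NERC Data Grid Project
"""
__author__ = "P J Kershaw"
__date__ = "04/04/08"
__copyright__ = "(C) 200* STFC & NERC"
__contact__ = "P.J.Kershaw@rl.ac.uk"
__license__ = \
"""This software may be distributed under the terms of the Q Public
License, version 1.0 or later."""
__revision__ = "$Id:gatekeeper.py 3079 2007-11-30 09:39:46Z pjkersha $"

import logging
# Module-level logger.  The PDPInterface contract asks implementations to put
# detailed error information here rather than into exception messages.
log = logging.getLogger(__name__)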
class PDPError(Exception):
    """Root of the PDP exception hierarchy.

    The more specific PDP exceptions in this module derive from this class so
    that a caller can catch them as a single family."""
class PDPUserAccessDenied(PDPError):
    """Access Denied"""
    def __init__(self, msg=None):
        # An absent or empty message falls back to the class docstring so the
        # exception always carries a readable reason
        detail = msg or PDPUserAccessDenied.__doc__
        super(PDPUserAccessDenied, self).__init__(detail)
class PDPUserInsufficientPrivileges(PDPError):
    """Insufficient privileges to access resource"""
    def __init__(self, msg=None):
        # Use the class docstring as the message when none (or "") is given
        detail = msg or PDPUserInsufficientPrivileges.__doc__
        super(PDPUserInsufficientPrivileges, self).__init__(detail)
class PDPUserNotLoggedIn(PDPError):
    """User is not logged in"""
    def __init__(self, msg=None):
        # Use the class docstring as the message when none (or "") is given
        detail = msg or PDPUserNotLoggedIn.__doc__
        super(PDPUserNotLoggedIn, self).__init__(detail)
class PDPMissingResourceConstraints(PDPError):
    """Access constraints for resource are not set correctly"""
    def __init__(self, msg=None):
        # Use the class docstring as the message when none (or "") is given
        detail = msg or PDPMissingResourceConstraints.__doc__
        super(PDPMissingResourceConstraints, self).__init__(detail)
class PDPUnknownResourceType(PDPError):
    """The type for requested resource is not known"""
    def __init__(self, msg=None):
        # Use the class docstring as the message when none (or "") is given
        detail = msg or PDPUnknownResourceType.__doc__
        super(PDPUnknownResourceType, self).__init__(detail)
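class PDPInterface(object):
    """PEP (Gatekeeper) abstract interface to a Policy Decision Point

    PDPs must adhere to this interface by subclassing from it"""

    def __init__(self,
                 cfg=None,
                 cfgSection='DEFAULT',
                 **cfgKw):
        """PDPInterface(cfg|**cfgKw)

        @type cfg: string / ConfigParser
        @param cfg: file path to configuration file or ConfigParser object to
        retrieve parameters from
        @type cfgSection: string
        @param cfgSection: sets the section name to retrieve config params
        from
        @type cfgKw: dict
        @param cfgKw: set parameters as key value pairs.

        @raise NotImplementedError: always - this is an abstract interface and
        derived classes must provide their own __init__"""
        raise NotImplementedError("%s\n%s" % (PDPInterface.__doc__,
                                              PDPInterface.__init__.__doc__))

    def accessPermitted(self, resrcHandle, userHandle, accessType, *arg, **kw):
        """Make an Access control decision with this behaviour:

        @type resrcHandle: any - determined by derived class PDP
        @param resrcHandle: a handle to the resource to make access decision
        for.  This could be for example a resource ID string, or a dict or
        other object to hold resource information required by the PDP

        @type userHandle: any - determined by derived class PDP
        @param userHandle: a handle to the user requesting access.
        e.g. a user ID, an attribute certificate or a handle to a service
        which can be interrogated to get the required information

        @type accessType: any - determined by derived class PDP
        @param accessType: the type of access being requested e.g. read,
        read/write, put etc.

        @rtype: bool
        @return: True if access permitted; False if denied or else raise
        an Exception.  Implementations should return True only on a positive
        decision and otherwise return False or raise a PDPError, i.e. fail
        closed on any unexpected condition.

        @raise NotImplementedError: always, in this abstract base class

        Nb.

         * *arg and **kw are included to enable further customisation,
        resrcHandle, userHandle and accessType are merely indicators.

         * __call__ is an alias to this method so a PDP instance may be
         invoked directly.

         * Derived classes should keep to the exception types in this file
         where possible.  New exception types should inherit from PDPError.
         Detailed error information should be left out of the exception
         message and put in the error log instead"""
        # Abstract: the original also had an unreachable "return False" after
        # this raise, which has been dropped
        raise NotImplementedError("%s\n%s" % (PDPInterface.__doc__,
                                  PDPInterface.accessPermitted.__doc__))

    # Alias for convenience: pdp(resrcHandle, userHandle, accessType)
    __call__ = accessPermitted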