Revision 5005, 3.8 KB checked in by pjkersha, 12 years ago (diff)

More work on Policy and Effect classes

1"""XACML Policy Decision Point module
2
3NERC DataGrid Project
4"""
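# Module metadata. The original assigned __contact__ twice with the same
# value; the duplicate is dropped here.
__author__ = "P J Kershaw"
__date__ = "13/02/09"
__copyright__ = "(C) 2009 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
__revision__ = "$Id$"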
12
13import logging
# Module-level logger; nothing in this module writes to it yet.
log = logging.getLogger(name=__name__)
15
16from ndg.security.common.authz.pdp import PDPInterface
17       
class Subject(object):
    """XACML Subject designator: the entity making the request, e.g. a user
    or user agent.

    Placeholder with no attributes yet; ``PDP.accessPermitted`` only uses it
    for an ``isinstance`` check.
    """
    pass
20
class Resource(object):
    """XACML Resource designator: the resource to be accessed.

    Placeholder with no attributes yet; ``PDP.accessPermitted`` only uses it
    for an ``isinstance`` check.
    """
    pass
23
class Action(object):
    """XACML Action designator: the action to be carried out on the resource.

    Placeholder with no attributes yet; ``PDP.accessPermitted`` only uses it
    for an ``isinstance`` check.
    """
    pass
26
class Environment(object):
    """XACML Environment designator: environment settings for the request.

    Placeholder with no attributes yet; ``PDP.accessPermitted`` only uses it
    for an ``isinstance`` check.
    """
    pass
29
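class Policy(object):
    """XACML Policy: a target plus a list of rules, with optional obligations.

    All attributes are plain placeholders to be populated by the caller;
    nothing in this module evaluates them yet.
    """
    def __init__(self):
        # Free-text description of the policy.
        self.description = None
        # Rule instances making up the policy; empty by default.
        self.rules = []
        # NOTE(review): presumably the rule-combining algorithm identifier;
        # nothing here reads it yet - confirm when evaluation is added.
        self.algID = None
        # Obligations attached to the policy; empty by default.
        self.obligations = []
        # Decides whether this policy applies to a request; None until the
        # caller sets it.
        self.target = None

    def encode(self):
        """Encode the policy.

        @raise NotImplementedError: always; a derived class must override.
        """
        # The original raised NotImplemented(), which is a singleton and not
        # an exception class: calling it raised TypeError instead of
        # signalling the missing override.
        raise NotImplementedError()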
41   
class Target(object):
    """XACML Target: the subject, resource and action a policy or rule
    applies to.

    Each designator starts as an empty instance of its class for the caller
    to fill in.
    """
    def __init__(self):
        self.action = Action()
        self.resource = Resource()
        self.subject = Subject()
47
48   
class Effect(object):
    """Base class for a rule's effect.

    ``__str__`` must be supplied by a subclass. Note that ``DenyEffect`` and
    ``PermitEffect`` in this module derive from ``object`` directly, so an
    ``isinstance(x, Effect)`` check would not match them.
    """
    def __str__(self):
        """Raise NotImplementedError; subclasses define the string form."""
        raise NotImplementedError()
52       
class DenyEffect(object):
    """Effect value 'deny'.

    Does not subclass ``Effect``. ``Rule`` uses it as the default effect, so
    an unconfigured rule fails closed.
    """
    def __str__(self):
        """Return the XACML effect string 'deny'."""
        label = 'deny'
        return label
56       
class PermitEffect(object):
    """Effect value 'permit'.

    Does not subclass ``Effect``; mirrors ``DenyEffect``.
    """
    def __str__(self):
        """Return the XACML effect string 'permit'."""
        label = 'permit'
        return label
60
class Rule(object):
    """A single XACML rule: conditions, an effect and a target.

    Conditions are statements about attributes that, when evaluated, yield
    True, False or Indeterminate. The effect is the consequence of a
    satisfied rule and is either Permit or Deny. The target works as for a
    policy: it decides whether the rule is relevant to a request at all.
    """
    def __init__(self):
        # Safe default: a rule that has not been configured denies.
        self.effect = DenyEffect()
        # Relevance check for the request; defaults to an empty Target.
        self.target = Target()
        # No conditions until the caller adds them.
        self.conditions = []
77       
78       
class Request(object):
    """XACML Request: the four designators a decision is made against.

    TODO: refactor from this initial placeholder.
    """
    def __init__(self):
        self.environment = Environment()
        self.action = Action()
        self.resource = Resource()
        self.subject = Subject()
88       
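class PDP(PDPInterface):
    """Modify PDPInterface to use the four XACML request designators: subject,
    resource, action and environment.

    This is an initial iteration toward a complete XACML implementation.
    """
    def __init__(self, *arg, **kw):
        # Arguments are accepted for interface compatibility and discarded.
        # NOTE(review): PDPInterface.__init__ is not invoked here; confirm
        # the base class needs no initialisation.
        pass

    def accessPermitted(self, subject, resource, action, environment):
        """Make access control decision - override this in a derived class to
        implement the decision logic but this method may be called within
        the derived method to check input types.

        @param subject: entity making the request e.g. user or user agent
        @type subject: Subject
        @param resource: resource to be accessed
        @type resource: Resource
        @param action: action to be carried out on the resource
        @type action: Action
        @param environment: environment settings
        @type environment: Environment
        @raise TypeError: incorrect inputs
        @return: False - this base implementation always denies; a derived
        class returns the real decision after calling this check
        """
        # Validate each designator's type before any decision logic. A wrong
        # type is reported as an error rather than folded into a deny so the
        # caller can tell a bad call from a refused request.
        designators = (
            ("subject", subject, Subject),
            ("resource", resource, Resource),
            ("action", action, Action),
            ("environment", environment, Environment),
        )
        for name, value, expected in designators:
            if not isinstance(value, expected):
                raise TypeError("Input %s must be of type %r" % (name, expected))

        # Fail closed: the base implementation never grants access.
        return False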