Changeset 6771 for TI12-security/trunk

Timestamp:

25/03/10 08:27:00 (10 years ago)

Author:

pjkersha

Message:

Added request subject, resource, action and environment types

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/context/__init__.py (modified) (1 diff)
• core/context/action.py (added)
• core/context/environment.py (added)
• core/context/handler.py (modified) (2 diffs)
• core/context/resource.py (added)
• core/context/result.py (modified) (1 diff)
• core/context/subject.py (added)
• core/pdp.py (modified) (1 diff)
• core/policy.py (modified) (1 diff)
• test/test_xacml.py (modified) (6 diffs)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/__init__.py

@@ -15 +15 @@
 class XacmlContextBase(object):
     """Base class for XACML Request and Response types"""
+    ELEMENT_LOCAL_NAME = None
     __slots__ = ()
+    
+    def __init__(self):
+        if self.__class__.ELEMENT_LOCAL_NAME is None:
+            raise NotImplementedError('Set "ELEMENT_LOCAL_NAME" in a derived '
+                                      'type')
     
     

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/handler.py

@@ -39 +39 @@
        
        
-class AbstractContextHandler:
+class AbstractContextHandler(object):
     """Context Handler Abstract Base class"""
     __metaclass__ = ABCMeta
+    __slots__ = ('__pdp',)
     
+    def __init__(self):
+        self.__pdp = None
+        
     @classmethod
     def __subclasshook__(cls, C):
@@ -54 +58 @@
             
         return NotImplemented
-
-
-
-# Set up new class as an abstract base itself             
-PEPInterface.register(AbstractContextHandler)
+    
+    def _getPDP(self):
+        return self.__pdp
+    
+    def _setPDP(self, value):
+        if not isinstance(value, PDPInterface):
+            raise TypeError('Expecting %r derived type for "pdp" attribute; '
+                            'got %r' % (PDPInterface, type(pdp))
+        
+        self.__pdp = value
+        
+    pdp = property(_getPDP, _setPDP, doc="Interface to PDP")

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/result.py

@@ -288 +288 @@
     
     ELEMENT_LOCAL_NAME  = 'Result'
+    OBLIGATIONS_ELEMENT_LOCAL_NAME = 'Obligations'
     REOSURCE_ID_ATTRIB_NAME = 'ResourceId'
     

TI12-security/trunk/NDG_XACML/ndg/xacml/core/pdp.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
+from abc import ABCMeta, abstractmethod
+from ndg.xacml.core.context.request import Request
 
+
+class PDPInterface:
+    __metaclass__ = ABCmeta
+    
+    @classmethod
+    def __subclasshook__(cls, C):
+        """Derived class must implement __call__"""
+        if cls is PDPInterface:
+            if any("evaluate" in B.__dict__ for B in C.__mro__):
+                return True
+            
+        return NotImplemented
+
+    @abstractmethod
+    def evaluate(self, request):
+        '''evaluate the input request and return an access control decision
+        in the returned response
+        
+        @param request: XACML context request
+        @type request: ndg.xacml.core.context.request.Request
+        @return: XACML context response
+        @rtype: ndg.xacml.core.context.response.Response
+        '''
+        if not isinstance(request, Request):
+            raise TypeError('Expecting %r type for input request; got %r '
+                            'instead' % (Request, type(request))
+                            
+

TI12-security/trunk/NDG_XACML/ndg/xacml/core/policy.py

@@ -42 +42 @@
     # Plan to support permit overrides in a future release
     RULE_COMBINING_ALG_IDS = (
-#    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides",
+    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides",
     "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides",
     )

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_xacml.py

@@ -20 +20 @@
 from ndg.xacml.parsers.etree.factory import ReaderFactory
 
+from ndg.xacml.core.attribute import Attribute
 from ndg.xacml.core.context.request import Request
-from ndg.xacml.core.subject import Subject
-from ndg.xacml.core.resource import Resource
-from ndg.xacml.core.action import Action
+from ndg.xacml.core.context.response import Response
+from ndg.xacml.core.context.result import Result, Decision
+from ndg.xacml.core.context.subject import Subject
+from ndg.xacml.core.context.resource import Resource
+from ndg.xacml.core.context.action import Action
 
 THIS_DIR = path.dirname(__file__)
@@ -42 +45 @@
     def test01ETreeParseRule1Policy(self):
         PolicyReader = ReaderFactory.getReader(Policy)
-        policy = PolicyReader.parse(XACMLTestCase.XACML_TEST1_FILEPATH)
+        policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST1_FILEPATH)
         self.assert_(policy)
         
@@ -91 +94 @@
     def test02ETreeParseRule2Policy(self):
         PolicyReader = ReaderFactory.getReader(Policy)
-        policy = PolicyReader.parse(XACMLTestCase.XACML_TEST2_FILEPATH)
+        policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST2_FILEPATH)
         self.assert_(policy)
         
@@ -244 +247 @@
         
         try:
-            policy = PolicyReader.parse(XACMLTestCase.XACML_TEST3_FILEPATH)
+            policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST3_FILEPATH)
             self.assert_(policy)
         except NotImplementedError, e:
@@ -251 +254 @@
     def test04ETreeParseRule4Policy(self):
         PolicyReader = ReaderFactory.getReader(Policy)
-        policy = PolicyReader.parse(XACMLTestCase.XACML_TEST4_FILEPATH)
+        policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST4_FILEPATH)
         self.assert_(policy)
                     
@@ -258 +261 @@
         # resources for NDG
         PolicyReader = ReaderFactory.getReader(Policy)
-        policy = PolicyReader.parse(XACMLTestCase.XACML_NDGTEST1_FILEPATH)
+        policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_NDGTEST1_FILEPATH)
         self.assert_(policy)
-
+        
+        
+class MyPDP(PDPInterface):
+    
+    def __init__(self):
+        self.policy = None
+        
+    @classmethod
+    def fromPolicy(cls, source):
+        pdp = cls()
+        self.policy = ReaderFactory.getReader(Policy).parse(source)
+        
+    def evaluate(self, request):
+        response = Response
+        result = Result()
+        response.results.append(result)
+        result.decision = Decision.INDETERMINATE
+        
+        # Check policy target for match
+        if not self.matchTarget(self.policy.target, request):
+            result.decision = Decision.NOT_APPLICABLE
+            return response
+        
+        # Check rules
+        for rule in self.policy.rules:
+            if not self.matchTarget(rule.target, request):
+                continue
+            
+        return response
+    
+    def matchTarget(self, target, request):
+        if target is None:
+            return False
+        
+        for targetSubject in target.subjects:
+            for requestSubject in request.subjects:
+                if subject.
+                
+class TestContextHandler(AbstractContextHandler):
+    """Test implementation of Context Handler"""
+    
+    def __init__(self):
+        super(TestContextHandler, self).__init__()
+        self.pip = None        
+        
+    def handlePEPRequest(self, myRequest):
+        
+        # Convert myRequest to XACML context request
+        request = myRequest
+        
+        if self.pdp is None:
+            raise TypeError('No "pdp" attribute set')
+        
+        response = self.pdp.evaluate(request)
+        
+        # Convert XACML context response to domain specific request
+        myResponse = response
+        
+        return myResponse
+    
 
 class XACMLContextTestCase(unittest.TestCase):
     """Test PDP, PAP, PIP and Context handler"""
     
-    def test01(self):
+    def test01CreateRequest(self):
         request = Request()
         
         subject = Subject()
-        subject.
+        subjectAttribute = Attribute()
+        subject.attributes.append(subjectAttribute)
+        subjectAttribute.attributeId = \
+                            "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+        subjectAttribute.dataType = \
+                            "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
+        subjectAttribute.attributeValue = 'bs@simpsons.com'
+        
         request.subjects.append(subject)
-
-        request.resources.append(Resource())
+        
+        resource = Resource()
+        resourceAttribute = Attribute()
+        resource.attributes.append(resourceAttribute)
+        
+        resourceAttribute.attributeId = \
+                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            
+        resourceAttribute.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
+        resourceAttribute.attributeValue = \
+                            'file://example/med/record/patient/BartSimpson'
+
+        request.resources.append(resource)
+        
         request.action = Action()
+        actionAttribute = Attribute()
+        request.action.append(actionAttribute)
+        
+        requestAttribute.attributeId = \
+                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
+        requestAttribute.dataType = "http://www.w3.org/2001/XMLSchema#string"
+        requestAttribute.attributeValue = 'read'
+        
+    def test02CreateResponse(self):
+        response = Response()
+        result = Result()
+        response.results.append(result)
+        result.decision = Decision.value = Decision.NOT_APPLICABLE
+        
+    def test03CreateContextHandler(self):
+