Context Navigation

← Previous Change
Next Change →

Changeset 6774 for TI12-security/trunk

Timestamp:

25/03/10 15:22:31 (10 years ago)

Author:

pjkersha

Message:

Work on test PDP currently in unittests but will be moved into context package.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

: 4 edited

core/__init__.py (modified) (3 diffs)
core/match.py (modified) (4 diffs)
parsers/etree/applyreader.py (modified) (2 diffs)
test/test_xacml.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDG_XACML/ndg/xacml/core/init.py

-                      r6770
+                      r6774
     XACML_2_0_XMLNS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
     __slots__ = ('__xmlns', '__reader', '__writer')
+    __slots__ = ('__xmlns', '__reader', '__writer', '__elem')
     ELEMENT_LOCAL_NAME = None
 …
         self.__reader = None
         self.__writer = None
+        self.__elem = None
         if not isinstance(self.__class__.ELEMENT_LOCAL_NAME, basestring):
 …
         self.__writer(self, obj)
+    @property
+    def elem(self):
+        """XML Node for as represented by parser/writer specified with the
+        reader/writer attributes.  Readers of context elements should set this
+        element if a policy uses AttributeSelectors to do XPath queries into
+        the request context
+        """
+        return self.__elem
+    @elem.setter
+    def elem(self, value):
+        """"XML Node for as represented by parser/writer specified with the
+        reader/writer attributes
+        @param value: XML node instance
+        @type value: type (governed by reader/writer set for this XACML object)
+        """
+        self.__elem = value
 class TargetChildBase(XacmlCoreBase):

TI12-security/trunk/NDG_XACML/ndg/xacml/core/match.py

-                      r6770
+                      r6774
     @attributeDesignator.setter
     def attributeDesignator(self, value):
+        """Set match attribute designator.  Match may have an
+        attributeDesignator or an attributeSelector setting a designator DELETES
+        any attributeSelector previously set
+        """
         if not isinstance(value, AttributeDesignator):
             raise TypeError('Expecting %r type for "attributeDesignator" '
 …
         self.__attributeDesignator = value
+        self.__attributeSelector = None
     @property
 …
     @attributeSelector.setter
     def attributeSelector(self, value):
+        """Set match attribute selector.  Match may have an
+        attributeDesignator or an attributeSelector setting a selector DELETES
+        any attributeDesignator previously set
+        """
         if not isinstance(value, AttributeSelector):
             raise TypeError('Expecting %r type for "matchId" '
 …
         self.__attributeSelector = value
+        self.__attributeDesignator = None
     def _getMatchId(self):

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/etree/applyreader.py

-                      r6766
+                      r6774
     '''
     TYPE = Apply
+    # These two are not currently implemented.  When an implementation is made
+    # the ELEMENT_LOCAL_NAME may be referenced from the native class rather than
+    # a class variable here
+    FUNCTION_ELEMENT_LOCAL_NAME = 'Function'
+    VARIABLE_REFERENCE_ELEMENT_LOCAL_NAME = 'VariableReference'
     def __call__(self, obj):
 …
                 applyObj.expressions.append(
                             EnvironmentAttributeDesignatorReader.parse(subElem))
             elif localName == AttributeSelector.ELEMENT_LOCAL_NAME:
                 AttributeSelectorReader = ReaderFactory.getReader(
                                                             AttributeSelector)
                 applyObj.expressions.append(
+                                        AttributeSelectorReader.parse(subElem))
+                                        AttributeSelectorReader.parse(subElem))
+            elif localName == Condition.ELEMENT_LOCAL_NAME:
+                ConditionReader = ReaderFactory.getReader(Condition)
+                applyObj.expressions.append(ConditionReader.parse(subElem))
+            elif localName == self.__class__.FUNCTION_ELEMENT_LOCAL_NAME:
+                raise NotImplementedError('%r Apply sub-element not '
+                                          'implemented', localName)
+            elif (localName ==
+                  self.__class__.VARIABLE_REFERENCE_ELEMENT_LOCAL_NAME):
+                raise NotImplementedError('%r Apply sub-element not '
+                                          'implemented', localName)
             else:
                 raise NotImplementedError('%r Apply sub-element not '
                                           'recognised', localName)
+                raise XMLParseError('%r Apply sub-element not recognised',
+                                    localName)
         return applyObj

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_xacml.py

-                      r6771
+                      r6774
     def evaluate(self, request):
+        """Make an access control decision for the given request based on the
+        policy set
+        @param request: XACML request context
+        @type request: ndg.xacml.core.context.request.Request
+        @return: XACML response instance
+        @rtype: ndg.xacml.core.context.response.Response
+        """
         response = Response
         result = Result()
         response.results.append(result)
+        result.decision = Decision.INDETERMINATE
+        # Check policy target for match
+        if not self.matchTarget(self.policy.target, request):
+            result.decision = Decision.NOT_APPLICABLE
+            return response
+        # Check rules
+        for rule in self.policy.rules:
+            if not self.matchTarget(rule.target, request):
+                continue
+        result.decision = Decision.NOT_APPLICABLE
+        # Exception block around all rule processing in order to set
+        # INDETERMINATE response from any exceptions raised
+        try:
+            # Check policy target for match
+            log.debug('Checking policy target for match...')
+            if not self.matchTarget(self.policy.target, request):
+                log.debug('No match for policy target setting Decision=%r',
+                          Decision.NOT_APPLICABLE_STR)
+                result.decision = Decision.NOT_APPLICABLE
+                return response
+            # Check rules
+            for rule in self.policy.rules:
+                log.debug('Checking policy rule %r for match...', rule.id)
+                if not self.matchTarget(rule.target, request):
+                    log.debug('No match to request context for target in rule '
+                              '%r', rule.id)
+                    continue
+        except:
+            log.error('Exception raised evaluating request context, returning '
+                      'Decision=%r:%s',
+                      Decision.INDETERMINATE_STR,
+                      traceback.format_exc())
+            result.decision = Decision.INDETERMINATE
         return response
     def matchTarget(self, target, request):
         if target is None:
+            log.debug('No target set so no match with request context')
             return False
+        for targetSubject in target.subjects:
+            for requestSubject in request.subjects:
+                if subject.
+        # From section 5.5 of the XACML 2.0 Core Spec:
+        #
+        # For the parent of the <Target> element to be applicable to the
+        # decision request, there MUST be at least one positive match between
+        # each section of the <Target> element and the corresponding section of
+        # the <xacml-context:Request> element.
+        for i in ('subjects', 'resources', 'actions', 'environments'):
+            for targetChild in getattr(target, i):
+                for requestChild in getattr(request, i):
+                    if self.matchTargetChild(targetChild, requestChild):
+                        return True
+        return False
+    @classmethod
+    def matchTargetChild(cls, targetChild, requestChild):
+        """Match a child (Subject, Resource, Action or Environment) from the
+        request context with a given target's child
+        @param targetChild: Target Subject, Resource, Action or Environment
+        object
+        @type targetChild: ndg.xacml.core.TargetChildBase
+        @param requestChild: Request Subject, Resource, Action or Environment
+        object
+        @type requestChild: ndg.xacml.core.context.RequestChildBase
+        @return: True if request context matches something in the target
+        @rtype: bool
+        @raise NotImplementedError: AttributeSelector processing is not
+        currently supported.  If an AttributeSelector is found in the policy,
+        this exception will be raised.
+        """
+        if targetChild is None:
+            # Default if target child is not set is to match all children
+            return True
+        for childMatch in targetChild.matches:
+            attributeValue = childMatch.attributeValue
+            # Create a match function based on the presence or absence of an
+            # AttributeDesignator or AttributeSelector
+            if childMatch.attributeDesignator is not None:
+                attributeId = childMatch.attributeDesignator.attributeId
+                dataType = childMatch.attributeDesignator.dataType
+                _attributeMatch = lambda requestChildAttribute: (
+                    requestChildAttribute.attributeValue == attributeValue and
+                    requestChildAttribute.attributeId == attributeId and
+                    requestChildAttribute.dataType == dataType
+                )
+            elif childMatch.attributeSelector is not None:
+                # Nb. This will require that the request provide a reference to
+                # it's XML representation and an abstraction of the XML parser
+                # for executing XPath searches into that representation
+                raise NotImplementedError('This PDP implementation does not '
+                                          'support <AttributeSelector> '
+                                          'elements')
+            else:
+                _attributeMatch = lambda requestChildAttribute: (
+                    requestChildAttribute.attributeValue == attributeValue
+                )
+            for attribute in requestChild.attributes:
+                if _attributeMatch(attribute):
+                    return True
+        return False
 class TestContextHandler(AbstractContextHandler):

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: