Changeset 6782 for TI12-security/trunk

Timestamp:

26/03/10 16:34:43 (10 years ago)

Author:

pjkersha

Message:

Fixes to PDP target processing following spec. Started Condition processing

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

• core/context/pdp.py (modified) (7 diffs)
• core/functions/v1/anyuri_equal.py (added)
• core/functions/v1/string_equal.py (modified) (1 diff)
• core/functions/v2/anyuri_regexp_match.py (modified) (1 diff)
• test/ndg1.xml (modified) (4 diffs)
• test/test_context.py (modified) (1 diff)
• test/test_policypy (deleted)

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

@@ -94 +94 @@
         # INDETERMINATE response from any exceptions raised
         try:
-            log.debug('Checking policy target for match...')
+            log.debug('Checking policy target for match with request...')
             
             if not self.matchTarget(self.policy.target, request):
@@ -102 +102 @@
                 result.decision = Decision.NOT_APPLICABLE
                 return response
+            
+            log.debug('Request matches the Policy target')
             
             # Check rules
@@ -109 +111 @@
                     log.debug('No match to request context for target in rule '
                               '%r', rule.id)
-                    continue         
+                    continue   
+                
+                # Apply the condition
+                self.appyCondition(rule.condition)      
         except:
             log.error('Exception raised evaluating request context, returning '
@@ -139 +144 @@
         # decision request, there MUST be at least one positive match between 
         # each section of the <Target> element and the corresponding section of 
-        # the <xacml-context:Request> element.       
-        for i in self.__class__.TARGET_CHILD_ATTRS:
-            for targetChild in getattr(target, i):
-                for requestChild in getattr(request, i):
-                    if self.matchTargetChild(targetChild, requestChild):
-                        return True
+        # the <xacml-context:Request> element.
+        # 
+        # Also, 7.6:
+        #
+        # The target value SHALL be "Match" if the subjects, resources, actions 
+        # and environments specified in the target all match values in the 
+        # request context. 
+        statusValues = [False]*len(self.__class__.TARGET_CHILD_ATTRS) 
+        
+        # Iterate for target subjects, resources, actions and environments 
+        # elements
+        for i, status in zip(self.__class__.TARGET_CHILD_ATTRS, statusValues):
+            # If any one of the <Target> children is missing then it counts as
+            # a match e.g. for <Subjects> child element - Section 5.5:
+            #
+            # <Subjects> [Optional] Matching specification for the subject 
+            # attributes in the context. If this element is missing,
+            # then the target SHALL match all subjects.
+            targetElem = getattr(target, i)
+            if len(targetElem) == 0:
+                status = True
+                continue
+            
+            # Iterate over each for example, subject in the list of subjects or
+            # for example, resource in the list of resources and so on
+            for targetSubElem in targetElem:
+                
+                # For the given subject/resource/action/environment check for a
+                # match with the equivalent in the request
+                requestElem = getattr(request, i) 
+                for requestSubElem in requestElem:
+                    if self.matchTargetChild(targetSubElem, requestSubElem):
+                        # Within the list of e.g. subjects if one subject 
+                        # matches then this counts as a subject match overall 
+                        # for this target
+                        status = True
  
-        return False
+        # Target matches if all the children (i.e. subjects, resources, actions
+        # and environment sections) have at least one match.  Otherwise it 
+        # doesn't count as a match
+        return all(statusValues)
     
     def matchTargetChild(self, targetChild, requestChild):
@@ -164 +202 @@
         this exception will be raised.
         """
+        matchStatus = True
+        
         if targetChild is None:
             # Default if target child is not set is to match all children
             return True
         
+        
+        # Section 7.6
+        #
+        # A subject, resource, action or environment SHALL match a value in the
+        # request context if the value of all its <SubjectMatch>, 
+        # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements, 
+        # respectively, are “True”.
         for childMatch in targetChild.matches:
             # Get the match function from the Match ID
@@ -187 +234 @@
                 dataType = childMatch.attributeDesignator.dataType
                 
+                # Issuer is an optional match - see core spec 7.2.4
+                issuer = childMatch.attributeDesignator.issuer
+                if issuer is not None:
+                    # Issuer found - set lambda to match this against the 
+                    # issuer setting in the request
+                    _issuerMatch = lambda requestChildIssuer: (issuer == 
+                                                            requestChildIssuer)
+                else:
+                    # No issuer set - lambda returns True regardless
+                    _issuerMatch = lambda requestChildIssuer: True
+                    
+                    
                 _attributeMatch = lambda requestChildAttribute: (
                     matchFunc.evaluate(matchAttributeValue, 
                               requestChildAttribute.attributeValue.value) and
                     requestChildAttribute.attributeId == attributeId and
-                    requestChildAttribute.dataType == dataType 
+                    requestChildAttribute.dataType == dataType and
+                    _issuerMatch(requestChildAttribute.issuer)
                 )
                 
@@ -208 +268 @@
                 
             for attribute in requestChild.attributes:
-                if _attributeMatch(attribute):
-                    return True
-                    
-        return False
-
+                if _attributeMatch(attribute) == True:
+                    if log.getEffectiveLevel() <= logging.DEBUG:
+                        log.debug('Request attribute %r set to %r matches '
+                                  'target',
+                                  attribute.attributeId,
+                                  attribute.attributeValue.value)
+                        
+                    # Default status is True - any *Match element NOT matching
+                    # will result in an overall status of no match
+                else:        
+                    # Don't return here but set the status to False.  The other
+                    # attributes need to be checked in case an error occurs.
+                    # In this case the top-level PDP exception handling block
+                    # will catch it and set an overall decision of INDETERMINATE
+                    matchStatus = False
+                    
+        return matchStatus
+
+    def applyCondition(self, condition):
+        """Apply a rule condition"""
+        

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v1/string_equal.py

@@ -4 +4 @@
 """
 __author__ = "P J Kershaw"
-__date__ = "02/04/09"
+__date__ = "26/03/10"
 __copyright__ = ""
 __license__ = "BSD - see LICENSE file in top-level directory"

TI12-security/trunk/NDG_XACML/ndg/xacml/core/functions/v2/anyuri_regexp_match.py

@@ -4 +4 @@
 """
 __author__ = "P J Kershaw"
-__date__ = "02/04/09"
+__date__ = "26/03/10"
 __copyright__ = ""
 __license__ = "BSD - see LICENSE file in top-level directory"

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

@@ -18 +18 @@
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                     <ResourceAttributeDesignator
-                        AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
-                        ^/.*$
+                        ^http://www.localhost/.*$
                     </AttributeValue>
                 </ResourceMatch>
@@ -45 +45 @@
                 <Resource>
                     <!-- Pattern match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                         <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
-                            ^/test_securedURI.*$
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">
+                            ^http://localhost/test_securedURI.*$
                         </AttributeValue>
                     </ResourceMatch>
@@ -70 +70 @@
                     AttributeId="urn:siteA:security:authz:1.0:attr" 
                     MustBePresent="false" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    DataType="http://www.w3.org/2001/XMLSchema#string"
+                    Issuer="https://localhost:7443/AttributeAuthority"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                     <!-- 
@@ -77 +78 @@
                         from the applicable issuing attribute authority
                     -->
-                    <AttributeValue
-                        DataType="urn:ndg:security:1.0:authz:attributeType">
-                        <name DataType="http://www.w3.org/2001/XMLSchema#string">
-                            urn:siteA:security:authz:1.0:attr:staff
-                        </name>
-                        <issuer DataType="http://www.w3.org/2001/XMLSchema#string">
-                            http://localhost:7443/AttributeAuthority
-                        </issuer>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
+                        urn:siteA:security:authz:1.0:attr:staff
                     </AttributeValue>
                 </Apply>

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_context.py

@@ -82 +82 @@
         resourceAttribute.attributeValue = AttributeValue()
         resourceAttribute.attributeValue.value = \
-                            'file://example/med/record/patient/BartSimpson'
+                                        'http://www.localhost/test_securedURI'
 
         request.resources.append(resource)