Context Navigation

← Previous Change
Next Change →

Changeset 6783 for TI12-security/trunk/NDG_XACML

Timestamp:

29/03/10 17:07:31 (10 years ago)

Author:

pjkersha

Message:

Started work on processing for <Condition> statement of <Rule>.
Fixed ndg1.xml for correct Condition statement for setting a - user must have at least one of these roles - condition.

Location:

TI12-security/trunk/NDG_XACML/ndg/xacml

Files:

: 1 added
: 11 edited

core/__init__.py (modified) (5 diffs)
core/context/__init__.py (modified) (1 diff)
core/context/pdp.py (modified) (13 diffs)
core/context/result.py (modified) (4 diffs)
core/rule.py (modified) (2 diffs)
core/variabledefinition.py (modified) (2 diffs)
core/variablereference.py (added)
parsers/etree/applyreader.py (modified) (2 diffs)
parsers/etree/reader.py (modified) (2 diffs)
test/ndg1.xml (modified) (2 diffs)
test/rule2.xml (modified) (1 diff)
test/test_context.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDG_XACML/ndg/xacml/core/init.py

-                      r6774
+                      r6783
 class XacmlCoreBase(object):
+    """Base class for Policy and Policy subelements"""
+    XACML_2_0_XMLNS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+    """Base class for all XACML types"""
+    XACML_1_0_NS_PREFIX = "urn:oasis:names:tc:xacml:1.0"
+    XACML_2_0_NS_PREFIX = "urn:oasis:names:tc:xacml:2.0"
     __slots__ = ('__xmlns', '__reader', '__writer', '__elem')
 …
     def __init__(self):
         self.__xmlns = XacmlCoreBase.XACML_2_0_XMLNS
+        self.__xmlns = None
         self.__reader = None
         self.__writer = None
 …
     def _getXmlns(self):
+        """XML Namespace for this XACML type"""
         return self.__xmlns
     def _setXmlns(self, value):
+        """XML Namespace for this XACML type"""
         if not isinstance(value, basestring):
             raise TypeError('Expecting string type for "xmlns" '
 …
         self.__elem = value
+class XacmlPolicyBase(XacmlCoreBase):
+    """Base class for policy types"""
+    XACML_2_0_POLICY_NS = XACML_2_0_NS_PREFIX + ":policy:schema:os"
+    def __init__(self):
+        super(XacmlPolicyBase, self).__init__()
+        self.xmlns = XacmlPolicyBase.XACML_2_0_POLICY_NS
+class TargetChildBase(XacmlCoreBase):
+class TargetChildBase(XacmlPolicyBase):
     """Base type for XACML Policy Subject, Resource, Action and Environment
     types"""
 …
     def __init__(self):
+        super(TargetChildBase, self).__init__()
         # Derived types can specify the type for matches via the MATCH_TYPE
         # class variable

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/init.py

-                      r6776
+                      r6783
 __revision__ = "$Id: $"
 from ndg.xacml.utils import TypedList
+from ndg.xacml.core import XacmlContextBase
 from ndg.xacml.core.attribute import Attribute
 class XacmlContextBase(object):
+class XacmlContextBase(XacmlCoreBase):
     """Base class for XACML Request and Response types"""
     ELEMENT_LOCAL_NAME = None

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/pdp.py

-                      r6782
+                      r6783
 from ndg.xacml.core.context.pdpinterface import PDPInterface
+from ndg.xacml.core.rule import Effect
 from ndg.xacml.core.policy import Policy
+from ndg.xacml.core.apply import Apply
+from ndg.xacml.core.attributevalue import AttributeValue
+from ndg.xacml.core.variablereference import VariableReference
+from ndg.xacml.core.attributedesignator import AttributeDesignator
+from ndg.xacml.core.attributeselector import AttributeSelector
 from ndg.xacml.core.context.request import Request
 from ndg.xacml.core.context.response import Response
 from ndg.xacml.core.context.result import Result, Decision
+from ndg.xacml.core.context.result import StatusCode
 from ndg.xacml.core.functions import FunctionMap
-from ndg.xacml.parsers import AbstractReader
+class PDPError(Exception):
+    """Base class for PDP class exceptions"""
+    def __init__(self, *arg, **kw):
+        super(PDPError, self).__init__(*arg, **kw)
+        self.__response = Response()
+        self.__response.results.append(Result.createInitialised())
+        if len(arg) > 0:
+            self.__response.results[0].status.statusMessage = arg[0]
+    @property
+    def response(self):
+        """Context response object associated with this exception
+        """
+        return self.__response
+    @response.setter
+    def response(self, value):
+        if not isinstance(value, Response):
+            raise TypeError('Expecting %r type for "response" attribute; got '
+                            '%r instead' % (Response, type(Response)))
+        self.__response = value
+class UnsupportedFunctionError(PDPError):
+    """Encountered a function type that is not supported in this implementation
+    """
+    def __init__(self, *arg, **kw):
+        super(UnsupportedFunctionError, self).__init__(*arg, **kw)
+        self.response.results[0].status.statusCode = StatusCode.PROCESSING_ERROR
+class UnsupportedStdFunctionError(UnsupportedFunctionError):
+    """Encountered a function type that is not supported even though it is part
+    of the XACML spec."""
+class UnsupportedElementError(PDPError):
+    """Element type is not supported in this implementation"""
+    def __init__(self, *arg, **kw):
+        super(UnsupportedElementError, self).__init__(*arg, **kw)
+        self.response.results[0].status.statusCode = StatusCode.SYNTAX_ERROR
+class UnsupportedStdElementError(UnsupportedElementError):
+    """Element type is part of the XACML spec but is not suppored in this
+    implementation"""
 class PDP(PDPInterface):
     """A XACML Policy Decision Point implementation.  It supports the use of a
 …
             self.policy = policy
         self.matchFunc = FunctionMap.withLoadedMap()
+        self.functionMap = FunctionMap.withLoadedMap()
 …
             if not self.matchTarget(self.policy.target, request):
                 log.debug('No match for policy target setting Decision=%s',
+                log.debug('No match for policy target setting %r decision',
                           Decision.NOT_APPLICABLE_STR)
 …
             # Check rules
+            for rule in self.policy.rules:
+            ruleEffects = [Effect()]*len(self.policy.rules)
+            for rule, effect in zip(self.policy.rules, ruleEffects):
                 log.debug('Checking policy rule %r for match...', rule.id)
                 if not self.matchTarget(rule.target, request):
                     log.debug('No match to request context for target in rule '
                               '%r', rule.id)
+                    effect.value = Effect.PERMIT_STR
                     continue
                 # Apply the condition
+                self.appyCondition(rule.condition)
+        except:
+                effect = self.applyCondition(rule.condition)
+        except PDPError, e:
             log.error('Exception raised evaluating request context, returning '
                       'Decision=%s:%s',
+                      '%r decision:%s',
                       Decision.INDETERMINATE_STR,
                       traceback.format_exc())
             result.decision = Decision.INDETERMINATE
+            result.status.statusCode = e.response.results[0].status.statusCode
+        except Exception:
+            # Catch all so that nothing is handled from within the scope of this
+            # method
+            log.error('No PDPError type exception raised evaluating request '
+                      'context, returning %r decision:%s',
+                      Decision.INDETERMINATE_STR,
+                      traceback.format_exc())
+            result.decision = Decision.INDETERMINATE
+            result.status.statusCode = StatusCode.PROCESSING_ERROR
         return response
 …
                 continue
+            # Iterate over each for example, subject in the list of subjects or
+            # for example, resource in the list of resources and so on
+            # Iterate over each for example, subject in the list of subjects:
+            # <Target>
+            #     <Subjects>
+            #          <Subject>
+            #              ...
+            #          </Subject>
+            #          <Subject>
+            #              ...
+            #          </Subject>
+            #     ...
+            # or for example, resource in the list of resources and so on
             for targetSubElem in targetElem:
 …
     def matchTargetChild(self, targetChild, requestChild):
+        """Match a child (Subject, Resource, Action or Environment) from the
+        request context with a given target's child
+        """Match a request child element (a <Subject>, <Resource>, <Action> or
+        <Environment>) with the corresponding target's <Subject>, <Resource>,
+        <Action> or <Environment>.
         @param targetChild: Target Subject, Resource, Action or Environment
 …
         @return: True if request context matches something in the target
         @rtype: bool
         @raise NotImplementedError: AttributeSelector processing is not
+        @raise UnsupportedElementError: AttributeSelector processing is not
         currently supported.  If an AttributeSelector is found in the policy,
         this exception will be raised.
+        """
+        matchStatus = True
+        @raise UnsupportedStdFunctionError: policy references a function type
+        which is in the XACML spec. but is not supported by this implementation
+        @raise UnsupportedFunctionError: policy references a function type which
+        is not supported by this implementation
+        """
         if targetChild is None:
 …
             return True
+        matchStatusValues = [True]*len(targetChild.matches)
         # Section 7.6
 …
         # request context if the value of all its <SubjectMatch>,
         # <ResourceMatch>, <ActionMatch> or <EnvironmentMatch> elements,
+        # respectively, are âTrueâ.
+        for childMatch in targetChild.matches:
+        # respectively, are "True".
+        #
+        # e.g. for <SubjectMatch>es in <Subject> ...
+        for childMatch, matchStatus in zip(targetChild.matches,
+                                           matchStatusValues):
             # Get the match function from the Match ID
             matchFunc = self.matchFunc.get(childMatch.matchId)
+            matchFunc = self.functionMap.get(childMatch.matchId)
             if matchFunc is NotImplemented:
+                raise NotImplementedError('No match function implemented for '
+                                          'MatchId="%s"' % childMatch.matchId)
+            if matchFunc is None:
+                raise Exception('Match function namespace %r is not recognised'
+                                % childMatch.matchId)
+                raise UnsupportedStdFunctionError('No match function '
+                                                  'implemented for MatchId="%s"'
+                                                  % childMatch.matchId)
+            elif matchFunc is None:
+                raise UnsupportedFunctionError('Match function namespace %r is '
+                                               'not recognised' %
+                                               childMatch.matchId)
             matchAttributeValue = childMatch.attributeValue.value
 …
                 dataType = childMatch.attributeDesignator.dataType
                 # Issuer is an optional match - see core spec 7.2.4
+                # Issuer is an optional match - see core spec. 7.2.4
                 issuer = childMatch.attributeDesignator.issuer
                 if issuer is not None:
 …
                 # it's XML representation and an abstraction of the XML parser
                 # for executing XPath searches into that representation
                 raise NotImplementedError('This PDP implementation does not '
                                           'support <AttributeSelector> '
                                           'elements')
+                raise UnsupportedElementError('This PDP implementation does '
+                                              'not support <AttributeSelector> '
+                                              'elements')
             else:
                 _attributeMatch = lambda requestChildAttribute: (
 …
                                     requestChildAttribute.attributeValue.value)
+                )
+            for attribute in requestChild.attributes:
+                if _attributeMatch(attribute) == True:
+            # Iterate through each attribute in the request in turn matching it
+            # against the target using the generated _attributeMatch function
+            #
+            # Any Match element NOT matching will result in an overall status of
+            # no match.
+            #
+            # Continue iterating through the whole list even if a False status
+            # is found.  The other attributes need to be checked in case an
+            # error occurs.  In this case the top-level PDP exception handling
+            # block will catch it and set an overall decision of INDETERMINATE
+            attrMatchStatusValues = [False]*len(requestChild.attributes)
+            for attribute, attrMatchStatus in zip(requestChild.attributes,
+                                                  attrMatchStatusValues):
+                attrMatchStatus = _attributeMatch(attribute)
+                if attrMatchStatus == True:
                     if log.getEffectiveLevel() <= logging.DEBUG:
                         log.debug('Request attribute %r set to %r matches '
 …
                                   attribute.attributeValue.value)
+                    # Default status is True - any *Match element NOT matching
+                    # will result in an overall status of no match
+                else:
+                    # Don't return here but set the status to False.  The other
+                    # attributes need to be checked in case an error occurs.
+                    # In this case the top-level PDP exception handling block
+                    # will catch it and set an overall decision of INDETERMINATE
+                    matchStatus = False
+        return matchStatus
+    def applyCondition(self, condition):
+        """Apply a rule condition"""
+            matchStatus = all(attrMatchStatusValues)
+        # Any match => overall match
+        return any(matchStatusValues)
+    def evaluateCondition(self, condition):
+        """Evaluate a rule condition"""
+        # Spec:
+        #
+        # "The condition value SHALL be "True" if the <Condition> element is
+        # absent"
+        if condition is None:
+            return True
+        applyElem = condition.expression
+        if not isinstance(applyElem, Apply):
+            raise UnsupportedElementError('%r type <Condition> sub-element '
+                                          'processing is not supported in this '
+                                          'implementation' % applyElem)
+        result = self.evaluateApplyStatement(applyElem)
+    def evaluateApplyStatement(self, applyElem):
+        """Evaluate a given Condition <Apply> statement"""
+        # Get function for this <Apply> statement
+        func = self.functionMap.get(applyElem.functionId)
+        if func is NotImplemented:
+            raise UnsupportedStdFunctionError('No match function '
+                                              'implemented for MatchId="%s"'
+                                              % applyElem.functionId)
+        elif func is None:
+            raise UnsupportedFunctionError('<Apply> function namespace %r is '
+                                           'not recognised' %
+                                           applyElem.functionId)
+        inputMarshallerMap = {
+            Apply: self.evaluateApplyStatement,
+            AttributeValue: self.evaluateAttributeValueStatement,
+            AttributeDesignator: self.evaluateAttributeDesignator,
+            AttributeSelector: NotImplemented,
+            VariableReference: NotImplemented
+        }
+        # Marshall inputs
+        funcInputs = ()*len(applyElem.expressions)
+        for i, expression in enumerate(applyElem.expressions):
+            marshaller = inputMarshallerMap.get(expression.__class__)
+            if marshaller is NotImplemented:
+                raise UnsupportedStdElementError('%r type <Apply> sub-element '
+                                                 'processing is not supported '
+                                                 'in this implementation' %
+                                                 expression)
+            elif marshaller is None:
+                raise UnsupportedElementError('%r type <Apply> sub-element '
+                                              'processing is not supported in '
+                                              'this implementation' %
+                                              expression)
+            funcInputs[i] = marshaller(self, expression)
+        # Execute function on the retrieved inputs
+        result = func(*funcInputs)
+        # Pass the result back to the parent <Apply> element
+        return result
+    def evaluateAttributeValueStatement(self, attributeValue):
+        return
+    def evaluateAttributeDesignator(self):
+        pass

TI12-security/trunk/NDG_XACML/ndg/xacml/core/context/result.py

-                      r6777
+                      r6783
 log = logging.getLogger(__name__)
+from ndg.xacml.core import XacmlBase
 from ndg.xacml.core.context import XacmlContextBase
 from ndg.xacml.core.obligation import Obligation
 …
     ELEMENT_LOCAL_NAME = "StatusCode"
+    IDENTIFIER_PREFIX = XacmlContextBase.XACML_1_0_NS_PREFIX + ':status'
+    OK = IDENTIFIER_PREFIX + ":ok"
+    MISSING_ATTRIBUTE = IDENTIFIER_PREFIX + ":missing-attribute"
+    PROCESSING_ERROR = IDENTIFIER_PREFIX + ":processing-error"
+    SYNTAX_ERROR = IDENTIFIER_PREFIX + ":syntax-error"
+    CODES = (OK, MISSING_ATTRIBUTE, PROCESSING_ERROR, SYNTAX_ERROR)
     __slots__ = ('__value', '__childStatusCode',)
 …
         self.__statusDetail = None
+    @classmethod
+    def createInitialised(cls, code=StatusCode.OK, message='', detail=''):
+        """Create with an empty StatusCode object set
+        """
+        status = cls()
+        status.statusCode = StatusCode()
+        status.statusCode.value = code
+        status.statusCode.statusMessage = message
+        status.statusCode.statusDetail = detail
+        return status
     def _getStatusCode(self):
         '''
 …
         self.__obligations = None
+    @classmethod
+    def createInitialised(cls,
+                          decision=Decision.NOT_APPLICABLE,
+                          resourceId='',
+                          obligations=None
+                          **kw):
+        """Create a result object populated with all it's child elements
+        rather than set to None as is the default from __init__
+        @return: new result object with all its child attributes created
+        @rtype: ndg.xacml.core.context.result.Result
+        """
+        result = cls()
+        result.decision = Decision()
+        result.decision.value = decision
+        result.status = Status.createInitialised(**kw)
+        if obligations is not None:
+            result.obligations = obligations
+        return result
     @property
     def resourceId(self):

TI12-security/trunk/NDG_XACML/ndg/xacml/core/rule.py

-                      r6770
+                      r6783
 from ndg.xacml.core.target import Target
 from ndg.xacml.core.condition import Condition
+class Effect(object):
+    """Rule Effect"""
+    DENY_STR = 'Deny'
+    PERMIT_STR = 'Permit'
+    TYPES = (DENY_STR, PERMIT_STR)
+    __slots__ = ('__value',)
+    def __init__(self):
+        self.__value = Effect.DENY_STR
+    def __getstate__(self):
+        '''Enable pickling'''
+        _dict = {}
+        for attrName in Effect.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_Effect" + attrName
+            _dict[attrName] = getattr(self, attrName)
+        return _dict
+    def __setstate__(self, attrDict):
+        '''Enable pickling'''
+        for attrName, val in attrDict.items():
+            setattr(self, attrName, val)
+    def _setValue(self, value):
+        if isinstance(value, Effect):
+            # Cast to string
+            value = str(value)
+        elif not isinstance(value, basestring):
+            raise TypeError('Expecting string or Effect instance for '
+                            '"value" attribute; got %r instead' % type(value))
+        if value not in self.__class__.TYPES:
+            raise AttributeError('Permissable effect types are %r; got '
+                                 '%r instead' % (Effect.TYPES, value))
+        self.__value = value
+    def _getValue(self):
+        return self.__value
+    value = property(fget=_getValue, fset=_setValue, doc="Effect value")
+    def __str__(self):
+        return self.__value
+    def __eq__(self, effect):
+        if isinstance(effect, Effect):
+            # Cast to string
+            value = effect.value
+        elif isinstance(effect, basestring):
+            value = effect
+        else:
+            raise TypeError('Expecting string or Effect instance for '
+                            'input effect value; got %r instead' % type(value))
+        if value not in self.__class__.TYPES:
+            raise AttributeError('Permissable effect types are %r; got '
+                                 '%r instead' % (Effect.TYPES, value))
+        return self.__value == value
+class PermitEffect(Effect):
+    """Permit authorisation Effect"""
+    __slots__ = ()
+    def __init__(self):
+        super(PermitEffect, self).__init__(Effect.PERMIT_STR)
+    def _setValue(self):
+        raise AttributeError("can't set attribute")
+class DenyEffect(Effect):
+    """Deny authorisation Effect"""
+    __slots__ = ()
+    def __init__(self):
+        super(DenyEffect, self).__init__(Effect.DENY_STR)
+    def _setValue(self, value):
+        raise AttributeError("can't set attribute")
+# Add instances of each for convenience
+Effect.PERMIT = PermitEffect()
+Effect.DENY = DenyEffect()
 …
     def _set_effect(self, value):
         if not isinstance(value, basestring):
+        if not isinstance(value, Effect):
             raise TypeError('Expecting %r type for "effect" '
                             'attribute; got %r' % (basestring, type(value)))

TI12-security/trunk/NDG_XACML/ndg/xacml/core/variabledefinition.py

-                      r6745
+                      r6783
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
+from ndg.xacml.core import XacmlPolicyBase
+class VariableDefinition(object):
+    '''
     classdocs
+class VariableDefinition(XacmlPolicyBase):
+    '''XACML Variable Definition Type
     '''
     ELEMENT_LOCAL_NAME = "VariableDefinition"
 …
     def __init__(self):
+        '''
+        Constructor
+        '''
+        '''This class not needed yet'''
+        raise NotImplementedError()

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/etree/applyreader.py

-                      r6774
+                      r6783
 from ndg.xacml.core.apply import Apply
 from ndg.xacml.core.attributevalue import AttributeValue
+from ndg.xacml.core.variablereference import VariableReference
 from ndg.xacml.core.attributeselector import AttributeSelector
 from ndg.xacml.core.attributedesignator import (SubjectAttributeDesignator,
 …
                                           'implemented', localName)
+            elif (localName ==
+                  self.__class__.VARIABLE_REFERENCE_ELEMENT_LOCAL_NAME):
+            elif (localName == VariableReference.ELEMENT_LOCAL_NAME):
                 raise NotImplementedError('%r Apply sub-element not '
                                           'implemented', localName)

TI12-security/trunk/NDG_XACML/ndg/xacml/parsers/etree/reader.py

-                      r6770
+                      r6783
 from xml.etree import ElementTree
 from ndg.xacml.core import XacmlCoreBase
+from ndg.xacml.core import XacmlPolicyBase
 from ndg.xacml.parsers import AbstractReader
 …
         self.__namespace_map_backup = ElementTree._namespace_map.copy()
         ElementTree._namespace_map[''] = XacmlCoreBase.XACML_2_0_XMLNS
+        ElementTree._namespace_map[''] = XacmlPolicyBase.XACML_2_0_POLICY_NS
     def __del__(self):

TI12-security/trunk/NDG_XACML/ndg/xacml/test/ndg1.xml

-                      r6782
+                      r6783
             something more specific
         -->
         <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+        <Condition>
             <!--
                 The user must have at least one of the roles set - in this
 …
                     Issuer="https://localhost:7443/AttributeAuthority"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <!--
-                        A custom attribute type is used for NDG Security because
-                        the PDP needs to ask the PIP to retrieve user attributes
-                        from the applicable issuing attribute authority
-                    -->
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
+                        urn:siteA:security:authz:1.0:attr:staff
+                        staff
+                    </AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
+                        admin
+                    </AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
+                        postdoc
                     </AttributeValue>
                 </Apply>

TI12-security/trunk/NDG_XACML/ndg/xacml/test/rule2.xml

-                      r6754
+                      r6783
     PolicyId="urn:oasis:names:tc:xacml:2.0:example:policyid:2"
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+<!--
     <PolicyDefaults>
         <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
     </PolicyDefaults>
+-->
     <Target/>
 <!--
+<!-- VariableDefinition is not currently implemented 29/03/10
     <VariableDefinition VariableId="17590035">
         <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:date-less-or-equal">

TI12-security/trunk/NDG_XACML/ndg/xacml/test/test_context.py

-                      r6782
+                      r6783
         result = Result()
         response.results.append(result)
+        result.decision = Decision.value = Decision.NOT_APPLICABLE
+        result.decision = Decision()
+        result.decision.value = Decision.NOT_APPLICABLE
     def test03AbstractCtxHandler(self):

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: