Changeset 7050 for TI12-security


Timestamp:
21/06/10 16:38:55 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • added deny-overrides rule combining algorithm implementation
Location:
TI12-security/trunk/NDG_XACML/ndg/xacml/core
Files:
2 edited

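--- a/TI12-security/trunk/NDG_XACML/ndg/xacml/core/policy.py
+++ b/TI12-security/trunk/NDG_XACML/ndg/xacml/core/policy.py
@@ -183,7 +183,8 @@
         ruleCombiningAlgClass = self.__ruleCombiningAlgFactory(
                                                     self.__ruleCombiningAlgId)
-        if not issubclass(ruleCombiningAlgClass, RuleCombiningAlgInterface):
+        if (not isinstance(ruleCombiningAlgClass, type) or
+            not issubclass(ruleCombiningAlgClass, RuleCombiningAlgInterface)):
             raise TypeError('Expecting %r derived type for rule combining '
-                            'algorithm class; got %r' %
+                            'algorithm class; got %r type' %
                             (RuleCombiningAlgInterface, ruleCombiningAlgClass))
             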
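Review bot: The new `isinstance(..., type)` guard stops `issubclass()` from raising its own TypeError when the factory hands back a non-class, but the error it produces for an unrecognised combining-algorithm id would read `got None type` with nothing identifying which id was looked up, and that id presumably originates in the policy document being loaded. Include it in the message so a rejected policy can be diagnosed from the log: `'algorithm class for id %r; got %r type' % (RuleCombiningAlgInterface, self.__ruleCombiningAlgId, ruleCombiningAlgClass)`. One caveat for this 2010-era code base: on Python 2 an old-style class is not an instance of `type`, so a legacy algorithm implementation would now be refused by the first half of the condition — fine if RuleCombiningAlgInterface is new-style, which this hunk does not show. The enclosing method starts and ends outside the hunk.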
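--- a/TI12-security/trunk/NDG_XACML/ndg/xacml/core/rule_combining_alg.py
+++ b/TI12-security/trunk/NDG_XACML/ndg/xacml/core/rule_combining_alg.py
@@ -48,4 +48,55 @@
         """
         return Decision.INDETERMINATE
+
+class DenyOverridesRuleCombiningAlg(RuleCombiningAlgInterface):
+    """Deny overrides rule combining algorithm"""
+    
+    def evaluate(self, rules, context):
+        """Combine the input rule results to make an access control decision.
+        Implementation taken direct from XACML 2.0 spec. pseudo code - Section
+        C.1 Deny Overrides
+        
+        @param rules: rules from the policy.  Decisions from these will be put
+        together into a single decision by this algorithm
+        @type rules: TypedList(<ndg.xacml.core.rule.Rule>)
+        @param context: request context to apply to the rules
+        @type context: ndg.xacml.core.request.Request
+        @return: resulting overall access control decision
+        @rtype: ndg.xacml.core.context.result.Decision
+        """
+        atLeastOneError = False
+        potentialDeny = False
+        atLeastOnePermit = False
+        
+        for rule in rules:
+            decision = rule.evaluate(context)
+            if decision == Decision.DENY:
+                return Decision.DENY
+
+            if decision == Decision.PERMIT:
+                atLeastOnePermit = True
+                continue
+            
+            if decision == Decision.NOT_APPLICABLE:
+                continue
+            
+            if decision == Decision.INDETERMINATE:
+                atLeastOneError = True
+    
+                if effect(rule) == Decision.DENY:
+                    potentialDeny = True
+                    
+                continue
+
+        if potentialDeny:
+            return Decision.INDETERMINATE
+
+        elif atLeastOnePermit:
+            return Decision.PERMIT
+        
+        elif atLeastOneError:
+            return Decision.INDETERMINATE
+        else:
+            return Decision.NOT_APPLICABLE
 
 
@@ -110,7 +161,9 @@
     
     # Permit overrides is the only one currently implemented
-    DEFAULT_MAP[
-        'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides'
-        ] = PermitOverridesRuleCombiningAlg
+    DEFAULT_MAP.update({
+    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides':
+        DenyOverridesRuleCombiningAlg,       
+    'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides':
+        PermitOverridesRuleCombiningAlg
+    })
     
     def __init__(self, map=DEFAULT_MAP):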
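Review bot: `effect(rule)` on the INDETERMINATE branch of DenyOverridesRuleCombiningAlg.evaluate is not defined anywhere in this hunk; unless a module-level `effect` helper exists elsewhere in rule_combining_alg.py (the commit message itself calls the task incomplete), the first rule that evaluates to Indeterminate will raise NameError out of the PDP instead of yielding the conservative Indeterminate result the spec's C.1 pseudo-code calls for, and this path is easy to miss in tests that only exercise Permit/Deny rules. The spec's Effect(rule) is the rule's own declared effect, so the comparison should read the effect from the rule object and compare it with whatever value the Rule class uses for a Deny effect — confirm against ndg.xacml.core.rule — rather than with `Decision.DENY`. The context comment `# Permit overrides is the only one currently implemented` immediately above `DEFAULT_MAP.update({` is now stale and should be removed or reworded to name both registered algorithms.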