Context Navigation

← Previous Changeset
Next Changeset →

Changeset 7443

Timestamp:

03/09/10 14:42:43 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

Overhaul of test_context unit tests to make a more comprehensive test of policy rule evaluation.

Location:

TI12-security/trunk/ndg_xacml/ndg/xacml

Files:

: 3 edited

core/context/result.py (modified) (1 diff)
test/ndg1.xml (modified) (5 diffs)
test/test_context.py (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/ndg_xacml/ndg/xacml/core/context/result.py

r7108	r7443
378	378	'%r instead' % (Decision.TYPES, value))
379	379
380		return self.__value == value
	380	return self.__value == value
381	381
382	382

TI12-security/trunk/ndg_xacml/ndg/xacml/test/ndg1.xml

-                      r7351
+                      r7443
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
 …
     <!-- Deny everything by default -->
     <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
+    <Rule RuleId="DenyAllRule" Effect="Deny"/>
     <!--
         Following rules punch holes through the deny everything rule above
 …
         Policy element above
     -->
     <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
+    <Rule RuleId="ResourceBased" Effect="Permit">
         <!--
+            Rule target(s) define which requests apply to the particular rule
+            Resource based restriction only
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/resource-only-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+    <Rule RuleId="SingleSubjectRoleBased" Effect="Permit">
+        <!--
+            Allow access based on a single subject role
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator
+                            AttributeId="urn:ndg:security:authz:1.0:attr"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+    <Rule RuleId="SingleSubjectRoleBasedWithAction" Effect="Permit">
+        <!--
+            Allow access based on a single subject role and given action
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator
+                            AttributeId="urn:ndg:security:authz:1.0:attr"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/action-and-single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+            <Actions>
+                <Action>
+                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+                        <ActionAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </ActionMatch>
+                </Action>
+            </Actions>
+        </Target>
+    </Rule>
+    <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
+        <!--
+            Subject must have at least one of a group of roles
+            Resource id is a regular expression
         -->
         <Target>
 …
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
 …
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
+                        <ResourceAttributeDesignator AttributeId="urn:ndg:security:authz:1.0:attr:resourceURI" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                     </ResourceMatch>
                 </Resource>

TI12-security/trunk/ndg_xacml/ndg/xacml/test/test_context.py

-                      r7111
+                      r7443
 from ndg.xacml.test import XACML_NDGTEST1_FILEPATH
 from ndg.xacml.parsers.etree.factory import ReaderFactory
+from ndg.xacml.core import Identifiers
 from ndg.xacml.core.context.pdpinterface import PDPInterface
 from ndg.xacml.core.context.pdp import PDP
 from ndg.xacml.core.context.handler import CtxHandlerInterface
 from ndg.xacml.core.attribute import Attribute
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory
+from ndg.xacml.core.attributevalue import (AttributeValue,
+                                           AttributeValueClassFactory)
 from ndg.xacml.core.context.request import Request
 from ndg.xacml.core.context.response import Response
 …
 from ndg.xacml.core.context.action import Action
+attributeValueFactory = AttributeValueClassFactory()
+AnyUriAttributeValue = attributeValueFactory(AttributeValue.ANY_TYPE_URI)
+StringAttributeValue = attributeValueFactory(AttributeValue.STRING_TYPE_URI)
+ROLE_ATTRIBUTE_ID = "urn:ndg:security:authz:1.0:attr"
+SUBJECT_ID = 'https://my.name.somewhere.ac.uk'
 class TestContextHandler(CtxHandlerInterface):
+    """Test implementation of Context Handler"""
+    """Test implementation of Context Handler which includes an implemented PIP
+    interface"""
     def __init__(self):
 …
         # Convert myRequest to XACML context request - var assignment here is
         # representative of this process rather than actually doing anything.
         request = myRequest
+        xacmlRequest = myRequest
         if self.pdp is None:
             raise TypeError('No "pdp" attribute set')
+        response = self.pdp.evaluate(request)
+        # Add a reference to this context so that the PDP can invoke queries
+        # back to the PIP
+        xacmlRequest.ctxHandler = self
+        xacmlResponse = self.pdp.evaluate(xacmlRequest)
         # Convert XACML context response to domain specific request
         myResponse = response
+        myResponse = xacmlResponse
         return myResponse
+class XACMLContextTestCase(unittest.TestCase):
+    """Test PDP, PAP, PIP and Context handler"""
+    def _createRequestCtx(self):
+    def pipQuery(self, request, designator):
+        '''PIP adds admin attribute value for given attribute ID and for any
+        subject'''
+        if designator.attributeId == ROLE_ATTRIBUTE_ID:
+            attrVal = StringAttributeValue(value='admin')
+            return [attrVal]
+        else:
+            return None
+class XacmlContextBaseTestCase(unittest.TestCase):
+    """Base class containing common methods for test initialisation"""
+    def _createRequestCtx(self,
+                          resourceId,
+                          includeSubject=True,
+                          subjectRoles=('staff',),
+                          roleAttributeId=ROLE_ATTRIBUTE_ID,
+                          action='read'):
+        """Create an example XACML Request Context for tests"""
         request = Request()
+        subject = Subject()
+        attributeValueFactory = AttributeValueClassFactory()
+        openidSubjectAttribute = Attribute()
+        roleAttribute = Attribute()
+        openidSubjectAttribute.attributeId = "urn:esg:openid"
+        AnyUriAttributeValue = attributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#anyURI')
+        openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
+        openidSubjectAttribute.attributeValues.append(AnyUriAttributeValue())
+        openidSubjectAttribute.attributeValues[-1].value = \
+                                    'https://my.name.somewhere.ac.uk'
+        subject.attributes.append(openidSubjectAttribute)
+        StringAttributeValue = attributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#string')
+        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
+        roleAttribute.dataType = StringAttributeValue.IDENTIFIER
+        roleAttribute.attributeValues.append(StringAttributeValue())
+        roleAttribute.attributeValues[-1].value = 'staff'
+        subject.attributes.append(roleAttribute)
+        request.subjects.append(subject)
+        if includeSubject:
+            subject = Subject()
+            openidSubjectAttribute = Attribute()
+            openidSubjectAttribute.attributeId = "urn:esg:openid"
+            openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
+            openidSubjectAttribute.attributeValues.append(
+                                                        AnyUriAttributeValue())
+            openidSubjectAttribute.attributeValues[-1].value = SUBJECT_ID
+            subject.attributes.append(openidSubjectAttribute)
+            for role in subjectRoles:
+                roleAttribute = Attribute()
+                roleAttribute.attributeId = roleAttributeId
+                roleAttribute.dataType = StringAttributeValue.IDENTIFIER
+                roleAttribute.attributeValues.append(StringAttributeValue())
+                roleAttribute.attributeValues[-1].value = role
+                subject.attributes.append(roleAttribute)
+            request.subjects.append(subject)
         resource = Resource()
 …
         resource.attributes.append(resourceAttribute)
+        resourceAttribute.attributeId = \
+                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+        resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID
         resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
         resourceAttribute.attributeValues.append(AnyUriAttributeValue())
+        resourceAttribute.attributeValues[-1].value = \
+                                            'http://localhost/test_securedURI'
+        resourceAttribute.attributeValues[-1].value = resourceId
         request.resources.append(resource)
 …
         request.action.attributes.append(actionAttribute)
+        actionAttribute.attributeId = \
+                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
+        actionAttribute.attributeId = Identifiers.Action.ACTION_ID
         actionAttribute.dataType = StringAttributeValue.IDENTIFIER
         actionAttribute.attributeValues.append(StringAttributeValue())
         actionAttribute.attributeValues[-1].value = 'read'
+        actionAttribute.attributeValues[-1].value = action
         return request
+    def _createPDPfromPolicy(self):
+        pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory)
+        return pdp
+class XacmlContextTestCase(XacmlContextBaseTestCase):
+    """Test PDP, PAP, PIP and Context handler"""
     def test01CreateRequest(self):
         requestCtx = self._createRequestCtx()
+        requestCtx = self._createRequestCtx("http://localhost")
         self.assert_(requestCtx)
 …
         self.assert_(pdp)
-    def _createPDPfromPolicy(self):
-        pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory)
-        return pdp
     def test07CreatePDPfromPolicy(self):
         pdp = self._createPDPfromPolicy()
         self.assert_(pdp)
+    def test08EvaluatePDP(self):
+        request = self._createRequestCtx()
+        pdp = self._createPDPfromPolicy()
+        response = pdp.evaluate(request)
+        self.assert_(response)
+class XacmlEvalPdpWithPermitOverridesPolicy(XacmlContextBaseTestCase):
+    """Test PDP with permit overrides rule combining algorithm"""
+    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
+    # This could be any applicable resource value, provided there's no rule to
+    # override and enable access
+    PRIVATE_RESOURCE_ID = 'http://localhost/private-resource'
+    PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted'
+    NOT_APPLICABLE_RESOURCE_ID = 'https://localhost'
+    SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
+        'http://localhost/single-subject-role-restricted'
+    ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \
+        'http://localhost/action-and-single-subject-role-restricted'
+    AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
+        'http://localhost/at-least-of-subject-role-restricted'
+    def setUp(self):
+        self.pdp = self._createPDPfromPolicy()
+    def test01NotApplicable(self):
+        # Set a resource Id that doesn't match the main target
+        request = self._createRequestCtx(
+                                    self.__class__.NOT_APPLICABLE_RESOURCE_ID)
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.NOT_APPLICABLE,
+                        "Expecting not applicable decision")
+    def test02PublicallyAccessibleResource(self):
+        # Test a resource which has no subject restrictions
+        request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID,
+                                         includeSubject=False)
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.PERMIT,
+                        "Expecting Permit decision")
+    def test03PrivateResource(self):
+        request = self._createRequestCtx(
+                                    self.__class__.PRIVATE_RESOURCE_ID)
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.DENY,
+                        "Expecting Deny decision")
+    def test04SingleSubjectRoleRestrictedResource(self):
+        # Access based on a resource ID and single subject role
+        request = self._createRequestCtx(
+                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.PERMIT,
+                        "Expecting Permit decision")
+    def test05SingleSubjectRoleRestrictedResourceDeniesAccess(self):
+        # Subject doesn't have the required role for access
+        request = self._createRequestCtx(
+                            self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
+                            subjectRoles=('student',))
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.DENY,
+                        "Expecting Deny decision")
+    def test06ActionAndSingleSubjectRoleRestrictedResource(self):
+        # Test restriction based on action type as well as subject role
+        request = self._createRequestCtx(
+                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID)
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.PERMIT,
+                        "Expecting Permit decision")
+    def test07ActionAndSingleSubjectRoleRestrictedResourceDeniesAccess(self):
+        # Test subject requests invalid action type
+        request = self._createRequestCtx(
+                    self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID,
+                    action='write')
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.DENY,
+                        "Expecting Deny decision")
+    def test08AtLeastOneSubjectRoleResource(self):
+        # Test at least one member function
+        request = self._createRequestCtx(
+                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
+                    action='write')
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.PERMIT,
+                        "Expecting Permit decision")
+    def test09AtLeastOneSubjectRoleResourceDeniesAccess(self):
+        # Test at least one member function where subject doesn't have one of
+        # the required roles
+        request = self._createRequestCtx(
+                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
+                    subjectRoles=('student',))
+        response = self.pdp.evaluate(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.DENY,
+                        "Expecting Deny decision")
+    def test10PipAddsRequiredAttributeValToEnableAccess(self):
+        # The PDP is part of a context handler with a PIP which adds subject
+        # attributes under prescribed conditions on the evaluation of
+        # subject attribute designators.  In this case the addition of the PIP
+        # adds an attribute value to one of the subject's attributes which means
+        # they're granted access where otherwise access would be denied
+        ctxHandler = TestContextHandler()
+        ctxHandler.pdp = self.pdp
+        request = self._createRequestCtx(
+                    self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
+                    subjectRoles=('student',))
+        response = ctxHandler.handlePEPRequest(request)
+        self.failIf(response is None, "Null response")
+        for result in response.results:
+            self.failIf(result.decision != Decision.PERMIT,
+                        "Expecting PERMIT decision")
 if __name__ == "__main__":
     unittest.main()

Note: See TracChangeset for help on using the changeset viewer.