# NOTE(review): this Epydoc rendering collapsed the module onto a few physical
# lines and dropped the `class` / `def` header lines (the gaps at original
# lines 20-21, 43, 53, 63, ... and the `if __name__` block fused in at 42/155),
# so the test method names are not recoverable here. The points below refer to
# the visible method bodies and class attributes only.
#
# 1. Vacuous pass on empty results. Every case checks the decision with
#        for result in response.results:
#            self.failIf(result.decision != Decision.DENY, "...")
#    which is satisfied trivially when `response.results` is empty. For an
#    authorization PDP that is the wrong default: a regression that returns a
#    response with no results would turn every "Expecting Deny decision" case
#    green without a single Deny being observed. Each loop should be preceded
#    by an explicit non-empty check, e.g.
#        self.assertTrue(response.results, "PDP returned no results")
#    (or an assertion on the expected result count).
#
# 2. `failIf` is the deprecated alias of `assertFalse` (removed in Python
#    3.12). `self.assertEqual(result.decision, Decision.DENY)` is the direct
#    form and produces a more useful failure message than the negated compare.
#
# 3. Duplicate definitions: `__contact__` is assigned twice in the module
#    header (original lines 9 and 11) and `NOT_APPLICABLE_RESOURCE_ID` twice in
#    the class body (original lines 24 and 31). Same values, so harmless, but
#    the second copy of each should be deleted.
#
# 4. `logging.basicConfig(level=logging.DEBUG)` runs at import time, so any
#    runner that imports this module gets DEBUG logging for the whole process;
#    whatever the PDP/context handler logs at that level (presumably request
#    details such as resource IDs and subject roles - not verifiable from this
#    file) would then land in CI output. Prefer configuring it under the
#    `if __name__ == "__main__":` guard.
#
# 5. The final case shows a PIP adding a subject attribute value that flips
#    the decision from Deny to Permit for a subject holding only 'student'.
#    That is the intended behaviour under test, but it makes the PIP a trust
#    boundary: whatever attribute source it consults must be authenticated, or
#    a spoofed attribute grants access. Worth stating in that method's
#    docstring, together with a companion negative case where the PIP supplies
#    no matching value and the decision stays Deny.
1 #!/usr/bin/env python 2 """NDG XACML PDP unit tests 3 4 NERC DataGrid 5 """ 6 __author__ = "P J Kershaw" 7 __date__ = "28/10/10" 8 __copyright__ = "(C) 2010 Science and Technology Facilities Council" 9 __contact__ = "Philip.Kershaw@stfc.ac.uk" 10 __license__ = "BSD - see LICENSE file in top-level directory" 11 __contact__ = "Philip.Kershaw@stfc.ac.uk" 12 __revision__ = "$Id$" 13 import unittest 14 import logging 15 logging.basicConfig(level=logging.DEBUG) 16 17 from ndg.xacml.core.context.result import Decision 18 from ndg.xacml.test.context import XacmlContextBaseTestCase, TestContextHandler 19 2022 """Test PDP with permit overrides rule combining algorithm""" 23 24 NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 25 26 # This could be any applicable resource value, provided there's no rule to 27 # override and enable access 28 PRIVATE_RESOURCE_ID = 'http://localhost/private-resource' 29 30 PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted' 31 NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 32 33 SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 34 'http://localhost/single-subject-role-restricted' 35 ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 36 'http://localhost/action-and-single-subject-role-restricted' 37 AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \ 38 'http://localhost/at-least-one-of-subject-role-restricted' 39 42155 156 157 if __name__ == "__main__": 158 unittest.main() 15944 # Set a resource Id that doesn't match the main target 45 request = self._createRequestCtx( 46 self.__class__.NOT_APPLICABLE_RESOURCE_ID) 47 response = self.pdp.evaluate(request) 48 self.failIf(response is None, "Null response") 49 for result in response.results: 50 self.failIf(result.decision != Decision.NOT_APPLICABLE, 51 "Expecting not applicable decision")5254 # Test a resource which has no subject restrictions 55 request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID, 56 includeSubject=False) 57 response = self.pdp.evaluate(request) 58 self.failIf(response is 
None, "Null response") 59 for result in response.results: 60 self.failIf(result.decision != Decision.PERMIT, 61 "Expecting Permit decision")6264 request = self._createRequestCtx( 65 self.__class__.PRIVATE_RESOURCE_ID) 66 response = self.pdp.evaluate(request) 67 self.failIf(response is None, "Null response") 68 for result in response.results: 69 self.failIf(result.decision != Decision.DENY, 70 "Expecting Deny decision")7173 # Access based on a resource ID and single subject role 74 request = self._createRequestCtx( 75 self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 76 response = self.pdp.evaluate(request) 77 self.failIf(response is None, "Null response") 78 for result in response.results: 79 self.failIf(result.decision != Decision.PERMIT, 80 "Expecting Permit decision")8183 # Subject doesn't have the required role for access 84 request = self._createRequestCtx( 85 self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 86 subjectRoles=('student',)) 87 response = self.pdp.evaluate(request) 88 self.failIf(response is None, "Null response") 89 for result in response.results: 90 self.failIf(result.decision != Decision.DENY, 91 "Expecting Deny decision")9294 # Test restriction based on action type as well as subject role 95 request = self._createRequestCtx( 96 self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 97 response = self.pdp.evaluate(request) 98 self.failIf(response is None, "Null response") 99 for result in response.results: 100 self.failIf(result.decision != Decision.PERMIT, 101 "Expecting Permit decision")102104 # Test subject requests invalid action type 105 request = self._createRequestCtx( 106 self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 107 action='write') 108 response = self.pdp.evaluate(request) 109 self.failIf(response is None, "Null response") 110 for result in response.results: 111 self.failIf(result.decision != Decision.DENY, 112 "Expecting Deny decision")113115 # Test at least one member function 116 request = 
self._createRequestCtx( 117 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 118 action='write') 119 response = self.pdp.evaluate(request) 120 self.failIf(response is None, "Null response") 121 for result in response.results: 122 self.failIf(result.decision != Decision.PERMIT, 123 "Expecting Permit decision")124126 # Test at least one member function where subject doesn't have one of 127 # the required roles 128 request = self._createRequestCtx( 129 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 130 subjectRoles=('student',)) 131 response = self.pdp.evaluate(request) 132 self.failIf(response is None, "Null response") 133 for result in response.results: 134 self.failIf(result.decision != Decision.DENY, 135 "Expecting Deny decision")136138 # The PDP is part of a context handler with a PIP which adds subject 139 # attributes under prescribed conditions on the evaluation of 140 # subject attribute designators. In this case the addition of the PIP 141 # adds an attribute value to one of the subject's attributes which means 142 # they're granted access where otherwise access would be denied 143 ctxHandler = TestContextHandler() 144 ctxHandler.pdp = self.pdp 145 146 request = self._createRequestCtx( 147 self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 148 subjectRoles=('student',)) 149 150 response = ctxHandler.handlePEPRequest(request) 151 self.failIf(response is None, "Null response") 152 for result in response.results: 153 self.failIf(result.decision != Decision.PERMIT, 154 "Expecting PERMIT decision")