Home       Trees       Indices       Help   
NDG XACML
Package ndg :: Package xacml :: Package test :: Package context :: Module test_pdp
[hide private]

Source Code for Module ndg.xacml.test.context.test_pdp

  1  #!/usr/bin/env python 
  2  """NDG XACML PDP unit tests  
  3   
  4  NERC DataGrid 
  5  """ 
  6  __author__ = "P J Kershaw" 
  7  __date__ = "28/10/10" 
  8  __copyright__ = "(C) 2010 Science and Technology Facilities Council" 
  9  __contact__ = "Philip.Kershaw@stfc.ac.uk" 
 10  __license__ = "BSD - see LICENSE file in top-level directory" 
 11  __contact__ = "Philip.Kershaw@stfc.ac.uk" 
 12  __revision__ = "$Id$" 
 13  import unittest 
 14  import logging 
 15  logging.basicConfig(level=logging.DEBUG) 
 16   
 17  from ndg.xacml.core.context.result import Decision 
 18  from ndg.xacml.test.context import XacmlContextBaseTestCase, TestContextHandler 
 19   
 20       

 21 -class XacmlEvalPdpWithPermitOverridesPolicyTestCase(XacmlContextBaseTestCase): 

 22      """Test PDP with permit overrides rule combining algorithm""" 
 23       
 24      NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 
 25       
 26      # This could be any applicable resource value, provided there's no rule to 
 27      # override and enable access 
 28      PRIVATE_RESOURCE_ID = 'http://localhost/private-resource' 
 29       
 30      PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted' 
 31      NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 
 32           
 33      SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 34          'http://localhost/single-subject-role-restricted' 
 35      ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 36          'http://localhost/action-and-single-subject-role-restricted' 
 37      AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 38          'http://localhost/at-least-one-of-subject-role-restricted' 
 39           

 40 -    def setUp(self): 

 42           

 43 -    def test01NotApplicable(self): 

 44          # Set a resource Id that doesn't match the main target 
 45          request = self._createRequestCtx( 
 46                                      self.__class__.NOT_APPLICABLE_RESOURCE_ID) 
 47          response = self.pdp.evaluate(request) 
 48          self.failIf(response is None, "Null response") 
 49          for result in response.results: 
 50              self.failIf(result.decision != Decision.NOT_APPLICABLE,  
 51                          "Expecting not applicable decision") 

 52           

 54          # Test a resource which has no subject restrictions 
 55          request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID, 
 56                                           includeSubject=False) 
 57          response = self.pdp.evaluate(request) 
 58          self.failIf(response is None, "Null response") 
 59          for result in response.results: 
 60              self.failIf(result.decision != Decision.PERMIT,  
 61                          "Expecting Permit decision") 

 62           

 63 -    def test03PrivateResource(self): 

 64          request = self._createRequestCtx( 
 65                                      self.__class__.PRIVATE_RESOURCE_ID) 
 66          response = self.pdp.evaluate(request) 
 67          self.failIf(response is None, "Null response") 
 68          for result in response.results: 
 69              self.failIf(result.decision != Decision.DENY,  
 70                          "Expecting Deny decision") 

 71   

 73          # Access based on a resource ID and single subject role 
 74          request = self._createRequestCtx( 
 75                              self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 
 76          response = self.pdp.evaluate(request) 
 77          self.failIf(response is None, "Null response") 
 78          for result in response.results: 
 79              self.failIf(result.decision != Decision.PERMIT,  
 80                          "Expecting Permit decision")   

 81   

 83          # Subject doesn't have the required role for access 
 84          request = self._createRequestCtx( 
 85                              self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 
 86                              subjectRoles=('student',)) 
 87          response = self.pdp.evaluate(request) 
 88          self.failIf(response is None, "Null response") 
 89          for result in response.results: 
 90              self.failIf(result.decision != Decision.DENY,  
 91                          "Expecting Deny decision")   

 92   

 94          # Test restriction based on action type as well as subject role 
 95          request = self._createRequestCtx( 
 96                      self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 
 97          response = self.pdp.evaluate(request) 
 98          self.failIf(response is None, "Null response") 
 99          for result in response.results: 
100              self.failIf(result.decision != Decision.PERMIT,  
101                          "Expecting Permit decision") 

102   

104          # Test subject requests invalid action type 
105          request = self._createRequestCtx( 
106                      self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 
107                      action='write') 
108          response = self.pdp.evaluate(request) 
109          self.failIf(response is None, "Null response") 
110          for result in response.results: 
111              self.failIf(result.decision != Decision.DENY,  
112                          "Expecting Deny decision")   

113   

115          # Test at least one member function 
116          request = self._createRequestCtx( 
117                      self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 
118                      action='write') 
119          response = self.pdp.evaluate(request) 
120          self.failIf(response is None, "Null response") 
121          for result in response.results: 
122              self.failIf(result.decision != Decision.PERMIT,  
123                          "Expecting Permit decision")              

124   

126          # Test at least one member function where subject doesn't have one of 
127          # the required roles 
128          request = self._createRequestCtx( 
129                      self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 
130                      subjectRoles=('student',)) 
131          response = self.pdp.evaluate(request) 
132          self.failIf(response is None, "Null response") 
133          for result in response.results: 
134              self.failIf(result.decision != Decision.DENY,  
135                          "Expecting Deny decision")              

136       

138          # The PDP is part of a context handler with a PIP which adds subject 
139          # attributes under prescribed conditions on the evaluation of  
140          # subject attribute designators.  In this case the addition of the PIP 
141          # adds an attribute value to one of the subject's attributes which means 
142          # they're granted access where otherwise access would be denied 
143          ctxHandler = TestContextHandler() 
144          ctxHandler.pdp = self.pdp 
145           
146          request = self._createRequestCtx( 
147                      self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID, 
148                      subjectRoles=('student',)) 
149           
150          response = ctxHandler.handlePEPRequest(request) 
151          self.failIf(response is None, "Null response") 
152          for result in response.results: 
153              self.failIf(result.decision != Decision.PERMIT,  
154                          "Expecting PERMIT decision")             

155           
156           
157  if __name__ == "__main__": 
158      unittest.main() 
159

   Home       Trees       Indices       Help   
NDG XACML
Generated by Epydoc 3.0.1 on Thu Apr 5 08:44:40 2012 http://epydoc.sourceforge.net