
Source Code for Module ndg.xacml.test.context.test_pdp_with_custom_attributevalue_types

  1  #!/usr/bin/env python 
  2  """NDG unit tests for PDP working with a policy and request context containing 
  3  custom AttributeValue data types 
  4   
  5  NERC DataGrid 
  6  """ 
  7  __author__ = "P J Kershaw" 
  8  __date__ = "28/10/10" 
  9  __copyright__ = "(C) 2010 Science and Technology Facilities Council" 
 10  __contact__ = "Philip.Kershaw@stfc.ac.uk" 
 11  __license__ = "BSD - see LICENSE file in top-level directory" 
 12  __contact__ = "Philip.Kershaw@stfc.ac.uk" 
 13  __revision__ = "$Id$" 
 14  import unittest 
 15  import logging 
 16  logging.basicConfig(level=logging.DEBUG) 
 17   
 18  from ndg.xacml.core import Identifiers 
 19  from ndg.xacml.core.attribute import Attribute 
 20  from ndg.xacml.core.attributevalue import AttributeValueClassFactory 
 21  from ndg.xacml.core.functions import functionMap 
 22  from ndg.xacml.core.context.request import Request 
 23  from ndg.xacml.core.context.subject import Subject 
 24  from ndg.xacml.core.context.resource import Resource 
 25  from ndg.xacml.core.context.action import Action 
 26   
 27  from ndg.xacml.parsers.etree.factory import ReaderFactory 
 28  from ndg.xacml.parsers.etree.attributevaluereader import ( 
 29                                                  DataTypeReaderClassFactory) 
 30  from ndg.xacml.core.context.pdp import PDP 
 31  from ndg.xacml.core.context.result import Decision 
 32  from ndg.xacml.test import (XACML_ESGFTEST1_FILEPATH,   
 33                              GroupRoleAttributeValue,  
 34                              ETreeGroupRoleDataTypeReader, 
 35                              GroupRoleBag, 
 36                              GroupRoleAtLeastOneMemberOf) 
 37  from ndg.xacml.test.context import (AnyUriAttributeValue, StringAttributeValue, 
 38                                      SUBJECT_ID) 
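class XacmlEvalPdpWithCustomAttrTypes(unittest.TestCase):
    """Evaluate a policy which contains custom XACML AttributeValue data types.

    Each test registers the custom ``urn:grouprole`` attribute value type, its
    ElementTree reader and two supporting functions, loads the ESGF sample
    policy and checks the decision the PDP returns for one resource.

    NOTE: this class was recovered from a rendered listing that had lost its
    indentation and the ``def`` lines of the two test methods (listing lines
    131 and 142). Block nesting is reconstructed from the statements, and the
    two test method names are stand-ins derived from the resource constants
    they use, not the original names.
    """
    AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \
        'http://localhost/at-least-one-of-subject-role-restricted'
    SUBJECT_DOES_NOT_HAVE_ANY_OF_SPECIFIED_ROLES_ID = \
        'http://localhost/subject-does-not-have-any-of-specified-roles'

    @staticmethod
    def _createRequestCtx(resourceId,
                          includeSubject=True,
                          subjectGroupRoles=None,
                          groupRoleAttributeId='urn:esg:attr',
                          action='read'):
        """Create an example XACML Request Context for tests.

        :param resourceId: value for the resource-id attribute of the single
            resource in the request
        :param includeSubject: when true, add one subject carrying an OpenID
            attribute (``SUBJECT_ID``) plus one group/role attribute per entry
            in ``subjectGroupRoles``; when false the request has no subject
        :param subjectGroupRoles: iterable of ``(group, role)`` pairs;
            defaults to ``[('ACME', 'default')]``
        :param groupRoleAttributeId: attribute id given to every group/role
            attribute
        :param action: value for the action-id attribute
        :return: the populated ``Request``
        """
        if subjectGroupRoles is None:
            subjectGroupRoles = [('ACME', 'default')]

        request = Request()

        if includeSubject:
            subject = Subject()
            openidSubjectAttribute = Attribute()

            openidSubjectAttribute.attributeId = "urn:esg:openid"
            openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER

            openidSubjectAttribute.attributeValues.append(
                AnyUriAttributeValue())
            openidSubjectAttribute.attributeValues[-1].value = SUBJECT_ID

            subject.attributes.append(openidSubjectAttribute)

            # One attribute per (group, role) pair. The loop has to sit inside
            # the includeSubject branch because it appends to ``subject``.
            for group, role in subjectGroupRoles:
                groupRoleAttribute = Attribute()

                groupRoleAttribute.attributeId = groupRoleAttributeId
                groupRoleAttribute.dataType = 'urn:grouprole'

                groupRoleAttribute.attributeValues.append(
                    GroupRoleAttributeValue())
                groupRoleAttribute.attributeValues[-1].group = group
                groupRoleAttribute.attributeValues[-1].role = role

                subject.attributes.append(groupRoleAttribute)

            request.subjects.append(subject)

        resource = Resource()
        resourceAttribute = Attribute()
        resource.attributes.append(resourceAttribute)

        resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID

        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
        resourceAttribute.attributeValues[-1].value = resourceId

        request.resources.append(resource)

        request.action = Action()
        actionAttribute = Attribute()
        request.action.attributes.append(actionAttribute)

        actionAttribute.attributeId = Identifiers.Action.ACTION_ID
        actionAttribute.dataType = StringAttributeValue.IDENTIFIER
        actionAttribute.attributeValues.append(StringAttributeValue())
        actionAttribute.attributeValues[-1].value = action

        return request

    def setUp(self):
        """Register the custom group/role type and load the ESG sample policy.

        NOTE(review): the registrations below write to imported, module-level
        objects and are not undone after the test, so they presumably remain
        in effect for other tests run in the same process - confirm whether
        that matters for the rest of the suite.
        """
        # Add new type
        AttributeValueClassFactory.addClass('urn:grouprole',
                                            GroupRoleAttributeValue)

        # Add new parser for this type
        DataTypeReaderClassFactory.addReader('urn:grouprole',
                                             ETreeGroupRoleDataTypeReader)

        # Add extra matching and bag functions
        functionMap['urn:grouprole-bag'] = GroupRoleBag
        functionMap['urn:grouprole-at-least-one-member-of'
                    ] = GroupRoleAtLeastOneMemberOf

        # Example policy with custom attribute value type used with ESGF
        self.pdp = PDP.fromPolicySource(XACML_ESGFTEST1_FILEPATH, ReaderFactory)

    def _assertDecisionForAllResults(self, resourceId, expectedDecision, msg):
        """Evaluate a 'write' request and check every result's decision.

        :param resourceId: resource id placed in the request
        :param expectedDecision: ``Decision`` value every result must carry
        :param msg: failure message used when a result differs
        """
        request = self._createRequestCtx(resourceId, action='write')
        response = self.pdp.evaluate(request)
        # failIf is a deprecated alias; assertFalse is the same check
        self.assertFalse(response is None, "Null response")

        results = list(response.results)
        # Without this check an empty result list would let the loop below
        # pass without comparing a single authorisation decision.
        self.assertTrue(results, "Response contains no results")
        for result in results:
            # Keep the original ``!=`` comparison so the outcome does not
            # depend on how Decision implements equality.
            self.assertFalse(result.decision != expectedDecision, msg)

    # NOTE: stand-in name - the original def line is missing from the listing
    def test01AtLeastOneSubjectRoleRestricted(self):
        # Test at least one member function
        self._assertDecisionForAllResults(
            self.__class__.AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID,
            Decision.PERMIT,
            "Expecting Permit decision")

    # NOTE: stand-in name - the original def line is missing from the listing
    def test02SubjectDoesNotHaveAnyOfSpecifiedRoles(self):
        # Negative case: judging by the resource name, the default subject
        # holds none of the roles the policy names, so the PDP must deny.
        self._assertDecisionForAllResults(
            self.__class__.SUBJECT_DOES_NOT_HAVE_ANY_OF_SPECIFIED_ROLES_ID,
            Decision.DENY,
            "Expecting Deny decision")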
# Run the test case with the stock unittest runner when executed as a script.
if __name__ == "__main__":
    unittest.main()