Home       Trees       Indices       Help   
NDG XACML
Package ndg :: Package xacml :: Package test :: Package context :: Module test_pdp_with_first_applicable_rule_combining_algorithm
[hide private]

Source Code for Module ndg.xacml.test.context.test_pdp_with_first_applicable_rule_combining_algorithm

  1  ''' 
  2  Created on 26 Aug 2011 
  3   
  4  @author: rwilkinson 
  5  ''' 
  6  import logging 
  7  import unittest 
  8   
  9  from ndg.xacml.parsers.etree.factory import ReaderFactory 
 10  from ndg.xacml.core.context.pdp import PDP 
 11  from ndg.xacml.core.context.result import Decision 
 12  from ndg.xacml.test import XACML_FIRSTAPPLICABLE_FILEPATH 
 13  from ndg.xacml.test.context import XacmlContextBaseTestCase 
 14   
 15   
 16  logging.basicConfig(level=logging.DEBUG) 
 17   

 18 -class Test(XacmlContextBaseTestCase): 

 19   
 20      NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 
 21       
 22      # This could be any applicable resource value, provided there's no rule to 
 23      # override and enable access 
 24      PRIVATE_RESOURCE_ID = 'http://localhost/private-resource' 
 25       
 26      PUBLIC_RESOURCE_ID = 'http://localhost/resource-only-restricted' 
 27      NOT_APPLICABLE_RESOURCE_ID = 'https://localhost' 
 28   
 29      SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 30          'http://localhost/single-subject-role-restricted' 
 31      ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 32          'http://localhost/action-and-single-subject-role-restricted' 
 33      AT_LEAST_ONE_SUBJECT_ROLE_RESTRICTED_ID = \ 
 34          'http://localhost/at-least-one-of-subject-role-restricted' 
 35   
 36      LEVEL1_ID = \ 
 37          'http://localhost/hierarchy/dir1' 
 38      LEVEL2_ID = \ 
 39          'http://localhost/hierarchy/dir1/dir2' 
 40      LEVEL3_ID = \ 
 41          'http://localhost/hierarchy/dir1/dir2/dir3' 
 42   
 43      LEVEL1_NOINHERIT_ID = \ 
 44          'http://localhost/hierarchynoinherit/dir1' 
 45      LEVEL2_NOINHERIT_ID = \ 
 46          'http://localhost/hierarchynoinherit/dir1/dir2' 
 47      LEVEL3_NOINHERIT_ID = \ 
 48          'http://localhost/hierarchynoinherit/dir1/dir2/dir3' 
 49   

 50 -    def setUp(self): 

 52   
 53   
 54      # Tests in which only one rule applies - these should give the same 
 55      # results as with the permit-overrides rule combining algorithm. 

 56 -    def test01NotApplicable(self): 

 57          # Set a resource Id that doesn't match the main target 
 58          request = self._createRequestCtx( 
 59                                      self.__class__.NOT_APPLICABLE_RESOURCE_ID) 
 60          response = self.pdp.evaluate(request) 
 61          self.failIf(response is None, "Null response") 
 62          for result in response.results: 
 63              self.failIf(result.decision != Decision.NOT_APPLICABLE,  
 64                          "Expecting not applicable decision") 

 65           

 67          # Test a resource which has no subject restrictions 
 68          request = self._createRequestCtx(self.__class__.PUBLIC_RESOURCE_ID, 
 69                                           includeSubject=False) 
 70          response = self.pdp.evaluate(request) 
 71          self.failIf(response is None, "Null response") 
 72          for result in response.results: 
 73              self.failIf(result.decision != Decision.PERMIT,  
 74                          "Expecting Permit decision") 

 75           

 76 -    def test03PrivateResource(self): 

 77          request = self._createRequestCtx( 
 78                                      self.__class__.PRIVATE_RESOURCE_ID) 
 79          response = self.pdp.evaluate(request) 
 80          self.failIf(response is None, "Null response") 
 81          for result in response.results: 
 82              self.failIf(result.decision != Decision.DENY,  
 83                          "Expecting Deny decision") 

 84   

 86          # Access based on a resource ID and single subject role 
 87          request = self._createRequestCtx( 
 88                              self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 
 89          response = self.pdp.evaluate(request) 
 90          self.failIf(response is None, "Null response") 
 91          for result in response.results: 
 92              self.failIf(result.decision != Decision.PERMIT,  
 93                          "Expecting Permit decision")   

 94   

 96          # Subject doesn't have the required role for access 
 97          request = self._createRequestCtx( 
 98                              self.__class__.SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 
 99                              subjectRoles=('student',)) 
100          response = self.pdp.evaluate(request) 
101          self.failIf(response is None, "Null response") 
102          for result in response.results: 
103              self.failIf(result.decision != Decision.DENY,  
104                          "Expecting Deny decision")   

105   

107          # Test restriction based on action type as well as subject role 
108          request = self._createRequestCtx( 
109                      self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID) 
110          response = self.pdp.evaluate(request) 
111          self.failIf(response is None, "Null response") 
112          for result in response.results: 
113              self.failIf(result.decision != Decision.PERMIT,  
114                          "Expecting Permit decision") 

115   

117          # Test subject requests invalid action type 
118          request = self._createRequestCtx( 
119                      self.__class__.ACTION_AND_SINGLE_SUBJECT_ROLE_RESTRICTED_ID, 
120                      action='write') 
121          response = self.pdp.evaluate(request) 
122          self.failIf(response is None, "Null response") 
123          for result in response.results: 
124              self.failIf(result.decision != Decision.DENY,  
125                          "Expecting Deny decision")   

126   
127   
128      # Tests for resources in a hierarchy where more than one rule may apply, 
129      # but one is selected by the first applicable rule combining algorithm. 
130      # There are no deny rules for resources within the hierarchy so 
131      # permissions are inherited cumulatively down the hierarchy. 

133          # Access based on a resource ID and single subject role 
134          request = self._createRequestCtx( 
135                              self.__class__.LEVEL1_ID, 
136                              subjectRoles=('postdoc',)) 
137          response = self.pdp.evaluate(request) 
138          self.failIf(response is None, "Null response") 
139          for result in response.results: 
140              self.failIf(result.decision != Decision.PERMIT,  
141                          "Expecting Permit decision")   

142   

144          # Access based on a resource ID and single subject role 
145          request = self._createRequestCtx( 
146                              self.__class__.LEVEL1_ID, 
147                              subjectRoles=('admin',)) 
148          response = self.pdp.evaluate(request) 
149          self.failIf(response is None, "Null response") 
150          for result in response.results: 
151              self.failIf(result.decision != Decision.DENY,  
152                          "Expecting Deny decision")   

153   

155          # Access based on a resource ID and single subject role 
156          request = self._createRequestCtx( 
157                              self.__class__.LEVEL2_ID, 
158                              subjectRoles=('admin',)) 
159          response = self.pdp.evaluate(request) 
160          self.failIf(response is None, "Null response") 
161          for result in response.results: 
162              self.failIf(result.decision != Decision.PERMIT,  
163                          "Expecting Permit decision")   

164   

166          # Access based on a resource ID and single subject role 
167          request = self._createRequestCtx( 
168                              self.__class__.LEVEL2_ID, 
169                              subjectRoles=('staff',)) 
170          response = self.pdp.evaluate(request) 
171          self.failIf(response is None, "Null response") 
172          for result in response.results: 
173              self.failIf(result.decision != Decision.DENY,  
174                          "Expecting Deny decision")   

175   

177          # Access based on a resource ID and single subject role 
178          request = self._createRequestCtx( 
179                              self.__class__.LEVEL3_ID, 
180                              subjectRoles=('staff',)) 
181          response = self.pdp.evaluate(request) 
182          self.failIf(response is None, "Null response") 
183          for result in response.results: 
184              self.failIf(result.decision != Decision.PERMIT,  
185                          "Expecting Permit decision")   

186   

188          # Access based on a resource ID and single subject role 
189          request = self._createRequestCtx( 
190                              self.__class__.LEVEL3_ID, 
191                              subjectRoles=('postdoc',)) 
192          response = self.pdp.evaluate(request) 
193          self.failIf(response is None, "Null response") 
194          for result in response.results: 
195              self.failIf(result.decision != Decision.PERMIT,  
196                          "Expecting Permit decision")   

197   

199          # Access based on a resource ID and single subject role 
200          request = self._createRequestCtx( 
201                              self.__class__.LEVEL3_ID, 
202                              subjectRoles=('admin',)) 
203          response = self.pdp.evaluate(request) 
204          self.failIf(response is None, "Null response") 
205          for result in response.results: 
206              self.failIf(result.decision != Decision.PERMIT,  
207                          "Expecting Permit decision")   

208   
209   
210      # Tests for resources in hierarchy where more than one rule may apply, 
211      # but one is selected by the first applicable rule combining algorithm. 
212      # Following the permit rules at each level in the hierarchy, there is 
213      # a deny rule for all subjects so that permissions are not inherited 
214      # down the hierarchy. 

216          # Access based on a resource ID and single subject role 
217          request = self._createRequestCtx( 
218                              self.__class__.LEVEL1_NOINHERIT_ID, 
219                              subjectRoles=('postdoc',)) 
220          response = self.pdp.evaluate(request) 
221          self.failIf(response is None, "Null response") 
222          for result in response.results: 
223              self.failIf(result.decision != Decision.PERMIT,  
224                          "Expecting Permit decision")   

225   

227          # Access based on a resource ID and single subject role 
228          request = self._createRequestCtx( 
229                              self.__class__.LEVEL1_NOINHERIT_ID, 
230                              subjectRoles=('admin',)) 
231          response = self.pdp.evaluate(request) 
232          self.failIf(response is None, "Null response") 
233          for result in response.results: 
234              self.failIf(result.decision != Decision.DENY,  
235                          "Expecting Deny decision")   

236   

238          # Access based on a resource ID and single subject role 
239          request = self._createRequestCtx( 
240                              self.__class__.LEVEL2_NOINHERIT_ID, 
241                              subjectRoles=('admin',)) 
242          response = self.pdp.evaluate(request) 
243          self.failIf(response is None, "Null response") 
244          for result in response.results: 
245              self.failIf(result.decision != Decision.PERMIT,  
246                          "Expecting Permit decision")   

247   

249          # Access based on a resource ID and single subject role 
250          request = self._createRequestCtx( 
251                              self.__class__.LEVEL2_NOINHERIT_ID, 
252                              subjectRoles=('staff',)) 
253          response = self.pdp.evaluate(request) 
254          self.failIf(response is None, "Null response") 
255          for result in response.results: 
256              self.failIf(result.decision != Decision.DENY,  
257                          "Expecting Deny decision")   

258   

260          # Access based on a resource ID and single subject role 
261          request = self._createRequestCtx( 
262                              self.__class__.LEVEL3_NOINHERIT_ID, 
263                              subjectRoles=('staff',)) 
264          response = self.pdp.evaluate(request) 
265          self.failIf(response is None, "Null response") 
266          for result in response.results: 
267              self.failIf(result.decision != Decision.PERMIT,  
268                          "Expecting Permit decision")   

269   

271          # Access based on a resource ID and single subject role 
272          request = self._createRequestCtx( 
273                              self.__class__.LEVEL3_NOINHERIT_ID, 
274                              subjectRoles=('postdoc',)) 
275          response = self.pdp.evaluate(request) 
276          self.failIf(response is None, "Null response") 
277          for result in response.results: 
278              self.failIf(result.decision != Decision.DENY,  
279                          "Expecting Deny decision")   

280   

282          # Access based on a resource ID and single subject role 
283          request = self._createRequestCtx( 
284                              self.__class__.LEVEL3_NOINHERIT_ID, 
285                              subjectRoles=('admin',)) 
286          response = self.pdp.evaluate(request) 
287          self.failIf(response is None, "Null response") 
288          for result in response.results: 
289              self.failIf(result.decision != Decision.DENY,  
290                          "Expecting Deny decision")   

291   
292   
293  if __name__ == "__main__": 
294      unittest.main() 
295

   Home       Trees       Indices       Help   
NDG XACML
Generated by Epydoc 3.0.1 on Thu Apr 5 08:44:41 2012 http://epydoc.sourceforge.net