
  1  #!/usr/bin/env python 
  2  """NDG XACML Policy unit tests  
  3   
  4  NERC DataGrid 
  5  """ 
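# Module metadata. The upstream file assigned ``__contact__`` twice with the
# same value; the duplicate is dropped so each dunder is defined exactly once.
__author__ = "P J Kershaw"
__date__ = "16/03/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__license__ = "BSD - see LICENSE file in top-level directory"
__revision__ = "$Id: test_policy.py 8020 2012-02-23 12:35:19Z pjkersha $"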
 13  import unittest 
 14  from os import path 
 15  import logging 
# Configure the root logger at DEBUG level when this module is imported so
# that parser trace output is visible when the tests are run directly.
# NOTE(review): basicConfig acts on the process-wide root logger, so this is
# an import-time side effect on anything that imports this test module.
logging.basicConfig(level=logging.DEBUG)
 17   
 18  from ndg.xacml.core.policy import Policy 
 19  from ndg.xacml.core.functions import functionMap 
 20  from ndg.xacml.core.attributedesignator import SubjectAttributeDesignator 
 21  from ndg.xacml.core.attributeselector import AttributeSelector 
 22  from ndg.xacml.core.attributevalue import AttributeValueClassFactory 
 23  from ndg.xacml.parsers.etree.factory import ReaderFactory 
 24  from ndg.xacml.parsers.etree.attributevaluereader import \ 
 25                                                  DataTypeReaderClassFactory 
 26   
 27  from ndg.xacml.test import (XACML_NDGTEST1_FILEPATH, THIS_DIR,  
 28                              GroupRoleAttributeValue,  
 29                              ETreeGroupRoleDataTypeReader, 
 30                              GroupRoleBag, 
 31                              GroupRoleAtLeastOneMemberOf) 
 32                                  
 33       
class XACMLPolicyTestCase(unittest.TestCase):
    """Unit tests for NDG XACML Policy class

    The test methods parse XACML policy fixture files that live alongside
    this module (under ``THIS_DIR``) and assert on the resulting ``Policy``
    object model: policy/rule identifiers, combining algorithm, targets,
    matches, designators/selectors and conditions.

    NOTE(review): the obligations test only prints when ``NotImplementedError``
    is raised and otherwise asserts the parse result, so it cannot fail on a
    regression either way.  The ESGF test registers a custom attribute value
    type, reader and matching functions in the module-global
    ``AttributeValueClassFactory``, ``DataTypeReaderClassFactory`` and
    ``functionMap`` registries without removing them afterwards, so that
    state leaks into any tests that run later in the same process.
    """
    # Fixture policy files, resolved relative to the test package directory.
    XACML_TEST1_FILENAME = "rule1.xml"
    XACML_TEST1_FILEPATH = path.join(THIS_DIR, XACML_TEST1_FILENAME)
    XACML_TEST2_FILENAME = "rule2.xml"
    XACML_TEST2_FILEPATH = path.join(THIS_DIR, XACML_TEST2_FILENAME)
    XACML_TEST3_FILENAME = "rule3.xml"
    XACML_TEST3_FILEPATH = path.join(THIS_DIR, XACML_TEST3_FILENAME)
    XACML_TEST4_FILENAME = "rule4.xml"
    XACML_TEST4_FILEPATH = path.join(THIS_DIR, XACML_TEST4_FILENAME)
    # Policy using a custom ``urn:grouprole`` attribute value type (ESGF).
    XACML_ESGFTEST1_FILENAME = "esgf1.xml"
    XACML_ESGFTEST1_FILEPATH = path.join(THIS_DIR, XACML_ESGFTEST1_FILENAME)

48 PolicyReader = ReaderFactory.getReader(Policy) 49 policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST1_FILEPATH) 50 self.assert_(policy) 51 52 self.assert_( 53 policy.policyId == "urn:oasis:names:tc:example:SimplePolicy1") 54 55 self.assert_(policy.ruleCombiningAlgId == \ 56 "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides") 57 58 self.assert_( 59 "Med Example Corp access control policy" in policy.description) 60 61 self.assert_(len(policy.target.subjects) == 0) 62 63 self.assert_(policy.rules[0].id == \ 64 "urn:oasis:names:tc:xacml:2.0:example:SimpleRule1") 65 66 self.assert_(policy.rules[0].effect == 'Permit') 67 68 self.assert_( 69 'Any subject with an e-mail name in the med.example.com domain' in \ 70 policy.rules[0].description) 71 72 self.assert_(len(policy.rules[0].target.subjects) == 1) 73 self.assert_(len(policy.rules[0].target.actions) == 0) 74 self.assert_(len(policy.rules[0].target.resources) == 0) 75 self.assert_(len(policy.rules[0].target.environments) == 0) 76 77 self.assert_(len(policy.rules[0].target.subjects[0 78 ].subjectMatches) == 1) 79 80 self.assert_(policy.rules[0].target.subjects[0].subjectMatches[0 81 ].matchId == \ 82 "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match") 83 84 self.assert_(policy.rules[0].target.subjects[0].subjectMatches[0 85 ].attributeValue.dataType == \ 86 "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name") 87 88 self.assert_(policy.rules[0].target.subjects[0].subjectMatches[0 89 ].attributeDesignator.dataType == \ 90 "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name") 91 92 # Attribute ID 93 self.assert_(policy.rules[0].target.subjects[0].subjectMatches[0 94 ].attributeDesignator.attributeId == \ 95 "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
96
98 PolicyReader = ReaderFactory.getReader(Policy) 99 policy = PolicyReader.parse(XACMLPolicyTestCase.XACML_TEST2_FILEPATH) 100 self.assert_(policy) 101 102 self.assert_( 103 policy.policyId == "urn:oasis:names:tc:xacml:2.0:example:policyid:2") 104 105 self.assert_(policy.ruleCombiningAlgId == \ 106 "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides") 107 108 self.assert_(policy.description is None) 109 110 self.assert_(len(policy.target.actions) == 0) 111 112 self.assert_(policy.rules[0].id == \ 113 "urn:oasis:names:tc:xacml:2.0:example:ruleid:2") 114 115 self.assert_(policy.rules[0].effect == 'Permit') 116 117 self.assert_(policy.rules[0].description == """\ 118 A person may read any medical record in the 119 http://www.med.example.com/records.xsd namespace 120 for which he or she is the designated parent or guardian, 121 and for which the patient is under 16 years of age""") 122 123 self.assert_(len(policy.rules[0].target.subjects) == 0) 124 self.assert_(len(policy.rules[0].target.actions) == 1) 125 self.assert_(len(policy.rules[0].target.resources) == 1) 126 self.assert_(len(policy.rules[0].target.environments) == 0) 127 128 self.assert_(len(policy.rules[0].target.resources[0 129 ].resourceMatches) == 2) 130 131 self.assert_(policy.rules[0].target.resources[0].resourceMatches[0 132 ].matchId == "urn:oasis:names:tc:xacml:1.0:function:string-equal") 133 134 self.assert_(policy.rules[0].target.resources[0].resourceMatches[0 135 ].attributeValue.dataType == \ 136 "http://www.w3.org/2001/XMLSchema#string") 137 138 self.assert_(policy.rules[0].target.resources[0].resourceMatches[0 139 ].attributeValue.value == 'urn:med:example:schemas:record') 140 141 self.assert_(policy.rules[0].target.resources[0].resourceMatches[0 142 ].attributeDesignator.dataType == \ 143 "http://www.w3.org/2001/XMLSchema#string") 144 145 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 146 ].attributeDesignator.attributeId == \ 147 
"urn:oasis:names:tc:xacml:1.0:resource:xpath") 148 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 149 ].matchId == \ 150 "urn:oasis:names:tc:xacml:1.0:function:xpath-node-match") 151 152 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 153 ].attributeValue.dataType == \ 154 "http://www.w3.org/2001/XMLSchema#string") 155 156 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 157 ].attributeValue.value == '/md:record') 158 159 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 160 ].attributeDesignator.dataType == \ 161 "http://www.w3.org/2001/XMLSchema#string") 162 163 self.assert_(policy.rules[0].target.resources[0].resourceMatches[1 164 ].attributeDesignator.attributeId == \ 165 "urn:oasis:names:tc:xacml:1.0:resource:xpath") 166 167 # Verify Action 168 self.assert_(len(policy.rules[0].target.actions[0 169 ].actionMatches) == 1) 170 171 self.assert_(policy.rules[0].target.actions[0].actionMatches[0 172 ].matchId == "urn:oasis:names:tc:xacml:1.0:function:string-equal") 173 174 self.assert_(policy.rules[0].target.actions[0].actionMatches[0 175 ].attributeValue.dataType == \ 176 "http://www.w3.org/2001/XMLSchema#string") 177 178 self.assert_(policy.rules[0].target.actions[0].actionMatches[0 179 ].attributeValue.value == "read") 180 181 self.assert_(policy.rules[0].target.actions[0].actionMatches[0 182 ].attributeDesignator.dataType == \ 183 "http://www.w3.org/2001/XMLSchema#string") 184 185 self.assert_(policy.rules[0].target.actions[0].actionMatches[0 186 ].attributeDesignator.attributeId == \ 187 "urn:oasis:names:tc:xacml:1.0:action:action-id") 188 189 self.assert_(policy.rules[0].condition) 190 self.assert_(policy.rules[0].condition.expression.functionId == \ 191 "urn:oasis:names:tc:xacml:1.0:function:and") 192 193 self.assert_(len(policy.rules[0].condition.expression.expressions) == 1) 194 195 self.assert_(policy.rules[0].condition.expression.expressions[0 196 ].functionId == \ 197 
'urn:oasis:names:tc:xacml:1.0:function:string-equal') 198 199 self.assert_(len(policy.rules[0].condition.expression.expressions) == 1) 200 201 self.assert_(len(policy.rules[0].condition.expression.expressions[0 202 ].expressions) == 2) 203 204 self.assert_(policy.rules[0].condition.expression.expressions[0 205 ].expressions[0].functionId == \ 206 "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only") 207 208 self.assert_(isinstance( 209 policy.rules[0].condition.expression.expressions[0 210 ].expressions[0 211 ].expressions[0], SubjectAttributeDesignator)) 212 213 self.assert_(policy.rules[0].condition.expression.expressions[0 214 ].expressions[0 215 ].expressions[0].attributeId == \ 216 "urn:oasis:names:tc:xacml:2.0:example:attribute:" 217 "parent-guardian-id") 218 219 self.assert_(policy.rules[0].condition.expression.expressions[0 220 ].expressions[0 221 ].expressions[0].dataType == \ 222 "http://www.w3.org/2001/XMLSchema#string") 223 224 self.assert_(policy.rules[0].condition.expression.expressions[0 225 ].expressions[0 226 ].expressions[0].attributeId == \ 227 "urn:oasis:names:tc:xacml:2.0:example:attribute:" 228 "parent-guardian-id") 229 230 self.assert_(isinstance(policy.rules[0 231 ].condition.expression.expressions[0 232 ].expressions[1 233 ].expressions[0], AttributeSelector)) 234 235 self.assert_(policy.rules[0 236 ].condition.expression.expressions[0 237 ].expressions[1 238 ].expressions[0].requestContextPath == \ 239 "//md:record/md:parentGuardian/md:parentGuardianId/" 240 "text()") 241 242 self.assert_(policy.rules[0 243 ].condition.expression.expressions[0 244 ].expressions[1 245 ].expressions[0].dataType == \ 246 "http://www.w3.org/2001/XMLSchema#string")
247
249 PolicyReader = ReaderFactory.getReader(Policy) 250 251 try: 252 policy = PolicyReader.parse( 253 XACMLPolicyTestCase.XACML_TEST3_FILEPATH) 254 self.assert_(policy) 255 except NotImplementedError, e: 256 print("Expecting Obligations not implemented exception: %s" %e)
257 262
264 # Example policy for URI Regular expression based matching of 265 # resources for NDG 266 PolicyReader = ReaderFactory.getReader(Policy) 267 policy = PolicyReader.parse(XACML_NDGTEST1_FILEPATH) 268 self.assert_(policy)
269
271 # Example policy with custom attribute value type used with ESGF 272 273 # Add new type 274 AttributeValueClassFactory.addClass('urn:grouprole', 275 GroupRoleAttributeValue) 276 277 # Add new parser for this type 278 DataTypeReaderClassFactory.addReader('urn:grouprole', 279 ETreeGroupRoleDataTypeReader) 280 281 # Add extra matching and bag functions 282 functionMap['urn:grouprole-bag'] = GroupRoleBag 283 functionMap['urn:grouprole-at-least-one-member-of' 284 ] = GroupRoleAtLeastOneMemberOf 285 286 PolicyReader = ReaderFactory.getReader(Policy) 287 policy = PolicyReader.parse(self.__class__.XACML_ESGFTEST1_FILEPATH) 288 self.assert_(policy)
289 290 291 if __name__ == "__main__": 292 unittest.main() 293