class XacmlDynamicPolicyTestCase(unittest.TestCase):
"""Test Dynamic creation of policy and rules from code API instead of
XML policy file"""
attributeValueClassFactory = AttributeValueClassFactory()
def _create_policy(self):
self.policy = Policy()
self.policy.policyId = 'Dynamic Policy Test'
self.policy.ruleCombiningAlgId = \
'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides'
# Add top-level target - determines an overall match for this policy
self.policy.target = Target()
# Match based on resource - add a resource match to the target
resource = Resource()
resource_match = ResourceMatch()
resource_match.matchId = "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"
resource_match.attributeValue = self.__class__.attributeValueClassFactory(
"http://www.w3.org/2001/XMLSchema#anyURI")()
resource_match.attributeValue.value = '^http://localhost/.*'
resource_match.attributeDesignator = ResourceAttributeDesignator()
resource_match.attributeDesignator.attributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
resource_match.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
resource.matches.append(resource_match)
self.policy.target.resources.append(resource)
# Add rules
denyall_rule = Rule()
denyall_rule.id = 'Deny all rule'
denyall_rule.effect = Effect.DENY
self.policy.rules.append(denyall_rule)
singlerole_rule = Rule()
singlerole_rule.id = 'dataset1 rule'
singlerole_rule.effect = Effect.PERMIT
singlerole_rule.target = Target()
resource_match1 = ResourceMatch()
resource_match1.matchId = "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"
resource_match1.attributeValue = self.__class__.attributeValueClassFactory(
"http://www.w3.org/2001/XMLSchema#anyURI")()
resource_match1.attributeValue.value = '^http://localhost/dataset1/.*$'
resource_match1.attributeDesignator = ResourceAttributeDesignator()
resource_match1.attributeDesignator.attributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
resource_match1.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#anyURI"
resource1 = Resource()
resource1.matches.append(resource_match1)
singlerole_rule.target.resources.append(resource1)
subject_match1 = SubjectMatch()
subject_match1.matchId = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
subject_match1.attributeValue = self.__class__.attributeValueClassFactory(
"http://www.w3.org/2001/XMLSchema#string")()
subject_match1.attributeValue.value = 'staff'
subject_match1.attributeDesignator = SubjectAttributeDesignator()
subject_match1.attributeDesignator.attributeId = ROLE_ATTRIBUTE_ID
subject_match1.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#string"
subject1 = Subject()
subject1.matches.append(subject_match1)
singlerole_rule.target.subjects.append(subject1)
self.policy.rules.append(singlerole_rule)
@staticmethod
def _create_request_ctx(resourceId,
includeSubject=True,
subjectId=SUBJECT_ID,
subjectRoles=None,
roleAttributeId=ROLE_ATTRIBUTE_ID,
action='read',
resourceContent=None):
"""Create an example XACML Request Context for tests"""
if subjectRoles is None:
subjectRoles = ('staff',)
request = Request()
if includeSubject:
subject = CtxSubject()
openidSubjectAttribute = Attribute()
openidSubjectAttribute.attributeId = "urn:esg:openid"
openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
openidSubjectAttribute.attributeValues.append(
AnyUriAttributeValue())
openidSubjectAttribute.attributeValues[-1].value = subjectId
subject.attributes.append(openidSubjectAttribute)
for role in subjectRoles:
roleAttribute = Attribute()
roleAttribute.attributeId = roleAttributeId
roleAttribute.dataType = StringAttributeValue.IDENTIFIER
roleAttribute.attributeValues.append(StringAttributeValue())
roleAttribute.attributeValues[-1].value = role
subject.attributes.append(roleAttribute)
request.subjects.append(subject)
resource = ResourceCtx()
resourceAttribute = Attribute()
resource.attributes.append(resourceAttribute)
resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID
resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
resourceAttribute.attributeValues.append(AnyUriAttributeValue())
resourceAttribute.attributeValues[-1].value = resourceId
resource.resourceContent = resourceContent
request.resources.append(resource)
request.action = Action()
actionAttribute = Attribute()
request.action.attributes.append(actionAttribute)
actionAttribute.attributeId = Identifiers.Action.ACTION_ID
actionAttribute.dataType = StringAttributeValue.IDENTIFIER
actionAttribute.attributeValues.append(StringAttributeValue())
actionAttribute.attributeValues[-1].value = action
request.environment = Environment()
return request
def _create_pdp(self):
self._create_policy()
self.pdp = PDP(policy=self.policy)
def test01_create_policy(self):
self._create_policy()
def test02_create_pdp(self):
self._create_pdp()
def test03_test_rule(self):
self._create_pdp()
request = self._create_request_ctx('http://localhost/dataset1/my.nc',
subjectId='http://me.openid.ac.uk',
subjectRoles=('staff',))
response = self.pdp.evaluate(request)
for result in response.results:
self.failIf(result.decision != Decision.PERMIT,
"Expecting Permit decision")
role = attributeValueFactory("http://www.w3.org/2001/XMLSchema#string")
arole = role("administrator")
# Add the role-attribute to the request-subject
# id: urn:oasis:names:tc:xacml:2.0:example:attribute:role
attr = Attribute()
attr.attributeId = "urn:oasis:names:tc:xacml:2.0:example:attribute:role"
attr.dataType = role.IDENTIFIER # = http://www.w3.org/2001/XMLSchema#string
attr.attributeValues.append(arole)
subject = Subject()
subject.attributes.append(attr)
request.subjects.append(subject)
# See what we've received as result
res = pdp.evaluate(request)
for result in res.results:
print result.decision
"""
How to add actions (I did not test it yet):
somevalue = attributeValueFactory("http://www.w3.org/2001/XMLSchema#string")
avalue = somevalue("https://www.gonicus.de/webdav")
bvalue = somevalue("read")
# Add a resource attribute
resourceAttribute = Attribute()
