def test01(self):
# Construct a ResourceContent element.
rcContentsStr = '''<wps:GetCapabilities
xmlns:ows="http://www.opengis.net/ows/1.1"
xmlns:wps="http://www.opengis.net/wps/1.0.0"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.opengis.net/wps/1.0.0/wpsGetCapabilities_request.xsd"
language="en-CA" service="WPS">
<wps:AcceptVersions>
<ows:Version>1.0.0</ows:Version>
</wps:AcceptVersions>
</wps:GetCapabilities>
'''
# Construct XACMLAuthzDecisionQuery including resource content XML.
rcContentsElem = ET.XML(rcContentsStr)
resourceContent = ET.Element(
"{urn:oasis:names:tc:xacml:2.0:context:schema:os}ResourceContent")
resourceContent.append(rcContentsElem)
resourceContent.set('TestAttribute', 'Test Value')
resource = Resource()
resource.resourceContent = resourceContent
request = Request()
request.subjects.append(Subject())
request.resources.append(resource)
request.action = Action()
request.environment = Environment()
query = XACMLAuthzDecisionQuery()
query.xacmlContextRequest = request
query.version = SAMLVersion(SAMLVersion.VERSION_20)
query.id = str(uuid.uuid4())
query.issueInstant = datetime.utcnow()
query.issuer = Issuer()
query.issuer.format = Issuer.X509_SUBJECT
query.issuer.value = self.ISSUER_DN
# Convert to element tree.
queryElem = XACMLAuthzDecisionQueryElementTree.toXML(query)
print(ET.tostring(queryElem))
# Check some values from query and resource content XML.
self.assertEqual(queryElem.get("Version"), "2.0")
self.assertEqual(self._getSingleElementText(queryElem,
"{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"),
self.ISSUER_DN)
self.assertEqual(self._getSingleElementText(queryElem,
"{urn:oasis:names:tc:xacml:2.0:context:schema:os}Request/"
"{urn:oasis:names:tc:xacml:2.0:context:schema:os}Resource/"
"{urn:oasis:names:tc:xacml:2.0:context:schema:os}ResourceContent/"
"{http://www.opengis.net/wps/1.0.0}GetCapabilities/"
"{http://www.opengis.net/wps/1.0.0}AcceptVersions/"
"{http://www.opengis.net/ows/1.1}Version"), "1.0.0")
def _create_request_from_message(self, invocation, receiver, receiver_type='service'):
sender_type = invocation.get_header_value('sender-type', 'Unknown')
if sender_type == 'service':
sender_header = invocation.get_header_value('sender-service', 'Unknown')
sender = invocation.get_service_name(sender_header)
else:
sender = invocation.get_header_value('sender', 'Unknown')
op = invocation.get_header_value('op', 'Unknown')
ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
actor_roles = invocation.get_header_value('ion-actor-roles', {})
log.debug("Using XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s" % (sender, receiver, op, ion_actor_id, str(actor_roles)))
request = Request()
subject = Subject()
subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))
#Get the Org name associated with the endpoint process
endpoint_process = invocation.get_arg_value('process', invocation)
if hasattr(endpoint_process,'org_name'):
org_name = endpoint_process.org_name
else:
org_name = self.governance_controller._system_root_org_name
#If this process is not associated wiht the root Org, then iterate over the roles associated with the user only for
#the Org that this process is associated with otherwise include all roles and create attributes for each
if org_name == self.governance_controller._system_root_org_name:
log.debug("Including roles for all Orgs")
#If the process Org name is the same for the System Root Org, then include all of them to be safe
for org in actor_roles:
self.create_org_role_attribute(actor_roles[org],subject)
else:
if actor_roles.has_key(org_name):
log.debug("Org Roles (%s): %s" , org_name, ' '.join(actor_roles[org_name]))
self.create_org_role_attribute(actor_roles[org_name],subject)
#Handle the special case for the ION system actor
if actor_roles.has_key(self.governance_controller._system_root_org_name):
if 'ION_MANAGER' in actor_roles[self.governance_controller._system_root_org_name]:
log.debug("Including ION_MANAGER role")
self.create_org_role_attribute(['ION_MANAGER'],subject)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
return request
def create_request_from_message(self, invocation):
sender_type = invocation.get_header_value('sender-type', 'Unknown')
if sender_type == 'service':
sender_header = invocation.get_header_value(
'sender-service', 'Unknown')
sender = invocation.get_service_name(sender_header)
else:
sender = invocation.get_header_value('sender', 'Unknown')
receiver_header = invocation.get_header_value('receiver', 'Unknown')
receiver = invocation.get_service_name(receiver_header)
op = invocation.get_header_value('op', 'Unknown')
ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
actor_roles = invocation.get_header_value('ion-actor-roles', {})
log.debug(
"XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s"
% (sender, receiver, op, ion_actor_id, str(actor_roles)))
request = Request()
subject = Subject()
subject.attributes.append(
self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(
self.create_string_attribute(Identifiers.Subject.SUBJECT_ID,
ion_actor_id))
#Iterate over the roles associated with the user and create attributes for each
for org in actor_roles:
attribute = None
for role in actor_roles[org]:
if attribute is None:
attribute = self.create_string_attribute(
ROLE_ATTRIBUTE_ID, role
) #TODO - Figure out how to handle multiple Org Roles
else:
attribute.attributeValues.append(StringAttributeValue())
attribute.attributeValues[-1].value = org + "_" + role
subject.attributes.append(attribute)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(
self.create_string_attribute(Identifiers.Resource.RESOURCE_ID,
receiver))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(
self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
return request
def create_request_from_message(self, invocation):
sender_type = invocation.get_header_value("sender-type", "Unknown")
if sender_type == "service":
sender_header = invocation.get_header_value("sender-service", "Unknown")
sender = invocation.get_service_name(sender_header)
else:
sender = invocation.get_header_value("sender", "Unknown")
receiver_header = invocation.get_header_value("receiver", "Unknown")
receiver = invocation.get_service_name(receiver_header)
op = invocation.get_header_value("op", "Unknown")
ion_actor_id = invocation.get_header_value("ion-actor-id", "anonymous")
actor_roles = invocation.get_header_value("ion-actor-roles", {})
log.debug(
"XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s"
% (sender, receiver, op, ion_actor_id, str(actor_roles))
)
request = Request()
subject = Subject()
subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))
# Iterate over the roles associated with the user and create attributes for each
for org in actor_roles:
attribute = None
for role in actor_roles[org]:
if attribute is None:
attribute = self.create_string_attribute(
ROLE_ATTRIBUTE_ID, role
) # TODO - Figure out how to handle multiple Org Roles
else:
attribute.attributeValues.append(StringAttributeValue())
attribute.attributeValues[-1].value = org + "_" + role
subject.attributes.append(attribute)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
return request
def fromXML(cls, elem):
"""Parse an ElementTree XACML Request element into a
Request object
@type elem: ElementTree.Element
@param elem: ElementTree element containing the request
@rtype: ndg.xacml.core.context.request.Request
@return: Request object
"""
request = Request()
# Set a reference to the ElementTree element for use by
# AttributeSelectors. The context element for an AttributeSelector is
# always the request, so this is the only element for this is needed.
request.elem = elem
localName = QName.getLocalPart(elem.tag)
if localName != cls.ELEMENT_LOCAL_NAME:
raise XMLParseError('No "%s" element found' %
cls.ELEMENT_LOCAL_NAME)
# Parse sub-elements
for childElem in getElementChildren(elem):
localName = QName.getLocalPart(childElem.tag)
if localName == Subject.ELEMENT_LOCAL_NAME:
subject = SubjectElementTree.fromXML(childElem)
request.subjects.append(subject)
elif localName == Resource.ELEMENT_LOCAL_NAME:
resource = ResourceElementTree.fromXML(childElem)
request.resources.append(resource)
elif localName == Action.ELEMENT_LOCAL_NAME:
request.action = ActionElementTree.fromXML(childElem)
elif localName == Environment.ELEMENT_LOCAL_NAME:
request.environment = EnvironmentElementTree.fromXML(childElem)
else:
raise XMLParseError("XACML context Request child element name %r"
" not recognised" % localName)
return request
def create_request_from_message(self, invocation):
ion_actor_id = invocation.headers['ion-actor-id'] if invocation.headers.has_key('ion-actor-id') and invocation.headers['ion-actor-id'] != '' else 'anonymous'
ion_org_id = invocation.headers['ion-org-id'] if invocation.headers.has_key('ion-org-id') and invocation.headers['ion-org-id'] != '' else 'no-ooi'
receiver = invocation.headers['receiver'] if invocation.headers.has_key('receiver') and invocation.headers['receiver'] != '' else 'Unknown'
op = invocation.headers['op'] if invocation.headers.has_key('op') and invocation.headers['op'] != '' else 'Unknown'
log.debug("XACML Request: ion_actor_id:%s ion-org-id:%s receiver:%s op:%s " % (ion_actor_id,ion_org_id, receiver, op))
request = Request()
subject = Subject()
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID,ion_actor_id))
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID_QUALIFIER, ion_org_id))
#subject.attributes.append(createStringAttribute(ROLE_ATTRIBUTE_ID, 'researcher'))
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
return request
def _createXacmlRequestCtx(cls):
"""Helper to create a XACML request context"""
ctx = Request()
ctx.subjects.append(Subject())
openidAttr = Attribute()
ctx.subjects[-1].attributes.append(openidAttr)
openidAttr.attributeId = cls.OPENID_ATTR_ID
openidAttr.dataType = 'http://www.w3.org/2001/XMLSchema#anyURI'
anyUriAttrValue = cls.attributeValueClassFactory(openidAttr.dataType)
openidAttrVal = anyUriAttrValue(TestUserDatabase.OPENID_URI)
openidAttr.attributeValues.append(openidAttrVal)
return ctx
def _createXacmlProfileRequestCtx(subjectNameIdFormat, subjectNameId,
resourceUri, resourceContent, actions):
"""Translate SAML authorisation decision query into a XACML request
context
:type subjectNameIdFormat: str
:param subjectNameIdFormat: subject ID format
:type subjectNameId: str
:param subjectNameId: subject ID
:type resourceUri: str
:param resourceUri: resource URI
:type resourceContent: ElementTree.Element
:param resourceContent: data to include as resource content
:type actions: list of str
:param actions: action values
"""
xacmlRequest = XacmlRequest()
xacmlSubject = XacmlSubject()
xacmlAttributeValueFactory = XacmlAttributeValueClassFactory()
openidSubjectAttribute = XacmlAttribute()
openidSubjectAttribute.attributeId = subjectNameIdFormat
XacmlAnyUriAttributeValue = xacmlAttributeValueFactory(
XacmlAttributeValue.ANY_TYPE_URI)
openidSubjectAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
openidSubjectAttribute.attributeValues.append(
XacmlAnyUriAttributeValue())
openidSubjectAttribute.attributeValues[-1].value = subjectNameId
xacmlSubject.attributes.append(openidSubjectAttribute)
XacmlStringAttributeValue = xacmlAttributeValueFactory(
XacmlAttributeValue.STRING_TYPE_URI)
xacmlRequest.subjects.append(xacmlSubject)
resource = XacmlResource()
resourceAttribute = XacmlAttribute()
resource.attributes.append(resourceAttribute)
if resourceContent is not None:
resource.resourceContent = resourceContent
resourceAttribute.attributeId = XacmlIdentifiers.Resource.RESOURCE_ID
resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
resourceAttribute.attributeValues.append(XacmlAnyUriAttributeValue())
resourceAttribute.attributeValues[-1].value = resourceUri
xacmlRequest.resources.append(resource)
xacmlRequest.action = XacmlAction()
for action in actions:
xacmlActionAttribute = XacmlAttribute()
xacmlRequest.action.attributes.append(xacmlActionAttribute)
xacmlActionAttribute.attributeId = XacmlIdentifiers.Action.ACTION_ID
xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
xacmlActionAttribute.attributeValues.append(
XacmlStringAttributeValue())
xacmlActionAttribute.attributeValues[-1].value = action.value
xacmlRequest.environment = XacmlEnvironment()
return xacmlRequest
def _create_request_ctx(resourceId,
includeSubject=True,
subjectId=SUBJECT_ID,
subjectRoles=None,
roleAttributeId=ROLE_ATTRIBUTE_ID,
action='read',
resourceContent=None):
"""Create an example XACML Request Context for tests"""
if subjectRoles is None:
subjectRoles = ('staff',)
request = Request()
if includeSubject:
subject = CtxSubject()
openidSubjectAttribute = Attribute()
openidSubjectAttribute.attributeId = "urn:esg:openid"
openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
openidSubjectAttribute.attributeValues.append(
AnyUriAttributeValue())
openidSubjectAttribute.attributeValues[-1].value = subjectId
subject.attributes.append(openidSubjectAttribute)
for role in subjectRoles:
roleAttribute = Attribute()
roleAttribute.attributeId = roleAttributeId
roleAttribute.dataType = StringAttributeValue.IDENTIFIER
roleAttribute.attributeValues.append(StringAttributeValue())
roleAttribute.attributeValues[-1].value = role
subject.attributes.append(roleAttribute)
request.subjects.append(subject)
resource = ResourceCtx()
resourceAttribute = Attribute()
resource.attributes.append(resourceAttribute)
resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID
resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
resourceAttribute.attributeValues.append(AnyUriAttributeValue())
resourceAttribute.attributeValues[-1].value = resourceId
resource.resourceContent = resourceContent
request.resources.append(resource)
request.action = Action()
actionAttribute = Attribute()
request.action.attributes.append(actionAttribute)
actionAttribute.attributeId = Identifiers.Action.ACTION_ID
actionAttribute.dataType = StringAttributeValue.IDENTIFIER
actionAttribute.attributeValues.append(StringAttributeValue())
actionAttribute.attributeValues[-1].value = action
request.environment = Environment()
return request
def _create_request_from_message(self, invocation, receiver, receiver_type='service'):
sender, sender_type = invocation.get_message_sender()
op = invocation.get_header_value('op', 'Unknown')
ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
actor_roles = invocation.get_header_value('ion-actor-roles', {})
message_format = invocation.get_header_value('format', '')
#log.debug("Checking XACML Request: receiver_type: %s, sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s", receiver_type, sender, receiver, op, ion_actor_id, actor_roles)
request = Request()
subject = Subject()
subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))
#Get the Org name associated with the endpoint process
endpoint_process = invocation.get_arg_value('process', None)
if endpoint_process is not None and hasattr(endpoint_process,'org_governance_name'):
org_governance_name = endpoint_process.org_governance_name
else:
org_governance_name = self.governance_controller.system_root_org_name
#If this process is not associated wiht the root Org, then iterate over the roles associated with the user only for
#the Org that this process is associated with otherwise include all roles and create attributes for each
if org_governance_name == self.governance_controller.system_root_org_name:
#log.debug("Including roles for all Orgs")
#If the process Org name is the same for the System Root Org, then include all of them to be safe
for org in actor_roles:
self.create_org_role_attribute(actor_roles[org],subject)
else:
if actor_roles.has_key(org_governance_name):
log.debug("Org Roles (%s): %s" , org_governance_name, ' '.join(actor_roles[org_governance_name]))
self.create_org_role_attribute(actor_roles[org_governance_name],subject)
#Handle the special case for the ION system actor
if actor_roles.has_key(self.governance_controller.system_root_org_name):
if ION_MANAGER in actor_roles[self.governance_controller.system_root_org_name]:
log.debug("Including ION_MANAGER role")
self.create_org_role_attribute([ION_MANAGER],subject)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
#Check to see if there is a OperationVerb decorator specifying a Verb used with policy
if is_ion_object(message_format):
try:
msg_class = message_classes[message_format]
operation_verb = get_class_decorator_value(msg_class,'OperationVerb')
if operation_verb is not None:
request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
except NotFound:
pass
#Create generic attributes for each of the primitive message parameter types to be available in XACML rules
parameter_dict = {'message': invocation.message, 'headers': invocation.headers, 'annotations': invocation.message_annotations }
if endpoint_process is not None:
parameter_dict['process'] = endpoint_process
request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))
return request
def _createXacmlProfileRequestCtx(subjectNameIdFormat, subjectNameId,
resourceUri, resourceContent, actions):
"""Translate SAML authorisation decision query into a XACML request
context
:type subjectNameIdFormat: str
:param subjectNameIdFormat: subject ID format
:type subjectNameId: str
:param subjectNameId: subject ID
:type resourceUri: str
:param resourceUri: resource URI
:type resourceContent: ElementTree.Element
:param resourceContent: data to include as resource content
:type actions: list of str
:param actions: action values
"""
xacmlRequest = XacmlRequest()
xacmlSubject = XacmlSubject()
xacmlAttributeValueFactory = XacmlAttributeValueClassFactory()
openidSubjectAttribute = XacmlAttribute()
openidSubjectAttribute.attributeId = subjectNameIdFormat
XacmlAnyUriAttributeValue = xacmlAttributeValueFactory(
XacmlAttributeValue.ANY_TYPE_URI)
openidSubjectAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
openidSubjectAttribute.attributeValues.append(
XacmlAnyUriAttributeValue())
openidSubjectAttribute.attributeValues[-1].value = subjectNameId
xacmlSubject.attributes.append(openidSubjectAttribute)
XacmlStringAttributeValue = xacmlAttributeValueFactory(
XacmlAttributeValue.STRING_TYPE_URI)
xacmlRequest.subjects.append(xacmlSubject)
resource = XacmlResource()
resourceAttribute = XacmlAttribute()
resource.attributes.append(resourceAttribute)
if resourceContent is not None:
resource.resourceContent = resourceContent
resourceAttribute.attributeId = XacmlIdentifiers.Resource.RESOURCE_ID
resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
resourceAttribute.attributeValues.append(XacmlAnyUriAttributeValue())
resourceAttribute.attributeValues[-1].value = resourceUri
xacmlRequest.resources.append(resource)
xacmlRequest.action = XacmlAction()
for action in actions:
xacmlActionAttribute = XacmlAttribute()
xacmlRequest.action.attributes.append(xacmlActionAttribute)
xacmlActionAttribute.attributeId = XacmlIdentifiers.Action.ACTION_ID
xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
xacmlActionAttribute.attributeValues.append(
XacmlStringAttributeValue())
xacmlActionAttribute.attributeValues[-1].value = action.value
xacmlRequest.environment = XacmlEnvironment()
return xacmlRequest
def _create_request_from_message(self,
invocation,
receiver,
receiver_type='service'):
sender_type = invocation.get_header_value('sender-type', 'Unknown')
if sender_type == 'service':
sender_header = invocation.get_header_value(
'sender-service', 'Unknown')
sender = invocation.get_service_name(sender_header)
else:
sender = invocation.get_header_value('sender', 'Unknown')
op = invocation.get_header_value('op', 'Unknown')
ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
actor_roles = invocation.get_header_value('ion-actor-roles', {})
log.debug(
"Using XACML Request: sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s"
% (sender, receiver, op, ion_actor_id, str(actor_roles)))
request = Request()
subject = Subject()
subject.attributes.append(
self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(
self.create_string_attribute(Identifiers.Subject.SUBJECT_ID,
ion_actor_id))
#Get the Org name associated with the endpoint process
endpoint_process = invocation.get_arg_value('process', invocation)
if hasattr(endpoint_process, 'org_name'):
org_name = endpoint_process.org_name
else:
org_name = self.governance_controller._system_root_org_name
#If this process is not associated wiht the root Org, then iterate over the roles associated with the user only for
#the Org that this process is associated with otherwise include all roles and create attributes for each
if org_name == self.governance_controller._system_root_org_name:
log.debug("Including roles for all Orgs")
#If the process Org name is the same for the System Root Org, then include all of them to be safe
for org in actor_roles:
self.create_org_role_attribute(actor_roles[org], subject)
else:
if actor_roles.has_key(org_name):
log.debug("Org Roles (%s): %s", org_name,
' '.join(actor_roles[org_name]))
self.create_org_role_attribute(actor_roles[org_name], subject)
#Handle the special case for the ION system actor
if actor_roles.has_key(
self.governance_controller._system_root_org_name):
if 'ION_MANAGER' in actor_roles[
self.governance_controller._system_root_org_name]:
log.debug("Including ION_MANAGER role")
self.create_org_role_attribute(['ION_MANAGER'], subject)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(
self.create_string_attribute(Identifiers.Resource.RESOURCE_ID,
receiver))
resource.attributes.append(
self.create_string_attribute(RECEIVER_TYPE, receiver_type))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(
self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
return request
def _create_request_from_message(self, invocation, receiver, receiver_type=PROCTYPE_SERVICE):
sender, sender_type = invocation.get_message_sender()
op = invocation.get_header_value(MSG_HEADER_OP, 'Unknown')
actor_id = invocation.get_header_value(MSG_HEADER_ACTOR, ANONYMOUS_ACTOR)
user_context_id = invocation.get_header_value(MSG_HEADER_USER_CONTEXT_ID, "")
user_context_differs = bool(actor_id and actor_id != ANONYMOUS_ACTOR and user_context_id and actor_id != user_context_id)
actor_roles = invocation.get_header_value(MSG_HEADER_ROLES, {})
message_format = invocation.get_header_value(MSG_HEADER_FORMAT, '')
# if receiver == "agpro_exchange":
# print "### POLICY DECISION rty=%s recv=%s actor=%s context=%s differ:%s" % (receiver_type, receiver, actor_id, user_context_id, user_context_differs)
# print " Headers: %s" % invocation.headers
#log.debug("Checking XACML Request: receiver_type: %s, sender: %s, receiver:%s, op:%s, ion_actor_id:%s, ion_actor_roles:%s", receiver_type, sender, receiver, op, ion_actor_id, actor_roles)
request = Request()
subject = Subject()
subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, actor_id))
subject.attributes.append(self.create_string_attribute(USER_CONTEXT_ID, user_context_id))
subject.attributes.append(self.create_string_attribute(USER_CONTEXT_DIFFERS, str(user_context_differs)))
# Get the Org name associated with the endpoint process
endpoint_process = invocation.get_arg_value('process', None)
if endpoint_process is not None and hasattr(endpoint_process, 'org_governance_name'):
org_governance_name = endpoint_process.org_governance_name
else:
org_governance_name = self.governance_controller.system_root_org_name
# If this process is not associated with the root Org, then iterate over the roles associated
# with the user only for the Org that this process is associated with otherwise include all roles
# and create attributes for each
if org_governance_name == self.governance_controller.system_root_org_name:
#log.debug("Including roles for all Orgs")
# If the process Org name is the same for the System Root Org, then include all of them to be safe
for org in actor_roles:
self.create_org_role_attribute(actor_roles[org], subject)
else:
if org_governance_name in actor_roles:
log.debug("Org Roles (%s): %s", org_governance_name, ' '.join(actor_roles[org_governance_name]))
self.create_org_role_attribute(actor_roles[org_governance_name], subject)
# Handle the special case for the ION system actor
if self.governance_controller.system_root_org_name in actor_roles:
if SUPERUSER_ROLE in actor_roles[self.governance_controller.system_root_org_name]:
log.debug("Including SUPERUSER role")
self.create_org_role_attribute([SUPERUSER_ROLE], subject)
request.subjects.append(subject)
resource = Resource()
resource.attributes.append(self.create_string_attribute(Identifiers.Resource.RESOURCE_ID, receiver))
resource.attributes.append(self.create_string_attribute(RECEIVER_TYPE, receiver_type))
request.resources.append(resource)
request.action = Action()
request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
# Check to see if there is a OperationVerb decorator specifying a Verb used with policy
if is_ion_object(message_format):
try:
msg_class = message_classes[message_format]
operation_verb = get_class_decorator_value(msg_class, DECORATOR_OP_VERB)
if operation_verb is not None:
request.action.attributes.append(self.create_string_attribute(ACTION_VERB, operation_verb))
except NotFound:
pass
# Create generic attributes for each of the primitive message parameter types to be available in XACML rules
# and evaluation functions
parameter_dict = {'message': invocation.message,
'headers': invocation.headers,
'annotations': invocation.message_annotations}
if endpoint_process is not None:
parameter_dict['process'] = endpoint_process
request.action.attributes.append(self.create_dict_attribute(ACTION_PARAMETERS, parameter_dict))
return request
def _createRequestCtx(resourceId,
includeSubject=True,
subjectGroupRoles=None,
groupRoleAttributeId='urn:esg:attr',
action='read'):
"""Create an example XACML Request Context for tests"""
if subjectGroupRoles is None:
subjectGroupRoles = [('ACME', 'default')]
request = Request()
if includeSubject:
subject = Subject()
openidSubjectAttribute = Attribute()
openidSubjectAttribute.attributeId = "urn:esg:openid"
openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
openidSubjectAttribute.attributeValues.append(
AnyUriAttributeValue())
openidSubjectAttribute.attributeValues[-1].value = SUBJECT_ID
subject.attributes.append(openidSubjectAttribute)
for group, role in subjectGroupRoles:
groupRoleAttribute = Attribute()
groupRoleAttribute.attributeId = groupRoleAttributeId
groupRoleAttribute.dataType = 'urn:grouprole'
groupRoleAttribute.attributeValues.append(
GroupRoleAttributeValue())
groupRoleAttribute.attributeValues[-1].group = group
groupRoleAttribute.attributeValues[-1].role = role
subject.attributes.append(groupRoleAttribute)
request.subjects.append(subject)
resource = Resource()
resourceAttribute = Attribute()
resource.attributes.append(resourceAttribute)
resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID
resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
resourceAttribute.attributeValues.append(AnyUriAttributeValue())
resourceAttribute.attributeValues[-1].value = resourceId
request.resources.append(resource)
request.action = Action()
actionAttribute = Attribute()
request.action.attributes.append(actionAttribute)
actionAttribute.attributeId = Identifiers.Action.ACTION_ID
actionAttribute.dataType = StringAttributeValue.IDENTIFIER
actionAttribute.attributeValues.append(StringAttributeValue())
actionAttribute.attributeValues[-1].value = action
return request
