def fromXML(cls, elem):
"""Parse ElementTree element into a SAML XACMLAuthzDecisionQuery object
@type elem: ElementTree.Element
@param elem: XML element containing the AuthzDecisionQuery
@rtype: saml.saml2.core.AuthzDecisionQuery
@return: AuthzDecisionQuery object
"""
if not ElementTree.iselement(elem):
raise TypeError("Expecting %r input type for parsing; got %r" %
(ElementTree.Element, elem))
if QName.getLocalPart(elem.tag) != cls.DEFAULT_ELEMENT_LOCAL_NAME:
raise XMLTypeParseError("No \"%s\" element found" %
cls.DEFAULT_ELEMENT_LOCAL_NAME)
# Unpack attributes from top-level element
attributeValues = []
for attributeName in (cls.VERSION_ATTRIB_NAME,
cls.ISSUE_INSTANT_ATTRIB_NAME,
cls.ID_ATTRIB_NAME):
attributeValue = elem.attrib.get(attributeName)
if attributeValue is None:
raise XMLTypeParseError('No "%s" attribute found in "%s" '
'element' %
(attributeName,
cls.DEFAULT_ELEMENT_LOCAL_NAME))
attributeValues.append(attributeValue)
authzDecisionQuery = XACMLAuthzDecisionQuery()
authzDecisionQuery.version = SAMLVersion(attributeValues[0])
if authzDecisionQuery.version != SAMLVersion.VERSION_20:
raise NotImplementedError("Parsing for %r is implemented for "
"SAML version %s only; version %s is "
"not supported" %
(cls,
SAMLVersion(SAMLVersion.VERSION_20),
SAMLVersion(authzDecisionQuery.version)))
authzDecisionQuery.issueInstant = SAMLDateTime.fromString(
attributeValues[1])
authzDecisionQuery.id = attributeValues[2]
for childElem in elem:
localName = QName.getLocalPart(childElem.tag)
if localName == Issuer.DEFAULT_ELEMENT_LOCAL_NAME:
# Parse Issuer
authzDecisionQuery.issuer = IssuerElementTree.fromXML(childElem)
elif localName == Request.ELEMENT_LOCAL_NAME:
# Create XACML context request from Request element.
authzDecisionQuery.xacmlContextRequest = \
RequestElementTree.fromXML(childElem)
else:
raise XMLTypeParseError("Unrecognised XACMLAuthzDecisionQuery child "
"element \"%s\"" % localName)
return authzDecisionQuery
def fromXML(cls, elem):
if not ElementTree.iselement(elem):
raise TypeError("Expecting %r input type for parsing; got %r" %
(ElementTree.Element, elem))
if QName.getLocalPart(elem.tag) != cls.DEFAULT_ELEMENT_LOCAL_NAME:
raise XMLTypeParseError("No \"%s\" element found" %
cls.DEFAULT_ELEMENT_LOCAL_NAME)
authzDecisionStatement = XACMLAuthzDecisionStatement()
for childElem in elem:
localName = QName.getLocalPart(childElem.tag)
if localName == Response.ELEMENT_LOCAL_NAME:
# Create XACML context request from Response element.
authzDecisionStatement.xacmlContextResponse = \
ResponseElementTree.fromXML(childElem)
elif localName == Request.ELEMENT_LOCAL_NAME:
# Create XACML context request from Request element.
authzDecisionStatement.xacmlContextRequest = \
RequestElementTree.fromXML(childElem)
else:
raise XMLTypeParseError("Unrecognised XACMLAuthzDecisionQuery child "
"element \"%s\"" % localName)
return authzDecisionStatement
def toXML(cls, xacmlAuthzDecisionStatement):
if not isinstance(xacmlAuthzDecisionStatement,
XACMLAuthzDecisionStatement):
raise TypeError("Expecting %r class got %r" %
(XACMLAuthzDecisionStatement,
type(xacmlAuthzDecisionStatement)))
if not xacmlAuthzDecisionStatement.xacmlContextResponse:
raise AttributeError("No xacmlContextResponse has been set for the "
"XACMLAuthzDecisionStatement")
tag = str(QName.fromGeneric(cls.DEFAULT_ELEMENT_NAME))
elem = etree.makeEtreeElement(tag, cls.DEFAULT_ELEMENT_NAME.prefix,
cls.DEFAULT_ELEMENT_NAME.namespaceURI)
xacmlContextResponseElem = ResponseElementTree.toXML(
xacmlAuthzDecisionStatement.xacmlContextResponse)
elem.append(xacmlContextResponseElem)
if xacmlAuthzDecisionStatement.xacmlContextRequest:
xacmlContextRequestElem = RequestElementTree.toXML(
xacmlAuthzDecisionStatement.xacmlContextRequest)
elem.append(xacmlContextRequestElem)
return elem
def test06ExecuteConditionPermit(self):
self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR3_FILEPATH,
ReaderFactory)
resourceContent = self._make_resource_content_element(
self.__class__.RESOURCE_CONTENT_EXECUTE)
request = self._createRequestCtx(
self.__class__.PUBLIC_RESOURCE_ID,
resourceContent=resourceContent)
request.elem = RequestElementTree.toXML(request)
request.attributeSelector = EtreeXPathSelector(request.elem)
response = self.pdp.evaluate(request)
self.failIf(response is None, "Null response")
for result in response.results:
self.failIf(result.decision != Decision.PERMIT,
"Expecting permit decision")
def test01NotApplicable(self):
self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR1_FILEPATH,
ReaderFactory)
resourceContent = self._make_resource_content_element(
self.__class__.RESOURCE_CONTENT_VERSION_100)
request = self._createRequestCtx(
self.__class__.NOT_APPLICABLE_RESOURCE_ID,
resourceContent=resourceContent)
request.elem = RequestElementTree.toXML(request)
request.attributeSelector = EtreeXPathSelector(request.elem)
response = self.pdp.evaluate(request)
self.failIf(response is None, "Null response")
for result in response.results:
self.failIf(result.decision != Decision.NOT_APPLICABLE,
"Expecting not applicable decision")
def test10SelectAttributeDeny(self):
self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR6_FILEPATH,
ReaderFactory)
resourceContent = self._make_resource_content_element(
self.__class__.RESOURCE_CONTENT_EXECUTE)
request = self._createRequestCtx(
self.__class__.PUBLIC_RESOURCE_ID,
resourceContent=resourceContent)
request.elem = RequestElementTree.toXML(request)
request.attributeSelector = EtreeXPathSelector(request.elem)
response = self.pdp.evaluate(request)
self.failIf(response is None, "Null response")
for result in response.results:
if Config.use_lxml:
self.failIf(result.decision != Decision.DENY,
"Expecting deny decision")
else:
self.failIf(result.decision != Decision.INDETERMINATE,
"Expecting indeterminate decision")
def test04Indeterminate(self):
'''This should result in an indeterminate decision because the policy
includes an AttributeSelector with MustBePresent="true", whereas the
request context path is not found in the request XML.
'''
self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR1_FILEPATH,
ReaderFactory)
resourceContent = self._make_resource_content_element(
self.__class__.RESOURCE_CONTENT_NO_VERSION)
request = self._createRequestCtx(
self.__class__.PUBLIC_RESOURCE_ID,
resourceContent=resourceContent)
request.elem = RequestElementTree.toXML(request)
request.attributeSelector = EtreeXPathSelector(request.elem)
response = self.pdp.evaluate(request)
self.failIf(response is None, "Null response")
for result in response.results:
self.failIf(result.decision != Decision.INDETERMINATE,
"Expecting indeterminate decision")
def test08ExecuteLxmlPermit(self):
# Test with condition in XPath expression - this will only return a
# permit decision when using lxml
self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR4_FILEPATH,
ReaderFactory)
resourceContent = self._make_resource_content_element(
self.__class__.RESOURCE_CONTENT_EXECUTE)
request = self._createRequestCtx(
self.__class__.PUBLIC_RESOURCE_ID,
resourceContent=resourceContent)
request.elem = RequestElementTree.toXML(request)
request.attributeSelector = EtreeXPathSelector(request.elem)
response = self.pdp.evaluate(request)
self.failIf(response is None, "Null response")
for result in response.results:
if Config.use_lxml:
self.failIf(result.decision != Decision.PERMIT,
"Expecting permit decision")
else:
log.debug("Using ElementTree: dependent on the version, this "
"test may result in an indeterminate decision. "
"result.decision = %s" % result.decision)
def toXML(cls, xacmlAuthzDecisionQuery):
"""Create an XML representation of the input SAML Authorization
Decision Query object
@type xacmlAuthzDecisionQuery: saml.saml2.core.AuthzDecisionQuery
@param xacmlAuthzDecisionQuery: SAML Authorization Decision Query
@rtype: ElementTree.Element
@return: Attribute Query as ElementTree XML element
"""
if not isinstance(xacmlAuthzDecisionQuery, XACMLAuthzDecisionQuery):
raise TypeError("Expecting %r class got %r" % (XACMLAuthzDecisionQuery,
type(xacmlAuthzDecisionQuery)))
if not xacmlAuthzDecisionQuery.xacmlContextRequest:
raise AttributeError("No xacmlContextRequest has been set for the "
"XACMLAuthzDecisionQuery")
issueInstant = SAMLDateTime.toString(xacmlAuthzDecisionQuery.issueInstant)
attrib = {
cls.ID_ATTRIB_NAME: xacmlAuthzDecisionQuery.id,
cls.ISSUE_INSTANT_ATTRIB_NAME: issueInstant,
# Nb. Version is a SAMLVersion instance and requires explicit cast
cls.VERSION_ATTRIB_NAME: str(xacmlAuthzDecisionQuery.version),
}
tag = str(QName.fromGeneric(cls.DEFAULT_ELEMENT_NAME))
elem = etree.makeEtreeElement(tag, cls.DEFAULT_ELEMENT_NAME.prefix,
cls.DEFAULT_ELEMENT_NAME.namespaceURI,
**attrib)
issuerElem = IssuerElementTree.toXML(xacmlAuthzDecisionQuery.issuer)
elem.append(issuerElem)
requestElem = RequestElementTree.toXML(
xacmlAuthzDecisionQuery.xacmlContextRequest)
elem.append(requestElem)
return elem
