class XacmlDynamicPolicyTestCase(unittest.TestCase): """Test Dynamic creation of policy and rules from code API instead of XML policy file""" attributeValueClassFactory = AttributeValueClassFactory() def _create_policy(self): self.policy = Policy() self.policy.policyId = 'Dynamic Policy Test' self.policy.ruleCombiningAlgId = \ 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides' # Add top-level target - determines an overall match for this policy self.policy.target = Target() # Match based on resource - add a resource match to the target resource = Resource() resource_match = ResourceMatch() resource_match.matchId = "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match" resource_match.attributeValue = self.__class__.attributeValueClassFactory( "http://www.w3.org/2001/XMLSchema#anyURI")() resource_match.attributeValue.value = '^http://localhost/.*' resource_match.attributeDesignator = ResourceAttributeDesignator() resource_match.attributeDesignator.attributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource_match.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#anyURI" resource.matches.append(resource_match) self.policy.target.resources.append(resource) # Add rules denyall_rule = Rule() denyall_rule.id = 'Deny all rule' denyall_rule.effect = Effect.DENY self.policy.rules.append(denyall_rule) singlerole_rule = Rule() singlerole_rule.id = 'dataset1 rule' singlerole_rule.effect = Effect.PERMIT singlerole_rule.target = Target() resource_match1 = ResourceMatch() resource_match1.matchId = "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match" resource_match1.attributeValue = self.__class__.attributeValueClassFactory( "http://www.w3.org/2001/XMLSchema#anyURI")() resource_match1.attributeValue.value = '^http://localhost/dataset1/.*$' resource_match1.attributeDesignator = ResourceAttributeDesignator() resource_match1.attributeDesignator.attributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id" resource_match1.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#anyURI" resource1 = Resource() resource1.matches.append(resource_match1) singlerole_rule.target.resources.append(resource1) subject_match1 = SubjectMatch() subject_match1.matchId = "urn:oasis:names:tc:xacml:1.0:function:string-equal" subject_match1.attributeValue = self.__class__.attributeValueClassFactory( "http://www.w3.org/2001/XMLSchema#string")() subject_match1.attributeValue.value = 'staff' subject_match1.attributeDesignator = SubjectAttributeDesignator() subject_match1.attributeDesignator.attributeId = ROLE_ATTRIBUTE_ID subject_match1.attributeDesignator.dataType = "http://www.w3.org/2001/XMLSchema#string" subject1 = Subject() subject1.matches.append(subject_match1) singlerole_rule.target.subjects.append(subject1) self.policy.rules.append(singlerole_rule) @staticmethod def _create_request_ctx(resourceId, includeSubject=True, subjectId=SUBJECT_ID, subjectRoles=None, roleAttributeId=ROLE_ATTRIBUTE_ID, action='read', resourceContent=None): """Create an example XACML Request Context for tests""" if subjectRoles is None: subjectRoles = ('staff',) request = Request() if includeSubject: subject = CtxSubject() openidSubjectAttribute = Attribute() openidSubjectAttribute.attributeId = "urn:esg:openid" openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER openidSubjectAttribute.attributeValues.append( AnyUriAttributeValue()) openidSubjectAttribute.attributeValues[-1].value = subjectId subject.attributes.append(openidSubjectAttribute) for role in subjectRoles: roleAttribute = Attribute() roleAttribute.attributeId = roleAttributeId roleAttribute.dataType = StringAttributeValue.IDENTIFIER roleAttribute.attributeValues.append(StringAttributeValue()) roleAttribute.attributeValues[-1].value = role subject.attributes.append(roleAttribute) request.subjects.append(subject) resource = ResourceCtx() resourceAttribute = Attribute() resource.attributes.append(resourceAttribute) resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER resourceAttribute.attributeValues.append(AnyUriAttributeValue()) resourceAttribute.attributeValues[-1].value = resourceId resource.resourceContent = resourceContent request.resources.append(resource) request.action = Action() actionAttribute = Attribute() request.action.attributes.append(actionAttribute) actionAttribute.attributeId = Identifiers.Action.ACTION_ID actionAttribute.dataType = StringAttributeValue.IDENTIFIER actionAttribute.attributeValues.append(StringAttributeValue()) actionAttribute.attributeValues[-1].value = action request.environment = Environment() return request def _create_pdp(self): self._create_policy() self.pdp = PDP(policy=self.policy) def test01_create_policy(self): self._create_policy() def test02_create_pdp(self): self._create_pdp() def test03_test_rule(self): self._create_pdp() request = self._create_request_ctx('http://localhost/dataset1/my.nc', subjectId='http://me.openid.ac.uk', subjectRoles=('staff',)) response = self.pdp.evaluate(request) for result in response.results: self.failIf(result.decision != Decision.PERMIT, "Expecting Permit decision")
role = attributeValueFactory("http://www.w3.org/2001/XMLSchema#string") arole = role("administrator") # Add the role-attribute to the request-subject # id: urn:oasis:names:tc:xacml:2.0:example:attribute:role attr = Attribute() attr.attributeId = "urn:oasis:names:tc:xacml:2.0:example:attribute:role" attr.dataType = role.IDENTIFIER # = http://www.w3.org/2001/XMLSchema#string attr.attributeValues.append(arole) subject = Subject() subject.attributes.append(attr) request.subjects.append(subject) # See what we've received as result res = pdp.evaluate(request) for result in res.results: print result.decision """ How to add actions (I did not test it yet): somevalue = attributeValueFactory("http://www.w3.org/2001/XMLSchema#string") avalue = somevalue("https://www.gonicus.de/webdav") bvalue = somevalue("read") # Add a resource attribute resourceAttribute = Attribute()