def load_org_policy_rules(self, rules_text): log.debug("Loading policies for org") #Simply create a new PDP object for the service #TODO - make sure this is thread safe with the evaluation that uses it. input_source = StringIO(rules_text) self.org_pdp = PDP.fromPolicySource(input_source, ReaderFactory)
def load_org_policy_rules(self, rules_text): log.debug("Loading policies for org") #Simply create a new PDP object for the service #TODO - make sure this is thread safe with the evaluation that uses it. input_source = StringIO(rules_text) self.org_pdp = PDP.fromPolicySource(input_source, ReaderFactory)
def initialise(self, prefix='', **kw): '''Initialise object from keyword settings :type prefix: basestring :param prefix: prefix for configuration items :type kw: dict :param kw: configuration settings dictionary :raise SamlPepFilterConfigError: missing option setting(s) ''' # Parse other options for name in SamlPepFilter.PARAM_NAMES: paramName = prefix + name value = kw.get(paramName) if value is not None: setattr(self, name, value) elif name != self.__class__.LOCAL_POLICY_FILEPATH_PARAM_NAME: # Policy file setting is optional raise SamlPepFilterConfigError('Missing option %r' % paramName) # Parse authorisation decision query options queryPrefix = prefix + self.__class__.AUTHZ_DECISION_QUERY_PARAMS_PREFIX self.client.parseKeywords(prefix=queryPrefix, **kw) # Initialise the local PDP if self.localPolicyFilePath: self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath, XacmlPolicyReaderFactory)
def __init__(self, *args, **kwargs): self.resource_policy_decision_point = dict() self.service_policy_decision_point = dict() self.empty_pdp = PDP.fromPolicySource( path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) self.load_common_service_policy_rules('')
def load_policy_rules(self, resource_policy, rules_text): log.debug("Loading rules for service: %s" % resource_policy) #Simply create a new PDP object for the service #TODO - make sure this is thread safe with the evaluation that uses it. input_source = StringIO(rules_text) self.policy_decision_point[resource_policy] = PDP.fromPolicySource(input_source, ReaderFactory)
def __init__(self, governance_controller): self.resource_policy_decision_point = dict() self.service_policy_decision_point = dict() self.empty_pdp = PDP.fromPolicySource(path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) self.load_common_service_policy_rules('') self.governance_controller = governance_controller #Create and register an Attribute Value derived class to handle a dict type used for the messages _className = 'Dict' + AttributeValue.CLASS_NAME_SUFFIX _classVars = {'TYPE': dict, 'IDENTIFIER': DICT_TYPE_URI} _attributeValueClass = type(_className, (AttributeValue, ), _classVars) AttributeValue.register(_attributeValueClass) attributeValueFactory.addClass(DICT_TYPE_URI, _attributeValueClass) self.DictAttributeValue = attributeValueFactory(DICT_TYPE_URI) #Create and register an Attribute Value derived class to handle any object _className = 'Object' + AttributeValue.CLASS_NAME_SUFFIX _classVars = {'TYPE': object, 'IDENTIFIER': OBJECT_TYPE_URI} _attributeValueClass = type(_className, (AttributeValue, ), _classVars) AttributeValue.register(_attributeValueClass) attributeValueFactory.addClass(OBJECT_TYPE_URI, _attributeValueClass) self.ObjectAttributeValue = attributeValueFactory(OBJECT_TYPE_URI) #Create and add new function for evaluating functions that take the message as a dict from pyon.core.governance.policy.evaluate import EvaluateCode, EvaluateFunction functionMap['urn:oasis:names:tc:xacml:1.0:function:evaluate-code'] = EvaluateCode functionMap['urn:oasis:names:tc:xacml:1.0:function:evaluate-function'] = EvaluateFunction
def load_common_service_policy_rules(self, rules_text): self.common_service_rules = rules_text input_source = StringIO( self.create_policy_from_rules(COMMON_SERVICE_POLICY_RULES, rules_text)) self.load_common_service_pdp = PDP.fromPolicySource( input_source, ReaderFactory)
def __init__(self, governance_controller): self.resource_policy_decision_point = dict() self.service_policy_decision_point = dict() self.empty_pdp = PDP.fromPolicySource(path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) self.load_common_service_policy_rules('') self.governance_controller = governance_controller
def __init__(self, *args, **kwargs): self.policy_decision_point = dict() self.org_pdp = PDP.fromPolicySource(path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) #Adding an not function to XACML from pyon.core.governance.policy.xacml.not_function import Not from pyon.core.governance.policy.xacml.and_function import And functionMap['urn:oasis:names:tc:xacml:ooi:function:not'] = Not functionMap['urn:oasis:names:tc:xacml:ooi:function:and'] = And
def __init__(self, *args, **kwargs): self.policy_decision_point = dict() self.org_pdp = PDP.fromPolicySource( path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) #Adding an not function to XACML from pyon.core.governance.policy.xacml.not_function import Not from pyon.core.governance.policy.xacml.and_function import And functionMap['urn:oasis:names:tc:xacml:ooi:function:not'] = Not functionMap['urn:oasis:names:tc:xacml:ooi:function:and'] = And
def test02_04And2ArgsTrue(self): self.pdp = PDP.fromPolicySource(XACML_ANDTEST_FILEPATH, ReaderFactory) request = self._createRequestCtx( self.__class__.RESOURCE4_ID, subjectRoles=('role1', 'role2')) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.PERMIT, "Expecting Permit decision")
def load_policy_rules(self, resource_id, rules_text): log.debug("Loading policies for resource: %s" % resource_id) self.clear_resource_policy(resource_id) #Simply create a new PDP object for the service #TODO - make sure this is thread safe with the evaluation that uses it. input_source = StringIO(rules_text) self.policy_decision_point[resource_id] = PDP.fromPolicySource( input_source, ReaderFactory)
def test02_03And1ArgFalse(self): self.pdp = PDP.fromPolicySource(XACML_ANDTEST_FILEPATH, ReaderFactory) request = self._createRequestCtx( self.__class__.RESOURCE3_ID, subjectRoles=('role1',)) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.DENY, "Expecting Deny decision")
def createPDP(self): """Create PDP from ion agents policy file""" log.debug("Creating a new PDP") # TODO - May need to implement a not function here. #from pyon.core.governance.ndg_xacml.ooi_and import And #functionMap['urn:oasis:names:tc:xacml:ooi:function:and'] = And self.policy_decision_point = PDP.fromPolicySource(path.join(THIS_DIR, XACML_ION_POLICY_FILENAME), ReaderFactory) return self.policy_decision_point
def get_pdp(self, resource_id): if self.policy_decision_point.has_key(resource_id): return self.policy_decision_point[resource_id] # If a PDP does not exist for this resource - then return default. if self.default_pdp is None: # Loads a blank policy set as the default or an unknown resource_policy self.default_pdp = PDP.fromPolicySource(path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) return self.default_pdp
def test02_02AnyUriUrlencode(self): """Test URL encoding of a URI value resulting in a deny decision. """ self.pdp = PDP.fromPolicySource(XACML_CUSTOM_FUNCTION_TEST_FILEPATH, ReaderFactory) request = self._createRequestCtx(self.__class__.RESOURCE4_ID, subjectRoles=('role1',)) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.DENY, "Expecting Deny decision")
def test01_01StringUrlencode(self): """Test URL encoding of a string value resulting in a permit decision. """ self.pdp = PDP.fromPolicySource(XACML_CUSTOM_FUNCTION_TEST_FILEPATH, ReaderFactory) request = self._createRequestCtx(self.__class__.RESOURCE1_ID, subjectRoles=('role1',)) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.PERMIT, "Expecting Permit decision")
def test01_04StringConcatenate4Values(self): """Test concatenation of 4 string values resulting in deny decision. """ self.pdp = PDP.fromPolicySource(XACML_CONCATENATE_TEST_FILEPATH, ReaderFactory) request = self._createRequestCtx(self.__class__.RESOURCE4_ID, subjectRoles=('role1',)) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.DENY, "Expecting Deny decision")
def load_resource_policy_rules(self, resource_key, rules_text): if not rules_text and not self.resource_policy_decision_point.has_key(resource_key): return log.info("Loading policies for resource: %s" % resource_key) self.clear_resource_policy(resource_key) #Simply create a new PDP object for the service input_source = StringIO(self.create_policy_from_rules(resource_key, rules_text)) self.resource_policy_decision_point[resource_key] = PDP.fromPolicySource(input_source, ReaderFactory)
def test02_01UrlStringConcatenate2Values(self): """Test concatenation of URI and 1 string value resulting in permit decision. """ self.pdp = PDP.fromPolicySource(XACML_CONCATENATE_TEST_FILEPATH, ReaderFactory) request = self._createRequestCtx(self.__class__.RESOURCE5_ID, subjectRoles=('role1',)) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.PERMIT, "Expecting Permit decision")
def get_pdp(self, resource_id): if self.policy_decision_point.has_key(resource_id): return self.policy_decision_point[resource_id] #If a PDP does not exist for this resource - then return default. if self.default_pdp is None: #Loads a blank policy set as the default or an unknown resource_policy self.default_pdp = PDP.fromPolicySource( path.join(THIS_DIR, XACML_EMPTY_POLICY_FILENAME), ReaderFactory) return self.default_pdp
def set_resource_policy_rules(self, resource_key, policy_list): log.debug("Loading policies for resource: %s" % resource_key) self.clear_resource_policy(resource_key) if not policy_list: self.resource_policy_decision_point[resource_key] = None return # Create a new PDP object for the resource rules_text = self._get_rules_text(policy_list) input_source = StringIO(self.create_resource_policy_from_rules(resource_key, rules_text)) self.resource_policy_decision_point[resource_key] = PDP.fromPolicySource(input_source, ReaderFactory)
def load_service_policy_rules(self, service_name, rules_text): if not rules_text and not self.service_policy_decision_point.has_key(service_name): return log.debug("Loading policies for service: %s" % service_name) self.clear_service_policy(service_name) service_rule_set = self.common_service_rules + rules_text #Simply create a new PDP object for the service input_source = StringIO(self.create_policy_from_rules(service_name, service_rule_set)) self.service_policy_decision_point[service_name] = PDP.fromPolicySource(input_source, ReaderFactory)
def set_service_policy_rules(self, service_name, policy_list): log.debug("Loading policies for service: %s" % service_name) self.clear_service_policy(service_name) if not policy_list: self.service_policy_decision_point[service_name] = None return # Create a new PDP object for the service rules_text = self._get_rules_text(policy_list) input_source = StringIO(self.create_policy_from_rules(service_name, rules_text)) self.service_policy_decision_point[service_name] = PDP.fromPolicySource(input_source, ReaderFactory)
def test06ExecuteConditionPermit(self): self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR3_FILEPATH, ReaderFactory) resourceContent = self._make_resource_content_element( self.__class__.RESOURCE_CONTENT_EXECUTE) request = self._createRequestCtx( self.__class__.PUBLIC_RESOURCE_ID, resourceContent=resourceContent) request.elem = RequestElementTree.toXML(request) request.attributeSelector = EtreeXPathSelector(request.elem) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.PERMIT, "Expecting permit decision")
def test01NotApplicable(self): self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR1_FILEPATH, ReaderFactory) resourceContent = self._make_resource_content_element( self.__class__.RESOURCE_CONTENT_VERSION_100) request = self._createRequestCtx( self.__class__.NOT_APPLICABLE_RESOURCE_ID, resourceContent=resourceContent) request.elem = RequestElementTree.toXML(request) request.attributeSelector = EtreeXPathSelector(request.elem) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.NOT_APPLICABLE, "Expecting not applicable decision")
def load_resource_policy_rules(self, resource_key, rules_text): if not rules_text and not self.resource_policy_decision_point.has_key( resource_key): return log.info("Loading policies for resource: %s" % resource_key) self.clear_resource_policy(resource_key) #Simply create a new PDP object for the service input_source = StringIO( self.create_policy_from_rules(resource_key, rules_text)) self.resource_policy_decision_point[ resource_key] = PDP.fromPolicySource(input_source, ReaderFactory)
def load_service_policy_rules(self, service_name, rules_text): if not rules_text and not self.service_policy_decision_point.has_key( service_name): return log.info("Loading policies for service: %s" % service_name) self.clear_service_policy(service_name) service_rule_set = self.common_service_rules + rules_text #Simply create a new PDP object for the service input_source = StringIO( self.create_policy_from_rules(service_name, service_rule_set)) self.service_policy_decision_point[ service_name] = PDP.fromPolicySource(input_source, ReaderFactory)
def load(self): """Load Policy file, mapping file and extensions functions. In each case load only if they're set. """ # This must be called first before the policy is loaded so that any # new custom types are added before a parse is attempted. if self.xacmlExtFunc: for fn in self.xacmlExtFunc: fn() if self.policyFilePath: self.pdp = PDP.fromPolicySource(self.policyFilePath, XacmlPolicyReaderFactory) if self.pip.mappingFilePath: self.pip.readMappingFile()
def load(self): """Load Policy file, mapping file and extensions functions. In each case load only if they're set. """ # This must be called first before the policy is loaded so that any # new custom types are added before a parse is attempted. if self.xacmlExtFunc: for fn in self.xacmlExtFunc: fn() if self.policyFilePath: self.pdp = PDP.fromPolicySource(self.policyFilePath, XacmlPolicyReaderFactory) if self.pip.mappingFilePath: self.pip.readMappingFile()
def setUp(self): """Use ESG sample policy""" # Add new type AttributeValueClassFactory.addClass('urn:grouprole', GroupRoleAttributeValue) # Add new parser for this type DataTypeReaderClassFactory.addReader('urn:grouprole', ETreeGroupRoleDataTypeReader) # Add extra matching and bag functions functionMap['urn:grouprole-bag'] = GroupRoleBag functionMap['urn:grouprole-at-least-one-member-of' ] = GroupRoleAtLeastOneMemberOf # Example policy with custom attribute value type used with ESGF self.pdp = PDP.fromPolicySource(XACML_ESGFTEST1_FILEPATH, ReaderFactory)
def test04Indeterminate(self): '''This should result in an indeterminate decision because the policy includes an AttributeSelector with MustBePresent="true", whereas the request context path is not found in the request XML. ''' self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR1_FILEPATH, ReaderFactory) resourceContent = self._make_resource_content_element( self.__class__.RESOURCE_CONTENT_NO_VERSION) request = self._createRequestCtx( self.__class__.PUBLIC_RESOURCE_ID, resourceContent=resourceContent) request.elem = RequestElementTree.toXML(request) request.attributeSelector = EtreeXPathSelector(request.elem) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: self.failIf(result.decision != Decision.INDETERMINATE, "Expecting indeterminate decision")
def test10SelectAttributeDeny(self): self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR6_FILEPATH, ReaderFactory) resourceContent = self._make_resource_content_element( self.__class__.RESOURCE_CONTENT_EXECUTE) request = self._createRequestCtx( self.__class__.PUBLIC_RESOURCE_ID, resourceContent=resourceContent) request.elem = RequestElementTree.toXML(request) request.attributeSelector = EtreeXPathSelector(request.elem) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: if Config.use_lxml: self.failIf(result.decision != Decision.DENY, "Expecting deny decision") else: self.failIf(result.decision != Decision.INDETERMINATE, "Expecting indeterminate decision")
def initialise(self, prefix='', **kw): '''Initialise object from keyword settings :type prefix: basestring :param prefix: prefix for configuration items :type kw: dict :param kw: configuration settings dictionary :raise SamlPepFilterConfigError: missing option setting(s) ''' # Parse other options for name in SamlPepFilter.PARAM_NAMES: paramName = prefix + name value = kw.get(paramName) if value is not None: setattr(self, name, value) # All but the local policy settings are manadatory elif name not in self.__class__.OPTIONAL_PARAM_NAMES: raise SamlPepFilterConfigError('Missing option %r' % paramName) # Parse authorisation decision query options - first the bindings i.e. # the connection specific settings query_binding_prefix = prefix + \ self.__class__.AUTHZ_DECISION_QUERY_BINDING_PARAMS_PREFIX self.client_binding.parseKeywords(prefix=query_binding_prefix, **kw) # ... next set constants to do with the authorisation decision queries # that will be made. Settings such as the resource URI and principle # (user being queried for) are set on a call by call basis query_prefix = prefix + \ self.__class__.AUTHZ_DECISION_QUERY_PARAMS_PREFIX self.client_query = AuthzDecisionQueryFactory.from_kw( prefix=query_prefix, **kw) # Initialise the local PDP if self.localPolicyFilePath: self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath, XacmlPolicyReaderFactory)
def initialise(self, prefix='', **kw): '''Initialise object from keyword settings :type prefix: basestring :param prefix: prefix for configuration items :type kw: dict :param kw: configuration settings dictionary :raise SamlPepFilterConfigError: missing option setting(s) ''' # Parse other options for name in SamlPepFilter.PARAM_NAMES: paramName = prefix + name value = kw.get(paramName) if value is not None: setattr(self, name, value) # All but the local policy settings are manadatory elif name not in self.__class__.OPTIONAL_PARAM_NAMES: raise SamlPepFilterConfigError('Missing option %r' % paramName) # Parse authorisation decision query options - first the bindings i.e. # the connection specific settings query_binding_prefix = prefix + \ self.__class__.AUTHZ_DECISION_QUERY_BINDING_PARAMS_PREFIX self.client_binding.parseKeywords(prefix=query_binding_prefix, **kw) # ... next set constants to do with the authorisation decision queries # that will be made. Settings such as the resource URI and principle # (user being queried for) are set on a call by call basis query_prefix = prefix + \ self.__class__.AUTHZ_DECISION_QUERY_PARAMS_PREFIX self.client_query = AuthzDecisionQueryFactory.from_kw( prefix=query_prefix, **kw) # Initialise the local PDP if self.localPolicyFilePath: self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath, XacmlPolicyReaderFactory)
def test08ExecuteLxmlPermit(self): # Test with condition in XPath expression - this will only return a # permit decision when using lxml self.pdp = PDP.fromPolicySource(XACML_ATTRIBUTESELECTOR4_FILEPATH, ReaderFactory) resourceContent = self._make_resource_content_element( self.__class__.RESOURCE_CONTENT_EXECUTE) request = self._createRequestCtx( self.__class__.PUBLIC_RESOURCE_ID, resourceContent=resourceContent) request.elem = RequestElementTree.toXML(request) request.attributeSelector = EtreeXPathSelector(request.elem) response = self.pdp.evaluate(request) self.failIf(response is None, "Null response") for result in response.results: if Config.use_lxml: self.failIf(result.decision != Decision.PERMIT, "Expecting permit decision") else: log.debug("Using ElementTree: dependent on the version, this " "test may result in an indeterminate decision. " "result.decision = %s" % result.decision)
def setUp(self): print "Setting up" self.pdp = PDP.fromPolicySource(self.__class__.XACML_FILEPATH, ReaderFactory) print "Setup complete"
def _createPDPfromNdgTest1Policy(): """Create PDP from NDG test policy file""" pdp = PDP.fromPolicySource(XACML_NDGTEST1_FILEPATH, ReaderFactory) return pdp
def setUp(self): print "Setting up" self.pdp = PDP.fromPolicySource(self.__class__.XACML_POLICY_SET_FILEPATH, ReaderFactory, UrlPolicyFinder(THIS_DIR)) print "Setup complete"
def get_empty_pdp(self): policy_set = self.create_policy_from_rules(EMPTY_POLICY_ID, "") input_source = StringIO(policy_set) pdp = PDP.fromPolicySource(input_source, ReaderFactory) return pdp
def setUp(self): self.pdp = PDP.fromPolicySource(XACML_SUBJECTMATCH_FILEPATH, ReaderFactory)