Can XACML be validated by lxml in Python?
So, I am writing a small program that reads an XACML request, validates that it is valid XACML, and then checks whether the code conforms to a policy.
While trying this I found the lxml parser, which can validate an .xml file against an .xsd file. So I took the relevant schemas (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd, and http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd) and tried them in the validator, comparing against a request.xml file that contains the XACML request. The problem I run into is that my program returns a validation error, meaning it is invalid, even though by all accounts it should be valid. The offending code is listed below, together with the input command and the error.
import sys
from lxml import etree
# from ndg import *   # unused in this snippet

def checkCorrectXACML(xml_path: str, xsd_path: str) -> bool:
    # Build an XMLSchema from the .xsd and validate the request document against it
    input_schema = etree.parse(xsd_path)
    schema = etree.XMLSchema(input_schema)
    request = etree.parse(xml_path)
    result = schema.validate(request)
    return result

def checkPolicy(request) -> bool:
    # Policy evaluation is not written yet; placeholder result
    status = False
    return status

def readRequest():
    request = str(sys.argv[1])
    if checkCorrectXACML(request, '/home/foo/Documents/xacml.xsd'):
        return request
    else:
        raise Exception('Invalid XACML')

def evaluateRequest():
    request = readRequest()
    status = checkPolicy(request)
    return status

def main():
    if len(sys.argv) == 2:
        returnResponse = evaluateRequest()
        return returnResponse
    else:
        raise Exception('You need to provide a request path')

if __name__ == '__main__':
    main()
Error:
  File "/home/foo/Documents/XACXML.py", line 22, in readRequest
    raise Exception('Invalid XACML')
Exception: Invalid XACML
Command:
python3 XACML.py /home/foo/Desktop/Request1.xml
Request1.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Request
xmlns="urn:oasis:names:tc:xacml:1.0:context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
cs-xacml-schema-context-01.xsd">
<Subject>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>External user</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI">
<AttributeValue>http://some.url/foo</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>read</AttributeValue>
</Attribute>
</Action>
</Request>
Thanks to Martin Honnen for pointing out that the namespace of the XACML request did not match the namespace of the schema. Using a request with the matching namespace solved the problem. Below is a sample X(AC)ML request that does validate, both with xmllint and with the script.
So the problem was in the xmlns.
<?xml version="1.0" encoding="UTF-8"?>
<Request
xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
<Subject
SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>000000</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:user-name"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>Some name</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
DataType="http://www.w3.org/2001/XMLSchema#integer"
Issuer="xacml20.interop.com">
<AttributeValue>0000</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
DataType="http://www.w3.org/2001/XMLSchema#integer"
Issuer="xacml20.interop.com">
<AttributeValue>1</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>false</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
<AttributeValue>false</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Astring</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>000000</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-name"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Somename</AttributeValue>
</Attribute>
<!-- WE GET THIS VIA THE ATTRIBUTE LOCATOR
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Active</AttributeValue>
</Attribute>
-->
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
DataType="http://www.w3.org/2001/XMLSchema#integer">
<AttributeValue>15000</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
DataType="http://www.w3.org/2001/XMLSchema#integer">
<AttributeValue>10000</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
DataType="http://www.w3.org/2001/XMLSchema#integer">
<AttributeValue>10000</AttributeValue>
</Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string">
<AttributeValue>Buy</AttributeValue>
</Attribute>
</Action>
<Environment/>
</Request>
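The diagnosis above (root namespace vs. schema targetNamespace) can be made explicit in code. The following is an added example, not the asker's script: it uses a constructed stand-in schema (`MINI_XSD`, not the OASIS schema) and constructed requests in the 1.0 and 2.0 context namespaces, returns lxml's error log instead of a bare True/False, and parses with entity expansion and network access disabled, as a validator for untrusted requests should.

```python
from lxml import etree

XACML2_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

# Hardened parser for requests from untrusted clients: no entity expansion,
# no DTD loading, no network fetches.
SAFE_PARSER = etree.XMLParser(resolve_entities=False, load_dtd=False,
                              no_network=True)

# Constructed stand-in for the OASIS context schema: it declares only a
# <Request> root in the XACML 2.0 context namespace with arbitrary children,
# which is enough to reproduce the namespace behaviour from the question.
MINI_XSD = f"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    targetNamespace="{XACML2_CTX_NS}" elementFormDefault="qualified">
  <xs:element name="Request">
    <xs:complexType>
      <xs:sequence>
        <xs:any processContents="skip" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>""".encode()

# Constructed sample requests: the first uses the XACML 1.0 context namespace
# (as the original Request1.xml did), the second the 2.0 namespace the schema
# actually targets.
OLD_NS_REQUEST = (b'<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">'
                  b'<Subject/></Request>')
NEW_NS_REQUEST = (b'<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">'
                  b'<Subject/><Environment/></Request>')


def schema_target_namespace(xsd_bytes):
    """targetNamespace of the schema: the namespace the root element must use."""
    return etree.fromstring(xsd_bytes, SAFE_PARSER).get("targetNamespace")


def root_namespace(xml_bytes):
    """Namespace of the instance document's root element."""
    return etree.QName(etree.fromstring(xml_bytes, SAFE_PARSER)).namespace


def validate_request(xml_bytes, xsd_bytes=MINI_XSD):
    """Return (is_valid, error_messages) rather than a bare True/False.

    lxml validates against the schema object built here, not against the
    xsi:schemaLocation hint inside the request, so a root in the wrong
    namespace fails with 'No matching global declaration available for the
    validation root' instead of a content error.
    """
    schema = etree.XMLSchema(etree.fromstring(xsd_bytes, SAFE_PARSER))
    doc = etree.fromstring(xml_bytes, SAFE_PARSER)
    ok = schema.validate(doc)
    return ok, [err.message for err in schema.error_log]
```

Comparing `root_namespace(request)` with `schema_target_namespace(xsd)` before validating gives a one-line explanation when the two differ, which is exactly the failure the original script hid behind a bare False.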