Changeset 4909

Timestamp:

06/02/09 16:56:59 (12 years ago)

Author:

pjkersha

Message:

Major progress on authentication and authorisation WSGI chain:

• integration test harness in ndg.security.test.integration.authz
  • chain PEP middleware catches secured URIs. If URI is a secured one, it sets the status to 403.
  • The 403 status is caught by the PDP. The PDP checks for a login cookie, if not set it sets 401 Unauthorized
  • 401 is caught by OpenID handler and sets OpenID signin form response so that the user can login
  • If the user is logged in, the PDP checks authZ credentials (TODO) if not set it sets a 403 status and responds with an access denied message
• The PDP uses authkit.authenticate.multi.MultiHandler? to trap 403 responses from the PEP and display an access denied message.
• ndg.security.server.wsgi.pdp needs cleaning up in line with change to use authkit MultiHandler?

Location:

TI12-security/trunk/python

Files:

• Tests/wsgiStack (added)
• Tests/wsgiStack/test_wsgiStack.py (added)
• ndg.security.server/ndg/security/server/wsgi/__init__.py (modified) (5 diffs)
• ndg.security.server/ndg/security/server/wsgi/authn.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/wsgi/pdp.py (added)
• ndg.security.server/ndg/security/server/wsgi/pep/__init__.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/combinedservices/singlesignonservice/sso.cfg (modified) (1 diff)
• ndg.security.test/ndg/security/test/integration (added)
• ndg.security.test/ndg/security/test/integration/authz (added)
• ndg.security.test/ndg/security/test/integration/authz/__init__.py (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/__init__.py (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/data (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/data/openid (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/NERC_Logo.gif (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/NERC_Logo_Swindon.gif (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/badc logo_sm.jpg (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/badc_logo4ndg.jpg (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/icons (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/icons/help.png (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/ndg2.css (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/ndg_logo_circle.gif (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/neodc_logo4ndg.jpg (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/openid-inputicon.gif (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/public/layout/stfc-circle-sm.gif (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/templates (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/templates/__init__.py (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/templates/ndgpage.kid (added)
• ndg.security.test/ndg/security/test/integration/authz/openidrelyingparty/templates/signin.kid (added)
• ndg.security.test/ndg/security/test/integration/authz/serverapp.py (added)
• ndg.security.test/ndg/security/test/integration/authz/services.ini (added)
• ndg.security.test/ndg/security/test/openidrelyingparty/services.ini (modified) (4 diffs)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/__init__.py

@@ -12 +12 @@
 import httplib
 
-
+class NDGSecurityMiddlewareError(Exception):
+    '''Base exception class for NDG Security middleware'''
+    
+class NDGSecurityMiddlewareConfigError(NDGSecurityMiddlewareError):
+    '''NDG Security Middleware Configuration error'''
+    
 class NDGSecurityMiddlewareBase(object):
     """Base class for NDG Security Middleware classes"""
@@ -109 +114 @@
         return response
         
+    @staticmethod
+    def getStatusMessage(statusCode):
+        '''Make a standard status message for use with start_response
+        @type statusCode: int
+        @param statusCode: HTTP status code
+        @rtype: str
+        @return: status code with standard message
+        @raise KeyError: for invalid status code
+        '''
+        return '%d %s' % (statusCode, httplib.responses[statusCode])
+    
     # Utility functions to support Paste Deploy application and filter function
     # signatures
@@ -235 +251 @@
                               fset=_setStart_response,
                               doc="Reference to WSGI start_response function")
-    
+        
+        
+    def _redirect(self, url, start_response=None):
+        """Do a HTTP 302 redirect
+        
+        @type start_response: callable following WSGI start_response convention
+        @param start_response: WSGI start response callable
+        @type url: basestring
+        @param url: URL to redirect to
+        @rtype: list
+        @return: empty HTML body
+        """
+        if start_response is None:
+            # self.start_response will be None if initCall decorator wasn't 
+            # applied to __call__
+            if start_response is None:
+                raise NDGSecurityMiddlewareConfigError("No start_response "
+                                                       "function set.")
+            start_response = self.start_response
+            
+        start_response(NDGSecurityMiddlewareBase.getStatusMessage(302), 
+                       [('Content-type', 'text/html'),
+                        ('Content-length', '0'),
+                        ('Location', url)])
+        return []
+   
+   
 class NDGSecurityPathFilter(NDGSecurityMiddlewareBase):
-    """Specialization of NDG Security Middleware to enable filtering based on
+    """Specialisation of NDG Security Middleware to enable filtering based on
     PATH_INFO
     
@@ -259 +301 @@
 
     _isSSLRequest = lambda self: self.environ.get(
-                                NDGSecurityPathFilter.sslKeyName) == '1'
+                                    NDGSecurityPathFilter.sslKeyName) == '1'
     isSSLRequest = property(fget=_isSSLRequest,
-                            doc="Approximation for is an SSL request boolean "
-                                "- depends on Apache config SSLOptions "
-                                "StdEnvVars option being set")
+                            doc="Is an SSL request boolean "
+                                "- depends on Apache config")
     
     def __init__(self, *arg, **kw):
         super(NDGSecurityPathFilter, self).__init__(*arg, **kw)
-        self._pathMatchList = []
         
     def _getPathMatchList(self):
@@ -286 +326 @@
         if isinstance(pathList, basestring):
             # Try parsing a space separated list of file paths
-             self._pathMatchList = pathList.split()
+             self._pathMatchList=[path.strip() for path in pathList.split(',')]
             
         elif not isinstance(pathList, (list, tuple)):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py

@@ -1 +1 @@
 """HTTP Basic Authentication Middleware
 
-NERC Data Grid Project
+NERC DataGrid Project
 
 """
@@ -7 +7 @@
 __date__ = "13/01/09"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py

@@ -33 +33 @@
         'signinInterfaceMiddlewareClass': None,
         'baseURL': '',
-        'sessionKey': 'beaker.session',
-        'reservedPaths': []
+        'sessionKey': 'beaker.session'
     }
     propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
@@ -120 +119 @@
                 log.debug('No referer set for redirect following logout')
                 
-#        if self.pathInfo not in self.reservedPaths:
+        # Set a return to address following logout.  
+        # TODO: This code will need to be refactored if this middleware is 
+        # deployed externally via a proxy - HTTP_REFERER will be the internal 
+        # URI instead of the one exposed outside
         if 'HTTP_REFERER' in environ:
             session['ndg.security.server.wsgi.openid.relyingparty.referer'] = \
@@ -150 +152 @@
 
         return self._app(environ, set401UnauthorizedReponse)
-    
-    def _redirect(self, url):
-        """Do a HTTP 302 redirect
-        
-        @type url: basestring
-        @param url: URL to redirect to
-        @rtype: list
-        @return: empty HTML body
-        """
-        self.start_response('302 %s' % httplib.responses[302], 
-                            [('Content-type', 'text/html'),
-                             ('Location', url)])
-        return []
 
-    def _setReservedPaths(self, paths):
-        if isinstance(paths, basestring):
-            self._reservedPaths = [path.strip() for path in paths.split(',')]
-        elif isinstance(paths, (tuple, list)):
-            self._reservedPaths = paths
-        else:
-            raise AttributeError("Reserved paths must be a string or list or "
-                                 "tuple")
-    def _getReservedPaths(self):
-        return self._reservedPaths
-    
-    reservedPaths = property(fget=_getReservedPaths,
-                             fset=_setReservedPaths,
-                             doc="Set paths that logout redirect must avoid "
-                                 "e.g. AuthKit OpenID processing")
     
 class SigninInterfaceError(Exception):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/pep/__init__.py

@@ -8 +8 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
-__license__ = "BSD"
+__license__ = "BSD - see LICENSE file in top-levle directory"
 import logging
 log = logging.getLogger(__name__)
@@ -27 +27 @@
     sslServerDNKeyName = 'SSL_SERVER_S_DN'
      
-    def __init__(self, *arg, **kw):
+    def __init__(self, app, app_conf, prefix='', **local_conf):
         log.debug("Initialising PEPMiddleware ...")
-        super(PEPMiddleware, self).__init__(*arg, **kw)
+        
+        super(PEPMiddleware, self).__init__(app, app_conf, prefix=prefix, 
+                                            **local_conf)
         self.charset = '; charset=utf-8'
 
-    @NDGSecurityMiddlewareBase.initCall         
+    @NDGSecurityPathFilter.initCall         
     def __call__(self, environ, start_response):
-        log.debug("Calling PEPMiddleware.__call__ ...")
+        log.debug("PEPMiddleware.__call__ ...")
         
-        # TODO: Is a security session set?
-        if True:
-            log.info('No security session is set')
-        else:
-            log.info('Security session is set')
-            if self.isSSLRequest:
-                
-                response = self._redirectFromHTTPS2HTTP(start_response)
-                if response is not None:
-                    return response
-                
         # Is this requested URL secured?
         if self.pathMatch:
-            return self._setErrorResponse(environ, 
-                                          start_response,
-                                          code=self.errorResponseCode)
+#            return self._setErrorResponse(environ, 
+#                                          start_response,
+#                                          code=self.errorResponseCode)
+            def _start_response(status, header, exc_info=None):
+                '''alter start_response to return unauthorised status
+                
+                @type status: str
+                @param status: HTTP status code and status message
+                @type header: list
+                @param header: list of field, value tuple HTTP header content
+                @type exc_info: Exception
+                @param exc_info: exception info
+                '''
+                log.debug('[%s] is a secured URI: setting 403 status...' % 
+                          self.pathInfo)
+                                        
+                _status = self.getStatusMessage(403)
+                           
+                return start_response(_status, header, exc_info)
+            
         else:
-            # User is logged in - Redirect to HTTP based URL and complete
-            # Policy enforcement
-            pass
-#            if self.isSSLRequest:
-#                response = self._redirectFromHTTPS2HTTP(start_response)
-#                if response is not None:
-#                    return response
+            _start_response = start_response
             
-        return self._setResponse(environ, start_response)
+        return self._setResponse(environ, _start_response)
+    
 
     def _redirectFromHTTPS2HTTP(self, start_response):

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/singlesignonservice/sso.cfg

@@ -16 +16 @@
 # content such as graphics and stylesheets
 #configDir=%(here)s
+configDir=/home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso/badc_site
 
 # Switch from default templates package to templates/ in alternative directory
-#templatesPackage: ndg.security.server.sso.sso.badc_site.templates
+templatesPackage: ndg.security.server.sso.sso.badc_site.templates
 
 # Redirect SOAP output to a file e.g. open(<somefile>, 'w')

TI12-security/trunk/python/ndg.security.test/ndg/security/test/openidrelyingparty/services.ini

@@ -3 +3 @@
 #
 # Paste configuration for OpenID Relying Party test service
-# * Session Manager
-# * Attribute Authority
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -34 +32 @@
 [filter:SessionMiddlewareFilter]
 paste.filter_app_factory=beaker.middleware:SessionMiddleware
-#beaker.session.key = sso
 beaker.session.secret = somesecret
 
@@ -48 +45 @@
 
 openid.relyingparty.sessionKey = beaker.session
-openid.relyingparty.baseURL = http://localhost:5600
-openid.relyingparty.reservedPaths = %(authkit.openid.path.process)s, %(authkit.openid.path.verify)s
+openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
 openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
 openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
@@ -70 +66 @@
 authkit.cookie.signoutpath = /logout
 authkit.openid.path.signedin=/
-#authkit.openid.path.process=/PROCESS
-#authkit.openid.path.verify=/VERIFY
-authkit.openid.path.process=/process
-authkit.openid.path.verify=/verify
 authkit.openid.store.type=file
 authkit.openid.store.config=%(here)s/data/openid