Changeset 6039

Timestamp:

23/11/09 13:48:59 (11 years ago)

Author:

pjkersha

Message:

Unit tested SamlCredentialWallet?.

Location:

TI12-security/trunk/python

Files:

• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (15 diffs)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (5 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/attributeauthority/test_sqlalchemyattributeinterface.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py (modified) (1 diff)

TI12-security/trunk/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -148 +148 @@
     accessGranted = property(fget=_getAccessGranted)
 
+class CredentialContainer(object):
+    """Container for cached credentials"""
+    ID_ATTRNAME = 'id'
+    ITEM_ATTRNAME = 'credential'
+    ISSUERNAME_ATTRNAME = 'issuerName'
+    ATTRIBUTE_AUTHORITY_URI_ATTRNAME = 'attributeAuthorityURI'
+    CREDENTIAL_TYPE_ATTRNAME = 'type'
+    
+    __slots__ = (
+        ID_ATTRNAME,
+        ITEM_ATTRNAME,
+        ISSUERNAME_ATTRNAME,
+        ATTRIBUTE_AUTHORITY_URI_ATTRNAME,
+        CREDENTIAL_TYPE_ATTRNAME
+    )
+    __slots__ += tuple(["_CredentialContainer__%s" % n for n in __slots__])
+    
+    def __init__(self, type=None):
+        self.__type = None
+        self.type = type
+        
+        self.__id = -1
+        self.__credential = None
+        self.__issuerName = None
+        self.__attributeAuthorityURI = None
+
+    def _getType(self):
+        return self.__type
+
+    def _setType(self, value):
+        if not isinstance(value, type):
+            raise TypeError('Expecting %r for "type" attribute; got %r' %
+                            (type, type(value)))       
+        self.__type = value
+
+    type = property(_getType, _setType, 
+                    doc="Type for credential - set to None for any type")
+
+    def _getId(self):
+        return self.__id
+
+    def _setId(self, value):
+        if not isinstance(value, int):
+            raise TypeError('Expecting int type for "id" attribute; got %r' %
+                            type(value))
+        self.__id = value
+
+    id = property(_getId, 
+                  _setId, 
+                  doc="Numbered identifier for credential - "
+                      "set to -1 for new credentials")
+
+    def _getCredential(self):
+        return self.__credential
+
+    def _setCredential(self, value):
+        if self.type is not None and not isinstance(value, self.type):
+            raise TypeError('Expecting %r type for "credential" attribute; '
+                            'got %r' % type(value))
+        self.__credential = value
+
+    credential = property(_getCredential, 
+                          _setCredential, 
+                          doc="Credential object")
+
+    def _getIssuerName(self):
+        return self.__issuerName
+
+    def _setIssuerName(self, value):
+        self.__issuerName = value
+
+    issuerName = property(_getIssuerName, 
+                          _setIssuerName, 
+                          doc="Name of issuer of the credential")
+
+    def _getAttributeAuthorityURI(self):
+        return self.__attributeAuthorityURI
+
+    def _setAttributeAuthorityURI(self, value):
+        """String or None type are allowed - The URI may be set to None if
+        a local Attribute Authority instance is being invoked rather
+        one hosted via a remote URI
+        """
+        if not isinstance(value, (basestring, type(None))):
+            raise TypeError('Expecting string or None type for '
+                            '"attributeAuthorityURI"; got %r instead' % 
+                            type(value))
+        self.__attributeAuthorityURI = value
+
+    attributeAuthorityURI = property(_getAttributeAuthorityURI,
+                                     _setAttributeAuthorityURI, 
+                                     doc="Attribute Authority Service URI")
+
+    def __getstate__(self):
+        '''Enable pickling'''
+        return dict([(attrName, getattr(self, attrName))
+                     for attrName in self.__class__.__slots__])
+        
+    def __setstate__(self, attrDict):
+        '''Enable pickling for use with beaker.session'''
+        for attr, val in attrDict.items():
+            setattr(self, attr, val)
+
+       
 
 class CredentialWalletBase(object):
@@ -154 +258 @@
     __slots__ = (
         "userId",
-        "attributeAuthorityURI"
+        "attributeAuthorityURI",
         "credentials",
         "credentialsKeyedByURI",
@@ -261 +365 @@
 
     def _setAttributeAuthorityURI(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "attributeAuthorityURI";'
-                            ' got %r instead' % type(value))
+        """String or None type are allowed - The URI may be set to None to 
+        flag that a local Attribute Authority instance is being invoked rather
+        one hosted via a remote URI
+        """
+        if not isinstance(value, (basestring, type(None))):
+            raise TypeError('Expecting string or None type for '
+                            '"attributeAuthorityURI"; got %r instead' % 
+                            type(value))
         self.__attributeAuthorityURI = value
 
@@ -400 +509 @@
         caCertFilePathList=[],
         sslCACertFilePathList=[],
-        attributeAuthorityURI=None,
         attributeAuthority=None,
         credentialRepository=None,
@@ -793 +901 @@
         super(CredentialWallet, self)._setAttributeAuthorityURI(
                                                         attributeAuthorityURI)
-              
-        # Re-initialize local instance
-        self._attributeAuthority = CredentialWallet.propertyDefaults[
+         
+        if attributeAuthorityURI is not None:     
+            # Re-initialize local instance
+            self._attributeAuthority = CredentialWallet.propertyDefaults[
                                                         'attributeAuthority']
             
@@ -819 +928 @@
         
         @type attributeAuthority: ndg.security.server.attributeauthority.AttributeAuthority
-        @param attributeAuthority: Attribute Authority instance."""
-        if attributeAuthority is not None and \
-           not isinstance(attributeAuthority, AttributeAuthority):
-            raise AttributeError("Expecting %r for attributeAuthority "
-                                 "attribute" % AttributeAuthority)
+        @param attributeAuthority: Attribute Authority instance.
+        """
+        if not isinstance(attributeAuthority, (AttributeAuthority, type(None))):
+            raise AttributeError("Expecting %r or None type for "
+                                 "\"attributeAuthority\" attribute; got %r" % 
+                                 (AttributeAuthority, type(attributeAuthority)))
             
         self._attributeAuthority = attributeAuthority
         
         # Re-initialize setting for remote service
-        self._attributeAuthorityURI = \
-                    CredentialWallet.propertyDefaults['attributeAuthorityURI']
+        self.attributeAuthorityURI = None
             
     attributeAuthority = property(fget=_getAttributeAuthority,
@@ -927 +1036 @@
 
         # Check input
-        if not isinstance(credential, attCert):
+        if not isinstance(attCert, AttCert):
             raise CredentialWalletError("Credential must be an %r type object" %
                                         AttCert)
@@ -948 +1057 @@
             # There is an existing certificate held with the same issuing
             # host name as the new certificate
-            attCertOld = self.credentials[issuerName]['attCert']
+            attCertOld = self.credentials[issuerName].credential
 
             # Get expiry times in datetime format to allow comparison
@@ -960 +1069 @@
                 
         if bUpdateCred:
-            # Update: Nb. -1 ID value flags item as new.  Items read in
-            # from the CredentialRepository during creation of the wallet will
-            # have +ve IDs previously allocated by the database
-            self.credentials[issuerName] = {
-                'id': -1, 
-                'attCert': attCert,
-                'issuerName': issuerName,
-                'attributeAuthorityURI': attributeAuthorityURI
-            }
-
+
+            thisCredential = CredentialContainer(AttCert)
+            thisCredential.credential = attCert
+            thisCredential.issuerName = issuerName
+            thisCredential.attributeAuthorityURI = attributeAuthorityURI
+            
+            self.credentials[issuerName] = thisCredential 
+            
             if attributeAuthorityURI:
-                self.credentialsKeyedByURI[attributeAuthorityURI] = \
-                    self.credentials[issuerName]
+                self.credentialsKeyedByURI[
+                    attributeAuthorityURI] = thisCredential
             
             # Update the Credentials Repository - the permanent store of user
@@ -998 +1105 @@
         # P J Kershaw 12/09/05
         for key, val in self.credentials.items():
-            if not val['attCert'].isValid(chkSig=False):
+            if not val.credential.isValid(chkSig=False):
                 del self.credentials[key]
 
@@ -1020 +1127 @@
 
         # Update the database - only add new entries i.e. with an ID of -1
-        attCertList = [i['attCert'] for i in self.credentials.values() 
-                       if i['id'] == -1]
+        attCertList = [i.credential for i in self.credentials.values() 
+                       if i.id == -1]
 
         self.credentialRepository.addCredentials(self.userId, attCertList)
@@ -1565 +1672 @@
                     # original provenance and contain at least one of the
                     # required roles
-                    attCert = self.credentials[hostName]['attCert']
+                    attCert = self.credentials[hostName].credential
                     
                     if hostName in trustedHostInfo and attCert.isOriginal():                        
@@ -1717 +1824 @@
     ESG_NAME_ID_FORMAT = EsgSamlNamespaces.NAMEID_FORMAT
     
-    ATTRIBUTE_AUTHORITY_URI_OPTNAME = 'attributeAuthorityURI'
     ISSUER_DN_OPTNAME = 'issuerDN'
     CLOCK_SKEW_OPTNAME = 'clockSkew'
     
     CONFIG_FILE_OPTNAMES = (
-        ATTRIBUTE_AUTHORITY_URI_OPTNAME,
         ISSUER_DN_OPTNAME,                 
         CLOCK_SKEW_OPTNAME            
@@ -1963 +2068 @@
         log.debug("Adding credentials into wallet...")
         for assertion in response.assertions:
-            self.addCredential(assertion)
+            self.addCredential(assertion, 
+                               attributeAuthorityURI=self.attributeAuthorityURI)
 
     def addCredential(self, 
@@ -1997 +2103 @@
         # ingored
         bUpdateCred = True
-        issuerName = attCert['issuerName']
+        issuerName = credential.issuer.value
         
         if issuerName in self.credentials:
             # There is an existing certificate held with the same issuing
             # host name as the new certificate
-            attCertOld = self.credentials[issuerName]['attCert']
-
-            # Get expiry times in datetime format to allow comparison
-            dtAttCertOldNotAfter = attCertOld.getValidityNotAfter(\
-                                                            asDatetime=True)
-            dtAttCertNotAfter = attCert.getValidityNotAfter(asDatetime=True)
+            credentialOld = self.credentials[issuerName]['assertion']
 
             # If the new certificate has an earlier expiry time then ignore it
-            bUpdateCred = dtAttCertNotAfter > dtAttCertOldNotAfter
-
-                
+            bUpdateCred = (credential.conditions.notOnOrAfter > 
+                           credentialOld.conditions.notOnOrAfter)
+
         if bUpdateCred:
-            # Update: Nb. -1 ID value flags item as new.  Items read in
-            # from the CredentialRepository during creation of the wallet will
-            # have +ve IDs previously allocated by the database
-            self.credentials[issuerName] = {
-                'id': -1, 
-                'attCert': attCert,
-                'issuerName': issuerName,
-                'attributeAuthorityURI': attributeAuthorityURI
-            }
-
+            thisCredential = CredentialContainer(Assertion)
+            thisCredential.credential = credential
+            thisCredential.issuerName = issuerName
+            thisCredential.attributeAuthorityURI = attributeAuthorityURI
+            
+            self.credentials[issuerName] = thisCredential
+            
             if attributeAuthorityURI:
-                self.credentialsKeyedByURI[attributeAuthorityURI] = \
-                    self.credentials[issuerName]
-            
+                self.credentialsKeyedByURI[
+                    attributeAuthorityURI] = thisCredential 
+
             # Update the Credentials Repository - the permanent store of user
             # authorisation credentials.  This allows credentials for previous

TI12-security/trunk/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -30 +30 @@
 from saml.utils import SAMLDateTime
 from saml.saml2.core import (Response, Assertion, Attribute, AttributeStatement,
-                             SAMLVersion, Subject, NameID, Issuer, 
-                             AttributeQuery, XSStringAttributeValue, Conditions,
-                             Status, StatusCode, StatusMessage)
+                             SAMLVersion, Subject, NameID, Issuer, Conditions,
+                             AttributeQuery, XSStringAttributeValue, Status, 
+                             StatusCode, StatusMessage)
 
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
@@ -1908 +1908 @@
     SQLQUERY_USERID_KEYNAME = 'userId'
     
+    ISSUER_NAME_FORMAT = Issuer.X509_SUBJECT
+    ISSUER_NAME_OPTNAME = 'issuerName'
     CONNECTION_STRING_OPTNAME = 'connectionString'
     ATTRIBUTE_SQLQUERY_OPTNAME = 'attributeSqlQuery'
@@ -1942 +1944 @@
             raise AttributeInterfaceConfigError("SQLAlchemy is not installed")
         
+        self.__issuerName = None
         self.__connectionString = None
         self.__attributeSqlQuery = None
@@ -1997 +2000 @@
             else:
                 setattr(self, name, val)
+
+    def _getIssuerName(self):
+        return self.__issuerName
+
+    def _setIssuerName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "%s" attribute; got %r'%
+                            (SQLAlchemyAttributeInterface.ISSUER_NAME_OPTNAME,
+                             type(value)))
+
+        self.__issuerName = value
+
+    issuerName = property(_getIssuerName, 
+                          _setIssuerName, 
+                          doc="The name of the issuing organisation.  This is "
+                              "expected to be an X.509 Distinguished Name")
             
     def _getSamlAssertionLifetime(self):
@@ -2215 +2234 @@
         assertion.id = str(uuid4())
         assertion.issueInstant = response.issueInstant
+    
+        assertion.issuer = Issuer()
+        assertion.issuer.value = self.issuerName
+        assertion.issuer.format = Issuer.X509_SUBJECT
 
         assertion.conditions = Conditions()

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/authz.py

@@ -428 +428 @@
         
         # Check for existing credentials cached in wallet            
-        credential = credentialWallet.credentialsKeyedByURI.get(
+        credentialItem = credentialWallet.credentialsKeyedByURI.get(
                                                     attributeAuthorityURI, {})
         
-        attrCert = credential.get('attCert')
+        attrCert = credentialItem.credential
         if attrCert is not None:
             log.debug("PIPMiddleware._getAttributeCertificate: retrieved "

TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py

@@ -21 +21 @@
                                                     UserIdNotKnown)
 from saml.common.xml import SAMLConstants
-from saml.saml2.core import (Assertion, Attribute, AttributeStatement, 
-                             SAMLVersion, Subject, NameID, 
-                             XSStringAttributeValue, Conditions)
+from saml.saml2.core import (Assertion, Attribute, AttributeStatement, Issuer,
+                             SAMLVersion, Subject, NameID, Conditions,
+                             XSStringAttributeValue)
 
 
@@ -83 +83 @@
     VALID_REQUESTOR_IDS = ("/O=Site A/CN=Authorisation Service", 
                            "/O=Site B/CN=Authorisation Service")
+    
+    ISSUER_NAME = "/O=Site A/CN=Attribute Authority"
+    
     INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = "/O=Site B/CN=Authorisation Service"
     
@@ -125 +128 @@
         assertion.id = str(uuid4())
         assertion.issueInstant = response.issueInstant
+    
+        assertion.issuer = Issuer()
+        assertion.issuer.value = TestUserRoles.ISSUER_NAME
+        assertion.issuer.format = Issuer.X509_SUBJECT
         
         assertion.conditions = Conditions()

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -63 +63 @@
         'http://localhost:%s/AttributeAuthority/saml' % \
                                     SITEB_ATTRIBUTEAUTHORITY_PORTNUM
+                                    
+    SITEA_SAML_ISSUER_NAME = "/O=Site A/CN=Attribute Authority"
     
     SESSIONMANAGER_PORTNUM = 5500
@@ -110 +112 @@
     )
     N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES)
+    
+    VALID_REQUESTOR_IDS = ("/O=Site A/CN=Authorisation Service", 
+                           "/O=Site B/CN=Authorisation Service")
     
     def __init__(self, *arg, **kw):

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_sqlalchemyattributeinterface.cfg

@@ -1 +1 @@
 [DEFAULT]
 openIdStem = https://openid.localhost/
+attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
 attributeInterface.samlSubjectSqlQuery = select count(*) from users where '%(openIdStem)s' || openid_identifier = '${userId}'
 attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where '%(openIdStem)s' || openid_identifier = '${userId}'"

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -15 +15 @@
 import traceback
 
+from saml.xml.etree import AssertionElementTree
+
 from ndg.security.test.unit import BaseTestCase
 
 from ndg.security.common.utils.configfileparsers import (
                                                     CaseSensitiveConfigParser)
+from ndg.security.common.utils.etree import prettyPrint
 from ndg.security.common.X509 import X509CertParse
 from ndg.security.common.credentialwallet import (CredentialWallet, 
@@ -187 +190 @@
 class SamlCredentialWalletTestCase(BaseTestCase):
     def __init__(self, *arg, **kw):
-        super(CredentialWalletTestCase, self).__init__(*arg, **kw)
+        super(SamlCredentialWalletTestCase, self).__init__(*arg, **kw)
         self.startSiteAAttributeAuthority()
         
     def test01(self):
         wallet = SamlCredentialWallet()
+        
+        wallet.userId = SamlCredentialWalletTestCase.OPENID_URI
+        wallet.issuerDN = SamlCredentialWalletTestCase.VALID_REQUESTOR_IDS[0]        
         wallet.attributeAuthorityURI = \
             SamlCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI
+        
         wallet.attributeQuery()
+        self.assert_(len(wallet.credentials) == 1)
+        self.assert_(
+            SamlCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI in \
+            wallet.credentialsKeyedByURI)
+        self.assert_(SamlCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME in \
+                     wallet.credentials)
+        self.assert_(
+            wallet.credentials[
+                SamlCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME
+            ].credential.subject.nameID.value == \
+            wallet.userId)
+        
+        assertion = wallet.credentials[
+            SamlCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME
+        ].credential
+        samlAssertionElem = AssertionElementTree.toXML(assertion)
+        print("SAML Assertion:\n%s" % prettyPrint(samlAssertionElem))
                                                                 
 if __name__ == "__main__":

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py

@@ -60 +60 @@
         samlResponse.issuer = Issuer()
         
-        # SAML 2.0 spec says fromat must be omitted
+        # SAML 2.0 spec says format must be omitted
         #samlResponse.issuer.format = Issuer.X509_SUBJECT
         samlResponse.issuer.value = \