Changeset 6044

Timestamp:

24/11/09 17:02:57 (11 years ago)

Author:

pjkersha

Message:

Made new SAML SOAP bindings specialisations for SAML Attribute Query and query over SSL.

Location:

TI12-security/trunk/python

Files:

• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/saml_utils/bindings.py (modified) (6 diffs)
• ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py (modified) (1 diff)

TI12-security/trunk/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -1795 +1795 @@
                              StatusCode,
                              StatusMessage)
-from saml.xml.etree import AssertionElementTree, ResponseElementTree
+from saml.xml.etree import ResponseElementTree
    
-from ndg.security.common.saml_utils.bindings import SOAPBinding as SamlSoapBinding
+from ndg.security.common.saml_utils.bindings import SOAPBinding as \
+                                                                SamlSoapBinding
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
 from ndg.security.common.X509 import X500DN

TI12-security/trunk/python/ndg_security_common/ndg/security/common/saml_utils/bindings.py

@@ -12 +12 @@
 log = logging.getLogger(__name__)
 
+import re
+from datetime import datetime, timedelta
+
 from M2Crypto.m2urllib2 import HTTPSHandler
 
-from saml.saml2.core import Response, AttributeQuery
+from saml.common import SAMLObject
+from saml.utils import SAMLDateTime
+from saml.saml2.core import Attribute, AttributeQuery, StatusCode, Response
 from saml.xml.etree import AttributeQueryElementTree, ResponseElementTree
 
-from ndg.security.common.utils.etree import QName
+# Prevent whole module breaking if this is not available - it's only needed for
+# AttributeQuerySslSOAPBinding
+try:
+    from ndg.security.common.utils.m2crypto import SSLContextProxy
+    _sslContextProxySupport = True
+    
+except ImportError:
+    _sslContextProxySupport = False
+
+from ndg.security.common.utils import TypedList
+from ndg.security.common.utils.etree import QName   
+from ndg.security.common.X509 import X500DN 
 from ndg.security.common.soap import SOAPEnvelopeBase
 from ndg.security.common.soap.etree import SOAPEnvelope
 from ndg.security.common.soap.client import (UrlLib2SOAPClient, 
-    UrlLib2SOAPRequest)
+                                             UrlLib2SOAPRequest)
 
 
@@ -36 +52 @@
 
 class SOAPBinding(object):
-    '''Client SAML SOAP Binding for Attribute Query'''
+    '''Client SAML SOAP Binding'''
     
     isIterable = staticmethod(_isIterable)
+    __slots__ = (
+        "client",
+        "requestEnvelopeClass",
+        "serialise",
+        "deserialise"
+    )
+    __PRIVATE_ATTR_PREFIX = '_SOAPBinding__'
+    __slots__ += tuple([__PRIVATE_ATTR_PREFIX + i for i in __slots__])
+    del i
     
     def __init__(self, 
@@ -44 +69 @@
                  responseEnvelopeClass=SOAPEnvelope,
                  handlers=(HTTPSHandler,)):
-        '''Create SOAP Client'''
+        '''Create SAML SOAP Client'''
         self.__client = None
           
@@ -59 +84 @@
         for handler in handlers:
             self.client.openerDirector.add_handler(handler())
-            
-        self.serialise = AttributeQueryElementTree.toXML
-        self.deserialise = ResponseElementTree.fromXML
 
     def _getSerialise(self):
@@ -114 +136 @@
     client = property(_getClient, _setClient, 
                       doc="SOAP Client object")   
-         
-    def attributeQuery(self, attributeQuery, uri=None, request=None):
+
+    def send(self, samlObj, uri=None, request=None):
+        '''Make an request/query to a remote SAML service
+        
+        @type samlObj: saml.common.SAMLObject
+        @param samlObj: SAML query/request object
+        @type uri: basestring 
+        @param uri: uri of service.  May be omitted if set from request.url
+        @type request: ndg.security.common.soap.UrlLib2SOAPRequest
+        @param request: SOAP request object to which query will be attached
+        defaults to ndg.security.common.soap.client.UrlLib2SOAPRequest
+        '''
+        if not isinstance(samlObj, SAMLObject):
+            raise TypeError('Expecting %r for input attribute query; got %r'
+                            % (SAMLObject, type(samlObj)))
+            
+        if request is None:
+            request = UrlLib2SOAPRequest()            
+            request.envelope = self.requestEnvelopeClass()
+            request.envelope.create()
+            
+        if uri is not None:
+            request.url = uri
+        
+        samlElem = self.serialise(samlObj)
+
+        # Attach query to SOAP body
+        request.envelope.body.elem.append(samlElem)
+            
+        response = self.client.send(request)
+        
+        if len(response.envelope.body.elem) != 1:
+            raise SOAPBindingInvalidResponse("Expecting single child element "
+                                             "is SOAP body")
+            
+        if QName.getLocalPart(response.envelope.body.elem[0].tag)!='Response':
+            raise SOAPBindingInvalidResponse('Expecting "Response" element in '
+                                             'SOAP body')
+            
+        response = self.deserialise(response.envelope.body.elem[0])
+        
+        return response
+        
+    def __getstate__(self):
+        '''Specific implementation needed with __slots__'''
+        return dict([(attrName, getattr(self, attrName)) 
+                     for attrName in self.__class__.__slots__])
+        
+    def __setstate__(self, attrDict):
+        '''Specific implementation needed with __slots__'''
+        for attr, val in attrDict.items():
+            setattr(self, attr, val)
+            
+
+class AttributeQueryResponseError(SOAPBindingInvalidResponse):
+    """Attribute Authority returned a SAML Response error code"""
+    def __init__(self, *arg, **kw):
+        SOAPBindingInvalidResponse.__init__(self, *arg, **kw)
+        self.__response = None
+    
+    def _getResponse(self):
+        '''Gets the response corresponding to this error
+        
+        @return the response
+        '''
+        return self.__response
+
+    def _setResponse(self, value):
+        '''Sets the response corresponding to this error.
+        
+        @param value: the response
+        '''
+        if not isinstance(value, Response):
+            raise TypeError('"response" must be a %r, got %r' % (Response,
+                                                                 type(value)))
+        self.__response = value
+        
+    response = property(fget=_getResponse, fset=_setResponse, 
+                        doc="SAML Response associated with this exception")
+
+
+class AttributeQuerySOAPBinding(SOAPBinding): 
+    """SAML Attribute Query SOAP Binding"""
+    ISSUER_DN_OPTNAME = 'issuerDN'
+    CLOCK_SKEW_OPTNAME = 'clockSkew'
+    
+    CONFIG_FILE_OPTNAMES = (
+        ISSUER_DN_OPTNAME,                 
+        CLOCK_SKEW_OPTNAME            
+    )
+    
+    QUERY_ATTRIBUTES_ATTRNAME = 'queryAttributes'
+    LEN_QUERY_ATTRIBUTES_ATTRNAME = len(QUERY_ATTRIBUTES_ATTRNAME)
+    QUERY_ATTRIBUTES_PAT = re.compile(',\s*')
+    
+    __slots__ = (
+       QUERY_ATTRIBUTES_ATTRNAME,
+    )
+    __slots__ += CONFIG_FILE_OPTNAMES
+    __PRIVATE_ATTR_PREFIX = '_AttributeQuerySOAPBinding__'
+    __slots__ += tuple([__PRIVATE_ATTR_PREFIX + i for i in __slots__])
+    del i
+    
+    def __init__(self, **kw):
+        '''Create SOAP Client for SAML Attribute Query'''
+        self.__issuerDN = None
+        self.__queryAttributes = TypedList(Attribute)
+        self.__clockSkew = timedelta(seconds=0.)
+                
+        super(AttributeQuerySOAPBinding, self).__init__(**kw)
+        
+        self.serialise = AttributeQueryElementTree.toXML
+        self.deserialise = ResponseElementTree.fromXML
+
+    @classmethod
+    def fromConfig(cls, cfg, **kw):
+        '''Alternative constructor makes object from config file settings
+        @type cfg: basestring /ConfigParser derived type
+        @param cfg: configuration file path or ConfigParser type object
+        @rtype: ndg.security.common.credentialWallet.AttributeQuery
+        @return: new instance of this class
+        '''
+        obj = cls()
+        obj.parseConfig(cfg, **kw)
+        
+        return obj
+
+    def parseConfig(self, cfg, prefix='', section='DEFAULT'):
+        '''Read config file settings
+        @type cfg: basestring /ConfigParser derived type
+        @param cfg: configuration file path or ConfigParser type object
+        @type prefix: basestring
+        @param prefix: prefix for option names e.g. "attributeQuery."
+        @type section: baestring
+        @param section: configuration file section from which to extract
+        parameters.
+        '''  
+        if isinstance(cfg, basestring):
+            cfgFilePath = path.expandvars(cfg)
+            _cfg = CaseSensitiveConfigParser()
+            _cfg.read(cfgFilePath)
+            
+        elif isinstance(cfg, ConfigParser):
+            _cfg = cfg   
+        else:
+            raise AttributeError('Expecting basestring or ConfigParser type '
+                                 'for "cfg" attribute; got %r type' % type(cfg)) 
+        
+        prefixLen = len(prefix)
+        for optName, val in _cfg.items(section):
+            if prefix and optName.startswith(prefix):
+                optName = optName[prefixLen:]
+                
+            setattr(self, optName, val)
+            
+    def __setattr__(self, name, value):
+        """Enable setting of SAML query attribute objects via a comma separated
+        string suitable for use reading from an ini file.  
+        """
+        try:
+            super(AttributeQuerySOAPBinding, self).__setattr__(name, value)
+            
+        except AttributeError:
+            if name.startswith(
+                        AttributeQuerySOAPBinding.QUERY_ATTRIBUTES_ATTRNAME):
+                # Special handler for parsing string format settings
+                if not isinstance(value, basestring):
+                    raise TypeError('Expecting string format for special '
+                                    '%r attribute; got %r instead' %
+                                    (name, type(value)))
+                    
+                pat = AttributeQuerySOAPBinding.QUERY_ATTRIBUTES_PAT
+                attribute = Attribute()
+                
+                (attribute.name, 
+                 attribute.friendlyName, 
+                 attribute.format) = pat.split(value)
+                 
+                self.queryAttributes.append(attribute)
+            else:
+                raise
+           
+    def _getQueryAttributes(self):
+        """Returns a *COPY* of the attributes to avoid overwriting the 
+        member variable content
+        """
+        return self.__queryAttributes
+
+    def _setQueryAttributes(self, value):
+        if not isinstance(value, TypedList) and value.elementType != Attribute:
+            raise TypeError('Expecting TypedList(Attribute) type for '
+                            '"queryAttributes"; got %r instead' % type(value)) 
+        
+        self.__queryAttributes = value
+    
+    queryAttributes = property(_getQueryAttributes, 
+                               _setQueryAttributes, 
+                               doc="List of attributes to query from the "
+                                   "Attribute Authority")
+
+    def _getIssuerDN(self):
+        return self.__issuerDN
+
+    def _setIssuerDN(self, value):
+        if isinstance(value, basestring):
+            self.__issuerDN = X500DN.fromString(value)
+            
+        elif isinstance(value, X500DN):
+            self.__issuerDN = value
+        else:
+            raise TypeError('Expecting string or X500DN type for "issuerDN"; '
+                            'got %r instead' % type(value))
+        self.__issuerDN = value
+
+    issuerDN = property(_getIssuerDN, _setIssuerDN, 
+                        doc="Distinguished Name of issuer of SAML Attribute "
+                            "Query to Attribute Authority")
+
+    def _getClockSkew(self):
+        return self.__clockSkew
+
+    def _setClockSkew(self, value):
+        if isinstance(value, (float, int, long)):
+            self.__clockSkew = timedelta(seconds=value)
+            
+        elif isinstance(value, basestring):
+            self.__clockSkew = timedelta(seconds=float(value))
+        else:
+            raise TypeError('Expecting float, int, long or string type for '
+                            '"clockSkew"; got %r' % type(value))
+
+    clockSkew = property(fget=_getClockSkew, 
+                         fset=_setClockSkew, 
+                         doc="Allow a clock skew in seconds for SAML Attribute"
+                             " Query issueInstant parameter check")  
+              
+    def send(self, attributeQuery, **kw):
         '''Make an attribute query to a remote SAML service
         
@@ -130 +387 @@
                             % (AttributeQuery, type(attributeQuery)))
             
-        if request is None:
-            request = UrlLib2SOAPRequest()            
-            request.envelope = self.requestEnvelopeClass()
-            request.envelope.create()
-            
-        if uri is not None:
-            request.url = uri
-        
-        attributeQueryElem = self.serialise(attributeQuery)
-
-        # Attach query to SOAP body
-        request.envelope.body.elem.append(attributeQueryElem)
-            
-        response = self.client.send(request)
-        
-        if len(response.envelope.body.elem) != 1:
-            raise SOAPBindingInvalidResponse("Expecting single child element "
-                                             "is SOAP body")
-            
-        if QName.getLocalPart(response.envelope.body.elem[0].tag)!='Response':
-            raise SOAPBindingInvalidResponse('Expecting "Response" element in '
-                                             'SOAP body')
-            
-        response = self.deserialise(response.envelope.body.elem[0])
-        
-        return response
-
+        response = super(AttributeQuerySOAPBinding, self).send(attributeQuery, 
+                                                               **kw)
+
+        # Perform validation
+        if response.status.statusCode.value != StatusCode.SUCCESS_URI:
+            msg = ('Return status code flagged an error.  The message is: %r' %
+                   response.status.statusMessage.value)
+            samlRespError = AttributeQueryResponseError(msg)
+            samlRespError.response = response
+            raise samlRespError
+        
+        # Check Query ID matches the query ID the service received
+        if response.inResponseTo != attributeQuery.id:
+            msg = ('Response in-response-to ID %r, doesn\'t match the original '
+                   'query ID, %r' % (response.inResponseTo, attributeQuery.id))
+            
+            samlRespError = AttributeQueryResponseError(msg)
+            samlRespError.response = response
+            raise samlRespError
+        
+        utcNow = datetime.utcnow() + self.clockSkew
+        if response.issueInstant > utcNow:
+            msg = ('SAML Attribute Response issueInstant [%s] is after '
+                   'the current clock time [%s]' % 
+                   (attributeQuery.issueInstant, SAMLDateTime.toString(utcNow)))
+            
+            samlRespError = AttributeQueryResponseError(msg)                  
+            samlRespError.response = response
+            raise samlRespError
+        
+        for assertion in response.assertions:
+            if utcNow < assertion.conditions.notBefore:            
+                msg = ('The current clock time [%s] is before the SAML '
+                       'Attribute Response assertion conditions not before '
+                       'time [%s]' % 
+                       (SAMLDateTime.toString(utcNow),
+                        assertion.conditions.notBefore))
+                          
+                samlRespError = AttributeQueryResponseError(msg)
+                samlRespError.response = response
+                raise samlRespError
+             
+            if utcNow >= assertion.conditions.notOnOrAfter:           
+                msg = ('The current clock time [%s] is on or after the SAML '
+                       'Attribute Response assertion conditions not on or '
+                       'after time [%s]' % 
+                       (SAMLDateTime.toString(utcNow),
+                        response.assertion.conditions.notOnOrAfter))
+                
+                samlRespError = AttributeQueryResponseError(msg) 
+                samlRespError.response = response
+                raise samlRespError    
+
+    
+class AttributeQuerySslSOAPBinding(AttributeQuerySOAPBinding):
+    """Specialisation of AttributeQuerySOAPbinding taking in the setting of
+    SSL parameters for mutual authentication
+    """
+    SSL_CONTEXT_PROXY_SUPPORT = _sslContextProxySupport
+    
+    def __init__(self, **kw):
+        if not AttributeQuerySslSOAPBinding.SSL_CONTEXT_PROXY_SUPPORT:
+            raise ImportError("ndg.security.common.utils.m2crypto import "
+                              "failed - missing M2Crypto package?")
+        
+        # Miss out default HTTPSHandler and set in send() instead
+        if 'handlers' in kw:
+            raise TypeError("__init__() got an unexpected keyword argument "
+                            "'handlers'")
+            
+        super(AttributeQuerySslSOAPBinding, self).__init__(handlers=(), **kw)
+        self.__sslCtxProxy = SSLContextProxy()
+
+    def send(self, **kw):
+        """Override base class implementation to pass explicit SSL Context
+        """
+        httpsHandler = HTTPSHandler(ssl_context=self.sslCtxProxy.createCtx())
+        self.client.openerDirector.add_handler(httpsHandler)
+        return super(AttributeQuerySslSOAPBinding, self).send(**kw)
+        
+    @property
+    def sslCtxProxy(self):
+        """SSL Context Proxy object used for setting up an SSL Context for
+        queries
+        """
+        return self.__sslCtxProxy
+            
+    def __setattr__(self, name, value):
+        """Enable setting of SSLContextProxy attributes as if they were 
+        attributes of this class.  This is intended as a convenience for 
+        making settings parameters read from a config file
+        """
+        try:
+            super(AttributeQuerySOAPBinding, self).__setattr__(name, value)
+            
+        except AttributeError:
+            # Coerce into setting SSL Context Proxy attributes
+            try:
+                setattr(self.sslCtxProxy, name, value)
+            except:
+                raise e

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py

@@ -15 +15 @@
                                            PIPAttributeQuery,
                                            PIPAttributeResponse)
+
 
 class MsiBaseTestCase(BaseTestCase):