Changeset 6062

Timestamp:

27/11/09 11:34:30 (11 years ago)

Author:

pjkersha

Message:

• Working SamlPIPMiddleware - the Policy Information Point with an interface to the SAML Attribute Authority. The PIP retrieves user credential information for the PDP.
• Fixed ndg.security.test.unit.wsgi.authz.test_authz unit tests for the above.

Location:

TI12-security/trunk/python

Files:

• ndg_security_common/ndg/security/common/attributeauthority.py (modified) (5 diffs)
• ndg_security_common/ndg/security/common/authz/msi.py (modified) (15 diffs)
• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/saml_utils/bindings.py (modified) (5 diffs)
• ndg_security_saml/saml/saml2/core.py (modified) (1 diff)
• ndg_security_saml/saml/xml/__init__.py (modified) (2 diffs)
• ndg_security_saml/saml/xml/etree.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (8 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz.py (modified) (9 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/sqlalchemy_ax.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py (modified) (8 diffs)
• ndg_security_test/ndg/security/test/unit/attributeauthority/test_sqlalchemyattributeinterface.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/attributeauthorityclient/attAuthorityClientTest.cfg (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/config.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/openid/provider/axinterface/test_axinterface.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/README (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-policy.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (10 diffs)

TI12-security/trunk/python/ndg_security_common/ndg/security/common/attributeauthority.py

@@ -22 +22 @@
 import logging
 log = logging.getLogger(__name__)
+
+import traceback
 
 # Determine https http transport
@@ -305 +307 @@
 
         except Exception, e:
+            log.error("AttributeAuthority.getHostInfo: %s", 
+                      traceback.format_exc())
+            
             # Try to detect exception type from SOAP fault message
             errMsg = str(e)
@@ -349 +354 @@
 
         except Exception, e:
+            log.error("AttributeAuthority.getTrustedHostInfo: %s", 
+                      traceback.format_exc())
+            
             # Try to detect exception type from SOAP fault message
             errMsg = str(e)
@@ -395 +403 @@
 
         except Exception, e:
+            log.error("AttributeAuthority.getAllHostsInfo: %s", 
+                      traceback.format_exc())
+            
             # Try to detect exception type from SOAP fault message
             errMsg = str(e)
@@ -469 +480 @@
 
         except Exception, e:
+            log.error("AttributeAuthority.getAttCert: %s", 
+                      traceback.format_exc())
+            
             # Try to detect exception type from SOAP fault message
             errMsg = str(e)

TI12-security/trunk/python/ndg_security_common/ndg/security/common/authz/msi.py

@@ -14 +14 @@
 log = logging.getLogger(__name__)
 
+import traceback
 import warnings
 from elementtree import ElementTree
@@ -336 +337 @@
             else:
                 raise AttributeParseError("Invalid Attribute element name: %s" % 
-                                         localName)
+                                          localName)
     
     @classmethod
@@ -351 +352 @@
     namespaces = ()
     def __init__(self, **attributes):
-        invalidAttributes = [attr for attr in attributes \
+        invalidAttributes = [attr for attr in attributes
                              if attr not in self.__class__.namespaces]
         if len(invalidAttributes) > 0:
@@ -376 +377 @@
         
         dict.update(self, d, **kw)
+
 
 class Subject(_AttrDict):
@@ -387 +389 @@
     (USERID_NS, SESSIONID_NS, SESSIONMANAGERURI_NS, ROLES_NS) = namespaces
 
+
 class Resource(_AttrDict):
     '''Resource designator'''
@@ -393 +396 @@
     )
     (URI_NS,) = namespaces
+
            
 class Request(object):
@@ -400 +404 @@
         self.resource = resource
 
+    def _getSubject(self):
+        return self.__subject
+    
+    def _setSubject(self, subject):
+        if not isinstance(subject, Subject,):
+            raise TypeError("Expecting %s type for Request subject; got %r" %
+                            (Subject.__class__.__name__, subject))
+        self.__subject = subject
+
+    subject = property(fget=_getSubject,
+                       fset=_setSubject,
+                       doc="Subject type object representing subject accessing "
+                           "a resource")
+
+    def _getResource(self):
+        return self.__resource
+    
+    def _setResource(self, resource):
+        if not isinstance(resource, Resource):
+            raise TypeError("Expecting %s for Request Resource; got %r" %
+                            (Resource.__class__.__name__, resource))
+        self.__resource = resource
+
+    resource = property(fget=_getResource,
+                        fset=_setResource,
+                        doc="Resource to be protected")
+
+
 class Response(object):
     '''Response from a PDP'''
     decisionValues = range(4)
     (DECISION_PERMIT,
-    DECISION_DENY,
-    DECISION_INDETERMINATE,
-    DECISION_NOT_APPLICABLE) = decisionValues
+     DECISION_DENY,
+     DECISION_INDETERMINATE,
+     DECISION_NOT_APPLICABLE) = decisionValues
 
     # string versions of the 4 Decision types used for encoding
@@ -414 +446 @@
     
     def __init__(self, status, message=None):
+        self.__status = None
+        self.__message = None
         
         self.status = status
@@ -422 +456 @@
             raise TypeError("Status %s not recognised" % status)
         
-        self._status = status
+        self.__status = status
         
     def _getStatus(self):
-        return getattr(self, '_status', Response.DECISION_INDETERMINATE)
+        return self.__status
     
     status = property(fget=_getStatus,
                       fset=_setStatus,
                       doc="Integer response code; one of %r" % decisionValues)
+
+    def _setMessage(self, message):
+        if not isinstance(message, (basestring, type(None))):
+            raise TypeError('Expecting string or None type for "message"; got '
+                            '%r' % type(message))
+        
+        self.__message = message
+        
+    def _getMessage(self):
+        return self.__message
+    
+    message = property(fget=_getMessage,
+                       fset=_setMessage,
+                       doc="Optional message associated with response")
+        
         
 from ndg.security.common.AttCert import (AttCertInvalidSignature, 
@@ -745 +794 @@
                             sslCACertFilePathList=self.sslCACertFilePathList,
                             cfg=self.wssecurityCfg)
-        except Exception, e:
-            log.error("Creating Attribute Authority client: %s" % e)
+        except Exception:
+            log.error("Creating Attribute Authority client: %s",
+                      traceback.format_exc())
             raise InitSessionCtxError()
         
@@ -755 +805 @@
         
         
-        except AA_AttributeRequestDenied, e:
-            log.error("Request for attribute certificate denied: %s" % e)
+        except AA_AttributeRequestDenied:
+            log.error("Request for attribute certificate denied: %s",
+                      traceback.format_exc())
             raise PDPUserAccessDenied()
         
@@ -765 +816 @@
             log.error("Request to Attribute Authority [%s] for attribute "
                       "certificate: %s: %s", attributeAuthorityURI,
-                      e.__class__, e)
+                      e.__class__, traceback.format_exc())
             raise AttributeCertificateRequestError()
         
@@ -815 +866 @@
     def evaluate(self, request):
         '''Make access control decision'''
+        
+        if not isinstance(request, Request):
+            raise TypeError("Expecting %s type for request; got %r" %
+                            (Request.__class__.__name__, request))
         
         # Look for matching targets to the given resource
@@ -853 +908 @@
                     continue
                           
-                attributeQuery[PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] = \
-                                        attribute.attributeAuthorityURI
+                attributeQuery[
+                    PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS
+                ] = attribute.attributeAuthorityURI
             
                 # Exit from function returning indeterminate status if a 
@@ -864 +920 @@
                     # i.e. a defined exception within the scope of this
                     # module
-                    log.exception(e)
+                    log.error("SAML Attribute Query %s: %s", 
+                              type(e), traceback.format_exc())
                     return Response(Response.DECISION_INDETERMINATE, 
-                                    message=str(e))
+                                    message=traceback.format_exc())
                                 
                 except Exception, e:
-                    log.exception(e)
+                    log.error("SAML Attribute Query: %s", 
+                              type(e), traceback.format_exc())
                     return Response(Response.DECISION_INDETERMINATE,
                                     message="An internal error occurred")

TI12-security/trunk/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -1244 +1244 @@
                 
         if bUpdateCred:
-
             thisCredential = CredentialContainer(AttCert)
             thisCredential.credential = attCert

TI12-security/trunk/python/ndg_security_common/ndg/security/common/saml_utils/bindings.py

@@ -236 +236 @@
     """
     SUBJECT_ID_OPTNAME = 'subjectID'
-    ISSUER_DN_OPTNAME = 'issuerDN'
+    ISSUER_NAME_OPTNAME = 'issuerName'
     CLOCK_SKEW_OPTNAME = 'clockSkew'
     
     CONFIG_FILE_OPTNAMES = (
         SUBJECT_ID_OPTNAME,
-        ISSUER_DN_OPTNAME,                 
+        ISSUER_NAME_OPTNAME,                 
         CLOCK_SKEW_OPTNAME            
     )
@@ -259 +259 @@
     def __init__(self, **kw):
         '''Create SOAP Client for SAML Attribute Query'''
-        self.__issuerDN = None
+        self.__issuerName = None
         self.__queryAttributes = TypedList(Attribute)
         self.__clockSkew = timedelta(seconds=0.)
@@ -366 +366 @@
                                    "Attribute Authority")
 
-    def _getIssuerDN(self):
-        return self.__issuerDN
-
-    def _setIssuerDN(self, value):
-        if isinstance(value, basestring):
-            self.__issuerDN = X500DN.fromString(value)
-            
-        elif isinstance(value, X500DN):
-            self.__issuerDN = value
-        else:
-            raise TypeError('Expecting string or X500DN type for "issuerDN"; '
+    def _getIssuerName(self):
+        return self.__issuerName
+
+    def _setIssuerName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "issuerName"; '
                             'got %r instead' % type(value))
-
-    issuerDN = property(_getIssuerDN, _setIssuerDN, 
+            
+        self.__issuerName = value
+
+    issuerName = property(_getIssuerName, _setIssuerName, 
                         doc="Distinguished Name of issuer of SAML Attribute "
                             "Query to Attribute Authority")
@@ -408 +405 @@
         attributeQuery.issueInstant = datetime.utcnow()
         
-        if self.issuerDN is None:
+        if self.issuerName is None:
             raise AttributeError('No issuer DN has been set for SAML Attribute '
                                  'Query')
@@ -414 +411 @@
         attributeQuery.issuer = Issuer()
         attributeQuery.issuer.format = Issuer.X509_SUBJECT
-        attributeQuery.issuer.value = str(self.issuerDN)
+        attributeQuery.issuer.value = self.issuerName
                         
         attributeQuery.subject = Subject()  

TI12-security/trunk/python/ndg_security_saml/saml/saml2/core.py

@@ -1078 +1078 @@
                       TYPE_LOCAL_NAME, 
                       SAMLConstants.XSD_PREFIX)
+    
+    DEFAULT_FORMAT = "%s#%s" % (SAMLConstants.XSD_NS, TYPE_LOCAL_NAME)
   
     def __init__(self):

TI12-security/trunk/python/ndg_security_saml/saml/xml/__init__.py

@@ -36 +36 @@
 
     # Configuration namespace
-    XMLTOOLING_CONFIG_NS = "http:#www.opensaml.org/xmltooling-config"
+    XMLTOOLING_CONFIG_NS = "http://www.opensaml.org/xmltooling-config"
 
     # Configuration namespace prefix
@@ -48 +48 @@
 
     # XML core namespace
-    XML_NS = "http:#www.w3.org/XML/1998/namespace"
+    XML_NS = "http://www.w3.org/XML/1998/namespace"
     
     # XML core prefix for xml attributes

TI12-security/trunk/python/ndg_security_saml/saml/xml/etree.py

@@ -51 +51 @@
 from saml.utils import SAMLDateTime
 
-from ndg.security.common.saml_utils.esg import XSGroupRoleAttributeValue
-
 
 # Generic ElementTree Helper classes

TI12-security/trunk/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -1564 +1564 @@
  
                       
-class AttributeInterfaceConfigError(Exception):
+class AttributeInterfaceConfigError(AttributeInterfaceError):
     """Invalid configuration set for Attribute interface"""
  
                       
-class AttributeInterfaceRetrieveError(Exception):
+class AttributeInterfaceRetrieveError(AttributeInterfaceError):
     """Error retrieving attributes for Attribute interface class"""
 
@@ -1590 +1590 @@
 class InvalidUserId(AttributeInterfaceError):
     """User Id passed to getAttributes is invalid"""
+    
+    
+class InvalidAttributeFormat(AttributeInterfaceError):
+    """Format for Attribute requested is invalid or not supported"""
     
       
@@ -1921 +1925 @@
     
     __slots__ = (
+        ISSUER_NAME_OPTNAME,
         CONNECTION_STRING_OPTNAME,
         ATTRIBUTE_SQLQUERY_OPTNAME,
@@ -2266 +2271 @@
             # TODO: check name format requested - only XSString is currently
             # supported
+            if (requestedAttribute.nameFormat != 
+                XSStringAttributeValue.DEFAULT_FORMAT):
+                raise InvalidAttributeFormat('Requested attribute type %r but '
+                                     'only %r type is supported' %
+                                     (requestedAttribute.nameFormat,
+                                      XSStringAttributeValue.DEFAULT_FORMAT))
+            
             attribute.nameFormat = requestedAttribute.nameFormat
 
@@ -2352 +2364 @@
         queryTmpl = self.samlAttribute2SqlQuery.get(attributeName)
         if queryTmpl is None:
-            # TODO: how to handle this error?
-            raise Exception()
+            raise AttributeInterfaceConfigError('No SQL query set for attribute '
+                                                '%r' % attributeName)
         
         try:
@@ -2362 +2374 @@
             
         except KeyError, e:
-            raise AttributeInterfaceConfigError("Invalid key for SAML "
+            raise AttributeInterfaceConfigError("Invalid key %s for SAML "
                         "attribute query string.  The valid key is %r" % 
-                        SQLAlchemyAttributeInterface.SQLQUERY_USERID_KEYNAME)
-            
+                        (e,
+                         SQLAlchemyAttributeInterface.SQLQUERY_USERID_KEYNAME))
             
         log.debug('Checking for SAML attributes with SQL Query = "%s"', query)
@@ -2384 +2396 @@
         except (IndexError, TypeError):
             raise AttributeInterfaceRetrieveError("Error with result set: "
-                                                  "%s" %
-                                                  traceback.format_exc())
+                                                  "%s" % traceback.format_exc())
         
         log.debug('Database results for SAML Attribute query user=%r '
@@ -2394 +2405 @@
     def __getstate__(self):
         '''Explicit pickling required with __slots__'''
-        return dict([(attrName, getattr(self, attrName)) \
+        return dict([(attrName, getattr(self, attrName)) 
                       for attrName in SQLAlchemyAttributeInterface.__slots__])
         

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/authz.py

@@ -18 +18 @@
 
 from ndg.security.common.utils.classfactory import importClass
-from ndg.security.common.X509 import X500DN
-from ndg.security.common.utils.m2crypto import SSLContextProxy
+from ndg.security.common.X509 import X509Cert
+from ndg.security.common.saml_utils.bindings import AttributeQuerySslSOAPBinding
 
 from ndg.security.common.credentialwallet import (NDGCredentialWallet,
@@ -436 +436 @@
         # Check for existing credentials cached in wallet            
         credentialItem = credentialWallet.credentialsKeyedByURI.get(
-                                                    attributeAuthorityURI, {})
-        
-        attrCert = credentialItem.credential
-        if attrCert is not None:
+                                                        attributeAuthorityURI)        
+        if credentialItem is not None:
             log.debug("NdgPIPMiddleware._getAttributeCertificate: retrieved "
                       "existing Attribute Certificate cached in Credential "
@@ -447 +445 @@
             # Existing cached credential found - skip call to remote Session
             # Manager / Attribute Authority and return this certificate instead
-            return attrCert
+            return credentialItem.credential
         else:   
             attrCert = PIP._getAttributeCertificate(self,
@@ -491 +489 @@
         SessionHandlerMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME
     USERNAME_SESSION_KEYNAME = \
-        SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME 
+        SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME
+         
+    ATTRIBUTE_QUERY_ATTRNAME = 'attributeQuery'
+    LEN_ATTRIBUTE_QUERY_ATTRNAME = len(ATTRIBUTE_QUERY_ATTRNAME)
           
     def __init__(self, app, global_conf, prefix='', **local_conf):
@@ -506 +507 @@
         '''
         self.session = None
-        
-        # Hold SSL Attribute Authority connection settings in SSL Context Proxy
-        # object
-        self.__sslCtxProxy = SSLContextProxy()
+        self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()
         
         nameOffset = len(prefix)
@@ -516 +514 @@
                 val = local_conf.pop(k)
                 name = k[nameOffset:]
-                setattr(self.__sslCtxProxy, name, val)
+                setattr(self, name, val)
+                
+        if not self.__attributeQueryBinding.issuerName:
+            issuerX509Cert = X509Cert.Read(
+                    self.__attributeQueryBinding.sslCtxProxy.sslCertFilePath)
+            self.__attributeQueryBinding.issuerName = str(issuerX509Cert.dn)
                 
         NDGSecurityMiddlewareBase.__init__(self, app, {})
-     
+            
+    def __setattr__(self, name, value):
+        """Enable setting of AttributeQuerySslSOAPBinding attributes from
+        names starting with attributeQuery.* / attributeQuery_*.  Addition for
+        setting these values from ini file
+        """
+
+        # Coerce into setting AttributeQuerySslSOAPBinding attributes - 
+        # names must start with 'attributeQuery\W' e.g.
+        # attributeQuery.clockSkew or attributeQuery_issuerDN
+        if name.startswith(SamlPIPMiddleware.ATTRIBUTE_QUERY_ATTRNAME):
+            setattr(self.__attributeQueryBinding, 
+                    name[SamlPIPMiddleware.LEN_ATTRIBUTE_QUERY_ATTRNAME+1:], 
+                    value)
+        else:
+            super(SamlPIPMiddleware, self).__setattr__(name, value)    
+
     @property
-    def sslCtxProxy(self):
-        """SSL Context Proxy object used for setting up an SSL Context for
-        queries to the Attribute Authority
-        """
-        return self.__sslCtxProxy
-    
-            
+    def attributeQueryBinding(self):
+        """SAML SOAP Attribute Query client binding object"""
+        return self.__attributeQueryBinding
+                
     def __call__(self, environ, start_response):
         """Take a copy of the session object so that it is in scope for
@@ -558 +574 @@
         @return: response containing the attributes retrieved from the
         Attribute Authority"""
-        
+        if not isinstance(attributeQuery, PIPAttributeQuery):
+            raise TypeError('Expecting %r type for input "attributeQuery"; '
+                            'got %r' % (AttributeQuery, type(attributeQuery)))
+                            
         attributeAuthorityURI = attributeQuery[
-                                    PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS]
+                                        PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS]
         
         log.debug("SamlPIPMiddleware: received attribute query: %r", 
@@ -580 +599 @@
             credentialWallet = SAMLCredentialWallet()
             credentialWallet.userId = self.session[usernameKeyName]
-            credentialWallet.sslCtxProxy.copy(self.sslCtxProxy)
             
             self.session[credentialWalletKeyName] = credentialWallet
@@ -592 +610 @@
                                                     attributeAuthorityURI)
         if credentialItem is None:
-            # No assertion is cached - make a fresh query
-            credentialWallet.attributeAuthorityURI = attributeAuthorityURI
-            credentialWallet.attributeQuery()
-            credentialItem = credentialWallet.credentialsKeyedByURI.get(
-                                                    attributeAuthorityURI)
+            # No assertion is cached - make a fresh SAML Attribute Query
+            self.attributeQueryBinding.subjectID = credentialWallet.userId
+            response = self.attributeQueryBinding.send(
+                                                    uri=attributeAuthorityURI)
+            for assertion in response.assertions:
+                credentialWallet.addCredential(assertion)
             
             log.debug("SamlPIPMiddleware.attributeQuery: updating Credential "
                       "Wallet with retrieved SAML Attribute Assertion "
-                      "for user session [%s]",
-                      self.session[usernameKeyName])
+                      "for user session [%s]", self.session[usernameKeyName])
         else:
             log.debug("SamlPIPMiddleware.attributeQuery: retrieved existing "
                       "SAML Attribute Assertion cached in Credential Wallet "
-                      "for user session [%s]",
-                      self.session[usernameKeyName])
+                      "for user session [%s]", self.session[usernameKeyName])
 
         attributeResponse = PIPAttributeResponse()
-        attributeResponse[Subject.ROLES_NS] = [
-            attribute.value 
-            for attribute in credentialItem.credential.attributes
-        ]
+        attributeResponse[Subject.ROLES_NS] = []
+        
+        # Unpack assertion attribute values and add to the response object
+        for credentialItem in credentialWallet.credentials.values():
+            for statement in credentialItem.credential.attributeStatements:
+                for attribute in statement.attributes:
+                    attributeResponse[Subject.ROLES_NS] += [
+                        attributeValue.value 
+                        for attributeValue in attribute.attributeValues
+                        if attributeValue.value not in attributeResponse[
+                                                            Subject.ROLES_NS]
+                    ]
         
         log.debug("SamlPIPMiddleware.attributeQuery response: %r", 

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/sqlalchemy_ax.py

@@ -26 +26 @@
     making use of the SQLAlchemy database package'''
     
-    IDENTITY_URI_SESSION_KEYNAME = \
-                        OpenIDProviderMiddleware.IDENTITY_URI_SESSION_KEYNAME
-    USERNAME_SESSION_KEYNAME = \
-                        OpenIDProviderMiddleware.USERNAME_SESSION_KEYNAME
+    USERNAME_SESSION_KEYNAME = OpenIDProviderMiddleware.USERNAME_SESSION_KEYNAME
                         
     CONNECTION_STRING_OPTNAME = 'connectionString'
@@ -147 +144 @@
             raise AXInterfaceConfigError("No username set in session context")
         
-        identityURI = authnCtx.get(
-                            SQLAlchemyAXInterface.IDENTITY_URI_SESSION_KEYNAME)
-        if identityURI is None:
-            raise AXInterfaceConfigError("No OpenID user identifier set in "
-                                         "session context")
-        
         requiredAttributeURIs = ax_req.getRequiredAttrs()
         

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py

@@ -23 +23 @@
 from openid.yadis.manager import Discovery
 
+from ndg.security.common.X509 import X509Cert
 from ndg.security.common.utils.etree import QName
 from ndg.security.common.utils.classfactory import instantiateClass
@@ -346 +347 @@
         by maintaining its own error storage managed by verify_callback.
         '''
-        x509Cert = x509StoreCtx.get_current_cert()
-        dnTxt = x509Cert.get_subject().as_text()
-        commonName = X500DN(dn=dnTxt)['CN']
+        x509Cert = X509Cert.fromM2Crypto(x509StoreCtx.get_current_cert())
+        commonName = x509Cert.dn['CN']
 
         # If all is OK preVerifyOK will be 1.  Return this to the caller to

TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py

@@ -84 +84 @@
     VALID_REQUESTOR_IDS = (
         str(X500DN.fromString("/O=Site A/CN=Authorisation Service")), 
-        str(X500DN.fromString("/O=Site B/CN=Authorisation Service"))
+        str(X500DN.fromString("/O=Site B/CN=Authorisation Service")),
+        str(X500DN.fromString('/CN=test/O=NDG/OU=BADC'))
     )
     

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py

@@ -29 +29 @@
 from ndg.security.server.attributeauthority import (AttributeAuthority, 
     AttributeAuthorityNoMatchingRoleInTrustedHosts, 
-    SQLAlchemyAttributeInterface)
+    SQLAlchemyAttributeInterface, InvalidAttributeFormat)
 
 from ndg.security.common.AttCert import AttCert
@@ -252 +252 @@
 
 class SQLAlchemyAttributeInterfaceTestCase(BaseTestCase):
-    SAML_SUBJECT_SQLQUERY = ("select count(*) from users where '%s' || "
-                             "openid_identifier = '${userId}'" %
-                             BaseTestCase.OPENID_URI_STEM)
-    
-    SAML_FIRSTNAME_SQLQUERY = ("select firstname from users where '%s' || "
-                               "openid_identifier = '${userId}'" %
-                               BaseTestCase.OPENID_URI_STEM)
-            
-    SAML_LASTNAME_SQLQUERY = ("select lastname from users where '%s' || "
-                              "openid_identifier = '${userId}'" %
-                              BaseTestCase.OPENID_URI_STEM)
-        
-    SAML_EMAILADDRESS_SQLQUERY = ("select emailaddress from users where '%s' ||"
-                                  " openid_identifier = '${userId}'" %
-                                  BaseTestCase.OPENID_URI_STEM)
+    SAML_SUBJECT_SQLQUERY = ("select count(*) from users where openid = "
+                             "'${userId}'")
+    
+    SAML_FIRSTNAME_SQLQUERY = ("select firstname from users where openid = "
+                               "'${userId}'")
+            
+    SAML_LASTNAME_SQLQUERY = ("select lastname from users where openid = "
+                              "'${userId}'")
+        
+    SAML_EMAILADDRESS_SQLQUERY = ("select emailaddress from users where "
+                                  "openid = '${userId}'")
         
     SAML_ATTRIBUTES_SQLQUERY = ("select attributename from attributes, users "
-                                "where '%s' || users.openid_identifier = "
-                                "'${userId}' and attributes.username = "
-                                "users.username" % BaseTestCase.OPENID_URI_STEM)
-#        
-#    SAML_ATTRIBUTES_SQLQUERY = ("select attributename from attributes "
-#                                "where username = 'pjk'")
+                                "where users.openid = '${userId}' and "
+                                "attributes.username = users.username")
                                 
     def __init__(self, *arg, **kw):
@@ -403 +395 @@
         attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = \
-                                    "https://openid.localhost/philip.kershaw"
+                                SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
         
         fnAttribute = Attribute()
         fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
-        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        fnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         fnAttribute.friendlyName = "FirstName"
 
@@ -414 +406 @@
         lnAttribute = Attribute()
         lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
-        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        lnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         lnAttribute.friendlyName = "LastName"
 
@@ -421 +413 @@
         emailAddressAttribute = Attribute()
         emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
-        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
-        emailAddressAttribute.friendlyName = "emailAddress"
+        emailAddressAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
+        emailAddressAttribute.friendlyName = "EmailAddress"
 
         attributeQuery.attributes.append(emailAddressAttribute)                                   
@@ -430 +421 @@
         authzAttribute.name = \
             SQLAlchemyAttributeInterfaceTestCase.ATTRIBUTE_NAMES[0]
-        authzAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
+        authzAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         authzAttribute.friendlyName = "authz"
 
@@ -482 +472 @@
             '/O=ESG/OU=NCAR/CN=Gateway')
         
-        attributeInterface.setProperties(samlAssertionLifetime=28800.)
+        attributeInterface.setProperties(samlAssertionLifetime=28800.,
+                                issuerName='/CN=Attribute Authority/O=Site A')
         
         attributeInterface.samlSubjectSqlQuery = (
@@ -504 +495 @@
                     SQLAlchemyAttributeInterfaceTestCase.N_ATTRIBUTE_VALUES)
 
+    def test04SamlAttributeQuery(self):
+        if self.skipTests:
+            return
+        
+        # Prepare a client query
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = '/O=ESG/OU=NCAR/CN=Gateway'
+                        
+                        
+        attributeQuery.subject = Subject()  
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = \
+                                SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
+    
+        emailAddressAttribute = Attribute()
+        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.nameFormat = "InvalidFormat"
+        emailAddressAttribute.friendlyName = "EmailAddress"
+
+        attributeQuery.attributes.append(emailAddressAttribute)                                   
+    
+        authzAttribute = Attribute()
+        authzAttribute.name = \
+            SQLAlchemyAttributeInterfaceTestCase.ATTRIBUTE_NAMES[0]
+        authzAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
+        authzAttribute.friendlyName = "authz"
+
+        attributeQuery.attributes.append(authzAttribute)                                   
+        
+        # Add the response - the interface will populate with an assertion as
+        # appropriate
+        samlResponse = Response()
+        
+        samlResponse.issueInstant = datetime.utcnow()
+        samlResponse.id = str(uuid4())
+        samlResponse.issuer = Issuer()
+        
+        # Initialise to success status but reset on error
+        samlResponse.status = Status()
+        samlResponse.status.statusCode = StatusCode()
+        samlResponse.status.statusMessage = StatusMessage()
+        samlResponse.status.statusCode.value = StatusCode.SUCCESS_URI
+        
+        # Nb. SAML 2.0 spec says issuer format must be omitted
+        samlResponse.issuer.value = "CEDA"
+        
+        samlResponse.inResponseTo = attributeQuery.id
+        
+        # Set up the interface object
+        
+        # Define queries for SAML attribute names
+        samlAttribute2SqlQuery = {
+            EsgSamlNamespaces.FIRSTNAME_ATTRNAME: 
+                SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY,
+            
+            EsgSamlNamespaces.LASTNAME_ATTRNAME: 
+                SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY,
+        
+            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME: 
+                SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY,
+        
+            SQLAlchemyAttributeInterfaceTestCase.ATTRIBUTE_NAMES[0]: 
+                SQLAlchemyAttributeInterfaceTestCase.SAML_ATTRIBUTES_SQLQUERY                    
+        }
+        
+        attributeInterface = SQLAlchemyAttributeInterface(
+                                samlAttribute2SqlQuery=samlAttribute2SqlQuery)
+        
+        attributeInterface.connectionString = \
+                        SQLAlchemyAttributeInterfaceTestCase.DB_CONNECTION_STR
+                
+        attributeInterface.samlValidRequestorDNs = (
+            '/O=STFC/OU=CEDA/CN=AuthorisationService',
+            '/O=ESG/OU=NCAR/CN=Gateway')
+        
+        attributeInterface.setProperties(samlAssertionLifetime=28800.,
+                                issuerName='/CN=Attribute Authority/O=Site A')
+        
+        attributeInterface.samlSubjectSqlQuery = (
+            SQLAlchemyAttributeInterfaceTestCase.SAML_SUBJECT_SQLQUERY)
+        
+        # Make the query
+        try:
+            attributeInterface.getAttributes(attributeQuery, samlResponse)
+        except InvalidAttributeFormat:
+            print("PASSED: caught InvalidAttributeFormat exception")
+        else:
+            self.fail("Expecting InvalidAttributeFormat exception")
         
 if __name__ == "__main__":

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_sqlalchemyattributeinterface.cfg

@@ -1 +1 @@
 [DEFAULT]
-openIdStem = https://openid.localhost/
 attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
-attributeInterface.samlSubjectSqlQuery = select count(*) from users where '%(openIdStem)s' || openid_identifier = '${userId}'
-attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where '%(openIdStem)s' || openid_identifier = '${userId}'"
-attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where '%(openIdStem)s' || openid_identifier = '${userId}'"
-attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where '%(openIdStem)s' || openid_identifier = '${userId}'"
-attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where '%(openIdStem)s' || openid_identifier = '${userId}'"
+attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
+attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
+attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
+attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
+attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
 attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                            /O=Site B/CN=Authorisation Service

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/attAuthorityClientTest.cfg

@@ -78 +78 @@
 subject = https://openid.localhost/philip.kershaw
 attributeQuery.clockSkew = 0.
-attributeQuery.issuerDN = /O=Site A/CN=Authorisation Service
+attributeQuery.issuerName = /O=Site A/CN=Authorisation Service
 attributeQuery.queryAttributes.0 = urn:esg:first:name, FirstName, http://www.w3.org/2001/XMLSchema#string
 attributeQuery.queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
@@ -87 +87 @@
 
 attributeQuery.clockSkew = 0.
-attributeQuery.issuerDN = /O=Site A/CN=Authorisation Service
+attributeQuery.issuerName = /O=Site A/CN=Authorisation Service
 attributeQuery.queryAttributes.0 = urn:esg:email:address, EmailAddress, http://www.w3.org/2001/XMLSchema#string
 attributeQuery.queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -298 +298 @@
         
         self.assert_(len(wallet.credentials) == 1)
-        sleep(1)
+        sleep(2)
         wallet.audit()
         self.assert_(len(wallet.credentials) == 0)

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/config.ini

@@ -13 +13 @@
 openIdSqlQuery = select openid from users where username = '${username}'     
 attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
-attributeQuery.issuerDN = /O=Site A/CN=Authorisation Service
+attributeQuery.issuerName = /O=Site A/CN=Authorisation Service
 attributeQuery.clockSkew = 0
 attributeQuery_queryAttributes.0 = urn:esg:email:address, EmailAddress, http://www.w3.org/2001/XMLSchema#string

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/openid/provider/axinterface/test_axinterface.py

@@ -34 +34 @@
             SQLAlchemyAXInterfaceTestCase.DB_CONNECTION_STR
             
-        interface.sqlQuery = ("select firstname from users where '%s' || "
-                              "openid_identifier = '${invalidUsernameKey}'" %
-                              SQLAlchemyAXInterfaceTestCase.OPENID_URI_STEM)
+        interface.sqlQuery = ("select firstname from users where username = "
+                              "'${invalidUsernameKey}'")
         
         axReq = FetchRequest()
@@ -42 +41 @@
         
         authnCtx = {
-            SQLAlchemyAXInterface.IDENTITY_URI_SESSION_KEYNAME: 
-                SQLAlchemyAXInterfaceTestCase.OPENID_URI
+            SQLAlchemyAXInterface.USERNAME_SESSION_KEYNAME: 
+                SQLAlchemyAXInterfaceTestCase.USERNAME
         }
         
@@ -62 +61 @@
         
         interface.sqlQuery = ("select firstname, lastname, emailAddress from "
-                              "users where '%s' || "
-                              "openid_identifier = '${username}'" %
-                              SQLAlchemyAXInterfaceTestCase.OPENID_URI_STEM)
+                              "users where username = '${username}'")
         
         axReq = FetchRequest()
@@ -74 +71 @@
         
         authnCtx = {
-            SQLAlchemyAXInterface.IDENTITY_URI_SESSION_KEYNAME: 
-                SQLAlchemyAXInterfaceTestCase.OPENID_URI
+            SQLAlchemyAXInterface.USERNAME_SESSION_KEYNAME: 
+                SQLAlchemyAXInterfaceTestCase.USERNAME
         }
         

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/README

@@ -1 +1 @@
 WSGI Authorization Middleware Unit Tests
 ========================================
-These tests call ndg.security.server.wsgi.authz.AuthorizationMiddleware via
+These tests call ndg.security.server.wsgi.authz.SAMLAuthorizationMiddleware 
+and ndg.security.server.wsgi.authz.NDGAuthorizationMiddleware via
 paste.fixture.  An attribute authority service needs to be running in order
 for the middleware to check user attributes,  In a separate terminal start

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="AuthZUnitTests" xmlns="urn:ndg:security:authz:1.0:policy">
-    <Description>Restrict access for Authorization unit tests</Description>
+<Policy PolicyId="NDGAuthZUnitTests" xmlns="urn:ndg:security:authz:1.1:policy">
+    <Description>Restrict access for NDG based Authorization unit tests</Description>
     
     <Target>
         <URIPattern>^/test_accessGrantedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <!-- Endpoint is for SOAP/WSDL based NDG Interface -->
+                <AttributeAuthorityURI>http://localhost:5000/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <AttributeAuthorityURI>http://localhost:5000/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <AttributeAuthorityURI>http://localhost:5000/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
@@ -29 +33 @@
         <URIPattern>^/test_accessGrantedToSecuredURI\?admin=1$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:admin</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
+                <AttributeAuthorityURI>http://localhost:5000/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
 </Policy>

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/ndg-test.ini

@@ -19 +19 @@
 
 [filter:AuthZFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
+paste.filter_app_factory=ndg.security.server.wsgi.authz:NDGAuthorizationMiddleware.filter_app_factory
 prefix = authz.
-policy.filePath = %(here)s/policy.xml
+policy.filePath = %(here)s/ndg-policy.xml
 
 authz.pepResultHandler = ndg.security.test.unit.wsgi.authz.test_authz.RedirectFollowingAccessDenied
 
-# Settings for Policy Information Point used by the Policy Decision Point to
-# retrieve subject attributes from the Attribute Authority associated with the
-# resource to be accessed
-pip.sslCACertDir=%(testConfigDir)s/ca
-pip.sslCertFilePath=%(testConfigDir)s/pki/test.crt
-pip.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
+# List of CA certificates used to verify the signatures of 
+# Attribute Certificates retrieved
+pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+
+#
+# WS-Security Settings for call to Session Manager
+
+# Signature of an outbound message
+
+# Certificate associated with private key used to sign a message.  The sign 
+# method will add this to the BinarySecurityToken element of the WSSE header.  
+# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
+# As an alternative, use signingCertChain - see below...
+
+# PEM encode cert
+pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
+
+# PEM encoded private key file
+pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
+
+# Password protecting private key.  Leave blank if there is no password.
+pip.wssecurity.signingPriKeyPwd=
+
+# For signature verification.  Provide a space separated list of file paths
+pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+
+# ValueType for the BinarySecurityToken added to the WSSE header
+pip.wssecurity.reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+pip.wssecurity.addTimestamp=True

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="AuthZUnitTests" xmlns="urn:ndg:security:authz:1.0:policy">
-    <Description>Restrict access for Authorization unit tests</Description>
+<Policy PolicyId="SAMLAuthZUnitTests" xmlns="urn:ndg:security:authz:1.1:policy">
+    <Description>Restrict access for SAML based Authorization unit tests</Description>
     
     <Target>
         <URIPattern>^/test_accessGrantedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <!-- Endpoint is for SOAP/SAML based ESG Interface -->
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
@@ -29 +33 @@
         <URIPattern>^/test_accessGrantedToSecuredURI\?admin=1$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:admin</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:5000/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
 </Policy>

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -21 +21 @@
 paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
 prefix = authz.
-policy.filePath = %(here)s/policy.xml
+policy.filePath = %(here)s/saml-policy.xml
 
 authz.pepResultHandler = ndg.security.test.unit.wsgi.authz.test_authz.RedirectFollowingAccessDenied
@@ -28 +28 @@
 # retrieve subject attributes from the Attribute Authority associated with the
 # resource to be accessed
-pip.sslCACertDir=%(testConfigDir)s/ca
-pip.sslCertFilePath=%(testConfigDir)s/pki/test.crt
-pip.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
+
+# If omitted, DN of SSL Cert is used
+pip.attributeQuery.issuerName = 
+pip.attributeQuery.clockSkew = 0.
+pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -24 +24 @@
 import paste.fixture
 from paste.deploy import loadapp
+
+from ndg.security.test.unit import BaseTestCase
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
 from ndg.security.server.wsgi.authz import (NdgPIPMiddlewareConfigError,
@@ -94 +96 @@
  
     
-class NdgWSGIAuthZTestCase(unittest.TestCase):
+class NdgWSGIAuthZTestCase(BaseTestCase):
 
     def __init__(self, *args, **kwargs):
+        BaseTestCase.__init__(self, *args, **kwargs)
+        
         here_dir = os.path.dirname(os.path.abspath(__file__))
-        wsgiapp = loadapp('config:test.ini', relative_to=here_dir)
+        wsgiapp = loadapp('config:ndg-test.ini', relative_to=here_dir)
         self.app = paste.fixture.TestApp(wsgiapp)
-         
-        unittest.TestCase.__init__(self, *args, **kwargs)
+        
+        self.startSiteAAttributeAuthority()
+        
         
 
@@ -111 +116 @@
             response = self.app.get('/test_200')
         except NdgPIPMiddlewareConfigError, e:
-            print("PASS - expected: %s exception: %s" % (e.__class__, e))
+            print("ok - expected: %s exception: %s" % (e.__class__, e))
        
     def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
@@ -255 +260 @@
  
     
-class SamlWSGIAuthZTestCase(unittest.TestCase):
-
-    def __init__(self, *args, **kwargs):
+class SamlWSGIAuthZTestCase(BaseTestCase):
+
+    def __init__(self, *args, **kwargs):       
+        BaseTestCase.__init__(self, *args, **kwargs)
+
         here_dir = os.path.dirname(os.path.abspath(__file__))
         wsgiapp = loadapp('config:saml-test.ini', relative_to=here_dir)
         self.app = paste.fixture.TestApp(wsgiapp)
-         
-        unittest.TestCase.__init__(self, *args, **kwargs)
+        
+        self.startSiteAAttributeAuthority(withSSL=True,
+            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
         
 
@@ -272 +280 @@
             response = self.app.get('/test_200')
         except SamlPIPMiddlewareConfigError, e:
-            print("PASS - expected: %s exception: %s" % (e.__class__, e))
+            print("ok - expected: %s exception: %s" % (e.__class__, e))
        
     def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
@@ -290 +298 @@
         # even though a user is set in the session
         
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_401', 
                                 extra_environ=extra_environ,
@@ -302 +312 @@
         # even though a user is set in the session
         
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_403', 
                                 extra_environ=extra_environ,
@@ -324 +336 @@
         # User is logged in but doesn't have the required credentials for 
         # access
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         response = self.app.get('/test_accessDeniedToSecuredURI',
@@ -338 +352 @@
         # User is logged in and has credentials for access to a URI secured
         # by the policy file
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         response = self.app.get('/test_accessGrantedToSecuredURI',
@@ -351 +367 @@
         # User is logged in but doesn't have the required credentials for 
         # access
-        extra_environ={'beaker.session.ndg.security':
-                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         
         # Try this URI with the query arg admin=1.  This will be picked up