Changeset 6063

Timestamp:

27/11/09 15:52:29 (11 years ago)

Author:

pjkersha

Message:

Working authz lite integration tests with integrated SAML Attribute Authority interface to authz middleware: the old NDG Attribute Authority SOAP/WSDL interface is completely removed as a dependency.

• major fixes to ndg.security.common.credentialwallet NDGCredentialWallet and SAMLCredentialWallet for slots and pickling capability needed for beaker.session. NDGCredentialWallet is kept for the moment for backwards compatibility.

Location:

TI12-security/trunk/python

Files:

• ndg_security_common/ndg/security/common/authz/msi.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (17 diffs)
• ndg_security_common/ndg/security/common/soap/client.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/authz_lite/openidprovider/attributeexchange.csv (modified) (previous)
• ndg_security_test/ndg/security/test/integration/authz_lite/policy.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini (modified) (3 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (7 diffs)
• ndg_security_test/setup.py (modified) (1 diff)

TI12-security/trunk/python/ndg_security_common/ndg/security/common/authz/msi.py

@@ -926 +926 @@
                                 
                 except Exception, e:
-                    log.error("SAML Attribute Query: %s", 
+                    log.error("SAML Attribute Query %s: %s", 
                               type(e), traceback.format_exc())
                     return Response(Response.DECISION_INDETERMINATE,

TI12-security/trunk/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -169 +169 @@
     CREDENTIAL_TYPE_ATTRNAME = 'type'
     
-    __slots__ = (
+    __ATTRIBUTE_NAMES = (
         ID_ATTRNAME,
         ITEM_ATTRNAME,
@@ -176 +176 @@
         CREDENTIAL_TYPE_ATTRNAME
     )
+    __slots__ = __ATTRIBUTE_NAMES
     __slots__ += tuple(["_CredentialContainer__%s" % n for n in __slots__])
     
@@ -217 +218 @@
 
     def _setCredential(self, value):
-        if self.type is not None and not isinstance(value, self.type):
+        # Safeguard type attribute referencing for unpickling process - this
+        # method may be called before type attribute has been set
+        _type = getattr(self, 
+                        CredentialContainer.CREDENTIAL_TYPE_ATTRNAME, 
+                        None)
+        
+        if _type is not None and not isinstance(value, _type):
             raise TypeError('Expecting %r type for "credential" attribute; '
                             'got %r' % type(value))
@@ -256 +263 @@
     def __getstate__(self):
         '''Enable pickling'''
-        return dict([(attrName, getattr(self, attrName))
-                     for attrName in self.__class__.__slots__])
+        thisDict = dict([(attrName, getattr(self, attrName))
+                         for attrName in CredentialContainer.__ATTRIBUTE_NAMES])
+        
+        return thisDict
         
     def __setstate__(self, attrDict):
         '''Enable pickling for use with beaker.session'''
-        for attr, val in attrDict.items():
-            setattr(self, attr, val)
+        try:
+            for attr, val in attrDict.items():
+                setattr(self, attr, val)
+        except Exception, e:
+            pass
        
 
@@ -269 +281 @@
     """ 
     CONFIG_FILE_OPTNAMES = ("userId", )
-        
-    __slots__ = (
-        "credentials",
-        "credentialsKeyedByURI",
-    )
-    __slots__ += CONFIG_FILE_OPTNAMES
-    __slots__ += tuple(["_CredentialWalletBase__%s" % name 
-                        for name in __slots__])
-    del name
+    __slots__ = ("__credentials", "__credentialsKeyedByURI", "__userId")
+    
+    # Helper for __getstate__
+    __PROPERTIES = ("credentials", "credentialsKeyedByURI", "userId")
+
+#    __slots__ = READ_ONLY_ATTRIBUTES
+#    __slots__ += CONFIG_FILE_OPTNAMES
+#    __PRIVATE_ATTR_PREFIX = "_CredentialWalletBase__"
+#    __slots__ += tuple([__PRIVATE_ATTR_PREFIX + name for name in __slots__])
+#    del name
     
     def __init__(self):
@@ -386 +399 @@
     def __getstate__(self):
         '''Enable pickling for use with beaker.session'''
-        return dict([(attrName, getattr(self, attrName))
-                     for attrName in self.__class__.__slots__])
-        
+        _dict = {}
+        for attrName in CredentialWalletBase.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_CredentialWalletBase" + attrName
+                
+            _dict[attrName] = getattr(self, attrName)
+            
+        return _dict
+  
     def __setstate__(self, attrDict):
         '''Enable pickling for use with beaker.session'''
-        for attr, val in attrDict.items():
-            setattr(self, attr, val)
+        for attrName, val in attrDict.items():
+            setattr(self, attrName, val)
 
 
@@ -558 +579 @@
             
         return True
-            
+    
+    def __getstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        _dict = super(SAMLCredentialWallet, self).__getstate__()
+        
+        for attrName in SAMLCredentialWallet.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_SAMLCredentialWallet" + attrName
+                
+            _dict[attrName] = getattr(self, attrName)
+            
+        return _dict
+
    
 class NDGCredentialWallet(CredentialWalletBase):
@@ -670 +705 @@
     __metaclass__ = _MetaCredentialWallet
 
+    # Names that may be set in a properties file
     propertyDefaults = dict(
         userX509Cert=None,
@@ -683 +719 @@
         mapFromTrustedHosts=False,
         rtnExtAttCertList=True,
-        attCertRefreshElapse=7200,
+        attCertRefreshElapse=7200
+    )
+    
+    __slots__ = dict(
+        _cfg=None,
+        _dn=None,
+        _userPriKeyPwd=None,
+        _attributeAuthorityClnt=None,
+        _attributeAuthorityURI=None,
+        sslCACertFilePathList=[],
         wssCfgFilePath=None,
         wssCfgSection='DEFAULT',
         wssCfgPrefix='',
-        wssCfgKw={})
-    
-    _protectedAttrs = [
-        '_userX509Cert',
-        '_userX509CertFilePath',
-        '_userPriKey',
-        '_userPriKeyFilePath',
-        '_userPriKeyPwd',
-        '_issuingX509Cert',
-        '_issuingX509CertFilePath',
-        '_attributeAuthorityClnt',
-        '_attributeAuthority',
-        '_attributeAuthorityURI',
-        '_caCertFilePathList',
-        '_mapFromTrustedHosts',
-        '_rtnExtAttCertList',
-        '_attCertRefreshElapse',
-        '_cfg',
-        '_dn'
-    ]
-    
-    __slots__ = propertyDefaults.keys() + _protectedAttrs
-    
+        wssCfgKw={}
+    )
+    __slots__.update(dict([("_" + n, v) for n, v in propertyDefaults.items()]))
+    del n
     def __init__(self, 
                  cfg=None, 
@@ -726 +752 @@
         from
         @type cfgPrefix: basestring
-        @param cfgPrefix: apply a prefix to all NDGCredentialWallet config params 
-        so that if placed in a file with other parameters they can be 
+        @param cfgPrefix: apply a prefix to all NDGCredentialWallet config 
+        params so that if placed in a file with other parameters they can be 
         distinguished
         @type cfgKw: dict
@@ -736 +762 @@
         super(NDGCredentialWallet, self).__init__()
         
-        # Initialise attributes - 1st protected ones
-        attr = {}.fromkeys(NDGCredentialWallet._protectedAttrs)
-        
-        # ... then properties
-        attr.update(NDGCredentialWallet.propertyDefaults)
-        for k, v in attr.items():
+        # Initialise attributes
+        for k, v in NDGCredentialWallet.__slots__.items():
             setattr(self, k, v)
             
@@ -760 +782 @@
 
         # Make a connection to the Credentials Repository
-        if self.credentialRepository is None:
+        if self._credentialRepository is None:
             log.info('Applying default CredentialRepository %r for user '
                      '"%s"' % (NullCredentialRepository, self.userId))
-            self.credentialRepository = NullCredentialRepository()
+            self._credentialRepository = NullCredentialRepository()
         else:
             log.info('Checking CredentialRepository for credentials for user '
                      '"%s"' % self.userId)
             
-            if not issubclass(self.credentialRepository, CredentialRepository):
+            if not issubclass(self._credentialRepository, CredentialRepository):
                 raise CredentialWalletError("Input Credential Repository "
                                             "instance must be of a class "
@@ -777 +799 @@
             # Check for valid attribute certificates for the user
             try:
-                self.credentialRepository.auditCredentials(self.userId)
-                userCred=self.credentialRepository.getCredentials(self.userId)
+                self._credentialRepository.auditCredentials(self.userId)
+                userCred=self._credentialRepository.getCredentials(self.userId)
     
             except Exception, e:
@@ -809 +831 @@
             self.audit()
     
+    def __getstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        _dict = super(NDGCredentialWallet, self).__getstate__()
+        
+        for attrName in SAMLCredentialWallet.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_NDGCredentialWallet" + attrName
+                
+            _dict[attrName] = getattr(self, attrName)
+            
+        return _dict
+        
     def parseConfig(self, cfg, prefix='', section='DEFAULT'):
         '''Extract parameters from cfg config object'''
@@ -1258 +1294 @@
             # authorisation credentials.  This allows credentials for previous
             # sessions to be re-instated
-            if self.credentialRepository and bUpdateCredentialRepository:
+            if self._credentialRepository and bUpdateCredentialRepository:
                 self.updateCredentialRepository()
 
@@ -1292 +1328 @@
         log.debug("NDGCredentialWallet.updateCredentialRepository ...")
         
-        if not self.credentialRepository:
+        if not self._credentialRepository:
             raise CredentialWalletError("No Credential Repository has been "
                                         "created for this wallet")
@@ -1304 +1340 @@
                        if i.id == -1]
 
-        self.credentialRepository.addCredentials(self.userId, attCertList)
+        self._credentialRepository.addCredentials(self.userId, attCertList)
 
     def _createAttributeAuthorityClnt(self, attributeAuthorityURI):

TI12-security/trunk/python/ndg_security_common/ndg/security/common/soap/client.py

@@ -216 +216 @@
         if response.code != httplib.OK:
             output = response.read()
-            excep = HTTPException("Response is: %d %s" % (response.code, 
-                                                          response.msg))
+            excep = HTTPException("Response for request to [%s] is: %d %s" % 
+                                  (soapRequest.url, 
+                                   response.code, 
+                                   response.msg))
             excep.urllib2Response = response
             raise excep
         
-        if response.headers.typeheader not in \
-           UrlLib2SOAPClient.RESPONSE_CONTENT_TYPES:
+        if (response.headers.typeheader not in 
+            UrlLib2SOAPClient.RESPONSE_CONTENT_TYPES):
             responseType = ', '.join(UrlLib2SOAPClient.RESPONSE_CONTENT_TYPES)
             excep = SOAPResponseError("Expecting %r response type; got %r for "

TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py

@@ -81 +81 @@
     SAML_ASSERTION_LIFETIME = 8*60*60
     
-    VALID_USER_IDS = ("https://openid.localhost/philip.kershaw",)
+    VALID_USER_IDS = ("https://openid.localhost/philip.kershaw",
+                      "https://localhost:7443/openid/PhilipKershaw")
     VALID_REQUESTOR_IDS = (
         str(X500DN.fromString("/O=Site A/CN=Authorisation Service")), 

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.0:policy">
+<Policy PolicyId="AuthZ Lite - Authorisation Integration Tests" xmlns="urn:ndg:security:authz:1.1:policy">
     <Description>Restrict access for Authorization integration tests</Description>
     
@@ -6 +6 @@
         <URIPattern>^/test_securedURI*$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:7443/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-            <uri>http://localhost:7443/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
 </Policy>

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini

@@ -55 +55 @@
 
 # Set redirect for OpenID Relying Party in the Security Services app instance
-authN.redirectURI = http://localhost:7443/verify
+authN.redirectURI = https://localhost:7443/verify
 # Test with an SSL endpoint
 #authN.redirectURI = https://localhost/verify
@@ -76 +76 @@
 
 [filter:AuthorizationFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory
+paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
 prefix = authz.
 policy.filePath = %(here)s/policy.xml
@@ -83 +83 @@
 # retrieve subject attributes from the Attribute Authority associated with the
 # resource to be accessed
-pip.sslCACertFilePathList=
 
-# List of CA certificates used to verify the signatures of 
-# Attribute Certificates retrieved
-pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
-
-#
-# WS-Security Settings for call to Attribute Authority to retrieve user 
-# attributes
-
-# Signature of an outbound message
-
-# Certificate associated with private key used to sign a message.  The sign 
-# method will add this to the BinarySecurityToken element of the WSSE header.  
-# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
-# As an alternative, use signingCertChain - see below...
-
-# PEM encode cert
-pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
-
-# PEM encoded private key file
-pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
-
-# Password protecting private key.  Leave blank if there is no password.
-pip.wssecurity.signingPriKeyPwd=
-
-# For signature verification.  Provide a space separated list of file paths
-pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
-
-# ValueType for the BinarySecurityToken added to the WSSE header
-pip.wssecurity.reqBinSecTokValType=X509v3
-
-# Add a timestamp element to an outbound message
-pip.wssecurity.addTimestamp=True
+# If omitted, DN of SSL Cert is used
+pip.attributeQuery.issuerName = 
+pip.attributeQuery.clockSkew = 0.
+pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
 
 # Logging configuration

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -17 +17 @@
 portNum = 7443
 hostname = localhost
-scheme = http
+scheme = https
 baseURI = %(scheme)s://%(hostname)s:%(portNum)s
 openIDProviderIDBase = /openid
@@ -311 +311 @@
 # Settings for custom AttributeInterface derived class to get user roles for given 
 # user ID
-#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz_lite.attributeinterface
+attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
+attributeAuthority.attributeInterface.modName: siteAUserRoles
 attributeAuthority.attributeInterface.className: TestUserRoles
 

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py

@@ -12 +12 @@
 import os
 from os.path import dirname, abspath, join
+      
+from OpenSSL import SSL
 
+from ndg.security.test.unit import BaseTestCase
 from ndg.security.test.unit.wsgi import PasteDeployAppServer
+
+INI_FILEPATH = 'securityservices.ini'
 
 # To start run 
@@ -25 +30 @@
         port = 7443
         
-    cfgFileName='securityservices.ini'
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)    
-    server = PasteDeployAppServer(cfgFilePath=cfgFilePath, port=port) 
+    cfgFileName = INI_FILEPATH
+    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)  
+    
+    certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                'pki', 
+                                'localhost.crt')
+    priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                  'pki', 
+                                  'localhost.key')
+    
+    ssl_context = SSL.Context(SSL.SSLv23_METHOD)
+    ssl_context.set_options(SSL.OP_NO_SSLv2)
+
+    ssl_context.use_privatekey_file(priKeyFilePath)
+    ssl_context.use_certificate_file(certFilePath)
+
+    server = PasteDeployAppServer(cfgFilePath=cfgFilePath, 
+                                  port=port,
+                                  ssl_context=ssl_context) 
     server.start()

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -17 +17 @@
 from string import Template
 from cStringIO import StringIO
+import cPickle as pickle
+
 from elementtree import ElementTree
 
@@ -46 +48 @@
     ndg.security.common.credentialwallet.NDGCredentialWallet class.
     """
+    THIS_DIR = os.path.dirname(__file__)
+    PICKLE_FILENAME = 'NDGCredentialWalletPickle.dat'
+    PICKLE_FILEPATH = os.path.join(THIS_DIR, PICKLE_FILENAME)
+
     def __init__(self, *arg, **kw):
         super(NDGCredentialWalletTestCase, self).__init__(*arg, **kw)
@@ -108 +114 @@
             
         credWallet.attributeAuthority = None
-        credWallet.credentialRepository = None
+        credWallet._credentialRepository = None
         credWallet.mapFromTrustedHosts = False
         credWallet.rtnExtAttCertList = True
@@ -159 +165 @@
             attCert = credWallet.getAttCert()
         except CredentialWalletAttributeRequestDenied, e:
-            print("SUCCESS - obtained expected result: %s" % e)
+            print("ok - obtained expected result: %s" % e)
             return
         
@@ -196 +202 @@
         print("Attribute Certificate:\n%s" % attCert)  
 
+    def test08Pickle(self):
+        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
+                                                          'cfgFilePath'))
+
+        outFile = open(NDGCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
+        pickle.dump(credWallet, outFile)
+        outFile.close()
+        
+        inFile = open(NDGCredentialWalletTestCase.PICKLE_FILEPATH)
+        unpickledCredWallet = pickle.load(inFile)
+        self.assert_(unpickledCredWallet.userId == credWallet.userId)
+        
 
 class SAMLCredentialWalletTestCase(BaseTestCase):
@@ -201 +219 @@
     CONFIG_FILENAME = 'test_samlcredentialwallet.cfg'
     CONFIG_FILEPATH = os.path.join(THIS_DIR, CONFIG_FILENAME)
+    PICKLE_FILENAME = 'SAMLCredentialWalletPickle.dat'
+    PICKLE_FILEPATH = os.path.join(THIS_DIR, PICKLE_FILENAME)
     
     ASSERTION_STR = (
@@ -321 +341 @@
         wallet.addCredential(self._createAssertion(issuerName="MySite"))
         self.assert_(len(wallet.credentials) == 2)
+
+    def test06Pickle(self):
+        wallet = self._addCredential()
+        outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
+        pickle.dump(wallet, outFile)
+        outFile.close()
+        
+        inFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH)
+        unpickledWallet = pickle.load(inFile)
+        self.assert_(unpickledWallet.credentialsKeyedByURI.get(
+            SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI))
         
         

TI12-security/trunk/python/ndg_security_test/setup.py

@@ -29 +29 @@
     url =                       'http://proj.badc.rl.ac.uk/ndg/wiki/Security',
     license =               'BSD - See LICENCE file for details',
+    install_requires =      'pyOpenSSL', # Required for paster to run under SSL
     packages =                      find_packages(),
     namespace_packages =        ['ndg', 'ndg.security'],