Changeset 6265

Timestamp:

05/01/10 14:56:55 (11 years ago)

Author:

pjkersha

Message:

Adding Genshi template interface for access denied result handler.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi

Files:

• authz/__init__.py (modified) (6 diffs)
• authz/result_handler/base.html (added)
• authz/result_handler/basic.py (modified) (2 diffs)
• authz/result_handler/error.html (added)
• authz/result_handler/genshi.py (modified) (1 diff)
• openid/provider/renderinginterface/genshi/__init__.py (modified) (1 diff)
• session.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -16 +16 @@
 from urlparse import urlunsplit
 from httplib import UNAUTHORIZED, FORBIDDEN
+        
+from authkit.authenticate.multi import MultiHandler
 
 from ndg.security.common.utils.classfactory import importClass
@@ -28 +30 @@
 from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase, 
                                       NDGSecurityMiddlewareConfigError)
-from ndg.security.server.wsgi.authn import (SessionMiddlewareBase, 
-                                            SessionHandlerMiddleware)
-
-from ndg.security.server.wsgi.authz.result_handler.basic import \
-    PEPResultHandlerMiddleware
+from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 
+                                              SessionHandlerMiddleware)
     
 from ndg.security.common.authz.msi import (Policy, PIP, PIPBase, 
@@ -65 +64 @@
     # Key names for PEP context information
     PEPCTX_SESSION_KEYNAME = 'pepCtx'
-    PEPCTX_REQUEST_KEYNAME = 'request'
-    PEPCTX_RESPONSE_KEYNAME = 'response'
-    PEPCTX_TIMESTAMP_KEYNAME = 'timestamp'
+    PEPCTX_REQUEST_SESSION_KEYNAME = 'request'
+    PEPCTX_RESPONSE_SESSION_KEYNAME = 'response'
+    PEPCTX_TIMESTAMP_SESSION_KEYNAME = 'timestamp'
     POLICY_FILEPATH_PARAMNAME = 'filePath'
     
@@ -170 +169 @@
         # Record the result in the user's session to enable later 
         # interrogation by the AuthZResultHandlerMiddleware
+        PEPFilter.setSession(session, request, response)
         
         if response.status == Response.DECISION_PERMIT:
@@ -192 +192 @@
 
     @classmethod
-    def setSession(cls, session, save=True):
+    def setSession(cls, session, request, response, save=True):
+        """Set PEP context information in the Beaker session using standard key
+        names
+        
+        @param session: beaker session
+        @type session: beaker.session.SessionObject
+        @param request: authorisation request
+        @type request: ndg.security.common.authz.msi.Request
+        @param response: authorisation response
+        @type response: ndg.security.common.authz.msi.Response
+        @param save: determines whether session is saved or not
+        @type save: bool
+        """
         session[cls.PEPCTX_SESSION_KEYNAME] = {
-            cls.PEPCTX_REQUEST_KEYNAME: request, 
-            cls.PEPCTX_RESPONSE_KEYNAME: response,
-            cls.PEPCTX_TIMESTAMP_KEYNAME: time()
+            cls.PEPCTX_REQUEST_SESSION_KEYNAME: request, 
+            cls.PEPCTX_RESPONSE_SESSION_KEYNAME: response,
+            cls.PEPCTX_TIMESTAMP_SESSION_KEYNAME: time()
         }
         
@@ -601 +613 @@
         
         return attributeResponse
-    
-           
-from authkit.authenticate.multi import MultiHandler
+
 
 class AuthorizationMiddlewareError(Exception):
     """Base class for AuthorizationMiddlewareBase exceptions"""
+    
     
 class AuthorizationMiddlewareConfigError(Exception):
     """AuthorizationMiddlewareBase configuration related exceptions"""
  
+ 
+# Import here to avoid import error
+from ndg.security.server.wsgi.authz.result_handler.basic import \
+    PEPResultHandlerMiddleware
    
 class AuthorizationMiddlewareBase(NDGSecurityMiddlewareBase):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py

@@ -18 +18 @@
 
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
-from ndg.security.server.wsgi.authn import SessionMiddlewareBase
+from ndg.security.server.wsgi.session import SessionMiddlewareBase
 from ndg.security.server.wsgi.authz import PEPFilter
 
@@ -71 +71 @@
             # Get response message from PDP recorded by PEP
             pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {})
-            pdpResponse = pepCtx.get(PEPFilter.PEPCTX__RESPONSE_SESSION_KEYNAME)
-            msg = getattr(pdpResponse, 'message', '')
+            pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME)
+            msg = getattr(pdpResponse, 'message', '') or ''
                 
             response = ("Access is forbidden for this resource:%s"

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi.py

@@ -11 +11 @@
 __revision__ = "$Id: $"
 __license__ = "BSD - see LICENSE file in top-level directory"
+from string import Template
+from genshi.template import TemplateLoader
+
+from httplib import UNAUTHORIZED, FORBIDDEN
+
+from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi.session import SessionMiddlewareBase
+
+
+class GenshiPEPResultHandlerMiddleware(SessionMiddlewareBase):
+    """Genshi based PEP result handler
+    """
+    PROPERTY_NAMES = (
+        'messageTemplate',
+        'templateName',
+        'templateRootDir'
+    )
+    __slots__ = PROPERTY_NAMES
+        
+    DEFAULT_TMPL_NAME = 'accessdenied.html'
+    DEFAULT_TMPL_DIR = path.join(path.dirname(__file__), 'templates')
+    
+    MSG_TMPL = (
+        "Access is forbidden for this resource:<br/><br/>"
+        "$pdpResponseMsg<br/><br/>"
+        "Please check with your site administrator that you have the required "
+        "access privileges."
+    )
+    
+    def __init__(self, app, global_conf, prefix='', **app_conf):
+        '''
+        @type app: callable following WSGI interface
+        @param app: next middleware application in the chain      
+        @type global_conf: dict        
+        @param global_conf: PasteDeploy global configuration dictionary
+        @type prefix: basestring
+        @param prefix: prefix for configuration items
+        @type app_conf: dict        
+        @param app_conf: PasteDeploy application specific configuration 
+        dictionary
+        '''
+        super(GenshiPEPResultHandlerMiddleware, self).__init__(app,
+                                                               global_conf,
+                                                               prefix=prefix,
+                                                               **app_conf) 
+               
+        # Initialise attributes
+        for i in GenshiRendering.PROPERTY_NAMES:
+            setattr(self, i, '')
+         
+        # Update from keywords   
+        for i in app_conf:
+            setattr(self, i, app_conf[i])
+
+        if not self.templateRootDir:
+            self.templateRootDir = \
+                            GenshiPEPResultHandlerMiddleware.DEFAULT_TMPL_DIR
+         
+        if not self.messageTemplate:
+            self.messageTemplate = GenshiPEPResultHandlerMiddleware.MSG_TMPL
+            
+        if not self.templateName:
+            self.templateName = \
+                GenshiPEPResultHandlerMiddleware.DEFAULT_TMPL_NAME
+            
+        self.__loader = TemplateLoader(self.templateRootDir, auto_reload=True)
+        
+    @NDGSecurityMiddlewareBase.initCall
+    def __call__(self, environ, start_response):
+        
+        if not self.isAuthenticated:
+            # sets 401 response to be trapped by authentication handler
+            log.warning("PEPResultHandlerMiddleware: user is not "
+                        "authenticated - setting HTTP 401 response")
+            return self._setErrorResponse(code=UNAUTHORIZED)
+        else:
+            # Get response message from PDP recorded by PEP
+            pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {})
+            pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME)
+            pdpResponseMsg = getattr(pdpResponse, 'message', '') or ''
+                
+            msg = Template(self.messageTemplate).substitute(
+                                                pdpResponseMsg=pdpResponseMsg)
+
+            response = self._render(xml=msg)
+            start_response(
+                GenshiPEPResultHandlerMiddleware.getStatusMessage(FORBIDDEN),
+                [('Content-type', 'text/html'),
+                 ('Content-Length', str(len(response)))])
+            
+            return response
+        
+    def __setattr__(self, name, value):
+        """Apply some generic type checking"""
+        if name in GenshiRendering.PROPERTY_NAMES:
+            if not isinstance(value, basestring):
+                raise TypeError('Expecting string type for %r attribute; got '
+                                '%r' % (name, type(value)))
+            
+        super(GenshiPEPResultHandlerMiddleware, self).__setattr__(name, value)
+                       
+    def _getLoader(self):
+        return self.__loader
+
+    def _setLoader(self, value):
+        if not isinstance(value, TemplateLoader):
+            raise TypeError('Expecting %r type for "loader"; got %r' % 
+                            (TemplateLoader, type(value)))
+        self.__loader = value
+
+    loader = property(_getLoader, _setLoader, 
+                      doc="Genshi TemplateLoader instance")  
+          
+    def _render(self, **kw):
+        '''Wrapper for Genshi template rendering
+        @type kw: dict
+        @param kw: keywords to pass to template
+        @rtype: string
+        @return: rendered template
+        '''        
+        tmpl = self.loader.load(self.templateName)
+        rendering = tmpl.generate(**kw).render('html', doctype='html')
+        
+        return rendering

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/__init__.py

@@ -84 +84 @@
         @param *arg: RenderingInterface parent class arguments
         @type **opt: dict
-        @param **opt: additional keywords to set-up Buffet rendering'''
+        @param **opt: additional keywords to set-up Genshi rendering'''
         super(GenshiRendering, self).__init__(*arg, **opt)
         

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

@@ -14 +14 @@
 log = logging.getLogger(__name__)
 
-from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase,
+                                      NDGSecurityMiddlewareError)
 
 
@@ -36 +37 @@
        
 
-class SessionHandlerMiddlewareError(AuthnException):
+class SessionHandlerMiddlewareError(NDGSecurityMiddlewareError):
     """Base exception for SessionHandlerMiddleware"""