Changeset 6512

Timestamp:

08/02/10 17:12:29 (11 years ago)

Author:

pjkersha

Message:

Patches to CredentialWallet?, SAML interfaces and authz middleware for WPS testing.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• Makefile (modified) (3 diffs)
• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (8 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/Makefile

@@ -10 +10 @@
 # @license: BSD - LICENSE file
 #
-# $Id$
+# $Id:$
 EGG_DIRS=ndg_security_common ndg_security_client ndg_security_server \
 ndg_security_test ndg_security
@@ -17 +17 @@
 PYTHON=python
 
-eggs:
+Eggs:
+        @echo "Running setup bdist_egg in these directories ${EGG_DIRS} ..."
         @-for dir in ${EGG_DIRS}; do \
                 cd $$dir; \
@@ -45 +46 @@
 force: replace
 
-NDG_EGG_DIST_USER=
-NDG_EGG_DIST_HOST=
-NDG_EGG_DIST_DIR=
+#NDG_EGG_DIST_USER=
+#NDG_EGG_DIST_HOST=
+#NDG_EGG_DIST_DIR=
 
-install_eggs: eggs
+install_eggs: Eggs
+    @echo "Installing eggs to ${NDG_EGG_DIST_HOST}:${NDG_EGG_DIST_DIR} ..."
+    chown ${NDG_EGG_DIST_USER}:cedadev ndg_*/dist/*.egg
         scp ndg_*/dist/*.egg ${NDG_EGG_DIST_USER}@${NDG_EGG_DIST_HOST}:${NDG_EGG_DIST_DIR}
 

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -297 +297 @@
         credentialWallet = cls()
         credentialWallet.parseConfig(cfg, **kw)
+        
+        return credentialWallet
 
     def parseConfig(self, cfg, prefix='', section='DEFAULT'):
@@ -410 +412 @@
     Attribute Assertions
     """
-    __slots__ = ()
+    CONFIG_FILE_OPTNAMES = CredentialWalletBase.CONFIG_FILE_OPTNAMES + (
+                           "clockSkewTolerance", )
+    __slots__ = ("__clockSkewTolerance",)
     
     CREDENTIAL_REPOSITORY_NOT_SUPPORTED_MSG = ("SAMLCredentialWallet doesn't "
@@ -417 +421 @@
                                                "interface")
 
-    @classmethod
-    def fromConfig(cls, cfg, **kw):
-        '''Alternative constructor makes object from config file settings
-        @type cfg: basestring /ConfigParser derived type
-        @param cfg: configuration file path or ConfigParser type object
-        @rtype: ndg.security.common.credentialWallet.SAMLCredentialWallet
-        @return: new instance of this class
-        '''
-        credentialWallet = cls()
-        credentialWallet.parseConfig(cfg, **kw)
-        
-        return credentialWallet
+    def __init__(self):
+        super(SAMLCredentialWallet, self).__init__()
+        self.__clockSkewTolerance = timedelta(seconds=0.)
+
+    def _getClockSkewTolerance(self):
+        return self.__clockSkewTolerance
+
+    def _setClockSkewTolerance(self, value):
+        if isinstance(value, (float, int, long)):
+            self.__clockSkewTolerance = timedelta(seconds=value)
+            
+        elif isinstance(value, basestring):
+            self.__clockSkewTolerance = timedelta(seconds=float(value))
+        else:
+            raise TypeError('Expecting float, int, long or string type for '
+                            '"clockSkewTolerance"; got %r' % type(value))
+
+    clockSkewTolerance = property(_getClockSkewTolerance, 
+                                  _setClockSkewTolerance, 
+                                  doc="Allow a tolerance (seconds) for "
+                                      "checking timestamps of the form: "
+                                      "notBeforeTime - tolerance < now < "
+                                      "notAfterTime + tolerance")
 
     def parseConfig(self, cfg, prefix='', section='DEFAULT'):
@@ -461 +476 @@
                       credential, 
                       attributeAuthorityURI=None,
-                      bUpdateCredentialRepository=False):
+                      bUpdateCredentialRepository=False,
+                      verifyCredential=True):
         """Add a new assertion to the list of assertion credentials held.
 
@@ -473 +489 @@
         @type bUpdateCredentialRepository: bool
         @param bUpdateCredentialRepository: if set to True, and a repository 
-        exists it will be updated with the new credentials also
+        exists it will be updated with the new credentials also. Nb. a derived
+        class will need to be implemented to enable this capability - see
+        the updateCredentialRepository method.
+        @type verifyCredential: bool
+        @param verifyCredential: if set to True, test validity of credential
+        by calling isValidCredential method.
         
         @rtype: bool
-        @return: True if certificate was added otherwise False.  - If an
+        @return: True if credential was added otherwise False.  - If an
         existing certificate from the same issuer has a later expiry it will
         take precedence and the new input certificate is ignored."""
@@ -485 +506 @@
                                         "%r type object" % Assertion)        
 
-        if not self.isValidCredential(credential):
+        if verifyCredential and not self.isValidCredential(credential):
             raise CredentialWalletError("Validity time error with assertion %r"
-                                        % assertion)
+                                        % credential)
         
         # Check to see if there is an existing Attribute Certificate held
         # that was issued by the same host.  If so, compare the expiry time.
         # The one with the latest expiry will be retained and the other
-        # ingored
+        # ignored
         bUpdateCred = True
+        if credential.issuer is None:
+            raise AttributeError("Adding SAML assertion to wallet: no issuer "
+                                 "set")
+            
         issuerName = credential.issuer.value
         
@@ -551 +576 @@
         """Validate SAML assertion time validity"""
         utcNow = datetime.utcnow()
-        if utcNow < assertion.conditions.notBefore:
+        if utcNow < assertion.conditions.notBefore - self.clockSkewTolerance:
             msg = ('The current clock time [%s] is before the SAML Attribute '
-                   'Response assertion conditions not before time [%s]' % 
+                   'Response assertion conditions not before time [%s] ' 
+                   '(with clock skew tolerance = %s)' % 
                    (SAMLDateTime.toString(utcNow),
-                    assertion.conditions.notBefore))
+                    assertion.conditions.notBefore,
+                    self.clockSkewTolerance))
             log.warning(msg)
             return False
             
-        if utcNow >= assertion.conditions.notOnOrAfter:
+        if (utcNow >= 
+            assertion.conditions.notOnOrAfter + self.clockSkewTolerance):
             msg = ('The current clock time [%s] is on or after the SAML '
                    'Attribute Response assertion conditions not on or after '
-                   'time [%s]' % 
+                   'time [%s] (with clock skew tolerance = %s)' % 
                    (SAMLDateTime.toString(utcNow),
-                    assertion.conditions.notOnOrAfter))
+                    assertion.conditions.notOnOrAfter,
+                    self.clockSkewTolerance))
             log.warning(msg)
             return False
@@ -834 +863 @@
         _dict = super(NDGCredentialWallet, self).__getstate__()
         
-        for attrName in SAMLCredentialWallet.__slots__:
+        for attrName in NDGCredentialWallet.__slots__:
             # Ugly hack to allow for derived classes setting private member
             # variables

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -586 +586 @@
                                                     uri=attributeAuthorityURI)
             for assertion in response.assertions:
-                credentialWallet.addCredential(assertion)
+                credentialWallet.addCredential(assertion,
+                                   attributeAuthorityURI=attributeAuthorityURI,
+                                   verifyCredential=False)
             
             log.debug("SamlPIPMiddleware.attributeQuery: updating Credential "

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -223 +223 @@
         response = soapResponse.serialize()
         
+        log.debug("SOAPAttributeInterfaceMiddleware.__call__: sending response "
+                  "...\n\n%s",
+                  response)
         start_response("200 OK",
                        [('Content-length', str(len(response))),

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml

@@ -25 +25 @@
         </Attributes>
     </Target>
+    <!-- Test inclusion of ampersand -->
+    <Target>
+        <URIPattern>^/test_securedURI[?&amp;]MyQueryParam=100</URIPattern>
+        <Attributes>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
+        </Attributes>        
+    </Target>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py

@@ -59 +59 @@
                 assert(attribute.attributeAuthorityURI)
 
+                        
 
 class PIPPlaceholder(PIPBase):
@@ -81 +82 @@
     PERMITTED_RESOURCE_URI = '/test_securedURI'
     DENIED_RESOURCE_URI = '/test_accessDeniedToSecuredURI'
+    WITH_ESCAPE_CHARS_RESOURCE_URI = '/test_securedURI?MyQueryParam=100'
     
     def setUp(self):
@@ -104 +106 @@
         self.assert_(response.status == Response.DECISION_DENY)
 
+    def test03WithEscapeCharsInPolicy(self):
+        self.request.resource[Resource.URI_NS
+                              ] = PDPTestCase.WITH_ESCAPE_CHARS_RESOURCE_URI      
+        response = self.pdp.evaluate(self.request)
+        
+        self.assert_(response.status == Response.DECISION_PERMIT)
+
         
 if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -248 +248 @@
         
     def setUp(self):
-        self.assertion =self._createAssertion()
+        self.assertion = self._createAssertion()
         
     def _createAssertion(self, timeNow=None, validityDuration=60*60*8,
@@ -322 +322 @@
         self.assert_(len(wallet.credentials) == 0)
 
-    def test04ReplaceCredential(self):
+    def test04ClockSkewTolerance(self):
+        # Add a short lived credential but with the wallet set to allow for
+        # a clock skew of 
+        shortExpiryAssertion = self._createAssertion(validityDuration=1)
+        wallet = SAMLCredentialWallet()
+        
+        # Set a tolerance of five seconds
+        wallet.clockSkewTolerance = 5.*60*60
+        wallet.addCredential(shortExpiryAssertion)
+        
+        self.assert_(len(wallet.credentials) == 1)
+        sleep(2)
+        wallet.audit()
+        self.assert_(len(wallet.credentials) == 1)
+        
+    def test05ReplaceCredential(self):
         # Replace an existing credential from a given institution with a more
         # up to date one
@@ -332 +347 @@
         wallet.addCredential(newAssertion)
         self.assert_(len(wallet.credentials) == 1)
-        self.assert_(newAssertion.conditions.notOnOrAfter==\
+        self.assert_(newAssertion.conditions.notOnOrAfter == \
                      wallet.credentials[
                         SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME
                     ].credential.conditions.notOnOrAfter)
         
-    def test05CredentialsFromSeparateSites(self):
+    def test06CredentialsFromSeparateSites(self):
         wallet = self._addCredential()
         wallet.addCredential(self._createAssertion(issuerName="MySite"))
         self.assert_(len(wallet.credentials) == 2)
 
-    def test06Pickle(self):
+    def test07Pickle(self):
         wallet = self._addCredential()
         outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
@@ -353 +368 @@
             SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI))
         
+        self.assert_(unpickledWallet.credentials.items()[0][1].issuerName == \
+                     BaseTestCase.SITEA_SAML_ISSUER_NAME)
+
+    def test08CreateFromConfig(self):
+        wallet = SAMLCredentialWallet.fromConfig(
+                                SAMLCredentialWalletTestCase.CONFIG_FILEPATH)
+        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01))
+        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw')
         
 if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg

@@ -9 +9 @@
 # $Id:$
 [DEFAULT]
-clockSkew = 0.
+clockSkewTolerance = 0.01
 userId = https://openid.localhost/philip.kershaw
-issuerDN = /O=Site A/CN=Authorisation Service
-attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
-queryAttributes.0 = urn:esg:first:name, FirstName, http://www.w3.org/2001/XMLSchema#string
-queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
-
-# SSL Context Proxy settings
-sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
-sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.crt
-sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.key
-sslValidDNs = /C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost, /O=Site A/CN=Attribute Authority