Context Navigation

← Previous Change
Next Change →

NDGSecurity

Timestamp:

12/02/10 15:04:42 (11 years ago)

Author:

pjkersha

Message:

Refactoring SAML SOAP bindings module to include AuthzDecisionQuery?:

improved package structure
Generic SubjectQuerySOAPBinding type which AuthzDecision? and Attribute query types extend.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap

Files:

: 4 edited

__init__.py (modified) (9 diffs)
attributequery.py (modified) (5 diffs)
authzdecisionquery.py (modified) (1 diff)
subjectquery.py (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/init.py

-                      r6566
+                      r6567
 log = logging.getLogger(__name__)
-import re
 from os import path
-from datetime import datetime, timedelta
-from uuid import uuid4
 from ConfigParser import ConfigParser
-from M2Crypto.m2urllib2 import HTTPSHandler
 from saml.common import SAMLObject
+from saml.utils import SAMLDateTime
+from saml.saml2.core import (Attribute, AttributeQuery, StatusCode, Response,
+                             Issuer, Subject, SAMLVersion, NameID)
+from saml.xml.etree import AttributeQueryElementTree, ResponseElementTree
+from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.utils import TypedList, str2Bool
 from ndg.security.common.utils.configfileparsers import (
                                                     CaseSensitiveConfigParser)
 …
                                              UrlLib2SOAPRequest)
-# Prevent whole module breaking if this is not available - it's only needed for
-# AttributeQuerySslSOAPBinding
-try:
-    from ndg.security.common.utils.m2crypto import SSLContextProxy
-    _sslContextProxySupport = True
-except ImportError:
-    _sslContextProxySupport = False
 class SOAPBindingError(Exception):
 …
                  requestEnvelopeClass=SOAPEnvelope,
                  responseEnvelopeClass=SOAPEnvelope,
                  serialise=AttributeQueryElementTree.toXML,
                  deserialise=ResponseElementTree.fromXML,
+                 serialise=None,
+                 deserialise=None,
                  handlers=(HTTPSHandler,)):
         '''Create SAML SOAP Client - Nb. serialisation functions assume
         AttributeQuery/Response'''
+        '''Create SAML SOAP Client - Nb. serialisation functions must be set
+        before send()ing the request'''
         self.__client = None
+        self.serialise = serialise
+        self.deserialise = deserialise
+        self.__serialise = None
+        self.__deserialise = None
+        if serialise is not None:
+            self.serialise = serialise
+        if deserialise is not None:
+            self.deserialise = deserialise
         self.client = UrlLib2SOAPClient()
 …
     def _setRequestEnvelopeClass(self, value):
         if not issubclass(value, SOAPEnvelopeBase):
             raise TypeError('Expecting %r for "requestEnvelopeClass"; got %r'%
+            raise TypeError('Expecting %r for "requestEnvelopeClass"; got %r' %
                             (SOAPEnvelopeBase, value))
 …
     def _setClient(self, value):
         if not isinstance(value, UrlLib2SOAPClient):
             raise TypeError('Expecting %r for "client"; got %r'%
+            raise TypeError('Expecting %r for "client"; got %r' %
                             (UrlLib2SOAPClient, type(value)))
         self.__client = value
 …
         defaults to ndg.security.common.soap.client.UrlLib2SOAPRequest
         '''
+        if self.serialise is None:
+            raise AttributeError('No "serialise" method set to serialise the '
+                                 'request')
+        if self.deserialise is None:
+            raise AttributeError('No "deserialise" method set to deserialise '
+                                 'the response')
         if not isinstance(samlObj, SAMLObject):
             raise TypeError('Expecting %r for input attribute query; got %r'
 …
         @type cfg: basestring /ConfigParser derived type
         @param cfg: configuration file path or ConfigParser type object
         @rtype: ndg.security.common.credentialWallet.AttributeQuery
+        @rtype: ndg.security.common.saml_utils.binding.soap.SOAPBinding
         @return: new instance of this class
         '''
 …
     def __getstate__(self):
         '''Enable pickling for use with beaker.session'''
+        '''Explicit implementation needed with __slots__'''
         _dict = {}
         for attrName in SOAPBinding.__slots__:
 …
     def __setstate__(self, attrDict):
         '''Specific implementation needed with __slots__'''
+        '''Explicit implementation needed with __slots__'''
         for attr, val in attrDict.items():
             setattr(self, attr, val)
-class SubjectQueryResponseError(SOAPBindingInvalidResponse):
-    """SAML Response error from Subject Query"""
-    def __init__(self, *arg, **kw):
-        SOAPBindingInvalidResponse.__init__(self, *arg, **kw)
-        self.__response = None
-    def _getResponse(self):
-        '''Gets the response corresponding to this error
-        @return the response
-        '''
-        return self.__response
-    def _setResponse(self, value):
-        '''Sets the response corresponding to this error.
-        @param value: the response
-        '''
-        if not isinstance(value, Response):
-            raise TypeError('"response" must be a %r, got %r' % (Response,
-                                                                 type(value)))
-        self.__response = value
-    response = property(fget=_getResponse, fset=_setResponse,
-                        doc="SAML Response associated with this exception")

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/attributequery.py

-                      r6566
+                      r6567
 log = logging.getLogger(__name__)
+from M2Crypto.m2urllib2 import HTTPSHandler
+from saml.saml2.core import Attribute, AttributeQuery
+from ndg.security.common.utils import TypedList
 from ndg.security.common.sam_utils.binding.soap.subjectquery import (
                                                     SubjectQuery,
+                                                    SubjectQuerySOAPBinding,
                                                     SubjectQueryResponseError)
+# Prevent whole module breaking if this is not available - it's only needed for
+# AttributeQuerySslSOAPBinding
+try:
+    from ndg.security.common.utils.m2crypto import SSLContextProxy
+    _sslContextProxySupport = True
+except ImportError:
+    _sslContextProxySupport = False
 …
 class AttributeQuerySOAPBinding(SOAPBinding):
+class AttributeQuerySOAPBinding(SubjectQuery):
     """SAML Attribute Query SOAP Binding
-    Nb. Assumes X.509 subject type for query issuer
     """
-    SUBJECT_ID_OPTNAME = 'subjectID'
-    ISSUER_NAME_OPTNAME = 'issuerName'
-    CLOCK_SKEW_OPTNAME = 'clockSkewTolerance'
-    CONFIG_FILE_OPTNAMES = (
-        SUBJECT_ID_OPTNAME,
-        ISSUER_NAME_OPTNAME,
-        CLOCK_SKEW_OPTNAME
+    )
     QUERY_ATTRIBUTES_ATTRNAME = 'queryAttributes'
     LEN_QUERY_ATTRIBUTES_ATTRNAME = len(QUERY_ATTRIBUTES_ATTRNAME)
 …
     __PRIVATE_ATTR_PREFIX = "__"
+    __slots__ = tuple([__PRIVATE_ATTR_PREFIX + i
+                       for i in \
+                       CONFIG_FILE_OPTNAMES + (QUERY_ATTRIBUTES_ATTRNAME,)])
+    del i
+    __slots__ = (__PRIVATE_ATTR_PREFIX + QUERY_ATTRIBUTES_ATTRNAME,)
     def __init__(self, **kw):
         '''Create SOAP Client for SAML Attribute Query'''
-        self.__issuerName = None
         self.__queryAttributes = TypedList(Attribute)
-        self.__clockSkewTolerance = timedelta(seconds=0.)
         super(AttributeQuerySOAPBinding, self).__init__(**kw)
-    @classmethod
-    def fromConfig(cls, cfg, **kw):
-        '''Alternative constructor makes object from config file settings
-        @type cfg: basestring /ConfigParser derived type
-        @param cfg: configuration file path or ConfigParser type object
-        @rtype: ndg.security.common.credentialWallet.AttributeQuery
-        @return: new instance of this class
-        '''
-        obj = cls()
-        obj.parseConfig(cfg, **kw)
-        return obj
-    def parseConfig(self, cfg, prefix='', section='DEFAULT'):
-        '''Read config file settings
-        @type cfg: basestring /ConfigParser derived type
-        @param cfg: configuration file path or ConfigParser type object
-        @type prefix: basestring
-        @param prefix: prefix for option names e.g. "attributeQuery."
-        @type section: baestring
-        @param section: configuration file section from which to extract
-        parameters.
-        '''
-        if isinstance(cfg, basestring):
-            cfgFilePath = path.expandvars(cfg)
-            _cfg = CaseSensitiveConfigParser()
-            _cfg.read(cfgFilePath)
-        elif isinstance(cfg, ConfigParser):
-            _cfg = cfg
-        else:
-            raise AttributeError('Expecting basestring or ConfigParser type '
-                                 'for "cfg" attribute; got %r type' % type(cfg))
-        prefixLen = len(prefix)
-        for optName, val in _cfg.items(section):
-            if prefix:
-                # Filter attributes based on prefix
-                if optName.startswith(prefix):
-                    setattr(self, optName[prefixLen:], val)
-            else:
-                # No prefix set - attempt to set all attributes
-                setattr(self, optName, val)
     def __setattr__(self, name, value):
 …
             else:
                 raise
-    def _getSubjectID(self):
-        return self.__subjectID
-    def _setSubjectID(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "subjectID"; got %r '
-                            'instead' % type(value))
-        self.__subjectID = value
-    subjectID = property(_getSubjectID, _setSubjectID,
-                         doc="ID to be sent as query subject")
     def _getQueryAttributes(self):
-        """Returns a *COPY* of the attributes to avoid overwriting the
-        member variable content
-        """
         return self.__queryAttributes
 …
                                    "Attribute Authority")
-    def _getIssuerName(self):
-        return self.__issuerName
-    def _setIssuerName(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "issuerName"; '
-                            'got %r instead' % type(value))
-        self.__issuerName = value
-    issuerName = property(_getIssuerName, _setIssuerName,
-                        doc="Distinguished Name of issuer of SAML Attribute "
-                            "Query to Attribute Authority")
-    def _getClockSkewTolerance(self):
-        return self.__clockSkewTolerance
-    def _setClockSkewTolerance(self, value):
-        if isinstance(value, (float, int, long)):
-            self.__clockSkewTolerance = timedelta(seconds=value)
-        elif isinstance(value, basestring):
-            self.__clockSkewTolerance = timedelta(seconds=float(value))
-        else:
-            raise TypeError('Expecting float, int, long or string type for '
-                            '"clockSkewTolerance"; got %r' % type(value))
-    clockSkewTolerance = property(fget=_getClockSkewTolerance,
-                         fset=_setClockSkewTolerance,
-                         doc="Allow a clock skew in seconds for SAML Attribute"
-                             " Query issueInstant parameter check")
     def _createQuery(self):
         """ Create a SAML attribute query"""
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        if self.issuerName is None:
+            raise AttributeError('No issuer DN has been set for SAML Attribute '
+                                 'Query')
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = self.issuerName
+        attributeQuery.subject = Subject()
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = self.subjectID
+        attributeQuery = super(AttributeQuerySOAPBinding, self)._createQuery(
+                                                    AttributeQuerySOAPBinding)
         # Add list of attributes to query
         for attribute in self.queryAttributes:
             attributeQuery.attributes.append(attribute)
+        return attributeQuery
+    def send(self, **kw):
+        '''Make an attribute query to a remote SAML service
+        @type uri: basestring
+        @param uri: uri of service.  May be omitted if set from request.url
+        @type request: ndg.security.common.soap.UrlLib2SOAPRequest
+        @param request: SOAP request object to which query will be attached
+        defaults to ndg.security.common.soap.client.UrlLib2SOAPRequest
+        '''
+        attributeQuery = self._createQuery()
+        response = super(AttributeQuerySOAPBinding, self).send(attributeQuery,
+                                                               **kw)
+        # Perform validation
+        if response.status.statusCode.value != StatusCode.SUCCESS_URI:
+            msg = ('Return status code flagged an error.  The message is: %r' %
+                   response.status.statusMessage.value)
+            samlRespError = AttributeQueryResponseError(msg)
+            samlRespError.response = response
+            raise samlRespError
+        # Check Query ID matches the query ID the service received
+        if response.inResponseTo != attributeQuery.id:
+            msg = ('Response in-response-to ID %r, doesn\'t match the original '
+                   'query ID, %r' % (response.inResponseTo, attributeQuery.id))
+            samlRespError = AttributeQueryResponseError(msg)
+            samlRespError.response = response
+            raise samlRespError
+        utcNow = datetime.utcnow() + self.clockSkewTolerance
+        if response.issueInstant > utcNow:
+            msg = ('SAML Attribute Response issueInstant [%s] is after '
+                   'the current clock time [%s]' %
+                   (attributeQuery.issueInstant, SAMLDateTime.toString(utcNow)))
+            samlRespError = AttributeQueryResponseError(msg)
+            samlRespError.response = response
+            raise samlRespError
+        for assertion in response.assertions:
+            if assertion.conditions is not None:
+                if utcNow < assertion.conditions.notBefore:
+                    msg = ('The current clock time [%s] is before the SAML '
+                           'Attribute Response assertion conditions not before '
+                           'time [%s]' %
+                           (SAMLDateTime.toString(utcNow),
+                            assertion.conditions.notBefore))
+                    samlRespError = AttributeQueryResponseError(msg)
+                    samlRespError.response = response
+                    raise samlRespError
+                if utcNow >= assertion.conditions.notOnOrAfter:
+                    msg = ('The current clock time [%s] is on or after the '
+                           'SAML Attribute Response assertion conditions not '
+                           'on or after time [%s]' %
+                           (SAMLDateTime.toString(utcNow),
+                            response.assertion.conditions.notOnOrAfter))
+                    samlRespError = AttributeQueryResponseError(msg)
+                    samlRespError.response = response
+                    raise samlRespError
+        return response
+        return attributeQuery

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/authzdecisionquery.py

-                      r6566
+                      r6567
 import logging
 log = logging.getLogger(__name__)
+from M2Crypto.m2urllib2 import HTTPSHandler
+from saml.saml2.core import AuthzDecisionQuery
+from ndg.security.common.sam_utils.binding.soap.subjectquery import (
+                                                    SubjectQuerySOAPBinding,
+                                                    SubjectQueryResponseError)
+# Prevent whole module breaking if this is not available - it's only needed for
+# AuthzDecisionQuerySslSOAPBinding
+try:
+    from ndg.security.common.utils.m2crypto import SSLContextProxy
+    _sslContextProxySupport = True
+except ImportError:
+    _sslContextProxySupport = False
+class AuthzDecisionQueryResponseError(SubjectQueryResponseError):
+    """SAML Response error from Attribute Query"""
+class AuthzDecisionQuerySOAPBinding(SubjectQuerySOAPBinding):
+    """SAML Attribute Query SOAP Binding
+    Nb. Assumes X.509 subject type for query issuer
+    """
+    __slots__ = ()
+    def __init__(self, **kw):
+        '''Create SOAP Client for SAML Authorization Decision Query'''
+        super(AuthzDecisionQuerySOAPBinding, self).__init__(**kw)
+    def _createQuery(self):
+        """Specialisation to force creation of AuthzDecisionQuery type instead
+        of SubjectQuery
+        """
+        return super(AuthzDecisionQuerySOAPBinding, self)._createQuery(
+                                                            AuthzDecisionQuery)
+class AuthzDecisionQuerySslSOAPBinding(AuthzDecisionQuerySOAPBinding):
+    """Specialisation of AuthzDecisionQuerySOAPbinding taking in the setting of
+    SSL parameters for mutual authentication
+    """
+    SSL_CONTEXT_PROXY_SUPPORT = _sslContextProxySupport
+    __slots__ = ('__sslCtxProxy',)
+    def __init__(self, **kw):
+        if not AuthzDecisionQuerySslSOAPBinding.SSL_CONTEXT_PROXY_SUPPORT:
+            raise ImportError("ndg.security.common.utils.m2crypto import "
+                              "failed - missing M2Crypto package?")
+        # Miss out default HTTPSHandler and set in send() instead
+        if 'handlers' in kw:
+            raise TypeError("__init__() got an unexpected keyword argument "
+                            "'handlers'")
+        super(AuthzDecisionQuerySslSOAPBinding, self).__init__(handlers=(),
+                                                               **kw)
+        self.__sslCtxProxy = SSLContextProxy()
+    def send(self, **kw):
+        """Override base class implementation to pass explicit SSL Context
+        """
+        httpsHandler = HTTPSHandler(ssl_context=self.sslCtxProxy.createCtx())
+        self.client.openerDirector.add_handler(httpsHandler)
+        return super(AuthzDecisionQuerySslSOAPBinding, self).send(**kw)
+    @property
+    def sslCtxProxy(self):
+        """SSL Context Proxy object used for setting up an SSL Context for
+        queries
+        """
+        return self.__sslCtxProxy
+    def __setattr__(self, name, value):
+        """Enable setting of SSLContextProxy attributes as if they were
+        attributes of this class.  This is intended as a convenience for
+        making settings parameters read from a config file
+        """
+        try:
+            super(AuthzDecisionQuerySslSOAPBinding, self).__setattr__(name,
+                                                                      value)
+        except AttributeError:
+            # Coerce into setting SSL Context Proxy attributes
+            try:
+                setattr(self.sslCtxProxy, name, value)
+            except:
+                raise

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/subjectquery.py

-                      r6566
+                      r6567
+"""SAML 2.0 bindings module implements SOAP binding for subject query
+NERC DataGrid Project
+"""
+__author__ = "P J Kershaw"
+__date__ = "12/02/10"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = '$Id: $'
+import logging
+log = logging.getLogger(__name__)
+from datetime import datetime, timedelta
+from saml.common import SAMLObject
+from saml.utils import SAMLDateTime
+from saml.saml2.core import (Attribute, AttributeQuery, StatusCode, Response,
+                             Issuer, Subject, SAMLVersion, NameID)
+from ndg.security.common.saml_utils.binding.soap import (SOAPBinding,
+    SOAPBindingInvalidResponse)
+class SubjectQueryResponseError(SOAPBindingInvalidResponse):
+    """SAML Response error from Subject Query"""
+    def __init__(self, *arg, **kw):
+        SOAPBindingInvalidResponse.__init__(self, *arg, **kw)
+        self.__response = None
+    def _getResponse(self):
+        '''Gets the response corresponding to this error
+        @return the response
+        '''
+        return self.__response
+    def _setResponse(self, value):
+        '''Sets the response corresponding to this error.
+        @param value: the response
+        '''
+        if not isinstance(value, Response):
+            raise TypeError('"response" must be a %r, got %r' % (Response,
+                                                                 type(value)))
+        self.__response = value
+    response = property(fget=_getResponse, fset=_setResponse,
+                        doc="SAML Response associated with this exception")
 class SubjectQuerySOAPBinding(SOAPBinding):
     """SAML Subject Query SOAP Binding
-    Nb. Assumes X.509 subject type for query issuer
     """
     SUBJECT_ID_OPTNAME = 'subjectID'
 …
         '''Create SOAP Client for SAML Attribute Query'''
         self.__issuerName = None
+        self.__issuerFormat = Issuer.X509_SUBJECT
+        self.__nameIdFormat = NameID.UNSPECIFIED
         self.__clockSkewTolerance = timedelta(seconds=0.)
         self.__verifyTimeConditions = True
         super(SubjectQuerySOAPBinding, self).__init__(**kw)
+    def _getNameIdFormat(self):
+        return self.__nameIdFormat
+    def _setNameIdFormat(self, value):
+        self.__nameIdFormat = value
+    nameIdFormat = property(_getNameIdFormat, _setNameIdFormat,
+                            doc="Subject Name ID format")
+    def _getIssuerFormat(self):
+        return self.__issuerFormat
+    def _setIssuerFormat(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "issuerFormat"; got %r '
+                            'instead' % type(value))
+        self.__issuerFormat = value
+    issuerFormat = property(_getIssuerFormat, _setIssuerFormat,
+                            doc="Issuer format")
     def _getVerifyTimeConditions(self):
 …
         query.issuer = Issuer()
         query.issuer.format = Issuer.X509_SUBJECT
+        query.issuer.format = self.issuerFormat
         query.issuer.value = self.issuerName
         query.subject = Subject()
         query.subject.nameID = NameID()
         query.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        query.subject.nameID.format = self.nameIdFormat
         query.subject.nameID.value = self.subjectID

Note: See TracChangeset for help on using the changeset viewer.