Changeset 6578 for TI12-security/trunk/NDGSecurity

Timestamp:

16/02/10 16:11:08 (11 years ago)

Author:

pjkersha

Message:

• Important fix for SOAP client used with SAML SOAP binding: set text/xml content type.
• Refactored SAML SOAP binding query clients.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/saml_utils/binding/soap/__init__.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/saml_utils/binding/soap/attributequery.py (modified) (3 diffs)
• ndg_security_common/ndg/security/common/saml_utils/binding/soap/authzdecisionquery.py (modified) (2 diffs)
• ndg_security_common/ndg/security/common/saml_utils/binding/soap/subjectquery.py (modified) (5 diffs)
• ndg_security_common/ndg/security/common/saml_utils/esg/xml/etree.py (modified) (2 diffs)
• ndg_security_common/ndg/security/common/soap/client.py (modified) (4 diffs)
• ndg_security_common/ndg/security/common/soap/etree.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/saml/attributeinterface.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/__init__.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/attribute-interface.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-decision-interface.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapattributeinterface.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py (modified) (6 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/__init__.py

@@ -188 +188 @@
         
         samlElem = self.serialise(samlObj)
-
+            
         # Attach query to SOAP body
         request.envelope.body.elem.append(samlElem)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/attributequery.py

@@ -48 +48 @@
     SERIALISE_KW = 'serialise'
     DESERIALISE_KW = 'deserialise'
+    QUERY_TYPE = AttributeQuery
     
     def __init__(self, **kw):
         '''Create SOAP Client for SAML Attribute Query'''
-        self.__queryAttributes = TypedList(Attribute)
         
         # Default to ElementTree based serialisation/deserialisation
@@ -65 +65 @@
         
         super(AttributeQuerySOAPBinding, self).__init__(**kw)
+        self.__queryAttributes = TypedList(Attribute)
             
     def __setattr__(self, name, value):
@@ -107 +108 @@
                                doc="List of attributes to query from the "
                                    "Attribute Authority")
-
-    def _createQuery(self):
-        """ Create a SAML attribute query"""
-        attributeQuery = super(AttributeQuerySOAPBinding, self)._createQuery(
-                                                                AttributeQuery)
-        # Add list of attributes to query                      
-        for attribute in self.queryAttributes:
-            attributeQuery.attributes.append(attribute)
-            
-        return attributeQuery 
+#
+#    def _createQuery(self):
+#        """ Create a SAML attribute query"""
+#        attributeQuery = super(AttributeQuerySOAPBinding, self)._createQuery(
+#                                                                AttributeQuery)
+#        # Add list of attributes to query                      
+#        for attribute in self.queryAttributes:
+#            attributeQuery.attributes.append(attribute)
+#            
+#        return attributeQuery 
 
     

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/authzdecisionquery.py

@@ -17 +17 @@
 from saml.saml2.core import AuthzDecisionQuery
 
-from ndg.security.common.sam_utils.binding.soap.subjectquery import (
+from ndg.security.common.saml_utils.binding.soap.subjectquery import (
                                                     SubjectQuerySOAPBinding,
                                                     SubjectQueryResponseError)
@@ -40 +40 @@
     Nb. Assumes X.509 subject type for query issuer
     """
-    __slots__ = ()
+    SERIALISE_KW = 'serialise'
+    DESERIALISE_KW = 'deserialise'
+    QUERY_TYPE = AuthzDecisionQuery
+    __slots__ = ('__resourceURI', '__action', '__actionNs')
     
     def __init__(self, **kw):
         '''Create SOAP Client for SAML Authorization Decision Query'''
+        cls = AuthzDecisionQuerySOAPBinding
+        
+        # Default to ElementTree based serialisation/deserialisation
+        if cls.SERIALISE_KW not in kw:
+            from saml.xml.etree import AuthzDecisionQueryElementTree
+            kw[cls.SERIALISE_KW] = AuthzDecisionQueryElementTree.toXML
+               
+        if cls.DESERIALISE_KW not in kw:
+            from saml.xml.etree import ResponseElementTree
+            kw[cls.DESERIALISE_KW] = ResponseElementTree.fromXML
+
         super(AuthzDecisionQuerySOAPBinding, self).__init__(**kw)
 
+    def _getResourceURI(self):
+        return self.query.resource
+
+    def _setResourceURI(self, value):
+        self.query.resource = value
+        
+    resourceURI = property(_getResourceURI, _setResourceURI, 
+                           doc="Resource URI to query for access")
     
-    def _createQuery(self):
-        """Specialisation to force creation of AuthzDecisionQuery type instead
-        of SubjectQuery
-        """
-        return super(AuthzDecisionQuerySOAPBinding, self)._createQuery(
-                                                            AuthzDecisionQuery) 
+    @property
+    def actions(self):
+        return self.query.actions
 
     

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/binding/soap/subjectquery.py

@@ -56 +56 @@
     """
     SUBJECT_ID_OPTNAME = 'subjectID'
+    SUBJECT_ID_FORMAT_OPTNAME = 'subjectIdFormat'
     ISSUER_NAME_OPTNAME = 'issuerName'
     ISSUER_FORMAT_OPTNAME = 'issuerFormat'
-    SUBJECT_ID_FORMAT_OPTNAME = 'subjectIdFormat'
     CLOCK_SKEW_OPTNAME = 'clockSkewTolerance'
     VERIFY_TIME_CONDITIONS_OPTNAME = 'verifyTimeConditions'
@@ -72 +72 @@
     
     __PRIVATE_ATTR_PREFIX = "__"
-    __slots__ = tuple([__PRIVATE_ATTR_PREFIX + i for i in CONFIG_FILE_OPTNAMES])
+    __slots__ = tuple([__PRIVATE_ATTR_PREFIX + i 
+                       for i in CONFIG_FILE_OPTNAMES + ('query', )])
     del i
     
+    QUERY_TYPE = SubjectQuery
+    
     def __init__(self, **kw):
-        '''Create SOAP Client for SAML Attribute Query'''
-        self.__issuerName = None
-        self.__issuerFormat = Issuer.X509_SUBJECT
-        self.__subjectID = None
-        self.__subjectIdFormat = NameID.UNSPECIFIED
+        '''Create SOAP Client for SAML Subject Query'''       
         self.__clockSkewTolerance = timedelta(seconds=0.)
         self.__verifyTimeConditions = True
         
+        self._initQuery()
+        
         super(SubjectQuerySOAPBinding, self).__init__(**kw)
 
-    def _getNameIdFormat(self):
-        return self.__subjectIdFormat
-
-    def _setNameIdFormat(self, value):
-        self.__subjectIdFormat = value
-
-    subjectIdFormat = property(_getNameIdFormat, _setNameIdFormat, 
-                            doc="Subject Name ID format")
+    def _initQuery(self):
+        """Initialise query settings"""
+        self.__query = self.__class__.QUERY_TYPE()
+        self.__query.version = SAMLVersion(SAMLVersion.VERSION_20)
+        self.__query.id = str(uuid4())
+        
+        # These properties access the __query instance
+        self.issuerFormat = Issuer.X509_SUBJECT
+        self.subjectIdFormat = NameID.UNSPECIFIED
+
+    def _getQuery(self):
+        return self.__query
+
+    def _setQuery(self, value):
+        if not isinstance(value, self.__class__.QUERY_TYPE):
+            raise TypeError('Expecting %r query type got %r instead' %
+                            (self.__class__, type(value)))
+        self.__query = value
+
+    query = property(_getQuery, _setQuery, 
+                     doc="SAML Subject Query or derived query type")
+
+    def _getSubjectID(self):
+        if self.__query.subject is None or self.__query.subject.nameID is None:
+            return None
+        else:
+            return self.__query.subject.nameID.value
+
+    def _setSubjectID(self, value):
+        if self.__query.subject is None:
+            self.__query.subject = Subject()
+            
+        if self.__query.subject.nameID is None:
+            self.__query.subject.nameID = NameID()
+            
+        self.__query.subject.nameID.value = value
+
+    subjectID = property(_getSubjectID, _setSubjectID, 
+                         doc="ID to be sent as query subject")
+    
+    def _getSubjectIdFormat(self):
+        if self.__query.subject is None or self.__query.subject.nameID is None:
+            return None
+        else:
+            return self.__query.subject.nameID.format
+
+    def _setSubjectIdFormat(self, value):
+        if self.__query.subject is None:
+            self.__query.subject = Subject()
+            
+        if self.__query.subject.nameID is None:
+            self.__query.subject.nameID = NameID()
+            
+        self.__query.subject.nameID.format = value
+
+    subjectIdFormat = property(_getSubjectIdFormat, _setSubjectIdFormat, 
+                               doc="Subject Name ID format")
 
     def _getIssuerFormat(self):
-        return self.__issuerFormat
+        if self.__query.issuer is None:
+            return None
+        else:
+            return self.__query.issuer.value
 
     def _setIssuerFormat(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "issuerFormat"; got %r '
-                            'instead' % type(value))
-        self.__issuerFormat = value
+        if self.__query.issuer is None:
+            self.__query.issuer = Issuer()
+            
+        self.__query.issuer.format = value
 
     issuerFormat = property(_getIssuerFormat, _setIssuerFormat, 
                             doc="Issuer format")
+
+    def _getIssuerName(self):
+        if self.__query.issuer is None:
+            return None
+        else:
+            return self.__query.issuer.value
+
+    def _setIssuerName(self, value):
+        if self.__query.issuer is None:
+            self.__query.issuer = Issuer()
+            
+        self.__query.issuer.value = value
+
+    issuerName = property(_getIssuerName, _setIssuerName, 
+                        doc="Distinguished Name of issuer of SAML Attribute "
+                            "Query to Attribute Authority")
 
     def _getVerifyTimeConditions(self):
@@ -125 +194 @@
                                     doc='Set to True to verify any time '
                                         'Conditions set in the returned '
-                                        'response assertions')
-        
-    def _getSubjectID(self):
-        return self.__subjectID
-
-    def _setSubjectID(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "subjectID"; got %r '
-                            'instead' % type(value))
-        self.__subjectID = value
-
-    subjectID = property(_getSubjectID, _setSubjectID, 
-                         doc="ID to be sent as query subject")  
-
-    def _getIssuerName(self):
-        return self.__issuerName
-
-    def _setIssuerName(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "issuerName"; '
-                            'got %r instead' % type(value))
-            
-        self.__issuerName = value
-
-    issuerName = property(_getIssuerName, _setIssuerName, 
-                        doc="Distinguished Name of issuer of SAML Attribute "
-                            "Query to Attribute Authority")
+                                        'response assertions')  
 
     def _getClockSkewTolerance(self):
@@ -172 +215 @@
                                       "assertion condition notBefore and "
                                       "notOnOrAfter times to allow for clock "
-                                      "skew")  
-
-    def _createQuery(self, queryClass=SubjectQuery):
-        """ Create a SAML SubjectQuery derived type instance
-        @param queryClass: query type to create - must be 
-        saml.saml2.core.SubjectQuery type
-        @type queryClass: type
-        @return: query instance
-        @rtype: saml.saml2.core.SubjectQuery
-        """
-        if not issubclass(queryClass, SubjectQuery):
-            raise TypeError('Query class %r is not a SubjectQuery derived type'
-                            % queryClass)
-            
-        query = queryClass()
-        query.version = SAMLVersion(SAMLVersion.VERSION_20)
-        query.id = str(uuid4())
-        query.issueInstant = datetime.utcnow()
-        
+                                      "skew")
+    
+    def _validateQueryParameters(self):
+        """Perform sanity check immediately before creating the query and 
+        sending it"""
         if self.issuerName is None:
-            raise AttributeError('No issuer DN has been set for SAML Query')
-        
-        query.issuer = Issuer()
-        query.issuer.format = self.issuerFormat
-        query.issuer.value = self.issuerName
-                        
-        query.subject = Subject()  
-        query.subject.nameID = NameID()
-        query.subject.nameID.format = self.subjectIdFormat
-        query.subject.nameID.value = self.subjectID
-            
-        return query
+            raise AttributeError('No issuer name has been set for SAML Query')
+
+        if self.issuerFormat is None:
+            raise AttributeError('No issuer format has been set for SAML Query')
+        
+        if self.subjectID is None:
+            raise AttributeError('No subject has been set for SAML Query')
+        
+        if self.subjectIdFormat is None:
+            raise AttributeError('No subject format has been set for SAML '
+                                 'Query')
+
+    def _initSend(self):
+        """Perform any final initialisation prior to sending the query - derived
+        classes may overload to specify as required"""
+        self.__query.issueInstant = datetime.utcnow()
 
     def send(self, **kw):
@@ -214 +247 @@
         defaults to ndg.security.common.soap.client.UrlLib2SOAPRequest
         '''
-        query = self._createQuery()
-            
-        response = super(SubjectQuerySOAPBinding, self).send(query, **kw)
+        self._validateQueryParameters() 
+        self._initSend()
+           
+        response = super(SubjectQuerySOAPBinding, self).send(self.query, **kw)
 
         # Perform validation

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/esg/xml/etree.py

@@ -16 +16 @@
 
 from saml.xml import XMLTypeParseError, UnknownAttrProfile
-from saml.xml.etree import AttributeValueElementTreeBase, QName
+from saml.xml.etree import (AttributeValueElementTreeBase, ResponseElementTree,
+                            QName)
 
 from ndg.security.common.saml_utils.esg import XSGroupRoleAttributeValue
@@ -138 +139 @@
         return None
 
+
+class EsgResponseElementTree(ResponseElementTree):
+    """Extend ResponseElementTree type for Attribute Query Response to include 
+    ESG custom Group/Role Attribute support"""
+    
+    @classmethod
+    def toXML(cls, response, **kw):
+        # Add mapping for ESG Group/Role Attribute Value to enable ElementTree
+        # Attribute Value factory to render the XML output
+        toXMLTypeMap = kw.get('customToXMLTypeMap', {})
+        toXMLTypeMap[XSGroupRoleAttributeValue
+                     ] = XSGroupRoleAttributeValueElementTree
+        
+        kw['customToXMLTypeMap'] = toXMLTypeMap
+        
+        # Convert to ElementTree representation to enable attachment to SOAP
+        # response body
+        return ResponseElementTree.toXML(response, **kw)
+    
+    @classmethod
+    def fromXML(cls, elem, **kw):
+        toSAMLTypeMap = kw.get('customToSAMLTypeMap', [])
+        toSAMLTypeMap.append(
+                        XSGroupRoleAttributeValueElementTree.factoryMatchFunc)
+        kw['customToSAMLTypeMap'] = toSAMLTypeMap
+        
+        return ResponseElementTree.fromXML(elem, **kw)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/soap/client.py

@@ -137 +137 @@
     def __init__(self):
         self.__fileobject = None
-
-    def _getFileobject(self):
+        
+    @property
+    def fileobject(self):
+        "urllib2 file object returned from request"
         return self.__fileobject
-
-    fileobject = property(fget=_getFileobject,
-                          doc="urllib2 file object returned from request")
 
     
 class UrlLib2SOAPClient(SOAPClientBase):
     """urllib2 based SOAP Client"""
+    DEFAULT_HTTP_HEADER = {'Content-type': 'text/xml'}
     
     def __init__(self):
@@ -154 +154 @@
         self.__openerDirector.add_handler(urllib2.HTTPHandler())
         self.__timeout = None
+        self.__httpHeader = UrlLib2SOAPClient.DEFAULT_HTTP_HEADER.copy()
+
+    def _getHttpHeader(self):
+        return self.__httpHeader
+
+    def _setHttpHeader(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for "httpHeader" attribute; '
+                            'got %r instead' % type(value))
+        self.__httpHeader = value
+
+    httpHeader = property(_getHttpHeader, _setHttpHeader, 
+                          doc="Set HTTP header fields in this dict object")
 
     def _getTimeout(self):
@@ -203 +216 @@
             
         soapRequestStr = soapRequest.envelope.serialize()
-        
-        if log.level <= logging.DEBUG:
+
+        if log.getEffectiveLevel() <= logging.DEBUG:
             from ndg.security.common.utils.etree import prettyPrint
             log.debug("SOAP Request:")
@@ -211 +224 @@
 
         soapResponse = UrlLib2SOAPResponse()
-        response = self.openerDirector.open(soapRequest.url, 
+        urllib2Request = urllib2.Request(soapRequest.url) 
+        for i in self.httpHeader.items():
+            urllib2Request.add_header(*i)
+            
+        response = self.openerDirector.open(urllib2Request, 
                                             soapRequestStr, 
                                             *arg)
         if response.code != httplib.OK:
-            output = response.read()
             excep = HTTPException("Response for request to [%s] is: %d %s" % 
                                   (soapRequest.url, 

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/soap/etree.py

@@ -148 +148 @@
         
         self.qname = QName(SOAPEnvelopeBase.DEFAULT_ELEMENT_NS, 
-                             tag=SOAPEnvelopeBase.DEFAULT_ELEMENT_LOCAL_NAME, 
-                             prefix=SOAPEnvelopeBase.DEFAULT_ELEMENT_NS_PREFIX)
+                           tag=SOAPEnvelopeBase.DEFAULT_ELEMENT_LOCAL_NAME, 
+                           prefix=SOAPEnvelopeBase.DEFAULT_ELEMENT_NS_PREFIX)
         self.__header = SOAPHeader()
         self.__body = SOAPBody()

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -9 +9 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
-__license__ = "BSD - see LICENSE file in top-levle directory"
+__license__ = "BSD - see LICENSE file in top-level directory"
+import logging
+log = logging.getLogger(__name__)
+import traceback
+from cStringIO import StringIO
+from uuid import uuid4
+from datetime import datetime
+from xml.etree import ElementTree
+
+from saml.saml2.core import Response, AttributeQuery, Status, StatusCode 
+from saml.xml import UnknownAttrProfile
+from saml.xml.etree import AttributeQueryElementTree, ResponseElementTree
+
+from ndg.security.common.saml_utils.esg import XSGroupRoleAttributeValue
+from ndg.security.common.saml_utils.esg.xml.etree import (
+                                        XSGroupRoleAttributeValueElementTree)
+from ndg.security.common.soap.etree import SOAPEnvelope
+from ndg.security.common.utils.factory import importModuleObject
+from ndg.security.server.wsgi import NDGSecurityPathFilter
+from ndg.security.server.wsgi.soap import SOAPMiddleware
+
+
+class SOAPQueryInterfaceMiddlewareError(Exception):
+    """Base class for WSGI SAML 2.0 SOAP Query Interface Errors"""
+
+
+class SOAPQueryInterfaceMiddlewareConfigError(Exception):
+    """WSGI SAML 2.0 SOAP Query Interface Configuration problem"""
+
+  
+class SOAPQueryInterfaceMiddleware(SOAPMiddleware, NDGSecurityPathFilter):
+    """Implementation of SAML 2.0 SOAP Binding for Query/Request Binding
+    
+    @type PATH_OPTNAME: basestring
+    @cvar PATH_OPTNAME: name of app_conf option for specifying a path or paths
+    that this middleware will intercept and process
+    @type QUERY_INTERFACE_KEYNAME_OPTNAME: basestring
+    @cvar QUERY_INTERFACE_KEYNAME_OPTNAME: app_conf option name for key name
+    used to reference the SAML query interface in environ
+    @type DEFAULT_QUERY_INTERFACE_KEYNAME: basestring
+    @param DEFAULT_QUERY_INTERFACE_KEYNAME: default key name for referencing
+    SAML query interface in environ
+    """
+    log = logging.getLogger('SOAPQueryInterfaceMiddleware')
+    PATH_OPTNAME = "pathMatchList"
+    QUERY_INTERFACE_KEYNAME_OPTNAME = "queryInterfaceKeyName"
+    DEFAULT_QUERY_INTERFACE_KEYNAME = ("ndg.security.server.wsgi.saml."
+                            "SOAPQueryInterfaceMiddleware.queryInterface")
+    
+    REQUEST_ENVELOPE_CLASS_OPTNAME = 'requestEnvelopeClass'
+    RESPONSE_ENVELOPE_CLASS_OPTNAME = 'responseEnvelopeClass'
+    SERIALISE_OPTNAME = 'serialise'
+    DESERIALISE_OPTNAME = 'deserialise' 
+     
+    CONFIG_FILE_OPTNAMES = (
+        PATH_OPTNAME,
+        QUERY_INTERFACE_KEYNAME_OPTNAME,
+        DEFAULT_QUERY_INTERFACE_KEYNAME,
+        REQUEST_ENVELOPE_CLASS_OPTNAME,
+        RESPONSE_ENVELOPE_CLASS_OPTNAME,
+        SERIALISE_OPTNAME,
+        DESERIALISE_OPTNAME
+    )
+    
+    def __init__(self, app):
+        '''@type app: callable following WSGI interface
+        @param app: next middleware application in the chain 
+        '''     
+        NDGSecurityPathFilter.__init__(self, app, None)
+        
+        self._app = app
+        
+        # Set defaults
+        cls = SOAPQueryInterfaceMiddleware
+        self.__queryInterfaceKeyName = cls.DEFAULT_QUERY_INTERFACE_KEYNAME
+        self.pathMatchList = ['/']
+        self.__requestEnvelopeClass = None
+        self.__responseEnvelopeClass = None
+        self.__serialise = None
+        self.__deserialise = None
+                 
+    def initialise(self, global_conf, prefix='', **app_conf):
+        '''
+        @type global_conf: dict        
+        @param global_conf: PasteDeploy global configuration dictionary
+        @type prefix: basestring
+        @param prefix: prefix for configuration items
+        @type app_conf: dict        
+        @param app_conf: PasteDeploy application specific configuration 
+        dictionary
+        '''
+        cls = SOAPQueryInterfaceMiddleware
+        
+        # Override where set in config
+        for name in SOAPQueryInterfaceMiddleware.CONFIG_FILE_OPTNAMES:
+            val = app_conf.get(prefix + name)
+            if val is not None:
+                setattr(self, name, val)
+
+        if self.serialise is None:
+            raise AttributeError('No "serialise" method set to serialise the '
+                                 'SAML response from this middleware.')
+
+        if self.deserialise is None:
+            raise AttributeError('No "deserialise" method set to parse the '
+                                 'SAML request to this middleware.')
+            
+    def _getSerialise(self):
+        return self.__serialise
+
+    def _setSerialise(self, value):
+        if isinstance(value, basestring):
+            self.__serialise = importModuleObject(value)
+            
+        elif callable(value):
+            self.__serialise = value
+        else:
+            raise TypeError('Expecting callable for "serialise"; got %r' % 
+                            value)
+
+    serialise = property(_getSerialise, _setSerialise, 
+                         doc="callable to serialise request into XML type")
+
+    def _getDeserialise(self):
+        return self.__deserialise
+
+    def _setDeserialise(self, value):
+        if isinstance(value, basestring):
+            self.__deserialise = importModuleObject(value)
+            
+        elif callable(value):
+            self.__deserialise = value
+        else:
+            raise TypeError('Expecting callable for "deserialise"; got %r' % 
+                            value)
+        
+
+    deserialise = property(_getDeserialise, 
+                           _setDeserialise, 
+                           doc="callable to de-serialise response from XML "
+                               "type")        
+    @classmethod
+    def filter_app_factory(cls, app, global_conf, **app_conf):
+        """Set-up using a Paste app factory pattern.  Set this method to avoid
+        possible conflicts from multiple inheritance
+        
+        @type app: callable following WSGI interface
+        @param app: next middleware application in the chain      
+        @type global_conf: dict        
+        @param global_conf: PasteDeploy global configuration dictionary
+        @type prefix: basestring
+        @param prefix: prefix for configuration items
+        @type app_conf: dict        
+        @param app_conf: PasteDeploy application specific configuration 
+        dictionary
+        """
+        app = cls(app)
+        app.initialise(global_conf, **app_conf)
+        
+        return app
+    
+    def _getQueryInterfaceKeyName(self):
+        return self.__queryInterfaceKeyName
+
+    def _setQueryInterfaceKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "queryInterfaceKeyName"'
+                            ' got %r' % value)
+            
+        self.__queryInterfaceKeyName = value
+
+    queryInterfaceKeyName = property(fget=_getQueryInterfaceKeyName, 
+                                     fset=_setQueryInterfaceKeyName, 
+                                     doc="environ keyname for Attribute Query "
+                                         "interface")
+    
+    @NDGSecurityPathFilter.initCall
+    def __call__(self, environ, start_response):
+        """Check for and parse a SOAP SAML Attribute Query and return a
+        SAML Response
+        
+        @type environ: dict
+        @param environ: WSGI environment variables dictionary
+        @type start_response: function
+        @param start_response: standard WSGI start response function
+        """
+    
+        # Ignore non-matching path
+        if not self.pathMatch:
+            return self._app(environ, start_response)
+          
+        # Ignore non-POST requests
+        if environ.get('REQUEST_METHOD') != 'POST':
+            return self._app(environ, start_response)
+        
+        soapRequestStream = environ.get('wsgi.input')
+        if soapRequestStream is None:
+            raise SOAPQueryInterfaceMiddlewareError('No "wsgi.input" in '
+                                                    'environ')
+        
+        # TODO: allow for chunked data
+        contentLength = environ.get('CONTENT_LENGTH')
+        if contentLength is None:
+            raise SOAPQueryInterfaceMiddlewareError('No "CONTENT_LENGTH" in '
+                                                    'environ')
+
+        contentLength = int(contentLength)        
+        soapRequestTxt = soapRequestStream.read(contentLength)
+        
+        # Parse into a SOAP envelope object
+        soapRequest = SOAPEnvelope()
+        soapRequest.parse(StringIO(soapRequestTxt))
+        
+        log.debug("SOAPQueryInterfaceMiddleware.__call__: received SAML "
+                  "SOAP AttributeQuery ...")
+       
+        queryElem = soapRequest.body.elem[0]
+        
+        try:
+            query = self.deserialise(queryElem)
+        except UnknownAttrProfile:
+            log.exception("%r raised parsing incoming query: " % 
+                          (type(e), traceback.format_exc()))
+            samlResponse = self._makeErrorResponse(
+                                        StatusCode.UNKNOWN_ATTR_PROFILE_URI)
+        else:   
+            # Check for Query Interface in environ
+            queryInterface = environ.get(self.queryInterfaceKeyName)
+            if queryInterface is None:
+                raise SOAPQueryInterfaceMiddlewareConfigError(
+                                'No query interface "%s" key found in environ' %
+                                self.queryInterfaceKeyName)
+            
+            # Call query interface        
+            samlResponse = queryInterface(query)
+        
+        # Convert to ElementTree representation to enable attachment to SOAP
+        # response body
+        samlResponseElem = self.serialise(samlResponse)
+        
+        # Create SOAP response and attach the SAML Response payload
+        soapResponse = SOAPEnvelope()
+        soapResponse.create()
+        soapResponse.body.elem.append(samlResponseElem)
+        
+        response = soapResponse.serialize()
+        
+        log.debug("SOAPQueryInterfaceMiddleware.__call__: sending response "
+                  "...\n\n%s",
+                  response)
+        start_response("200 OK",
+                       [('Content-length', str(len(response))),
+                        ('Content-type', 'text/xml')])
+        return [response]
+
+    def _makeErrorResponse(self, code):
+        """Convenience method for making a basic response following an error
+        """
+        samlResponse = Response()
+        
+        samlResponse.issueInstant = datetime.utcnow()            
+        samlResponse.id = str(uuid4())
+        
+        # Initialise to success status but reset on error
+        samlResponse.status = Status()
+        samlResponse.status.statusCode = StatusCode()
+        samlResponse.status.statusCode.value = code
+        
+        return samlResponse
+

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/attributeinterface.py

@@ -192 +192 @@
             if queryInterface is None:
                 raise SOAPAttributeInterfaceMiddlewareConfigError(
-                                'No query interface "%s" key found in environ'%
+                                'No query interface "%s" key found in environ' %
                                 self.queryInterfaceKeyName)
             

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py

@@ -79 +79 @@
     ISSUER_NAME = "/O=Site A/CN=Attribute Authority"
     
-    INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = str(
-                    X500DN.fromString("/O=Site B/CN=Authorisation Service"))
+    INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = X500DN.fromString(
+                                        "/O=Site B/CN=Authorisation Service")
     
     def __init__(self, propertiesFilePath=None):
@@ -94 +94 @@
         requestedAttributeNames = [attribute.name 
                                    for attribute in attributeQuery.attributes]
+        if attributeQuery.issuer.format != Issuer.X509_SUBJECT:
+            raise InvalidRequestorId('Requestor issuer format "%s" is invalid' %
+                                     attributeQuery.issuerFormat.value)
+            
         requestorId = X500DN.fromString(attributeQuery.issuer.value)
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/__init__.py

@@ -15 +15 @@
 from ndg.security.test.unit import BaseTestCase
 
+
 class TestApp(object):
+    """Dummy application to terminate middleware stack containing SAML service
+    """
     def __init__(self, global_conf, **app_conf):
         pass
@@ -38 +41 @@
         self.app = paste.fixture.TestApp(wsgiapp)
          
-        unittest.TestCase.__init__(self, *args, **kwargs)
+        BaseTestCase.__init__(self, *args, **kwargs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/attribute-interface.ini

@@ -21 +21 @@
 
 [filter:SAMLSoapAttributeInterfaceFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml.attributeinterface:SOAPAttributeInterfaceMiddleware.filter_app_factory
+paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
 saml.pathMatchList = /attributeauthority/saml
 saml.queryInterfaceKeyName = attributeQueryInterface
+saml.deserialise = saml.xml.etree:AttributeQueryElementTree.fromXML
+
+# Specialisation to incorporate ESG Group/Role type
+saml.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
 #______________________________________________________________________________

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-decision-interface.ini

@@ -15 +15 @@
 
 [pipeline:main]
-pipeline = AttributeAuthorityFilter SAMLSoapAttributeInterfaceFilter TestApp
+pipeline = TestAuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter TestApp
 
 [app:TestApp]
 paste.app_factory = ndg.security.test.unit.wsgi.saml:TestApp
 
-[filter:SAMLSoapAttributeInterfaceFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml.attributeinterface:SOAPAttributeInterfaceMiddleware.filter_app_factory
+[filter:SAMLSoapAuthzDecisionInterfaceFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
-saml.pathMatchList = /attributeauthority/saml
-saml.queryInterfaceKeyName = attributeQueryInterface
+saml.pathMatchList = /authorisationservice
+saml.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
+saml.deserialise = saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
+saml.serialise = saml.xml.etree:ResponseElementTree.toXML
 
 #______________________________________________________________________________
-# Attribute Authority WSGI settings
+# Authorisation Service WSGI settings
 #
-[filter:AttributeAuthorityFilter]
+[filter:TestAuthorisationServiceFilter]
 # This filter is a container for a binding to a SOAP based interface to the
 # Attribute Authority
-paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
-
-prefix = attributeAuthority.
-
-attributeAuthority.environKeyName: attributeauthority
-attributeAuthority.environKeyNameAttributeQueryInterface: attributeQueryInterface
-
-# Attribute Authority settings
-# 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: Site A
-
-# Lifetime is measured in seconds
-attributeAuthority.attCertLifetime: 28800 
-
-# Allow an offset for clock skew between servers running 
-# security services. NB, measured in seconds - use a minus sign for time in the
-# past
-attributeAuthority.attCertNotBeforeOff: 0
-
-# All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
-
-# Files in attCertDir are stored using a rotating file handler
-# attCertFileLogCnt sets the max number of files created before the first is 
-# overwritten
-attributeAuthority.attCertFileName: ac.xml
-attributeAuthority.attCertFileLogCnt: 16
-attributeAuthority.dnSeparator:/
-
-# Location of role mapping file
-attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
-
-# Settings for custom AttributeInterface derived class to get user roles for given 
-# user ID
-attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeAuthority.attributeInterface.modName: ndg.security.test.config.attributeauthority.sitea.siteAUserRoles
-attributeAuthority.attributeInterface.className: TestUserRoles
-
-# Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
-attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
-attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
+paste.filter_app_factory = ndg.security.test.unit.wsgi.saml.test_soapauthzdecisioninterface:TestAuthorisationServiceMiddleware
+queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapattributeinterface.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
+import unittest
 from uuid import uuid4
 from datetime import datetime
@@ -22 +23 @@
 from ndg.security.common.soap.etree import SOAPEnvelope
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
-
-
-class SOAPAttributeInterfaceMiddlewareTestCase(unittest.TestCase):
+from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
+
+
+class SOAPAttributeInterfaceMiddlewareTestCase(
+                                        SoapSamlInterfaceMiddlewareTestCase):
     CONFIG_FILENAME = 'attribute-interface.ini'
     
@@ -179 +182 @@
                      StatusCode.INVALID_ATTR_NAME_VALUE_URI)
         
-    def test04InvalidIssuer(self):
-        request = self._makeRequest(issuer="My Attribute Query Issuer")
+    def test04InvalidQueryIssuer(self):
+        request = self._makeRequest(issuer="/CN=My Attribute Query Issuer")
         
         header = {

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -1 +1 @@
 #!/usr/bin/env python
-"""Unit tests for WSGI SAML 2.0 SOAP Attribute Query Interface
+"""Unit tests for WSGI SAML 2.0 SOAP Authorisation Decision Query Interface
 
 NERC DataGrid Project
 """
 __author__ = "P J Kershaw"
-__date__ = "21/08/09"
-__copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__date__ = "15/02/2010"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
 __license__ = "BSD - see LICENSE file in top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
+import unittest
 from uuid import uuid4
-from datetime import datetime
+from datetime import datetime, timedelta
 from cStringIO import StringIO
 
-from saml.saml2.core import (Attribute, SAMLVersion, Subject, NameID, Issuer, 
-                             AttributeQuery, XSStringAttributeValue, 
-                             StatusCode)
-from saml.xml import XMLConstants
-from saml.xml.etree import AttributeQueryElementTree, ResponseElementTree
+from saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer, Response,
+                             AuthzDecisionQuery, AuthzDecisionStatement, Status,
+                             StatusCode, StatusMessage, DecisionType, Action, 
+                             Conditions, Assertion)
+from saml.xml.etree import AuthzDecisionQueryElementTree, ResponseElementTree
 
 from ndg.security.common.soap.etree import SOAPEnvelope
@@ -25 +26 @@
 
 
-class SOAPAuthzDecisionInterfaceMiddlewareTestCase(unittest.TestCase):
+class TestAuthorisationServiceMiddleware(object):
+    """Test Authorisation Service interface stub"""
+    QUERY_INTERFACE_KEYNAME_OPTNAME = 'queryInterfaceKeyName'
+    RESOURCE_URI = 'http://localhost/dap/data/'
+    ISSUER_DN = '/O=Site A/CN=PDP'
+    
+    def __init__(self, app, global_conf, **app_conf):
+        self.queryInterfaceKeyName = app_conf[
+            TestAuthorisationServiceMiddleware.QUERY_INTERFACE_KEYNAME_OPTNAME]
+        self._app = app
+    
+    def __call__(self, environ, start_response):
+        environ[self.queryInterfaceKeyName] = self.authzDecisionQueryFactory()
+        return self._app(environ, start_response)
+    
+    def authzDecisionQueryFactory(self):
+        def authzDecisionQuery(query):
+            response = Response()
+            now = datetime.utcnow()
+            response.issueInstant = now
+            
+            # Make up a request ID that this response is responding to
+            response.inResponseTo = query.id
+            response.id = str(uuid4())
+            response.version = SAMLVersion(SAMLVersion.VERSION_20)
+                
+            response.issuer = Issuer()
+            response.issuer.format = Issuer.X509_SUBJECT
+            response.issuer.value = TestAuthorisationServiceMiddleware.ISSUER_DN
+            
+            response.status = Status()
+            response.status.statusCode = StatusCode()
+            response.status.statusCode.value = StatusCode.SUCCESS_URI
+            response.status.statusMessage = StatusMessage()        
+            response.status.statusMessage.value = \
+                                                "Response created successfully"
+               
+            assertion = Assertion()
+            assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+            assertion.id = str(uuid4())
+            assertion.issueInstant = now
+            
+            authzDecisionStatement = AuthzDecisionStatement()
+            authzDecisionStatement.decision = DecisionType.PERMIT
+            authzDecisionStatement.resource = \
+                TestAuthorisationServiceMiddleware.RESOURCE_URI
+            authzDecisionStatement.actions.append(Action())
+            authzDecisionStatement.actions[-1].namespace = Action.GHPP_NS_URI
+            authzDecisionStatement.actions[-1].value = Action.HTTP_GET_ACTION
+            assertion.authzDecisionStatements.append(authzDecisionStatement)
+            
+            # Add a conditions statement for a validity of 8 hours
+            assertion.conditions = Conditions()
+            assertion.conditions.notBefore = now
+            assertion.conditions.notOnOrAfter = now + timedelta(seconds=60*60*8)
+                   
+            assertion.subject = Subject()  
+            assertion.subject.nameID = NameID()
+            assertion.subject.nameID.format = query.subject.nameID.format
+            assertion.subject.nameID.value = query.subject.nameID.value
+                
+            assertion.issuer = Issuer()
+            assertion.issuer.format = Issuer.X509_SUBJECT
+            assertion.issuer.value = \
+                                    TestAuthorisationServiceMiddleware.ISSUER_DN
+    
+            response.assertions.append(assertion)
+            return response
+        
+        return authzDecisionQuery
+    
+    
+class SOAPAuthzDecisionInterfaceMiddlewareTestCase(
+                                        SoapSamlInterfaceMiddlewareTestCase):
     CONFIG_FILENAME = 'authz-decision-interface.ini'
 
     def _createAuthzDecisionQuery(self, 
-                        issuer="/O=Site A/CN=Authorisation Service",
-                        subject="https://openid.localhost/philip.kershaw"):
-        query = AttributeQuery()
+                    issuer="/O=Site A/CN=PEP",
+                    subject="https://openid.localhost/philip.kershaw",
+                    resource=TestAuthorisationServiceMiddleware.RESOURCE_URI,
+                    action=Action.HTTP_GET_ACTION,
+                    actionNs=Action.GHPP_NS_URI):
+        query = AuthzDecisionQuery()
         query.version = SAMLVersion(SAMLVersion.VERSION_20)
         query.id = str(uuid4())
@@ -45 +122 @@
         query.subject.nameID.value = subject
                                     
-        
-        # special case handling for 'FirstName' attribute
-        fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
-        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        fnAttribute.friendlyName = "FirstName"
-
-        query.attributes.append(fnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
-        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        lnAttribute.friendlyName = "LastName"
-
-        query.attributes.append(lnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
-        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
-        emailAddressAttribute.friendlyName = "emailAddress"
-
-        query.attributes.append(emailAddressAttribute)  
+        query.resource = resource         
+        query.actions.append(Action())
+        query.actions[0].namespace = actionNs
+        query.actions[0].value = action    
 
         return query
@@ -79 +135 @@
             query = self._createAuthzDecisionQuery(**kw)
             
-        elem = AuthzDecusionQueryElementTree.toXML(query)
+        elem = AuthzDecisionQueryElementTree.toXML(query)
         soapRequest = SOAPEnvelope()
         soapRequest.create()
@@ -115 +171 @@
             'Content-type': 'text/xml'
         }
-        response = self.app.post('/attributeauthority/saml', 
+        response = self.app.post('/authorisationservice/', 
                                  params=request, 
                                  headers=header, 
@@ -127 +183 @@
         self.assert_(samlResponse.assertions[0].subject.nameID.value == \
                      query.subject.nameID.value)
-
-    def test02AttributeReleaseDenied(self):
-        request = self._makeRequest(issuer="/O=Site B/CN=Authorisation Service")
+        self.assert_(samlResponse.assertions[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
+                                            ].decision == DecisionType.PERMIT)
         
-        header = {
-            'soapAction': "http://www.oasis-open.org/committees/security",
-            'Content-length': str(len(request)),
-            'Content-type': 'text/xml'
-        }
-        
-        response = self.app.post('/attributeauthority/saml', 
-                                 params=request, 
-                                 headers=header, 
-                                 status=200)
-        
-        print("Response status=%d" % response.status)
-        
-        samlResponse = self._getSAMLResponse(response.body)
-
-        self.assert_(samlResponse.status.statusCode.value == \
-                     StatusCode.INVALID_ATTR_NAME_VALUE_URI)
-
-    def test03InvalidAttributesRequested(self):
-        query = self._createAuthzDecisionQuery()
-        
-        # Add an unsupported Attribute name
-        attribute = Attribute()
-        attribute.name = "urn:my:attribute"
-        attribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
-        attribute.friendlyName = "myAttribute"
-        query.attributes.append(attribute)     
-        
-        request = self._makeRequest(query=query)
-           
-        header = {
-            'soapAction': "http://www.oasis-open.org/committees/security",
-            'Content-length': str(len(request)),
-            'Content-type': 'text/xml'
-        }
-       
-        response = self.app.post('/attributeauthority/saml', 
-                                 params=request, 
-                                 headers=header, 
-                                 status=200)
-        
-        print("Response status=%d" % response.status)
-        
-        samlResponse = self._getSAMLResponse(response.body)
-
-        self.assert_(samlResponse.status.statusCode.value == \
-                     StatusCode.INVALID_ATTR_NAME_VALUE_URI)
-        
-    def test04InvalidIssuer(self):
-        request = self._makeRequest(issuer="My Attribute Query Issuer")
-        
-        header = {
-            'soapAction': "http://www.oasis-open.org/committees/security",
-            'Content-length': str(len(request)),
-            'Content-type': 'text/xml'
-        }
-       
-        response = self.app.post('/attributeauthority/saml', 
-                                 params=request, 
-                                 headers=header, 
-                                 status=200)
-        
-        print("Response status=%d" % response.status)
-        
-        samlResponse = self._getSAMLResponse(response.body)
-
-        self.assert_(samlResponse.status.statusCode.value == \
-                     StatusCode.REQUEST_DENIED_URI)
-
-    def test05UnknownPrincipal(self):
-        request = self._makeRequest(subject="Joe.Bloggs")
-        
-        header = {
-            'soapAction': "http://www.oasis-open.org/committees/security",
-            'Content-length': str(len(request)),
-            'Content-type': 'text/xml'
-        }
-        
-        response = self.app.post('/attributeauthority/saml', 
-                                 params=request, 
-                                 headers=header, 
-                                 status=200)
-        
-        print("Response status=%d" % response.status)
-        
-        samlResponse = self._getSAMLResponse(response.body)
-
-        self.assert_(samlResponse.status.statusCode.value == \
-                     StatusCode.UNKNOWN_PRINCIPAL_URI)
-
+    def test02(self):
+        pass
  
 if __name__ == "__main__":