Changeset 6586 for TI12-security/trunk/NDGSecurity

Timestamp:

19/02/10 11:29:39 (11 years ago)

Author:

pjkersha

Message:

Started ESG Authorisation Service implementation ndg.security.server.wsgi.authorizationservice - SAML SOAP based interface to a Policy Decision Point enabling centralised policy for a range of services.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/authz/msi.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/authz/xacml/__init__.py (modified) (4 diffs)
• ndg_security_common/ndg/security/common/authz/xacml/cond/factory.py (modified) (3 diffs)
• ndg_security_server/ndg/security/server/wsgi/attributeauthority.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authorizationservice.py (added)
• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/saml/attributeinterface.py (deleted)
• ndg_security_server/ndg/security/server/wsgi/saml/authzinterface.py (deleted)
• ndg_security_server/ndg/security/server/wsgi/wssecurity.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/zsi.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini (modified) (5 diffs)
• ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/config.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py

@@ -815 +815 @@
 PIP = NdgPIP
 
-          
+            
 class PDP(object):
     """Policy Decision Point"""

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/__init__.py

@@ -689 +689 @@
     id = None
 
+
 class DenyOverrides(RuleCombiningAlg):
    '''Deny-overrides: If any rule evaluates to Deny, then the final 
    authorization decision is also Deny.'''
    id = 'Deny-overrides'
+   
    
 class OrderedDenyOverrides(RuleCombiningAlg):
@@ -700 +702 @@
     id = 'Ordered-deny-overrides'
     
+    
 class PermitOverrides(RuleCombiningAlg):
     '''Permit-overrides: If any rule evaluates to Permit, then the final 
     authorization decision is also Permit.'''
+    
     
 class OrderedPermitOverrides(RuleCombiningAlg):
@@ -710 +714 @@
     id = 'Ordered-permit-overrides'
     
+    
 class FirstApplicable(RuleCombiningAlg):
     '''First-applicable: The result of the first relevant rule encountered is 
@@ -795 +800 @@
         raise NotImplementedError()
 
-    def getSubjectAttribute(self, type, id, category):
-        '''Returns available subject attribute value(s) ignoring the issuer.
-     
-        @param type the type of the attribute value(s) to find
-        @param id the id of the attribute value(s) to find
-        @param category the category the attribute value(s) must be in
-     
-        @return a result containing a bag either empty because no values were
-        found or containing at least one value, or status associated with an
-        Indeterminate result'''
-        raise NotImplementedError()
-
-    def getSubjectAttribute(self, type, id, issuer, category):
+    def getSubjectAttribute(self, type, id, issuer=None, category=None):
         '''Returns available subject attribute value(s).
      

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/cond/factory.py

@@ -294 +294 @@
         self.functionMap[functionId] = function
     
-        
     def addAbstractFunction(self, proxy, functionId):
         '''Adds the abstract function proxy to the factory. This is used for
@@ -330 +329 @@
         return functions
     
-
     def createFunction(self, identity):
         '''Tries to get an instance of the specified function.
@@ -354 +352 @@
             raise UnknownIdentifierException("functions of type [%s] are not "
                                              "supported by this factory" % 
-                                             identity)        
-    
+                                             identity)
     
     def createAbstractFunction(self, identity, root):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/attributeauthority.py

@@ -17 +17 @@
 from ndg.security.server.wsgi.zsi import SOAPBindingMiddleware
 
+
 class AttributeAuthorityMiddleware(NDGSecurityMiddlewareBase):
     '''WSGI to add an NDG Security Attribute Authority in the environ.  This
-    enables multiple WSGi filters to access the same underlying Attribute
+    enables multiple WSGI filters to access the same underlying Attribute
     Authority instance e.g. provide SAML SOAP and WSDL SOAP based interfaces
     to the same Attribute Authority

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -215 +215 @@
                                                     'environ')
 
-        contentLength = int(contentLength)        
+        contentLength = int(contentLength)
         soapRequestTxt = soapRequestStream.read(contentLength)
         

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/wssecurity.py

@@ -33 +33 @@
     Overload pathMatch lambda so that it is more inclusive: the default is
     for all paths to be processed by the handlers"""
-    pathMatch = lambda self, environ: environ['PATH_INFO'].startswith(self.path)
+    def pathMatch(self, environ): 
+        if environ['PATH_INFO'].endswith('/'):
+            path == environ['PATH_INFO']
+        else:
+            path = environ['PATH_INFO'] + '/'
+            
+        return path == self.path
 
 
@@ -189 +195 @@
     def __call__(self, environ, start_response):
         '''Verify message signature'''
-        if not SignatureVerificationFilter.isSOAPMessage(environ) or \
-           not self.pathMatch(environ):
+        if (not SignatureVerificationFilter.isSOAPMessage(environ) or 
+           not self.pathMatch(environ)):
             log.debug("SignatureVerificationFilter.__call__: Non-SOAP "
                       "request or path doesn't match SOAP endpoint specified "

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/zsi.py

@@ -91 +91 @@
         self._app = app
         self.__charset = ZSIMiddleware.DEFAULT_CHARSET
-        self.__path = None
+        self.__path = '/'
         self.__referencedFilterKeys = None
         self.__publishedURI = None
@@ -199 +199 @@
         pathOptName = prefix + ZSIMiddleware.PATH_OPTNAME
         if pathOptName in app_conf:
-            if app_conf[pathOptName] != '/':
-                self.path = app_conf[pathOptName].rstrip('/')
+            if not app_conf[pathOptName].endswith('/'):
+                self.path = app_conf[pathOptName] + '/'
             else:
                 self.path = app_conf[pathOptName]
-        else:
-            self.path = '/'
 
         # This flag if set to True causes this handler to call the 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

@@ -13 +13 @@
 attributeAuthorityEnvironKeyName = attribute-authority
 attributeQueryInterfaceEnvironKeyName = attributeQueryInterface
+attributeAuthoritySoapWsdlServicePath = /AttributeAuthority
 
 [server:main]
@@ -93 +94 @@
 
 service.soap.binding.referencedFilters = wsseSignatureVerificationFilter01
-service.soap.binding.path = /AttributeAuthority
+service.soap.binding.path = %(attributeAuthoritySoapWsdlServicePath)s
 service.soap.binding.enableWSDLQuery = True
 service.soap.binding.charset = utf-8
@@ -107 +108 @@
 prefix = saml.soapbinding.
 
-saml.soapbinding.serialise = saml.xml.etree:ResponseElementTree.toXML
 saml.soapbinding.deserialise = saml.xml.etree:AttributeQueryElementTree.fromXML
+
+# Specialisation to incorporate ESG Group/Role type
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+
 saml.soapbinding.pathMatchList = /AttributeAuthority/saml
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
@@ -116 +120 @@
 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
 filterID = wsseSignatureVerificationFilter01
+path = %(attributeAuthoritySoapWsdlServicePath)s
 
 # Settings for WS-Security SignatureHandler class used by this filter
@@ -125 +130 @@
 [filter:wsseSignatureFilter]
 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory
+path = %(attributeAuthoritySoapWsdlServicePath)s
 
 # Reference the verification filter in order to be able to apply signature

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/config.ini

@@ -12 +12 @@
 connectionString = sqlite:///$NDGSEC_TEST_CONFIG_DIR/user.db
 openIdSqlQuery = select openid from users where username = '${username}'     
-attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
+#attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
+attributeAuthorityURI = http://localhost:5000/AttributeAuthority/saml
 attributeQuery.subjectIdFormat = urn:esg:openid
 attributeQuery.issuerName = /O=Site A/CN=Authorisation Service