Changeset 6604 for TI12-security/trunk/NDGSecurity

Timestamp:

22/02/10 14:14:34 (11 years ago)

Author:

pjkersha

Message:

Fix for ticket #1102: added capability to set return to URI as a query argument to allow for cases where HTTP_REFERER is not set. To use applications should set the logout link to  http://<app domain>/<SCRIPT_NAME>/<logout path>?ndg.security.logout.r=<quoted return to URI>.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• .pydevproject (modified) (1 diff)
• ndg_security_common/ndg/security/common/authz/__init__.py (modified) (2 diffs)
• ndg_security_common/ndg/security/common/authz/msi.py (modified) (5 diffs)
• ndg_security_common/ndg/security/common/authz/pip/__init__.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/authz/pip/ndginterface.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/authzservice.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/session.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/.pydevproject

@@ -6 +6 @@
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
-<path>/ndg_security_python</path>
+<path>/ndg_security_python/ndg_security_client</path>
+<path>/ndg_security_python/ndg_security_common</path>
+<path>/ndg_security_python/ndg_security_server</path>
+<path>/ndg_security_python/ndg_security_test</path>
 </pydev_pathproperty>
 <pydev_pathproperty name="org.python.pydev.PROJECT_EXTERNAL_SOURCE_PATH">

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/__init__.py

@@ -28 +28 @@
     def __setitem__(self, key, val):
         if key not in self.__class__.namespaces:
-            raise KeyError('Namespace "%s" not recognised.  Valid namespaces '
-                           'are: %s' % self.__class__.namespaces)
+            raise KeyError('Namespace %r not recognised.  Valid namespaces '
+                           'are: %r' % (key, self.__class__.namespaces))
             
         dict.__setitem__(self, key, val)
@@ -50 +50 @@
        
         
-class SubjectBase(object):
+class SubjectBase(_AttrDict):
     '''Base class Subject designator'''
-    namespaces = ("urn:ndg:security:authz:1.0:attr:subject:roles", )
-    (ROLES_NS,) = namespaces
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:subject:userId",
+        "urn:ndg:security:authz:1.0:attr:subject:roles", 
+    )
+    (USERID_NS, ROLES_NS,) = namespaces
+
+
+class Subject(SubjectBase):
+    """Container for information about the subject of the query"""

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py

@@ -20 +20 @@
 from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.etree import QName
-from ndg.security.common.authz import _AttrDict, SubjectBase
+from ndg.security.common.authz import (_AttrDict, SubjectBase, Subject,
+                                       SubjectRetrievalError)
 from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery, 
-                                           PIPAttributeResponse,
-                                           SubjectRetrievalError)
+                                           PIPAttributeResponse)
 
 
@@ -346 +346 @@
 
 
-class Subject(SubjectBase):
-    '''MSI Subject designator'''
-
-
 class Resource(_AttrDict):
     '''Resource designator'''
@@ -360 +356 @@
 class Request(object):
     '''Request to send to a PDP'''
+#    __slots__ = ('__subject', '__resource')
+    
     def __init__(self, subject=Subject(), resource=Resource()):
         self.subject = subject
@@ -368 +366 @@
     
     def _setSubject(self, subject):
-        if not isinstance(subject, Subject,):
-            raise TypeError("Expecting %s type for Request subject; got %r" %
-                            (Subject.__class__.__name__, subject))
+        if not isinstance(subject, SubjectBase):
+            raise TypeError("Expecting %r type for Request subject; got %r" %
+                            (Subject, type(subject)))
         self.__subject = subject
 
@@ -390 +388 @@
                         fset=_setResource,
                         doc="Resource to be protected")
-
+#
+#    def __getstate__(self):
+#        '''Enable pickling'''
+#        _dict = {}
+#        for attrName in Request.__slots__:
+#            # Ugly hack to allow for derived classes setting private member
+#            # variables
+#            if attrName.startswith('__'):
+#                attrName = "_Request" + attrName
+#                
+#            _dict[attrName] = getattr(self, attrName)
+#            
+#        return _dict
+#  
+#    def __setstate__(self, attrDict):
+#        '''Enable pickling'''
+#        for attrName, val in attrDict.items():
+#            setattr(self, attrName, val)
+            
 
 class Response(object):

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/__init__.py

@@ -12 +12 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: __init__.py 3755 2008-04-04 09:11:44Z pjkersha $"
-from ndg.security.common.authz import _AttrDict
+from ndg.security.common.authz import _AttrDict, Subject
 
 

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/ndginterface.py

@@ -34 +34 @@
     
 from ndg.security.common.authz import SubjectBase, SubjectRetrievalError 
-from ndg.security.common.authz.pip import (PIPAttributeQuery, 
-                                           PIPAttributeResponse)          
-from ndg.security.common.authz.pdp import PDPUserAccessDenied
+from ndg.security.common.authz.pip import (PIPAttributeQuery, PIPBase,
+                                           PIPAttributeResponse)
 
 
@@ -110 +109 @@
                                     AttributeCertificateRequestError.__doc__)
         
-        
+class AttributeCertificateRequestDenied(SubjectRetrievalError):
+    'The request for a certificate containing authorisation roles was denied'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                    AttributeCertificateRequestError.__doc__)
+        
+         
 class PIP(PIPBase):
     """Policy Information Point - this implementation enables the PDP to 
@@ -261 +266 @@
         except AttributeRequestDenied, e:
             log.error("Request for attribute certificate denied: %s" % e)
-            raise PDPUserAccessDenied()
+            raise AttributeCertificateRequestDenied()
         
         except SessionNotFound, e:
@@ -326 +331 @@
             log.error("Request for attribute certificate denied: %s",
                       traceback.format_exc())
-            raise PDPUserAccessDenied()
+            raise AttributeCertificateRequestDenied()
         
         # TODO: handle other specific Exception types here for more fine

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -39 +39 @@
 from ndg.security.server.wsgi.authz.result_handler.basic import \
     PEPResultHandlerMiddleware
-
-from ndg.security.common.authz.msi import (Policy, PIP, PIPBase, 
-                                           PIPAttributeQuery, 
-                                           PIPAttributeResponse, PDP, Request, 
-                                           Response, Resource, Subject)
+    
+from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery,
+                                           PIPAttributeResponse)
+
+# The NDG Interface Subject type includes support for Session Manager related
+# keywords which are not needed by the newer SamlPIPMiddleware
+from ndg.security.common.authz.pip.ndginterface import PIP, Subject
+from ndg.security.common.authz.msi import (Policy, PDP, Request, 
+                                           Response, Resource)
 
 
@@ -150 +154 @@
                   "user authorisation ...")
         
-        # Make a request object to pass to the PDP
-        request = Request()
+        # Make a request object to pass to the PDP.  Set an NDG type Subject
+        # which has the extra keyword support for Session Manager and 
+        # Session ID needed by NdgPIPMiddleware.  This can be deprecated in a 
+        # future release when the SOAP/WSL attribute interface is withdrawn
+        # and completely replaced by the SAML one
+        request = Request(subject=Subject())
         request.subject[Subject.USERID_NS] = session['username']
         

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py

@@ -13 +13 @@
 
 from ndg.security.common.utils.factory import importModuleObject
-from ndg.security.common.authz.msi import Policy, PDP
+from ndg.security.common.authz import Subject
+from ndg.security.common.authz.msi import (Policy, PDP, Request, Response,
+                                           Resource)
 from ndg.security.common.authz.pip.esg import PIP
 
@@ -174 +176 @@
             self.__authzDecisionFunc = importModuleObject(value)
             
-        elif iscallable(value):
+        elif callable(value):
             self.__authzDecisionFunc = value
         else:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

@@ -14 +14 @@
 log = logging.getLogger(__name__)
 
+import urllib
+from paste.request import parse_querystring
+
 from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase,
                                       NDGSecurityMiddlewareError)
@@ -89 +92 @@
     
     AUTH_TKT_SET_USER_ENVIRON_KEYNAME = 'paste.auth_tkt.set_user'
+    
+    LOGOUT_RETURN2URI_ARGNAME = 'ndg.security.logout.r'
     
     PARAM_PREFIX = 'sessionHandler.'
@@ -179 +184 @@
         session.save()
         
-        referrer = environ.get('HTTP_REFERER')
+        if self.__class__.LOGOUT_RETURN2URI_ARGNAME in environ['QUERY_STRING']:
+            params = dict(parse_querystring(environ))
+        
+            # Store the return URI query argument in a beaker session
+            quotedReferrer = params.get(
+                                self.__class__.LOGOUT_RETURN2URI_ARGNAME, '')
+            referrer = urllib.unquote(quotedReferrer)
+        else:
+            referrer = environ.get('HTTP_REFERER')
+        
         if referrer is not None:
             def _start_response(status, header, exc_info=None):
@@ -191 +205 @@
                                       exc_info)
                 
-            return _start_response        
+            return _start_response
         else:
             log.error('No referrer set for redirect following logout')

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -406 +406 @@
 # SAML SOAP Binding to the Attribute Authority
 [filter:AttributeAuthoritySamlSoapBindingFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml.attributeinterface:SOAPAttributeInterfaceMiddleware.filter_app_factory
+paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.soapbinding.
+
+saml.soapbinding.deserialise = saml.xml.etree:AttributeQueryElementTree.fromXML
+
+# Specialisation to incorporate ESG Group/Role type
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
 saml.soapbinding.pathMatchList = /AttributeAuthority/saml