Changeset 6617 for TI12-security/trunk/NDGSecurity

Timestamp:

24/02/10 09:40:47 (11 years ago)

Author:

pjkersha

Message:

ndg.security.test.unit.saml.test_soapauthzdecisioninterface: Working Authorisation Service unit test with ndg.security.server.wsgi.authzservice.AuthzServiceMiddleware?. This is called via paste.fixture but it itself is a client to the SAML Attribute Authority running with paster over SSL.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/authzservice.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-service.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/policy-1.1.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py

@@ -339 +339 @@
             request.resource[Resource.URI_NS] = authzDecisionQuery.resource
     
+            # TODO: incorporate action(s) requested into PDP request
+            
             # Call the PDP
             pdpResponse = self.pdp.evaluate(request)
             
             # Create the SAML Response
-            response = Response()
-            
-            now = datetime.utcnow()
-            response.issueInstant = now
-            
-            # Make up a request ID that this response is responding to
-            response.inResponseTo = authzDecisionQuery.id
-            response.id = str(uuid4())
-            response.version = SAMLVersion(SAMLVersion.VERSION_20)
-                
-            response.issuer = Issuer()
-            response.issuer.format = self.issuerFormat
-            response.issuer.value = self.issuerName
-
-            response.status = Status()
-            response.status.statusCode = StatusCode()
-            response.status.statusMessage = StatusMessage()        
-            
-            response.status.statusCode.value = StatusCode.SUCCESS_URI
-            response.status.statusMessage.value = ("Response created "
-                                                   "successfully")
-            
-            assertion = Assertion()
-            response.assertions.append(assertion)
-               
-            assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
-            assertion.id = str(uuid4())
-            assertion.issueInstant = now
-            
-            # Add a conditions statement for a validity of 8 hours
-            assertion.conditions = Conditions()
-            assertion.conditions.notBefore = now
-            assertion.conditions.notOnOrAfter = now + timedelta(
-                                                seconds=self.assertionLifetime)
-                   
-            assertion.subject = Subject()
-            assertion.subject.nameID = NameID()
-            assertion.subject.nameID.format = \
-                authzDecisionQuery.subject.nameID.format
-            assertion.subject.nameID.value = \
-                authzDecisionQuery.subject.nameID.value
-                
-            assertion.issuer = Issuer()
-            assertion.issuer.format = self.issuerFormat
-            assertion.issuer.value = self.issuerName
-            
-            authzDecisionStatement = AuthzDecisionStatement()
-            assertion.authzDecisionStatements.append(authzDecisionStatement)
-                        
-            authzDecisionStatement.resource = authzDecisionQuery.resource
-            authzDecisionStatement.actions.append(Action())
-            authzDecisionStatement.actions[-1].namespace = Action.GHPP_NS_URI
-            authzDecisionStatement.actions[-1].value = Action.HTTP_GET_ACTION
-
+            response = self._createSAMLResponse(authzDecisionQuery)
+            authzDecisionStatement = response.assertions[0
+                                                    ].authzDecisionStatements[0]
+            
             if pdpResponse.status == PDPResponse.DECISION_PERMIT:
                 log.info("AuthzServiceMiddleware.__call__: PDP granted "
@@ -429 +381 @@
         return getAuthzDecision
 
+    def _createSAMLResponse(self, authzDecisionQuery):
+        """Helper method to create a SAML Authorisation Decision Response.  The
+        resource and actions referred to in the query are set in the 
+        Authorization Decision Statement, no decision is set
+        
+        @param authzDecisionQuery: SAML authorsation decision query
+        @type authzDecisionQuery: ndg.saml.saml2.core.AuthzDecisionQuery
+        @return: SAML Authorisation Decision Response
+        @rtype: ndg.saml.saml2.core.Response
+        """
+        response = Response()
+        
+        now = datetime.utcnow()
+        response.issueInstant = now
+        
+        # Make up a request ID that this response is responding to
+        response.inResponseTo = authzDecisionQuery.id
+        response.id = str(uuid4())
+        response.version = SAMLVersion(SAMLVersion.VERSION_20)
+            
+        response.issuer = Issuer()
+        response.issuer.format = self.issuerFormat
+        response.issuer.value = self.issuerName
+
+        response.status = Status()
+        response.status.statusCode = StatusCode()
+        response.status.statusMessage = StatusMessage()        
+        
+        response.status.statusCode.value = StatusCode.SUCCESS_URI
+        response.status.statusMessage.value = ("Response created "
+                                               "successfully")
+        
+        assertion = Assertion()
+        response.assertions.append(assertion)
+           
+        assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+        assertion.id = str(uuid4())
+        assertion.issueInstant = now
+        
+        # Add a conditions statement for a validity of 8 hours
+        assertion.conditions = Conditions()
+        assertion.conditions.notBefore = now
+        assertion.conditions.notOnOrAfter = now + timedelta(
+                                                seconds=self.assertionLifetime)
+               
+        assertion.subject = Subject()
+        assertion.subject.nameID = NameID()
+        assertion.subject.nameID.format = \
+            authzDecisionQuery.subject.nameID.format
+        assertion.subject.nameID.value = \
+            authzDecisionQuery.subject.nameID.value
+            
+        assertion.issuer = Issuer()
+        assertion.issuer.format = self.issuerFormat
+        assertion.issuer.value = self.issuerName
+        
+        authzDecisionStatement = AuthzDecisionStatement()
+        assertion.authzDecisionStatements.append(authzDecisionStatement)
+                    
+        authzDecisionStatement.resource = authzDecisionQuery.resource
+        
+        for action in authzDecisionQuery.actions:
+            authzDecisionStatement.actions.append(Action())
+            authzDecisionStatement.actions[-1].namespace = action.namespace
+            authzDecisionStatement.actions[-1].value = action.value
+
+        return response

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/__init__.py

@@ -40 +40 @@
                                                     ssl_context=ssl_context)
     
-    def _getPasteServer(self):
+    @property
+    def pasteServer(self):
         return self.__pasteServer
     
-    pasteServer = property(fget=_getPasteServer)
-    
-    def _getThread(self):
+    @property
+    def thread(self):
         return self.__thread
-    
-    thread = property(fget=_getThread)
     
     def start(self):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-service.ini

@@ -47 +47 @@
 # Attribute Authorities
 authz.pip.attributeQuery.subjectIdFormat = urn:esg:openid
-authz.pip.attributeQuery.verifyTimeConditions = True
+authz.pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+authz.pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+authz.pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+authz.pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy-1.1.xml

@@ -4 +4 @@
     
     <Target>
-        <URIPattern>http://localhost/dap/data/.*</URIPattern>
+        <URIPattern>^http://localhost/dap/data/.*</URIPattern>
         <Attributes>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>        
     </Target>
     <Target>
-        <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
+        <URIPattern>^http://localhost/dap/data/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
@@ -31 +31 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>        

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -198 +198 @@
     CONFIG_FILENAME = 'authz-service.ini'
     RESOURCE_URI = 'http://localhost/dap/data/my.nc.dods?time[0:1:0]'
+    ACCESS_DENIED_RESOURCE_URI = 'http://localhost/dap/data/test_accessDeniedToSecuredURI'
     
     def __init__(self, *arg, **kw):
@@ -205 +206 @@
                                                                     *arg, **kw)
         self.startSiteAAttributeAuthority(withSSL=True, port=5443)
+        
+    def test02AccessDenied(self):
+        cls = SOAPAuthzServiceMiddlewareTestCase
+        query = self._createAuthzDecisionQuery(
+                                        resource=cls.ACCESS_DENIED_RESOURCE_URI)
+        request = self._makeRequest(query=query)
+        
+        header = {
+            'soapAction': "http://www.oasis-open.org/committees/security",
+            'Content-length': str(len(request)),
+            'Content-type': 'text/xml'
+        }
+        response = self.app.post('/authorisationservice/', 
+                                 params=request, 
+                                 headers=header, 
+                                 status=200)
+        print("Response status=%d" % response.status)
+        samlResponse = self._getSAMLResponse(response.body)
+
+        self.assert_(samlResponse.status.statusCode.value == \
+                     StatusCode.SUCCESS_URI)
+        self.assert_(samlResponse.inResponseTo == query.id)
+        self.assert_(samlResponse.assertions[0].subject.nameID.value == \
+                     query.subject.nameID.value)
+        self.assert_(samlResponse.assertions[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
+                                            ].decision == DecisionType.DENY)