Changeset 6617 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

24/02/10 09:40:47 (11 years ago)

Author:

pjkersha

Message:

ndg.security.test.unit.saml.test_soapauthzdecisioninterface: Working Authorisation Service unit test with ndg.security.server.wsgi.authzservice.AuthzServiceMiddleware?. This is called via paste.fixture but it itself is a client to the SAML Attribute Authority running with paster over SSL.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi

Files:

• __init__.py (modified) (1 diff)
• saml/authz-service.ini (modified) (1 diff)
• saml/policy-1.1.xml (modified) (2 diffs)
• saml/test_soapauthzdecisioninterface.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/__init__.py

@@ -40 +40 @@
                                                     ssl_context=ssl_context)
     
-    def _getPasteServer(self):
+    @property
+    def pasteServer(self):
         return self.__pasteServer
     
-    pasteServer = property(fget=_getPasteServer)
-    
-    def _getThread(self):
+    @property
+    def thread(self):
         return self.__thread
-    
-    thread = property(fget=_getThread)
     
     def start(self):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-service.ini

@@ -47 +47 @@
 # Attribute Authorities
 authz.pip.attributeQuery.subjectIdFormat = urn:esg:openid
-authz.pip.attributeQuery.verifyTimeConditions = True
+authz.pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+authz.pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+authz.pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+authz.pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy-1.1.xml

@@ -4 +4 @@
     
     <Target>
-        <URIPattern>http://localhost/dap/data/.*</URIPattern>
+        <URIPattern>^http://localhost/dap/data/.*</URIPattern>
         <Attributes>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>        
     </Target>
     <Target>
-        <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
+        <URIPattern>^http://localhost/dap/data/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
@@ -31 +31 @@
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
             </Attribute>
         </Attributes>        

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -198 +198 @@
     CONFIG_FILENAME = 'authz-service.ini'
     RESOURCE_URI = 'http://localhost/dap/data/my.nc.dods?time[0:1:0]'
+    ACCESS_DENIED_RESOURCE_URI = 'http://localhost/dap/data/test_accessDeniedToSecuredURI'
     
     def __init__(self, *arg, **kw):
@@ -205 +206 @@
                                                                     *arg, **kw)
         self.startSiteAAttributeAuthority(withSSL=True, port=5443)
+        
+    def test02AccessDenied(self):
+        cls = SOAPAuthzServiceMiddlewareTestCase
+        query = self._createAuthzDecisionQuery(
+                                        resource=cls.ACCESS_DENIED_RESOURCE_URI)
+        request = self._makeRequest(query=query)
+        
+        header = {
+            'soapAction': "http://www.oasis-open.org/committees/security",
+            'Content-length': str(len(request)),
+            'Content-type': 'text/xml'
+        }
+        response = self.app.post('/authorisationservice/', 
+                                 params=request, 
+                                 headers=header, 
+                                 status=200)
+        print("Response status=%d" % response.status)
+        samlResponse = self._getSAMLResponse(response.body)
+
+        self.assert_(samlResponse.status.statusCode.value == \
+                     StatusCode.SUCCESS_URI)
+        self.assert_(samlResponse.inResponseTo == query.id)
+        self.assert_(samlResponse.assertions[0].subject.nameID.value == \
+                     query.subject.nameID.value)
+        self.assert_(samlResponse.assertions[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
+                                            ].decision == DecisionType.DENY)