Changeset 6633 for TI12-security/branches

Timestamp:

24/02/10 16:01:49 (11 years ago)

Author:

pjkersha

Message:

Merging in changes from 6557

Location:

TI12-security/branches/ndg-security-1.5.x

Files:

• .project (added)
• .pydevproject (added)
• ndg_security_server/ndg/security/server/wsgi/authn.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py (modified) (3 diffs)
• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/identityPatternWhitelist.cfg (added)
• ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test_myproxy.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini (modified) (1 diff)

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authn.py

@@ -325 +325 @@
     ndg.security.server.wsgi.openid.relyingparty.OpenIDRelyingPartyMiddleware 
     which performs a similar function.
-    """
+    """    
+    _sslAuthnSucceeded = lambda self: self.environ.get(
+                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
+                    False)
+        
+    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
+                                 doc="Boolean indicating SSL authentication "
+                                     "has succeeded in "
+                                     "AuthKitSSLAuthnMiddleware upstream of "
+                                     "this middleware")   
     
     @NDGSecurityMiddlewareBase.initCall
@@ -369 +378 @@
                                    "'REMOTE_USER' environment variable is set")
     
-    _sslAuthnSucceeded = lambda self: self.environ.get(
-                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
-                    False)
-        
-    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
-                                 doc="Boolean indicating SSL authentication "
-                                     "has succeeded in "
-                                     "AuthKitSSLAuthnMiddleware upstream of "
-                                     "this middleware")
-    
     def __init__(self, app, app_conf, **local_conf):
         super(AuthKitRedirectResponseMiddleware, self).__init__(app, app_conf,

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -586 +586 @@
                                                     uri=attributeAuthorityURI)
             for assertion in response.assertions:
-                credentialWallet.addCredential(assertion)
+                credentialWallet.addCredential(assertion,
+                                   attributeAuthorityURI=attributeAuthorityURI,
+                                   verifyCredential=False)
             
             log.debug("SamlPIPMiddleware.attributeQuery: updating Credential "

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py

@@ -142 +142 @@
             """Wrap MyProxy logon method as a WSGI app
             """
-            if environ['HTTP_METHOD'] == 'GET':
+            if environ.get('REQUEST_METHOD') == 'GET':
                 # No certificate request passed with GET call
                 # TODO: retire this method? - keys are generated here instead of
@@ -148 +148 @@
                 certReq = None
                     
-            elif environ['HTTP_METHOD'] == 'POST':
+            elif environ.get('REQUEST_METHOD') == 'POST':
                 
                 pemCertReq = environ[
@@ -160 +160 @@
                 status = self.getStatusMessage(httplib.UNAUTHORIZED)
                 response = ("HTTP request method %r not recognised for this "
-                            "request " % environ['HTTP_METHOD'])
+                            "request " % environ.get('REQUEST_METHOD', 
+                                                     '<Not set>'))
                 
             try:

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -223 +223 @@
         response = soapResponse.serialize()
         
+        log.debug("SOAPAttributeInterfaceMiddleware.__call__: sending response "
+                  "...\n\n%s",
+                  response)
         start_response("200 OK",
                        [('Content-length', str(len(response))),

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -56 +56 @@
     CACERT_FILEPATH_LIST_OPTNAME = 'caCertFilePathList'
     CLIENT_CERT_DN_MATCH_LIST_OPTNAME = 'clientCertDNMatchList'
+    CLIENT_CERT_DN_MATCH_LIST_SEP_PAT = re.compile(',\s*')
     SSL_KEYNAME_OPTNAME = 'sslKeyName'
     SSL_CLIENT_CERT_KEYNAME_OPTNAME = 'sslClientCertKeyName'
@@ -78 +79 @@
     AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
                                        'ApacheSSLAuthnMiddleware.authenticated')
-    
+
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
         
@@ -212 +213 @@
         if isinstance(value, basestring):
             # Try parsing a space separated list of file paths
-            self.__clientCertDNMatchList = [X500DN(dn=dn) 
-                                            for dn in value.split()]
+            pat = ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_SEP_PAT
+            dnList = pat.split(value)
+            self.__clientCertDNMatchList = [X500DN(dn=dn) for dn in dnList]
             
         elif isinstance(value, (list, tuple)):
@@ -225 +227 @@
                     raise TypeError('Expecting a string, or %r type for "%s" '
                                     'list item; got %r' % 
-                (X500DN,
-                 ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
-                 type(dn)))
+                    (X500DN,
+                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
+                     type(dn)))
                     
         else:

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml

@@ -25 +25 @@
         </Attributes>
     </Target>
+    <!-- Test inclusion of ampersand -->
+    <Target>
+        <URIPattern>^/test_securedURI[?&amp;]MyQueryParam=100</URIPattern>
+        <Attributes>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
+        </Attributes>        
+    </Target>
 </Policy>

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py

@@ -59 +59 @@
                 assert(attribute.attributeAuthorityURI)
 
+                        
 
 class PIPPlaceholder(PIPBase):
@@ -81 +82 @@
     PERMITTED_RESOURCE_URI = '/test_securedURI'
     DENIED_RESOURCE_URI = '/test_accessDeniedToSecuredURI'
+    WITH_ESCAPE_CHARS_RESOURCE_URI = '/test_securedURI?MyQueryParam=100'
     
     def setUp(self):
@@ -104 +106 @@
         self.assert_(response.status == Response.DECISION_DENY)
 
+    def test03WithEscapeCharsInPolicy(self):
+        self.request.resource[Resource.URI_NS
+                              ] = PDPTestCase.WITH_ESCAPE_CHARS_RESOURCE_URI      
+        response = self.pdp.evaluate(self.request)
+        
+        self.assert_(response.status == Response.DECISION_PERMIT)
+
         
 if __name__ == "__main__":

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -248 +248 @@
         
     def setUp(self):
-        self.assertion =self._createAssertion()
+        self.assertion = self._createAssertion()
         
     def _createAssertion(self, timeNow=None, validityDuration=60*60*8,
@@ -322 +322 @@
         self.assert_(len(wallet.credentials) == 0)
 
-    def test04ReplaceCredential(self):
+    def test04ClockSkewTolerance(self):
+        # Add a short lived credential but with the wallet set to allow for
+        # a clock skew of 
+        shortExpiryAssertion = self._createAssertion(validityDuration=1)
+        wallet = SAMLCredentialWallet()
+        
+        # Set a tolerance of five seconds
+        wallet.clockSkewTolerance = 5.*60*60
+        wallet.addCredential(shortExpiryAssertion)
+        
+        self.assert_(len(wallet.credentials) == 1)
+        sleep(2)
+        wallet.audit()
+        self.assert_(len(wallet.credentials) == 1)
+        
+    def test05ReplaceCredential(self):
         # Replace an existing credential from a given institution with a more
         # up to date one
@@ -332 +347 @@
         wallet.addCredential(newAssertion)
         self.assert_(len(wallet.credentials) == 1)
-        self.assert_(newAssertion.conditions.notOnOrAfter==\
+        self.assert_(newAssertion.conditions.notOnOrAfter == \
                      wallet.credentials[
                         SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME
                     ].credential.conditions.notOnOrAfter)
         
-    def test05CredentialsFromSeparateSites(self):
+    def test06CredentialsFromSeparateSites(self):
         wallet = self._addCredential()
         wallet.addCredential(self._createAssertion(issuerName="MySite"))
         self.assert_(len(wallet.credentials) == 2)
 
-    def test06Pickle(self):
+    def test07Pickle(self):
         wallet = self._addCredential()
         outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
@@ -353 +368 @@
             SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI))
         
+        self.assert_(unpickledWallet.credentials.items()[0][1].issuerName == \
+                     BaseTestCase.SITEA_SAML_ISSUER_NAME)
+
+    def test08CreateFromConfig(self):
+        wallet = SAMLCredentialWallet.fromConfig(
+                                SAMLCredentialWalletTestCase.CONFIG_FILEPATH)
+        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01))
+        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw')
         
 if __name__ == "__main__":

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg

@@ -9 +9 @@
 # $Id:$
 [DEFAULT]
-clockSkew = 0.
+clockSkewTolerance = 0.01
 userId = https://openid.localhost/philip.kershaw
-issuerDN = /O=Site A/CN=Authorisation Service
-attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
-queryAttributes.0 = urn:esg:first:name, FirstName, http://www.w3.org/2001/XMLSchema#string
-queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
-
-# SSL Context Proxy settings
-sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
-sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.crt
-sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.key
-sslValidDNs = /C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost, /O=Site A/CN=Attribute Authority

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py

@@ -63 +63 @@
     x509CertFilePath = mkDataDirPath(os.path.join('pki', 'localhost.crt'))
     
-    def get_current_cert(self):
-        return X509.load_cert(X509StoreCtxPlaceHolder.x509CertFilePath)
+    def get1_chain(self):
+        return [X509.load_cert(X509StoreCtxPlaceHolder.x509CertFilePath)]
     
 class IdPValidationTestCase(BaseTestCase):

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test.ini

@@ -6 +6 @@
 [DEFAULT]
 username = testuser
-#password = 
+password = testpasswd
 
 [server:main]
@@ -23 +23 @@
 http.auth.basic.rePathMatchList = .*
 myproxy.logonFuncEnvKeyName = myProxyLogon
-#myproxy.client.hostname = localhost
-myproxy.client.hostname = glue.badc.rl.ac.uk
-myproxy.client.serverDN = /O=NDG/OU=BADC/CN=glue.badc.rl.ac.uk
+myproxy.client.hostname = localhost
+myproxy.client.serverDN = /O=NDG/OU=BADC/CN=localhost

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test_myproxy.py

@@ -20 +20 @@
 from paste.deploy import loadapp
 
-from M2Crypto import X509
+from M2Crypto import X509, RSA, EVP, m2
 
 from ndg.security.test.unit import BaseTestCase
@@ -210 +210 @@
         
         # Create key pair
+        nBitsForKey = 2048
         keys = RSA.gen_key(nBitsForKey, m2.RSA_F4)
         certReq = X509.Request()
@@ -224 +225 @@
         certReq.set_subject_name(x509Name)
         
-        certReq.sign(pubKey, messageDigest)
+        certReq.sign(pubKey, "md5")
 
         pemCertReq = certReq.as_pem()

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini

@@ -23 +23 @@
 ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
 ssl.rePathMatchList = ^/secured/.*$ ^/restrict.*
-ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test /O=localhost/OU=local/CN=test2
+ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test, /O=localhost/OU=local client/CN=test 2