Changeset 6674 for TI12-security/branches

Timestamp:

04/03/10 15:15:56 (11 years ago)

Author:

pjkersha

Message:

Fixes to SAML timestamp checking

Location:

TI12-security/branches/ndg-security-1.5.x

Files:

• .pydevproject (modified) (1 diff)
• ndg_security_common/ndg/security/common/saml_utils/bindings.py (modified) (5 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py (modified) (5 diffs)

TI12-security/branches/ndg-security-1.5.x/.pydevproject

@@ -13 +13 @@
 <pydev_pathproperty name="org.python.pydev.PROJECT_EXTERNAL_SOURCE_PATH">
 <path>/home/pjkersha/workspace/ndg_security_saml_0_2_x</path>
+<path>/home/pjkersha/workspace/AuthKit/trunk</path>
 </pydev_pathproperty>
 </pydev_project>

TI12-security/branches/ndg-security-1.5.x/ndg_security_common/ndg/security/common/saml_utils/bindings.py

@@ -243 +243 @@
     ISSUER_NAME_OPTNAME = 'issuerName'
     CLOCK_SKEW_OPTNAME = 'clockSkew'
+    VERIFY_TIME_CONDITIONS_OPTNAME = 'verifyTimeConditions'
     
     CONFIG_FILE_OPTNAMES = (
         SUBJECT_ID_OPTNAME,
         ISSUER_NAME_OPTNAME,                 
-        CLOCK_SKEW_OPTNAME            
+        CLOCK_SKEW_OPTNAME, 
+        VERIFY_TIME_CONDITIONS_OPTNAME      
     )
     
@@ -265 +267 @@
         self.__queryAttributes = TypedList(Attribute)
         self.__clockSkew = timedelta(seconds=0.)
-                
+        self.__verifyTimeConditions = True
+    
         super(AttributeQuerySOAPBinding, self).__init__(**kw)
 
@@ -339 +342 @@
                 raise
 
+    def _getVerifyTimeConditions(self):
+        return self.__verifyTimeConditions
+
+    def _setVerifyTimeConditions(self, value):
+        if isinstance(value, bool):
+            self.__verifyTimeConditions = value
+            
+        if isinstance(value, basestring):
+            self.__verifyTimeConditions = str2Bool(value)
+        else:
+            raise TypeError('Expecting bool or string type for '
+                            '"verifyTimeConditions"; got %r instead' % 
+                            type(value))
+
+    verifyTimeConditions = property(_getVerifyTimeConditions, 
+                                    _setVerifyTimeConditions, 
+                                    doc='Set to True to verify any time '
+                                        'Conditions set in the returned '
+                                        'response assertions') 
+    
     def _getSubjectID(self):
         return self.__subjectID
@@ -426 +449 @@
             
         return attributeQuery
-
+    
+    def _verifyTimeConditions(self, response):
+        """Verify time conditions set in a response
+        @param response: SAML Response returned from remote service
+        @type response: ndg.saml.saml2.core.Response
+        @raise SubjectQueryResponseError: if a timestamp is invalid
+        """
+        
+        if not self.verifyTimeConditions:
+            log.debug("Skipping verification of SAML Response time conditions")
+            
+        utcNow = datetime.utcnow() 
+        nowMinusSkew = utcNow - self.clockSkew
+        nowPlusSkew = utcNow + self.clockSkew
+        
+        if response.issueInstant > nowPlusSkew:
+            msg = ('SAML Attribute Response issueInstant [%s] is after '
+                   'the clock time [%s] (skewed +%s)' % 
+                   (response.issueInstant, 
+                    SAMLDateTime.toString(nowPlusSkew),
+                    self.clockSkew))
+            
+            samlRespError = AttributeQueryResponseError(msg)                  
+            samlRespError.response = response
+            raise samlRespError
+        
+        for assertion in response.assertions:
+            if assertion.issueInstant is None:
+                samlRespError = AttributeQueryResponseError("No issueInstant "
+                                                            "set in response "
+                                                            "assertion")
+                samlRespError.response = response
+                raise samlRespError
+            
+            elif nowPlusSkew < assertion.issueInstant:
+                msg = ('The clock time [%s] (skewed +%s) is before the '
+                       'SAML Attribute Response assertion issue instant [%s]' % 
+                       (SAMLDateTime.toString(utcNow),
+                        self.clockSkew,
+                        assertion.issueInstant))
+                samlRespError = AttributeQueryResponseError(msg)
+                samlRespError.response = response
+                raise samlRespError
+
+            if assertion.conditions is not None:
+                if nowPlusSkew < assertion.conditions.notBefore:
+                    msg = ('The clock time [%s] (skewed +%s) is before the '
+                           'SAML Attribute Response assertion conditions not '
+                           'before time [%s]' % 
+                           (SAMLDateTime.toString(utcNow),
+                            self.clockSkew,
+                            assertion.conditions.notBefore))
+                              
+                    samlRespError = AttributeQueryResponseError(msg)
+                    samlRespError.response = response
+                    raise samlRespError
+                 
+                if nowMinusSkew >= assertion.conditions.notOnOrAfter:           
+                    msg = ('The clock time [%s] (skewed -%s) is on or after '
+                           'the SAML Attribute Response assertion conditions '
+                           'not on or after time [%s]' % 
+                           (SAMLDateTime.toString(utcNow),
+                            self.clockSkew,
+                            assertion.conditions.notOnOrAfter))
+                    
+                    samlRespError = AttributeQueryResponseError(msg) 
+                    samlRespError.response = response
+                    raise samlRespError
+                
     def send(self, **kw):
         '''Make an attribute query to a remote SAML service
@@ -458 +549 @@
             raise samlRespError
         
-        utcNow = datetime.utcnow() + self.clockSkew
-        if response.issueInstant > utcNow:
-            msg = ('SAML Attribute Response issueInstant [%s] is after '
-                   'the current clock time [%s]' % 
-                   (attributeQuery.issueInstant, SAMLDateTime.toString(utcNow)))
-            
-            samlRespError = AttributeQueryResponseError(msg)                  
-            samlRespError.response = response
-            raise samlRespError
-        
-        for assertion in response.assertions:
-            if utcNow < assertion.conditions.notBefore:            
-                msg = ('The current clock time [%s] is before the SAML '
-                       'Attribute Response assertion conditions not before '
-                       'time [%s]' % 
-                       (SAMLDateTime.toString(utcNow),
-                        assertion.conditions.notBefore))
-                          
-                samlRespError = AttributeQueryResponseError(msg)
-                samlRespError.response = response
-                raise samlRespError
-             
-            if utcNow >= assertion.conditions.notOnOrAfter:           
-                msg = ('The current clock time [%s] is on or after the SAML '
-                       'Attribute Response assertion conditions not on or '
-                       'after time [%s]' % 
-                       (SAMLDateTime.toString(utcNow),
-                        response.assertion.conditions.notOnOrAfter))
-                
-                samlRespError = AttributeQueryResponseError(msg) 
-                samlRespError.response = response
-                raise samlRespError   
-            
+        self._verifyTimeConditions(response)
+        
         return response 
 

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -1316 +1316 @@
         @return: WSGI response'''
         """      
+        if not isinstance(oidResponse, server.OpenIDResponse):
+            log.error("OpenID Response is %r type, expecting %r",
+                      type(oidResponse), server.OpenIDResponse)
+            return self._render.errorPage(environ, start_response,
+                                          "Error setting a response.  Please "
+                                          "report this fault to your site "
+                                          "administrator.",
+                                          code=500)
+
         try:
             webresponse = self.oidserver.encodeResponse(oidResponse)

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py

@@ -20 +20 @@
 from xml.etree import ElementTree
 
+from saml.utils import SAMLDateTime
 from saml.saml2.core import (Response, Assertion, Attribute, 
                              AttributeStatement, SAMLVersion, Subject, NameID,
@@ -31 +32 @@
 from ndg.security.common.soap.etree import SOAPEnvelope
 from ndg.security.common.utils.etree import QName, prettyPrint
+from ndg.security.common.saml_utils.bindings import (AttributeQuerySOAPBinding,
+                                                AttributeQueryResponseError)
 from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces, 
                                           XSGroupRoleAttributeValue)
@@ -160 +163 @@
     """TODO: test SAML Attribute Authority interface"""
     thisDir = os.path.dirname(os.path.abspath(__file__))
-
-    def __init__(self, *args, **kwargs):
-        wsgiApp = SamlSoapBindingApp()
-        self.app = paste.fixture.TestApp(wsgiApp)
-         
-        BaseTestCase.__init__(self, *args, **kwargs)
-        
-
-    def test01AttributeQuery(self):
-        attributeQuery = AttributeQuery()
-        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
-        attributeQuery.id = str(uuid4())
-        attributeQuery.issueInstant = datetime.utcnow()
-        
-        attributeQuery.issuer = Issuer()
-        attributeQuery.issuer.format = Issuer.X509_SUBJECT
-        attributeQuery.issuer.value = \
-                        "/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk"
-                        
-                        
-        attributeQuery.subject = Subject()  
-        attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
-        attributeQuery.subject.nameID.value = \
-                                    "https://openid.localhost/philip.kershaw"
-        
-        # special case handling for 'FirstName' attribute
-        fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
-        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        fnAttribute.friendlyName = "FirstName"
-
-        attributeQuery.attributes.append(fnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
-        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        lnAttribute.friendlyName = "LastName"
-
-        attributeQuery.attributes.append(lnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
-        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
-        emailAddressAttribute.friendlyName = "emailAddress"
-
-        attributeQuery.attributes.append(emailAddressAttribute)                                   
-        
-        elem = AttributeQueryElementTree.toXML(attributeQuery)
-        soapRequest = SOAPEnvelope()
-        soapRequest.create()
-        soapRequest.body.elem.append(elem)
-        
-        request = soapRequest.serialize()
-        
-        header = {
-            'soapAction': "http://www.oasis-open.org/committees/security",
-            'Content-length': str(len(request)),
-            'Content-type': 'text/xml'
-        }
-        response = self.app.post('/attributeauthority', 
-                                 params=request, 
-                                 headers=header, 
-                                 status=200)
-        print("Response status=%d" % response.status)
-
-        soapResponse = SOAPEnvelope()
-        
-        responseStream = StringIO()
-        responseStream.write(response.body)
-        responseStream.seek(0)
-        
-        soapResponse.parse(responseStream)
-        
-        print("Parsed response ...")
-        print(soapResponse.serialize())
-#        print(prettyPrint(soapResponse.elem))
-        
-        response = ResponseElementTree.fromXML(soapResponse.body.elem[0])
-        self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
-        self.assert_(response.inResponseTo == attributeQuery.id)
-        self.assert_(response.assertions[0].subject.nameID.value == \
-                     attributeQuery.subject.nameID.value)
-      
-    def test02AttributeQueryWithSOAPClient(self):
-            
-        # Thread a separate attribute authority instance
-        self.startSiteAAttributeAuthority()
-          
-        client = UrlLib2SOAPClient()
-        
-        # ElementTree based envelope class
-        client.responseEnvelopeClass = SOAPEnvelope
-        
-        request = UrlLib2SOAPRequest()
-        request.url = 'http://localhost:5000/AttributeAuthority/saml'
-        request.envelope = SOAPEnvelope()
-        request.envelope.create()
-        
-        # Make an attribute query
-        attributeQuery = AttributeQuery()
-        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
-        attributeQuery.id = str(uuid4())
-        attributeQuery.issueInstant = datetime.utcnow()
-        
-        attributeQuery.issuer = Issuer()
-        attributeQuery.issuer.format = Issuer.X509_SUBJECT
-        attributeQuery.issuer.value = \
-                        "/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk"
-
-        attributeQuery.subject = Subject()  
-        attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
-        attributeQuery.subject.nameID.value = \
-                            "https://esg.prototype.ucar.edu/myopenid/testUser"
-        
-        # special case handling for 'FirstName' attribute
-        fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
-        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        fnAttribute.friendlyName = "FirstName"
-
-        attributeQuery.attributes.append(fnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
-        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
-        lnAttribute.friendlyName = "LastName"
-
-        attributeQuery.attributes.append(lnAttribute)
-    
-        # special case handling for 'LastName' attribute
-        emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
-        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
-                                    XSStringAttributeValue.TYPE_LOCAL_NAME
-        emailAddressAttribute.friendlyName = "emailAddress"
-
-        attributeQuery.attributes.append(emailAddressAttribute)                                   
-        
-        attributeQueryElem = AttributeQueryElementTree.toXML(attributeQuery)
-
-        # Attach query to SOAP body
-        request.envelope.body.elem.append(attributeQueryElem)
-        
-        from M2Crypto.m2urllib2 import HTTPSHandler
-        from urllib2 import URLError
-
-        client.openerDirector.add_handler(HTTPSHandler())
-        try:
-            response = client.send(request)
-        except URLError, e:
-            self.fail("Error calling Attribute Service")
-        
-        print("Response from server:\n\n%s" % response.envelope.serialize())
-        
-        if len(response.envelope.body.elem) != 1:
-            self.fail("Expecting single child element is SOAP body")
-            
-        if QName.getLocalPart(response.envelope.body.elem[0].tag)!='Response':
-            self.fail('Expecting "Response" element in SOAP body')
-            
-        toSAMLTypeMap = [XSGroupRoleAttributeValueElementTree.factoryMatchFunc]
-        response = ResponseElementTree.fromXML(response.envelope.body.elem[0],
-                                            customToSAMLTypeMap=toSAMLTypeMap)
-        self.assert_(response)
-        
-    def test03ParseResponse(self):
-        response = \
-'''<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+    RESPONSE = '''\
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
-      <samlp:Response ID="05680cb2-4973-443d-9d31-7bc99bea87c1" InResponseTo="e3183380-ae82-4285-8827-8c40613842de" IssueInstant="2009-08-17T12:28:37.325Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+      <samlp:Response ID="05680cb2-4973-443d-9d31-7bc99bea87c1" InResponseTo="e3183380-ae82-4285-8827-8c40613842de" IssueInstant="%(issueInstant)s" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
          <saml:Issuer Format="urn:esg:issuer" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ESG-NCAR</saml:Issuer>
          <samlp:Status>
             <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
          </samlp:Status>
-         <saml:Assertion ID="192c67d9-f9cd-457a-9242-999e7b943166" IssueInstant="2009-08-17T12:28:37.347Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+         <saml:Assertion ID="192c67d9-f9cd-457a-9242-999e7b943166" IssueInstant="%(assertionIssueInstant)s" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
             <saml:Issuer Format="urn:esg:issuer">ESG-NCAR</saml:Issuer>
             <saml:Subject>
                <saml:NameID Format="urn:esg:openid">https://esg.prototype.ucar.edu/myopenid/testUser</saml:NameID>
             </saml:Subject>
-            <saml:Conditions NotBefore="2009-08-17T12:28:37.347Z" NotOnOrAfter="2009-08-18T12:28:37.347Z" />
+            <saml:Conditions NotBefore="%(notBefore)s" NotOnOrAfter="%(notOnOrAfter)s" />
             <saml:AttributeStatement>
                <saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string">
@@ -371 +202 @@
       </samlp:Response>
    </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>'''
-        
+</SOAP-ENV:Envelope>
+'''
+
+    def __init__(self, *args, **kwargs):
+        wsgiApp = SamlSoapBindingApp()
+        self.app = paste.fixture.TestApp(wsgiApp)
+         
+        BaseTestCase.__init__(self, *args, **kwargs)
+        
+
+    def test01AttributeQuery(self):
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = \
+                        "/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk"
+                        
+                        
+        attributeQuery.subject = Subject()  
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = \
+                                    "https://openid.localhost/philip.kershaw"
+        
+        # special case handling for 'FirstName' attribute
+        fnAttribute = Attribute()
+        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        fnAttribute.friendlyName = "FirstName"
+
+        attributeQuery.attributes.append(fnAttribute)
+    
+        # special case handling for 'LastName' attribute
+        lnAttribute = Attribute()
+        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        lnAttribute.friendlyName = "LastName"
+
+        attributeQuery.attributes.append(lnAttribute)
+    
+        # special case handling for 'LastName' attribute
+        emailAddressAttribute = Attribute()
+        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
+                                    XSStringAttributeValue.TYPE_LOCAL_NAME
+        emailAddressAttribute.friendlyName = "emailAddress"
+
+        attributeQuery.attributes.append(emailAddressAttribute)                                   
+        
+        elem = AttributeQueryElementTree.toXML(attributeQuery)
+        soapRequest = SOAPEnvelope()
+        soapRequest.create()
+        soapRequest.body.elem.append(elem)
+        
+        request = soapRequest.serialize()
+        
+        header = {
+            'soapAction': "http://www.oasis-open.org/committees/security",
+            'Content-length': str(len(request)),
+            'Content-type': 'text/xml'
+        }
+        response = self.app.post('/attributeauthority', 
+                                 params=request, 
+                                 headers=header, 
+                                 status=200)
+        print("Response status=%d" % response.status)
+
         soapResponse = SOAPEnvelope()
         
         responseStream = StringIO()
-        responseStream.write(response)
+        responseStream.write(response.body)
+        responseStream.seek(0)
+        
+        soapResponse.parse(responseStream)
+        
+        print("Parsed response ...")
+        print(soapResponse.serialize())
+#        print(prettyPrint(soapResponse.elem))
+        
+        response = ResponseElementTree.fromXML(soapResponse.body.elem[0])
+        self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
+        self.assert_(response.inResponseTo == attributeQuery.id)
+        self.assert_(response.assertions[0].subject.nameID.value == \
+                     attributeQuery.subject.nameID.value)
+      
+    def test02AttributeQueryWithSOAPClient(self):
+            
+        # Thread a separate attribute authority instance
+        self.startSiteAAttributeAuthority()
+          
+        client = UrlLib2SOAPClient()
+        
+        # ElementTree based envelope class
+        client.responseEnvelopeClass = SOAPEnvelope
+        
+        request = UrlLib2SOAPRequest()
+        request.url = 'http://localhost:5000/AttributeAuthority/saml'
+        request.envelope = SOAPEnvelope()
+        request.envelope.create()
+        
+        # Make an attribute query
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = \
+                        "/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk"
+
+        attributeQuery.subject = Subject()  
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = \
+                            "https://esg.prototype.ucar.edu/myopenid/testUser"
+        
+        # special case handling for 'FirstName' attribute
+        fnAttribute = Attribute()
+        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        fnAttribute.friendlyName = "FirstName"
+
+        attributeQuery.attributes.append(fnAttribute)
+    
+        # special case handling for 'LastName' attribute
+        lnAttribute = Attribute()
+        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
+        lnAttribute.friendlyName = "LastName"
+
+        attributeQuery.attributes.append(lnAttribute)
+    
+        # special case handling for 'LastName' attribute
+        emailAddressAttribute = Attribute()
+        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
+                                    XSStringAttributeValue.TYPE_LOCAL_NAME
+        emailAddressAttribute.friendlyName = "emailAddress"
+
+        attributeQuery.attributes.append(emailAddressAttribute)                                   
+        
+        attributeQueryElem = AttributeQueryElementTree.toXML(attributeQuery)
+
+        # Attach query to SOAP body
+        request.envelope.body.elem.append(attributeQueryElem)
+        
+        from M2Crypto.m2urllib2 import HTTPSHandler
+        from urllib2 import URLError
+
+        client.openerDirector.add_handler(HTTPSHandler())
+        try:
+            response = client.send(request)
+        except URLError, e:
+            self.fail("Error calling Attribute Service")
+        
+        print("Response from server:\n\n%s" % response.envelope.serialize())
+        
+        if len(response.envelope.body.elem) != 1:
+            self.fail("Expecting single child element is SOAP body")
+            
+        if QName.getLocalPart(response.envelope.body.elem[0].tag)!='Response':
+            self.fail('Expecting "Response" element in SOAP body')
+            
+        toSAMLTypeMap = [XSGroupRoleAttributeValueElementTree.factoryMatchFunc]
+        response = ResponseElementTree.fromXML(response.envelope.body.elem[0],
+                                            customToSAMLTypeMap=toSAMLTypeMap)
+        self.assert_(response)
+
+    def _parseResponse(self, responseStr):
+        """Helper to parse a response from a string"""
+        soapResponse = SOAPEnvelope()
+        
+        responseStream = StringIO()
+        responseStream.write(responseStr)
         responseStream.seek(0)
         
@@ -387 +391 @@
         response = ResponseElementTree.fromXML(soapResponse.body.elem[0],
                                             customToSAMLTypeMap=toSAMLTypeMap)
+        return response
+        
+    def test03ParseResponse(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                        respDict
+        response = self._parseResponse(responseStr)
         self.assert_(response)
 
+    def test04AssertionConditionExpired(self):
+        utcNow = datetime.utcnow() + timedelta(seconds=60*60*9)
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting not on or after timestamp error")
+        except AttributeQueryResponseError, e:
+            print("PASSED: %s" % e)
+
+    def test05ResponseIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except AttributeQueryResponseError, e:
+            print("PASSED: %s" % e)
+
+    def test06NotBeforeConditionInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow + timedelta(seconds=1)),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except AttributeQueryResponseError, e:
+            print("PASSED: %s" % e)
+
+    def test07AssertionIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except AttributeQueryResponseError, e:
+            print("PASSED: %s" % e)
+
+    def test07ClockSkewCorrectedAssertionIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        
+        # Set a skew to correct the error
+        binding.clockSkew = 1
+        
+        try:
+            binding._verifyTimeConditions(response)
+        except AttributeQueryResponseError, e:
+            self.fail("issue instant timestamp error should be corrected for")
+
+    def test08ClockSkewCorrectedAssertionConditionExpired(self):
+        utcNow = datetime.utcnow() + timedelta(seconds=60*60*9)
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = AttributeQuerySOAPBinding()
+        
+        # Set a skew to correct the error
+        binding.clockSkew = 60*60*9
+        
+        try:
+            binding._verifyTimeConditions(response)
             
+        except AttributeQueryResponseError, e:
+            self.fail("Not on or after timestamp error should be corrected for")
+                 
 if __name__ == "__main__":
     unittest.main()