Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6686

Timestamp:

05/03/10 16:56:35 (11 years ago)

Author:

pjkersha

Message:

Refactoring Attribute Authority to remove NDG Attribute Certificate and role mapping code.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 1 deleted
: 9 edited

.pydevproject (modified) (1 diff)
ndg_security_common/ndg/security/common/utils/factory.py (modified) (2 diffs)
ndg_security_server/ndg/security/server/attributeauthority.py (modified) (12 diffs)
ndg_security_server/ndg/security/server/wsgi/attributeauthority.py (modified) (2 diffs)
ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (5 diffs)
ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini (modified) (4 diffs)
ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAMapConfig.xml (deleted)
ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg (modified) (1 diff)
ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py (modified) (3 diffs)
ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/.pydevproject

-                      r6673
+                      r6686
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.6</pydev_property>
+<pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
+<path>/ndg_security_python/ndg_security_common</path>
+<path>/ndg_security_python/ndg_security_server</path>
+<path>/ndg_security_python/ndg_security_test</path>
+</pydev_pathproperty>
+<pydev_pathproperty name="org.python.pydev.PROJECT_EXTERNAL_SOURCE_PATH">
+<path>/home/pjkersha/workspace/ndg_saml</path>
+<path>/home/pjkersha/workspace/MyProxyClient</path>
+<path>/home/pjkersha/workspace/AuthKit/trunk</path>
+</pydev_pathproperty>
 </pydev_project>

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/factory.py

-                      r6572
+                      r6686
 NERC DataGrid project
 """
 __author__ = "C Byrom - Tessella"
 __date__ = "28/08/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__author__ = "Philip Kershaw"
+__date__ = "15/02/10"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
 __license__ = "BSD - see LICENSE file in top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 …
     if objectName is None:
         if ':' in moduleName:
             # Support PAste style import syntax with rhs of colon denoting
+            # Support Paste style import syntax with rhs of colon denoting
             # module content to import
             _moduleName, objectName = moduleName.rsplit(':', 1)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

-                      r6673
+                      r6686
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.X509 import X500DN
 from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.classfactory import instantiateClass
 …
     def __init__(self, msg):
         log.error(msg)
+        Exception.__init__(self, msg)
+class AttributeAuthorityAccessDenied(AttributeAuthorityError):
+    """NDG Attribute Authority - access denied exception.
+    Raise from getAttCert method where no roles are available for the user
+    but that the request is otherwise valid.  In all other error cases raise
+    AttributeAuthorityError"""
+class AttributeAuthorityNoTrustedHosts(AttributeAuthorityError):
+    """Raise from getTrustedHosts if there are no trusted hosts defined in
+    the map configuration"""
+class AttributeAuthorityNoMatchingRoleInTrustedHosts(AttributeAuthorityError):
+    """Raise from getTrustedHosts if there is no mapping to any of the
+    trusted hosts for the given input role name"""
+        Exception.__init__(self, msg)
 …
     attributeInterfacePropertyDefaults = {
         'modFilePath':  '',
-        'modName':      '',
         'className':    ''
+    }
 …
     # in the config
     propertyDefaults = {
+        'name':                         '',
+        'attCertLifetime':              -1,
+        'attCertNotBeforeOff':          0.,
+        'clockSkew':                    timedelta(seconds=0.),
+        'issuerName':                   '',
+        'assertionLifetime':              -1,
         'dnSeparator':                  '/',
         ATTRIBUTE_INTERFACE_KEYNAME:    attributeInterfacePropertyDefaults
+    }
-    mapConfigHostDefaults = {
-        'siteName':                 None,
-        'aaURI':                    NotImplemented,
-        'aaDN':                     NotImplemented,
-        'loginURI':                 NotImplemented,
-        'loginServerDN':            NotImplemented,
-        'loginRequestServerDN':     NotImplemented
+    }
     def __init__(self):
 …
             setattr(self, '_AttributeAuthority__%s' % name, val)
-        self.__caCertFilePathList = TypedList(basestring)
         self.__propFilePath = None
         self.__propFileSection = 'DEFAULT'
         self.__propPrefix = ''
-        self.__cert = None
-        # Issuer details - serialise using the separator string set in the
-        # properties file
-        self.__issuer = None
-        self.__issuerSerialNumber = None
-        self.__attCertLog = None
-        self.__name = None
         self.__attributeInterfaceCfg = {}
+    def _getCert(self):
+        return self.__cert
+    def _getIssuer(self):
+        return self.__issuer
+    def _getIssuerSerialNumber(self):
+        return self.__issuerSerialNumber
+    def _getName(self):
+        return self.__name
+    def _getAttCertLifetime(self):
+        return self.__attCertLifetime
+    def _getAttCertNotBeforeOff(self):
+        return self.__attCertNotBeforeOff
+    def _getClockSkew(self):
+        return self.__clockSkew
+    def _getAssertionLifetime(self):
+        return self.__assertionLifetime
     def _getAttributeInterface(self):
         return self.__attributeInterface
+    def _setCert(self, value):
+        if not isinstance(value, X509Cert):
+            raise TypeError('Expecting %r type for "cert"; got %r' %
+                            (X509Cert, type(value)))
+        self.__cert = value
+    def _setIssuer(self, value):
+        self.__issuer = value
+    def _setIssuerSerialNumber(self, value):
+        if not isinstance(value, (long, int)):
+            raise TypeError('Expecting long or int type for "name"; got %r' %
+                            type(value))
+        self.__issuerSerialNumber = value
+    def _setName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "name"; got %r' %
+                            type(value))
+        self.__name = value
+    def _setAttCertLifetime(self, value):
+    def _setAssertionLifetime(self, value):
         if isinstance(value, float):
             self.__attCertLifetime = value
+            self.__assertionLifetime = value
         elif isinstance(value, (basestring, int, long)):
             self.__attCertLifetime = float(value)
+            self.__assertionLifetime = float(value)
         else:
             raise TypeError('Expecting float, int, long or string type for '
+                            '"attCertLifetime"; got %r' % type(value))
+    def _setAttCertNotBeforeOff(self, value):
+        if isinstance(value, float):
+            self.__attCertNotBeforeOff = value
+        elif isinstance(value, (basestring, int, long)):
+            self.__attCertNotBeforeOff = float(value)
+        else:
+            raise TypeError('Expecting float, int, long or string type for '
+                            '"attCertNotBeforeOff"; got %r' % type(value))
+    def _setClockSkew(self, value):
+        if isinstance(value, (float, int, long)):
+            self.__clockSkew = timedelta(seconds=value)
+        elif isinstance(value, basestring):
+            self.__clockSkew = timedelta(seconds=float(value))
+        else:
+            raise TypeError('Expecting float, int, long or string type for '
+                            '"clockSkew"; got %r' % type(value))
+                            '"assertionLifetime"; got %r' % type(value))
     def _setAttributeInterface(self, value):
 …
         self.__attributeInterface = value
-    def _get_caCertFilePathList(self):
-        return self.__caCertFilePathList
-    def _set_caCertFilePathList(self, val):
-        if not isinstance(val, (list, tuple)):
-            raise TypeError('Expecting list or tuple type for '
-                            '"caCertFilePathList"; got %r' % type(val))
-        # Overwrite any original settings
-        self.__caCertFilePathList = TypedList(basestring)
-        # Update with new items
-        self.__caCertFilePathList += val
-    caCertFilePathList = property(fget=_get_caCertFilePathList,
-                                  fset=_set_caCertFilePathList,
-                                  doc="list of file paths for CA certificates "
-                                      "used to validate an Attribute "
-                                      "Certificate")
     def _get_attributeInterfaceCfg(self):
 …
                           doc="Set a prefix for ini file properties")
+    cert = property(fget=_getCert,
+                    fset=_setCert,
+                    doc="X.509 Issuer Certificate")
+    issuer = property(fget=_getIssuer,
+                      fset=_setIssuer,
+                      doc="Issuer name")
+    issuerSerialNumber = property(fget=_getIssuerSerialNumber,
+                                  fset=_setIssuerSerialNumber,
+                                  doc="Issuer Serial Number")
+    name = property(fget=_getName,
+                    fset=_setName,
+                    doc="Issuer organisation name")
+    attCertLifetime = property(fget=_getAttCertLifetime,
+                               fset=_setAttCertLifetime,
+                               doc="Attribute certificate lifetime")
+    attCertNotBeforeOff = property(fget=_getAttCertNotBeforeOff,
+                                   fset=_setAttCertNotBeforeOff,
+                                   doc="Attribute certificate clock skew in "
+                                       "seconds")
+    clockSkew = property(fget=_getClockSkew,
+                         fset=_setClockSkew,
+                         doc="Allow a clock skew in seconds for SAML Attribute"
+                             " Query issueInstant parameter check")
+    assertionLifetime = property(fget=_getAssertionLifetime,
+                                 fset=_setAssertionLifetime,
+                                 doc="validity lifetime (s) for Attribute "
+                                     "assertions issued")
     attributeInterface = property(fget=_getAttributeInterface,
                                   fset=_setAttributeInterface,
                                   doc="Attribute Interface object")
-    name = property(fget=_getName, fset=_setName, doc="Organisation Name")
     @classmethod
     def fromPropertyFile(cls, propFilePath=None, propFileSection='DEFAULT',
+                         propPrefix='attributeauthority.',
+                         bReadMapConfig=True):
+                         propPrefix='attributeauthority.'):
         """Create new NDG Attribute Authority instance from the property file
         settings
 …
         attributeAuthority.propFilePath = propFilePath
         attributeAuthority.readProperties()
         attributeAuthority.initialise(bReadMapConfig=bReadMapConfig)
+        attributeAuthority.initialise()
         return attributeAuthority
     @classmethod
+    def fromProperties(cls, propPrefix='attributeauthority.',
+                       bReadMapConfig=True, **prop):
+    def fromProperties(cls, propPrefix='attributeauthority.', **prop):
         """Create new NDG Attribute Authority instance from input property
         keywords
 …
         property names - useful where properties are being parsed from a file
         section containing parameter names for more than one application
-        @type bReadMapConfig: boolean
-        @param bReadMapConfig: by default the Map Configuration file is
-        read.  Set this flag to False to override.
         """
         attributeAuthority = AttributeAuthority()
 …
         attributeAuthority.setProperties(**prop)
         attributeAuthority.initialise(bReadMapConfig=bReadMapConfig)
+        attributeAuthority.initialise()
         return attributeAuthority
     def initialise(self, bReadMapConfig=True):
+    def initialise(self):
         """Convenience method for set up of Attribute Interface, map
         configuration and PKI"""
-        # Read the Map Configuration file
-        if bReadMapConfig:
-            self.readMapConfig()
         # Instantiate Certificate object
         log.debug("Reading and checking Attribute Authority X.509 cert. ...")
-        self.cert = X509Cert.Read(self.signingCertFilePath)
-        # Check it's valid
-        try:
-            self.cert.isValidTime(raiseExcep=True)
-        except Exception, e:
-            raise AttributeAuthorityError("Attribute Authority's certificate "
-                                          "is invalid: %s" % e)
-        # Check CA certificate
-        log.debug("Reading and checking X.509 CA certificate ...")
-        for caCertFile in self.caCertFilePathList:
-            caCert = X509Cert(caCertFile)
-            caCert.read()
-            try:
-                caCert.isValidTime(raiseExcep=True)
-            except Exception, e:
-                raise AttributeAuthorityError('CA certificate "%s" is '
-                                              'invalid: %s'% (caCert.dn, e))
-        # Issuer details - serialise using the separator string set in the
-        # properties file
-        self.issuer = self.cert.dn.serialise(separator=self.dnSeparator)
-        self.issuerSerialNumber = self.cert.serialNumber
         # Load user - user attribute look-up plugin
         self.initAttributeInterface()
-        attCertFilePath = os.path.join(self.attCertDir, self.attCertFileName)
     def setProperties(self, **prop):
 …
         classProperties.update(self.attributeInterfaceCfg)
+        modName = classProperties.pop('modName')
+        className = classProperties.pop('className')
+        className = classProperties.pop('className', None)
+        if className is None:
+            raise AttributeAuthorityConfigError('No Attribute Interface '
+                                                '"className" property set')
         # file path may be omitted
 …
         return samlResponse
+    def getRoles(self, userId):
+        """Get the roles available to the registered user identified userId.
+        @type dn: string
+        @param dn: user identifier - could be a X500 Distinguished Name
+        @return: list of roles for the given user ID"""
+        log.debug('Calling getRoles for user "%s" ...' % userId)
+        # Call to AttributeInterface derived class.  Each Attribute Authority
+        # should define it's own roles class derived from AttributeInterface to
+        # define how roles are accessed
+        try:
+            return self.__attributeInterface.getRoles(userId)
+        except Exception, e:
+            raise AttributeAuthorityError("Getting user roles: %s" % e)
+    def getAttCertFactory(self):
+    def samlAttributeQueryFactory(self):
         """Factory method to create SAML Attribute Query wrapper function
-        @rtype: function
-        @return getAttCert method function wrapper
-        """
-        def getAttCertWrapper(*arg, **kw):
-            """
-            @type *arg: tuple
-            @param *arg: getAttCert arguments
-            @type **kw: dict
-            @param **kw: getAttCert keyword arguments
-            @rtype: ndg.security.common.AttCert.AttCert
-            @return: new attribute certificate
-            """
-            return self.getAttCert(*arg, **kw)
-        return getAttCertWrapper
-    def samlAttributeQueryFactory(self):
-        """Factory method to create SAML Attribute Qeury wrapper function
         @rtype: function
         @return: samlAttributeQuery method function wrapper

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/attributeauthority.py

-                      r6586
+                      r6686
 from ndg.security.server.attributeauthority import AttributeAuthority
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
-from ndg.security.server.wsgi.zsi import SOAPBindingMiddleware
 …
                               doc="Attribute Authority SAML attribute query "
                                   "function")
-from ndg.security.server.zsi.attributeauthority import AttributeAuthorityWS
-class AttributeAuthoritySOAPBindingMiddlewareConfigError(Exception):
-    """Raise if a configuration problem is found"""
-class AttributeAuthoritySOAPBindingMiddleware(NDGSecurityMiddlewareBase,
-                                              AttributeAuthorityWS):
-    """Inheritance from NDGSecurityMiddlewareBase provides a __call__
-    implementation which sets a reference to environ as an object attribute.
-    Inheritance from AttributeAuthorityWS enables preservation of the same
-    SOAP callbacks but with the
-    ndg.security.server.attributeauthority.AttributeAuthority instance provided
-    from environ
-    @type DEFAULT_ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME: basestring
-    @cvar DEFAULT_ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME: Key name used to index the
-    ndg.security.server.attributeauthority.AttributeAuthority instance in the
-    environ dictionary
-    @type ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME_CFG_OPTNAME: basestring
-    @cvar ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME_CFG_OPTNAME: configuration option name
-    for the attribute authority environ key
-    @type DEFAULT_ENVIRON_KEYNAME: basestring
-    @cvar DEFAULT_ENVIRON_KEYNAME: default value for Key name used to index
-    THIS SOAP Service Binding middleware instance in the environ dictionary
-    @type ENVIRON_KEYNAME_CFG_OPTNAME: basestring
-    @cvar ENVIRON_KEYNAME_CFG_OPTNAME: configuration option name for this
-    middleware's environ key
-    """
-    DEFAULT_ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME = \
-                "ndg.security.server.attributeauthority.AttributeAuthority"
-    ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME_CFG_OPTNAME = \
-                'attributeAuthorityEnvironKeyName'
-    DEFAULT_ENVIRON_KEYNAME = ("ndg.security.server.wsgi.attributeauthority."
-                               "AttributeAuthoritySOAPBindingMiddleware")
-    ENVIRON_KEYNAME_CFG_OPTNAME = 'environKeyName'
-    def __init__(self, app):
-        """Don't call AttributeAuthorityWS.__init__ - AttributeAuthority
-        instance is provided via environ through upstream
-        AttributeAuthorityMiddleware
-        """
-        # Call this base class initialiser to set-up the environ attribute
-        NDGSecurityMiddlewareBase.__init__(self, app, None)
-        AttributeAuthorityWS.__init__(self)
-        self.__keyName = None
-        self.__attributeAuthorityKeyName = None
-    def _getKeyName(self):
-        return self.__keyName
-    def _setKeyName(self, val):
-        if not isinstance(val, basestring):
-            raise TypeError('Expecting %r for "keyName" attribute; got %r' %
-                            (basestring, type(val)))
-        self.__keyName = val
-    keyName = property(fget=_getKeyName,
-                       fset=_setKeyName,
-                       doc="Key name used to index THIS SOAP Service Binding "
-                           "middleware instance in the environ dictionary")
-    def _getAttributeAuthorityKeyName(self):
-        return self.__attributeAuthorityKeyName
-    def _setAttributeAuthorityKeyName(self, val):
-        if not isinstance(val, basestring):
-            raise TypeError('Expecting %r for "attributeAuthorityKeyName" '
-                            'attribute; got %r' %(basestring, type(val)))
-        self.__attributeAuthorityKeyName = val
-    attributeAuthorityKeyName = property(fget=_getAttributeAuthorityKeyName,
-                                         fset=_setAttributeAuthorityKeyName,
-                                         doc="Key name used to index the "
-                                             "ndg.security.server.attribute"
-                                             "authority.AttributeAuthority "
-                                             "instance in the environ "
-                                             "dictionary")
-    @classmethod
-    def filter_app_factory(cls, app, global_conf,
-        attributeAuthoritySOAPBindingPrefix='attributeauthority.soapbinding.',
-        **app_conf):
-        """Set-up Attribute Authority SOAP Binding middleware using a Paste app
-        factory pattern.  Overloaded base class method to enable custom
-        settings from app_conf
-        @type app: callable following WSGI interface
-        @param app: next middleware application in the chain
-        @type global_conf: dict
-        @param global_conf: PasteDeploy global configuration dictionary
-        @type prefix: basestring
-        @param prefix: prefix for configuration items
-        @type app_conf: dict
-        @param app_conf: PasteDeploy application specific configuration
-        dictionary
-        """
-        # Generic Binding middleware intercepts the SOAP_ACTION set in environ
-        # and maps it to the matching soap_{SOAP_ACTION} method from this class
-        soapBindingApp = SOAPBindingMiddleware.filter_app_factory(app,
-                                                                  global_conf,
-                                                                  **app_conf)
-        # Make the SOAP Binding wrapper pick up this Attribute Authority
-        # specific SOAP Binding
-        optName = attributeAuthoritySOAPBindingPrefix + \
-                cls.ENVIRON_KEYNAME_CFG_OPTNAME
-        soapBindingApp.serviceSOAPBindingKeyName = app_conf.get(optName,
-                                                cls.DEFAULT_ENVIRON_KEYNAME)
-        # Instantiate this middleware and copy the environ key name setting for
-        # the Attribute Authority Service SOAP Binding
-        app = cls(soapBindingApp)
-        app.keyName = soapBindingApp.serviceSOAPBindingKeyName
-        # envrion key name for the
-        # ndg.security.server.attributeauthority.AttributeAuthority instance
-        optName = attributeAuthoritySOAPBindingPrefix + \
-                cls.ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME_CFG_OPTNAME
-        app.attributeAuthorityKeyName = app_conf.get(optName,
-                           cls.DEFAULT_ATTRIBUTE_AUTHORITY_ENVIRON_KEYNAME)
-        # Extract local WS-Security signature verification filter
-        optName = attributeAuthoritySOAPBindingPrefix + \
-                            cls.WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME
-        app.wsseSignatureVerificationFilterID = app_conf.pop(optName, None)
-        if app.wsseSignatureVerificationFilterID is None:
-            log.warning('No "%s" option was set in the input config' %
-                        cls.WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME)
-        else:
-            log.info('Updated setting from "%s" option' %
-                     cls.WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME)
-        return app
-    @NDGSecurityMiddlewareBase.initCall
-    def __call__(self, environ, start_response):
-        """Set a reference to self in environ for the SOAPBindingMiddleware
-        instance to pick up downstream
-        @type environ: dict
-        @param environ: WSGI environment variables dictionary
-        @type start_response: function
-        @param start_response: standard WSGI start response function
-        """
-        environ[self.keyName] = self
-        return self._app(environ, start_response)
-    def soap_getAttCert(self, ps):
-        '''Retrieve an Attribute Certificate
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: ndg.security.common.zsi.attributeauthority.AttributeAuthority_services_types.getAttCertResponse_Holder
-        @return: response'''
-        self._setAttributeAuthorityFromEnviron()
-        return AttributeAuthorityWS.soap_getAttCert(self, ps)
-    def soap_getHostInfo(self, ps):
-        '''Get information about this host
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: response
-        @return: response'''
-        self._setAttributeAuthorityFromEnviron()
-        return AttributeAuthorityWS.soap_getHostInfo(self, ps)
-    def soap_getAllHostsInfo(self, ps):
-        '''Get information about all hosts
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: tuple
-        @return: response object'''
-        self._setAttributeAuthorityFromEnviron()
-        return AttributeAuthorityWS.soap_getAllHostsInfo(self, ps)
-    def soap_getTrustedHostInfo(self, ps):
-        '''Get information about other trusted hosts
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: tuple
-        @return: response object'''
-        self._setAttributeAuthorityFromEnviron()
-        return AttributeAuthorityWS.soap_getTrustedHostInfo(self, ps)
-    def _setAttributeAuthorityFromEnviron(self):
-        self.aa = self.environ.get(self.attributeAuthorityKeyName)
-        if self.aa is None:
-            raise AttributeAuthoritySOAPBindingMiddlewareConfigError(
-                                            'No "%s" key found in environ' %
-                                            self.attributeAuthorityKeyName)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/init.py

-                      r6615
+                      r6686
         self.__serialise = None
         self.__deserialise = None
+        self.__issuer = None
+        self.__clockSkewTolerance = 0.
+        self.__verifyTimeConditions = True
     def initialise(self, global_conf, prefix='', **app_conf):
 …
                             value)
     deserialise = property(_getDeserialise,
                            _setDeserialise,
                            doc="callable to de-serialise response from XML "
                                "type")
+    def _getIssuer(self):
+        return self.__issuer
+    def _setIssuer(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "issuer"; got %r' %
+                            type(value))
+        self.__issuer = value
+    issuer = property(fget=_getIssuer,
+                      fset=_setIssuer,
+                      doc="Name of issuing authority")
+    def _getVerifyTimeConditions(self):
+        return self.__verifyTimeConditions
+    def _setVerifyTimeConditions(self, value):
+        if isinstance(value, bool):
+            self.__verifyTimeConditions = value
+        if isinstance(value, basestring):
+            self.__verifyTimeConditions = str2Bool(value)
+        else:
+            raise TypeError('Expecting bool or string type for '
+                            '"verifyTimeConditions"; got %r instead' %
+                            type(value))
+    verifyTimeConditions = property(_getVerifyTimeConditions,
+                                    _setVerifyTimeConditions,
+                                    doc='Set to True to verify any time '
+                                        'Conditions set in the returned '
+                                        'response assertions')
+    def _getClockSkewTolerance(self):
+        return self.__clockSkewTolerance
+    def _setClockSkewTolerance(self, value):
+        if isinstance(value, (float, int, long)):
+            self.__clockSkewTolerance = timedelta(seconds=value)
+        elif isinstance(value, basestring):
+            self.__clockSkewTolerance = timedelta(seconds=float(value))
+        else:
+            raise TypeError('Expecting float, int, long or string type for '
+                            '"clockSkew"; got %r' % type(value))
+    clockSkewTolerance = property(fget=_getClockSkewTolerance,
+                                  fset=_setClockSkewTolerance,
+                                  doc="Set a tolerance of +/- n seconds to "
+                                      "allow for clock skew when checking "
+                                      "timestamps of client queries")
     @classmethod
     def filter_app_factory(cls, app, global_conf, **app_conf):
 …
         queryElem = soapRequest.body.elem[0]
+        # Create a response with basic attributes if provided in the
+        # initialisation config
+        samlResponse = self._initResponse()
         try:
+            query = self.deserialise(queryElem)
+            samlQuery = self.deserialise(queryElem)
         except UnknownAttrProfile:
             log.exception("%r raised parsing incoming query: " %
                           (type(e), traceback.format_exc()))
+            samlResponse = self._makeErrorResponse(
+                                        StatusCode.UNKNOWN_ATTR_PROFILE_URI)
+            samlResponse.statusCode.value = StatusCode.UNKNOWN_ATTR_PROFILE_URI
         else:
             # Check for Query Interface in environ
 …
                                 self.queryInterfaceKeyName)
+            # Basic validation
+            self._validateQuery(samlQuery)
+            samlResponse.inResponseTo = samlQuery.id
             # Call query interface
             samlResponse = queryInterface(query)
+            queryInterface(samlQuery, samlResponse)
         # Convert to ElementTree representation to enable attachment to SOAP
 …
                         ('Content-type', 'text/xml')])
         return [response]
+    def _makeErrorResponse(self, code):
+        """Convenience method for making a basic response following an error
+    def _validateQuery(self, query):
+        if not self.verifyTimeConditions:
+            log.debug("Skipping verification of SAML Response time conditions")
+        utcNow = datetime.utcnow()
+        nowPlusSkew = utcNow + self.clockSkewTolerance
+        if response.issueInstant > nowPlusSkew:
+            msg = ('SAML Attribute Query issueInstant [%s] is after '
+                   'the clock time [%s] (skewed +%s)' %
+                   (query.issueInstant,
+                    SAMLDateTime.toString(nowPlusSkew),
+                    self.clockSkewTolerance))
+            samlRespError = QueryIssueInstantInvalid(msg)
+            samlRespError.response = response
+            raise samlRespError
+    def _initResponse(self):
+        """Create a SAML Response object with basic settings if any have been
+        provided at initialisation of this class - see initialise
+        @return: SAML response object
+        @rtype: ndg.saml.saml2.core.Response
         """
         samlResponse = Response()
+        samlResponse.issueInstant = datetime.utcnow()
+        utcNow = datetime.utcnow()
+        samlResponse.issueInstant = utcNow
         samlResponse.id = str(uuid4())
+        samlResponse.issuer = Issuer()
+        # Nb. SAML 2.0 spec says issuer format must be omitted
+        if self.issuer is not None:
+            samlResponse.issuer.value = self.issuer
         # Initialise to success status but reset on error
         samlResponse.status = Status()
         samlResponse.status.statusCode = StatusCode()
+        samlResponse.status.statusCode.value = code
+        samlResponse.status.statusMessage = StatusMessage()
+        samlResponse.status.statusCode.value = StatusCode.SUCCESS_URI
+        samlResponse.status.statusMessage = StatusMessage()
         return samlResponse

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

-                      r6615
+                      r6686
 [pipeline:main]
 pipeline = AttributeAuthorityFilter
-                   wsseSignatureVerificationFilter
-                   AttributeAuthorityWsdlSoapBindingFilter
-                   wsseSignatureFilter
                    AttributeAuthoritySamlSoapBindingFilter
                    mainApp
 …
 attributeAuthority.clockSkew: 180.0
-# All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: %(here)s/attributeCertificateLog
-# Files in attCertDir are stored using a rotating file handler
-# attCertFileLogCnt sets the max number of files created before the first is
-# overwritten
-attributeAuthority.attCertFileName: ac.xml
-attributeAuthority.attCertFileLogCnt: 16
 attributeAuthority.dnSeparator:/
-# Location of role mapping file
-attributeAuthority.mapConfigFilePath: %(here)s/siteAMapConfig.xml
 # Settings for custom AttributeInterface derived class to get user roles for given
 …
 attributeAuthority.attributeInterface.modName: siteAUserRoles
 attributeAuthority.attributeInterface.className: TestUserRoles
-# Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: %(here)s/siteA-aa.key
-attributeAuthority.signingCertFilePath: %(here)s/siteA-aa.crt
-attributeAuthority.caCertFilePathList: $NDGSEC_TEST_CONFIG_DIR/ca/ndg-test-ca.crt
-# SOAP WSDL Based Binding to the Attribute Authority
-[filter:AttributeAuthorityWsdlSoapBindingFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
-prefix = service.soap.binding.
-attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.
-service.soap.binding.referencedFilters = wsseSignatureVerificationFilter01
-service.soap.binding.path = %(attributeAuthoritySoapWsdlServicePath)s
-service.soap.binding.enableWSDLQuery = True
-service.soap.binding.charset = utf-8
-service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware
-attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
-attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = wsseSignatureVerificationFilter01
 # SAML SOAP Binding to the Attribute Authority
 …
 saml.soapbinding.pathMatchList = /AttributeAuthority/saml
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
-[filter:wsseSignatureVerificationFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
-filterID = wsseSignatureVerificationFilter01
-path = %(attributeAuthoritySoapWsdlServicePath)s
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-# Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=$NDGSEC_TEST_CONFIG_DIR/ca/ndg-test-ca.crt
-[filter:wsseSignatureFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory
-path = %(attributeAuthoritySoapWsdlServicePath)s
-# Reference the verification filter in order to be able to apply signature
-# confirmation
-referencedFilters = wsseSignatureVerificationFilter01
-wsseSignatureVerificationFilterID = wsseSignatureVerificationFilter01
-# Last filter in chain SOAP handlers writes the response
-writeResponse = True
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-# Certificate associated with private key used to sign a message.  The sign
-# method will add this to the BinarySecurityToken element of the WSSE header.
-wssecurity.signingCertFilePath=%(here)s/siteA-aa.crt
-# PEM encoded private key file
-wssecurity.signingPriKeyFilePath=%(here)s/siteA-aa.key
-# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
-# signed message.  See __setReqBinSecTokValType method and binSecTokValType
-# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
-# give full namespace to alternative - see
-# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
-# binSecTokValType determines whether signingCert or signingCertChain
-# attributes will be used.
-wssecurity.reqBinSecTokValType=X509v3
-# Add a timestamp element to an outbound message
-wssecurity.addTimestamp=True
-# For WSSE 1.1 - service returns signature confirmation containing signature
-# value sent by client
-wssecurity.applySignatureConfirmation=True

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg

-                      r5681
+                      r6686
 [DEFAULT]
+siteBPropFilePath=$NDGSEC_TEST_CONFIG_DIR/attributeauthority/siteb/siteBAttAuthority.cfg
+[setUp]
+# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
+# setting for test6GetMappedAttCert
+propFilePath=$NDGSEC_TEST_CONFIG_DIR/attributeauthority/sitea/siteAAttributeAuthority.cfg
+# For https connections only.  !Omit ssl* settings if using http!
+# sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the
+# same as peer hostname.
+sslPeerCertCN = AttributeAuthority
+sslCACertFilePathList = $NDGSEC_TEST_CONFIG_DIR/ca/ndg-test-ca.crt
+[test02GetTrustedHostInfo]
+role = urn:siteA:security:authz:1.0:attr:postgrad
+[test03GetTrustedHostInfoWithNoMatchingRoleFound]
+# Set an alternative role to test no matching role found exception
+role = blah
+[test05GetAttCert]
+issuingClntCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/user.crt
+# Setup for use by test08GetMappedAttCert test
+attCertFilePath = $NDGSEC_AA_UNITTEST_DIR/ac-clnt.xml
+[test06GetAttCertWithUserIdSet]
+userId = system
+attCertFilePath = $NDGSEC_AA_UNITTEST_DIR/ac-clnt-test6.xml
+[test07GetMappedAttCert]
+issuingClntCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/user.crt
+userAttCertFilePath = $NDGSEC_AA_UNITTEST_DIR/ac-clnt.xml
+mappedAttCertFilePath = $NDGSEC_AA_UNITTEST_DIR/mapped-ac.xml
+[test08GetMappedAttCertStressTest]
+issuingClntCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/user.crt
+userAttCertFilePathList = $NDGSEC_AA_UNITTEST_DIR/ac-clnt.xml
+prefix='attribute-authority.'
+attribute-authority.assertionLifetime = 3600
+attribute-authority.issuerName = /O=My Organisation/OU=Centre/CN=Attribute Authority
+attribute-authority.attributeInterface.className = ndg.security.server.attributeauthority.AttributeInterface

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py

-                      r6615
+                      r6686
 logging.basicConfig(level=logging.DEBUG)
+from os.path import expandvars as xpdVars
+from os.path import join as jnPath
+mkPath = lambda file:jnPath(os.environ['NDGSEC_AA_UNITTEST_DIR'], file)
+from warnings import warn
+from uuid import uuid4
+from datetime import datetime
+from os import path
 from ndg.security.test.unit import BaseTestCase
 …
     CaseSensitiveConfigParser)
 from ndg.security.server.attributeauthority import (AttributeAuthority,
-    AttributeAuthorityNoMatchingRoleInTrustedHosts,
     SQLAlchemyAttributeInterface, InvalidAttributeFormat)
+from ndg.security.common.AttCert import AttCert
+class AttributeAuthorityTestCase(BaseTestCase):
+    clntPriKeyPwd = None
+    def setUp(self):
+        super(AttributeAuthorityTestCase, self).setUp()
+        if 'NDGSEC_INT_DEBUG' in os.environ:
+            import pdb
+            pdb.set_trace()
+        if 'NDGSEC_AA_UNITTEST_DIR' not in os.environ:
+            os.environ['NDGSEC_AA_UNITTEST_DIR'] = \
+                os.path.abspath(os.path.dirname(__file__))
+        self.cfgParser = CaseSensitiveConfigParser()
+        cfgFilePath = mkPath('test_attributeauthority.cfg')
+        self.cfgParser.read(cfgFilePath)
+        self.cfg = {}
+        for section in self.cfgParser.sections() + ['DEFAULT']:
+            self.cfg[section] = dict(self.cfgParser.items(section))
+        self.aa = AttributeAuthority.fromPropertyFile(
+                                            self.cfg['setUp']['propFilePath'])
+    _mkSiteBAttributeAuthority = lambda self: \
+        AttributeAuthority.fromPropertyFile(
+                        propFilePath=self.cfg['DEFAULT']['siteBPropFilePath'])
+    def test01GetHostInfo(self):
+        """test01GetHostInfo: retrieve info for AA host"""
+        hostInfo = self.aa.hostInfo
+        print("Host Info:\n %s" % hostInfo)
+    def test02GetTrustedHostInfo(self):
+        """test02GetTrustedHostInfo: retrieve trusted host info matching a
+        given role"""
+        thisSection = self.cfg['test02GetTrustedHostInfo']
+        trustedHostInfo = self.aa.getTrustedHostInfo(thisSection['role'])
+        for hostname, hostInfo in trustedHostInfo.items():
+            self.assert_(hostname, "Hostname not set")
+            for k, v in hostInfo.items():
+                self.assert_(k, "hostInfo value key unset")
+        print("Trusted Host Info:\n %s" % trustedHostInfo)
+    def test03GetTrustedHostInfoWithNoMatchingRoleFound(self):
+        """test03GetTrustedHostInfoWithNoMatchingRoleFound: test the case
+        where the input role doesn't match any roles in the target AA's map
+        config file"""
+        thisSection = self.cfg[
+                            'test03GetTrustedHostInfoWithNoMatchingRoleFound']
+        try:
+            trustedHostInfo = self.aa.getTrustedHostInfo(thisSection['role'])
+            self.fail("Expecting NoMatchingRoleInTrustedHosts exception")
+        except AttributeAuthorityNoMatchingRoleInTrustedHosts, e:
+            print('PASSED - no match for role "%s": %s' % (thisSection['role'],
+                                                           e))
+    def test04GetTrustedHostInfoWithNoRole(self):
+        """test04GetTrustedHostInfoWithNoRole: retrieve trusted host info
+        irrespective of role"""
+        trustedHostInfo = self.aa.getTrustedHostInfo()
+        for hostname, hostInfo in trustedHostInfo.items():
+            self.assert_(hostname, "Hostname not set")
+            for k, v in hostInfo.items():
+                self.assert_(k, "hostInfo value key unset")
+        print("Trusted Host Info:\n %s" % trustedHostInfo)
+    def test05GetAttCert(self):
+        """test05GetAttCert: Request attribute certificate from NDG Attribute
+        Authority Web Service."""
+        thisSection = self.cfg['test05GetAttCert']
+        # Read user Certificate into a string ready for passing via WS
+        try:
+            userX509CertFilePath = xpdVars(thisSection.get(
+                                                    'issuingClntCertFilePath'))
+            userX509CertTxt = open(userX509CertFilePath, 'r').read()
+        except TypeError:
+            # No issuing cert set
+            userX509CertTxt = None
+        except IOError, ioErr:
+            raise Exception("Error reading certificate file \"%s\": %s" %
+                                    (ioErr.filename, ioErr.strerror))
+        # Make attribute certificate request
+        attCert = self.aa.getAttCert(holderX509Cert=userX509CertTxt)
+        print("Attribute Certificate: \n\n:" + str(attCert))
+        attCert.filePath = xpdVars(thisSection['attCertFilePath'])
+        attCert.write()
+    def test06GetAttCertWithUserIdSet(self):
+        """test06GetAttCertWithUserIdSet: Request attribute certificate from
+        NDG Attribute Authority Web Service setting a specific user Id
+        independent of the signer of the SOAP request."""
+        thisSection = self.cfg['test06GetAttCertWithUserIdSet']
+        # Make attribute certificate request
+        userId = thisSection['userId']
+        attCert = self.aa.getAttCert(userId=userId)
+        print("Attribute Certificate: \n\n:" + str(attCert))
+        attCert.filePath = xpdVars(thisSection['attCertFilePath'])
+        attCert.write()
+    def test07GetMappedAttCert(self):
+        """test07GetMappedAttCert: Request mapped attribute certificate from
+        NDG Attribute Authority Web Service."""
+        thisSection = self.cfg['test07GetMappedAttCert']
+        # Read user Certificate into a string ready for passing via WS
+        try:
+            userX509CertFilePath = xpdVars(thisSection.get(
+                                                    'issuingClntCertFilePath'))
+            userX509CertTxt = open(userX509CertFilePath, 'r').read()
+        except TypeError:
+            # No issuing cert set
+            userX509CertTxt = None
+        except IOError, ioErr:
+            raise Exception("Error reading certificate file \"%s\": %s" %
+                                    (ioErr.filename, ioErr.strerror))
+        # Simlarly for Attribute Certificate
+        try:
+            userAttCert = AttCert.Read(
+                                xpdVars(thisSection['userAttCertFilePath']))
+        except IOError, ioErr:
+            raise Exception("Error reading attribute certificate file \"%s\": "
+                            "%s" % (ioErr.filename, ioErr.strerror))
+        # Make client to site B Attribute Authority
+        siteBAA = self._mkSiteBAttributeAuthority()
+        # Make attribute certificate request
+        attCert = siteBAA.getAttCert(holderX509Cert=userX509CertTxt,
+                                     userAttCert=userAttCert)
+        print("Attribute Certificate: \n\n:" + str(attCert))
+        attCert.filePath = xpdVars(thisSection['mappedAttCertFilePath'])
+        attCert.write()
+    def test08GetMappedAttCertStressTest(self):
+        """test08GetMappedAttCertStressTest: Request mapped attribute
+        certificate from NDG Attribute Authority Web Service."""
+        thisSection = self.cfg['test08GetMappedAttCertStressTest']
+        # Read user Certificate into a string ready for passing via WS
+        try:
+            userX509CertFilePath = xpdVars(thisSection.get(
+                                                    'issuingClntCertFilePath'))
+            userX509CertTxt = open(userX509CertFilePath, 'r').read()
+        except TypeError:
+            # No issuing cert set
+            userX509CertTxt = None
+        except IOError, ioErr:
+            raise Exception("Error reading certificate file \"%s\": %s" %
+                                    (ioErr.filename, ioErr.strerror))
+        # Make client to site B Attribute Authority
+        siteBAA = self._mkSiteBAttributeAuthority()
+        acFilePathList = [xpdVars(file) for file in \
+                          thisSection['userAttCertFilePathList'].split()]
+        passed = True
+        for acFilePath in acFilePathList:
+            try:
+                userAttCert = AttCert.Read(acFilePath)
+            except IOError, ioErr:
+                raise Exception("Error reading attribute certificate file "
+                                '"%s": %s' % (ioErr.filename, ioErr.strerror))
+            # Make attribute certificate request
+            try:
+                attCert = siteBAA.getAttCert(holderX509Cert=userX509CertTxt,
+                                             userAttCert=userAttCert)
+            except Exception, e:
+                passed = True
+                outFilePfx = 'test08GetMappedAttCertStressTest-%s' % \
+                        os.path.basename(acFilePath)
+                msgFile = open(outFilePfx+".msg", 'w')
+                msgFile.write('Failed for "%s": %s\n' % (acFilePath, e))
+        self.assert_(passed,
+                     "At least one Attribute Certificate request failed.  "
+                     "Check the .msg files in this directory")
+from warnings import warn
+from uuid import uuid4
+from datetime import datetime
+from ndg.saml.saml2.core import (Response, Attribute, SAMLVersion, Subject, NameID,
+                             Issuer, AttributeQuery, XSStringAttributeValue,
+                             Status, StatusMessage, StatusCode)
+from ndg.saml.saml2.core import (Response, Attribute, SAMLVersion, Subject,
+                                 NameID, Issuer, AttributeQuery,
+                                 XSStringAttributeValue, Status, StatusMessage,
+                                 StatusCode)
 from ndg.saml.xml import XMLConstants
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+THIS_DIR = path.dirname(__file__)
+class AttributeAuthorityTestCase(BaseTestCase):
+    THIS_DIR = THIS_DIR
+    PROPERTIES_FILENAME = 'test_attributeauthority.cfg'
+    PROPERTIES_FILEPATH = path.join(THIS_DIR, PROPERTIES_FILENAME)
+    ISSUER_NAME = '/O=My Organisation/OU=Centre/CN=Attribute Authority'
+    def test01ParsePropertiesFile(self):
+        cls = AttributeAuthorityTestCase
+        aa = AttributeAuthority.fromPropertyFile(cls.PROPERTIES_FILEPATH)
+        self.assert_(aa)
+        self.assert_(aa.assertionLifetime == 3600)
+        self.assert_(aa.issuerName == cls.ISSUER_NAME)
+    def test02FromPropertis(self):
+        # Casts from string to float
+        assertionLifetime = "86400"
+        issuerName = 'My issuer'
+        aa = AttributeAuthority.fromProperties(issuerName=issuerName,
+                                            assertionLifetime=assertionLifetime)
+        self.assert_(aa)
+        self.assert_(aa.assertionLifetime == float(assertionLifetime))
+        self.assert_(aa.issuerName == issuerName)
 class SQLAlchemyAttributeInterfaceTestCase(BaseTestCase):
+    THIS_DIR = THIS_DIR
+    PROPERTIES_FILENAME = 'test_sqlalchemyattributeinterface.cfg'
+    PROPERTIES_FILEPATH = path.join(THIS_DIR, PROPERTIES_FILENAME)
     SAML_SUBJECT_SQLQUERY = ("select count(*) from users where openid = "
                              "'${userId}'")
 …
             return
         cfgParser = CaseSensitiveConfigParser()
+        cfgFilePath = mkPath('test_sqlalchemyattributeinterface.cfg')
+        cls = SQLAlchemyAttributeInterfaceTestCase
+        cfgFilePath = cls.PROPERTIES_FILEPATH
         cfgParser.read(cfgFilePath)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py

-                      r6615
+                      r6686
 from xml.etree import ElementTree
+from ndg.saml.utils import SAMLDateTime
 from ndg.saml.saml2.core import (Response, Assertion, Attribute,
                              AttributeStatement, SAMLVersion, Subject, NameID,
 …
 from ndg.security.common.soap.etree import SOAPEnvelope
 from ndg.security.common.utils.etree import QName, prettyPrint
+from ndg.security.common.saml_utils.binding.soap.subjectquery import (
+    SubjectQuerySOAPBinding, ResponseIssueInstantInvalid,
+    AssertionIssueInstantInvalid, AssertionConditionNotBeforeInvalid,
+    AssertionConditionNotOnOrAfterInvalid)
 from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces,
                                           XSGroupRoleAttributeValue)
 …
     """TODO: test SAML Attribute Authority interface"""
     thisDir = os.path.dirname(os.path.abspath(__file__))
+    RESPONSE = '''\
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+   <SOAP-ENV:Body>
+      <samlp:Response ID="05680cb2-4973-443d-9d31-7bc99bea87c1" InResponseTo="e3183380-ae82-4285-8827-8c40613842de" IssueInstant="%(issueInstant)s" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+         <saml:Issuer Format="urn:esg:issuer" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ESG-NCAR</saml:Issuer>
+         <samlp:Status>
+            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+         </samlp:Status>
+         <saml:Assertion ID="192c67d9-f9cd-457a-9242-999e7b943166" IssueInstant="%(assertionIssueInstant)s" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+            <saml:Issuer Format="urn:esg:issuer">ESG-NCAR</saml:Issuer>
+            <saml:Subject>
+               <saml:NameID Format="urn:esg:openid">https://esg.prototype.ucar.edu/myopenid/testUser</saml:NameID>
+            </saml:Subject>
+            <saml:Conditions NotBefore="%(notBefore)s" NotOnOrAfter="%(notOnOrAfter)s" />
+            <saml:AttributeStatement>
+               <saml:Attribute FriendlyName="FirstName" Name="urn:esg:first:name" NameFormat="http://www.w3.org/2001/XMLSchema#string">
+                  <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Test</saml:AttributeValue>
+               </saml:Attribute>
+               <saml:Attribute FriendlyName="LastName" Name="urn:esg:last:name" NameFormat="http://www.w3.org/2001/XMLSchema#string">
+                  <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">User</saml:AttributeValue>
+               </saml:Attribute>
+               <saml:Attribute FriendlyName="EmailAddress" Name="urn:esg:first:email:address" NameFormat="http://www.w3.org/2001/XMLSchema#string">
+                  <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">ejn@ucar.edu</saml:AttributeValue>
+               </saml:Attribute>
+               <saml:Attribute FriendlyName="GroupRole" Name="urn:esg:group:role" NameFormat="groupRole">
+                  <saml:AttributeValue>
+                     <esg:groupRole group="CCSM" role="default" xmlns:esg="http://www.esg.org" />
+                  </saml:AttributeValue>
+                  <saml:AttributeValue>
+                     <esg:groupRole group="Dynamical Core" role="default" xmlns:esg="http://www.esg.org" />
+                  </saml:AttributeValue>
+                  <saml:AttributeValue>
+                     <esg:groupRole group="NARCCAP" role="default" xmlns:esg="http://www.esg.org" />
+                  </saml:AttributeValue>
+               </saml:Attribute>
+            </saml:AttributeStatement>
+         </saml:Assertion>
+      </samlp:Response>
+   </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+'''
     def __init__(self, *args, **kwargs):
 …
         BaseTestCase.__init__(self, *args, **kwargs)
     def test01AttributeQuery(self):
         attributeQuery = AttributeQuery()
 …
         self.assert_(response)
+    def _parseResponse(self, responseStr):
+        """Helper to parse a response from a string"""
+        soapResponse = SOAPEnvelope()
+        responseStream = StringIO()
+        responseStream.write(responseStr)
+        responseStream.seek(0)
+        soapResponse.parse(responseStream)
+        print("Parsed response ...")
+        print(soapResponse.serialize())
+        toSAMLTypeMap = [XSGroupRoleAttributeValueElementTree.factoryMatchFunc]
+        response = ResponseElementTree.fromXML(soapResponse.body.elem[0],
+                                            customToSAMLTypeMap=toSAMLTypeMap)
+        return response
+    def test03ParseResponse(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                        respDict
+        response = self._parseResponse(responseStr)
+        self.assert_(response)
+    def test04AssertionConditionExpired(self):
+        # issued 9 hours ago
+        issueInstant = datetime.utcnow() - timedelta(seconds=60*60*9)
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(issueInstant),
+            'assertionIssueInstant': SAMLDateTime.toString(issueInstant),
+            'notBefore': SAMLDateTime.toString(issueInstant),
+            # It lasts for 8 hours so it's expired by one hour
+            'notOnOrAfter': SAMLDateTime.toString(issueInstant + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting not on or after timestamp error")
+        except AssertionConditionNotOnOrAfterInvalid, e:
+            print("PASSED: %s" % e)
+    def test05ResponseIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except ResponseIssueInstantInvalid, e:
+            print("PASSED: %s" % e)
+    def test06NotBeforeConditionInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow),
+            'notBefore': SAMLDateTime.toString(utcNow + timedelta(seconds=1)),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except AssertionConditionNotBeforeInvalid, e:
+            print("PASSED: %s" % e)
+    def test07AssertionIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        try:
+            binding._verifyTimeConditions(response)
+            self.fail("Expecting issue instant timestamp error")
+        except AssertionIssueInstantInvalid, e:
+            print("PASSED: %s" % e)
+    def test07ClockSkewCorrectedAssertionIssueInstantInvalid(self):
+        utcNow = datetime.utcnow()
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(utcNow),
+            'assertionIssueInstant': SAMLDateTime.toString(utcNow + timedelta(
+                                                                    seconds=1)),
+            'notBefore': SAMLDateTime.toString(utcNow),
+            'notOnOrAfter': SAMLDateTime.toString(utcNow + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        # Set a skew to correct the error
+        binding.clockSkewTolerance = 1
+        try:
+            binding._verifyTimeConditions(response)
+        except AssertionIssueInstantInvalid, e:
+            self.fail("issue instant timestamp error should be corrected for")
+    def test08ClockSkewCorrectedAssertionConditionExpired(self):
+        # Issued 9 hours ago
+        issueInstant = datetime.utcnow() - timedelta(seconds=60*60*9)
+        respDict = {
+            'issueInstant': SAMLDateTime.toString(issueInstant),
+            'assertionIssueInstant': SAMLDateTime.toString(issueInstant),
+            'notBefore': SAMLDateTime.toString(issueInstant),
+            # Assertion lasts 8 hours so it has expired by one hour
+            'notOnOrAfter': SAMLDateTime.toString(issueInstant + timedelta(
+                                                            seconds=60*60*8))
+        }
+        responseStr = SamlAttributeAuthorityInterfaceTestCase.RESPONSE % \
+                                                                    respDict
+        response = self._parseResponse(responseStr)
+        binding = SubjectQuerySOAPBinding()
+        # Set a skew of over one hour to correct for the assertion expiry
+        binding.clockSkewTolerance = 60*60 + 3
+        try:
+            binding._verifyTimeConditions(response)
+        except AssertionConditionNotOnOrAfterInvalid, e:
+            self.fail("Not on or after timestamp error should be corrected for")
 if __name__ == "__main__":

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 6686

Legend:

Download in other formats: