Ignore:
Timestamp:
11/03/10 14:55:42 (11 years ago)
Author:
pjkersha
Message:
  • Working Attribute Authority client unit tests. Configuration parameters such as issuer and flags to test query timestamp and SAML version string have now been moved out of the Attribute Authority to the generic SAML subject Query middleware interface ndg.security.server.wsgi.saml.SOAPQueryInterfaceMiddleware. This could be moved into the SAML egg at a later stage. The AuthzDecisionQuery? interface should be retested to allow for these changes.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test
Files:
9 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/README

    r5290 r6721  
    88    
    99   $ paster serve site-a.ini 
     10       
     11 - sitea_attributeauthority.py: script to invoke the service: 
     12  
     13   $ python ./sitea_attributeauthority.py 
    1014    
    11  - siteAAttributeAuthority.cfg: example standalone Attribute Authority config 
    12    file without Paste configuration 
     15   This script can be used to test the service but the unit tests start up and 
     16   close down attribute authority instances atuomatically.  See:  
     17   ndg.security.test.unit.BaseTestCase 
    1318    
    14  - siteAMapConfig.xml: configures trust relationships with other organisations 
    15    (site b for the tests) 
     19 - sitea_attributeinterface.py: attribute interface plugin to the Attribute  
     20   Authority determines what attributes a given user is entitled to.  In a  
     21   production deployment this might link to a user database or other repository. 
    1622    
    17  - siteAServerApp.py: script to invoke the service: 
    18   
    19    $ python ../siteAServerApp.py 
    20     
    21    This script is used as a convenience method for running the unit tests. 
    22     
    23  - siteAUserRoles.py: attribute interface plugin to the Attribute Authority 
    24    determines what attributes a given user is entitled to.  In a production 
    25    deployment this might link to a user database or other repository. 
    26     
    27 P J Kershaw 14/05/09 
     23Initial version: P J Kershaw 14/05/09 
     24Updated: P J Kershaw 11/03/10 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

    r6720 r6721  
    2121 
    2222[app:mainApp] 
    23 paste.app_factory = ndg.security.test.config.attributeauthority.sitea.siteAServerApp:app_factory 
     23paste.app_factory = ndg.security.test.config.attributeauthority.sitea.sitea_attributeauthority:app_factory 
    2424 
    2525# Chain of SOAP Middleware filters - Nb. WS-Security filters apply to the SOAP 
     
    4343attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s 
    4444 
    45 # Attribute Authority settings 
    46 # 'name' setting MUST agree with map config file 'thisHost' name attribute 
    47 attributeAuthority.name: Site A 
     45# Attribute Authority settings... 
    4846 
    4947# Lifetime is measured in seconds 
     
    5553# user ID 
    5654attributeAuthority.attributeInterface.modFilePath: %(here)s 
    57 attributeAuthority.attributeInterface.modName: siteAUserRoles 
    58 attributeAuthority.attributeInterface.className: TestUserRoles 
     55attributeAuthority.attributeInterface.className: sitea_attributeinterface.TestUserRoles 
    5956 
    6057# SAML SOAP Binding to the Attribute Authority 
     
    6865saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML 
    6966 
    70 saml.soapbinding.pathMatchList = /AttributeAuthority/saml 
     67saml.soapbinding.pathMatchList = /AttributeAuthority 
    7168saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s 
    7269 
     
    7471# tolerance for query issueInstant parameter. Set here to 3 minutes 
    7572saml.soapbinding.clockSkewTolerance: 180.0 
     73 
     74saml.soapbinding.issuer: /O=Site A/CN=Attribute Authority 
    7675 
    7776# Logging configuration 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/sitea_attributeinterface.py

    r6720 r6721  
    7777    VALID_REQUESTOR_IDS = BaseTestCase.VALID_REQUESTOR_IDS 
    7878     
    79     ISSUER_NAME = "/O=Site A/CN=Attribute Authority" 
    80      
    8179    INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = X500DN.fromString( 
    8280                                        "/O=Site B/CN=Authorisation Service") 
     
    128126     
    129127        assertion.issuer = Issuer() 
    130         assertion.issuer.value = TestUserRoles.ISSUER_NAME 
     128        assertion.issuer.value = response.issuer.value 
    131129        assertion.issuer.format = Issuer.X509_SUBJECT 
    132130         
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

    r6276 r6721  
    7474    SITEA_SAML_ISSUER_NAME = "/O=Site A/CN=Attribute Authority" 
    7575     
    76     SESSIONMANAGER_PORTNUM = 5500 
    77      
    7876    NDGSEC_UNITTESTS_DISABLE_THREAD_SERVICES_ENVVAR = \ 
    7977        'NDGSEC_UNITTESTS_DISABLE_THREAD_SERVICES' 
     
    182180                                              'site-a.ini')) 
    183181        self.addService(cfgFilePath=siteACfgFilePath,  
    184                         port=port or BaseTestCase.SITEA_ATTRIBUTEAUTHORITY_PORTNUM, 
     182                        port=(port or  
     183                              BaseTestCase.SITEA_ATTRIBUTEAUTHORITY_PORTNUM), 
    185184                        withSSL=withSSL) 
    186185         
     
    190189                                              'site-b.ini')) 
    191190        self.addService(cfgFilePath=siteBCfgFilePath,  
    192                         port=port or BaseTestCase.SITEB_ATTRIBUTEAUTHORITY_PORTNUM, 
    193                         withSSL=withSSL)         
    194  
    195     def startSessionManager(self): 
    196         """Serve test Session Manager service""" 
    197         cfgFilePath = mkDataDirPath(join('sessionmanager',  
    198                                          'session-manager.ini')) 
    199         self.addService(cfgFilePath=cfgFilePath,  
    200                         port=BaseTestCase.SESSIONMANAGER_PORTNUM) 
    201          
     191                        port=(port or  
     192                              BaseTestCase.SITEB_ATTRIBUTEAUTHORITY_PORTNUM), 
     193                        withSSL=withSSL) 
    202194 
    203195    def __del__(self): 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg

    r6719 r6721  
    1010prefix=attribute-authority. 
    1111attribute-authority.assertionLifetime = 3600 
    12 attribute-authority.issuerName = /O=My Organisation/OU=Centre/CN=Attribute Authority  
    1312attribute-authority.attributeInterface.className = ndg.security.server.attributeauthority.AttributeInterface 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py

    r6720 r6721  
    4646    PROPERTIES_FILENAME = 'test_attributeauthority.cfg' 
    4747    PROPERTIES_FILEPATH = path.join(THIS_DIR, PROPERTIES_FILENAME) 
    48     ISSUER_NAME = '/O=My Organisation/OU=Centre/CN=Attribute Authority' 
    4948    ASSERTION_LIFETIME = "86400" 
    5049 
     
    5453        self.assert_(aa) 
    5554        self.assert_(aa.assertionLifetime == 3600) 
    56         self.assert_(aa.issuerName == cls.ISSUER_NAME) 
    5755         
    5856    def _createAttributeAuthorityHelper(self): 
     
    6664                                       'AttributeInterface') 
    6765         
    68         aa = AttributeAuthority.fromProperties(issuerName=cls.ISSUER_NAME, 
     66        aa = AttributeAuthority.fromProperties( 
    6967                    assertionLifetime=cls.ASSERTION_LIFETIME, 
    7068                    attributeInterface_className=attributeInterfaceClassName) 
     
    8179        # Check lifetime property converted from string input to float 
    8280        self.assert_(aa.assertionLifetime == float(cls.ASSERTION_LIFETIME)) 
    83         self.assert_(aa.issuerName == cls.ISSUER_NAME) 
    8481        self.assert_(isinstance(aa.attributeInterface, AttributeInterface)) 
    8582 
     
    9289        self.assert_(aa2) 
    9390        self.assert_(aa2.assertionLifetime == aa.assertionLifetime) 
    94         self.assert_(aa2.issuerName == aa.issuerName) 
    9591        self.assert_(isinstance(aa2.attributeInterface, AttributeInterface)) 
    9692     
     
    322318            '/O=ESG/OU=NCAR/CN=Gateway') 
    323319         
    324         attributeInterface.setProperties(samlAssertionLifetime=28800., 
    325                                 issuerName='/CN=Attribute Authority/O=Site A') 
     320        attributeInterface.setProperties(samlAssertionLifetime=28800.) 
    326321         
    327322        attributeInterface.samlSubjectSqlQuery = ( 
     
    414409         
    415410            SQLAlchemyAttributeInterfaceTestCase.ATTRIBUTE_NAMES[0]:  
    416                 SQLAlchemyAttributeInterfaceTestCase.SAML_ATTRIBUTES_SQLQUERY                     
     411                SQLAlchemyAttributeInterfaceTestCase.SAML_ATTRIBUTES_SQLQUERY 
    417412        } 
    418413         
     
    427422            '/O=ESG/OU=NCAR/CN=Gateway') 
    428423         
    429         attributeInterface.setProperties(samlAssertionLifetime=28800., 
    430                                 issuerName='/CN=Attribute Authority/O=Site A') 
     424        attributeInterface.setProperties(samlAssertionLifetime=28800.) 
    431425         
    432426        attributeInterface.samlSubjectSqlQuery = ( 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_sqlalchemyattributeinterface.cfg

    r6062 r6721  
    11[DEFAULT] 
    2 attributeInterface.issuerName = /O=Site A/CN=Attribute Authority 
    32attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}' 
    43attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'" 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.cfg

    r6575 r6721  
    1212# included here 
    1313[test01AttributeQuery] 
    14 uri = http://localhost:5000/AttributeAuthority/saml 
     14uri = http://localhost:5000/AttributeAuthority/ 
    1515subject = https://openid.localhost/philip.kershaw 
    1616siteAttributeName = urn:siteA:security:authz:1.0:attr 
    1717 
    1818[test02AttributeQueryInvalidIssuer] 
    19 uri = http://localhost:5000/AttributeAuthority/saml 
     19uri = http://localhost:5000/AttributeAuthority/ 
    2020subject = https://openid.localhost/philip.kershaw 
    2121siteAttributeName = urn:siteA:security:authz:1.0:attr 
    2222 
    2323[test03AttributeQueryUnknownSubject] 
    24 uri = http://localhost:5000/AttributeAuthority/saml 
     24uri = http://localhost:5000/AttributeAuthority/ 
    2525subject = https://openid.localhost/unknown 
    2626siteAttributeName = urn:siteA:security:authz:1.0:attr 
    2727 
    2828[test04AttributeQueryInvalidAttrName] 
    29 uri = http://localhost:5000/AttributeAuthority/saml 
     29uri = http://localhost:5000/AttributeAuthority/ 
    3030subject = https://openid.localhost/philip.kershaw 
    3131siteAttributeName = invalid-attr 
    3232prefix = saml. 
    33 saml.serialise = saml.xml.etree:AttributeQueryElementTree.toXML 
    34 saml.deserialise = saml.xml.etree:ResponseElementTree.fromXML 
     33saml.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML 
     34saml.deserialise = ndg.saml.xml.etree:ResponseElementTree.fromXML 
    3535 
    3636[test05AttributeQuerySOAPBindingInterface] 
    37 uri = http://localhost:5000/AttributeAuthority/saml 
     37uri = http://localhost:5000/AttributeAuthority/ 
    3838subject = https://openid.localhost/philip.kershaw 
    3939 
    4040[test06AttributeQueryFromConfig] 
    41 uri = http://localhost:5000/AttributeAuthority/saml 
     41uri = http://localhost:5000/AttributeAuthority/ 
    4242subject = https://openid.localhost/philip.kershaw 
    4343 
     
    4949 
    5050[test07AttributeQuerySslSOAPBindingInterface] 
    51 uri = http://localhost:5000/AttributeAuthority/saml 
     51uri = http://localhost:5000/AttributeAuthority/ 
    5252subject = https://openid.localhost/philip.kershaw 
    5353 
     
    6363attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.key 
    6464attributeQuery.sslValidDNs = /C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost, /O=Site A/CN=Attribute Authority 
     65 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.py

    r6720 r6721  
    298298         
    299299        self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI) 
    300               
    301     def test08AuthzDecisionQuery(self): 
    302         _cfg = self.cfg['test02AuthzDecisionQuery'] 
    303          
    304         query = AuthzDecisionQuery() 
    305         query.version = SAMLVersion(SAMLVersion.VERSION_20) 
    306         query.id = str(uuid4()) 
    307         query.issueInstant = datetime.utcnow() 
    308          
    309         query.issuer = Issuer() 
    310         query.issuer.format = Issuer.X509_SUBJECT 
    311         query.issuer.value = str( 
    312                 AttributeAuthoritySAMLInterfaceTestCase.VALID_REQUESTOR_IDS[0]) 
    313                          
    314         query.subject = Subject()   
    315         query.subject.nameID = NameID() 
    316         query.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT 
    317         query.subject.nameID.value = _cfg['subject'] 
    318  
    319         binding = SOAPBinding() 
    320         binding.serialise = AuthzDecisionQueryElementTree.toXML 
    321         binding.deserialise = ResponseElementTree.fromXML 
    322         response = binding.send(query, _cfg['uri']) 
    323  
    324         samlResponseElem = ResponseElementTree.toXML(response) 
    325          
    326         print("SAML Response ...") 
    327         print(ElementTree.tostring(samlResponseElem)) 
    328         print("Pretty print SAML Response ...") 
    329         print(prettyPrint(samlResponseElem)) 
    330          
    331         self.assert_( 
    332             response.status.statusCode.value==StatusCode.REQUEST_DENIED_URI) 
    333300 
    334301        
Note: See TracChangeset for help on using the changeset viewer.