Changeset 6730 for TI12-security/trunk/NDGSecurity

Timestamp:

16/03/10 08:37:55 (11 years ago)

Author:

pjkersha

Message:

• Working Credential Wallet refactored for Python 2.6
• Pruned out more old code: ZSI and Twisted SAOP/WSDL wrappers, Session Manager and WS-Security, Test 'Site B' Attribute Authority - for testing role mapping.
• Started XACML package ElementTree based parser.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/authz/xacml/__init__.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/authz/xacml/etree (added)
• ndg_security_common/ndg/security/common/authz/xacml/etree/__init__.py (added)
• ndg_security_common/ndg/security/common/authz/xacml/etree/reader.py (added)
• ndg_security_common/ndg/security/common/authz/xacml/etree/writer.py (added)
• ndg_security_common/ndg/security/common/authz/xacml/policy.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (4 diffs)
• ndg_security_common/ndg/security/common/utils/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (7 diffs)
• ndg_security_server/ndg/security/server/sessionmanager.py (deleted)
• ndg_security_server/ndg/security/server/wsgi/wssecurity.py (deleted)
• ndg_security_server/ndg/security/server/wsgi/zsi.py (deleted)
• ndg_security_server/ndg/security/server/zsi (deleted)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/siteb (deleted)
• ndg_security_test/ndg/security/test/config/sessionmanager (deleted)
• ndg_security_test/ndg/security/test/integration/authz (deleted)
• ndg_security_test/ndg/security/test/integration/combinedservices (deleted)
• ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/sessionmanager (deleted)
• ndg_security_test/ndg/security/test/unit/sessionmanagerclient (deleted)
• ndg_security_test/ndg/security/test/unit/wssecurity (deleted)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/__init__.py

@@ +1 @@
+class XACMLError(Exception):
+    """Base class for XACML package exception types"""
+    
+    
+class XMLParseError(XACMLError):
+    """XACML package XML Parsing error"""
+    
+    
 class PolicyComponent(object):
     """Base class for Policy and Policy subelements"""

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/policy.py

@@ -39 +39 @@
 
 class Policy(PolicyComponent):
-    """NDG MSI Policy."""   
+    """NDG MSI Policy.""" 
+    POLICY_ID_ATTRIB_NAME = "PolicyId"
+    RULE_COMBINING_ALG_ID_ATTRIB_NAME = "RuleCombiningAlgId"
+      
     DESCRIPTION_LOCALNAME = "Description"
     TARGET_LOCALNAME = "Target"
+    POLICY_DEFAULTS_LOCALNAME = "PolicyDefaults"
+    OBLIGATIONS_LOCALNAME = "Obligations"
+    RULE_LOCALNAME = "Rule"
     
     # Plan to support permit overrides in a future release

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -16 +16 @@
 import os
 import warnings
-import traceback
 
 # Check Attribute Certificate validity times
@@ -26 +25 @@
 from ndg.saml.saml2.core import Assertion
 
-# Access Attribute Authority's web service using ZSI - allow pass if not 
-# loaded since it's possible to make AttributeAuthority instance locally
-# without using the WS
-aaImportError = True
-try:
-    # AttributeAuthority client package resides with CredentialWallet module in 
-    # ndg.security.common
-    from ndg.security.common.attributeauthority import (
-        AttributeAuthorityClient, AttributeAuthorityClientError, 
-        AttributeRequestDenied, NoMatchingRoleInTrustedHosts)
-    aaImportError = False
-except ImportError:
-    pass
-
-# Likewise - may not want to use WS and use AttributeAuthority locally in which
-# case no need to import it
-try:
-    from ndg.security.server.attributeauthority import (AttributeAuthority, 
-        AttributeAuthorityError, AttributeAuthorityAccessDenied)
-    aaImportError = False
-except ImportError:
-    pass
-
-if aaImportError:
-    raise ImportError("Either AttributeAuthority or AttributeAuthorityClient "
-                      "classes must be present to allow interoperation with "
-                      "Attribute Authorities: %s" % traceback.format_exc())
-
-# Authentication X.509 Certificate
-from ndg.security.common.X509 import X509Cert
-from M2Crypto import X509, BIO, RSA
-
-# Authorisation - attribute certificate 
-from ndg.security.common.AttCert import AttCert, AttCertError
-from ndg.security.common.wssecurity.signaturehandler.dom import SignatureHandler
-
-# generic parser to read INI/XML properties file
-from ndg.security.common.utils.configfileparsers import \
-                                                INIPropertyFileWithValidation
-
-from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.configfileparsers import (     
                                                     CaseSensitiveConfigParser,)
@@ -178 +136 @@
     __slots__ = tuple(["__%s" % n for n in __ATTRIBUTE_NAMES])
     
-    def __init__(self, type=None):
+    def __init__(self, _type=None):
         self.__type = None
-        self.type = type
+        self.type = _type
         
         self.__id = -1
@@ -700 +658 @@
     
     def __init__(self, propFilePath=None, dbPPhrase=None, **prop):
-        pass
+        """Null Credential Repository __init__ placeholder"""
 
     def addUser(self, userId):
-        pass
+        """Null Credential Repository addUser placeholder"""
                             
     def auditCredentials(self, **attCertValidKeys):
-        pass
+        """Null Credential Repository addUser placeholder"""
 
     def getCredentials(self, userId):
+        """Null Credential Repository getCredentials placeholder"""
         return []
        
     def addCredentials(self, userId, attCertList):
-        pass
+        """Null Credential Repository addCredentials placeholder"""

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/__init__.py

@@ -76 +76 @@
     
         return super(TypedList, self).append(item)
+
+class RestrictedKeyNamesDict(dict):
+    """Utility class for holding a constrained list of key names
+    """
+    
+    def __init__(self, *arg, **kw):
+        """Alter standard dict() initialisation to fix key names set at 
+        initialisation
+        """
+        super(RestrictedKeyNamesDict, self).__init__(*arg, **kw)
+        self.__keyNames = self.keys() 
+          
+    def __setitem__(self, key, val):
+        if key not in self.__keyNames:
+            raise KeyError('Key name %r not recognised.  Valid key names '
+                           'are: %r' % (key, self.__keyNames))
+            
+        dict.__setitem__(self, key, val)
+
+    def update(self, d, **kw):        
+        for dictArg in (d, kw):
+            for k in dictArg:
+                if k not in self.__keyNames:
+                    raise KeyError('Key name "%s" not recognised.  Valid '
+                                   'key names are: %s' % 
+                                   self.__keyNames)
+        
+        dict.update(self, d, **kw)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -38 +38 @@
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
 from ndg.security.common.X509 import X500DN
-from ndg.security.common.utils import TypedList
+from ndg.security.common.utils import TypedList, RestrictedKeyNamesDict
 from ndg.security.common.utils.classfactory import instantiateClass
 from ndg.security.common.utils.configfileparsers import (
@@ -93 +93 @@
     ISSUER_NAME_OPTNAME = 'issuerName'
     ASSERTION_LIFETIME_OPTNAME = 'assertionLifetime'
-    DN_SEPARATOR_OPTNAME = 'dnSeparator'
     
     ATTRIBUTE_INTERFACE_OPTPREFIX = 'attributeInterface'
@@ -113 +112 @@
         ISSUER_NAME_OPTNAME:            '',
         ASSERTION_LIFETIME_OPTNAME:     -1,
-        DN_SEPARATOR_OPTNAME:           '/',
         ATTRIBUTE_INTERFACE_OPTPREFIX:  ATTRIBUTE_INTERFACE_PROPERTY_DEFAULTS
     }
@@ -119 +117 @@
     __slots__ = (
         '__assertionLifetime', 
-        '__dnSeparator',
         '__propFilePath',
         '__propFileSection',
@@ -133 +130 @@
         # Initial config file property based attributes
         self.__assertionLifetime = None
-        self.__dnSeparator = None
         
         self.__propFilePath = None        
@@ -139 +135 @@
         self.__propPrefix = ''
         
-        self.__attributeInterfaceCfg = {}
+        self.__attributeInterfaceCfg = RestrictedKeyNamesDict(
+                    AttributeAuthority.ATTRIBUTE_INTERFACE_PROPERTY_DEFAULTS)
         
     def __getstate__(self):
@@ -189 +186 @@
                                      doc="Settings for Attribute Interface "
                                          "initialisation")
-    
-    def _get_dnSeparator(self):
-        return self.__dnSeparator
-    
-    def _set_dnSeparator(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "dnSeparator"; got '
-                            '%r' % type(value))
-        self.__dnSeparator = value
-         
-    dnSeparator = property(fget=_get_dnSeparator, 
-                           fset=_set_dnSeparator,
-                           doc="Distinguished Name separator character used "
-                               "with X.509 Certificate issuer certificate")
 
     def setPropFilePath(self, val=None):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

@@ -47 +47 @@
 # Lifetime is measured in seconds
 attributeAuthority.assertionLifetime: 28800 
-
-attributeAuthority.dnSeparator:/
 
 # Settings for custom AttributeInterface derived class to get user roles for given 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

@@ -1 +1 @@
 #!/usr/bin/env python
-"""Unit tests for Credential Wallet classes
+"""Unit tests for Credential Wallet class
 
 NERC DataGrid Project
@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
+import logging
+logging.basicConfig(level=logging.DEBUG)
 
 import unittest
-import os, sys, getpass, re
-import traceback
+import os
 
 from string import Template
@@ -23 +24 @@
 from time import sleep
 from datetime import datetime, timedelta
+
 from ndg.saml.utils import SAMLDateTime
 from ndg.saml.xml.etree import AssertionElementTree
 
 from ndg.security.test.unit import BaseTestCase
+from ndg.security.common.utils.etree import prettyPrint
+from ndg.security.common.credentialwallet import SAMLCredentialWallet
 
-from ndg.security.common.utils.configfileparsers import (
-                                                    CaseSensitiveConfigParser)
-from ndg.security.common.utils.etree import prettyPrint
-from ndg.security.common.X509 import X509CertParse
-from ndg.security.common.credentialwallet import (NDGCredentialWallet, 
-    CredentialWalletAttributeRequestDenied, SAMLCredentialWallet)
-from ndg.security.server.attributeauthority import AttributeAuthority
-
-from os.path import expandvars as xpdVars
-from os.path import join as jnPath
-mkPath = lambda file: jnPath(os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'], file)
-
-import logging
-logging.basicConfig(level=logging.DEBUG)
-
-
-class NDGCredentialWalletTestCase(BaseTestCase):
-    """Unit test case for 
-    ndg.security.common.credentialwallet.NDGCredentialWallet class.
-    """
-    THIS_DIR = os.path.dirname(__file__)
-    PICKLE_FILENAME = 'NDGCredentialWalletPickle.dat'
-    PICKLE_FILEPATH = os.path.join(THIS_DIR, PICKLE_FILENAME)
-
-    def __init__(self, *arg, **kw):
-        super(NDGCredentialWalletTestCase, self).__init__(*arg, **kw)
-        self.startAttributeAuthorities()
-    
-    def setUp(self):
-        super(NDGCredentialWalletTestCase, self).setUp()
-        
-        if 'NDGSEC_INT_DEBUG' in os.environ:
-            import pdb
-            pdb.set_trace()
-        
-        if 'NDGSEC_CREDWALLET_UNITTEST_DIR' not in os.environ:
-            os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'] = \
-                os.path.abspath(os.path.dirname(__file__))
-        
-        self.cfg = CaseSensitiveConfigParser()
-        configFilePath = jnPath(os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'],
-                                "credWalletTest.cfg")
-        self.cfg.read(configFilePath)
-
-        self.userX509CertFilePath=self.cfg.get('setUp', 'userX509CertFilePath')
-        self.userPriKeyFilePath=self.cfg.get('setUp', 'userPriKeyFilePath')
-        
-
-    def test01ReadOnlyClassVariables(self):
-        
-        try:
-            NDGCredentialWallet.accessDenied = 'yes'
-            self.fail("accessDenied class variable should be read-only")
-        except Exception, e:
-            print("PASS - accessDenied class variable is read-only")
-
-        try:
-            NDGCredentialWallet.accessGranted = False
-            self.fail("accessGranted class variable should be read-only")
-        except Exception, e:
-            print("PASS - accessGranted class variable is read-only")
-            
-        assert(not NDGCredentialWallet.accessDenied)
-        assert(NDGCredentialWallet.accessGranted)
-        
-        
-    def test02SetAttributes(self):
-        
-        credWallet = NDGCredentialWallet()
-        credWallet.userX509Cert=open(xpdVars(self.userX509CertFilePath)).read()
-        print("userX509Cert=%s" % credWallet.userX509Cert)
-        credWallet.userId = 'ndg-user'
-        print("userId=%s" % credWallet.userId)
-        
-        try:
-            credWallet.blah = 'blah blah'
-            self.fail("Attempting to set attribute not in __slots__ class "
-                      "variable should fail")
-        except AttributeError:
-            print("PASS - expected AttributeError when setting attribute "
-                  "not in __slots__ class variable")
-            
-        credWallet.caCertFilePathList=None
-        credWallet.attributeAuthorityURI='http://localhost/AttributeAuthority'
-            
-        credWallet.attributeAuthority = None
-        credWallet._credentialRepository = None
-        credWallet.mapFromTrustedHosts = False
-        credWallet.rtnExtAttCertList = True
-        credWallet.attCertRefreshElapse = 7200
-     
-            
-    def test03GetAttCertWithUserId(self):
-                    
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'))
-        attCert = credWallet.getAttCert()
-        
-        # No user X.509 cert is set so the resulting Attribute Certificate
-        # user ID should be the same as that set for the wallet
-        assert(attCert.userId == credWallet.userId)
-        print("Attribute Certificate:\n%s" % attCert)
-        
-    def test04GetAttCertWithUserX509Cert(self):
-                    
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'))
-        
-        # Set a test individual user certificate to override the client 
-        # cert. and private key in WS-Security settings in the config file
-        credWallet.userX509Cert=open(xpdVars(self.userX509CertFilePath)).read()
-        credWallet.userPriKey=open(xpdVars(self.userPriKeyFilePath)).read()
-        attCert = credWallet.getAttCert()
-        
-        # A user X.509 cert. was set so this cert's DN should be set in the
-        # userId field of the resulting Attribute Certificate
-        assert(attCert.userId == str(credWallet.userX509Cert.dn))
-        print("Attribute Certificate:\n%s" % attCert)
-
-    def test05GetAttCertRefusedWithUserX509Cert(self):
-        
-        # Keyword mapFromTrustedHosts overrides any setting in the config file
-        # This flag prevents role mapping from a trusted AA and so in this case
-        # forces refusal of the request
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'),
-                                         mapFromTrustedHosts=False)    
-        credWallet.userX509CertFilePath = self.userX509CertFilePath
-        credWallet.userPriKeyFilePath = self.userPriKeyFilePath
-        
-        # Set AA URI AFTER user PKI settings so that these are picked in the
-        # implicit call to create a new AA Client when the URI is set
-        credWallet.attributeAuthorityURI = self.cfg.get('setUp', 
-                                                        'attributeAuthorityURI')
-        try:
-            attCert = credWallet.getAttCert()
-        except CredentialWalletAttributeRequestDenied, e:
-            print("ok - obtained expected result: %s" % e)
-            return
-        
-        self.fail("Request allowed from Attribute Authority where user is NOT "
-                  "registered!")
-
-    def test06GetMappedAttCertWithUserId(self):
-        
-        # Call Site A Attribute Authority where user is registered
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'))
-        attCert = credWallet.getAttCert()
-
-        # Use Attribute Certificate cached in wallet to get a mapped 
-        # Attribute Certificate from Site B's Attribute Authority
-        siteBURI = self.cfg.get('setUp', 'attributeAuthorityURI')        
-        attCert = credWallet.getAttCert(attributeAuthorityURI=siteBURI)
-            
-        print("Mapped Attribute Certificate from Site B Attribute "
-              "Authority:\n%s" % attCert)
-                        
-    def test07GetAttCertFromLocalAAInstance(self):
-        thisSection = 'test07GetAttCertFromLocalAAInstance'
-        aaPropFilePath = self.cfg.get(thisSection,
-                                      'attributeAuthorityPropFilePath') 
-                  
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'))
-        credWallet.attributeAuthority = AttributeAuthority.fromPropertyFile(
-                                            propFilePath=aaPropFilePath)
-        attCert = credWallet.getAttCert()
-        
-        # No user X.509 cert is set so the resulting Attribute Certificate
-        # user ID should be the same as that set for the wallet
-        assert(attCert.userId == credWallet.userId)
-        print("Attribute Certificate:\n%s" % attCert)  
-
-    def test08Pickle(self):
-        credWallet = NDGCredentialWallet(cfg=self.cfg.get('setUp', 
-                                                          'cfgFilePath'))
-
-        outFile = open(NDGCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
-        pickle.dump(credWallet, outFile)
-        outFile.close()
-        
-        inFile = open(NDGCredentialWalletTestCase.PICKLE_FILEPATH)
-        unpickledCredWallet = pickle.load(inFile)
-        self.assert_(unpickledCredWallet.userId == credWallet.userId)
-        
 
 class SAMLCredentialWalletTestCase(BaseTestCase):