Context Navigation

← Previous Change
Next Change →

Changeset 6788 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

30/03/10 13:22:59 (11 years ago)

Author:

pjkersha

Message:

Contains important fix for OpenIDProviderMiddleware - moved OpenIDResponse object from class member to session key to preserve separation between user sessions in sign in process. This bug was manifest in users being incorrectly redirected following login.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Files:

: 2 added
: 2 deleted
: 10 edited

integration/__init__.py (modified) (2 diffs)
integration/authz_lite/policy.xml (modified) (2 diffs)
integration/authz_lite/securedapp.ini (modified) (3 diffs)
integration/authz_lite/securityservices.ini (modified) (9 diffs)
unit/__init__.py (modified) (1 diff)
unit/authz/xacml (added)
unit/soap-attribute-query.xml (added)
unit/wsgi/authz/README (modified) (1 diff)
unit/wsgi/authz/ndg-policy.xml (deleted)
unit/wsgi/authz/ndg-test.ini (deleted)
unit/wsgi/authz/pep-result-handler-test.ini (modified) (1 diff)
unit/wsgi/authz/saml-policy.xml (modified) (3 diffs)
unit/wsgi/authz/saml-test.ini (modified) (1 diff)
unit/wsgi/authz/test_authz.py (modified) (9 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/init.py

-                      r6276
+                      r6788
 "/test_403": "test_403",
 "/test_securedURI": "test_securedURI",
+"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI"
+"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI",
+"/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg":
+    "test_logoutWithReturn2QueryArg",
+"/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg"
+    }
     header = """        <h1>Authorisation Integration Tests:</h1>
 …
                         ('Content-length', str(len(response)))])
         return response
+    def test_logoutWithReturn2QueryArg(self, environ, start_response):
+        """Test logout setting a return to argument to explicitly set the
+        URI to return to following the logout action
+        """
+        response = """<html>
+    <head/>
+    <body>
+        <h1>Logged Out</h1>
+        <p>Successfully redirected to specified return to UIR query argument
+        ndg.security.logout.r=%s following logout.
+        <a href="/">Return to tests</a></p>
+    </body>
+</html>
+""" % environ['PATH_INFO']
+        start_response('200 OK',
+                       [('Content-type', 'text/html'),
+                        ('Content-length', str(len(response)))])
+        return response
     @classmethod
     def app_factory(cls, globalConfig, **localConfig):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/policy.xml

-                      r6063
+                      r6788
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
 …
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini

-                      r6605
+                      r6788
 beaker.session.data_dir = %(here)s/authn/beaker/sessions
 beaker.session.cookie_domain = .localhost
+#beaker.session.cookie_domain = .localhost
 [filter:AuthenticationFilter]
 …
 # Set redirect for OpenID Relying Party in the Security Services app instance
 authN.redirectURI = https://localhost:7443/verify
+# Test with an SSL endpoint
+#authN.redirectURI = https://localhost/verify
+# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
+# passed return to query argument
+authN.sessionHandler.defaultLogoutReturnToURI = https://localhost:7443/
 # AuthKit Set-up
 …
 #authkit.cookie.params.expires = 2
 authkit.cookie.params.domain = .localhost
+#authkit.cookie.params.domain = .localhost
 # environ key name for beaker session

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

-                      r6615
+                      r6788
 # Global Attribute Authority Settings
-attributeAuthorityEnvironKeyName = ndg.security.server.attributeauthority.AttributeAuthority
 attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
 …
 # Ordering of filters and app is critical
 [pipeline:main]
+pipeline = wsseSignatureVerificationFilter
+                   AttributeAuthorityFilter
+                   AttributeAuthorityWsdlSoapBindingFilter
+           wsseSignatureFilter
+pipeline = AttributeAuthorityFilter
            AttributeAuthoritySamlSoapBindingFilter
                    SessionMiddlewareFilter
 …
 beaker.session.cookie_expires = True
 beaker.session.cookie_domain = .localhost
+#beaker.session.cookie_domain = .localhost
 # Key name for keying into environ dictionary
 …
 cookie.includeip = False
 cookie.params.domain = .localhost
+#cookie.params.domain = .localhost
 # SSL Client Certificate based authentication is invoked if the client passed
 …
 authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
 authkit.cookie.signoutpath = /logout
 authkit.cookie.params.domain = .localhost
+#authkit.cookie.params.domain = .localhost
 # Disable inclusion of client IP address from cookie signature due to
 …
 prefix = attributeAuthority.
-# Key name by which the WSDL SOAP based interface may reference this
-# service
-attributeAuthority.environKeyName = %(attributeAuthorityEnvironKeyName)s
-# Key name for the SAML SOAP binding based interface to reference this
-# service's attribute query method
-attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
-# Attribute Authority settings
-# 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: Site A
 # Lifetime is measured in seconds
+attributeAuthority.attCertLifetime: 28800
+# Allow an offset for clock skew between servers running
+# security services. NB, measured in seconds - use a minus sign for time in the
+# past
+attributeAuthority.attCertNotBeforeOff: 0
+# All Attribute Certificates issued are recorded in this dir
+attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
+# Files in attCertDir are stored using a rotating file handler
+# attCertFileLogCnt sets the max number of files created before the first is
+# overwritten
+attributeAuthority.attCertFileName: ac.xml
+attributeAuthority.attCertFileLogCnt: 16
+attributeAuthority.dnSeparator:/
+# Location of role mapping file
+attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
+attributeAuthority.assertionLifetime: 28800
 # Settings for custom AttributeInterface derived class to get user roles for given
 …
 #attributeAuthority.attributeInterface.className: TestUserRoles
+# Key name for the SAML SOAP binding based interface to reference this
+# service's attribute query method
+attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
 # SQLAlchemy Attribute Interface
 attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
+attributeAuthority.attributeInterface.modName: ndg.security.server.attributeauthority
+attributeAuthority.attributeInterface.className: SQLAlchemyAttributeInterface
+attributeAuthority.attributeInterface.issuerName = /O=Site A/CN=Attribute Authority
+attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
 attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
 attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
 …
                                                            /CN=test/O=NDG/OU=BADC
-# Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
-attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
-attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
-# SOAP WSDL Based Binding to the Attribute Authority
-[filter:AttributeAuthorityWsdlSoapBindingFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthoritySOAPBindingMiddleware.filter_app_factory
-prefix = service.soap.binding.
-attributeAuthoritySOAPBindingPrefix = attributeauthority.service.soap.binding.
-service.soap.binding.referencedFilters = filter:wsseSignatureVerificationFilter
-service.soap.binding.path = /AttributeAuthority
-service.soap.binding.enableWSDLQuery = True
-service.soap.binding.charset = utf-8
-service.soap.binding.serviceSOAPBindingEnvironKeyName = ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware
-attributeauthority.service.soap.binding.attributeAuthorityEnvironKeyName = %(attributeAuthorityEnvironKeyName)s
-attributeauthority.service.soap.binding.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 # SAML SOAP Binding to the Attribute Authority
 [filter:AttributeAuthoritySamlSoapBindingFilter]
 …
 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 saml.soapbinding.pathMatchList = /AttributeAuthority/saml
+saml.soapbinding.pathMatchList = /AttributeAuthority
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
+#______________________________________________________________________________
+# WS-Security Signature Verification
+[filter:wsseSignatureVerificationFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter.filter_app_factory
+filterID = %(__name__)s
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+# Verify against known CAs - Provide a space separated list of file paths
+wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+#______________________________________________________________________________
+# Apply WS-Security Signature
+[filter:wsseSignatureFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter.filter_app_factory
+# Reference the verification filter in order to be able to apply signature
+# confirmation
+referencedFilters = filter:wsseSignatureVerificationFilter
+wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+# Last filter in chain of SOAP handlers writes the response
+writeResponse = True
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+# Certificate associated with private key used to sign a message.  The sign
+# method will add this to the BinarySecurityToken element of the WSSE header.
+wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
+# PEM encoded private key file
+wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  See __setReqBinSecTokValType method and binSecTokValType
+# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
+# give full namespace to alternative - see
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
+# binSecTokValType determines whether signingCert or signingCertChain
+# attributes will be used.
+wssecurity.reqBinSecTokValType=X509v3
+# Add a timestamp element to an outbound message
+wssecurity.addTimestamp=True
+# For WSSE 1.1 - service returns signature confirmation containing signature
+# value sent by client
+wssecurity.applySignatureConfirmation=True
+# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
+# tolerance for query issueInstant parameter. Set here to 3 minutes
+saml.soapbinding.clockSkewTolerance: 180.0
+saml.soapbinding.issuer: /O=Site A/CN=Attribute Authority
 # Logging configuration

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/init.py

r6721	r6788
68	68	SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM = 5443
69	69	SITEA_SSL_ATTRIBUTEAUTHORITY_SAML_URI = \
70		'https://localhost:%d/AttributeAuthority~~/saml~~' % \
	70	'https://localhost:%d/AttributeAuthority' % \
71	71	SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM
72	72	SSL_CERT_DN = "/C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost"

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/README

-                      r6062
+                      r6788
 ========================================
 These tests call ndg.security.server.wsgi.authz.SAMLAuthorizationMiddleware
+and ndg.security.server.wsgi.authz.NDGAuthorizationMiddleware via
+paste.fixture.  An attribute authority service needs to be running in order
+for the middleware to check user attributes,  In a separate terminal start
+this service:
+via paste.fixture.  An attribute authority service is also started as a separate
+thread.
+$ python ../../../config/attributeauthority/sitea/siteAServerApp.py
+Then, to run the tests:
+To run the tests:
 $ python test_authz.py
 P J Kershaw 22/05/09
+P J Kershaw 22/03/10

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

r6284	r6788
32	32	# If omitted, DN of SSL Cert is used
33	33	pip.attributeQuery.issuerName =
34		pip.attributeQuery.clockSkew = 0.
	34	pip.attributeQuery.clockSkewTolerance = 0.
35	35	pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
36	36	pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml

-                      r6062
+                      r6788
                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
                 <!-- Endpoint is for SOAP/SAML based ESG Interface -->
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
 …
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>
 …
             <Attribute>
                 <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority/saml</AttributeAuthorityURI>
+                <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
         </Attributes>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

r6062	r6788
31	31	# If omitted, DN of SSL Cert is used
32	32	pip.attributeQuery.issuerName =
33		pip.attributeQuery.clockSkew = 0.
	33	pip.attributeQuery.clockSkewTolerance = 0.
34	34	pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
35	35	pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

-                      r6284
+                      r6788
 from ndg.security.server.wsgi.authz.result_handler.redirect import \
     HTTPRedirectPEPResultHandlerMiddleware
+from ndg.security.server.wsgi.authz import (NdgPIPMiddlewareConfigError,
+                                            SamlPIPMiddlewareConfigError)
+from ndg.security.server.wsgi.authz import SamlPIPMiddlewareConfigError
 from ndg.security.common.authz.msi import Response
 …
     def save(self):
         pass
+class TestAuthZMiddleware(object):
+    '''Test Application for the Authentication handler to protect'''
+    response = "Test Authorization application"
+    def __init__(self, app_conf, **local_conf):
+        pass
+    def __call__(self, environ, start_response):
+        if environ['PATH_INFO'] == '/test_401':
+            status = "401 Unauthorized"
+        elif environ['PATH_INFO'] == '/test_403':
+            status = "403 Forbidden"
+        elif environ['PATH_INFO'] == '/test_200':
+            status = "200 OK"
+        elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI':
+            # Nb. AuthZ middleware should intercept the request and bypass this
+            # response
+            status = "200 OK"
+        elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
+            status = "200 OK"
+        else:
+            status = "404 Not found"
+        start_response(status,
+                       [('Content-length',
+                         str(len(TestAuthZMiddleware.response))),
+                        ('Content-type', 'text/plain')])
+        return [TestAuthZMiddleware.response]
+class BeakerSessionStub(dict):
+    """Emulate beaker.session session object for purposes of the unit tests
+    """
+    def save(self):
+        pass
 class NdgWSGIAuthZTestCase(BaseTestCase):
     INI_FILE = 'ndg-test.ini'
+class SamlWSGIAuthZTestCase(BaseTestCase):
+    INI_FILE = 'saml-test.ini'
     THIS_DIR = os.path.dirname(os.path.abspath(__file__))
     def __init__(self, *args, **kwargs):
+    def __init__(self, *args, **kwargs):
         BaseTestCase.__init__(self, *args, **kwargs)
         wsgiapp = loadapp('config:'+NdgWSGIAuthZTestCase.INI_FILE,
                           relative_to=NdgWSGIAuthZTestCase.THIS_DIR)
+        wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE,
+                          relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
         self.app = paste.fixture.TestApp(wsgiapp)
+        self.startSiteAAttributeAuthority()
+        self.startSiteAAttributeAuthority(withSSL=True,
+            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
     def test01CatchNoBeakerSessionFound(self):
 …
         try:
             response = self.app.get('/test_200')
         except NdgPIPMiddlewareConfigError, e:
+        except SamlPIPMiddlewareConfigError, e:
             print("ok - expected: %s exception: %s" % (e.__class__, e))
 …
         # even though a user is set in the session
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_401',
                                 extra_environ=extra_environ,
 …
         # even though a user is set in the session
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_403',
                                 extra_environ=extra_environ,
 …
         # User is logged in but doesn't have the required credentials for
         # access
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
                                 status=403)
+        print response
         self.assert_("Insufficient privileges to access the "
                      "resource" in response)
-        print response
     def test07AccessGrantedForSecuredURI(self):
 …
         # User is logged in and has credentials for access to a URI secured
         # by the policy file
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         response = self.app.get('/test_accessGrantedToSecuredURI',
 …
         # User is logged in but doesn't have the required credentials for
         # access
+        extra_environ={'beaker.session.ndg.security':
+                       BeakerSessionStub(username='testuser')}
+        extra_environ = {
+            'beaker.session.ndg.security':
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
         # Try this URI with the query arg admin=1.  This will be picked up
 …
         print response
-class TestAuthZMiddleware(object):
-    '''Test Application for the Authentication handler to protect'''
-    response = "Test Authorization application"
-    def __init__(self, app_conf, **local_conf):
-        pass
-    def __call__(self, environ, start_response):
-        if environ['PATH_INFO'] == '/test_401':
-            status = "401 Unauthorized"
-        elif environ['PATH_INFO'] == '/test_403':
-            status = "403 Forbidden"
-        elif environ['PATH_INFO'] == '/test_200':
-            status = "200 OK"
-        elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI':
-            # Nb. AuthZ middleware should intercept the request and bypass this
-            # response
-            status = "200 OK"
-        elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
-            status = "200 OK"
-        else:
-            status = "404 Not found"
-        start_response(status,
-                       [('Content-length',
-                         str(len(TestAuthZMiddleware.response))),
-                        ('Content-type', 'text/plain')])
-        return [TestAuthZMiddleware.response]
-class BeakerSessionStub(dict):
-    """Emulate beaker.session session object for purposes of the unit tests
-    """
-    def save(self):
-        pass
-class SamlWSGIAuthZTestCase(BaseTestCase):
-    INI_FILE = 'saml-test.ini'
-    THIS_DIR = os.path.dirname(os.path.abspath(__file__))
-    def __init__(self, *args, **kwargs):
-        BaseTestCase.__init__(self, *args, **kwargs)
-        wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE,
-                          relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
-        self.app = paste.fixture.TestApp(wsgiapp)
-        self.startSiteAAttributeAuthority(withSSL=True,
-            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
-    def test01CatchNoBeakerSessionFound(self):
-        # PEPFilterConfigError is raised if no beaker.session is set in
-        # environ
-        try:
-            response = self.app.get('/test_200')
-        except SamlPIPMiddlewareConfigError, e:
-            print("ok - expected: %s exception: %s" % (e.__class__, e))
-    def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
-        # Check the authZ middleware leaves the response alone if the URI
-        # is not matched in the policy
-        # Simulate a beaker.session in the environ
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}
-        response = self.app.get('/test_200',
-                                extra_environ=extra_environ)
-    def test03Catch401WithLoggedIn(self):
-        # Check that the application being secured can raise a HTTP 401
-        # response and that this respected by the Authorization middleware
-        # even though a user is set in the session
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
-        response = self.app.get('/test_401',
-                                extra_environ=extra_environ,
-                                status=401)
-    def test04Catch403WithLoggedIn(self):
-        # Check that the application being secured can raise a HTTP 403
-        # response and that this respected by the Authorization middleware
-        # even though a user is set in the session
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
-        response = self.app.get('/test_403',
-                                extra_environ=extra_environ,
-                                status=403)
-    def test05Catch401WithNotLoggedInAndSecuredURI(self):
-        # AuthZ middleware grants access because the URI requested is not
-        # targeted in the policy
-        # AuthZ middleware checks for username key in session set by AuthN
-        # handler
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}
-        response = self.app.get('/test_accessDeniedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=401)
-    def test06AccessDeniedForSecuredURI(self):
-        # User is logged in but doesn't have the required credentials for
-        # access
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
-        response = self.app.get('/test_accessDeniedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=403)
-        self.assert_("Insufficient privileges to access the "
-                     "resource" in response)
-        print response
-    def test07AccessGrantedForSecuredURI(self):
-        # User is logged in and has credentials for access to a URI secured
-        # by the policy file
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
-        response = self.app.get('/test_accessGrantedToSecuredURI',
-                                extra_environ=extra_environ,
-                                status=200)
-        self.assert_(TestAuthZMiddleware.response in response)
-        print response
-    def test08AccessDeniedForAdminQueryArg(self):
-        # User is logged in but doesn't have the required credentials for
-        # access
-        extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+        }
-        # Try this URI with the query arg admin=1.  This will be picked up
-        # by the policy as a request requiring admin rights.  The request is
-        # denied as the user doesn't have these rights but this then calls
-        # into play the PEP result handler defined in this module,
-        # RedirectFollowingAccessDenied.  This class reinvokes the request
-        # but without the admin query argument.  Access is then granted for
-        # the redirected request
-        response = self.app.get('/test_accessGrantedToSecuredURI',
-                                params={'admin': 1},
-                                extra_environ=extra_environ,
-                                status=302)
-        try:
-            redirectResponse = response.follow(extra_environ=extra_environ)
-        except paste.fixture.AppError, e:
-            self.failIf(TestAuthZMiddleware.response not in response)
-        print response
 class PEPResultHandlerTestCase(BaseTestCase):

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: