Changeset 6861 for TI12-security/trunk/NDGSecurity

Timestamp:

11/05/10 13:30:09 (11 years ago)

Author:

pjkersha

Message:

Working unit tested SAML Authorisation service with XACML back-end. TODO: Add Policy Information Point interface to XACML PDP to enable user attribute queries based on matching resource rule constraining attributes.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• .pydevproject (modified) (2 diffs)
• Tests/wget (added)
• Tests/wget/creds.pem (added)
• Tests/wget/ggap199002020600.nc (added)
• Tests/wget/myproxy_logon.py (added)
• Tests/wget/proxy.pem (added)
• ndg_security_common/ndg/security/common/X509.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/wsgi/attributeauthority.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authzservice.py (modified) (15 diffs)
• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (5 diffs)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-decision-interface.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-service.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/policy-1.1.xml (deleted)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml (added)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py (modified) (6 diffs)
• ndg_security_test/ndg/security/test/unit/x509/test_x509.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/.pydevproject

@@ -3 +3 @@
 
 <pydev_project>
-<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
+<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Python2.6</pydev_property>
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.6</pydev_property>
 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
@@ -14 +14 @@
 <path>/home/pjkersha/workspace/MyProxyClient</path>
 <path>/home/pjkersha/workspace/AuthKit/trunk</path>
+<path>/home/pjkersha/workspace/NDG_XACML</path>
 </pydev_pathproperty>
 </pydev_project>

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py

@@ -15 +15 @@
 import types
 import re
+import os
+import errno
 
 # Handle not before and not after strings
@@ -589 +591 @@
         nValidated = 0
         issuerX509Cert = None
-        while nValidated < n2Validate:                
+        while nValidated < n2Validate:
             issuerX509Cert = None
             issuerDN = x509Cert2Verify.issuer
@@ -642 +644 @@
                 break
         
-        if issuerX509Cert:   
+        if issuerX509Cert:
             if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
                 X509CertInvalidSignature('Signature is invalid for cert. "%s"' %
@@ -899 +901 @@
 
         try:
-#            dnFields = dn.split(self.__separator)
-#            if len(dnFields) < 2:
-#                raise X500DNError("Error parsing DN string: \"%s\"" % dn)
-#
-#            
-#            # Split fields into key/value and also filter null fields if
-#            # found e.g. a leading '/' in the DN would yield a null field
-#            # when split
-#            
-#            items = [field.split('=') for field in dnFields if field]
             dnFields = X500DN.PARSER_RE.split(dn)
             if len(dnFields) < 2:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/attributeauthority.py

@@ -96 +96 @@
         dictionary
         '''
-        app = AttributeAuthorityMiddleware(app)
+        app = cls(app)
         app.initialise(global_conf, **app_conf)
         

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py

@@ -15 +15 @@
 from uuid import uuid4
 
+# SAML authorisation decision query interface
 from ndg.saml.saml2.core import (Response, AuthzDecisionStatement, Assertion,
                                  Action, DecisionType, SAMLVersion, Issuer, 
@@ -20 +21 @@
                                  Subject, Conditions)
 
-from ndg.security.common.utils.factory import importModuleObject
-from ndg.security.common.authz import Subject as PDPSubject
-from ndg.security.common.authz.msi import Response as PDPResponse
-from ndg.security.common.authz.msi import Policy, PDP, Request, Resource
 from ndg.security.common.authz.pip.esginterface import PIP
+
+# XACML Policy Decision Point
+from ndg.xacml.parsers.etree.factory import ReaderFactory
+from ndg.xacml.core.attribute import Attribute
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory
+from ndg.xacml.core.context.pdpinterface import PDPInterface
+from ndg.xacml.core.context.pdp import PDP
+from ndg.xacml.core.context.request import Request
+from ndg.xacml.core.context.resource import Resource
+from ndg.xacml.core import context
 
 
@@ -36 +43 @@
     
 class AuthzServiceMiddleware(object):
-    '''WSGI to add an NDG Security Authorization Service in the environ.  This
-    enables multiple WSGI filters to access the same underlying Attribute
-    Authority instance e.g. provide SAML SOAP and WSDL SOAP based interfaces
-    to the same Authorization Service
+    '''WSGI to add an NDG Security Authorization Service in the environ.
     '''
     DEFAULT_QUERY_IFACE_KEYNAME = \
@@ -45 +49 @@
     
     ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME = 'queryInterfaceKeyName'
-    QUERY_IFACE_OPTNAME = 'queryInterface'
-    ISSUER_NAME_OPTNAME = 'issuerName'
-    ISSUER_FORMAT_OPTNAME = 'issuerFormat'
-    CLOCK_SKEW_TOLERANCE_OPTNAME = 'clockSkewTolerance'
     ASSERTION_LIFETIME_OPTNAME = 'assertionLifetime'
     
@@ -54 +54 @@
     AUTHZ_SRVC_OPTION_DEFAULTS = {
         ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME: DEFAULT_QUERY_IFACE_KEYNAME,
-        ISSUER_NAME_OPTNAME: None,
-        ISSUER_FORMAT_OPTNAME: Issuer.X509_SUBJECT,
         ASSERTION_LIFETIME_OPTNAME: 60*60*8, # 8 hours as default
     }
     
-    POLICY_FILEPATH_OPTNAME = 'filePath'
-    POLICY_CFG_PREFIX = 'policy.'
+    POLICY_FILEPATH_OPTNAME = 'policyFilePath'
     PIP_CFG_PREFIX = 'pip.'
     
     __slots__ = (
         '__policyFilePath',
-        '__' + QUERY_IFACE_OPTNAME, 
+        '__queryInterface', 
         '__' + ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME,
-        '__' + CLOCK_SKEW_TOLERANCE_OPTNAME,
         '__' + ASSERTION_LIFETIME_OPTNAME,
         '__pdp', 
         '_app',
-        '__issuerProxy',
-        '__subjectProxy'
     )
         
     def __init__(self, app):
         '''Set-up an Authorization Service instance
-        '''        
-        super(AuthzServiceMiddleware, self).__init__(app, {}) 
-         
+        '''
         self._app = app
         self.__policyFilePath = None
@@ -85 +77 @@
         self.__queryInterface = None
         self.__queryInterfaceKeyName = None
-        self.__clockSkewTolerance = None
         self.__assertionLifetime = 0.
-        
-        # Proxy object for SAML Response Issuer attributes.  By generating a 
-        # proxy the Response objects inherent attribute validation can be 
-        # applied to Issuer related config parameters before they're assigned to
-        # the response issuer object generated in the authorisation decision 
-        # query response
-        self.__issuerProxy = Issuer()
         
     def initialise(self, global_conf, prefix='authorizationservice.',
@@ -118 +102 @@
             setattr(self, optName, value)
         
-        # Address special cases ...        
-        authzDecisionQueryIfaceOptName = prefix + cls.QUERY_IFACE_OPTNAME
-                                         
-        # Use decision function set in config but default to the implementation
-        # in this class if no config option is set
-        self.queryInterface = app_conf.get(authzDecisionQueryIfaceOptName,
-                                           self.createQueryInterface())        
+        self.queryInterface = self.createQueryInterface()    
 
         # Initialise the Authorisation Policy
-        policyCfgPrefix = prefix + cls.POLICY_CFG_PREFIX
-        policyFilePathOptName = policyCfgPrefix + cls.POLICY_FILEPATH_OPTNAME
-        self.policyFilePath = app_conf.get(policyFilePathOptName)
-             
-        policy = Policy.Parse(self.policyFilePath)
+        policyFilePathOptName = prefix + cls.POLICY_FILEPATH_OPTNAME
+        policyFilePath = app_conf.get(policyFilePathOptName)
+        if policyFilePath is None:
+            raise AuthzServiceMiddlewareConfigError('No policy file path set - '
+                                                    '"policyFilePath" option '
+                                                    'name')
+        
+        self.policyFilePath = policyFilePath 
         
         # Initialise the Policy Information Point 
         pipCfgPrefix = prefix + cls.PIP_CFG_PREFIX
         pip = PIP.fromConfig(app_conf, prefix=pipCfgPrefix)
-        
-        # Set default issuer name if not already specified.  Nb. format must
-        # be overridden
-        if pip.attributeQueryBinding.issuerName is None:
-            pip.attributeQueryBinding.issuerFormat = self.issuerFormat
-            pip.attributeQueryBinding.issuerName = self.issuerName
             
         # Initialise the PDP reading in the policy        
-        self.pdp = PDP(policy, pip)
+        self.pdp = PDP.fromPolicySource(self.policyFilePath, ReaderFactory)
         
     @classmethod
@@ -205 +180 @@
     issuerFormat = property(_getIssuerFormat, _setIssuerFormat, 
                             doc="Issuer format")
-
-    def _getIssuerName(self):
-        if self.__issuerProxy is None:
-            return None
-        else:
-            return self.__issuerProxy.value
-
-    def _setIssuerName(self, value):
-        if self.__issuerProxy is None:
-            self.__issuerProxy = Issuer()
-            
-        self.__issuerProxy.value = value
-
-    issuerName = property(_getIssuerName, _setIssuerName, 
-                          doc="Name of issuer of SAML Authorisation Query "
-                              "Response")
-
-    def _getClockSkewTolerance(self):
-        return self.__clockSkewTolerance
-
-    def _setClockSkewTolerance(self, value):
-        if isinstance(value, (float, int, long)):
-            self.__clockSkewTolerance = timedelta(seconds=value)
-            
-        elif isinstance(value, basestring):
-            self.__clockSkewTolerance = timedelta(seconds=float(value))
-        else:
-            raise TypeError('Expecting float, int, long or string type for '
-                            '"clockSkewTolerance"; got %r' % type(value))
-
-    clockSkewTolerance = property(fget=_getClockSkewTolerance, 
-                                  fset=_setClockSkewTolerance, 
-                                  doc="Allow a tolerance in seconds for SAML "
-                                      "Query issueInstant parameter check and "
-                                      "assertion condition notBefore and "
-                                      "notOnOrAfter times to allow for clock "
-                                      "skew")
+#
+#    def _getIssuerName(self):
+#        if self.__issuerProxy is None:
+#            return None
+#        else:
+#            return self.__issuerProxy.value
+#
+#    def _setIssuerName(self, value):
+#        if self.__issuerProxy is None:
+#            self.__issuerProxy = Issuer()
+#            
+#        self.__issuerProxy.value = value
+#
+#    issuerName = property(_getIssuerName, _setIssuerName, 
+#                          doc="Name of issuer of SAML Authorisation Query "
+#                              "Response")
     
     _getAssertionLifetime = lambda self: self.__assertionLifetime
@@ -263 +217 @@
 
     def _setPdp(self, value):
-        if not isinstance(value, PDP):
+        if not isinstance(value, PDPInterface):
             raise TypeError('Expecting %r type for "pdp" attribute; got %r '
-                            'instead' % value)
+                            'instead' % (PDPInterface, value))
             
         self.__pdp = value
@@ -317 +271 @@
         # Nest function within AuthzServiceMiddleware method so that self is
         # in its scope
-        def getAuthzDecision(authzDecisionQuery):
+        def getAuthzDecision(authzDecisionQuery, samlResponse):
             """Authorisation decision function accepts a SAML AuthzDecisionQuery
             and calls the Policy Decision Point returning a response
@@ -326 +280 @@
             @return: SAML response containing Authorisation Decision Statement
             """        
-            # Make a request object to pass to the PDP
-            request = Request()
-            request.subject[PDPSubject.USERID_NS
-                            ] = authzDecisionQuery.subject.nameID.value
-            
-            # IdP Session Manager specific settings:
-            #
-            # The following won't be set if the IdP running the OpenID Provider
-            # hasn't also deployed a Session Manager.  In this case, the
-            # Attribute Authority will be queried directly from here without a
-            # remote Session Manager intermediary to cache credentials
-            request.resource[Resource.URI_NS] = authzDecisionQuery.resource
-    
-            # TODO: incorporate action(s) requested into PDP request
+            request = self._createXacmlRequestCtx(authzDecisionQuery)
             
             # Call the PDP
-            pdpResponse = self.pdp.evaluate(request)
+            xacmlResponse = self.pdp.evaluate(request)
             
             # Create the SAML Response
-            response = self._createSAMLResponse(authzDecisionQuery)
-            authzDecisionStatement = response.assertions[0
+            self._createSAMLResponseAssertion(authzDecisionQuery, samlResponse)
+            authzDecisionStatement = samlResponse.assertions[0
                                                     ].authzDecisionStatements[0]
             
-            if pdpResponse.status == PDPResponse.DECISION_PERMIT:
+            if (xacmlResponse.results[0].decision == 
+                context.result.Decision.PERMIT):
                 log.info("AuthzServiceMiddleware.__call__: PDP granted "
                          "access for URI path [%s] using policy [%s]", 
@@ -357 +299 @@
                 authzDecisionStatement.decision = DecisionType.PERMIT
             
-            elif pdpResponse.status == PDPResponse.DECISION_INDETERMINATE:
+            elif (xacmlResponse.results[0].decision == 
+                  context.result.Decision.INDETERMINATE):
                 log.info("AuthzServiceMiddleware.__call__: PDP returned a "
                          "status of [%s] denying access for URI path [%s] "
                          "using policy [%s]", 
-                         pdpResponse.decisionValue2String[pdpResponse.status],
+                         context.result.Decision.INDETERMINATE,
                          authzDecisionQuery.resource,
                          self.policyFilePath) 
@@ -371 +314 @@
                          "status of [%s] denying access for URI path [%s] "
                          "using policy [%s]", 
-                         pdpResponse.decisionValue2String[pdpResponse.status],
+                         context.result.Decision.DENY,
                          authzDecisionQuery.resource,
                          self.policyFilePath) 
@@ -377 +320 @@
                 authzDecisionStatement.decision = DecisionType.DENY
     
-            return response
+            return samlResponse
         
         return getAuthzDecision
-
-    def _createSAMLResponse(self, authzDecisionQuery):
-        """Helper method to create a SAML Authorisation Decision Response.  The
-        resource and actions referred to in the query are set in the 
-        Authorization Decision Statement, no decision is set
-        
-        @param authzDecisionQuery: SAML authorsation decision query
+    
+    def _createXacmlRequestCtx(self, authzDecisionQuery):
+        """Translate SAML authorisation decision query into a XACML request
+        context
+        """
+        request = context.request.Request()
+        subject = context.subject.Subject()
+        
+        attributeValueFactory = AttributeValueClassFactory()
+        
+        openidSubjectAttribute = Attribute()
+        roleAttribute = Attribute()
+        
+        openidSubjectAttribute.attributeId = \
+                                        authzDecisionQuery.subject.nameID.format
+                                        
+        AnyUriAttributeValue = attributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#anyURI')
+        
+        openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
+        
+        openidSubjectAttribute.attributeValues.append(AnyUriAttributeValue())
+        openidSubjectAttribute.attributeValues[-1].value = \
+                                    authzDecisionQuery.subject.nameID.value
+        
+        subject.attributes.append(openidSubjectAttribute)
+
+        StringAttributeValue = attributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#string')
+
+        # TODO: get attributes - replace hard coded values
+        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
+        roleAttribute.dataType = StringAttributeValue.IDENTIFIER
+        
+        roleAttribute.attributeValues.append(StringAttributeValue())
+        roleAttribute.attributeValues[-1].value = 'staff' 
+        
+        subject.attributes.append(roleAttribute)
+                                  
+        request.subjects.append(subject)
+        
+        resource = Resource()
+        resourceAttribute = Attribute()
+        resource.attributes.append(resourceAttribute)
+        
+        resourceAttribute.attributeId = \
+                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            
+        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
+        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
+        resourceAttribute.attributeValues[-1].value = \
+                                                    authzDecisionQuery.resource
+
+        request.resources.append(resource)
+        
+        request.action = context.action.Action()
+        actionAttribute = Attribute()
+        request.action.attributes.append(actionAttribute)
+        
+        actionAttribute.attributeId = \
+                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
+        actionAttribute.dataType = StringAttributeValue.IDENTIFIER
+        actionAttribute.attributeValues.append(StringAttributeValue())
+        actionAttribute.attributeValues[-1].value = authzDecisionQuery.actions[0
+                                                                        ].value
+        
+        return request
+    
+    def _createSAMLResponseAssertion(self, authzDecisionQuery, response):
+        """Helper method to add an assertion containing an Authorisation
+        Decision Statement to the SAML response
+        
+        @param authzDecisionQuery: SAML Authorisation Decision Query
         @type authzDecisionQuery: ndg.saml.saml2.core.AuthzDecisionQuery
-        @return: SAML Authorisation Decision Response
-        @rtype: ndg.saml.saml2.core.Response
+        @param response: SAML response
+        @type response: ndg.saml.saml2.core.Response
         """
-        response = Response()
-        
+#        response = Response()
+#        
         now = datetime.utcnow()
         response.issueInstant = now
-        
-        # Make up a request ID that this response is responding to
-        response.inResponseTo = authzDecisionQuery.id
-        response.id = str(uuid4())
-        response.version = SAMLVersion(SAMLVersion.VERSION_20)
-            
-        response.issuer = Issuer()
-        response.issuer.format = self.issuerFormat
-        response.issuer.value = self.issuerName
-
-        response.status = Status()
-        response.status.statusCode = StatusCode()
-        response.status.statusMessage = StatusMessage()        
-        
-        response.status.statusCode.value = StatusCode.SUCCESS_URI
-        response.status.statusMessage.value = ("Response created "
-                                               "successfully")
+#        
+#        # Make up a request ID that this response is responding to
+#        response.inResponseTo = authzDecisionQuery.id
+#        response.id = str(uuid4())
+#        response.version = SAMLVersion(SAMLVersion.VERSION_20)
+#            
+#        response.issuer = Issuer()
+#        response.issuer.format = self.issuerFormat
+#        response.issuer.value = self.issuerName
+#
+#        response.status = Status()
+#        response.status.statusCode = StatusCode()
+#        response.status.statusMessage = StatusMessage()        
+#        
+#        response.status.statusCode.value = StatusCode.SUCCESS_URI
+#        response.status.statusMessage.value = ("Response created "
+#                                               "successfully")
         
         assertion = Assertion()
@@ -432 +441 @@
         assertion.subject.nameID.value = \
             authzDecisionQuery.subject.nameID.value
-            
-        assertion.issuer = Issuer()
-        assertion.issuer.format = self.issuerFormat
-        assertion.issuer.value = self.issuerName
         
         authzDecisionStatement = AuthzDecisionStatement()

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -67 +67 @@
     SAML_VERSION_OPTNAME = 'samlVersion'
     ISSUER_OPTNAME = 'issuer'
+    ISSUER_NAME_OPTNAME = 'issuerName'
+    ISSUER_FORMAT_OPTNAME = 'issuerFormat'
     
     CONFIG_FILE_OPTNAMES = (
@@ -77 +79 @@
         DESERIALISE_OPTNAME,
         SAML_VERSION_OPTNAME,
-        ISSUER_OPTNAME
+        ISSUER_NAME_OPTNAME,
+        ISSUER_FORMAT_OPTNAME
     )
     
@@ -101 +104 @@
         self.__verifySAMLVersion = True
         self.__samlVersion = SAMLVersion.VERSION_20
-                 
+        
+        # Proxy object for SAML Response Issuer attributes.  By generating a 
+        # proxy the Response objects inherent attribute validation can be 
+        # applied to Issuer related config parameters before they're assigned to
+        # the response issuer object generated in the authorisation decision 
+        # query response
+        self.__issuerProxy = Issuer()
+      
     def initialise(self, global_conf, prefix='', **app_conf):
         '''
@@ -175 +185 @@
                       fset=_setIssuer, 
                       doc="Name of issuing authority")
+
+    def _getIssuerFormat(self):
+        if self.__issuerProxy is None:
+            return None
+        else:
+            return self.__issuerProxy.value
+
+    def _setIssuerFormat(self, value):
+        if self.__issuerProxy is None:
+            self.__issuerProxy = Issuer()
+            
+        self.__issuerProxy.format = value
+
+    issuerFormat = property(_getIssuerFormat, _setIssuerFormat, 
+                            doc="Issuer format")
+
+    def _getIssuerName(self):
+        if self.__issuerProxy is None:
+            return None
+        else:
+            return self.__issuerProxy.value
+
+    def _setIssuerName(self, value):
+        self.__issuerProxy.value = value
+
+    issuerName = property(_getIssuerName, _setIssuerName, 
+                          doc="Name of issuer of SAML Query Response")
 
     def _getVerifyTimeConditions(self):
@@ -454 +491 @@
         samlResponse.issuer = Issuer()
         
-        # Nb. SAML 2.0 spec says issuer format must be omitted
-        if self.issuer is not None:
-            samlResponse.issuer.value = self.issuer
+        if self.issuerName is not None:
+            samlResponse.issuer.value = self.issuerName
+        
+        if self.issuerFormat is not None:
+            # TODO: Check SAML 2.0 spec says issuer format must be omitted??
+            samlResponse.issuer.format = self.issuerFormat
         
         # Initialise to success status but reset on error

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -326 +326 @@
     def isValidClientCert(self):
         sslClientCert = self.environ[self.sslClientCertKeyName]
-        
+
         # Certificate string passed through a proxy has spaces in place of
         # newline delimiters.  Fix by re-organising the string into a single 
@@ -361 +361 @@
            
         # Verify against list of acceptable DNs if set
+        
         if len(self.clientCertDNMatchList) > 0:
             dn = self.__clientCert.dn
@@ -372 +373 @@
                               self.clientCertDNMatchList)
                     return True
-        else:
+                
             log.debug("No match found for Client Certificate DN %s in "
                       "permitted DNs list %r", dn, self.clientCertDNMatchList)
@@ -379 +380 @@
 
         self.environ[
-            ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME] = True            
+            ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME] = True
         return True
 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py

@@ -24 +24 @@
 os.environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
 
+import optparse
+
 # To start run 
-# $ paster serve services.ini or run this file as a script
-# $ ./securityservicesapp.py [port #]
-if __name__ == '__main__':
-    import sys
-    if len(sys.argv) > 1:
-        port = int(sys.argv[1])
-    else:
-        port = 7443
-            
+# $ paster serve services.ini or run this file as a script, see
+# $ ./securityservicesapp.py -h
+if __name__ == '__main__':    
+    cfgFileName = INI_FILEPATH
+    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)  
+        
+    parser = optparse.OptionParser()
+    parser.add_option("-p",
+                      "--port",
+                      dest="port",
+                      default=7443,
+                      type='int',
+                      help="port number to run under")
+
+    parser.add_option("-s",
+                      "--with-ssl",
+                      dest="withSSL",
+                      default='True',
+                      help="Run with SSL")
+
+    parser.add_option("-c",
+                      "--conf",
+                      dest="configFilePath",
+                      default=cfgFilePath,
+                      help="Configuration file path")
+    
     # Initialise test user database
     from ndg.security.test.unit import BaseTestCase
     BaseTestCase.initDb()
     
-    cfgFileName = INI_FILEPATH
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)  
+    opt = parser.parse_args()[0]
     
-    certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
-                                'pki', 
-                                'localhost.crt')
-    priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
-                                  'pki', 
-                                  'localhost.key')
+    if opt.withSSL.lower() == 'true':
+        certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                    'pki', 
+                                    'localhost.crt')
+        priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 
+                                      'pki', 
+                                      'localhost.key')
+        
+        ssl_context = SSL.Context(SSL.SSLv23_METHOD)
+        ssl_context.set_options(SSL.OP_NO_SSLv2)
     
-    ssl_context = SSL.Context(SSL.SSLv23_METHOD)
-    ssl_context.set_options(SSL.OP_NO_SSLv2)
+        ssl_context.use_privatekey_file(priKeyFilePath)
+        ssl_context.use_certificate_file(certFilePath)
+    else:
+        ssl_context = None
 
-    ssl_context.use_privatekey_file(priKeyFilePath)
-    ssl_context.use_certificate_file(certFilePath)
-
-    server = PasteDeployAppServer(cfgFilePath=cfgFilePath, 
-                                  port=port,
+    server = PasteDeployAppServer(cfgFilePath=opt.configFilePath, 
+                                  port=opt.port,
                                   ssl_context=ssl_context) 
     server.start()

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-decision-interface.ini

@@ -30 +30 @@
 saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
 saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML
+saml.issuerName = /O=Test/OU=Authorisation Service
+saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 
 #______________________________________________________________________________
@@ -39 +41 @@
 paste.filter_app_factory = ndg.security.test.unit.wsgi.saml.test_soapauthzdecisioninterface:TestAuthorisationServiceMiddleware
 queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
+

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/authz-service.ini

@@ -15 +15 @@
 
 [pipeline:main]
-pipeline = TestAuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter TestApp
+pipeline = AuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter TestApp
 
 [app:TestApp]
@@ -28 +28 @@
 saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML
 
+# AuthzDecisionQuery Response settings
+saml.issuerName = /O=NDG/OU=CEDA/CN=Authorisation Service
+saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+saml.clockSkewTolerance = 1
+saml.assertionLifetime = 86400
+
 #______________________________________________________________________________
 # Authorisation Service WSGI settings
 #
-[filter:TestAuthorisationServiceFilter]
+[filter:AuthorisationServiceFilter]
 # This filter is a container for a binding to a SOAP based interface to the
 # Attribute Authority
 paste.filter_app_factory = ndg.security.server.wsgi.authzservice:AuthzServiceMiddleware.filter_app_factory
 prefix = authz.
-authz.policy.filePath = %(here)s/policy-1.1.xml
+authz.policyFilePath = %(here)s/policy.xml
 authz.queryInterfaceKeyName = %(queryInterfaceKeyName)s
-
-# AuthzDecisionQuery Response settings
-authz.issuerName = /O=NDG/OU=CEDA/CN=Authorisation Service
-authz.clockSkewTolerance = 1
-authz.assertionLifetime = 86400
 
 # Policy Information Point settings - makes an Attribute Queries to 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -30 +30 @@
     QUERY_INTERFACE_KEYNAME_OPTNAME = 'queryInterfaceKeyName'
     RESOURCE_URI = 'http://localhost/dap/data/'
-    ISSUER_DN = '/O=Site A/CN=PDP'
+    ISSUER_DN = '/O=Test/OU=Authorisation/CN=Service Stub'
     
     def __init__(self, app, global_conf, **app_conf):
@@ -42 +42 @@
     
     def authzDecisionQueryFactory(self):
-        def authzDecisionQuery(query):
-            response = Response()
+        def authzDecisionQuery(query, response):
             now = datetime.utcnow()
             response.issueInstant = now
@@ -51 +50 @@
             response.id = str(uuid4())
             response.version = SAMLVersion(SAMLVersion.VERSION_20)
-                
-            response.issuer = Issuer()
-            response.issuer.format = Issuer.X509_SUBJECT
-            response.issuer.value = TestAuthorisationServiceMiddleware.ISSUER_DN
             
             response.status = Status()
@@ -106 +101 @@
                             issuer="/O=Site A/CN=PEP",
                             subject="https://openid.localhost/philip.kershaw",
-                            resource=RESOURCE_URI,
+                            resource=None,
                             action=Action.HTTP_GET_ACTION,
                             actionNs=Action.GHPP_NS_URI):
@@ -122 +117 @@
         query.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
         query.subject.nameID.value = subject
-                                    
-        query.resource = resource         
+                                 
+        if resource is None:
+            query.resource = self.__class__.RESOURCE_URI
+        else:   
+            query.resource = resource
+                 
         query.actions.append(Action())
         query.actions[0].namespace = actionNs
@@ -197 +196 @@
     """
     CONFIG_FILENAME = 'authz-service.ini'
-    RESOURCE_URI = 'http://localhost/dap/data/my.nc.dods?time[0:1:0]'
-    ACCESS_DENIED_RESOURCE_URI = 'http://localhost/dap/data/test_accessDeniedToSecuredURI'
+    RESOURCE_URI = 'http://localhost/dap/data/my.nc.dods?time[0:1:0]&lat'
+    ACCESS_DENIED_RESOURCE_URI = \
+        'http://localhost/dap/data/test_accessDeniedToSecuredURI'
     
     def __init__(self, *arg, **kw):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/x509/test_x509.py

@@ -41 +41 @@
 
 class X509TestCase(BaseTestCase):
+    """Unit test X509 module"""
+    CA_DIR = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 'ca')
     
     def __del__(self):
@@ -197 +199 @@
                   "isValidTime: %s" % _warningMsg)
 
-
+    def test10ReadStackFromCADir(self):
+        
+        stack = X509Stack.fromCADir(X509TestCase.CA_DIR)
+        self.assert_(stack)
+        self.assert_(len(stack) > 0)
+        
 class X500DNTestCase(BaseTestCase):
     def test01VerifyParsingForFieldsContainingSlash(self):