Changeset 6866

Timestamp:

17/05/10 11:39:55 (11 years ago)

Author:

pjkersha

Message:

Updated PyDAP integration test example to work with the latest security middleware.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/dap

Files:

• . (modified) (1 prop)
• authz/policy.xml (modified) (2 diffs)
• log (modified) (1 prop)
• pep_result_handler (added)
• pep_result_handler/layout (added)
• pep_result_handler/layout/CEDA_RightButton60.png (added)
• pep_result_handler/layout/NERC_Logo.gif (added)
• pep_result_handler/layout/NERC_Logo_Swindon.gif (added)
• pep_result_handler/layout/badc logo_sm.jpg (added)
• pep_result_handler/layout/badc_logo4ndg.jpg (added)
• pep_result_handler/layout/default.css (added)
• pep_result_handler/layout/icons (added)
• pep_result_handler/layout/icons/help.png (added)
• pep_result_handler/layout/ndg_logo_circle.gif (added)
• pep_result_handler/layout/neodc_logo4ndg.jpg (added)
• pep_result_handler/layout/openid-inputicon.gif (added)
• pep_result_handler/layout/stfc-circle-sm.gif (added)
• server.ini (modified) (5 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/dap/authz/policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.0:policy">
+<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.1:policy">
     <Description>Restrict access for Authorization integration tests</Description>
     
@@ -6 +6 @@
         <URIPattern>^/sample.*$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-<!--            <uri>https://localhost/AttributeAuthority</uri>
--->
-            <uri>http://localhost:7443/AttributeAuthority</uri>
-        </AttributeAuthority>
     </Target>
     <Target>
         <URIPattern>^/sresa1b_ncar_ccsm3_0_run1_200001.*$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
         </Attributes>
-        <AttributeAuthority>
-<!--            <uri>https://localhost/AttributeAuthority</uri>
--->            
-            <uri>http://localhost:7443/AttributeAuthority</uri>
-        </AttributeAuthority>
+        
     </Target>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/dap/server.ini

@@ -15 +15 @@
 # file
 #
+[DEFAULT]
+testConfigDir = %(here)s/../../config
+beakerSessionKeyName = beaker.session.ndg.security
+
 [server:main]
 use = egg:Paste#http
@@ -42 +46 @@
 # Pipeline to with security filters to protect the pyDAP application
 [pipeline:main]
-pipeline = AuthenticationFilter AuthorizationFilter cascade
+pipeline = BeakerSessionFilter AuthenticationFilter AuthorizationFilter cascade
+
+
+[filter:BeakerSessionFilter]
+paste.filter_app_factory = beaker.middleware:SessionMiddleware
+
+# Cookie name
+beaker.session.key = ndg.security.session
+
+# WSGI environ key name
+environ_key = %(beakerSessionKeyName)s
+beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW
+beaker.cache.data_dir = %(here)s/authn/beaker/cache
+beaker.session.data_dir = %(here)s/authn/beaker/sessions
+
+#beaker.session.cookie_domain = .localhost
 
 [filter:AuthenticationFilter]
@@ -49 +68 @@
 
 # Set redirect for OpenID Relying Party in the Security Services app instance
-#authN.redirectURI = https://localhost/verify
-authN.redirectURI = http://localhost:7443/verify
+#authN.redirectURI = https://localhost:7443/verify
+authN.redirectURI = https://localhost/verify
 
-# Beaker Session set-up
-beaker.session.key = ndg.security.session
-beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW
-beaker.cache.data_dir = %(here)s/authn/beaker/pki/cache
-beaker.session.data_dir = %(here)s/authn/beaker/sessions
-beaker.session.cookie_expires = True
+# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
+# passed return to query argument
+authN.sessionHandler.defaultLogoutReturnToURI = https://localhost:7443/
 
 # AuthKit Set-up
 authkit.setup.method=cookie
 
-# This cookie name and secret MUST agree with the name used by the security 
-# web services app
+# This cookie name and secret MUST agree with the name used by the security web
+# services app
 authkit.cookie.name=ndg.security.auth
 authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
@@ -72 +88 @@
 authkit.cookie.includeip = False
 
+#authkit.cookie.params.expires = 2
+#authkit.cookie.params.domain = .localhost
+
+# environ key name for beaker session
+authkit.session.middleware = %(beakerSessionKeyName)s
+
+
 [filter:AuthorizationFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory
+paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
 prefix = authz.
+authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
+authz.pepResultHandler.staticContentDir = %(here)s/pep_result_handler
+authz.pepResultHandler.baseURL = http://localhost:8001
+authz.pepResultHandler.heading = Access Denied
+authz.pepResultHandler.messageTemplate = Access is forbidden for this resource:<div id="accessDeniedMessage">$pdpResponseMsg</div>Please check with your site administrator that you have the required access privileges.
+authz.pepResultHandler.footerText = This site is for test purposes only.
+authz.pepResultHandler.rightLink = http://ceda.ac.uk/
+authz.pepResultHandler.rightImage = %(authz.pepResultHandler.baseURL)s/layout/CEDA_RightButton60.png
+authz.pepResultHandler.rightAlt = Centre for Environmental Data Archival
+authz.pepResultHandler.helpIcon = %(authz.pepResultHandler.baseURL)s/layout/icons/help.png
+
 policy.filePath = %(here)s/authz/policy.xml
 
@@ -80 +114 @@
 # retrieve subject attributes from the Attribute Authority associated with the
 # resource to be accessed
-pip.sslCACertFilePathList=
 
-# List of CA certificates used to verify the signatures of 
-# Attribute Certificates retrieved
-pip.caCertFilePathList=%(here)s/pki/ca/ndg-test-ca.crt
+# If omitted, DN of SSL Cert is used
+pip.attributeQuery.issuerName = 
+pip.attributeQuery.subjectIdFormat = urn:esg:openid
+pip.attributeQuery.clockSkewTolerance = 0.
+pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
 
-#
-# WS-Security Settings for call to Session Manager
-
-# Signature of an outbound message
-
-# Certificate associated with private key used to sign a message.  The sign 
-# method will add this to the BinarySecurityToken element of the WSSE header.  
-# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
-# As an alternative, use signingCertChain - see below...
-
-# PEM encode cert
-pip.wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt
-
-# PEM encoded private key file
-pip.wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key
-
-# Password protecting private key.  Leave blank if there is no password.
-pip.wssecurity.signingPriKeyPwd=
-
-# For signature verification.  Provide a space separated list of file paths
-pip.wssecurity.caCertFilePathList=%(here)s/pki/ca/ndg-test-ca.crt
-
-# ValueType for the BinarySecurityToken added to the WSSE header
-pip.wssecurity.reqBinSecTokValType=X509v3
-
-# Add a timestamp element to an outbound message
-pip.wssecurity.addTimestamp=True
 
 # Logging configuration