Changeset 6912 for TI12-security/trunk/NDGSecurity

Timestamp:

01/06/10 11:24:18 (11 years ago)

Author:

pjkersha

Message:

Updated and re-ran unit tests for new SAML release.

• All pass apart from MyProxy? interface ones which require MyProxy? server running.
• Removed old NDG Browse and ProFTP PDP interface unit tests

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/saml/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/dap/authz/policy.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/dap/data/RUC.nc (added)
• ndg_security_test/ndg/security/test/integration/pylonsapp/pylonsapp/lib/security_utils.py (deleted)
• ndg_security_test/ndg/security/test/unit/authz/pdp (deleted)
• ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

@@ -66 +66 @@
     DESERIALISE_OPTNAME = 'deserialise' 
     SAML_VERSION_OPTNAME = 'samlVersion'
-    ISSUER_OPTNAME = 'issuer'
     ISSUER_NAME_OPTNAME = 'issuerName'
     ISSUER_FORMAT_OPTNAME = 'issuerFormat'

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

@@ -13 +13 @@
 attributeAuthorityEnvironKeyName = attribute-authority
 attributeQueryInterfaceEnvironKeyName = attributeQueryInterface
-attributeAuthoritySoapWsdlServicePath = /AttributeAuthority
 
 [server:main]
@@ -70 +69 @@
 saml.soapbinding.clockSkewTolerance: 180.0
 
-saml.soapbinding.issuer: /O=Site A/CN=Attribute Authority
+saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
 
 # Logging configuration

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -107 +107 @@
 paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
 prefix = ssl.
+
+# Apply verification against a list of trusted CAs.  To skip this step, comment
+# out or remove this item.  e.g. set CA verification in the Apache config file.
 ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
 #ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/dap/authz/policy.xml

@@ -13 +13 @@
     </Target>
     <Target>
-        <URIPattern>^/sresa1b_ncar_ccsm3_0_run1_200001.*$</URIPattern>
+        <URIPattern>^/RUC.*$</URIPattern>
         <Attributes>
             <Attribute>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/saml/test_samlinterface.py

@@ -304 +304 @@
         
         request = UrlLib2SOAPRequest()
-        request.url = 'http://localhost:5000/AttributeAuthority/saml'
+        request.url = 'http://localhost:5000/AttributeAuthority'
         request.envelope = SOAPEnvelope()
         request.envelope.create()

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/__init__.py

@@ -5 +5 @@
 __author__ = "P J Kershaw"
 __date__ = "23/02/09"
-__copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
 __license__ = "BSD - see LICENSE file in top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
-__revision__ = '$Id: $'
+__revision__ = '$Id$'
 
 import paste.httpserver

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini

@@ -5 +5 @@
 #
 [DEFAULT]
-testConfigDir = %(here)s/../../../config
+attributeQueryInterfaceEnvironKeyName = attributeQueryInterface
 
 [server:main]
@@ -20 +20 @@
 [filter:AttributeAuthorityFilter]
 paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
-prefix = attributeauthority.
+prefix = attributeAuthority.
 
-attributeauthority.environKeyName = myAttributeAuthority
+attributeAuthority.environKeyName = myAttributeAuthority
 
-# Attribute Authority settings
-# 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeauthority.name: Site A
+# Key name for the SAML SOAP binding based interface to reference this
+# service's attribute query method
+attributeAuthority.environKeyNameAttributeQueryInterface: %(attributeQueryInterfaceEnvironKeyName)s
+
+# Attribute Authority settings...
 
 # Lifetime is measured in seconds
-attributeauthority.attCertLifetime: 28800 
-
-# Allow an offset for clock skew between servers running 
-# security services. NB, measured in seconds - use a minus sign for time in the
-# past
-attributeauthority.attCertNotBeforeOff: 0
-
-# All Attribute Certificates issued are recorded in this dir
-attributeauthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
-
-# Files in attCertDir are stored using a rotating file handler
-# attCertFileLogCnt sets the max number of files created before the first is 
-# overwritten
-attributeauthority.attCertFileName: ac.xml
-attributeauthority.attCertFileLogCnt: 16
-attributeauthority.dnSeparator:/
-
-# Location of role mapping file
-attributeauthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
+attributeAuthority.assertionLifetime: 28800 
 
 # Settings for custom AttributeInterface derived class to get user roles for given 
 # user ID
-#attributeauthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeauthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
-attributeauthority.attributeInterface.className: TestUserRoles
+attributeAuthority.attributeInterface.modFilePath: %(here)s
+attributeAuthority.attributeInterface.className: ndg.security.test.config.attributeauthority.sitea.sitea_attributeinterface.TestUserRoles
 
-# Config for XML signature of Attribute Certificate
-attributeauthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
-attributeauthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
-attributeauthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
+# SAML SOAP Binding to the Attribute Authority
+[filter:AttributeAuthoritySamlSoapBindingFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
+prefix = saml.soapbinding.
 
+saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML
+
+# Specialisation to incorporate ESG Group/Role type
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+
+saml.soapbinding.pathMatchList = /AttributeAuthority
+saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
+
+# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
+# tolerance for query issueInstant parameter. Set here to 3 minutes
+saml.soapbinding.clockSkewTolerance: 180.0
+
+saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
+

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -31 +31 @@
 # If omitted, DN of SSL Cert is used
 pip.attributeQuery.issuerName = 
+pip.attributeQuery.subjectIdFormat = urn:esg:openid
 pip.attributeQuery.clockSkewTolerance = 0.
 pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string