Changeset 7143

Timestamp:

01/07/10 08:53:38 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• working query interface middleware for authz decision interface unit tests

Location:

TI12-security/trunk/ndg_saml/ndg/saml

Files:

• saml2/binding/soap/__init__.py (modified) (1 diff)
• saml2/binding/soap/client/__init__.py (modified) (1 diff)
• saml2/binding/soap/client/subjectquery.py (modified) (1 diff)
• saml2/binding/soap/server/wsgi/queryinterface.py (modified) (7 diffs)
• test/binding/soap/__init__.py (modified) (2 diffs)
• test/binding/soap/attribute-interface.ini (modified) (1 diff)
• test/binding/soap/authz-decision-interface.ini (modified) (1 diff)
• test/binding/soap/authz-service.ini (modified) (1 diff)
• test/binding/soap/test_soapauthzdecisioninterface.py (modified) (7 diffs)
• utils/__init__.py (modified) (1 diff)

TI12-security/trunk/ndg_saml/ndg/saml/saml2/binding/soap/__init__.py

@@ -12 +12 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
+class SOAPBindingError(Exception):
+    '''Base exception type for client SAML SOAP Binding'''
+
+
+class SOAPBindingInvalidResponse(SOAPBindingError):
+    '''Raise if the response is invalid'''
+    def __init__(self, *arg, **kw):
+        SOAPBindingInvalidResponse.__init__(self, *arg, **kw)
+        self.__response = None
+    
+    def _getResponse(self):
+        '''Gets the response corresponding to this error
+        
+        @return the response
+        '''
+        return self.__response
+
+    def _setResponse(self, value):
+        '''Sets the response corresponding to this error.
+        
+        @param value: the response
+        '''
+        if not isinstance(value, Response):
+            raise TypeError('"response" must be a %r, got %r' % (Response,
+                                                                 type(value)))
+        self.__response = value
+        
+    response = property(fget=_getResponse, fset=_setResponse, 
+                        doc="SAML Response associated with this exception")

TI12-security/trunk/ndg_saml/ndg/saml/saml2/binding/soap/client/__init__.py

@@ -24 +24 @@
 from ndg.soap.client import (UrlLib2SOAPClient, UrlLib2SOAPRequest)
 
-
-class SOAPBindingError(Exception):
-    '''Base exception type for client SAML SOAP Binding for Attribute Query'''
-
-
-class SOAPBindingInvalidResponse(SOAPBindingError):
-    '''Raise if the response is invalid'''
+from ndg.saml.saml2.binding.soap import SOAPBindingInvalidResponse
     
     

TI12-security/trunk/ndg_saml/ndg/saml/saml2/binding/soap/client/subjectquery.py

@@ -27 +27 @@
 class SubjectQueryResponseError(SOAPBindingInvalidResponse):
     """SAML Response error from Subject Query"""
-    def __init__(self, *arg, **kw):
-        SOAPBindingInvalidResponse.__init__(self, *arg, **kw)
-        self.__response = None
-    
-    def _getResponse(self):
-        '''Gets the response corresponding to this error
-        
-        @return the response
-        '''
-        return self.__response
-
-    def _setResponse(self, value):
-        '''Sets the response corresponding to this error.
-        
-        @param value: the response
-        '''
-        if not isinstance(value, Response):
-            raise TypeError('"response" must be a %r, got %r' % (Response,
-                                                                 type(value)))
-        self.__response = value
-        
-    response = property(fget=_getResponse, fset=_setResponse, 
-                        doc="SAML Response associated with this exception")
     
 

TI12-security/trunk/ndg_saml/ndg/saml/saml2/binding/soap/server/wsgi/queryinterface.py

@@ -19 +19 @@
 from ndg.soap.server.wsgi.middleware import SOAPMiddleware
 from ndg.soap.etree import SOAPEnvelope
-from ndg.soap.utils import str2Bool
-
+
+from ndg.saml.utils import str2Bool
 from ndg.saml.utils.factory import importModuleObject
 from ndg.saml.xml import UnknownAttrProfile
@@ -27 +27 @@
 from ndg.saml.saml2.core import (Response, Status, StatusCode, StatusMessage, 
                                  Issuer) 
+from ndg.saml.saml2.binding.soap import SOAPBindingInvalidResponse
 
 
@@ -37 +38 @@
 
 
+class QueryIssueInstantInvalid(SOAPBindingInvalidResponse):
+    """Invalid timestamp for incoming query"""
+    
+    
 class SOAPQueryInterfaceMiddleware(SOAPMiddleware):
     """Implementation of SAML 2.0 SOAP Binding for Query/Request Binding
@@ -81 +86 @@
         @param app: next middleware application in the chain 
         '''     
-        super(SOAPQueryInterfaceMiddleware, self).__init__(app, None)
+        super(SOAPQueryInterfaceMiddleware, self).__init__()
         
         self._app = app
@@ -89 +94 @@
         self.__queryInterfaceKeyName = cls.DEFAULT_QUERY_INTERFACE_KEYNAME
         self.__mountPath = None
-        self.mountPath = ['/']
+        self.mountPath = '/'
         self.__requestEnvelopeClass = None
         self.__responseEnvelopeClass = None
@@ -354 +359 @@
     
         # Ignore non-matching path
-        if not self.pathMatch:
+        if environ['PATH_INFO'] not in (self.mountPath, 
+                                        self.mountPath + '/'):
             return self._app(environ, start_response)
           
@@ -394 +400 @@
             log.exception("%r raised parsing incoming query: %s" % 
                           (type(e), traceback.format_exc()))
-            samlResponse.statusCode.value = StatusCode.UNKNOWN_ATTR_PROFILE_URI
+            samlResponse.status.statusCode.value = \
+                                            StatusCode.UNKNOWN_ATTR_PROFILE_URI
         else:   
             # Check for Query Interface in environ

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/__init__.py

@@ -10 +10 @@
 __license__ = "http://www.apache.org/licenses/LICENSE-2.0"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
-__revision__ = '$Id:$'
+__revision__ = '$Id$'
 import os
 import unittest
@@ -42 +42 @@
         self.app = paste.fixture.TestApp(wsgiapp)
          
-        BaseTestCase.__init__(self, *args, **kwargs)
+        unittest.TestCase.__init__(self, *args, **kwargs)

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/attribute-interface.ini

@@ -18 +18 @@
 
 [app:TestApp]
-paste.app_factory = ndg.security.test.unit.wsgi.saml:TestApp
+paste.app_factory = ndg.saml.test.binding.soap.test_soapattributeinterface:TestApp
 
 [filter:SAMLSoapAttributeInterfaceFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
+paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
 saml.pathMatchList = /attributeauthority/saml

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/authz-decision-interface.ini

@@ -1 +1 @@
 #
 # INI file for testing the SAML Authorisation Query interface.  It uses a
-# test stub for the Authorisation Service rather than
-# ndg.security.server.wsgi.authzservice.AuthzServiceMiddleware.  See,
-# authz-service.ini to compare
+# test stub for the Authorisation Service 
 #
 # The %(here)s variable will be replaced with the parent directory of this file

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/authz-service.ini

@@ -18 +18 @@
 
 [app:TestApp]
-paste.app_factory = ndg.security.test.unit.wsgi.saml:TestApp
+paste.app_factory = ndg.saml.test.binding.soap:TestApp
 
 [filter:SAMLSoapAuthzDecisionInterfaceFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
+paste.filter_app_factory = ndg.saml.saml2.binding.server.wsgi:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
 saml.pathMatchList = /authorisationservice

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/test_soapauthzdecisioninterface.py

@@ -64 +64 @@
             
             authzDecisionStatement = AuthzDecisionStatement()
-            authzDecisionStatement.decision = DecisionType.PERMIT
-            authzDecisionStatement.resource = \
-                TestAuthorisationServiceMiddleware.RESOURCE_URI
+            
+            # Make some simple logic to simulate a full access policy
+            if query.resource == self.__class__.RESOURCE_URI:
+                if query.actions[0].value == Action.HTTP_GET_ACTION:
+                    authzDecisionStatement.decision = DecisionType.PERMIT
+                else:
+                    authzDecisionStatement.decision = DecisionType.DENY
+            else:
+                authzDecisionStatement.decision = DecisionType.INDETERMINATE
+                
+            authzDecisionStatement.resource = query.resource
+                
             authzDecisionStatement.actions.append(Action())
             authzDecisionStatement.actions[-1].namespace = Action.GHPP_NS_URI
@@ -101 +110 @@
                             issuer="/O=Site A/CN=PEP",
                             subject="https://openid.localhost/philip.kershaw",
-                            resource=None,
+                            resource=RESOURCE_URI,
                             action=Action.HTTP_GET_ACTION,
                             actionNs=Action.GHPP_NS_URI):
@@ -117 +126 @@
         query.subject.nameID.format = "urn:ndg:saml:test:openid"
         query.subject.nameID.value = subject
-                                 
-        if resource is None:
-            query.resource = self.__class__.RESOURCE_URI
-        else:   
-            query.resource = resource
+   
+        query.resource = resource
                  
         query.actions.append(Action())
@@ -162 +168 @@
         return response
     
-    def test01ValidQuery(self):
+    def test01AccessGranted(self):
         query = self._createAuthzDecisionQuery()
         request = self._makeRequest(query=query)
@@ -187 +193 @@
         self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
                                             ].decision == DecisionType.PERMIT)
-
-        
-class SOAPAuthzServiceMiddlewareTestCase(
-                                SOAPAuthzDecisionInterfaceMiddlewareTestCase):
-    """Test the actual server side middleware 
-    ndg.security.server.wsgi.authzservice.AuthzServiceMiddleware
-    rather than a test stub
-    """
-    CONFIG_FILENAME = 'authz-service.ini'
-    RESOURCE_URI = 'http://localhost/dap/data/my.nc.dods?time[0:1:0]&lat'
-    ACCESS_DENIED_RESOURCE_URI = \
-        'http://localhost/dap/data/test_accessDeniedToSecuredURI'
-    
-    def __init__(self, *arg, **kw):
-        """Extend base init to include SAML Attribute Authority required by
-        Authorisation Service"""
-        super(SOAPAuthzDecisionInterfaceMiddlewareTestCase, self).__init__(
-                                                                    *arg, **kw)
-        self.startSiteAAttributeAuthority(withSSL=True, port=5443)
-        
+   
     def test02AccessDenied(self):
-        cls = SOAPAuthzServiceMiddlewareTestCase
-        query = self._createAuthzDecisionQuery(
-                                        resource=cls.ACCESS_DENIED_RESOURCE_URI)
+        query = self._createAuthzDecisionQuery(action=Action.HTTP_POST_ACTION)
         request = self._makeRequest(query=query)
         
@@ -223 +208 @@
                                  status=200)
         print("Response status=%d" % response.status)
+        
         samlResponse = self._getSAMLResponse(response.body)
 
@@ -233 +219 @@
         self.assert_(samlResponse.assertions[0].authzDecisionStatements[0])
         self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
-                                            ].decision == DecisionType.DENY)   
-    
-    
+                                            ].decision == DecisionType.DENY)
+        
+    def test03IndeterminateResponse(self):
+        query = self._createAuthzDecisionQuery(
+                            resource=self.__class__.RESOURCE_URI + 'invalid')
+        request = self._makeRequest(query=query)
+        
+        header = {
+            'soapAction': "http://www.oasis-open.org/committees/security",
+            'Content-length': str(len(request)),
+            'Content-type': 'text/xml'
+        }
+        response = self.app.post('/authorisationservice/', 
+                                 params=request, 
+                                 headers=header, 
+                                 status=200)
+        print("Response status=%d" % response.status)
+        
+        samlResponse = self._getSAMLResponse(response.body)
+
+        self.assert_(samlResponse.status.statusCode.value == \
+                     StatusCode.SUCCESS_URI)
+        self.assert_(samlResponse.inResponseTo == query.id)
+        self.assert_(samlResponse.assertions[0].subject.nameID.value == \
+                     query.subject.nameID.value)
+        self.assert_(samlResponse.assertions[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0])
+        self.assert_(samlResponse.assertions[0].authzDecisionStatements[0
+                                    ].decision == DecisionType.INDETERMINATE)
+        
+
 if __name__ == "__main__":
     unittest.main()

TI12-security/trunk/ndg_saml/ndg/saml/utils/__init__.py

@@ -34 +34 @@
                                                                 format)[0:6]))
 from datetime import datetime, timedelta
+
         
-        
+# Interpret a string as a boolean
+str2Bool = lambda str: str.lower() in ("yes", "true", "t", "1")
+
+      
 class SAMLDateTime(object):
     """Generic datetime formatting utility for SAML timestamps - XMLSchema