Context Navigation

← Previous Changeset
Next Changeset →

Changeset 7147

Timestamp:

01/07/10 12:24:22 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

working attribute service unit tests

Location:

TI12-security/trunk/ndg_saml/ndg/saml

Files:

: 1 deleted
: 5 edited

saml2/binding/soap/server/wsgi/queryinterface.py (modified) (1 diff)
test/binding/soap/attribute-interface.ini (modified) (1 diff)
test/binding/soap/authz-service.ini (deleted)
test/binding/soap/test_samlinterface.py (modified) (1 diff)
test/binding/soap/test_soapattributeinterface.py (modified) (11 diffs)
test/binding/soap/test_soapauthzdecisioninterface.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/ndg_saml/ndg/saml/saml2/binding/soap/server/wsgi/queryinterface.py

-                      r7143
+                      r7147
         else:
             # Check for Query Interface in environ
+            queryInterface = environ.get(self.queryInterfaceKeyName)
+            if queryInterface is None:
+            queryInterface = environ.get(self.queryInterfaceKeyName,
+                                         NotImplemented)
+            if queryInterface == NotImplemented:
                 raise SOAPQueryInterfaceMiddlewareConfigError(
                                 'No query interface "%s" key found in environ' %
+                                'No query interface %r key found in environ' %
                                 self.queryInterfaceKeyName)
+            elif not callable(queryInterface):
+                raise SOAPQueryInterfaceMiddlewareConfigError(
+                    'Query interface %r set in %r environ key is not callable' %
+                    (queryInterface, self.queryInterfaceKeyName))
             # Basic validation

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/attribute-interface.ini

-                      r7143
+                      r7147
 [app:TestApp]
 paste.app_factory = ndg.saml.test.binding.soap.test_soapattributeinterface:TestApp
+paste.app_factory = ndg.saml.test.binding.soap:TestApp
 [filter:SAMLSoapAttributeInterfaceFilter]
 paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
 saml.pathMatchList = /attributeauthority/saml
+saml.mountPath = /attributeauthority
 saml.queryInterfaceKeyName = attributeQueryInterface
 saml.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML
+# Specialisation to incorporate ESG Group/Role type
+saml.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML
 #______________________________________________________________________________
 # Attribute Authority WSGI settings
+# Test Attribute Authority WSGI settings
+#
 [filter:AttributeAuthorityFilter]
 # This filter is a container for a binding to a SOAP based interface to the
 # Attribute Authority
+paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
+prefix = attributeAuthority.
+attributeAuthority.environKeyName: attributeauthority
+attributeAuthority.environKeyNameAttributeQueryInterface: attributeQueryInterface
+# Attribute Authority settings
+# 'name' setting MUST agree with map config file 'thisHost' name attribute
+attributeAuthority.name: Site A
+# Lifetime is measured in seconds
+attributeAuthority.attCertLifetime: 28800
+# Allow an offset for clock skew between servers running
+# security services. NB, measured in seconds - use a minus sign for time in the
+# past
+attributeAuthority.attCertNotBeforeOff: 0
+# All Attribute Certificates issued are recorded in this dir
+attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
+# Files in attCertDir are stored using a rotating file handler
+# attCertFileLogCnt sets the max number of files created before the first is
+# overwritten
+attributeAuthority.attCertFileName: ac.xml
+attributeAuthority.attCertFileLogCnt: 16
+attributeAuthority.dnSeparator:/
+# Location of role mapping file
+attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
+# Settings for custom AttributeInterface derived class to get user roles for given
+# user ID
+attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
+attributeAuthority.attributeInterface.modName: ndg.security.test.config.attributeauthority.sitea.siteAUserRoles
+attributeAuthority.attributeInterface.className: TestUserRoles
+# Config for XML signature of Attribute Certificate
+attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
+attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
+attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/d573507a.0
+paste.filter_app_factory = ndg.saml.test.binding.soap.test_soapattributeinterface:TestAttributeServiceMiddleware
+queryInterfaceKeyName = attributeQueryInterface

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/test_samlinterface.py

-                      r7140
+                      r7147
 from ndg.soap.etree import SOAPEnvelope
 from ndg.soap.utils.etree import QName, prettyPrint
-from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces,
-                                          XSGroupRoleAttributeValue)
-from ndg.security.common.saml_utils.esg.xml.etree import (
-                                        XSGroupRoleAttributeValueElementTree)

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/test_soapattributeinterface.py

-                      r7140
+                      r7147
 import unittest
 from uuid import uuid4
 from datetime import datetime
+from datetime import datetime, timedelta
 from cStringIO import StringIO
+from ndg.saml.saml2.core import (Attribute, SAMLVersion, Subject, NameID,
+                                 Issuer, AttributeQuery, XSStringAttributeValue,
+                                 StatusCode)
+from ndg.soap.etree import SOAPEnvelope
+from ndg.saml.saml2.core import (Assertion, Attribute, AttributeStatement,
+                                 SAMLVersion, Subject, NameID, Issuer,
+                                 AttributeQuery, XSStringAttributeValue,
+                                 Conditions, Status, StatusCode)
 from ndg.saml.xml import XMLConstants
 from ndg.saml.xml.etree import AttributeQueryElementTree, ResponseElementTree
+from ndg.soap.etree import SOAPEnvelope
+from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
+from ndg.saml.test.binding.soap import SoapSamlInterfaceMiddlewareTestCase
+class TestAttributeServiceMiddleware(object):
+    """Test Attribute Service interface stub"""
+    QUERY_INTERFACE_KEYNAME_OPTNAME = 'queryInterfaceKeyName'
+    ISSUER_DN = '/O=Test/OU=Attribute Service/CN=Service Stub'
+    FIRSTNAME_ATTRNAME = "urn:ndg:saml:firstname"
+    LASTNAME_ATTRNAME = "urn:ndg:saml:lastname"
+    EMAILADDRESS_ATTRNAME = "urn:ndg:saml:emailaddress"
+    VALID_QUERY_ISSUERS = (
+        "/O=Site A/CN=Authorisation Service",
+        "/O=Site B/CN=Authorisation Service"
+    )
+    VALID_SUBJECTS = ("https://openid.localhost/philip.kershaw", )
+    VALID_ATTR_NAME_URIS = (
+        FIRSTNAME_ATTRNAME, LASTNAME_ATTRNAME, EMAILADDRESS_ATTRNAME
+    )
+    def __init__(self, app, global_conf, **app_conf):
+        self.queryInterfaceKeyName = app_conf[
+            self.__class__.QUERY_INTERFACE_KEYNAME_OPTNAME]
+        self._app = app
+        self.firstName = "Philip"
+        self.lastName = "Kershaw"
+        self.emailAddress = "pkershaw@somewhere.ac.uk"
+    def __call__(self, environ, start_response):
+        environ[self.queryInterfaceKeyName] = self.attributeQueryFactory()
+        return self._app(environ, start_response)
+    def attributeQueryFactory(self):
+        """Makes the attribute query method"""
+        def attributeQuery(query, response):
+            """Attribute Query interface called by the next middleware in the
+            stack the SAML SOAP Query interface middleware instance
+            (ndg.saml.saml2.binding.soap.server.wsgi.queryinterface.SOAPQueryInterfaceMiddleware)
+            """
+            response.issueInstant = datetime.utcnow()
+            response.id = str(uuid4())
+            response.issuer = Issuer()
+            # SAML 2.0 spec says format must be omitted
+            #response.issuer.format = Issuer.X509_SUBJECT
+            response.issuer.value = \
+                            "/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk"
+            response.inResponseTo = query.id
+            if query.issuer.value not in self.__class__.VALID_QUERY_ISSUERS:
+                response.status.statusCode.value = \
+                                            StatusCode.REQUEST_DENIED_URI
+                return response
+            if query.subject.nameID.value not in self.__class__.VALID_SUBJECTS:
+                response.status.statusCode.value = \
+                                            StatusCode.UNKNOWN_PRINCIPAL_URI
+                return response
+            assertion = Assertion()
+            assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+            assertion.id = str(uuid4())
+            assertion.issueInstant = response.issueInstant
+            assertion.conditions = Conditions()
+            assertion.conditions.notBefore = assertion.issueInstant
+            assertion.conditions.notOnOrAfter = \
+                assertion.conditions.notBefore + timedelta(seconds=60*60*8)
+            assertion.subject = Subject()
+            assertion.subject.nameID = NameID()
+            assertion.subject.nameID.format = query.subject.nameID.format
+            assertion.subject.nameID.value = query.subject.nameID.value
+            assertion.attributeStatements.append(AttributeStatement())
+            for attribute in query.attributes:
+                if attribute.name == self.__class__.FIRSTNAME_ATTRNAME:
+                    # special case handling for 'FirstName' attribute
+                    fnAttribute = Attribute()
+                    fnAttribute.name = attribute.name
+                    fnAttribute.nameFormat = attribute.nameFormat
+                    fnAttribute.friendlyName = attribute.friendlyName
+                    firstName = XSStringAttributeValue()
+                    firstName.value = self.firstName
+                    fnAttribute.attributeValues.append(firstName)
+                    assertion.attributeStatements[0].attributes.append(
+                                                                    fnAttribute)
+                elif attribute.name == self.__class__.LASTNAME_ATTRNAME:
+                    lnAttribute = Attribute()
+                    lnAttribute.name = attribute.name
+                    lnAttribute.nameFormat = attribute.nameFormat
+                    lnAttribute.friendlyName = attribute.friendlyName
+                    lastName = XSStringAttributeValue()
+                    lastName.value = self.lastName
+                    lnAttribute.attributeValues.append(lastName)
+                    assertion.attributeStatements[0].attributes.append(
+                                                                    lnAttribute)
+                elif (attribute.name == self.__class__.EMAILADDRESS_ATTRNAME and
+                      query.issuer.value ==
+                                        self.__class__.VALID_QUERY_ISSUERS[0]):
+                    emailAddressAttribute = Attribute()
+                    emailAddressAttribute.name = attribute.name
+                    emailAddressAttribute.nameFormat = attribute.nameFormat
+                    emailAddressAttribute.friendlyName = attribute.friendlyName
+                    emailAddress = XSStringAttributeValue()
+                    emailAddress.value = self.emailAddress
+                    emailAddressAttribute.attributeValues.append(emailAddress)
+                    assertion.attributeStatements[0].attributes.append(
+                                                        emailAddressAttribute)
+                else:
+                    response.status.statusCode.value = \
+                                        StatusCode.INVALID_ATTR_NAME_VALUE_URI
+                    return response
+            response.assertions.append(assertion)
+            response.status.statusCode.value = StatusCode.SUCCESS_URI
+            return response
+        return attributeQuery
 …
                                         SoapSamlInterfaceMiddlewareTestCase):
     CONFIG_FILENAME = 'attribute-interface.ini'
+    SERVICE_URI = '/attributeauthority'
     def _createAttributeQuery(self,
 …
         attributeQuery.subject = Subject()
         attributeQuery.subject.nameID = NameID()
         attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = "urn:ndg:saml:test:openid"
         attributeQuery.subject.nameID.value = subject
 …
         # special case handling for 'FirstName' attribute
         fnAttribute = Attribute()
         fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = TestAttributeServiceMiddleware.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         fnAttribute.friendlyName = "FirstName"
 …
         # special case handling for 'LastName' attribute
         lnAttribute = Attribute()
         lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = TestAttributeServiceMiddleware.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         lnAttribute.friendlyName = "LastName"
 …
         # special case handling for 'LastName' attribute
         emailAddressAttribute = Attribute()
+        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = \
+                            TestAttributeServiceMiddleware.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
                                     XSStringAttributeValue.TYPE_LOCAL_NAME
 …
             'Content-type': 'text/xml'
+        }
         response = self.app.post('/attributeauthority/saml',
+        response = self.app.post(self.__class__.SERVICE_URI,
                                  params=request,
                                  headers=header,
 …
+        }
         response = self.app.post('/attributeauthority/saml',
+        response = self.app.post(self.__class__.SERVICE_URI,
                                  params=request,
                                  headers=header,
 …
+        }
         response = self.app.post('/attributeauthority/saml',
+        response = self.app.post(self.__class__.SERVICE_URI,
                                  params=request,
                                  headers=header,
 …
+        }
         response = self.app.post('/attributeauthority/saml',
+        response = self.app.post(self.__class__.SERVICE_URI,
                                  params=request,
                                  headers=header,
 …
+        }
         response = self.app.post('/attributeauthority/saml',
+        response = self.app.post(self.__class__.SERVICE_URI,
                                  params=request,
                                  headers=header,

TI12-security/trunk/ndg_saml/ndg/saml/test/binding/soap/test_soapauthzdecisioninterface.py

-                      r7143
+                      r7147
     def authzDecisionQueryFactory(self):
+        """Makes the authorisation decision"""
         def authzDecisionQuery(query, response):
+            """Authorisation Decision Query interface called by the next
+            middleware in the stack the SAML SOAP Query interface middleware
+            instance
+            (ndg.saml.saml2.binding.soap.server.wsgi.queryinterface.SOAPQueryInterfaceMiddleware)
+            """
             now = datetime.utcnow()
             response.issueInstant = now

Note: See TracChangeset for help on using the changeset viewer.