Changeset 7168

Timestamp:

13/07/10 11:25:18 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• testing ndg.security.server.wsgi.authz.pep.SamlPepMiddleware? in ndg.security.test.unit.authz.test_authz

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/authz/authzservice.py (moved) (moved from TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py)
• ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (5 diffs)
• ndg_security_test/ndg/security/test/config/authorisationservice (added)
• ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini (added)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (13 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

@@ -8 +8 @@
 from ndg.saml.saml2.binding.soap.client.authzdecisionquery import \
                                             AuthzDecisionQuerySslSOAPBinding
-
-class SamlPepConfigError(Exception):
+from ndg.security.server.wsgi.session import SessionHandlerMiddleware
+
+
+class SamlPepMiddlewareConfigError(Exception):
     """Error with SAML PEP configuration settings"""
     
@@ -15 +17 @@
 class SamlPepMiddleware(object):
     '''Policy Enforcement Point for ESG with SAML based Interface
+    
+    @requires: ndg.security.server.wsgi.session.SessionHandlerMiddleware 
+    instance upstream in the WSGI stack.
+    
+    @cvar AUTHZ_DECISION_QUERY_PARAMS_PREFIX: prefix for SAML authorisation
+    decision query options in config file
+    @type AUTHZ_DECISION_QUERY_PARAMS_PREFIX: string
+    
+    @cvar PARAM_NAMES: list of config option names
+    @type PARAM_NAMES: tuple
     
     @ivar __client: SAML authorisation decision query client 
@@ -20 +32 @@
     '''
     AUTHZ_DECISION_QUERY_PARAMS_PREFIX = 'authzDecisionQuery.'
-    AUTHZ_SERVICE_URI_PARAM_NAME = 'authzServiceURI'
-    
-    __slots__ = ('_app', '__client', '__authzServiceURI')
+    SESSION_KEY_PARAM_NAME = 'sessionKey'
+    
+    CREDENTIAL_WALLET_SESSION_KEYNAME = \
+        SessionHandlerMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME
+    USERNAME_SESSION_KEYNAME = \
+        SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME
+    
+    PARAM_NAMES = (
+        'authzServiceURI',
+        'sessionKey'
+    )
+    __slots__ = (
+        '_app', '__client', '__session',
+    ) + tuple(["__%s" % i for i in PARAM_NAMES])
+    del i
     
     def __init__(self, app):
@@ -31 +55 @@
         self._app = app
         self.__client = AuthzDecisionQuerySslSOAPBinding()
+        self.__session = None
         self.__authzServiceURI = None
-        
+        self.__sessionKey = None
+
+    def _getClient(self):
+        return self.__client
+
+    def _setClient(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "client" attribute; '
+                            'got %r' % type(value))
+        self.__client = value
+
+    client = property(_getClient, _setClient, 
+                      doc="SAML authorisation decision query SOAP client")
+
+    def _getSession(self):
+        return self.__session
+
+    def _setSession(self, value):
+        self.__session = value
+
+    session = property(_getSession, _setSession, 
+                       doc="Beaker Security Session instance")
+
+    def _getAuthzServiceURI(self):
+        return self.__authzServiceURI
+
+    def _setAuthzServiceURI(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "authzServiceURI" '
+                            'attribute; got %r' % type(value))
+        self.__authzServiceURI = value
+
+    authzServiceURI = property(_getAuthzServiceURI, _setAuthzServiceURI, 
+                               doc="Authorisation Service URI")
+
+    def _getSessionKey(self):
+        return self.__sessionKey
+
+    def _setSessionKey(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "sessionKey" attribute; '
+                            'got %r' % type(value))
+        self.__sessionKey = value
+
+    sessionKey = property(_getSessionKey, _setSessionKey, 
+                          doc="environ key name for Beaker session object")
+
     def initialise(self, prefix='', **kw):
         '''Initialise object from keyword settings
         
-        @type global_conf: dict        
-        @param global_conf: PasteDeploy global configuration dictionary
         @type prefix: basestring
         @param prefix: prefix for configuration items
-        @type app_conf: dict        
-        @param app_conf: PasteDeploy application specific configuration 
+        @type kw: dict        
+        @param kw: configuration settings
         dictionary
-        @raise SamlPepConfigError: no "authzServiceURI" setting
+        @raise SamlPepMiddlewareConfigError: missing option setting(s)
         '''
+        # Parse authorisation decision query options
         queryPrefix = prefix + self.__class__.AUTHZ_DECISION_QUERY_PARAMS_PREFIX
-        self.__client.parseKeywords(prefix=queryPrefix)
-        authzServiceUriParamName = prefix + \
-                                    self.__class__.AUTHZ_SERVICE_URI_PARAM_NAME
-                                    
-        self.__authzServiceURI = kw.get(authzServiceUriParamName)
-        if self.__authzServiceURI is None:
-            raise SamlPepConfigError('No %r setting for the authorisation '
-                                     'service URI' % authzServiceUriParamName)
-        
+        self.client.parseKeywords(prefix=queryPrefix, **kw)
+            
+        # Parse other options
+        for name in SamlPepMiddleware.PARAM_NAMES:
+            paramName = prefix + name
+            value = kw.get(paramName)
+            if value is None:
+                raise SamlPepMiddlewareConfigError('Missing option %r' % 
+                                                   paramName)
+            setattr(self, name, value)
+                    
     @classmethod
     def filter_app_factory(cls, app, global_conf, prefix='', **app_conf):
@@ -85 +157 @@
         @return: response
         """
+        # Get reference to session object - SessionHandler middleware must be in
+        # place upstream of this middleware in the WSGI stack
+        if self.sessionKey not in environ:
+            raise SamlPepMiddlewareConfigError('No beaker session key "%s" '
+                                               'found in environ' % 
+                                               self.sessionKey)
+        self.session = environ[self.sessionKey]
+        
         request = Request(environ)
         self.__client.resourceURI = request.url
-        print dir(self.__client)
-        self.__client.subjectID = request.remote_user
+        self.__client.subjectID = request.remote_user or ''
         
         self.__client.send(uri=self.__authzServiceURI)
+        
+        return self._app(environ, start_response)
 
     def _createAuthzDecisionQuery(self,

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -49 +49 @@
     configDirEnvVarName = 'NDGSEC_TEST_CONFIG_DIR'
     
+    AUTHORISATION_SERVICE_PORTNUM = 9443
+    AUTHORISATION_SERVICE_URI = 'https://localhost:%s/authorisation-service' % \
+                                AUTHORISATION_SERVICE_PORTNUM
+    AUTHORISATION_SERVICE_INI_FILEPATH = mkDataDirPath(
+            os.path.join('authorisationservice', 'authorisation-service.ini'))
+                         
     SITEA_ATTRIBUTEAUTHORITY_PORTNUM = 5000
     SITEB_ATTRIBUTEAUTHORITY_PORTNUM = 5100
@@ -192 +198 @@
                               BaseTestCase.SITEB_ATTRIBUTEAUTHORITY_PORTNUM),
                         withSSL=withSSL)
-
+        
+    def startAuthorisationService(self, 
+                                  withSSL=True, 
+                                  port=AUTHORISATION_SERVICE_PORTNUM):
+        self.addService(
+            cfgFilePath=self.__class__.AUTHORISATION_SERVICE_INI_FILEPATH, 
+            port=port,
+            withSSL=withSSL)
+        
     def __del__(self):
         """Stop any services started with the addService method"""

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -21 +21 @@
 paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepMiddleware.filter_app_factory
 prefix = pep.
-policy.filePath = %(here)s/saml-policy.xml
-
-pep.authzServiceURI = https://localhost:9443/AuthorisationService
+pep.sessionKey = beaker.session.ndg.security
+pep.authzServiceURI = https://localhost:9443/authorisation-service
 
 pep.pepResultHandler = ndg.security.test.unit.wsgi.authz.test_authz.RedirectFollowingAccessDenied
@@ -32 +31 @@
 
 # If omitted, DN of SSL Cert is used
-pep.authzDecisionQuery.issuerName = 
+pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
+pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
 pep.authzDecisionQuery.clockSkewTolerance = 0.

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -29 +29 @@
 from ndg.security.server.wsgi.authz.result_handler.redirect import \
     HTTPRedirectPEPResultHandlerMiddleware
-from ndg.security.server.wsgi.authz import SamlPIPMiddlewareConfigError
-
+from ndg.security.server.wsgi.authz.pep import SamlPepMiddlewareConfigError
+
+
+from uuid import uuid4
+from datetime import datetime, timedelta
+
+from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer, 
+                                 AuthzDecisionQuery, AuthzDecisionStatement, 
+                                 Status, StatusCode, StatusMessage, 
+                                 DecisionType, Action, Conditions, Assertion)
+from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree, 
+                                ResponseElementTree)
+
+class TestAuthorisationServiceMiddleware(object):
+    """Test Authorisation Service interface stub"""
+    QUERY_INTERFACE_KEYNAME_OPTNAME = 'queryInterfaceKeyName'
+    RESOURCE_URI = 'http://localhost/dap/data/'
+    ISSUER_DN = '/O=Test/OU=Authorisation/CN=Service Stub'
+    
+    def __init__(self, app, global_conf, **app_conf):
+        self.queryInterfaceKeyName = app_conf[
+            TestAuthorisationServiceMiddleware.QUERY_INTERFACE_KEYNAME_OPTNAME]
+        self._app = app
+    
+    def __call__(self, environ, start_response):
+        environ[self.queryInterfaceKeyName] = self.authzDecisionQueryFactory()
+        return self._app(environ, start_response)
+    
+    def authzDecisionQueryFactory(self):
+        """Makes the authorisation decision"""
+        
+        def authzDecisionQuery(query, response):
+            """Authorisation Decision Query interface called by the next 
+            middleware in the stack the SAML SOAP Query interface middleware 
+            instance
+            (ndg.saml.saml2.binding.soap.server.wsgi.queryinterface.SOAPQueryInterfaceMiddleware)
+            """
+            now = datetime.utcnow()
+            response.issueInstant = now
+            
+            # Make up a request ID that this response is responding to
+            response.inResponseTo = query.id
+            response.id = str(uuid4())
+            response.version = SAMLVersion(SAMLVersion.VERSION_20)
+            
+            response.status = Status()
+            response.status.statusCode = StatusCode()
+            response.status.statusCode.value = StatusCode.SUCCESS_URI
+            response.status.statusMessage = StatusMessage()        
+            response.status.statusMessage.value = \
+                                                "Response created successfully"
+               
+            assertion = Assertion()
+            assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+            assertion.id = str(uuid4())
+            assertion.issueInstant = now
+            
+            authzDecisionStatement = AuthzDecisionStatement()
+            
+            # Make some simple logic to simulate a full access policy
+            if query.resource == self.__class__.RESOURCE_URI:
+                if query.actions[0].value == Action.HTTP_GET_ACTION:
+                    authzDecisionStatement.decision = DecisionType.PERMIT
+                else:
+                    authzDecisionStatement.decision = DecisionType.DENY
+            else:
+                authzDecisionStatement.decision = DecisionType.INDETERMINATE
+                
+            authzDecisionStatement.resource = query.resource
+                
+            authzDecisionStatement.actions.append(Action())
+            authzDecisionStatement.actions[-1].namespace = Action.GHPP_NS_URI
+            authzDecisionStatement.actions[-1].value = Action.HTTP_GET_ACTION
+            assertion.authzDecisionStatements.append(authzDecisionStatement)
+            
+            # Add a conditions statement for a validity of 8 hours
+            assertion.conditions = Conditions()
+            assertion.conditions.notBefore = now
+            assertion.conditions.notOnOrAfter = now + timedelta(seconds=60*60*8)
+                   
+            assertion.subject = Subject()  
+            assertion.subject.nameID = NameID()
+            assertion.subject.nameID.format = query.subject.nameID.format
+            assertion.subject.nameID.value = query.subject.nameID.value
+                
+            assertion.issuer = Issuer()
+            assertion.issuer.format = Issuer.X509_SUBJECT
+            assertion.issuer.value = \
+                                    TestAuthorisationServiceMiddleware.ISSUER_DN
+    
+            response.assertions.append(assertion)
+            return response
+        
+        return authzDecisionQuery
 
 class RedirectFollowingAccessDenied(PEPResultHandlerMiddleware):
@@ -98 +190 @@
     INI_FILE = 'saml-test.ini'
     THIS_DIR = path.dirname(path.abspath(__file__))
+    SESSION_KEYNAME = 'beaker.session.ndg.security'
+    
     def __init__(self, *args, **kwargs):       
         BaseTestCase.__init__(self, *args, **kwargs)
@@ -109 +203 @@
             port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
         
+        self.startAuthorisationService()
 
     def test01CatchNoBeakerSessionFound(self):
@@ -114 +209 @@
         # PEPFilterConfigError is raised if no beaker.session is set in 
         # environ
-        try:
-            response = self.app.get('/test_200')
-        except SamlPIPMiddlewareConfigError, e:
-            print("ok - expected: %s exception: %s" % (e.__class__, e))
+        self.assertRaises(SamlPepMiddlewareConfigError, self.app.get, 
+                          '/test_200')
        
     def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
@@ -125 +218 @@
         
         # Simulate a beaker.session in the environ
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}
+        extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}
         response = self.app.get('/test_200',
                                 extra_environ=extra_environ)
@@ -136 +229 @@
         
         extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+            self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=self.__class__.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
         }
         response = self.app.get('/test_401', 
@@ -150 +244 @@
         
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -164 +258 @@
         # AuthZ middleware checks for username key in session set by AuthN
         # handler
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}        
+        extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}        
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
@@ -174 +268 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -190 +284 @@
         # by the policy file
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -205 +299 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -231 +325 @@
     THIS_DIR = os.path.dirname(os.path.abspath(__file__))
     INI_FILEPATH = path.join(THIS_DIR, INI_FILE)
+    SESSION_KEYNAME = 'beaker.session.ndg.security'
     
     def __init__(self, *arg, **kw):
@@ -253 +348 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                         BeakerSessionStub(username=self.__class__.OPENID_URI)
         }