Changeset 7168 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

13/07/10 11:25:18 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• testing ndg.security.server.wsgi.authz.pep.SamlPepMiddleware? in ndg.security.test.unit.authz.test_authz

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Files:

• config/authorisationservice (added)
• config/authorisationservice/authorisation-service.ini (added)
• unit/__init__.py (modified) (2 diffs)
• unit/wsgi/authz/saml-test.ini (modified) (2 diffs)
• unit/wsgi/authz/test_authz.py (modified) (13 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -49 +49 @@
     configDirEnvVarName = 'NDGSEC_TEST_CONFIG_DIR'
     
+    AUTHORISATION_SERVICE_PORTNUM = 9443
+    AUTHORISATION_SERVICE_URI = 'https://localhost:%s/authorisation-service' % \
+                                AUTHORISATION_SERVICE_PORTNUM
+    AUTHORISATION_SERVICE_INI_FILEPATH = mkDataDirPath(
+            os.path.join('authorisationservice', 'authorisation-service.ini'))
+                         
     SITEA_ATTRIBUTEAUTHORITY_PORTNUM = 5000
     SITEB_ATTRIBUTEAUTHORITY_PORTNUM = 5100
@@ -192 +198 @@
                               BaseTestCase.SITEB_ATTRIBUTEAUTHORITY_PORTNUM),
                         withSSL=withSSL)
-
+        
+    def startAuthorisationService(self, 
+                                  withSSL=True, 
+                                  port=AUTHORISATION_SERVICE_PORTNUM):
+        self.addService(
+            cfgFilePath=self.__class__.AUTHORISATION_SERVICE_INI_FILEPATH, 
+            port=port,
+            withSSL=withSSL)
+        
     def __del__(self):
         """Stop any services started with the addService method"""

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -21 +21 @@
 paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepMiddleware.filter_app_factory
 prefix = pep.
-policy.filePath = %(here)s/saml-policy.xml
-
-pep.authzServiceURI = https://localhost:9443/AuthorisationService
+pep.sessionKey = beaker.session.ndg.security
+pep.authzServiceURI = https://localhost:9443/authorisation-service
 
 pep.pepResultHandler = ndg.security.test.unit.wsgi.authz.test_authz.RedirectFollowingAccessDenied
@@ -32 +31 @@
 
 # If omitted, DN of SSL Cert is used
-pep.authzDecisionQuery.issuerName = 
+pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
+pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
 pep.authzDecisionQuery.clockSkewTolerance = 0.

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -29 +29 @@
 from ndg.security.server.wsgi.authz.result_handler.redirect import \
     HTTPRedirectPEPResultHandlerMiddleware
-from ndg.security.server.wsgi.authz import SamlPIPMiddlewareConfigError
-
+from ndg.security.server.wsgi.authz.pep import SamlPepMiddlewareConfigError
+
+
+from uuid import uuid4
+from datetime import datetime, timedelta
+
+from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer, 
+                                 AuthzDecisionQuery, AuthzDecisionStatement, 
+                                 Status, StatusCode, StatusMessage, 
+                                 DecisionType, Action, Conditions, Assertion)
+from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree, 
+                                ResponseElementTree)
+
+class TestAuthorisationServiceMiddleware(object):
+    """Test Authorisation Service interface stub"""
+    QUERY_INTERFACE_KEYNAME_OPTNAME = 'queryInterfaceKeyName'
+    RESOURCE_URI = 'http://localhost/dap/data/'
+    ISSUER_DN = '/O=Test/OU=Authorisation/CN=Service Stub'
+    
+    def __init__(self, app, global_conf, **app_conf):
+        self.queryInterfaceKeyName = app_conf[
+            TestAuthorisationServiceMiddleware.QUERY_INTERFACE_KEYNAME_OPTNAME]
+        self._app = app
+    
+    def __call__(self, environ, start_response):
+        environ[self.queryInterfaceKeyName] = self.authzDecisionQueryFactory()
+        return self._app(environ, start_response)
+    
+    def authzDecisionQueryFactory(self):
+        """Makes the authorisation decision"""
+        
+        def authzDecisionQuery(query, response):
+            """Authorisation Decision Query interface called by the next 
+            middleware in the stack the SAML SOAP Query interface middleware 
+            instance
+            (ndg.saml.saml2.binding.soap.server.wsgi.queryinterface.SOAPQueryInterfaceMiddleware)
+            """
+            now = datetime.utcnow()
+            response.issueInstant = now
+            
+            # Make up a request ID that this response is responding to
+            response.inResponseTo = query.id
+            response.id = str(uuid4())
+            response.version = SAMLVersion(SAMLVersion.VERSION_20)
+            
+            response.status = Status()
+            response.status.statusCode = StatusCode()
+            response.status.statusCode.value = StatusCode.SUCCESS_URI
+            response.status.statusMessage = StatusMessage()        
+            response.status.statusMessage.value = \
+                                                "Response created successfully"
+               
+            assertion = Assertion()
+            assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+            assertion.id = str(uuid4())
+            assertion.issueInstant = now
+            
+            authzDecisionStatement = AuthzDecisionStatement()
+            
+            # Make some simple logic to simulate a full access policy
+            if query.resource == self.__class__.RESOURCE_URI:
+                if query.actions[0].value == Action.HTTP_GET_ACTION:
+                    authzDecisionStatement.decision = DecisionType.PERMIT
+                else:
+                    authzDecisionStatement.decision = DecisionType.DENY
+            else:
+                authzDecisionStatement.decision = DecisionType.INDETERMINATE
+                
+            authzDecisionStatement.resource = query.resource
+                
+            authzDecisionStatement.actions.append(Action())
+            authzDecisionStatement.actions[-1].namespace = Action.GHPP_NS_URI
+            authzDecisionStatement.actions[-1].value = Action.HTTP_GET_ACTION
+            assertion.authzDecisionStatements.append(authzDecisionStatement)
+            
+            # Add a conditions statement for a validity of 8 hours
+            assertion.conditions = Conditions()
+            assertion.conditions.notBefore = now
+            assertion.conditions.notOnOrAfter = now + timedelta(seconds=60*60*8)
+                   
+            assertion.subject = Subject()  
+            assertion.subject.nameID = NameID()
+            assertion.subject.nameID.format = query.subject.nameID.format
+            assertion.subject.nameID.value = query.subject.nameID.value
+                
+            assertion.issuer = Issuer()
+            assertion.issuer.format = Issuer.X509_SUBJECT
+            assertion.issuer.value = \
+                                    TestAuthorisationServiceMiddleware.ISSUER_DN
+    
+            response.assertions.append(assertion)
+            return response
+        
+        return authzDecisionQuery
 
 class RedirectFollowingAccessDenied(PEPResultHandlerMiddleware):
@@ -98 +190 @@
     INI_FILE = 'saml-test.ini'
     THIS_DIR = path.dirname(path.abspath(__file__))
+    SESSION_KEYNAME = 'beaker.session.ndg.security'
+    
     def __init__(self, *args, **kwargs):       
         BaseTestCase.__init__(self, *args, **kwargs)
@@ -109 +203 @@
             port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
         
+        self.startAuthorisationService()
 
     def test01CatchNoBeakerSessionFound(self):
@@ -114 +209 @@
         # PEPFilterConfigError is raised if no beaker.session is set in 
         # environ
-        try:
-            response = self.app.get('/test_200')
-        except SamlPIPMiddlewareConfigError, e:
-            print("ok - expected: %s exception: %s" % (e.__class__, e))
+        self.assertRaises(SamlPepMiddlewareConfigError, self.app.get, 
+                          '/test_200')
        
     def test02Ensure200WithNotLoggedInAndUnsecuredURI(self):
@@ -125 +218 @@
         
         # Simulate a beaker.session in the environ
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}
+        extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}
         response = self.app.get('/test_200',
                                 extra_environ=extra_environ)
@@ -136 +229 @@
         
         extra_environ = {
-            'beaker.session.ndg.security':
-                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+            self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=self.__class__.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
         }
         response = self.app.get('/test_401', 
@@ -150 +244 @@
         
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -164 +258 @@
         # AuthZ middleware checks for username key in session set by AuthN
         # handler
-        extra_environ={'beaker.session.ndg.security':BeakerSessionStub()}        
+        extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}        
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
@@ -174 +268 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -190 +284 @@
         # by the policy file
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -205 +299 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
         }
@@ -231 +325 @@
     THIS_DIR = os.path.dirname(os.path.abspath(__file__))
     INI_FILEPATH = path.join(THIS_DIR, INI_FILE)
+    SESSION_KEYNAME = 'beaker.session.ndg.security'
     
     def __init__(self, *arg, **kw):
@@ -253 +348 @@
         # access
         extra_environ = {
-            'beaker.session.ndg.security':
+            self.__class__.SESSION_KEYNAME:
                         BeakerSessionStub(username=self.__class__.OPENID_URI)
         }