Context Navigation

← Previous Changeset
Next Changeset →

Changeset 7257

Timestamp:

29/07/10 21:32:16 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

cleaning out more old modules containing retired NDG2 security functionality
progress with ndg.security.test.unit.wsgi.authz.test_authz unit tests integrating SAML/XACML authorisation service to WSGI filter SAML PEP

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 1 added
: 3 deleted
: 4 edited
: 1 moved

ndg_security_server/ndg/security/server/wsgi/apploader.py (deleted)
ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (3 diffs)
ndg_security_server/ndg/security/server/wsgi/authz/service.py (moved) (moved from TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/authzservice.py) (7 diffs)
ndg_security_server/ndg/security/server/wsgi/myproxy (deleted)
ndg_security_server/ndg/security/server/wsgi/utils (deleted)
ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (2 diffs)
ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (added)
ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (12 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

-                      r7168
+                      r7257
+'''NDG Security Policy Enforcement Point Module
+__author__ = "P J Kershaw"
+__date__ = "11/07/10"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = '$Id:$'
 '''
+Created on 11 Jul 2010
+@author: pjkersha
+'''
+from webob import Request
+import logging
+log = logging.getLogger(__name__)
+import httplib
+from time import time
+import webob
+from ndg.saml.saml2.core import DecisionType
 from ndg.saml.saml2.binding.soap.client.authzdecisionquery import \
                                             AuthzDecisionQuerySslSOAPBinding
+from ndg.security.server.wsgi.session import SessionHandlerMiddleware
+from ndg.security.server.wsgi.session import (SessionMiddlewareBase,
+                                              SessionHandlerMiddleware)
 …
 class SamlPepMiddleware(object):
+class SamlPepMiddleware(SessionMiddlewareBase):
     '''Policy Enforcement Point for ESG with SAML based Interface
 …
         self.session = environ[self.sessionKey]
+        request = Request(environ)
+        self.__client.resourceURI = request.url
+        self.__client.subjectID = request.remote_user or ''
+        self.__client.send(uri=self.__authzServiceURI)
+        request = webob.Request(environ)
+        self.client.resourceURI = request.url
+        # Nb. user may not be logged in hence REMOTE_USER is not set
+        self.client.subjectID = request.remote_user or ''
+        samlAuthzResponse = self.client.send(uri=self.__authzServiceURI)
+        # Record the result in the user's session to enable later
+        # interrogation by any result handler Middleware
+        self.setSession(self.client.query, samlAuthzResponse)
+        # Set HTTP 403 Forbidden response if any of the decisions returned are
+        # deny or indeterminate status
+        failDecisions = (DecisionType.DENY, DecisionType.INDETERMINATE)
+        for assertion in samlAuthzResponse.assertions:
+            for authzDecisionStatement in assertion.authzDecisionStatements:
+                if authzDecisionStatement.decision.value in failDecisions:
+                    response = webob.Response()
+                    if not self.client.subjectID:
+                        # Access failed and the user is not logged in
+                        response.status = httplib.UNAUTHORIZED
+                    else:
+                        # The user is logged in but not authorised
+                        response.status = httplib.FORBIDDEN
+                    response.body = 'Access denied to %r for user %r' % (
+                                                     self.client.resourceURI,
+                                                     self.client.subjectID)
+                    response.content_type = 'text/plain'
+                    log.info(response.body)
+                    return response(environ, start_response)
+        # If got through to here then all is well, call next WSGI middleware/app
         return self._app(environ, start_response)
+    def _createAuthzDecisionQuery(self,
+                                  resourceURI,
+                            subject):
+        """Create SAML authorisation decision query object ready for dispatch
+    def setSession(self, request, response, save=True):
+        """Set PEP context information in the Beaker session using standard key
+        names
+        @param session: beaker session
+        @type session: beaker.session.SessionObject
+        @param request: authorisation decision query
+        @type request: ndg.saml.saml2.core.AuthzDecisionQuery
+        @param response: authorisation response
+        @type response: ndg.saml.saml2.core.Response
+        @param save: determines whether session is saved or not
+        @type save: bool
         """
+#        query = AuthzDecisionQuery()
+#        query.version = SAMLVersion(SAMLVersion.VERSION_20)
+#        query.id = str(uuid4())
+#        query.issueInstant = datetime.utcnow()
+#
+#        query.issuer = Issuer()
+#        query.issuer.format = Issuer.X509_SUBJECT
+#        query.issuer.value = issuer
+#
+#        query.subject = Subject()
+#        query.subject.nameID = NameID()
+#        query.subject.nameID.format = "urn:ndg:saml:test:openid"
+#        query.subject.nameID.value = subject
+#
+#        query.resource = resource
+#
+#        query.actions.append(Action())
+#        query.actions[0].namespace = actionNs
+#        query.actions[0].value = action
+#
+#        return query
+        self.session[self.__class__.PEPCTX_SESSION_KEYNAME] = {
+            self.__class__.PEPCTX_REQUEST_SESSION_KEYNAME: request,
+            self.__class__.PEPCTX_RESPONSE_SESSION_KEYNAME: response,
+            self.__class__.PEPCTX_TIMESTAMP_SESSION_KEYNAME: time()
+        }
+        if save:
+            self.session.save()

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/service.py

-                      r7168
+                      r7257
 log = logging.getLogger(__name__)
+from datetime import datetime, timedelta
+from uuid import uuid4
+# SAML authorisation decision query interface
+from ndg.saml.saml2.core import (Response, AuthzDecisionStatement, Assertion,
+                                 Action, DecisionType, SAMLVersion, Issuer,
+                                 Status, StatusCode, StatusMessage, NameID,
+                                 Subject, Conditions)
+from ndg.xacml.core.context.pdp import PDP
+from ndg.xacml.parsers.etree.factory import ReaderFactory as \
+    XacmlEtreePolicyReaderFactory
 from ndg.security.common.authz.pip.esginterface import PIP
+# XACML Policy Decision Point
+from ndg.xacml.parsers.etree.factory import ReaderFactory
+from ndg.xacml.core.attribute import Attribute
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory
+from ndg.xacml.core.context.pdpinterface import PDPInterface
+from ndg.xacml.core.context.pdp import PDP
+from ndg.xacml.core.context.request import Request
+from ndg.xacml.core.context.resource import Resource
+from ndg.xacml.core import context
+class AuthzServiceMiddlewareError(Exception):
+from ndg.security.server.xacml.ctx_handler import saml_ctx_handler
+class AuthorisationServiceMiddlewareError(Exception):
     """Authorisation Service generic exception type"""
+class AuthzServiceMiddlewareConfigError(AuthzServiceMiddlewareError):
+class AuthorisationServiceMiddlewareConfigError(
+                                        AuthorisationServiceMiddlewareError):
     """Authorisation Service configuration error"""
 class AuthzServiceMiddleware(object):
+class AuthorisationServiceMiddleware(object):
     '''WSGI to add an NDG Security Authorization Service in the environ.
+    @cvar PIP_CFG_PREFIX: prefix for Policy Information Point related parameters
+    @type PIP_CFG_PREFIX: string
     '''
+    DEFAULT_PARAM_PREFIX = 'authorisationService.'
     DEFAULT_QUERY_IFACE_KEYNAME = \
                         'ndg.security.server.wsgi.authzservice.queryInterface'
     ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME = 'queryInterfaceKeyName'
+    ASSERTION_LIFETIME_OPTNAME = 'assertionLifetime'
+    XACML_CTX_HANDLER_PARAM_PREFIX = 'xacmlContext.'
     # For loop based assignment where possible of config options in initialise()
     AUTHZ_SRVC_OPTION_DEFAULTS = {
         ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME: DEFAULT_QUERY_IFACE_KEYNAME,
-        ASSERTION_LIFETIME_OPTNAME: 60*60*8, # 8 hours as default
+    }
 …
     __slots__ = (
         '__policyFilePath',
+        '__xacmlCtxHandler',
         '__queryInterface',
         '__' + ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME,
-        '__' + ASSERTION_LIFETIME_OPTNAME,
-        '__pdp',
         '_app',
+    )
     def __init__(self, app):
+        '''Set-up an Authorization Service instance
+        '''Set-up an Authorisation Service instance
+        @param app: next app/middleware in WSGI stack
+        @type app: callable
         '''
         self._app = app
+        self.__policyFilePath = None
+        self.__pdp = None
+        self.__xacmlCtxHandler = saml_ctx_handler.SamlCtxHandler()
         self.__queryInterface = None
         self.__queryInterfaceKeyName = None
+        self.__assertionLifetime = 0.
+    def initialise(self, global_conf, prefix='authorizationservice.',
+                   **app_conf):
+        """Set-up Authorization Service middleware using a Paste app factory
+        pattern.  Overloaded base class method to enable custom settings from
+        app_conf
+        @type app: callable following WSGI interface
+        @param app: next middleware application in the chain
+        @type global_conf: dict
+        @param global_conf: PasteDeploy global configuration dictionary
+    def initialise(self, prefix=DEFAULT_PARAM_PREFIX, **app_conf):
+        """Set-up Authorization Service middleware from keyword settings
         @type prefix: basestring
         @param prefix: prefix for configuration items
 …
         dictionary
         """
         cls = AuthzServiceMiddleware
+        cls = AuthorisationServiceMiddleware
         # Loop based assignment where possible
 …
         self.queryInterface = self.createQueryInterface()
+        # Initialise the Authorisation Policy
+        # Initialise the Policy Information Point
+        pipCfgPrefix = prefix + cls.PIP_CFG_PREFIX
+        pip = PIP.fromConfig(app_conf, prefix=pipCfgPrefix)
         policyFilePathOptName = prefix + cls.POLICY_FILEPATH_OPTNAME
         policyFilePath = app_conf.get(policyFilePathOptName)
         if policyFilePath is None:
+            raise AuthzServiceMiddlewareConfigError('No policy file path set - '
+                                                    '"policyFilePath" option '
+                                                    'name')
+        self.policyFilePath = policyFilePath
+        # Initialise the Policy Information Point
+        pipCfgPrefix = prefix + cls.PIP_CFG_PREFIX
+        pip = PIP.fromConfig(app_conf, prefix=pipCfgPrefix)
+        # Initialise the PDP reading in the policy
+        self.pdp = PDP.fromPolicySource(self.policyFilePath, ReaderFactory)
+            raise AuthorisationServiceMiddlewareConfigError("No XACML policy "
+                                                            "file set")
+        # Initialise the XACML Context handler
+        ctxHandlerPrefix = prefix + \
+                                self.__class__.XACML_CTX_HANDLER_PARAM_PREFIX
+        lenCtxHandlerPrefix = len(ctxHandlerPrefix)
+        for optName, value in app_conf.items():
+            if optName.startswith(ctxHandlerPrefix):
+                attrName = optName[lenCtxHandlerPrefix:]
+                setattr(self.__xacmlCtxHandler, attrName, value)
+        # Read XACML policy into PDP
+        self.__xacmlCtxHandler.pdp = PDP.fromPolicySource(policyFilePath,
+                                                XacmlEtreePolicyReaderFactory)
     @classmethod
 …
         '''
         app = cls(app)
         app.initialise(global_conf, **app_conf)
+        app.initialise(**app_conf)
         return app
 …
         return self._app(environ, start_response)
-    _getPolicyFilePath = lambda self: self.__policyFilePath
-    def _setPolicyFilePath(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "policyFilePath" '
-                            'attribute; got %r' % type(value))
-        self.__policyFilePath = value
-    policyFilePath = property(_getPolicyFilePath,
-                              _setPolicyFilePath,
-                              doc="Policy file path")
-    def _getIssuerFormat(self):
-        if self.__issuerProxy is None:
-            return None
-        else:
-            return self.__issuerProxy.value
-    def _setIssuerFormat(self, value):
-        if self.__issuerProxy is None:
-            self.__issuerProxy = Issuer()
-        self.__issuerProxy.format = value
-    issuerFormat = property(_getIssuerFormat, _setIssuerFormat,
-                            doc="Issuer format")
+#
-#    def _getIssuerName(self):
-#        if self.__issuerProxy is None:
-#            return None
-#        else:
-#            return self.__issuerProxy.value
+#
-#    def _setIssuerName(self, value):
-#        if self.__issuerProxy is None:
-#            self.__issuerProxy = Issuer()
+#
-#        self.__issuerProxy.value = value
+#
-#    issuerName = property(_getIssuerName, _setIssuerName,
-#                          doc="Name of issuer of SAML Authorisation Query "
-#                              "Response")
-    _getAssertionLifetime = lambda self: self.__assertionLifetime
-    def _setAssertionLifetime(self, value):
-        if isinstance(value, (int, float, basestring)):
-            self.__assertionLifetime = float(value)
-        else:
-            raise TypeError('Expecting int, float or string type for '
-                            '"assertionLifetime" attribute; got %s instead' %
-                            type(value))
-    assertionLifetime = property(fget=_getAssertionLifetime,
-                                 fset=_setAssertionLifetime,
-                                 doc="lifetime of assertion in seconds used to "
-                                     "set assertion conditions notOnOrAfter "
-                                     "time")
-    def _getPdp(self):
-        return self.__pdp
-    def _setPdp(self, value):
-        if not isinstance(value, PDPInterface):
-            raise TypeError('Expecting %r type for "pdp" attribute; got %r '
-                            'instead' % (PDPInterface, value))
-        self.__pdp = value
-    pdp = property(_getPdp, _setPdp, None, "Policy Decision Point")
     def _get_queryInterfaceKeyName(self):
 …
         """
         # Nest function within AuthzServiceMiddleware method so that self is
         # in its scope
+        # Nest function within AuthorisationServiceMiddleware method so that
+        # self is in its scope
         def getAuthzDecision(authzDecisionQuery, samlResponse):
             """Authorisation decision function accepts a SAML AuthzDecisionQuery
+            and calls the Policy Decision Point returning a response
+            @type authzDecisionQuery: saml.saml2.core.AuthzDecisionQuery
+            and calls the XACML context handler returning a response.  The
+            context handler is an interface to the the XACML Policy Decision
+            Point, XACML polic(y|ies) and Policy Information Point.
+            @type authzDecisionQuery: ndg.saml.saml2.core.AuthzDecisionQuery
             @param authzDecisionQuery: WSGI environment variables dictionary
             @rtype: saml.saml2.core.Response
+            @rtype: ndg.saml.saml2.core.Response
             @return: SAML response containing Authorisation Decision Statement
+            """
+            request = self._createXacmlRequestCtx(authzDecisionQuery)
+            # Call the PDP
+            xacmlResponse = self.pdp.evaluate(request)
+            # Create the SAML Response
+            self._createSAMLResponseAssertion(authzDecisionQuery, samlResponse)
+            authzDecisionStatement = samlResponse.assertions[0
+                                                    ].authzDecisionStatements[0]
+            if (xacmlResponse.results[0].decision ==
+                context.result.Decision.PERMIT):
+                log.info("AuthzServiceMiddleware.__call__: PDP granted "
+                         "access for URI path [%s] using policy [%s]",
+                         authzDecisionQuery.resource,
+                         self.policyFilePath)
+                authzDecisionStatement.decision = DecisionType.PERMIT
+            elif (xacmlResponse.results[0].decision ==
+                  context.result.Decision.INDETERMINATE):
+                log.info("AuthzServiceMiddleware.__call__: PDP returned a "
+                         "status of [%s] denying access for URI path [%s] "
+                         "using policy [%s]",
+                         context.result.Decision.INDETERMINATE,
+                         authzDecisionQuery.resource,
+                         self.policyFilePath)
+                authzDecisionStatement.decision = DecisionType.INDETERMINATE
+            else:
+                log.info("AuthzServiceMiddleware.__call__: PDP returned a "
+                         "status of [%s] denying access for URI path [%s] "
+                         "using policy [%s]",
+                         context.result.Decision.DENY,
+                         authzDecisionQuery.resource,
+                         self.policyFilePath)
+                authzDecisionStatement.decision = DecisionType.DENY
+            return samlResponse
+            """
+            # Create special request object which enables the context handler
+            # to formulate a response from the query and the existing response
+            # object initialised by this object
+            request = saml_ctx_handler.SamlPEPRequest()
+            request.authzDecisionQuery = authzDecisionQuery
+            request.response = samlResponse
+            response = self.__xacmlCtxHandler.handlePEPRequest(request)
+            return response
         return getAuthzDecision
-    def _createXacmlRequestCtx(self, authzDecisionQuery):
-        """Translate SAML authorisation decision query into a XACML request
-        context
-        """
-        request = context.request.Request()
-        subject = context.subject.Subject()
-        attributeValueFactory = AttributeValueClassFactory()
-        openidSubjectAttribute = Attribute()
-        roleAttribute = Attribute()
-        openidSubjectAttribute.attributeId = \
-                                        authzDecisionQuery.subject.nameID.format
-        AnyUriAttributeValue = attributeValueFactory(
-                                    'http://www.w3.org/2001/XMLSchema#anyURI')
-        openidSubjectAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
-        openidSubjectAttribute.attributeValues.append(AnyUriAttributeValue())
-        openidSubjectAttribute.attributeValues[-1].value = \
-                                    authzDecisionQuery.subject.nameID.value
-        subject.attributes.append(openidSubjectAttribute)
-        StringAttributeValue = attributeValueFactory(
-                                    'http://www.w3.org/2001/XMLSchema#string')
-        # TODO: get attributes - replace hard coded values
-        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
-        roleAttribute.dataType = StringAttributeValue.IDENTIFIER
-        roleAttribute.attributeValues.append(StringAttributeValue())
-        roleAttribute.attributeValues[-1].value = 'staff'
-        subject.attributes.append(roleAttribute)
-        request.subjects.append(subject)
-        resource = Resource()
-        resourceAttribute = Attribute()
-        resource.attributes.append(resourceAttribute)
-        resourceAttribute.attributeId = \
-                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
-        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
-        resourceAttribute.attributeValues[-1].value = \
-                                                    authzDecisionQuery.resource
-        request.resources.append(resource)
-        request.action = context.action.Action()
-        actionAttribute = Attribute()
-        request.action.attributes.append(actionAttribute)
-        actionAttribute.attributeId = \
-                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
-        actionAttribute.dataType = StringAttributeValue.IDENTIFIER
-        actionAttribute.attributeValues.append(StringAttributeValue())
-        actionAttribute.attributeValues[-1].value = authzDecisionQuery.actions[0
-                                                                        ].value
-        return request
-    def _createSAMLResponseAssertion(self, authzDecisionQuery, response):
-        """Helper method to add an assertion containing an Authorisation
-        Decision Statement to the SAML response
-        @param authzDecisionQuery: SAML Authorisation Decision Query
-        @type authzDecisionQuery: ndg.saml.saml2.core.AuthzDecisionQuery
-        @param response: SAML response
-        @type response: ndg.saml.saml2.core.Response
-        """
-#        response = Response()
+#
-        now = datetime.utcnow()
-        response.issueInstant = now
+#
-#        # Make up a request ID that this response is responding to
-#        response.inResponseTo = authzDecisionQuery.id
-#        response.id = str(uuid4())
-#        response.version = SAMLVersion(SAMLVersion.VERSION_20)
+#
-#        response.issuer = Issuer()
-#        response.issuer.format = self.issuerFormat
-#        response.issuer.value = self.issuerName
+#
-#        response.status = Status()
-#        response.status.statusCode = StatusCode()
-#        response.status.statusMessage = StatusMessage()
+#
-#        response.status.statusCode.value = StatusCode.SUCCESS_URI
-#        response.status.statusMessage.value = ("Response created "
-#                                               "successfully")
-        assertion = Assertion()
-        response.assertions.append(assertion)
-        assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
-        assertion.id = str(uuid4())
-        assertion.issueInstant = now
-        # Add a conditions statement for a validity of 8 hours
-        assertion.conditions = Conditions()
-        assertion.conditions.notBefore = now
-        assertion.conditions.notOnOrAfter = now + timedelta(
-                                                seconds=self.assertionLifetime)
-        assertion.subject = Subject()
-        assertion.subject.nameID = NameID()
-        assertion.subject.nameID.format = \
-            authzDecisionQuery.subject.nameID.format
-        assertion.subject.nameID.value = \
-            authzDecisionQuery.subject.nameID.value
-        authzDecisionStatement = AuthzDecisionStatement()
-        assertion.authzDecisionStatements.append(authzDecisionStatement)
-        authzDecisionStatement.resource = authzDecisionQuery.resource
-        for action in authzDecisionQuery.actions:
-            authzDecisionStatement.actions.append(Action())
-            authzDecisionStatement.actions[-1].namespace = action.namespace
-            authzDecisionStatement.actions[-1].value = action.value
-        return response

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

-                      r7077
+                      r7257
+'''
+Created on 14 May 2010
+@author: pjkersha
+'''
+from ndg.xacml.core.context.handler import CtxHandlerInterface
+class SamlCtxHandler(CtxHandlerInterface):
+"""XACML Context handler translates to and from SAML Authorisation Decision
+Query / Response
+"""
+__author__ = "P J Kershaw"
+__date__ = "14/05/10"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = '$Id$'
+import logging
+log = logging.getLogger(__name__)
+from datetime import datetime, timedelta
+from uuid import uuid4
+from ndg.saml.saml2 import core as _saml
+from ndg.saml.common import SAMLVersion
+from ndg.xacml.core import context as _xacmlContext
+from ndg.xacml.core.attribute import Attribute as XacmlAttribute
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory as \
+    XacmlAttributeValueClassFactory
+from ndg.xacml.parsers.etree.factory import ReaderFactory
+class SamlPEPRequest(object):
+    """Helper class for SamlCtxHandler.handlePEPRequest"""
+    __slots__ = ('__authzDecisionQuery', '__response', '__policyFilePath')
+    def __init__(self):
+        self.__authzDecisionQuery = None
+        self.__response = None
+    def _getAuthzDecisionQuery(self):
+        return self.__authzDecisionQuery
+    def _setAuthzDecisionQuery(self, value):
+        if not isinstance(value, _saml.AuthzDecisionQuery):
+            raise TypeError('Expecting %r type for "response" attribute, got %r'
+                            % (_saml.Response, type(value)))
+        self.__authzDecisionQuery = value
+    authzDecisionQuery = property(_getAuthzDecisionQuery,
+                                  _setAuthzDecisionQuery,
+                                  doc="SAML Authorisation Decision Query")
+    def _getResponse(self):
+        return self.__response
+    def _setResponse(self, value):
+        if not isinstance(value, _saml.Response):
+            raise TypeError('Expecting %r type for "response" attribute, got %r'
+                            % (_saml.Response, type(value)))
+        self.__response = value
+    response = property(_getResponse, _setResponse, doc="SAML Response")
+class SamlCtxHandler(_xacmlContext.handler.CtxHandlerBase):
     """XACML Context handler for accepting SAML 2.0 based authorisation
     decision queries and interfacing to a PEP with SAML based Attribute Query
     Interface
     """
+    def pepQuery(self, request, designator):
+    __slots__ = (
+        '__policyFilePath',
+        '__issuerProxy',
+        '__assertionLifetime',
+    )
+    def __init__(self):
+        super(SamlCtxHandler, self).__init__()
+        # Proxy object for SAML Response Issuer attributes.  By generating a
+        # proxy the Response objects inherent attribute validation can be
+        # applied to Issuer related config parameters before they're assigned to
+        # the response issuer object generated in the authorisation decision
+        # query response
+        self.__issuerProxy = _saml.Issuer()
+        self.__assertionLifetime = 0.
+    def _getIssuerFormat(self):
+        if self.__issuerProxy is None:
+            return None
+        else:
+            return self.__issuerProxy.value
+    def _setIssuerFormat(self, value):
+        if self.__issuerProxy is None:
+            self.__issuerProxy = _saml.Issuer()
+        self.__issuerProxy.format = value
+    issuerFormat = property(_getIssuerFormat, _setIssuerFormat,
+                            doc="Issuer format")
+    def _getIssuerName(self):
+        if self.__issuerProxy is None:
+            return None
+        else:
+            return self.__issuerProxy.value
+    def _setIssuerName(self, value):
+        if self.__issuerProxy is None:
+            self.__issuerProxy = _saml.Issuer()
+        self.__issuerProxy.value = value
+    issuerName = property(_getIssuerName, _setIssuerName,
+                          doc="Name of issuer of SAML Authorisation Query "
+                              "Response")
+    _getAssertionLifetime = lambda self: self.__assertionLifetime
+    def _setAssertionLifetime(self, value):
+        if isinstance(value, (int, float, long, basestring)):
+            self.__assertionLifetime = float(value)
+        else:
+            raise TypeError('Expecting int, long, float or string type for '
+                            '"assertionLifetime" attribute; got %s instead' %
+                            type(value))
+    assertionLifetime = property(fget=_getAssertionLifetime,
+                                 fset=_setAssertionLifetime,
+                                 doc="lifetime of assertion in seconds used to "
+                                     "set assertion conditions notOnOrAfter "
+                                     "time")
+    def handlePEPRequest(self, pepRequest):
+        """Handle request from Policy Enforcement Point
+        @param pepRequest: request containing a SAML authorisation decision
+        query and optionally an initialised SAML response object
+        @type pepRequest: ndg.security.server.xacml.saml_ctx_handler.SamlPEPRequest
+        @return: SAML authorisation decision response
+        @rtype: ndg.saml.saml2.core.Response
+        """
+        samlAuthzDecisionQuery = pepRequest.authzDecisionQuery
+        xacmlRequest = self._createXacmlRequestCtx(samlAuthzDecisionQuery)
+        # Call the PDP
+        xacmlResponse = self.pdp.evaluate(xacmlRequest)
+        # Create the SAML Response
+        samlResponse = self._createSAMLResponseAssertion(samlAuthzDecisionQuery,
+                                                         pepRequest.response)
+        samlAuthzDecisionStatement = samlResponse.assertions[0
+                                                ].authzDecisionStatements[0]
+        # Convert the decision status
+        if (xacmlResponse.results[0].decision ==
+            _xacmlContext.result.Decision.PERMIT):
+            log.info("PDP granted access for URI path [%s]",
+                     samlAuthzDecisionQuery.resource)
+            samlAuthzDecisionStatement.decision = _saml.DecisionType.PERMIT
+        elif (xacmlResponse.results[0].decision ==
+              _xacmlContext.result.Decision.INDETERMINATE):
+            log.info("PDP returned a status of [%s] denying access for URI "
+                     "path [%s]", _xacmlContext.result.Decision.INDETERMINATE,
+                     samlAuthzDecisionQuery.resource)
+            samlAuthzDecisionStatement.decision = \
+                                                _saml.DecisionType.INDETERMINATE
+        else:
+            log.info("PDP returned a status of [%s] denying access for URI "
+                     "path [%s]", _xacmlContext.result.Decision.DENY,
+                     samlAuthzDecisionQuery.resource)
+            samlAuthzDecisionStatement.decision = _saml.DecisionType.DENY
+        return samlResponse
+    def pipQuery(self, request, designator):
         """Query a Policy Information Point to retrieve the attribute values
         corresponding to the specified input designator.  Optionally, update the
 …
         """
         return []
+    def _createXacmlRequestCtx(self, samlAuthzDecisionQuery):
+        """Translate SAML authorisation decision query into a XACML request
+        context
+        """
+        xacmlRequest = _xacmlContext.request.Request()
+        xacmlSubject = _xacmlContext.subject.Subject()
+        xacmlAttributeValueFactory = XacmlAttributeValueClassFactory()
+        openidSubjectAttribute = XacmlAttribute()
+        roleAttribute = XacmlAttribute()
+        openidSubjectAttribute.attributeId = \
+                                samlAuthzDecisionQuery.subject.nameID.format
+        XacmlAnyUriAttributeValue = xacmlAttributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#anyURI')
+        openidSubjectAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
+        openidSubjectAttribute.attributeValues.append(
+                                                    XacmlAnyUriAttributeValue())
+        openidSubjectAttribute.attributeValues[-1].value = \
+                                samlAuthzDecisionQuery.subject.nameID.value
+        xacmlSubject.attributes.append(openidSubjectAttribute)
+        XacmlStringAttributeValue = xacmlAttributeValueFactory(
+                                    'http://www.w3.org/2001/XMLSchema#string')
+        # TODO: get attributes - replace hard coded values
+        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
+        roleAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
+        roleAttribute.attributeValues.append(XacmlStringAttributeValue())
+        roleAttribute.attributeValues[-1].value = 'staff'
+        xacmlSubject.attributes.append(roleAttribute)
+        xacmlRequest.subjects.append(xacmlSubject)
+        resource = _xacmlContext.resource.Resource()
+        resourceAttribute = XacmlAttribute()
+        resource.attributes.append(resourceAttribute)
+        resourceAttribute.attributeId = \
+                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+        resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
+        resourceAttribute.attributeValues.append(XacmlAnyUriAttributeValue())
+        resourceAttribute.attributeValues[-1].value = \
+                                                samlAuthzDecisionQuery.resource
+        xacmlRequest.resources.append(resource)
+        xacmlRequest.action = _xacmlContext.action.Action()
+        for action in samlAuthzDecisionQuery.actions:
+            xacmlActionAttribute = XacmlAttribute()
+            xacmlRequest.action.attributes.append(xacmlActionAttribute)
+            xacmlActionAttribute.attributeId = \
+                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
+            xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
+            xacmlActionAttribute.attributeValues.append(
+                                                    XacmlStringAttributeValue())
+            xacmlActionAttribute.attributeValues[-1].value = action.value
+        return xacmlRequest
+    def _createSAMLResponseAssertion(self, authzDecisionQuery, response):
+        """Helper method to add an assertion containing an Authorisation
+        Decision Statement to the SAML response
+        @param authzDecisionQuery: SAML Authorisation Decision Query
+        @type authzDecisionQuery: ndg.saml.saml2.core.AuthzDecisionQuery
+        @param response: SAML response
+        @type response: ndg.saml.saml2.core.Response
+        """
+        # Check for a response set, if none present create one.
+        if response is None:
+            response = _saml.Response()
+            now = datetime.utcnow()
+            response.issueInstant = now
+            # Make up a request ID that this response is responding to
+            response.inResponseTo = authzDecisionQuery.id
+            response.id = str(uuid4())
+            response.version = SAMLVersion(SAMLVersion.VERSION_20)
+            response.issuer = _saml.Issuer()
+            response.issuer.format = self.issuerFormat
+            response.issuer.value = self.issuerName
+            response.status = _saml.Status()
+            response.status.statusCode = _saml.StatusCode()
+            response.status.statusMessage = _saml.StatusMessage()
+            response.status.statusCode.value = _saml.StatusCode.SUCCESS_URI
+            response.status.statusMessage.value = ("Response created "
+                                                   "successfully")
+        assertion = _saml.Assertion()
+        response.assertions.append(assertion)
+        assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
+        assertion.id = str(uuid4())
+        now = datetime.utcnow()
+        assertion.issueInstant = now
+        # Add a conditions statement for a validity of 8 hours
+        assertion.conditions = _saml.Conditions()
+        assertion.conditions.notBefore = now
+        assertion.conditions.notOnOrAfter = now + timedelta(
+                                                seconds=self.assertionLifetime)
+        assertion.subject = _saml.Subject()
+        assertion.subject.nameID = _saml.NameID()
+        assertion.subject.nameID.format = \
+            authzDecisionQuery.subject.nameID.format
+        assertion.subject.nameID.value = \
+            authzDecisionQuery.subject.nameID.value
+        authzDecisionStatement = _saml.AuthzDecisionStatement()
+        assertion.authzDecisionStatements.append(authzDecisionStatement)
+        authzDecisionStatement.resource = authzDecisionQuery.resource
+        for action in authzDecisionQuery.actions:
+            authzDecisionStatement.actions.append(_saml.Action())
+            authzDecisionStatement.actions[-1].namespace = action.namespace
+            authzDecisionStatement.actions[-1].value = action.value
+        return response

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini

-                      r7168
+                      r7257
 # This filter is a container for a binding to a SOAP based interface to the
 # Attribute Authority
+paste.filter_app_factory = ndg.saml.test.binding.soap.test_authzservice:TestAuthorisationServiceMiddleware
+queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
+paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
+prefix = authz.
+authz.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
+authz.policyFilePath = %(here)s/policy.xml
+authz.xacmlContext.assertionLifetime = 86400
 # Logging configuration

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

-                      r7168
+                      r7257
 from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree,
                                 ResponseElementTree)
 class TestAuthorisationServiceMiddleware(object):
 …
         return authzDecisionQuery
 class RedirectFollowingAccessDenied(PEPResultHandlerMiddleware):
 …
         else:
             return super(RedirectFollowingAccessDenied, self).__call__(
                                                             environ,
                                                             start_response)
+                                                                environ,
+                                                                start_response)
 class TestAuthZMiddleware(object):
     '''Test Application for the Authentication handler to protect'''
 …
                          str(len(TestAuthZMiddleware.response))),
                         ('Content-type', 'text/plain')])
         return [TestAuthZMiddleware.response]
 …
         BaseTestCase.__init__(self, *args, **kwargs)
         wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE,
                           relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
 …
     def test04Catch403WithLoggedIn(self):
         # Check that the application being secured can raise a HTTP 403
         # response and that this respected by the Authorization middleware
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
+        }
         response = self.app.get('/test_403',
 …
     def test05Catch401WithNotLoggedInAndSecuredURI(self):
+        # AuthZ middleware grants access because the URI requested is not
+        # targeted in the policy
+        # AuthZ middleware grants access because the URI requested is has no
+        # subject restriction set in the policy rule
         # AuthZ middleware checks for username key in session set by AuthN
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI)
+                BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
         # User is logged in but doesn't have the required credentials for
         # access
+        extra_environ = {
+            self.__class__.SESSION_KEYNAME:
+                        BeakerSessionStub(username=self.__class__.OPENID_URI)
+        }
+        # Expecting redirect response to specified redirect URI
+        response = self.app.get('/test_accessDeniedToSecuredURI',
+                                extra_environ=extra_environ,
+                                status=302)
+        print(response)
+        self.assert_(response.header_dict.get('location') == self.redirectURI)
+        raise NotImplementedError('TODO: fix recursion error')
+#        extra_environ = {
+#            self.__class__.SESSION_KEYNAME:
+#                        BeakerSessionStub(username=self.__class__.OPENID_URI)
+#        }
+#
+#        # Expecting redirect response to specified redirect URI
+#        response = self.app.get('/test_accessDeniedToSecuredURI',
+#                                extra_environ=extra_environ,
+#                                status=302)
+#        print(response)
+#        self.assert_(response.header_dict.get('location') == self.redirectURI)
 if __name__ == "__main__":

Note: See TracChangeset for help on using the changeset viewer.