Context Navigation

← Previous Changeset
Next Changeset →

Changeset 7287

Timestamp:

06/08/10 09:49:47 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

Working WSGI Authorisation filter with connection to SAML/XACML based Authorisation Service - unit tests: ndg.security.test.unit.wsgi.authz.test_authz
It may need some optimisation to avoid too many WS callouts to the Authorisation Service - perhaps add a local PDP to the authorisation filter to filter out some requests going over the wire e.g. requests for web page CSS or graphics content.
The XACML policy file has some big additions to it to support the various test conditions in ndg.security.test.unit.wsgi.authz.test_authz. These should be ported back to the ndg_xacml package unit tests.
Next major task: remove temp fix in XACML Context handler - instead of using hardwired roles for the user alter it so that the PDP makes a request back to the PIP (Policy Enforcement Point) to grab additional attributes. The PIP will call to Attibute Service(s) to pull any additional attributes needed/

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 7 edited

ndg_security_common/ndg/security/common/saml_utils/esg/xml/etree.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (3 diffs)
ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (4 diffs)
ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (5 diffs)
ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (16 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/esg/xml/etree.py

-                      r7076
+                      r7287
 import logging
 log = logging.getLogger(__name__)
-import re
 from xml.etree import ElementTree
 from ndg.saml.xml import XMLTypeParseError, UnknownAttrProfile
+from ndg.saml.xml.etree import (AttributeValueElementTreeBase, ResponseElementTree,
+                            QName)
+from ndg.saml.xml.etree import (AttributeValueElementTreeBase,
+                                ResponseElementTree,
+                                QName)
 from ndg.security.common.saml_utils.esg import XSGroupRoleAttributeValue

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/init.py

-                      r7155
+                      r7287
 from time import time
 from urlparse import urlunsplit
+from httplib import UNAUTHORIZED, FORBIDDEN
+import httplib
 from paste.cascade import Cascade
 …
 from ndg.security.common.utils.classfactory import importClass
-from ndg.security.common.X509 import X509Cert
-from ndg.saml.saml2.binding.soap.client.attributequery import \
-                                                AttributeQuerySslSOAPBinding
 from ndg.security.common.credentialwallet import SAMLCredentialWallet
+from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase,
+                                      NDGSecurityMiddlewareConfigError)
+from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase,
+                                      NDGSecurityMiddlewareConfigError)
+from ndg.security.server.wsgi.session import (SessionMiddlewareBase,
+                                              SessionHandlerMiddleware)
+from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi.authz.pep import SamlPepFilter
 from ndg.security.server.wsgi.authz.result_handler import \
     PEPResultHandlerMiddlewareBase
 from ndg.security.server.wsgi.authz.result_handler.basic import \
     PEPResultHandlerMiddleware
-from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery,
-                                           PIPAttributeResponse)
-from ndg.security.common.authz import Subject
-from ndg.security.common.authz.msi import (Policy, PDP, Request, Response,
-                                           Resource)
+class PEPFilterError(Exception):
+    """Base class for PEPFilter exception types"""
+class Http403ForbiddenStatusHandler(object):
+    """Handler to catch HTTP 403 Forbidden responses.  It integrates with
+    AuthKit's MultiHandler.  This enables the given middleware to be substituted
+    into the WSGI stack should a 403 status be detected set from upstream
+    middleware.
+    @cvar TRIGGER_HTTP_STATUS_CODE: status code to catch - HTTP 403 Forbidden
+    @type TRIGGER_HTTP_STATUS_CODE: basestring
+    """
+    TRIGGER_HTTP_STATUS_CODE = str(httplib.FORBIDDEN)
-class PEPFilterConfigError(PEPFilterError):
-    """Configuration related error for PEPFilter"""
-class PEPFilter(SessionMiddlewareBase):
-    """PEP (Policy Enforcement Point) WSGI Middleware.  The PEP enforces
-    access control decisions made by the PDP (Policy Decision Point).  In
-    this case, it follows the WSG middleware filter pattern and is configured
-    in a pipeline upstream of the application(s) which it protects.  if an
-    access denied decision is made, the PEP enforces this by returning a
-Forbidden HTTP response without the application middleware executing
-    SessionMiddlewareBase base class defines user session key and
-    isAuthenticated property
-    """
-    TRIGGER_HTTP_STATUS_CODE = str(FORBIDDEN)
-    MIDDLEWARE_ID = 'PEPFilter'
-    POLICY_PARAM_PREFIX = 'policy.'
-    SESSION_KEYNAME = 'sessionKey'
-    POLICY_FILEPATH_PARAMNAME = 'filePath'
-    def __init__(self, app, global_conf, prefix='', **local_conf):
-        """Initialise the PIP (Policy Information Point) and PDP (Policy
-        Decision Point).  The PDP makes access control decisions based on
-        a given policy.  The PIP manages the retrieval of user credentials on
-        behalf of the PDP
-        @type app: callable following WSGI interface
-        @param app: next middleware application in the chain
-        @type global_conf: dict
-        @param global_conf: PasteDeploy global configuration dictionary
-        @type prefix: basestring
-        @param prefix: prefix for configuration items
-        @type local_conf: dict
-        @param local_conf: PasteDeploy application specific configuration
-        dictionary
-        """
-        # Initialise the PDP reading in the policy
-        policyCfg = PEPFilter._filterKeywords(local_conf,
-                                              PEPFilter.POLICY_PARAM_PREFIX)
-        self.policyFilePath = policyCfg[PEPFilter.POLICY_FILEPATH_PARAMNAME]
-        policy = Policy.Parse(policyCfg[PEPFilter.POLICY_FILEPATH_PARAMNAME])
-        # Initialise the Policy Information Point to None.  This object is
-        # created and set later.  See AuthorizationMiddlewareBase.
-        self.pdp = PDP(policy, None)
-        self.sessionKey = local_conf.get(PEPFilter.SESSION_KEYNAME,
-                                         PEPFilter.propertyDefaults[
-                                                    PEPFilter.SESSION_KEYNAME])
-        super(PEPFilter, self).__init__(app,
-                                        global_conf,
-                                        prefix=prefix,
-                                        **local_conf)
-    @NDGSecurityMiddlewareBase.initCall
-    def __call__(self, environ, start_response):
-        """
-        @type environ: dict
-        @param environ: WSGI environment variables dictionary
-        @type start_response: function
-        @param start_response: standard WSGI start response function
-        @rtype: iterable
-        @return: response
-        """
-        session = environ.get(self.sessionKey)
-        if session is None:
-            raise PEPFilterConfigError('No beaker session key "%s" found in '
-                                       'environ' % self.sessionKey)
-        queryString = environ.get('QUERY_STRING', '')
-        resourceURI = urlunsplit(('', '', self.pathInfo, queryString, ''))
-        # Check for a secured resource
-        matchingTargets = self._getMatchingTargets(resourceURI)
-        targetMatch = len(matchingTargets) > 0
-        if not targetMatch:
-            log.debug("PEPFilter.__call__: granting access - no matching URI "
-                      "path target was found in the policy for URI path [%s]",
-                      resourceURI)
-            return self._app(environ, start_response)
-        log.debug("PEPFilter.__call__: found matching target(s):\n\n %s\n"
-                  "\nfrom policy file [%s] for URI Path=[%s]\n",
-                  '\n'.join(["RegEx=%s" % t for t in matchingTargets]),
-                  self.policyFilePath,
-                  resourceURI)
-        if not self.isAuthenticated:
-            log.info("PEPFilter.__call__: user is not authenticated - setting "
-                     "HTTP 401 response ...")
-            # Set a 401 response for an authentication handler to capture
-            return self._setErrorResponse(code=UNAUTHORIZED)
-        log.debug("PEPFilter.__call__: creating request to call PDP to check "
-                  "user authorisation ...")
-        # Make a request object to pass to the PDP.
-        request = Request()
-        request.subject[Subject.USERID_NS] = session['username']
-        request.resource[Resource.URI_NS] = resourceURI
-        # Call the PDP
-        response = self.pdp.evaluate(request)
-        # Record the result in the user's session to enable later
-        # interrogation by the AuthZResultHandlerMiddleware
-        PEPFilter.setSession(session, request, response)
-        if response.status == Response.DECISION_PERMIT:
-            log.info("PEPFilter.__call__: PDP granted access for URI path "
-                     "[%s] using policy [%s]",
-                     resourceURI,
-                     self.policyFilePath)
-            return self._app(environ, start_response)
-        else:
-            log.info("PEPFilter.__call__: PDP returned a status of [%s] "
-                     "denying access for URI path [%s] using policy [%s]",
-                     response.decisionValue2String[response.status],
-                     resourceURI,
-                     self.policyFilePath)
-            # Trigger AuthZResultHandlerMiddleware by setting a response
-            # with HTTP status code equal to the TRIGGER_HTTP_STATUS_CODE class
-            # attribute value
-            triggerStatusCode = int(PEPFilter.TRIGGER_HTTP_STATUS_CODE)
-            return self._setErrorResponse(code=triggerStatusCode)
     @classmethod
+    def setSession(cls, session, request, response, save=True):
+        """Set PEP context information in the Beaker session using standard key
+        names
+        @param session: beaker session
+        @type session: beaker.session.SessionObject
+        @param request: authorisation request
+        @type request: ndg.security.common.authz.msi.Request
+        @param response: authorisation response
+        @type response: ndg.security.common.authz.msi.Response
+        @param save: determines whether session is saved or not
+        @type save: bool
+        """
+        session[cls.PEPCTX_SESSION_KEYNAME] = {
+            cls.PEPCTX_REQUEST_SESSION_KEYNAME: request,
+            cls.PEPCTX_RESPONSE_SESSION_KEYNAME: response,
+            cls.PEPCTX_TIMESTAMP_SESSION_KEYNAME: time()
+        }
+        if save:
+            session.save()
+    def _getMatchingTargets(self, resourceURI):
+        """This method may only be called following __call__ as __call__
+        updates the pathInfo property
+        @type resourceURI: basestring
+        @param resourceURI: the URI of the requested resource
+        @rtype: list
+        @return: return list of policy target objects matching the current
+        path
+        """
+        matchingTargets = [target for target in self.pdp.policy.targets
+                           if target.regEx.match(resourceURI) is not None]
+        return matchingTargets
+    def multiHandlerInterceptFactory(self):
+        """Return a checker function for use with AuthKit's MultiHandler.
+        MultiHandler can be used to catch HTTP 403 Forbidden responses set by
+        an application and call middleware (AuthZResultMiddleware) to handle
+        the access denied message.
+        """
+        def multiHandlerIntercept(environ, status, headers):
+            """AuthKit MultiHandler checker function to intercept
+            unauthorised response status codes from applications to be
+            protected.  This function's definition is embedded into a
+            factory method so that this function has visibility to the
+            PEPFilter object's attributes if required.
+            @type environ: dict
+            @param environ: WSGI environment dictionary
+            @type status: basestring
+            @param status: HTTP response code set by application middleware
+            that this intercept function is to protect
+            @type headers: list
+            @param headers: HTTP response header content"""
+            if status.startswith(PEPFilter.TRIGGER_HTTP_STATUS_CODE):
+                log.debug("PEPFilter: found [%s] status for URI path [%s]: "
+                          "invoking access denied response",
+                          PEPFilter.TRIGGER_HTTP_STATUS_CODE,
+                          environ['PATH_INFO'])
+                return True
+            else:
+                # No match - it's publicly accessible
+                log.debug("PEPFilter: the return status [%s] for this URI "
+                          "path [%s] didn't match the trigger status [%s]",
+                          status,
+                          environ['PATH_INFO'],
+                          PEPFilter.TRIGGER_HTTP_STATUS_CODE)
+                return False
+        return multiHandlerIntercept
+    @staticmethod
+    def _filterKeywords(conf, prefix):
+        filteredConf = {}
+        prefixLen = len(prefix)
+        for k, v in conf.items():
+            if k.startswith(prefix):
+                filteredConf[k[prefixLen:]] = conf.pop(k)
+        return filteredConf
+    def _getPDP(self):
+        if self._pdp is None:
+            raise TypeError("PDP object has not been initialised")
+        return self._pdp
+    def _setPDP(self, pdp):
+        if not isinstance(pdp, (PDP, None.__class__)):
+            raise TypeError("Expecting %s or None type for pdp; got %r" %
+                            (PDP.__class__.__name__, pdp))
+        self._pdp = pdp
+    pdp = property(fget=_getPDP,
+                   fset=_setPDP,
+                   doc="Policy Decision Point object makes access control "
+                       "decisions on behalf of the PEP")
+class SamlPIPMiddlewareError(Exception):
+    """Base class for SAML based Policy Information Point WSGI middleware
+    exception types
+    """
+class SamlPIPMiddlewareConfigError(SamlPIPMiddlewareError):
+    """Configuration related error for SAML Policy Information Point WSGI
+    middleware
+    """
+class SamlPIPMiddleware(PIPBase, NDGSecurityMiddlewareBase):
+    '''Extend Policy Information Point to enable caching of SAML credentials in
+    a SAMLCredentialWallet object held in beaker.session
+    '''
+    ENVIRON_KEYNAME = 'ndg.security.server.wsgi.authz.SamlPIPMiddleware'
+    propertyDefaults = {
+        'sessionKey': 'beaker.session.ndg.security',
+    }
+    propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
+    CREDENTIAL_WALLET_SESSION_KEYNAME = \
+        SessionHandlerMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME
+    USERNAME_SESSION_KEYNAME = \
+        SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME
+    ATTRIBUTE_QUERY_ATTRNAME = 'attributeQuery'
+    LEN_ATTRIBUTE_QUERY_ATTRNAME = len(ATTRIBUTE_QUERY_ATTRNAME)
+    def __init__(self, app, global_conf, prefix='', **local_conf):
+        '''
+        @type app: callable following WSGI interface
+        @param app: next middleware application in the chain
+        @type global_conf: dict
+        @param global_conf: PasteDeploy global configuration dictionary
+        @type prefix: basestring
+        @param prefix: prefix for configuration items
+        @type local_conf: dict
+        @param local_conf: PasteDeploy application specific configuration
+        dictionary
+        '''
+        self.session = None
+        self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()
+        nameOffset = len(prefix)
+        for k in local_conf.keys():
+            if k.startswith(prefix):
+                val = local_conf.pop(k)
+                name = k[nameOffset:]
+                setattr(self, name, val)
+        if not self.__attributeQueryBinding.issuerName:
+            issuerX509Cert = X509Cert.Read(
+                    self.__attributeQueryBinding.sslCtxProxy.sslCertFilePath)
+            self.__attributeQueryBinding.issuerName = str(issuerX509Cert.dn)
+        NDGSecurityMiddlewareBase.__init__(self, app, {})
+    def __setattr__(self, name, value):
+        """Enable setting of AttributeQuerySslSOAPBinding attributes from
+        names starting with attributeQuery.* / attributeQuery_*.  Addition for
+        setting these values from ini file
+        """
+        # Coerce into setting AttributeQuerySslSOAPBinding attributes -
+        # names must start with 'attributeQuery\W' e.g.
+        # attributeQuery.clockSkew or attributeQuery_issuerDN
+        if name.startswith(SamlPIPMiddleware.ATTRIBUTE_QUERY_ATTRNAME):
+            setattr(self.__attributeQueryBinding,
+                    name[SamlPIPMiddleware.LEN_ATTRIBUTE_QUERY_ATTRNAME+1:],
+                    value)
+        else:
+            super(SamlPIPMiddleware, self).__setattr__(name, value)
+    @property
+    def attributeQueryBinding(self):
+        """SAML SOAP Attribute Query client binding object"""
+        return self.__attributeQueryBinding
+    def __call__(self, environ, start_response):
+        """Take a copy of the session object so that it is in scope for
+        attributeQuery call and add this instance to the environ
+        so that the PEPFilter can retrieve it and pass on to the PDP
+    def intercept(cls, environ, status, headers):
+        """Checker function for AuthKit Multihandler
         @type environ: dict
+        @param environ: WSGI environment variables dictionary
+        @type start_response: function
+        @param start_response: standard WSGI start response function
+        @rtype: iterable
+        @return: response
+        """
+        self.session = environ.get(self.sessionKey)
+        if self.session is None:
+            raise SamlPIPMiddlewareConfigError('No beaker session key "%s" '
+                                               'found in environ' %
+                                               self.sessionKey)
+        environ[SamlPIPMiddleware.ENVIRON_KEYNAME] = self
+        @param environ: WSGI environment dictionary
+        @type status: basestring
+        @param status: HTTP response code set by application middleware
+        that this intercept function is to protect
+        @type headers: list
+        @param headers: HTTP response header content"""
+        return self._app(environ, start_response)
+        if status.startswith(cls.TRIGGER_HTTP_STATUS_CODE):
+            log.debug("Found [%s] status for URI path [%s]: invoking access "
+                      "denied response",
+                      cls.TRIGGER_HTTP_STATUS_CODE,
+                      environ['PATH_INFO'])
+            return True
+        else:
+            # No match - it's publicly accessible
+            log.debug("The return status [%s] for this URI path [%s] didn't "
+                      "match the trigger status [%s]",
+                      status,
+                      environ['PATH_INFO'],
+                      cls.TRIGGER_HTTP_STATUS_CODE)
+            return False
+    def attributeQuery(self, attributeQuery):
+        """Query the Attribute Authority specified in the request to retrieve
+        the attributes if any corresponding to the subject
+        @type attributeResponse: PIPAttributeQuery
+        @param attributeResponse:
+        @rtype: PIPAttributeResponse
+        @return: response containing the attributes retrieved from the
+        Attribute Authority"""
+        if not isinstance(attributeQuery, PIPAttributeQuery):
+            raise TypeError('Expecting %r type for input "attributeQuery"; '
+                            'got %r' % (PIPAttributeQuery,
+                                        type(attributeQuery)))
+        attributeAuthorityURI = attributeQuery[
+                                        PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS]
+        log.debug("SamlPIPMiddleware: received attribute query: %r",
+                  attributeQuery)
+        # Check for a wallet in the current session - if not present, create
+        # one.  See ndg.security.server.wsgi.authn.SessionHandlerMiddleware
+        # for session keys.  The 'credentialWallet' key is deleted along with
+        # any other security keys when the user logs out
+        credentialWalletKeyName = \
+                            SamlPIPMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME
+        usernameKeyName = SamlPIPMiddleware.USERNAME_SESSION_KEYNAME
+        if not credentialWalletKeyName in self.session:
+            log.debug("SamlPIPMiddleware.attributeQuery: adding a "
+                      "Credential Wallet to user session [%s] ...",
+                      self.session[usernameKeyName])
+            credentialWallet = SAMLCredentialWallet()
+            credentialWallet.userId = self.session[usernameKeyName]
+            self.session[credentialWalletKeyName] = credentialWallet
+            self.session.save()
+        else:
+            # Take reference to wallet for efficiency
+            credentialWallet = self.session[credentialWalletKeyName]
+        # Check for existing credentials cached in wallet
+        credentialItem = credentialWallet.credentialsKeyedByURI.get(
+                                                    attributeAuthorityURI)
+        if credentialItem is None:
+            # No assertion is cached - make a fresh SAML Attribute Query
+            self.attributeQueryBinding.subjectID = credentialWallet.userId
+            response = self.attributeQueryBinding.send(
+                                                    uri=attributeAuthorityURI)
+            for assertion in response.assertions:
+                credentialWallet.addCredential(assertion,
+                                   attributeAuthorityURI=attributeAuthorityURI,
+                                   verifyCredential=False)
+            log.debug("SamlPIPMiddleware.attributeQuery: updating Credential "
+                      "Wallet with retrieved SAML Attribute Assertion "
+                      "for user session [%s]", self.session[usernameKeyName])
+        else:
+            log.debug("SamlPIPMiddleware.attributeQuery: retrieved existing "
+                      "SAML Attribute Assertion cached in Credential Wallet "
+                      "for user session [%s]", self.session[usernameKeyName])
+        attributeResponse = PIPAttributeResponse()
+        attributeResponse[Subject.ROLES_NS] = []
+        # Unpack assertion attribute values and add to the response object
+        for credentialItem in credentialWallet.credentials.values():
+            for statement in credentialItem.credential.attributeStatements:
+                for attribute in statement.attributes:
+                    attributeResponse[Subject.ROLES_NS] += [
+                        attributeValue.value
+                        for attributeValue in attribute.attributeValues
+                        if attributeValue.value not in attributeResponse[
+                                                            Subject.ROLES_NS]
+                    ]
+        log.debug("SamlPIPMiddleware.attributeQuery response: %r",
+                  attributeResponse)
+        return attributeResponse
+class AuthorizationMiddlewareError(Exception):
+    """Base class for AuthorizationMiddlewareBase exceptions"""
+class AuthorizationMiddlewareConfigError(Exception):
+    """AuthorizationMiddlewareBase configuration related exceptions"""
+class AuthorisationFilterConfigError(Exception):
+    """AuthorisationFilterBase configuration related exceptions"""
+class AuthorizationMiddlewareBase(NDGSecurityMiddlewareBase):
+    '''Virtual class - A base Handler to call Policy Enforcement Point
+    middleware to intercept requests and enforce access control decisions.
+class AuthorisationFilter(object):
+    '''NDG Security Authorisation filter wraps the Policy Enforcement Point
+    (PEP) filter to intercept requests and enforce access control decisions and
+    result handler middleware which enables a customised response given an
+    authorisation denied decision from the PEP filter.
+    '''
+    PEP_PARAM_PREFIX = 'pep.'
+    RESULT_HANDLER_PARAMNAME = "resultHandler"
+    RESULT_HANDLER_PARAM_PREFIX = RESULT_HANDLER_PARAMNAME + '.'
+    RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir'
+    Extend THIS class adding the new type to any WSGI middleware chain ahead of
+    the application(s) which it is to protect.  To make an implementation for
+    this virtual class, set PIP_MIDDLEWARE_CLASS in the derived type to a
+    valid Policy Information Point Class.  Use in conjunction with
+    ndg.security.server.wsgi.authn.AuthenticationMiddleware
+    '''
+    PEP_PARAM_PREFIX = 'pep.filter.'
+    PIP_PARAM_PREFIX = 'pip.'
+    PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler"
+    PEP_RESULT_HANDLER_PARAM_PREFIX = PEP_RESULT_HANDLER_PARAMNAME + '.'
+    PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir'
+    class PIP_MIDDLEWARE_CLASS(object):
+        """Policy Information Point WSGI middleware abstract base,
+        implementations should retrieve user credentials to enable the PDP to
+        make access control decisions
+        """
+        def __init__(self, app, global_conf, prefix='', **local_conf):
+            raise NotImplementedError(' '.join(
+                AuthorizationMiddlewareBase.PIP_MIDDLEWARE_CLASS.__doc__.split())
+            )
+    def __init__(self, app, global_conf, prefix='', **app_conf):
+    @classmethod
+    def filter_app_factory(cls, app, global_conf, prefix='', **app_conf):
         """Set-up Policy Enforcement Point to enforce access control decisions
         based on the URI path requested and/or the HTTP response code set by
 …
         dictionary
         """
+        cls = AuthorizationMiddlewareBase
+        # Allow for static content for use with PEP result handler middleware
+        resultHandlerParamPrefix = prefix + cls.RESULT_HANDLER_PARAM_PREFIX
+        resultHandlerStaticContentDirParamName = \
+                                resultHandlerParamPrefix + \
+                                cls.RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME
+        # Allow for static content for use with PEP result handler middleware
+        pepResultHandlerParamPrefix = prefix + \
+                                            cls.PEP_RESULT_HANDLER_PARAM_PREFIX
+        pepResultHandlerStaticContentDirParamName = \
+            pepResultHandlerParamPrefix + \
+            cls.PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME
+        resultHandlerStaticContentDir = app_conf.get(
+                                    resultHandlerStaticContentDirParamName)
+        if resultHandlerStaticContentDir is not None:
+            staticApp = StaticURLParser(resultHandlerStaticContentDir)
+            app = Cascade([app, staticApp], catch=(httplib.NOT_FOUND,))
+        pepPrefix = prefix + cls.PEP_PARAM_PREFIX
+        pepFilter = SamlPepFilter.filter_app_factory(app,
+                                                     global_conf,
+                                                     prefix=pepPrefix,
+                                                     **app_conf)
+        pepResultHandlerStaticContentDir = app_conf.get(
+                                    pepResultHandlerStaticContentDirParamName)
+        if pepResultHandlerStaticContentDir is not None:
+            staticApp = StaticURLParser(pepResultHandlerStaticContentDir)
+            app = Cascade([app, staticApp], catch=(404,))
+        # Now add the multi-handler to enable result handler to be invoked on
+        # 403 forbidden status from upstream middleware
+        app = MultiHandler(pepFilter)
+        authzPrefix = prefix + cls.PEP_PARAM_PREFIX
+        pepFilter = PEPFilter(app,
+                              global_conf,
+                              prefix=authzPrefix,
+                              **app_conf)
+        pepInterceptFunc = pepFilter.multiHandlerInterceptFactory()
+        # Slot in the Policy Information Point in the WSGI stack at this point
+        # so that it can take a copy of the beaker session object from environ
+        # ahead of the PDP's request to it for an Attribute Certificate
+        pipPrefix = cls.PIP_PARAM_PREFIX
+        pipFilter = self.__class__.PIP_MIDDLEWARE_CLASS(pepFilter,
+                                                        global_conf,
+                                                        prefix=pipPrefix,
+                                                        **app_conf)
+        pepFilter.pdp.pip = pipFilter
+        app = MultiHandler(pipFilter)
+        pepResultHandlerClassName = app_conf.pop(
+                                        prefix+cls.PEP_RESULT_HANDLER_PARAMNAME,
+                                        None)
+        if pepResultHandlerClassName is None:
+            pepResultHandler = PEPResultHandlerMiddleware
+        resultHandlerClassName = app_conf.pop(
+                                            prefix+cls.RESULT_HANDLER_PARAMNAME,
+                                            None)
+        if resultHandlerClassName is None:
+            resultHandler = PEPResultHandlerMiddleware
         else:
             pepResultHandler = importClass(pepResultHandlerClassName,
+            resultHandler = importClass(resultHandlerClassName,
                                     objectType=PEPResultHandlerMiddlewareBase)
         app.add_method(PEPFilter.MIDDLEWARE_ID,
                        pepResultHandler.filter_app_factory,
+        app.add_method(resultHandler.__class__.__name__,
+                       resultHandler.filter_app_factory,
                        global_conf,
                        prefix=pepResultHandlerParamPrefix,
+                       prefix=resultHandlerParamPrefix,
                        **app_conf)
+        app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc)
+        super(AuthorizationMiddlewareBase, self).__init__(app, {})
+class SAMLAuthorizationMiddleware(AuthorizationMiddlewareBase):
+    """Implementation of AuthorizationMiddlewareBase using the SAML Policy
+    Information Point interface.  This retrieves attributes over the SOAP/SAML
+    Attribute Authority interface
+    (ndg.security.server.wsgi.saml.attributeinterface.SOAPAttributeInterfaceMiddleware) and caches
+    SAML Assertions in a
+    ndg.security.common.credentialWallet.SAMLCredentialWallet
+    """
+    PIP_MIDDLEWARE_CLASS = SamlPIPMiddleware
+        app.add_checker(resultHandler.__class__.__name__,
+                        Http403ForbiddenStatusHandler.intercept)
+        return app

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

-                      r7257
+                      r7287
 class SamlPepMiddlewareConfigError(Exception):
+class SamlPepFilterConfigError(Exception):
     """Error with SAML PEP configuration settings"""
 class SamlPepMiddleware(SessionMiddlewareBase):
+class SamlPepFilter(SessionMiddlewareBase):
     '''Policy Enforcement Point for ESG with SAML based Interface
 …
         @param kw: configuration settings
         dictionary
         @raise SamlPepMiddlewareConfigError: missing option setting(s)
+        @raise SamlPepFilterConfigError: missing option setting(s)
         '''
         # Parse authorisation decision query options
 …
         # Parse other options
         for name in SamlPepMiddleware.PARAM_NAMES:
+        for name in SamlPepFilter.PARAM_NAMES:
             paramName = prefix + name
             value = kw.get(paramName)
             if value is None:
                 raise SamlPepMiddlewareConfigError('Missing option %r' %
+                raise SamlPepFilterConfigError('Missing option %r' %
                                                    paramName)
             setattr(self, name, value)
 …
         # place upstream of this middleware in the WSGI stack
         if self.sessionKey not in environ:
+            raise SamlPepMiddlewareConfigError('No beaker session key "%s" '
+                                               'found in environ' %
+                                               self.sessionKey)
+            raise SamlPepFilterConfigError('No beaker session key "%s" found '
+                                           'in environ' % self.sessionKey)
         self.session = environ[self.sessionKey]

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

-                      r7257
+                      r7287
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <Description>
+        NDG XACML example for unit tests: allow access for resource URIs
+        matching given regular expressions.  The subject must have at least one
+        of a set of named attributes allocated
+        Example for NDG Security unit tests: allow access for resource URIs
+        defined in the rules.  All other URIs are blocked from access
+        See ndg.security.test.unit.wsgi.authz.test_authz to see the various
+        rules tested out
     </Description>
 …
     <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
         <!--
+            Rule target(s) define which requests apply to the particular rule
+            Secure a URI path and all sub-paths using a regular expression to
+            define a URI pattern
         -->
         <Target>
 …
             The user must have at least one of the roles set - in this
             case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>
 …
             <Resources>
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                         <ResourceAttributeDesignator
                             AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+                <SubjectAttributeDesignator
+                    AttributeId="urn:ndg:security:authz:1.0:attr"
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
+        <!--
+            This rule is a modified version of the above to allow for a real use
+            case where adding a special query argument grants extra privileges
+            associated with an administrator
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                     </ResourceMatch>
                 </Resource>
 …
             <Subjects>
                 <Subject>
                     <SubjectMatch>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <SubjectAttributeDesignator
                             AttributeId="urn:ndg:security:authz:1.0:attr"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                     </SubjectMatch>
                 </Subject>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

-                      r7077
+                      r7287
 [filter:AuthZFilter]
 paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
+paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory
 prefix = authz.
-policy.filePath = %(here)s/saml-policy.xml
+authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.redirect.HTTPRedirectPEPResultHandlerMiddleware
+authz.pepResultHandler.redirectURI = /nowhere
+# This result handler responds with a redirect request to the client if access
+# denied to the original requested URI
+authz.resultHandler = ndg.security.server.wsgi.authz.result_handler.redirect.HTTPRedirectPEPResultHandlerMiddleware
+authz.resultHandler.redirectURI = /test_accessGrantedToSecuredURI
 # Settings for Policy Information Point used by the Policy Decision Point to
+# retrieve subject attributes from the Attribute Authority associated with the
+# resource to be accessed
+# Settings for the Policy Enforcement Point
+authz.pep.sessionKey = beaker.session.ndg.security
+authz.pep.authzServiceURI = https://localhost:9443/authorisation-service
 # If omitted, DN of SSL Cert is used
+pip.attributeQuery.issuerName =
+pip.attributeQuery.clockSkewTolerance = 0.
+pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
+pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
+pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
+authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
+authz.pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+authz.pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
+authz.pep.authzDecisionQuery.clockSkewTolerance = 0.
+authz.pep.authzDecisionQuery.sslCACertDir=%(testConfigDir)s/ca
+authz.pep.authzDecisionQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+authz.pep.authzDecisionQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

-                      r7168
+                      r7287
 [pipeline:main]
 pipeline = AuthZFilter TestApp
+pipeline = PolicyEnforcementPointFilter TestApp
 [app:TestApp]
 paste.app_factory = ndg.security.test.unit.wsgi.authz.test_authz:TestAuthZMiddleware
 [filter:AuthZFilter]
 paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepMiddleware.filter_app_factory
+[filter:PolicyEnforcementPointFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory
 prefix = pep.
 pep.sessionKey = beaker.session.ndg.security
 pep.authzServiceURI = https://localhost:9443/authorisation-service
-pep.pepResultHandler = ndg.security.test.unit.wsgi.authz.test_authz.RedirectFollowingAccessDenied
 # Settings for Policy Information Point used by the Policy Decision Point to

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

-                      r7257
+                      r7287
 from ndg.security.server.wsgi.authz.result_handler.redirect import \
     HTTPRedirectPEPResultHandlerMiddleware
 from ndg.security.server.wsgi.authz.pep import SamlPepMiddlewareConfigError
+from ndg.security.server.wsgi.authz.pep import SamlPepFilterConfigError
 …
 class TestAuthZMiddleware(object):
     '''Test Application for the Authentication handler to protect'''
     response = "Test Authorization application"
+    RESPONSE = "Test Authorization application"
     def __init__(self, app_conf, **local_conf):
 …
         start_response(status,
                        [('Content-length',
                          str(len(TestAuthZMiddleware.response))),
+                         str(len(TestAuthZMiddleware.RESPONSE))),
                         ('Content-type', 'text/plain')])
         return [TestAuthZMiddleware.response]
+        return [TestAuthZMiddleware.RESPONSE + ' returned: ' + status]
 …
     def save(self):
         pass
+class SamlWSGIAuthZTestCase(BaseTestCase):
+class BaseAuthzFilterTestCase(BaseTestCase):
+    """Base class for NDG Security WSGI authorisation filters
+    """
     INI_FILE = 'saml-test.ini'
     THIS_DIR = path.dirname(path.abspath(__file__))
+    INI_FILEPATH = None # Set in __init__ to enable derived classes to alter
     SESSION_KEYNAME = 'beaker.session.ndg.security'
+    def __init__(self, *args, **kwargs):
+    def __init__(self, *args, **kwargs):
+        """Test the authorisation filter using Paste fixture and set up
+        Authorisation and Attribute Services needed for making authorisation
+        decisions
+        """
         BaseTestCase.__init__(self, *args, **kwargs)
         wsgiapp = loadapp('config:'+SamlWSGIAuthZTestCase.INI_FILE,
                           relative_to=SamlWSGIAuthZTestCase.THIS_DIR)
+        wsgiapp = loadapp('config:'+self.__class__.INI_FILE,
+                          relative_to=self.__class__.THIS_DIR)
         self.app = paste.fixture.TestApp(wsgiapp)
+        self.__class__.INI_FILEPATH = os.path.join(self.__class__.THIS_DIR,
+                                                   self.__class__.INI_FILE)
         self.startSiteAAttributeAuthority(withSSL=True,
+            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+        self.startAuthorisationService()
+            port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+        self.startAuthorisationService()
+class SamlPepFilterTestCase(BaseAuthzFilterTestCase):
+    """Test SAML based Policy Enforcement Filter.  This has a SAML authorisation
+    decision query interface to call to a remote authorisation service"""
     def test01CatchNoBeakerSessionFound(self):
 …
         # PEPFilterConfigError is raised if no beaker.session is set in
         # environ
         self.assertRaises(SamlPepMiddlewareConfigError, self.app.get,
+        self.assertRaises(SamlPepFilterConfigError, self.app.get,
                           '/test_200')
 …
         response = self.app.get('/test_200',
                                 extra_environ=extra_environ)
+        print response
     def test03Catch401WithLoggedIn(self):
 …
                                 extra_environ=extra_environ,
                                 status=401)
+        print response
     def test04Catch403WithLoggedIn(self):
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+                BeakerSessionStub(username=SamlPepFilterTestCase.OPENID_URI),
             'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
                                 extra_environ=extra_environ,
                                 status=403)
+        print response
     def test05Catch401WithNotLoggedInAndSecuredURI(self):
         # AuthZ middleware grants access because the URI requested is has no
+        # AuthZ middleware grants access because the URI requested has no
         # subject restriction set in the policy rule
 …
                                 extra_environ=extra_environ,
                                 status=401)
+        print response
     def test06AccessDeniedForSecuredURI(self):
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+                BeakerSessionStub(username=SamlPepFilterTestCase.OPENID_URI),
             'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
                                 status=403)
         print response
-        self.assert_("Insufficient privileges to access the "
-                     "resource" in response)
     def test07AccessGrantedForSecuredURI(self):
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+                BeakerSessionStub(username=SamlPepFilterTestCase.OPENID_URI),
             'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
                                 extra_environ=extra_environ,
                                 status=200)
+        self.assert_(TestAuthZMiddleware.response in response)
+        print response
+    def test08AccessDeniedForAdminQueryArg(self):
+        self.assert_(TestAuthZMiddleware.RESPONSE in response)
+        print response
+class PEPResultHandlerTestCase(BaseAuthzFilterTestCase):
+    """Test Authorisation Filter - this contains the PEP filter and a result
+    handler which enables customisation of behaviour on 403 Forbidden responses
+    """
+    INI_FILE = 'pep-result-handler-test.ini'
+    AUTHZ_FILTER_SECTION = 'filter:AuthZFilter'
+    AUTHZ_RESULT_HANDLER_REDIRECT_URI_OPTNAME = 'authz.resultHandler.redirectURI'
+    def __init__(self, *arg, **kw):
+        BaseAuthzFilterTestCase.__init__(self, *arg, **kw)
+        cfgParser = SafeConfigParser()
+        cfgParser.read(self.__class__.INI_FILEPATH)
+        self.redirectURI = cfgParser.get(self.__class__.AUTHZ_FILTER_SECTION,
+                    self.__class__.AUTHZ_RESULT_HANDLER_REDIRECT_URI_OPTNAME)
+    def test01RedirectPEPResultHandlerMiddleware(self):
+        # User is logged in but doesn't have the required credentials for
+        extra_environ = {
+            self.__class__.SESSION_KEYNAME:
+                        BeakerSessionStub(username=self.__class__.OPENID_URI),
+            'REMOTE_USER': self.__class__.OPENID_URI
+        }
+        # Expecting result handler to be invoked overriding the 403 response
+        response = self.app.get('/test_accessDeniedToSecuredURI',
+                                extra_environ=extra_environ,
+                                status=302)
+        print("Result handler has intercepted the 403 Forbidden response "
+              "from the PEP and set this redirect response instead: %s" %
+              response)
+        self.assert_(response.header_dict.get('location') == self.redirectURI)
+    def test02RedirectFollowingAccessDeniedForAdminQueryArg(self):
         # User is logged in but doesn't have the required credentials for
 …
         extra_environ = {
             self.__class__.SESSION_KEYNAME:
                 BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI),
+                BeakerSessionStub(username=SamlPepFilterTestCase.OPENID_URI),
             'REMOTE_USER': self.__class__.OPENID_URI
+        }
 …
         # into play the PEP result handler defined in this module,
         # RedirectFollowingAccessDenied.  This class reinvokes the request
+        # but without the admin query argument.  Access is then granted for
+        # the redirected request
+        # but without the admin query argument (see the ini file for what this
+        # location is.  Access is then granted because the user has access
+        # rights for the new location.
         response = self.app.get('/test_accessGrantedToSecuredURI',
                                 params={'admin': 1},
                                 extra_environ=extra_environ,
                                 status=302)
+        try:
+            redirectResponse = response.follow(extra_environ=extra_environ)
+        except paste.fixture.AppError, e:
+            self.failIf(TestAuthZMiddleware.response not in response)
+        print response
+class PEPResultHandlerTestCase(BaseTestCase):
+    INI_FILE = 'pep-result-handler-test.ini'
+    THIS_DIR = os.path.dirname(os.path.abspath(__file__))
+    INI_FILEPATH = path.join(THIS_DIR, INI_FILE)
+    SESSION_KEYNAME = 'beaker.session.ndg.security'
+    def __init__(self, *arg, **kw):
+        BaseTestCase.__init__(self, *arg, **kw)
+        here_dir = os.path.dirname(os.path.abspath(__file__))
+        wsgiapp = loadapp('config:'+self.__class__.INI_FILE,
+                          relative_to=self.__class__.THIS_DIR)
+        self.app = paste.fixture.TestApp(wsgiapp)
+        cfg = SafeConfigParser(dict(here=self.__class__.THIS_DIR))
+        cfg.read(self.__class__.INI_FILEPATH)
+        self.redirectURI = cfg.get('filter:AuthZFilter',
+                                   'authz.pepResultHandler.redirectURI')
+        self.startSiteAAttributeAuthority(withSSL=True,
+            port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+    def testRedirectPEPResultHandlerMiddleware(self):
+        # User is logged in but doesn't have the required credentials for
+        # access
+        raise NotImplementedError('TODO: fix recursion error')
+#        extra_environ = {
+#            self.__class__.SESSION_KEYNAME:
+#                        BeakerSessionStub(username=self.__class__.OPENID_URI)
+#        }
+#
+#        # Expecting redirect response to specified redirect URI
+#        response = self.app.get('/test_accessDeniedToSecuredURI',
+#                                extra_environ=extra_environ,
+#                                status=302)
+#        print(response)
+#        self.assert_(response.header_dict.get('location') == self.redirectURI)
+        print("Redirect Handler has interrupted the 403 Denied response and "
+              "added this redirect response instead: %s" % response)
+        # Follow the redirect - the policy should allow access to the new
+        # location
+        redirectResponse = response.follow(extra_environ=extra_environ,
+                                           status=200)
+        print("Following the redirect to location %r gives this response: %s" %
+              (response.header_dict.get('location'), redirectResponse))
 if __name__ == "__main__":

Note: See TracChangeset for help on using the changeset viewer.