Changeset 7310

Timestamp:

10/08/10 16:40:37 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• progress with SAML attribute query interface to PIP.

File:

• TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (5 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -18 +18 @@
 from ndg.xacml.core.context.request import Request
 
-from ndg.saml.saml2.core import AttributeQuery
+from ndg.saml.saml2.core import (AttributeQuery as SamlAttributeQuery, 
+                                 Attribute as SamlAttribute)
+from ndg.saml.utils import TypedList as SamlTypedList
 from ndg.saml.saml2.binding.soap.client.attributequery import \
                                             AttributeQuerySslSOAPBinding
@@ -33 +35 @@
     DISALLOWED_ATTRIBUTE_QUERY_OPTNAMES = (
         AttributeQuerySslSOAPBinding.SUBJECT_ID_OPTNAME,
+        AttributeQuerySslSOAPBinding.QUERY_ATTRIBUTES_ATTRNAME
     )
     ATTRIBUTE_QUERY_ATTRNAME = 'attributeQuery'
     LEN_ATTRIBUTE_QUERY_ATTRNAME = len(ATTRIBUTE_QUERY_ATTRNAME)
     
-    __slots__ = ('__attributeQueryBinding')
+    # +1 allows for '.' or other separator e.g. 
+    # pip.attributeQuery.issuerName
+    #                   ^
+    ATTRIBUTE_QUERY_ATTRNAME_OFFSET = LEN_ATTRIBUTE_QUERY_ATTRNAME + 1
+    
+    __slots__ = ('__mappingFilePath',)
     
     def __init__(self):
         '''Initialise settings for connection to an Attribute Authority'''
         self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()    
+        self.__mappingFilePath = None
+
+    def _getMappingFilePath(self):
+        return self.__mappingFilePath
+
+    def _setMappingFilePath(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "mappingFilePath"; got '
+                            '%r' % type(value))
+        self.__mappingFilePath = value
+
+    mappingFilePath = property(_getMappingFilePath, 
+                               _setMappingFilePath, 
+                               doc="Mapping File maps attribute IDs to the "
+                                   "Attribute Authorities from which they may "
+                                   "be queried for")
 
     @classmethod
@@ -55 +79 @@
         
         return obj
+    
+    def __setAttr(self, optName, val): 
+        """Helper method to differentiate attribute query binding option names
+        from other config options
+        
+        @param optName: config file option name
+        @type optName: basestring
+        @param val: corresponding value
+        @type val: basestring
+        """
+        if optName.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
+            setattr(self, 
+                    optName[self.__class__.ATTRIBUTE_QUERY_ATTRNAME_OFFSET:],
+                    val)
+        else:
+            setattr(self, optName, val)
 
     def parseConfig(self, cfg, prefix='', section='DEFAULT'):
@@ -84 +124 @@
         
         prefixLen = len(prefix)
+        
         for optName, val in items:
             if prefix:
                 # Filter attributes based on prefix
                 if optName.startswith(prefix):
-                    setattr(self, optName[prefixLen:], val)
+                    self.__setAttr(optName[prefixLen:], val)
             else:
                 # No prefix set - attempt to set all attributes   
-                setattr(self, optName, val)
-                
-        if (not self.attributeQueryBinding.issuerName and 
-            self.attributeQueryBinding.sslCtxProxy.sslCertFilePath is not None):
-            issuerX509Cert = X509Cert.Read(
-                        self.attributeQueryBinding.sslCtxProxy.sslCertFilePath)
-            self.attributeQueryBinding.issuerName = str(issuerX509Cert.dn)
-            
-    def __setattr__(self, name, value):
-        """Enable setting of AttributeQuerySslSOAPBinding attributes from
-        names starting with attributeQuery.* / attributeQuery_*.  Addition for
-        setting these values from ini file
-        """
-
-        # Coerce into setting AttributeQuerySslSOAPBinding attributes - 
-        # names must start with 'attributeQuery\W' e.g.
-        # attributeQuery.clockSkew or attributeQuery_issuerDN
-        if name.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
-            queryAttrName = name[self.__class__.LEN_ATTRIBUTE_QUERY_ATTRNAME+1:]
-            
-            # Skip subject related parameters to prevent settings from static
-            # configuration.  These are set at runtime
-            if queryAttrName in self.__class__.DISALLOWED_ATTRIBUTE_QUERY_OPTNAMES:
-                super(PIP, self).__setattr__(name, value)
-                
-            setattr(self.__attributeQueryBinding, queryAttrName, value)
-        else:
-            super(PIP, self).__setattr__(name, value)    
-
-    @property
-    def attributeQueryBinding(self):
-        """SAML SOAP Attribute Query client binding object"""
-        return self.__attributeQueryBinding
+                self.__setAttr(optName, val)
+                            
+#    def __setattr__(self, name, value):
+#        """Enable setting of AttributeQuerySslSOAPBinding attributes from
+#        names starting with attributeQuery.* / attributeQuery_*.  Addition for
+#        setting these values from ini file
+#        """
+#
+#        # Coerce into setting AttributeQuerySslSOAPBinding attributes - 
+#        # names must start with 'attributeQuery\W' e.g.
+#        # attributeQuery.clockSkew or attributeQuery_issuerDN
+#        if name.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
+#            queryAttrName = name[
+#                                self.__class__.ATTRIBUTE_QUERY_ATTRNAME_OFFSET:]
+#            
+#            # Skip subject and attribute Id related parameters to prevent 
+#            # settings from static configuration.  These are set from the 
+#            # incoming XACML context
+#            if min([queryAttrName.startswith(i) for i in 
+#                    self.__class__.DISALLOWED_ATTRIBUTE_QUERY_OPTNAMES]):
+#                super(PIP, self).__setattr__(name, value)
+#                
+#            setattr(self.__attributeQueryBinding, queryAttrName, value)
+#        else:
+#            super(PIP, self).__setattr__(name, value)    
+
     
     def readMappingFile(self):
         """Read the file which maps attribute names to Attribute Authorities
         """
+        mappingFile = open(self.mappingFilePath)
+        self.__attribute2AttributeAuthorityMap = dict()
+        for line in mappingFile.readline():
+            if not line.startswith('#'):
+                attributeId, attributeAuthorityURI = line.split()
+                self.__attribute2AttributeAuthorityMap[attributeId
+                                                       ] = attributeAuthorityURI
         
     def attributeQuery(self, context, attributeDesignator):
@@ -141 +182 @@
                             (Request, type(context)))
         
-        # Check for cached attributes for this subject (i.e. user)
+        # TODO: Check for cached attributes for this subject (i.e. user)
         
         # If none found send a query to the attribute authority
         
-        # Find out the attribute authority corresponding to the query
-        attributeName = attributes[0]
-        attributeAuthorityURI = self.__attribute2AttributeAuthorityMap.get(attributeName)
-        
-               
-        log.debug("PIP: received attribute query: %r", attributeQuery)
-         
-        try:
-            self.attributeQueryBinding.subjectID = None
-            response = self.attributeQueryBinding.send(
-                                                    uri=attributeAuthorityURI)
-        finally:
-            # Ensure subject ID is reset ready for any subsequent query
-            self.attributeQueryBinding.subjectID = ''
-        
-        attributeResponse = PIPAttributeResponse()
-        attributeResponse[Subject.ROLES_NS] = []
-        
-        # Unpack assertion attribute values and add to the response object
+        # TODO: Look-up the attribute authority corresponding to the query
+
+#        attributeAuthorityURI = self.__attribute2AttributeAuthorityMap.get(
+#                                                                attributeName)
+        attributeAuthorityURI = 'https://localhost:7443/AttributeAuthority'
+                        
+        # Get subject from the request context
+        # TODO: parameterise data type setting
+        subjectId = None
+        for subject in context.subjects:
+            for attribute in subject.attributes:
+                if attribute.dataType == 'urn:esg:openid':
+                    if len(attribute.attributeValues) != 1:
+                        raise Exception("Expecting a single attribute value "
+                                        "for query subject ID")
+                    subjectId = attribute.attributeValues[0].value
+                    break
+        
+        if subjectId is None:
+            # TODO: parameterise data type setting
+            raise Exception('No subject found of type %r in request context' %
+                            'urn:esg:openid')
+        else:
+            # Keep a reference to the matching Subject instance
+            _subject = subject
+            
+        # Get the id of the attribute to be queried for and add it to the SAML
+        # query
+        attributeFormat = attributeDesignator.dataType
+        samlAttribute = SamlAttribute()
+        samlAttribute.name = attributeDesignator.attributeId
+        samlAttribute.nameFormat = attributeFormat
+        attributeQueryBinding.query.attributes.append(samlAttribute)
+        
+        
+        attributeQueryBinding.subjectID = subjectId
+        response = attributeQueryBinding.send(uri=attributeAuthorityURI)
+        
+        # Unpack SAML assertion attribute values corresponding to the name 
+        # format specified
+        attributeValues = []
         for assertion in response.assertions:
             for statement in assertion.attributeStatements:
                 for attribute in statement.attributes:
-                    attributeResponse[Subject.ROLES_NS] += [
-                        attributeValue.value 
-                        for attributeValue in attribute.attributeValues
-                        if attributeValue.value not in attributeResponse[
-                                                            Subject.ROLES_NS]
-                    ]
-        
-        log.debug("PIP.attributeQuery response: %r", attributeResponse)
-        
-        return attributeResponse
+                    if attribute.nameFormat == attributeFormat:
+                        attributeValues.append(attribute.attributeValues)
+        
+        # Update the XACML request context subject with the new attributes
+        _subject.attributes.append(attributeValues)
+        
+        # Return the attributes to the caller to comply with the interface
+        return attributeValues