Changeset 7314

Timestamp:

11/08/10 16:39:41 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• significant progress on PIP - can init from config file and added unit tests

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/utils/__init__.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (13 diffs)
• ndg_security_test/ndg/security/test/unit/xacml (added)
• ndg_security_test/ndg/security/test/unit/xacml/__init__.py (added)
• ndg_security_test/ndg/security/test/unit/xacml/pip-mapping.txt (added)
• ndg_security_test/ndg/security/test/unit/xacml/saml_pip.cfg (added)
• ndg_security_test/ndg/security/test/unit/xacml/test_saml_pip.py (added)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/__init__.py

@@ -9 +9 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
+import UserDict
 
 # Interpret a string as a boolean
 str2Bool = lambda str: str.lower() in ("yes", "true", "t", "1")
+
 
 class UniqList(list):
@@ -104 +106 @@
         
         dict.update(self, d, **kw)
+        
+  
+class VettedDict(UserDict.DictMixin):
+    """Enforce custom checking on keys and items before addition to a 
+    dictionary
+    """
+    
+    def __init__(self, *args):
+        """Initialise setting the allowed type or types for keys and items
+        
+        @param args: two arguments: the first is a callable which filters for 
+        permissable keys in this dict, the second sets the type or list of
+        types permissable for items in this dict
+        @type args: tuple
+        """
+        if len(args) != 2:
+            raise TypeError('__init__() takes 2 arguments, KeyFilter and '
+                            'valueFilter (%d given)' % len(args))
+        
+        # Validation of inputs
+        for arg, argName in zip(args, ('KeyFilter', 'valueFilter')):
+            if not callable(arg):
+                raise TypeError('Expecting callable for %r input; got %r' % 
+                                (argName, type(arg)))
+
+        self.__KeyFilter, self.__valueFilter = args
+        
+        self.__map = {}
+        
+    def _verifyKeyValPair(self, key, val):
+        """Check given key value pair and return False if they should be 
+        filtered out.  Filter functions may also raise an exception if they
+        wish to abort completely
+        
+        @param key: dict key to check
+        @type key: basestring
+        @param val: value to check
+        @type val: any
+        """
+        if not self.__KeyFilter(key):
+            return False
+        
+        elif not self.__valueFilter(val):
+            return False
+        
+        else:
+            return True
+                  
+    def __setitem__(self, key, val):
+        """Enforce type checking when setting new items
+        
+        @param key: key for item to set
+        @type key: any
+        @param val: value to set for this key
+        @type val: any
+        """       
+        if self._verifyKeyValPair(key, val):
+            self.__map[key] = val
+
+    def __getitem__(self, key):
+        """Provide implementation for getting items
+        @param key: key for item to retrieve
+        @type key: any
+        @return: value for input key
+        @rtype: any
+        """
+        if key not in self.__map:
+            raise KeyError('%r key not found in dict' % key)
+        
+        return self.__map[key]
+    
+    def get(self, key, *arg):
+        """Provide implementation of get item with default
+        
+        @param key: key for item to retrieve
+        @type key: any
+        @param arg: use to set a default argument
+        @type arg: tuple
+        """
+        if key in self.__map:
+            return self.__map[key]
+        
+        elif len(arg) > 1:
+            # Default value set
+            return arg[1]
+        else:
+            return None
+
+    def __repr__(self):
+        return repr(self.__map)
+    
+    def keys(self):
+        return self.__map.keys()
+    
+    def items(self):
+        return self.__map.items()
+    
+    def values(self):
+        return self.__map.values()
+    
+    def __contains__(self, val):
+        return self.__map.__contains__(val)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -13 +13 @@
 
 from os import path
-from ConfigParser import SafeConfigParser
+from ConfigParser import SafeConfigParser, ConfigParser
 
 from ndg.xacml.core.context.pipinterface import PIPInterface
@@ -20 +20 @@
 from ndg.saml.saml2.core import (AttributeQuery as SamlAttributeQuery, 
                                  Attribute as SamlAttribute)
-from ndg.saml.utils import TypedList as SamlTypedList
+from ndg.saml.utils import TypedList
 from ndg.saml.saml2.binding.soap.client.attributequery import \
                                             AttributeQuerySslSOAPBinding
                                             
-from ndg.security.common.X509 import X509Cert
+from ndg.security.common.utils import VettedDict
 
 
 class PIP(PIPInterface):
     '''Policy Information Point enables XACML PDP to query for additional user
-    attrbiutes.  The PDP does this indirectly via the Context Handler
+    attributes.  The PDP does this indirectly via the Context Handler   
     '''
     # Subject attributes makes no sense for external configuration - these 
@@ -45 +45 @@
     ATTRIBUTE_QUERY_ATTRNAME_OFFSET = LEN_ATTRIBUTE_QUERY_ATTRNAME + 1
     
-    __slots__ = ('__mappingFilePath',)
+    DEFAULT_OPT_PREFIX = 'saml_pip.'
+
+    __slots__ = (
+        '__subjectAttributeId',
+        '__mappingFilePath', 
+        '__attribute2AttributeAuthorityMap',
+        '__attributeQueryBinding'
+    )
     
     def __init__(self):
         '''Initialise settings for connection to an Attribute Authority'''
-        self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()    
+        self.__subjectAttributeId = None
         self.__mappingFilePath = None
-
+        
+        # Force mapping dict to have string type keys and items
+        _typeCheckers = (lambda val: isinstance(val, basestring),)*2
+        self.__attribute2AttributeAuthorityMap = VettedDict(*_typeCheckers)
+        
+        self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()
+        
+    def _get_subjectAttributeId(self):
+        return self.__subjectAttributeId
+
+    def _set_subjectAttributeId(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "subjectAttributeId"; '
+                            'got %r' % type(value))
+        self.__subjectAttributeId = value
+
+    subjectAttributeId = property(_get_subjectAttributeId, 
+                                  _set_subjectAttributeId,
+                                  doc="The attribute ID of the subject value "
+                                      "to extract from the XACML request "
+                                      "context and pass in the SAML attribute "
+                                      "query")
+                                       
     def _getMappingFilePath(self):
         return self.__mappingFilePath
@@ -59 +88 @@
             raise TypeError('Expecting string type for "mappingFilePath"; got '
                             '%r' % type(value))
-        self.__mappingFilePath = value
+        self.__mappingFilePath = path.expandvars(value)
 
     mappingFilePath = property(_getMappingFilePath, 
                                _setMappingFilePath, 
-                               doc="Mapping File maps attribute IDs to the "
-                                   "Attribute Authorities from which they may "
-                                   "be queried for")
-
+                               doc="Mapping File maps Attribute ID -> "
+"Attribute Authority mapping file.  The PIP, on receipt of a query from the "
+"XACML context handler, checks the attribute(s) being queried for and looks up "
+"this mapping to determine which attribute authority to query to find out if "
+"the subject has the attribute in their entitlement.")
+    
+    attribute2AttributeAuthorityMap = property(
+                    fget=lambda self: self.__attribute2AttributeAuthorityMap,
+                    doc="Mapping from attribute Id to attribute authority "
+                        "endpoint")
+    
+    @property
+    def attributeQueryBinding(self):
+        """SAML SOAP Attribute Query client binding object"""
+        return self.__attributeQueryBinding
+    
     @classmethod
     def fromConfig(cls, cfg, **kw):
@@ -96 +137 @@
             setattr(self, optName, val)
 
-    def parseConfig(self, cfg, prefix='', section='DEFAULT'):
+    def parseConfig(self, cfg, prefix=DEFAULT_OPT_PREFIX, section='DEFAULT'):
         '''Read config settings from a file, config parser object or dict
         
@@ -103 +144 @@
         @type prefix: basestring
         @param prefix: prefix for option names e.g. "attributeQuery."
-        @type section: baestring
+        @type section: basetring
         @param section: configuration file section from which to extract
         parameters.
@@ -109 +150 @@
         if isinstance(cfg, basestring):
             cfgFilePath = path.expandvars(cfg)
-            _cfg = SafeConfigParser()
+            
+            # Add a 'here' helper option for setting dir paths in the config
+            # file
+            hereDir = path.abspath(path.dirname(cfgFilePath))
+            _cfg = SafeConfigParser(defaults={'here': hereDir})
+            
+            # Make option name reading case sensitive
+            _cfg.optionxform = str
             _cfg.read(cfgFilePath)
             items = _cfg.items(section)
@@ -129 +177 @@
                 # Filter attributes based on prefix
                 if optName.startswith(prefix):
-                    self.__setAttr(optName[prefixLen:], val)
+                    setattr(self, optName[prefixLen:], val)
             else:
                 # No prefix set - attempt to set all attributes   
-                self.__setAttr(optName, val)
+                setattr(self, optName, val)
                             
-#    def __setattr__(self, name, value):
-#        """Enable setting of AttributeQuerySslSOAPBinding attributes from
-#        names starting with attributeQuery.* / attributeQuery_*.  Addition for
-#        setting these values from ini file
-#        """
-#
-#        # Coerce into setting AttributeQuerySslSOAPBinding attributes - 
-#        # names must start with 'attributeQuery\W' e.g.
-#        # attributeQuery.clockSkew or attributeQuery_issuerDN
-#        if name.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
-#            queryAttrName = name[
-#                                self.__class__.ATTRIBUTE_QUERY_ATTRNAME_OFFSET:]
-#            
-#            # Skip subject and attribute Id related parameters to prevent 
-#            # settings from static configuration.  These are set from the 
-#            # incoming XACML context
-#            if min([queryAttrName.startswith(i) for i in 
-#                    self.__class__.DISALLOWED_ATTRIBUTE_QUERY_OPTNAMES]):
-#                super(PIP, self).__setattr__(name, value)
-#                
-#            setattr(self.__attributeQueryBinding, queryAttrName, value)
-#        else:
-#            super(PIP, self).__setattr__(name, value)    
-
+    def __setattr__(self, name, value):
+        """Enable setting of AttributeQuerySslSOAPBinding attributes from
+        names starting with attributeQuery.* / attributeQuery_*.  Addition for
+        setting these values from ini file
+        """
+
+        # Coerce into setting AttributeQuerySslSOAPBinding attributes - 
+        # names must start with 'attributeQuery\W' e.g.
+        # attributeQuery.clockSkewTolerance or attributeQuery_issuerDN
+        if name.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
+            queryAttrName = name[
+                                self.__class__.ATTRIBUTE_QUERY_ATTRNAME_OFFSET:]
+            
+            # Skip subject related parameters to prevent settings from static
+            # configuration.  These are set at runtime
+            if min([queryAttrName.startswith(i) 
+                    for i in self.__class__.DISALLOWED_ATTRIBUTE_QUERY_OPTNAMES
+                    ]):
+                super(PIP, self).__setattr__(name, value)
+                
+            setattr(self.__attributeQueryBinding, queryAttrName, value)
+        else:
+            super(PIP, self).__setattr__(name, value)    
     
     def readMappingFile(self):
@@ -163 +210 @@
         """
         mappingFile = open(self.mappingFilePath)
-        self.__attribute2AttributeAuthorityMap = dict()
-        for line in mappingFile.readline():
-            if not line.startswith('#'):
-                attributeId, attributeAuthorityURI = line.split()
+        for line in mappingFile.readlines():
+            _line = path.expandvars(line).strip()
+            if _line and not _line.startswith('#'):
+                attributeId, attributeAuthorityURI = _line.split()
                 self.__attribute2AttributeAuthorityMap[attributeId
                                                        ] = attributeAuthorityURI
@@ -182 +229 @@
                             (Request, type(context)))
         
-        # TODO: Check for cached attributes for this subject (i.e. user)
-        
+        # TODO: Check for cached attributes for this subject (i.e. user)        
         # If none found send a query to the attribute authority
-        
-        # TODO: Look-up the attribute authority corresponding to the query
-
-#        attributeAuthorityURI = self.__attribute2AttributeAuthorityMap.get(
-#                                                                attributeName)
-        attributeAuthorityURI = 'https://localhost:7443/AttributeAuthority'
-                        
+
+        # Look up mapping from request attribute ID to Attribute Authority to
+        # query 
+        attributeAuthorityURI = self.__attribute2AttributeAuthorityMap.get(
+                                            attributeDesignator.attributeId,
+                                            None)
+        if attributeAuthorityURI is None:
+            log.debug("No matching attribute authority endpoint found in "
+                      "mapping file %r for input attribute ID %r", 
+                      self.mappingFilePath,
+                      attributeDesignator.attributeId)
+            
+            return []
+        
         # Get subject from the request context
-        # TODO: parameterise data type setting
         subjectId = None
         for subject in context.subjects:
             for attribute in subject.attributes:
-                if attribute.dataType == 'urn:esg:openid':
+                if attribute.attributeId == self.subjectAttributeId:
                     if len(attribute.attributeValues) != 1:
                         raise Exception("Expecting a single attribute value "
@@ -210 +262 @@
         else:
             # Keep a reference to the matching Subject instance
-            _subject = subject
+            xacmlCtxSubject = subject
             
         # Get the id of the attribute to be queried for and add it to the SAML
@@ -218 +270 @@
         samlAttribute.name = attributeDesignator.attributeId
         samlAttribute.nameFormat = attributeFormat
-        attributeQueryBinding.query.attributes.append(samlAttribute)
-        
-        
-        attributeQueryBinding.subjectID = subjectId
-        response = attributeQueryBinding.send(uri=attributeAuthorityURI)
+        self.attributeQueryBinding.query.attributes.append(samlAttribute)
+        
+        # Dispatch query
+        try:
+            self.attributeQueryBinding.subjectID = subjectId
+            self.attributeQueryBinding.subjectIdFormat = self.subjectAttributeId
+            response = self.attributeQueryBinding.send(
+                                                    uri=attributeAuthorityURI)
+        finally:
+            # !Ensure relevant query attributes are reset ready for any 
+            # subsequent query!
+            self.attributeQueryBinding.subjectID = ''
+            self.attributeQueryBinding.subjectIdFormat = ''
+            self.attributeQueryBinding.query.attributes = TypedList(
+                                                                SamlAttribute)
         
         # Unpack SAML assertion attribute values corresponding to the name 
@@ -234 +296 @@
         
         # Update the XACML request context subject with the new attributes
-        _subject.attributes.append(attributeValues)
+        xacmlCtxSubject.attributes.append(attributeValues)
         
         # Return the attributes to the caller to comply with the interface