Changeset 7335

Timestamp:

18/08/10 10:06:33 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• first working e2e test with PEP calling a SAML Authorisation service configured with PIP to make callouts to an Attribute Authority to pull user attributes. This meets the ESG requirements. Next steps:
  • integrate with ndg.security.test.integration.authz_lite browser based integration tests
  • optimise by adding caching of authz decisions to PEP and possibly caching attribute assertions in the PEP.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (9 diffs)
• ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -104 +104 @@
         obj.parseConfig(cfg, **kw)
         
+        # Post initialisation steps - load policy and PIP mapping file
         if obj.policyFilePath:
             obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
                                            XacmlPolicyReaderFactory)
+        
+        if obj.pip.mappingFilePath:
+            obj.pip.readMappingFile()
             
         return obj
@@ -201 +205 @@
         obj.parseKeywords(prefix=prefix, **kw)
         
+        # Post initialisation steps - load policy and PIP mapping file
         if obj.policyFilePath:
             obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
                                            XacmlPolicyReaderFactory)
-                    
+        
+        if obj.pip.mappingFilePath:
+            obj.pip.readMappingFile()
+                       
         return obj
                                        

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -31 +31 @@
 
 
+class PIPException(Exception):
+    """Base exception type for XACML PIP (Policy Information Point) class"""
+    
+    
+class PIPConfigException(PIPException):
+    """Configuration errors related to the XACML PIP (Policy Information Point) 
+    class
+    """
+
+
+class PIPRequestCtxException(PIPException):
+    """Error with request context passed to XACML PIP object's attribute query
+    """
+    
+    
 class PIP(PIPInterface):
     '''Policy Information Point enables XACML PDP to query for additional user
@@ -56 +71 @@
         '__subjectAttributeId',
         '__mappingFilePath', 
-        '__attribute2AttributeAuthorityMap',
+        '__attributeId2AttributeAuthorityMap',
         '__attributeQueryBinding'
     )
@@ -67 +82 @@
         # Force mapping dict to have string type keys and items
         _typeCheckers = (lambda val: isinstance(val, basestring),)*2
-        self.__attribute2AttributeAuthorityMap = VettedDict(*_typeCheckers)
+        self.__attributeId2AttributeAuthorityMap = VettedDict(*_typeCheckers)
         
         self.__attributeQueryBinding = AttributeQuerySslSOAPBinding()
@@ -105 +120 @@
     
     attribute2AttributeAuthorityMap = property(
-                    fget=lambda self: self.__attribute2AttributeAuthorityMap,
+                    fget=lambda self: self.__attributeId2AttributeAuthorityMap,
                     doc="Mapping from attribute Id to attribute authority "
                         "endpoint")
@@ -204 +219 @@
             if _line and not _line.startswith('#'):
                 attributeId, attributeAuthorityURI = _line.split()
-                self.__attribute2AttributeAuthorityMap[attributeId
+                self.__attributeId2AttributeAuthorityMap[attributeId
                                                        ] = attributeAuthorityURI
         
@@ -219 +234 @@
         @return: attribute values found for query subject or None if none 
         could be found
+        @raise PIPConfigException: if attribute ID -> Attribute Authority mapping is
+        empty  
         """
         
@@ -237 +254 @@
         # Look up mapping from request attribute ID to Attribute Authority to
         # query 
-        attributeAuthorityURI = self.__attribute2AttributeAuthorityMap.get(
+        if len(self.__attributeId2AttributeAuthorityMap) == 0:
+            raise PIPConfigException('No entries found in attribute ID to '
+                                     'Attribute Authority mapping')
+            
+        attributeAuthorityURI = self.__attributeId2AttributeAuthorityMap.get(
                                             attributeDesignator.attributeId,
                                             None)
@@ -260 +281 @@
         
         if subjectId is None:
-            # TODO: parameterise data type setting
-            raise Exception('No subject found of type %r in request context' %
-                            'urn:esg:openid')
+            raise PIPRequestCtxException('No subject found of type %r in '
+                                         'request context' %
+                                         self.subjectAttributeId)
         else:
             # Keep a reference to the matching Subject instance
@@ -281 +302 @@
             response = self.attributeQueryBinding.send(
                                                     uri=attributeAuthorityURI)
+        except Exception:
+            log.exception('Error querying Attribute service %r with subject %r',
+                          attributeAuthorityURI,
+                          subjectId)
+            raise
         finally:
             # !Ensure relevant query attributes are reset ready for any 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

@@ -107 +107 @@
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                 <SubjectAttributeDesignator 
-                    AttributeId="urn:ndg:security:authz:1.0:attr" 
+                    AttributeId="urn:siteA:security:authz:1.0:attr" 
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
@@ -133 +133 @@
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                 <SubjectAttributeDesignator 
-                    AttributeId="urn:ndg:security:authz:1.0:attr" 
+                    AttributeId="urn:siteA:security:authz:1.0:attr" 
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
                 </Apply>
             </Apply>
@@ -163 +163 @@
                     <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                         <SubjectAttributeDesignator 
-                            AttributeId="urn:ndg:security:authz:1.0:attr" 
+                            AttributeId="urn:siteA:security:authz:1.0:attr" 
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>
                     </SubjectMatch>
                 </Subject>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -124 +124 @@
         'urn:siteA:security:authz:1.0:attr:undergrad', 
         'urn:siteA:security:authz:1.0:attr:coapec',
-        'urn:siteA:security:authz:1.0:attr:rapid'
+        'urn:siteA:security:authz:1.0:attr:rapid',
+        'urn:siteA:security:authz:1.0:attr:admin'
     )
     N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES)