Changeset 7337 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

18/08/10 14:09:19 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• renamed authz_lite integration test - 'full_system', started adding in Authorisation Service.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system

Files:

• . (moved) (moved from TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite)
• pip-mapping.txt (added)
• policy.xml (modified) (1 diff)
• securityservices.ini (modified) (4 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="AuthZ Lite - Authorisation Integration Tests" xmlns="urn:ndg:security:authz:1.1:policy">
-    <Description>Restrict access for Authorization integration tests</Description>
+<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
+    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
+    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+    <Description>
+        Example for NDG Security unit tests: allow access for resource URIs 
+        defined in the rules.  All other URIs are blocked from access
+        
+        See ndg.security.test.unit.wsgi.authz.test_authz to see the various 
+        rules tested out
+    </Description>
     
+    <!-- 
+        The Policy target(s) define which requests apply to the whole policy
+    -->
     <Target>
-        <URIPattern>^/test_securedURI*$</URIPattern>
-        <Attributes>
-            <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
-            </Attribute>
-        </Attributes>
-    </Target>
-    <Target>
-        <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
-        <Attributes>
-            <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
-            </Attribute>
-            <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
-                <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
-            </Attribute>
-        </Attributes>
-    </Target>
+        <Resources>
+            <Resource>
+                <!-- Pattern match all request URIs beginning with / -->
+                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <ResourceAttributeDesignator
+                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
+                </ResourceMatch>
+            </Resource>
+        </Resources>
+    </Target>   
+    
+    <!-- Deny everything by default -->
+    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
+    <!-- 
+        Following rules punch holes through the deny everything rule above
+        because the rule combining algorithm is set to permit overrides - see 
+        Policy element above
+    -->
+    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
+        <!-- 
+            Define a URI with public access
+            
+            Rule target(s) define which requests apply to the particular rule
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+
+    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
+        <!-- 
+            Define URIs which this policy permits but for which the underlying
+            app returns 40x HTTP response
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+    
+    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
+        <!-- 
+            Secure a URI path and all sub-paths using a regular expression to 
+            define a URI pattern
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Pattern match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        
+        <!-- 
+            The condition narrows down the constraints layed down in the target to
+            something more specific
+            
+            The user must have at least one of the roles set - in this
+            case 'staff'
+        -->
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:siteA:security:authz:1.0:attr" 
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:siteA:security:authz:1.0:attr" 
+                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
+        <!-- 
+            This rule is a modified version of the above to allow for a real use
+            case where adding a special query argument grants extra privileges
+            associated with an administrator
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:siteA:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+        </Target>
+    </Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

@@ -2 +2 @@
 # NERC DataGrid Security
 #
-# Paste configuration for combined Attribute Authority, OpenID Relying Party 
-# and Provider services
+# Paste configuration for combined SAML Attribute Authority and Authorisation
+# Services, OpenID Relying Party and Provider services and SSL client 
+# authentication filters.  This is for test purposes only.  A production system
+# might deploy these on different hosts or separate WSGI scripts.
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -27 +29 @@
 attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface
 
+# ... and Authorisation Service
+authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface
+
 dbConnectionString = sqlite:///%(testConfigDir)s/user.db
 
@@ -57 +62 @@
 pipeline = AttributeAuthorityFilter 
            AttributeAuthoritySamlSoapBindingFilter
+           AuthorisationServiceFilter
+           AuthorisationSamlSoapBindingFilter
                    SessionMiddlewareFilter
                    SSLCientAuthKitFilter
@@ -378 +385 @@
 saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
 
+#______________________________________________________________________________
+# SAML/SOAP query interface to the Authorisation Service
+[filter:AuthorisationSamlSoapBindingFilter]
+paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
+prefix = saml.
+
+# The URI path for this service
+saml.mountPath = /AuthorisationService
+
+# The key name in environ which the upstream authorisation service must assign
+# to its authorisation query callback - see the AuthorisationServiceFilter 
+# settings below...
+saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s
+
+# ElementTree based XML parsing and serialisation used for SAML messages
+saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
+saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML
+
+# Sets the identity of THIS authorisation service when filling in SAML responses
+saml.issuerName = /O=Test/OU=Authorisation Service
+saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+
+#______________________________________________________________________________
+# Authorisation Service WSGI settings
+[filter:AuthorisationServiceFilter]
+# This filter is a container for a binding to a SOAP/SAML based interface to the
+# Authorisation Service.  It contains a XACML Context handler which manages
+# requests from Policy Enforcement Points to the PDP and also enables the PDP
+# to make attribute queries to Policy Information Point
+paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
+prefix = authz.
+
+# Expose this filter's authorisation decision query callback via this key name
+# in environ
+authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s
+
+# Lifetime for authorisation assertions issued from this service
+authz.xacmlContext.assertionLifetime = 86400
+
+#
+# XACML Context handler manages PEP (Policy Information Point) requests and the 
+# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point)
+# 
+
+# XACML Policy file
+authz.ctx_handler.policyFilePath = %(here)s/policy.xml
+
+# Settings for SAML authorisation decision response to a Policy Enforcement Point
+# making a decision query
+authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost
+authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+authz.ctx_handler.assertionLifetime = 86400
+
+#
+# Policy Information Point interface settings
+#
+# The Context handler is a client to the PIP, passing on attribute queries 
+# on behalf of the PDP onwards to the PIP
+
+# 
+# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a 
+# query from the XACML context handler, checks the attribute(s) being queried 
+# for and looks up this mapping to determine which attribute authority to query 
+# to find out if the subject has the attribute in their entitlement
+authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt
+
+# The attribute ID of the subject value to extract from the XACML request
+# context and pass in the SAML attribute query
+authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid
+
+# The context handler 
+authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
+authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s
+
+# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
+authz.ctx_handler.pip.attributeQuery.sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.crt
+authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.key
+authz.ctx_handler.pip.attributeQuery.sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
+
 # Logging configuration
 [loggers]