Changeset 7350
- Timestamp:
- 20/08/10 15:42:14 (10 years ago)
- Location:
- TI12-security/trunk/NDGSecurity/python
- Files:
-
- 18 edited
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
r7292 r7350 128 128 @type: defPaths: dict 129 129 130 @cvar FORM_MATCH_TEXT: use in _displayResponse method to detect whether to 131 wrap the response in the FORM_RESP_WRAPPER_TMPL Javascript. This is only 132 needed when this Provider is return key/values pairs back to the RP as 133 a POST'ed form 134 135 @type FORM_MATCH_TEXT: basestring 136 130 137 @cvar FORM_RESP_WRAPPER_TMPL: If the response to the Relying Party is too 131 138 long it's rendered as form with the POST method instead of query arguments … … 134 141 below... 135 142 @type FORM_RESP_WRAPPER_TMPL: basestring""" 136 143 144 FORM_MATCH_TEXT = '<form' 137 145 FORM_RESP_WRAPPER_TMPL = """<html> 138 146 <head> … … 1335 1343 # If the content length exceeds the maximum to represent on a URL, it's 1336 1344 # rendered as a form instead 1337 # FIXME: Commented out oidResponse.renderAsForm() test as it doesn't 1338 # give consistent answers. Testing based on body content should work 1339 # OK 1340 if webresponse.body: 1341 #if oidResponse.renderAsForm(): 1345 # FIXME: Got rid out oidResponse.renderAsForm() test as it doesn't 1346 # give consistent answers. 1347 # 1348 # The FORM_MATCH_TEXT test detects whether the response needs to be 1349 # wrapped in the FORM_RESP_WRAPPER_TMPL Javascript. This is only 1350 # needed when this Provider is return key/values pairs back to the RP as 1351 # a POST'ed form 1352 if webresponse.body.startswith( 1353 OpenIDProviderMiddleware.FORM_MATCH_TEXT): 1342 1354 # Wrap in HTML with Javascript OnLoad to submit the form 1343 1355 # automatically without user intervention -
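Review bot: The new guard at new lines 1352-1353 drops the truthiness test that `if webresponse.body:` used to provide, so a `None` body now raises AttributeError on `.startswith`, and a body with leading whitespace or an upper-case `<FORM` tag silently misses the JavaScript wrapper and is sent back unwrapped. Suggest `body = webresponse.body or ''` followed by `if body.lstrip().lower().startswith(OpenIDProviderMiddleware.FORM_MATCH_TEXT):`, which keeps the old empty-body behaviour and makes the prefix sniff tolerant of the formatting the library emits. The class docstring added at new lines 130-133 and the FIXME at 1345-1351 both read "when this Provider is return key/values pairs" and "Got rid out", i.e. "is returning" and "Got rid of". The enclosing `_displayResponse` method starts before and continues after the hunk.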
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/serveryadis.xml
r7292 r7350 1 1 <?xml version="1.0" encoding="UTF-8"?> 2 2 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 3 <XRD>4 <Service priority="0">5 <Type>$openid20type</Type>6 <URI>$endpoint_url</URI>7 </Service>8 </XRD>9 3 <XRD> 10 4 <Service priority="1"> … … 19 13 </Service> 20 14 </XRD> 15 <XRD> 16 <Service priority="0"> 17 <Type>$openid20type</Type> 18 <URI>$endpoint_url</URI> 19 </Service> 20 </XRD> 21 21 </xrds:XRDS> -
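Review bot: The reorder moves the OpenID 2.0 `<Service priority="0">` into the final `<XRD>` of serveryadis.xml, and the yadis.xml section makes the same move, but neither template records why the position matters. Yadis consumers select the last XRD element in the XRDS document, so the order is load-bearing and a later tidy-up could put the service back at the top and break discovery. Suggest an XML comment above the final XRD in both templates, e.g. `<!-- Keep this XRD last: Yadis consumers read the final XRD element -->`.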
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/yadis.xml
r7298 r7350 1 1 <?xml version="1.0" encoding="UTF-8"?> 2 2 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 3 <XRD>4 <Service priority="0">5 <Type>$openid20type</Type>6 <Type>$openid10type</Type>7 <URI>$endpoint_url</URI>8 <LocalID>$user_url</LocalID>9 </Service>10 </XRD>11 3 <XRD> 12 4 <Service priority="1"> … … 37 29 </Service> 38 30 </XRD> 31 <XRD> 32 <Service priority="0"> 33 <Type>$openid20type</Type> 34 <Type>$openid10type</Type> 35 <URI>$endpoint_url</URI> 36 <LocalID>$user_url</LocalID> 37 </Service> 38 </XRD> 39 39 </xrds:XRDS> -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html
r7077 r7350 34 34 <div id="aboutOpenID" class="hidden"> 35 35 <div class="helptxt"> 36 <p><a href="http://openid.net/get-an-openid/what-is-openid/ >OpenID">OpenID</a> is a36 <p><a href="http://openid.net/get-an-openid/what-is-openid/">OpenID</a> is a 37 37 technology which enables you to sign in at different websites using the same 38 38 identity. Rather than having to remember usernames/passwords for all the -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
r7335 r7350 312 312 samlAuthzDecisionStatement.decision = _saml.DecisionType.PERMIT 313 313 314 elif (xacmlResponse.results[0].decision == 315 _xacmlContext.result.Decision.INDETERMINATE): 316 log.info("PDP returned a status of [%s] denying access for URI " 317 "path [%s]", _xacmlContext.result.Decision.INDETERMINATE, 318 samlAuthzDecisionQuery.resource) 314 # Nb. Mapping XACML NotApplicable => SAML INDETERMINATE 315 elif (xacmlResponse.results[0].decision in 316 (_xacmlContext.result.Decision.INDETERMINATE, 317 _xacmlContext.result.Decision.NOT_APPLICABLE)): 318 log.info("PDP returned a status of [%s] for URI path [%s]; " 319 "mapping to SAML response [%s] ...", 320 xacmlResponse.results[0].decision, 321 samlAuthzDecisionQuery.resource, 322 _saml.DecisionType.INDETERMINATE) 319 323 320 324 samlAuthzDecisionStatement.decision = \ -
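Review bot: The widened branch at new lines 315-317 sends both INDETERMINATE and NOT_APPLICABLE into the SAML INDETERMINATE assignment that follows the hunk, and the old log text "denying access" is gone, so nothing in this branch now states that the outcome withholds access. Whether the mapping is safe depends on the PEP treating a SAML INDETERMINATE as deny; that code is not visible here, so record the assumption in the comment: `# Nb. Mapping XACML NotApplicable => SAML INDETERMINATE; the PEP is expected to treat INDETERMINATE as deny (fail closed)`. `xacmlResponse.results[0].decision` is also read three times in the branch; binding it once to a local before the if/elif chain (`decision = xacmlResponse.results[0].decision`) would make the mapping easier to read. The enclosing function starts before and continues after the hunk.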
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py
r7335 r7350 284 284 'request context' % 285 285 self.subjectAttributeId) 286 elif not subjectId: 287 # Empty string 288 return None 286 289 else: 287 290 # Keep a reference to the matching Subject instance -
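Review bot: The added `elif not subjectId: return None` at new lines 286-288 makes an empty subject ID indistinguishable, to the caller, from a query that simply found nothing, and unlike the preceding branch it leaves no trace in the log. An empty subject in an authorisation request is worth recording, so if the module has a logger add a warning before the return, and replace the `# Empty string` comment with one that says what the caller receives, e.g. `# Empty subject ID: no attribute query is possible; the caller receives None`. I can't see the caller from the hunk, so how it handles None should be confirmed. The enclosing method starts before and continues after the hunk.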
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
r7335 r7350 136 136 DataType="http://www.w3.org/2001/XMLSchema#string"/> 137 137 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 138 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> urn:siteA:security:authz:1.0:attr:staff</AttributeValue>139 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>138 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 139 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> 140 140 </Apply> 141 141 </Apply> -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
r7077 r7350 88 88 </html> 89 89 """ % (AuthZTestApp.header, 90 '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)90 '\n'.join(['<li><a href="%s">%s</a></li>' % (link, link) 91 91 for link,name in self.method.items() if name != 'default']) 92 92 ) … … 208 208 <body> 209 209 <h1>Logged Out</h1> 210 <p>Successfully redirected to specified return to U IRquery argument210 <p>Successfully redirected to specified return to URI query argument 211 211 ndg.security.logout.r=%s following logout. 212 212 <a href="/">Return to tests</a></p> -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py
r7077 r7350 27 27 if userId.endswith("/openid/PhilipKershaw"): 28 28 return [ 29 ' urn:siteA:security:authz:1.0:attr:postdoc',30 ' urn:siteA:security:authz:1.0:attr:staff',31 'u rn:siteA:security:authz:1.0:attr:undergrad',32 ' urn:siteA:security:authz:1.0:attr:coapec'29 'postdoc', 30 'staff', 31 'undergrad', 32 'coapec' 33 33 ] 34 34 elif userId == 'test': 35 35 return [ 36 ' urn:siteA:security:authz:1.0:attr:staff',36 'staff', 37 37 ] 38 38 else: 39 return [' urn:siteA:security:authz:1.0:attr:guest']39 return ['guest'] -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt
r7337 r7350 19 19 20 20 # Entries are whitespace delimited <attribute id> <attribute authority> 21 urn:siteA:security:authz:1.0:attr https://localhost: 5443/AttributeAuthority21 urn:siteA:security:authz:1.0:attr https://localhost:7443/AttributeAuthority 22 22 myattributeid https://myattributeauthority.ac.uk/ 23 23 http://someotherattributeid.schema https://another.ac.uk/attributeservice/ -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml
r7337 r7350 24 24 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 25 25 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 26 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost /.*$</AttributeValue>26 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue> 27 27 </ResourceMatch> 28 28 </Resource> … … 47 47 <Resource> 48 48 <!-- Match the request URI --> 49 <ResourceMatch MatchId="urn:oasis:names:tc:xacml: 1.0:function:anyURI-equal">49 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 50 50 <ResourceAttributeDesignator 51 51 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 52 52 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 53 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"> http://localhost/test_200</AttributeValue>53 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$</AttributeValue> 54 54 </ResourceMatch> 55 55 </Resource> … … 58 58 </Rule> 59 59 60 <Rule RuleId="urn:ndg:security: underlying-app-denies-access-uri" Effect="Permit">60 <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit"> 61 61 <!-- 62 De fine URIs which this policy permits but for which the underlying63 app returns 40x HTTP response62 Demonstrate a URI secured with an attribute which the test user 63 doesn't have 64 64 --> 65 65 <Target> … … 71 71 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 72 72 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 73 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"> http://localhost/test_40[13]</AttributeValue>73 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue> 74 74 </ResourceMatch> 75 75 </Resource> 76 76 </Resources> 77 <Subjects> 78 <Subject> 
79 <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 80 <SubjectAttributeDesignator 81 AttributeId="urn:siteA:security:authz:1.0:attr" 82 DataType="http://www.w3.org/2001/XMLSchema#string"/> 83 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue> 84 </SubjectMatch> 85 </Subject> 86 </Subjects> 77 87 </Target> 78 88 </Rule> … … 86 96 <Resources> 87 97 <Resource> 88 <!-- Pattern match the request URI-->89 <ResourceMatch MatchId="urn:oasis:names:tc:xacml: 2.0:function:anyURI-regexp-match">98 <!-- Match 'test_securedURI' --> 99 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 90 100 <ResourceAttributeDesignator 91 101 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 92 102 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 93 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI"> ^http://localhost/test_securedURI.*$</AttributeValue>103 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue> 94 104 </ResourceMatch> 95 105 </Resource> … … 117 127 </Condition> 118 128 </Rule> 119 <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">120 <Target>121 <Resources>122 <Resource>123 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">124 <ResourceAttributeDesignator125 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"126 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>127 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>128 </ResourceMatch>129 </Resource>130 </Resources>131 </Target>132 <Condition>133 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">134 <SubjectAttributeDesignator135 AttributeId="urn:siteA:security:authz:1.0:attr"136 DataType="http://www.w3.org/2001/XMLSchema#string"/>137 <Apply 
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">138 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>139 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>140 </Apply>141 </Apply>142 </Condition>143 </Rule>144 <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">145 <!--146 This rule is a modified version of the above to allow for a real use147 case where adding a special query argument grants extra privileges148 associated with an administrator149 -->150 <Target>151 <Resources>152 <Resource>153 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">154 <ResourceAttributeDesignator155 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"156 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>157 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>158 </ResourceMatch>159 </Resource>160 </Resources>161 <Subjects>162 <Subject>163 <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">164 <SubjectAttributeDesignator165 AttributeId="urn:siteA:security:authz:1.0:attr"166 DataType="http://www.w3.org/2001/XMLSchema#string"/>167 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>168 </SubjectMatch>169 </Subject>170 </Subjects>171 </Target>172 </Rule>173 129 </Policy> -
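Review bot: The new AttributeValue at new line 73, `^http://localhost:7080/test_accessDeniedToSecuredURI`, is anchored at the start only; if the MatchId above it (outside the visible context) is a regexp match, it also matches `test_accessDeniedToSecuredURI_anything` and query-string variants, and since this rule is a Permit gated on `special-privileges` that widens the permitted resource set beyond the one test URI. Add the closing anchor: `^http://localhost:7080/test_accessDeniedToSecuredURI$`. The secured-URI rule at new line 103 went the other way, from a regexp to an exact `anyURI-equal`, so a request carrying a query string no longer matches it and falls through to whatever the combining algorithm and default give; a comment on that rule saying this is intended would save the next reader a check. The rule-combining algorithm and the policy-level Target are outside the hunk.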
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
r7341 r7350 30 30 pipeline = BeakerSessionFilter 31 31 AuthenticationFilter 32 PolicyEnforcementPointFilter32 AuthorisationFilter 33 33 AuthZTestApp 34 34 … … 82 82 83 83 # 84 # Policy Enforcement Point enforces access control decisions made by the 85 # Authorisation Service 86 [filter:PolicyEnforcementPointFilter] 87 paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory 88 prefix = pep. 84 # Authorisation filter contains a Policy Enforcement Point which enforces access 85 # control decisions made by the Authorisation Service 86 [filter:AuthorisationFilter] 87 paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory 88 89 # Result handler handles the response for HTTP 403 responses set by the 90 # application or the PEP. 91 resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware 92 resultHandler.staticContentDir = %(here)s/pep_result_handler 93 94 # Settings for the PEP (Policy Enforcement Point) 89 95 pep.sessionKey = beaker.session.ndg.security 90 96 pep.authzServiceURI = https://localhost:7443/AuthorisationService -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
r7341 r7350 375 375 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML 376 376 377 saml.soapbinding. pathMatchList= /AttributeAuthority377 saml.soapbinding.mountPath = /AttributeAuthority 378 378 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s 379 379 … … 404 404 405 405 # Sets the identity of THIS authorisation service when filling in SAML responses 406 saml.issuerName = /O= Test/OU=Authorisation Service406 saml.issuerName = /O=Site A/CN=Authorisation Service 407 407 saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 408 408 … … 426 426 # 427 427 # XACML Context handler manages PEP (Policy Information Point) requests and the 428 # PDP's (Policy Decis on Point's) interface to the PIP (Policy Information Point)429 # 428 # PDP's (Policy Decision Point's) interface to the PIP (Policy Information 429 # Point) 430 430 431 431 # XACML Policy file … … 434 434 # Settings for SAML authorisation decision response to a Policy Enforcement Point 435 435 # making a decision query 436 authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost436 authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service 437 437 authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 438 438 authz.ctx_handler.assertionLifetime = 86400 -
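Review bot: `saml.issuerName` (new line 406) and `authz.ctx_handler.issuerName` (new line 436) now carry the same issuer DN as two independent literals, which will drift on the next edit; the file already uses interpolation (`%(attributeQueryInterfaceEnvironKeyName)s`), so define it once, e.g. `authzIssuerName = /O=Site A/CN=Authorisation Service`, and set both keys to `%(authzIssuerName)s`. The ctx_handler value also switched from RFC 2253 style (`O=NDG, OU=Security, CN=localhost`) to OpenSSL slash style; both keys declare the `x509SubjectName` format, so whichever string the PEP side compares the issuer against must match exactly, and that configuration is not in this file.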
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
r7335 r7350 120 120 121 121 ATTRIBUTE_VALUES = ( 122 ' urn:siteA:security:authz:1.0:attr:postdoc',123 ' urn:siteA:security:authz:1.0:attr:staff',124 'u rn:siteA:security:authz:1.0:attr:undergrad',125 ' urn:siteA:security:authz:1.0:attr:coapec',126 ' urn:siteA:security:authz:1.0:attr:rapid',127 ' urn:siteA:security:authz:1.0:attr:admin'122 'postdoc', 123 'staff', 124 'undergrad', 125 'coapec', 126 'rapid', 127 'admin' 128 128 ) 129 129 N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES) -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml
r7077 r7350 6 6 <URIPattern>^/test_securedURI*$</URIPattern> 7 7 <Attributes> 8 <Attribute> urn:siteA:security:authz:1.0:attr:staff</Attribute>8 <Attribute>staff</Attribute> 9 9 </Attributes> 10 10 <AttributeAuthority> … … 15 15 <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern> 16 16 <Attributes> 17 <Attribute> urn:siteA:security:authz:1.0:attr:forbidden</Attribute>18 <Attribute> urn:siteA:security:authz:1.0:attr:keepout</Attribute>17 <Attribute>forbidden</Attribute> 18 <Attribute>keepout</Attribute> 19 19 </Attributes> 20 20 <AttributeAuthority> -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
r7077 r7350 7 7 <Attributes> 8 8 <Attribute> 9 <Name> urn:siteA:security:authz:1.0:attr:staff</Name>9 <Name>staff</Name> 10 10 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 11 11 </Attribute> … … 16 16 <Attributes> 17 17 <Attribute> 18 <Name> urn:siteA:security:authz:1.0:attr:forbidden</Name>18 <Name>forbidden</Name> 19 19 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 20 20 </Attribute> 21 21 <Attribute> 22 <Name> urn:siteA:security:authz:1.0:attr:keepout</Name>22 <Name>keepout</Name> 23 23 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 24 24 </Attribute> … … 30 30 <Attributes> 31 31 <Attribute> 32 <Name> urn:siteA:security:authz:1.0:attr:staff</Name>32 <Name>staff</Name> 33 33 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 34 34 </Attribute> -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml
r7077 r7350 7 7 <Attributes> 8 8 <Attribute> 9 <Name> urn:siteA:security:authz:1.0:attr:staff</Name>9 <Name>staff</Name> 10 10 <!-- Endpoint is for SOAP/SAML based ESG Interface --> 11 11 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> … … 17 17 <Attributes> 18 18 <Attribute> 19 <Name> urn:siteA:security:authz:1.0:attr:forbidden</Name>19 <Name>forbidden</Name> 20 20 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> 21 21 </Attribute> … … 34 34 <Attributes> 35 35 <Attribute> 36 <Name> urn:siteA:security:authz:1.0:attr:admin</Name>36 <Name>admin</Name> 37 37 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> 38 38 </Attribute> -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml
r7077 r7350 56 56 57 57 The user must have at least one of the roles set - in this 58 case ' urn:siteA:security:authz:1.0:attr:staff'58 case 'staff' 59 59 --> 60 60 <Condition>