Changeset 7350

Timestamp:

20/08/10 15:42:14 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• Working version integrated with the ndg.security.test.integration.full_system test. This secures a test HTTP app with the XACML based authorisation called over a SAML interface from a PEP in the app's authorisation middleware
• Some tuning is needed to optimise performance:
  • caching of attribute queries in the PEP
  • Possible additional PDP in the authorisation filter to filter out some requests from being routed to the SAML authorisation service.
  • possible caching of authorisation decisions at the PEP as another way of avoiding the authorisation service round-trips.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (3 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/serveryadis.xml (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/yadis.xml (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html (modified) (1 diff)
• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/__init__.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/full_system/policy.xml (modified) (6 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -128 +128 @@
     @type: defPaths: dict
     
+    @cvar FORM_MATCH_TEXT: use in _displayResponse method to detect whether to
+    wrap the response in the FORM_RESP_WRAPPER_TMPL Javascript.  This is only
+    needed when this Provider is return key/values pairs back to the RP as 
+    a POST'ed form
+    
+    @type FORM_MATCH_TEXT: basestring
+    
     @cvar FORM_RESP_WRAPPER_TMPL: If the response to the Relying Party is too 
     long it's rendered as form with the POST method instead of query arguments 
@@ -134 +141 @@
     below...
     @type FORM_RESP_WRAPPER_TMPL: basestring"""
-    
+
+    FORM_MATCH_TEXT = '<form'    
     FORM_RESP_WRAPPER_TMPL = """<html>
     <head>
@@ -1335 +1343 @@
         # If the content length exceeds the maximum to represent on a URL, it's
         # rendered as a form instead
-        # FIXME: Commented out oidResponse.renderAsForm() test as it doesn't 
-        # give consistent answers.  Testing based on body content should work
-        # OK
-        if webresponse.body:
-        #if oidResponse.renderAsForm():
+        # FIXME: Got rid out oidResponse.renderAsForm() test as it doesn't 
+        # give consistent answers.  
+        #
+        # The FORM_MATCH_TEXT test detects whether the response needs to be 
+        # wrapped in the FORM_RESP_WRAPPER_TMPL Javascript.  This is only
+        # needed when this Provider is return key/values pairs back to the RP as 
+        # a POST'ed form
+        if webresponse.body.startswith(
+                                    OpenIDProviderMiddleware.FORM_MATCH_TEXT):
             # Wrap in HTML with Javascript OnLoad to submit the form
             # automatically without user intervention

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/serveryadis.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
-    <XRD>
-        <Service priority="0">
-            <Type>$openid20type</Type>
-            <URI>$endpoint_url</URI>
-        </Service>
-    </XRD>
     <XRD>
         <Service priority="1">
@@ -19 +13 @@
         </Service>
     </XRD>
+    <XRD>
+        <Service priority="0">
+            <Type>$openid20type</Type>
+            <URI>$endpoint_url</URI>
+        </Service>
+    </XRD>
 </xrds:XRDS>

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/yadis.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
-    <XRD>
-        <Service priority="0">
-            <Type>$openid20type</Type>
-            <Type>$openid10type</Type>
-            <URI>$endpoint_url</URI>
-            <LocalID>$user_url</LocalID>
-        </Service>
-    </XRD>
     <XRD>
         <Service priority="1">
@@ -37 +29 @@
         </Service>
     </XRD>
+    <XRD>
+        <Service priority="0">
+            <Type>$openid20type</Type>
+            <Type>$openid10type</Type>
+            <URI>$endpoint_url</URI>
+            <LocalID>$user_url</LocalID>
+        </Service>
+    </XRD>
 </xrds:XRDS>

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html

@@ -34 +34 @@
                         <div id="aboutOpenID" class="hidden">
                                 <div class="helptxt">
-                                        <p><a href="http://openid.net/get-an-openid/what-is-openid/>OpenID">OpenID</a> is a 
+                                        <p><a href="http://openid.net/get-an-openid/what-is-openid/">OpenID</a> is a 
                                                 technology which enables you to sign in at different websites using the same 
                                                 identity.  Rather than having to remember usernames/passwords for all the 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -312 +312 @@
             samlAuthzDecisionStatement.decision = _saml.DecisionType.PERMIT
         
-        elif (xacmlResponse.results[0].decision == 
-              _xacmlContext.result.Decision.INDETERMINATE):
-            log.info("PDP returned a status of [%s] denying access for URI "
-                     "path [%s]", _xacmlContext.result.Decision.INDETERMINATE,
-                     samlAuthzDecisionQuery.resource) 
+        # Nb. Mapping XACML NotApplicable => SAML INDETERMINATE
+        elif (xacmlResponse.results[0].decision in 
+              (_xacmlContext.result.Decision.INDETERMINATE,
+               _xacmlContext.result.Decision.NOT_APPLICABLE)):
+            log.info("PDP returned a status of [%s] for URI path [%s]; "
+                     "mapping to SAML response [%s] ...", 
+                     xacmlResponse.results[0].decision,
+                     samlAuthzDecisionQuery.resource,
+                     _saml.DecisionType.INDETERMINATE) 
             
             samlAuthzDecisionStatement.decision = \

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -284 +284 @@
                                          'request context' %
                                          self.subjectAttributeId)
+        elif not subjectId:
+            # Empty string
+            return None
         else:
             # Keep a reference to the matching Subject instance

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

@@ -136 +136 @@
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                 </Apply>
             </Apply>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py

@@ -88 +88 @@
 </html>
 """ % (AuthZTestApp.header,
-       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
+       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, link) 
                  for link,name in self.method.items() if name != 'default'])
        )
@@ -208 +208 @@
     <body>
         <h1>Logged Out</h1>
-        <p>Successfully redirected to specified return to UIR query argument 
+        <p>Successfully redirected to specified return to URI query argument 
         ndg.security.logout.r=%s following logout.  
         <a href="/">Return to tests</a></p>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py

@@ -27 +27 @@
         if userId.endswith("/openid/PhilipKershaw"):
             return [
-                'urn:siteA:security:authz:1.0:attr:postdoc',
-                'urn:siteA:security:authz:1.0:attr:staff', 
-                'urn:siteA:security:authz:1.0:attr:undergrad', 
-                'urn:siteA:security:authz:1.0:attr:coapec'
+                'postdoc',
+                'staff', 
+                'undergrad', 
+                'coapec'
             ]
         elif userId == 'test':
             return [
-                'urn:siteA:security:authz:1.0:attr:staff', 
+                'staff', 
             ]
         else:
-            return ['urn:siteA:security:authz:1.0:attr:guest']
+            return ['guest']

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt

@@ -19 +19 @@
 
 # Entries are whitespace delimited <attribute id> <attribute authority>
-urn:siteA:security:authz:1.0:attr https://localhost:5443/AttributeAuthority
+urn:siteA:security:authz:1.0:attr https://localhost:7443/AttributeAuthority
 myattributeid https://myattributeauthority.ac.uk/
 http://someotherattributeid.schema https://another.ac.uk/attributeservice/

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml

@@ -24 +24 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -47 +47 @@
                 <Resource>
                     <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -58 +58 @@
     </Rule>
 
-    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
+    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit">
         <!-- 
-            Define URIs which this policy permits but for which the underlying
-            app returns 40x HTTP response
+            Demonstrate a URI secured with an attribute which the test user 
+            doesn't have 
         -->
         <Target>
@@ -71 +71 @@
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
             </Resources>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:siteA:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
         </Target>
     </Rule>
@@ -86 +96 @@
             <Resources>
                 <Resource>
-                    <!-- Pattern match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <!-- Match 'test_securedURI' -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -117 +127 @@
         </Condition>
     </Rule>
-    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
-    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
-        <!-- 
-            This rule is a modified version of the above to allow for a real use
-            case where adding a special query argument grants extra privileges
-            associated with an administrator
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator 
-                            AttributeId="urn:siteA:security:authz:1.0:attr" 
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
-        </Target>
-    </Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

@@ -30 +30 @@
 pipeline = BeakerSessionFilter 
                    AuthenticationFilter 
-                   PolicyEnforcementPointFilter 
+                   AuthorisationFilter 
                    AuthZTestApp
 
@@ -82 +82 @@
 
 #
-# Policy Enforcement Point enforces access control decisions made by the 
-# Authorisation Service 
-[filter:PolicyEnforcementPointFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory
-prefix = pep.
+# Authorisation filter contains a Policy Enforcement Point which enforces access
+# control decisions made by the Authorisation Service 
+[filter:AuthorisationFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory
+
+# Result handler handles the response for HTTP 403 responses set by the 
+# application or the PEP.
+resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
+resultHandler.staticContentDir = %(here)s/pep_result_handler
+
+# Settings for the PEP (Policy Enforcement Point)
 pep.sessionKey = beaker.session.ndg.security
 pep.authzServiceURI = https://localhost:7443/AuthorisationService

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

@@ -375 +375 @@
 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
-saml.soapbinding.pathMatchList = /AttributeAuthority
+saml.soapbinding.mountPath = /AttributeAuthority
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
 
@@ -404 +404 @@
 
 # Sets the identity of THIS authorisation service when filling in SAML responses
-saml.issuerName = /O=Test/OU=Authorisation Service
+saml.issuerName = /O=Site A/CN=Authorisation Service
 saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 
@@ -426 +426 @@
 #
 # XACML Context handler manages PEP (Policy Information Point) requests and the 
-# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point)
-# 
+# PDP's (Policy Decision Point's) interface to the PIP (Policy Information 
+# Point)
 
 # XACML Policy file
@@ -434 +434 @@
 # Settings for SAML authorisation decision response to a Policy Enforcement Point
 # making a decision query
-authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost
+authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
 authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 authz.ctx_handler.assertionLifetime = 86400

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -120 +120 @@
 
     ATTRIBUTE_VALUES = (
-        'urn:siteA:security:authz:1.0:attr:postdoc',
-        'urn:siteA:security:authz:1.0:attr:staff', 
-        'urn:siteA:security:authz:1.0:attr:undergrad', 
-        'urn:siteA:security:authz:1.0:attr:coapec',
-        'urn:siteA:security:authz:1.0:attr:rapid',
-        'urn:siteA:security:authz:1.0:attr:admin'
+        'postdoc',
+        'staff', 
+        'undergrad', 
+        'coapec',
+        'rapid',
+        'admin'
     )
     N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml

@@ -6 +6 @@
         <URIPattern>^/test_securedURI*$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>staff</Attribute>
         </Attributes>
         <AttributeAuthority>
@@ -15 +15 @@
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>forbidden</Attribute>
+            <Attribute>keepout</Attribute>
         </Attributes>
         <AttributeAuthority>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml

@@ -7 +7 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -16 +16 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <Name>forbidden</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <Name>keepout</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -30 +30 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml

@@ -7 +7 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <!-- Endpoint is for SOAP/SAML based ESG Interface -->
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
@@ -17 +17 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <Name>forbidden</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -34 +34 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
+                <Name>admin</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml

@@ -56 +56 @@
             
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>