Timestamp:
20/08/10 15:42:14 (11 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Working version integrated with the ndg.security.test.integration.full_system test. This secures a test HTTP app with the XACML based authorisation called over a SAML interface from a PEP in the app's authorisation middleware
  • Some tuning is needed to optimise performance:
    • caching of attribute queries in the PEP
    • Possible additional PDP in the authorisation filter to filter out some requests from being routed to the SAML authorisation service.
    • possible caching of authorisation decisions at the PEP as another way of avoiding the authorisation service round-trips.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test
Files:
12 edited

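--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
@@ -136,6 +136,6 @@
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                 </Apply>
             </Apply>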
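--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
@@ -88,5 +88,5 @@
 </html>
 """ % (AuthZTestApp.header,
-       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)
+       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, link)
                  for link,name in self.method.items() if name != 'default'])
        )
@@ -208,5 +208,5 @@
     <body>
         <h1>Logged Out</h1>
-        <p>Successfully redirected to specified return to UIR query argument
+        <p>Successfully redirected to specified return to URI query argument
         ndg.security.logout.r=%s following logout.
         <a href="/">Return to tests</a></p>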
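Review bot: The list-item markup in the first hunk still interpolates `link` into both the href and the anchor text with `%` and no HTML escaping, so the page is well-formed only as long as the `self.method` keys are literal-safe. If those keys are the fixed route names of the test app this is harmless, but escaping once, `'<li><a href="%s">%s</a></li>' % (cgi.escape(link, True), cgi.escape(link))`, removes the dependency on that assumption. The enclosing method and the definition of `self.method` start outside the hunk, so where the keys come from cannot be confirmed here.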
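--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py
@@ -27,13 +27,13 @@
         if userId.endswith("/openid/PhilipKershaw"):
             return [
-                'urn:siteA:security:authz:1.0:attr:postdoc',
-                'urn:siteA:security:authz:1.0:attr:staff',
-                'urn:siteA:security:authz:1.0:attr:undergrad',
-                'urn:siteA:security:authz:1.0:attr:coapec'
+                'postdoc',
+                'staff',
+                'undergrad',
+                'coapec'
             ]
         elif userId == 'test':
             return [
-                'urn:siteA:security:authz:1.0:attr:staff',
+                'staff',
             ]
         else:
-            return ['urn:siteA:security:authz:1.0:attr:guest']
+            return ['guest']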
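Review bot: The branch that now hands out `'postdoc'`, `'staff'`, `'undergrad'` and `'coapec'` is gated on `userId.endswith("/openid/PhilipKershaw")` (context line 27, unchanged here), which accepts any identifier ending in that path rather than one specific OpenID, whereas the `'test'` branch below uses an exact `==` comparison. Since this fixture is what the full-system authorisation test relies on to model a privileged user, an exact comparison against the complete OpenID URL the test uses would be consistent with the other branch and avoids granting the privileged set to a look-alike identifier. The enclosing function starts outside the hunk, so its signature and docstring are not visible here; a one-line comment above the first `return` noting that the values are bare names qualified by the `urn:siteA:security:authz:1.0:attr` AttributeId (the namespace mapped in pip-mapping.txt) would help the next reader understand why the URN prefix was dropped.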
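--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt
@@ -19,5 +19,5 @@
 
 # Entries are whitespace delimited <attribute id> <attribute authority>
-urn:siteA:security:authz:1.0:attr https://localhost:5443/AttributeAuthority
+urn:siteA:security:authz:1.0:attr https://localhost:7443/AttributeAuthority
 myattributeid https://myattributeauthority.ac.uk/
 http://someotherattributeid.schema https://another.ac.uk/attributeservice/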
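--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml
@@ -24,5 +24,5 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -47,9 +47,9 @@
                 <Resource>
                     <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -58,8 +58,8 @@
     </Rule>
 
-    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit">
+    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit">
         <!--
-            Define URIs which this policy permits but for which the underlying
-            app returns 40x HTTP response
+            Demonstrate a URI secured with an attribute which the test user
+            doesn't have
         -->
         <Target>
@@ -71,8 +71,18 @@
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
             </Resources>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <SubjectAttributeDesignator
+                            AttributeId="urn:siteA:security:authz:1.0:attr"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
         </Target>
     </Rule>
@@ -86,10 +96,10 @@
             <Resources>
                 <Resource>
-                    <!-- Pattern match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <!-- Match 'test_securedURI' -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -117,57 +127,3 @@
         </Condition>
     </Rule>
-    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit">
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator
-                    AttributeId="urn:siteA:security:authz:1.0:attr"
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
-    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit">
-        <!--
-            This rule is a modified version of the above to allow for a real use
-            case where adding a special query argument grants extra privileges
-            associated with an administrator
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr"
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
-        </Target>
-    </Rule>
 </Policy>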
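Review bot: The regexp added for the `urn:ndg:security:access-denied-for-testuser-uri` rule, `^http://localhost:7080/test_accessDeniedToSecuredURI`, has no closing `$`, unlike the other two `anyURI-regexp-match` values in this file (`^http://localhost:7080/.*$` and `^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$`), so it also matches any resource id that merely starts with that path, query-string variants included. As the rule's Effect is Permit (gated on the `special-privileges` subject attribute), the value should be anchored: `^http://localhost:7080/test_accessDeniedToSecuredURI$`. Separately, the `test_securedURI` match switched from a `.*$` regexp to `anyURI-equal`, so a request to that path with a query string no longer hits the rule; if that is intended, extending the new comment to `<!-- Match 'test_securedURI' exactly: query-string variants are deliberately not covered -->` records the decision.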
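--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
@@ -30,5 +30,5 @@
 pipeline = BeakerSessionFilter
                    AuthenticationFilter
-                   PolicyEnforcementPointFilter
+                   AuthorisationFilter
                    AuthZTestApp
 
@@ -82,9 +82,15 @@
 
 #
-# Policy Enforcement Point enforces access control decisions made by the
-# Authorisation Service
-[filter:PolicyEnforcementPointFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory
-prefix = pep.
+# Authorisation filter contains a Policy Enforcement Point which enforces access
+# control decisions made by the Authorisation Service
+[filter:AuthorisationFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory
+
+# Result handler handles the response for HTTP 403 responses set by the
+# application or the PEP.
+resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
+resultHandler.staticContentDir = %(here)s/pep_result_handler
+
+# Settings for the PEP (Policy Enforcement Point)
 pep.sessionKey = beaker.session.ndg.security
 pep.authzServiceURI = https://localhost:7443/AuthorisationService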
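--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -375,5 +375,5 @@
 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
-saml.soapbinding.pathMatchList = /AttributeAuthority
+saml.soapbinding.mountPath = /AttributeAuthority
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
 
@@ -404,5 +404,5 @@
 
 # Sets the identity of THIS authorisation service when filling in SAML responses
-saml.issuerName = /O=Test/OU=Authorisation Service
+saml.issuerName = /O=Site A/CN=Authorisation Service
 saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 
@@ -426,6 +426,6 @@
 #
 # XACML Context handler manages PEP (Policy Information Point) requests and the
-# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point)
-#
+# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
+# Point)
 
 # XACML Policy file
@@ -434,5 +434,5 @@
 # Settings for SAML authorisation decision response to a Policy Enforcement Point
 # making a decision query
-authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost
+authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
 authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 authz.ctx_handler.assertionLifetime = 86400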
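Review bot: The comment block corrected in the third hunk still mis-expands the abbreviation on its first line (context line 427): `# XACML Context handler manages PEP (Policy Information Point) requests and the` should read `PEP (Policy Enforcement Point)`, which is how the same abbreviation is expanded in securedapp.ini in this changeset. Worth fixing alongside the "Decison" typo corrected on the next line, since the comment is the only place the PEP/PDP/PIP roles of this section are spelled out.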
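--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
@@ -120,10 +120,10 @@
 
     ATTRIBUTE_VALUES = (
-        'urn:siteA:security:authz:1.0:attr:postdoc',
-        'urn:siteA:security:authz:1.0:attr:staff',
-        'urn:siteA:security:authz:1.0:attr:undergrad',
-        'urn:siteA:security:authz:1.0:attr:coapec',
-        'urn:siteA:security:authz:1.0:attr:rapid',
-        'urn:siteA:security:authz:1.0:attr:admin'
+        'postdoc',
+        'staff',
+        'undergrad',
+        'coapec',
+        'rapid',
+        'admin'
     )
     N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES)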
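--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml
@@ -6,5 +6,5 @@
         <URIPattern>^/test_securedURI*$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
+            <Attribute>staff</Attribute>
         </Attributes>
         <AttributeAuthority>
@@ -15,6 +15,6 @@
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
+            <Attribute>forbidden</Attribute>
+            <Attribute>keepout</Attribute>
         </Attributes>
         <AttributeAuthority>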
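--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
@@ -7,5 +7,5 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -16,9 +16,9 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <Name>forbidden</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name>
+                <Name>keepout</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -30,5 +30,5 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>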
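--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml
@@ -7,5 +7,5 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <Name>staff</Name>
                 <!-- Endpoint is for SOAP/SAML based ESG Interface -->
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
@@ -17,5 +17,5 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name>
+                <Name>forbidden</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>
@@ -34,5 +34,5 @@
         <Attributes>
             <Attribute>
-                <Name>urn:siteA:security:authz:1.0:attr:admin</Name>
+                <Name>admin</Name>
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI>
             </Attribute>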
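--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml
@@ -56,5 +56,5 @@
 
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>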