Context Navigation

← Previous Changeset
Next Changeset →

Changeset 7357

Timestamp:

23/08/10 16:32:14 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

implemented caching of authorisation decision statements in the PEP to cut down on calls to authorisation service.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 6 added
: 10 edited

Tests/esg_integration/ca/4d241d64.0 (added)
Tests/esg_integration/ca/72fa7371.0 (added)
Tests/esg_integration/ca/BuiltinObjectToken:VerisignClass3PublicPrimaryCertificationAuthority-G2.crt (added)
Tests/esg_integration/ca/VeriSignClass3SecureServerCA-G2.crt (added)
Tests/esg_integration/test_attributeserviceclient.cfg (added)
Tests/esg_integration/test_attributeserviceclient.py (added)
ndg_security_common/ndg/security/common/credentialwallet.py (modified) (16 diffs)
ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (9 diffs)
ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (2 diffs)
ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (5 diffs)
ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (1 diff)
ndg_security_test/ndg/security/test/config/user.db (modified) (previous)
ndg_security_test/ndg/security/test/integration/__init__.py (modified) (3 diffs)
ndg_security_test/ndg/security/test/integration/full_system/policy.xml (modified) (2 diffs)
ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py

-                      r6730
+                      r7357
     """Generic Exception class for CredentialWallet module.  Overrides
     Exception to enable writing to the log"""
-    def __init__(self, *arg, **kw):
-        if len(arg) > 0:
-            log.error(arg[0])
-        Exception.__init__(self, *arg, **kw)
 …
     to enable writing to the log"""
-class CredentialWalletAttributeRequestDenied(CredentialWalletError):
-    """Handling exception where CredentialWallet is denied authorisation by an
-    Attribute Authority.
-    @type __extAttCertList: list
-    @ivar __extAttCertList: list of candidate Attribute Certificates that
-    could be used to try to get a mapped certificate from the target
-    Attribute Authority
-    @type __trustedHostInfo: dict
-    @ivar __trustedHostInfo: dictionary indexed by host name giving
-    details of Attribute Authority URI and roles for trusted hosts"""
-    def __init__(self, *args, **kw):
-        """Raise exception for attribute request denied with option to give
-        caller hint to certificates that could used to try to obtain a
-        mapped certificate
-        @type extAttCertList: list
-        @param extAttCertList: list of candidate Attribute Certificates that
-        could be used to try to get a mapped certificate from the target
-        Attribute Authority
-        @type trustedHostInfo: dict
-        @param trustedHostInfo: dictionary indexed by host name giving
-        details of Attribute Authority URI and roles for trusted hosts"""
-        self.__trustedHostInfo = kw.pop('trustedHostInfo', {})
-        self.__extAttCertList = kw.pop('extAttCertList', [])
-        CredentialWalletError.__init__(self, *args, **kw)
-    def _getTrustedHostInfo(self):
-        """Get message text"""
-        return self.__trustedHostInfo
-    trustedHostInfo = property(fget=_getTrustedHostInfo,
-                               doc="URI and roles details for trusted hosts")
-    def _getExtAttCertList(self):
-        """Return list of candidate Attribute Certificates that could be used
-        to try to get a mapped certificate from the target Attribute Authority
-        """
-        return self.__extAttCertList
-    extAttCertList = property(fget=_getExtAttCertList,
-                              doc="list of candidate Attribute Certificates "
-                              "that could be used to try to get a mapped "
-                              "certificate from the target Attribute "
-                              "Authority")
 class _MetaCredentialWallet(type):
 …
     accessGranted = property(fget=_getAccessGranted)
 class CredentialContainer(object):
 …
     ITEM_ATTRNAME = 'credential'
     ISSUERNAME_ATTRNAME = 'issuerName'
-    ATTRIBUTE_AUTHORITY_URI_ATTRNAME = 'attributeAuthorityURI'
     CREDENTIAL_TYPE_ATTRNAME = 'type'
 …
         ITEM_ATTRNAME,
         ISSUERNAME_ATTRNAME,
-        ATTRIBUTE_AUTHORITY_URI_ATTRNAME,
         CREDENTIAL_TYPE_ATTRNAME
+    )
     __slots__ = tuple(["__%s" % n for n in __ATTRIBUTE_NAMES])
+    del n
     def __init__(self, _type=None):
 …
         self.__credential = None
         self.__issuerName = None
-        self.__attributeAuthorityURI = None
     def _getType(self):
 …
                           _setIssuerName,
                           doc="Name of issuer of the credential")
-    def _getAttributeAuthorityURI(self):
-        return self.__attributeAuthorityURI
-    def _setAttributeAuthorityURI(self, value):
-        """String or None type are allowed - The URI may be set to None if
-        a local Attribute Authority instance is being invoked rather
-        one hosted via a remote URI
-        """
-        if not isinstance(value, (basestring, type(None))):
-            raise TypeError('Expecting string or None type for '
-                            '"attributeAuthorityURI"; got %r instead' %
-                            type(value))
-        self.__attributeAuthorityURI = value
-    attributeAuthorityURI = property(_getAttributeAuthorityURI,
-                                     _setAttributeAuthorityURI,
-                                     doc="Attribute Authority Service URI")
     def __getstate__(self):
 …
 class CredentialWalletBase(object):
     """Abstract base class for NDG and SAML Credential Wallet implementations
+    """Abstract base class for Credential Wallet implementations
     """
     CONFIG_FILE_OPTNAMES = ("userId", )
     __slots__ = ("__credentials", "__credentialsKeyedByURI", "__userId")
+    __slots__ = ("__credentials", "__userId")
     def __init__(self):
         self.__userId = None
         self.__credentials = {}
-        self.__credentialsKeyedByURI = {}
     @classmethod
 …
         @type cfg: basestring /ConfigParser derived type
         @param cfg: configuration file path or ConfigParser type object
         @rtype: ndg.security.common.credentialWallet.SAMLCredentialWallet
+        @rtype: ndg.security.common.credentialWallet.SAMLAssertionWallet
         @return: new instance of this class
         '''
 …
     def addCredential(self,
                       credential,
                       attributeAuthorityURI=None,
+                      issuerEndpoint=None,
                       bUpdateCredentialRepository=True):
         """Add a new attribute certificate to the list of credentials held.
 …
         SAML assertion
         @param credential: new attribute Certificate to be added
         @type attributeAuthorityURI: basestring
         @param attributeAuthorityURI: input the Attribute Authority URI from
+        @type issuerEndpoint: basestring
+        @param issuerEndpoint: input the URI of issuing service from
         which credential was retrieved.  This is added to a dict to enable
         access to a given Attribute Certificate keyed by Attribute Authority
+        access to a given Attribute Certificate keyed by issuing service
         URI. See the getCredential method.
         @type bUpdateCredentialRepository: bool
 …
                            doc="List of credentials linked to issuing "
                                "authorities")
-    def _getCredentialsKeyedByURI(self):
-        """Get Property method for credentials keyed by Attribute Authority URI
-        Credentials dict is read-only but also see addCredential method
-        @rtype: dict
-        @return: cached ACs indexed by issuing Attribute Authority"""
-        return self.__credentialsKeyedByURI
-    # Publish attribute
-    credentialsKeyedByURI = property(fget=_getCredentialsKeyedByURI,
-                                     doc="List of Attribute Certificates "
-                                         "linked to attribute authority URI")
     def _getUserId(self):
 …
+class SAMLCredentialWallet(CredentialWalletBase):
+    """CredentialWallet for Earth System Grid supporting caching of SAML
+    Attribute Assertions
+class SAMLAssertionWallet(CredentialWalletBase):
+    """Wallet for Earth System Grid supporting caching of SAML Assertions
     """
     CONFIG_FILE_OPTNAMES = CredentialWalletBase.CONFIG_FILE_OPTNAMES + (
                            "clockSkewTolerance", )
     __slots__ = ("__clockSkewTolerance",)
-    CREDENTIAL_REPOSITORY_NOT_SUPPORTED_MSG = ("SAMLCredentialWallet doesn't "
-                                               "support the "
-                                               "CredentialRepository "
-                                               "interface")
     def __init__(self):
         super(SAMLCredentialWallet, self).__init__()
+        super(SAMLAssertionWallet, self).__init__()
         self.__clockSkewTolerance = timedelta(seconds=0.)
     def _getClockSkewTolerance(self):
         return self.__clockSkewTolerance
 …
             setattr(self, optName, val)
-    def addCredential(self,
-                      credential,
-                      attributeAuthorityURI=None,
-                      bUpdateCredentialRepository=False,
-                      verifyCredential=True):
-        """Add a new assertion to the list of assertion credentials held.
-        @type credential: SAML assertion
-        @param credential: new assertion to be added
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: input the Attribute Authority URI from
-        which credential was retrieved.  This is added to a dict to enable
-        access to a given Attribute Certificate keyed by Attribute Authority
-        URI. See the getCredential method.
-        @type bUpdateCredentialRepository: bool
-        @param bUpdateCredentialRepository: if set to True, and a repository
-        exists it will be updated with the new credentials also. Nb. a derived
-        class will need to be implemented to enable this capability - see
-        the updateCredentialRepository method.
-        @type verifyCredential: bool
-        @param verifyCredential: if set to True, test validity of credential
-        by calling isValidCredential method.
-        @rtype: bool
-        @return: True if credential was added otherwise False.  - If an
-        existing certificate from the same issuer has a later expiry it will
-        take precedence and the new input certificate is ignored."""
-        # Check input
-        if not isinstance(credential, Assertion):
-            raise CredentialWalletError("Input credential must be an "
-                                        "%r type object" % Assertion)
-        if verifyCredential and not self.isValidCredential(credential):
-            raise CredentialWalletError("Validity time error with assertion %r"
-                                        % credential)
-        # Check to see if there is an existing Attribute Certificate held
-        # that was issued by the same host.  If so, compare the expiry time.
-        # The one with the latest expiry will be retained and the other
-        # ignored
-        bUpdateCred = True
-        if credential.issuer is None:
-            raise AttributeError("Adding SAML assertion to wallet: no issuer "
-                                 "set")
-        issuerName = credential.issuer.value
-        if issuerName in self.credentials:
-            # There is an existing certificate held with the same issuing
-            # host name as the new certificate
-            credentialOld = self.credentials[issuerName].credential
-            # If the new certificate has an earlier expiry time then ignore it
-            bUpdateCred = (credential.conditions.notOnOrAfter >
-                           credentialOld.conditions.notOnOrAfter)
-        if bUpdateCred:
-            thisCredential = CredentialContainer(Assertion)
-            thisCredential.credential = credential
-            thisCredential.issuerName = issuerName
-            thisCredential.attributeAuthorityURI = attributeAuthorityURI
-            self.credentials[issuerName] = thisCredential
-            if attributeAuthorityURI:
-                self.credentialsKeyedByURI[
-                    attributeAuthorityURI] = thisCredential
-            # Update the Credentials Repository - the permanent store of user
-            # authorisation credentials.  This allows credentials for previous
-            # sessions to be re-instated
-            if bUpdateCredentialRepository:
-                self.updateCredentialRepository()
-        # Flag to caller to indicate whether the input certificate was added
-        # to the credentials or an exsiting certificate from the same issuer
-        # took precedence
-        return bUpdateCred
     def audit(self):
 …
         expired or are otherwise invalid."""
         log.debug("SAMLCredentialWallet.audit ...")
+        log.debug("SAMLAssertionWallet.audit ...")
         for issuerName, issuerEntry in self.credentials.items():
             if not self.isValidCredential(issuerEntry.credential):
-                self.credentialsKeyedByURI.pop(
-                    issuerEntry.attributeAuthorityURI,
-                    None)
                 del self.credentials[issuerName]
-    def updateCredentialRepository(self, auditCred=True):
-        """No Credential Repository support is required"""
-        msg = SAMLCredentialWallet.CREDENTIAL_REPOSITORY_NOT_SUPPORTED_MSG
-        log.warning(msg)
-        warnings.warn(msg)
     def isValidCredential(self, assertion):
 …
     def __getstate__(self):
         '''Enable pickling for use with beaker.session'''
         _dict = super(SAMLCredentialWallet, self).__getstate__()
         for attrName in SAMLCredentialWallet.__slots__:
+        _dict = super(SAMLAssertionWallet, self).__getstate__()
+        for attrName in SAMLAssertionWallet.__slots__:
             # Ugly hack to allow for derived classes setting private member
             # variables
             if attrName.startswith('__'):
                 attrName = "_SAMLCredentialWallet" + attrName
+                attrName = "_SAMLAssertionWallet" + attrName
             _dict[attrName] = getattr(self, attrName)
         return _dict
+class SAMLAttributeWallet(SAMLAssertionWallet):
+    """Wallet with functionality for retrieving assertions containing attribute
+    statements based on endpoint URI and issuer name
+    """
+    __slots__ = ("__credentialsKeyedByURI",)
+    def __init__(self):
+        super(SAMLAttributeWallet, self).__init__()
+        self.__credentialsKeyedByURI = {}
+    def _getCredentialsKeyedByURI(self):
+        """Get Property method for credentials keyed by issuing service URI
+        Credentials dict is read-only but also see addCredential method
+        @rtype: dict
+        @return: cached ACs indexed by issuing service URI"""
+        return self.__credentialsKeyedByURI
+    # Publish attribute
+    credentialsKeyedByURI = property(fget=_getCredentialsKeyedByURI,
+                                     doc="List of credentials "
+                                         "linked to issuing service URI")
+    def addCredential(self,
+                      credential,
+                      issuerEndpoint=None,
+                      verifyCredential=True):
+        """Add a new assertion to the list of assertion credentials held.
+        @type credential: SAML assertion
+        @param credential: new assertion to be added
+        @type issuerEndpoint: basestring
+        @param issuerEndpoint: input the issuing service URI from
+        which credential was retrieved.  This is added to a dict to enable
+        access to a given Attribute Certificate keyed by issuing service
+        URI. See the getCredential method.
+        @type verifyCredential: bool
+        @param verifyCredential: if set to True, test validity of credential
+        by calling isValidCredential method.
+        @rtype: bool
+        @return: True if credential was added otherwise False.  - If an
+        existing certificate from the same issuer has a later expiry it will
+        take precedence and the new input certificate is ignored."""
+        # Check input
+        if not isinstance(credential, Assertion):
+            raise CredentialWalletError("Input credential must be an "
+                                        "%r type object" % Assertion)
+        if verifyCredential and not self.isValidCredential(credential):
+            raise CredentialWalletError("Validity time error with assertion %r"
+                                        % credential)
+        # Check to see if there is an existing Attribute Certificate held
+        # that was issued by the same host.  If so, compare the expiry time.
+        # The one with the latest expiry will be retained and the other
+        # ignored
+        bUpdateCred = True
+        if credential.issuer is None:
+            raise AttributeError("Adding SAML assertion to wallet: no issuer "
+                                 "set")
+        issuerName = credential.issuer.value
+        if issuerName in self.credentials:
+            # There is an existing certificate held with the same issuing
+            # host name as the new certificate
+            credentialOld = self.credentials[issuerName].credential
+            # If the new certificate has an earlier expiry time then ignore it
+            bUpdateCred = (credential.conditions.notOnOrAfter >
+                           credentialOld.conditions.notOnOrAfter)
+        if bUpdateCred:
+            thisCredential = CredentialContainer(Assertion)
+            thisCredential.credential = credential
+            thisCredential.issuerName = issuerName
+            self.credentials[issuerName] = thisCredential
+            if issuerEndpoint:
+                self.credentialsKeyedByURI[
+                    issuerEndpoint] = thisCredential
+    def audit(self):
+        """Check the credentials held in the wallet removing any that have
+        expired or are otherwise invalid."""
+        log.debug("SAMLAssertionWallet.audit ...")
+        for issuerName, issuerEntry in self.credentials.items():
+            if not self.isValidCredential(issuerEntry.credential):
+                foundMatch = False
+                endpoint = None
+                for endpoint, v in self.credentialsKeyedByURI.items():
+                    if v.issuerName.value == issuerName:
+                        foundMatch = True
+                        break
+                if foundMatch:
+                    self.credentialsKeyedByURI.pop(endpoint, None)
+                del self.credentials[issuerName]
+    def __getstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        _dict = super(SAMLAttributeWallet, self).__getstate__()
+        for attrName in SAMLAttributeWallet.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_SAMLAttributeWallet" + attrName
+            _dict[attrName] = getattr(self, attrName)
+        return _dict
+class SAMLAuthzDecisionWallet(SAMLAssertionWallet):
+    """Wallet with functionality for retrieving assertions containing
+    authorisation decision statements.  Credentials are keyed by resource Id"""
+    __slots__ = ()
+    def addCredential(self, assertion, verifyCredential=True):
+        """Add a new assertion to the list of assertion credentials held.
+        @type assertion: SAML assertion
+        @param assertion: new assertion to be added
+        @type verifyCredential: bool
+        @param verifyCredential: if set to True, test validity of credential
+        by calling isValidCredential method.
+        @rtype: bool
+        @return: True if credential was added otherwise False.  - If an
+        existing certificate from the same issuer has a later expiry it will
+        take precedence and the new input certificate is ignored."""
+        # Check input
+        if not isinstance(assertion, Assertion):
+            raise CredentialWalletError("Input assertion must be an "
+                                        "%r type object" % Assertion)
+        if verifyCredential and not self.isValidCredential(assertion):
+            raise CredentialWalletError("Validity time error with assertion %r"
+                                        % assertion)
+        # Check to see if there is an existing decision statement held for the
+        # same resource ID.  If so, compare the expiry time.  The one with the
+        # latest expiry will be retained and the other ignored
+        bUpdateCred = True
+        # Get the resource ID from the authorisation decision statement
+        # Nb. Assumes a SINGLE statement
+        if len(assertion.authzDecisionStatements) != 1:
+            raise CredentialWalletError("Expecting a single authorisation "
+                                        "decision statement passed with the "
+                                        "input assertion; found %r",
+                                        len(assertion.authzDecisionStatements))
+        resourceId = assertion.authzDecisionStatements[0].resource
+        if resourceId in self.credentials:
+            # There is an existing certificate held with the same issuing
+            # host name as the new certificate
+            assertionOld = self.credentials[resourceId].credential
+            # If the new certificate has an earlier expiry time then ignore it
+            bUpdateCred = (assertion.conditions.notOnOrAfter >
+                           assertionOld.conditions.notOnOrAfter)
+        if bUpdateCred:
+            thisCredential = CredentialContainer(Assertion)
+            thisCredential.credential = assertion
+            if assertion.issuer.value:
+                thisCredential.issuerName = assertion.issuer.value
+            self.credentials[resourceId] = thisCredential
+    def __getstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        _dict = super(SAMLAuthzDecisionWallet, self).__getstate__()
+        for attrName in SAMLAuthzDecisionWallet.__slots__:
+            # Ugly hack to allow for derived classes setting private member
+            # variables
+            if attrName.startswith('__'):
+                attrName = "_SAMLAuthzDecisionWallet" + attrName
+            _dict[attrName] = getattr(self, attrName)
+        return _dict

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/init.py

r7287	r7357
22	22
23	23	from ndg.security.common.utils.classfactory import importClass
24		from ndg.security.common.credentialwallet import SAML~~Credential~~Wallet
	24	from ndg.security.common.credentialwallet import SAMLAttributeWallet
25	25	from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
26	26	from ndg.security.server.wsgi.authz.pep import SamlPepFilter

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

-                      r7287
+                      r7357
 from ndg.security.server.wsgi.session import (SessionMiddlewareBase,
                                               SessionHandlerMiddleware)
+from ndg.security.common.credentialwallet import SAMLAuthzDecisionWallet
+from ndg.security.common.utils import str2Bool
 …
     AUTHZ_DECISION_QUERY_PARAMS_PREFIX = 'authzDecisionQuery.'
     SESSION_KEY_PARAM_NAME = 'sessionKey'
+    CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions'
     CREDENTIAL_WALLET_SESSION_KEYNAME = \
 …
     PARAM_NAMES = (
         'authzServiceURI',
+        'sessionKey'
+        'sessionKey',
+        'cacheDecisions'
+    )
     __slots__ = (
 …
         self.__authzServiceURI = None
         self.__sessionKey = None
+        self.__cacheDecisions = False
     def _getClient(self):
 …
                           doc="environ key name for Beaker session object")
+    def _getCacheDecisions(self):
+        return self.__cacheDecisions
+    def _setCacheDecisions(self, value):
+        if isinstance(value, basestring):
+            self.__cacheDecisions = str2Bool(value)
+        elif isinstance(value, bool):
+            self.__cacheDecisions = value
+        else:
+            raise TypeError('Expecting bool/string type for "cacheDecisions" '
+                            'attribute; got %r' % type(value))
+    cacheDecisions = property(_getCacheDecisions, _setCacheDecisions,
+                              doc="Set to True to make the session cache "
+                                  "authorisation decisions returned from the "
+                                  "Authorisation Service")
     def initialise(self, prefix='', **kw):
         '''Initialise object from keyword settings
 …
             value = kw.get(paramName)
             if value is None:
                 raise SamlPepFilterConfigError('Missing option %r' %
                                                    paramName)
+                raise SamlPepFilterConfigError('Missing option %r' % paramName)
             setattr(self, name, value)
 …
         request = webob.Request(environ)
+        self.client.resourceURI = request.url
+        # Nb. user may not be logged in hence REMOTE_USER is not set
+        self.client.subjectID = request.remote_user or ''
+        samlAuthzResponse = self.client.send(uri=self.__authzServiceURI)
+        # Record the result in the user's session to enable later
+        # interrogation by any result handler Middleware
+        self.setSession(self.client.query, samlAuthzResponse)
+        # Check for cached decision
+        if self.cacheDecisions:
+            cachedAssertion = self._retrieveAuthzDecision(request.url)
+        else:
+            cachedAssertion = None
+        if cachedAssertion is not None:
+            assertions = (cachedAssertion,)
+        else:
+            # No stored decision in cache, invoke the authorisation service
+            self.client.resourceURI = request.url
+            # Nb. user may not be logged in hence REMOTE_USER is not set
+            self.client.subjectID = request.remote_user or ''
+            samlAuthzResponse = self.client.send(uri=self.__authzServiceURI)
+            assertions = samlAuthzResponse.assertions
+            # Record the result in the user's session to enable later
+            # interrogation by any result handler Middleware
+            self.setSession(self.client.query, samlAuthzResponse)
         # Set HTTP 403 Forbidden response if any of the decisions returned are
 …
         failDecisions = (DecisionType.DENY, DecisionType.INDETERMINATE)
+        for assertion in samlAuthzResponse.assertions:
+        # Review decision statement(s) in assertions and enforce the decision
+        assertion = None
+        for assertion in assertions:
             for authzDecisionStatement in assertion.authzDecisionStatements:
                 if authzDecisionStatement.decision.value in failDecisions:
 …
                     return response(environ, start_response)
+        if assertion is None:
+            log.error("No assertions set in authorisation decision response "
+                      "from %r", self.authzServiceURI)
+            response.body = ('An error occurred retrieving an access decision '
+                             'for %r for user %r' % (
+                                             self.client.resourceURI,
+                                             self.client.subjectID))
+            response.content_type = 'text/plain'
+            log.info(response.body)
+            return response(environ, start_response)
+        if self.cacheDecisions:
+            self._cacheAuthzDecision(assertion)
         # If got through to here then all is well, call next WSGI middleware/app
         return self._app(environ, start_response)
+    def _retrieveAuthzDecision(self, resourceId):
+        """Return assertion containing authorisation decision for the given
+        resource ID.
+        @param resourceId: search for decisions for this resource Id
+        @type resourceId: basestring
+        @return: assertion containing authorisation decision for the given
+        resource ID or None if no wallet has been set or no assertion was
+        found matching the input resource Id
+        @rtype: ndg.saml.saml2.core.Assertion / None type
+        """
+        # Get reference to wallet
+        walletKeyName = self.__class__.CREDENTIAL_WALLET_SESSION_KEYNAME
+        credWallet = self.session.get(walletKeyName)
+        # Wallet has a dictionary of credential objects keyed by resource ID
+        credentials = getattr(credWallet, 'credentials', {})
+        # Retrieve assertion from Credential object
+        assertion = getattr(credentials.get(resourceId), 'credential', None)
+        return assertion
+    def _cacheAuthzDecision(self, assertion):
+        """Cache an authorisation decision from a response retrieved from the
+        authorisation service.  This is invoked only if cacheDecisions boolean
+        is set to True
+        @param assertion: SAML assertion containing authorisation decision
+        @type assertion: ndg.saml.saml2.core.Assertion
+        """
+        walletKeyName = self.__class__.CREDENTIAL_WALLET_SESSION_KEYNAME
+        credWallet = self.session.get(walletKeyName)
+        if credWallet is None:
+            credWallet = SAMLAuthzDecisionWallet()
+        credWallet.addCredential(assertion)
+        self.session[walletKeyName] = credWallet
+        self.session.save()
     def setSession(self, request, response, save=True):
         """Set PEP context information in the Beaker session using standard key
+        names
+        names.  This is a snapshot of the last request and the response
+        received.  It can be used by downstream middleware to provide contextual
+        information about authorisation decisions
         @param session: beaker session

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

-                      r7350
+                      r7357
             return None
         else:
             return self.__issuerProxy.value
+            return self.__issuerProxy.format
     def _setIssuerFormat(self, value):
 …
         assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
         assertion.id = str(uuid4())
+        assertion.issuer = _saml.Issuer()
+        assertion.issuer.value = self.issuerName
+        assertion.issuer.format = self.issuerFormat
         now = datetime.utcnow()

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

-                      r7350
+                      r7357
         @return: attribute values found for query subject or None if none
         could be found
         @raise PIPConfigException: if attribute ID -> Attribute Authority mapping is
         empty
+        @raise PIPConfigException: if attribute ID -> Attribute Authority
+        mapping is empty
         """
 …
                 if attribute.attributeId == self.subjectAttributeId:
                     if len(attribute.attributeValues) != 1:
+                        raise Exception("Expecting a single attribute value "
+                                        "for query subject ID")
+                        raise PIPRequestCtxException("Expecting a single "
+                                                     "attribute value "
+                                                     "for query subject ID")
                     subjectId = attribute.attributeValues[0].value
                     break
 …
         # query
         attributeFormat = attributeDesignator.dataType
+        attributeId = attributeDesignator.attributeId
         samlAttribute = SamlAttribute()
         samlAttribute.name = attributeDesignator.attributeId
 …
         # format specified and copy into XACML attributes
         xacmlAttribute = XacmlAttribute()
         xacmlAttribute.attributeId = attributeDesignator.attributeId
+        xacmlAttribute.attributeId = attributeId
         xacmlAttribute.dataType = attributeFormat
 …
         # Update the XACML request context subject with the new attributes
+        xacmlCtxSubject.attributes.append(xacmlAttribute)
+        matchFound = False
+        for attr in xacmlCtxSubject.attributes:
+            matchFound = attr.attributeId == attributeId
+            if matchFound:
+                newAttrVals = [attrVal
+                               for attrVal in xacmlAttribute.attributeValues
+                               if attrVal not in attr.attributeValues]
+                attr.attributeValues.extend(newAttrVals)
+                break
+        if not matchFound:
+            xacmlCtxSubject.attributes.append(xacmlAttribute)
         # Return the attributes to the caller to comply with the interface

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

r7350	r7357
165	165	AttributeId="urn:siteA:security:authz:1.0:attr"
166	166	DataType="http://www.w3.org/2001/XMLSchema#string"/>
167		<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">~~urn:siteA:security:authz:1.0:attr:~~admin</AttributeValue>
	167	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
168	168	</SubjectMatch>
169	169	</Subject>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/init.py

-                      r7350
+                      r7357
 "/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg":
     "test_logoutWithReturn2QueryArg",
 "/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg"
+"/test_logoutViaHttpReferrer": "test_logoutViaHttpReferrer"
+    }
     header = """        <h1>Authorisation Integration Tests:</h1>
 …
 </html>
 """ % (AuthZTestApp.header,
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, link)
+       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)
                  for link,name in self.method.items() if name != 'default'])
+       )
 …
         return response
+    def test_logoutViaHttpReferrer(self, environ, start_response):
+        """Test logout - the middleware works out where to return to by checking
+        the HTTP_REFERER environ setting
+        """
+        response = """<html>
+    <head/>
+    <body>
+        <h1>Logged Out</h1>
+        <p>Successfully redirected to specified return to HTTP_REFERER=%s
+        following logout.
+        <a href="/">Return to tests</a></p>
+    </body>
+</html>
+""" % environ['PATH_INFO']
+        start_response('200 OK',
+                       [('Content-type', 'text/html'),
+                        ('Content-length', str(len(response)))])
+        return response
     @classmethod
     def app_factory(cls, globalConfig, **localConfig):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml

-                      r7350
+                      r7357
         Policy element above
     -->
+    <Rule RuleId="Graphics and CSS" Effect="Permit">
+        <!--
+            Public access for graphics and CSS content
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
     <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
         <!--
 …
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                     </ResourceMatch>
                 </Resource>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

r7350	r7357
95	95	pep.sessionKey = beaker.session.ndg.security
96	96	pep.authzServiceURI = https://localhost:7443/AuthorisationService
	97	pep.cacheDecisions = True
97	98
98	99	# Settings for Policy Information Point used by the Policy Decision Point to

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 7357

Legend:

Download in other formats: