Changeset 7358 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

24/08/10 15:34:07 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• added caching capability to Policy Information Point. This enables the PIP to retrieve previously cached assertions from an Attribute Authority optimising performance. Caching is done with beaker.session but instead of indexing based on a cookie, it's based on the subject Id i.e. for ESG, a user's OpenID.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit

Files:

• __init__.py (modified) (1 diff)
• authz/xacml/saml_pip.cfg (modified) (2 diffs)
• authz/xacml/test_saml_pip.py (modified) (7 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -210 +210 @@
         
     def __del__(self):
+        self.stopAllServices()
+        
+    def stopAllServices(self):
         """Stop any services started with the addService method"""
         if hasattr(self, 'services'):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg

@@ -20 +20 @@
 saml_pip.mappingFilePath = %(here)s/pip-mapping.txt
 
+# Cache assertions retrieved from the Attribute Authority to optimise performance
+saml_pip.sessionCacheDataDir = %(here)s/query-results-cache
+
 # The attribute ID of the subject value to extract from the XACML request
 # context and pass in the SAML attribute query
@@ -27 +30 @@
 saml_pip.attributeQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 
-# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
+# These settings configure SSL mutual authentication for the query to the SAML 
+# Attribute Authority
 saml_pip.attributeQuery.sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.crt
 saml_pip.attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.key

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py

@@ -15 +15 @@
 from os import path
 import unittest
+
+from urllib2 import URLError
 
 from ndg.xacml.core.attributedesignator import SubjectAttributeDesignator
@@ -45 +47 @@
                                    
     attributeValueClassFactory = AttributeValueClassFactory()
-    
-    def __init__(self, *arg, **kw):
-        BaseTestCase.__init__(self, *arg, **kw)
-        self.startSiteAAttributeAuthority(withSSL=True, 
-                    port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
-        
+            
     def test01CreateAndCheckAttributes(self):
         pip = PIP()
@@ -60 +57 @@
         except AttributeError:
             pass
+        
+        setattr(pip, 'sessionCacheDataDir', 'My data dir')
 
     def test02ReadMappingFile(self):
@@ -86 +85 @@
         
         return ctx
-                     
-    def test03Query(self):
+    
+    def _createPIP(self):   
+        """Create PIP from test attribute settings"""              
         pip = PIP()
         pip.mappingFilePath = self.__class__.MAPPING_FILEPATH
@@ -102 +102 @@
             
         pip.attributeQueryBinding.sslCACertDir = self.__class__.CACERT_DIR
-            
-        # Make attribute designator - in practice this would be passed back from
-        # the PDP via the context handler
+        
+        return pip
+
+    def _createSubjectAttributeDesignator(self):
+        '''Make attribute designator - in practice this would be passed back 
+        from the PDP via the context handler
+        '''
         designator = SubjectAttributeDesignator()
         designator.attributeId = self.__class__.NDGS_ATTR_ID
@@ -112 +116 @@
                                     'http://www.w3.org/2001/XMLSchema#string')
         
+        return designator
+    
+    def _initQuery(self):
+        '''Convenience method to set-up the parameters needed for a query'''
+        pip = self._createPIP()
+        designator = self._createSubjectAttributeDesignator()
         ctx = self._createXacmlRequestCtx()
+        return pip, designator, ctx
+    
+    def test03Query(self):
+        self.startSiteAAttributeAuthority(withSSL=True, 
+                    port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+        
+        pip, designator, ctx = self._initQuery()
+        
+        # Avoid caching to avoid impacting other tests in this class
+        pip.cacheSessions = False
         
         attributeValues = pip.attributeQuery(ctx, designator)
@@ -118 +138 @@
         print("PIP retrieved attribute values %r" % attributeValues)
         
+        self.stopAllServices()
+        
     def test04InitFromConfigFile(self):
         # Initialise from settings in a config file
         pip = PIP.fromConfig(self.__class__.CONFIG_FILEPATH)
         self.assert_(pip.mappingFilePath)
-
+        
+    def test05SessionCaching(self):
+        self.startSiteAAttributeAuthority(withSSL=True, 
+                    port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
+        
+        pipA, designator, ctx = self._initQuery()
+        attributeValuesA = pipA.attributeQuery(ctx, designator)
+        
+        pipB = self._createPIP()
+        pipB.cacheSessions = False
+        
+        attributeValuesB = pipB.attributeQuery(ctx, designator)
+        
+        self.stopAllServices()
+        
+        attributeValuesA2 = pipA.attributeQuery(ctx, designator)
+        self.assert_(len(attributeValuesA2) > 0)
+        
+        try:
+            attributeValuesB2 = pipB.attributeQuery(ctx, designator)
+            self.fail("Expected URLError exception for call with no-caching set")
+        except URLError, e:
+            print("Pass: expected %r error for call with no-caching set" % e)
+        
+        
         
 if __name__ == "__main__":