Changeset 7413

Timestamp:

02/09/10 09:28:06 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• added local PDP call to PEP to enable some requests to be filtered out as not applicable to the main authorisation service. Tested in ndg.security.test.unit.wsgi.authz.test_authz. TODO: add to integration tests.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (9 diffs)
• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml (moved) (moved from TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py (modified) (10 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

@@ -20 +20 @@
                                             AuthzDecisionQuerySslSOAPBinding
                                             
-from ndg.xacml import core as _xacmlCore
+from ndg.xacml.core import Identifiers as XacmlIdentifiers
+from ndg.xacml.core import context as _xacmlCtx
+from ndg.xacml.core.attribute import Attribute as XacmlAttribute
+from ndg.xacml.core.attributevalue import (
+    AttributeValueClassFactory as XacmlAttributeValueClassFactory, 
+    AttributeValue as XacmlAttributeValue)
+from ndg.xacml.core.context.result import Decision as XacmlDecision
 from ndg.xacml.core.context.pdp import PDP
-from ndg.xacml.core import context as _xacmlCtx
-from ndg.xacml.parsers.etree.factory import ReaderFactory as \
-    XacmlPolicyReaderFactory
+from ndg.xacml.parsers.etree.factory import (
+    ReaderFactory as XacmlPolicyReaderFactory)
     
 from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 
@@ -56 +61 @@
     SESSION_KEY_PARAM_NAME = 'sessionKey'
     CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions'   
-    LOCAL_PDP_FILEPATH_PARAM_NAME = 'localPolicyFilePath'
+    LOCAL_POLICY_FILEPATH_PARAM_NAME = 'localPolicyFilePath'
     
     CREDENTIAL_WALLET_SESSION_KEYNAME = \
@@ -67 +72 @@
         SESSION_KEY_PARAM_NAME,
         CACHE_DECISIONS_PARAM_NAME,
-        LOCAL_PDP_FILEPATH_PARAM_NAME
+        LOCAL_POLICY_FILEPATH_PARAM_NAME
     )
+    
+    XACML_ATTRIBUTEVALUE_CLASS_FACTORY = XacmlAttributeValueClassFactory()
+    
     __slots__ = (
         '_app', '__client', '__session', '__localPdp'
@@ -201 +209 @@
                 setattr(self, name, value)
                 
-            elif value != self.__class__.LOCAL_PDP_FILEPATH_PARAM_NAME:
+            elif name != self.__class__.LOCAL_POLICY_FILEPATH_PARAM_NAME:
                 # Policy file setting is optional
                 raise SamlPepFilterConfigError('Missing option %r' % paramName)
@@ -260 +268 @@
         """
         request = webob.Request(environ)
+        requestURI = request.url
         
         # Apply local PDP if set
-        if self.__localPdp is not None:
-            self.__localPdp.evaluate()
+        if not self.isApplicableRequest(requestURI):
+            # The local PDP has returned a decision that the requested URI is
+            # not applicable and so the authorisation service need not be 
+            # invoked.  This step is an efficiency measure to avoid multiple
+            # callouts to the authorisation service for resources which 
+            # obviously don't need any restrictions 
+            return self._app(environ, start_response)
             
         # Check for cached decision
         if self.cacheDecisions:
-            assertions = self._retrieveCachedAssertions(request.url)
+            assertions = self._retrieveCachedAssertions(requestURI)
         else:
             assertions = None  
@@ -284 +298 @@
             # Record the result in the user's session to enable later 
             # interrogation by any result handler Middleware
-            self.setSession(self.client.query, samlAuthzResponse)
+            self.saveResultCtx(self.client.query, samlAuthzResponse)
         
         
@@ -317 +331 @@
             
             response = webob.Response()
+            response.status = httplib.FORBIDDEN
             response.body = ('An error occurred retrieving an access decision '
                              'for %r for user %r' % (
@@ -374 +389 @@
         self.session.save()
         
-    def setSession(self, request, response, save=True):
+    def saveResultCtx(self, request, response, save=True):
         """Set PEP context information in the Beaker session using standard key
         names.  This is a snapshot of the last request and the response 
@@ -398 +413 @@
             self.session.save()     
 
-    def enforceFromLocalPdp(self, subjectId, resourceURI):
+    PDP_DENY_RESPONSES = (
+        XacmlDecision.DENY_STR, XacmlDecision.INDETERMINATE_STR
+    )
+    
+    def isApplicableRequest(self, resourceURI):
         """A local PDP can filter out some requests to avoid the need to call
         out to the authorisation service 
-        """
-        xacmlRequest = self._createXacmlRequestCtx(subjectId, resourceURI)
+        
+        @param resourceURI: URI of requested resource
+        @type resourceURI: basestring
+        """
+        if self.__localPdp is None:
+            log.debug("No Local PDP set: passing on request to main "
+                      "authorisation service...")
+            return True
+        
+        xacmlRequest = self._createXacmlRequestCtx(resourceURI)
         xacmlResponse = self.__localPdp.evaluate(xacmlRequest)
+        for result in xacmlResponse.results:
+            if result.decision.value != XacmlDecision.NOT_APPLICABLE_STR:
+                log.debug("Local PDP returned %s decision, passing request on "
+                          "to main authorisation service ...", 
+                          result.decision.value)
+                return True
+            
+        return False
 
     def _createXacmlRequestCtx(self, resourceURI):
+        """Wrapper to create a request context for a local PDP - see 
+        isApplicableRequest
+        
+        @param resourceURI: URI of requested resource
+        @type resourceURI: basestring
+        """
         request = _xacmlCtx.request.Request()
         
         resource = _xacmlCtx.request.Resource()
-        resourceAttribute = _xacmlCore.attribute.Attribute()
+        resourceAttribute = XacmlAttribute()
         resource.attributes.append(resourceAttribute)
         
-        resourceAttribute.attributeId = \
-                                    _xacmlCore.Identifiers.Resource.RESOURCE_ID
-                            
-        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
-        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
+        resourceAttribute.attributeId = XacmlIdentifiers.Resource.RESOURCE_ID
+                                        
+        XacmlAnyUriAttributeValue = \
+            self.__class__.XACML_ATTRIBUTEVALUE_CLASS_FACTORY(
+                                            XacmlAttributeValue.ANY_TYPE_URI)
+                                    
+        resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
+        resourceAttribute.attributeValues.append(XacmlAnyUriAttributeValue())
         resourceAttribute.attributeValues[-1].value = resourceURI
 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -25 +25 @@
 from ndg.xacml.core import context as _xacmlContext
 from ndg.xacml.core.attribute import Attribute as XacmlAttribute
-from ndg.xacml.core.attributevalue import AttributeValueClassFactory as \
-    XacmlAttributeValueClassFactory
+from ndg.xacml.core.attributevalue import (
+    AttributeValueClassFactory as XacmlAttributeValueClassFactory, 
+    AttributeValue as XacmlAttributeValue)
 from ndg.xacml.parsers.etree.factory import ReaderFactory as \
     XacmlPolicyReaderFactory
@@ -377 +378 @@
                                         
         XacmlAnyUriAttributeValue = xacmlAttributeValueFactory(
-                                    'http://www.w3.org/2001/XMLSchema#anyURI')
+                                            XacmlAttributeValue.ANY_TYPE_URI)
         
         openidSubjectAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
@@ -389 +390 @@
 
         XacmlStringAttributeValue = xacmlAttributeValueFactory(
-                                    'http://www.w3.org/2001/XMLSchema#string')
+                                            XacmlAttributeValue.STRING_TYPE_URI)
                                   
         xacmlRequest.subjects.append(xacmlSubject)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -13 +13 @@
 import logging
 import socket
+
 logging.basicConfig()
 log = logging.getLogger(__name__)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml

@@ -35 +35 @@
         </Resources>
     </Target>   
+    <Rule RuleId="Catch all" Effect="Deny"></Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

@@ -24 +24 @@
 pep.authzServiceURI = https://localhost:9443/authorisation-service
 pep.cacheDecisions = True
+pep.localPolicyFilePath = %(here)s/request-filter.xml
 
 # Settings for Policy Information Point used by the Policy Decision Point to

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -15 +15 @@
 import unittest
 import os
+import time
 from urlparse import urlunsplit
 
 from os import path
 from ConfigParser import SafeConfigParser
+from urllib2 import URLError
+
+from uuid import uuid4
+from datetime import datetime, timedelta
 
 import paste.fixture
 from paste.deploy import loadapp
+
+from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer, 
+                                 AuthzDecisionQuery, AuthzDecisionStatement, 
+                                 Status, StatusCode, StatusMessage, 
+                                 DecisionType, Action, Conditions, Assertion)
+from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree, 
+                                ResponseElementTree)
 
 from ndg.security.test.unit import BaseTestCase
@@ -30 +42 @@
     HTTPRedirectPEPResultHandlerMiddleware
 from ndg.security.server.wsgi.authz.pep import SamlPepFilterConfigError
-
-
-from uuid import uuid4
-from datetime import datetime, timedelta
-
-from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer, 
-                                 AuthzDecisionQuery, AuthzDecisionStatement, 
-                                 Status, StatusCode, StatusMessage, 
-                                 DecisionType, Action, Conditions, Assertion)
-from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree, 
-                                ResponseElementTree)
 
 
@@ -155 +156 @@
     
     def __call__(self, environ, start_response):
-        
+        response = self.__class__.RESPONSE
         if environ['PATH_INFO'] == '/test_401':
             status = "401 Unauthorized"
@@ -172 +173 @@
         elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
             status = "200 OK"
+            
+        elif environ['PATH_INFO'].startswith('/layout'):
+            status = "200 OK"
+            response += ("\n\nAny calls to this path or sub-path should be "
+                         "publicly accessible")
         else:
             status = "404 Not found"
@@ -177 +183 @@
         start_response(status,
                        [('Content-length', 
-                         str(len(TestAuthZMiddleware.RESPONSE))),
+                         str(len(response))),
                         ('Content-type', 'text/plain')])
         
@@ -216 +222 @@
         
         self.startAuthorisationService()  
-          
+    
           
 class SamlPepFilterTestCase(BaseAuthzFilterTestCase):
@@ -272 +278 @@
 
     def test05Catch401WithNotLoggedInAndSecuredURI(self):
-        # AuthZ middleware grants access because the URI requested has no
-        # subject restriction set in the policy rule
+        # User is not logged in and a secured resource has been requested so 401
+        # response is returned
         
         # AuthZ middleware checks for username key in session set by AuthN
         # handler
-        extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}        
+        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()}
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
@@ -284 +290 @@
         
     def test06AccessDeniedForSecuredURI(self):
-        
         # User is logged in but doesn't have the required credentials for 
         # access
@@ -298 +303 @@
         print response
 
-    def test07AccessGrantedForSecuredURI(self):
-        
+    def test07AccessGrantedForSecuredURI(self):      
         # User is logged in and has credentials for access to a URI secured
         # by the policy file
@@ -313 +317 @@
         self.assert_(TestAuthZMiddleware.RESPONSE in response)
         print response
-
+        
+    def test08LocalPolicyFiltersOutRequest(self):
+        # The local PDP filters out the incoming request as not applicable so
+        # that the authorisation service is never invoked.
+        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()}
+        response = self.app.get('/layout/my.css', extra_environ=extra_environ,
+                                status=200)
+        self.assert_(response.body)
+                
 
 class PEPResultHandlerTestCase(BaseAuthzFilterTestCase):