Context Navigation

← Previous Change
Next Change →

test

Timestamp:

02/09/10 09:28:06 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

added local PDP call to PEP to enable some requests to be filtered out as not applicable to the main authorisation service. Tested in ndg.security.test.unit.wsgi.authz.test_authz. TODO: add to integration tests.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Files:

: 4 edited
: 1 moved

integration/full_system/request-filter.xml (moved) (moved from TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml)
unit/__init__.py (modified) (1 diff)
unit/wsgi/authz/request-filter.xml (modified) (1 diff)
unit/wsgi/authz/saml-test.ini (modified) (1 diff)
unit/wsgi/authz/test_authz.py (modified) (10 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/init.py

r7358	r7413
13	13	import logging
14	14	import socket
	15
15	16	logging.basicConfig()
16	17	log = logging.getLogger(__name__)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml

r7364	r7413
35	35	</Resources>
36	36	</Target>
	37	<Rule RuleId="Catch all" Effect="Deny"></Rule>
37	38	</Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini

r7354	r7413
24	24	pep.authzServiceURI = https://localhost:9443/authorisation-service
25	25	pep.cacheDecisions = True
	26	pep.localPolicyFilePath = %(here)s/request-filter.xml
26	27
27	28	# Settings for Policy Information Point used by the Policy Decision Point to

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

-                      r7287
+                      r7413
 import unittest
 import os
+import time
 from urlparse import urlunsplit
 from os import path
 from ConfigParser import SafeConfigParser
+from urllib2 import URLError
+from uuid import uuid4
+from datetime import datetime, timedelta
 import paste.fixture
 from paste.deploy import loadapp
+from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer,
+                                 AuthzDecisionQuery, AuthzDecisionStatement,
+                                 Status, StatusCode, StatusMessage,
+                                 DecisionType, Action, Conditions, Assertion)
+from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree,
+                                ResponseElementTree)
 from ndg.security.test.unit import BaseTestCase
 …
     HTTPRedirectPEPResultHandlerMiddleware
 from ndg.security.server.wsgi.authz.pep import SamlPepFilterConfigError
-from uuid import uuid4
-from datetime import datetime, timedelta
-from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer,
-                                 AuthzDecisionQuery, AuthzDecisionStatement,
-                                 Status, StatusCode, StatusMessage,
-                                 DecisionType, Action, Conditions, Assertion)
-from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree,
-                                ResponseElementTree)
 …
     def __call__(self, environ, start_response):
+        response = self.__class__.RESPONSE
         if environ['PATH_INFO'] == '/test_401':
             status = "401 Unauthorized"
 …
         elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI':
             status = "200 OK"
+        elif environ['PATH_INFO'].startswith('/layout'):
+            status = "200 OK"
+            response += ("\n\nAny calls to this path or sub-path should be "
+                         "publicly accessible")
         else:
             status = "404 Not found"
 …
         start_response(status,
                        [('Content-length',
                          str(len(TestAuthZMiddleware.RESPONSE))),
+                         str(len(response))),
                         ('Content-type', 'text/plain')])
 …
         self.startAuthorisationService()
 class SamlPepFilterTestCase(BaseAuthzFilterTestCase):
 …
     def test05Catch401WithNotLoggedInAndSecuredURI(self):
         # AuthZ middleware grants access because the URI requested has no
         # subject restriction set in the policy rule
+        # User is not logged in and a secured resource has been requested so 401
+        # response is returned
         # AuthZ middleware checks for username key in session set by AuthN
         # handler
         extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}
+        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()}
         response = self.app.get('/test_accessDeniedToSecuredURI',
                                 extra_environ=extra_environ,
 …
     def test06AccessDeniedForSecuredURI(self):
         # User is logged in but doesn't have the required credentials for
         # access
 …
         print response
+    def test07AccessGrantedForSecuredURI(self):
+    def test07AccessGrantedForSecuredURI(self):
         # User is logged in and has credentials for access to a URI secured
         # by the policy file
 …
         self.assert_(TestAuthZMiddleware.RESPONSE in response)
         print response
+    def test08LocalPolicyFiltersOutRequest(self):
+        # The local PDP filters out the incoming request as not applicable so
+        # that the authorisation service is never invoked.
+        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()}
+        response = self.app.get('/layout/my.css', extra_environ=extra_environ,
+                                status=200)
+        self.assert_(response.body)
 class PEPResultHandlerTestCase(BaseAuthzFilterTestCase):

Note: See TracChangeset for help on using the changeset viewer.