Timestamp:
02/09/10 09:28:06 (11 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • added a local PDP call to the PEP so that requests not applicable to the main authorisation service can be filtered out before it is contacted. Tested in ndg.security.test.unit.wsgi.authz.test_authz. TODO: add to integration tests.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test
Files:
4 edited
1 moved

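--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
@@ -13,4 +13,5 @@
 import logging
 import socket
+
 logging.basicConfig()
 log = logging.getLogger(__name__)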
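--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml
@@ -35,3 +35,4 @@
         </Resources>
     </Target>
+    <Rule RuleId="Catch all" Effect="Deny"></Rule>
 </Policy>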
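Review bot: The added catch-all Rule has no Target and no Description, so what it actually does to requests that match the Policy Target but none of the earlier rules depends on the Policy's RuleCombiningAlgId, which is outside this hunk. Under first-applicable it works as a default deny only while it stays the last rule, as it is here; under deny-overrides it would override every Permit rule above it, so the combining algorithm is worth confirming against the expectations in test_authz. Requests that fall outside the Policy Target are still NotApplicable regardless of this rule, which appears to be the "filtered out" path the commit message describes. A short `<Description>Default deny for requests matching the policy target but no preceding rule</Description>` inside the Rule would record that intent.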
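--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-test.ini
@@ -24,4 +24,5 @@
 pep.authzServiceURI = https://localhost:9443/authorisation-service
 pep.cacheDecisions = True
+pep.localPolicyFilePath = %(here)s/request-filter.xml
 
 # Settings for Policy Information Point used by the Policy Decision Point to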
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

    r7287 r7413  
    1515import unittest 
    1616import os 
     17import time 
    1718from urlparse import urlunsplit 
    1819 
    1920from os import path 
    2021from ConfigParser import SafeConfigParser 
     22from urllib2 import URLError 
     23 
     24from uuid import uuid4 
     25from datetime import datetime, timedelta 
    2126 
    2227import paste.fixture 
    2328from paste.deploy import loadapp 
     29 
     30from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer,  
     31                                 AuthzDecisionQuery, AuthzDecisionStatement,  
     32                                 Status, StatusCode, StatusMessage,  
     33                                 DecisionType, Action, Conditions, Assertion) 
     34from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree,  
     35                                ResponseElementTree) 
    2436 
    2537from ndg.security.test.unit import BaseTestCase 
     
    3042    HTTPRedirectPEPResultHandlerMiddleware 
    3143from ndg.security.server.wsgi.authz.pep import SamlPepFilterConfigError 
    32  
    33  
    34 from uuid import uuid4 
    35 from datetime import datetime, timedelta 
    36  
    37 from ndg.saml.saml2.core import (SAMLVersion, Subject, NameID, Issuer,  
    38                                  AuthzDecisionQuery, AuthzDecisionStatement,  
    39                                  Status, StatusCode, StatusMessage,  
    40                                  DecisionType, Action, Conditions, Assertion) 
    41 from ndg.saml.xml.etree import (AuthzDecisionQueryElementTree,  
    42                                 ResponseElementTree) 
    4344 
    4445 
     
    155156     
    156157    def __call__(self, environ, start_response): 
    157          
     158        response = self.__class__.RESPONSE 
    158159        if environ['PATH_INFO'] == '/test_401': 
    159160            status = "401 Unauthorized" 
     
    172173        elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI': 
    173174            status = "200 OK" 
     175             
     176        elif environ['PATH_INFO'].startswith('/layout'): 
     177            status = "200 OK" 
     178            response += ("\n\nAny calls to this path or sub-path should be " 
     179                         "publicly accessible") 
    174180        else: 
    175181            status = "404 Not found" 
     
    177183        start_response(status, 
    178184                       [('Content-length',  
    179                          str(len(TestAuthZMiddleware.RESPONSE))), 
     185                         str(len(response))), 
    180186                        ('Content-type', 'text/plain')]) 
    181187         
     
    216222         
    217223        self.startAuthorisationService()   
    218            
     224     
    219225           
    220226class SamlPepFilterTestCase(BaseAuthzFilterTestCase): 
     
    272278 
    273279    def test05Catch401WithNotLoggedInAndSecuredURI(self): 
    274         # AuthZ middleware grants access because the URI requested has no 
    275         # subject restriction set in the policy rule 
     280        # User is not logged in and a secured resource has been requested so 401 
     281        # response is returned 
    276282         
    277283        # AuthZ middleware checks for username key in session set by AuthN 
    278284        # handler 
    279         extra_environ={self.__class__.SESSION_KEYNAME:BeakerSessionStub()}         
     285        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()} 
    280286        response = self.app.get('/test_accessDeniedToSecuredURI', 
    281287                                extra_environ=extra_environ, 
     
    284290         
    285291    def test06AccessDeniedForSecuredURI(self): 
    286          
    287292        # User is logged in but doesn't have the required credentials for  
    288293        # access 
     
    298303        print response 
    299304 
    300     def test07AccessGrantedForSecuredURI(self): 
    301          
     305    def test07AccessGrantedForSecuredURI(self):       
    302306        # User is logged in and has credentials for access to a URI secured 
    303307        # by the policy file 
     
    313317        self.assert_(TestAuthZMiddleware.RESPONSE in response) 
    314318        print response 
    315  
     319         
     320    def test08LocalPolicyFiltersOutRequest(self): 
     321        # The local PDP filters out the incoming request as not applicable so 
     322        # that the authorisation service is never invoked. 
     323        extra_environ = {self.__class__.SESSION_KEYNAME: BeakerSessionStub()} 
     324        response = self.app.get('/layout/my.css', extra_environ=extra_environ, 
     325                                status=200) 
     326        self.assert_(response.body) 
     327                 
    316328 
    317329class PEPResultHandlerTestCase(BaseAuthzFilterTestCase): 
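Review bot: test08LocalPolicyFiltersOutRequest asserts only that the response body is non-empty, which would pass equally if the request had gone to the remote authorisation service and been permitted, so it does not establish that the local PDP filtered the request. The stub middleware appends a distinguishing string for `/layout` paths, so the assertion should at least pin that: `self.assert_("publicly accessible" in response)`. Whether the authorisation service was contacted cannot be checked from the visible lines; if the PEP exposes a call count, or the service can be left unstarted for this one test, that would be the stronger proof of the test's stated purpose. The newly imported `time` and `URLError` are not used in any visible hunk; if they are unused elsewhere in the file, drop them.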