Changeset 7414
- Timestamp:
- 02/09/10 11:43:37 (10 years ago)
- Location:
- TI12-security/trunk/NDGSecurity/python
- Files:
-
- 1 added
- 4 edited
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py
r7077 r7414 22 22 from genshi.template import TemplateLoader 23 23 24 from ndg.saml.saml2.core import DecisionType 24 25 from ndg.security.server.wsgi.authz.result_handler import \ 25 26 PEPResultHandlerMiddlewareBase … … 33 34 34 35 MSG_TMPL = ( 35 "Access is forbidden for this resource:<br/><br/>"36 36 "$pdpResponseMsg<br/><br/>" 37 "Please check with your site administrator that you have the required"38 " access privileges."37 "Please report this to your site administrator and check that you " 38 "have the required access privileges." 39 39 ) 40 40 … … 104 104 else: 105 105 # Get response message from PDP recorded by PEP 106 cls = GenshiPEPResultHandlerMiddleware106 cls = self.__class__ 107 107 pepCtx = session.get(cls.PEPCTX_SESSION_KEYNAME, {}) 108 108 pdpResponse = pepCtx.get(cls.PEPCTX_RESPONSE_SESSION_KEYNAME) 109 pdpResponseMsg = getattr(pdpResponse, 'message', '') or '' 110 109 if pdpResponse is not None: 110 # Expecting a SAML response - parse decision values from this 111 pdpResponseMsg = ("The authorisation policy has set " 112 "access denied for this resource.") 113 for assertion in pdpResponse.assertions: 114 for authzDecisionStatement in \ 115 assertion.authzDecisionStatements: 116 if (authzDecisionStatement.decision.value == 117 DecisionType.INDETERMINATE_STR): 118 pdpResponseMsg = ("An error occurred making an " 119 "access decision.") 120 break 121 else: 122 pdpResponseMsg = "Access is denied for this resource." 123 111 124 msg = Template(self.messageTemplate).substitute( 112 125 pdpResponseMsg=pdpResponseMsg) -
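Review bot: The `break` after setting the "An error occurred making an access decision." message only leaves the inner loop over `assertion.authzDecisionStatements`; the outer loop over `pdpResponse.assertions` carries on, so the remaining assertions are scanned to no purpose. Nothing later overwrites `pdpResponseMsg`, so the result is still right, but the intent reads more plainly as one `any(...)` over both levels, as below. The new code also assumes that whatever the PEP stored under `PEPCTX_RESPONSE_SESSION_KEYNAME` has an `assertions` attribute; a comment such as `# assumes the PEP stored a SAML Response object here; anything else raises AttributeError` records that, and a `getattr(pdpResponse, 'assertions', ())` guard keeps a stale or differently-shaped session value from turning the access-denied page into an unhandled exception. The enclosing method starts before this hunk.
```python
            if pdpResponse is not None:
                # Expecting a SAML Response; a stale session value without
                # assertions is treated as a plain deny rather than an error
                indeterminate = any(
                    stmt.decision.value == DecisionType.INDETERMINATE_STR
                    for assertion in getattr(pdpResponse, 'assertions', ())
                    for stmt in assertion.authzDecisionStatements)
                if indeterminate:
                    pdpResponseMsg = ("An error occurred making an "
                                      "access decision.")
                else:
                    pdpResponseMsg = ("The authorisation policy has set "
                                      "access denied for this resource.")
            # … unchanged: else branch for a missing response, template substitution …
```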
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
r7357 r7414 16 16 """ 17 17 method = { 18 "/": 'default', 19 "/test_401": "test_401", 20 "/test_403": "test_403", 21 "/test_securedURI": "test_securedURI", 22 "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI", 23 "/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg": 24 "test_logoutWithReturn2QueryArg", 25 "/test_logoutViaHttpReferrer": "test_logoutViaHttpReferrer" 18 "/": 'default', 19 "/test_401": "test_401", 20 "/test_403": "test_403", 21 "/test_securedURI": "test_securedURI", 22 "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI", 23 "/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg" 26 24 } 27 header = """ <h1> Authorisation Integration Tests:</h1>25 header = """ <h1>NDG Security Authorisation Integration Tests:</h1> 28 26 <p>These tests use require the security services application to be 29 27 running. See securityserviceapp.py and securityservices.ini in the … … 62 60 63 61 def default(self, environ, start_response): 62 links = self.method.copy() 63 del links['/'] 64 del links['/test_logoutWithReturn2QueryArg'] 65 links['/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg' 66 ] = 'test_logoutWithReturn2QueryArg' 67 64 68 if 'username' in environ.get(self.beakerSessionKeyName, {}): 65 69 response = """<html> … … 73 77 """ % (AuthZTestApp.header, 74 78 '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 75 for link,name in self.method.items() if name != 'default']),79 for link, name in links.items()]), 76 80 environ[self.beakerSessionKeyName]['username']) 77 81 … … 85 89 %s 86 90 <ul>%s</ul> 91 <p>You are logged out. 
<a href="/test_401">Login</a></p> 87 92 </body> 88 93 </html> 89 94 """ % (AuthZTestApp.header, 90 95 '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 91 for link,name in self.method.items() if name != 'default'])96 for link,name in links.items()]) 92 97 ) 93 98 … … 220 225 return response 221 226 222 def test_logoutViaHttpReferrer(self, environ, start_response):223 """Test logout - the middleware works out where to return to by checking224 the HTTP_REFERER environ setting225 """226 response = """<html>227 <head/>228 <body>229 <h1>Logged Out</h1>230 <p>Successfully redirected to specified return to HTTP_REFERER=%s231 following logout.232 <a href="/">Return to tests</a></p>233 </body>234 </html>235 """ % environ['PATH_INFO']236 237 start_response('200 OK',238 [('Content-type', 'text/html'),239 ('Content-length', str(len(response)))])240 return response241 242 227 @classmethod 243 228 def app_factory(cls, globalConfig, **localConfig): -
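Review bot: The `links` table in `default` is rebuilt on every request by copying `self.method` and patching three entries by hand (`del links['/']`, `del links['/test_logoutWithReturn2QueryArg']`, then re-adding the logout path with its query argument); a class-level `links` dict next to `method`, listing the display links directly, would state the same thing once and drop the two `del` calls, which raise `KeyError` the moment someone edits `method`. Separately, the logged-in page interpolates `environ[self.beakerSessionKeyName]['username']` into the HTML via `%` with no escaping; this is a test application, but wrapping that value in `xml.sax.saxutils.escape(...)` costs one stdlib import and stops a username containing markup from breaking the page. The body of `default` continues past the end of this hunk.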
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml
r7413 r7414 6 6 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> 7 7 <Description> 8 Example for NDG Security unit tests: allow access for resource URIs 9 defined in the rules. All other URIs are blocked from access 10 11 See ndg.security.test.unit.wsgi.authz.test_authz to see the various 12 rules tested out 8 Policy used by a PDP local to the PEP to filter out some requests from 9 being passed on to the main authorisation service 13 10 </Description> 14 11 … … 24 21 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 25 22 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 26 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/ .*$</AttributeValue>23 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(?!layout).*$</AttributeValue> 27 24 </ResourceMatch> 28 25 </Resource> 29 26 </Resources> 30 27 </Target> 31 32 <!-- Deny everything by default --> 33 <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/> 34 <!-- 35 Following rules punch holes through the deny everything rule above 36 because the rule combining algorithm is set to permit overrides - see 37 Policy element above 38 --> 39 <Rule RuleId="Graphics and CSS" Effect="Permit"> 40 <!-- 41 Public access for graphics and CSS content 42 --> 43 <Target> 44 <Resources> 45 <Resource> 46 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 47 <ResourceAttributeDesignator 48 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 49 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 50 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue> 51 </ResourceMatch> 52 </Resource> 53 </Resources> 54 </Target> 55 </Rule> 56 57 <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit"> 58 <!-- 59 Define a URI with public access 60 61 Rule target(s) define which requests 
apply to the particular rule 62 --> 63 <Target> 64 <Resources> 65 <Resource> 66 <!-- Match the request URI --> 67 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 68 <ResourceAttributeDesignator 69 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 70 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 71 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue> 72 </ResourceMatch> 73 </Resource> 74 </Resources> 75 </Target> 76 </Rule> 77 78 <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit"> 79 <!-- 80 Demonstrate a URI secured with an attribute which the test user 81 doesn't have 82 --> 83 <Target> 84 <Resources> 85 <Resource> 86 <!-- Match the request URI --> 87 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 88 <ResourceAttributeDesignator 89 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 90 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 91 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue> 92 </ResourceMatch> 93 </Resource> 94 </Resources> 95 <Subjects> 96 <Subject> 97 <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 98 <SubjectAttributeDesignator 99 AttributeId="urn:siteA:security:authz:1.0:attr" 100 DataType="http://www.w3.org/2001/XMLSchema#string"/> 101 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue> 102 </SubjectMatch> 103 </Subject> 104 </Subjects> 105 </Target> 106 </Rule> 107 108 <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit"> 109 <!-- 110 Secure a URI path and all sub-paths using a regular expression to 111 define a URI pattern 112 --> 113 <Target> 114 <Resources> 115 <Resource> 116 <!-- Match 
'test_securedURI' --> 117 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 118 <ResourceAttributeDesignator 119 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 120 DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 121 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue> 122 </ResourceMatch> 123 </Resource> 124 </Resources> 125 </Target> 126 127 <!-- 128 The condition narrows down the constraints layed down in the target to 129 something more specific 130 131 The user must have at least one of the roles set - in this 132 case 'staff' 133 --> 134 <Condition> 135 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 136 <SubjectAttributeDesignator 137 AttributeId="urn:siteA:security:authz:1.0:attr" 138 DataType="http://www.w3.org/2001/XMLSchema#string"/> 139 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 140 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 141 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 142 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> 143 </Apply> 144 </Apply> 145 </Condition> 146 </Rule> 28 <Rule RuleId="Catch all" Effect="Deny"></Rule> 147 29 </Policy> -
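Review bot: The new Target pattern `^http://localhost:7080/(?!layout).*$` excludes every path that merely begins with `layout`, not only the `/layout/` directory of graphics and CSS that the removed "Graphics and CSS" rule covered, so any future `/layouts` or `/layout-admin` resource would also fall outside this filter; `(?!layout/)` limits the exclusion to that directory. With `Catch all` Deny as the only remaining rule, requests under `/layout` now get NotApplicable from this policy instead of an explicit Permit, and how the PEP treats NotApplicable is not visible here — a sentence in `<Description>` stating the intended outcome for the excluded URIs (presumably served without consulting the main authorisation service; confirm) would make the policy self-explaining.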
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
r7364 r7414 91 91 resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware 92 92 resultHandler.staticContentDir = %(here)s/pep_result_handler 93 resultHandler.heading = NDG Security Integration Tests 93 94 94 95 # Settings for the PEP (Policy Enforcement Point)