Changeset 7414

Timestamp:

02/09/10 11:43:37 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• Tested local PDP with integration tests. ndg.security.test.integration.full_system. This completes the functionality for the XACML integration - now preparing a new release.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/integration/__init__.py (modified) (5 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/policy.xml (added)
• ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py

@@ -22 +22 @@
 from genshi.template import TemplateLoader
 
+from ndg.saml.saml2.core import DecisionType
 from ndg.security.server.wsgi.authz.result_handler import \
     PEPResultHandlerMiddlewareBase
@@ -33 +34 @@
     
     MSG_TMPL = (
-        "Access is forbidden for this resource:<br/><br/>"
         "$pdpResponseMsg<br/><br/>"
-        "Please check with your site administrator that you have the required "
-        "access privileges."
+        "Please report this to your site administrator and check that you "
+        "have the required access privileges."
     )
     
@@ -104 +104 @@
         else:
             # Get response message from PDP recorded by PEP
-            cls = GenshiPEPResultHandlerMiddleware
+            cls = self.__class__
             pepCtx = session.get(cls.PEPCTX_SESSION_KEYNAME, {})
             pdpResponse = pepCtx.get(cls.PEPCTX_RESPONSE_SESSION_KEYNAME)
-            pdpResponseMsg = getattr(pdpResponse, 'message', '') or ''
-                
+            if pdpResponse is not None:
+                # Expecting a SAML response - parse decision values from this
+                pdpResponseMsg = ("The authorisation policy has set "
+                                  "access denied for this resource.")
+                for assertion in pdpResponse.assertions:
+                    for authzDecisionStatement in \
+                         assertion.authzDecisionStatements:
+                        if (authzDecisionStatement.decision.value == 
+                            DecisionType.INDETERMINATE_STR):
+                            pdpResponseMsg = ("An error occurred making an "
+                                              "access decision.")
+                            break
+            else:
+                pdpResponseMsg = "Access is denied for this resource."
+                 
             msg = Template(self.messageTemplate).substitute(
                                                 pdpResponseMsg=pdpResponseMsg)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py

@@ -16 +16 @@
     """
     method = {
-"/": 'default',
-"/test_401": "test_401",
-"/test_403": "test_403",
-"/test_securedURI": "test_securedURI",
-"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI",
-"/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg": 
-    "test_logoutWithReturn2QueryArg",
-"/test_logoutViaHttpReferrer": "test_logoutViaHttpReferrer"
+        "/": 'default',
+        "/test_401": "test_401",
+        "/test_403": "test_403",
+        "/test_securedURI": "test_securedURI",
+        "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI",
+        "/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg"
     }
-    header = """        <h1>Authorisation Integration Tests:</h1>
+    header = """        <h1>NDG Security Authorisation Integration Tests:</h1>
         <p>These tests use require the security services application to be
         running.  See securityserviceapp.py and securityservices.ini in the 
@@ -62 +60 @@
             
     def default(self, environ, start_response):
+        links = self.method.copy()
+        del links['/']
+        del links['/test_logoutWithReturn2QueryArg']
+        links['/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg'
+              ] = 'test_logoutWithReturn2QueryArg'
+        
         if 'username' in environ.get(self.beakerSessionKeyName, {}):
             response = """<html>
@@ -73 +77 @@
 """ % (AuthZTestApp.header,
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default']),
+                  for link, name in links.items()]),
        environ[self.beakerSessionKeyName]['username'])
         
@@ -85 +89 @@
         %s
         <ul>%s</ul>
+        <p>You are logged out.  <a href="/test_401">Login</a></p>
     </body>
 </html>
 """ % (AuthZTestApp.header,
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default'])
+                 for link,name in links.items()])
        )
 
@@ -220 +225 @@
         return response
     
-    def test_logoutViaHttpReferrer(self, environ, start_response):
-        """Test logout - the middleware works out where to return to by checking
-        the HTTP_REFERER environ setting
-        """
-        response = """<html>
-    <head/>
-    <body>
-        <h1>Logged Out</h1>
-        <p>Successfully redirected to specified return to HTTP_REFERER=%s 
-        following logout.  
-        <a href="/">Return to tests</a></p>
-    </body>
-</html>
-""" % environ['PATH_INFO']
-
-        start_response('200 OK', 
-                       [('Content-type', 'text/html'),
-                        ('Content-length', str(len(response)))])
-        return response
-    
     @classmethod
     def app_factory(cls, globalConfig, **localConfig):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml

@@ -6 +6 @@
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
     <Description>
-        Example for NDG Security unit tests: allow access for resource URIs 
-        defined in the rules.  All other URIs are blocked from access
-        
-        See ndg.security.test.unit.wsgi.authz.test_authz to see the various 
-        rules tested out
+        Policy used by a PDP local to the PEP to filter out some requests from 
+        being passed on to the main authorisation service
     </Description>
     
@@ -24 +21 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(?!layout).*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
         </Resources>
     </Target>   
-    
-    <!-- Deny everything by default -->
-    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
-    <!-- 
-        Following rules punch holes through the deny everything rule above
-        because the rule combining algorithm is set to permit overrides - see 
-        Policy element above
-    -->
-    <Rule RuleId="Graphics and CSS" Effect="Permit">
-        <!-- 
-            Public access for graphics and CSS content
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-    </Rule>
-
-    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit">
-        <!-- 
-            Define a URI with public access
-            
-            Rule target(s) define which requests apply to the particular rule
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-    </Rule>
-
-    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit">
-        <!-- 
-            Demonstrate a URI secured with an attribute which the test user 
-            doesn't have 
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match the request URI -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator 
-                            AttributeId="urn:siteA:security:authz:1.0:attr" 
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
-        </Target>
-    </Rule>
-    
-    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit">
-        <!-- 
-            Secure a URI path and all sub-paths using a regular expression to 
-            define a URI pattern
-        -->
-        <Target>
-            <Resources>
-                <Resource>
-                    <!-- Match 'test_securedURI' -->
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-        
-        <!-- 
-            The condition narrows down the constraints layed down in the target to
-            something more specific
-            
-            The user must have at least one of the roles set - in this
-            case 'staff'
-        -->
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
+    <Rule RuleId="Catch all" Effect="Deny"></Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

@@ -91 +91 @@
 resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
 resultHandler.staticContentDir = %(here)s/pep_result_handler
+resultHandler.heading = NDG Security Integration Tests
 
 # Settings for the PEP (Policy Enforcement Point)