Changeset 7444 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Timestamp:

03/09/10 14:47:05 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• fixed ordering of attribute designator and attribute value elements in example policy files for correct schema validation.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Files:

• config/authorisationservice/policy.xml (modified) (9 diffs)
• integration/full_system/policy.xml (modified) (5 diffs)
• unit/authz/xacml/test_saml_pip.py (modified) (1 diff)
• unit/wsgi/authz/test_authz.py (modified) (1 diff)
• unit/wsgi/saml/policy.xml (modified) (3 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

@@ -21 +21 @@
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -48 +48 @@
                     <!-- Match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -68 +68 @@
                     <!-- Match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -88 +88 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -98 +98 @@
                 <Action>
                     <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                         <ActionAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                             DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                     </ActionMatch>
                 </Action>
@@ -117 +117 @@
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                 <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
+                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
@@ -132 +132 @@
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -143 +143 @@
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                 <SubjectAttributeDesignator 
-                    AttributeId="urn:siteA:security:authz:1.0:attr" 
+                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
@@ -159 +159 @@
         -->
         <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:ndg:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
             <Resources>
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue>
                     </ResourceMatch>
                 </Resource>
             </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator 
-                            AttributeId="urn:siteA:security:authz:1.0:attr" 
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
         </Target>
     </Rule>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml

@@ -21 +21 @@
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -45 +45 @@
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -66 +66 @@
                     <!-- Match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -82 +82 @@
         -->
         <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
+                        <SubjectAttributeDesignator 
+                            AttributeId="urn:siteA:security:authz:1.0:attr" 
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
             <Resources>
                 <Resource>
                     <!-- Match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>
             </Resources>
-            <Subjects>
-                <Subject>
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
-                        <SubjectAttributeDesignator 
-                            AttributeId="urn:siteA:security:authz:1.0:attr" 
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue>
-                    </SubjectMatch>
-                </Subject>
-            </Subjects>
         </Target>
     </Rule>
@@ -116 +116 @@
                     <!-- Match 'test_securedURI' -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue>
                     </ResourceMatch>
                 </Resource>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py

@@ -164 +164 @@
         try:
             attributeValuesB2 = pipB.attributeQuery(ctx, designator)
-            self.fail("Expected URLError exception for call with no-caching set")
+            self.fail("Expected URLError exception for call with no-caching "
+                      "set")
         except URLError, e:
             print("Pass: expected %r error for call with no-caching set" % e)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/test_authz.py

@@ -333 +333 @@
     INI_FILE = 'pep-result-handler-test.ini'
     AUTHZ_FILTER_SECTION = 'filter:AuthZFilter'
-    AUTHZ_RESULT_HANDLER_REDIRECT_URI_OPTNAME = 'authz.resultHandler.redirectURI'
+    AUTHZ_RESULT_HANDLER_REDIRECT_URI_OPTNAME = \
+        'authz.resultHandler.redirectURI'
     
     def __init__(self, *arg, **kw):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml

@@ -17 +17 @@
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -42 +42 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/dap/data/my.nc.dods\?time\[0:1:0\]&amp;lat$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/dap/data/my.nc.dods\?time\[0:1:0\]&amp;lat$</AttributeValue>
                     </ResourceMatch>
                 </Resource>
@@ -76 +76 @@
                 <Resource>
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                         <ResourceAttributeDesignator
                             AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                     </ResourceMatch>
                 </Resource>