Changeset 7698 for TI12-security/trunk

Timestamp:

04/11/10 13:55:40 (10 years ago)

Author:

pjkersha

Message:

Integrated SAML ESGF Group/Role? attribute value type into SAML Attribute Authority client unit tests.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• Tests/esg_integration/test_attributeserviceclient.cfg (modified) (3 diffs)
• Tests/esg_integration/test_attributeserviceclient.py (modified) (2 diffs)
• ndg_security_common/ndg/security/common/saml_utils/esgf/__init__.py (modified) (8 diffs)
• ndg_security_common/ndg/security/common/saml_utils/esgf/xml/etree.py (modified) (10 diffs)
• ndg_security_common/ndg/security/common/utils/factory.py (modified) (6 diffs)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/myproxy/certificate_extapp/saml_attribute_assertion.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (7 diffs)
• ndg_security_server/ndg/security/server/xacml/esgf_ext.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (7 diffs)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/sitea_attributeinterface.py (modified) (5 diffs)
• ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py (modified) (11 diffs)
• ndg_security_test/ndg/security/test/unit/attributeauthorityclient/README (deleted)
• ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.cfg (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.py (modified) (10 diffs)
• ndg_security_test/ndg/security/test/unit/authz/xacml/saml_ctx_handler.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_ctx_handler.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py (modified) (5 diffs)
• ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/test_saml_attribute_assertion.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/attribute-interface.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapattributeinterface.py (modified) (5 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/Tests/esg_integration/test_attributeserviceclient.cfg

@@ -16 +16 @@
 subject = https://esg.prototype.ucar.edu/myopenid/testUser
 
-attributeQuery.deserialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.fromXML
+attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML
 attributeQuery.subjectIdFormat = urn:esg:openid
 attributeQuery.clockSkewTolerance = 1.
@@ -35 +35 @@
 subject = https://esg.prototype.ucar.edu/myopenid/testUser
 
-attributeQuery.deserialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.fromXML
+attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML
 attributeQuery.subjectIdFormat = urn:esg:openid
 attributeQuery.clockSkewTolerance = 1.
@@ -54 +54 @@
 subject = https://ceda.ac.uk/openid/Philip.Kershaw
 
-attributeQuery.deserialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.fromXML
+attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML
 attributeQuery.subjectIdFormat = urn:esg:openid
 attributeQuery.clockSkewTolerance = 1.

TI12-security/trunk/NDGSecurity/python/Tests/esg_integration/test_attributeserviceclient.py

@@ -22 +22 @@
                                         AttributeQuerySslSOAPBinding)
 
-from ndg.security.common.saml_utils.esg.xml.etree import EsgResponseElementTree
+from ndg.security.common.saml_utils.esgf.xml.etree import ESGFResponseElementTree
 from ndg.security.common.utils.etree import prettyPrint
 from ndg.security.common.utils.configfileparsers import (
@@ -54 +54 @@
         response = binding.send(uri=uri)
         
-        # EsgResponseElementTree has an extension to support ESG Group/Role 
+        # ESGFResponseElementTree has an extension to support ESG Group/Role 
         # Attribute Value 
-        samlResponseElem = EsgResponseElementTree.toXML(response)
+        samlResponseElem = ESGFResponseElementTree.toXML(response)
         
         print("SAML Response ...")

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/esgf/__init__.py

@@ -9 +9 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
-from ndg.saml.saml2.core import XSStringAttributeValue, AttributeValue, Attribute
+from ndg.saml.saml2.core import (XSStringAttributeValue, AttributeValue, 
+                                 Attribute)
 from ndg.saml.common.xml import QName, SAMLConstants
 
@@ -15 +16 @@
 
 
-class  _MetaEsgSamlNamespaces(type):
+class  _MetaESGFSamlNamespaces(type):
     """Meta class enables read-only constants"""
     @property
@@ -46 +47 @@
 
  
-class EsgSamlNamespaces(object):
+class ESGFSamlNamespaces(object):
     """Earth System Grid specific constants for use with SAML assertions"""
-    __metaclass__ = _MetaEsgSamlNamespaces
+    __metaclass__ = _MetaESGFSamlNamespaces
     
     
-class XSGroupRoleAttributeValue(AttributeValue): 
+class ESGFGroupRoleAttributeValue(AttributeValue): 
     '''ESG Specific Group/Role attribute value.  ESG attribute permissions are
     organised into group/role pairs
@@ -61 +62 @@
     GROUP_ATTRIB_NAME = "group"
     ROLE_ATTRIB_NAME = "role"
+    DEFAULT_ROLE_NAME = "default"
     
     # QName of the XSI type
@@ -125 +127 @@
      
     def _setGroup(self, group): 
+        if not isinstance(group, basestring):
+            raise TypeError('Expecting a string type for "group" attribute; '
+                            'got %r' % type(group))
         self.__group = group
      
-    group = property(fget=_getGroup, fset=_setGroup)
+    group = property(fget=_getGroup, fset=_setGroup, doc="Group value")
      
     def _getRole(self):
@@ -133 +138 @@
      
     def _setRole(self, role):
+        if not isinstance(role, basestring):
+            raise TypeError('Expecting a string type for "role" attribute; '
+                            'got %r' % type(role))           
         self.__role = role
      
-    role = property(fget=_getRole, fset=_setRole)
+    role = property(fget=_getRole, fset=_setRole, doc="Role value")
 
+    def _setValue(self, value):
+        if not isinstance(value, (tuple, list)) and len(value) != 2:
+            raise TypeError('Expecting a two element tuple or list for group/'
+                            'role value; got %r' % type(value))
+            
+        self.group, self.role = value
+        
+    def _getValue(self):
+        return self.group, self.role
+    
+    value = property(_getValue, _setValue, 
+                     doc="group/role attribute value tuple")
+    
     def getOrderedChildren(self):
         # no children
@@ -142 +163 @@
 
 
-class EsgDefaultQueryAttributes(object):    
+class ESGFDefaultQueryAttributes(object):    
     XSSTRING_NS = "%s#%s" % (
         SAMLConstants.XSD_NS,
@@ -150 +171 @@
     ATTRIBUTES = TypedList(Attribute)
     N_ATTRIBUTES = 3
-    ATTRIBUTES += [Attribute(),]*N_ATTRIBUTES
+    i = 0
+    for i in range(N_ATTRIBUTES): 
+        ATTRIBUTES.append(Attribute())
+    del i
     
-    ATTRIBUTES[0].name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME 
-    ATTRIBUTES[0].friendlyName = EsgSamlNamespaces.FIRSTNAME_FRIENDLYNAME
+    ATTRIBUTES[0].name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME 
+    ATTRIBUTES[0].friendlyName = ESGFSamlNamespaces.FIRSTNAME_FRIENDLYNAME
     ATTRIBUTES[0].nameFormat = XSSTRING_NS
 
-    ATTRIBUTES[1].name = EsgSamlNamespaces.LASTNAME_ATTRNAME 
-    ATTRIBUTES[1].friendlyName = EsgSamlNamespaces.LASTNAME_FRIENDLYNAME
+    ATTRIBUTES[1].name = ESGFSamlNamespaces.LASTNAME_ATTRNAME 
+    ATTRIBUTES[1].friendlyName = ESGFSamlNamespaces.LASTNAME_FRIENDLYNAME
     ATTRIBUTES[1].nameFormat = XSSTRING_NS
     
-    ATTRIBUTES[2].name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
-    ATTRIBUTES[2].friendlyName = EsgSamlNamespaces.EMAILADDRESS_FRIENDLYNAME
+    ATTRIBUTES[2].name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
+    ATTRIBUTES[2].friendlyName = ESGFSamlNamespaces.EMAILADDRESS_FRIENDLYNAME
     ATTRIBUTES[2].nameFormat =  XSSTRING_NS

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/saml_utils/esgf/xml/etree.py

@@ -19 +19 @@
                                 QName)
 
-from ndg.security.common.saml_utils.esg import XSGroupRoleAttributeValue
+from ndg.security.common.saml_utils.esgf import ESGFGroupRoleAttributeValue
 
 
-class XSGroupRoleAttributeValueElementTree(AttributeValueElementTreeBase,
-                                           XSGroupRoleAttributeValue):
+class ESGFGroupRoleAttributeValueElementTree(AttributeValueElementTreeBase,
+                                             ESGFGroupRoleAttributeValue):
     """ElementTree XML representation of Earth System Grid custom Group/Role 
     Attribute Value""" 
@@ -32 +32 @@
         Attribute Value
         
-        @type assertion: saml.saml2.core.XSGroupRoleAttributeValue
-        @param assertion: XSGroupRoleAttributeValue to be represented as an 
-        ElementTree Element
+        @type attributeValue: ndg.security.common.saml_utils.esgf.ESGFGroupRoleAttributeValue
+        @param attributeValue: Group/Role Attribute Value to be represented as 
+        an ElementTree Element
         @rtype: ElementTree.Element
         @return: ElementTree Element
@@ -40 +40 @@
         elem = AttributeValueElementTreeBase.toXML(attributeValue)
         
-        if not isinstance(attributeValue, XSGroupRoleAttributeValue):
+        if not isinstance(attributeValue, ESGFGroupRoleAttributeValue):
             raise TypeError("Expecting %r type; got: %r" % 
-                            (XSGroupRoleAttributeValue, type(attributeValue)))
+                            (ESGFGroupRoleAttributeValue, type(attributeValue)))
             
         ElementTree._namespace_map[attributeValue.namespaceURI
@@ -62 +62 @@
     def fromXML(cls, elem):
         """Parse ElementTree ESG Group/Role attribute element into a SAML 
-        XSGroupRoleAttributeValue object
+        ESGFGroupRoleAttributeValue object
         
         @type elem: ElementTree.Element
         @param elem: Attribute value as ElementTree XML element
-        @rtype: saml.saml2.core.XSGroupRoleAttributeValue
+        @rtype: saml.saml2.core.ESGFGroupRoleAttributeValue
         @return: SAML ESG Group/Role Attribute value
         """
@@ -95 +95 @@
 
                                       
-        attributeValue = XSGroupRoleAttributeValue()
+        attributeValue = ESGFGroupRoleAttributeValue()
         groupName = childElem.attrib.get(cls.GROUP_ATTRIB_NAME)
         if groupName is None:
@@ -105 +105 @@
         roleName = childElem.attrib.get(cls.ROLE_ATTRIB_NAME)
         if roleName is None:
-            raise XMLTypeParseError('No "%s" attribute found in Group/Role '
-                                    'attribute element' % 
-                                    cls.GROUP_ATTRIB_NAME)
+            roleName = cls.DEFAULT_ROLE_NAME
+            
         attributeValue.role = roleName
 
@@ -115 +114 @@
     def factoryMatchFunc(cls, elem):
         """Match function used by AttributeValueElementTreeFactory to
-        determine whether the given attribute is XSGroupRole type
+        determine whether the given attribute is ESGFGroupRoleAttributeValue
+        type
         
         @type elem: ElementTree.Element
         @param elem: Attribute value as ElementTree XML element
-        @rtype: saml.saml2.core.XSGroupRoleAttributeValue or None
-        @return: SAML ESG Group/Role Attribute Value class if elem is an
+        @rtype: ndg.security.common.saml_utils.etree.ESGFGroupRoleAttributeValue
+        or None
+        @return: SAML ESGF Group/Role Attribute Value class if elem is an
         Group/role type element or None if if doesn't match this type 
         """
@@ -140 +141 @@
 
 
-class EsgResponseElementTree(ResponseElementTree):
+class ESGFResponseElementTree(ResponseElementTree):
     """Extend ResponseElementTree type for Attribute Query Response to include 
     ESG custom Group/Role Attribute support"""
@@ -146 +147 @@
     @classmethod
     def toXML(cls, response, **kw):
-        # Add mapping for ESG Group/Role Attribute Value to enable ElementTree
-        # Attribute Value factory to render the XML output
+        """Extend base method adding mapping for ESG Group/Role Attribute Value 
+        to enable ElementTree Attribute Value factory to render the XML output
+        
+        @type response: ndg.security.common.saml_utils.etree.ESGFGroupRoleAttributeValue
+        @param response: ESGF Group/Role attribute value 
+        @rtype: ElementTree.Element
+        @return: ESGF Group/Role attribute value as ElementTree.Element
+        """
         toXMLTypeMap = kw.get('customToXMLTypeMap', {})
-        toXMLTypeMap[XSGroupRoleAttributeValue
-                     ] = XSGroupRoleAttributeValueElementTree
+        toXMLTypeMap[ESGFGroupRoleAttributeValue
+                     ] = ESGFGroupRoleAttributeValueElementTree
         
         kw['customToXMLTypeMap'] = toXMLTypeMap
@@ -160 +167 @@
     @classmethod
     def fromXML(cls, elem, **kw):
+        """Extend base method adding mapping for ESG Group/Role Attribute Value
+         
+        @type elem: ElementTree.Element
+        @param elem: ESGF Group/Role attribute value as ElementTree.Element
+        @rtype: ndg.security.common.saml_utils.etree.ESGFGroupRoleAttributeValue
+        @return: ESGF Group/Role attribute value 
+        """
         toSAMLTypeMap = kw.get('customToSAMLTypeMap', [])
         toSAMLTypeMap.append(
-                        XSGroupRoleAttributeValueElementTree.factoryMatchFunc)
+                        ESGFGroupRoleAttributeValueElementTree.factoryMatchFunc)
         kw['customToSAMLTypeMap'] = toSAMLTypeMap
         

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/factory.py

@@ -38 +38 @@
             except ValueError:
                 raise ValueError('Invalid module name %r set for import: %s' %
-                                 (moduleName, traceback.format_exc()))
-                
-            objectName = [objectName]
+                                 (moduleName, traceback.format_exc()))        
     else:
         _moduleName = moduleName
-        if isinstance(objectName, basestring):
-            objectName = [objectName]
+        
+    if isinstance(objectName, basestring):
+        objectName = [objectName]
     
     log.debug("Importing %r ..." % objectName) 
@@ -53 +52 @@
         for component in components[1:]:
             module = getattr(module, component)
-    except AttributeError, e:
+    except AttributeError:
         raise AttributeError("Error importing %r: %s" %
                              (objectName, traceback.format_exc()))
@@ -71 +70 @@
 
 def callModuleObject(moduleName, objectName=None, moduleFilePath=None, 
-                     objectType=None, objectArgs=(), objectProperties={}):
+                     objectType=None, objectArgs=None, objectProperties=None):
     '''
     Create and return an instance of the specified class or invoke callable
@@ -90 +89 @@
     @return: object - instance of the class specified 
     '''
-
     
     # ensure that properties is a dict - NB, it may be passed in as a null
@@ -97 +95 @@
         objectProperties = {}
 
+    if not objectArgs:
+        objectArgs = ()
+        
     # variable to store original state of the system path
     sysPathBak = None
@@ -131 +132 @@
 
     # Instantiate class
-    log.debug('Instantiating object "%s"' % importedObject.__name__)
+    log.debug('Instantiating object "%s"', importedObject.__name__)
     try:
         if objectArgs:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -36 +36 @@
                                  StatusCode, StatusMessage)
 
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.common.X509 import X500DN
 from ndg.security.common.utils import TypedList
@@ -461 +461 @@
         utcNow = datetime.utcnow()
         if (attributeQuery.subject.nameID.format != 
-            EsgSamlNamespaces.NAMEID_FORMAT):
+            ESGFSamlNamespaces.NAMEID_FORMAT):
             log.error('SAML Attribute Query subject format is %r; expecting '
                       '%r' % (attributeQuery.subject.nameID.format,
-                                EsgSamlNamespaces.NAMEID_FORMAT))
+                                ESGFSamlNamespaces.NAMEID_FORMAT))
             samlResponse.status.statusCode.value = StatusCode.REQUESTER_URI
             samlResponse.status.statusMessage.value = \

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/myproxy/certificate_extapp/saml_attribute_assertion.py

@@ -41 +41 @@
 from ndg.saml.saml2.binding.soap.client.attributequery import \
                                                 AttributeQuerySslSOAPBinding
-from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces,
-                                                EsgDefaultQueryAttributes)
+from ndg.security.common.saml_utils.esgf import (ESGFSamlNamespaces,
+                                                ESGFDefaultQueryAttributes)
 from ndg.security.common.utils.etree import prettyPrint
 from ndg.security.common.X509 import X500DN
@@ -104 +104 @@
     assertion for inclusion by MyProxy into an issued certificate
     """
-    DEFAULT_QUERY_ATTRIBUTES = EsgDefaultQueryAttributes.ATTRIBUTES
+    DEFAULT_QUERY_ATTRIBUTES = ESGFDefaultQueryAttributes.ATTRIBUTES
     N_DEFAULT_QUERY_ATTRIBUTES = len(DEFAULT_QUERY_ATTRIBUTES)
-    ESG_NAME_ID_FORMAT = EsgSamlNamespaces.NAMEID_FORMAT
+    ESG_NAME_ID_FORMAT = ESGFSamlNamespaces.NAMEID_FORMAT
     
     CONNECTION_STRING_OPTNAME = 'connectionString'

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -32 +32 @@
 
 from ndg.security.server.xacml.pip.saml_pip import PIP
+from ndg.security.common.utils.factory import importModuleObject
 
 
@@ -79 +80 @@
         '__issuerProxy', 
         '__assertionLifetime',
+        '__xacmlExtFunc'
     )
     
@@ -92 +94 @@
         self.__assertionLifetime = 0.
         self.__policyFilePath = None
-    
+        self.__xacmlExtFunc = None
+
+    def _getXacmlExtFunc(self):
+        """Get XACML extensions function"""
+        return self.__xacmlExtFunc
+
+    def _setXacmlExtFunc(self, value):
+        """Set XACML extensions function"""
+        if isinstance(value, basestring):
+            self.__xacmlExtFunc = importModuleObject(value)
+            
+        elif callable(value):
+            self.__xacmlExtFunc = value
+            
+        else:
+            raise TypeError('Expecting module object import path string or '
+                            'callable; got %r' % type(value))
+            
+    xacmlExtFunc = property(_getXacmlExtFunc, _setXacmlExtFunc, 
+                            doc="Function or other callable which will be "
+                                "called to set any XACML specific "
+                                "extensions such as new custom attribute value "
+                                "types.  The function should accept no input "
+                                "arguments and any return value is ignored")   
+    
+    def load(self):
+        """Load Policy file, mapping file and extensions function.  In each case
+        load only if they're set
+        """
+        if self.policyFilePath:
+            self.pdp = PDP.fromPolicySource(self.policyFilePath, 
+                                            XacmlPolicyReaderFactory)
+        
+        if self.pip.mappingFilePath:
+            self.pip.readMappingFile()
+            
+        if self.xacmlExtFunc:
+            self.xacmlExtFunc()
+        
     @classmethod
     def fromConfig(cls, cfg, **kw):
@@ -105 +145 @@
         
         # Post initialisation steps - load policy and PIP mapping file
-        if obj.policyFilePath:
-            obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
-                                           XacmlPolicyReaderFactory)
-        
-        if obj.pip.mappingFilePath:
-            obj.pip.readMappingFile()
-            
+        obj.load()
+           
         return obj
 
@@ -159 +194 @@
         
         def _setAttr(__optName):
-            # Check for PIP attribute related items
+            """Convenience function to check for PIP attribute related items
+            """
             if __optName.startswith(pipPrefix):
                 if self.pip is None:    
@@ -211 +247 @@
         
         # Post initialisation steps - load policy and PIP mapping file
-        if obj.policyFilePath:
-            obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
-                                           XacmlPolicyReaderFactory)
-        
-        if obj.pip.mappingFilePath:
-            obj.pip.readMappingFile()
+        obj.load()
                        
         return obj
@@ -492 +523 @@
 
         return response
+

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/esgf_ext.py

@@ -13 +13 @@
 log = logging.getLogger(__name__)
 
+from ndg.xacml.core.functions import functionMap
 from ndg.xacml.core.functions.v1.bag import BagBase
 from ndg.xacml.core.functions.v1.at_least_one_member_of import \
     AtLeastOneMemberOfBase 
-from ndg.xacml.core.attributevalue import AttributeValueClassFactory
+from ndg.xacml.core.attributevalue import (AttributeValue,
+                                           AttributeValueClassFactory)
 from ndg.xacml.parsers import XMLParseError
 from ndg.xacml.parsers.etree.attributevaluereader import (
@@ -68 +70 @@
         return self.__group
     
-    @property.setter
+    @group.setter
     def group(self, value):
         """@param value: new group value to set
@@ -86 +88 @@
         return self.__role
     
-    @property.setter
+    @role.setter
     def role(self, value):
         """@param value: new role value to set
@@ -155 +157 @@
             if localName == attributeValue.__class__.ROLE_ELEMENT_LOCAL_NAME:
                 attributeValue.role = subElem.text
+                
             elif localName == attributeValue.__class__.GROUP_ELEMENT_LOCAL_NAME:
                 attributeValue.group = subElem.text
+                
             else:
                 raise XMLParseError('%r ESG Group/Role sub-element not '
                                     'recognised' % localName) 
+
+
+def addEsgfXacmlSupport():
+    """Add custom Earth System Grid types to XACML Classes.  This includes
+    the Group/Role Attribute type, and associated ElementTree based parser,
+    and XACML bag and at least one member functions
+    """
+    
+    # Add Group/Role type
+    AttributeValueClassFactory.addClass(ESGFGroupRoleAttributeValue.IDENTIFIER, 
+                                        ESGFGroupRoleAttributeValue)
+    
+    # Add new parser for this type
+    DataTypeReaderClassFactory.addReader(ESGFGroupRoleAttributeValue.IDENTIFIER,
+                                         ETreeESGFGroupRoleDataTypeReader)
+    
+    # Add extra matching and bag functions
+    functionMap[ESGFGroupRoleBag.FUNCTION_NS] = ESGFGroupRoleBag
+    functionMap[ESGFGroupRoleAtLeastOneMemberOf.FUNCTION_NS
+                ] = ESGFGroupRoleAtLeastOneMemberOf

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -45 +45 @@
     __slots__ = ('__session', )
     
-    def __init__(self, _id, data_dir=None):
+    def __init__(self, _id, data_dir=None, timeout=None):
         """
         @param _id: unique identifier for session to be created, or one to reload
@@ -55 +55 @@
         If set to None, sessions are cached in memory only.
         @type data_dir: None type / basestring
+        @param timeout: time in seconds for individual caches' lifetimes.  Set 
+        to None to set no expiry.
+        @type timeout: float/int/long or None type
         """                
         # Expecting URIs for Ids, make them safe for storage by encoding first
@@ -64 +67 @@
         self.__session = beaker.session.Session({}, id=encodedId, 
                                                 data_dir=data_dir,
+                                                timeout=timeout,
                                                 use_cookies=False)
         if 'wallet' not in self.__session:
@@ -153 +157 @@
         '__cacheSessions',
         '__sessionCacheDataDir',
+        '__sessionCacheTimeout',
         '__sessionCache'
     )
     
-    def __init__(self, sessionCacheDataDir=None):
+    def __init__(self, sessionCacheDataDir=None, sessionCacheTimeout=None):
         '''Initialise settings for connection to an Attribute Authority
         
@@ -164 +169 @@
         If set to None, sessions are cached in memory only.
         @type sessionCacheDataDir: None type / basestring
+        @param sessionCacheTimeout: time in seconds for individual caches' 
+        lifetimes.  Set to None to set no expiry.
+        @type sessionCacheTimeout: float/int/long/string or None type
         '''
+        self.sessionCacheDataDir = sessionCacheDataDir
+        self.sessionCacheTimeout = sessionCacheTimeout
+        
         self.__subjectAttributeId = None
         self.__mappingFilePath = None
@@ -175 +186 @@
         
         self.__cacheSessions = True
-        self.__sessionCacheDataDir = sessionCacheDataDir
         self.__sessionCache = None
+
+    def _getSessionCacheTimeout(self):
+        return self.__sessionCacheTimeout
+
+    def _setSessionCacheTimeout(self, value):
+        if value is None:
+            self.__sessionCacheTimeout = value
+         
+        elif isinstance(value, basestring):
+            self.__sessionCacheTimeout = float(value)
+             
+        elif isinstance(value, (int, float, long)):
+            self.__sessionCacheTimeout = value
+            
+        else:
+            raise TypeError('Expecting None, float, int, long or string type; '
+                            'got %r' % type(value))
+
+    sessionCacheTimeout = property(_getSessionCacheTimeout, 
+                                   _setSessionCacheTimeout, 
+                                   doc='Set individual session caches to '
+                                       'timeout after this period (seconds).  '
+                                       'Set to None to have no timeout')
 
     def _getCacheSessions(self):
@@ -423 +456 @@
         if self.cacheSessions:
             sessionCache = SessionCache(subjectId,
-                                        data_dir=self.__sessionCacheDataDir)
+                                        data_dir=self.__sessionCacheDataDir,
+                                        timeout=self.__sessionCacheTimeout)
             assertions = sessionCache.retrieve(attributeAuthorityURI)
         else:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

@@ -60 +60 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.mountPath = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/sitea_attributeinterface.py

@@ -15 +15 @@
 
 from ndg.saml.common.xml import SAMLConstants
-from ndg.saml.saml2.core import (Assertion, Attribute, AttributeStatement, Issuer,
-                             SAMLVersion, Subject, NameID, Conditions,
-                             XSStringAttributeValue)
+from ndg.saml.saml2.core import (Assertion, Attribute, AttributeStatement, 
+                                 Issuer, SAMLVersion, Subject, NameID, 
+                                 Conditions, XSStringAttributeValue)
 
+from ndg.security.common.saml_utils.esgf import (ESGFSamlNamespaces,
+                                                 ESGFGroupRoleAttributeValue)
 from ndg.security.common.X509 import X500DN
 from ndg.security.server.attributeauthority import (AttributeInterface, 
@@ -34 +36 @@
 
     SAML_ATTRIBUTE_NAMES = ATTRIBUTE_NAMES + (
-        'urn:esg:email:address',
-        'urn:esg:first:name', 
-        'urn:esg:last:name'
+        ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME,
+        ESGFSamlNamespaces.FIRSTNAME_ATTRNAME, 
+        ESGFSamlNamespaces.LASTNAME_ATTRNAME,
+        'urn:esg:sitea:grouprole'
     )
     
@@ -43 +46 @@
         ('p.kershaw@somewhere.ac.uk',),
         ('Philip',),
-        ('Kershaw',)
+        ('Kershaw',),
+        (('siteagroup', 'default'),)
     )
     
@@ -49 +53 @@
         "EmailAddress",
         "FirstName",
-        "LastName"
+        "LastName",
+        "groupRole"
     )
-    SAML_ATTRIBUTE_FORMATS = (SAMLConstants.XSD_NS+"#"+\
-                              XSStringAttributeValue.TYPE_LOCAL_NAME,) * \
-                              len(SAML_ATTRIBUTE_NAMES)
+    SAML_ATTRIBUTE_FORMATS = (
+        SAMLConstants.XSD_NS+"#"+XSStringAttributeValue.TYPE_LOCAL_NAME,) * (
+        len(SAML_ATTRIBUTE_NAMES)-1) + \
+        (ESGFGroupRoleAttributeValue.TYPE_LOCAL_NAME, )
+    
     SAML_ATTRIBUTES = []
     
+    name, val, vals, format, friendlyName = (None, None, None, None, None)
     for name, vals, format, friendlyName in zip(SAML_ATTRIBUTE_NAMES,
-                                               SAML_ATTRIBUTE_VALUES,
-                                               SAML_ATTRIBUTE_FORMATS,
-                                               SAML_ATTRIBUTE_FRIENDLY_NAMES):
+                                                SAML_ATTRIBUTE_VALUES,
+                                                SAML_ATTRIBUTE_FORMATS,
+                                                SAML_ATTRIBUTE_FRIENDLY_NAMES):
         SAML_ATTRIBUTES.append(Attribute())
         SAML_ATTRIBUTES[-1].name = name
@@ -65 +73 @@
         SAML_ATTRIBUTES[-1].friendlyName = friendlyName
         for val in vals:
-            SAML_ATTRIBUTES[-1].attributeValues.append(XSStringAttributeValue())
-            SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
+            if isinstance(val, tuple):
+                SAML_ATTRIBUTES[-1].attributeValues.append(
+                                                ESGFGroupRoleAttributeValue())
+                SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
+            else:
+                SAML_ATTRIBUTES[-1].attributeValues.append(
+                                                XSStringAttributeValue())
+                SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
 
     del name, val, vals, format, friendlyName

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

@@ -377 +377 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.mountPath = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py

@@ -37 +37 @@
                                  StatusCode)
 from ndg.saml.xml import XMLConstants
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 
 THIS_DIR = path.dirname(__file__)
@@ -139 +139 @@
         # Define queries for SAML attribute names
         attributeInterface.samlAttribute2SqlQuery_firstName = '"%s" "%s"' % (
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME,                                                               
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME,                                                               
             SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY)
             
         setattr(attributeInterface, 
                 'samlAttribute2SqlQuery.lastName',
-                "%s %s" % (EsgSamlNamespaces.LASTNAME_ATTRNAME,
+                "%s %s" % (ESGFSamlNamespaces.LASTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY))
         
         attributeInterface.samlAttribute2SqlQuery[
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME] = (
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME] = (
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY)
         
@@ -170 +170 @@
                 
             'samlAttribute2SqlQuery.firstname': '"%s" "%s"' % (
-                EsgSamlNamespaces.FIRSTNAME_ATTRNAME,
+                ESGFSamlNamespaces.FIRSTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY),
             
             'samlAttribute2SqlQuery.blah': '"%s" "%s"' % (
-                EsgSamlNamespaces.LASTNAME_ATTRNAME,
+                ESGFSamlNamespaces.LASTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY),
         
             'samlAttribute2SqlQuery.3': '%s "%s"' % (
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME,
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME,
             SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY),
         
@@ -195 +195 @@
         self.assert_(
             attributeInterface.samlAttribute2SqlQuery[
-                EsgSamlNamespaces.FIRSTNAME_ATTRNAME] == \
+                ESGFSamlNamespaces.FIRSTNAME_ATTRNAME] == \
             SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY)
         
@@ -219 +219 @@
         self.assert_(
             attributeInterface.samlAttribute2SqlQuery[
-                EsgSamlNamespaces.EMAILADDRESS_ATTRNAME] == \
+                ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME] == \
             SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY)
 
@@ -239 +239 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = \
                                 SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
         
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         fnAttribute.friendlyName = "FirstName"
@@ -251 +251 @@
     
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         lnAttribute.friendlyName = "LastName"
@@ -258 +258 @@
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         emailAddressAttribute.friendlyName = "EmailAddress"
@@ -295 +295 @@
         # Define queries for SAML attribute names
         samlAttribute2SqlQuery = {
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY,
             
-            EsgSamlNamespaces.LASTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.LASTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY,
         
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME: 
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY,
         
@@ -357 +357 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = \
                                 SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = "InvalidFormat"
         emailAddressAttribute.friendlyName = "EmailAddress"
@@ -399 +399 @@
         # Define queries for SAML attribute names
         samlAttribute2SqlQuery = {
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY,
             
-            EsgSamlNamespaces.LASTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.LASTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY,
         
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME: 
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY,
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.cfg

@@ -34 +34 @@
 saml.deserialise = ndg.saml.xml.etree:ResponseElementTree.fromXML
 
-[test05AttributeQuerySOAPBindingInterface]
+[test05AttributeQueryWithESGFAttributeType]
+uri = http://localhost:5000/AttributeAuthority/
+subject = https://openid.localhost/philip.kershaw
+prefix = saml.
+saml.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML
+saml.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML
+
+[test06AttributeQuerySOAPBindingInterface]
 uri = http://localhost:5000/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw
 
-[test06AttributeQueryFromConfig]
+[test07AttributeQueryFromConfig]
 uri = http://localhost:5000/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw
@@ -48 +55 @@
 attributeQuery.queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
 
-[test07AttributeQuerySslSOAPBindingInterface]
+[test08AttributeQuerySslSOAPBindingInterface]
 uri = https://localhost:5443/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.py

@@ -28 +28 @@
                                         AttributeQuerySOAPBinding, 
                                         AttributeQuerySslSOAPBinding)
-from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces,
-                                                EsgDefaultQueryAttributes)
+from ndg.security.common.saml_utils.esgf import (ESGFSamlNamespaces,
+                                                 ESGFDefaultQueryAttributes,
+                                                 ESGFGroupRoleAttributeValue)
+from ndg.security.common.saml_utils.esgf.xml.etree import (
+                                        ESGFGroupRoleAttributeValueElementTree,
+                                        ESGFResponseElementTree)
+from ndg.security.common.utils.etree import prettyPrint
 from ndg.security.test.unit.attributeauthorityclient import \
                                         AttributeAuthorityClientBaseTestCase
-from ndg.security.common.utils.etree import prettyPrint
-
+   
    
 class AttributeAuthoritySAMLInterfaceTestCase(
@@ -64 +68 @@
         attributeQuery.subject = Subject()
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
                                         XSStringAttributeValue.TYPE_LOCAL_NAME
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = xsStringNs
         fnAttribute.friendlyName = "FirstName"
@@ -76 +80 @@
     
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = xsStringNs
         lnAttribute.friendlyName = "LastName"
@@ -83 +87 @@
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = xsStringNs
         emailAddressAttribute.friendlyName = "emailAddress"
@@ -132 +136 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -172 +176 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -212 +216 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -238 +242 @@
         self.assert_(response.status.statusCode.value==\
                      StatusCode.INVALID_ATTR_NAME_VALUE_URI)
-        
-    def test05AttributeQuerySOAPBindingInterface(self):
-        _cfg = self.cfg['test05AttributeQuerySOAPBindingInterface']
+             
+    def test05AttributeQueryWithESGFAttributeType(self):
+        # Test interface with custom ESGF Group/Role attribute type
+        thisSection = 'test05AttributeQueryWithESGFAttributeType'
+        _cfg = self.cfg[thisSection]
+        
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = "/CN=Authorisation Service/O=Site A"    
+                        
+        attributeQuery.subject = Subject()  
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = _cfg['subject']
+        
+        groupRoleAttribute = Attribute()
+        groupRoleAttribute.name = 'urn:esg:sitea:grouprole'
+        groupRoleAttribute.nameFormat = \
+            ESGFGroupRoleAttributeValue.TYPE_LOCAL_NAME
+        
+        attributeQuery.attributes.append(groupRoleAttribute) 
+
+        binding = SOAPBinding.fromConfig(
+                     AttributeAuthoritySAMLInterfaceTestCase.CONFIG_FILEPATH, 
+                     prefix='saml.',
+                     section=thisSection)
+        
+        response = binding.send(attributeQuery, _cfg['uri'])
+        
+        samlResponseElem = ResponseElementTree.toXML(response)
+        
+        print("SAML Response ...")
+        print(ElementTree.tostring(samlResponseElem))
+        print("Pretty print SAML Response ...")
+        print(prettyPrint(samlResponseElem))
+        
+        self.assert_(response.assertions[0].attributeStatements[0].attributes[0
+            ].attributeValues[0].value == ('siteagroup', 'default'))
+        
+        self.assert_(response.status.statusCode.value == StatusCode.SUCCESS_URI)
+       
+    def test06AttributeQuerySOAPBindingInterface(self):
+        _cfg = self.cfg['test06AttributeQuerySOAPBindingInterface']
         
         binding = AttributeQuerySOAPBinding()
         
         binding.subjectID = AttributeAuthoritySAMLInterfaceTestCase.OPENID_URI
-        binding.subjectIdFormat = EsgSamlNamespaces.NAMEID_FORMAT
+        binding.subjectIdFormat = ESGFSamlNamespaces.NAMEID_FORMAT
         binding.issuerName = \
             str(AttributeAuthoritySAMLInterfaceTestCase.VALID_REQUESTOR_IDS[0])
         binding.issuerFormat = Issuer.X509_SUBJECT
         
-        binding.queryAttributes = EsgDefaultQueryAttributes.ATTRIBUTES
+        binding.queryAttributes = ESGFDefaultQueryAttributes.ATTRIBUTES
         
         response = binding.send(uri=_cfg['uri'])
@@ -262 +311 @@
         self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
 
-    def test06AttributeQueryFromConfig(self):
-        thisSection = 'test06AttributeQueryFromConfig'
+    def test07AttributeQueryFromConfig(self):
+        thisSection = 'test07AttributeQueryFromConfig'
         _cfg = self.cfg[thisSection]
         
@@ -280 +329 @@
         self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
         
-    def test07AttributeQuerySslSOAPBindingInterface(self):
-        thisSection = 'test07AttributeQuerySslSOAPBindingInterface'
+    def test08AttributeQuerySslSOAPBindingInterface(self):
+        thisSection = 'test08AttributeQuerySslSOAPBindingInterface'
         _cfg = self.cfg[thisSection]
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_ctx_handler.cfg

@@ -21 +21 @@
 saml_ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 saml_ctx_handler.assertionLifetime = 86400
+
+# Add Earth System Grid custom types and functions to XACML
+saml_ctx_handler.xacmlExtFunc = ndg.security.server.xacml.esgf_ext:addEsgfXacmlSupport
 
 #

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg

@@ -23 +23 @@
 saml_pip.sessionCacheDataDir = %(here)s/query-results-cache
 
+# Timeout cache in 30mins
+saml_pip.sessionCacheTimeout = 1800
+
 # The attribute ID of the subject value to extract from the XACML request
 # context and pass in the SAML attribute query

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_ctx_handler.py

@@ -56 +56 @@
         self.assert_(handler.issuerFormat)
         self.assert_(handler.assertionLifetime)
+        self.assert_(handler.xacmlExtFunc)
+        
         
 if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py

@@ -59 +59 @@
         
         setattr(pip, 'sessionCacheDataDir', 'My data dir')
+        self.assert_(pip.sessionCacheDataDir == 'My data dir')
+        self.assert_(pip.sessionCacheTimeout is None)
+        
+        try:
+            pip.sessionCacheTimeout = {}
+            self.fail("pip.sessionCacheTimeout accepts only float/int/long/"
+                      "string or None type value")
+        except TypeError:
+            pass
+        
+        pip.sessionCacheTimeout = 86400L
+        self.assert_(pip.sessionCacheTimeout == 86400L)
 
     def test02ReadMappingFile(self):
@@ -69 +81 @@
         print(pip.attribute2AttributeAuthorityMap)
         
-    def _createXacmlRequestCtx(self):
+    @classmethod
+    def _createXacmlRequestCtx(cls):
+        """Helper to create a XACML request context"""
         ctx = Request()
         
@@ -75 +89 @@
         openidAttr = Attribute()
         ctx.subjects[-1].attributes.append(openidAttr)
-        openidAttr.attributeId = self.__class__.OPENID_ATTR_ID
+        openidAttr.attributeId = cls.OPENID_ATTR_ID
         openidAttr.dataType = 'http://www.w3.org/2001/XMLSchema#anyURI'
         
-        anyUriAttrValue = self.__class__.attributeValueClassFactory(
-                                                            openidAttr.dataType)
+        anyUriAttrValue = cls.attributeValueClassFactory(openidAttr.dataType)
         
-        openidAttrVal = anyUriAttrValue(self.__class__.OPENID_URI)
+        openidAttrVal = anyUriAttrValue(cls.OPENID_URI)
         openidAttr.attributeValues.append(openidAttrVal) 
         
         return ctx
     
-    def _createPIP(self):   
+    @classmethod
+    def _createPIP(cls):   
         """Create PIP from test attribute settings"""              
         pip = PIP()
-        pip.mappingFilePath = self.__class__.MAPPING_FILEPATH
+        pip.mappingFilePath = cls.MAPPING_FILEPATH
         pip.readMappingFile()
-        pip.subjectAttributeId = self.__class__.OPENID_ATTR_ID
+        pip.subjectAttributeId = cls.OPENID_ATTR_ID
         
         pip.attributeQueryBinding.issuerName = \
-            'O=NDG, OU=Security, CN=localhost'
+                                            'O=NDG, OU=Security, CN=localhost'
         pip.attributeQueryBinding.issuerFormat = SamlIssuer.X509_SUBJECT
-        pip.attributeQueryBinding.sslCertFilePath = \
-            self.__class__.CLNT_CERT_FILEPATH
-        pip.attributeQueryBinding.sslPriKeyFilePath = \
-            self.__class__.CLNT_PRIKEY_FILEPATH
+        pip.attributeQueryBinding.sslCertFilePath = cls.CLNT_CERT_FILEPATH
+        pip.attributeQueryBinding.sslPriKeyFilePath = cls.CLNT_PRIKEY_FILEPATH
             
-        pip.attributeQueryBinding.sslCACertDir = self.__class__.CACERT_DIR
+        pip.attributeQueryBinding.sslCACertDir = cls.CACERT_DIR
         
         return pip
 
-    def _createSubjectAttributeDesignator(self):
+    @classmethod
+    def _createSubjectAttributeDesignator(cls):
         '''Make attribute designator - in practice this would be passed back 
         from the PDP via the context handler
         '''
         designator = SubjectAttributeDesignator()
-        designator.attributeId = self.__class__.NDGS_ATTR_ID
+        designator.attributeId = cls.NDGS_ATTR_ID
         designator.dataType = 'http://www.w3.org/2001/XMLSchema#string'
         
-        stringAttrValue = self.__class__.attributeValueClassFactory(
+        stringAttrValue = cls.attributeValueClassFactory(
                                     'http://www.w3.org/2001/XMLSchema#string')
         
         return designator
     
-    def _initQuery(self):
+    @classmethod
+    def _initQuery(cls):
         '''Convenience method to set-up the parameters needed for a query'''
-        pip = self._createPIP()
-        designator = self._createSubjectAttributeDesignator()
-        ctx = self._createXacmlRequestCtx()
+        pip = cls._createPIP()
+        designator = cls._createSubjectAttributeDesignator()
+        ctx = cls._createXacmlRequestCtx()
         return pip, designator, ctx
     
@@ -129 +143 @@
                     port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
         
-        pip, designator, ctx = self._initQuery()
+        pip, designator, ctx = self.__class__._initQuery()
         
         # Avoid caching to avoid impacting other tests in this class
@@ -144 +158 @@
         pip = PIP.fromConfig(self.__class__.CONFIG_FILEPATH)
         self.assert_(pip.mappingFilePath)
+        self.assert_(pip.sessionCacheTimeout == 1800)
         
 # TODO: fix test - left out for now because can't get threading to correctly 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/test_saml_attribute_assertion.py

@@ -19 +19 @@
 import unittest
 
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit import BaseTestCase
 from ndg.security.server.myproxy.certificate_extapp.saml_attribute_assertion \
@@ -53 +53 @@
                                         "/CN=Authorisation Service/O=Site A"
         myProxyCertExtApp.attributeQuery.subjectIdFormat = \
-                                        EsgSamlNamespaces.NAMEID_FORMAT                                
+                                        ESGFSamlNamespaces.NAMEID_FORMAT                                
         myProxyCertExtApp.attributeQuery.subjectID = \
                                         CertExtAppTestCase.OPENID_URI
@@ -86 +86 @@
 
         myProxyCertExtApp.attributeQuery.subjectIdFormat = \
-                                        EsgSamlNamespaces.NAMEID_FORMAT                                        
+                                        ESGFSamlNamespaces.NAMEID_FORMAT                                        
         myProxyCertExtApp.attributeQuery.sslCACertDir = \
                                                 CertExtAppTestCase.CACERT_DIR

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini

@@ -46 +46 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.pathMatchList = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/attribute-interface.ini

@@ -28 +28 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 #______________________________________________________________________________

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml

@@ -96 +96 @@
         </Condition>
     </Rule>
+    <Rule RuleId="Rule with ESGF Custom types" Effect="Permit">
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_esgf$</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:esg:security:xacml:2.0:function:grouprole-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:ndg:security:authz:1.0:attr" 
+                    DataType="grouprole"/>
+                <Apply FunctionId="urn:esg:security:xacml:2.0:function:grouprole-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapattributeinterface.py

@@ -22 +22 @@
 
 from ndg.security.common.soap.etree import SOAPEnvelope
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
 
@@ -44 +44 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = subject
                                     
@@ -50 +50 @@
         # special case handling for 'FirstName' attribute
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         fnAttribute.friendlyName = "FirstName"
@@ -58 +58 @@
         # special case handling for 'LastName' attribute
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         lnAttribute.friendlyName = "LastName"
@@ -66 +66 @@
         # special case handling for 'LastName' attribute
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
                                     XSStringAttributeValue.TYPE_LOCAL_NAME

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -22 +22 @@
 
 from ndg.security.common.soap.etree import SOAPEnvelope
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
 
@@ -115 +115 @@
         query.subject = Subject()  
         query.subject.nameID = NameID()
-        query.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        query.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         query.subject.nameID.value = subject