Changeset 7698 for TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg

Timestamp:

04/11/10 13:55:40 (10 years ago)

Author:

pjkersha

Message:

Integrated SAML ESGF Group/Role? attribute value type into SAML Attribute Authority client unit tests.

Location:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test

Files:

• config/attributeauthority/sitea/site-a.ini (modified) (1 diff)
• config/attributeauthority/sitea/sitea_attributeinterface.py (modified) (5 diffs)
• integration/full_system/securityservices.ini (modified) (1 diff)
• unit/attributeauthority/test_attributeauthority.py (modified) (11 diffs)
• unit/attributeauthorityclient/README (deleted)
• unit/attributeauthorityclient/test_samlattributeauthorityclient.cfg (modified) (2 diffs)
• unit/attributeauthorityclient/test_samlattributeauthorityclient.py (modified) (10 diffs)
• unit/authz/xacml/saml_ctx_handler.cfg (modified) (1 diff)
• unit/authz/xacml/saml_pip.cfg (modified) (1 diff)
• unit/authz/xacml/test_saml_ctx_handler.py (modified) (1 diff)
• unit/authz/xacml/test_saml_pip.py (modified) (5 diffs)
• unit/myproxy/certificate_extapp/test_saml_attribute_assertion.py (modified) (3 diffs)
• unit/wsgi/attributeauthority/test.ini (modified) (1 diff)
• unit/wsgi/saml/attribute-interface.ini (modified) (1 diff)
• unit/wsgi/saml/policy.xml (modified) (1 diff)
• unit/wsgi/saml/test_soapattributeinterface.py (modified) (5 diffs)
• unit/wsgi/saml/test_soapauthzdecisioninterface.py (modified) (2 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/site-a.ini

@@ -60 +60 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.mountPath = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/sitea_attributeinterface.py

@@ -15 +15 @@
 
 from ndg.saml.common.xml import SAMLConstants
-from ndg.saml.saml2.core import (Assertion, Attribute, AttributeStatement, Issuer,
-                             SAMLVersion, Subject, NameID, Conditions,
-                             XSStringAttributeValue)
+from ndg.saml.saml2.core import (Assertion, Attribute, AttributeStatement, 
+                                 Issuer, SAMLVersion, Subject, NameID, 
+                                 Conditions, XSStringAttributeValue)
 
+from ndg.security.common.saml_utils.esgf import (ESGFSamlNamespaces,
+                                                 ESGFGroupRoleAttributeValue)
 from ndg.security.common.X509 import X500DN
 from ndg.security.server.attributeauthority import (AttributeInterface, 
@@ -34 +36 @@
 
     SAML_ATTRIBUTE_NAMES = ATTRIBUTE_NAMES + (
-        'urn:esg:email:address',
-        'urn:esg:first:name', 
-        'urn:esg:last:name'
+        ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME,
+        ESGFSamlNamespaces.FIRSTNAME_ATTRNAME, 
+        ESGFSamlNamespaces.LASTNAME_ATTRNAME,
+        'urn:esg:sitea:grouprole'
     )
     
@@ -43 +46 @@
         ('p.kershaw@somewhere.ac.uk',),
         ('Philip',),
-        ('Kershaw',)
+        ('Kershaw',),
+        (('siteagroup', 'default'),)
     )
     
@@ -49 +53 @@
         "EmailAddress",
         "FirstName",
-        "LastName"
+        "LastName",
+        "groupRole"
     )
-    SAML_ATTRIBUTE_FORMATS = (SAMLConstants.XSD_NS+"#"+\
-                              XSStringAttributeValue.TYPE_LOCAL_NAME,) * \
-                              len(SAML_ATTRIBUTE_NAMES)
+    SAML_ATTRIBUTE_FORMATS = (
+        SAMLConstants.XSD_NS+"#"+XSStringAttributeValue.TYPE_LOCAL_NAME,) * (
+        len(SAML_ATTRIBUTE_NAMES)-1) + \
+        (ESGFGroupRoleAttributeValue.TYPE_LOCAL_NAME, )
+    
     SAML_ATTRIBUTES = []
     
+    name, val, vals, format, friendlyName = (None, None, None, None, None)
     for name, vals, format, friendlyName in zip(SAML_ATTRIBUTE_NAMES,
-                                               SAML_ATTRIBUTE_VALUES,
-                                               SAML_ATTRIBUTE_FORMATS,
-                                               SAML_ATTRIBUTE_FRIENDLY_NAMES):
+                                                SAML_ATTRIBUTE_VALUES,
+                                                SAML_ATTRIBUTE_FORMATS,
+                                                SAML_ATTRIBUTE_FRIENDLY_NAMES):
         SAML_ATTRIBUTES.append(Attribute())
         SAML_ATTRIBUTES[-1].name = name
@@ -65 +73 @@
         SAML_ATTRIBUTES[-1].friendlyName = friendlyName
         for val in vals:
-            SAML_ATTRIBUTES[-1].attributeValues.append(XSStringAttributeValue())
-            SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
+            if isinstance(val, tuple):
+                SAML_ATTRIBUTES[-1].attributeValues.append(
+                                                ESGFGroupRoleAttributeValue())
+                SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
+            else:
+                SAML_ATTRIBUTES[-1].attributeValues.append(
+                                                XSStringAttributeValue())
+                SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
 
     del name, val, vals, format, friendlyName

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

@@ -377 +377 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.mountPath = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.py

@@ -37 +37 @@
                                  StatusCode)
 from ndg.saml.xml import XMLConstants
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 
 THIS_DIR = path.dirname(__file__)
@@ -139 +139 @@
         # Define queries for SAML attribute names
         attributeInterface.samlAttribute2SqlQuery_firstName = '"%s" "%s"' % (
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME,                                                               
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME,                                                               
             SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY)
             
         setattr(attributeInterface, 
                 'samlAttribute2SqlQuery.lastName',
-                "%s %s" % (EsgSamlNamespaces.LASTNAME_ATTRNAME,
+                "%s %s" % (ESGFSamlNamespaces.LASTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY))
         
         attributeInterface.samlAttribute2SqlQuery[
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME] = (
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME] = (
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY)
         
@@ -170 +170 @@
                 
             'samlAttribute2SqlQuery.firstname': '"%s" "%s"' % (
-                EsgSamlNamespaces.FIRSTNAME_ATTRNAME,
+                ESGFSamlNamespaces.FIRSTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY),
             
             'samlAttribute2SqlQuery.blah': '"%s" "%s"' % (
-                EsgSamlNamespaces.LASTNAME_ATTRNAME,
+                ESGFSamlNamespaces.LASTNAME_ATTRNAME,
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY),
         
             'samlAttribute2SqlQuery.3': '%s "%s"' % (
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME,
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME,
             SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY),
         
@@ -195 +195 @@
         self.assert_(
             attributeInterface.samlAttribute2SqlQuery[
-                EsgSamlNamespaces.FIRSTNAME_ATTRNAME] == \
+                ESGFSamlNamespaces.FIRSTNAME_ATTRNAME] == \
             SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY)
         
@@ -219 +219 @@
         self.assert_(
             attributeInterface.samlAttribute2SqlQuery[
-                EsgSamlNamespaces.EMAILADDRESS_ATTRNAME] == \
+                ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME] == \
             SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY)
 
@@ -239 +239 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = \
                                 SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
         
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         fnAttribute.friendlyName = "FirstName"
@@ -251 +251 @@
     
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         lnAttribute.friendlyName = "LastName"
@@ -258 +258 @@
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
         emailAddressAttribute.friendlyName = "EmailAddress"
@@ -295 +295 @@
         # Define queries for SAML attribute names
         samlAttribute2SqlQuery = {
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY,
             
-            EsgSamlNamespaces.LASTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.LASTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY,
         
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME: 
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY,
         
@@ -357 +357 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = \
                                 SQLAlchemyAttributeInterfaceTestCase.OPENID_URI
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = "InvalidFormat"
         emailAddressAttribute.friendlyName = "EmailAddress"
@@ -399 +399 @@
         # Define queries for SAML attribute names
         samlAttribute2SqlQuery = {
-            EsgSamlNamespaces.FIRSTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.FIRSTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_FIRSTNAME_SQLQUERY,
             
-            EsgSamlNamespaces.LASTNAME_ATTRNAME: 
+            ESGFSamlNamespaces.LASTNAME_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_LASTNAME_SQLQUERY,
         
-            EsgSamlNamespaces.EMAILADDRESS_ATTRNAME: 
+            ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME: 
                 SQLAlchemyAttributeInterfaceTestCase.SAML_EMAILADDRESS_SQLQUERY,
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.cfg

@@ -34 +34 @@
 saml.deserialise = ndg.saml.xml.etree:ResponseElementTree.fromXML
 
-[test05AttributeQuerySOAPBindingInterface]
+[test05AttributeQueryWithESGFAttributeType]
+uri = http://localhost:5000/AttributeAuthority/
+subject = https://openid.localhost/philip.kershaw
+prefix = saml.
+saml.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML
+saml.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML
+
+[test06AttributeQuerySOAPBindingInterface]
 uri = http://localhost:5000/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw
 
-[test06AttributeQueryFromConfig]
+[test07AttributeQueryFromConfig]
 uri = http://localhost:5000/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw
@@ -48 +55 @@
 attributeQuery.queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
 
-[test07AttributeQuerySslSOAPBindingInterface]
+[test08AttributeQuerySslSOAPBindingInterface]
 uri = https://localhost:5443/AttributeAuthority/
 subject = https://openid.localhost/philip.kershaw

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/attributeauthorityclient/test_samlattributeauthorityclient.py

@@ -28 +28 @@
                                         AttributeQuerySOAPBinding, 
                                         AttributeQuerySslSOAPBinding)
-from ndg.security.common.saml_utils.esg import (EsgSamlNamespaces,
-                                                EsgDefaultQueryAttributes)
+from ndg.security.common.saml_utils.esgf import (ESGFSamlNamespaces,
+                                                 ESGFDefaultQueryAttributes,
+                                                 ESGFGroupRoleAttributeValue)
+from ndg.security.common.saml_utils.esgf.xml.etree import (
+                                        ESGFGroupRoleAttributeValueElementTree,
+                                        ESGFResponseElementTree)
+from ndg.security.common.utils.etree import prettyPrint
 from ndg.security.test.unit.attributeauthorityclient import \
                                         AttributeAuthorityClientBaseTestCase
-from ndg.security.common.utils.etree import prettyPrint
-
+   
    
 class AttributeAuthoritySAMLInterfaceTestCase(
@@ -64 +68 @@
         attributeQuery.subject = Subject()
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
                                         XSStringAttributeValue.TYPE_LOCAL_NAME
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = xsStringNs
         fnAttribute.friendlyName = "FirstName"
@@ -76 +80 @@
     
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = xsStringNs
         lnAttribute.friendlyName = "LastName"
@@ -83 +87 @@
     
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = xsStringNs
         emailAddressAttribute.friendlyName = "emailAddress"
@@ -132 +136 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -172 +176 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -212 +216 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = _cfg['subject']
         xsStringNs = SAMLConstants.XSD_NS+"#"+\
@@ -238 +242 @@
         self.assert_(response.status.statusCode.value==\
                      StatusCode.INVALID_ATTR_NAME_VALUE_URI)
-        
-    def test05AttributeQuerySOAPBindingInterface(self):
-        _cfg = self.cfg['test05AttributeQuerySOAPBindingInterface']
+             
+    def test05AttributeQueryWithESGFAttributeType(self):
+        # Test interface with custom ESGF Group/Role attribute type
+        thisSection = 'test05AttributeQueryWithESGFAttributeType'
+        _cfg = self.cfg[thisSection]
+        
+        attributeQuery = AttributeQuery()
+        attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
+        attributeQuery.id = str(uuid4())
+        attributeQuery.issueInstant = datetime.utcnow()
+        
+        attributeQuery.issuer = Issuer()
+        attributeQuery.issuer.format = Issuer.X509_SUBJECT
+        attributeQuery.issuer.value = "/CN=Authorisation Service/O=Site A"    
+                        
+        attributeQuery.subject = Subject()  
+        attributeQuery.subject.nameID = NameID()
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.value = _cfg['subject']
+        
+        groupRoleAttribute = Attribute()
+        groupRoleAttribute.name = 'urn:esg:sitea:grouprole'
+        groupRoleAttribute.nameFormat = \
+            ESGFGroupRoleAttributeValue.TYPE_LOCAL_NAME
+        
+        attributeQuery.attributes.append(groupRoleAttribute) 
+
+        binding = SOAPBinding.fromConfig(
+                     AttributeAuthoritySAMLInterfaceTestCase.CONFIG_FILEPATH, 
+                     prefix='saml.',
+                     section=thisSection)
+        
+        response = binding.send(attributeQuery, _cfg['uri'])
+        
+        samlResponseElem = ResponseElementTree.toXML(response)
+        
+        print("SAML Response ...")
+        print(ElementTree.tostring(samlResponseElem))
+        print("Pretty print SAML Response ...")
+        print(prettyPrint(samlResponseElem))
+        
+        self.assert_(response.assertions[0].attributeStatements[0].attributes[0
+            ].attributeValues[0].value == ('siteagroup', 'default'))
+        
+        self.assert_(response.status.statusCode.value == StatusCode.SUCCESS_URI)
+       
+    def test06AttributeQuerySOAPBindingInterface(self):
+        _cfg = self.cfg['test06AttributeQuerySOAPBindingInterface']
         
         binding = AttributeQuerySOAPBinding()
         
         binding.subjectID = AttributeAuthoritySAMLInterfaceTestCase.OPENID_URI
-        binding.subjectIdFormat = EsgSamlNamespaces.NAMEID_FORMAT
+        binding.subjectIdFormat = ESGFSamlNamespaces.NAMEID_FORMAT
         binding.issuerName = \
             str(AttributeAuthoritySAMLInterfaceTestCase.VALID_REQUESTOR_IDS[0])
         binding.issuerFormat = Issuer.X509_SUBJECT
         
-        binding.queryAttributes = EsgDefaultQueryAttributes.ATTRIBUTES
+        binding.queryAttributes = ESGFDefaultQueryAttributes.ATTRIBUTES
         
         response = binding.send(uri=_cfg['uri'])
@@ -262 +311 @@
         self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
 
-    def test06AttributeQueryFromConfig(self):
-        thisSection = 'test06AttributeQueryFromConfig'
+    def test07AttributeQueryFromConfig(self):
+        thisSection = 'test07AttributeQueryFromConfig'
         _cfg = self.cfg[thisSection]
         
@@ -280 +329 @@
         self.assert_(response.status.statusCode.value==StatusCode.SUCCESS_URI)
         
-    def test07AttributeQuerySslSOAPBindingInterface(self):
-        thisSection = 'test07AttributeQuerySslSOAPBindingInterface'
+    def test08AttributeQuerySslSOAPBindingInterface(self):
+        thisSection = 'test08AttributeQuerySslSOAPBindingInterface'
         _cfg = self.cfg[thisSection]
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_ctx_handler.cfg

@@ -21 +21 @@
 saml_ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
 saml_ctx_handler.assertionLifetime = 86400
+
+# Add Earth System Grid custom types and functions to XACML
+saml_ctx_handler.xacmlExtFunc = ndg.security.server.xacml.esgf_ext:addEsgfXacmlSupport
 
 #

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg

@@ -23 +23 @@
 saml_pip.sessionCacheDataDir = %(here)s/query-results-cache
 
+# Timeout cache in 30mins
+saml_pip.sessionCacheTimeout = 1800
+
 # The attribute ID of the subject value to extract from the XACML request
 # context and pass in the SAML attribute query

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_ctx_handler.py

@@ -56 +56 @@
         self.assert_(handler.issuerFormat)
         self.assert_(handler.assertionLifetime)
+        self.assert_(handler.xacmlExtFunc)
+        
         
 if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py

@@ -59 +59 @@
         
         setattr(pip, 'sessionCacheDataDir', 'My data dir')
+        self.assert_(pip.sessionCacheDataDir == 'My data dir')
+        self.assert_(pip.sessionCacheTimeout is None)
+        
+        try:
+            pip.sessionCacheTimeout = {}
+            self.fail("pip.sessionCacheTimeout accepts only float/int/long/"
+                      "string or None type value")
+        except TypeError:
+            pass
+        
+        pip.sessionCacheTimeout = 86400L
+        self.assert_(pip.sessionCacheTimeout == 86400L)
 
     def test02ReadMappingFile(self):
@@ -69 +81 @@
         print(pip.attribute2AttributeAuthorityMap)
         
-    def _createXacmlRequestCtx(self):
+    @classmethod
+    def _createXacmlRequestCtx(cls):
+        """Helper to create a XACML request context"""
         ctx = Request()
         
@@ -75 +89 @@
         openidAttr = Attribute()
         ctx.subjects[-1].attributes.append(openidAttr)
-        openidAttr.attributeId = self.__class__.OPENID_ATTR_ID
+        openidAttr.attributeId = cls.OPENID_ATTR_ID
         openidAttr.dataType = 'http://www.w3.org/2001/XMLSchema#anyURI'
         
-        anyUriAttrValue = self.__class__.attributeValueClassFactory(
-                                                            openidAttr.dataType)
+        anyUriAttrValue = cls.attributeValueClassFactory(openidAttr.dataType)
         
-        openidAttrVal = anyUriAttrValue(self.__class__.OPENID_URI)
+        openidAttrVal = anyUriAttrValue(cls.OPENID_URI)
         openidAttr.attributeValues.append(openidAttrVal) 
         
         return ctx
     
-    def _createPIP(self):   
+    @classmethod
+    def _createPIP(cls):   
         """Create PIP from test attribute settings"""              
         pip = PIP()
-        pip.mappingFilePath = self.__class__.MAPPING_FILEPATH
+        pip.mappingFilePath = cls.MAPPING_FILEPATH
         pip.readMappingFile()
-        pip.subjectAttributeId = self.__class__.OPENID_ATTR_ID
+        pip.subjectAttributeId = cls.OPENID_ATTR_ID
         
         pip.attributeQueryBinding.issuerName = \
-            'O=NDG, OU=Security, CN=localhost'
+                                            'O=NDG, OU=Security, CN=localhost'
         pip.attributeQueryBinding.issuerFormat = SamlIssuer.X509_SUBJECT
-        pip.attributeQueryBinding.sslCertFilePath = \
-            self.__class__.CLNT_CERT_FILEPATH
-        pip.attributeQueryBinding.sslPriKeyFilePath = \
-            self.__class__.CLNT_PRIKEY_FILEPATH
+        pip.attributeQueryBinding.sslCertFilePath = cls.CLNT_CERT_FILEPATH
+        pip.attributeQueryBinding.sslPriKeyFilePath = cls.CLNT_PRIKEY_FILEPATH
             
-        pip.attributeQueryBinding.sslCACertDir = self.__class__.CACERT_DIR
+        pip.attributeQueryBinding.sslCACertDir = cls.CACERT_DIR
         
         return pip
 
-    def _createSubjectAttributeDesignator(self):
+    @classmethod
+    def _createSubjectAttributeDesignator(cls):
         '''Make attribute designator - in practice this would be passed back 
         from the PDP via the context handler
         '''
         designator = SubjectAttributeDesignator()
-        designator.attributeId = self.__class__.NDGS_ATTR_ID
+        designator.attributeId = cls.NDGS_ATTR_ID
         designator.dataType = 'http://www.w3.org/2001/XMLSchema#string'
         
-        stringAttrValue = self.__class__.attributeValueClassFactory(
+        stringAttrValue = cls.attributeValueClassFactory(
                                     'http://www.w3.org/2001/XMLSchema#string')
         
         return designator
     
-    def _initQuery(self):
+    @classmethod
+    def _initQuery(cls):
         '''Convenience method to set-up the parameters needed for a query'''
-        pip = self._createPIP()
-        designator = self._createSubjectAttributeDesignator()
-        ctx = self._createXacmlRequestCtx()
+        pip = cls._createPIP()
+        designator = cls._createSubjectAttributeDesignator()
+        ctx = cls._createXacmlRequestCtx()
         return pip, designator, ctx
     
@@ -129 +143 @@
                     port=self.__class__.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM)
         
-        pip, designator, ctx = self._initQuery()
+        pip, designator, ctx = self.__class__._initQuery()
         
         # Avoid caching to avoid impacting other tests in this class
@@ -144 +158 @@
         pip = PIP.fromConfig(self.__class__.CONFIG_FILEPATH)
         self.assert_(pip.mappingFilePath)
+        self.assert_(pip.sessionCacheTimeout == 1800)
         
 # TODO: fix test - left out for now because can't get threading to correctly 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/myproxy/certificate_extapp/test_saml_attribute_assertion.py

@@ -19 +19 @@
 import unittest
 
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit import BaseTestCase
 from ndg.security.server.myproxy.certificate_extapp.saml_attribute_assertion \
@@ -53 +53 @@
                                         "/CN=Authorisation Service/O=Site A"
         myProxyCertExtApp.attributeQuery.subjectIdFormat = \
-                                        EsgSamlNamespaces.NAMEID_FORMAT                                
+                                        ESGFSamlNamespaces.NAMEID_FORMAT                                
         myProxyCertExtApp.attributeQuery.subjectID = \
                                         CertExtAppTestCase.OPENID_URI
@@ -86 +86 @@
 
         myProxyCertExtApp.attributeQuery.subjectIdFormat = \
-                                        EsgSamlNamespaces.NAMEID_FORMAT                                        
+                                        ESGFSamlNamespaces.NAMEID_FORMAT                                        
         myProxyCertExtApp.attributeQuery.sslCACertDir = \
                                                 CertExtAppTestCase.CACERT_DIR

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini

@@ -46 +46 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 saml.soapbinding.pathMatchList = /AttributeAuthority

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/attribute-interface.ini

@@ -28 +28 @@
 
 # Specialisation to incorporate ESG Group/Role type
-saml.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
+saml.serialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.toXML
 
 #______________________________________________________________________________

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml

@@ -96 +96 @@
         </Condition>
     </Rule>
+    <Rule RuleId="Rule with ESGF Custom types" Effect="Permit">
+        <Target>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_esgf$</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+        <Condition>
+            <Apply FunctionId="urn:esg:security:xacml:2.0:function:grouprole-at-least-one-member-of">
+                <SubjectAttributeDesignator 
+                    AttributeId="urn:ndg:security:authz:1.0:attr" 
+                    DataType="grouprole"/>
+                <Apply FunctionId="urn:esg:security:xacml:2.0:function:grouprole-bag">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
 </Policy>

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapattributeinterface.py

@@ -22 +22 @@
 
 from ndg.security.common.soap.etree import SOAPEnvelope
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
 
@@ -44 +44 @@
         attributeQuery.subject = Subject()  
         attributeQuery.subject.nameID = NameID()
-        attributeQuery.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         attributeQuery.subject.nameID.value = subject
                                     
@@ -50 +50 @@
         # special case handling for 'FirstName' attribute
         fnAttribute = Attribute()
-        fnAttribute.name = EsgSamlNamespaces.FIRSTNAME_ATTRNAME
+        fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
         fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         fnAttribute.friendlyName = "FirstName"
@@ -58 +58 @@
         # special case handling for 'LastName' attribute
         lnAttribute = Attribute()
-        lnAttribute.name = EsgSamlNamespaces.LASTNAME_ATTRNAME
+        lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
         lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
         lnAttribute.friendlyName = "LastName"
@@ -66 +66 @@
         # special case handling for 'LastName' attribute
         emailAddressAttribute = Attribute()
-        emailAddressAttribute.name = EsgSamlNamespaces.EMAILADDRESS_ATTRNAME
+        emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
         emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
                                     XSStringAttributeValue.TYPE_LOCAL_NAME

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/test_soapauthzdecisioninterface.py

@@ -22 +22 @@
 
 from ndg.security.common.soap.etree import SOAPEnvelope
-from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
+from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.test.unit.wsgi.saml import SoapSamlInterfaceMiddlewareTestCase
 
@@ -115 +115 @@
         query.subject = Subject()  
         query.subject.nameID = NameID()
-        query.subject.nameID.format = EsgSamlNamespaces.NAMEID_FORMAT
+        query.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
         query.subject.nameID.value = subject