Changeset 7709


Timestamp:
05/11/10 16:54:17 (9 years ago)
Author:
pjkersha
Message:

2.1.0

Re-release to incorporate fixes needed from deployment:

  • enable setting of clock skew tolerance for checking of validity times for assertions cached by PIP.
  • fix ESGF Group/Role parsing in XACML policy.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
7 edited

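--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/esgf_ext.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/esgf_ext.py
@@ -139,4 +139,6 @@
     """ElementTree based parser for Earth System Grid Federation Group/Role 
     attribute value data type""" 
+    GROUP_XML_ATTRNAME = 'group' 
+    ROLE_XML_ATTRNAME = 'role' 
     
     @classmethod 
@@ -161,18 +163,19 @@
                         attributeValue.__class__.GROUPROLE_ELEMENT_LOCAL_NAME) 
         
-        # Allow for any of the defined Expression sub-types in the child  
-        # elements 
-        for subElem in groupRoleElem: 
-            localName = QName.getLocalPart(subElem.tag) 
-            if localName == attributeValue.__class__.ROLE_ELEMENT_LOCAL_NAME: 
-                attributeValue.role = subElem.text 
+        groupXmlAttrValue = groupRoleElem.attrib.get(cls.GROUP_XML_ATTRNAME) 
+        if groupXmlAttrValue is None: 
+            raise XMLParseError('No "%s" attribute found in "%s" element' % 
+                (cls.GROUP_XML_ATTRNAME, 
+                 attributeValue.__class__.GROUPROLE_ELEMENT_LOCAL_NAME)) 
                 
-            elif localName == attributeValue.__class__.GROUP_ELEMENT_LOCAL_NAME: 
-                attributeValue.group = subElem.text 
-                 
-            else: 
-                raise XMLParseError('%r ESG Group/Role sub-element not ' 
-                                    'recognised' % localName)  
+        attributeValue.group = groupXmlAttrValue.strip() 
 
+
+        roleXmlAttrValue = groupRoleElem.attrib.get(cls.ROLE_XML_ATTRNAME) 
+        if roleXmlAttrValue is None: 
+            attributeValue.role = attributeValue.__class__.ROLE_DEFAULT_VALUE 
+        else: 
+            attributeValue.role = roleXmlAttrValue.strip() 
+            
 
 def addEsgfXacmlSupport(): 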
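Review bot: `groupXmlAttrValue.strip()` in the rewritten parser accepts an empty group name: `group=""` or `group="  "` passes the `is None` check and yields an AttributeValue whose group is the empty string, which the old sub-element form never produced. Folding the check into the lookup closes it in two lines: `groupXmlAttrValue = groupRoleElem.attrib.get(cls.GROUP_XML_ATTRNAME, '').strip()` followed by `if not groupXmlAttrValue: raise XMLParseError(...)`. The same applies to `role=""`, which is stored as an empty role rather than falling back to `ROLE_DEFAULT_VALUE`; treating an empty role like a missing one would make the default apply consistently. Note also that the removed loop raised on any unrecognised child element whereas the new code ignores children entirely, so a policy still written in the retired `<esg:group>`/`<esg:role>` form is only caught by the missing `group` attribute; a check such as `if len(groupRoleElem): raise XMLParseError(...)` would keep that failure explicit. The enclosing classmethod starts before this hunk.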
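--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py
@@ -46,5 +46,6 @@
     __slots__ = ('__session', ) 
     
-    def __init__(self, _id, data_dir=None, timeout=None): 
+    def __init__(self, _id, data_dir=None, timeout=None,  
+                 assertionClockSkewTolerance=1.0): 
         """ 
         @param _id: unique identifier for session to be created, or one to reload 
@@ -72,4 +73,6 @@
         if 'wallet' not in self.__session: 
             self.__session['wallet'] = SAMLAssertionWallet() 
+            self.__session['wallet' 
+                           ].clockSkewTolerance = assertionClockSkewTolerance 
         else: 
             # Prune expired assertions 
@@ -159,8 +162,9 @@
         '__sessionCacheDataDir', 
         '__sessionCacheTimeout', 
-        '__sessionCache' 
+        '__sessionCacheAssertionClockSkewTol' 
     ) 
     
-    def __init__(self, sessionCacheDataDir=None, sessionCacheTimeout=None): 
+    def __init__(self, sessionCacheDataDir=None, sessionCacheTimeout=None, 
+                 sessionCacheAssertionClockSkewTol=1.0): 
         '''Initialise settings for connection to an Attribute Authority 
         
@@ -176,5 +180,7 @@
         self.sessionCacheDataDir = sessionCacheDataDir 
         self.sessionCacheTimeout = sessionCacheTimeout 
-         
+        self.__sessionCacheAssertionClockSkewTol = \
+            sessionCacheAssertionClockSkewTol 
+            
         self.__subjectAttributeId = None 
         self.__mappingFilePath = None 
@@ -187,5 +193,4 @@
 
         self.__cacheSessions = True 
-        self.__sessionCache = None 
 
     def _getSessionCacheTimeout(self): 
@@ -212,4 +217,27 @@
                                        'Set to None to have no timeout') 
 
+    @property 
+    def sessionCacheAssertionClockSkewTol(self): 
+        """Clock tolerance of +/- value set for checking the validity times 
+        of SAML assertions cached in the Session Cache""" 
+        return self.__sessionCacheAssertionClockSkewTol 
+
+    @sessionCacheAssertionClockSkewTol.setter 
+    def sessionCacheAssertionClockSkewTol(self, value): 
+        """Clock tolerance of +/- value set for checking the validity times 
+        of SAML assertions cached in the Session Cache""" 
+        if value is None: 
+            self.__sessionCacheAssertionClockSkewTol = value 
+         
+        elif isinstance(value, basestring): 
+            self.__sessionCacheAssertionClockSkewTol = float(value) 
+             
+        elif isinstance(value, (int, float, long)): 
+            self.__sessionCacheAssertionClockSkewTol = value 
+            
+        else: 
+            raise TypeError('Expecting None, float, int, long or string type; ' 
+                            'got %r' % type(value)) 
+    
     def _getCacheSessions(self): 
         return self.__cacheSessions 
@@ -457,6 +485,9 @@
             attributeIdFoundInCache = False 
             sessionCache = SessionCache(subjectId, 
-                                        data_dir=self.__sessionCacheDataDir, 
-                                        timeout=self.__sessionCacheTimeout) 
+                                    data_dir=self.sessionCacheDataDir, 
+                                    timeout=self.sessionCacheTimeout, 
+                                    assertionClockSkewTolerance=\
+                                        self.sessionCacheAssertionClockSkewTol) 
+            
             assertions = sessionCache.retrieve(attributeAuthorityURI) 
             if assertions is not None: 
@@ -488,4 +519,7 @@
                 response = self.attributeQueryBinding.send( 
                                                     uri=attributeAuthorityURI) 
+                
+                log.debug('Retrieved response from attribute service %r', 
+                          attributeAuthorityURI) 
             except Exception: 
                 log.exception('Error querying Attribute service %r with ' 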
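Review bot: In the SessionCache constructor hunk the skew tolerance is assigned only in the `if 'wallet' not in self.__session` branch, so a session reloaded from `data_dir` keeps whatever `clockSkewTolerance` its stored wallet already carries and the `else:` prune presumably runs with that stale value rather than the configured one; assigning `self.__session['wallet'].clockSkewTolerance = assertionClockSkewTolerance` after the if/else (before any prune) would cover both paths, and SessionCache.__init__ continues outside the hunk. The PIP `__init__` likewise writes `self.__sessionCacheAssertionClockSkewTol` directly, bypassing the setter's type coercion, so a constructor caller passing a string stores it unconverted; `self.sessionCacheAssertionClockSkewTol = sessionCacheAssertionClockSkewTol` routes it through the setter. The setter itself accepts negative and arbitrarily large values, and since this number widens the window in which a cached assertion is still treated as valid, a bound such as `if value < 0: raise ValueError('clock skew tolerance must be >= 0')` after the conversion would stop a mistyped config entry from silently extending assertion lifetimes.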
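--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
@@ -79,4 +79,28 @@
 # on behalf of the PDP onwards to the PIP 
 
+# The PIP can cache assertions retrieved from Attribute Authority calls to 
+# optimise performance.  Set this flag to True/False to enable/disable caching 
+# respectively.  If this setting is omitted it defaults to True 
+#authz.ctx_handler.pip.cacheSessions = True 
+
+# Set the directory for cached information to be stored.  This options is  
+# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then 
+# sessions will be cached in memory only.  If the service is stopped all cached 
+# information would be lost 
+#authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache 
+
+# Set timeout (seconds) for a cached session - following the timeout any existing 
+# session will be deleted.  This option is ignored if  
+# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is 
+# omitted, no timeout is set.  If none is set and  
+# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively 
+# cached permanently(!) only an assertion expiry could invalidate a given assertion 
+# previously cached. 
+#authz.ctx_handler.pip.sessionCacheTimeout = 3600 
+
+# Allow for a clock skew of +/- 3 seconds when checking validity times of 
+# SAML assertions cached from attribute service queries 
+authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0 
+
 #  
 # Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a  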
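--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
@@ -217,14 +217,8 @@
                 <Apply FunctionId="urn:esg:security:xacml:2.0:function:grouprole-bag"> 
                     <AttributeValue DataType="groupRole"> 
-                        <esg:groupRole> 
-                            <esg:group>siteagroup</esg:group> 
-                            <esg:role>default</esg:role> 
-                        </esg:groupRole> 
+                        <esg:groupRole group="siteagroup" role="default"/> 
                     </AttributeValue> 
                     <AttributeValue DataType="groupRole"> 
-                        <esg:groupRole> 
-                            <esg:group>Staff</esg:group> 
-                            <esg:role>Administrator</esg:role> 
-                        </esg:groupRole> 
+                        <esg:groupRole group="Staff" role="Administrator"/> 
                     </AttributeValue> 
                 </Apply> 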
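--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -459,4 +459,17 @@
 authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache 
 
+# Set timeout (seconds) for a cached session - following the timeout any existing 
+# session will be deleted.  This option is ignored if  
+# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is 
+# omitted, no timeout is set.  If none is set and  
+# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively 
+# cached permanently(!) only an assertion expiry could invalidate a given assertion 
+# previously cached. 
+authz.ctx_handler.pip.sessionCacheTimeout = 3600 
+
+# Allow for a clock skew of +/- 3 seconds when checking validity times of 
+# SAML assertions cached from attribute service queries 
+authz.ctx_handler.pip.sessionCacheAssertionClockSkewTol = 3.0 
+
 #  
 # Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a  
@@ -474,4 +487,7 @@
 authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s 
 
+# Enable support for ESGF Group/Role Attribute Value in SAML Attribute queries 
+authz.ctx_handler.pip.attributeQuery.deserialise = ndg.security.common.saml_utils.esgf.xml.etree:ESGFResponseElementTree.fromXML 
+
 # These settings configure SSL mutual authentication for the query to the SAML Attribute Authority 
 authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt 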
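--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/saml_pip.cfg
@@ -26,4 +26,8 @@
 saml_pip.sessionCacheTimeout = 1800 
 
+# Allow for a clock skew of +/- 3 seconds when checking validity times of 
+# SAML assertions cached from attribute service queries 
+saml_pip.sessionCacheAssertionClockSkewTol = 3.0 
+
 # The attribute ID of the subject value to extract from the XACML request 
 # context and pass in the SAML attribute query 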
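--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/xacml/test_saml_pip.py
@@ -72,4 +72,17 @@
         self.assert_(pip.sessionCacheTimeout == 86400L) 
 
+        # Check default 
+        self.assert_(pip.sessionCacheAssertionClockSkewTol == 1.0) 
+         
+        try: 
+            pip.sessionCacheAssertionClockSkewTol = [] 
+            self.fail("pip.sessionCacheAssertionClockSkewTol accepts only " 
+                      "float/int/long/string or None type value") 
+        except TypeError: 
+            pass 
+         
+        pip.sessionCacheAssertionClockSkewTol = 0.3 
+        self.assert_(pip.sessionCacheAssertionClockSkewTol == 0.3) 
+         
     def test02ReadMappingFile(self): 
         pip = PIP() 
@@ -159,4 +172,5 @@
         self.assert_(pip.mappingFilePath) 
         self.assert_(pip.sessionCacheTimeout == 1800) 
+        self.assert_(pip.sessionCacheAssertionClockSkewTol == 3.0) 
         
 # TODO: fix test - left out for now because can't get threading to correctly  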
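Review bot: The new assertions in the first hunk cover the default, the TypeError path and a float assignment, but not the string-to-float path that the setter defines for values read from a config file; only the second hunk exercises it, indirectly, through `saml_pip.cfg`. A direct check such as `pip.sessionCacheAssertionClockSkewTol = '2.5'` followed by `self.assert_(pip.sessionCacheAssertionClockSkewTol == 2.5)` would pin that conversion, and one assigning `None` would pin the explicitly allowed reset. A case asserting that an unparseable value like `'abc'` raises ValueError would also document the failure mode for a mistyped config entry. The enclosing test01 method starts before the hunk.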