1 | #!/usr/bin/env python |
---|
2 | """Unit tests for WSGI Authorization handler |
---|
3 | |
---|
4 | NERC DataGrid Project |
---|
5 | """ |
---|
6 | __author__ = "P J Kershaw" |
---|
7 | __date__ = "21/05/09" |
---|
8 | __copyright__ = "(C) 2009 Science and Technology Facilities Council" |
---|
9 | __license__ = "BSD - see LICENSE file in top-level directory" |
---|
10 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
11 | __revision__ = '$Id: $' |
---|
12 | import logging |
---|
13 | |
---|
14 | |
---|
15 | import unittest |
---|
16 | import os |
---|
17 | from urlparse import urlunsplit |
---|
18 | |
---|
19 | from os.path import expandvars as xpdVars |
---|
20 | from os.path import join as jnPath |
---|
21 | mkPath = lambda file: jnPath(os.environ['NDGSEC_COMBINED_SRVS_UNITTEST_DIR'], |
---|
22 | file) |
---|
23 | |
---|
24 | import paste.fixture |
---|
25 | from paste.deploy import loadapp |
---|
26 | |
---|
27 | from ndg.security.test.unit import BaseTestCase |
---|
28 | from ndg.security.server.wsgi import NDGSecurityMiddlewareBase |
---|
29 | from ndg.security.server.wsgi.authz import (NdgPIPMiddlewareConfigError, |
---|
30 | SamlPIPMiddlewareConfigError, |
---|
31 | PEPResultHandlerMiddleware) |
---|
32 | from ndg.security.common.authz.msi import Response |
---|
33 | |
---|
34 | |
---|
35 | class RedirectFollowingAccessDenied(PEPResultHandlerMiddleware): |
---|
36 | |
---|
37 | @NDGSecurityMiddlewareBase.initCall |
---|
38 | def __call__(self, environ, start_response): |
---|
39 | |
---|
40 | queryString = environ.get('QUERY_STRING', '') |
---|
41 | if 'admin=1' in queryString: |
---|
42 | # User has been rejected access to a URI requiring admin rights, |
---|
43 | # try redirect to the same URI minus the admin query arg, this |
---|
44 | # request will pass because admin rights aren't needed |
---|
45 | queryArgs = queryString.split('&') |
---|
46 | queryList = [arg for arg in queryArgs if arg != 'admin=1'] |
---|
47 | editedQuery = '&'.join(queryList) |
---|
48 | redirectURI = urlunsplit(('', '', self.pathInfo, editedQuery, '')) |
---|
49 | return self.redirect(redirectURI) |
---|
50 | else: |
---|
51 | return super(RedirectFollowingAccessDenied, self).__call__( |
---|
52 | environ, |
---|
53 | start_response) |
---|
54 | |
---|
55 | |
---|
56 | class TestAuthZMiddleware(object): |
---|
57 | '''Test Application for the Authentication handler to protect''' |
---|
58 | response = "Test Authorization application" |
---|
59 | |
---|
60 | def __init__(self, app_conf, **local_conf): |
---|
61 | pass |
---|
62 | |
---|
63 | def __call__(self, environ, start_response): |
---|
64 | |
---|
65 | if environ['PATH_INFO'] == '/test_401': |
---|
66 | status = "401 Unauthorized" |
---|
67 | |
---|
68 | elif environ['PATH_INFO'] == '/test_403': |
---|
69 | status = "403 Forbidden" |
---|
70 | |
---|
71 | elif environ['PATH_INFO'] == '/test_200': |
---|
72 | status = "200 OK" |
---|
73 | |
---|
74 | elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI': |
---|
75 | # Nb. AuthZ middleware should intercept the request and bypass this |
---|
76 | # response |
---|
77 | status = "200 OK" |
---|
78 | |
---|
79 | elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI': |
---|
80 | status = "200 OK" |
---|
81 | else: |
---|
82 | status = "404 Not found" |
---|
83 | |
---|
84 | start_response(status, |
---|
85 | [('Content-length', |
---|
86 | str(len(TestAuthZMiddleware.response))), |
---|
87 | ('Content-type', 'text/plain')]) |
---|
88 | return [TestAuthZMiddleware.response] |
---|
89 | |
---|
90 | |
---|
91 | class BeakerSessionStub(dict): |
---|
92 | """Emulate beaker.session session object for purposes of the unit tests |
---|
93 | """ |
---|
94 | def save(self): |
---|
95 | pass |
---|
96 | |
---|
97 | |
---|
98 | class NdgWSGIAuthZTestCase(BaseTestCase): |
---|
99 | |
---|
100 | def __init__(self, *args, **kwargs): |
---|
101 | BaseTestCase.__init__(self, *args, **kwargs) |
---|
102 | |
---|
103 | here_dir = os.path.dirname(os.path.abspath(__file__)) |
---|
104 | wsgiapp = loadapp('config:ndg-test.ini', relative_to=here_dir) |
---|
105 | self.app = paste.fixture.TestApp(wsgiapp) |
---|
106 | |
---|
107 | self.startSiteAAttributeAuthority() |
---|
108 | |
---|
109 | def test01CatchNoBeakerSessionFound(self): |
---|
110 | |
---|
111 | # PEPFilterConfigError is raised if no beaker.session is set in |
---|
112 | # environ |
---|
113 | try: |
---|
114 | response = self.app.get('/test_200') |
---|
115 | except NdgPIPMiddlewareConfigError, e: |
---|
116 | print("ok - expected: %s exception: %s" % (e.__class__, e)) |
---|
117 | |
---|
118 | def test02Ensure200WithNotLoggedInAndUnsecuredURI(self): |
---|
119 | |
---|
120 | # Check the authZ middleware leaves the response alone if the URI |
---|
121 | # is not matched in the policy |
---|
122 | |
---|
123 | # Simulate a beaker.session in the environ |
---|
124 | extra_environ={'beaker.session.ndg.security':BeakerSessionStub()} |
---|
125 | response = self.app.get('/test_200', |
---|
126 | extra_environ=extra_environ) |
---|
127 | |
---|
128 | def test03Catch401WithLoggedIn(self): |
---|
129 | |
---|
130 | # Check that the application being secured can raise a HTTP 401 |
---|
131 | # response and that this respected by the Authorization middleware |
---|
132 | # even though a user is set in the session |
---|
133 | |
---|
134 | extra_environ={'beaker.session.ndg.security': |
---|
135 | BeakerSessionStub(username='testuser')} |
---|
136 | response = self.app.get('/test_401', |
---|
137 | extra_environ=extra_environ, |
---|
138 | status=401) |
---|
139 | |
---|
140 | def test04Catch403WithLoggedIn(self): |
---|
141 | |
---|
142 | # Check that the application being secured can raise a HTTP 403 |
---|
143 | # response and that this respected by the Authorization middleware |
---|
144 | # even though a user is set in the session |
---|
145 | |
---|
146 | extra_environ={'beaker.session.ndg.security': |
---|
147 | BeakerSessionStub(username='testuser')} |
---|
148 | response = self.app.get('/test_403', |
---|
149 | extra_environ=extra_environ, |
---|
150 | status=403) |
---|
151 | |
---|
152 | def test05Catch401WithNotLoggedInAndSecuredURI(self): |
---|
153 | |
---|
154 | # AuthZ middleware grants access because the URI requested is not |
---|
155 | # targeted in the policy |
---|
156 | |
---|
157 | # AuthZ middleware checks for username key in session set by AuthN |
---|
158 | # handler |
---|
159 | extra_environ={'beaker.session.ndg.security':BeakerSessionStub()} |
---|
160 | response = self.app.get('/test_accessDeniedToSecuredURI', |
---|
161 | extra_environ=extra_environ, |
---|
162 | status=401) |
---|
163 | |
---|
164 | def test06AccessDeniedForSecuredURI(self): |
---|
165 | |
---|
166 | # User is logged in but doesn't have the required credentials for |
---|
167 | # access |
---|
168 | extra_environ={'beaker.session.ndg.security': |
---|
169 | BeakerSessionStub(username='testuser')} |
---|
170 | |
---|
171 | response = self.app.get('/test_accessDeniedToSecuredURI', |
---|
172 | extra_environ=extra_environ, |
---|
173 | status=403) |
---|
174 | self.assert_("Insufficient privileges to access the " |
---|
175 | "resource" in response) |
---|
176 | print response |
---|
177 | |
---|
178 | def test07AccessGrantedForSecuredURI(self): |
---|
179 | |
---|
180 | # User is logged in and has credentials for access to a URI secured |
---|
181 | # by the policy file |
---|
182 | extra_environ={'beaker.session.ndg.security': |
---|
183 | BeakerSessionStub(username='testuser')} |
---|
184 | |
---|
185 | response = self.app.get('/test_accessGrantedToSecuredURI', |
---|
186 | extra_environ=extra_environ, |
---|
187 | status=200) |
---|
188 | self.assert_(TestAuthZMiddleware.response in response) |
---|
189 | print response |
---|
190 | |
---|
191 | def test08AccessDeniedForAdminQueryArg(self): |
---|
192 | |
---|
193 | # User is logged in but doesn't have the required credentials for |
---|
194 | # access |
---|
195 | extra_environ={'beaker.session.ndg.security': |
---|
196 | BeakerSessionStub(username='testuser')} |
---|
197 | |
---|
198 | # Try this URI with the query arg admin=1. This will be picked up |
---|
199 | # by the policy as a request requiring admin rights. The request is |
---|
200 | # denied as the user doesn't have these rights but this then calls |
---|
201 | # into play the PEP result handler defined in this module, |
---|
202 | # RedirectFollowingAccessDenied. This class reinvokes the request |
---|
203 | # but without the admin query argument. Access is then granted for |
---|
204 | # the redirected request |
---|
205 | response = self.app.get('/test_accessGrantedToSecuredURI', |
---|
206 | params={'admin': 1}, |
---|
207 | extra_environ=extra_environ, |
---|
208 | status=302) |
---|
209 | try: |
---|
210 | redirectResponse = response.follow(extra_environ=extra_environ) |
---|
211 | except paste.fixture.AppError, e: |
---|
212 | self.failIf(TestAuthZMiddleware.response not in response) |
---|
213 | print response |
---|
214 | |
---|
215 | |
---|
216 | class TestAuthZMiddleware(object): |
---|
217 | '''Test Application for the Authentication handler to protect''' |
---|
218 | response = "Test Authorization application" |
---|
219 | |
---|
220 | def __init__(self, app_conf, **local_conf): |
---|
221 | pass |
---|
222 | |
---|
223 | def __call__(self, environ, start_response): |
---|
224 | |
---|
225 | if environ['PATH_INFO'] == '/test_401': |
---|
226 | status = "401 Unauthorized" |
---|
227 | |
---|
228 | elif environ['PATH_INFO'] == '/test_403': |
---|
229 | status = "403 Forbidden" |
---|
230 | |
---|
231 | elif environ['PATH_INFO'] == '/test_200': |
---|
232 | status = "200 OK" |
---|
233 | |
---|
234 | elif environ['PATH_INFO'] == '/test_accessDeniedToSecuredURI': |
---|
235 | # Nb. AuthZ middleware should intercept the request and bypass this |
---|
236 | # response |
---|
237 | status = "200 OK" |
---|
238 | |
---|
239 | elif environ['PATH_INFO'] == '/test_accessGrantedToSecuredURI': |
---|
240 | status = "200 OK" |
---|
241 | else: |
---|
242 | status = "404 Not found" |
---|
243 | |
---|
244 | start_response(status, |
---|
245 | [('Content-length', |
---|
246 | str(len(TestAuthZMiddleware.response))), |
---|
247 | ('Content-type', 'text/plain')]) |
---|
248 | return [TestAuthZMiddleware.response] |
---|
249 | |
---|
250 | |
---|
251 | class BeakerSessionStub(dict): |
---|
252 | """Emulate beaker.session session object for purposes of the unit tests |
---|
253 | """ |
---|
254 | def save(self): |
---|
255 | pass |
---|
256 | |
---|
257 | |
---|
258 | class SamlWSGIAuthZTestCase(BaseTestCase): |
---|
259 | |
---|
260 | def __init__(self, *args, **kwargs): |
---|
261 | BaseTestCase.__init__(self, *args, **kwargs) |
---|
262 | |
---|
263 | here_dir = os.path.dirname(os.path.abspath(__file__)) |
---|
264 | wsgiapp = loadapp('config:saml-test.ini', relative_to=here_dir) |
---|
265 | self.app = paste.fixture.TestApp(wsgiapp) |
---|
266 | |
---|
267 | self.startSiteAAttributeAuthority(withSSL=True, |
---|
268 | port=SamlWSGIAuthZTestCase.SITEA_SSL_ATTRIBUTEAUTHORITY_PORTNUM) |
---|
269 | |
---|
270 | |
---|
271 | def test01CatchNoBeakerSessionFound(self): |
---|
272 | |
---|
273 | # PEPFilterConfigError is raised if no beaker.session is set in |
---|
274 | # environ |
---|
275 | try: |
---|
276 | response = self.app.get('/test_200') |
---|
277 | except SamlPIPMiddlewareConfigError, e: |
---|
278 | print("ok - expected: %s exception: %s" % (e.__class__, e)) |
---|
279 | |
---|
280 | def test02Ensure200WithNotLoggedInAndUnsecuredURI(self): |
---|
281 | |
---|
282 | # Check the authZ middleware leaves the response alone if the URI |
---|
283 | # is not matched in the policy |
---|
284 | |
---|
285 | # Simulate a beaker.session in the environ |
---|
286 | extra_environ={'beaker.session.ndg.security':BeakerSessionStub()} |
---|
287 | response = self.app.get('/test_200', |
---|
288 | extra_environ=extra_environ) |
---|
289 | |
---|
290 | def test03Catch401WithLoggedIn(self): |
---|
291 | |
---|
292 | # Check that the application being secured can raise a HTTP 401 |
---|
293 | # response and that this respected by the Authorization middleware |
---|
294 | # even though a user is set in the session |
---|
295 | |
---|
296 | extra_environ = { |
---|
297 | 'beaker.session.ndg.security': |
---|
298 | BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI) |
---|
299 | } |
---|
300 | response = self.app.get('/test_401', |
---|
301 | extra_environ=extra_environ, |
---|
302 | status=401) |
---|
303 | |
---|
304 | def test04Catch403WithLoggedIn(self): |
---|
305 | |
---|
306 | # Check that the application being secured can raise a HTTP 403 |
---|
307 | # response and that this respected by the Authorization middleware |
---|
308 | # even though a user is set in the session |
---|
309 | |
---|
310 | extra_environ = { |
---|
311 | 'beaker.session.ndg.security': |
---|
312 | BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI) |
---|
313 | } |
---|
314 | response = self.app.get('/test_403', |
---|
315 | extra_environ=extra_environ, |
---|
316 | status=403) |
---|
317 | |
---|
318 | def test05Catch401WithNotLoggedInAndSecuredURI(self): |
---|
319 | |
---|
320 | # AuthZ middleware grants access because the URI requested is not |
---|
321 | # targeted in the policy |
---|
322 | |
---|
323 | # AuthZ middleware checks for username key in session set by AuthN |
---|
324 | # handler |
---|
325 | extra_environ={'beaker.session.ndg.security':BeakerSessionStub()} |
---|
326 | response = self.app.get('/test_accessDeniedToSecuredURI', |
---|
327 | extra_environ=extra_environ, |
---|
328 | status=401) |
---|
329 | |
---|
330 | def test06AccessDeniedForSecuredURI(self): |
---|
331 | |
---|
332 | # User is logged in but doesn't have the required credentials for |
---|
333 | # access |
---|
334 | extra_environ = { |
---|
335 | 'beaker.session.ndg.security': |
---|
336 | BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI) |
---|
337 | } |
---|
338 | |
---|
339 | response = self.app.get('/test_accessDeniedToSecuredURI', |
---|
340 | extra_environ=extra_environ, |
---|
341 | status=403) |
---|
342 | self.assert_("Insufficient privileges to access the " |
---|
343 | "resource" in response) |
---|
344 | print response |
---|
345 | |
---|
346 | def test07AccessGrantedForSecuredURI(self): |
---|
347 | |
---|
348 | # User is logged in and has credentials for access to a URI secured |
---|
349 | # by the policy file |
---|
350 | extra_environ = { |
---|
351 | 'beaker.session.ndg.security': |
---|
352 | BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI) |
---|
353 | } |
---|
354 | |
---|
355 | response = self.app.get('/test_accessGrantedToSecuredURI', |
---|
356 | extra_environ=extra_environ, |
---|
357 | status=200) |
---|
358 | self.assert_(TestAuthZMiddleware.response in response) |
---|
359 | print response |
---|
360 | |
---|
361 | def test08AccessDeniedForAdminQueryArg(self): |
---|
362 | |
---|
363 | # User is logged in but doesn't have the required credentials for |
---|
364 | # access |
---|
365 | extra_environ = { |
---|
366 | 'beaker.session.ndg.security': |
---|
367 | BeakerSessionStub(username=SamlWSGIAuthZTestCase.OPENID_URI) |
---|
368 | } |
---|
369 | |
---|
370 | # Try this URI with the query arg admin=1. This will be picked up |
---|
371 | # by the policy as a request requiring admin rights. The request is |
---|
372 | # denied as the user doesn't have these rights but this then calls |
---|
373 | # into play the PEP result handler defined in this module, |
---|
374 | # RedirectFollowingAccessDenied. This class reinvokes the request |
---|
375 | # but without the admin query argument. Access is then granted for |
---|
376 | # the redirected request |
---|
377 | response = self.app.get('/test_accessGrantedToSecuredURI', |
---|
378 | params={'admin': 1}, |
---|
379 | extra_environ=extra_environ, |
---|
380 | status=302) |
---|
381 | try: |
---|
382 | redirectResponse = response.follow(extra_environ=extra_environ) |
---|
383 | except paste.fixture.AppError, e: |
---|
384 | self.failIf(TestAuthZMiddleware.response not in response) |
---|
385 | print response |
---|
386 | |
---|
387 | |
---|
388 | if __name__ == "__main__": |
---|
389 | unittest.main() |
---|