source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/credentialwallet/test_credentialwallet.py @ 4380

#!/usr/bin/env python
"""Unit tests for Credential Wallet class

NERC Data Grid Project
"""
__author__ = "P J Kershaw"
__date__ = "03/10/08"
__copyright__ = "(C) 2008 STFC & NERC"
__license__ = \
"""This software may be distributed under the terms of the Q Public 
License, version 1.0 or later."""
__contact__ = "P.J.Kershaw@rl.ac.uk"
__revision__ = '$Id$'

import unittest
import os, sys, getpass, re
import traceback

from ndg.security.common.utils.ConfigFileParsers import \
                                                    CaseSensitiveConfigParser
from ndg.security.common.X509 import X509CertParse
from ndg.security.common.CredWallet import CredWallet, \
                                            CredWalletAttributeRequestDenied

from os.path import expandvars as xpdVars
from os.path import join as jnPath
mkPath = lambda file: jnPath(os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'],file)

import logging
logging.basicConfig(level=logging.DEBUG)


class CredWalletTestCase(unittest.TestCase):
    """Unit test case for ndg.security.common.CredWallet.CredWallet class.
    
    """
    
    def setUp(self):
        
        if 'NDGSEC_INT_DEBUG' in os.environ:
            import pdb
            pdb.set_trace()
        
        if 'NDGSEC_CREDWALLET_UNITTEST_DIR' not in os.environ:
            os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'] = \
                os.path.abspath(os.path.dirname(__file__))
        
        self.cfg = CaseSensitiveConfigParser()
        configFilePath = jnPath(os.environ['NDGSEC_CREDWALLET_UNITTEST_DIR'],
                                "credWalletTest.cfg")
        self.cfg.read(configFilePath)
        

    def test1ReadOnlyClassVariables(self):
        
        try:
            CredWallet.accessDenied = 'yes'
            self.fail("accessDenied class variable should be read-only")
        except Exception, e:
            print("PASS - accessDenied class variable is read-only")

        try:
            CredWallet.accessGranted = False
            self.fail("accessGranted class variable should be read-only")
        except Exception, e:
            print("PASS - accessGranted class variable is read-only")
            
        assert(not CredWallet.accessDenied)
        assert(CredWallet.accessGranted)
        
        
    def test2SetAttributes(self):
        
        credWallet = CredWallet()
        credWallet.userX509Cert = \
'''-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
-----END CERTIFICATE-----
'''
        print("userCert=%s" % credWallet.userX509Cert)
        credWallet.userId = 'ndg-user'
        print("userId=%s" % credWallet.userId)
        
        try:
            credWallet.blah = 'blah blah'
            self.fail("Attempting to set attribute not in __slots__ class "
                      "variable should fail")
        except AttributeError:
            print("PASS - expected AttributeError when setting attribute "
                  "not in __slots__ class variable")
            
        credWallet.caCertFilePathList=None
        credWallet.attributeAuthorityURI='http://localhost/AttributeAuthority'
            
        credWallet.attributeAuthority = None
        credWallet.credentialRepository = None
        credWallet.mapFromTrustedHosts = False
        credWallet.rtnExtAttCertList = True
        credWallet.attCertRefreshElapse = 7200
            
    def test3GetAttCertWithUserId(self):
                    
        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
        attCert = credWallet.getAttCert()
        
        # No user X.509 cert is set so the resulting Attribute Certificate
        # user ID should be the same as that set for the wallet
        assert(attCert.userId == credWallet.userId)
        print "Attribute Certificate:\n%s" % attCert
        
    def test4GetAttCertWithUserX509Cert(self):
                    
        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
        
        # Set a test individual user certificate to override the client 
        # cert. and private key in WS-Security settings in the config file
        credWallet.userX509Cert = """
-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
-----END CERTIFICATE-----
"""
        credWallet.userPriKey = """
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xM
ieMZy9XQft2dFBDYZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk
2dZxaAt97zXEruEHJoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5
Je8QREThIE5hRd9FoUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLC
cLvs3THQ3kO5qYYbB0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhM
ZvSJ/tVGJY4HfWG7B4PZzYwo5vn/tYH1mk7w5QIDAQABAoIBAQCQdxly/iBxWo60
Jh1zukxOj4QCzwLnps1P8z27FMeK/eJ33scCjeWpkios4An7MZktSW0UqXt135E1
wxjwdaBzABDZm/Q0xkGLyLfTXI5EgnIWQO+mRVifxGqXhsFSB6gYCUPEFfZnOE6x
XZ9sPluKvtTRUR79eb1glzGHRfEF31eBQdPkATA011twBNL3ApULxjlnFBch1LXD
lldbYb9wWV9Bcl9ftJ7Sr4kJ7gqiETWRgKuyMMwGfhIrr8PXB/oq9VOAGg+XSQQY
+0sm1URfh/N5Q7ES+dgOR4MTCn8LUFW859OqY5QZidqDxg/fTNNt6znx0FZcGfbd
oDJV6Oc9AoGBAOgjNePWgxiDYJohNWATs7fUXvT4cGrR6TdJKXd3T8bVp+AO94au
vM9iOZiCfQNRxGYHA25EfwflaF3yKLOvlsK7k1ewRvQ4Hqi/MRyRxIhPmLYCkavl
FOKHV3UeLItpRJMzjU4OBq2k1g3uC22ZYWWXFaYmP+KSW5ICq0v8M4SfAoGBAMCJ
UqbPP8MPht36P43dZJDX+GlPlhWcXrWCD0ePX0wExEBeg+M0GqHTWrz4OwSzHTY0
XPwPqm2kEICIhHyK/BSZ09CMOdHwUc3gRZULCrSnTkEcJY+XY9IftYcVXIL2xFfx
qXqiLe7Le7p2mscSKXUM4uE4Vz16JHDE3Kh3Gnf7AoGAdi2WvcrzKoOXpl/JoIPn
NmrzfJsOABOlOvQQHDWtc3hJ4pM8CGDk1l8XG0EzC4GRDq/7WyOb2BU+MLWbav61
LaX4uOeQ97uqQBY1lmnPN+XtxJtCNdSF8V0ddQ5Ldx28P4Q7J8WUOMp1/tl1D/LJ
1sI3z0Ihu+Luo0Kgmipmv9kCgYB+eTZL0RQHZCmpovsgi2/GHbhWJStnosIr5PV4
gluNKgxoZC2qj812w8l1HHJYUfg8ZQU3pmrDfuRAKm0tCncwaSPUeGh62axC2rGa
iBhONyCWcJDT1BSEMMQjqgqNFOBBDMPRhLs7g3sRL1vYrLuC4iYe382e2p8ZXJe+
Kg6/BQKBgDlFDM9m/9A11PIlh/ir0KXUqtPA1q+Hn629BRsbbsH2HW+kj018RLT+
SgRwhrqFtF5HCMXEh0ez/RyHHoMiVnan9jpLtGEdE8ojJnISjvkIyLUCCJdq8HYC
25UDHqKuoqHBiXWazfZ6MOlcIm6vp1FpVDygu59JHPROMxW+BAg/
-----END RSA PRIVATE KEY-----
"""
        credWallet.createAttributeAuthorityClnt()
        attCert = credWallet.getAttCert()
        
        # A user X.509 cert. was set so this cert's DN should be set in the
        # userId field of the resulting Attribute Certificate
        assert(attCert.userId == str(credWallet.userX509Cert.dn))
        print "Attribute Certificate:\n%s" % attCert
         


    def test5GetAttCertRefusedWithUserCert(self):
        
        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))    
        credWallet.userX509CertFilePath = self.cfg.get('setUp',
                                                       'userX509CertFilePath')
        credWallet.userPriKeyFilePath = self.cfg.get('setUp',
                                                     'userPriKeyFilePath')
        
        # Set AA URI AFTER user PKI settings so that these are picked in the
        # implicit call to create a new AA Client when the URI is set
        credWallet.attributeAuthorityURI = self.cfg.get('setUp', 
                                                    'attributeAuthorityURI')
        try:
            attCert = credWallet.getAttCert()
        except CredWalletAttributeRequestDenied, e:
            print "SUCCESS - obtained expected result: %s" % e
            return
        
        self.fail("Request allowed from Attribute Authority where user is NOT "
                  "registered!")

    def test6GetMappedAttCertWithUserId(self):
        
        # Call Site A Attribute Authority where user is registered
        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
        attCert = credWallet.getAttCert()

        # Use Attribute Certificate cached in wallet to get a mapped 
        # Attribute Certificate from Site B's Attribute Authority
        siteBURI = self.cfg.get('setUp', 'attributeAuthorityURI')        
        attCert = credWallet.getAttCert(attributeAuthorityURI=siteBURI)
            
        print("Mapped Attribute Certificate from Site B Attribute "
              "Authority:\n%s" % attCert)
            
                                                    
if __name__ == "__main__":
    unittest.main()