source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/__init__.py @ 5555

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/__init__.py@5555
Revision 5555, 7.6 KB checked in by pjkersha, 11 years ago (diff)

OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


App 1 is configured with middleware to intercept requests and apply the security policy. App 2 runs services such as the Attribute Authority and OpenID Provider used by app 1. The OpenID Relying Party can now be incorporated in either. Where an application runs in a different domain from the security services stack, it is easier to deploy the Relying Party with the app in 1, as otherwise cookies set by the RP won't be in the scope of the secured app. Deploying the RP in 2 is useful where the app is in the same domain as 2 and there is a need to run the RP over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

"""NDG Security integration testing package

NERC DataGrid Project

Defines AuthZTestApp, a WSGI application used by the integration tests to
stand in for the application secured by the NDG Security authorization
middleware.
"""
# Package metadata
__author__ = "P J Kershaw"
__date__ = "23/04/2009"
__copyright__ = "(C) 2009 Science and Technology Facilities Council"
__license__ = "BSD - see top-level directory for LICENSE file"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = "$Id$"

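class AuthZTestApp(object):
    """This class simulates the application to be secured by the NDG Security
    authorization middleware

    It is a WSGI callable.  Requests are dispatched on ``PATH_INFO`` through
    the fixed ``method`` table, so the request path is only ever used as a
    dictionary key and never passed to ``getattr`` directly.  The username is
    read from the session dictionary found in ``environ`` under the key named
    by the ``beakerSessionKeyName`` global configuration setting.

    Values interpolated into HTML (the session username and the request
    path) are HTML-escaped first: the username is an OpenID identifier
    supplied via the session and must not be treated as trusted markup.
    """
    # Allow-list of request paths -> handler method names.  Only the values
    # in this table are ever looked up with getattr() in __call__.
    method = {
        "/": 'default',
        "/test_401": "test_401",
        "/test_403": "test_403",
        "/test_securedURI": "test_securedURI",
        "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI"
    }

    # NOTE(review): this banner is rendered by default() for unauthenticated
    # requests too and quotes the default test credentials, so this app is
    # only suitable for test deployments whose accounts are throwaway
    # fixtures.
    header = """        <h1>Authorisation Integration Tests:</h1>
        <p>These tests use require the security services application to be
        running.  See securityserviceapp.py and securityservices.ini in the
        authz_lite/ integration test directory.</p>
        <h2>To Run:</h2>
        <p>Try any of the links below.  When prompt for username and password,
        enter one of the sets of credentials from securityservices.ini
        openid.provider.authN.userCreds section.  The defaults are:
        </p>
        <p>pjk/testpassword</p>
        <p>another/testpassword</p>
        <p>The attributeinterface.py AttributeAuthority plugin is configured to
        grant access to 'pjk' for all URLs below apart from
        'test_accessDeniedToSecuredURI'.  The 'another' account will be denied
        access from all URLs apart from 'test_401'</p>
"""

    def __init__(self, app, globalConfig, **localConfig):
        """Store the wrapped application and the session key name

        @param app: next WSGI application to delegate unknown paths to, or
        None when this object is the end of the pipeline
        @param globalConfig: configuration dictionary; must contain
        'beakerSessionKeyName', the environ key holding the session
        @param localConfig: accepted for factory compatibility, not used here
        @raise KeyError: if 'beakerSessionKeyName' is missing from
        globalConfig
        """
        self.beakerSessionKeyName = globalConfig['beakerSessionKeyName']
        self.app = app

    def __call__(self, environ, start_response):
        """WSGI entry point: route the request by its PATH_INFO

        Known paths go to the handler named in the ``method`` table,
        '/logout' renders the default page, anything else is passed to the
        wrapped application if there is one, otherwise a 404 is returned.
        """
        pathInfo = environ['PATH_INFO']
        methodName = self.method.get(pathInfo, '').rstrip()
        if methodName:
            # methodName comes from the class-level table, not from the
            # request, so this getattr cannot reach arbitrary attributes
            action = getattr(self, methodName)
            return action(environ, start_response)

        if pathInfo == '/logout':
            return self.default(environ, start_response)

        if self.app is not None:
            return self.app(environ, start_response)

        start_response('404 Not Found', [('Content-type', 'text/plain')])
        return "Authorisation integration tests: invalid URI"

    @staticmethod
    def _escapeHtml(value):
        """Return value formatted as text with HTML special characters
        escaped so that it is safe to place in element content or a quoted
        attribute"""
        # Function-scope import: this module has no import block of its own
        from xml.sax.saxutils import escape

        # '%s' % (value,) coerces exactly as the original templates did
        return escape('%s' % (value,), {'"': '&quot;', "'": '&#x27;'})

    def _linkList(self):
        """Build the <li> links to every test URI except the default page"""
        return '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)
                          for link, name in self.method.items()
                          if name != 'default'])

    def _sessionUsername(self, environ):
        """Return the session username, or None if there is no session entry
        in environ or no username set in it"""
        return environ.get(self.beakerSessionKeyName, {}).get('username')

    @staticmethod
    def _respond(start_response, status, contentType, response):
        """Start the response with Content-type and Content-length headers
        and return the body"""
        # NOTE(review): the length is the character count of the text; it
        # only equals the byte count while the body is plain ASCII
        start_response(status,
                       [('Content-type', contentType),
                        ('Content-length', str(len(response)))])
        return response

    def default(self, environ, start_response):
        """Render the index page listing the test links, adding the logged in
        OpenID when the session holds a username"""
        session = environ.get(self.beakerSessionKeyName, {})
        if 'username' in session:
            response = """<html>
    <head/>
    <body>
        %s
        <ul>%s</ul>
        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
    </body>
</html>
""" % (AuthZTestApp.header,
       self._linkList(),
       self._escapeHtml(session['username']))
        else:
            response = """<html>
    <head/>
    <body>
        %s
        <ul>%s</ul>
    </body>
</html>
""" % (AuthZTestApp.header,
       self._linkList())

        return self._respond(start_response, '200 OK', 'text/html', response)

    def test_401(self, environ, start_response):
        """Trigger the Authentication middleware by returning a 401
        Unauthorized HTTP status code from this URI

        A missing session entry is treated the same as a missing username:
        the 401 is returned rather than raising KeyError.
        """
        if self._sessionUsername(environ):
            response = """<html>
        <head/>
        <body>
            <h1>Authenticated!</h1>
            <ul>%s</ul>
            <p>You are logged in.  <a href="/logout">Logout</a></p>
        </body>
    </html>
    """ % self._linkList()

            return self._respond(start_response, '200 OK', 'text/html',
                                 response)

        return self._respond(start_response, '401 Unauthorized', 'text/plain',
                             "This page shouldn't be displayed!")

    def test_403(self, environ, start_response):
        """Trigger the Authorization middleware by returning a 403 Forbidden
        HTTP status code from this URI

        A missing session entry is treated the same as a missing username:
        the 403 is returned rather than raising KeyError.
        """
        username = self._sessionUsername(environ)
        if username:
            response = """<html>
    <head/>
    <body>
        <h1>Authorised!</h1>
        <ul>%s</ul>
        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
    </body>
</html>
""" % (self._linkList(),
       self._escapeHtml(username))

            return self._respond(start_response, '200 OK', 'text/html',
                                 response)

        return self._respond(start_response, '403 Forbidden', 'text/plain',
                             "This page shouldn't be displayed!")

    def _authorisedPage(self, environ, start_response):
        """Render the 'Authorised for path' page shared by the secured URI
        handlers

        @raise KeyError: if environ has no session entry or the session has
        no username; the page is deliberately not rendered in that case
        """
        response = """<html>
    <head/>
    <body>
        <h1>Authorised for path [%s]!</h1>
        <ul>%s</ul>
        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
    </body>
</html>
""" % (self._escapeHtml(environ['PATH_INFO']),
       self._linkList(),
       self._escapeHtml(environ[self.beakerSessionKeyName]['username']))

        return self._respond(start_response, '200 OK', 'text/html', response)

    def test_securedURI(self, environ, start_response):
        """To be secured, the Authorization middleware must have this URI in
        its policy"""
        return self._authorisedPage(environ, start_response)

    def test_accessDeniedToSecuredURI(self, environ, start_response):
        """To be secured, the Authorization middleware must have this URI in
        its policy and the user must not have the required role as specified
        in the policy.  See ndg.security.test.config.attributeauthority.sitea
        for user role settings retrieved from the attribute authority"""
        # This handler does no access check of its own: if its page is ever
        # displayed, the request was not blocked upstream of this app.
        return self._authorisedPage(environ, start_response)

    @classmethod
    def app_factory(cls, globalConfig, **localConfig):
        """Create the app as the end point of a pipeline (no wrapped app)"""
        return cls(None, globalConfig, **localConfig)

    @classmethod
    def filter_app_factory(cls, app, globalConfig, **localConfig):
        """Create the app as a filter wrapping the given WSGI app"""
        return cls(app, globalConfig, **localConfig)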