1 | """WSGI Policy Enforcement Point Package |
---|
2 | |
---|
3 | NERC DataGrid Project |
---|
4 | """ |
---|
5 | __author__ = "P J Kershaw" |
---|
6 | __date__ = "16/01/2009" |
---|
7 | __copyright__ = "(C) 2009 Science and Technology Facilities Council" |
---|
8 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
9 | __revision__ = "$Id: $" |
---|
10 | __license__ = "BSD - see LICENSE file in top-level directory" |
---|
11 | import logging |
---|
12 | log = logging.getLogger(__name__) |
---|
13 | |
---|
14 | import warnings |
---|
15 | from time import time |
---|
16 | from urlparse import urlunsplit |
---|
17 | from httplib import UNAUTHORIZED, FORBIDDEN |
---|
18 | |
---|
19 | from ndg.security.common.utils.classfactory import importClass |
---|
20 | from ndg.security.common.X509 import X509Cert |
---|
21 | from ndg.security.common.saml_utils.bindings import AttributeQuerySslSOAPBinding |
---|
22 | |
---|
23 | from ndg.security.common.credentialwallet import (NDGCredentialWallet, |
---|
24 | SAMLCredentialWallet) |
---|
25 | from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase, |
---|
26 | NDGSecurityMiddlewareConfigError) |
---|
27 | |
---|
28 | from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase, |
---|
29 | NDGSecurityMiddlewareConfigError) |
---|
30 | from ndg.security.server.wsgi.authn import (SessionMiddlewareBase, |
---|
31 | SessionHandlerMiddleware) |
---|
32 | |
---|
33 | from ndg.security.common.authz.msi import (Policy, PIP, PIPBase, |
---|
34 | PIPAttributeQuery, |
---|
35 | PIPAttributeResponse, PDP, Request, |
---|
36 | Response, Resource, Subject) |
---|
37 | |
---|
38 | |
---|
39 | class PEPResultHandlerMiddleware(SessionMiddlewareBase): |
---|
40 | """This middleware is invoked if access is denied to a given resource. It |
---|
41 | is incorporated into the call stack by passing it in to a MultiHandler |
---|
42 | instance. The MultiHandler is configured in the AuthorizationMiddlewareBase |
---|
43 | class below. The MultiHandler is passed a checker method which determines |
---|
44 | whether to allow access, or call this interface. The checker is |
---|
45 | implemented in the AuthorizationHandler. See below ... |
---|
46 | |
---|
47 | This class can be overridden to define custom behaviour for the access |
---|
48 | denied response e.g. include an interface to enable users to register for |
---|
49 | the dataset from which they have been denied access. See |
---|
50 | AuthorizationMiddlewareBase pepResultHandler keyword. |
---|
51 | |
---|
52 | SessionMiddlewareBase base class defines user session key and |
---|
53 | isAuthenticated property |
---|
54 | """ |
---|
55 | |
---|
56 | def __init__(self, app, global_conf, prefix='', **app_conf): |
---|
57 | ''' |
---|
58 | @type app: callable following WSGI interface |
---|
59 | @param app: next middleware application in the chain |
---|
60 | @type global_conf: dict |
---|
61 | @param global_conf: PasteDeploy global configuration dictionary |
---|
62 | @type prefix: basestring |
---|
63 | @param prefix: prefix for configuration items |
---|
64 | @type app_conf: dict |
---|
65 | @param app_conf: PasteDeploy application specific configuration |
---|
66 | dictionary |
---|
67 | ''' |
---|
68 | super(PEPResultHandlerMiddleware, self).__init__(app, |
---|
69 | global_conf, |
---|
70 | prefix=prefix, |
---|
71 | **app_conf) |
---|
72 | |
---|
73 | @NDGSecurityMiddlewareBase.initCall |
---|
74 | def __call__(self, environ, start_response): |
---|
75 | |
---|
76 | log.debug("PEPResultHandlerMiddleware.__call__ ...") |
---|
77 | |
---|
78 | self.session = self.environ.get(self.sessionKey) |
---|
79 | if not self.isAuthenticated: |
---|
80 | # This check is included as a precaution: this condition should be |
---|
81 | # caught be the AuthNRedirectHandlerMiddleware or PEPFilter |
---|
82 | log.warning("PEPResultHandlerMiddleware: user is not " |
---|
83 | "authenticated - setting HTTP 401 response") |
---|
84 | return self._setErrorResponse(code=UNAUTHORIZED) |
---|
85 | else: |
---|
86 | # Get response message from PDP recorded by PEP |
---|
87 | pepCtx = self.session.get('pepCtx', {}) |
---|
88 | pdpResponse = pepCtx.get('response') |
---|
89 | msg = getattr(pdpResponse, 'message', '') |
---|
90 | |
---|
91 | response = ("Access is forbidden for this resource:%s" |
---|
92 | "Please check with your site administrator that you " |
---|
93 | "have the required access privileges." % |
---|
94 | msg.join(('\n\n',)*2)) |
---|
95 | |
---|
96 | return self._setErrorResponse(code=FORBIDDEN, msg=response) |
---|
97 | |
---|
98 | |
---|
99 | class PEPFilterError(Exception): |
---|
100 | """Base class for PEPFilter exception types""" |
---|
101 | |
---|
102 | class PEPFilterConfigError(PEPFilterError): |
---|
103 | """Configuration related error for PEPFilter""" |
---|
104 | |
---|
105 | class PEPFilter(SessionMiddlewareBase): |
---|
106 | """PEP (Policy Enforcement Point) WSGI Middleware. The PEP enforces |
---|
107 | access control decisions made by the PDP (Policy Decision Point). In |
---|
108 | this case, it follows the WSG middleware filter pattern and is configured |
---|
109 | in a pipeline upstream of the application(s) which it protects. if an |
---|
110 | access denied decision is made, the PEP enforces this by returning a |
---|
111 | 403 Forbidden HTTP response without the application middleware executing |
---|
112 | |
---|
113 | SessionMiddlewareBase base class defines user session key and |
---|
114 | isAuthenticated property |
---|
115 | """ |
---|
116 | TRIGGER_HTTP_STATUS_CODE = str(FORBIDDEN) |
---|
117 | MIDDLEWARE_ID = 'PEPFilter' |
---|
118 | POLICY_PARAM_PREFIX = 'policy.' |
---|
119 | SESSION_KEYNAME = 'sessionKey' |
---|
120 | POLICY_FILEPATH_PARAMNAME = 'filePath' |
---|
121 | |
---|
122 | def __init__(self, app, global_conf, prefix='', **local_conf): |
---|
123 | """Initialise the PIP (Policy Information Point) and PDP (Policy |
---|
124 | Decision Point). The PDP makes access control decisions based on |
---|
125 | a given policy. The PIP manages the retrieval of user credentials on |
---|
126 | behalf of the PDP |
---|
127 | |
---|
128 | @type app: callable following WSGI interface |
---|
129 | @param app: next middleware application in the chain |
---|
130 | @type global_conf: dict |
---|
131 | @param global_conf: PasteDeploy global configuration dictionary |
---|
132 | @type prefix: basestring |
---|
133 | @param prefix: prefix for configuration items |
---|
134 | @type local_conf: dict |
---|
135 | @param local_conf: PasteDeploy application specific configuration |
---|
136 | dictionary |
---|
137 | |
---|
138 | """ |
---|
139 | # Initialise the PDP reading in the policy |
---|
140 | policyCfg = PEPFilter._filterKeywords(local_conf, |
---|
141 | PEPFilter.POLICY_PARAM_PREFIX) |
---|
142 | self.policyFilePath = policyCfg[PEPFilter.POLICY_FILEPATH_PARAMNAME] |
---|
143 | policy = Policy.Parse(policyCfg[PEPFilter.POLICY_FILEPATH_PARAMNAME]) |
---|
144 | |
---|
145 | # Initialise the Policy Information Point to None. This object is |
---|
146 | # created and set later. See AuthorizationMiddlewareBase. |
---|
147 | self.pdp = PDP(policy, None) |
---|
148 | |
---|
149 | self.sessionKey = local_conf.get(PEPFilter.SESSION_KEYNAME, |
---|
150 | PEPFilter.propertyDefaults[ |
---|
151 | PEPFilter.SESSION_KEYNAME]) |
---|
152 | |
---|
153 | super(PEPFilter, self).__init__(app, |
---|
154 | global_conf, |
---|
155 | prefix=prefix, |
---|
156 | **local_conf) |
---|
157 | |
---|
158 | @NDGSecurityMiddlewareBase.initCall |
---|
159 | def __call__(self, environ, start_response): |
---|
160 | """ |
---|
161 | @type environ: dict |
---|
162 | @param environ: WSGI environment variables dictionary |
---|
163 | @type start_response: function |
---|
164 | @param start_response: standard WSGI start response function |
---|
165 | @rtype: iterable |
---|
166 | @return: response |
---|
167 | """ |
---|
168 | session = environ.get(self.sessionKey) |
---|
169 | if session is None: |
---|
170 | raise PEPFilterConfigError('No beaker session key "%s" found in ' |
---|
171 | 'environ' % self.sessionKey) |
---|
172 | |
---|
173 | queryString = environ.get('QUERY_STRING', '') |
---|
174 | resourceURI = urlunsplit(('', '', self.pathInfo, queryString, '')) |
---|
175 | |
---|
176 | # Check for a secured resource |
---|
177 | matchingTargets = self._getMatchingTargets(resourceURI) |
---|
178 | targetMatch = len(matchingTargets) > 0 |
---|
179 | if not targetMatch: |
---|
180 | log.debug("PEPFilter.__call__: granting access - no matching URI " |
---|
181 | "path target was found in the policy for URI path [%s]", |
---|
182 | resourceURI) |
---|
183 | return self._app(environ, start_response) |
---|
184 | |
---|
185 | log.debug("PEPFilter.__call__: found matching target(s):\n\n %s\n" |
---|
186 | "\nfrom policy file [%s] for URI Path=[%s]\n", |
---|
187 | '\n'.join(["RegEx=%s" % t for t in matchingTargets]), |
---|
188 | self.policyFilePath, |
---|
189 | resourceURI) |
---|
190 | |
---|
191 | if not self.isAuthenticated: |
---|
192 | log.info("PEPFilter.__call__: user is not authenticated - setting " |
---|
193 | "HTTP 401 response ...") |
---|
194 | |
---|
195 | # Set a 401 response for an authentication handler to capture |
---|
196 | return self._setErrorResponse(code=UNAUTHORIZED) |
---|
197 | |
---|
198 | log.debug("PEPFilter.__call__: creating request to call PDP to check " |
---|
199 | "user authorisation ...") |
---|
200 | |
---|
201 | # Make a request object to pass to the PDP |
---|
202 | request = Request() |
---|
203 | request.subject[Subject.USERID_NS] = session['username'] |
---|
204 | |
---|
205 | # IdP Session Manager specific settings: |
---|
206 | # |
---|
207 | # The following won't be set if the IdP running the OpenID Provider |
---|
208 | # hasn't also deployed a Session Manager. In this case, the |
---|
209 | # Attribute Authority will be queried directly from here without a |
---|
210 | # remote Session Manager intermediary to cache credentials |
---|
211 | request.subject[Subject.SESSIONID_NS] = session.get('sessionId') |
---|
212 | request.subject[Subject.SESSIONMANAGERURI_NS] = session.get( |
---|
213 | 'sessionManagerURI') |
---|
214 | request.resource[Resource.URI_NS] = resourceURI |
---|
215 | |
---|
216 | |
---|
217 | # Call the PDP |
---|
218 | response = self.pdp.evaluate(request) |
---|
219 | |
---|
220 | # Record the result in the user's session to enable later |
---|
221 | # interrogation by the AuthZResultHandlerMiddleware |
---|
222 | session['pepCtx'] = {'request': request, 'response': response, |
---|
223 | 'timestamp': time()} |
---|
224 | session.save() |
---|
225 | |
---|
226 | if response.status == Response.DECISION_PERMIT: |
---|
227 | log.info("PEPFilter.__call__: PDP granted access for URI path " |
---|
228 | "[%s] using policy [%s]", |
---|
229 | resourceURI, |
---|
230 | self.policyFilePath) |
---|
231 | |
---|
232 | return self._app(environ, start_response) |
---|
233 | else: |
---|
234 | log.info("PEPFilter.__call__: PDP returned a status of [%s] " |
---|
235 | "denying access for URI path [%s] using policy [%s]", |
---|
236 | response.decisionValue2String[response.status], |
---|
237 | resourceURI, |
---|
238 | self.policyFilePath) |
---|
239 | |
---|
240 | # Trigger AuthZResultHandlerMiddleware by setting a response |
---|
241 | # with HTTP status code equal to the TRIGGER_HTTP_STATUS_CODE class |
---|
242 | # attribute value |
---|
243 | triggerStatusCode = int(PEPFilter.TRIGGER_HTTP_STATUS_CODE) |
---|
244 | return self._setErrorResponse(code=triggerStatusCode) |
---|
245 | |
---|
246 | def _getMatchingTargets(self, resourceURI): |
---|
247 | """This method may only be called following __call__ as __call__ |
---|
248 | updates the pathInfo property |
---|
249 | |
---|
250 | @type resourceURI: basestring |
---|
251 | @param resourceURI: the URI of the requested resource |
---|
252 | @rtype: list |
---|
253 | @return: return list of policy target objects matching the current |
---|
254 | path |
---|
255 | """ |
---|
256 | matchingTargets = [target for target in self.pdp.policy.targets |
---|
257 | if target.regEx.match(resourceURI) is not None] |
---|
258 | return matchingTargets |
---|
259 | |
---|
260 | def multiHandlerInterceptFactory(self): |
---|
261 | """Return a checker function for use with AuthKit's MultiHandler. |
---|
262 | MultiHandler can be used to catch HTTP 403 Forbidden responses set by |
---|
263 | an application and call middleware (AuthZResultMiddleware) to handle |
---|
264 | the access denied message. |
---|
265 | """ |
---|
266 | |
---|
267 | def multiHandlerIntercept(environ, status, headers): |
---|
268 | """AuthKit MultiHandler checker function to intercept |
---|
269 | unauthorised response status codes from applications to be |
---|
270 | protected. This function's definition is embedded into a |
---|
271 | factory method so that this function has visibility to the |
---|
272 | PEPFilter object's attributes if required. |
---|
273 | |
---|
274 | @type environ: dict |
---|
275 | @param environ: WSGI environment dictionary |
---|
276 | @type status: basestring |
---|
277 | @param status: HTTP response code set by application middleware |
---|
278 | that this intercept function is to protect |
---|
279 | @type headers: list |
---|
280 | @param headers: HTTP response header content""" |
---|
281 | |
---|
282 | if status.startswith(PEPFilter.TRIGGER_HTTP_STATUS_CODE): |
---|
283 | log.debug("PEPFilter: found [%s] status for URI path [%s]: " |
---|
284 | "invoking access denied response", |
---|
285 | PEPFilter.TRIGGER_HTTP_STATUS_CODE, |
---|
286 | environ['PATH_INFO']) |
---|
287 | return True |
---|
288 | else: |
---|
289 | # No match - it's publicly accessible |
---|
290 | log.debug("PEPFilter: the return status [%s] for this URI " |
---|
291 | "path [%s] didn't match the trigger status [%s]", |
---|
292 | status, |
---|
293 | environ['PATH_INFO'], |
---|
294 | PEPFilter.TRIGGER_HTTP_STATUS_CODE) |
---|
295 | return False |
---|
296 | |
---|
297 | return multiHandlerIntercept |
---|
298 | |
---|
299 | @staticmethod |
---|
300 | def _filterKeywords(conf, prefix): |
---|
301 | filteredConf = {} |
---|
302 | prefixLen = len(prefix) |
---|
303 | for k, v in conf.items(): |
---|
304 | if k.startswith(prefix): |
---|
305 | filteredConf[k[prefixLen:]] = conf.pop(k) |
---|
306 | |
---|
307 | return filteredConf |
---|
308 | |
---|
309 | def _getPDP(self): |
---|
310 | if self._pdp is None: |
---|
311 | raise TypeError("PDP object has not been initialised") |
---|
312 | return self._pdp |
---|
313 | |
---|
314 | def _setPDP(self, pdp): |
---|
315 | if not isinstance(pdp, (PDP, None.__class__)): |
---|
316 | raise TypeError("Expecting %s or None type for pdp; got %r" % |
---|
317 | (PDP.__class__.__name__, pdp)) |
---|
318 | self._pdp = pdp |
---|
319 | |
---|
320 | pdp = property(fget=_getPDP, |
---|
321 | fset=_setPDP, |
---|
322 | doc="Policy Decision Point object makes access control " |
---|
323 | "decisions on behalf of the PEP") |
---|
324 | |
---|
325 | |
---|
326 | class NdgPIPMiddlewareError(Exception): |
---|
327 | """Base class for Policy Information Point WSGI middleware exception types |
---|
328 | """ |
---|
329 | |
---|
330 | class NdgPIPMiddlewareConfigError(NdgPIPMiddlewareError): |
---|
331 | """Configuration related error for Policy Information Point WSGI middleware |
---|
332 | """ |
---|
333 | |
---|
334 | class NdgPIPMiddleware(PIP, NDGSecurityMiddlewareBase): |
---|
335 | '''Extend Policy Information Point to enable caching of credentials in |
---|
336 | a NDGCredentialWallet object held in beaker.session |
---|
337 | ''' |
---|
338 | ENVIRON_KEYNAME = 'ndg.security.server.wsgi.authz.NdgPIPMiddleware' |
---|
339 | |
---|
340 | propertyDefaults = { |
---|
341 | 'sessionKey': 'beaker.session.ndg.security', |
---|
342 | } |
---|
343 | propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults) |
---|
344 | |
---|
345 | def __init__(self, app, global_conf, prefix='', **local_conf): |
---|
346 | ''' |
---|
347 | @type app: callable following WSGI interface |
---|
348 | @param app: next middleware application in the chain |
---|
349 | @type global_conf: dict |
---|
350 | @param global_conf: PasteDeploy global configuration dictionary |
---|
351 | @type prefix: basestring |
---|
352 | @param prefix: prefix for configuration items |
---|
353 | @type local_conf: dict |
---|
354 | @param local_conf: PasteDeploy application specific configuration |
---|
355 | dictionary |
---|
356 | ''' |
---|
357 | |
---|
358 | # Pre-process list items splitting as needed |
---|
359 | if isinstance(local_conf.get('caCertFilePathList'), basestring): |
---|
360 | local_conf[ |
---|
361 | 'caCertFilePathList'] = NDGSecurityMiddlewareBase.parseListItem( |
---|
362 | local_conf['caCertFilePathList']) |
---|
363 | |
---|
364 | if isinstance(local_conf.get('sslCACertFilePathList'), basestring): |
---|
365 | local_conf[ |
---|
366 | 'sslCACertFilePathList' |
---|
367 | ] = NDGSecurityMiddlewareBase.parseListItem( |
---|
368 | local_conf['sslCACertFilePathList']) |
---|
369 | |
---|
370 | PIP.__init__(self, prefix=prefix, **local_conf) |
---|
371 | |
---|
372 | for k in local_conf.keys(): |
---|
373 | if k.startswith(prefix): |
---|
374 | del local_conf[k] |
---|
375 | |
---|
376 | NDGSecurityMiddlewareBase.__init__(self, |
---|
377 | app, |
---|
378 | global_conf, |
---|
379 | prefix=prefix, |
---|
380 | **local_conf) |
---|
381 | |
---|
382 | def __call__(self, environ, start_response): |
---|
383 | """Take a copy of the session object so that it is in scope for |
---|
384 | _getAttributeCertificate call and add this instance to the environ |
---|
385 | so that the PEPFilter can retrieve it and pass on to the PDP |
---|
386 | |
---|
387 | @type environ: dict |
---|
388 | @param environ: WSGI environment variables dictionary |
---|
389 | @type start_response: function |
---|
390 | @param start_response: standard WSGI start response function |
---|
391 | @rtype: iterable |
---|
392 | @return: response |
---|
393 | """ |
---|
394 | self.session = environ.get(self.sessionKey) |
---|
395 | if self.session is None: |
---|
396 | raise NdgPIPMiddlewareConfigError('No beaker session key "%s" found ' |
---|
397 | 'in environ' % self.sessionKey) |
---|
398 | environ[NdgPIPMiddleware.ENVIRON_KEYNAME] = self |
---|
399 | |
---|
400 | return self._app(environ, start_response) |
---|
401 | |
---|
402 | def _getAttributeCertificate(self, attributeAuthorityURI, **kw): |
---|
403 | '''Extend base class implementation to make use of the |
---|
404 | NDGCredentialWallet Attribute Certificate cache held in the beaker |
---|
405 | session. If no suitable certificate is present invoke default behaviour |
---|
406 | and retrieve an Attribute Certificate from the Attribute Authority or |
---|
407 | Session Manager specified |
---|
408 | |
---|
409 | @type attributeAuthorityURI: basestring |
---|
410 | @param attributeAuthorityURI: URI to Attribute Authority service |
---|
411 | @type username: basestring |
---|
412 | @param username: subject user identifier - could be an OpenID |
---|
413 | @type sessionId: basestring |
---|
414 | @param sessionId: Session Manager session handle |
---|
415 | @type sessionManagerURI: basestring |
---|
416 | @param sessionManagerURI: URI to remote session manager service |
---|
417 | @rtype: ndg.security.common.AttCert.AttCert |
---|
418 | @return: Attribute Certificate containing user roles |
---|
419 | ''' |
---|
420 | # Check for a wallet in the current session - if not present, create |
---|
421 | # one. See ndg.security.server.wsgi.authn.SessionHandlerMiddleware |
---|
422 | # for session keys. The 'credentialWallet' key is deleted along with |
---|
423 | # any other security keys when the user logs out |
---|
424 | if not 'credentialWallet' in self.session: |
---|
425 | log.debug("NdgPIPMiddleware._getAttributeCertificate: adding a " |
---|
426 | "Credential Wallet to user session [%s] ...", |
---|
427 | self.session['username']) |
---|
428 | |
---|
429 | self.session['credentialWallet'] = NDGCredentialWallet( |
---|
430 | userId=self.session['username']) |
---|
431 | self.session.save() |
---|
432 | |
---|
433 | # Take reference to wallet for efficiency |
---|
434 | credentialWallet = self.session['credentialWallet'] |
---|
435 | |
---|
436 | # Check for existing credentials cached in wallet |
---|
437 | credentialItem = credentialWallet.credentialsKeyedByURI.get( |
---|
438 | attributeAuthorityURI) |
---|
439 | if credentialItem is not None: |
---|
440 | log.debug("NdgPIPMiddleware._getAttributeCertificate: retrieved " |
---|
441 | "existing Attribute Certificate cached in Credential " |
---|
442 | "Wallet for user session [%s]", |
---|
443 | self.session['username']) |
---|
444 | |
---|
445 | # Existing cached credential found - skip call to remote Session |
---|
446 | # Manager / Attribute Authority and return this certificate instead |
---|
447 | return credentialItem.credential |
---|
448 | else: |
---|
449 | attrCert = PIP._getAttributeCertificate(self, |
---|
450 | attributeAuthorityURI, |
---|
451 | **kw) |
---|
452 | |
---|
453 | log.debug("NdgPIPMiddleware._getAttributeCertificate: updating " |
---|
454 | "Credential Wallet with retrieved Attribute " |
---|
455 | "Certificate for user session [%s]", |
---|
456 | self.session['username']) |
---|
457 | |
---|
458 | # Update the wallet with this Attribute Certificate so that it's |
---|
459 | # cached for future calls |
---|
460 | credentialWallet.addCredential(attrCert, |
---|
461 | attributeAuthorityURI=attributeAuthorityURI) |
---|
462 | |
---|
463 | return attrCert |
---|
464 | |
---|
465 | |
---|
466 | class SamlPIPMiddlewareError(Exception): |
---|
467 | """Base class for SAML based Policy Information Point WSGI middleware |
---|
468 | exception types |
---|
469 | """ |
---|
470 | |
---|
471 | |
---|
472 | class SamlPIPMiddlewareConfigError(NdgPIPMiddlewareError): |
---|
473 | """Configuration related error for Policy Information Point WSGI middleware |
---|
474 | """ |
---|
475 | |
---|
476 | |
---|
477 | class SamlPIPMiddleware(PIPBase, NDGSecurityMiddlewareBase): |
---|
478 | '''Extend Policy Information Point to enable caching of SAML credentials in |
---|
479 | a SAMLCredentialWallet object held in beaker.session |
---|
480 | ''' |
---|
481 | ENVIRON_KEYNAME = 'ndg.security.server.wsgi.authz.SamlPIPMiddleware' |
---|
482 | |
---|
483 | propertyDefaults = { |
---|
484 | 'sessionKey': 'beaker.session.ndg.security', |
---|
485 | } |
---|
486 | propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults) |
---|
487 | |
---|
488 | CREDENTIAL_WALLET_SESSION_KEYNAME = \ |
---|
489 | SessionHandlerMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME |
---|
490 | USERNAME_SESSION_KEYNAME = \ |
---|
491 | SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME |
---|
492 | |
---|
493 | ATTRIBUTE_QUERY_ATTRNAME = 'attributeQuery' |
---|
494 | LEN_ATTRIBUTE_QUERY_ATTRNAME = len(ATTRIBUTE_QUERY_ATTRNAME) |
---|
495 | |
---|
496 | def __init__(self, app, global_conf, prefix='', **local_conf): |
---|
497 | ''' |
---|
498 | @type app: callable following WSGI interface |
---|
499 | @param app: next middleware application in the chain |
---|
500 | @type global_conf: dict |
---|
501 | @param global_conf: PasteDeploy global configuration dictionary |
---|
502 | @type prefix: basestring |
---|
503 | @param prefix: prefix for configuration items |
---|
504 | @type local_conf: dict |
---|
505 | @param local_conf: PasteDeploy application specific configuration |
---|
506 | dictionary |
---|
507 | ''' |
---|
508 | self.session = None |
---|
509 | self.__attributeQueryBinding = AttributeQuerySslSOAPBinding() |
---|
510 | |
---|
511 | nameOffset = len(prefix) |
---|
512 | for k in local_conf.keys(): |
---|
513 | if k.startswith(prefix): |
---|
514 | val = local_conf.pop(k) |
---|
515 | name = k[nameOffset:] |
---|
516 | setattr(self, name, val) |
---|
517 | |
---|
518 | if not self.__attributeQueryBinding.issuerName: |
---|
519 | issuerX509Cert = X509Cert.Read( |
---|
520 | self.__attributeQueryBinding.sslCtxProxy.sslCertFilePath) |
---|
521 | self.__attributeQueryBinding.issuerName = str(issuerX509Cert.dn) |
---|
522 | |
---|
523 | NDGSecurityMiddlewareBase.__init__(self, app, {}) |
---|
524 | |
---|
525 | def __setattr__(self, name, value): |
---|
526 | """Enable setting of AttributeQuerySslSOAPBinding attributes from |
---|
527 | names starting with attributeQuery.* / attributeQuery_*. Addition for |
---|
528 | setting these values from ini file |
---|
529 | """ |
---|
530 | |
---|
531 | # Coerce into setting AttributeQuerySslSOAPBinding attributes - |
---|
532 | # names must start with 'attributeQuery\W' e.g. |
---|
533 | # attributeQuery.clockSkew or attributeQuery_issuerDN |
---|
534 | if name.startswith(SamlPIPMiddleware.ATTRIBUTE_QUERY_ATTRNAME): |
---|
535 | setattr(self.__attributeQueryBinding, |
---|
536 | name[SamlPIPMiddleware.LEN_ATTRIBUTE_QUERY_ATTRNAME+1:], |
---|
537 | value) |
---|
538 | else: |
---|
539 | super(SamlPIPMiddleware, self).__setattr__(name, value) |
---|
540 | |
---|
541 | @property |
---|
542 | def attributeQueryBinding(self): |
---|
543 | """SAML SOAP Attribute Query client binding object""" |
---|
544 | return self.__attributeQueryBinding |
---|
545 | |
---|
546 | def __call__(self, environ, start_response): |
---|
547 | """Take a copy of the session object so that it is in scope for |
---|
548 | attributeQuery call and add this instance to the environ |
---|
549 | so that the PEPFilter can retrieve it and pass on to the PDP |
---|
550 | |
---|
551 | @type environ: dict |
---|
552 | @param environ: WSGI environment variables dictionary |
---|
553 | @type start_response: function |
---|
554 | @param start_response: standard WSGI start response function |
---|
555 | @rtype: iterable |
---|
556 | @return: response |
---|
557 | """ |
---|
558 | self.session = environ.get(self.sessionKey) |
---|
559 | if self.session is None: |
---|
560 | raise SamlPIPMiddlewareConfigError('No beaker session key "%s" ' |
---|
561 | 'found in environ' % |
---|
562 | self.sessionKey) |
---|
563 | environ[SamlPIPMiddleware.ENVIRON_KEYNAME] = self |
---|
564 | |
---|
565 | return self._app(environ, start_response) |
---|
566 | |
---|
567 | def attributeQuery(self, attributeQuery): |
---|
568 | """Query the Attribute Authority specified in the request to retrieve |
---|
569 | the attributes if any corresponding to the subject |
---|
570 | |
---|
571 | @type attributeResponse: PIPAttributeQuery |
---|
572 | @param attributeResponse: |
---|
573 | @rtype: PIPAttributeResponse |
---|
574 | @return: response containing the attributes retrieved from the |
---|
575 | Attribute Authority""" |
---|
576 | if not isinstance(attributeQuery, PIPAttributeQuery): |
---|
577 | raise TypeError('Expecting %r type for input "attributeQuery"; ' |
---|
578 | 'got %r' % (AttributeQuery, type(attributeQuery))) |
---|
579 | |
---|
580 | attributeAuthorityURI = attributeQuery[ |
---|
581 | PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] |
---|
582 | |
---|
583 | log.debug("SamlPIPMiddleware: received attribute query: %r", |
---|
584 | attributeQuery) |
---|
585 | |
---|
586 | # Check for a wallet in the current session - if not present, create |
---|
587 | # one. See ndg.security.server.wsgi.authn.SessionHandlerMiddleware |
---|
588 | # for session keys. The 'credentialWallet' key is deleted along with |
---|
589 | # any other security keys when the user logs out |
---|
590 | credentialWalletKeyName = \ |
---|
591 | SamlPIPMiddleware.CREDENTIAL_WALLET_SESSION_KEYNAME |
---|
592 | usernameKeyName = SamlPIPMiddleware.USERNAME_SESSION_KEYNAME |
---|
593 | |
---|
594 | if not credentialWalletKeyName in self.session: |
---|
595 | log.debug("SamlPIPMiddleware.attributeQuery: adding a " |
---|
596 | "Credential Wallet to user session [%s] ...", |
---|
597 | self.session[usernameKeyName]) |
---|
598 | |
---|
599 | credentialWallet = SAMLCredentialWallet() |
---|
600 | credentialWallet.userId = self.session[usernameKeyName] |
---|
601 | |
---|
602 | self.session[credentialWalletKeyName] = credentialWallet |
---|
603 | self.session.save() |
---|
604 | else: |
---|
605 | # Take reference to wallet for efficiency |
---|
606 | credentialWallet = self.session[credentialWalletKeyName] |
---|
607 | |
---|
608 | # Check for existing credentials cached in wallet |
---|
609 | credentialItem = credentialWallet.credentialsKeyedByURI.get( |
---|
610 | attributeAuthorityURI) |
---|
611 | if credentialItem is None: |
---|
612 | # No assertion is cached - make a fresh SAML Attribute Query |
---|
613 | self.attributeQueryBinding.subjectID = credentialWallet.userId |
---|
614 | response = self.attributeQueryBinding.send( |
---|
615 | uri=attributeAuthorityURI) |
---|
616 | for assertion in response.assertions: |
---|
617 | credentialWallet.addCredential(assertion) |
---|
618 | |
---|
619 | log.debug("SamlPIPMiddleware.attributeQuery: updating Credential " |
---|
620 | "Wallet with retrieved SAML Attribute Assertion " |
---|
621 | "for user session [%s]", self.session[usernameKeyName]) |
---|
622 | else: |
---|
623 | log.debug("SamlPIPMiddleware.attributeQuery: retrieved existing " |
---|
624 | "SAML Attribute Assertion cached in Credential Wallet " |
---|
625 | "for user session [%s]", self.session[usernameKeyName]) |
---|
626 | |
---|
627 | attributeResponse = PIPAttributeResponse() |
---|
628 | attributeResponse[Subject.ROLES_NS] = [] |
---|
629 | |
---|
630 | # Unpack assertion attribute values and add to the response object |
---|
631 | for credentialItem in credentialWallet.credentials.values(): |
---|
632 | for statement in credentialItem.credential.attributeStatements: |
---|
633 | for attribute in statement.attributes: |
---|
634 | attributeResponse[Subject.ROLES_NS] += [ |
---|
635 | attributeValue.value |
---|
636 | for attributeValue in attribute.attributeValues |
---|
637 | if attributeValue.value not in attributeResponse[ |
---|
638 | Subject.ROLES_NS] |
---|
639 | ] |
---|
640 | |
---|
641 | log.debug("SamlPIPMiddleware.attributeQuery response: %r", |
---|
642 | attributeResponse) |
---|
643 | |
---|
644 | return attributeResponse |
---|
645 | |
---|
646 | |
---|
647 | from authkit.authenticate.multi import MultiHandler |
---|
648 | |
---|
649 | class AuthorizationMiddlewareError(Exception): |
---|
650 | """Base class for AuthorizationMiddlewareBase exceptions""" |
---|
651 | |
---|
652 | class AuthorizationMiddlewareConfigError(Exception): |
---|
653 | """AuthorizationMiddlewareBase configuration related exceptions""" |
---|
654 | |
---|
655 | |
---|
656 | class AuthorizationMiddlewareBase(NDGSecurityMiddlewareBase): |
---|
657 | '''Virtual class - A base Handler to call Policy Enforcement Point |
---|
658 | middleware to intercept requests and enforce access control decisions. |
---|
659 | |
---|
660 | Extend THIS class adding the new type to any WSGI middleware chain ahead of |
---|
661 | the application(s) which it is to protect. To make an implementation for |
---|
662 | this virtual class, set PIP_MIDDLEWARE_CLASS in the derived type to a |
---|
663 | valid Policy Information Point Class. Use in conjunction with |
---|
664 | ndg.security.server.wsgi.authn.AuthenticationMiddleware |
---|
665 | ''' |
---|
666 | PEP_PARAM_PREFIX = 'pep.filter.' |
---|
667 | PIP_PARAM_PREFIX = 'pip.' |
---|
668 | PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler" |
---|
669 | |
---|
670 | |
---|
671 | class PIP_MIDDLEWARE_CLASS(object): |
---|
672 | """Policy Information Point WSGI middleware abstract base, |
---|
673 | implementations should retrieve user credentials to enable the PDP to |
---|
674 | make access control decisions |
---|
675 | """ |
---|
676 | def __init__(self, app, global_conf, prefix='', **local_conf): |
---|
677 | raise NotImplementedError(' '.join( |
---|
678 | AuthorizationMiddlewareBase.PIP_MIDDLEWARE_CLASS.__doc__.split()) |
---|
679 | ) |
---|
680 | |
---|
681 | def __init__(self, app, global_conf, prefix='', **app_conf): |
---|
682 | """Set-up Policy Enforcement Point to enforce access control decisions |
---|
683 | based on the URI path requested and/or the HTTP response code set by |
---|
684 | application(s) to be protected. An AuthKit MultiHandler is setup to |
---|
685 | handle the latter. PEPResultHandlerMiddleware handles the output |
---|
686 | set following an access denied decision |
---|
687 | @type app: callable following WSGI interface |
---|
688 | @param app: next middleware application in the chain |
---|
689 | @type global_conf: dict |
---|
690 | @param global_conf: PasteDeploy global configuration dictionary |
---|
691 | @type prefix: basestring |
---|
692 | @param prefix: prefix for configuration items |
---|
693 | @type app_conf: dict |
---|
694 | @param app_conf: PasteDeploy application specific configuration |
---|
695 | dictionary |
---|
696 | """ |
---|
697 | authzPrefix = prefix + AuthorizationMiddlewareBase.PEP_PARAM_PREFIX |
---|
698 | pepFilter = PEPFilter(app, |
---|
699 | global_conf, |
---|
700 | prefix=authzPrefix, |
---|
701 | **app_conf) |
---|
702 | pepInterceptFunc = pepFilter.multiHandlerInterceptFactory() |
---|
703 | |
---|
704 | # Slot in the Policy Information Point in the WSGI stack at this point |
---|
705 | # so that it can take a copy of the beaker session object from environ |
---|
706 | # ahead of the PDP's request to it for an Attribute Certificate |
---|
707 | pipPrefix = AuthorizationMiddlewareBase.PIP_PARAM_PREFIX |
---|
708 | pipFilter = self.__class__.PIP_MIDDLEWARE_CLASS(pepFilter, |
---|
709 | global_conf, |
---|
710 | prefix=pipPrefix, |
---|
711 | **app_conf) |
---|
712 | pepFilter.pdp.pip = pipFilter |
---|
713 | |
---|
714 | app = MultiHandler(pipFilter) |
---|
715 | |
---|
716 | pepResultHandlerClassName = app_conf.pop( |
---|
717 | prefix+AuthorizationMiddlewareBase.PEP_RESULT_HANDLER_PARAMNAME, |
---|
718 | None) |
---|
719 | if pepResultHandlerClassName is None: |
---|
720 | pepResultHandler = PEPResultHandlerMiddleware |
---|
721 | else: |
---|
722 | pepResultHandler = importClass(pepResultHandlerClassName, |
---|
723 | objectType=PEPResultHandlerMiddleware) |
---|
724 | |
---|
725 | app.add_method(PEPFilter.MIDDLEWARE_ID, |
---|
726 | pepResultHandler.filter_app_factory, |
---|
727 | global_conf, |
---|
728 | prefix=prefix, |
---|
729 | **app_conf) |
---|
730 | |
---|
731 | app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc) |
---|
732 | |
---|
733 | super(AuthorizationMiddlewareBase, self).__init__(app, |
---|
734 | global_conf, |
---|
735 | prefix=prefix, |
---|
736 | **app_conf) |
---|
737 | |
---|
738 | |
---|
739 | class NDGAuthorizationMiddleware(AuthorizationMiddlewareBase): |
---|
740 | """Implementation of AuthorizationMiddlewareBase using the NDG Policy |
---|
741 | Information Point interface. This retrieves attributes over the SOAP/WSDL |
---|
742 | Attribute Authority interface |
---|
743 | (ndg.security.server.wsgi.attributeauthority.AttributeAuthoritySOAPBindingMiddleware) |
---|
744 | and caches NDG Attribute Certificates in an |
---|
745 | ndg.security.common.credentialWallet.NDGCredentialWallet |
---|
746 | """ |
---|
747 | PIP_MIDDLEWARE_CLASS = NdgPIPMiddleware |
---|
748 | |
---|
749 | |
---|
750 | class AuthorizationMiddleware(NDGAuthorizationMiddleware): |
---|
751 | """Include this class for backwards compatibility - see warning message |
---|
752 | in FUTURE_DEPRECATION_WARNING_MSG class variable""" |
---|
753 | FUTURE_DEPRECATION_WARNING_MSG = ( |
---|
754 | "AuthorizationMiddleware will be deprecated in future releases. " |
---|
755 | "NDGAuthorizationMiddleware is a drop in replacement but should be " |
---|
756 | "replaced with SAMLAuthorizationMiddleware instead") |
---|
757 | |
---|
758 | def __init__(self, *arg, **kw): |
---|
759 | warnings.warn(AuthorizationMiddleware.FUTURE_DEPRECATION_WARNING_MSG, |
---|
760 | PendingDeprecationWarning) |
---|
761 | log.warning(AuthorizationMiddleware.FUTURE_DEPRECATION_WARNING_MSG) |
---|
762 | super(AuthorizationMiddleware, self).__init__(*arg, **kw) |
---|
763 | |
---|
764 | |
---|
765 | class SAMLAuthorizationMiddleware(AuthorizationMiddlewareBase): |
---|
766 | """Implementation of AuthorizationMiddlewareBase using the SAML Policy |
---|
767 | Information Point interface. This retrieves attributes over the SOAP/SAML |
---|
768 | Attribute Authority interface |
---|
769 | (ndg.security.server.wsgi.saml.SOAPAttributeInterfaceMiddleware) and caches |
---|
770 | SAML Assertions in a |
---|
771 | ndg.security.common.credentialWallet.SAMLCredentialWallet |
---|
772 | """ |
---|
773 | PIP_MIDDLEWARE_CLASS = SamlPIPMiddleware |
---|
774 | |
---|