source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py @ 5681

Revision 5681, 5.3 KB checked in by pjkersha, 11 years ago (diff)

Integrated SOAP SAML Attribute Query interface into Attribute Authority Client unit tests.

"""NDG Attribute Authority User Roles class - acts as an interface between
the data centre's user roles configuration and the Attribute Authority.

Canned test fixture: the roles and SAML attributes returned are fixed values,
not read from any configuration.

NERC Data Grid Project
"""
# Module metadata
__author__ = "P J Kershaw"
__date__ = "29/07/05"
__copyright__ = "(C) 2009 Science and Technology Facilities Council"
__license__ = "BSD - see LICENSE file in top-level directory"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = "$Id:siteAUserRoles.py 4371 2008-10-29 09:44:51Z pjkersha $"
12
13from datetime import datetime, timedelta
14from uuid import uuid4
15
16
17from ndg.security.server.attributeauthority import AttributeInterface, \
18    InvalidRequestorId, AttributeNotKnownError, AttributeReleaseDenied, \
19    UserIdNotKnown
20from saml.common.xml import SAMLConstants
21from saml.saml2.core import Response, Assertion, Attribute, AttributeValue, \
22    AttributeStatement, SAMLVersion, Subject, NameID, Issuer, AttributeQuery, \
23    XSStringAttributeValue, XSGroupRoleAttributeValue, Conditions, Status, \
24    StatusCode
25
26
class TestUserRoles(AttributeInterface):
    """Test User Roles class dynamic import for Attribute Authority

    Canned AttributeInterface implementation for the Attribute Authority unit
    tests: one known subject, two known requestors (one of which is refused
    attribute release) and a fixed set of three xs:string SAML attributes.
    """

    SAML_ATTRIBUTE_NAMES = (
        'urn:esg:email:address',
        'urn:esg:first:name',
        'urn:esg:last:name'
    )
    SAML_ATTRIBUTE_VALUES = (
        'p.kershaw@somewhere.ac.uk',
        'Philip',
        'Kershaw'
    )
    SAML_ATTRIBUTE_FRIENDLY_NAMES = (
        "emailAddress",
        "FirstName",
        "LastName"
    )

    # Every test attribute is typed as xs:string; the temporary is removed
    # from the class namespace once the tuple has been built
    _XS_STRING_FORMAT = SAMLConstants.XSD_NS + "#" + \
        XSStringAttributeValue.TYPE_LOCAL_NAME
    SAML_ATTRIBUTE_FORMATS = (_XS_STRING_FORMAT,) * 3
    del _XS_STRING_FORMAT

    def _makeAttribute(attrName, attrValue, attrFormat, attrFriendlyName):
        """Build one SAML Attribute carrying a single xs:string value

        Class-body helper only: it is deleted from the namespace below.
        """
        attribute = Attribute()
        attribute.name = attrName
        attribute.nameFormat = attrFormat
        attribute.friendlyName = attrFriendlyName
        attribute.attributeValues.append(XSStringAttributeValue())
        attribute.attributeValues[-1].value = attrValue
        return attribute

    # Built once at class definition time.  getAttributes appends these very
    # instances to each response rather than copies.
    SAML_ATTRIBUTES = list(map(_makeAttribute,
                               SAML_ATTRIBUTE_NAMES,
                               SAML_ATTRIBUTE_VALUES,
                               SAML_ATTRIBUTE_FORMATS,
                               SAML_ATTRIBUTE_FRIENDLY_NAMES))
    del _makeAttribute

    VALID_USER_IDS = ("https://openid.localhost/philip.kershaw",)
    VALID_REQUESTOR_IDS = ("Site A", "Site B")

    # Known requestor that is nonetheless refused attribute release
    INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = "Site B"

    def __init__(self, propertiesFilePath=None):
        """No configuration is read: ``propertiesFilePath`` is accepted and
        ignored"""
        pass

    def getRoles(self, userId):
        """Return the fixed Site A role set; ``userId`` is not consulted"""
        rolePrefix = 'urn:siteA:security:authz:1.0:attr:'
        return [rolePrefix + roleName
                for roleName in ('postdoc', 'staff', 'undergrad', 'coapec')]

    def _checkQuery(self, userId, requestorId, requestedAttributeNames):
        '''Validate an attribute query against the canned test policy

        Checks run in this order: subject known, requestor known, all requested
        attribute names known, requestor permitted to receive attributes.

        NOTE(review): because the unknown-attribute check precedes the release
        check, a known-but-denied requestor still learns which attribute names
        exist.  Fine for a test fixture; a production AttributeInterface
        should decide release before disclosing anything about the attribute
        set.

        @param userId: subject NameID value from the query
        @param requestorId: issuer value from the query
        @param requestedAttributeNames: names of the attributes requested
        @raise UserIdNotKnown: subject is not in VALID_USER_IDS
        @raise InvalidRequestorId: issuer is not in VALID_REQUESTOR_IDS
        @raise AttributeNotKnownError: a requested name is not a test attribute
        @raise AttributeReleaseDenied: issuer is
        INSUFFICIENT_PRIVILEGES_REQUESTOR_ID
        '''
        if userId not in TestUserRoles.VALID_USER_IDS:
            raise UserIdNotKnown('Subject Id "%s" is not known to this '
                                 'authority' % userId)

        if requestorId not in TestUserRoles.VALID_REQUESTOR_IDS:
            raise InvalidRequestorId('Requestor identity "%s" is invalid' %
                                     requestorId)

        knownNames = TestUserRoles.SAML_ATTRIBUTE_NAMES
        unknownAttrNames = [attrName for attrName in requestedAttributeNames
                            if attrName not in knownNames]
        if unknownAttrNames:
            raise AttributeNotKnownError("Unknown attributes requested: %r" %
                                         unknownAttrNames)

        if requestorId == TestUserRoles.INSUFFICIENT_PRIVILEGES_REQUESTOR_ID:
            raise AttributeReleaseDenied("Attribute release denied for the "
                                         'requestor "%s"' % requestorId)

    def getAttributes(self, attributeQuery, response, assertionLifetime):
        '''Test Attribute Authority SAML Attribute Query interface

        Validates the query and, on success, appends a new assertion carrying
        the class-level test attributes to ``response``.

        @param attributeQuery: incoming SAML AttributeQuery; its subject NameID
        (format and value) is echoed into the assertion
        @param response: SAML Response to add the assertion to.  Its
        issueInstant is reused as the assertion's issueInstant and as the
        start of the validity window.
        @param assertionLifetime: validity window length in seconds
        @raise UserIdNotKnown, InvalidRequestorId, AttributeNotKnownError,
        AttributeReleaseDenied: see _checkQuery
        '''
        queryNameID = attributeQuery.subject.nameID
        requestedAttributeNames = [attribute.name
                                   for attribute in attributeQuery.attributes]
        self._checkQuery(queryNameID.value,
                         attributeQuery.issuer.value,
                         requestedAttributeNames)

        # Fresh SAML 2.0 assertion with a random id, timestamped from the
        # response being built
        assertion = Assertion()
        assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
        assertion.id = str(uuid4())
        assertion.issueInstant = response.issueInstant

        # Validity window starts at the issue instant and lasts
        # assertionLifetime seconds
        assertion.conditions = Conditions()
        conditions = assertion.conditions
        conditions.notBefore = assertion.issueInstant
        conditions.notOnOrAfter = conditions.notBefore + \
            timedelta(seconds=assertionLifetime)

        # Subject copied from the query
        assertion.subject = Subject()
        assertion.subject.nameID = NameID()
        subjectNameID = assertion.subject.nameID
        subjectNameID.format = queryNameID.format
        subjectNameID.value = queryNameID.value

        # Add test set of attributes - the shared class-level instances
        attributeStatement = AttributeStatement()
        for testAttribute in TestUserRoles.SAML_ATTRIBUTES:
            attributeStatement.attributes.append(testAttribute)

        assertion.attributeStatements.append(attributeStatement)
        response.assertions.append(assertion)