source: TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py @ 5703

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/siteAUserRoles.py@5703
Revision 5703, 6.1 KB checked in by pjkersha, 11 years ago (diff)

Attribute Authority Client unit tests: added tests for invalid conditions for SAML Attribute Queries.

1"""NDG Attribute Authority User Roles class - acts as an interface between
2the data centre's user roles configuration and the Attribute Authority
3                                                                               
4NERC Data Grid Project
5"""
# Module metadata: authorship and contact first, then provenance.
__author__ = "P J Kershaw"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__date__ = "29/07/05"
__copyright__ = "(C) 2009 Science and Technology Facilities Council"
__license__ = "BSD - see LICENSE file in top-level directory"
# Subversion keyword-substituted revision string; keep verbatim.
__revision__ = '$Id:siteAUserRoles.py 4371 2008-10-29 09:44:51Z pjkersha $'
12
13from datetime import datetime, timedelta
14from uuid import uuid4
15
16
17from ndg.security.server.attributeauthority import AttributeInterface, \
18    InvalidRequestorId, AttributeNotKnownError, AttributeReleaseDenied, \
19    UserIdNotKnown
20from saml.common.xml import SAMLConstants
21from saml.saml2.core import Response, Assertion, Attribute, AttributeValue, \
22    AttributeStatement, SAMLVersion, Subject, NameID, Issuer, AttributeQuery, \
23    XSStringAttributeValue, XSGroupRoleAttributeValue, Conditions, Status, \
24    StatusCode
25
26
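class TestUserRoles(AttributeInterface):
    """Test User Roles class dynamic import for Attribute Authority.

    Fixture implementation of ``AttributeInterface`` for the Attribute
    Authority unit tests.  All data is fixed at class level: one known
    subject id, two accepted requestor ids (one of which is denied attribute
    release) and a small set of SAML attributes.  ``getAttributes`` validates
    an incoming SAML attribute query against this data and appends an
    assertion to the supplied response.
    """
    # Role attribute name issued by this (test) site
    ATTRIBUTE_NAMES = (
        "urn:siteA:security:authz:1.0:attr",
    )

    # Role values returned for every known user
    ATTRIBUTE_VALUES = (
        'urn:siteA:security:authz:1.0:attr:postdoc',
        'urn:siteA:security:authz:1.0:attr:staff', 
        'urn:siteA:security:authz:1.0:attr:undergrad', 
        'urn:siteA:security:authz:1.0:attr:coapec',
        'urn:siteA:security:authz:1.0:attr:rapid'
    )

    # Every attribute name a SAML attribute query may ask for; the role
    # attribute plus the ESG-style identity attributes
    SAML_ATTRIBUTE_NAMES = ATTRIBUTE_NAMES + (
        'urn:esg:email:address',
        'urn:esg:first:name', 
        'urn:esg:last:name'
    )

    # One tuple of values per entry of SAML_ATTRIBUTE_NAMES, position for
    # position (the role attribute is multi-valued, the rest single-valued)
    SAML_ATTRIBUTE_VALUES = (
        ATTRIBUTE_VALUES,
        ('p.kershaw@somewhere.ac.uk',),
        ('Philip',),
        ('Kershaw',)
    )

    # Friendly names, position for position with SAML_ATTRIBUTE_NAMES; the
    # role attribute has none
    SAML_ATTRIBUTE_FRIENDLY_NAMES = ('',)*len(ATTRIBUTE_NAMES) + (
        "emailAddress",
        "FirstName",
        "LastName"
    )
    # The same xs:string format is used for every attribute
    SAML_ATTRIBUTE_FORMATS = (SAMLConstants.XSD_NS+"#"+\
                            XSStringAttributeValue.TYPE_LOCAL_NAME,) * \
                            len(SAML_ATTRIBUTE_NAMES)

    # Pre-built SAML Attribute objects, one per SAML_ATTRIBUTE_NAMES entry.
    # These instances are shared by every response built by getAttributes.
    SAML_ATTRIBUTES = []

    for attrName, attrVals, nameFormat, friendlyName in zip(
                                               SAML_ATTRIBUTE_NAMES,
                                               SAML_ATTRIBUTE_VALUES,
                                               SAML_ATTRIBUTE_FORMATS,
                                               SAML_ATTRIBUTE_FRIENDLY_NAMES):
        SAML_ATTRIBUTES.append(Attribute())
        SAML_ATTRIBUTES[-1].name = attrName
        SAML_ATTRIBUTES[-1].nameFormat = nameFormat
        SAML_ATTRIBUTES[-1].friendlyName = friendlyName
        for attrVal in attrVals:
            SAML_ATTRIBUTES[-1].attributeValues.append(XSStringAttributeValue())
            SAML_ATTRIBUTES[-1].attributeValues[-1].value = attrVal

    # Keep the loop variables out of the class namespace
    del attrName, attrVal, attrVals, nameFormat, friendlyName

    # 8 hours validity for issued assertions
    SAML_ASSERTION_LIFETIME = 8*60*60

    # The only subject this authority will issue attributes for
    VALID_USER_IDS = ("https://openid.localhost/philip.kershaw",)
    # Requestors (query issuers) that are recognised at all ...
    VALID_REQUESTOR_IDS = ("Site A", "Site B")
    # ... and the recognised requestor that is nevertheless refused release
    INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = "Site B"

    def __init__(self, propertiesFilePath=None):
        """Accept (and ignore) a properties file path.

        The fixture reads no configuration; all of its data is class-level.
        The parameter is kept for interface compatibility with the Attribute
        Authority's dynamic import of AttributeInterface implementations.
        """
        pass

    def getRoles(self, userId):
        """Return the fixed role set for any user.

        ``userId`` is ignored by this fixture: every caller receives
        ``ATTRIBUTE_VALUES``.
        """
        return TestUserRoles.ATTRIBUTE_VALUES

    def getAttributes(self, attributeQuery, response):
        '''Test Attribute Authority SAML Attribute Query interface.

        Validate ``attributeQuery`` against the fixture data and, on
        success, append to ``response`` a single SAML assertion holding the
        requested attributes.

        :param attributeQuery: SAML AttributeQuery; its subject name id,
            issuer and requested attribute names are read
        :param response: SAML Response to add the assertion to; its
            ``issueInstant`` is reused as the assertion's issue instant
        :raise UserIdNotKnown: subject id is not in ``VALID_USER_IDS``
        :raise InvalidRequestorId: issuer is not in ``VALID_REQUESTOR_IDS``
        :raise AttributeNotKnownError: a requested attribute name is not in
            ``SAML_ATTRIBUTE_NAMES``
        :raise AttributeReleaseDenied: issuer is
            ``INSUFFICIENT_PRIVILEGES_REQUESTOR_ID``
        '''
        userId = attributeQuery.subject.nameID.value
        requestedAttributeNames = [attribute.name
                                   for attribute in attributeQuery.attributes]
        requestorId = attributeQuery.issuer.value

        # NOTE(review): the subject check runs before the requestor check, so
        # the exception type tells an unrecognised requestor whether a subject
        # id is known here.  Acceptable for a test fixture whose exception
        # order the unit tests exercise; a production AttributeInterface
        # should validate the requestor first.
        if userId not in TestUserRoles.VALID_USER_IDS:
            raise UserIdNotKnown('Subject Id "%s" is not known to this '
                                 'authority' % userId)

        if requestorId not in TestUserRoles.VALID_REQUESTOR_IDS:
            raise InvalidRequestorId('Requestor identity "%s" is invalid' %
                                     requestorId)

        unknownAttrNames = [attrName for attrName in requestedAttributeNames
                            if attrName not in 
                            TestUserRoles.SAML_ATTRIBUTE_NAMES]

        if unknownAttrNames:
            raise AttributeNotKnownError("Unknown attributes requested: %r" %
                                         unknownAttrNames)

        # A recognised requestor may still be refused attribute release
        if requestorId == TestUserRoles.INSUFFICIENT_PRIVILEGES_REQUESTOR_ID:
            raise AttributeReleaseDenied("Attribute release denied for the "
                                         'requestor "%s"' % requestorId)

        # Create a new assertion to hold the attributes to be returned
        assertion = Assertion()

        assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
        assertion.id = str(uuid4())
        assertion.issueInstant = response.issueInstant

        # Validity window starts at the issue instant and lasts
        # SAML_ASSERTION_LIFETIME seconds
        assertion.conditions = Conditions()
        assertion.conditions.notBefore = assertion.issueInstant
        assertion.conditions.notOnOrAfter = assertion.conditions.notBefore + \
            timedelta(seconds=TestUserRoles.SAML_ASSERTION_LIFETIME)

        # Echo the query's subject back in the assertion
        assertion.subject = Subject() 
        assertion.subject.nameID = NameID()
        assertion.subject.nameID.format = attributeQuery.subject.nameID.format
        assertion.subject.nameID.value = attributeQuery.subject.nameID.value

        attributeStatement = AttributeStatement()

        # Add test set of attributes.  Names in SAML_ATTRIBUTE_NAMES are
        # unique, so a single name -> Attribute lookup built once replaces
        # a linear scan per requested name.  The shared class-level Attribute
        # instances are appended directly, so every response aliases the same
        # objects: callers must treat them as read-only.
        attributesByName = dict((attribute.name, attribute)
                                for attribute in TestUserRoles.SAML_ATTRIBUTES)
        for name in requestedAttributeNames:
            attribute = attributesByName.get(name)
            if attribute is None:
                # Already excluded by the unknownAttrNames check above; kept
                # as a defensive guard should the two lists ever diverge
                raise AttributeNotKnownError("Unknown attribute requested: %s"%
                                             name)
            attributeStatement.attributes.append(attribute)

        assertion.attributeStatements.append(attributeStatement)       
        response.assertions.append(assertion)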
154 