Changeset 5086 for TI12-security


Timestamp:
09/03/09 16:54:57 (11 years ago)
Author:
pjkersha
Message:

ndg.security.test.integration.authz: integration test including OpenID provider, relying party and PEP and PDP components. The PDP is currently a placeholder requiring integration with a user-credentials callout to the Session Manager.

Location:
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz
Files:
4 edited

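--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini
@@ -14,8 +14,10 @@
 pipeline = SessionMiddlewareFilter
                    AuthenticationFilter
-           TestApp
+                   PDPMiddlewareFilter
+                   PEPMiddlewareFilter
+                   AuthZTestApp
 
-[app:TestApp]
-paste.app_factory = ndg.security.test.integration.authz.securedapp:TestAuthNMiddleware
+[app:AuthZTestApp]
+paste.app_factory = ndg.security.test.integration.authz.securedapp:AuthZTestMiddleware.app_factory
 
 #______________________________________________________________________________
@@ -43,2 +45,13 @@
 authkit.cookie.secret=secret encryption string
 authkit.cookie.signoutpath = /logout
+
+[filter:PEPMiddlewareFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.pep:PEPMiddleware.filter_app_factory
+prefix = pep.
+pep.pathMatchList = /test_securedURI
+
+[filter:PDPMiddlewareFilter]
+#paste.filter_app_factory=ndg.security.server.wsgi.pdp:PDPMiddleware.filter_app_factory
+#prefix = pdp.
+#paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPMiddlewareAppFactory
+paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPHandlerMiddleware.filter_app_factory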
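Review bot: The PDPMiddlewareFilter section (new lines 53-57) keeps three commented-out alternative factory lines next to the live `PDPHandlerMiddleware` one, so a reader cannot tell which class is intended without consulting the commit message; drop the stale lines. Since the commit message says the PDP is currently a placeholder that does not yet call out to the Session Manager for user credentials, say so in the section itself, e.g. `# NOTE: PDPHandlerMiddleware is a placeholder - user credential checking via the Session Manager is not yet wired in`, so nobody reads a 200 on /test_securedURI as a verified authorisation decision. `pep.pathMatchList = /test_securedURI` is the only protected path; a comment noting that every other path served by AuthZTestApp is deliberately unprotected would make the test's scope explicit.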
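--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.py
@@ -45,4 +45,116 @@
 def filter_app_factory(app, globalConfig, **localConfig):
     return AuthZTestMiddleware(app, globalConfig, **localConfig)
+
+class AuthZTestMiddleware(object):
+    method = {
+"/": 'default',
+"/test_401": "test_401",
+"/test_403": "test_403",
+"/test_securedURI": "test_securedURI"
+    }
+
+    def __init__(self, app, globalConfig, **localConfig):
+        self.app = app
+            
+    def __call__(self, environ, start_response):
+        
+        methodName = self.method.get(environ['PATH_INFO'], '').rstrip()
+        if methodName:
+            action = getattr(self, methodName)
+            return action(environ, start_response)
+        elif environ['PATH_INFO'] == '/logout':
+            return self.default(environ, start_response)
+        
+        elif self.app is not None:
+            return self.app(environ, start_response)
+        else:
+            start_response('404 Not Found', [('Content-type', 'text/plain')])
+            return "Authorisation integration tests: invalid URI"
+            
+    def default(self, environ, start_response):
+        if 'REMOTE_USER' in environ:
+            response = """<html>
+    <head/>
+    <body>
+        <p>Authenticated!</p>
+        <p><a href="/logout">logout</a></p>
+    </body>
+</html>"""
+            start_response('200 OK', 
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))])
+        else:
+            response = """
+<head/>
+<body>
+    <h1>Authorisation integration tests:</h1>
+    <ul>%s</ul>
+</body>
+""" % '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
+       for link,name in self.method.items() if name != 'default'])
+
+            start_response('200 OK', 
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))])
+        return response
+
+    def test_401(self, environ, start_response):
+        if 'REMOTE_USER' in environ:
+            response = """<html>
+    <head/>
+    <body>
+        <h1>Authenticated!</h1>
+        <p><a href="/logout">logout</a></p>
+    </body>
+</html>"""
+            start_response('200 OK', 
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))])
+        else:
+            response = "Trigger OpenID Relying Party..."
+            start_response('401 Unauthorized', 
+                           [('Content-type', 'text/plain'),
+                            ('Content-length', str(len(response)))])
+        return response
+
+    def test_403(self, environ, start_response):
+        if 'REMOTE_USER' in environ:
+            response = """<html>
+    <head/>
+    <body>
+        <h1>Authorised!</h1>
+        <p><a href="/logout">logout</a></p>
+    </body>
+</html>"""
+            start_response('200 OK', 
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))])
+        else:
+            response = "Trigger AuthZ..."
+            start_response('403 Forbidden', 
+                           [('Content-type', 'text/plain'),
+                            ('Content-length', str(len(response)))])
+        return response
+
+    def test_securedURI(self, environ, start_response):
+        response = """<html>
+    <head/>
+    <body>
+        <h1>Access allowed!</h1>
+        <p><a href="/logout">logout</a></p>
+    </body>
+</html>"""
+        start_response('200 OK', 
+                       [('Content-type', 'text/html'),
+                        ('Content-length', str(len(response)))])
+        return response
+    
+    @classmethod
+    def app_factory(cls, globalConfig, **localConfig):
+        return cls(None, globalConfig, **localConfig)
+    
+    @classmethod
+    def filter_app_factory(cls, app, globalConfig, **localConfig):
+        return cls(app, globalConfig, **localConfig)
     
 # To start run 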
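Review bot: `test_securedURI` (new lines 139-150) answers "Access allowed!" unconditionally, so its 200 response proves nothing unless PEPMiddlewareFilter and PDPMiddlewareFilter sit in front of it in the pipeline; give it a docstring such as `"""Only reachable when the PEP/PDP filters have passed the request; no check is made here."""`, and note likewise that the 200 branch of `test_403` reports `Authorised!` purely on the presence of REMOTE_USER, not on any authorisation decision. Every handler returns a bare string, which a WSGI server iterates one character at a time; `return [response]` is the usual form. The 404 branch of `__call__` (new line 71) omits the Content-length header that every other response sets. The '/logout' special case in `__call__` could be an entry in the `method` table rather than a separate `elif`, keeping all routing in one place.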
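--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini
@@ -2,10 +2,11 @@
 # NERC DataGrid Security
 #
-# Paste configuration for authorization integration tests
+# Paste configuration for combined Session Manager, Attribute Authority,
+# OpenID Relying Party and Provider services
 #
 # The %(here)s variable will be replaced with the parent directory of this file
 #
 # Author: P J Kershaw
-# date: 05/02/09
+# date: 26/02/09
 # Copyright: (C) 2009 Science and Technology Facilities Council
 # license: BSD - see LICENSE file in top-level directory
@@ -14,44 +15,162 @@
 
 [DEFAULT]
+portNum = 7443
+hostname = localhost
+scheme = http
+baseURI = %(scheme)s://%(hostname)s:%(portNum)s
+openIDProviderIDBase = /openid
+openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
+testConfigDir = %(here)s/../../config
+
+#______________________________________________________________________________
+# Attribute Authority settings
+# 'name' setting MUST agree with map config file 'thisHost' name attribute
+attributeAuthority.name: Site A
+
+# Lifetime is measured in seconds
+attributeAuthority.attCertLifetime: 28800 
+
+# Allow an offset for clock skew between servers running 
+# security services. NB, measured in seconds - use a minus sign for time in the
+# past
+attributeAuthority.attCertNotBeforeOff: 0
+
+# All Attribute Certificates issued are recorded in this dir
+attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
+
+# Files in attCertDir are stored using a rotating file handler
+# attCertFileLogCnt sets the max number of files created before the first is 
+# overwritten
+attributeAuthority.attCertFileName: ac.xml
+attributeAuthority.attCertFileLogCnt: 16
+attributeAuthority.dnSeparator:/
+
+# Location of role mapping file
+attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
+
+# Settings for custom AttributeInterface derived class to get user roles for given 
+# user ID
+attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
+attributeAuthority.attributeInterface.modName: siteAUserRoles
+attributeAuthority.attributeInterface.className: TestUserRoles
+
+# Config for XML signature of Attribute Certificate
+attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
+attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
+attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
+
+#______________________________________________________________________________
+# Session Manager specific settings - commented out settings will take their
+# default settings.  To override the defaults uncomment and set as required.
+# See ndg.security.server.sessionmanager module for details
+
+# Credential Wallet Settings - global to all user sessions
+#
+# CA certificates for Attribute Certificate signature validation
+sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+
+# CA certificates for SSL connection peer cert. validation - required if
+# connecting to an Attribute Authority over SSL
+sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+
+# Allow Get Attribute Certificate calls to try to get a mapped certificate
+# from another organisation trusted by the target Attribute Authority
+sessionManager.credentialWallet.mapFromTrustedHosts=True
+sessionManager.credentialWallet.rtnExtAttCertList=True
+
+# Refresh an Attribute Certificate, if an existing one in the wallet has only
+# this length of time left before it expires
+credentialWallet.attCertRefreshElapse=7200
+
+# Pointer to WS-Security settings.  These WS-Security settings are for use
+# by user credential wallets held in user sessions hosted by the Session
+# Manager.  They enable individual wallets to query Attribute Authorities for
+# user Attribute Certificates.  Nb. the difference between these settings and
+# the WS-Security section for handling requests to the Session Manager.
+#
+# Settings are identified by a prefix.  
+sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity
+
+# ...A section name could also be used.
+#sessionManager.credentialWallet.wssCfgSection=
+
+# SOAP Signature Handler settings for the Credential Wallet's Attribute 
+# Authority interface
+#
+# CA Certificates used to verify X.509 certs used in Attribute Certificates.
+# The CA certificates of other NDG trusted sites should go here.  NB, multiple
+# values should be delimited by a space
+sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
+
+# Signature of an outbound message
+#
+# Certificate associated with private key used to sign a message.  The sign 
+# method will add this to the BinarySecurityToken element of the WSSE header.  
+# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
+# As an alternative, use signingCertChain - see below...
+
+# PEM encoded cert
+sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt
+
+# ... or provide file path to PEM encoded private key file
+sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
+# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
+# give full namespace to alternative - see 
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
+# binSecTokValType determines whether signingCert or signingCertChain 
+# attributes will be used.
+sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3
+
+# Add a timestamp element to an outbound message
+sessionManager.credentialWallet.wssecurity.addTimestamp: True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature 
+# value sent by client
+sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True
+
+# Authentication service properties 
+sessionManager.authNService.moduleFilePath: 
+sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
+sessionManager.authNService.className: UserX509CertAuthN
+
+# Specific settings for UserCertAuthN Session Manager authentication plugin
+# This sets up PKI credentials for a single test account
+sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt
+sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key
+sessionManager.authNService.userPriKeyPwd: testpassword
 
 [server:main]
 use = egg:Paste#http
 host = 0.0.0.0
-port = 7443
-
-# Play with this pipeline at your peril! ...
-#
-# The order is counter-intuitive here because of the way intercepts are made
-# by wrapping start_response calls.
-# 1) PEP checks for a secured URI: if secured raise a 403
-# 2) PDP catches the 403 and 
-#  a) checks for user logged in, if not, raise 401.
-#  b) checks user authorisation credentials - if OK set 200 response, if not
-# set 403 (and display access denied) message
-# 3) AuthKit middleware (part of OpenIDRelyingPartyFilter) intercepts any
-# 401 code set and triggers OpenID Relying Party Signin
-# 4) If the request got through this chain with a 200 code then invoke the
-# response from the AuthZTestApp.  AuthZTestApp is the app that is being
-# protected.
+port = %(portNum)s
+
+[filter-app:OpenIDProviderApp]
+use = egg:Paste#httpexceptions
+next = cascade
+
+# Composite for OpenID Provider to enable settings for picking up static 
+# content
+[composit:cascade]
+use = egg:Paste#cascade
+app1 = OpenIDProviderStaticContent
+app2 = OpenIDProviderMiddlewareApp
+catch = 404
+
+[app:OpenIDProviderStaticContent]
+use = egg:Paste#static
+document_root = %(here)s/openidprovider
+
 [pipeline:main]
-pipeline = SessionMiddlewareFilter
+pipeline = wsseSignatureVerificationFilter 
+                   AttributeAuthorityFilter 
+           SessionManagerFilter 
+           wsseSignatureFilter 
+                   SessionMiddlewareFilter
                    OpenIDRelyingPartyFilter
-                   PDPMiddlewareFilter
-                   PEPMiddlewareFilter
-                   AuthZTestApp
-
-[app:AuthZTestApp]
-paste.app_factory = ndg.security.test.integration.authz.securityservicesapp:app_factory
-
-[filter:PEPMiddlewareFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.pep:PEPMiddleware.filter_app_factory
-prefix = pep.
-pep.pathMatchList = /test_securedURI
-
-[filter:PDPMiddlewareFilter]
-#paste.filter_app_factory=ndg.security.server.wsgi.pdp:PDPMiddleware.filter_app_factory
-#prefix = pdp.
-#paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPMiddlewareAppFactory
-paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPHandlerMiddleware.filter_app_factory
+                   OpenIDProviderApp
 
 #______________________________________________________________________________
@@ -74,8 +193,11 @@
 openid.relyingparty.sessionKey = beaker.session
 openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
+#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
+#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
 openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
 openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
 openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
 openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
+openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
 openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
 openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
@@ -99,5 +221,5 @@
 authkit.openid.session.secret = random string
 
-authkit.openid.baseurl = http://localhost:7443
+authkit.openid.baseurl = %(baseURI)s
 
 # Template for signin
@@ -107,4 +229,230 @@
 #authkit.openid.urltouser = 
 
+#______________________________________________________________________________
+# OpenID Provider WSGI Settings
+[app:OpenIDProviderMiddlewareApp]
+paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
+openid.provider.path.openidserver=/OpenID/Provider/server
+openid.provider.path.login=/OpenID/Provider/login
+openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit
+
+# Yadis based discovery only - the 'id' path is configured to return 404 not
+# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
+# buffet.BuffetRendering class
+openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
+openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}
+
+# Yadis based discovery for idselect mode - this is where the user has entered
+# a URI at the Relying Party which identifies their Provider only and not their
+# full ID URI.  e.g. https://badc.nerc.ac.uk instead of 
+# https://badc.nerc.ac.uk/John
+openid.provider.path.serveryadis=%(openIDProviderIDBase)s
+openid.provider.path.allow=/OpenID/Provider/allow
+openid.provider.path.decide=/OpenID/Provider/decide
+openid.provider.path.mainpage=/OpenID/Provider/home
+
+openid.provider.session_middleware=beaker.session 
+openid.provider.base_url=%(baseURI)s
+openid.provider.trace=False
+openid.provider.consumer_store_dirpath=%(here)s/openidprovider
+openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
+#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
+
+openid.provider.rendering.templateType = kid
+openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
+openid.provider.rendering.kid.assume_encoding= utf-8
+openid.provider.rendering.kid.encoding = utf-8
+
+# Layout
+openid.provider.rendering.baseURL = %(openid.provider.base_url)s
+openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
+openid.provider.rendering.leftAlt = Natural Environment Research Council
+openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
+openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
+openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
+openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
+openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
+openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
+
+
+#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
+#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
+
+# Basic Authentication interface to demonstrate capabilities
+#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
+#openid.provider.authN.userCreds=pjk:test
+#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw
+
+# Link Authentication to a Session Manager instance running in the same WSGI
+# stack or on a remote service
+openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface
+
+# Omit or leave as blank if the Session Manager is accessible locally in the
+# same WSGI stack.
+#openid.provider.authN.sessionManagerURI=
+
+# environ dictionary key to Session Manager WSGI instance held locally.  The
+# setting below is the default and can be omitted if it matches the filterID
+# set for the Session Manager
+openid.provider.authN.environKey=filter:SessionManagerFilter
+
+# Database connection to enable check between username and OpenID identifier
+openid.provider.authN.connectionString: postgres://postgres:testpassword@%(hostname)s/testUserDb
+openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
+openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'
+
+# Basic authentication for testing/admin - comma delimited list of 
+# <username>:<password> pairs
+#openid.provider.usercreds=pjk:test
+
+#______________________________________________________________________________
+# Attribute Authority WSGI settings
+#
+[filter:AttributeAuthorityFilter]
+# This filter is a container for a binding to a SOAP based interface to the
+# Attribute Authority
+paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
+
+# Use this ZSI generated SOAP service interface class to handle i/o for this
+# filter
+ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
+
+# SOAP Binding Class specific keywords are in this section identified by this
+# prefix:
+ServiceSOAPBindingPropPrefix = AttributeAuthority
+
+# The AttributeAuthority class has settings in the default section above 
+# identified by this prefix:
+AttributeAuthority.propPrefix = attributeAuthority
+AttributeAuthority.propFilePath = %(here)s/securityservices.ini
+AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# Provide an identifier for this filter so that main WSGI app 
+# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
+# directly
+referencedFilters = filter:wsseSignatureVerificationFilter
+
+# Path from URL for Attribute Authority in this Paste deployment
+path = /AttributeAuthority
+
+# External endpoint for this Attribute Authority - must agree with setting used
+# to invoke this service set in:
+# * serverapp.py 
+# * or port in [server:main] if calling with paster serve securityservices.ini
+# * or something else e.g. proxied through Apache?
+# This setting is used by Attribute Authority clients in this WSGI stack to see
+# if a request is being made to the local service or to another Attribute 
+# Authority running elsewhere
+publishedURI = %(baseURI)s%(path)s
+
+# Enable ?wsdl query argument to list the WSDL content
+enableWSDLQuery = True
+charset = utf-8
+filterID = %(__name__)s
+
+#______________________________________________________________________________
+# Session Manager WSGI settings
+#
+[filter:SessionManagerFilter]
+# This filter is a container for a binding to a SOAP based interface to the
+# Session Manager
+paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
+
+# Use this ZSI generated SOAP service interface class to handle i/o for this
+# filter
+ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
+
+# SOAP Binding Class specific keywords are in this section identified by this
+# prefix:
+ServiceSOAPBindingPropPrefix = SessionManager
+
+# The SessionManager class has settings in the default section above identified
+# by this prefix:
+SessionManager.propPrefix = sessionManager
+SessionManager.propFilePath = %(here)s/securityservices.ini
+
+# This filter references other filters - a local Attribute Authority (optional)
+# and a WS-Security signature verification filter (required if using signature
+# to authenticate user in requests
+SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
+SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# The SessionManagerWS SOAP interface class needs to know about these other 
+# filters
+referencedFilters = filter:wsseSignatureVerificationFilter 
+                                        filter:AttributeAuthorityFilter
+
+# Path from URI for Session Manager in this Paste deployment
+path = /SessionManager
+
+# External endpoint for this Session Manager - must agree with setting used to
+# invoke this service set in:
+# * securityservicesapp.py 
+# * or port in [server:main] if calling with paster serve securityservices.ini
+# * or something else e.g. proxied through Apache?
+# This setting is used by Session Manager clients in this WSGI stack to see if
+# a request is being made to the local service or to another session manager
+# running elsewhere
+publishedURI = %(baseURI)s%(path)s
+
+# Enable ?wsdl query argument to list the WSDL content
+enableWSDLQuery = True
+charset = utf-8
+
+# Provide an identifier for this filter so that main WSGI app 
+# CombinedServicesWSGI can call this Session Manager directly
+filterID = %(__name__)s
+
+#______________________________________________________________________________
+# WS-Security Signature Verification
+[filter:wsseSignatureVerificationFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
+filterID = %(__name__)s
+
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+
+# Verify against known CAs - Provide a space separated list of file paths
+wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
+
+#______________________________________________________________________________
+# Apply WS-Security Signature 
+[filter:wsseSignatureFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
+
+# Reference the verification filter in order to be able to apply signature
+# confirmation
+referencedFilters = filter:wsseSignatureVerificationFilter
+wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# Last filter in chain of SOAP handlers writes the response
+writeResponse = True
+
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+
+# Certificate associated with private key used to sign a message.  The sign 
+# method will add this to the BinarySecurityToken element of the WSSE header.  
+wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
+
+# PEM encoded private key file
+wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
+# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
+# give full namespace to alternative - see 
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
+# binSecTokValType determines whether signingCert or signingCertChain 
+# attributes will be used.
+wssecurity.reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+wssecurity.addTimestamp=True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature 
+# value sent by client
+wssecurity.applySignatureConfirmation=True
 
 # Logging configuration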
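Review bot: The `$username` and `$userIdentifier` placeholders in `openid.provider.authN.logonSQLQuery` and `openid.provider.authN.userIdentifiersSQLQuery` (new lines 301-302) sit inside quoted SQL literals, which is only safe if SessionManagerOpenIDAuthNInterface binds them as query parameters; if it performs textual substitution, a submitted username containing a quote changes the query. The ini should state which it is, e.g. `# $username and $userIdentifier are bound as query parameters by the authN interface, not substituted into the SQL text`, and if that is not how the interface works the fix belongs in the interface rather than in this file. The same section embeds the database password in `openid.provider.authN.connectionString` (new line 300) and the test user's key password in `sessionManager.authNService.userPriKeyPwd` (new line 144) in clear; a `# test fixture value - not for deployment` comment on each would stop them being carried into a real configuration. `sessionManager.authNService.moduleFilePath:` (new line 136) is left empty with no comment on what an empty value means - one line saying whether the module is then resolved from the import path would help, if that is the intent.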
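--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservicesapp.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservicesapp.py
@@ -13,100 +13,8 @@
 from os.path import dirname, abspath, join
 
-class AuthZTestMiddleware(object):
-    method = {
-"/": 'default',
-"/test_401": "test_401",
-"/test_403": "test_403",
-"/test_securedURI": "test_securedURI"
-    }
-
-    def __init__(self, app, globalConfig, **localConfig):
-        self.app = app
-
-    def __call__(self, environ, start_response):
-
-        methodName = self.method.get(environ['PATH_INFO'], '').rstrip()
-        if methodName:
-            action = getattr(self, methodName)
-            return action(environ, start_response)
-        elif self.app is not None:
-            return self.app(environ, start_response)
-        else:
-            start_response('404 Not Found', [('Content-type', 'text/plain')])
-            return "Authorisation integration tests: invalid URI"
-
-    def default(self, environ, start_response):
-        if 'REMOTE_USER' in environ:
-            response = """<html>
-    <head/>
-    <body>
-        <p>Authenticated!</p>
-        <p><a href="/logout">logout</a></p>
-    </body>
-</html>"""
-            start_response('200 OK',
-                           [('Content-type', 'text/html'),
-                            ('Content-length', str(len(response)))])
-        else:
-            response = "Authorisation integration tests"
-            start_response('200 OK',
-                           [('Content-type', 'text/html'),
-                            ('Content-length', str(len(response)))])
-        return response
-
-    def test_401(self, environ, start_response):
-        if 'REMOTE_USER' in environ:
-            response = """<html>
-    <head/>
-    <body>
-        <p>Authenticated!</p>
-        <p><a href="/logout">logout</a></p>
-    </body>
-</html>"""
-            start_response('200 OK',
-                           [('Content-type', 'text/html'),
-                            ('Content-length', str(len(response)))])
-        else:
-            response = "Trigger OpenID Relying Party..."
-            start_response('401 Unauthorized',
-                           [('Content-type', 'text/plain'),
-                            ('Content-length', str(len(response)))])
-        return response
-
-    def test_403(self, environ, start_response):
-        if 'REMOTE_USER' in environ:
-            response = """<html>
-    <head/>
-    <body>
-        <p>Authorised!</p>
-        <p><a href="/logout">logout</a></p>
-    </body>
-</html>"""
-            start_response('200 OK',
-                           [('Content-type', 'text/html'),
-                            ('Content-length', str(len(response)))])
-        else:
-            response = "Trigger AuthZ..."
-            start_response('403 Forbidden',
-                           [('Content-type', 'text/plain'),
-                            ('Content-length', str(len(response)))])
-        return response
-
-    def test_securedURI(self, environ, start_response):
-        response = "Access allowed"
-        start_response('200 OK',
-                       [('Content-type', 'text/plain'),
-                        ('Content-length', str(len(response)))])
-        return response
-
-def app_factory(globalConfig, **localConfig):
-    return AuthZTestMiddleware(None, globalConfig, **localConfig)
-
-def filter_app_factory(app, globalConfig, **localConfig):
-    return AuthZTestMiddleware(app, globalConfig, **localConfig)
 
 # To start run
 # $ paster serve services.ini or run this file as a script
-# $ ./serverapp.py [port #]
+# $ ./securityservicesapp.py [port #]
 if __name__ == '__main__':
     import sys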