Context Navigation

← Previous Change
Next Change →

Changeset 5168 for TI12-security

Timestamp:

03/04/09 17:14:44 (11 years ago)

Author:

pjkersha

Message:

Added new access control interface and functionality to OpenID Provider to enable a custom context object to be passed between login and logout calls.

Location:

TI12-security/trunk/python

Files:

: 3 added
: 10 edited

ndg.security.common/ndg/security/common/authz/msi.py (added)
ndg.security.common/ndg/security/common/authz/xacml/__init__.py (modified) (9 diffs)
ndg.security.common/ndg/security/common/authz/xacml/attr.py (added)
ndg.security.common/ndg/security/common/authz/xacml/cond.py (modified) (7 diffs)
ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py (modified) (2 diffs)
ndg.security.server/ndg/security/server/wsgi/authz/__init__.py (modified) (8 diffs)
ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (7 diffs)
ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py (modified) (3 diffs)
ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/__init__.py (modified) (2 diffs)
ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py (modified) (4 diffs)
ndg.security.test/ndg/security/test/integration/authz/policy.xml (added)
ndg.security.test/ndg/security/test/integration/authz/securedapp.ini (modified) (1 diff)
ndg.security.test/ndg/security/test/integration/authz/securityservices.ini (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/xacml/init.py

-                      r5165
+                      r5168
 log = logging.getLogger(__name__)
+from ndg.security.common.authz.xacml.cond import FunctionFactory
+#from ndg.security.common.authz.xacml.cond import FunctionFactory
+import ndg.security.common.authz.xacml.cond
+class FunctionFactory:
+    pass
 # For parsing: ElementTree helpers
 …
     def match(self, context):
         '''determines whether this <code>TargetMatch</code> matches
+        '''determines whether this TargetMatch matches
         the input request (whether it is applicable)
 …
     def encode(self, output, indenter=None):
         '''Encodes this TargetMatch</code> into its XML representation
         and writes this encoding to the given <code>OutputStream</code> with no
+        '''Encodes this TargetMatch into its XML representation
+        and writes this encoding to the given OutputStream with no
         indentation.
         @param output a stream into which the XML-encoded data is written'''
 …
         self.attributeValue = attributeValue
         self.indeterminate = indeterminate
+class Evaluatable(XacmlBase):
+    '''Generic interface that is implemented by all objects that can appear in
+    an ApplyType. This lets the evaluation code of Apply and
+    functions iterate through their members and evaluate them, working only
+    on the returned values or errors.'''
+    def evaluate(self, context):
+        '''Evaluates the object using the given context, and either returns an
+        error or a resulting value.
+        @param context the representation of the request
+        @return the result of evaluation'''
+        raise NotImplementedError()
+    def getType(self):
+        '''Get the type of this object.  This may be the data type of an
+        Attribute or the return type of an
+        AttributeDesignator, etc.
+        @return the type of data represented by this object'''
+        raise NotImplementedError()
+    def evaluatesToBag(self):
+        '''Tells whether evaluation will return a bag or a single value.
+        @return true if evaluation will return a bag, false otherwise'''
+        raise NotImplementedError()
+    def getChildren(self):
+        '''Returns all children, in order, of this element in the Condition
+        tree, or en empty set if this element has no children. In XACML 1.x,
+        only the ApplyType ever has children.
+        @return a list of Evaluatables'''
+        raise NotImplementedError()
+    def encode(self, output, indenter=None):
+        '''Encodes this Evaluatable into its XML representation and
+        writes this encoding to the given OutputStream with
+        indentation.
+        @param output a stream into which the XML-encoded data is written
+        @param indenter an object that creates indentation strings'''
+        raise NotImplementedError()
 class Effect(XacmlBase):
     def __str__(self):
         raise NotImplementedError()
 class DenyEffect(Effect):
     def __str__(self):
 …
 class Attribute(XacmlBase):
+    def __init__(self, id, type=None, issuer=None, issueInstant=None, value=None):
+    def __init__(self, id, type=None, issuer=None, issueInstant=None,
+                 value=None):
         self.id = id
         self.type = type or value.__class__
 …
     def getCurrentTime(self):
         '''Returns the cached value for the current time. If the value has
         never been set by a call to <code>setCurrentTime</code>, or if caching
+        never been set by a call to setCurrentTime, or if caching
         is not enabled in this instance, then this will return null.'''
         raise NotImplementedError()
 …
     def getCurrentDate(self):
         '''Returns the cached value for the current date. If the value has
         never been set by a call to <code>setCurrentDate</code>, or if caching
+        never been set by a call to setCurrentDate, or if caching
         is not enabled in this instance, then this will return null.'''
         raise NotImplementedError()
 …
     def getCurrentDateTime(self):
         '''Returns the cached value for the current dateTime. If the value has
         never been set by a call to <code>setCurrentDateTime</code>, or if
+        never been set by a call to setCurrentDateTime, or if
         caching is not enabled in this instance, then this will return null.
         '''
 …
         Indeterminate result'''
         raise NotImplementedError()
-class Apply(Evaluatable):
-    '''Represents the XACML ApplyType and ConditionType XML types.'''
-    def __init__(self, function, evals, bagFunction=None, isCondition=False):
-        '''Constructs an Apply object. Throws an
-        IllegalArgumentException if the given parameter list
-        isn't valid for the given function.
-        @param function the Function to use in evaluating the elements in the
-        apply
-        @param evals the contents of the apply which will be the parameters
-        to the function, each of which is an Evaluatable
-        @param bagFunction the higher-order function to use
-        @param isCondition Rrue if this Apply is a Condition, False otherwise
-        '''
-        # check that the given inputs work for the function
-        inputs = evals
-        if bagFunction is not None:
-            inputs = [bagFunction]
-            inputs += evals
-        function.checkInputs(inputs)
-        # if everything checks out, then store the inputs
-        self.function = function
-        self.evals = tuple(evals)
-        self.bagFunction = bagFunction
-        self.isCondition = isCondition
-    @staticmethod
-    def getConditionInstance(root, xpathVersion):
-        '''Returns an instance of an Apply based on the given DOM
-        root node. This will actually return a special kind of
-        Apply, namely an XML ConditionType, which is the root
-        of the condition logic in a RuleType. A ConditionType is the same
-        as an ApplyType except that it must use a FunctionId that returns
-        a boolean value.
-        @param root the DOM root of a ConditionType XML type
-        @param xpathVersion the XPath version to use in any selectors or XPath
-                            functions, or null if this is unspecified (ie, not
-                            supplied in the defaults section of the policy)
-        '''
-        raise NotImplementedError()
-    def getInstance(self,
-                    root,
-                    factory=None,
-                    isCondition=False,
-                    xpathVersion=None):
-        '''Returns an instance of Apply based on the given DOM root.
-        @param root the DOM root of an ApplyType XML type
-        @param xpathVersion the XPath version to use in any selectors or XPath
-                            functions, or null if this is unspecified (ie, not
-                            supplied in the defaults section of the policy)'''
-        raise NotImplementedError()
-    @staticmethod
-    def getFunction(root, version, factory):
-        '''Helper method that tries to get a function instance'''
-        raise NotImplementedError()
-    def getFunction(self):
-        '''Returns the Function used by this Apply.
-        @return the Function'''
-        return function
-    def getChildren(self):
-        '''Returns the List of children for this Apply.
-        The List contains Evaluatables. The list is
-        unmodifiable, and may be empty.
-        @return a List of Evaluatables'''
-        return self.evals
-    def getHigherOrderFunction(self):
-        '''Returns the higher order bag function used by this Apply
-        if it exists, or null if no higher order function is used.
-        @return the higher order Function or null'''
-        return self.bagFunction
-    def isCondition(self):
-        '''Returns whether or not this ApplyType is actually a ConditionType.
-        @return whether or not this represents a ConditionType'''
-        return isCondition
-    def evaluate(self, context):
-        '''Evaluates the apply object using the given function. This will in
-        turn call evaluate on all the given parameters, some of which may be
-        other Apply objects.
-        @param context the representation of the request
-        @return the result of trying to evaluate this apply object'''
-        parameters = self.evals
-        # see if there is a higher-order function in here
-        if bagFunction != None:
-            # this is a special case, so we setup the parameters, starting
-            # with the function
-            parameters = [bagFunction]
-            # now we evaluate all the parameters, returning INDETERMINATE
-            # if that's what any of them return, and otherwise tracking
-            # all the AttributeValues that get returned
-            for eval in self.evals:
-                result = eval.evaluate(context)
-                # in a higher-order case, if anything is INDETERMINATE, then
-                # we stop right away
-                if result.indeterminate():
-                    return result
-                parameters.add(result.getAttributeValue())
-        # now we can call the base function
-        return function.evaluate(parameters, context)
-    def getType(self):
-        '''Returns the type of attribute that this object will return on a call
-        to evaluate. In practice, this will always be the same as
-        the result of calling getReturnType on the function used
-        by this object.
-        @return the type returned by evaluate'''
-        return self.function.getReturnType()
-    def evaluatesToBag(self):
-        '''Returns whether or not the Function will return a bag
-        of values on evaluation.
-        @return true if evaluation will return a bag of values, false otherwise
-        '''
-        return self.function.returnsBag()
-    def encode(self, output, indenter):
-        '''Encodes this Apply into its XML representation and
-        writes this encoding to the given OutputStream with
-        indentation.
-        @param output a stream into which the XML-encoded data is written
-        @param indenter an object that creates indentation strings'''
-        raise NotImplementedError()

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/xacml/cond.py

-                      r5165
+                      r5168
 from ndg.security.common.utils import UniqList
+class FunctionBase(object):
+from ndg.security.common.authz.xacml.attr import AnyURIAttribute, \
+    Base64BinaryAttribute, BooleanAttribute, DateAttribute, DateTimeAttribute,\
+    DayTimeDurationEqual, DoubleAttribute, HexBinaryAttribute, \
+    IntegerAttribute, RFC822NameAttribute, StringAttribute, TimeAttribute, \
+    X500NameAttribute, YearMonthDurationAttribute
+class Evaluatable(object):
+    '''Generic interface that is implemented by all objects that can appear in
+    an ApplyType. This lets the evaluation code of Apply and
+    functions iterate through their members and evaluate them, working only
+    on the returned values or errors.'''
+    def evaluate(self, context):
+        '''Evaluates the object using the given context, and either returns an
+        error or a resulting value.
+        @param context the representation of the request
+        @return the result of evaluation'''
+        raise NotImplementedError()
+    def getType(self):
+        '''Get the type of this object.  This may be the data type of an
+        Attribute or the return type of an
+        AttributeDesignator, etc.
+        @return the type of data represented by this object'''
+        raise NotImplementedError()
+    def evaluatesToBag(self):
+        '''Tells whether evaluation will return a bag or a single value.
+        @return true if evaluation will return a bag, false otherwise'''
+        raise NotImplementedError()
+    def getChildren(self):
+        '''Returns all children, in order, of this element in the Condition
+        tree, or en empty set if this element has no children. In XACML 1.x,
+        only the ApplyType ever has children.
+        @return a list of Evaluatables'''
+        raise NotImplementedError()
+    def encode(self, output, indenter=None):
+        '''Encodes this Evaluatable into its XML representation and
+        writes this encoding to the given OutputStream with
+        indentation.
+        @param output a stream into which the XML-encoded data is written
+        @param indenter an object that creates indentation strings'''
+        raise NotImplementedError()
+class Apply(Evaluatable):
+    '''Represents the XACML ApplyType and ConditionType XML types.'''
+    def __init__(self, function, evals, bagFunction=None, isCondition=False):
+        '''Constructs an Apply object. Throws an
+        IllegalArgumentException if the given parameter list
+        isn't valid for the given function.
+        @param function the Function to use in evaluating the elements in the
+        apply
+        @param evals the contents of the apply which will be the parameters
+        to the function, each of which is an Evaluatable
+        @param bagFunction the higher-order function to use
+        @param isCondition Rrue if this Apply is a Condition, False otherwise
+        '''
+        # check that the given inputs work for the function
+        inputs = evals
+        if bagFunction is not None:
+            inputs = [bagFunction]
+            inputs += evals
+        function.checkInputs(inputs)
+        # if everything checks out, then store the inputs
+        self.function = function
+        self.evals = tuple(evals)
+        self.bagFunction = bagFunction
+        self.isCondition = isCondition
+    @staticmethod
+    def getConditionInstance(root, xpathVersion):
+        '''Returns an instance of an Apply based on the given DOM
+        root node. This will actually return a special kind of
+        Apply, namely an XML ConditionType, which is the root
+        of the condition logic in a RuleType. A ConditionType is the same
+        as an ApplyType except that it must use a FunctionId that returns
+        a boolean value.
+        @param root the DOM root of a ConditionType XML type
+        @param xpathVersion the XPath version to use in any selectors or XPath
+                            functions, or null if this is unspecified (ie, not
+                            supplied in the defaults section of the policy)
+        '''
+        raise NotImplementedError()
+    def getInstance(self,
+                    root,
+                    factory=None,
+                    isCondition=False,
+                    xpathVersion=None):
+        '''Returns an instance of Apply based on the given DOM root.
+        @param root the DOM root of an ApplyType XML type
+        @param xpathVersion the XPath version to use in any selectors or XPath
+                            functions, or null if this is unspecified (ie, not
+                            supplied in the defaults section of the policy)'''
+        raise NotImplementedError()
+    @staticmethod
+    def getFunction(root, version, factory):
+        '''Helper method that tries to get a function instance'''
+        raise NotImplementedError()
+    def getFunction(self):
+        '''Returns the Function used by this Apply.
+        @return the Function'''
+        return function
+    def getChildren(self):
+        '''Returns the List of children for this Apply.
+        The List contains Evaluatables. The list is
+        unmodifiable, and may be empty.
+        @return a List of Evaluatables'''
+        return self.evals
+    def getHigherOrderFunction(self):
+        '''Returns the higher order bag function used by this Apply
+        if it exists, or null if no higher order function is used.
+        @return the higher order Function or null'''
+        return self.bagFunction
+    def isCondition(self):
+        '''Returns whether or not this ApplyType is actually a ConditionType.
+        @return whether or not this represents a ConditionType'''
+        return isCondition
+    def evaluate(self, context):
+        '''Evaluates the apply object using the given function. This will in
+        turn call evaluate on all the given parameters, some of which may be
+        other Apply objects.
+        @param context the representation of the request
+        @return the result of trying to evaluate this apply object'''
+        parameters = self.evals
+        # see if there is a higher-order function in here
+        if bagFunction != None:
+            # this is a special case, so we setup the parameters, starting
+            # with the function
+            parameters = [bagFunction]
+            # now we evaluate all the parameters, returning INDETERMINATE
+            # if that's what any of them return, and otherwise tracking
+            # all the AttributeValues that get returned
+            for eval in self.evals:
+                result = eval.evaluate(context)
+                # in a higher-order case, if anything is INDETERMINATE, then
+                # we stop right away
+                if result.indeterminate():
+                    return result
+                parameters.add(result.getAttributeValue())
+        # now we can call the base function
+        return function.evaluate(parameters, context)
+    def getType(self):
+        '''Returns the type of attribute that this object will return on a call
+        to evaluate. In practice, this will always be the same as
+        the result of calling getReturnType on the function used
+        by this object.
+        @return the type returned by evaluate'''
+        return self.function.getReturnType()
+    def evaluatesToBag(self):
+        '''Returns whether or not the Function will return a bag
+        of values on evaluation.
+        @return true if evaluation will return a bag of values, false otherwise
+        '''
+        return self.function.returnsBag()
+    def encode(self, output, indenter):
+        '''Encodes this Apply into its XML representation and
+        writes this encoding to the given OutputStream with
+        indentation.
+        @param output a stream into which the XML-encoded data is written
+        @param indenter an object that creates indentation strings'''
+        raise NotImplementedError()
+class Function(object):
+    '''Interface that all functions in the system must implement.'''
+    def evaluate(self, inputs, context):
+        '''Evaluates the Function using the given inputs.
+        The List contains Evaluatables which are all
+        of the correct type if the Function has been created as
+        part of an Apply or TargetMatch, but which
+        may otherwise be invalid. Each parameter should be evaluated by the
+        Function, unless this is a higher-order function (in
+        which case the Apply has already evaluated the inputs
+        to check for any INDETERMINATE conditions), or the Function
+        doesn't need to evaluate all inputs to determine a result (as in the
+        case of the or function). The order of the List is
+        significant, so a Function should have a very good reason
+        if it wants to evaluate the inputs in a different order.
+        <p>
+        Note that if this is a higher-order function, like any-of, then
+        the first argument in the List will actually be a Function
+        object representing the function to apply to some bag. In this case,
+        the second and any subsequent entries in the list are
+        AttributeValue objects (no INDETERMINATE values are
+        allowed, so the function is not given the option of dealing with
+        attributes that cannot be resolved). A function needs to know if it's
+        a higher-order function, and therefore whether or not to look for
+        this case. Also, a higher-order function is responsible for checking
+        that the inputs that it will pass to the Function
+        provided as the first parameter are valid, ie. it must do a
+        checkInputs on its sub-function when
+        checkInputs is called on the higher-order function.
+        @param inputs the List of inputs for the function
+        @param context the representation of the request
+        @return a result containing the AttributeValue computed
+                when evaluating the function, or Status
+                specifying some error condition'''
+        raise NotImplementedError()
+    def getIdentifier(self):
+        '''Returns the identifier of this function as known by the factories.
+        In the case of the standard XACML functions, this will be one of the
+        URIs defined in the standard namespace. This function must always
+        return the complete namespace and identifier of this function.
+        @return the function's identifier'''
+        raise NotImplementedError()
+    def getReturnType(self):
+        '''Provides the type of AttributeValue that this function
+        returns from evaluate in a successful evaluation.
+        @return the type returned by this function
+        '''
+        raise NotImplementedError()
+    def returnsBag(self):
+        '''Tells whether this function will return a bag of values or just a
+        single value.
+        @return true if evaluation will return a bag, false otherwise'''
+        raise NotImplementedError()
+    def checkInputs(self, inputs):
+        '''Checks that the given inputs are of the right types, in the right
+        order, and are the right number for this function to evaluate. If
+        the function cannot accept the inputs for evaluation, an
+        IllegalArgumentException is thrown.
+        @param inputs a list of Evaluatables, with the first argument being a
+        Function if this is a higher-order function
+        @throws TypeError if the inputs do match what the function accepts for
+        evaluation
+        '''
+        raise NotImplementedError()
+    def checkInputsNoBag(self, inputs):
+        '''Checks that the given inputs are of the right types, in the right
+        order, and are the right number for this function to evaluate. If
+        the function cannot accept the inputs for evaluation, an
+        IllegalArgumentException is thrown. Unlike the other
+        checkInput method in this interface, this assumes that
+        the parameters will never provide bags of values. This is useful if
+        you're considering a target function which has a designator or
+        selector in its input list, but which passes the values from the
+        derived bags one at a time to the function, so the function doesn't
+        have to deal with the bags that the selector or designator
+        generates.
+        @param inputs a list of Evaluatables, with the first argument being a
+        Function if this is a higher-order function
+        @throws TypeError if the inputs do match what the function accepts for
+        evaluation'''
+        raise NotImplementedError()
+class FunctionBase(Function):
     FUNCTION_NS = "urn:oasis:names:tc:xacml:1.0:function:"
     supportedIdentifiers = ()
 …
                  returnType='',
                  returnsBag=False):
+        '''
+        @param functionName the name of this function as used by the factory
+                            and any XACML policies
+        @param functionId an optional identifier that can be used by your
+                          code for convenience
+        @param paramTypes the type of each parameter, in order, required by
+                          this function, as used by the factory and any XACML
+                           documents
+        @param paramIsBag whether or not each parameter is actually a bag
+                          of values
+        @param returnType the type returned by this function, as used by
+                          the factory and any XACML documents
+        @param returnsBag whether or not this function returns a bag of values
+        '''
         self.functionName = functionName
 …
 # TODO: Condition classes - minimal implementation until opportunity to fully
 # implement
-class Function(object):
-    def __init__(self, *arg, **kw):
-        raise NotImplementedError()
-    @classmethod
-    def getInstance(cls, root):
-        raise NotImplementedError()
 class BagFunction(FunctionBase):
     def __init__(self, *arg, **kw):
 …
 class MatchFunction(FunctionBase):
+    NAME_REGEXP_STRING_MATCH = \
+          "urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"
+    NAME_RFC822NAME_MATCH = \
+          "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"
+    NAME_X500NAME_MATCH = \
+          "urn:oasis:names:tc:xacml:1.0:function:x500Name-match"
+    NAME_REGEXP_STRING_MATCH = FunctionBase.FUNCTION_NS + "regexp-string-match"
+    NAME_RFC822NAME_MATCH = FunctionBase.FUNCTION_NS + "rfc822Name-match"
+    NAME_X500NAME_MATCH = FunctionBase.FUNCTION_NS + "x500Name-match"
     supportedIdentifiers = (NAME_REGEXP_STRING_MATCH,
 …
 class EqualFunction(FunctionBase):
     supportedIdentifiers = (
           "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal",
           "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal",
           "urn:oasis:names:tc:xacml:1.0:function:boolean-equal",
           "urn:oasis:names:tc:xacml:1.0:function:date-equal",
           "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal",
           "urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal",
           "urn:oasis:names:tc:xacml:1.0:function:double-equal",
           "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal",
           "urn:oasis:names:tc:xacml:1.0:function:integer-equal",
           "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal",
           "urn:oasis:names:tc:xacml:1.0:function:string-equal",
           "urn:oasis:names:tc:xacml:1.0:function:time-equal",
           "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal",
           "urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal"
+          FunctionBase.FUNCTION_NS + "anyURI-equal",
+          FunctionBase.FUNCTION_NS + "base64Binary-equal",
+          FunctionBase.FUNCTION_NS + "boolean-equal",
+          FunctionBase.FUNCTION_NS + "date-equal",
+          FunctionBase.FUNCTION_NS + "dateTime-equal",
+          FunctionBase.FUNCTION_NS + "dayTimeDuration-equal",
+          FunctionBase.FUNCTION_NS + "double-equal",
+          FunctionBase.FUNCTION_NS + "hexBinary-equal",
+          FunctionBase.FUNCTION_NS + "integer-equal",
+          FunctionBase.FUNCTION_NS + "rfc822Name-equal",
+          FunctionBase.FUNCTION_NS + "string-equal",
+          FunctionBase.FUNCTION_NS + "time-equal",
+          FunctionBase.FUNCTION_NS + "x500Name-equal",
+          FunctionBase.FUNCTION_NS + "yearMonthDuration-equal"
+    )
 …
+    }
+    typeMap = {NAME_STRING_EQUAL: "http://www.w3.org/2001/XMLSchema#string"}
+    def __init__(self, functionName, **kw):
+          super(EqualFunction, self).__init__(functionName, **kw)
+    _attrClasses = (
+        AnyURIAttribute,
+        Base64BinaryAttribute,
+        BooleanAttribute,
+        DateAttribute,
+        DateTimeAttribute,
+        DayTimeDurationEqual,
+        DoubleAttribute,
+        HexBinaryAttribute,
+        IntegerAttribute,
+        RFC822NameAttribute,
+        StringAttribute,
+        TimeAttribute,
+        X500NameAttribute,
+        YearMonthDurationAttribute
+    )
+    typeMap = dict([(i, j.identifier) for i,j in zip(supportedIdentifiers,
+                                                     _attrClasses)])
+    def __init__(self, functionName, argumentType=None, **kw):
+        if kw.get('functionId') is None:
+            kw['functionId'] = 0
+        if kw.get('paramType') is None:
+            kw['paramType'] = EqualFunction._getArgumentType(functionName)
+        super(EqualFunction, self).__init__(functionName, **kw)
     def evaluate(self, inputs, evaluationCtx):
 …
         return EvaluationResult(argValues[0] == argValues[1])
+    def getArgumentType(functionName):
+        datatype = EqualFunction.typeMap.get(functionName);
+        if datatype is None:
+            raise AttributeError("Not a standard function: %s" % functionName)
+    @classmethod
+    def _getArgumentType(cls, functionName):
+        argumentType = cls.typeMap.get(functionName)
+        if argumentType is None:
+            if functionName in cls.supportedIdentifiers:
+                raise NotImplementedError('No implementation is currently '
+                                          'available for "%s"' % functionName)
+            else:
+                raise TypeError("Not a standard function: %s" % functionName)
         return datatype
+        return argumentType
 class AddFunction(FunctionBase):

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/init.py

-                      r5067
+                      r5168
 from ZSI.wstools.Namespaces import ENCRYPTION, WSU
 from ZSI.wstools.Namespaces import OASIS as _OASIS
+from ConfigParser import RawConfigParser
 # Enable settings from a config file
 …
             self.cfg = cfgClass()
             self.cfg.read(cfg)
+        else:
+            self.cfg.parse(section=cfgFileSection, prefix=cfgFilePrefix)
+        elif isinstance(cfg, RawConfigParser):
             log.debug("BaseSignatureHandler.__init__: config object input ...")
             self.cfg = cfgClass(cfg=cfg)
-        if cfg: # config object or config file path was set
-            log.debug("BaseSignatureHandler.__init__: Processing config "
-                      "file...")
             self.cfg.parse(section=cfgFileSection, prefix=cfgFilePrefix)
+        elif isinstance(cfg, WSSecurityConfig):
+            log.debug("BaseSignatureHandler.__init__:  WSSSecurityConfig "
+                      "object input ...")
+            self.cfg = cfg
+        else:
+            raise TypeError("cfg keyword set to %s type.  cfg must be a "
+                            "file path string, RawConfigParser derived "
+                            "class instance or WSSecurityConfig type" %
+                            cfg.__class__)
         # Also update config from keywords set

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz/init.py

-                      r5157
+                      r5168
 from ndg.security.server.wsgi import NDGSecurityPathFilter
 from ndg.security.common.X509 import X500DN
+from ndg.security.common.authz.xacml import Request, Subject, Attribute, Policy
+from ndg.security.common.authz.xacml import PDP as XacmlPDP
+from ndg.security.common.authz.msi import Policy
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \
     NDGSecurityMiddlewareConfigError
-# TODO: move this class to separate resource constraint module
-class Resource(object):
-    def __init__(self, uri, attributes=[]):
-        self.uri = uri
-        self.attributes = attributes
-    def __eq__(self, uri):
-        return self.uri == uri
-from ndg.security.common.authz.pdp import PDPInterface
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \
     NDGSecurityMiddlewareConfigError
+class Action(object):
+    pass
+class Environment(object):
+    pass
+from elementtree import ElementTree as ET
+class PDP(XacmlPDP):
+    def __init__(self, policyFilePath=None):
+        if policyFilePath:
+            elem = ET.parse(policyFilePath)
+            root = elem.getroot()
+            self.policy = Policy.getInstance(root)
+        else:
+            self.policy = Policy()
+    def evaluate(self, request):
+        '''Make access control decision'''
+        if action is None:
+            action = Action()
+        if environ is None:
+            environ = Environment()
+        #super(PDP, self).accessPermitted(subject, resource, action, environ)
+        for attr in resource.attributes:
+            if attr in subject.attributes:
+                return True
+        return False
+class PDPMiddlewareConfigError(NDGSecurityMiddlewareConfigError):
+    '''Policy Decision Point Middleware Configuration error'''
+from ndg.security.common.authz.msi import PDP, Request, Resource
+from ndg.security.common.wssecurity import WSSecurityConfig
+from ndg.security.common.sessionmanager import SessionManagerClient, \
+    SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession, \
+    AttributeRequestDenied
+class SubjectRetrievalError(Exception):
+    """Generic exception class for errors related to information about the
+    subject"""
+class InvalidAttributeCertificate(SubjectRetrievalError):
+    "The certificate containing authorisation roles is invalid"
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or
+                                       InvalidAttributeCertificate.__doc__)
+class SessionExpiredMsg(SubjectRetrievalError):
+    'Session has expired.  Please re-login'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__)
+class InvalidSessionMsg(SubjectRetrievalError):
+    'Session is invalid.  Please try re-login'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or
+                                       InvalidSessionMsg.__doc__)
+class InitSessionCtxError(SubjectRetrievalError):
+    'A problem occurred initialising a session connection'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or
+                                       InitSessionCtxError.__doc__)
+class AttributeCertificateRequestError(SubjectRetrievalError):
+    'A problem occurred requesting a certificate containing authorisation roles'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self,msg or
+                                    AttributeCertificateRequestError.__doc__)
 class PEPMiddleware(NDGSecurityPathFilter):
 …
     def __init__(self, app, global_conf, prefix='', **app_conf):
+        pdpCfg = {}
+        pdpCfgPfx = prefix + 'pdp.'
+        pdpCfgLen = len(pdpCfgPfx)
+        for k,v in app_conf.items():
+            if k.startswith(pdpCfgPfx):
+                pdpCfg[k[pdpCfgLen:]] = app_conf.pop(k)
+        pdpCfg = PEPMiddleware._filterKeywords(app_conf, 'pdp.')
+        self.pdp = PDP(**pdpCfg)
+        self.wssecurityCfg = WSSecurityConfig()
+        wssePrefix = 'sessionManagerClient.wssecurity'
+        self.wssecurityCfg.update(app_conf, prefix=wssePrefix)
+        PEPMiddleware._filterKeywords(app_conf, wssePrefix+'.')
+        self.pdp = PDP(**pdpCfg)
+        super(PEPMiddleware, self).__init__(app,
+                                            global_conf,
+                                            prefix=prefix,
+        self.sslCACertFilePathList = app_conf.pop(
+                            'sessionManagerClient.sslCACertFilePathList', [])
+        super(PEPMiddleware, self).__init__(app,
+                                            global_conf,
+                                            prefix=prefix,
                                             **app_conf)
+    @staticmethod
+    def _filterKeywords(conf, prefix):
+        filteredConf = {}
+        prefixLen = len(prefix)
+        for k, v in conf.items():
+            if k.startswith(prefix):
+                filteredConf[k[prefixLen:]] = conf.pop(k)
+        return filteredConf
     @NDGSecurityPathFilter.initCall
     def __call__(self, environ, start_response):
+        self.session = self.environ.get(self.sessionKey)
         if self.isAuthenticated:
             if self.isAuthorized():
 …
         else:
             response = "Not authenticated"
             start_response(PEPMiddleware.getStatusMessage(401),
+            start_response(PEPMiddleware.getStatusMessage(401),
                            [('Content-type', 'text/plain') ,
                             ('Content-length', str(len(response)))])
             return response
+    def _getAttributeCertificate(self, attributeAuthorityURI):
+        try:
+            # Create Session Manager client - if a file path was set, setting
+            # are read from a separate config file section otherwise, from the
+            # PDP config object
+            smClnt = SessionManagerClient(
+                            uri=self.session['sessionManagerURI'],
+                            sslCACertFilePathList=self.sslCACertFilePathList,
+                            cfg=self.wssecurityCfg)
+        except Exception, e:
+            log.error("Creating Session Manager client: %s" % e)
+            raise InitSessionCtxError()
+        try:
+            # Make request for attribute certificate
+            attCert = smClnt.getAttCert(
+                                attributeAuthorityURI=attributeAuthorityURI,
+                                sessID=self.session['sessionID'])
+            return attCert
+        except AttributeRequestDenied, e:
+            log.error("Request for attribute certificate denied: %s" % e)
+            raise PDPUserAccessDenied()
+        except SessionNotFound, e:
+            log.error("No session found: %s" % e)
+            raise PDPUserNotLoggedIn()
+        except SessionExpired, e:
+            log.error("Session expired: %s" % e)
+            raise InvalidSessionMsg()
+        except SessionCertTimeError, e:
+            log.error("Session cert. time error: %s" % e)
+            raise InvalidSessionMsg()
+        except InvalidSession, e:
+            log.error("Invalid user session: %s" % e)
+            raise InvalidSessionMsg()
+        except Exception, e:
+            log.error("Request from Session Manager [%s] to Attribute "
+                      "Authority [%s] for attribute certificate: %s: %s" %
+                      (self.session['sessionManagerURI'],
+                       attributeAuthorityURI,
+                       e.__class__, e))
+            raise AttributeCertificateRequestError()
     def isAuthorized(self):
         '''Check constraints on the requested URI and return boolean - access
 …
         environ = self.environ
+        # TODO: Refactor here perhaps calling resource constraint look-up or do
+        # inside PDP call?
+        resource = self.environ.get('ndg.security.server.wsgi.pep.resource') or \
+            Resource(self.pathInfo)
+        session = self.environ[self.sessionKey]
+        user = Attribute(id='userId', value=session['username'])
+        sessionManager = Attribute(id='sessionManagerURI',
+                                   value=session['sessionManagerURI'])
+        role = Attribute(id='role', value='someAttribute')
+        subject = Subject(attributes={user.id: user,
+                                      sessionManager.id: sessionManager,
+                                      role.id: role})
+        request = Request(subject, resource, environment=self.environ)
+        # Make a request object to pass to the PDP
+        request = Request()
+        request.subject.attributes['userId'] = self.session['username']
+        request.resource = self.environ.get(
+            'ndg.security.server.wsgi.pep.resource') or Resource(self.pathInfo)
+        # Look for matching targets to the given resource
+        matchingTargets = [target for target in self.pdp.policy.targets
+                           if target.regEx.match(request.resource.uri) \
+                           is not None]
+        attributeAuthorityURIs = []
+        for matchingTarget in matchingTargets:
+            # Make call to relevant Attribute Authority if not already
+            # requested
+            if matchingTarget.attributeAuthorityURI not in \
+               attributeAuthorityURIs:
+                attributeCertificate = self._getAttributeCertificate(
+                                        matchingTarget.attributeAuthorityURI)
+                attributeAuthorityURIs.append(
+                                        matchingTarget.attributeAuthorityURI)
+            request.subject.attributes.update(
+                                        {'roles': attributeCertificate.roles})
         response = self.pdp.evaluate(request)
         return status
 …
         response'''
         response = "Access Denied"
         start_response(PEPMiddleware.getStatusMessage(403),
+        start_response(PEPMiddleware.getStatusMessage(403),
                        [('Content-type', 'text/plain') ,
                         ('Content-length', str(len(response)))])
 …
                   "%r", status, headers)
         if status.startswith(cls.triggerStatus) or environ['PATH_INFO']=='/test_securedURI':
             environ['ndg.security.server.wsgi.pep.resource'] = Resource(environ['PATH_INFO'], attributes=['someAttribute'])
+        if status.startswith(cls.triggerStatus) or environ['PATH_INFO'] == '/test_securedURI':
+#            environ['ndg.security.server.wsgi.pep.resource'] = Resource(environ['PATH_INFO'])
             log.debug("PEPMiddleware.checker returning True")
             return True
 …
         app = MultiHandler(app)
         app.add_method(PEPMiddleware.id,
                        PEPMiddleware.filter_app_factory,
+        app.add_method(PEPMiddleware.id,
+                       PEPMiddleware.filter_app_factory,
                        global_conf,
                        prefix=prefix,
 …
         super(AuthorizationMiddleware, self).__init__(app,
                                                       global_conf,
                                                       prefix=prefix,
+        super(AuthorizationMiddleware, self).__init__(app,
+                                                      global_conf,
+                                                      prefix=prefix,
                                                       **app_conf)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/init.py

-                      r5148
+                      r5168
     errorMsg = "AuthNInterface configuration error"
+class AuthNInterfaceCtx(object):
+    """Implement a derived version of this class to enable passing of any
+    login context information returned from AbstractAuthNInterface.login
+    to AbstractAuthNInterface.logout"""
 class AbstractAuthNInterface(object):
     '''OpenID Provider abstract base class for authentication configuration.
 …
         @raise AuthNInterfaceError: generic exception not described by the
         other specific exception types.
+        @rtype: AuthNInterfaceCtx
+        @return: authentication context object for use by OpenID Provider to
+        handle logout. Pass any information required by the logout method via
+        this object.  The object should be instance of a class derived from
+        AuthNInterfaceCtx
         """
         raise NotImplementedError()
 …
         raise NotImplementedError()
+    def logout(self, authNInterfaceCtx):
+        """Stub to enable custom actions for logout.
+        @type authNInterfaceCtx: AuthNInterfaceCtx
+        @param authNInterfaceCtx: authentication context object returned from
+        login method
+        """
+        raise NotImplementedError()
 from ndg.security.server.wsgi.openid.provider.axinterface import \
 …
             raise
+        # Authentication context object - set to a default.  Authentication
+        # interface object should return a context object into this variable
+        # from its login method for the logout method to reference when it is
+        # later invoked.
+        self.authNInterfaceCtx = AuthNInterfaceCtx()
         # Paths relative to base URL - Nb. remove trailing '/'
         self.paths = dict([(k, opt[k].rstrip('/'))
 …
                 # Invoke custom authentication interface plugin
                 try:
                     self._authN.logon(environ,
                                       userIdentifier,
                                       self.query['username'],
                                       self.query.get('password', ''))
+                    self.authNInterfaceCtx = self._authN.logon(environ,
+                                              userIdentifier,
+                                              self.query['username'],
+                                              self.query.get('password', ''))
                 except AuthNInterfaceError, e:
 …
                 self.session.pop('approved', None)
                 self.session.save()
+                try:
+                    self._authN.logout(self.authNInterfaceCtx)
+                except Exception, e:
+                    log.error("Unexpected exception raised during "
+                              "logout: %s" % e)
+                    msg = ("An internal error  during logout.  If the "
+                           "problem persists contact your system "
+                           "administrator.")
+                    response = self._render.errorPage(environ, start_response,
+                                                      msg)
+                    return response
             return self._redirect(start_response, self.query['success_to'])
 …
         # possibly via FetchRequest.getRequiredAttrs()
         try:
             self.axResponse(ax_req, ax_resp, self.session.get('username'))
+            self.axResponse(ax_req, ax_resp, self.authNInterfaceCtx)
         except OpenIDProviderMissingRequiredAXAttrs, e:

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py

-                      r5087
+                      r5168
 from ndg.security.server.wsgi.openid.provider import AbstractAuthNInterface, \
     AuthNInterfaceConfigError, AuthNInterfaceInvalidCredentials, \
     AuthNInterfaceUsername2IdentifierMismatch
+    AuthNInterfaceUsername2IdentifierMismatch, AuthNInterfaceCtx
 from ndg.security.server.wsgi.utils.sessionmanagerclient import \
     WSGISessionManagerClient, AuthNServiceInvalidCredentials
+class SessionManagerAuthNCtx(AuthNInterfaceCtx):
+    """Authentication Context class for passing session Id and Session Manager
+    URI to logout method AXResponse instance
+    """
+    def __init__(self, uri=None, environKeyName=None, sessionId=None):
+        self.uri = uri
+        self.environKeyName = environKeyName
+        self.sessionId = sessionId
 class SessionManagerOpenIDAuthNInterface(AbstractAuthNInterface):
     '''Authentication interface class for OpenIDProviderMiddleware to enable
 …
         try:
+            authNCtx = SessionManagerAuthNCtx(uri=self._client.uri,
+                                    environKeyName=self._client._environKey)
             self._client.environ = environ
+            self._client.connect(username, passphrase=password)
+            authNCtx.sessionId = self._client.connect(username,
+                                                      passphrase=password)[-1]
         except AuthNServiceInvalidCredentials, e:
             log.exception(e)
             raise AuthNInterfaceInvalidCredentials()
+        return authNCtx
 …
         return userIdentifiers
+    def logout(self, authNCtx):
+        """
+        @type authNCtx: SessionManagerAuthNCtx
+        @param authNCtx: authentication context object returned from
+        login method
+        """
+        if not isinstance(authNCtx, SessionManagerAuthNCtx):
+            log.error("Expecting SessionManagerAuthNCtx type for authNCtx; "
+                      "got: %s" % authNCtx.__class__.__name__)
+            raise AuthNInterfaceConfigError("Expecting SessionManagerAuthNCtx "
+                                            "type for authNCtx; got: %s" %
+                                            authNCtx.__class__.__name__)
+        try:
+            self._client.environ = environ
+            self._client.disconnect(sessID=authNCtx.sessionId)
+        except Exception, e:
+            log.exception(e)
+            raise AuthNInterfaceInvalidCredentials()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/init.py

-                      r5148
+                      r5168
         raise NotImplementedError()
     def __call__(self, ax_req, ax_resp, userID):
+    def __call__(self, ax_req, ax_resp, authNInterfaceCtx):
         """Add the attributes to the ax_resp object requested in the ax_req
         object.  If it is not possible to return them, raise
 …
         @param ax_resp: attribute exchange response object.  This method should
         update the settings in this object.  Use addValue and setValues methods
+        @type userID: basestring
+        @param userID: user's local ID
+        @type authNInterfaceCtx: AuthNInterfaceCtx
+        @param authNInterfaceCtx: custom authentication context information set
+        at login.  See ndg.security.server.openid.provider.AuthNInterfaceCtx
+        for more information
         """
         raise NotImplementedError()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py

-                      r5148
+                      r5168
     endpoint'''
+    propertyNames = ('sessionManagerURI', 'sessionManagerURITypeURI')
+    propertyNames = (
+        'sessionManagerURI',
+        'sessionManagerURITypeURI',
+        'sessionId',
+        'sessionIdTypeURI')
     def __init__(self, **cfg):
 …
             setattr(self, name, val)
     def __call__(self, ax_req, ax_resp, userID):
+    def __call__(self, ax_req, ax_resp, authNInterfaceCtx):
         """Add the attributes to the ax_resp object requested in the ax_req
         object.  If it is not possible to return them, raise
 …
         @param ax_resp: attribute exchange response object.  This method should
         update the settings in this object.  Use addValue and setValues methods
+        @type userID: basestring
+        @param userID: user's local ID
+        @type authNInterfaceCtx: AuthNInterfaceCtx
+        @param authNInterfaceCtx: custom authentication context information set
+        at login.  See ndg.security.server.openid.provider.AuthNInterfaceCtx
+        for more information
         """
         reqAttrURIs = ax_req.getRequiredAttrs()
 …
             ax_resp.addValue(self.sessionManagerURITypeURI,
                              self.sessionManagerURI)
+        if self.sessionIdTypeURI in reqAttrURIs:
+            if not isinstance(authNInterfaceCtx, AuthNInterfaceCtx):
+                raise AXInterfaceConfigError("Expecting AuthNInterfaceCtx "
+                                        "type for authNInterfaceCtx arg; "
+                                        "got: %s" %
+                                        authNInterfaceCtx.__class__.__name__)
+            ax_resp.addValue(self.sessionIdTypeURI,authNInterfaceCtx.sessionId)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini

-                      r5165
+                      r5168
 paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory
 prefix = authz.
+authz.pdp.policyFilePath = %(here)s/policy.xml
+#authz.pep.pathMatchList = /test_securedURI
+pdp.policyFilePath = %(here)s/policy.xml
+#[filter:PDPMiddlewareFilter]
+##paste.filter_app_factory=ndg.security.server.wsgi.pdp:PDPMiddleware.filter_app_factory
+##prefix = pdp.
+##paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPMiddlewareAppFactory
+#paste.filter_app_factory = ndg.security.server.wsgi.pdp:PDPHandlerMiddleware.filter_app_factory
+# Settings for connection to the user's Session Manager
+sessionManagerClient.sslCACertFilePathList=
+#
+# WS-Security Settings for call to Session Manager
+# Signature of an outbound message
+# Certificate associated with private key used to sign a message.  The sign
+# method will add this to the BinarySecurityToken element of the WSSE header.
+# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
+# As an alternative, use signingCertChain - see below...
+# PEM encode cert
+sessionManagerClient.wssecurity.signingCertFilePath=
+# PEM encoded private key file
+sessionManagerClient.wssecurity.signingPriKeyFilePath=
+# Password protecting private key.  Leave blank if there is no password.
+sessionManagerClient.wssecurity.signingPriKeyPwd=
+# Provide a space separated list of file paths
+sessionManagerClient.wssecurity.caCertFilePathList=
+# ValueType for the BinarySecurityToken added to the WSSE header
+sessionManagerClient.wssecurity.reqBinSecTokValType=X509v3
+# Add a timestamp element to an outbound message
+sessionManagerClient.wssecurity.addTimestamp=True

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini

-                      r5154
+                      r5168
 sessionManagerPath = /SessionManager
 sessionManagerURI = %(baseURI)s%(sessionManagerPath)s
+openid.ax.sessionManagerURI.typeURI=urn:ndg.security.openid.sessionManagerURI
+openid.ax.sessionManagerURI.typeURI=urn:ndg:security:openid:sessionManagerURI
+openid.ax.sessionId.typeURI=urn:ndg:security:openid:sessionId
 #______________________________________________________________________________
 …
 authkit.openid.ax.alias.sessionManagerURI=sessionManagerURI
+authkit.openid.ax.typeuri.sessionId=%(openid.ax.sessionId.typeURI)s
+authkit.openid.ax.required.sessionId=True
+authkit.openid.ax.alias.sessionId=sessionId
 # Template for signin
 #authkit.openid.template.obj =
 …
-#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
 openid.provider.axResponse.class=ndg.security.server.wsgi.openid.provider.axinterface.sessionmanager.SessionManagerAXInterface
 openid.provider.axResponse.sessionManagerURI=%(sessionManagerURI)s
 openid.provider.axResponse.sessionManagerURITypeURI=%(openid.ax.sessionManagerURI.typeURI)s
+openid.provider.axResponse.sessionManagerURI=%(sessionId)s
+openid.provider.axResponse.sessionIdTypeURI=%(openid.ax.sessionId.typeURI)s
 # Basic Authentication interface to demonstrate capabilities

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 5168 for TI12-security

Legend:

Download in other formats: