Changeset 5181 for TI12-security

Timestamp:

07/04/09 16:40:44 (11 years ago)

Author:

pjkersha

Message:

Added a Policy Information Point to encapsulate subject attribute retrieval.

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/AttCert.py (modified) (4 diffs)
• ndg.security.common/ndg/security/common/authz/msi.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/credentialwallet.py (modified) (7 diffs)
• ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/wsgi/authn.py (modified) (4 diffs)
• ndg.security.server/ndg/security/server/wsgi/authz/__init__.py (modified) (6 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py (modified) (10 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/clientbase.py (modified) (7 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py (modified) (12 diffs)
• ndg.security.test/ndg/security/test/integration/authz/securedapp.ini (modified) (3 diffs)
• ndg.security.test/ndg/security/test/integration/authz/securityservices.ini (modified) (2 diffs)
• ndg.security.test/ndg/security/test/integration/combinedservices/serverapp.py (modified) (9 diffs)
• ndg.security.test/ndg/security/test/integration/combinedservices/services.ini (modified) (1 diff)
• ndg.security.test/ndg/security/test/integration/openid/securityservices.ini (modified) (1 diff)
• ndg.security.test/ndg/security/test/integration/openidprovider/securityservices.ini (modified) (1 diff)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py

@@ -36 +36 @@
 
 
-#_____________________________________________________________________________
 class AttCertError(Exception):  
     """Exception handling for NDG Attribute Certificate class."""
 
-#_____________________________________________________________________________
+class AttCertNotBeforeTimeError(AttCertError):
+    """Current time is before the Attribute Certificate's not before time"""
+
+class AttCertExpired(AttCertError):
+    """Current time is after the Attribute Certificate's not after time"""
+
 class AttCertReadOnlyDict(dict):
     def __init__(self, inputDict):
@@ -46 +50 @@
         
     def __setitem__(self, key, item):
-        raise KeyError, "Items are read-only in this dictionary"
+        raise KeyError("Items are read-only in this dictionary")
        
-#_____________________________________________________________________________
 class _MetaAttCert(type):
     """Enable AttCert to have read only class variables e.g.
@@ -58 +61 @@
     ... raises - AttributeError: can't set attribute"""
     
-    #_________________________________________________________________________    
     def __getVersion(cls):
         '''Version of THIS format for the certificate'''
@@ -1041 +1043 @@
         version (default is True)
 
-        @param chkProvenanceset to True to check provenance value is valid
+        @param chkProvenance: set to True to check provenance value is valid
         (default is True)
 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py

@@ -88 +88 @@
         return resource
 
-class Subject(object):
+class _AttrDict(dict):
+    """Utility class for holding a constrained list of attributes governed
+    by a namespace list"""
+    namespaces = ()
+    def __init__(self, **attributes):
+        invalidAttributes = [attr for attr in attributes \
+                             if attr not in self.__class__.namespaces]
+        if len(invalidAttributes) > 0:
+            raise TypeError("The following attribute namespace(s) are not "
+                            "recognised: %s" % invalidAttributes)
+            
+        self.update(attributes)
+
+    def __setitem__(self, key, val):
+        if key not in self.__class__.namespaces:
+            raise KeyError('Namespace "%s" not recognised.  Valid namespaces '
+                           'are: %s' % self.__class__.namespaces)
+            
+        dict.__setitem__(self, key, val)
+
+
+    def update(self, d, **kw):        
+        for dictArg in (d, kw):
+            for k in dictArg:
+                if key not in self.__class__.namespaces:
+                    raise KeyError('Namespace "%s" not recognised.  Valid '
+                                   'namespaces are: %s' %
+                                   self.__class__.namespaces)
+        
+        dict.update(self, d, **kw)
+
+class Subject(_AttrDict):
     '''Subject designator'''
-    def __init__(self, attributes={}):
-        self.attributes = attributes
-
-class Resource(object):
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:subject:userId",
+        "urn:ndg:security:authz:1.0:attr:subject:sessionId",
+        "urn:ndg:security:authz:1.0:attr:subject:sessionManagerURI",
+        "urn:ndg:security:authz:1.0:attr:subject:roles"        
+    )
+    (USERID_NS, SESSIONID_NS, SESSIONMANAGERURI_NS, ROLES_NS) = namespaces
+
+class Resource(_AttrDict):
     '''Resource designator'''
-    def __init__(self, uri=''):
-        self.uri = uri
-        
-    def __str__(self):
-        return self.uri
-       
-    def __eq__(self, uri):
-        return self.uri == uri
-    
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:resource:uri",
+    )
+    (URI_NS,) = namespaces
+           
 class Request(object):
     '''Request to send to a PDP'''
@@ -129 +161 @@
         
         
+from ndg.security.common.sessionmanager import SessionManagerClient, \
+    SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession, \
+    AttributeRequestDenied
+                    
+from ndg.security.common.authz.pdp import PDPUserNotLoggedIn, \
+    PDPUserAccessDenied
+    
+class SubjectRetrievalError(Exception):
+    """Generic exception class for errors related to information about the
+    subject"""
+    
+class InvalidAttributeCertificate(SubjectRetrievalError):
+    "The certificate containing authorisation roles is invalid"
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                       InvalidAttributeCertificate.__doc__)
+        
+class AttributeCertificateNotBeforeTimeError(SubjectRetrievalError):
+    ("There is a time issuing error with certificate containing authorisation "
+    "roles")
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                AttributeCertificateNotBeforeTimeError.__doc__)
+        
+class AttributeCertificateExpired(SubjectRetrievalError):
+    "The certificate containing authorisation roles has expired"
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                       AttributeCertificateExpired.__doc__)
+            
+class SessionExpiredMsg(SubjectRetrievalError):
+    'Session has expired.  Please re-login at your home organisation'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__)
+
+class SessionNotFoundMsg(SubjectRetrievalError):
+    'No session was found.  Please try re-login with your home organisation'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                       SessionNotFoundMsg.__doc__)
+
+class InvalidSessionMsg(SubjectRetrievalError):
+    'Session is invalid.  Please try re-login with your home organisation'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                       InvalidSessionMsg.__doc__)
+
+class InitSessionCtxError(SubjectRetrievalError):
+    'A problem occurred initialising a session connection'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or 
+                                       InitSessionCtxError.__doc__)
+
+class AttributeCertificateRequestError(SubjectRetrievalError):
+    'A problem occurred requesting a certificate containing authorisation roles'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self,msg or 
+                                    AttributeCertificateRequestError.__doc__)
+
+class PIPAttributeQuery(_AttrDict):
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:subject",
+        "urn:ndg:security:authz:1.0:attr:attributeAuthorityURI",
+    )  
+    (SUBJECT_NS, ATTRIBUTEAUTHORITY_NS) = namespaces    
+
+class PIPAttributeResponse(_AttrDict):
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:attributeCertificate",
+    )
+    (ATTRIBUTECERTIFICATE_NS,) = namespaces
+
+
+from ndg.security.common.wssecurity import WSSecurityConfig
+from ndg.security.common.credentialwallet import CredentialWallet
+
+class PIP(object):
+    """Policy Information Point - this implementation enables the PDP to 
+    retrieve attributes about the Subject"""
+
+    def __init__(self, prefix='', **cfg):
+        '''Set-up WS-Security and SSL settings for connection to an
+        Attribute Authority
+        
+        @type **cfg: dict
+        @param **cfg: keywords including 'sslCACertFilePathList' used to set a
+        list of CA certificates for an SSL connection to the Attribute
+        Authority if used and also WS-Security settings as used by
+        ndg.security.common.wssecurity.WSSecurityConfig
+        '''
+        self._subjectCache = {}
+        
+        self.wssecurityCfg = WSSecurityConfig()
+        wssePrefix = prefix + 'wssecurity'
+        self.wssecurityCfg.update(cfg, prefix=wssePrefix)
+                 
+        self.sslCACertFilePathList = cfg.get(prefix+'sslCACertFilePathList',[])
+
+    def attributeQuery(self, attributeQuery):
+        """Query the Attribute Authority specified in the request to retrieve
+        the attributes if any corresponding to the subject
+        
+        @type attributeResponse: PIPAttributeQuery
+        @param attributeResponse: 
+        @rtype: PIPAttributeResponse
+        @return: response containing the attributes retrieved from the
+        Attribute Authority"""
+        
+        subject = attributeQuery[PIPAttributeQuery.SUBJECT_NS]
+        sessionId = subject[Subject.SESSIONID_NS]
+        attributeAuthorityURI = attributeQuery[
+                                    PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS]
+        
+        # Check this subject's cache for an Attribute Certificate previously
+        # retrieved.
+        attributeCertificate = None
+        if self._subjectCache.get(sessionId) is not None:
+            subjectCred = subjectCache.credentialByURI.get(
+                                                        attributeAuthorityURI)
+            
+            if subjectCred is not None:
+                if subjectCred['attCert'].isValid():
+                    attributeCertificate = subjectCred['attCert']
+        
+        # If no Attribute Certificate is available, retrieve from the relevant
+        # Attribute Authority      
+        if attributeCertificate is None:  
+            sessionId = subject[Subject.SESSIONID_NS]
+            attributeCertificate = self._getAttributeCertificate(
+                                        sessionId,
+                                        subject[Subject.SESSIONMANAGERURI_NS],
+                                        attributeAuthorityURI)
+            
+            # Make a new wallet for this subject
+            self._subjectCache[sessionId] = \
+                        CredentialWallet(userId=attributeCertificate.userId)
+                        
+            self._subjectCache[sessionId].addCredential(
+                                attributeCertificate,
+                                attributeAuthorityURI=attributeAuthorityURI)
+
+        attributeResponse = PIPAttributeResponse()
+        attributeResponse[PIPAttributeResponse.ATTRIBUTECERTIFICATE_NS] = \
+                                                        attributeCertificate
+         
+        return attributeResponse
+    
+    
+    def _getAttributeCertificate(self, 
+                                 sessionId,
+                                 sessionManagerURI,
+                                 attributeAuthorityURI):
+        '''Retrieve an Attribute Certificate using the subject's Session
+        Manager
+        
+        @type sessionId: basestring
+        @param sessionId: Session Manager session handle
+        @type sessionManagerURI: basestring
+        @param sessionManagerURI: URI to remote session manager service
+        @type attributeAuthorityURI: basestring
+        @param attributeAuthorityURI: URI to Attribute Authority service
+        '''
+        
+        try:
+            # Create Session Manager client - if a file path was set, setting
+            # are read from a separate config file section otherwise, from the
+            # PDP config object
+            smClnt = SessionManagerClient(
+                            uri=sessionManagerURI,
+                            sslCACertFilePathList=self.sslCACertFilePathList,
+                            cfg=self.wssecurityCfg)
+        except Exception, e:
+            log.error("Creating Session Manager client: %s" % e)
+            raise InitSessionCtxError()
+        
+         
+        try:
+            # Make request for attribute certificate
+            attCert = smClnt.getAttCert(
+                                attributeAuthorityURI=attributeAuthorityURI,
+                                sessID=sessionId)
+        
+        except AttributeRequestDenied, e:
+            log.error("Request for attribute certificate denied: %s" % e)
+            raise PDPUserAccessDenied()
+        
+        except SessionNotFound, e:
+            log.error("No session found: %s" % e)
+            raise SessionNotFoundMsg()
+
+        except SessionExpired, e:
+            log.error("Session expired: %s" % e)
+            raise SessionExpiredMsg()
+
+        except SessionCertTimeError, e:
+            log.error("Session cert. time error: %s" % e)
+            raise InvalidSessionMsg()
+            
+        except InvalidSession, e:
+            log.error("Invalid user session: %s" % e)
+            raise InvalidSessionMsg()
+
+        except Exception, e:
+            log.error("Request from Session Manager [%s] to Attribute "
+                      "Authority [%s] for attribute certificate: %s: %s" % 
+                      (sessionManagerURI,
+                       attributeAuthorityURI,
+                       e.__class__, e))
+            raise AttributeCertificateRequestError()
+        
+        try:
+            attCert.isValid(raiseExcep=True)
+        
+        except AttCertNotBeforeTimeError, e:   
+            log.exception(e)
+            raise AttributeCertificateNotBeforeTimeError()
+        
+        except AttCertExpired, e:   
+            log.exception(e)
+            raise AttributeCertificateExpired()
+
+        except AttCertError, e:
+            log.exception(e)
+            raise InvalidAttributeCertificate()
+            
+        return attCert
+
+           
+           
 class PDP(object):
-    def __init__(self, policyFilePath):
+    """Policy Decision Point"""
+    
+    def __init__(self, policyFilePath=Policy(), pip=None):
+        """Read in a file which determines access policy"""
         self.policy = Policy.Parse(policyFilePath)
+        self.pip = pip
         
     def evaluate(self, request):
         '''Make access control decision'''
-            
-        for attr in request.resource.attributes:
-            if attr in request.subject.attributes:
+        
+        # Look for matching targets to the given resource
+        resourceURI = request.resource[Resource.URI_NS]
+        matchingTargets = [target for target in self.policy.targets 
+                           if target.regEx.match(resourceURI) is not None]
+        
+        knownAttributeAuthorityURIs = []
+        for matchingTarget in matchingTargets:
+            
+            # Make call to the Policy Information Point to pull user
+            # attributes applicable to this resource
+            if matchingTarget.attributeAuthorityURI not in \
+               knownAttributeAuthorityURIs:
+                
+                attributeQuery = PIPAttributeQuery()
+                attributeQuery[PIPAttributeQuery.SUBJECT_NS]=request.subject
+                
+                attributeQuery[PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] = \
+                                        matchingTarget.attributeAuthorityURI
+                
+                attributeResponse = self.pip.attributeQuery(attributeQuery)
+                knownAttributeAuthorityURIs.append(
+                                        matchingTarget.attributeAuthorityURI)
+                
+                attributeCertificate = attributeResponse[
+                                PIPAttributeResponse.ATTRIBUTECERTIFICATE_NS]
+                request.subject[Subject.ROLES_NS] = attributeCertificate.roles 
+               
+        # Match the subject's attributes against the target
+        for attr in matchingTarget.attributes:
+            if attr in request.subject[Subject.ROLES_NS]:
                 return Response(Response.DECISION_PERMIT)
             

TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py

@@ -305 +305 @@
         '_cfg',
         '_credentials',
+        '_credentialsKeyedByURI',
         '_dn',
         '_attributeAuthorityURI'
@@ -413 +414 @@
             self.audit()
 
+    def __getstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        return dict([(attrName, getattr(self, attrName)) \
+                     for attrName in CredentialWallet._protectedAttrs])
+        
+    def __setstate__(self):
+        '''Enable pickling for use with beaker.session'''
+        pass
+    
     def parseConfig(self, cfg, prefix='', section='DEFAULT'):
         '''Extract parameters from _cfg config object'''
@@ -631 +641 @@
         
     def _getCredentials(self):
-        """Get Property method.  Credentials are read-only
+        """Get Property method.  Credentials doct is read-only but also see 
+        addCredential method
         
         @rtype: dict
@@ -642 +653 @@
                                "issuing authorities")
 
-
+    def _getCredentialsKeyedByURI(self):
+        """Get Property method for credentials keyed by Attribute Authority URI
+        Credentials dict is read-only but also see addCredential method
+        
+        @rtype: dict
+        @return: cached ACs indexed by issuing Attribute Authority"""
+        return self._credentialsKeyedByURI
+    
+    # Publish attribute
+    credentialsKeyedByURI = property(fget=_getCredentials,
+                           doc="List of Attribute Certificates linked to "
+                               "attribute authority URI")
+        
     def _getCACertFilePathList(self):
         """Get CA cert or certs used to validate AC signatures and signatures
@@ -845 +868 @@
 
 
-    def addCredential(self, attCert, bUpdateCredentialRepository=True):
+    def addCredential(self, 
+                      attCert, 
+                      attributeAuthorityURI=None,
+                      bUpdateCredentialRepository=True):
         """Add a new attribute certificate to the list of credentials held.
 
         @type attCert:
         @param attCert: new attribute Certificate to be added
+        @type attributeAuthorityURI: basestring
+        @param attributeAuthorityURI: input the Attribute Authority URI from
+        which attCert was retrieved.  This is added to a dict to enable access
+        to a given Attribute Certificate keyed by Attribute Authority URI. 
+        See the getCredential method.
         @type bUpdateCredentialRepository: bool
         @param bUpdateCredentialRepository: if set to True, and a repository 
@@ -857 +888 @@
         @return: True if certificate was added otherwise False.  - If an
         existing certificate from the same issuer has a later expiry it will
-        take precence and the new input certificate is ignored."""
+        take precedence and the new input certificate is ignored."""
 
         # Check input
         if not isinstance(attCert, AttCert):
-            raise CredentialWalletError("Attribute Certificate must be an AttCert "
-                                  "type object")
+            raise CredentialWalletError("Attribute Certificate must be an "
+                                        "AttCert type object")
 
         # Check certificate validity
@@ -897 +928 @@
             # from the CredentialRepository during creation of the wallet will
             # have +ve IDs previously allocated by the database
-            self._credentials[issuerName] = {'id': -1, 'attCert': attCert}
-
+            self._credentials[issuerName] = {
+                'id': -1, 
+                'attCert': attCert,
+                'attributeAuthorityURI': attributeAuthorityURI
+            }
+
+            if attributeAuthorityURI:
+                self._credentialsKeyedByURI[attributeAuthorityURI] = \
+                    self._credentials[issuerName]
+            
             # Update the Credentials Repository - the permanent store of user
             # authorisation credentials.  This allows credentials for previous

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py

@@ -238 +238 @@
             self.cfg = cfg
         else:
-            raise TypeError("cfg keyword set to %s type.  cfg must be a "
-                            "file path string, RawConfigParser derived "
-                            "class instance or WSSecurityConfig type" %
-                            cfg.__class__)
-
+            self.cfg = cfgClass()
+                
         # Also update config from keywords set 
-        log.debug("BaseSignatureHandler.__init__: setting config from "
+        log.debug("BaseSignatureHandler.__init__: updating config from "
                   "keywords...")
         

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

@@ -118 +118 @@
             self.smURI = None
             
-        if self.cfg.has_option(defSection, 'sessionManagerEnvironKey'):        
-            self.smEnvironKey = self.cfg.get(defSection, 
-                                             'sessionManagerEnvironKey')
-        else:
-            self.smEnvironKey = None
+        if self.cfg.has_option(defSection, 'sessionManagerEnvironKeyName'):        
+            self.smEnvironKeyName = self.cfg.get(defSection, 
+                                             'sessionManagerEnvironKeyName')
+        else:
+            self.smEnvironKeyName = None
             
         if self.cfg.has_option(defSection, 'attributeAuthorityURI'):        
@@ -129 +129 @@
             self.aaURI = None
             
-        if self.cfg.has_option(defSection, 'attributeAuthorityEnvironKey'):        
-            self.aaEnvironKey = self.cfg.get(defSection, 
-                                             'attributeAuthorityEnvironKey')
-        else:
-            self.aaEnvironKey = None
+        if self.cfg.has_option(defSection, 'attributeAuthorityEnvironKeyName'):        
+            self.aaEnvironKeyName = self.cfg.get(defSection, 
+                                             'attributeAuthorityEnvironKeyName')
+        else:
+            self.aaEnvironKeyName = None
         
         # ... for SSL connections to security web services

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -52 +52 @@
         try:    
             smClnt = WSGISessionManagerClient(
-                        environ=request.environ,
-                        uri=session['ndgSec']['h'],
-                        environKey=self.cfg.smEnvironKey,
-                        attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,
-                        tracefile=self.cfg.tracefile,
-                        httpProxyHost=self.cfg.httpProxyHost,
-                        noHttpProxyList=self.cfg.noHttpProxyList,
-                        sslCACertFilePathList=self.cfg.sslCACertFilePathList,
-                        **self.cfg.wss)                                
+                    environ=request.environ,
+                    uri=session['ndgSec']['h'],
+                    environKeyName=self.cfg.smEnvironKeyName,
+                    attributeAuthorityEnvironKeyName=self.cfg.aaEnvironKeyName,
+                    tracefile=self.cfg.tracefile,
+                    httpProxyHost=self.cfg.httpProxyHost,
+                    noHttpProxyList=self.cfg.noHttpProxyList,
+                    sslCACertFilePathList=self.cfg.sslCACertFilePathList,
+                    **self.cfg.wss)                                
         except Exception, e:
             c.xml = ('Error establishing security context.  Please report '
@@ -109 +109 @@
         try:    
             smClnt = WSGISessionManagerClient(
-                        environ=request.environ,
-                        uri=self.cfg.smURI,
-                        environKey=self.cfg.smEnvironKey,
-                        attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,
-                        tracefile=self.cfg.tracefile,
-                        httpProxyHost=self.cfg.httpProxyHost,
-                        noHttpProxyList=self.cfg.noHttpProxyList,
-                        **self.cfg.wss)
+                    environ=request.environ,
+                    uri=self.cfg.smURI,
+                    environKeyName=self.cfg.smEnvironKeyName,
+                    attributeAuthorityEnvironKeyName=self.cfg.aaEnvironKeyName,
+                    tracefile=self.cfg.tracefile,
+                    httpProxyHost=self.cfg.httpProxyHost,
+                    noHttpProxyList=self.cfg.noHttpProxyList,
+                    **self.cfg.wss)
                                 
             username = request.params['username']
@@ -225 +225 @@
                                     environ=request.environ,
                                     uri=self.cfg.aaURI,
-                                    environKey=self.cfg.aaEnvironKey,
+                                    environKeyName=self.cfg.aaEnvironKeyName,
                                     tracefile=self.cfg.tracefile,
                                     httpProxyHost=self.cfg.httpProxyHost,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py

@@ -45 +45 @@
             smClnt = WSGISessionManagerClient(uri=session['ndgSec']['h'],
                         environ=request.environ,
-                        environKey=self.cfg.smEnvironKey,
+                        environKeyName=self.cfg.smEnvironKeyName,
                         tracefile=cfg.tracefile,
                         sslCACertFilePathList=cfg.sslCACertFilePathList,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py

@@ -128 +128 @@
         aaClnt = WSGIAttributeAuthorityClient(environ=pylons.request.environ,
                                         uri=cfg.aaURI,
-                                        environKey=cfg.aaEnvironKey,
+                                        environKeyName=cfg.aaEnvironKeyName,
                                         tracefile=cfg.tracefile,
                                         httpProxyHost=cfg.httpProxyHost,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py

@@ -29 +29 @@
         try:
             client = WSGISessionManagerClient(environ=environ,
-                                        environKey=self.sessionManagerFilterID)
+                                    environKeyName=self.sessionManagerFilterID)
             res = client.connect(username, passphrase=password)
 
@@ -76 +76 @@
         self._redirectURI = None
         super(AuthenticationRedirectMiddleware, self).__init__(app, 
-                                                      global_conf, 
-                                                      **app_conf)
+                                                               global_conf, 
+                                                               **app_conf)
         
     @NDGSecurityMiddlewareBase.initCall
@@ -196 +196 @@
             session.pop('username', None)
             session.pop('sessionManagerURI', None)
+            session.pop('sessionId', None)
             session.save()
         else:
@@ -204 +205 @@
                 # eval is safe here because AuthKit cookie is signed and 
                 # AuthKit middleware checks for tampering
-                if 'sessionManagerURI' not in session:
+                if 'sessionManagerURI' not in session or \
+                   'sessionId' not in session:
                     axData = eval(environ['REMOTE_USER_DATA'])
                     sessionManagerURI=axData['ax']['value.sessionManagerURI.1']
                     session['sessionManagerURI'] = sessionManagerURI
-                
+
+                    sessionId = axData['ax']['value.sessionId.1']
+                    session['sessionId'] = sessionId
+                    
                 # Reset cookie removing user data
                 environ['paste.auth_tkt.set_user'](session['username'])

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz/__init__.py

@@ -15 +15 @@
 from ndg.security.server.wsgi import NDGSecurityPathFilter
 from ndg.security.common.X509 import X500DN
-from ndg.security.common.authz.msi import Policy
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \
     NDGSecurityMiddlewareConfigError
@@ -22 +21 @@
     NDGSecurityMiddlewareConfigError
 
-from ndg.security.common.authz.msi import PDP, Request, Resource
-from ndg.security.common.wssecurity import WSSecurityConfig
-from ndg.security.common.sessionmanager import SessionManagerClient, \
-    SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession, \
-    AttributeRequestDenied                   
-    
-class SubjectRetrievalError(Exception):
-    """Generic exception class for errors related to information about the
-    subject"""
-    
-class InvalidAttributeCertificate(SubjectRetrievalError):
-    "The certificate containing authorisation roles is invalid"
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or 
-                                       InvalidAttributeCertificate.__doc__)
-    
-class SessionExpiredMsg(SubjectRetrievalError):
-    'Session has expired.  Please re-login'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__)
-
-class InvalidSessionMsg(SubjectRetrievalError):
-    'Session is invalid.  Please try re-login'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or 
-                                       InvalidSessionMsg.__doc__)
-
-class InitSessionCtxError(SubjectRetrievalError):
-    'A problem occurred initialising a session connection'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or 
-                                       InitSessionCtxError.__doc__)
-
-class AttributeCertificateRequestError(SubjectRetrievalError):
-    'A problem occurred requesting a certificate containing authorisation roles'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self,msg or 
-                                    AttributeCertificateRequestError.__doc__)
+from ndg.security.common.authz.msi import PIP, PDP, Request, Response, \
+    Resource, Subject
 
 class PEPMiddleware(NDGSecurityPathFilter):
@@ -76 +39 @@
     def __init__(self, app, global_conf, prefix='', **app_conf):
         
+        # Policy Enforcement Point
+        pipCfg = PEPMiddleware._filterKeywords(app_conf, 'pip.')
+        pip = PIP(**pipCfg)
+
+        # Policy Decision Point
         pdpCfg = PEPMiddleware._filterKeywords(app_conf, 'pdp.')
-        self.pdp = PDP(**pdpCfg)
-
-        self.wssecurityCfg = WSSecurityConfig()
-        wssePrefix = 'sessionManagerClient.wssecurity'
-        self.wssecurityCfg.update(app_conf, prefix=wssePrefix)
-        
-        PEPMiddleware._filterKeywords(app_conf, wssePrefix+'.')
-                 
-        self.sslCACertFilePathList = app_conf.pop(
-                            'sessionManagerClient.sslCACertFilePathList', [])
+        self.pdp = PDP(pip=pip, **pdpCfg)
         
         super(PEPMiddleware, self).__init__(app,
@@ -117 +76 @@
                            [('Content-type', 'text/plain') ,
                             ('Content-length', str(len(response)))])
-            return response            
-
-    def _getAttributeCertificate(self, attributeAuthorityURI):
-        try:
-            # Create Session Manager client - if a file path was set, setting
-            # are read from a separate config file section otherwise, from the
-            # PDP config object
-            smClnt = SessionManagerClient(
-                            uri=self.session['sessionManagerURI'],
-                            sslCACertFilePathList=self.sslCACertFilePathList,
-                            cfg=self.wssecurityCfg)
-        except Exception, e:
-            log.error("Creating Session Manager client: %s" % e)
-            raise InitSessionCtxError()
-        
-         
-        try:
-            # Make request for attribute certificate
-            attCert = smClnt.getAttCert(
-                                attributeAuthorityURI=attributeAuthorityURI,
-                                sessID=self.session['sessionID'])
-            return attCert
-        
-        except AttributeRequestDenied, e:
-            log.error("Request for attribute certificate denied: %s" % e)
-            raise PDPUserAccessDenied()
-        
-        except SessionNotFound, e:
-            log.error("No session found: %s" % e)
-            raise PDPUserNotLoggedIn()
-
-        except SessionExpired, e:
-            log.error("Session expired: %s" % e)
-            raise InvalidSessionMsg()
-
-        except SessionCertTimeError, e:
-            log.error("Session cert. time error: %s" % e)
-            raise InvalidSessionMsg()
-            
-        except InvalidSession, e:
-            log.error("Invalid user session: %s" % e)
-            raise InvalidSessionMsg()
-
-        except Exception, e:
-            log.error("Request from Session Manager [%s] to Attribute "
-                      "Authority [%s] for attribute certificate: %s: %s" % 
-                      (self.session['sessionManagerURI'],
-                       attributeAuthorityURI,
-                       e.__class__, e))
-            raise AttributeCertificateRequestError()
-        
+            return response                    
         
     def isAuthorized(self):
@@ -176 +85 @@
         # Make a request object to pass to the PDP
         request = Request()
-        request.subject.attributes['userId'] = self.session['username']
-        request.resource = self.environ.get(
-            'ndg.security.server.wsgi.pep.resource') or Resource(self.pathInfo)
+        request.subject[Subject.USERID_NS] = self.session['username']
+        request.subject[Subject.SESSIONID_NS] = self.session['sessionId']
+        request.subject[Subject.SESSIONMANAGERURI_NS] = self.session[
+                                                        'sessionManagerURI']
         
-        # Look for matching targets to the given resource
-        matchingTargets = [target for target in self.pdp.policy.targets 
-                           if target.regEx.match(request.resource.uri) \
-                           is not None]
-        
-        attributeAuthorityURIs = []
-        for matchingTarget in matchingTargets:
-            
-            # Make call to relevant Attribute Authority if not already
-            # requested 
-            if matchingTarget.attributeAuthorityURI not in \
-               attributeAuthorityURIs:
-                attributeCertificate = self._getAttributeCertificate(
-                                        matchingTarget.attributeAuthorityURI)
-                attributeAuthorityURIs.append(
-                                        matchingTarget.attributeAuthorityURI)
-                
-            request.subject.attributes.update(
-                                        {'roles': attributeCertificate.roles})
+        resourceURI = self.environ.get('ndg.security.server.wsgi.pep.resource')
+        request.resource[Resource.URI_NS] = resourceURI or self.pathInfo
             
         response = self.pdp.evaluate(request)
-        return status
+        return response.status == Response.DECISION_PERMIT
     
     def accessDeniedResponse(self):
@@ -208 +101 @@
         response'''
         response = "Access Denied"
-        start_response(PEPMiddleware.getStatusMessage(403),
-                       [('Content-type', 'text/plain') ,
-                        ('Content-length', str(len(response)))])
+        self.start_response(PEPMiddleware.getStatusMessage(403),
+                            [('Content-type', 'text/plain') ,
+                             ('Content-length', str(len(response)))])
         return response            
    

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py

@@ -30 +30 @@
     URI to logout method AXResponse instance
     """
-    def __init__(self, uri=None, environKeyName=None, sessionId=None):
+    def __init__(self, uri=None, environKeyNameName=None, sessionId=None):
         self.uri = uri
-        self.environKeyName = environKeyName
+        self.environKeyNameName = environKeyNameName
         self.sessionId = sessionId
 
@@ -116 +116 @@
         try:
             authNCtx = SessionManagerAuthNCtx(uri=self._client.uri,
-                                    environKeyName=self._client._environKey)
+                                environKeyNameName=self._client.environKeyName)
             self._client.environ = environ
             authNCtx.sessionId = self._client.connect(username, 
@@ -188 +188 @@
         
         try:
-            self._client.environ = environ
             self._client.disconnect(sessID=authNCtx.sessionId)
             

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py

@@ -20 +20 @@
 from ndg.security.server.wsgi.openid.provider.axinterface import \
     AXInterface, AXInterfaceConfigError, MissingRequiredAttrs
-    
+from ndg.security.server.wsgi.openid.provider import AuthNInterfaceCtx    
     
 class SessionManagerAXInterface(AXInterface):
@@ -34 +34 @@
         'sessionManagerURI', 
         'sessionManagerURITypeURI',
-        'sessionId',
-        'sessionIdTypeURI')
+        'sessionIdTypeURI'
+    )
     
     def __init__(self, **cfg):
@@ -48 +48 @@
             if val is None:
                 raise AXInterfaceConfigError("Missing configuration setting: "
-                                             "%s" % val)   
+                                             '"%s"' % name)   
                    
             setattr(self, name, val)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py

@@ -33 +33 @@
     """
     
-    environKey = "ndg.security.server.wsgi.attributeAuthorityFilter"
+    defaultEnvironKeyName = "ndg.security.server.wsgi.attributeAuthorityFilter"
             
-    _getRef = lambda self:self._environ[self._environKey].serviceSOAPBinding.aa
-    ref = property(fget=_getRef, doc="Attribute Authority local instance")
+    _getLocalClient = lambda self:self._environ[
+                                    self.environKeyName].serviceSOAPBinding.aa
+    localClient = property(fget=_getLocalClient, 
+                           doc="Attribute Authority local instance")
 
-    def __init__(self, environKey=None, environ={}, **clientKw):
+    def __init__(self, environKeyName=None, environ={}, **clientKw):
+        """Initialise an interface to an Attribute Authority accessible either 
+        via a keyword to a WSGI environ dictionary or via a web service call
+        
+        @type environKeyName: basestring or None
+        @param environKeyName: dict key reference to service object to be 
+        invoked.  This may be set later using the environKeyName property
+        or may be omitted altogether if the service is to be invoked via a
+        web service call
+        @type environ: dict
+        @param environ: WSGI environment dictionary containing a reference to
+        the service object.  This may not be known at instantiation of this
+        class.  environ is not required if the service is to be invoked over
+        a web service interface
+        @type clientKw: dict
+        @param clientKw: custom keywords to instantiate a web service client
+        interface.  Derived classes are responsible for instantiating this
+        from an extended version of this __init__ method.
+        """
 
         log.debug("WSGIAttributeAuthorityClient.__init__ ...")
         
-        self._environKey=environKey or WSGIAttributeAuthorityClient.environKey
+        self.environKeyName = environKeyName or \
+                            WSGIAttributeAuthorityClient.defaultEnvironKeyName
         
         # Standard WSGI environment dict
@@ -48 +69 @@
         
         if clientKw.get('uri'):
-            self._client = AttributeAuthorityClient(**clientKw)
+            self.wsClient = AttributeAuthorityClient(**clientKw)
         else:
-            self._client = None
+            self.wsClient = None
             
     def getHostInfo(self):
@@ -60 +81 @@
         configuration held by the AA"""
         
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             # Connect to local instance
-            return self.ref.hostInfo
+            return self.localClient.hostInfo
         
-        elif self._client is None:            
+        elif self.wsClient is None:            
             raise WSGIAttributeAuthorityClientConfigError("No reference to a "
                         "local Attribute Authority is set and no SOAP client "
@@ -70 +91 @@
         else:            
             # Make connection to remote service
-            return self._client.getHostInfo()
+            return self.wsClient.getHostInfo()
         
         
@@ -86 +107 @@
         from the map configuration"""
         
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             # Connect to local instance
-            return self.ref.getTrustedHostInfo(**kw)
-        elif self._client is None:            
+            return self.localClient.getTrustedHostInfo(**kw)
+        
+        elif self.wsClient is None:            
             raise WSGIAttributeAuthorityClientConfigError("No reference to a "
                         "local Attribute Authority is set and no SOAP client "
@@ -95 +117 @@
         else:
             # Make connection to remote service
-            return self._client.getTrustedHostHostInfo(**kw)
+            return self.wsClient.getTrustedHostHostInfo(**kw)
 
 
@@ -106 +128 @@
         from the map configuration"""
         
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             # Connect to local instance - combine this host's info with info
             # from other trusted hosts
-            allHostsInfo = self.ref.hostInfo
-            allHostsInfo.update(self.ref.getTrustedHostInfo())
+            allHostsInfo = self.localClient.hostInfo
+            allHostsInfo.update(self.localClient.getTrustedHostInfo())
             return allHostsInfo
-        elif self._client is None:            
+        elif self.wsClient is None:            
             raise WSGIAttributeAuthorityClientConfigError("No reference to a "
                         "local Attribute Authority is set and no SOAP client "
@@ -118 +140 @@
         else:
             # Make connection to remote service
-            return self._client.getAllHostsInfo()
+            return self.wsClient.getAllHostsInfo()
 
 
@@ -136 +158 @@
         service"""
         
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             # Connect to local instance
             if 'userX509Cert' in kw:
                 kw['holderX509Cert'] = kw.pop('userX509Cert')
 
-            return self.ref.getAttCert(**kw)
-        elif self._client is None:            
+            return self.localClient.getAttCert(**kw)
+        elif self.wsClient is None:            
             raise WSGIAttributeAuthorityClientConfigError("No reference to a "
                         "local Attribute Authority is set and no SOAP client "
@@ -151 +173 @@
                 kw['userX509Cert'] = kw.pop('holderX509Cert')
                 
-            return self._client.getAttCert(**kw)
+            return self.wsClient.getAttCert(**kw)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/clientbase.py

@@ -23 +23 @@
     '''
 
-    environKey = ''
+    defaultEnvironKeyName = ''
     
-    def __init__(self,
-                 environKey=None, 
-                 environ={}, 
-                 **clientKw):
- 
-        self._environKey = environKey or WSGICLientBase.environKey
+    def __init__(self, environKeyName=None, environ={}, **clientKw):
+        """Initialise an interface to a service accessible either via a
+        keyword to a WSGI environ dictionary or via a web service call
+        
+        @type environKeyName: basestring or None
+        @param environKeyName: dict key reference to service object to be 
+        invoked.  This may be set later using the environKeyName property
+        or may be omitted altogether if the service is to be invoked via a
+        web service call
+        @type environ: dict
+        @param environ: WSGI environment dictionary containing a reference to
+        the service object.  This may not be known at instantiation of this
+        class.  environ is not required if the service is to be invoked over
+        a web service interface
+        @type clientKw: dict
+        @param clientKw: custom keywords to instantiate a web service client
+        interface.  Derived classes are responsible for instantiating this
+        from an extended version of this __init__ method.
+        """
+        
+        self._environKeyName = environKeyName or \
+                               WSGICLientBase.defaultEnvironKeyName
                         
         # Standard WSGI environment dict
@@ -37 +53 @@
         # Derived class could instantiate required client type if a 'uri'
         # key is set in clientKw    
-        self._client = None
+        self._wsClient = None
         
+    def _getWSClient(self):
+        return getattr(self, '_wsClient', None)
+    
+    def _setWSClient(self, wsClient):
+        self._wsClient = wsClient
+    
+    wsClient = property(fget=_getWSClient,
+                        fset=_setWSClient, 
+                        doc="Web service client to service to be invoked")
+    
+    def _getWSClientURI(self):
+        return getattr(self.wsClient, 'uri', None)
 
+    uri = property(fget=_getWSClientURI,
+                   doc="URI for web service or None if no WS Client is set")
+
+    def _setEnvironKeyName(self, keyName):
+        if not isinstance(keyName, (None.__class__, basestring)):
+            raise TypeError("environKeyName must be string or None type; got "
+                            "%s" % keyName)
+            
+        self._environKeyName = keyName
+
+    def _getEnvironKeyName(self):
+        return self._environKeyName
+    
+    environKeyName = property(fget=_getEnvironKeyName,
+                              fset=_setEnvironKeyName,
+                              doc="key in environ dict holding reference to "
+                                  "service to be invoked.  This may be None "
+                                  "if the service is to be invoked via the "
+                                  "web service client")
+    
     def _setEnviron(self, environ):
         if not isinstance(environ, dict):
@@ -45 +93 @@
         self._environ = environ
         
-    def _getEnviron(self, environ):
+    def _getEnviron(self):
         return self._environ
     
@@ -52 +100 @@
                        doc="WSGI environ dictionary")
 
-    def _getRef(self):
+    def _getLocalClient(self):
         """Get reference to WSGI service instance in environ"""
         raise NotImplementedError()
     
-    ref = property(fget=_getRef, doc="local instance")
+    localClient = property(fget=_getLocalClient, doc="local instance")
     
-    def _refInEnviron(self):
+    def _localClientInEnviron(self):
         '''Check whether a reference is present in the WSGI environ to the 
         service to be queried.  Check also that if a URI was specified by the
@@ -71 +119 @@
         referenced must have a published URI attribute
         '''
-        if self._environKey not in self._environ:
+        if self._environKeyName not in self._environ:
             log.debug("Checking for referenced WSGI service in environ: "
                       "the given key was not found in the environ dictionary")
             return False
         
-        if self._client:
+        if self._wsClient:
             # A SOAP client was initialised - check to see if its URI matches
             # the URI for the service referenced in environ
-            requestedURI = getattr(self._client, 'uri', None)
+            requestedURI = getattr(self._wsClient, 'uri', None)
             if requestedURI is None:
                 log.debug("Checking for referenced WSGI service in environ: "
@@ -86 +134 @@
                 return True
             
-            serviceURI = getattr(self._environ[self._environKey], 
+            serviceURI = getattr(self._environ[self._environKeyName], 
                                  'publishedURI',
                                  None)
@@ -104 +152 @@
     
     # Define as property for convenient call syntax
-    refInEnviron = property(fget=_refInEnviron,
-                            doc="return True if referenced instance is "
-                                "available in WSGI environ")
+    localClientInEnviron = property(fget=_localClientInEnviron,
+                                    doc="return True if referenced instance "
+                                        "is available in WSGI environ")

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py

@@ -95 +95 @@
     keyword
     
-    @type environKey: basestring
-    @cvar environKey: default WSGI environ keyword name for reference to a 
-    local Session Manager instance.  Override with the environKey keyword to 
-    __init__
-    
-    @type attributeAuthorityEnvironKey: basestring
-    @cvar attributeAuthorityEnvironKey: default WSGI environ keyword name for 
-    reference to a local Attribute Authority instance used in calls to 
-    getAttCert().  Override with the attributeAuthorityEnvironKey keyword to
-    __init__
+    @type defaultEnvironKeyName: basestring
+    @cvar defaultEnvironKeyName: default WSGI environ keyword name for 
+    reference to a local Session Manager instance.  Override with the 
+    environKeyName keyword to __init__
+    
+    @type attributeAuthorityEnvironKeyName: basestring
+    @cvar attributeAuthorityEnvironKeyName: default WSGI environ keyword name 
+    for reference to a local Attribute Authority instance used in calls to 
+    getAttCert().  Override with the attributeAuthorityEnvironKeyName keyword 
+    to __init__
     """
-    environKey = "ndg.security.server.wsgi.sessionManagerFilter"
-    attributeAuthorityEnvironKey = WSGIAttributeAuthorityClient.environKey
-        
-    _getRef = lambda self:self._environ[self._environKey].serviceSOAPBinding.sm
-    ref = property(fget=_getRef, doc="local session manager instance")
+    defaultEnvironKeyName = "ndg.security.server.wsgi.sessionManagerFilter"
+    attributeAuthorityEnvironKeyName = \
+        WSGIAttributeAuthorityClient.defaultEnvironKeyName
+        
+    _getLocalClient = lambda self:self._environ[
+                                    self.environKeyName].serviceSOAPBinding.sm
+                                    
+    localClient = property(fget=_getLocalClient, 
+                           doc="local session manager instance")
 
     
     def __init__(self, 
-                 environKey=None, 
-                 attributeAuthorityEnvironKey=None,
+                 environKeyName=None, 
+                 attributeAuthorityEnvironKeyName=None,
                  environ={}, 
-                 **soapClientKw):
+                 **clientKw):
+        """Initialise an interface to a Session Manager accessible either via a
+        keyword to a WSGI environ dictionary or via a web service call
+        
+        @type environKeyName: basestring or None
+        @param environKeyName: dict key reference to service object to be 
+        invoked.  This may be set later using the environKeyName property
+        or may be omitted altogether if the service is to be invoked via a
+        web service call
+        @type environ: dict
+        @param environ: WSGI environment dictionary containing a reference to
+        the service object.  This may not be known at instantiation of this
+        class.  environ is not required if the service is to be invoked over
+        a web service interface
+        @type clientKw: dict
+        @param clientKw: custom keywords to instantiate a web service client
+        interface.  Derived classes are responsible for instantiating this
+        from an extended version of this __init__ method.
+        """
  
         log.debug("WSGISessionManagerClient.__init__ ...")
         
-        self._environKey = environKey or WSGISessionManagerClient.environKey
-        self._attributeAuthorityEnvironKey = attributeAuthorityEnvironKey or \
-                        WSGISessionManagerClient.attributeAuthorityEnvironKey
+        self.environKeyName = environKeyName or \
+                               WSGISessionManagerClient.defaultEnvironKeyName
+                               
+        self._attributeAuthorityEnvironKeyName = \
+                    attributeAuthorityEnvironKeyName or \
+                    WSGISessionManagerClient.attributeAuthorityEnvironKeyName
                         
         # Standard WSGI environment dict
         self._environ = environ
         
-        if soapClientKw.get('uri'):
-            self._client = SessionManagerClient(**soapClientKw)
-        else:
-            self._client = None
+        if clientKw.get('uri'):
+            self.wsClient = SessionManagerClient(**clientKw)
+        else:
+            self.wsClient = None
 
    
@@ -141 +166 @@
         """
     
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             log.debug("Connecting to local Session Manager instance")
             if 'username' in kw:
@@ -148 +173 @@
                 
             # Connect to local instance
-            res = self.ref.connect(username=username, **kw)
-            
-        elif self._client is None:            
+            res = self.localClient.connect(username=username, **kw)
+            
+        elif self.wsClient is None:            
             raise WSGISessionManagerClientConfigError("No reference to a "
                         "local Session Manager is set and no SOAP client "
@@ -162 +187 @@
             
             # Make connection to remote service
-            res = self._client.connect(username, **kw)
+            res = self.wsClient.connect(username, **kw)
     
             # Convert from unicode because unicode causes problems with
@@ -182 +207 @@
         # Modify keywords according to correct interface for server side /
         # SOAP client
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             if 'userDN' in kw:
                 log.warning('Removing keyword "userDN": this is not supported '
@@ -189 +214 @@
                 kw.pop('userX509Cert', None)
                 
-            self.ref.deleteUserSession(**kw)
-            
-        elif self._client is None:            
+            self.localClient.deleteUserSession(**kw)
+            
+        elif self.wsClient is None:            
             raise WSGISessionManagerClientConfigError("No reference to a "
                         "local Session Manager is set and no SOAP client "
@@ -199 +224 @@
                 kw['userDN'] = kw.pop('userX509Cert').dn
                 
-            self._client.disconnect(**kw)
+            self.wsClient.disconnect(**kw)
         
     
@@ -212 +237 @@
         the SOAP client"""
     
-        if self.refInEnviron:
-            return self.ref.getSessionStatus(**kw)
-        
-        elif self._client is None:            
+        if self.localClientInEnviron:
+            return self.localClient.getSessionStatus(**kw)
+        
+        elif self.wsClient is None:            
             raise WSGISessionManagerClientConfigError("No reference to a "
                         "local Session Manager is set and no SOAP client "
                         "to a remote service has been initialized")
         else:
-            return self._client.getSessionStatus(**kw)
+            return self.wsClient.getSessionStatus(**kw)
     
 
@@ -236 +261 @@
         """
         
-        if self.refInEnviron:
+        if self.localClientInEnviron:
             # Connect to local instance of Session Manager - next check for 
             # an Attribute Authority URI or instance running locally
@@ -243 +268 @@
                 wsgiAttributeAuthorityClient = WSGIAttributeAuthorityClient(
                                 environ=self._environ,
-                                environKey=self._attributeAuthorityEnvironKey)
-
-                if wsgiAttributeAuthorityClient.refInEnviron:
+                                environKeyName=self._attributeAuthorityEnvironKeyName)
+
+                if wsgiAttributeAuthorityClient.localClientInEnviron:
                     kw['attributeAuthority'] = wsgiAttributeAuthorityClient.ref
                 else:
@@ -252 +277 @@
                         "set and no reference is available in environ")
                     
-            return self.ref.getAttCert(**kw)
-    
-        elif self._client is None:            
+            return self.localClient.getAttCert(**kw)
+    
+        elif self.wsClient is None:            
             raise WSGISessionManagerClientConfigError("No reference to a "
                         "local Session Manager is set and no SOAP client "
@@ -285 +310 @@
                             'this keyword')
 
-            return self._client.getAttCert(**kw)
+            return self.wsClient.getAttCert(**kw)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini

@@ -5 +5 @@
 #
 [DEFAULT]
+testConfigDir = %(here)s/../../config
 
 [server:main]
@@ -44 +45 @@
 pdp.policyFilePath = %(here)s/policy.xml
 
-# Settings for connection to the user's Session Manager
-sessionManagerClient.sslCACertFilePathList=
+# Settings for Policy Information Point used by the Policy Decision Point to
+# retrieve subject attributes from the Attribute Authority associated with the
+# resource to be accessed
+pip.sslCACertFilePathList=
+
 #
 # WS-Security Settings for call to Session Manager
@@ -57 +61 @@
 
 # PEM encode cert
-sessionManagerClient.wssecurity.signingCertFilePath=
+pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
 
 # PEM encoded private key file
-sessionManagerClient.wssecurity.signingPriKeyFilePath=
+pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
 
 # Password protecting private key.  Leave blank if there is no password.
-sessionManagerClient.wssecurity.signingPriKeyPwd=
+pip.wssecurity.signingPriKeyPwd=
 
-# Provide a space separated list of file paths
-sessionManagerClient.wssecurity.caCertFilePathList=
+# For signature verification.  Provide a space separated list of file paths
+pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
 
 # ValueType for the BinarySecurityToken added to the WSSE header
-sessionManagerClient.wssecurity.reqBinSecTokValType=X509v3
+pip.wssecurity.reqBinSecTokValType=X509v3
 
 # Add a timestamp element to an outbound message
-sessionManagerClient.wssecurity.addTimestamp=True
+pip.wssecurity.addTimestamp=True

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini

@@ -300 +300 @@
 openid.provider.axResponse.sessionManagerURI=%(sessionManagerURI)s
 openid.provider.axResponse.sessionManagerURITypeURI=%(openid.ax.sessionManagerURI.typeURI)s
-openid.provider.axResponse.sessionManagerURI=%(sessionId)s
 openid.provider.axResponse.sessionIdTypeURI=%(openid.ax.sessionId.typeURI)s
 
@@ -319 +318 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-openid.provider.authN.environKey=filter:SessionManagerFilter
+openid.provider.authN.environKeyName=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/serverapp.py

@@ -31 +31 @@
         try:
             client = WSGISessionManagerClient(environ=environ,
-                                        environKey=self.sessionManagerFilterID)
+                                    environKeyName=self.sessionManagerFilterID)
             res = client.connect(username, passphrase=password)
 
@@ -38 +38 @@
             
             # Keep a reference to the session ID for test purposes
-            environ[client.environKey+'.user'] = res[-1]
+            environ[client.environKeyName+'.user'] = res[-1]
                 
         except Exception, e:
@@ -92 +92 @@
     def test_localSessionManagerGetSessionStatus(self, environ,start_response):
         client = WSGISessionManagerClient(environ=environ,
-                                        environKey=self.sessionManagerFilterID)
-        stat=client.getSessionStatus(sessID=environ[client.environKey+'.user'])
+                                    environKeyName=self.sessionManagerFilterID)
+        stat=client.getSessionStatus(
+                                sessID=environ[client.environKeyName+'.user'])
         start_response('200 OK', [('Content-type', 'text/xml')])
         return ("test_localSessionManagerGetSessionStatus succeeded. Response "
@@ -101 +102 @@
     def test_localSessionManagerDisconnect(self, environ, start_response):
         client = WSGISessionManagerClient(environ=environ,
-                                        environKey=self.sessionManagerFilterID)
-        client.disconnect(sessID=environ[client.environKey+'.user'])
+                                    environKeyName=self.sessionManagerFilterID)
+        client.disconnect(sessID=environ[client.environKeyName+'.user'])
         
         # Re-initialise user authentication
@@ -112 +113 @@
     def test_localSessionManagerGetAttCert(self, environ, start_response):
         client = WSGISessionManagerClient(environ=environ,
-                environKey=self.sessionManagerFilterID,
-                attributeAuthorityEnvironKey=self.attributeAuthorityFilterID)
-
-        attCert = client.getAttCert(sessID=environ[client.environKey+'.user'])
+            environKeyName=self.sessionManagerFilterID,
+            attributeAuthorityEnvironKeyName=self.attributeAuthorityFilterID)
+
+        attCert = client.getAttCert(
+                                sessID=environ[client.environKeyName+'.user'])
         start_response('200 OK', [('Content-type', 'text/xml')])
         return str(attCert)
@@ -121 +123 @@
     def test_localAttributeAuthorityGetHostInfo(self, environ, start_response):
         client = WSGIAttributeAuthorityClient(environ=environ,
-                                    environKey=self.attributeAuthorityFilterID)
+                                environKeyName=self.attributeAuthorityFilterID)
         hostInfo = client.getHostInfo()
         start_response('200 OK', [('Content-type', 'text/html')])
@@ -131 +133 @@
                                                        start_response):
         client = WSGIAttributeAuthorityClient(environ=environ,
-                                    environKey=self.attributeAuthorityFilterID)
+                                environKeyName=self.attributeAuthorityFilterID)
         role = environ.get('QUERY_STRING', '').split('=')[-1] or None
         hostInfo = client.getTrustedHostInfo(role=role)
@@ -142 +144 @@
                                                     start_response):
         client = WSGIAttributeAuthorityClient(environ=environ,
-                                    environKey=self.attributeAuthorityFilterID)
+                                environKeyName=self.attributeAuthorityFilterID)
         hostInfo = client.getAllHostsInfo()
         start_response('200 OK', [('Content-type', 'text/html')])
@@ -152 +154 @@
         
         client = WSGIAttributeAuthorityClient(environ=environ,
-                                    environKey=self.attributeAuthorityFilterID)
+                                environKeyName=self.attributeAuthorityFilterID)
         username=CombinedServicesWSGI.httpBasicAuthentication._userIn.users[-1]
         

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/services.ini

@@ -438 +438 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-#openid.provider.authN.environKey=filter:SessionManagerFilter
+#openid.provider.authN.environKeyName=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openid/securityservices.ini

@@ -295 +295 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-openid.provider.authN.environKey=filter:SessionManagerFilter
+openid.provider.authN.environKeyName=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidprovider/securityservices.ini

@@ -261 +261 @@
 # setting below is the default and can be omitted if it matches the filterID
 # set for the Session Manager
-openid.provider.authN.environKey=filter:SessionManagerFilter
+openid.provider.authN.environKeyName=filter:SessionManagerFilter
 
 # Database connection to enable check between username and OpenID identifier