Timestamp:
22/05/09 10:11:16 (11 years ago)
Author:
pjkersha
Message:

Completed AuthorizationMiddleware unit tests ndg.security.test.unit.wsgi.authz:

  • Test 8, 'test08AccessDeniedForAdminQueryArg' tries out the use case for a URI which can display additional content for users with admin privileges. The caller needs to be able to display the correct content according to whether the user has admin rights or not:
    1. the caller invokes /securedURI?admin=1
    2. if the user has admin rights, the PDP will grant access and the PEP will deliver this URI.
    3. if the user doesn't have admin rights, a special overloaded PEP result handler class detects that access was denied for the admin URI and redirects the user to a modified URI subtracting the admin flag. The application code can then deliver the appropriate content minus admin privileges.
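
The redirect flow described in steps 1 to 3, as an added example that is not part of this changeset or of ndg.security: a WSGI wrapper that turns an access-denied response for a URI carrying the admin flag into a redirect to the same URI without it. It uses the Python 3 standard library; `strip_flag`, `AdminDeniedRedirect`, `constructed_pep` and `request` are hypothetical names, and the wrapped app is assumed to call `start_response` before returning.

```python
from urllib.parse import parse_qsl, quote, urlencode


def strip_flag(path, query_string, flag="admin"):
    """Rebuild a same-origin URI with every `flag` parameter removed."""
    kept = [(k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)
            if k != flag]
    # Collapse leading slashes so "//host/x" cannot become a scheme-relative
    # (off-site) redirect target.
    uri = quote("/" + path.lstrip("/"))
    return uri + ("?" + urlencode(kept) if kept else "")


class AdminDeniedRedirect:
    """Hypothetical result handler: redirects 403s raised for admin URIs."""

    def __init__(self, app, flag="admin"):
        self.app, self.flag = app, flag

    def __call__(self, environ, start_response):
        seen = {}
        body = self.app(environ, lambda s, h, exc_info=None:
                        seen.update(status=s, headers=h))
        query = environ.get("QUERY_STRING", "")
        flagged = any(k == self.flag
                      for k, _ in parse_qsl(query, keep_blank_values=True))
        if seen["status"].startswith("403") and flagged:
            # The flag is absent from the target, so a second denial is
            # passed through as 403 instead of redirecting again.
            target = strip_flag(environ.get("PATH_INFO", "/"), query, self.flag)
            start_response("302 Found", [("Location", target)])
            return [b""]
        start_response(seen["status"], seen["headers"])
        return body


def constructed_pep(environ, start_response):
    """Constructed stand-in for PEP + PDP: this user has no admin rights."""
    denied = ("admin", "1") in parse_qsl(environ.get("QUERY_STRING", ""))
    start_response("403 Forbidden" if denied else "200 OK", [])
    return [b"denied" if denied else b"standard content"]


def request(path, query):
    """Drive the wrapped app once; return (status, headers as a dict)."""
    out = {}
    AdminDeniedRedirect(constructed_pep)(
        {"PATH_INFO": path, "QUERY_STRING": query},
        lambda s, h, exc_info=None: out.update(status=s, headers=dict(h)))
    return out["status"], out["headers"]
```
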
File:
1 edited

  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz.py

    r5329 r5330  
    1212log = logging.getLogger(__name__) 
    1313from time import time 
    14 import httplib 
     14from urlparse import urlunsplit 
    1515 
    1616from ndg.security.server.wsgi import NDGSecurityPathFilter 
     
    3333    implemented in the AuthorizationHandler.  See below ... 
    3434     
    35     TODO: possible refactor to incorporate user role registration interface. 
    36     For ESG collaboration, the scenario following access denied is to g""" 
     35    This class can be overridden to define custom behaviour for the access 
     36    denied response e.g. include an interface to enable users to register for 
     37    the dataset from which they have been denied access.  See  
     38    AuthorizationMiddleware pepResultHandler keyword 
     39    """ 
    3740    propertyDefaults = { 
    3841        'sessionKey': 'beaker.session.ndg.security' 
     
    6467            return self._setErrorResponse(code=401) 
    6568        else: 
    66             # TODO: refactor to include a call to another interface - possibly 
    67             # - another WSGI app to set a user friendly output and include  
    68             # links to enable the user to register for new access privileges 
    69              
    7069            # Get response message from PDP recorded by PEP 
    71             msg = getattr(self.session.get('pepCtx', {}).get('response'), 
    72                           'message', '') 
     70            pepCtx = self.session.get('pepCtx', {}) 
     71            pdpResponse = pepCtx.get('response') 
     72            msg = getattr(pdpResponse, 'message', '') 
    7373                 
    7474            response = \ 
     
    140140                                       'environ' % self.sessionKey) 
    141141             
    142         resourceURI = self.pathInfo 
     142        queryString = environ.get('QUERY_STRING', '') 
     143        resourceURI = urlunsplit(('', '', self.pathInfo, queryString, '')) 
    143144         
    144145        # Check for a secured resource 
    145         matchingTargets = self._getMatchingTargets() 
     146        matchingTargets = self._getMatchingTargets(resourceURI) 
    146147        targetMatch = len(matchingTargets) > 0 
    147148        if not targetMatch: 
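Review bot: at new lines 142-143 the raw QUERY_STRING is appended to the URI that _getMatchingTargets() tests with target.regEx.match(), so whether a request counts as a secured resource now depends on client-controlled query text. A target pattern that anchors the end of the path stops matching as soon as any query string is present and falls into the `if not targetMatch` branch, and a pattern written against `admin=1` will not match an equivalent query in a different encoding or parameter order. Suggest matching the path and a parsed, normalised query separately, and adding unit tests for a path-only target requested with an arbitrary query string.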
     
    209210            return self._setErrorResponse(code=int(PEPFilter.triggerStatus)) 
    210211 
    211     def _getMatchingTargets(self): 
     212    def _getMatchingTargets(self, resourceURI): 
    212213        """This method may only be called following __call__ as __call__ 
    213214        updates the pathInfo property 
    214215         
     216        @type resourceURI: basestring 
     217        @param resourceURI: the URI of the requested resource 
    215218        @rtype: list 
    216219        @return: return list of policy target objects matching the current  
    217220        path  
    218221        """ 
    219         resourceURI = self.pathInfo 
    220222        matchingTargets = [target for target in self.policy.targets  
    221223                           if target.regEx.match(resourceURI) is not None] 
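Review bot: the docstring at new lines 213-214 still says the method may only be called after __call__ because __call__ updates the pathInfo property, and the @return text still refers to "the current path", but the body now matches only the resourceURI argument. Update both to describe the parameter, and state whether resourceURI is expected to include the query string.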
     
    304306        app = MultiHandler(pepFilter) 
    305307         
    306         pepResultHandlerClassName = app_conf.pop(prefix+"pep.resultHandler",  
     308        pepResultHandlerClassName = app_conf.pop(prefix+"pepResultHandler",  
    307309                                                 None)  
    308310        if pepResultHandlerClassName is None: 
    309311            pepResultHandler = PEPResultHandlerMiddleware 
    310312        else: 
    311             pepResultHandler = importClass(pepResultHandlerClassName) 
    312             if not isinstance(pepResultHandler, PEPResultHandlerMiddleware): 
    313                 raise AuthorizationMiddlewareConfigError("Expecting " 
    314                     "PEPResultHandlerMiddleware derived class for " 
    315                     "pepResultHandler setting; got %s" % pepResultHandler) 
     313            pepResultHandler = importClass(pepResultHandlerClassName, 
     314                                        objectType=PEPResultHandlerMiddleware) 
    316315             
    317316        app.add_method(PEPFilter.id, 
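Review bot: renaming the option from prefix+"pep.resultHandler" to prefix+"pepResultHandler" at new line 308 means a deployment still using the old key gets None from app_conf.pop() and silently falls back to the default PEPResultHandlerMiddleware. Suggest also checking for the old key and raising an error or logging a warning when it is present. Separately, the removed isinstance() test was applied to an imported class rather than an instance, so it is worth confirming that importClass(..., objectType=PEPResultHandlerMiddleware) checks with issubclass and still raises a configuration error for a wrong type.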