Changeset 5555


Ignore:
Timestamp:
04/08/09 14:32:51 (10 years ago)
Author:
pjkersha
Message:

OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


  1. is configured with middleware to intercept requests and apply the security policy. 2. runs services such as the Attribute Authority and OpenID Provider used by 1. The OpenID Relying Party can now be incorporated in either. For cases where an application runs in a different domain to the security services stack it's easier to deploy a Relying Party with the app in 1. as otherwise cookies set by the RP won't be in the scope of the secured app. 2. is useful for where the app is in the same domain as 2. and there's a need to run the RP over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

Location:
TI12-security/trunk/python
Files:
9 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py

    r5549 r5555  
    439439         
    440440        app = authkit.authenticate.middleware(app, app_conf)         
    441         app = SessionMiddleware(app,  
    442                                 environ_key='beaker.session.ndg.security', 
    443                                 **app_conf) 
    444441         
    445442        MultiHandler.__init__(self, app) 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py

    r5549 r5555  
    5353        'sslPeerCertAuthN': True, 
    5454        'signinInterfaceMiddlewareClass': None, 
    55         'baseURL': '', 
    56 #        'sessionKey': 'beaker.session.ndg.security' 
     55        'baseURL': '' 
    5756    } 
    5857    propertyDefaults.update(sslPropertyDefaults) 
     
    139138                                                "WSGI stack") 
    140139         
    141         # Put this check in here after sessiionKey has been set by the  
     140        # Put this check in here after sessionKey has been set by the  
    142141        # super class __init__ above 
    143142        self.sessionKey = authOpenIDHandler.session_middleware 
     
    151150                                                           prefix=prefix,  
    152151                                                           **app_conf) 
    153          
    154 #    @classmethod 
    155 #    def filter_app_factory(cls, app, app_conf, **local_conf): 
    156 #        """Override to enforce correct ordering of beaker session middleware 
    157 #        in WSGI stack""" 
    158 #        app = cls(app, app_conf, **local_conf) 
    159 #        app = SessionMiddleware(app, environ_key=app.sessionKey, **app_conf) 
    160 #        return app 
    161152     
    162153    @NDGSecurityMiddlewareBase.initCall      
     
    214205                                                 (filteredQuery,) + \ 
    215206                                                 splitURI[4:]) 
    216  
    217 #        if self.signoutPath is not None and self.pathInfo == self.signoutPath: 
    218 #            # Redirect to referrer ... 
    219 #            referrer = session.get( 
    220 #                    'ndg.security.server.wsgi.openid.relyingparty.referer') 
    221 #            if referrer is not None: 
    222 #                def setRedirectResponse(status, header, exc_info=None): 
    223 #                    """Add a redirect 'location' item to header and replacing 
    224 #                    any previous setting""" 
    225 #                    filteredHeader = [(field, val) for field, val in header  
    226 #                                      if field.lower() != 'location']         
    227 #                    filteredHeader.extend([('Location', referrer)]) 
    228 #                    return start_response(self.getStatusMessage(302),  
    229 #                                          filteredHeader, 
    230 #                                          exc_info) 
    231 #                     
    232 #                return self._app(environ, setRedirectResponse) 
    233 #            else: 
    234 #                log.debug('No referrer set for redirect following logout') 
    235                  
    236         # Set a return to address following logout.   
    237         # TODO: This code will need to be refactored if this middleware is  
    238         # deployed externally via a proxy - HTTP_REFERER will be the internal  
    239         # URI instead of the one exposed outside 
    240         if 'HTTP_REFERER' in environ: 
    241             session['ndg.security.server.wsgi.openid.relyingparty.referer'] = \ 
    242                 environ['HTTP_REFERER'] 
    243             session.save() 
    244207         
    245208        # See _start_response doc for an explanation... 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/__init__.py

    r5221 r5555  
    99__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    1010__revision__ = "$Id$" 
     11 
     12class AuthZTestApp(object): 
     13    """This class simulates the application to be secured by the NDG Security 
     14    authorization middleware 
     15    """ 
     16    method = { 
     17"/": 'default', 
     18"/test_401": "test_401", 
     19"/test_403": "test_403", 
     20"/test_securedURI": "test_securedURI", 
     21"/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI" 
     22    } 
     23    header = """        <h1>Authorisation Integration Tests:</h1> 
     24        <p>These tests use require the security services application to be 
     25        running.  See securityserviceapp.py and securityservices.ini in the  
     26        authz_lite/ integration test directory.</p> 
     27        <h2>To Run:</h2> 
     28        <p>Try any of the links below.  When prompt for username and password, 
     29        enter one of the sets of credentials from securityservices.ini 
     30        openid.provider.authN.userCreds section.  The defaults are: 
     31        </p> 
     32        <p>pjk/testpassword</p> 
     33        <p>another/testpassword</p> 
     34        <p>The attributeinterface.py AttributeAuthority plugin is configured to 
     35        grant access to 'pjk' for all URLs below apart from  
     36        'test_accessDeniedToSecuredURI'.  The 'another' account will be denied 
     37        access from all URLs apart from 'test_401'</p> 
     38""" 
     39 
     40    def __init__(self, app, globalConfig, **localConfig): 
     41        self.beakerSessionKeyName = globalConfig['beakerSessionKeyName'] 
     42        self.app = app 
     43             
     44    def __call__(self, environ, start_response): 
     45         
     46        methodName = self.method.get(environ['PATH_INFO'], '').rstrip() 
     47        if methodName: 
     48            action = getattr(self, methodName) 
     49            return action(environ, start_response) 
     50        elif environ['PATH_INFO'] == '/logout': 
     51            return self.default(environ, start_response) 
     52         
     53        elif self.app is not None: 
     54            return self.app(environ, start_response) 
     55        else: 
     56            start_response('404 Not Found', [('Content-type', 'text/plain')]) 
     57            return "Authorisation integration tests: invalid URI" 
     58             
     59    def default(self, environ, start_response): 
     60        if 'username' in environ.get(self.beakerSessionKeyName, {}): 
     61            response = """<html> 
     62    <head/> 
     63    <body> 
     64        %s 
     65        <ul>%s</ul> 
     66        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
     67    </body> 
     68</html> 
     69""" % (AuthZTestApp.header, 
     70       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     71                 for link,name in self.method.items() if name != 'default']), 
     72       environ[self.beakerSessionKeyName]['username']) 
     73         
     74            start_response('200 OK',  
     75                           [('Content-type', 'text/html'), 
     76                            ('Content-length', str(len(response)))]) 
     77        else: 
     78            response = """<html> 
     79    <head/> 
     80    <body> 
     81        %s 
     82        <ul>%s</ul> 
     83    </body> 
     84</html> 
     85""" % (AuthZTestApp.header, 
     86       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     87                 for link,name in self.method.items() if name != 'default']) 
     88       ) 
     89 
     90            start_response('200 OK',  
     91                           [('Content-type', 'text/html'), 
     92                            ('Content-length', str(len(response)))]) 
     93        return response 
     94 
     95    def test_401(self, environ, start_response): 
     96        """Trigger the Authentication middleware by returning a 401  
     97        Unauthorized HTTP status code from this URI""" 
     98        username = environ[self.beakerSessionKeyName].get('username') 
     99        if username: 
     100            response = """<html> 
     101        <head/> 
     102        <body> 
     103            <h1>Authenticated!</h1> 
     104            <ul>%s</ul> 
     105            <p>You are logged in.  <a href="/logout">Logout</a></p> 
     106        </body> 
     107    </html> 
     108    """ % '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     109                     for link,name in self.method.items() if name != 'default']) 
     110     
     111            start_response('200 OK',  
     112                           [('Content-type', 'text/html'), 
     113                            ('Content-length', str(len(response)))]) 
     114        else: 
     115            response = "This page shouldn't be displayed!" 
     116            start_response('401 Unauthorized',  
     117                           [('Content-type', 'text/plain'), 
     118                            ('Content-length', str(len(response)))]) 
     119             
     120        return response 
     121 
     122    def test_403(self, environ, start_response): 
     123        """Trigger the Authorization middleware by returning a 403 Forbidden 
     124        HTTP status code from this URI""" 
     125         
     126        username = environ[self.beakerSessionKeyName].get('username') 
     127        if username: 
     128            response = """<html> 
     129    <head/> 
     130    <body> 
     131        <h1>Authorised!</h1> 
     132        <ul>%s</ul> 
     133        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
     134    </body> 
     135</html> 
     136""" % ('\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     137                 for link,name in self.method.items() if name != 'default']), 
     138       username) 
     139 
     140            start_response('200 OK',  
     141                           [('Content-type', 'text/html'), 
     142                            ('Content-length', str(len(response)))]) 
     143        else: 
     144            response = "This page shouldn't be displayed!" 
     145            start_response('403 Forbidden',  
     146                           [('Content-type', 'text/plain'), 
     147                            ('Content-length', str(len(response)))]) 
     148 
     149        return response 
     150 
     151    def test_securedURI(self, environ, start_response): 
     152        """To be secured, the Authorization middleware must have this URI in 
     153        its policy""" 
     154        response = """<html> 
     155    <head/> 
     156    <body> 
     157        <h1>Authorised for path [%s]!</h1> 
     158        <ul>%s</ul> 
     159        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
     160    </body> 
     161</html> 
     162""" % (environ['PATH_INFO'], 
     163       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     164                 for link,name in self.method.items() if name != 'default']), 
     165       environ[self.beakerSessionKeyName]['username']) 
     166 
     167 
     168        start_response('200 OK',  
     169                       [('Content-type', 'text/html'), 
     170                        ('Content-length', str(len(response)))]) 
     171        return response 
     172 
     173 
     174    def test_accessDeniedToSecuredURI(self, environ, start_response): 
     175        """To be secured, the Authorization middleware must have this URI in 
     176        its policy and the user must not have the required role as specified 
     177        in the policy.  See ndg.security.test.config.attributeauthority.sitea 
     178        for user role settings retrieved from the attribute authority""" 
     179        response = """<html> 
     180    <head/> 
     181    <body> 
     182        <h1>Authorised for path [%s]!</h1> 
     183        <ul>%s</ul> 
     184        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
     185    </body> 
     186</html> 
     187""" % (environ['PATH_INFO'], 
     188       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
     189                 for link,name in self.method.items() if name != 'default']), 
     190       environ[self.beakerSessionKeyName]['username']) 
     191 
     192 
     193        start_response('200 OK',  
     194                       [('Content-type', 'text/html'), 
     195                        ('Content-length', str(len(response)))]) 
     196        return response 
     197    
     198    @classmethod 
     199    def app_factory(cls, globalConfig, **localConfig): 
     200        return cls(None, globalConfig, **localConfig) 
     201     
     202    @classmethod 
     203    def filter_app_factory(cls, app, globalConfig, **localConfig): 
     204        return cls(app, globalConfig, **localConfig) 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini

    r5454 r5555  
    3030 
    3131[app:AuthZTestApp] 
    32 paste.app_factory = ndg.security.test.integration.authz.securedapp:AuthZTestMiddleware.app_factory 
     32paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory 
    3333 
    3434[filter:AuthenticationFilter] 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securedapp.ini

    r5451 r5555  
    2020[DEFAULT] 
    2121testConfigDir = %(here)s/../../config 
     22beakerSessionKeyName = beaker.session.ndg.security 
    2223 
    2324[server:main] 
     
    2728 
    2829[pipeline:main] 
    29 pipeline = AuthenticationFilter AuthorizationFilter AuthZTestApp 
     30pipeline = BeakerSessionFilter  
     31                   AuthenticationFilter  
     32                   AuthorizationFilter  
     33                   AuthZTestApp 
    3034 
    3135[app:AuthZTestApp] 
    32 paste.app_factory = ndg.security.test.integration.authz_lite.securedapp:AuthZTestMiddleware.app_factory 
     36paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory 
     37 
     38 
     39[filter:BeakerSessionFilter] 
     40paste.filter_app_factory = beaker.middleware:SessionMiddleware 
     41 
     42# Cookie name 
     43beaker.session.key = ndg.security.session 
     44 
     45# WSGI environ key name 
     46environ_key = %(beakerSessionKeyName)s 
     47beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW 
     48beaker.cache.data_dir = %(here)s/authn/beaker/cache 
     49beaker.session.data_dir = %(here)s/authn/beaker/sessions 
     50 
    3351 
    3452[filter:AuthenticationFilter] 
     
    3856# Set redirect for OpenID Relying Party in the Security Services app instance 
    3957authN.redirectURI = http://localhost:7443/verify 
    40  
    41 # Beaker Session set-up 
    42 beaker.session.key = ndg.security.session 
    43 beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW 
    44 beaker.cache.data_dir = %(here)s/authn/beaker/cache 
    45 beaker.session.data_dir = %(here)s/authn/beaker/sessions 
    4658 
    4759# AuthKit Set-up 
     
    5769# suspected problem with AuthKit setting it when a HTTP Proxy is in place 
    5870authkit.cookie.includeip = False 
     71 
     72# environ key name for beaker session 
     73authkit.session.middleware = %(beakerSessionKeyName)s 
    5974 
    6075[filter:AuthorizationFilter] 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securityservices.ini

    r5454 r5555  
    2222openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s 
    2323testConfigDir = %(here)s/../../config 
     24beakerSessionKeyName = beaker.session.ndg.security.services 
    2425 
    2526#______________________________________________________________________________ 
     
    9596beaker.session.key = openid 
    9697beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU 
    97 # These options enable cookie only type sessions with the cookie content  
    98 # encrypted 
    99 #beaker.session.type = cookie 
    100 #beaker.session.validate_key = 0123456789abcdef 
    101 #beaker.session.encrypt_key = fedcba9876543210 
    10298 
    10399# If you'd like to fine-tune the individual locations of the cache data dirs 
     
    108104beaker.session.cookie_expires = True 
    109105 
     106# Key name for keying into environ dictionary 
     107environ_key = %(beakerSessionKeyName)s 
     108 
    110109[filter:OpenIDRelyingPartyFilter] 
    111110paste.filter_app_factory =  
    112111        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory 
    113112 
    114 openid.relyingparty.sessionKey = beaker.session 
    115113openid.relyingparty.baseURL = %(authkit.openid.baseurl)s 
    116114openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt 
     
    119117openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca 
    120118openid.relyingparty.providerWhitelistFilePath = 
    121 #openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface 
    122 #openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates 
    123119openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate 
    124120openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates 
     
    143139# Authentication Filter used to secure a given app 
    144140authkit.cookie.name=ndg.security.auth 
     141 
    145142authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
    146143authkit.cookie.signoutpath = /logout 
     
    156153authkit.openid.session.secret = random string 
    157154 
     155# Key name for dereferencing beaker.session object held in environ 
     156authkit.openid.session.middleware = %(beakerSessionKeyName)s 
     157 
    158158authkit.openid.baseurl = %(baseURI)s 
    159159 
     
    168168[app:OpenIDProviderMiddlewareApp] 
    169169paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory 
     170 
    170171openid.provider.path.openidserver=/OpenID/Provider/server 
    171172openid.provider.path.login=/OpenID/Provider/login 
     
    187188openid.provider.path.mainpage=/OpenID/Provider/home 
    188189 
    189 openid.provider.session_middleware=beaker.session  
     190openid.provider.session_middleware=%(beakerSessionKeyName)s 
    190191openid.provider.base_url=%(baseURI)s 
    191192openid.provider.trace=False 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securedapp.ini

    r5549 r5555  
    4444 
    4545[app:AuthZTestApp] 
    46 paste.app_factory = ndg.security.test.integration.openidrelyingparty_withapp.securedapp:AuthZTestApp.app_factory 
    47  
    48 [filter:AuthorizationFilter] 
    49 paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory 
    50 prefix = authz. 
    51 policy.filePath = %(here)s/policy.xml 
    52  
    53 # Settings for Policy Information Point used by the Policy Decision Point to 
    54 # retrieve subject attributes from the Attribute Authority associated with the 
    55 # resource to be accessed 
    56 pip.sslCACertFilePathList= 
    57  
    58 # List of CA certificates used to verify the signatures of  
    59 # Attribute Certificates retrieved 
    60 pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt 
    61  
    62 # 
    63 # WS-Security Settings for call to Attribute Authority to retrieve user  
    64 # attributes 
    65  
    66 # Signature of an outbound message 
    67  
    68 # Certificate associated with private key used to sign a message.  The sign  
    69 # method will add this to the BinarySecurityToken element of the WSSE header.   
    70 # binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.   
    71 # As an alternative, use signingCertChain - see below... 
    72  
    73 # PEM encode cert 
    74 pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt 
    75  
    76 # PEM encoded private key file 
    77 pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key 
    78  
    79 # Password protecting private key.  Leave blank if there is no password. 
    80 pip.wssecurity.signingPriKeyPwd= 
    81  
    82 # For signature verification.  Provide a space separated list of file paths 
    83 pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt 
    84  
    85 # ValueType for the BinarySecurityToken added to the WSSE header 
    86 pip.wssecurity.reqBinSecTokValType=X509v3 
    87  
    88 # Add a timestamp element to an outbound message 
    89 pip.wssecurity.addTimestamp=True 
     46paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory 
    9047 
    9148[filter:BeakerSessionFilter] 
     
    13996# Authentication Filter used to secure a given app 
    14097authkit.cookie.name=ndg.security.authkit 
     98 
    14199authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr 
    142100authkit.cookie.signoutpath = %(globalSignoutPath)s 
     
    151109authkit.openid.session.key = authkit_openid 
    152110authkit.openid.session.secret = random string 
     111 
     112# Key name for dereferencing beaker.session object held in environ 
    153113authkit.openid.session.middleware = %(beakerSessionKeyName)s 
    154114 
    155115authkit.openid.baseurl = %(baseURI)s 
     116 
     117 
     118[filter:AuthorizationFilter] 
     119paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory 
     120prefix = authz. 
     121policy.filePath = %(here)s/policy.xml 
     122 
     123# Settings for Policy Information Point used by the Policy Decision Point to 
     124# retrieve subject attributes from the Attribute Authority associated with the 
     125# resource to be accessed 
     126pip.sslCACertFilePathList= 
     127 
     128# List of CA certificates used to verify the signatures of  
     129# Attribute Certificates retrieved 
     130pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt 
     131 
     132# 
     133# WS-Security Settings for call to Attribute Authority to retrieve user  
     134# attributes 
     135 
     136# Signature of an outbound message 
     137 
     138# Certificate associated with private key used to sign a message.  The sign  
     139# method will add this to the BinarySecurityToken element of the WSSE header.   
     140# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.   
     141# As an alternative, use signingCertChain - see below... 
     142 
     143# PEM encode cert 
     144pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt 
     145 
     146# PEM encoded private key file 
     147pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key 
     148 
     149# Password protecting private key.  Leave blank if there is no password. 
     150pip.wssecurity.signingPriKeyPwd= 
     151 
     152# For signature verification.  Provide a space separated list of file paths 
     153pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt 
     154 
     155# ValueType for the BinarySecurityToken added to the WSSE header 
     156pip.wssecurity.reqBinSecTokValType=X509v3 
     157 
     158# Add a timestamp element to an outbound message 
     159pip.wssecurity.addTimestamp=True 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securedapp.py

    r5543 r5555  
    1212__revision__ = "$Id$" 
    1313 
    14     
    15 def app_factory(globalConfig, **localConfig): 
    16     '''AuthZTestApp factory for Paste app pattern''' 
    17     return AuthZTestApp(None, globalConfig, **localConfig) 
    18  
    19 def filter_app_factory(app, globalConfig, **localConfig): 
    20     '''AuthZTestApp factory for Paste filter app pattern''' 
    21     return AuthZTestApp(app, globalConfig, **localConfig) 
    22  
    23 class AuthZTestApp(object): 
    24     """This class simulates the application to be secured by the NDG Security 
    25     authorization middleware 
    26     """ 
    27     method = { 
    28 "/": 'default', 
    29 "/test_401": "test_401", 
    30 "/test_403": "test_403", 
    31 "/test_securedURI": "test_securedURI", 
    32 "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI" 
    33     } 
    34     header = """        <h1>Authorisation Integration Tests:</h1> 
    35         <p>Test Authorisation middleware with no Session Manager running. 
    36         See the authz/ integration test directory for a configuration including 
    37         a Session Manager</p> 
    38         <p>These tests use require the security services application to be 
    39         running.  See securityserviceapp.py and securityservices.ini in the  
    40         authz_lite/ integration test directory.</p> 
    41         <h2>To Run:</h2> 
    42         <p>Try any of the links below.  When prompt for username and password, 
    43         enter one of the sets of credentials from securityservices.ini 
    44         openid.provider.authN.userCreds section.  The defaults are: 
    45         </p> 
    46         <p>pjk/testpassword</p> 
    47         <p>another/testpassword</p> 
    48         <p>The attributeinterface.py AttributeAuthority plugin is configured to 
    49         grant access to 'pjk' for all URLs below apart from  
    50         'test_accessDeniedToSecuredURI'.  The 'another' account will be denied 
    51         access from all URLs apart from 'test_401'</p> 
    52 """ 
    53  
    54     def __init__(self, app, globalConfig, **localConfig): 
    55         self.beakerSessionKeyName = globalConfig['beakerSessionKeyName'] 
    56         self.app = app 
    57              
    58     def __call__(self, environ, start_response): 
    59          
    60         methodName = self.method.get(environ['PATH_INFO'], '').rstrip() 
    61         if methodName: 
    62             action = getattr(self, methodName) 
    63             return action(environ, start_response) 
    64         elif environ['PATH_INFO'] == '/logout': 
    65             return self.default(environ, start_response) 
    66          
    67         elif self.app is not None: 
    68             return self.app(environ, start_response) 
    69         else: 
    70             start_response('404 Not Found', [('Content-type', 'text/plain')]) 
    71             return "Authorisation integration tests: invalid URI" 
    72              
    73     def default(self, environ, start_response): 
    74         if 'username' in environ.get(self.beakerSessionKeyName, {}): 
    75             response = """<html> 
    76     <head/> 
    77     <body> 
    78         %s 
    79         <ul>%s</ul> 
    80         <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
    81     </body> 
    82 </html> 
    83 """ % (AuthZTestApp.header, 
    84        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    85                  for link,name in self.method.items() if name != 'default']), 
    86        environ[self.beakerSessionKeyName]['username']) 
    87          
    88             start_response('200 OK',  
    89                            [('Content-type', 'text/html'), 
    90                             ('Content-length', str(len(response)))]) 
    91         else: 
    92             response = """<html> 
    93     <head/> 
    94     <body> 
    95         %s 
    96         <ul>%s</ul> 
    97     </body> 
    98 </html> 
    99 """ % (AuthZTestApp.header, 
    100        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    101                  for link,name in self.method.items() if name != 'default']) 
    102        ) 
    103  
    104             start_response('200 OK',  
    105                            [('Content-type', 'text/html'), 
    106                             ('Content-length', str(len(response)))]) 
    107         return response 
    108  
    109     def test_401(self, environ, start_response): 
    110         response = """<html> 
    111     <head/> 
    112     <body> 
    113         <h1>Authenticated!</h1> 
    114         <ul>%s</ul> 
    115         <p>You are logged in.  <a href="/logout">Logout</a></p> 
    116     </body> 
    117 </html> 
    118 """ % '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    119                  for link,name in self.method.items() if name != 'default']) 
    120  
    121         start_response('200 OK',  
    122                        [('Content-type', 'text/html'), 
    123                         ('Content-length', str(len(response)))]) 
    124         return response 
    125  
    126     def test_403(self, environ, start_response): 
    127         """Trigger the Authorization middleware by returning a 403 Forbidden 
    128         HTTP status code from this URI""" 
    129          
    130         response = """<html> 
    131     <head/> 
    132     <body> 
    133         <h1>Authorised!</h1> 
    134         <ul>%s</ul> 
    135         <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
    136     </body> 
    137 </html> 
    138 """ % ('\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    139                  for link,name in self.method.items() if name != 'default']), 
    140        environ[self.beakerSessionKeyName]['username']) 
    141  
    142         start_response('200 OK',  
    143                        [('Content-type', 'text/html'), 
    144                         ('Content-length', str(len(response)))]) 
    145         return response 
    146  
    147     def test_securedURI(self, environ, start_response): 
    148         """To be secured, the Authorization middleware must have this URI in 
    149         its policy""" 
    150         response = """<html> 
    151     <head/> 
    152     <body> 
    153         <h1>Authorised for path [%s]!</h1> 
    154         <ul>%s</ul> 
    155         <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
    156     </body> 
    157 </html> 
    158 """ % (environ['PATH_INFO'], 
    159        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    160                  for link,name in self.method.items() if name != 'default']), 
    161        environ[self.beakerSessionKeyName]['username']) 
    162  
    163  
    164         start_response('200 OK',  
    165                        [('Content-type', 'text/html'), 
    166                         ('Content-length', str(len(response)))]) 
    167         return response 
    168  
    169  
    170     def test_accessDeniedToSecuredURI(self, environ, start_response): 
    171         """To be secured, the Authorization middleware must have this URI in 
    172         its policy and the user must not have the required role as specified 
    173         in the policy.  See ndg.security.test.config.attributeauthority.sitea 
    174         for user role settings retrieved from the attribute authority""" 
    175         response = """<html> 
    176     <head/> 
    177     <body> 
    178         <h1>Authorised for path [%s]!</h1> 
    179         <ul>%s</ul> 
    180         <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p> 
    181     </body> 
    182 </html> 
    183 """ % (environ['PATH_INFO'], 
    184        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    185                  for link,name in self.method.items() if name != 'default']), 
    186        environ[self.beakerSessionKeyName]['username']) 
    187  
    188  
    189         start_response('200 OK',  
    190                        [('Content-type', 'text/html'), 
    191                         ('Content-length', str(len(response)))]) 
    192         return response 
    193     
    194     @classmethod 
    195     def app_factory(cls, globalConfig, **localConfig): 
    196         return cls(None, globalConfig, **localConfig) 
    197      
    198     @classmethod 
    199     def filter_app_factory(cls, app, globalConfig, **localConfig): 
    200         return cls(app, globalConfig, **localConfig) 
    20114     
    20215# To start run  
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securityservices.ini

    r5543 r5555  
    2222openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s 
    2323testConfigDir = %(here)s/../../config 
     24beakerSessionKeyName = beaker.session.ndg.security.services 
    2425 
    2526#______________________________________________________________________________ 
     
    107108beaker.session.cookie_expires = True 
    108109 
     110# Key name for keying into environ dictionary 
     111environ_key = %(beakerSessionKeyName)s 
    109112 
    110113#______________________________________________________________________________ 
     
    112115[app:OpenIDProviderMiddlewareApp] 
    113116paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory 
     117 
    114118openid.provider.path.openidserver=/OpenID/Provider/server 
    115119openid.provider.path.login=/OpenID/Provider/login 
     
    131135openid.provider.path.mainpage=/OpenID/Provider/home 
    132136 
    133 openid.provider.session_middleware=beaker.session  
     137openid.provider.session_middleware=%(beakerSessionKeyName)s  
    134138openid.provider.base_url=%(baseURI)s 
    135139openid.provider.trace=False 
Note: See TracChangeset for help on using the changeset viewer.