Timestamp:
05/01/10 09:45:34 (11 years ago)
Author:
pjkersha
Message:
  • Refactored PEP result handler code from authz into separate ndg.security.server.wsgi.authz.result_handler package
  • Refactored session handling classes from ndg.security.server.wsgi.authn to new ndg.security.server.wsgi.session module
File:
1 edited

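--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
@@ -31,68 +31,11 @@
                                             SessionHandlerMiddleware)
 
+from ndg.security.server.wsgi.authz.result_handler.basic import \
+    PEPResultHandlerMiddleware
+
 from ndg.security.common.authz.msi import (Policy, PIP, PIPBase,
                                            PIPAttributeQuery,
                                            PIPAttributeResponse, PDP, Request,
                                            Response, Resource, Subject)
-
-
-class PEPResultHandlerMiddleware(SessionMiddlewareBase):
-    """This middleware is invoked if access is denied to a given resource.  It
-    is incorporated into the call stack by passing it in to a MultiHandler
-    instance.  The MultiHandler is configured in the AuthorizationMiddlewareBase
-    class below.  The MultiHandler is passed a checker method which determines
-    whether to allow access, or call this interface.   The checker is
-    implemented in the AuthorizationHandler.  See below ...
-
-    This class can be overridden to define custom behaviour for the access
-    denied response e.g. include an interface to enable users to register for
-    the dataset from which they have been denied access.  See
-    AuthorizationMiddlewareBase pepResultHandler keyword.
-
-    SessionMiddlewareBase base class defines user session key and
-    isAuthenticated property
-    """
-
-    def __init__(self, app, global_conf, prefix='', **app_conf):
-        '''
-        @type app: callable following WSGI interface
-        @param app: next middleware application in the chain
-        @type global_conf: dict
-        @param global_conf: PasteDeploy global configuration dictionary
-        @type prefix: basestring
-        @param prefix: prefix for configuration items
-        @type app_conf: dict
-        @param app_conf: PasteDeploy application specific configuration
-        dictionary
-        '''
-        super(PEPResultHandlerMiddleware, self).__init__(app,
-                                                         global_conf,
-                                                         prefix=prefix,
-                                                         **app_conf)
-
-    @NDGSecurityMiddlewareBase.initCall
-    def __call__(self, environ, start_response):
-
-        log.debug("PEPResultHandlerMiddleware.__call__ ...")
-
-        self.session = self.environ.get(self.sessionKey)
-        if not self.isAuthenticated:
-            # This check is included as a precaution: this condition should be
-            # caught be the AuthNRedirectHandlerMiddleware or PEPFilter
-            log.warning("PEPResultHandlerMiddleware: user is not "
-                        "authenticated - setting HTTP 401 response")
-            return self._setErrorResponse(code=UNAUTHORIZED)
-        else:
-            # Get response message from PDP recorded by PEP
-            pepCtx = self.session.get('pepCtx', {})
-            pdpResponse = pepCtx.get('response')
-            msg = getattr(pdpResponse, 'message', '')
-
-            response = ("Access is forbidden for this resource:%s"
-                        "Please check with your site administrator that you "
-                        "have the required access privileges." %
-                        msg.join(('\n\n',)*2))
-
-            return self._setErrorResponse(code=FORBIDDEN, msg=response)
 
 
@@ -117,5 +60,12 @@
     MIDDLEWARE_ID = 'PEPFilter'
     POLICY_PARAM_PREFIX = 'policy.'
+
     SESSION_KEYNAME = 'sessionKey'
+
+    # Key names for PEP context information
+    PEPCTX_SESSION_KEYNAME = 'pepCtx'
+    PEPCTX_REQUEST_KEYNAME = 'request'
+    PEPCTX_RESPONSE_KEYNAME = 'response'
+    PEPCTX_TIMESTAMP_KEYNAME = 'timestamp'
     POLICY_FILEPATH_PARAMNAME = 'filePath'
 
@@ -220,7 +170,4 @@
         # Record the result in the user's session to enable later
         # interrogation by the AuthZResultHandlerMiddleware
-        session['pepCtx'] = {'request': request, 'response': response,
-                             'timestamp': time()}
-        session.save()
 
         if response.status == Response.DECISION_PERMIT:
@@ -244,4 +191,15 @@
             return self._setErrorResponse(code=triggerStatusCode)
 
+    @classmethod
+    def setSession(cls, session, save=True):
+        session[cls.PEPCTX_SESSION_KEYNAME] = {
+            cls.PEPCTX_REQUEST_KEYNAME: request,
+            cls.PEPCTX_RESPONSE_KEYNAME: response,
+            cls.PEPCTX_TIMESTAMP_KEYNAME: time()
+        }
+
+        if save:
+            session.save()
+
     def _getMatchingTargets(self, resourceURI):
         """This method may only be called following __call__ as __call__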
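Review bot: The new `setSession` classmethod (new lines 193-202) stores `request` and `response` in the session dict, but neither name is a parameter of the method nor visible anywhere in the hunk, so as written the call would raise `NameError` unless module-level names of that exact lowercase spelling exist outside the hunk (the module imports the classes `Request` and `Response`, which are not the same names). The PEP's authorisation decision is what the access-denied handler later reads back from the session, so a broken recorder silently turns every denial into a "no PDP message" response; the fix is to pass the objects in explicitly, `def setSession(cls, session, request, response, save=True):`, leaving the dict body unchanged. Nothing in the visible hunks calls `setSession`, and the only code that previously recorded `pepCtx` (old lines 222-224) was removed while the comment at new lines 170-171 still says the result is recorded there — if no call was added elsewhere in `__call__`, the context is never written, so either a `self.setSession(session, request, response)` belongs where the removed lines were or that comment should go. The method also needs a docstring stating that it overwrites any earlier PEP context under `PEPCTX_SESSION_KEYNAME` and that `save=False` leaves persisting the session to the caller; `__call__` and `_getMatchingTargets` continue outside the hunks.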