Changeset 6271

Timestamp:

07/01/10 14:12:08 (10 years ago)

Author:

pjkersha

Message:

Working Genshi PEP result handler plugin

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (9 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py (modified) (6 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/layout/default.css (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/templates/accessdenied.html (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/session.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/CEDA_RightButton60.png (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/NERC_Logo.gif (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/NERC_Logo_Swindon.gif (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/badc logo_sm.jpg (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/badc_logo4ndg.jpg (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/default.css (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/icons (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/icons/help.png (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/ndg_logo_circle.gif (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/neodc_logo4ndg.jpg (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/openid-inputicon.gif (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/pep_result_handler/layout/stfc-circle-sm.gif (added)
• ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -16 +16 @@
 from urlparse import urlunsplit
 from httplib import UNAUTHORIZED, FORBIDDEN
-        
+
+from paste.cascade import Cascade
+from paste.urlparser import StaticURLParser
 from authkit.authenticate.multi import MultiHandler
 
@@ -32 +34 @@
 from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 
                                               SessionHandlerMiddleware)
-    
+from ndg.security.server.wsgi.authz.result_handler import \
+    PEPResultHandlerMiddlewareBase
+from ndg.security.server.wsgi.authz.result_handler.basic import \
+    PEPResultHandlerMiddleware
+
 from ndg.security.common.authz.msi import (Policy, PIP, PIPBase, 
                                            PIPAttributeQuery, 
@@ -41 +47 @@
 class PEPFilterError(Exception):
     """Base class for PEPFilter exception types"""
+    
     
 class PEPFilterConfigError(PEPFilterError):
@@ -61 +68 @@
     
     SESSION_KEYNAME = 'sessionKey'
-
-    # Key names for PEP context information
-    PEPCTX_SESSION_KEYNAME = 'pepCtx'
-    PEPCTX_REQUEST_SESSION_KEYNAME = 'request'
-    PEPCTX_RESPONSE_SESSION_KEYNAME = 'response'
-    PEPCTX_TIMESTAMP_SESSION_KEYNAME = 'timestamp'
     POLICY_FILEPATH_PARAMNAME = 'filePath'
     
@@ -622 +623 @@
     """AuthorizationMiddlewareBase configuration related exceptions"""
  
- 
-# Import here to avoid import error
-from ndg.security.server.wsgi.authz.result_handler.basic import \
-    PEPResultHandlerMiddleware
    
 class AuthorizationMiddlewareBase(NDGSecurityMiddlewareBase):
@@ -640 +637 @@
     PIP_PARAM_PREFIX = 'pip.'
     PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler"
-    
-        
+    PEP_RESULT_HANDLER_PARAM_PREFIX = PEP_RESULT_HANDLER_PARAMNAME + '.'
+    PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir'
+    
     class PIP_MIDDLEWARE_CLASS(object):
         """Policy Information Point WSGI middleware abstract base, 
@@ -668 +666 @@
         dictionary
         """
-        authzPrefix = prefix + AuthorizationMiddlewareBase.PEP_PARAM_PREFIX
+        cls = AuthorizationMiddlewareBase
+        
+        # Allow for static content for use with PEP result handler middleware        
+        pepResultHandlerParamPrefix = prefix + \
+                                            cls.PEP_RESULT_HANDLER_PARAM_PREFIX
+        pepResultHandlerStaticContentDirParamName = \
+            pepResultHandlerParamPrefix + \
+            cls.PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME
+        
+        pepResultHandlerStaticContentDir = app_conf.get(
+                                    pepResultHandlerStaticContentDirParamName)
+        if pepResultHandlerStaticContentDir is not None:    
+            staticApp = StaticURLParser(pepResultHandlerStaticContentDir)
+            app = Cascade([app, staticApp], catch=(404,))
+
+        authzPrefix = prefix + cls.PEP_PARAM_PREFIX
         pepFilter = PEPFilter(app,
                               global_conf,
@@ -678 +691 @@
         # so that it can take a copy of the beaker session object from environ
         # ahead of the PDP's request to it for an Attribute Certificate
-        pipPrefix = AuthorizationMiddlewareBase.PIP_PARAM_PREFIX
+        pipPrefix = cls.PIP_PARAM_PREFIX
         pipFilter = self.__class__.PIP_MIDDLEWARE_CLASS(pepFilter,
                                                         global_conf,
@@ -688 +701 @@
 
         pepResultHandlerClassName = app_conf.pop(
-                prefix+AuthorizationMiddlewareBase.PEP_RESULT_HANDLER_PARAMNAME, 
-                None)
+                                        prefix+cls.PEP_RESULT_HANDLER_PARAMNAME, 
+                                        None)
         if pepResultHandlerClassName is None:
             pepResultHandler = PEPResultHandlerMiddleware
         else:
             pepResultHandler = importClass(pepResultHandlerClassName,
-                                        objectType=PEPResultHandlerMiddleware)
-            
+                                    objectType=PEPResultHandlerMiddlewareBase)
+                               
         app.add_method(PEPFilter.MIDDLEWARE_ID,
                        pepResultHandler.filter_app_factory,
                        global_conf,
-                       prefix=prefix,
+                       prefix=pepResultHandlerParamPrefix,
                        **app_conf)
         
-        app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc)                
-        
-        super(AuthorizationMiddlewareBase, self).__init__(app,
-                                                      global_conf,
-                                                      prefix=prefix,
-                                                      **app_conf)
+        app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc)
+
+        super(AuthorizationMiddlewareBase, self).__init__(app, {})
  
 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/__init__.py

@@ -12 +12 @@
 __revision__ = "$Id: $"
 __license__ = "BSD - see LICENSE file in top-level directory"
+from ndg.security.server.wsgi.session import SessionMiddlewareBase
+
+
+class PEPResultHandlerMiddlewareBase(SessionMiddlewareBase):
+    """Abstract Base class for Policy Enforcement Point result handler 
+    specialisations"""
+    
+    @SessionMiddlewareBase.initCall
+    def __call__(self, environ, start_response):
+        """Set access denied response in derived class
+        
+        @type environ: dict
+        @param environ: WSGI environment variables dictionary
+        @type start_response: function
+        @param start_response: standard WSGI start response function
+        @rtype: iterable
+        @return: response
+        """ 
+        raise NotImplementedError()

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py

@@ -18 +18 @@
 
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
-from ndg.security.server.wsgi.session import SessionMiddlewareBase
-from ndg.security.server.wsgi.authz import PEPFilter
+from ndg.security.server.wsgi.authz.result_handler import (
+                                                PEPResultHandlerMiddlewareBase)
 
 
-class PEPResultHandlerMiddleware(SessionMiddlewareBase):
+class PEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase):
     """This middleware is invoked if access is denied to a given resource.  It
     is incorporated into the call stack by passing it in to a MultiHandler 
@@ -35 +35 @@
     AuthorizationMiddlewareBase pepResultHandler keyword.
     
-    SessionMiddlewareBase base class defines user session key and 
-    isAuthenticated property
+    PEPResultHandlerMiddlewareBase (SessionMiddlewareBase) base class defines 
+    user session key and isAuthenticated property
     """
     
@@ -56 +56 @@
                                                          **app_conf)
                
-    @NDGSecurityMiddlewareBase.initCall
+    @PEPResultHandlerMiddlewareBase.initCall
     def __call__(self, environ, start_response):
         
         log.debug("PEPResultHandlerMiddleware.__call__ ...")
         
-        self.session = self.environ.get(self.sessionKey)
+        session = self.environ.get(self.sessionKey)
         if not self.isAuthenticated:
             # This check is included as a precaution: this condition should be
@@ -70 +70 @@
         else:
             # Get response message from PDP recorded by PEP
-            pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {})
-            pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME)
+            pepCtx = session.get(
+                    PEPResultHandlerMiddleware.PEPCTX_SESSION_KEYNAME, {})
+            pdpResponse = pepCtx.get(
+                    PEPResultHandlerMiddleware.PEPCTX_RESPONSE_SESSION_KEYNAME)
             msg = getattr(pdpResponse, 'message', '') or ''
                 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py

@@ -11 +11 @@
 __revision__ = "$Id: $"
 __license__ = "BSD - see LICENSE file in top-level directory"
+import logging
+log = logging.getLogger(__name__)
+
+from os import path
+from httplib import UNAUTHORIZED, FORBIDDEN
 from string import Template
+
+from paste.cascade import Cascade
+from paste.urlparser import StaticURLParser
 from genshi.template import TemplateLoader
 
-from httplib import UNAUTHORIZED, FORBIDDEN
-
-from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
-from ndg.security.server.wsgi.session import SessionMiddlewareBase
+from ndg.security.server.wsgi.authz.result_handler import \
+    PEPResultHandlerMiddlewareBase
 
 
-class GenshiPEPResultHandlerMiddleware(SessionMiddlewareBase):
+class GenshiPEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase):
     """Genshi based PEP result handler
     """       
     DEFAULT_TMPL_NAME = 'accessdenied.html'
     DEFAULT_TMPL_DIR = path.join(path.dirname(__file__), 'templates')
-    DEFAULT_STATIC_CONTENT_DIR = path.join(path.dirname(__file__), 'layout')
     
     MSG_TMPL = (
@@ -38 +43 @@
         'templateName': DEFAULT_TMPL_NAME,
         'templateRootDir': DEFAULT_TMPL_DIR,
-        'staticContentRootDir': DEFAULT_STATIC_CONTENT_DIR,
+        'baseURL': '',
         'heading': '',
+        'title': '',
         'leftLogo': '',
         'leftAlt': '',
@@ -64 +70 @@
         dictionary
         '''
-        super(GenshiPEPResultHandlerMiddleware, self).__init__(app,
-                                                               global_conf,
-                                                               prefix=prefix,
-                                                               **app_conf) 
+        super(GenshiPEPResultHandlerMiddleware, self).__init__(app, {}) 
                
         # Initialise attributes
@@ -75 +78 @@
         # Update from keywords   
         for i in app_conf:
-            setattr(self, i, app_conf[i])
+            if prefix and i.startswith(prefix):
+                attrName = i.rsplit(prefix, 2)[-1]
+                setattr(self, attrName, app_conf[i])
             
         self.__loader = TemplateLoader(self.templateRootDir, auto_reload=True)
-        
-    @NDGSecurityMiddlewareBase.initCall
+
+    @PEPResultHandlerMiddlewareBase.initCall
     def __call__(self, environ, start_response):
         """Render access denied message or else if user is not authenticated,
@@ -91 +96 @@
         @return: response
         """ 
+        session = self.environ.get(self.sessionKey)
         if not self.isAuthenticated:
             # sets 401 response to be trapped by authentication handler
-            log.warning("PEPResultHandlerMiddleware: user is not "
+            log.warning("GenshiPEPResultHandlerMiddleware: user is not "
                         "authenticated - setting HTTP 401 response")
             return self._setErrorResponse(code=UNAUTHORIZED)
         else:
             # Get response message from PDP recorded by PEP
-            pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {})
-            pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME)
+            cls = GenshiPEPResultHandlerMiddleware
+            pepCtx = session.get(cls.PEPCTX_SESSION_KEYNAME, {})
+            pdpResponse = pepCtx.get(cls.PEPCTX_RESPONSE_SESSION_KEYNAME)
             pdpResponseMsg = getattr(pdpResponse, 'message', '') or ''
                 
@@ -106 +113 @@
 
             response = self._render(xml=msg)
-            start_response(
-                GenshiPEPResultHandlerMiddleware.getStatusMessage(FORBIDDEN),
-                [('Content-type', 'text/html'),
-                 ('Content-Length', str(len(response)))])
+            start_response(cls.getStatusMessage(FORBIDDEN),
+                           [('Content-type', 'text/html'),
+                            ('Content-Length', str(len(response)))])
             
             return response

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/layout/default.css

@@ -1 +1 @@
 /*
-* NDG Security OpenID Provider and Relying Party Stylesheet
+* NDG Security PEP Response handler, OpenID Provider and Relying Party 
+* Stylesheet
 */
 
@@ -12 +13 @@
         line-height:1.4;
         font-size: small;
+}
+
+/*
+* PEP Access Denied message panel
+*/
+#accessDeniedMessage {
+    font-size:0.9em;
+    color: black;
+    background-color: #e6f0f8;
+    margin-top:10px; 
+    margin-bottom: 20px; 
+    padding-top: 10px; 
+    padding-right: 10px; 
+    padding-left: 7px; 
+    padding-bottom: 10px;
 }
 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/templates/accessdenied.html

@@ -7 +7 @@
     </head>
     <body>
+        <?python from genshi import HTML ?>        
         <div id="main">
             <div py:replace="header()"/>
             <div id="errorContent">
-                <div class="error" py:if="c.xml">
-                $xml
+                <div class="error" py:if="xml">
+                ${HTML(xml)}
                 </div>
             </div>

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/__init__.py

@@ -15 +15 @@
 
 from paste.cascade import Cascade
-from paste.registry import RegistryManager
-from paste.urlparser import StaticURLParser
-        
+from paste.urlparser import StaticURLParser     
 from genshi.template import TemplateLoader
 

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

@@ -28 +28 @@
         'sessionKey': 'beaker.session.ndg.security'
     }
+
+    # Key names for PEP context information
+    PEPCTX_SESSION_KEYNAME = 'pepCtx'
+    PEPCTX_REQUEST_SESSION_KEYNAME = 'request'
+    PEPCTX_RESPONSE_SESSION_KEYNAME = 'response'
+    PEPCTX_TIMESTAMP_SESSION_KEYNAME = 'timestamp'
    
     _isAuthenticated = lambda self: \

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini

@@ -78 +78 @@
 paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
 prefix = authz.
+authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
+authz.pepResultHandler.staticContentDir = %(here)s/pep_result_handler
+authz.pepResultHandler.baseURL = http://localhost:7080
+authz.pepResultHandler.heading = Access Denied
+authz.pepResultHandler.messageTemplate = Access is forbidden for this resource:<div id="accessDeniedMessage">$pdpResponseMsg</div>Please check with your site administrator that you have the required access privileges.
+authz.pepResultHandler.footerText = This site is for test purposes only.
+authz.pepResultHandler.rightLink = http://ceda.ac.uk/
+authz.pepResultHandler.rightImage = %(authz.pepResultHandler.baseURL)s/layout/CEDA_RightButton60.png
+authz.pepResultHandler.rightAlt = Centre for Environmental Data Archival
+authz.pepResultHandler.helpIcon = %(authz.pepResultHandler.baseURL)s/layout/icons/help.png
+
 policy.filePath = %(here)s/policy.xml
 

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -35 +35 @@
 port = %(portNum)s
 
-[filter-app:OpenIDProviderFilterApp]
-use = egg:Paste#httpexceptions
-next = cascade
-
-# Composite for OpenID Provider to enable settings for picking up static 
-# content
-[composit:cascade]
-use = egg:Paste#cascade
-app1 = OpenIDProviderStaticContent
-app2 = OpenIDProviderApp
-catch = 404
-
-[app:OpenIDProviderStaticContent]
-use = egg:Paste#static
-document_root = %(here)s/openidprovider
+# Provider borrows content from RP static content dir so the cascade is not
+# needed(!)
+#[filter-app:OpenIDProviderFilterApp]
+#use = egg:Paste#httpexceptions
+#next = cascade
+#
+## Composite for OpenID Provider to enable settings for picking up static 
+## content
+#[composit:cascade]
+#use = egg:Paste#cascade
+#app1 = OpenIDProviderStaticContent
+#app2 = OpenIDProviderApp
+#catch = 404
+#
+#[app:OpenIDProviderStaticContent]
+#use = egg:Paste#static
+#document_root = %(here)s/openidprovider
 
 # Ordering of filters and app is critical