Changeset 6271
- Timestamp:
- 07/01/10 14:12:08 (11 years ago)
- Location:
- TI12-security/trunk/NDGSecurity/python
- Files:
-
- 14 added
- 10 edited
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
r6265 r6271 16 16 from urlparse import urlunsplit 17 17 from httplib import UNAUTHORIZED, FORBIDDEN 18 18 19 from paste.cascade import Cascade 20 from paste.urlparser import StaticURLParser 19 21 from authkit.authenticate.multi import MultiHandler 20 22 … … 32 34 from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 33 35 SessionHandlerMiddleware) 34 36 from ndg.security.server.wsgi.authz.result_handler import \ 37 PEPResultHandlerMiddlewareBase 38 from ndg.security.server.wsgi.authz.result_handler.basic import \ 39 PEPResultHandlerMiddleware 40 35 41 from ndg.security.common.authz.msi import (Policy, PIP, PIPBase, 36 42 PIPAttributeQuery, … … 41 47 class PEPFilterError(Exception): 42 48 """Base class for PEPFilter exception types""" 49 43 50 44 51 class PEPFilterConfigError(PEPFilterError): … … 61 68 62 69 SESSION_KEYNAME = 'sessionKey' 63 64 # Key names for PEP context information65 PEPCTX_SESSION_KEYNAME = 'pepCtx'66 PEPCTX_REQUEST_SESSION_KEYNAME = 'request'67 PEPCTX_RESPONSE_SESSION_KEYNAME = 'response'68 PEPCTX_TIMESTAMP_SESSION_KEYNAME = 'timestamp'69 70 POLICY_FILEPATH_PARAMNAME = 'filePath' 70 71 … … 622 623 """AuthorizationMiddlewareBase configuration related exceptions""" 623 624 624 625 # Import here to avoid import error626 from ndg.security.server.wsgi.authz.result_handler.basic import \627 PEPResultHandlerMiddleware628 625 629 626 class AuthorizationMiddlewareBase(NDGSecurityMiddlewareBase): … … 640 637 PIP_PARAM_PREFIX = 'pip.' 641 638 PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler" 642 643 639 PEP_RESULT_HANDLER_PARAM_PREFIX = PEP_RESULT_HANDLER_PARAMNAME + '.' 
640 PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir' 641 644 642 class PIP_MIDDLEWARE_CLASS(object): 645 643 """Policy Information Point WSGI middleware abstract base, … … 668 666 dictionary 669 667 """ 670 authzPrefix = prefix + AuthorizationMiddlewareBase.PEP_PARAM_PREFIX 668 cls = AuthorizationMiddlewareBase 669 670 # Allow for static content for use with PEP result handler middleware 671 pepResultHandlerParamPrefix = prefix + \ 672 cls.PEP_RESULT_HANDLER_PARAM_PREFIX 673 pepResultHandlerStaticContentDirParamName = \ 674 pepResultHandlerParamPrefix + \ 675 cls.PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME 676 677 pepResultHandlerStaticContentDir = app_conf.get( 678 pepResultHandlerStaticContentDirParamName) 679 if pepResultHandlerStaticContentDir is not None: 680 staticApp = StaticURLParser(pepResultHandlerStaticContentDir) 681 app = Cascade([app, staticApp], catch=(404,)) 682 683 authzPrefix = prefix + cls.PEP_PARAM_PREFIX 671 684 pepFilter = PEPFilter(app, 672 685 global_conf, … … 678 691 # so that it can take a copy of the beaker session object from environ 679 692 # ahead of the PDP's request to it for an Attribute Certificate 680 pipPrefix = AuthorizationMiddlewareBase.PIP_PARAM_PREFIX693 pipPrefix = cls.PIP_PARAM_PREFIX 681 694 pipFilter = self.__class__.PIP_MIDDLEWARE_CLASS(pepFilter, 682 695 global_conf, … … 688 701 689 702 pepResultHandlerClassName = app_conf.pop( 690 prefix+AuthorizationMiddlewareBase.PEP_RESULT_HANDLER_PARAMNAME,691 None)703 prefix+cls.PEP_RESULT_HANDLER_PARAMNAME, 704 None) 692 705 if pepResultHandlerClassName is None: 693 706 pepResultHandler = PEPResultHandlerMiddleware 694 707 else: 695 708 pepResultHandler = importClass(pepResultHandlerClassName, 696 objectType=PEPResultHandlerMiddleware)697 709 objectType=PEPResultHandlerMiddlewareBase) 710 698 711 app.add_method(PEPFilter.MIDDLEWARE_ID, 699 712 pepResultHandler.filter_app_factory, 700 713 global_conf, 701 prefix=p refix,714 
prefix=pepResultHandlerParamPrefix, 702 715 **app_conf) 703 716 704 app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc) 705 706 super(AuthorizationMiddlewareBase, self).__init__(app, 707 global_conf, 708 prefix=prefix, 709 **app_conf) 717 app.add_checker(PEPFilter.MIDDLEWARE_ID, pepInterceptFunc) 718 719 super(AuthorizationMiddlewareBase, self).__init__(app, {}) 710 720 711 721 -
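Review bot: The static content directory is read with `app_conf.get(pepResultHandlerStaticContentDirParamName)` while the handler class name a few lines later is removed with `app_conf.pop(...)`, so `staticContentDir` stays in app_conf, is forwarded through `**app_conf` to `pepResultHandler.filter_app_factory`, and the Genshi handler's prefix loop in this changeset then sets it as an instance attribute; `pepResultHandlerStaticContentDir = app_conf.pop(pepResultHandlerStaticContentDirParamName, None)` keeps the two parameters consistent. `StaticURLParser` makes the whole configured directory tree reachable for any request the enclosing `PEPFilter` does not intercept, and a missing or mistyped path only surfaces at request time, so a construction-time `os.path.isdir` check raising the module's configuration error class would be worth adding (importing `os` if it is not already in scope). The enclosing `__init__` starts before this hunk and the point where `app` becomes the object that `add_method` is called on is not visible here.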
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/__init__.py
r6264 r6271 12 12 __revision__ = "$Id: $" 13 13 __license__ = "BSD - see LICENSE file in top-level directory" 14 from ndg.security.server.wsgi.session import SessionMiddlewareBase 15 16 17 class PEPResultHandlerMiddlewareBase(SessionMiddlewareBase): 18 """Abstract Base class for Policy Enforcement Point result handler 19 specialisations""" 20 21 @SessionMiddlewareBase.initCall 22 def __call__(self, environ, start_response): 23 """Set access denied response in derived class 24 25 @type environ: dict 26 @param environ: WSGI environment variables dictionary 27 @type start_response: function 28 @param start_response: standard WSGI start response function 29 @rtype: iterable 30 @return: response 31 """ 32 raise NotImplementedError() -
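Review bot: The new abstract base does not document the contract a subclass must satisfy: `AuthorizationMiddlewareBase` in this changeset imports the configured handler with `objectType=PEPResultHandlerMiddlewareBase` and then calls `filter_app_factory` on the class with a prefixed app_conf, so the class docstring should say that subclasses must provide `filter_app_factory(app, global_conf, prefix=..., **app_conf)` and a `__call__` that builds the denial response from the PEP context stored in the session under `PEPCTX_SESSION_KEYNAME`. The `@SessionMiddlewareBase.initCall` decorator on the abstract `__call__` presumably does its environ bookkeeping before `NotImplementedError` is raised; dropping the decorator here and leaving it to the concrete overrides, `def __call__(self, environ, start_response): raise NotImplementedError()`, makes the abstract method inert.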
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py
r6265 r6271 18 18 19 19 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase 20 from ndg.security.server.wsgi. session import SessionMiddlewareBase21 from ndg.security.server.wsgi.authz import PEPFilter 20 from ndg.security.server.wsgi.authz.result_handler import ( 21 PEPResultHandlerMiddlewareBase) 22 22 23 23 24 class PEPResultHandlerMiddleware( SessionMiddlewareBase):24 class PEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase): 25 25 """This middleware is invoked if access is denied to a given resource. It 26 26 is incorporated into the call stack by passing it in to a MultiHandler … … 35 35 AuthorizationMiddlewareBase pepResultHandler keyword. 36 36 37 SessionMiddlewareBase base class defines user session key and38 isAuthenticated property37 PEPResultHandlerMiddlewareBase (SessionMiddlewareBase) base class defines 38 user session key and isAuthenticated property 39 39 """ 40 40 … … 56 56 **app_conf) 57 57 58 @ NDGSecurityMiddlewareBase.initCall58 @PEPResultHandlerMiddlewareBase.initCall 59 59 def __call__(self, environ, start_response): 60 60 61 61 log.debug("PEPResultHandlerMiddleware.__call__ ...") 62 62 63 se lf.session = self.environ.get(self.sessionKey)63 session = self.environ.get(self.sessionKey) 64 64 if not self.isAuthenticated: 65 65 # This check is included as a precaution: this condition should be … … 70 70 else: 71 71 # Get response message from PDP recorded by PEP 72 pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {}) 73 pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME) 72 pepCtx = session.get( 73 PEPResultHandlerMiddleware.PEPCTX_SESSION_KEYNAME, {}) 74 pdpResponse = pepCtx.get( 75 PEPResultHandlerMiddleware.PEPCTX_RESPONSE_SESSION_KEYNAME) 74 76 msg = getattr(pdpResponse, 'message', '') or '' 75 77 -
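Review bot: `session = self.environ.get(self.sessionKey)` is None when no beaker session is present in environ, and the `else` branch then fails with an AttributeError on `session.get(...)` instead of a clear diagnostic; either default to an empty mapping, `session = self.environ.get(self.sessionKey, {})`, so the denial page still renders with an empty message, or log the missing session and return the error response explicitly. The same pattern is introduced in `GenshiPEPResultHandlerMiddleware.__call__` in this changeset. `__call__` starts and ends outside the hunk.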
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py
r6268 r6271 11 11 __revision__ = "$Id: $" 12 12 __license__ = "BSD - see LICENSE file in top-level directory" 13 import logging 14 log = logging.getLogger(__name__) 15 16 from os import path 17 from httplib import UNAUTHORIZED, FORBIDDEN 13 18 from string import Template 19 20 from paste.cascade import Cascade 21 from paste.urlparser import StaticURLParser 14 22 from genshi.template import TemplateLoader 15 23 16 from httplib import UNAUTHORIZED, FORBIDDEN 17 18 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase 19 from ndg.security.server.wsgi.session import SessionMiddlewareBase 24 from ndg.security.server.wsgi.authz.result_handler import \ 25 PEPResultHandlerMiddlewareBase 20 26 21 27 22 class GenshiPEPResultHandlerMiddleware( SessionMiddlewareBase):28 class GenshiPEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase): 23 29 """Genshi based PEP result handler 24 30 """ 25 31 DEFAULT_TMPL_NAME = 'accessdenied.html' 26 32 DEFAULT_TMPL_DIR = path.join(path.dirname(__file__), 'templates') 27 DEFAULT_STATIC_CONTENT_DIR = path.join(path.dirname(__file__), 'layout')28 33 29 34 MSG_TMPL = ( … … 38 43 'templateName': DEFAULT_TMPL_NAME, 39 44 'templateRootDir': DEFAULT_TMPL_DIR, 40 ' staticContentRootDir': DEFAULT_STATIC_CONTENT_DIR,45 'baseURL': '', 41 46 'heading': '', 47 'title': '', 42 48 'leftLogo': '', 43 49 'leftAlt': '', … … 64 70 dictionary 65 71 ''' 66 super(GenshiPEPResultHandlerMiddleware, self).__init__(app, 67 global_conf, 68 prefix=prefix, 69 **app_conf) 72 super(GenshiPEPResultHandlerMiddleware, self).__init__(app, {}) 70 73 71 74 # Initialise attributes … … 75 78 # Update from keywords 76 79 for i in app_conf: 77 setattr(self, i, app_conf[i]) 80 if prefix and i.startswith(prefix): 81 attrName = i.rsplit(prefix, 2)[-1] 82 setattr(self, attrName, app_conf[i]) 78 83 79 84 self.__loader = TemplateLoader(self.templateRootDir, auto_reload=True) 80 81 @ NDGSecurityMiddlewareBase.initCall85 86 @PEPResultHandlerMiddlewareBase.initCall 82 87 def 
__call__(self, environ, start_response): 83 88 """Render access denied message or else if user is not authenticated, … … 91 96 @return: response 92 97 """ 98 session = self.environ.get(self.sessionKey) 93 99 if not self.isAuthenticated: 94 100 # sets 401 response to be trapped by authentication handler 95 log.warning(" PEPResultHandlerMiddleware: user is not "101 log.warning("GenshiPEPResultHandlerMiddleware: user is not " 96 102 "authenticated - setting HTTP 401 response") 97 103 return self._setErrorResponse(code=UNAUTHORIZED) 98 104 else: 99 105 # Get response message from PDP recorded by PEP 100 pepCtx = self.session.get(PEPFilter.PEPCTX_SESSION_KEYNAME, {}) 101 pdpResponse = pepCtx.get(PEPFilter.PEPCTX_RESPONSE_SESSION_KEYNAME) 106 cls = GenshiPEPResultHandlerMiddleware 107 pepCtx = session.get(cls.PEPCTX_SESSION_KEYNAME, {}) 108 pdpResponse = pepCtx.get(cls.PEPCTX_RESPONSE_SESSION_KEYNAME) 102 109 pdpResponseMsg = getattr(pdpResponse, 'message', '') or '' 103 110 … … 106 113 107 114 response = self._render(xml=msg) 108 start_response( 109 GenshiPEPResultHandlerMiddleware.getStatusMessage(FORBIDDEN), 110 [('Content-type', 'text/html'), 111 ('Content-Length', str(len(response)))]) 115 start_response(cls.getStatusMessage(FORBIDDEN), 116 [('Content-type', 'text/html'), 117 ('Content-Length', str(len(response)))]) 112 118 113 119 return response -
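Review bot: `from paste.cascade import Cascade` and `from paste.urlparser import StaticURLParser` are added here although the static-content cascade moved to `AuthorizationMiddlewareBase` in this same changeset and nothing in the visible hunks of this file uses them; unless the unseen remainder of the file does, they should go the way of the dropped `DEFAULT_STATIC_CONTENT_DIR`. In the prefix loop, `attrName = i.rsplit(prefix, 2)[-1]` works for ordinary keys but is an unusual way to strip a prefix and would misbehave if the prefix text recurred inside a key; `attrName = i[len(prefix):]` says what is meant. That loop also still turns any prefixed config key into an instance attribute without checking it, so a typo in the ini file silently creates an unused attribute; checking `attrName` against the keys of the defaults dictionary shown earlier in the hunk ('templateName', 'baseURL', 'heading', ...) and raising on unknown names would catch that at startup.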
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/layout/default.css
r6268 r6271 1 1 /* 2 * NDG Security OpenID Provider and Relying Party Stylesheet 2 * NDG Security PEP Response handler, OpenID Provider and Relying Party 3 * Stylesheet 3 4 */ 4 5 … … 12 13 line-height:1.4; 13 14 font-size: small; 15 } 16 17 /* 18 * PEP Access Denied message panel 19 */ 20 #accessDeniedMessage { 21 font-size:0.9em; 22 color: black; 23 background-color: #e6f0f8; 24 margin-top:10px; 25 margin-bottom: 20px; 26 padding-top: 10px; 27 padding-right: 10px; 28 padding-left: 7px; 29 padding-bottom: 10px; 14 30 } 15 31 -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/templates/accessdenied.html
r6268 r6271 7 7 </head> 8 8 <body> 9 <?python from genshi import HTML ?> 9 10 <div id="main"> 10 11 <div py:replace="header()"/> 11 12 <div id="errorContent"> 12 <div class="error" py:if=" c.xml">13 $ xml13 <div class="error" py:if="xml"> 14 ${HTML(xml)} 14 15 </div> 15 16 </div> -
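Review bot: `${HTML(xml)}` marks the whole message as trusted markup, switching off Genshi's escaping for it. `xml` comes from `GenshiPEPResultHandlerMiddleware._render(xml=msg)`, where `msg` is the configured `messageTemplate` with `$pdpResponseMsg` substituted from the PDP response recorded in the session; the template text is operator-written, but the PDP message is not, and if it ever echoes request-derived values such as the requested resource they would be rendered unescaped. Escaping the substituted value in the handler before the `Template` substitution, e.g. `cgi.escape(pdpResponseMsg, True)` on this Python 2 code base, keeps `HTML()` for the operator's own markup only. Whether the PDP response message can carry request-derived text is not visible in this changeset.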
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/__init__.py
r6107 r6271 15 15 16 16 from paste.cascade import Cascade 17 from paste.registry import RegistryManager 18 from paste.urlparser import StaticURLParser 19 17 from paste.urlparser import StaticURLParser 20 18 from genshi.template import TemplateLoader 21 19 -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
r6265 r6271 28 28 'sessionKey': 'beaker.session.ndg.security' 29 29 } 30 31 # Key names for PEP context information 32 PEPCTX_SESSION_KEYNAME = 'pepCtx' 33 PEPCTX_REQUEST_SESSION_KEYNAME = 'request' 34 PEPCTX_RESPONSE_SESSION_KEYNAME = 'response' 35 PEPCTX_TIMESTAMP_SESSION_KEYNAME = 'timestamp' 30 36 31 37 _isAuthenticated = lambda self: \ -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini
r6063 r6271 78 78 paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory 79 79 prefix = authz. 80 authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware 81 authz.pepResultHandler.staticContentDir = %(here)s/pep_result_handler 82 authz.pepResultHandler.baseURL = http://localhost:7080 83 authz.pepResultHandler.heading = Access Denied 84 authz.pepResultHandler.messageTemplate = Access is forbidden for this resource:<div id="accessDeniedMessage">$pdpResponseMsg</div>Please check with your site administrator that you have the required access privileges. 85 authz.pepResultHandler.footerText = This site is for test purposes only. 86 authz.pepResultHandler.rightLink = http://ceda.ac.uk/ 87 authz.pepResultHandler.rightImage = %(authz.pepResultHandler.baseURL)s/layout/CEDA_RightButton60.png 88 authz.pepResultHandler.rightAlt = Centre for Environmental Data Archival 89 authz.pepResultHandler.helpIcon = %(authz.pepResultHandler.baseURL)s/layout/icons/help.png 90 80 91 policy.filePath = %(here)s/policy.xml 81 92 -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini
r6260 r6271 35 35 port = %(portNum)s 36 36 37 [filter-app:OpenIDProviderFilterApp] 38 use = egg:Paste#httpexceptions 39 next = cascade 40 41 # Composite for OpenID Provider to enable settings for picking up static 42 # content 43 [composit:cascade] 44 use = egg:Paste#cascade 45 app1 = OpenIDProviderStaticContent 46 app2 = OpenIDProviderApp 47 catch = 404 48 49 [app:OpenIDProviderStaticContent] 50 use = egg:Paste#static 51 document_root = %(here)s/openidprovider 37 # Provider borrows content from RP static content dir so the cascade is not 38 # needed(!) 39 #[filter-app:OpenIDProviderFilterApp] 40 #use = egg:Paste#httpexceptions 41 #next = cascade 42 # 43 ## Composite for OpenID Provider to enable settings for picking up static 44 ## content 45 #[composit:cascade] 46 #use = egg:Paste#cascade 47 #app1 = OpenIDProviderStaticContent 48 #app2 = OpenIDProviderApp 49 #catch = 404 50 # 51 #[app:OpenIDProviderStaticContent] 52 #use = egg:Paste#static 53 #document_root = %(here)s/openidprovider 52 54 53 55 # Ordering of filters and app is critical