Timestamp:
08/02/10 17:12:29 (10 years ago)
Author:
pjkersha
Message:

Patches to CredentialWallet, SAML interfaces and authz middleware for WPS testing.

Location:
TI12-security/trunk/NDGSecurity/python
Files:
8 edited

  • TI12-security/trunk/NDGSecurity/python/Makefile

    r6440 r6512  
    1010# @license: BSD - LICENSE file 
    1111# 
    12 # $Id$ 
     12# $Id:$ 
    1313EGG_DIRS=ndg_security_common ndg_security_client ndg_security_server \ 
    1414ndg_security_test ndg_security 
     
    1717PYTHON=python 
    1818 
    19 eggs: 
     19Eggs: 
     20        @echo "Running setup bdist_egg in these directories ${EGG_DIRS} ..." 
    2021        @-for dir in ${EGG_DIRS}; do \ 
    2122                cd $$dir; \ 
     
    4546force: replace 
    4647 
    47 NDG_EGG_DIST_USER= 
    48 NDG_EGG_DIST_HOST= 
    49 NDG_EGG_DIST_DIR= 
     48#NDG_EGG_DIST_USER= 
     49#NDG_EGG_DIST_HOST= 
     50#NDG_EGG_DIST_DIR= 
    5051 
    51 install_eggs: eggs 
     52install_eggs: Eggs 
     53    @echo "Installing eggs to ${NDG_EGG_DIST_HOST}:${NDG_EGG_DIST_DIR} ..." 
     54    chown ${NDG_EGG_DIST_USER}:cedadev ndg_*/dist/*.egg 
    5255        scp ndg_*/dist/*.egg ${NDG_EGG_DIST_USER}@${NDG_EGG_DIST_HOST}:${NDG_EGG_DIST_DIR} 
    5356 
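Review bot: `install_eggs` now runs `chown` and `scp` while `NDG_EGG_DIST_USER`, `NDG_EGG_DIST_HOST` and `NDG_EGG_DIST_DIR` are commented out, so an invocation that does not supply them from the environment runs `chown :cedadev` and `scp ... @:` against an empty destination. Add a guard as the first recipe line, e.g. `@test -n "${NDG_EGG_DIST_HOST}" -a -n "${NDG_EGG_DIST_DIR}" || { echo "set NDG_EGG_DIST_HOST and NDG_EGG_DIST_DIR"; exit 1; }`, and consider making the hard-coded `cedadev` group a variable next to the other three. The rendering shows the new `@echo` and `chown` lines indented less deeply than the existing `scp` line; if those are spaces rather than a tab, make will reject the recipe. Renaming the `eggs` target to `Eggs` also breaks any existing `make eggs` invocation, so keep `eggs` as an alias if callers exist.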
  • TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py

    r6202 r6512  
    297297        credentialWallet = cls() 
    298298        credentialWallet.parseConfig(cfg, **kw) 
     299         
     300        return credentialWallet 
    299301 
    300302    def parseConfig(self, cfg, prefix='', section='DEFAULT'): 
     
    410412    Attribute Assertions 
    411413    """ 
    412     __slots__ = () 
     414    CONFIG_FILE_OPTNAMES = CredentialWalletBase.CONFIG_FILE_OPTNAMES + ( 
     415                           "clockSkewTolerance", ) 
     416    __slots__ = ("__clockSkewTolerance",) 
    413417     
    414418    CREDENTIAL_REPOSITORY_NOT_SUPPORTED_MSG = ("SAMLCredentialWallet doesn't " 
     
    417421                                               "interface") 
    418422 
    419     @classmethod 
    420     def fromConfig(cls, cfg, **kw): 
    421         '''Alternative constructor makes object from config file settings 
    422         @type cfg: basestring /ConfigParser derived type 
    423         @param cfg: configuration file path or ConfigParser type object 
    424         @rtype: ndg.security.common.credentialWallet.SAMLCredentialWallet 
    425         @return: new instance of this class 
    426         ''' 
    427         credentialWallet = cls() 
    428         credentialWallet.parseConfig(cfg, **kw) 
    429          
    430         return credentialWallet 
     423    def __init__(self): 
     424        super(SAMLCredentialWallet, self).__init__() 
     425        self.__clockSkewTolerance = timedelta(seconds=0.) 
     426 
     427    def _getClockSkewTolerance(self): 
     428        return self.__clockSkewTolerance 
     429 
     430    def _setClockSkewTolerance(self, value): 
     431        if isinstance(value, (float, int, long)): 
     432            self.__clockSkewTolerance = timedelta(seconds=value) 
     433             
     434        elif isinstance(value, basestring): 
     435            self.__clockSkewTolerance = timedelta(seconds=float(value)) 
     436        else: 
     437            raise TypeError('Expecting float, int, long or string type for ' 
     438                            '"clockSkewTolerance"; got %r' % type(value)) 
     439 
     440    clockSkewTolerance = property(_getClockSkewTolerance,  
     441                                  _setClockSkewTolerance,  
     442                                  doc="Allow a tolerance (seconds) for " 
     443                                      "checking timestamps of the form: " 
     444                                      "notBeforeTime - tolerance < now < " 
     445                                      "notAfterTime + tolerance") 
    431446 
    432447    def parseConfig(self, cfg, prefix='', section='DEFAULT'): 
     
    461476                      credential,  
    462477                      attributeAuthorityURI=None, 
    463                       bUpdateCredentialRepository=False): 
     478                      bUpdateCredentialRepository=False, 
     479                      verifyCredential=True): 
    464480        """Add a new assertion to the list of assertion credentials held. 
    465481 
     
    473489        @type bUpdateCredentialRepository: bool 
    474490        @param bUpdateCredentialRepository: if set to True, and a repository  
    475         exists it will be updated with the new credentials also 
     491        exists it will be updated with the new credentials also. Nb. a derived 
     492        class will need to be implemented to enable this capability - see 
     493        the updateCredentialRepository method. 
     494        @type verifyCredential: bool 
     495        @param verifyCredential: if set to True, test validity of credential 
     496        by calling isValidCredential method. 
    476497         
    477498        @rtype: bool 
    478         @return: True if certificate was added otherwise False.  - If an 
     499        @return: True if credential was added otherwise False.  - If an 
    479500        existing certificate from the same issuer has a later expiry it will 
    480501        take precedence and the new input certificate is ignored.""" 
     
    485506                                        "%r type object" % Assertion)         
    486507 
    487         if not self.isValidCredential(credential): 
     508        if verifyCredential and not self.isValidCredential(credential): 
    488509            raise CredentialWalletError("Validity time error with assertion %r" 
    489                                         % assertion) 
     510                                        % credential) 
    490511         
    491512        # Check to see if there is an existing Attribute Certificate held 
    492513        # that was issued by the same host.  If so, compare the expiry time. 
    493514        # The one with the latest expiry will be retained and the other 
    494         # ingored 
     515        # ignored 
    495516        bUpdateCred = True 
     517        if credential.issuer is None: 
     518            raise AttributeError("Adding SAML assertion to wallet: no issuer " 
     519                                 "set") 
     520             
    496521        issuerName = credential.issuer.value 
    497522         
     
    551576        """Validate SAML assertion time validity""" 
    552577        utcNow = datetime.utcnow() 
    553         if utcNow < assertion.conditions.notBefore: 
     578        if utcNow < assertion.conditions.notBefore - self.clockSkewTolerance: 
    554579            msg = ('The current clock time [%s] is before the SAML Attribute ' 
    555                    'Response assertion conditions not before time [%s]' %  
     580                   'Response assertion conditions not before time [%s] '  
     581                   '(with clock skew tolerance = %s)' %  
    556582                   (SAMLDateTime.toString(utcNow), 
    557                     assertion.conditions.notBefore)) 
     583                    assertion.conditions.notBefore, 
     584                    self.clockSkewTolerance)) 
    558585            log.warning(msg) 
    559586            return False 
    560587             
    561         if utcNow >= assertion.conditions.notOnOrAfter: 
     588        if (utcNow >=  
     589            assertion.conditions.notOnOrAfter + self.clockSkewTolerance): 
    562590            msg = ('The current clock time [%s] is on or after the SAML ' 
    563591                   'Attribute Response assertion conditions not on or after ' 
    564                    'time [%s]' %  
     592                   'time [%s] (with clock skew tolerance = %s)' %  
    565593                   (SAMLDateTime.toString(utcNow), 
    566                     assertion.conditions.notOnOrAfter)) 
     594                    assertion.conditions.notOnOrAfter, 
     595                    self.clockSkewTolerance)) 
    567596            log.warning(msg) 
    568597            return False 
     
    834863        _dict = super(NDGCredentialWallet, self).__getstate__() 
    835864         
    836         for attrName in SAMLCredentialWallet.__slots__: 
     865        for attrName in NDGCredentialWallet.__slots__: 
    837866            # Ugly hack to allow for derived classes setting private member 
    838867            # variables 
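Review bot: `_setClockSkewTolerance` stores any numeric value, so a negative tolerance silently narrows the `notBefore`/`notOnOrAfter` window checked in `isValidCredential` and a very large one (the new unit test sets `5.*60*60`, five hours) extends assertion lifetime without any warning. Reject negatives after the conversion, e.g. `if self.__clockSkewTolerance < timedelta(0): raise ValueError('"clockSkewTolerance" must be >= 0; got %r' % value)`, and say in the property doc that the tolerance directly lengthens the period an assertion is honoured so operators keep it to a few seconds. The string branch lets `float(value)` raise `ValueError` for a non-numeric string, which the `TypeError` the setter otherwise raises does not cover; either wrap it or document both exception types. `SAMLCredentialWallet` continues beyond this hunk, as does the `__getstate__` of `NDGCredentialWallet` shown in the last hunk.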
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

    r6284 r6512  
    586586                                                    uri=attributeAuthorityURI) 
    587587            for assertion in response.assertions: 
    588                 credentialWallet.addCredential(assertion) 
     588                credentialWallet.addCredential(assertion, 
     589                                   attributeAuthorityURI=attributeAuthorityURI, 
     590                                   verifyCredential=False) 
    589591             
    590592            log.debug("SamlPIPMiddleware.attributeQuery: updating Credential " 
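Review bot: passing `verifyCredential=False` puts the assertions returned by the attribute authority into the wallet with no `notBefore`/`notOnOrAfter` check at all, so an expired or not-yet-valid assertion is accepted merely because it arrived in the response. If the motivation is clock skew between this host and the attribute authority, the wallet's new `clockSkewTolerance` is the intended control and the default `verifyCredential=True` should stay. If the check is deliberately deferred to a later `audit()` or to the PDP, add a comment on this call saying so, e.g. `# validity window is checked by the wallet's audit() before use`, since the reader otherwise sees only a disabled safety check. The enclosing `attributeQuery` method starts before this hunk.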
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py

    r6069 r6512  
    223223        response = soapResponse.serialize() 
    224224         
     225        log.debug("SOAPAttributeInterfaceMiddleware.__call__: sending response " 
     226                  "...\n\n%s", 
     227                  response) 
    225228        start_response("200 OK", 
    226229                       [('Content-length', str(len(response))), 
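Review bot: the new `log.debug` writes the entire serialized SOAP response to the application log, and for this attribute interface that body carries the SAML assertion including subject and attribute values. Debug logging is frequently left on in test deployments, so either log only metadata, e.g. `log.debug("SOAPAttributeInterfaceMiddleware.__call__: sending %d byte response", len(response))`, or route the body to a dedicated logger that can be disabled independently of the rest of the module. `__call__` starts before this hunk.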
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml

    r6022 r6512  
    2525        </Attributes> 
    2626    </Target> 
     27    <!-- Test inclusion of ampersand --> 
     28    <Target> 
     29        <URIPattern>^/test_securedURI[?&amp;]MyQueryParam=100</URIPattern> 
     30        <Attributes> 
     31            <Attribute> 
     32                <Name>urn:siteA:security:authz:1.0:attr:staff</Name> 
     33                <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
     34            </Attribute> 
     35        </Attributes>         
     36    </Target> 
    2737</Policy> 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py

    r6069 r6512  
    5959                assert(attribute.attributeAuthorityURI) 
    6060 
     61                         
    6162 
    6263class PIPPlaceholder(PIPBase): 
     
    8182    PERMITTED_RESOURCE_URI = '/test_securedURI' 
    8283    DENIED_RESOURCE_URI = '/test_accessDeniedToSecuredURI' 
     84    WITH_ESCAPE_CHARS_RESOURCE_URI = '/test_securedURI?MyQueryParam=100' 
    8385     
    8486    def setUp(self): 
     
    104106        self.assert_(response.status == Response.DECISION_DENY) 
    105107 
     108    def test03WithEscapeCharsInPolicy(self): 
     109        self.request.resource[Resource.URI_NS 
     110                              ] = PDPTestCase.WITH_ESCAPE_CHARS_RESOURCE_URI       
     111        response = self.pdp.evaluate(self.request) 
     112         
     113        self.assert_(response.status == Response.DECISION_PERMIT) 
     114 
    106115         
    107116if __name__ == "__main__": 
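Review bot: `test03WithEscapeCharsInPolicy` checks only the positive match, and the policy pattern it exercises, `^/test_securedURI[?&amp;]MyQueryParam=100`, has no end anchor, so `/test_securedURI?MyQueryParam=1000` or a URI with extra query parameters would be permitted as well and the test cannot tell whether the ampersand escaping or the loose pattern produced the decision. Add a negative case alongside it (a query string the target should reject) and assert `Response.DECISION_DENY`, provided the other targets in `policy-1.1.xml`, which are not shown here, do not also match it. The trailing whitespace on the `self.request.resource[...]` assignment should also go.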
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

    r6069 r6512  
    248248         
    249249    def setUp(self): 
    250         self.assertion =self._createAssertion() 
     250        self.assertion = self._createAssertion() 
    251251         
    252252    def _createAssertion(self, timeNow=None, validityDuration=60*60*8, 
     
    322322        self.assert_(len(wallet.credentials) == 0) 
    323323 
    324     def test04ReplaceCredential(self): 
     324    def test04ClockSkewTolerance(self): 
     325        # Add a short lived credential but with the wallet set to allow for 
     326        # a clock skew of  
     327        shortExpiryAssertion = self._createAssertion(validityDuration=1) 
     328        wallet = SAMLCredentialWallet() 
     329         
     330        # Set a tolerance of five seconds 
     331        wallet.clockSkewTolerance = 5.*60*60 
     332        wallet.addCredential(shortExpiryAssertion) 
     333         
     334        self.assert_(len(wallet.credentials) == 1) 
     335        sleep(2) 
     336        wallet.audit() 
     337        self.assert_(len(wallet.credentials) == 1) 
     338         
     339    def test05ReplaceCredential(self): 
    325340        # Replace an existing credential from a given institution with a more 
    326341        # up to date one 
     
    332347        wallet.addCredential(newAssertion) 
    333348        self.assert_(len(wallet.credentials) == 1) 
    334         self.assert_(newAssertion.conditions.notOnOrAfter==\ 
     349        self.assert_(newAssertion.conditions.notOnOrAfter == \ 
    335350                     wallet.credentials[ 
    336351                        SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME 
    337352                    ].credential.conditions.notOnOrAfter) 
    338353         
    339     def test05CredentialsFromSeparateSites(self): 
     354    def test06CredentialsFromSeparateSites(self): 
    340355        wallet = self._addCredential() 
    341356        wallet.addCredential(self._createAssertion(issuerName="MySite")) 
    342357        self.assert_(len(wallet.credentials) == 2) 
    343358 
    344     def test06Pickle(self): 
     359    def test07Pickle(self): 
    345360        wallet = self._addCredential() 
    346361        outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w') 
     
    353368            SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI)) 
    354369         
     370        self.assert_(unpickledWallet.credentials.items()[0][1].issuerName == \ 
     371                     BaseTestCase.SITEA_SAML_ISSUER_NAME) 
     372 
     373    def test08CreateFromConfig(self): 
     374        wallet = SAMLCredentialWallet.fromConfig( 
     375                                SAMLCredentialWalletTestCase.CONFIG_FILEPATH) 
     376        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01)) 
     377        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw') 
    355378         
    356379if __name__ == "__main__": 
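Review bot: in `test04ClockSkewTolerance` the comment says a five-second tolerance but the code sets `wallet.clockSkewTolerance = 5.*60*60`, i.e. five hours, and the comment before it, `a clock skew of `, is cut off mid-sentence. With `validityDuration=1` and `sleep(2)` the test passes for any tolerance above one second, so either set `wallet.clockSkewTolerance = 5.` to match the comment or correct the comment to the intended value. A companion assertion that the same one-second assertion is removed by `audit()` when the tolerance is `0` would pin the behaviour the tolerance is meant to enable.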
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg

    r6040 r6512  
    99# $Id:$ 
    1010[DEFAULT] 
    11 clockSkew = 0. 
     11clockSkewTolerance = 0.01 
    1212userId = https://openid.localhost/philip.kershaw 
    13 issuerDN = /O=Site A/CN=Authorisation Service 
    14 attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml 
    15 queryAttributes.0 = urn:esg:first:name, FirstName, http://www.w3.org/2001/XMLSchema#string 
    16 queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string 
    17  
    18 # SSL Context Proxy settings 
    19 sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca 
    20 sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.crt 
    21 sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.key 
    22 sslValidDNs = /C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost, /O=Site A/CN=Attribute Authority 
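Review bot: renaming the option from `clockSkew` to `clockSkewTolerance` means any deployed wallet config still using the old name is ignored rather than rejected, unless `parseConfig` (not shown in this changeset) errors on unknown keys. Either accept `clockSkew` as a deprecated alias in `parseConfig` with a warning, or call the rename out in the release notes so operators do not silently run with the zero-second default.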