Context Navigation

← Previous Change
Next Change →

Changeset 6597 for TI12-security

Timestamp:

19/02/10 14:32:13 (10 years ago)

Author:

pjkersha

Message:

New Policy Information Point class ndg.security.common.authz.pip.esg.PIP for ESG Authorisation Service.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 5 added
: 4 edited

ndg_security_common/__init__.py (added)
ndg_security_common/ndg/security/common/authz/__init__.py (modified) (1 diff)
ndg_security_common/ndg/security/common/authz/msi.py (modified) (4 diffs)
ndg_security_common/ndg/security/common/authz/pip (added)
ndg_security_common/ndg/security/common/authz/pip/__init__.py (added)
ndg_security_common/ndg/security/common/authz/pip/esg.py (added)
ndg_security_common/ndg/security/common/authz/pip/ndg.py (added)
ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/authzservice.py (modified) (7 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/init.py

-                      r5165
+                      r6597
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: __init__.py 3755 2008-04-04 09:11:44Z pjkersha $"
+class _AttrDict(dict):
+    """Utility class for holding a constrained list of attributes governed
+    by a namespace list"""
+    namespaces = ()
+    def __init__(self, **attributes):
+        invalidAttributes = [attr for attr in attributes
+                             if attr not in self.__class__.namespaces]
+        if len(invalidAttributes) > 0:
+            raise TypeError("The following attribute namespace(s) are not "
+                            "recognised: %s" % invalidAttributes)
+        self.update(attributes)
+    def __setitem__(self, key, val):
+        if key not in self.__class__.namespaces:
+            raise KeyError('Namespace "%s" not recognised.  Valid namespaces '
+                           'are: %s' % self.__class__.namespaces)
+        dict.__setitem__(self, key, val)
+    def update(self, d, **kw):
+        for dictArg in (d, kw):
+            for k in dictArg:
+                if k not in self.__class__.namespaces:
+                    raise KeyError('Namespace "%s" not recognised.  Valid '
+                                   'namespaces are: %s' %
+                                   self.__class__.namespaces)
+        dict.update(self, d, **kw)
+class SubjectRetrievalError(Exception):
+    """Generic exception class for errors related to information about the
+    subject"""
+class SubjectBase(object):
+    '''Base class Subject designator'''
+    namespaces = ("urn:ndg:security:authz:1.0:attr:subject:roles", )
+    (ROLES_NS,) = namespaces

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py

-                      r6586
+                      r6597
 from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.etree import QName
+from ndg.security.common.authz import _AttrDict, SubjectBase
+from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery,
+                                           PIPAttributeResponse,
+                                           SubjectRetrievalError)
 …
     """Error reading policy attributes from file"""
 class InvalidPolicyXmlNsError(Exception):
     """Invalid XML namespace for policy document"""
 class PolicyComponent(object):
 …
         resource.parse(root)
         return resource
+class _AttrDict(dict):
+    """Utility class for holding a constrained list of attributes governed
+    by a namespace list"""
+    namespaces = ()
+    def __init__(self, **attributes):
+        invalidAttributes = [attr for attr in attributes
+                             if attr not in self.__class__.namespaces]
+        if len(invalidAttributes) > 0:
+            raise TypeError("The following attribute namespace(s) are not "
+                            "recognised: %s" % invalidAttributes)
+        self.update(attributes)
+    def __setitem__(self, key, val):
+        if key not in self.__class__.namespaces:
+            raise KeyError('Namespace "%s" not recognised.  Valid namespaces '
+                           'are: %s' % self.__class__.namespaces)
+        dict.__setitem__(self, key, val)
+    def update(self, d, **kw):
+        for dictArg in (d, kw):
+            for k in dictArg:
+                if k not in self.__class__.namespaces:
+                    raise KeyError('Namespace "%s" not recognised.  Valid '
+                                   'namespaces are: %s' %
+                                   self.__class__.namespaces)
+        dict.update(self, d, **kw)
+class Subject(_AttrDict):
+    '''Subject designator'''
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:subject:userId",
+        "urn:ndg:security:authz:1.0:attr:subject:sessionId",
+        "urn:ndg:security:authz:1.0:attr:subject:sessionManagerURI",
+        "urn:ndg:security:authz:1.0:attr:subject:roles"
+    )
+    (USERID_NS, SESSIONID_NS, SESSIONMANAGERURI_NS, ROLES_NS) = namespaces
+class Subject(SubjectBase):
+    '''MSI Subject designator'''
 …
                        fset=_setMessage,
                        doc="Optional message associated with response")
-from ndg.security.common.AttCert import (AttCertInvalidSignature,
-    AttCertNotBeforeTimeError, AttCertExpired, AttCertError)
-from ndg.security.common.sessionmanager import (SessionManagerClient,
-    SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession,
-    AttributeRequestDenied)
-from ndg.security.common.attributeauthority import (AttributeAuthorityClient,
-    NoTrustedHosts, NoMatchingRoleInTrustedHosts,
-    InvalidAttributeAuthorityClientCtx)
-from ndg.security.common.attributeauthority import AttributeRequestDenied as \
-    AA_AttributeRequestDenied
-from ndg.security.common.authz.pdp import (PDPUserNotLoggedIn,
-    PDPUserAccessDenied)
-class SubjectRetrievalError(Exception):
-    """Generic exception class for errors related to information about the
-    subject"""
-class InvalidAttributeCertificate(SubjectRetrievalError):
-    "The certificate containing authorisation roles is invalid"
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                       InvalidAttributeCertificate.__doc__)
-class AttributeCertificateInvalidSignature(SubjectRetrievalError):
-    ("There is a problem with the signature of the certificate containing "
-     "authorisation roles")
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                AttributeCertificateInvalidSignature.__doc__)
-class AttributeCertificateNotBeforeTimeError(SubjectRetrievalError):
-    ("There is a time issuing error with certificate containing authorisation "
-    "roles")
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                AttributeCertificateNotBeforeTimeError.__doc__)
-class AttributeCertificateExpired(SubjectRetrievalError):
-    "The certificate containing authorisation roles has expired"
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                       AttributeCertificateExpired.__doc__)
-class SessionExpiredMsg(SubjectRetrievalError):
-    'Session has expired.  Please re-login at your home organisation'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__)
-class SessionNotFoundMsg(SubjectRetrievalError):
-    'No session was found.  Please try re-login with your home organisation'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                       SessionNotFoundMsg.__doc__)
-class InvalidSessionMsg(SubjectRetrievalError):
-    'Session is invalid.  Please try re-login with your home organisation'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                       InvalidSessionMsg.__doc__)
-class InitSessionCtxError(SubjectRetrievalError):
-    'A problem occurred initialising a session connection'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                       InitSessionCtxError.__doc__)
-class AttributeCertificateRequestError(SubjectRetrievalError):
-    'A problem occurred requesting a certificate containing authorisation roles'
-    def __init__(self, msg=None):
-        SubjectRetrievalError.__init__(self, msg or
-                                    AttributeCertificateRequestError.__doc__)
-class PIPAttributeQuery(_AttrDict):
-    '''Policy Information Point Query class.'''
-    namespaces = (
-        "urn:ndg:security:authz:1.0:attr:subject",
-        "urn:ndg:security:authz:1.0:attr:attributeAuthorityURI",
+    )
-    (SUBJECT_NS, ATTRIBUTEAUTHORITY_NS) = namespaces
-class PIPAttributeResponse(dict):
-    '''Policy Information Point Response class.'''
-    namespaces = (
-        Subject.ROLES_NS,
+    )
-class PIPBase(object):
-    """Policy Information Point base class.  PIP enables PDP to get user
-    attribute information in order to make access control decisions
-    """
-    def __init__(self, prefix='', **cfg):
-        '''Initialise settings for connection to an Attribute Authority'''
-        raise NotImplementedError(PIPBase.__init__.__doc__)
-    def attributeQuery(self, attributeQuery):
-        """Query the Attribute Authority specified in the request to retrieve
-        the attributes if any corresponding to the subject
-        @type attributeResponse: PIPAttributeQuery
-        @param attributeResponse:
-        @rtype: PIPAttributeResponse
-        @return: response containing the attributes retrieved from the
-        Attribute Authority"""
-        raise NotImplementedError(PIPBase.attributeQuery.__doc__)
-from ndg.security.common.wssecurity import WSSecurityConfig
-class NdgPIP(PIPBase):
-    """Policy Information Point - this implementation enables the PDP to
-    retrieve attributes about the Subject"""
-    wsseSectionName = 'wssecurity'
-    def __init__(self, prefix='', **cfg):
-        '''Set-up WS-Security and SSL settings for connection to an
-        Attribute Authority
-        @type **cfg: dict
-        @param **cfg: keywords including 'sslCACertFilePathList' used to set a
-        list of CA certificates for an SSL connection to the Attribute
-        Authority if used and also WS-Security settings as used by
-        ndg.security.common.wssecurity.WSSecurityConfig
-        '''
-        self.wssecurityCfg = WSSecurityConfig()
-        wssePrefix = prefix + NdgPIP.wsseSectionName
-        self.wssecurityCfg.update(cfg, prefix=wssePrefix)
-        # List of CA certificates used to verify peer certificate with SSL
-        # connections to Attribute Authority
-        self.sslCACertFilePathList = cfg.get(prefix+'sslCACertFilePathList', [])
-        # List of CA certificates used to verify the signatures of
-        # Attribute Certificates retrieved
-        self.caCertFilePathList = cfg.get(prefix + 'caCertFilePathList', [])
-    def attributeQuery(self, attributeQuery):
-        """Query the Attribute Authority specified in the request to retrieve
-        the attributes if any corresponding to the subject
-        @type attributeResponse: PIPAttributeQuery
-        @param attributeResponse:
-        @rtype: PIPAttributeResponse
-        @return: response containing the attributes retrieved from the
-        Attribute Authority"""
-        subject = attributeQuery[PIPAttributeQuery.SUBJECT_NS]
-        username = subject[Subject.USERID_NS]
-        sessionId = subject[Subject.SESSIONID_NS]
-        attributeAuthorityURI = attributeQuery[
-                                    PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS]
-        sessionId = subject[Subject.SESSIONID_NS]
-        log.debug("PIP: received attribute query: %r", attributeQuery)
-        attributeCertificate = self._getAttributeCertificate(
-                    attributeAuthorityURI,
-                    username=username,
-                    sessionId=sessionId,
-                    sessionManagerURI=subject[Subject.SESSIONMANAGERURI_NS])
-        attributeResponse = PIPAttributeResponse()
-        attributeResponse[Subject.ROLES_NS] = attributeCertificate.roles
-        log.debug("PIP.attributeQuery response: %r", attributeResponse)
-        return attributeResponse
-    def _getAttributeCertificate(self,
-                                 attributeAuthorityURI,
-                                 username=None,
-                                 sessionId=None,
-                                 sessionManagerURI=None):
-        '''Retrieve an Attribute Certificate
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: URI to Attribute Authority service
-        @type username: basestring
-        @param username: subject user identifier - could be an OpenID
-        @type sessionId: basestring
-        @param sessionId: Session Manager session handle
-        @type sessionManagerURI: basestring
-        @param sessionManagerURI: URI to remote session manager service
-        @rtype: ndg.security.common.AttCert.AttCert
-        @return: Attribute Certificate containing user roles
-        '''
-        if sessionId and sessionManagerURI:
-            attrCert = self._getAttributeCertificateFromSessionManager(
-                                                     attributeAuthorityURI,
-                                                     sessionId,
-                                                     sessionManagerURI)
-        else:
-            attrCert = self._getAttributeCertificateFromAttributeAuthority(
-                                                     attributeAuthorityURI,
-                                                     username)
-        try:
-            attrCert.certFilePathList = self.caCertFilePathList
-            attrCert.isValid(raiseExcep=True)
-        except AttCertInvalidSignature, e:
-            log.exception(e)
-            raise AttributeCertificateInvalidSignature()
-        except AttCertNotBeforeTimeError, e:
-            log.exception(e)
-            raise AttributeCertificateNotBeforeTimeError()
-        except AttCertExpired, e:
-            log.exception(e)
-            raise AttributeCertificateExpired()
-        except AttCertError, e:
-            log.exception(e)
-            raise InvalidAttributeCertificate()
-        return attrCert
-    def _getAttributeCertificateFromSessionManager(self,
-                                                   attributeAuthorityURI,
-                                                   sessionId,
-                                                   sessionManagerURI):
-        '''Retrieve an Attribute Certificate using the subject's Session
-        Manager
-        @type sessionId: basestring
-        @param sessionId: Session Manager session handle
-        @type sessionManagerURI: basestring
-        @param sessionManagerURI: URI to remote session manager service
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: URI to Attribute Authority service
-        @rtype: ndg.security.common.AttCert.AttCert
-        @return: Attribute Certificate containing user roles
-        '''
-        log.debug("PIP._getAttributeCertificateFromSessionManager ...")
-        try:
-            # Create Session Manager client - if a file path was set, setting
-            # are read from a separate config file section otherwise, from the
-            # PDP config object
-            smClnt = SessionManagerClient(
-                            uri=sessionManagerURI,
-                            sslCACertFilePathList=self.sslCACertFilePathList,
-                            cfg=self.wssecurityCfg)
-        except Exception, e:
-            log.error("Creating Session Manager client: %s" % e)
-            raise InitSessionCtxError()
-        try:
-            # Make request for attribute certificate
-            return smClnt.getAttCert(
-                                attributeAuthorityURI=attributeAuthorityURI,
-                                sessID=sessionId)
-        except AttributeRequestDenied, e:
-            log.error("Request for attribute certificate denied: %s" % e)
-            raise PDPUserAccessDenied()
-        except SessionNotFound, e:
-            log.error("No session found: %s" % e)
-            raise SessionNotFoundMsg()
-        except SessionExpired, e:
-            log.error("Session expired: %s" % e)
-            raise SessionExpiredMsg()
-        except SessionCertTimeError, e:
-            log.error("Session cert. time error: %s" % e)
-            raise InvalidSessionMsg()
-        except InvalidSession, e:
-            log.error("Invalid user session: %s" % e)
-            raise InvalidSessionMsg()
-        except Exception, e:
-            log.error("Request from Session Manager [%s] to Attribute "
-                      "Authority [%s] for attribute certificate: %s: %s" %
-                      (sessionManagerURI,
-                       attributeAuthorityURI,
-                       e.__class__, e))
-            raise AttributeCertificateRequestError()
-    def _getAttributeCertificateFromAttributeAuthority(self,
-                                                       attributeAuthorityURI,
-                                                       username):
-        '''Retrieve an Attribute Certificate direct from an Attribute
-        Authority.  This method is invoked if no session ID or Session
-        Manager endpoint where provided
-        @type username: basestring
-        @param username: user identifier - may be an OpenID URI
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: URI to Attribute Authority service
-        @rtype: ndg.security.common.AttCert.AttCert
-        @return: Attribute Certificate containing user roles
-        '''
-        log.debug("PIP._getAttributeCertificateFromAttributeAuthority ...")
-        try:
-            # Create Attribute Authority client - if a file path was set,
-            # settingare read  from a separate config file section otherwise,
-            # from the PDP config object
-            aaClnt = AttributeAuthorityClient(
-                            uri=attributeAuthorityURI,
-                            sslCACertFilePathList=self.sslCACertFilePathList,
-                            cfg=self.wssecurityCfg)
-        except Exception:
-            log.error("Creating Attribute Authority client: %s",
-                      traceback.format_exc())
-            raise InitSessionCtxError()
-        try:
-            # Make request for attribute certificate
-            return aaClnt.getAttCert(userId=username)
-        except AA_AttributeRequestDenied:
-            log.error("Request for attribute certificate denied: %s",
-                      traceback.format_exc())
-            raise PDPUserAccessDenied()
-        # TODO: handle other specific Exception types here for more fine
-        # grained response info
-        except Exception, e:
-            log.error("Request to Attribute Authority [%s] for attribute "
-                      "certificate: %s: %s", attributeAuthorityURI,
-                      e.__class__, traceback.format_exc())
-            raise AttributeCertificateRequestError()
-# Backwards compatibility
-PIP = NdgPIP

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/init.py

-                      r6575
+                      r6597
         if not isinstance(attributeQuery, PIPAttributeQuery):
             raise TypeError('Expecting %r type for input "attributeQuery"; '
+                            'got %r' % (AttributeQuery, type(attributeQuery)))
+                            'got %r' % (PIPAttributeQuery,
+                                        type(attributeQuery)))
         attributeAuthorityURI = attributeQuery[

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py

-                      r6593
+                      r6597
 from ndg.security.common.utils.factory import importModuleObject
+from ndg.security.common.authz.msi import Policy, PDP, PIP
+from ndg.security.common.authz.msi import Policy, PDP
+from ndg.security.common.authz.pip.esg import PIP
 …
     POLICY_FILEPATH_OPTNAME = 'filePath'
     POLICY_CFG_PREFIX = 'policy.'
+    PIP_CFG_PREFIX = 'pip.'
     __slots__ = ('__pdp', '__authzDecisionFunc', '__authzDecisionFuncKeyName')
 …
         # Initialise the Policy Information Point
+        pip = PIP()
+        pipCfgPrefix = prefix + cls.PIP_CFG_PREFIX
+        pip = PIP.fromConfig(prefix=pipCfgPrefix, **app_conf)
         # Initialise the PDP reading in the policy
 …
         @rtype: callable
         """
+        # Nest function within AuthzServiceMiddleware method so that self is
+        # in its scope
         def getAuthzDecision(authzDecisionQuery):
             """Authorisation decision function accepts a SAML AuthzDecisionQuery
 …
             elif pdpResponse.status == Response.DECISION_INDETERMINATE:
                 log.info("AuthzServiceMiddleware.__call__: PDP returned a "
                          "status of [%s] denying access for URI path [%s] using "
                          "policy [%s]",
+                         "status of [%s] denying access for URI path [%s] "
+                         "using policy [%s]",
                          pdpResponse.decisionValue2String[response.status],
                          resourceURI,
 …
             else:
                 log.info("AuthzServiceMiddleware.__call__: PDP returned a "
                          "status of [%s] denying access for URI path [%s] using "
                          "policy [%s]",
+                         "status of [%s] denying access for URI path [%s] "
+                         "using policy [%s]",
                          pdpResponse.decisionValue2String[response.status],
                          resourceURI,
 …
             response.status.statusCode.value = StatusCode.SUCCESS_URI
+            response.status.statusMessage.value = "Response created successfully"
+            response.status.statusMessage.value = ("Response created "
+                                                   "successfully")
             assertion = Assertion()

Note: See TracChangeset for help on using the changeset viewer.