Changeset 6604


Timestamp:
22/02/10 14:14:34 (9 years ago)
Author:
pjkersha
Message:

Fix for ticket #1102: added the capability to set the return-to URI as a query argument, to allow for cases where HTTP_REFERER is not set. To use it, applications should set the logout link to  http://<app domain>/<SCRIPT_NAME>/<logout path>?ndg.security.logout.r=<quoted return to URI>.

Location:
TI12-security/trunk/NDGSecurity/python
Files:
9 edited

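--- a/TI12-security/trunk/NDGSecurity/python/.pydevproject
+++ b/TI12-security/trunk/NDGSecurity/python/.pydevproject
@@ -6,5 +6,8 @@
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
-<path>/ndg_security_python</path>
+<path>/ndg_security_python/ndg_security_client</path>
+<path>/ndg_security_python/ndg_security_common</path>
+<path>/ndg_security_python/ndg_security_server</path>
+<path>/ndg_security_python/ndg_security_test</path>
 </pydev_pathproperty>
 <pydev_pathproperty name="org.python.pydev.PROJECT_EXTERNAL_SOURCE_PATH">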
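--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/__init__.py
@@ -28,6 +28,6 @@
     def __setitem__(self, key, val):
         if key not in self.__class__.namespaces:
-            raise KeyError('Namespace "%s" not recognised.  Valid namespaces '
-                           'are: %s' % self.__class__.namespaces)
+            raise KeyError('Namespace %r not recognised.  Valid namespaces '
+                           'are: %r' % (key, self.__class__.namespaces))
 
         dict.__setitem__(self, key, val)
@@ -50,6 +50,13 @@
 
 
-class SubjectBase(object):
+class SubjectBase(_AttrDict):
     '''Base class Subject designator'''
-    namespaces = ("urn:ndg:security:authz:1.0:attr:subject:roles", )
-    (ROLES_NS,) = namespaces
+    namespaces = (
+        "urn:ndg:security:authz:1.0:attr:subject:userId",
+        "urn:ndg:security:authz:1.0:attr:subject:roles",
+    )
+    (USERID_NS, ROLES_NS,) = namespaces
+
+
+class Subject(SubjectBase):
+    """Container for information about the subject of the query"""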
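--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py
@@ -20,8 +20,8 @@
 from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.etree import QName
-from ndg.security.common.authz import _AttrDict, SubjectBase
+from ndg.security.common.authz import (_AttrDict, SubjectBase, Subject,
+                                       SubjectRetrievalError)
 from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery,
-                                           PIPAttributeResponse,
-                                           SubjectRetrievalError)
+                                           PIPAttributeResponse)
 
 
@@ -346,8 +346,4 @@
 
 
-class Subject(SubjectBase):
-    '''MSI Subject designator'''
-
-
 class Resource(_AttrDict):
     '''Resource designator'''
@@ -360,4 +356,6 @@
 class Request(object):
     '''Request to send to a PDP'''
+#    __slots__ = ('__subject', '__resource')
+
     def __init__(self, subject=Subject(), resource=Resource()):
         self.subject = subject
@@ -368,7 +366,7 @@
 
     def _setSubject(self, subject):
-        if not isinstance(subject, Subject,):
-            raise TypeError("Expecting %s type for Request subject; got %r" %
-                            (Subject.__class__.__name__, subject))
+        if not isinstance(subject, SubjectBase):
+            raise TypeError("Expecting %r type for Request subject; got %r" %
+                            (Subject, type(subject)))
         self.__subject = subject
 
@@ -390,5 +388,23 @@
                         fset=_setResource,
                         doc="Resource to be protected")
-
+#
+#    def __getstate__(self):
+#        '''Enable pickling'''
+#        _dict = {}
+#        for attrName in Request.__slots__:
+#            # Ugly hack to allow for derived classes setting private member
+#            # variables
+#            if attrName.startswith('__'):
+#                attrName = "_Request" + attrName
+#
+#            _dict[attrName] = getattr(self, attrName)
+#
+#        return _dict
+
+#    def __setstate__(self, attrDict):
+#        '''Enable pickling'''
+#        for attrName, val in attrDict.items():
+#            setattr(self, attrName, val)
+
 
 class Response(object):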
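Review bot: `Request.__init__` keeps `subject=Subject()` and `resource=Resource()` as default arguments at new line 360, and since `Subject` is now a dict subclass (via `SubjectBase(_AttrDict)`), every `Request()` built without an explicit subject shares one mutable instance, so attributes such as a user id written into it persist into later requests built the same way. The commit sidesteps this in the WSGI middleware by passing `Subject()` explicitly, but the default itself is unchanged; safer is `def __init__(self, subject=None, resource=None):` with `self.subject = Subject() if subject is None else subject` (and likewise for resource) so each request gets a fresh container. Separately, `_setSubject` at new line 368 now accepts any `SubjectBase` but its error message still names `Subject`; `(SubjectBase, type(subject))` would match the check. The commented-out `__slots__` line and `__getstate__`/`__setstate__` block at new lines 358 and 390-407 would be better removed than left as dead comments, since version control keeps the history.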
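--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/__init__.py
@@ -12,5 +12,5 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: __init__.py 3755 2008-04-04 09:11:44Z pjkersha $"
-from ndg.security.common.authz import _AttrDict
+from ndg.security.common.authz import _AttrDict, Subject
 
 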
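--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/ndginterface.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/pip/ndginterface.py
@@ -34,7 +34,6 @@
 
 from ndg.security.common.authz import SubjectBase, SubjectRetrievalError
-from ndg.security.common.authz.pip import (PIPAttributeQuery,
-                                           PIPAttributeResponse)
-from ndg.security.common.authz.pdp import PDPUserAccessDenied
+from ndg.security.common.authz.pip import (PIPAttributeQuery, PIPBase,
+                                           PIPAttributeResponse)
 
 
@@ -110,5 +109,11 @@
                                     AttributeCertificateRequestError.__doc__)
 
-
+class AttributeCertificateRequestDenied(SubjectRetrievalError):
+    'The request for a certificate containing authorisation roles was denied'
+    def __init__(self, msg=None):
+        SubjectRetrievalError.__init__(self, msg or
+                                    AttributeCertificateRequestError.__doc__)
+
+
 class PIP(PIPBase):
     """Policy Information Point - this implementation enables the PDP to
@@ -261,5 +266,5 @@
         except AttributeRequestDenied, e:
             log.error("Request for attribute certificate denied: %s" % e)
-            raise PDPUserAccessDenied()
+            raise AttributeCertificateRequestDenied()
 
         except SessionNotFound, e:
@@ -326,5 +331,5 @@
             log.error("Request for attribute certificate denied: %s",
                       traceback.format_exc())
-            raise PDPUserAccessDenied()
+            raise AttributeCertificateRequestDenied()
 
         # TODO: handle other specific Exception types here for more fine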
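Review bot: The new `AttributeCertificateRequestDenied.__init__` at new lines 113-115 falls back to `AttributeCertificateRequestError.__doc__`, so when it is raised without a message, as both `raise AttributeCertificateRequestDenied()` sites at new lines 268 and 333 do, it reports the other class's description; `SubjectRetrievalError.__init__(self, msg or AttributeCertificateRequestDenied.__doc__)` (or `self.__doc__`) gives the right text. Those two raise sites previously threw `PDPUserAccessDenied` and now throw a `SubjectRetrievalError` subclass, so any caller that catches `PDPUserAccessDenied` to turn a denied attribute request into an access-denied decision will no longer see these cases; the callers are outside this hunk, so that is worth confirming rather than assuming. The methods enclosing the last two hunks start and end outside the hunk.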
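--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
@@ -39,9 +39,13 @@
 from ndg.security.server.wsgi.authz.result_handler.basic import \
     PEPResultHandlerMiddleware
-
-from ndg.security.common.authz.msi import (Policy, PIP, PIPBase,
-                                           PIPAttributeQuery,
-                                           PIPAttributeResponse, PDP, Request,
-                                           Response, Resource, Subject)
+
+from ndg.security.common.authz.pip import (PIPBase, PIPAttributeQuery,
+                                           PIPAttributeResponse)
+
+# The NDG Interface Subject type includes support for Session Manager related
+# keywords which are not needed by the newer SamlPIPMiddleware
+from ndg.security.common.authz.pip.ndginterface import PIP, Subject
+from ndg.security.common.authz.msi import (Policy, PDP, Request,
+                                           Response, Resource)
 
 
@@ -150,6 +154,10 @@
                   "user authorisation ...")
 
-        # Make a request object to pass to the PDP
-        request = Request()
+        # Make a request object to pass to the PDP.  Set an NDG type Subject
+        # which has the extra keyword support for Session Manager and
+        # Session ID needed by NdgPIPMiddleware.  This can be deprecated in a
+        # future release when the SOAP/WSL attribute interface is withdrawn
+        # and completely replaced by the SAML one
+        request = Request(subject=Subject())
         request.subject[Subject.USERID_NS] = session['username']
 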
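Review bot: The module now imports `Subject` from `pip.ndginterface` at new line 47 while `msi.Request`, imported two lines later, defaults to the different `authz.Subject`, so two unrelated classes share the name `Subject` across this import graph and a reader cannot tell from new line 161 which one is meant. Aliasing the import, e.g. `from ndg.security.common.authz.pip.ndginterface import PIP, Subject as NdgSubject` and `request = Request(subject=NdgSubject())`, makes the choice explicit and stops a later import reshuffle silently picking up the other class. The comment block at new lines 156-160 documents the intent well; a `# TODO:` marker on the deprecation sentence would make it findable when the SAML interface replaces the SOAP/WSL one. The enclosing method starts and ends outside the hunk.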
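--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authzservice.py
@@ -13,5 +13,7 @@
 
 from ndg.security.common.utils.factory import importModuleObject
-from ndg.security.common.authz.msi import Policy, PDP
+from ndg.security.common.authz import Subject
+from ndg.security.common.authz.msi import (Policy, PDP, Request, Response,
+                                           Resource)
 from ndg.security.common.authz.pip.esg import PIP
 
@@ -174,5 +176,5 @@
             self.__authzDecisionFunc = importModuleObject(value)
 
-        elif iscallable(value):
+        elif callable(value):
             self.__authzDecisionFunc = value
         else: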
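--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
@@ -14,4 +14,7 @@
 log = logging.getLogger(__name__)
 
+import urllib
+from paste.request import parse_querystring
+
 from ndg.security.server.wsgi import (NDGSecurityMiddlewareBase,
                                       NDGSecurityMiddlewareError)
@@ -89,4 +92,6 @@
 
     AUTH_TKT_SET_USER_ENVIRON_KEYNAME = 'paste.auth_tkt.set_user'
+
+    LOGOUT_RETURN2URI_ARGNAME = 'ndg.security.logout.r'
 
     PARAM_PREFIX = 'sessionHandler.'
@@ -179,5 +184,14 @@
         session.save()
 
-        referrer = environ.get('HTTP_REFERER')
+        if self.__class__.LOGOUT_RETURN2URI_ARGNAME in environ['QUERY_STRING']:
+            params = dict(parse_querystring(environ))
+
+            # Store the return URI query argument in a beaker session
+            quotedReferrer = params.get(
+                                self.__class__.LOGOUT_RETURN2URI_ARGNAME, '')
+            referrer = urllib.unquote(quotedReferrer)
+        else:
+            referrer = environ.get('HTTP_REFERER')
+
         if referrer is not None:
             def _start_response(status, header, exc_info=None):
@@ -191,5 +205,5 @@
                                       exc_info)
 
-            return _start_response
+            return _start_response
         else:
             log.error('No referrer set for redirect following logout')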
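Review bot: `referrer` at new line 192 is taken straight from the `ndg.security.logout.r` query argument and, judging by the `_start_response` wrapper and the "redirect following logout" log message, becomes the redirect target, so any caller-supplied URI is followed: that is an open redirect, letting a crafted logout link send the user on to an arbitrary site once logout completes. The value should only be accepted when it is a relative path or a URI on this host (a configured allow-list of return URIs is stricter still), as sketched below; the check needs `urlparse` imported alongside `urllib`. Two smaller points in the same hunk: `environ['QUERY_STRING']` at new line 186 raises `KeyError` when the server omits an empty query string, so `environ.get('QUERY_STRING', '')` is safer, and `parse_querystring` already percent-decodes values (it is built on `cgi.parse_qsl`), so the extra `urllib.unquote` at new line 192 is a second decode that can alter a legitimately encoded URI. The comment at new line 189 says the value is stored in a beaker session, which the code does not do; `# Take the return-to URI from the logout query argument` describes what happens. The enclosing method starts and ends outside the hunk.
```python
        if self.__class__.LOGOUT_RETURN2URI_ARGNAME in environ.get('QUERY_STRING', ''):
            params = dict(parse_querystring(environ))

            # Take the return-to URI from the logout query argument; the
            # value is already percent-decoded by parse_querystring
            referrer = params.get(self.__class__.LOGOUT_RETURN2URI_ARGNAME, '')

            # The argument is caller controlled: only follow it when it is a
            # relative path or a URI on this host, otherwise logout becomes an
            # open redirect
            scheme, netloc = urlparse.urlparse(referrer)[:2]
            if ((scheme and scheme not in ('http', 'https')) or
                (scheme and not netloc) or
                (netloc and netloc != environ.get('HTTP_HOST'))):
                log.error('Rejecting logout return URI %r: not on this host',
                          referrer)
                referrer = None
        else:
            referrer = environ.get('HTTP_REFERER')
        # … unchanged: redirect via _start_response …
```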
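--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini
@@ -406,6 +406,11 @@
 # SAML SOAP Binding to the Attribute Authority
 [filter:AttributeAuthoritySamlSoapBindingFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.saml.attributeinterface:SOAPAttributeInterfaceMiddleware.filter_app_factory
+paste.filter_app_factory = ndg.security.server.wsgi.saml:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.soapbinding.
+
+saml.soapbinding.deserialise = saml.xml.etree:AttributeQueryElementTree.fromXML
+
+# Specialisation to incorporate ESG Group/Role type
+saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML
 
 saml.soapbinding.pathMatchList = /AttributeAuthority/saml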