Changeset 6633


Timestamp:
24/02/10 16:01:49 (9 years ago)
Author:
pjkersha
Message:

Merging in changes from 6557

Location:
TI12-security/branches/ndg-security-1.5.x
Files:
3 added
13 edited

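--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authn.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authn.py
@@ -325,5 +325,14 @@
     ndg.security.server.wsgi.openid.relyingparty.OpenIDRelyingPartyMiddleware
     which performs a similar function.
-    """
+    """    
+    _sslAuthnSucceeded = lambda self: self.environ.get(
+                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
+                    False)
+        
+    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
+                                 doc="Boolean indicating SSL authentication "
+                                     "has succeeded in "
+                                     "AuthKitSSLAuthnMiddleware upstream of "
+                                     "this middleware")
     
     @NDGSecurityMiddlewareBase.initCall
@@ -369,14 +378,4 @@
                                    "'REMOTE_USER' environment variable is set")
     
-    _sslAuthnSucceeded = lambda self: self.environ.get(
-                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
-                    False)
-        
-    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
-                                 doc="Boolean indicating SSL authentication "
-                                     "has succeeded in "
-                                     "AuthKitSSLAuthnMiddleware upstream of "
-                                     "this middleware")
-    
     def __init__(self, app, app_conf, **local_conf):
         super(AuthKitRedirectResponseMiddleware, self).__init__(app, app_conf,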
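Review bot: The relocated `_sslAuthnSucceeded` at new lines 328–330 still binds a lambda to a name only so it can feed `property(fget=...)`; a plain method reads better and carries a real `__name__` in tracebacks: `def _sslAuthnSucceeded(self):` / `    return self.environ.get(AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME, False)`, with the `property(...)` line left as is. The `False` default means a deployment without AuthKitSSLAuthnMiddleware upstream is read as "not SSL-authenticated" rather than raising, which is the safe direction but deserves a line such as `# Missing key => upstream SSL authn did not run; treat as not authenticated`. The new closing `"""` at line 327 picks up trailing whitespace. The enclosing class starts before and ends after both hunks.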
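--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
@@ -586,5 +586,7 @@
                                                     uri=attributeAuthorityURI)
             for assertion in response.assertions:
-                credentialWallet.addCredential(assertion)
+                credentialWallet.addCredential(assertion,
+                                   attributeAuthorityURI=attributeAuthorityURI,
+                                   verifyCredential=False)
             
             log.debug("SamlPIPMiddleware.attributeQuery: updating Credential "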
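Review bot: `verifyCredential=False` at new line 590 switches off whatever check `addCredential` would otherwise apply to an assertion that has just arrived from the attribute authority, and nothing in the hunk says why that is acceptable; add a comment naming where the assertion's signature and validity period are checked instead, e.g. `# verifyCredential=False: assertion comes straight from the AA query at line 586 and is verified on that path — TODO confirm where`. If no such check exists on the query path, this call is the place to leave it on. The enclosing method (`attributeQuery`, judging by the log message at line 592) starts and ends outside the hunk.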
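--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py
@@ -142,5 +142,5 @@
         """Wrap MyProxy logon method as a WSGI app
         """
-        if environ['HTTP_METHOD'] == 'GET':
+        if environ.get('REQUEST_METHOD') == 'GET':
             # No certificate request passed with GET call
             # TODO: retire this method? - keys are generated here instead of
@@ -148,5 +148,5 @@
             certReq = None
             
-        elif environ['HTTP_METHOD'] == 'POST':
+        elif environ.get('REQUEST_METHOD') == 'POST':
             
             pemCertReq = environ[
@@ -160,5 +160,6 @@
             status = self.getStatusMessage(httplib.UNAUTHORIZED)
             response = ("HTTP request method %r not recognised for this "
-                        "request " % environ['HTTP_METHOD'])
+                        "request " % environ.get('REQUEST_METHOD',
+                                                 '<Not set>'))
             
         try: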
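Review bot: `REQUEST_METHOD` is a mandatory WSGI environ key (PEP 333), so the `'<Not set>'` fallback at new lines 162–163 guards a case a conforming server cannot produce, and plain `environ['REQUEST_METHOD']` would match the indexing style used two lines down (`environ[` at line 152); the fix itself is right, since `HTTP_METHOD` is never populated by a WSGI server and the old code could only ever reach the error branch. While here, that branch (line 160) answers an unrecognised method with `httplib.UNAUTHORIZED`; `httplib.METHOD_NOT_ALLOWED` plus an `Allow: GET, POST` header describes the condition and stops clients from retrying with credentials. The enclosing function starts before and ends after these hunks.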
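--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/saml/__init__.py
@@ -223,4 +223,7 @@
         response = soapResponse.serialize()
         
+        log.debug("SOAPAttributeInterfaceMiddleware.__call__: sending response "
+                  "...\n\n%s",
+                  response)
         start_response("200 OK",
                        [('Content-length', str(len(response))),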
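Review bot: The new `log.debug` at lines 225–227 writes the complete serialised SOAP response — the SAML assertion and whatever user attributes it carries — to the log, and nothing marks that as sensitive; put `# Full response body (user attributes) goes to the log at DEBUG only` above it so operators know what enabling debug output on this logger exposes, and consider logging `len(response)` at that level with the body behind a separate switch. The lazy `%s` argument form is the right choice here, since serialisation cost is only paid when the level is enabled. The enclosing `__call__` starts outside the hunk.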
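--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/ssl.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/ssl.py
@@ -56,4 +56,5 @@
     CACERT_FILEPATH_LIST_OPTNAME = 'caCertFilePathList'
     CLIENT_CERT_DN_MATCH_LIST_OPTNAME = 'clientCertDNMatchList'
+    CLIENT_CERT_DN_MATCH_LIST_SEP_PAT = re.compile(',\s*')
     SSL_KEYNAME_OPTNAME = 'sslKeyName'
     SSL_CLIENT_CERT_KEYNAME_OPTNAME = 'sslClientCertKeyName'
@@ -78,5 +79,5 @@
     AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
                                        'ApacheSSLAuthnMiddleware.authenticated')
-     
+
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
         
@@ -212,6 +213,7 @@
         if isinstance(value, basestring):
             # Try parsing a space separated list of file paths
-            self.__clientCertDNMatchList = [X500DN(dn=dn)
-                                            for dn in value.split()]
+            pat = ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_SEP_PAT
+            dnList = pat.split(value)
+            self.__clientCertDNMatchList = [X500DN(dn=dn) for dn in dnList]
             
         elif isinstance(value, (list, tuple)):
@@ -225,7 +227,7 @@
                     raise TypeError('Expecting a string, or %r type for "%s" '
                                     'list item; got %r' %
-                (X500DN,
-                 ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
-                 type(dn)))
+                    (X500DN,
+                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
+                     type(dn)))
                     
         else: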
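Review bot: The comment kept at line 214, `# Try parsing a space separated list of file paths`, now sits above code that splits a comma separated list of DNs (new lines 215–217); change it to `# Parse a comma separated list of DNs`. The pattern at new line 58 should be a raw string, `CLIENT_CERT_DN_MATCH_LIST_SEP_PAT = re.compile(r',\s*')`, so that `\s` is a regex escape rather than an invalid string escape. Splitting on commas also means a DN whose attribute value itself contains a comma cannot be expressed through this option at all; the slash-separated form used by the test config avoids that, and the option's documentation should say values must not contain commas. `re` has to be imported at the top of the file, which is outside the hunks, and the setter these lines belong to starts before hunk three.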
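--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
@@ -25,3 +25,13 @@
         </Attributes>
     </Target>
+    <!-- Test inclusion of ampersand -->
+    <Target>
+        <URIPattern>^/test_securedURI[?&amp;]MyQueryParam=100</URIPattern>
+        <Attributes>
+            <Attribute>
+                <Name>urn:siteA:security:authz:1.0:attr:staff</Name>
+                <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI>
+            </Attribute>
+        </Attributes>
+    </Target>
 </Policy>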
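Review bot: The new `URIPattern` at line 29 is anchored with `^` but not `$`, so if the policy engine applies it as a regular expression it also matches `/test_securedURI?MyQueryParam=1000` and any longer query string; since fixture patterns tend to be copied into real policies, anchor it: `<URIPattern>^/test_securedURI[?&amp;]MyQueryParam=100$</URIPattern>`. The test that drives this target uses the exact URI `/test_securedURI?MyQueryParam=100`, so the anchor does not change its outcome. The `&amp;` entity is the correct way to get a literal `&` into the character class, which is what the comment at line 27 says the target is for.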
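--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/authz/msi/test_msi.py
@@ -59,4 +59,5 @@
             assert(attribute.attributeAuthorityURI)
 
+                        
 
 class PIPPlaceholder(PIPBase):
@@ -81,4 +82,5 @@
     PERMITTED_RESOURCE_URI = '/test_securedURI'
     DENIED_RESOURCE_URI = '/test_accessDeniedToSecuredURI'
+    WITH_ESCAPE_CHARS_RESOURCE_URI = '/test_securedURI?MyQueryParam=100'
     
     def setUp(self):
@@ -104,4 +106,11 @@
         self.assert_(response.status == Response.DECISION_DENY)
 
+    def test03WithEscapeCharsInPolicy(self):
+        self.request.resource[Resource.URI_NS
+                              ] = PDPTestCase.WITH_ESCAPE_CHARS_RESOURCE_URI
+        response = self.pdp.evaluate(self.request)
+        
+        self.assert_(response.status == Response.DECISION_PERMIT)
+
         
 if __name__ == "__main__":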
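Review bot: The subscript in `test03WithEscapeCharsInPolicy` (new lines 109–110) is broken across the brackets so that `]` opens a line, which reads like a syntax slip; bind the URI first: `uri = PDPTestCase.WITH_ESCAPE_CHARS_RESOURCE_URI` / `self.request.resource[Resource.URI_NS] = uri`. A one-line docstring stating what is asserted — that a target whose pattern contains an escaped `&amp;` still yields `DECISION_PERMIT` for the matching URI — would explain the test's name to the next reader. New line 61 is whitespace-only and can be dropped.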
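--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py
@@ -248,5 +248,5 @@
         
     def setUp(self):
-        self.assertion =self._createAssertion()
+        self.assertion = self._createAssertion()
         
     def _createAssertion(self, timeNow=None, validityDuration=60*60*8,
@@ -322,5 +322,20 @@
         self.assert_(len(wallet.credentials) == 0)
 
-    def test04ReplaceCredential(self):
+    def test04ClockSkewTolerance(self):
+        # Add a short lived credential but with the wallet set to allow for
+        # a clock skew of
+        shortExpiryAssertion = self._createAssertion(validityDuration=1)
+        wallet = SAMLCredentialWallet()
+        
+        # Set a tolerance of five seconds
+        wallet.clockSkewTolerance = 5.*60*60
+        wallet.addCredential(shortExpiryAssertion)
+        
+        self.assert_(len(wallet.credentials) == 1)
+        sleep(2)
+        wallet.audit()
+        self.assert_(len(wallet.credentials) == 1)
+        
+    def test05ReplaceCredential(self):
         # Replace an existing credential from a given institution with a more
         # up to date one
@@ -332,15 +347,15 @@
         wallet.addCredential(newAssertion)
         self.assert_(len(wallet.credentials) == 1)
-        self.assert_(newAssertion.conditions.notOnOrAfter==\
+        self.assert_(newAssertion.conditions.notOnOrAfter == \
                      wallet.credentials[
                         SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME
                     ].credential.conditions.notOnOrAfter)
         
-    def test05CredentialsFromSeparateSites(self):
+    def test06CredentialsFromSeparateSites(self):
         wallet = self._addCredential()
         wallet.addCredential(self._createAssertion(issuerName="MySite"))
         self.assert_(len(wallet.credentials) == 2)
 
-    def test06Pickle(self):
+    def test07Pickle(self):
         wallet = self._addCredential()
         outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w')
@@ -353,4 +368,12 @@
             SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI))
         
+        self.assert_(unpickledWallet.credentials.items()[0][1].issuerName == \
+                     BaseTestCase.SITEA_SAML_ISSUER_NAME)
+
+    def test08CreateFromConfig(self):
+        wallet = SAMLCredentialWallet.fromConfig(
+                                SAMLCredentialWalletTestCase.CONFIG_FILEPATH)
+        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01))
+        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw')
         
 if __name__ == "__main__":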
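Review bot: In `test04ClockSkewTolerance` the comment at new line 330 says `# Set a tolerance of five seconds` but line 331 assigns `5.*60*60`, i.e. 18000 seconds; one of the two is wrong, and with a five-hour window the test no longer shows that a 1-second credential survives the 2-second wait *because of* the tolerance. If the unit is seconds — test08 at line 376 compares the same attribute with `timedelta(seconds=0.01)` — then `wallet.clockSkewTolerance = 5.` matches the comment, and the unfinished comment at line 326 (`# a clock skew of`) should state the figure. `sleep(2)` makes this a wall-clock test, so a tolerance only slightly larger than the sleep keeps it meaningful without slowing the suite further. `sleep` and `timedelta` must be imported above the hunks, which is outside this section.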
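--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/credentialwallet/test_samlcredentialwallet.cfg
@@ -9,14 +9,4 @@
 # $Id:$
 [DEFAULT]
-clockSkew = 0.
+clockSkewTolerance = 0.01
 userId = https://openid.localhost/philip.kershaw
-issuerDN = /O=Site A/CN=Authorisation Service
-attributeAuthorityURI = https://localhost:5443/AttributeAuthority/saml
-queryAttributes.0 = urn:esg:first:name, FirstName, http://www.w3.org/2001/XMLSchema#string
-queryAttributes.roles = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
-
-# SSL Context Proxy settings
-sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
-sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.crt
-sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/test.key
-sslValidDNs = /C=UK/ST=Oxfordshire/O=BADC/OU=Security/CN=localhost, /O=Site A/CN=Attribute Authority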
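Review bot: `clockSkewTolerance = 0.01` at new line 11 carries no unit, and the test that reads this file compares the parsed value with `timedelta(seconds=0.01)`; a comment line above it, `# Tolerance for clock skew between issuer and wallet, in seconds`, saves the next reader the lookup and records the unit the setter expects. The rename from `clockSkew` means any other config still using the old key would silently fall back to whatever default the wallet applies, which is worth checking across the test tree.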
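--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py
@@ -63,6 +63,6 @@
     x509CertFilePath = mkDataDirPath(os.path.join('pki', 'localhost.crt'))
     
-    def get_current_cert(self):
-        return X509.load_cert(X509StoreCtxPlaceHolder.x509CertFilePath)
+    def get1_chain(self):
+        return [X509.load_cert(X509StoreCtxPlaceHolder.x509CertFilePath)]
     
 class IdPValidationTestCase(BaseTestCase):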
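Review bot: `get1_chain` at new lines 65–66 stands in for M2Crypto's `X509_Store_Context.get1_chain`, which hands back the whole certificate chain, whereas the placeholder returns a one-element list holding only the leaf certificate; a docstring such as `"""Placeholder for X509_Store_Context.get1_chain: returns a single-element chain"""` tells the reader the shortened chain is deliberate. Whether the code under test only looks at element 0 or walks the list is not visible from this section, so the placeholder's coverage of the real validation path should be confirmed.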
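--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test.ini
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test.ini
@@ -6,5 +6,5 @@
 [DEFAULT]
 username = testuser
-#password =
+password = testpasswd
 
 [server:main]
@@ -23,5 +23,4 @@
 http.auth.basic.rePathMatchList = .*
 myproxy.logonFuncEnvKeyName = myProxyLogon
-#myproxy.client.hostname = localhost
-myproxy.client.hostname = glue.badc.rl.ac.uk
-myproxy.client.serverDN = /O=NDG/OU=BADC/CN=glue.badc.rl.ac.uk
+myproxy.client.hostname = localhost
+myproxy.client.serverDN = /O=NDG/OU=BADC/CN=localhost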
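Review bot: New line 8 commits a plaintext `password = testpasswd` where the previous revision deliberately left the key commented out; even for a test fixture, a credential in version control tends to outlive its purpose, and the sibling `.cfg` in this changeset already reads paths from the environment (`$NDGSEC_TEST_CONFIG_DIR`), so the same mechanism — `password = $NDGSEC_MYPROXY_TEST_PASSWD` (placeholder variable name) — or leaving the key blank with a comment on how to supply it keeps the secret out of the repository, provided the config loader expands such references here. Pointing `myproxy.client.hostname` and `serverDN` at localhost (new lines 25–26) is the right direction for a unit test, since the removed lines targeted a real host.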
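--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test_myproxy.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test_myproxy.py
@@ -20,5 +20,5 @@
 from paste.deploy import loadapp
 
-from M2Crypto import X509
+from M2Crypto import X509, RSA, EVP, m2
 
 from ndg.security.test.unit import BaseTestCase
@@ -210,4 +210,5 @@
         
         # Create key pair
+        nBitsForKey = 2048
         keys = RSA.gen_key(nBitsForKey, m2.RSA_F4)
         certReq = X509.Request()
@@ -224,5 +225,5 @@
         certReq.set_subject_name(x509Name)
         
-        certReq.sign(pubKey, messageDigest)
+        certReq.sign(pubKey, "md5")
 
         pemCertReq = certReq.as_pem()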
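Review bot: `certReq.sign(pubKey, "md5")` at new line 227 signs the certificate request with MD5, a digest with known practical collisions; M2Crypto's `sign` accepts `"sha256"` for the same call, so `certReq.sign(pubKey, "sha256")` unless the MyProxy server under test is known to reject it — and in that case a comment saying so. The replaced `messageDigest` name suggests the digest was meant to be a named value; a constant beside `nBitsForKey` at line 212 keeps both key-strength choices in one place. `EVP` in the widened import at line 22 is not used in the visible hunks. The enclosing test method starts before the second hunk and ends after the third.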
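--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini
@@ -23,3 +23,3 @@
 ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
 ssl.rePathMatchList = ^/secured/.*$ ^/restrict.*
-ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test /O=localhost/OU=local/CN=test2
+ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test, /O=localhost/OU=local client/CN=test 2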