Changeset 7327

Timestamp:

16/08/10 13:54:09 (9 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• added unit tests for XACML Context handler

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/X509.py (modified) (2 diffs)
• ndg_security_common/ndg/security/common/authz/pip/esginterface.py (deleted)
• ndg_security_server/ndg/security/server/wsgi/authz/service.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (6 diffs)
• ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py (modified) (8 diffs)
• ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/x509/test_x509.py (modified) (3 diffs)
• ndg_security_test/ndg/security/test/unit/xacml/pip-mapping.txt (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/xacml/saml_ctx_handler.cfg (added)
• ndg_security_test/ndg/security/test/unit/xacml/test_saml_ctx_handler.py (added)
• ndg_security_test/ndg/security/test/unit/xacml/test_saml_pip.py (modified) (4 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py

@@ -698 +698 @@
         'userid':                       'UID'
     }
-    PARSER_RE_STR = '/(%s)=' % '|'.join(__shortNameLUT.keys() + 
-                                        __shortNameLUT.values())
-    
-    PARSER_RE = re.compile(PARSER_RE_STR)
+    SLASH_PARSER_RE_STR = '/(%s)=' % '|'.join(__shortNameLUT.keys() + 
+                                              __shortNameLUT.values())    
+    SLASH_PARSER_RE = re.compile(SLASH_PARSER_RE_STR)
+
+    COMMA_PARSER_RE_STR = '[,]?\s*(%s)=' % '|'.join(__shortNameLUT.keys() + 
+                                                    __shortNameLUT.values())    
+    COMMA_PARSER_RE = re.compile(COMMA_PARSER_RE_STR)
     
     def __init__(self, dn=None, m2CryptoX509Name=None, separator=None):
@@ -894 +897 @@
             self.__separator = separator
 
-
         # If no separator has been set, parse if from the DN string            
         if self.__separator is None:
             self.__separator = self.parseSeparator(dn)
 
+        if self.__separator == '/':
+            parserRe = self.__class__.SLASH_PARSER_RE
+            
+        elif self.__separator == ',':
+            parserRe = self.__class__.COMMA_PARSER_RE
+        else:
+            raise X500DNError("DN field separator %r not recognised" % 
+                              self.__separator)
+        
         try:
-            dnFields = X500DN.PARSER_RE.split(dn)
+            dnFields = parserRe.split(dn)
             if len(dnFields) < 2:
                 raise X500DNError("Error parsing DN string: \"%s\"" % dn)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/service.py

@@ -49 +49 @@
     
     POLICY_FILEPATH_OPTNAME = 'policyFilePath'
-    PIP_CFG_PREFIX = 'pip.'
     
     __slots__ = (
@@ -98 +97 @@
             
         # Initialise the XACML Context handler
-        ctxHandlerPrefix = prefix + \
-                                self.__class__.XACML_CTX_HANDLER_PARAM_PREFIX
-        lenCtxHandlerPrefix = len(ctxHandlerPrefix)
-                                
-        for optName, value in app_conf.items():
-            if optName.startswith(ctxHandlerPrefix):
-                attrName = optName[lenCtxHandlerPrefix:]
-                setattr(self.__xacmlCtxHandler, attrName, value)
-                
-        # Read XACML policy into PDP
-        self.__xacmlCtxHandler.pdp = PDP.fromPolicySource(policyFilePath,
-                                                XacmlEtreePolicyReaderFactory)
         
     @classmethod

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -12 +12 @@
 log = logging.getLogger(__name__)
 
+from os import path
+from ConfigParser import SafeConfigParser, ConfigParser
 from datetime import datetime, timedelta
 from uuid import uuid4
@@ -18 +20 @@
 from ndg.saml.common import SAMLVersion
 
+from ndg.xacml.core.context.pdp import PDP
 from ndg.xacml.core import context as _xacmlContext
 from ndg.xacml.core.attribute import Attribute as XacmlAttribute
 from ndg.xacml.core.attributevalue import AttributeValueClassFactory as \
     XacmlAttributeValueClassFactory
-from ndg.xacml.parsers.etree.factory import ReaderFactory
+from ndg.xacml.parsers.etree.factory import ReaderFactory as \
+    XacmlPolicyReaderFactory
 
 from ndg.security.server.xacml.pip.saml_pip import PIP
@@ -65 +69 @@
     Interface
     """
+    DEFAULT_OPT_PREFIX = 'saml_ctx_handler.'
+    PIP_OPT_PREFIX = 'pip.'
+    
     __slots__ = (
         '__policyFilePath',
@@ -74 +81 @@
         super(SamlCtxHandler, self).__init__()
         
-        # Proxy object for SAML Response Issuer attributes.  By generating a 
-        # proxy the Response objects inherent attribute validation can be 
-        # applied to Issuer related config parameters before they're assigned to
-        # the response issuer object generated in the authorisation decision 
-        # query response
+        # Proxy object for SAML AuthzDecisionQueryResponse Issuer attributes.  
+        # By generating a proxy the Response objects inherent attribute 
+        # validation can be applied to Issuer related config parameters before 
+        # they're assigned to the response issuer object generated in the 
+        # authorisation decision query response
         self.__issuerProxy = _saml.Issuer()
         self.__assertionLifetime = 0.
+        self.__policyFilePath = None
         
         # Policy Information Point
         self.pip = PIP()
-
+    
+    @classmethod
+    def fromConfig(cls, cfg, **kw):
+        '''Alternative constructor makes object from config file settings
+        @type cfg: basestring /ConfigParser derived type
+        @param cfg: configuration file path or ConfigParser type object
+        @rtype: ndg.security.server.xacml.ctx_handler.saml_ctx_handler
+        @return: new instance of this class
+        '''
+        obj = cls()
+        obj.parseConfig(cfg, **kw)
+        
+        if obj.policyFilePath:
+            obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
+                                           XacmlPolicyReaderFactory)
+            
+        return obj
+
+    def parseConfig(self, cfg, prefix=DEFAULT_OPT_PREFIX, section='DEFAULT'):
+        '''Read config settings from a file, config parser object or dict
+        
+        @type cfg: basestring / ConfigParser derived type / dict
+        @param cfg: configuration file path or ConfigParser type object
+        @type prefix: basestring
+        @param prefix: prefix for option names e.g. "attributeQuery."
+        @type section: basetring
+        @param section: configuration file section from which to extract
+        parameters.
+        '''  
+        if isinstance(cfg, basestring):
+            cfgFilePath = path.expandvars(cfg)
+            
+            # Add a 'here' helper option for setting dir paths in the config
+            # file
+            hereDir = path.abspath(path.dirname(cfgFilePath))
+            _cfg = SafeConfigParser(defaults={'here': hereDir})
+            
+            # Make option name reading case sensitive
+            _cfg.optionxform = str
+            _cfg.read(cfgFilePath)
+            items = _cfg.items(section)
+            
+        elif isinstance(cfg, ConfigParser):
+            items = cfg.items(section)
+         
+        elif isinstance(cfg, dict):
+            items = cfg.items()     
+        else:
+            raise AttributeError('Expecting basestring, ConfigParser or dict '
+                                 'type for "cfg" attribute; got %r type' % 
+                                 type(cfg))
+        
+        self.__parseFromItems(items, prefix=prefix)
+        
+    def __parseFromItems(self, items, prefix=DEFAULT_OPT_PREFIX): 
+        """Update from list of tuple name, value pairs - for internal use
+        by parseKeywords and parseConfig
+        """
+        prefixLen = len(prefix) 
+        pipPrefix = self.__class__.PIP_OPT_PREFIX
+        pipPrefixLen = len(pipPrefix)
+        
+        def _setAttr(__optName):
+            # Check for PIP attribute related items
+            if __optName.startswith(pipPrefix):
+                setattr(self.pip, __optName[pipPrefixLen:], val)
+            else:
+                setattr(self, __optName, val)
+                
+        for optName, val in items:
+            if prefix:
+                # Filter attributes based on prefix
+                if optName.startswith(prefix):
+                    _optName = optName[prefixLen:]
+                    _setAttr(_optName)
+            else:
+                # No prefix set - attempt to set all attributes   
+                _setAttr(optName)
+        
+    def parseKeywords(self, prefix=DEFAULT_OPT_PREFIX, **kw):
+        """Update object from input keywords
+        
+        @type prefix: basestring
+        @param prefix: if a prefix is given, only update self from kw items 
+        where keyword starts with this prefix
+        @type kw: dict
+        @param kw: items corresponding to class instance variables to 
+        update.  Keyword names must match their equivalent class instance 
+        variable names.  However, they may prefixed with <prefix>
+        """
+        self.__parseFromItems(kw.items(), prefix=prefix)
+                
+    @classmethod
+    def fromKeywords(cls, prefix=DEFAULT_OPT_PREFIX, **kw):
+        """Create a new instance initialising instance variables from the 
+        keyword inputs
+        @type prefix: basestring
+        @param prefix: if a prefix is given, only update self from kw items 
+        where keyword starts with this prefix
+        @type kw: dict
+        @param kw: items corresponding to class instance variables to 
+        update.  Keyword names must match their equivalent class instance 
+        variable names.  However, they may prefixed with <prefix>
+        @return: new instance of this class
+        @rtype: ndg.saml.saml2.binding.soap.client.SOAPBinding or derived type
+        """
+        obj = cls()
+        obj.parseKeywords(prefix=prefix, **kw)
+        
+        if obj.policyFilePath:
+            obj.pdp = PDP.fromPolicySource(obj.policyFilePath, 
+                                           XacmlPolicyReaderFactory)
+                    
+        return obj
+                                       
+    def _getPolicyFilePath(self):
+        return self.__policyFilePath
+
+    def _setPolicyFilePath(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "policyFilePath"; got '
+                            '%r' % type(value))
+        self.__policyFilePath = path.expandvars(value)
+
+    policyFilePath = property(_getPolicyFilePath, 
+                              _setPolicyFilePath, 
+                              doc="Policy file path for policy used by the PDP")
+       
     def _getIssuerFormat(self):
         if self.__issuerProxy is None:
@@ -131 +266 @@
                                      "set assertion conditions notOnOrAfter "
                                      "time")
-        
+ 
     def handlePEPRequest(self, pepRequest):
         """Handle request from Policy Enforcement Point
@@ -181 +316 @@
         
     def pipQuery(self, request, designator):
-        """Query a Policy Information Point to retrieve the attribute values
+        """Implements interface method:
+        
+        Query a Policy Information Point to retrieve the attribute values
         corresponding to the specified input designator.  Optionally, update the
         request context.  This could be a subject, environment or resource.  
         Matching attributes values are returned
-        """
-        return self.pip.query(request, designator)
+        
+        @param request: request context
+        @type request: ndg.xacml.core.context.request.Request
+        @param designator: designator requiring additional subject attribute 
+        information
+        @type designator: ndg.xacml.core.expression.Expression derived type
+        @return: list of attribute values for subject corresponding to given
+        policy designator.  Return None if none can be found
+        @rtype: ndg.xacml.utils.TypedList(<designator attribute type>) / None
+        """
+        return self.pip.attributeQuery(request, designator)
     
     def _createXacmlRequestCtx(self, samlAuthzDecisionQuery):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py

@@ -15 +15 @@
 from ConfigParser import SafeConfigParser, ConfigParser
 
+from ndg.xacml.core.attributedesignator import SubjectAttributeDesignator
+from ndg.xacml.core.attribute import Attribute as XacmlAttribute
+from ndg.xacml.core.attributevalue import AttributeValueClassFactory as \
+    XacmlAttributeValueClassFactory
 from ndg.xacml.core.context.pipinterface import PIPInterface
-from ndg.xacml.core.context.request import Request
+from ndg.xacml.core.context.request import Request as XacmlRequestCtx
 
 from ndg.saml.saml2.core import (AttributeQuery as SamlAttributeQuery, 
                                  Attribute as SamlAttribute)
-from ndg.saml.utils import TypedList
+from ndg.saml.utils import TypedList as SamlTypedList
 from ndg.saml.saml2.binding.soap.client.attributequery import \
                                             AttributeQuerySslSOAPBinding
@@ -47 +51 @@
     DEFAULT_OPT_PREFIX = 'saml_pip.'
 
+    XACML_ATTR_VAL_CLASS_FACTORY = XacmlAttributeValueClassFactory()
+    
     __slots__ = (
         '__subjectAttributeId',
@@ -113 +119 @@
         @type cfg: basestring /ConfigParser derived type
         @param cfg: configuration file path or ConfigParser type object
-        @rtype: ndg.saml.saml2.binding.soap.client.SOAPBinding
+        @rtype: ndg.security.server.xacml.pip.saml_pip.PIP
         @return: new instance of this class
         '''
@@ -120 +126 @@
         
         return obj
-    
-    def __setAttr(self, optName, val): 
-        """Helper method to differentiate attribute query binding option names
-        from other config options
-        
-        @param optName: config file option name
-        @type optName: basestring
-        @param val: corresponding value
-        @type val: basestring
-        """
-        if optName.startswith(self.__class__.ATTRIBUTE_QUERY_ATTRNAME):
-            setattr(self, 
-                    optName[self.__class__.ATTRIBUTE_QUERY_ATTRNAME_OFFSET:],
-                    val)
-        else:
-            setattr(self, optName, val)
 
     def parseConfig(self, cfg, prefix=DEFAULT_OPT_PREFIX, section='DEFAULT'):
@@ -204 +194 @@
             setattr(self.__attributeQueryBinding, queryAttrName, value)
         else:
-            super(PIP, self).__setattr__(name, value)    
+            super(PIP, self).__setattr__(name, value)
     
     def readMappingFile(self):
@@ -218 +208 @@
         
     def attributeQuery(self, context, attributeDesignator):
-        """Query this PIP for attributes.   
+        """Query this PIP for the given request context attribute specified by
+        the attribute designator.  Nb. this implementation is only intended to
+        accept queries for a given *subject* in the request
         
         @param context: the request context
         @type context: ndg.xacml.core.context.request.Request
-        @rtype: 
-        @return: attribute values found for query subject
+        @param designator: 
+        @type designator: ndg.xacml.core.attributedesignator.SubjectAttributeDesignator
+        @rtype: ndg.xacml.utils.TypedList(<attributeDesignator.dataType>) / None
+        @return: attribute values found for query subject or None if none 
+        could be found
         """
-        if not isinstance(context, Request):
+        
+        # Check the attribute designator type - this implementation takes
+        # queries for request context subjects only
+        if not isinstance(attributeDesignator, SubjectAttributeDesignator):
+            log.debug('This PIP query interface can only accept subject '
+                      'attribute designator related queries')
+            return None
+        
+        if not isinstance(context, XacmlRequestCtx):
             raise TypeError('Expecting %r type for context input; got %r' %
-                            (Request, type(context)))
+                            (XacmlRequestCtx, type(context)))
         
         # TODO: Check for cached attributes for this subject (i.e. user)        
@@ -243 +246 @@
                       attributeDesignator.attributeId)
             
-            return []
+            return None
         
         # Get subject from the request context
@@ -283 +286 @@
             self.attributeQueryBinding.subjectID = ''
             self.attributeQueryBinding.subjectIdFormat = ''
-            self.attributeQueryBinding.query.attributes = TypedList(
+            self.attributeQueryBinding.query.attributes = SamlTypedList(
                                                                 SamlAttribute)
         
-        # Unpack SAML assertion attribute values corresponding to the name 
-        # format specified
-        attributeValues = []
+        # Unpack SAML assertion attribute corresponding to the name 
+        # format specified and copy into XACML attributes      
+        xacmlAttribute = XacmlAttribute()
+        xacmlAttribute.attributeId = attributeDesignator.attributeId
+        xacmlAttribute.dataType = attributeFormat
+        
+        # Create XACML class from SAML type identifier
+        factory = self.__class__.XACML_ATTR_VAL_CLASS_FACTORY
+        xacmlAttrValClass = factory(attributeFormat)
+        
         for assertion in response.assertions:
             for statement in assertion.attributeStatements:
                 for attribute in statement.attributes:
                     if attribute.nameFormat == attributeFormat:
-                        attributeValues.append(attribute.attributeValues)
+                        # Convert SAML Attribute values to XACML equivalent 
+                        # types
+                        for samlAttrVal in attribute.attributeValues:  
+                            # Instantiate and initial new XACML value
+                            xacmlAttrVal = xacmlAttrValClass(
+                                                        value=samlAttrVal.value)
+                            
+                            xacmlAttribute.attributeValues.append(xacmlAttrVal)
         
         # Update the XACML request context subject with the new attributes
-        xacmlCtxSubject.attributes.append(attributeValues)
+        xacmlCtxSubject.attributes.append(xacmlAttribute)
         
         # Return the attributes to the caller to comply with the interface
-        return attributeValues
+        return xacmlAttribute.attributeValues
        

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py

@@ -131 +131 @@
         X500DN.fromString("/O=Site A/CN=Authorisation Service"), 
         X500DN.fromString("/O=Site B/CN=Authorisation Service"),
-        X500DN.fromString('/CN=test/O=NDG/OU=BADC')
+        X500DN.fromString('/CN=test/O=NDG/OU=BADC'),
+        X500DN.fromString('/O=NDG/OU=Security/CN=localhost')
     )
     

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/x509/test_x509.py

@@ -25 +25 @@
 
 from ConfigParser import SafeConfigParser
+
 from ndg.security.test.unit import BaseTestCase
-
-import warnings
-_warningMsg = None
-_origWarn = warnings.warn
-def _warnWrapper(*arg, **kw):
-    global _warningMsg
-    _warningMsg = arg[0]
-    _origWarn(*arg, **kw)
-
-warnings.warn = _warnWrapper
-
-from ndg.security.common.X509 import X509CertRead, X509CertParse, X500DN, \
-    X509Stack, X509StackEmptyError, SelfSignedCert, X509CertIssuerNotFound
+from ndg.security.common.X509 import (X509CertRead, X509CertParse, X500DN, 
+    X509Stack, X509StackEmptyError, SelfSignedCert, X509CertIssuerNotFound)
+
 
 class X509TestCase(BaseTestCase):
     """Unit test X509 module"""
     CA_DIR = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR, 'ca')
-    
-    def __del__(self):
-        warnings.warn = _origWarn
-        if getattr(super(X509TestCase, self), "__del__", None):
-            super(X509TestCase, self).__del__()
         
     def setUp(self):
@@ -189 +175 @@
         self.test01X509CertRead()
         
-        # Set ridiculous bounds for expiry warning to ensure a warning message
-        # is output
-        self.assert_(self.x509Cert.isValidTime(nDaysBeforeExpiryLimit=36500), 
-                                               "Certificate has expired")
-        if not _warningMsg:
-            self.fail("No warning message was set")
-        else:
-            print("PASSED - Got warning message from X509Cert."
-                  "isValidTime: %s" % _warningMsg)
-
-    def test10ReadStackFromCADir(self):
-        
-        stack = X509Stack.fromCADir(X509TestCase.CA_DIR)
-        self.assert_(stack)
-        self.assert_(len(stack) > 0)
+        warningMsg = None
+        
+        # Capture stderr
+        try:
+            warningOutput = StringIO()
+            _stderr = sys.stderr
+            sys.stderr = warningOutput
+            
+            # Set ridiculous bounds for expiry warning to ensure a warning 
+            # message is output
+            validStatus = self.x509Cert.isValidTime(
+                                                nDaysBeforeExpiryLimit=36500)
+            self.assert_(validStatus, "Certificate has expired")
+        finally:
+            sys.stderr = _stderr
+            warningMsg = warningOutput.getvalue()
+            
+        self.assert_("UserWarning" in str(warningMsg), 
+                     "No warning message was set")
+        
+        print("PASSED - Got warning message from X509Cert.isValidTime: %s" % 
+              warningMsg)
+
         
 class X500DNTestCase(BaseTestCase):
@@ -215 +209 @@
         self.assert_(str(dn))
         print(dn)
+        
+    def test02VerifyCommaSeparatedDnParsing(self):
+        # Test parsing for ',' delimited fields
+        dnStr = 'O=NDG, OU=Security, CN=localhost'
+        dn = X500DN.fromString(dnStr)
+        self.assert_(str(dn))
+        print(dn)
+        
                                       
 if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/pip-mapping.txt

@@ -19 +19 @@
 
 # Entries are whitespace delimited <attribute id> <attribute authority>
-urn:ndg:security:attributes https://localhost:5443/AttributeAuthority
+urn:siteA:security:authz:1.0:attr https://localhost:5443/AttributeAuthority
 myattributeid https://myattributeauthority.ac.uk/
 http://someotherattributeid.schema https://another.ac.uk/attributeservice/

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/test_saml_pip.py

@@ -38 +38 @@
     CONFIG_FILEPATH = path.join(THIS_DIR, CONFIG_FILENAME)
     
-    NDGS_ATTR_ID = 'urn:ndg:security:attributes'
+    NDGS_ATTR_ID = BaseTestCase.ATTRIBUTE_NAMES[0]
     OPENID_ATTR_ID = 'urn:esg:openid'
-    OPENID = 'https://localhost:7443/pjkershaw'
     
     CLNT_CERT_FILEPATH = path.join(BaseTestCase.PKI_DIR, 'localhost.crt')
@@ -83 +82 @@
                                                             openidAttr.dataType)
         
-        openidAttrVal = anyUriAttrValue(self.__class__.OPENID)
+        openidAttrVal = anyUriAttrValue(self.__class__.OPENID_URI)
         openidAttr.attributeValues.append(openidAttrVal) 
         
@@ -115 +114 @@
         ctx = self._createXacmlRequestCtx()
         
-        attributes = pip.attributeQuery(ctx, designator)
-        self.assert_(len(attributes) > 0)
+        attributeValues = pip.attributeQuery(ctx, designator)
+        self.assert_(len(attributeValues) > 0)
+        print("PIP retrieved attribute values %r" % attributeValues)
         
     def test04InitFromConfigFile(self):
@@ -122 +122 @@
         pip = PIP.fromConfig(self.__class__.CONFIG_FILEPATH)
         self.assert_(pip.mappingFilePath)
-        
-        for i in dir(PIP):
-            print("%s = %r" % (i, getattr(pip, i)))
+
         
 if __name__ == "__main__":