Changeset 7330 for TI12-security


Timestamp:
16/08/10 16:35:11 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • integrating XACML context handler with authorisation service.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
1 added
5 edited

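--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/service.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/service.py
@@ -12,9 +12,4 @@
 log = logging.getLogger(__name__)
 
-from ndg.xacml.core.context.pdp import PDP
-from ndg.xacml.parsers.etree.factory import ReaderFactory as \
-    XacmlEtreePolicyReaderFactory
-
-from ndg.security.common.authz.pip.esginterface import PIP
 from ndg.security.server.xacml.ctx_handler import saml_ctx_handler
 
@@ -41,5 +36,5 @@
     ENVIRON_KEYNAME_QUERY_IFACE_OPTNAME = 'queryInterfaceKeyName'
     
-    XACML_CTX_HANDLER_PARAM_PREFIX = 'xacmlContext.'
+    XACML_CTX_HANDLER_PARAM_PREFIX = 'ctx_handler.'
     
     # For loop based assignment where possible of config options in initialise()
@@ -86,13 +81,9 @@
         self.queryInterface = self.createQueryInterface()
         
-        # Initialise the Policy Information Point 
-        pipCfgPrefix = prefix + cls.PIP_CFG_PREFIX
-        pip = PIP.fromConfig(app_conf, prefix=pipCfgPrefix)
-        
-        policyFilePathOptName = prefix + cls.POLICY_FILEPATH_OPTNAME
-        policyFilePath = app_conf.get(policyFilePathOptName)
-        if policyFilePath is None:
-            raise AuthorisationServiceMiddlewareConfigError("No XACML policy "
-                                                            "file set")
+        # Initialise the XACML Context handler.  This handles PEP requests and
+        # PDP queries to the PIP
+        ctxHandlerPrefix = prefix + cls.XACML_CTX_HANDLER_PARAM_PREFIX
+        self.__xacmlCtxHandler = saml_ctx_handler.SamlCtxHandler.fromKeywords(
+                                                ctxHandlerPrefix, **app_conf)
             
         # Initialise the XACML Context handler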
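Review bot: The rewritten initialisation at lines 83-87 drops the explicit `policyFilePath is None` guard that previously raised `AuthorisationServiceMiddlewareConfigError("No XACML policy file set")`; unless `SamlCtxHandler.fromKeywords` rejects a missing `ctx_handler.policyFilePath` itself (not visible here), a misconfigured deployment could now bring up the authorisation service without a policy and only fail later, or less loudly. Worth confirming in saml_ctx_handler, or re-adding the check before the `fromKeywords` call. The context line 89 still reads `# Initialise the XACML Context handler`, which now duplicates the new comment at line 83; if the code beneath it is the pre-existing handler construction it needs removing, otherwise the comment should say what that block actually sets up. The enclosing method starts and ends outside the hunk (both `cls` and `self` are in scope, so its signature is not visible).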
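--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
@@ -233,5 +233,6 @@
 
     issuerFormat = property(_getIssuerFormat, _setIssuerFormat, 
-                            doc="Issuer format")
+                            doc="Issuer format of SAML Authorisation Query "
+                                "Response")
 
     def _getIssuerName(self):
@@ -280,4 +281,9 @@
         xacmlRequest = self._createXacmlRequestCtx(samlAuthzDecisionQuery)
         
+        # Add a reference to this context so that the PDP can invoke queries
+        # back to the PIP
+        xacmlRequest.ctxHandler = self
+        
         # Call the PDP
         xacmlResponse = self.pdp.evaluate(xacmlRequest)
@@ -287,4 +292,5 @@
                                                         pepRequest.response)
         
+        # Assume only a single assertion authorisation decision statements
         samlAuthzDecisionStatement = samlResponse.assertions[0
                                                 ].authzDecisionStatements[0]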
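Review bot: The new comment at line 294 documents an assumption the code below it does not check: `samlResponse.assertions[0].authzDecisionStatements[0]` raises IndexError when the response carries no assertion or no decision statement, so that case surfaces as an unhandled error in the authorisation path rather than a deliberate outcome. An explicit check with a descriptive error before the indexing would make the failure mode intentional; at minimum the comment should read `# Assume a single assertion carrying a single authorisation decision statement`. The back-reference `xacmlRequest.ctxHandler = self` at line 285 sets an attribute on the request context object; if that class does not declare `ctxHandler`, this relies on arbitrary attribute assignment being permitted and on the PDP/PIP looking the attribute up by that exact name, which deserves a one-line comment naming where it is read. The enclosing method starts and ends outside the hunk.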
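--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
@@ -40,6 +40,47 @@
 prefix = authz.
 authz.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
-authz.policyFilePath = %(here)s/policy.xml
+
 authz.xacmlContext.assertionLifetime = 86400
+
+#
+# XACML Context handler manages PEP (Policy Information Point) requests and the 
+# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point)
+# 
+
+# XACML Policy file
+authz.ctx_handler.policyFilePath = %(here)s/policy.xml
+
+# Settings for SAML authorisation decision response to a Policy Enforcement Point
+# making a decision query
+authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost
+authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+authz.ctx_handler.assertionLifetime = 86400
+
+#
+# Policy Information Point interface settings
+#
+# The Context handler is a client to the PIP, passing on attribute queries 
+# on behalf of the PDP onwards to the PIP
+
+# 
+# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a 
+# query from the XACML context handler, checks the attribute(s) being queried 
+# for and looks up this mapping to determine which attribute authority to query 
+# to find out if the subject has the attribute in their entitlement
+authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt
+
+# The attribute ID of the subject value to extract from the XACML request
+# context and pass in the SAML attribute query
+authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid
+
+# The context handler 
+authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
+authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s
+
+# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
+authz.ctx_handler.pip.attributeQuery.sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.crt
+authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.key
+authz.ctx_handler.pip.attributeQuery.sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
+
 
 # Logging configuration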
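Review bot: The new comment at line 46 expands PEP as `Policy Information Point`; the PEP is the Policy Enforcement Point and the PIP is the Policy Information Point, so as written the comment inverts the roles it describes two lines later. Suggested: `# XACML Context handler manages PEP (Policy Enforcement Point) requests and the` and, on the next line, `Decison` → `Decision`. The context line 43 `authz.xacmlContext.assertionLifetime = 86400` appears to use the prefix that service.py in this changeset replaces with `ctx_handler.`, so it is presumably no longer read and duplicates line 57; removing it leaves the file with one effective lifetime setting. The fragment `# The context handler ` at line 76 is an unfinished sentence above the interpolated issuer options; `# The PIP attribute query reuses the context handler's issuer name and format` states what lines 77-78 do, and the same fragment appears at line 41 of saml_ctx_handler.cfg in this changeset.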
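--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/saml_ctx_handler.cfg
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/saml_ctx_handler.cfg
@@ -16,4 +16,17 @@
 saml_ctx_handler.policyFilePath = $NDGSEC_TEST_CONFIG_DIR/authorisationservice/policy.xml
 
+# Details for SAML authorisation decision response to a Policy Enforcement Point
+# making a decision query
+saml_ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost
+saml_ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+saml_ctx_handler.assertionLifetime = 86400
+
+#
+# Policy Information Point interface settings
+#
+# The Context handler is a client to the PIP, passing on attribute queries 
+# on behalf of the PDP onwards to the PIP
+
+# 
 # Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a 
 # query from the XACML context handler, checks the attribute(s) being queried 
@@ -26,6 +39,7 @@
 saml_ctx_handler.pip.subjectAttributeId = urn:esg:openid
 
-saml_ctx_handler.pip.attributeQuery.issuerName = O=NDG, OU=Security, CN=localhost
-saml_ctx_handler.pip.attributeQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+# The context handler 
+saml_ctx_handler.pip.attributeQuery.issuerName = %(saml_ctx_handler.issuerName)s
+saml_ctx_handler.pip.attributeQuery.issuerFormat = %(saml_ctx_handler.issuerFormat)s
 
 # These settings configure SSL mutual authentication for the query to the SAML Attribute Authority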
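--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/test_saml_ctx_handler.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/xacml/test_saml_ctx_handler.py
@@ -52,4 +52,8 @@
         self.assert_(handler)
         self.assert_(handler.pip.attributeQuery)
+        self.assert_(handler.policyFilePath)
+        self.assert_(handler.issuerName)
+        self.assert_(handler.issuerFormat)
+        self.assert_(handler.assertionLifetime)
         
 if __name__ == "__main__":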
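Review bot: The four assertions added at lines 54-57 only check that each attribute is truthy, so a handler that kept `assertionLifetime` as the string `'86400'`, or picked up an issuer format from the wrong option, would still pass. Asserting against the values in saml_ctx_handler.cfg (presumably the file this test loads) would pin the parsing, e.g. `self.assertEqual(handler.issuerFormat, 'urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName')` and `self.assertEqual(handler.assertionLifetime, 86400)` if the handler converts that option to a number (its type is not visible here). `assertTrue` is the non-deprecated spelling of `assert_`. The enclosing test method starts outside the hunk.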