Changeset 7337


Timestamp:
18/08/10 14:09:19 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • renamed the authz_lite integration test to 'full_system'; started adding in the Authorisation Service.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system
Files:
1 added
2 edited
1 moved

  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml

    r7077 r7337  
    11<?xml version="1.0" encoding="UTF-8"?> 
    2 <Policy PolicyId="AuthZ Lite - Authorisation Integration Tests" xmlns="urn:ndg:security:authz:1.1:policy"> 
    3     <Description>Restrict access for Authorization integration tests</Description> 
     2<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy" 
     3    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04" 
     4    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     5    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd" 
     6    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> 
     7    <Description> 
     8        Example for NDG Security unit tests: allow access for resource URIs  
     9        defined in the rules.  All other URIs are blocked from access 
     10         
     11        See ndg.security.test.unit.wsgi.authz.test_authz to see the various  
     12        rules tested out 
     13    </Description> 
    414     
     15    <!--  
     16        The Policy target(s) define which requests apply to the whole policy 
     17    --> 
    518    <Target> 
    6         <URIPattern>^/test_securedURI*$</URIPattern> 
    7         <Attributes> 
    8             <Attribute> 
    9                 <Name>urn:siteA:security:authz:1.0:attr:staff</Name> 
    10                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
    11             </Attribute> 
    12         </Attributes> 
    13     </Target> 
    14     <Target> 
    15         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern> 
    16         <Attributes> 
    17             <Attribute> 
    18                 <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name> 
    19                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
    20             </Attribute> 
    21             <Attribute> 
    22                 <Name>urn:siteA:security:authz:1.0:attr:keepout</Name> 
    23                 <AttributeAuthorityURI>https://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
    24             </Attribute> 
    25         </Attributes> 
    26     </Target> 
     19        <Resources> 
     20            <Resource> 
     21                <!-- Pattern match all request URIs beginning with / --> 
     22                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
     23                    <ResourceAttributeDesignator 
     24                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     25                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     26                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue> 
     27                </ResourceMatch> 
     28            </Resource> 
     29        </Resources> 
     30    </Target>    
     31     
     32    <!-- Deny everything by default --> 
     33    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/> 
     34    <!--  
     35        Following rules punch holes through the deny everything rule above 
     36        because the rule combining algorithm is set to permit overrides - see  
     37        Policy element above 
     38    --> 
     39    <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit"> 
     40        <!--  
     41            Define a URI with public access 
     42             
     43            Rule target(s) define which requests apply to the particular rule 
     44        --> 
     45        <Target> 
     46            <Resources> 
     47                <Resource> 
     48                    <!-- Match the request URI --> 
     49                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
     50                        <ResourceAttributeDesignator 
     51                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     52                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     53                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue> 
     54                    </ResourceMatch> 
     55                </Resource> 
     56            </Resources> 
     57        </Target> 
     58    </Rule> 
     59 
     60    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit"> 
     61        <!--  
     62            Define URIs which this policy permits but for which the underlying 
     63            app returns 40x HTTP response 
     64        --> 
     65        <Target> 
     66            <Resources> 
     67                <Resource> 
     68                    <!-- Match the request URI --> 
     69                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
     70                        <ResourceAttributeDesignator 
     71                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     72                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     73                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue> 
     74                    </ResourceMatch> 
     75                </Resource> 
     76            </Resources> 
     77        </Target> 
     78    </Rule> 
     79     
     80    <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit"> 
     81        <!--  
     82            Secure a URI path and all sub-paths using a regular expression to  
     83            define a URI pattern 
     84        --> 
     85        <Target> 
     86            <Resources> 
     87                <Resource> 
     88                    <!-- Pattern match the request URI --> 
     89                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
     90                        <ResourceAttributeDesignator 
     91                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     92                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     93                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue> 
     94                    </ResourceMatch> 
     95                </Resource> 
     96            </Resources> 
     97        </Target> 
     98         
     99        <!--  
     100            The condition narrows down the constraints layed down in the target to 
     101            something more specific 
     102             
     103            The user must have at least one of the roles set - in this 
     104            case 'staff' 
     105        --> 
     106        <Condition> 
     107            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
     108                <SubjectAttributeDesignator  
     109                    AttributeId="urn:siteA:security:authz:1.0:attr"  
     110                    DataType="http://www.w3.org/2001/XMLSchema#string"/> 
     111                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
     112                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 
     113                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 
     114                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> 
     115                </Apply> 
     116            </Apply> 
     117        </Condition> 
     118    </Rule> 
     119    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit"> 
     120        <Target> 
     121            <Resources> 
     122                <Resource> 
     123                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
     124                        <ResourceAttributeDesignator 
     125                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     126                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     127                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue> 
     128                    </ResourceMatch> 
     129                </Resource> 
     130            </Resources> 
     131        </Target> 
     132        <Condition> 
     133            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
     134                <SubjectAttributeDesignator  
     135                    AttributeId="urn:siteA:security:authz:1.0:attr"  
     136                    DataType="http://www.w3.org/2001/XMLSchema#string"/> 
     137                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
     138                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue> 
     139                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue> 
     140                </Apply> 
     141            </Apply> 
     142        </Condition> 
     143    </Rule> 
     144    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit"> 
     145        <!--  
     146            This rule is a modified version of the above to allow for a real use 
     147            case where adding a special query argument grants extra privileges 
     148            associated with an administrator 
     149        --> 
     150        <Target> 
     151            <Resources> 
     152                <Resource> 
     153                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
     154                        <ResourceAttributeDesignator 
     155                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     156                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
     157                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue> 
     158                    </ResourceMatch> 
     159                </Resource> 
     160            </Resources> 
     161            <Subjects> 
     162                <Subject> 
     163                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
     164                        <SubjectAttributeDesignator  
     165                            AttributeId="urn:siteA:security:authz:1.0:attr"  
     166                            DataType="http://www.w3.org/2001/XMLSchema#string"/> 
     167                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue> 
     168                    </SubjectMatch> 
     169                </Subject> 
     170            </Subjects> 
     171        </Target> 
     172    </Rule> 
    27173</Policy> 
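Review bot: The subject role values compared against the same `urn:siteA:security:authz:1.0:attr` designator are in two incompatible forms: the secured-uri-rule's string-bag holds bare `staff`/`admin`/`postdoc`, while the two rules that follow it use the fully-qualified `urn:siteA:security:authz:1.0:attr:staff`, `...:postdoc` and `...:admin`; whichever form the PIP does not return leaves that rule silently NotApplicable, so the permit path being tested may be exercised by the wrong rule — settle on one form (the URN form is what the previous version of this policy named as attributes) and use it in all three conditions. The DenyAllRule's id `urn:ndg:security1.0:authz:test:DenyAllRule` is missing the colon before `1.0` that the PolicyId `urn:ndg:security:1.0:authz:test:policy` and the other NDG identifiers carry. The XACML 2.0 policy XSD named in xsi:schemaLocation defines the Match element content as AttributeValue followed by the designator, whereas every ResourceMatch and SubjectMatch here puts the designator first; the NDG parser may be order-insensitive, but validating against that XSD would reject the file, so this is worth confirming. Because the combining algorithm is permit-overrides, the catch-all Deny rule only converts "no rule matched" into Deny for requests inside the policy Target, which the comment above it could say explicitly: `<!-- With permit-overrides this rule yields Deny only when no Permit rule below matches the request -->`.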
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini

    r7292 r7337  
    22# NERC DataGrid Security 
    33# 
    4 # Paste configuration for combined Attribute Authority, OpenID Relying Party  
    5 # and Provider services 
     4# Paste configuration for combined SAML Attribute Authority and Authorisation 
     5# Services, OpenID Relying Party and Provider services and SSL client  
     6# authentication filters.  This is for test purposes only.  A production system 
     7# might deploy these on different hosts or separate WSGI scripts. 
    68# 
    79# The %(here)s variable will be replaced with the parent directory of this file 
     
    2729attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface 
    2830 
     31# ... and Authorisation Service 
     32authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface 
     33 
    2934dbConnectionString = sqlite:///%(testConfigDir)s/user.db 
    3035 
     
    5762pipeline = AttributeAuthorityFilter  
    5863           AttributeAuthoritySamlSoapBindingFilter 
     64           AuthorisationServiceFilter 
     65           AuthorisationSamlSoapBindingFilter 
    5966                   SessionMiddlewareFilter 
    6067                   SSLCientAuthKitFilter 
     
    378385saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName  
    379386 
     387#______________________________________________________________________________ 
     388# SAML/SOAP query interface to the Authorisation Service 
     389[filter:AuthorisationSamlSoapBindingFilter] 
     390paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory 
     391prefix = saml. 
     392 
     393# The URI path for this service 
     394saml.mountPath = /AuthorisationService 
     395 
     396# The key name in environ which the upstream authorisation service must assign 
     397# to its authorisation query callback - see the AuthorisationServiceFilter  
     398# settings below... 
     399saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s 
     400 
     401# ElementTree based XML parsing and serialisation used for SAML messages 
     402saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML 
     403saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML 
     404 
     405# Sets the identity of THIS authorisation service when filling in SAML responses 
     406saml.issuerName = /O=Test/OU=Authorisation Service 
     407saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
     408 
     409#______________________________________________________________________________ 
     410# Authorisation Service WSGI settings 
     411[filter:AuthorisationServiceFilter] 
     412# This filter is a container for a binding to a SOAP/SAML based interface to the 
     413# Authorisation Service.  It contains a XACML Context handler which manages 
     414# requests from Policy Enforcement Points to the PDP and also enables the PDP 
     415# to make attribute queries to Policy Information Point 
     416paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory 
     417prefix = authz. 
     418 
     419# Expose this filter's authorisation decision query callback via this key name 
     420# in environ 
     421authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s 
     422 
     423# Lifetime for authorisation assertions issued from this service 
     424authz.xacmlContext.assertionLifetime = 86400 
     425 
     426# 
     427# XACML Context handler manages PEP (Policy Information Point) requests and the  
     428# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point) 
     429#  
     430 
     431# XACML Policy file 
     432authz.ctx_handler.policyFilePath = %(here)s/policy.xml 
     433 
     434# Settings for SAML authorisation decision response to a Policy Enforcement Point 
     435# making a decision query 
     436authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost 
     437authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
     438authz.ctx_handler.assertionLifetime = 86400 
     439 
     440# 
     441# Policy Information Point interface settings 
     442# 
     443# The Context handler is a client to the PIP, passing on attribute queries  
     444# on behalf of the PDP onwards to the PIP 
     445 
     446#  
     447# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a  
     448# query from the XACML context handler, checks the attribute(s) being queried  
     449# for and looks up this mapping to determine which attribute authority to query  
     450# to find out if the subject has the attribute in their entitlement 
     451authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt 
     452 
     453# The attribute ID of the subject value to extract from the XACML request 
     454# context and pass in the SAML attribute query 
     455authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid 
     456 
     457# The context handler  
     458authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s 
     459authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s 
     460 
     461# These settings configure SSL mutual authentication for the query to the SAML Attribute Authority 
     462authz.ctx_handler.pip.attributeQuery.sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.crt 
     463authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.key 
     464authz.ctx_handler.pip.attributeQuery.sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca 
     465 
    380466# Logging configuration 
    381467[loggers] 
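Review bot: The three SSL settings for the PIP's attribute query (`authz.ctx_handler.pip.attributeQuery.sslCertFilePath`, `sslPriKeyFilePath`, `sslCACertDir`) use shell-style `$NDGSEC_TEST_CONFIG_DIR`, while every other path in this file uses Paste interpolation (`%(here)s/policy.xml`, `%(testConfigDir)s/user.db`); unless the middleware expands environment variables itself, those values are passed through literally and the mutual-TLS query to the Attribute Authority cannot load its certificate, key or CA directory, so `%(testConfigDir)s/pki/localhost.crt` and friends would be the consistent form. The assertion lifetime is set twice under different prefixes, `authz.xacmlContext.assertionLifetime` and `authz.ctx_handler.assertionLifetime`, and only one of them can be the key the middleware reads, so the other is dead configuration that will mislead whoever tunes it later. The service also declares two different issuer names with the same x509SubjectName format and in two DN notations, `/O=Test/OU=Authorisation Service` on the SAML binding filter and `O=NDG, OU=Security, CN=localhost` on the context handler; a PEP that checks the assertion issuer will see whichever layer fills it in, so they should be made to agree. In the context handler comment, `PEP (Policy Information Point)` should read `PEP (Policy Enforcement Point)` and `Decison` should be `Decision`.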