Changeset 7356


Ignore:
Timestamp:
23/08/10 16:31:46 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • implemented caching of authorisation decision statements in the PEP to cut down on calls to authorisation service.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet
Files:
3 deleted
2 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet

    • Property svn:ignore
      •  

        old new  
        11NDGCredentialWalletPickle.dat 
        22SAMLCredentialWalletPickle.dat 
         3*.dat 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/credentialwallet/test_credentialwallet.py

    r7077 r7356  
    3030from ndg.security.test.unit import BaseTestCase 
    3131from ndg.security.common.utils.etree import prettyPrint 
    32 from ndg.security.common.credentialwallet import SAMLCredentialWallet 
    33  
    34  
    35 class SAMLCredentialWalletTestCase(BaseTestCase): 
     32from ndg.security.common.credentialwallet import (SAMLAttributeWallet, 
     33                                                  SAMLAuthzDecisionWallet) 
     34 
     35 
     36class CredentialWalletBaseTestCase(BaseTestCase): 
    3637    THIS_DIR = os.path.dirname(__file__) 
    3738    CONFIG_FILENAME = 'test_samlcredentialwallet.cfg' 
    3839    CONFIG_FILEPATH = os.path.join(THIS_DIR, CONFIG_FILENAME) 
    39     PICKLE_FILENAME = 'SAMLCredentialWalletPickle.dat' 
    40     PICKLE_FILEPATH = os.path.join(THIS_DIR, PICKLE_FILENAME) 
     40     
     41     
     42class SAMLAttributeWalletTestCase(CredentialWalletBaseTestCase): 
     43    PICKLE_FILENAME = 'SAMLAttributeWalletPickle.dat' 
     44    PICKLE_FILEPATH = os.path.join(CredentialWalletBaseTestCase.THIS_DIR,  
     45                                   PICKLE_FILENAME) 
    4146     
    4247    ASSERTION_STR = ( 
     
    6368     
    6469    def __init__(self, *arg, **kw): 
    65         super(SAMLCredentialWalletTestCase, self).__init__(*arg, **kw) 
     70        super(SAMLAttributeWalletTestCase, self).__init__(*arg, **kw) 
    6671         
    6772    def setUp(self): 
     
    7580        timeExpires = timeNow + timedelta(seconds=validityDuration) 
    7681        assertionStr = Template( 
    77             SAMLCredentialWalletTestCase.ASSERTION_STR).substitute( 
     82            self.__class__.ASSERTION_STR).substitute( 
    7883                dict( 
    7984                 issuerName=issuerName, 
     
    9095 
    9196    def _addCredential(self): 
    92         wallet = SAMLCredentialWallet()    
    93         wallet.addCredential( 
    94             self.assertion,  
    95             attributeAuthorityURI=\ 
    96                 SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI) 
     97        wallet = SAMLAttributeWallet()    
     98        wallet.addCredential(self.assertion, issuerEndpoint=\ 
     99        self.__class__.SITEA_ATTRIBUTEAUTHORITY_SAML_URI) 
    97100        return wallet 
    98101     
     
    101104         
    102105        self.assert_(len(wallet.credentials) == 1) 
    103         self.assert_( 
    104             SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI in \ 
    105             wallet.credentialsKeyedByURI) 
    106         self.assert_(SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME in \ 
     106        self.assert_(self.__class__.SITEA_ATTRIBUTEAUTHORITY_SAML_URI in \ 
     107                     wallet.credentialsKeyedByURI) 
     108        self.assert_(self.__class__.SITEA_SAML_ISSUER_NAME in \ 
    107109                     wallet.credentials) 
    108110         
    109111        assertion = wallet.credentials[ 
    110             SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME 
     112            self.__class__.SITEA_SAML_ISSUER_NAME 
    111113        ].credential 
    112114         
     
    115117     
    116118    def test02VerifyCredential(self): 
    117         wallet = SAMLCredentialWallet() 
     119        wallet = SAMLAttributeWallet() 
    118120        self.assert_(wallet.isValidCredential(self.assertion)) 
    119121         
     
    132134        # is carried to prune expired credentials 
    133135        shortExpiryAssertion = self._createAssertion(validityDuration=1) 
    134         wallet = SAMLCredentialWallet() 
     136        wallet = SAMLAttributeWallet() 
    135137        wallet.addCredential(shortExpiryAssertion) 
    136138         
     
    144146        # a clock skew of  
    145147        shortExpiryAssertion = self._createAssertion(validityDuration=1) 
    146         wallet = SAMLCredentialWallet() 
     148        wallet = SAMLAttributeWallet() 
    147149         
    148150        # Set a tolerance of five seconds 
     
    167169        self.assert_(newAssertion.conditions.notOnOrAfter == \ 
    168170                     wallet.credentials[ 
    169                         SAMLCredentialWalletTestCase.SITEA_SAML_ISSUER_NAME 
     171                        self.__class__.SITEA_SAML_ISSUER_NAME 
    170172                    ].credential.conditions.notOnOrAfter) 
    171173         
     
    177179    def test07Pickle(self): 
    178180        wallet = self._addCredential() 
    179         outFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH, 'w') 
     181        outFile = open(self.__class__.PICKLE_FILEPATH, 'w') 
    180182        pickle.dump(wallet, outFile) 
    181183        outFile.close() 
    182184         
    183         inFile = open(SAMLCredentialWalletTestCase.PICKLE_FILEPATH) 
     185        inFile = open(self.__class__.PICKLE_FILEPATH) 
    184186        unpickledWallet = pickle.load(inFile) 
    185187        self.assert_(unpickledWallet.credentialsKeyedByURI.get( 
    186             SAMLCredentialWalletTestCase.SITEA_ATTRIBUTEAUTHORITY_SAML_URI)) 
     188            self.__class__.SITEA_ATTRIBUTEAUTHORITY_SAML_URI)) 
    187189         
    188190        self.assert_(unpickledWallet.credentials.items()[0][1].issuerName == \ 
     
    190192 
    191193    def test08CreateFromConfig(self): 
    192         wallet = SAMLCredentialWallet.fromConfig( 
    193                                 SAMLCredentialWalletTestCase.CONFIG_FILEPATH) 
     194        wallet = SAMLAttributeWallet.fromConfig( 
     195                                self.__class__.CONFIG_FILEPATH) 
    194196        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01)) 
    195197        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw') 
    196198         
     199 
     200class SAMLAuthzDecisionWalletTestCase(CredentialWalletBaseTestCase): 
     201    """Test wallet for caching Authorisation Decision statements""" 
     202    PICKLE_FILENAME = 'SAMLAuthzDecisionWalletPickle.dat' 
     203    PICKLE_FILEPATH = os.path.join(CredentialWalletBaseTestCase.THIS_DIR,  
     204                                   PICKLE_FILENAME) 
     205     
     206    RESOURCE_ID = 'http://localhost/My%20Secured%20URI' 
     207    ASSERTION_STR = """ 
     208    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="$timeNow" ID="c32235a9-85df-4325-99a2-bad73668c01d"> 
     209        <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">/O=NDG/OU=BADC/CN=attributeauthority.badc.rl.ac.uk</saml:Issuer> 
     210        <saml:Subject> 
     211            <saml:NameID Format="urn:esg:openid">https://openid.localhost/philip.kershaw</saml:NameID> 
     212        </saml:Subject> 
     213        <saml:Conditions NotOnOrAfter="$timeExpires" NotBefore="$timeNow"></saml:Conditions> 
     214        <saml:AuthzDecisionStatement Decision="Permit" Resource="$resourceId"> 
     215            <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">GET</saml:Action> 
     216        </saml:AuthzDecisionStatement> 
     217    </saml:Assertion> 
     218    """ 
     219     
     220    def setUp(self): 
     221        self.assertion = self._createAssertion() 
     222         
     223    def _createAssertion(self, timeNow=None, validityDuration=60*60*8, 
     224                         issuerName=BaseTestCase.SITEA_SAML_ISSUER_NAME): 
     225        if timeNow is None: 
     226            timeNow = datetime.utcnow() 
     227             
     228        timeExpires = timeNow + timedelta(seconds=validityDuration) 
     229        assertionStr = Template( 
     230            self.__class__.ASSERTION_STR).substitute( 
     231                dict( 
     232                 issuerName=issuerName, 
     233                 timeNow=SAMLDateTime.toString(timeNow),  
     234                 timeExpires=SAMLDateTime.toString(timeExpires), 
     235                 resourceId=self.__class__.RESOURCE_ID, 
     236                ) 
     237            ) 
     238 
     239        assertionStream = StringIO() 
     240        assertionStream.write(assertionStr) 
     241        assertionStream.seek(0) 
     242        assertionElem = ElementTree.parse(assertionStream).getroot() 
     243        return AssertionElementTree.fromXML(assertionElem) 
     244                     
     245    def _addCredential(self): 
     246        wallet = SAMLAuthzDecisionWallet()    
     247        wallet.addCredential(self.assertion) 
     248        return wallet 
     249     
     250    def test01AddCredential(self): 
     251        wallet = self._addCredential() 
     252         
     253        self.assert_(len(wallet.credentials) == 1) 
     254        self.assert_(self.__class__.RESOURCE_ID in wallet.credentials) 
     255 
     256        assertion = wallet.credentials[self.__class__.RESOURCE_ID].credential 
     257         
     258        print("SAML Assertion:\n%s" %  
     259              prettyPrint(AssertionElementTree.toXML(assertion))) 
     260     
     261    def test02VerifyCredential(self): 
     262        wallet = SAMLAttributeWallet() 
     263        self.assert_(wallet.isValidCredential(self.assertion)) 
     264         
     265        expiredAssertion = self._createAssertion( 
     266                                timeNow=datetime.utcnow() - timedelta(hours=24)) 
     267                                 
     268        self.assert_(not wallet.isValidCredential(expiredAssertion)) 
     269         
     270        futureAssertion = self._createAssertion( 
     271                                timeNow=datetime.utcnow() + timedelta(hours=24)) 
     272 
     273        self.assert_(not wallet.isValidCredential(futureAssertion)) 
     274         
     275    def test03AuditCredential(self): 
     276        # Add a short lived credential and ensure it's removed when an audit 
     277        # is carried to prune expired credentials 
     278        shortExpiryAssertion = self._createAssertion(validityDuration=1) 
     279        wallet = SAMLAttributeWallet() 
     280        wallet.addCredential(shortExpiryAssertion) 
     281         
     282        self.assert_(len(wallet.credentials) == 1) 
     283        sleep(2) 
     284        wallet.audit() 
     285        self.assert_(len(wallet.credentials) == 0) 
     286 
     287    def test04ClockSkewTolerance(self): 
     288        # Add a short lived credential but with the wallet set to allow for 
     289        # a clock skew of  
     290        shortExpiryAssertion = self._createAssertion(validityDuration=1) 
     291        wallet = SAMLAuthzDecisionWallet() 
     292         
     293        # Set a tolerance of five seconds 
     294        wallet.clockSkewTolerance = 5.*60*60 
     295        wallet.addCredential(shortExpiryAssertion) 
     296         
     297        self.assert_(len(wallet.credentials) == 1) 
     298        sleep(2) 
     299        wallet.audit() 
     300        self.assert_(len(wallet.credentials) == 1) 
     301         
     302    def test05ReplaceCredential(self): 
     303        # Replace an existing credential from a given institution with a more 
     304        # up to date one 
     305        wallet = self._addCredential() 
     306        self.assert_(len(wallet.credentials) == 1) 
     307         
     308        newAssertion = self._createAssertion()   
     309 
     310        wallet.addCredential(newAssertion) 
     311        self.assert_(len(wallet.credentials) == 1) 
     312        self.assert_(newAssertion.conditions.notOnOrAfter == \ 
     313                     wallet.credentials[ 
     314                        self.__class__.RESOURCE_ID 
     315                    ].credential.conditions.notOnOrAfter) 
     316 
     317    def test06Pickle(self): 
     318        wallet = self._addCredential() 
     319        outFile = open(self.__class__.PICKLE_FILEPATH, 'w') 
     320        pickle.dump(wallet, outFile) 
     321        outFile.close() 
     322         
     323        inFile = open(self.__class__.PICKLE_FILEPATH) 
     324        unpickledWallet = pickle.load(inFile) 
     325        self.assert_(unpickledWallet.credentials.get( 
     326                                                    self.__class__.RESOURCE_ID)) 
     327         
     328    def test07CreateFromConfig(self): 
     329        wallet = SAMLAttributeWallet.fromConfig( 
     330                                self.__class__.CONFIG_FILEPATH) 
     331        self.assert_(wallet.clockSkewTolerance == timedelta(seconds=0.01)) 
     332        self.assert_(wallet.userId == 'https://openid.localhost/philip.kershaw') 
     333 
     334 
    197335if __name__ == "__main__": 
    198336    unittest.main()         
Note: See TracChangeset for help on using the changeset viewer.