Changeset 7361 for TI12-security


Timestamp:
25/08/10 11:03:04 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • working caching with ndg.security.test.integration.full_system integration test. Caching works at the app, caching authz decisions but also at the PIP inside the authorisation service, caching Attribute Authority query results.
  • TODO: make PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
4 edited

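--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py
@@ -443,5 +443,5 @@
 
     @abstractmethod
-    def auditCredentials(self, userId=None, **attCertValidKeys):
+    def auditCredentials(self, userId=None, **assertionValidKeys):
         """Check the attribute certificates held in the repository and delete
         any that have expired
@@ -449,8 +449,9 @@
         @type userId: basestring/list or tuple
         @param userId: audit credentials for the input user ID or list of IDs
-        @type attCertValidKeys: dict
-        @param **attCertValidKeys: keywords which set how to check the
-        Attribute Certificate e.g. check validity time, XML signature, version
-         etc.  Default is check validity time only - See AttCert class"""
+        @type assertionValidKeys: dict
+        @param **assertionValidKeys: keywords which set how to check the
+        assertion e.g. XML signature, version etc.  Default is check validity
+        time only
+        """
         raise NotImplementedError(
             self.auditCredentials.__doc__.replace('\n       ',''))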
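Review bot: The summary line at 446 still reads `Check the attribute certificates held in the repository and delete` while the renamed keyword argument and its description now refer to assertions, so the docstring contradicts itself; change it to `"""Check the assertions held in the repository and delete`. The `@param **assertionValidKeys` entry correctly keeps validity time as the default check, which is the one an audit of expired credentials depends on. Note that the whole docstring is echoed back in the `NotImplementedError` message at 455-456, so any rewording here reaches callers of the abstract base.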
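--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
@@ -22,5 +22,4 @@
 
 from ndg.security.common.utils.classfactory import importClass
-from ndg.security.common.credentialwallet import SAMLAttributeWallet
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
 from ndg.security.server.wsgi.authz.pep import SamlPepFilter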
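--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py
@@ -202,11 +202,10 @@
         # Check for cached decision
         if self.cacheDecisions:
-            cachedAssertion = self._retrieveAuthzDecision(request.url)
+            assertions = self._retrieveCachedAssertions(request.url)
         else:
-            cachedAssertion = None
-
-        if cachedAssertion is not None:
-            assertions = (cachedAssertion,)
-        else:
+            assertions = None
+
+        noCachedAssertion = assertions is None or len(assertions) == 0
+        if noCachedAssertion:
             # No stored decision in cache, invoke the authorisation service
             self.client.resourceURI = request.url
@@ -260,12 +259,15 @@
             return response(environ, start_response)
 
-        if self.cacheDecisions:
-            self._cacheAuthzDecision(request.url, [assertion])
+        # Cache assertion if flag is set and it's one that's been freshly
+        # obtained from an authorisation decision query rather than one
+        # retrieved from the cache
+        if self.cacheDecisions and noCachedAssertion:
+            self._cacheAssertions(request.url, [assertion])
 
         # If got through to here then all is well, call next WSGI middleware/app
         return self._app(environ, start_response)
 
-    def _retrieveAuthzDecision(self, resourceId):
-        """Return assertion containing authorisation decision for the given
+    def _retrieveCachedAssertions(self, resourceId):
+        """Return assertions containing authorisation decision for the given
         resource ID.
 
@@ -280,14 +282,11 @@
         walletKeyName = self.__class__.CREDENTIAL_WALLET_SESSION_KEYNAME
         credWallet = self.session.get(walletKeyName)
+        if credWallet is None:
+            return None
 
         # Wallet has a dictionary of credential objects keyed by resource ID
-        credentials = getattr(credWallet, 'credentials', {})
-
-        # Retrieve assertion from Credential object
-        assertion = getattr(credentials.get(resourceId), 'credential', None)
-        return assertion
-
-
-    def _cacheAuthzDecision(self, resourceId, assertions):
+        return credWallet.retrieveCredentials(resourceId)
+
+    def _cacheAssertions(self, resourceId, assertions):
         """Cache an authorisation decision from a response retrieved from the
         authorisation service.  This is invoked only if cacheDecisions boolean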
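Review bot: At new line 208 the assertions handed back by `credWallet.retrieveCredentials(resourceId)` are reused as the authorisation decision without any check visible in this hunk that they are still inside their validity period; if the wallet does not purge expired entries itself (the `auditCredentials` hook in credentialwallet.py exists for that), a stale permit could outlive the policy that granted it, so either filter on validity here or state in the `_retrieveCachedAssertions` docstring that `retrieveCredentials` already does. The test at the same line can be written `noCachedAssertion = not assertions`, which covers `None`, an empty tuple and an empty list without the extra comparison. The docstring of `_retrieveCachedAssertions` should also mention the new early exit at 284-285, e.g. `Returns None if no credential wallet is held in the session.` The method containing the first hunk starts and ends outside the hunk, and the body of `_cacheAssertions` continues past the end of the section.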
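--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -444,4 +444,15 @@
 # on behalf of the PDP onwards to the PIP
 
+# The PIP can cache assertions retrieved from Attribute Authority calls to
+# optimise performance.  Set this flag to True/False to enable/disable caching
+# respectively.  If this setting is omitted it defaults to True
+authz.ctx_handler.pip.cacheSessions = True
+
+# Set the directory for cached information to be stored.  This options is
+# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
+# sessions will be cached in memory only.  If the service is stopped all cached
+# information would be lost
+authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache
+
 #
 # Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a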
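Review bot: The comment for `sessionCacheDataDir` at new lines 451-454 says what happens when the option is omitted but not what is written to the directory or who may read it; per the `cacheSessions` comment the cache holds assertions retrieved from the Attribute Authority, presumably carrying user attributes, so the comment should say the directory has to be created with access restricted to the service account, e.g. `# The directory holds cached attribute assertions; restrict it to the service user`. The comment also notes that memory-cached data is lost on restart but says nothing about how long disk-cached entries persist or whether expired assertions are purged, which is worth stating next to `cacheSessions` once that behaviour is confirmed. The typo `This options is` should read `This option is`.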