Changeset 7364
- Timestamp:
- 25/08/10 16:40:51 (11 years ago)
- Location:
- TI12-security/trunk/NDGSecurity/python
- Files:
-
- 1 added
- 8 edited
Legend:
- Unmodified
- Added
- Removed
-
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/__init__.py
r7077 r7364 32 32 'mountPath': '/', 33 33 } 34 __slots__ = ('_app', '_environ', '_start_response', '_pathInfo', '_path', 35 '_mountPath') 34 36 35 37 def __init__(self, app, app_conf, prefix='', **local_conf): -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py
r7361 r7364 19 19 from ndg.saml.saml2.binding.soap.client.authzdecisionquery import \ 20 20 AuthzDecisionQuerySslSOAPBinding 21 22 from ndg.xacml import core as _xacmlCore 23 from ndg.xacml.core.context.pdp import PDP 24 from ndg.xacml.core import context as _xacmlCtx 25 from ndg.xacml.parsers.etree.factory import ReaderFactory as \ 26 XacmlPolicyReaderFactory 27 21 28 from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 22 29 SessionHandlerMiddleware) … … 45 52 @type __client: ndg.saml.saml2.binding.soap.client.authzdecisionquery.AuthzDecisionQuerySslSOAPBinding 46 53 ''' 54 AUTHZ_SERVICE_URI = 'authzServiceURI' 47 55 AUTHZ_DECISION_QUERY_PARAMS_PREFIX = 'authzDecisionQuery.' 48 56 SESSION_KEY_PARAM_NAME = 'sessionKey' 49 CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions' 57 CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions' 58 LOCAL_PDP_FILEPATH_PARAM_NAME = 'localPolicyFilePath' 50 59 51 60 CREDENTIAL_WALLET_SESSION_KEYNAME = \ … … 55 64 56 65 PARAM_NAMES = ( 57 'authzServiceURI', 58 'sessionKey', 59 'cacheDecisions' 66 AUTHZ_SERVICE_URI, 67 SESSION_KEY_PARAM_NAME, 68 CACHE_DECISIONS_PARAM_NAME, 69 LOCAL_PDP_FILEPATH_PARAM_NAME 60 70 ) 61 71 __slots__ = ( 62 '_app', '__client', '__session', 63 ) + tuple(["__%s" % i for i in PARAM_NAMES]) 64 del i 65 72 '_app', '__client', '__session', '__localPdp' 73 ) + tuple(('__' + '$__'.join(PARAM_NAMES)).split('$')) 74 66 75 def __init__(self, app): 67 76 ''' … … 75 84 self.__sessionKey = None 76 85 self.__cacheDecisions = False 86 self.__localPdp = None 87 self.__localPolicyFilePath = None 88 89 def _getLocalPolicyFilePath(self): 90 return self.__localPolicyFilePath 91 92 def _setLocalPolicyFilePath(self, value): 93 if not isinstance(value, basestring): 94 raise TypeError('Expecting string type for "localPolicyFilePath" ' 95 'attribute; got %r' % type(value)) 96 97 self.__localPolicyFilePath = value 98 99 localPolicyFilePath = property(_getLocalPolicyFilePath, 100 _setLocalPolicyFilePath, 101 doc="Policy file path for local PDP. It's " 102 "initialised to None in which case the " 103 "local PDP is disabled and all access " 104 "control queries will be routed through " 105 "to the authorisation service") 106 107 def _getLocalPdp(self): 108 return self.__localPdp 109 110 def _setLocalPdp(self, value): 111 self.__localPdp = value 112 113 localPdp = property(_getLocalPdp, _setLocalPdp, 114 doc="File path for a local PDP which can be used to " 115 "filters requests from the authorisation service " 116 "so avoiding the web service call performance " 117 "penalty") 77 118 78 119 def _getClient(self): … … 156 197 paramName = prefix + name 157 198 value = kw.get(paramName) 158 if value is None: 199 200 if value is not None: 201 setattr(self, name, value) 202 203 elif value != self.__class__.LOCAL_PDP_FILEPATH_PARAM_NAME: 204 # Policy file setting is optional 159 205 raise SamlPepFilterConfigError('Missing option %r' % paramName) 160 206 161 setattr(self, name, value) 207 # Initialise the local PDP 208 if self.localPolicyFilePath: 209 self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath, 210 XacmlPolicyReaderFactory) 162 211 163 212 @classmethod … … 197 246 'in environ' % self.sessionKey) 198 247 self.session = environ[self.sessionKey] 199 248 249 return self.enforce(environ, start_response) 250 251 def enforce(self, environ, start_response): 252 """Get access control decision from PDP(s) and enforce the decision 253 254 @type environ: dict 255 @param environ: WSGI environment variables dictionary 256 @type start_response: function 257 @param start_response: standard WSGI start response function 258 @rtype: iterable 259 @return: response 260 """ 200 261 request = webob.Request(environ) 201 262 263 # Apply local PDP if set 264 if self.__localPdp is not None: 265 self.__localPdp.evaluate() 266 202 267 # Check for cached decision 203 268 if self.cacheDecisions: … … 251 316 "from %r", self.authzServiceURI) 252 317 318 response = webob.Response() 253 319 response.body = ('An error occurred retrieving an access decision ' 254 320 'for %r for user %r' % ( … … 331 397 if save: 332 398 self.session.save() 399 400 def enforceFromLocalPdp(self, subjectId, resourceURI): 401 """A local PDP can filter out some requests to avoid the need to call 402 out to the authorisation service 403 """ 404 xacmlRequest = self._createXacmlRequestCtx(subjectId, resourceURI) 405 xacmlResponse = self.__localPdp.evaluate(xacmlRequest) 406 407 def _createXacmlRequestCtx(self, resourceURI): 408 request = _xacmlCtx.request.Request() 409 410 resource = _xacmlCtx.request.Resource() 411 resourceAttribute = _xacmlCore.attribute.Attribute() 412 resource.attributes.append(resourceAttribute) 413 414 resourceAttribute.attributeId = \ 415 _xacmlCore.Identifiers.Resource.RESOURCE_ID 416 417 resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 418 resourceAttribute.attributeValues.append(AnyUriAttributeValue()) 419 resourceAttribute.attributeValues[-1].value = resourceURI 420 421 request.resources.append(resource) 422 423 return request 424 425 -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
r7077 r7364 27 27 @type propertyDefaults: dict 28 28 @cvar propertyDefaults: valid configuration property keywords 29 """ 29 """ 30 __slots__ = () 30 31 propertyDefaults = { 31 32 'sessionKey': 'beaker.session.ndg.security' … … 44 45 isAuthenticated = property(fget=_isAuthenticated, 45 46 doc='boolean to indicate is user logged in') 46 47 47 48 48 49 class SessionHandlerMiddlewareError(NDGSecurityMiddlewareError): -
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
r7357 r7364 20 20 from ndg.saml.common import SAMLVersion 21 21 22 23 from ndg.xacml.core import Identifiers 22 24 from ndg.xacml.core.context.pdp import PDP 23 25 from ndg.xacml.core import context as _xacmlContext … … 89 91 self.__assertionLifetime = 0. 90 92 self.__policyFilePath = None 91 92 # Policy Information Point93 self.pip = PIP()94 93 95 94 @classmethod … … 161 160 # Check for PIP attribute related items 162 161 if __optName.startswith(pipPrefix): 162 if self.pip is None: 163 # Create Policy Information Point so that settings can be 164 # assigned 165 self.pip = PIP() 166 163 167 setattr(self.pip, __optName[pipPrefixLen:], val) 164 168 else: … … 347 351 @type designator: ndg.xacml.core.expression.Expression derived type 348 352 @return: list of attribute values for subject corresponding to given 349 policy designator. Return None if none can be found 353 policy designator. Return None if none can be found or if no PIP has 354 been assigned to this handler 350 355 @rtype: ndg.xacml.utils.TypedList(<designator attribute type>) / None 351 """ 352 return self.pip.attributeQuery(request, designator) 356 type 357 """ 358 if self.pip is None: 359 return None 360 else: 361 return self.pip.attributeQuery(request, designator) 353 362 354 363 def _createXacmlRequestCtx(self, samlAuthzDecisionQuery): … … 381 390 XacmlStringAttributeValue = xacmlAttributeValueFactory( 382 391 'http://www.w3.org/2001/XMLSchema#string') 383 384 # TODO: get attributes - replace hard coded values385 roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"386 roleAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER387 388 roleAttribute.attributeValues.append(XacmlStringAttributeValue())389 roleAttribute.attributeValues[-1].value = 'staff'390 391 xacmlSubject.attributes.append(roleAttribute)392 392 393 393 xacmlRequest.subjects.append(xacmlSubject) … … 397 397 resource.attributes.append(resourceAttribute) 398 398 399 resourceAttribute.attributeId = \ 400 "urn:oasis:names:tc:xacml:1.0:resource:resource-id" 399 resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID 401 400 402 401 resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER … … 413 412 xacmlRequest.action.attributes.append(xacmlActionAttribute) 414 413 415 xacmlActionAttribute.attributeId = \ 416 "urn:oasis:names:tc:xacml:1.0:action:action-id" 414 xacmlActionAttribute.attributeId = Identifiers.Action.ACTION_ID 417 415 xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER 418 416 xacmlActionAttribute.attributeValues.append( -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
r7357 r7364 95 95 </Resource> 96 96 </Resources> 97 <Actions> 98 <Action> 99 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 100 <ActionAttributeDesignator 101 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 102 DataType="http://www.w3.org/2001/XMLSchema#string"/> 103 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 104 </ActionMatch> 105 </Action> 106 </Actions> 97 107 </Target> 98 108 -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system
-
Property
svn:ignore
set to
pip-session-cache
-
Property
svn:ignore
set to
-
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
r7357 r7364 97 97 pep.cacheDecisions = True 98 98 99 # Including this setting activates a simple PDP local to this PEP which filters 100 # requests to cut down on calls to the authorisation service. This is useful 101 # for example to avoid calling the authorisation service for non-secure content 102 # such as HTML CSS or graphics. Note that filters based on resource URI 103 # requested alone. Subject, action and environment settings are not passed in 104 # the request context to the local PDP. 105 # 106 # The policy content should be set carefully to avoid unintended override of the 107 # authorisation service's policy 108 pep.localPolicyFilePath = %(here)s/request-filter.xml 109 99 110 # Settings for Policy Information Point used by the Policy Decision Point to 100 111 # retrieve subject attributes from the Attribute Authority associated with the -
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini
r7353 r7364 32 32 authz.pep.cacheDecisions = True 33 33 34 # Including this setting activates a simple PDP local to this PEP which filters 35 # requests to cut down on calls to the authorisation service. This is useful 36 # for example to avoid calling the authorisation service for non-secure content 37 # such as HTML CSS or graphics. Note that filters based on resource URI 38 # requested alone. Subject, action and environment settings are not passed in 39 # the request context to the local PDP. 40 # 41 # The policy content should be set carefully to avoid unintended override of the 42 # authorisation service's policy 43 authz.pep.localPolicyFilePath = %(here)s/request-filter.xml 44 34 45 # If omitted, DN of SSL Cert is used 35 46 authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
Note: See TracChangeset
for help on using the changeset viewer.