Changeset 7364

Timestamp:

25/08/10 16:40:51 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 2: XACML-Security Integration

• Started work making PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_server/ndg/security/server/wsgi/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authz/pep.py (modified) (8 diffs)
• ndg_security_server/ndg/security/server/wsgi/session.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py (modified) (7 diffs)
• ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml (modified) (1 diff)
• ndg_security_test/ndg/security/test/integration/full_system (modified) (1 prop)
• ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authz/request-filter.xml (added)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/__init__.py

@@ -32 +32 @@
         'mountPath': '/',
     }
+    __slots__ = ('_app', '_environ', '_start_response', '_pathInfo', '_path',
+                 '_mountPath')
     
     def __init__(self, app, app_conf, prefix='', **local_conf):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

@@ -19 +19 @@
 from ndg.saml.saml2.binding.soap.client.authzdecisionquery import \
                                             AuthzDecisionQuerySslSOAPBinding
+                                            
+from ndg.xacml import core as _xacmlCore
+from ndg.xacml.core.context.pdp import PDP
+from ndg.xacml.core import context as _xacmlCtx
+from ndg.xacml.parsers.etree.factory import ReaderFactory as \
+    XacmlPolicyReaderFactory
+    
 from ndg.security.server.wsgi.session import (SessionMiddlewareBase, 
                                               SessionHandlerMiddleware)
@@ -45 +52 @@
     @type __client: ndg.saml.saml2.binding.soap.client.authzdecisionquery.AuthzDecisionQuerySslSOAPBinding
     '''
+    AUTHZ_SERVICE_URI = 'authzServiceURI'
     AUTHZ_DECISION_QUERY_PARAMS_PREFIX = 'authzDecisionQuery.'
     SESSION_KEY_PARAM_NAME = 'sessionKey'
-    CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions'
+    CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions'   
+    LOCAL_PDP_FILEPATH_PARAM_NAME = 'localPolicyFilePath'
     
     CREDENTIAL_WALLET_SESSION_KEYNAME = \
@@ -55 +64 @@
     
     PARAM_NAMES = (
-        'authzServiceURI',
-        'sessionKey',
-        'cacheDecisions'
+        AUTHZ_SERVICE_URI,
+        SESSION_KEY_PARAM_NAME,
+        CACHE_DECISIONS_PARAM_NAME,
+        LOCAL_PDP_FILEPATH_PARAM_NAME
     )
     __slots__ = (
-        '_app', '__client', '__session',
-    ) + tuple(["__%s" % i for i in PARAM_NAMES])
-    del i
-    
+        '_app', '__client', '__session', '__localPdp'
+    ) + tuple(('__' + '$__'.join(PARAM_NAMES)).split('$'))
+            
     def __init__(self, app):
         '''
@@ -75 +84 @@
         self.__sessionKey = None
         self.__cacheDecisions = False
+        self.__localPdp = None
+        self.__localPolicyFilePath = None
+
+    def _getLocalPolicyFilePath(self):
+        return self.__localPolicyFilePath
+
+    def _setLocalPolicyFilePath(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "localPolicyFilePath" '
+                            'attribute; got %r' % type(value))
+            
+        self.__localPolicyFilePath = value
+
+    localPolicyFilePath = property(_getLocalPolicyFilePath, 
+                                   _setLocalPolicyFilePath, 
+                                   doc="Policy file path for local PDP. It's "
+                                       "initialised to None in which case the "
+                                       "local PDP is disabled and all access "
+                                       "control queries will be routed through "
+                                       "to the authorisation service")
+
+    def _getLocalPdp(self):
+        return self.__localPdp
+
+    def _setLocalPdp(self, value):
+        self.__localPdp = value
+
+    localPdp = property(_getLocalPdp, _setLocalPdp, 
+                        doc="File path for a local PDP which can be used to "
+                            "filters requests from the authorisation service "
+                            "so avoiding the web service call performance "
+                            "penalty")
 
     def _getClient(self):
@@ -156 +197 @@
             paramName = prefix + name
             value = kw.get(paramName)
-            if value is None:
+            
+            if value is not None:
+                setattr(self, name, value)
+                
+            elif value != self.__class__.LOCAL_PDP_FILEPATH_PARAM_NAME:
+                # Policy file setting is optional
                 raise SamlPepFilterConfigError('Missing option %r' % paramName)
             
-            setattr(self, name, value)
+        # Initialise the local PDP  
+        if self.localPolicyFilePath:
+            self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath, 
+                                                   XacmlPolicyReaderFactory)
                     
     @classmethod
@@ -197 +246 @@
                                            'in environ' % self.sessionKey)
         self.session = environ[self.sessionKey]
-        
+
+        return self.enforce(environ, start_response)
+
+    def enforce(self, environ, start_response):
+        """Get access control decision from PDP(s) and enforce the decision
+        
+        @type environ: dict
+        @param environ: WSGI environment variables dictionary
+        @type start_response: function
+        @param start_response: standard WSGI start response function
+        @rtype: iterable
+        @return: response
+        """
         request = webob.Request(environ)
         
+        # Apply local PDP if set
+        if self.__localPdp is not None:
+            self.__localPdp.evaluate()
+            
         # Check for cached decision
         if self.cacheDecisions:
@@ -251 +316 @@
                       "from %r", self.authzServiceURI)
             
+            response = webob.Response()
             response.body = ('An error occurred retrieving an access decision '
                              'for %r for user %r' % (
@@ -331 +397 @@
         if save:
             self.session.save()     
+
+    def enforceFromLocalPdp(self, subjectId, resourceURI):
+        """A local PDP can filter out some requests to avoid the need to call
+        out to the authorisation service 
+        """
+        xacmlRequest = self._createXacmlRequestCtx(subjectId, resourceURI)
+        xacmlResponse = self.__localPdp.evaluate(xacmlRequest)
+
+    def _createXacmlRequestCtx(self, resourceURI):
+        request = _xacmlCtx.request.Request()
+        
+        resource = _xacmlCtx.request.Resource()
+        resourceAttribute = _xacmlCore.attribute.Attribute()
+        resource.attributes.append(resourceAttribute)
+        
+        resourceAttribute.attributeId = \
+                                    _xacmlCore.Identifiers.Resource.RESOURCE_ID
+                            
+        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER
+        resourceAttribute.attributeValues.append(AnyUriAttributeValue())
+        resourceAttribute.attributeValues[-1].value = resourceURI
+
+        request.resources.append(resource)
+        
+        return request
+        
+

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

@@ -27 +27 @@
     @type propertyDefaults: dict
     @cvar propertyDefaults: valid configuration property keywords 
-    """   
+    """ 
+    __slots__ = ()
     propertyDefaults = {
         'sessionKey': 'beaker.session.ndg.security'
@@ -44 +45 @@
     isAuthenticated = property(fget=_isAuthenticated,
                                doc='boolean to indicate is user logged in')
-       
+      
 
 class SessionHandlerMiddlewareError(NDGSecurityMiddlewareError):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

@@ -20 +20 @@
 from ndg.saml.common import SAMLVersion
 
+
+from ndg.xacml.core import Identifiers
 from ndg.xacml.core.context.pdp import PDP
 from ndg.xacml.core import context as _xacmlContext
@@ -89 +91 @@
         self.__assertionLifetime = 0.
         self.__policyFilePath = None
-        
-        # Policy Information Point
-        self.pip = PIP()
     
     @classmethod
@@ -161 +160 @@
             # Check for PIP attribute related items
             if __optName.startswith(pipPrefix):
+                if self.pip is None:    
+                    # Create Policy Information Point so that settings can be 
+                    # assigned
+                    self.pip = PIP()
+                    
                 setattr(self.pip, __optName[pipPrefixLen:], val)
             else:
@@ -347 +351 @@
         @type designator: ndg.xacml.core.expression.Expression derived type
         @return: list of attribute values for subject corresponding to given
-        policy designator.  Return None if none can be found
+        policy designator.  Return None if none can be found or if no PIP has
+        been assigned to this handler
         @rtype: ndg.xacml.utils.TypedList(<designator attribute type>) / None
-        """
-        return self.pip.attributeQuery(request, designator)
+        type
+        """
+        if self.pip is None:
+            return None
+        else:
+            return self.pip.attributeQuery(request, designator)
     
     def _createXacmlRequestCtx(self, samlAuthzDecisionQuery):
@@ -381 +390 @@
         XacmlStringAttributeValue = xacmlAttributeValueFactory(
                                     'http://www.w3.org/2001/XMLSchema#string')
-
-        # TODO: get attributes - replace hard coded values
-        roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr"
-        roleAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
-        
-        roleAttribute.attributeValues.append(XacmlStringAttributeValue())
-        roleAttribute.attributeValues[-1].value = 'staff' 
-        
-        xacmlSubject.attributes.append(roleAttribute)
                                   
         xacmlRequest.subjects.append(xacmlSubject)
@@ -397 +397 @@
         resource.attributes.append(resourceAttribute)
         
-        resourceAttribute.attributeId = \
-                            "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+        resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID
                             
         resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER
@@ -413 +412 @@
             xacmlRequest.action.attributes.append(xacmlActionAttribute)
             
-            xacmlActionAttribute.attributeId = \
-                                "urn:oasis:names:tc:xacml:1.0:action:action-id"
+            xacmlActionAttribute.attributeId = Identifiers.Action.ACTION_ID
             xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER
             xacmlActionAttribute.attributeValues.append(

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

@@ -95 +95 @@
                 </Resource>
             </Resources>
+            <Actions>
+                <Action>
+                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <ActionAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+                    </ActionMatch>
+                </Action>
+            </Actions>
         </Target>
         

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

@@ -97 +97 @@
 pep.cacheDecisions = True
 
+# Including this setting activates a simple PDP local to this PEP which filters 
+# requests to cut down on calls to the authorisation service.  This is useful
+# for example to avoid calling the authorisation service for non-secure content
+# such as HTML CSS or graphics.  Note that filters based on resource URI 
+# requested alone.  Subject, action and environment settings are not passed in 
+# the request context to the local PDP.
+#
+# The policy content should be set carefully to avoid unintended override of the
+# authorisation service's policy
+pep.localPolicyFilePath = %(here)s/request-filter.xml
+
 # Settings for Policy Information Point used by the Policy Decision Point to
 # retrieve subject attributes from the Attribute Authority associated with the

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

@@ -32 +32 @@
 authz.pep.cacheDecisions = True
 
+# Including this setting activates a simple PDP local to this PEP which filters 
+# requests to cut down on calls to the authorisation service.  This is useful
+# for example to avoid calling the authorisation service for non-secure content
+# such as HTML CSS or graphics.  Note that filters based on resource URI 
+# requested alone.  Subject, action and environment settings are not passed in 
+# the request context to the local PDP.
+#
+# The policy content should be set carefully to avoid unintended override of the
+# authorisation service's policy
+authz.pep.localPolicyFilePath = %(here)s/request-filter.xml
+
 # If omitted, DN of SSL Cert is used
 authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test