Changeset 7364 for TI12-security/trunk


Ignore:
Timestamp:
25/08/10 16:40:51 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Started work making PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
1 added
8 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/__init__.py

    r7077 r7364  
    3232        'mountPath': '/', 
    3333    } 
     34    __slots__ = ('_app', '_environ', '_start_response', '_pathInfo', '_path', 
     35                 '_mountPath') 
    3436     
    3537    def __init__(self, app, app_conf, prefix='', **local_conf): 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

    r7361 r7364  
    1919from ndg.saml.saml2.binding.soap.client.authzdecisionquery import \ 
    2020                                            AuthzDecisionQuerySslSOAPBinding 
     21                                             
     22from ndg.xacml import core as _xacmlCore 
     23from ndg.xacml.core.context.pdp import PDP 
     24from ndg.xacml.core import context as _xacmlCtx 
     25from ndg.xacml.parsers.etree.factory import ReaderFactory as \ 
     26    XacmlPolicyReaderFactory 
     27     
    2128from ndg.security.server.wsgi.session import (SessionMiddlewareBase,  
    2229                                              SessionHandlerMiddleware) 
     
    4552    @type __client: ndg.saml.saml2.binding.soap.client.authzdecisionquery.AuthzDecisionQuerySslSOAPBinding 
    4653    ''' 
     54    AUTHZ_SERVICE_URI = 'authzServiceURI' 
    4755    AUTHZ_DECISION_QUERY_PARAMS_PREFIX = 'authzDecisionQuery.' 
    4856    SESSION_KEY_PARAM_NAME = 'sessionKey' 
    49     CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions' 
     57    CACHE_DECISIONS_PARAM_NAME = 'cacheDecisions'    
     58    LOCAL_PDP_FILEPATH_PARAM_NAME = 'localPolicyFilePath' 
    5059     
    5160    CREDENTIAL_WALLET_SESSION_KEYNAME = \ 
     
    5564     
    5665    PARAM_NAMES = ( 
    57         'authzServiceURI', 
    58         'sessionKey', 
    59         'cacheDecisions' 
     66        AUTHZ_SERVICE_URI, 
     67        SESSION_KEY_PARAM_NAME, 
     68        CACHE_DECISIONS_PARAM_NAME, 
     69        LOCAL_PDP_FILEPATH_PARAM_NAME 
    6070    ) 
    6171    __slots__ = ( 
    62         '_app', '__client', '__session', 
    63     ) + tuple(["__%s" % i for i in PARAM_NAMES]) 
    64     del i 
    65      
     72        '_app', '__client', '__session', '__localPdp' 
     73    ) + tuple(('__' + '$__'.join(PARAM_NAMES)).split('$')) 
     74             
    6675    def __init__(self, app): 
    6776        ''' 
     
    7584        self.__sessionKey = None 
    7685        self.__cacheDecisions = False 
     86        self.__localPdp = None 
     87        self.__localPolicyFilePath = None 
     88 
     89    def _getLocalPolicyFilePath(self): 
     90        return self.__localPolicyFilePath 
     91 
     92    def _setLocalPolicyFilePath(self, value): 
     93        if not isinstance(value, basestring): 
     94            raise TypeError('Expecting string type for "localPolicyFilePath" ' 
     95                            'attribute; got %r' % type(value)) 
     96             
     97        self.__localPolicyFilePath = value 
     98 
     99    localPolicyFilePath = property(_getLocalPolicyFilePath,  
     100                                   _setLocalPolicyFilePath,  
     101                                   doc="Policy file path for local PDP. It's " 
     102                                       "initialised to None in which case the " 
     103                                       "local PDP is disabled and all access " 
     104                                       "control queries will be routed through " 
     105                                       "to the authorisation service") 
     106 
     107    def _getLocalPdp(self): 
     108        return self.__localPdp 
     109 
     110    def _setLocalPdp(self, value): 
     111        self.__localPdp = value 
     112 
     113    localPdp = property(_getLocalPdp, _setLocalPdp,  
     114                        doc="File path for a local PDP which can be used to " 
     115                            "filters requests from the authorisation service " 
     116                            "so avoiding the web service call performance " 
     117                            "penalty") 
    77118 
    78119    def _getClient(self): 
     
    156197            paramName = prefix + name 
    157198            value = kw.get(paramName) 
    158             if value is None: 
     199             
     200            if value is not None: 
     201                setattr(self, name, value) 
     202                 
     203            elif value != self.__class__.LOCAL_PDP_FILEPATH_PARAM_NAME: 
     204                # Policy file setting is optional 
    159205                raise SamlPepFilterConfigError('Missing option %r' % paramName) 
    160206             
    161             setattr(self, name, value) 
     207        # Initialise the local PDP   
     208        if self.localPolicyFilePath: 
     209            self.__localPdp = PDP.fromPolicySource(self.localPolicyFilePath,  
     210                                                   XacmlPolicyReaderFactory) 
    162211                     
    163212    @classmethod 
     
    197246                                           'in environ' % self.sessionKey) 
    198247        self.session = environ[self.sessionKey] 
    199          
     248 
     249        return self.enforce(environ, start_response) 
     250 
     251    def enforce(self, environ, start_response): 
     252        """Get access control decision from PDP(s) and enforce the decision 
     253         
     254        @type environ: dict 
     255        @param environ: WSGI environment variables dictionary 
     256        @type start_response: function 
     257        @param start_response: standard WSGI start response function 
     258        @rtype: iterable 
     259        @return: response 
     260        """ 
    200261        request = webob.Request(environ) 
    201262         
     263        # Apply local PDP if set 
     264        if self.__localPdp is not None: 
     265            self.__localPdp.evaluate() 
     266             
    202267        # Check for cached decision 
    203268        if self.cacheDecisions: 
     
    251316                      "from %r", self.authzServiceURI) 
    252317             
     318            response = webob.Response() 
    253319            response.body = ('An error occurred retrieving an access decision ' 
    254320                             'for %r for user %r' % ( 
     
    331397        if save: 
    332398            self.session.save()      
     399 
     400    def enforceFromLocalPdp(self, subjectId, resourceURI): 
     401        """A local PDP can filter out some requests to avoid the need to call 
     402        out to the authorisation service  
     403        """ 
     404        xacmlRequest = self._createXacmlRequestCtx(subjectId, resourceURI) 
     405        xacmlResponse = self.__localPdp.evaluate(xacmlRequest) 
     406 
     407    def _createXacmlRequestCtx(self, resourceURI): 
     408        request = _xacmlCtx.request.Request() 
     409         
     410        resource = _xacmlCtx.request.Resource() 
     411        resourceAttribute = _xacmlCore.attribute.Attribute() 
     412        resource.attributes.append(resourceAttribute) 
     413         
     414        resourceAttribute.attributeId = \ 
     415                                    _xacmlCore.Identifiers.Resource.RESOURCE_ID 
     416                             
     417        resourceAttribute.dataType = AnyUriAttributeValue.IDENTIFIER 
     418        resourceAttribute.attributeValues.append(AnyUriAttributeValue()) 
     419        resourceAttribute.attributeValues[-1].value = resourceURI 
     420 
     421        request.resources.append(resource) 
     422         
     423        return request 
     424         
     425 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

    r7077 r7364  
    2727    @type propertyDefaults: dict 
    2828    @cvar propertyDefaults: valid configuration property keywords  
    29     """    
     29    """  
     30    __slots__ = () 
    3031    propertyDefaults = { 
    3132        'sessionKey': 'beaker.session.ndg.security' 
     
    4445    isAuthenticated = property(fget=_isAuthenticated, 
    4546                               doc='boolean to indicate is user logged in') 
    46         
     47       
    4748 
    4849class SessionHandlerMiddlewareError(NDGSecurityMiddlewareError): 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py

    r7357 r7364  
    2020from ndg.saml.common import SAMLVersion 
    2121 
     22 
     23from ndg.xacml.core import Identifiers 
    2224from ndg.xacml.core.context.pdp import PDP 
    2325from ndg.xacml.core import context as _xacmlContext 
     
    8991        self.__assertionLifetime = 0. 
    9092        self.__policyFilePath = None 
    91          
    92         # Policy Information Point 
    93         self.pip = PIP() 
    9493     
    9594    @classmethod 
     
    161160            # Check for PIP attribute related items 
    162161            if __optName.startswith(pipPrefix): 
     162                if self.pip is None:     
     163                    # Create Policy Information Point so that settings can be  
     164                    # assigned 
     165                    self.pip = PIP() 
     166                     
    163167                setattr(self.pip, __optName[pipPrefixLen:], val) 
    164168            else: 
     
    347351        @type designator: ndg.xacml.core.expression.Expression derived type 
    348352        @return: list of attribute values for subject corresponding to given 
    349         policy designator.  Return None if none can be found 
     353        policy designator.  Return None if none can be found or if no PIP has 
     354        been assigned to this handler 
    350355        @rtype: ndg.xacml.utils.TypedList(<designator attribute type>) / None 
    351         """ 
    352         return self.pip.attributeQuery(request, designator) 
     356        type 
     357        """ 
     358        if self.pip is None: 
     359            return None 
     360        else: 
     361            return self.pip.attributeQuery(request, designator) 
    353362     
    354363    def _createXacmlRequestCtx(self, samlAuthzDecisionQuery): 
     
    381390        XacmlStringAttributeValue = xacmlAttributeValueFactory( 
    382391                                    'http://www.w3.org/2001/XMLSchema#string') 
    383  
    384         # TODO: get attributes - replace hard coded values 
    385         roleAttribute.attributeId = "urn:ndg:security:authz:1.0:attr" 
    386         roleAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER 
    387          
    388         roleAttribute.attributeValues.append(XacmlStringAttributeValue()) 
    389         roleAttribute.attributeValues[-1].value = 'staff'  
    390          
    391         xacmlSubject.attributes.append(roleAttribute) 
    392392                                   
    393393        xacmlRequest.subjects.append(xacmlSubject) 
     
    397397        resource.attributes.append(resourceAttribute) 
    398398         
    399         resourceAttribute.attributeId = \ 
    400                             "urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
     399        resourceAttribute.attributeId = Identifiers.Resource.RESOURCE_ID 
    401400                             
    402401        resourceAttribute.dataType = XacmlAnyUriAttributeValue.IDENTIFIER 
     
    413412            xacmlRequest.action.attributes.append(xacmlActionAttribute) 
    414413             
    415             xacmlActionAttribute.attributeId = \ 
    416                                 "urn:oasis:names:tc:xacml:1.0:action:action-id" 
     414            xacmlActionAttribute.attributeId = Identifiers.Action.ACTION_ID 
    417415            xacmlActionAttribute.dataType = XacmlStringAttributeValue.IDENTIFIER 
    418416            xacmlActionAttribute.attributeValues.append( 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

    r7357 r7364  
    9595                </Resource> 
    9696            </Resources> 
     97            <Actions> 
     98                <Action> 
     99                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
     100                        <ActionAttributeDesignator 
     101                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
     102                            DataType="http://www.w3.org/2001/XMLSchema#string"/> 
     103                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 
     104                    </ActionMatch> 
     105                </Action> 
     106            </Actions> 
    97107        </Target> 
    98108         
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system

    • Property svn:ignore set to
      pip-session-cache
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

    r7357 r7364  
    9797pep.cacheDecisions = True 
    9898 
     99# Including this setting activates a simple PDP local to this PEP which filters  
     100# requests to cut down on calls to the authorisation service.  This is useful 
     101# for example to avoid calling the authorisation service for non-secure content 
     102# such as HTML CSS or graphics.  Note that filters based on resource URI  
     103# requested alone.  Subject, action and environment settings are not passed in  
     104# the request context to the local PDP. 
     105# 
     106# The policy content should be set carefully to avoid unintended override of the 
     107# authorisation service's policy 
     108pep.localPolicyFilePath = %(here)s/request-filter.xml 
     109 
    99110# Settings for Policy Information Point used by the Policy Decision Point to 
    100111# retrieve subject attributes from the Attribute Authority associated with the 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

    r7353 r7364  
    3232authz.pep.cacheDecisions = True 
    3333 
     34# Including this setting activates a simple PDP local to this PEP which filters  
     35# requests to cut down on calls to the authorisation service.  This is useful 
     36# for example to avoid calling the authorisation service for non-secure content 
     37# such as HTML CSS or graphics.  Note that filters based on resource URI  
     38# requested alone.  Subject, action and environment settings are not passed in  
     39# the request context to the local PDP. 
     40# 
     41# The policy content should be set carefully to avoid unintended override of the 
     42# authorisation service's policy 
     43authz.pep.localPolicyFilePath = %(here)s/request-filter.xml 
     44 
    3445# If omitted, DN of SSL Cert is used 
    3546authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test 
Note: See TracChangeset for help on using the changeset viewer.