Changeset 7414 for TI12-security


Timestamp:
02/09/10 11:43:37 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Tested local PDP with integration tests. ndg.security.test.integration.full_system. This completes the functionality for the XACML integration - now preparing a new release.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
1 added
4 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/genshi/__init__.py

    r7077 r7414  
    2222from genshi.template import TemplateLoader 
    2323 
     24from ndg.saml.saml2.core import DecisionType 
    2425from ndg.security.server.wsgi.authz.result_handler import \ 
    2526    PEPResultHandlerMiddlewareBase 
     
    3334     
    3435    MSG_TMPL = ( 
    35         "Access is forbidden for this resource:<br/><br/>" 
    3636        "$pdpResponseMsg<br/><br/>" 
    37         "Please check with your site administrator that you have the required " 
    38         "access privileges." 
     37        "Please report this to your site administrator and check that you " 
     38        "have the required access privileges." 
    3939    ) 
    4040     
     
    104104        else: 
    105105            # Get response message from PDP recorded by PEP 
    106             cls = GenshiPEPResultHandlerMiddleware 
     106            cls = self.__class__ 
    107107            pepCtx = session.get(cls.PEPCTX_SESSION_KEYNAME, {}) 
    108108            pdpResponse = pepCtx.get(cls.PEPCTX_RESPONSE_SESSION_KEYNAME) 
    109             pdpResponseMsg = getattr(pdpResponse, 'message', '') or '' 
    110                  
     109            if pdpResponse is not None: 
     110                # Expecting a SAML response - parse decision values from this 
     111                pdpResponseMsg = ("The authorisation policy has set " 
     112                                  "access denied for this resource.") 
     113                for assertion in pdpResponse.assertions: 
     114                    for authzDecisionStatement in \ 
     115                         assertion.authzDecisionStatements: 
     116                        if (authzDecisionStatement.decision.value ==  
     117                            DecisionType.INDETERMINATE_STR): 
     118                            pdpResponseMsg = ("An error occurred making an " 
     119                                              "access decision.") 
     120                            break 
     121            else: 
     122                pdpResponseMsg = "Access is denied for this resource." 
     123                  
    111124            msg = Template(self.messageTemplate).substitute( 
    112125                                                pdpResponseMsg=pdpResponseMsg) 
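Review bot: The `break` under the INDETERMINATE check only leaves the inner loop over `assertion.authzDecisionStatements`; the outer loop over `pdpResponse.assertions` keeps running, so the code does not actually stop at the first indeterminate decision as the `break` suggests. The message ends up the same either way, so this is a readability point rather than a wrong result, but the two nested loops plus assign-then-break read more directly as one `any(...)` over both loops with an explicit if/else on the outcome. Replacing the former `getattr(pdpResponse, 'message', '')` with two fixed strings means nothing from the SAML response is rendered into the HTML template any more, which is the safer shape; a one-line comment at `if pdpResponse is not None:` recording that this is deliberate would stop a later change from reintroducing it. The enclosing method begins before this hunk.
```python
            if pdpResponse is not None:
                # Report a fixed message only; nothing from the SAML response
                # itself is rendered into the page.
                indeterminate = any(
                    statement.decision.value == DecisionType.INDETERMINATE_STR
                    for assertion in pdpResponse.assertions
                    for statement in assertion.authzDecisionStatements)
                if indeterminate:
                    pdpResponseMsg = ("An error occurred making an "
                                      "access decision.")
                else:
                    pdpResponseMsg = ("The authorisation policy has set "
                                      "access denied for this resource.")
            # … unchanged: else branch and template substitution …
```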
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py

    r7357 r7414  
    1616    """ 
    1717    method = { 
    18 "/": 'default', 
    19 "/test_401": "test_401", 
    20 "/test_403": "test_403", 
    21 "/test_securedURI": "test_securedURI", 
    22 "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI", 
    23 "/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg":  
    24     "test_logoutWithReturn2QueryArg", 
    25 "/test_logoutViaHttpReferrer": "test_logoutViaHttpReferrer" 
     18        "/": 'default', 
     19        "/test_401": "test_401", 
     20        "/test_403": "test_403", 
     21        "/test_securedURI": "test_securedURI", 
     22        "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI", 
     23        "/test_logoutWithReturn2QueryArg": "test_logoutWithReturn2QueryArg" 
    2624    } 
    27     header = """        <h1>Authorisation Integration Tests:</h1> 
     25    header = """        <h1>NDG Security Authorisation Integration Tests:</h1> 
    2826        <p>These tests use require the security services application to be 
    2927        running.  See securityserviceapp.py and securityservices.ini in the  
     
    6260             
    6361    def default(self, environ, start_response): 
     62        links = self.method.copy() 
     63        del links['/'] 
     64        del links['/test_logoutWithReturn2QueryArg'] 
     65        links['/logout?ndg.security.logout.r=/test_logoutWithReturn2QueryArg' 
     66              ] = 'test_logoutWithReturn2QueryArg' 
     67         
    6468        if 'username' in environ.get(self.beakerSessionKeyName, {}): 
    6569            response = """<html> 
     
    7377""" % (AuthZTestApp.header, 
    7478       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    75                  for link,name in self.method.items() if name != 'default']), 
     79                  for link, name in links.items()]), 
    7680       environ[self.beakerSessionKeyName]['username']) 
    7781         
     
    8589        %s 
    8690        <ul>%s</ul> 
     91        <p>You are logged out.  <a href="/test_401">Login</a></p> 
    8792    </body> 
    8893</html> 
    8994""" % (AuthZTestApp.header, 
    9095       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
    91                  for link,name in self.method.items() if name != 'default']) 
     96                 for link,name in links.items()]) 
    9297       ) 
    9398 
     
    220225        return response 
    221226     
    222     def test_logoutViaHttpReferrer(self, environ, start_response): 
    223         """Test logout - the middleware works out where to return to by checking 
    224         the HTTP_REFERER environ setting 
    225         """ 
    226         response = """<html> 
    227     <head/> 
    228     <body> 
    229         <h1>Logged Out</h1> 
    230         <p>Successfully redirected to specified return to HTTP_REFERER=%s  
    231         following logout.   
    232         <a href="/">Return to tests</a></p> 
    233     </body> 
    234 </html> 
    235 """ % environ['PATH_INFO'] 
    236  
    237         start_response('200 OK',  
    238                        [('Content-type', 'text/html'), 
    239                         ('Content-length', str(len(response)))]) 
    240         return response 
    241      
    242227    @classmethod 
    243228    def app_factory(cls, globalConfig, **localConfig): 
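Review bot: The link-list expression `'\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) for link, name in links.items()])` in `default` is now written out twice, once in each branch of the `if 'username' in environ.get(self.beakerSessionKeyName, {})` test, so the two pages can drift apart; compute it once directly after the `links[...] = 'test_logoutWithReturn2QueryArg'` assignment, e.g. `linkList = '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) for link, name in links.items()])`, and use `linkList` in both templates. Iterating `sorted(links.items())` there would also give the rendered list a fixed order, since `links` is a plain dict copy and its iteration order is not guaranteed on older interpreters. `default` starts in this section but its body ends outside it.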
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/request-filter.xml

    r7413 r7414  
    66    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> 
    77    <Description> 
    8         Example for NDG Security unit tests: allow access for resource URIs  
    9         defined in the rules.  All other URIs are blocked from access 
    10          
    11         See ndg.security.test.unit.wsgi.authz.test_authz to see the various  
    12         rules tested out 
     8        Policy used by a PDP local to the PEP to filter out some requests from  
     9        being passed on to the main authorisation service 
    1310    </Description> 
    1411     
     
    2421                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    2522                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    26                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue> 
     23                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(?!layout).*$</AttributeValue> 
    2724                </ResourceMatch> 
    2825            </Resource> 
    2926        </Resources> 
    3027    </Target>    
    31      
    32     <!-- Deny everything by default --> 
    33     <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/> 
    34     <!--  
    35         Following rules punch holes through the deny everything rule above 
    36         because the rule combining algorithm is set to permit overrides - see  
    37         Policy element above 
    38     --> 
    39     <Rule RuleId="Graphics and CSS" Effect="Permit"> 
    40         <!--  
    41             Public access for graphics and CSS content 
    42         --> 
    43         <Target> 
    44             <Resources> 
    45                 <Resource> 
    46                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
    47                         <ResourceAttributeDesignator 
    48                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    49                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    50                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/layout/</AttributeValue> 
    51                     </ResourceMatch> 
    52                 </Resource> 
    53             </Resources> 
    54         </Target> 
    55     </Rule> 
    56  
    57     <Rule RuleId="urn:ndg:security:public-uri" Effect="Permit"> 
    58         <!--  
    59             Define a URI with public access 
    60              
    61             Rule target(s) define which requests apply to the particular rule 
    62         --> 
    63         <Target> 
    64             <Resources> 
    65                 <Resource> 
    66                     <!-- Match the request URI --> 
    67                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
    68                         <ResourceAttributeDesignator 
    69                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    70                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    71                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutViaHttpReferrer|test_logoutWithReturn2QueryArg)?$</AttributeValue> 
    72                     </ResourceMatch> 
    73                 </Resource> 
    74             </Resources> 
    75         </Target> 
    76     </Rule> 
    77  
    78     <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit"> 
    79         <!--  
    80             Demonstrate a URI secured with an attribute which the test user  
    81             doesn't have  
    82         --> 
    83         <Target> 
    84             <Resources> 
    85                 <Resource> 
    86                     <!-- Match the request URI --> 
    87                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
    88                         <ResourceAttributeDesignator 
    89                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    90                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    91                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue> 
    92                     </ResourceMatch> 
    93                 </Resource> 
    94             </Resources> 
    95             <Subjects> 
    96                 <Subject> 
    97                     <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
    98                         <SubjectAttributeDesignator  
    99                             AttributeId="urn:siteA:security:authz:1.0:attr"  
    100                             DataType="http://www.w3.org/2001/XMLSchema#string"/> 
    101                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue> 
    102                     </SubjectMatch> 
    103                 </Subject> 
    104             </Subjects> 
    105         </Target> 
    106     </Rule> 
    107      
    108     <Rule RuleId="urn:ndg:security:secured-uri-rule" Effect="Permit"> 
    109         <!--  
    110             Secure a URI path and all sub-paths using a regular expression to  
    111             define a URI pattern 
    112         --> 
    113         <Target> 
    114             <Resources> 
    115                 <Resource> 
    116                     <!-- Match 'test_securedURI' --> 
    117                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
    118                         <ResourceAttributeDesignator 
    119                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    120                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    121                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue> 
    122                     </ResourceMatch> 
    123                 </Resource> 
    124             </Resources> 
    125         </Target> 
    126          
    127         <!--  
    128             The condition narrows down the constraints layed down in the target to 
    129             something more specific 
    130              
    131             The user must have at least one of the roles set - in this 
    132             case 'staff' 
    133         --> 
    134         <Condition> 
    135             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
    136                 <SubjectAttributeDesignator  
    137                     AttributeId="urn:siteA:security:authz:1.0:attr"  
    138                     DataType="http://www.w3.org/2001/XMLSchema#string"/> 
    139                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
    140                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 
    141                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 
    142                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> 
    143                 </Apply> 
    144             </Apply> 
    145         </Condition> 
    146     </Rule> 
     28    <Rule RuleId="Catch all" Effect="Deny"></Rule> 
    14729</Policy> 
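Review bot: The negative lookahead in the new Target, `^http://localhost:7080/(?!layout).*$`, takes every request whose path starts with the characters `layout` out of the policy, not only the `/layout/` static-content tree that the removed "Graphics and CSS" rule matched with `^http://localhost:7080/layout/`; a constructed path like `/layouts` or `/layout-admin` would fall outside the policy as well. Anchoring on the directory, `^http://localhost:7080/(?!layout/).*$`, keeps the exclusion as narrow as it was before. With the single `Catch all` rule carrying no Target of its own, everything the policy applies to is denied locally, so the effect of this file depends entirely on how the PEP treats a local Deny versus NotApplicable, which is not visible here; the Description would be more useful if it stated which outcome forwards a request to the main authorisation service and which stops it. The `RuleId` value `Catch all` also departs from the URN-style identifiers used for the other rule ids in this file.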
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

    r7364 r7414  
    9191resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware 
    9292resultHandler.staticContentDir = %(here)s/pep_result_handler 
     93resultHandler.heading = NDG Security Integration Tests 
    9394 
    9495# Settings for the PEP (Policy Enforcement Point) 