Changeset 7843


Timestamp:
25/01/11 10:22:43 (8 years ago)
Author:
pjkersha
Message:

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • Moved the PasteDeployAppServer class to the ndg.security.server.utils.paste_utils module so that it can be included in scripts as part of the paster templates.
  • tidied and rationalised attribute and authorisation service scripts.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
11 added
2 deleted
12 edited
1 moved

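--- a/TI12-security/trunk/NDGSecurity/python/Tests/httpBasicAuthWSGI/httpBasicAuthWSGI.py
+++ b/TI12-security/trunk/NDGSecurity/python/Tests/httpBasicAuthWSGI/httpBasicAuthWSGI.py
@@ -42,5 +42,5 @@
 
 # To start the Site A Attribute Authority run
-# $ paster serve site-a.ini or run this file as a script
+# $ paster serve attribute-service.ini or run this file as a script
 # $ ./siteAServerApp.py [port #]
 if __name__ == '__main__':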
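--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile
@@ -121,4 +121,5 @@
 AUTHZ_SERVICE_INI_FILEPATH_TMP = ${AUTHZ_SERVICE_DEST_DIR}${AUTHZ_SERVICE_INI_FILENAME}
 AUTHZ_SERVICE_INI_TMPL_FILEPATH = ${AUTHZ_SERVICE_INI_FILEPATH_TMP}_tmpl
-AUTHZ_SERVICE_FILES = ${AUTHZ_SERVICE_INI_FILENAME} pip-mapping.txt policy.xml public
+AUTHZ_SERVICE_FILES = ${AUTHZ_SERVICE_INI_FILENAME} pip-mapping.txt policy.xml \
+        public authorisationserviceapp.py
 AUTHZ_SERVICE_PKI_DEST_DIR = ${AUTHZ_SERVICE_DEST_DIR}pki/
 AUTHZ_SERVICE_CA_DEST_DIR = ${AUTHZ_SERVICE_PKI_DEST_DIR}ca/
@@ -165,11 +166,9 @@
 ATTR_SERVICE_DIRNAME = attributeservice/
 ATTR_SERVICE_SRC_DIR = ${TEST_CONFIG_SRC_DIR}attributeauthority/sitea/
-ATTR_SERVICE_STATIC_CONTENT_SRC_DIR = ${ATTR_SERVICE_SRC_DIR}public/
-ATTR_SERVICE_SRC_INI_FILENAME = site-a.ini
-ATTR_SERVICE_SRC_INI_FILEPATH = ${ATTR_SERVICE_SRC_DIR}${ATTR_SERVICE_SRC_INI_FILENAME}
 ATTR_SERVICE_DEST_DIR = ${DEST_DIR}${ATTR_SERVICE_DIRNAME}
 ATTR_SERVICE_INI_FILENAME = attribute-service.ini
 ATTR_SERVICE_INI_FILEPATH_TMP = ${ATTR_SERVICE_DEST_DIR}${ATTR_SERVICE_INI_FILENAME}
 ATTR_SERVICE_INI_TMPL_FILEPATH = ${ATTR_SERVICE_INI_FILEPATH_TMP}_tmpl
+ATTR_SERVICE_FILES = ${ATTR_SERVICE_INI_FILENAME} public attributeauthorityapp.py
 ATTR_SERVICE_STATIC_CONTENT_DEST_DIR = ${ATTR_SERVICE_DEST_DIR}public/
 ATTR_SERVICE_PKI_DEST_DIR = ${ATTR_SERVICE_DEST_DIR}pki/
@@ -180,7 +179,9 @@
         @-echo Preparing Attribute Service template ...
         @-echo
-        @-echo Copying test ini file ...
         -mkdir ${ATTR_SERVICE_DEST_DIR}
-        cp -r ${ATTR_SERVICE_SRC_INI_FILEPATH} ${ATTR_SERVICE_INI_FILEPATH_TMP}
+        @-echo Copying content directories and files ...
+        for i in ${ATTR_SERVICE_FILES}; do \
+                cp -r ${ATTR_SERVICE_SRC_DIR}$$i ${ATTR_SERVICE_DEST_DIR} ; \
+        done ;
         @-echo Making substitutions for template variables ...
         sed -e s/'# Description:.*'/'# Description: Paster ini file for SAML Attribute Service'/ \
@@ -194,6 +195,4 @@
         rm -f ${ATTR_SERVICE_INI_FILEPATH_TMP}
         @-echo
-        @-echo Copying static content directories and files ...
-        cp -r ${ATTR_SERVICE_STATIC_CONTENT_SRC_DIR} ${ATTR_SERVICE_STATIC_CONTENT_DEST_DIR}
         @-echo Create PKI directory and copying files ...
         -mkdir ${ATTR_SERVICE_PKI_DEST_DIR}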
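Review bot: The copy loop added at new lines 183-185 returns only the exit status of its last `cp`, so if an entry earlier in `ATTR_SERVICE_FILES` is missing from the source directory the loop carries on, the recipe still succeeds, and the template is built with an incomplete attribute service directory. The single `cp` this replaces would have aborted the target on failure; making each iteration fatal restores that: `cp -r ${ATTR_SERVICE_SRC_DIR}$$i ${ATTR_SERVICE_DEST_DIR} || exit 1; \`. If the same `for` construct is used for `AUTHZ_SERVICE_FILES` in the authorisation service target, which is outside this hunk, it needs the same treatment.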
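--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/attributeservice/attribute-service.ini_tmpl
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/attributeservice/attribute-service.ini_tmpl
@@ -1,4 +1,4 @@
 #
-# Description: Paster template for SAML Attribute Service
+# Description: Paster ini file for SAML Attribute Service
 #
 # NERC Data Grid Project
@@ -16,16 +16,19 @@
 attributeQueryInterfaceEnvironKeyName = attributeQueryInterface
 
+# This is set to a test SQLite database alter as needed
+dbConnectionString = sqlite:///%(here)s/user.db
+
 [server:main]
 use = egg:Paste#http
 host = 0.0.0.0
-port = 5000
+port = %%{portNumber}
 
-[app:mainApp]
-paste.app_factory = ndg.security.test.config.attributeauthority.sitea.sitea_attributeauthority:app_factory
+[app:AttributeAuthorityStaticContent]
+use = egg:Paste#static
+document_root = %(here)s/public
 
-# Chain of SOAP Middleware filters - Nb. WS-Security filters apply to the SOAP
-# Binding filter only.
+# Chain of Middleware filters
 [pipeline:main]
-pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter mainApp
+pipeline = AttributeAuthorityFilter AttributeAuthoritySamlSoapBindingFilter AttributeAuthorityStaticContent
 
 
@@ -47,8 +50,50 @@
 attributeAuthority.assertionLifetime: 28800
 
-# Settings for custom AttributeInterface derived class to get user roles for given
-# user ID
-attributeAuthority.attributeInterface.modFilePath: %(here)s
-attributeAuthority.attributeInterface.className: sitea_attributeinterface.TestUserRoles
+# Attribute Interface - determines how a given attribute query interfaces with a
+# backend database or other persistent store.  The one here is an SQLAlchemy
+# based one.  The database connection string is the global setting - see the
+# DEFAULT section.
+attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
+attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s
+
+# This does a sanity check to ensure the subject of the query is known to this
+# authority.
+attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
+
+# Map the given SAML attributes identifiers to the equivalent SQL query to
+# retrieve them.  Any number can be set.  They should have the form,
+#
+# attributeAuthority.attributeInterface.samlAttribute2SqlQuery.<id>
+#
+# where <id> can be any unique string.  The userId string is the value passed
+# from the client subject NameID field.  Each value consists of double quoted
+# space delimited entries.  The first entry is the attribute type, the second
+# is the SQL query needed to retrieve the attributes for the given type and
+# used id.  A third entry may be added to specify a conversion routine which
+# converts the retrieved attribute value(s) into a SAML Attribute Value instance.
+# If this omitted, then the retrieved value is converted by default into an
+# xs:string type.  All the options below are set to do this apart from the last
+# which uses a special test routine to convert to the ESGF Group/Role Attribute
+# Value type
+attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
+attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
+attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
+attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where attributetype = 'urn:siteA:security:authz:1.0:attr' and openid = '${userId}'"
+attributeAuthority.attributeInterface.samlAttribute2SqlQuery.esgGroupRole =
+        "urn:esg:sitea:grouprole" "select attributename from attributes where attributetype = 'urn:esg:sitea:grouprole' and openid = '${userId}'" "ndg.security.test.unit.dbAttr2ESGFGroupRole"
+
+# Set the permissable requestor Distinguished Names as set in the SAML client
+# query issuer field.  Comment out or remove if this is not required.  Nb.
+# filtering of clients can be more securely applied by whitelisting at the SSL
+# level.
+attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
+                                                           /O=Site B/CN=Authorisation Service,
+                                                           /CN=test/O=NDG/OU=BADC,
+                                                           /O=NDG/OU=Security/CN=localhost
+
+# Alternative test AttributeInterface class.  This uses fixed parameter values
+# instead of a database
+#attributeAuthority.attributeInterface.modFilePath: %(here)s
+#attributeAuthority.attributeInterface.className: sitea_attributeinterface.TestUserRoles
 
 # SAML SOAP Binding to the Attribute Authority
@@ -65,5 +110,5 @@
 #saml.soapbinding.serialise = ndg.saml.xml.etree:AttributeQueryElementTree.toXML
 
-saml.soapbinding.mountPath = %%{mountPoint}
+saml.soapbinding.mountPath = %%{mountPath}
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s
 
@@ -108,3 +153,3 @@
 level=NOTSET
 formatter=generic
-args=(os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)
+args=(os.path.join('%%{outputDir}', 'log', 'service.log'), 'a', 10000, 2)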
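Review bot: The new `samlSubjectSqlQuery` and `samlAttribute2SqlQuery.*` settings (new lines 61 and 78-83) splice `${userId}` — which the comment on lines 68-69 says is the value taken from the client's SAML subject NameID — directly into SQL text, so unless `SQLAlchemyAttributeInterface` binds it as a query parameter rather than substituting the string (the template does not show which), a crafted NameID is an SQL injection against the user database. Either way a deployer editing these queries needs to know, so I would add above line 61: `# NOTE: ${userId} is attacker-controlled input from the request NameID; keep it as the sole substituted value and do not build further SQL text from it.` Two test-only values have also moved into what is now a deployment template: the `samlValidRequestorDNs` list (lines 89-92) contains the unit-test DNs `/CN=test/O=NDG/OU=BADC` and `/O=NDG/OU=Security/CN=localhost`, and the `esgGroupRole` conversion routine on line 83 points at `ndg.security.test.unit`, so an installed service would depend on the test package. Consider replacing the DN list with a `%%{...}` placeholder and moving `dbAttr2ESGFGroupRole` next to `ESGFGroupRoleAttributeValue` in `ndg.security.common.saml_utils.esgf`, which is the module the test package already imports that type from.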
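--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/authorisationservice/authorisation-service.ini_tmpl
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/authorisationservice/authorisation-service.ini_tmpl
@@ -1,6 +1,4 @@
 #
-# Title: INI file for NDG Security SAML Authorisation Service with XACML PDP
-#
-# Description: Paster template
+# Description: Paster ini file for SAML/XACML based Authorisation Service
 #
 # Author: P J Kershaw
@@ -15,10 +13,4 @@
 #
 [DEFAULT]
-
-
-# This apply if the service is run with paster otherwise it's ignored e.g. if
-# the service is run in mod_wsgi
-port = 5000
-baseURI = localhost:%(port)s
 authorisationDecisionFuncEnvironKeyName = saml.authz.queryInterfaceEnvironKey
 
@@ -31,14 +23,19 @@
 samlIssuerFormat = %%{issuerFormat}
 
+
+
 [server:main]
 use = egg:Paste#http
 host = 0.0.0.0
-port = %(port)s
+port = 5100
+
+# Add static content here if required but note that none is needed for the
+# service to function
+[app:AuthorisationServiceStaticContent]
+use = egg:Paste#static
+document_root = %(here)s/public
 
 [pipeline:main]
-pipeline = AuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter TestApp
-
-[app:TestApp]
-paste.app_factory = ndg.saml.test.binding.soap:TestApp
+pipeline = AuthorisationServiceFilter SAMLSoapAuthzDecisionInterfaceFilter AuthorisationServiceStaticContent
 
 #______________________________________________________________________________
@@ -49,5 +46,5 @@
 
 # The URI path for this service
-saml.mountPath = %%{mountPoint}
+saml.mountPath = %%{mountPath}
 
 # The key name in environ which the upstream authorisation service must assign
@@ -104,19 +101,18 @@
 # optimise performance.  Set this flag to True/False to enable/disable caching
 # respectively.  If this setting is omitted it defaults to True
-#authz.ctx_handler.pip.cacheSessions = True
+#authz.ctx_handler.pip.cacheSessions = False
 
 # Set the directory for cached information to be stored.  This options is
 # ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
-# sessions will be cached in memory only.  If the service is stopped all cached
-# information would be lost
+# sessions will be cached in memory only.  In this case, if the service is
+# stopped all cached information would be lost
 #authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache
 
 # Set timeout (seconds) for a cached session - following the timeout any existing
 # session will be deleted.  This option is ignored if
-# authz.ctx_handler.pip.cacheSessions = False or is omitted.  If this option is
-# omitted, no timeout is set.  If none is set and
-# authz.ctx_handler.pip.sessionCacheDataDir is set, sessions will be effectively
-# cached permanently(!) only an assertion expiry could invalidate a given assertion
-# previously cached.
+# authz.ctx_handler.pip.cacheSessions = False.  If this option is omitted, no
+# timeout is set.  If none is set and authz.ctx_handler.pip.sessionCacheDataDir
+# is set, sessions will be effectively cached permanently(!) only an assertion
+# expiry could invalidate a given assertion previously cached.
 #authz.ctx_handler.pip.sessionCacheTimeout = 3600
 
@@ -185,3 +181,3 @@
 level=NOTSET
 formatter=generic
-args=(os.path.join('%(here)s', 'service.log'), 'a', 10000, 2)
+args=(os.path.join('%%{outputDir}', 'log', 'service.log'), 'a', 10000, 2)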
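Review bot: `port = 5100` on new line 30 is hard-coded while the attribute service template in this same changeset uses `port = %%{portNumber}`, so the authorisation service template cannot take a port from the user who instantiates it, and with the `port`/`baseURI` variables removed from `[DEFAULT]` there is nothing left in the file to derive the service's own URI from. Use the same placeholder as the sibling template: `port = %%{portNumber}`. Separately, the pipeline now terminates in `AuthorisationServiceStaticContent`, which serves `%(here)s/public` on `0.0.0.0` although the comment on lines 32-33 says no static content is needed; anything a deployer drops into that `public` folder is exposed without authentication, so either say so in that comment or end the pipeline with a minimal not-found application instead of a file server.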
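--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/README
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/README
@@ -8,7 +8,7 @@
    %(here)s settings with the specific file path):
    
-   $ paster serve site-a.ini
+   $ paster serve attribute-service.ini
       
- - sitea_attributeauthority.py: script to invoke the service:
+ - attributeauthorityapp.py: script to invoke the service:
 
    $ python ./sitea_attributeauthority.py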
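--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeauthorityapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeauthorityapp.py
@@ -10,27 +10,16 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
-import os
-from os.path import dirname, abspath, join
+from os import path
 import optparse
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 
-INI_FILENAME = 'site-a.ini'
+INI_FILENAME = 'attribute-service.ini'
 
 
-from ndg.security.test.unit import BaseTestCase
-
-# Initialize environment for unit tests
-if BaseTestCase.configDirEnvVarName not in os.environ:
-    os.environ[BaseTestCase.configDirEnvVarName] = \
-                                dirname(dirname(abspath(dirname(__file__))))
-
 # To start the Site A Attribute Authority run
-# $ paster serve site-a.ini or run this file as a script
+# $ paster serve attribute-service.ini or run this file as a script
 # $ ./sitea_attributeauthority.py [--port #][--conf <config file path>]
 if __name__ == '__main__':
-    import sys
-    import logging
-
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), INI_FILENAME)
+    cfgFilePath = path.join(path.dirname(path.abspath(__file__)), INI_FILENAME)
 
     parser = optparse.OptionParser()
@@ -38,9 +27,19 @@
                       "--port",
                       dest="port",
-                      default=5000,
+                      default=7443,
                       type='int',
                       help="port number to run under")
 
     parser.add_option("-c",
+                      "--cert-file",
+                      dest='certFilePath',
+                      help="SSL Certificate file")
+
+    parser.add_option("-k",
+                      "--private-key-file",
+                      dest='priKeyFilePath',
+                      help="SSL private key file")
+
+    parser.add_option("-f",
                       "--conf",
                       dest="configFilePath",
@@ -48,10 +47,19 @@
                       help="Configuration file path")
 
-    # Initialise test user database
-    from ndg.security.test.unit import BaseTestCase
-    BaseTestCase.initDb()
+    opt = parser.parse_args()[0]
 
-    opt = parser.parse_args()[0]
+    if opt.certFilePath:
+        from OpenSSL import SSL
+
+        ssl_context = SSL.Context(SSL.SSLv23_METHOD)
+        ssl_context.set_options(SSL.OP_NO_SSLv2)
+
+        ssl_context.use_privatekey_file(opt.priKeyFilePath)
+        ssl_context.use_certificate_file(opt.certFilePath)
+    else:
+        ssl_context = None
+
     server = PasteDeployAppServer(cfgFilePath=opt.configFilePath,
-                                  port=opt.port)
+                                  port=opt.port,
+                                  ssl_context=ssl_context)
     server.start()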
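Review bot: In the `if opt.certFilePath:` branch (new lines 51-58) nothing checks that `--private-key-file` was also supplied, so `use_privatekey_file(None)` fails with an OpenSSL type error rather than a usage message, and `set_options(SSL.OP_NO_SSLv2)` still leaves SSLv3 negotiable on a context created with `SSLv23_METHOD`. I would add before the `use_privatekey_file` call `if not opt.priKeyFilePath: parser.error("--cert-file requires --private-key-file")` and change the options line to `ssl_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. The context also installs no `set_verify` callback, so the SSL-level requestor whitelisting that the attribute-service ini in this changeset recommends over `samlValidRequestorDNs` cannot be done from this script; a comment saying whether that is left to a fronting proxy would save the next reader the search. The same block is duplicated verbatim in authorisationserviceapp.py, and since `PasteDeployAppServer` has just been moved to `ndg.security.server.utils.paste_utils`, a helper there taking the two file paths would remove the copy. Note too that dropping `BaseTestCase.initDb()` means the `sqlite:///%(here)s/user.db` the new ini points at must now exist and be populated before the script is run, which the README in this changeset does not mention.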
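--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisationserviceapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisationserviceapp.py
@@ -13,9 +13,7 @@
 from os.path import dirname, abspath, join
 import optparse
-
-from OpenSSL import SSL
 
 from ndg.security.test.unit import BaseTestCase, TEST_CONFIG_DIR
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 
 INI_FILENAME = 'authorisation-service.ini'
@@ -53,5 +51,7 @@
     opt = parser.parse_args()[0]
 
-    if opt.certFilePath:
+    if opt.certFilePath:
+        from OpenSSL import SSL
+
         ssl_context = SSL.Context(SSL.SSLv23_METHOD)
         ssl_context.set_options(SSL.OP_NO_SSLv2)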
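--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservicesapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservicesapp.py
@@ -11,5 +11,5 @@
 __revision__ = "$Id$"
 import os
-from os.path import dirname, abspath, join
+from os.path import dirname, abspath
 import optparse
 
@@ -17,5 +17,5 @@
 
 from ndg.security.test.unit import BaseTestCase, TEST_CONFIG_DIR
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 
 INI_FILENAME = 'securityservices.ini'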
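--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/openidprovider.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/openidprovider.py
@@ -16,5 +16,5 @@
 
 from ndg.security.test.unit import BaseTestCase, TEST_CONFIG_DIR
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 
 INI_FILENAME = 'openidprovider.ini'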
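--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/openidrelyingparty.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/openidrelyingparty.py
@@ -14,5 +14,5 @@
 import optparse
 
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 
 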
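--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
@@ -32,5 +32,5 @@
 
 from ndg.security.common.X509 import X500DN
-from ndg.security.test.unit.wsgi import PasteDeployAppServer
+from ndg.security.server.utils.paste_utils import PasteDeployAppServer
 from ndg.security.common.saml_utils.esgf import ESGFGroupRoleAttributeValue
 
@@ -184,5 +184,5 @@
         siteACfgFilePath = mkDataDirPath(join('attributeauthority',
                                               'sitea',
-                                              'site-a.ini'))
+                                              'attribute-service.ini'))
         self.addService(cfgFilePath=siteACfgFilePath,
                         port=(port or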