Changeset 7846


Timestamp:
26/01/11 15:24:33 (8 years ago)
Author:
pjkersha
Message:

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

Location:
TI12-security/trunk/NDGSecurity/python
Files:
31 added
17 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile

    r7845 r7846  
    5858SERVICE_OP_YADIS_TMPL_FILEPATH = ${SERVICE_OP_YADIS_TMPL_FILEPATH_TMP}_tmpl 
    5959 
    60          
     60 
     61all: service_tmpl securedapp_tmpl authorisation_service_tmpl \ 
     62                attribute_service_tmpl openidprovider_tmpl 
     63                         
     64force: clean all 
     65 
     66                 
    6167service_tmpl: ${SERVICE_SRC_DIR} 
    6268        @-echo Preparing Generic Services template ... 
     
    132138SECUREDAPP_LOG_FILEPATH = ${SECUREDAPP_LOG_DEST_DIR}service.log 
    133139SECUREDAPP_SURPLUS_FILES = README __init__.* attributeinterface.* \ 
    134         securityservicesapp.* *.pyc authn/* openidprovider/ openidrelyparty/store/ \ 
    135         openidrelyparty/__init__.* pip-session-cache/ log/ policy.xml 
     140        securityservices*.* *.pyc authn/* openidprovider/ openidrelyparty/store/ \ 
     141        openidrelyparty/__init__.* pip-session-cache/ log/ policy.xml \ 
     142        pip-mapping.txt request-filter.xml 
    136143SECUREDAPP_REQUEST_FILTER_FILENAME = request-filter.xml 
    137144SECUREDAPP_REQUEST_FILTER_TMPL_FILENAME = ${SECUREDAPP_REQUEST_FILTER_FILENAME}_tmpl 
     
    155162        touch ${SECUREDAPP_LOG_FILEPATH} 
    156163        @-echo Making substitutions for ini file template variables ... 
    157         sed -e s/'port = .*'/'port = %%\{portNumber}'/ \ 
     164        sed -e s/'portNum = .*'/'portNum = %%\{portNumber}'/ \ 
     165        -e s/'baseURI = .*'/'baseURI = %%\{baseURI}'/ \ 
    158166        -e s/'# Revision:.*'//g \ 
    159167        -e s/'authN.redirectURI = .*'/'authN.redirectURI = %%{authnRedirectURI}'/ \ 
     168        -e s/'resultHandler.heading = .*'/'resultHandler.heading = %%{accessDeniedPageHeading}'/ \ 
    160169        -e s/'pep.authzServiceURI = .*'/'pep.authzServiceURI = %%{authzServiceURI}'/ \ 
    161170    -e s/'pep\.authzDecisionQuery\.issuerName = .*'/'pep\.authzDecisionQuery\.issuerName = %%\{authzDecisionQueryIssuerName}'/ \ 
     
    365374 
    366375         
    367 clean: service_tmpl_clean authorisation_service_tmpl_clean \ 
     376clean: service_tmpl_clean securedapp_tmpl_clean \ 
     377                authorisation_service_tmpl_clean \ 
    368378                attribute_service_tmpl_clean openidprovider_tmpl_clean 
    369379 
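Review bot: The new sed expressions for `portNum` and `baseURI` in the third hunk are unanchored, so any later line that merely contains `baseURI = ` — a comment, for instance — is rewritten to the end of the line as well; anchoring them, `-e s/'^portNum = .*'/'portNum = %%\{portNumber}'/` and `-e s/'^baseURI = .*'/'baseURI = %%\{baseURI}'/`, restricts the substitution to the actual settings. The pre-existing expressions below share the same shape, so this is a consistency point rather than a regression. The sed command continues outside the hunk.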
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/attributeservice/attributeauthorityapp.py

    r7843 r7846  
    99__copyright__ = "(C) 2009 Science and Technology Facilities Council" 
    1010__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    11 __revision__ = "$Id: attributeauthorityapp.py 7842 2011-01-25 09:34:42Z pjkersha $" 
     11__revision__ = "$Id: attributeauthorityapp.py 7844 2011-01-25 11:24:53Z pjkersha $" 
    1212from os import path 
    1313import optparse 
     
    2727                      "--port", 
    2828                      dest="port", 
    29                       default=7443, 
     29                      default=5443, 
    3030                      type='int', 
    3131                      help="port number to run under") 
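Review bot: The `--port` default moves from 7443 to 5443 but the help string still says nothing about it, so `--help` output gives no hint of the new value; optparse expands `%default`, so `help="port number to run under (default: %default)"` keeps the usage text in step with future changes. The add_option call begins before the hunk, and the `__revision__` line is only the keyword bump.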
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/openidprovider/service.ini_tmpl

    r7817 r7846  
    187187level=NOTSET 
    188188formatter=generic 
    189 args=(os.path.join('%%{outputDir}', 'log', 'openidprovider.log'), 'a', 100000, 10) 
     189args=(os.path.join('%%{outputDir}', 'log', 'service.log'), 'a', 100000, 10) 
    190190 
    191191[formatter_generic] 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/openidprovider/templates/__init__.py

    r7817 r7846  
    88__license__ = "BSD - see LICENSE file in top-level directory" 
    99__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    10 __revision__ = '$Id: __init__.py 7077 2010-06-24 15:38:19Z pjkersha $' 
     10__revision__ = '$Id: __init__.py 7822 2011-01-17 16:26:46Z pjkersha $' 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/openidprovider/templates/serveryadis.xml_tmpl

    r7822 r7846  
    11<?xml version="1.0" encoding="UTF-8"?> 
    22<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
    3     %%{serveryadisExtraXrdEntries} 
    43    <XRD> 
    54        <Service priority="0"> 
     
    76            <URI>$endpoint_url</URI> 
    87        </Service> 
     8        %%{serveryadisExtraServiceEndpoints} 
    99    </XRD> 
    1010</xrds:XRDS> 
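Review bot: The placeholder moves from `%%{serveryadisExtraXrdEntries}` before `<XRD>` to `%%{serveryadisExtraServiceEndpoints}` inside it, so whatever fills it must now emit complete `<Service>` elements rather than arbitrary XRD children, and a caller still setting the old key would be silently dropped; the template.py section on this page shows the `_MYPROXY_SERVER_LOCALID_XRD_ENTRY_TMPL` docstring but not the code that populates this key, so I cannot confirm the two sides agree. A one-line XML comment above the placeholder stating the contract — `<!-- serveryadisExtraServiceEndpoints: zero or more complete <Service> elements -->` (without the `%%{}` syntax, so the engine does not expand it twice) — would make the rename self-documenting. The same change is made in yadis.xml_tmpl (`%%{yadisExtraServiceEndpoints}`) and in both files under services/openidprovider/templates, which look like duplicates of these two; if the duplication is intentional, a note on which copy is the maintained source would help.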
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/openidprovider/templates/yadis.xml_tmpl

    r7822 r7846  
    11<?xml version="1.0" encoding="UTF-8"?> 
    22<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
    3     %%{yadisExtraXrdEntries} 
    43    <XRD> 
    54        <Service priority="0"> 
     
    98            <LocalID>$user_url</LocalID> 
    109        </Service> 
     10        %%{yadisExtraServiceEndpoints} 
    1111    </XRD> 
    1212</xrds:XRDS> 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/request-filter.xml_tmpl

    r7637 r7846  
    2121                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
    2222                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
    23                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(?!layout).*$</AttributeValue> 
     23                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^%%{baseURI}/(?!layout).*$</AttributeValue> 
    2424                </ResourceMatch> 
    2525            </Resource> 
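Review bot: `%%{baseURI}` is spliced into a regular expression unescaped and is followed by a literal `/`; with the template's own default `DEFAULT_URI = 'http://localhost:7080/'` (trailing slash) the rendered pattern is `^http://localhost:7080//(?!layout).*$`, which no real resource-id will match, so the rule silently stops applying. A separate, regex-safe value rendered in SecuredAppTemplate.pre — e.g. `vars['baseURIPattern'] = re.escape(vars['baseURI'].rstrip('/'))`, used here as `^%%{baseURIPattern}/(?!layout).*$` — avoids both the doubled slash and the fact that unescaped dots in the host name match any character (and that a `?` or `+` in a base URI would change the pattern's meaning); whether template.py already imports `re` is not visible on this page. I cannot see where this file is consumed, so the anchoring behaviour is inferred from the `^`/`$` already present.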
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/openidprovider/templates/__init__.py

    r7777 r7846  
    88__license__ = "BSD - see LICENSE file in top-level directory" 
    99__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    10 __revision__ = '$Id: __init__.py 7077 2010-06-24 15:38:19Z pjkersha $' 
     10__revision__ = '$Id: __init__.py 7822 2011-01-17 16:26:46Z pjkersha $' 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/openidprovider/templates/serveryadis.xml_tmpl

    r7822 r7846  
    11<?xml version="1.0" encoding="UTF-8"?> 
    22<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
    3     %%{serveryadisExtraXrdEntries} 
    43    <XRD> 
    54        <Service priority="0"> 
     
    76            <URI>$endpoint_url</URI> 
    87        </Service> 
     8        %%{serveryadisExtraServiceEndpoints} 
    99    </XRD> 
    1010</xrds:XRDS> 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/openidprovider/templates/yadis.xml_tmpl

    r7822 r7846  
    11<?xml version="1.0" encoding="UTF-8"?> 
    22<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
    3     %%{yadisExtraXrdEntries} 
    43    <XRD> 
    54        <Service priority="0"> 
     
    98            <LocalID>$user_url</LocalID> 
    109        </Service> 
     10        %%{yadisExtraServiceEndpoints} 
    1111    </XRD> 
    1212</xrds:XRDS> 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/pip-mapping.txt

    r7777 r7846  
    1616# Licence: BSD - See top-level LICENCE file for licence details 
    1717# 
    18 # $Id$ 
     18# $Id: pip-mapping.txt 7822 2011-01-17 16:26:46Z pjkersha $ 
    1919 
    2020# Entries are whitespace delimited <attribute id> <attribute authority> 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/service.ini_tmpl

    r7817 r7846  
    1 # 
    2 # Title:        NERC DataGrid Security Paste INI file template for all services 
    31# 
    42# Description:  Paste configuration for combined SAML Attribute Authority and  
     
    2422scheme = https 
    2523baseURI = %%{baseURI} 
    26 openIDProviderIDBase = openid/ 
     24openIDProviderIDBase = /openid/ 
    2725 
    2826# The default OpenID set in the Relying Party form text field.  As shown it is 
     
    406404# based one.  The database connection string is the global setting - see the  
    407405# DEFAULT section.  
     406attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface 
    408407attributeAuthority.attributeInterface.connectionString: %(dbConnectionString)s 
    409 attributeAuthority.attributeInterface.className: ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface 
    410408 
    411409# This does a sanity check to ensure the subject of the query is known to this 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py

    r7845 r7846  
    5252        return tmpl.substitute(**vars) 
    5353 
     54    def pre(self, command, output_dir, vars): 
     55        '''Extend to fix log file path setting in ini file 
     56         
     57        @param command: command to create template 
     58        @type command:  
     59        @param output_dir: output directory for template file(s) 
     60        @type output_dir: string 
     61        @param vars: variables to be substituted into template 
     62        @type vars: dict 
     63        '''   
     64        vars['outputDir'] = os.path.abspath(output_dir) 
     65         
     66         
    5467"""@var _MYPROXY_SERVER_LOCALID_XRD_ENTRY_TMPL: Yadis XRDS entry for a MyProxy 
    5568server endpoint.  This entry also include a localID $user_url which the OpenID 
     
    190203        @type vars: dict 
    191204        '''   
    192          
    193         # This sets the log file path 
    194         vars['outputDir'] = os.path.abspath(output_dir) 
    195205 
    196206        # Cut out port number from base URI 
     
    234244        del vars['myproxyServerURI']    
    235245         
     246        # This sets the log file path 
    236247        super(ServicesTemplate, self).pre(command, output_dir, vars) 
    237248 
     
    240251    """Create a template for a secured application with authentication and 
    241252    authorisation filters""" 
    242     DEFAULT_PORT = 7080 
     253    DEFAULT_URI = 'http://localhost:7080/' 
    243254    DEFAULT_AUTHN_REDIRECT_URI = 'https://localhost:7443/verify' 
    244255    DEFAULT_AUTHZ_SERVICE_URI = 'https://localhost:7443/AuthorisationService' 
    245256    DEFAULT_ISSUER_NAME = 'O=NDG, OU=Security, CN=localhost' 
    246257    DEFAULT_ISSUER_FORMAT = Issuer.X509_SUBJECT 
    247      
    248     _template_dir = 'secured_application' 
     258    DEFAULT_ACCESS_DENIED_HEADING = 'Access is denied for this resource' 
     259     
     260    _template_dir = 'securedapp' 
    249261    summary = ( 
    250262        'NDG Security template for securing an application with ' 
    251         'authentication and authorisation filters') 
     263        'authentication and authorisation filters.  Use in conjunction with ' 
     264        'the ndgsecurity_services template') 
     265     
    252266    vars = [ 
    253         var('portNumber', 
    254             'Port number for service to listen on [applies to running with ' 
    255             'paster ONLY]', 
    256             default=DEFAULT_PORT), 
     267        var('baseURI', 
     268            'Base URI for the service [sets default return to address ' 
     269            'following logout]', 
     270            default=DEFAULT_URI), 
    257271 
    258272        var('authkitCookieSecret',  
    259             ('Cookie secret for AuthKit authentication middleware (if using a ' 
    260              'separate SSL based OpenID Relying Party then this value MUST ' 
    261              'agree with the one used for that ini file'), 
     273            ('Cookie secret for AuthKit authentication middleware [this value ' 
     274             '*MUST* agree with the one set in the authentication service\'s ' 
     275             'ini file]'), 
    262276            default=base64.b64encode(os.urandom(32))[:32]), 
    263277 
    264         var('beakerSessionSecret',  
     278        var('beakerSessionCookieSecret',  
    265279            'Cookie secret for keeping security session state', 
    266280            default=base64.b64encode(os.urandom(32))[:32]), 
     
    271285            default=DEFAULT_AUTHN_REDIRECT_URI), 
    272286 
     287        var('accessDeniedPageHeading', 
     288            'Heading for access denied HTML page', 
     289            default=DEFAULT_ACCESS_DENIED_HEADING), 
     290             
    273291        var('authzServiceURI',  
    274292            ('endpoint authorisation service which this app is secured with'), 
     
    286304    ] 
    287305 
     306    def pre(self, command, output_dir, vars): 
     307        '''Extend to enable substitutions for port number and fix log file path  
     308        setting 
     309         
     310        @param command: command to create template 
     311        @type command:  
     312        @param output_dir: output directory for template file(s) 
     313        @type output_dir: string 
     314        @param vars: variables to be substituted into template 
     315        @type vars: dict 
     316        '''   
     317        # Cut out port number from base URI 
     318        uriParts = urlparse(vars['baseURI']) 
     319        netlocLastElem = uriParts.netloc.split(':')[-1] 
     320        if netlocLastElem.isdigit(): 
     321            vars['portNumber'] = netlocLastElem 
     322        else: 
     323            vars['portNumber'] = '' 
     324             
     325        # This sets the log file path 
     326        super(SecuredAppTemplate, self).pre(command, output_dir, vars) 
     327             
    288328 
    289329class AttributeServiceTemplate(TemplateBase): 
     
    330370        @type vars: dict 
    331371        '''   
    332         vars['outputDir'] = os.path.abspath(output_dir) 
    333          
    334372        # Fix for mount point in case leading slash was omitted. 
    335373        if not vars['mountPath'].startswith('/'): 
    336374            vars['mountPath'] = '/' + vars['mountPath'] 
     375             
     376        super(AttributeServiceTemplate, self).pre(command, output_dir, vars) 
    337377             
    338378 
     
    427467        @type vars: dict 
    428468        '''   
    429          
    430         # This sets the log file path 
    431         vars['outputDir'] = os.path.abspath(output_dir) 
    432  
    433469        # Cut out port number from base URI 
    434470        uriParts = urlparse(vars['baseURI']) 
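Review bot: In the new SecuredAppTemplate.pre the `else` branch sets `vars['portNumber'] = ''` whenever baseURI carries no explicit port (any `https://host/` value), which renders the ini's port setting empty and only fails later when paster tries to bind; failing at template creation with a usable message is better, and `urlparse(...).port` (None when no port is given) is the stdlib way to read the port rather than splitting netloc on `:`. The same extraction now exists in ServicesTemplate.pre and in the pre() of the section's last hunk, so it belongs in one TemplateBase helper. Also `@type command:` is left blank in both new pre() docstrings; from the test at the bottom of the page the argument is the CreateDistroCommand that drives the template. The last hunk's function continues beyond the section.
```python
    def pre(self, command, output_dir, vars):
        # … unchanged: docstring …
        # Cut out port number from base URI.  ParseResult.port is None when no
        # explicit port is given
        port = urlparse(vars['baseURI']).port
        if port is None:
            # An empty portNumber renders "port = " in the ini and paster would
            # only fail at bind time; reject it here with a usable message
            raise ValueError('baseURI %r must include an explicit port number' %
                             vars['baseURI'])
        vars['portNumber'] = str(port)

        # This sets the log file path
        super(SecuredAppTemplate, self).pre(command, output_dir, vars)
```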
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

    r7845 r7846  
    11# 
    2 # Description: NDG Security AuthZ WSGI Testing environment configuration.  This  
    3 # ini file defines the configuration for a an application to be secured.   
     2# Description: NDG Security configuration to secure a given WSGI application.   
    43# Security filters placed in front of the application in the WSGI pipeline act  
    54# as client to security services running on a separate application stack.  - See 
    6 # securityservices.ini / ndgsecurity_services template 
     5# ndg.security.test.integration.full_system or the ndgsecurity_services  
     6# template. 
    77# 
    88# NERC DataGrid 
     
    2121beakerSessionKeyName = beaker.session.ndg.security 
    2222testConfigDir = %(here)s/../../config 
     23portNum = 7080 
     24baseURI = http://localhost:%(portNum)s/ 
    2325 
    2426[server:main] 
    2527use = egg:Paste#http 
    2628host = 0.0.0.0 
    27 port = 7080 
     29port = %(portNum)s 
    2830 
     31# Security filters are arranged in serial ahead of the application to be  
     32# secured 
    2933[pipeline:main] 
    30 pipeline = BeakerSessionFilter  
    31                    AuthenticationFilter  
    32                    AuthorisationFilter  
    33                    AuthZTestApp 
     34pipeline = BeakerSessionFilter AuthenticationFilter AuthorisationFilter App 
    3435 
    35 [app:AuthZTestApp] 
     36# This is the application to be secured.  In this case it's a test harness for 
     37# checking the various aspects of the security filters' functionality.  Replace 
     38# this with the required application for a production system 
     39[app:App] 
    3640paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory 
    3741 
    38  
     42# 
     43# This filter sets up a server side session linked to a cookie.  The session 
     44# caches authentication and authorisation state information 
    3945[filter:BeakerSessionFilter] 
    4046paste.filter_app_factory = beaker.middleware:SessionMiddleware 
     
    5157#beaker.session.cookie_domain = .localhost 
    5258 
     59# 
     60# This filter redirects unauthenticated requests to a separate authentication 
     61# service listening on another port - typically 443 so that it can host an 
     62# SSL client authentication filter 
    5363[filter:AuthenticationFilter] 
    5464paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthenticationMiddleware 
     
    6070# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or 
    6171# passed return to query argument 
    62 authN.sessionHandler.defaultLogoutReturnToURI = https://localhost:7443/ 
     72authN.sessionHandler.defaultLogoutReturnToURI = %(baseURI)s 
    6373 
    6474# AuthKit Set-up 
     
    8393# 
    8494# Authorisation filter contains a Policy Enforcement Point which enforces access 
    85 # control decisions made by the Authorisation Service  
     95# control decisions made by a separate Authorisation Service  
    8696[filter:AuthorisationFilter] 
    8797paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory 
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/paster_templates/test_paster_templates.py

    r7827 r7846  
    5858 
    5959        shutil.rmtree(self.__class__.SERVICE_CONF_DIRPATH, True) 
    60             
     60     
     61 
     62class SecuredAppTemplateTestCase(unittest.TestCase): 
     63    """Test create configuration for an application secured with NDG Security 
     64    filters 
     65    """ 
     66    HERE_DIR = _HERE_DIR 
     67    SERVICE_TMPL_NAME = 'ndgsecurity_securedapp' 
     68    SERVICE_CONF_DIR = 'securedapp' 
     69    SERVICE_CONF_DIRPATH = path.join(HERE_DIR, SERVICE_CONF_DIR) 
     70    SERVICE_CONF_DIR_FILES = ( 
     71        'pki', 'request-filter.xml', 'service.ini', 'pep_result_handler',  
     72        'securedapp.py' 
     73    ) 
     74     
     75    def test01Run(self): 
     76        log.debug("_"*80) 
     77        log.debug("Creating Secured application template ...") 
     78        log.debug("_"*80) 
     79        cmd = CreateDistroCommand(None) 
     80        cmd.default_interactive = False 
     81        cmd.run([self.__class__.SERVICE_CONF_DIR,  
     82                 '-t',  
     83                 self.__class__.SERVICE_TMPL_NAME, 
     84                 '-o', 
     85                 self.__class__.HERE_DIR]) 
     86         
     87        createdFiles = listdir(self.__class__.SERVICE_CONF_DIRPATH) 
     88         
     89        for _file in self.__class__.SERVICE_CONF_DIR_FILES: 
     90            self.assert_(_file in createdFiles, "Missing file %r" % _file) 
     91 
     92    def tearDown(self): 
     93        if _NDGSEC_UNITTEST_KEEP_PASTER_CONF_DIRS: 
     94            return 
     95 
     96        shutil.rmtree(self.__class__.SERVICE_CONF_DIRPATH, True) 
     97                    
    6198 
    6299class AttributeServiceTemplateTestCase(unittest.TestCase): 
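Review bot: SecuredAppTemplateTestCase.test01Run only checks that the expected files exist; since the template now derives `portNumber` from `baseURI` and splices `baseURI` into request-filter.xml, reading the generated `service.ini` under `SERVICE_CONF_DIRPATH` and asserting that the port from the default base URI was written (and that no `%%{` placeholder survives in the output) would catch the substitution regressing. `self.assert_` is the deprecated alias; `self.assertTrue(_file in createdFiles, "Missing file %r" % _file)` is the current spelling. The expected `pki` entry suggests the template copies key material into every generated configuration; if those are demo keys, the generated ini or a README should say they must be replaced before deployment — the template contents are not visible here, so this is inferred.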