def get_user_details(environ, openid):
"""
Return a dictionary containing a user's
first name, last name and email address
"""
attribute_names = [('first_name', ATTRIBUTE_FIRST_NAME),
('last_name', ATTRIBUTE_LAST_NAME),
('email_address', ATTRIBUTE_EMAIL_ADDRESS)]
attributes = []
for _, name in attribute_names:
attribute = Attribute()
attribute.name = name
attribute.nameFormat = 'http://www.w3.org/2001/XMLSchema#string'
attributes.append(attribute)
result = attribute_query(environ, attributes, openid)
if result:
user_details = {}
for attribute_name in attribute_names:
index, name = attribute_name
values = result.get(name)
value = values
if values and len(values) == 1:
value = values[0]
user_details[index] = value
return user_details
def test03InvalidAttributesRequested(self):
attributeQuery = self._createAttributeQuery()
# Add an unsupported Attribute name
attribute = Attribute()
attribute.name = "urn:my:attribute"
attribute.nameFormat = XMLConstants.XSD_NS+"#"+\
XSStringAttributeValue.TYPE_LOCAL_NAME
attribute.friendlyName = "myAttribute"
attributeQuery.attributes.append(attribute)
request = self._makeRequest(attributeQuery=attributeQuery)
header = {
'soapAction': "http://www.oasis-open.org/committees/security",
'Content-length': str(len(request)),
'Content-type': 'text/xml'
}
response = self.app.post('/attributeauthority/saml',
params=request,
headers=header,
status=200)
print("Response status=%d" % response.status)
samlResponse = self._getSAMLResponse(response.body)
self.assert_(samlResponse.status.statusCode.value == \
StatusCode.INVALID_ATTR_NAME_VALUE_URI)
def _createAttributeQuery(
self,
issuer="/O=Site A/CN=Authorisation Service",
subject="https://openid.localhost/philip.kershaw"):
attributeQuery = AttributeQuery()
attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
attributeQuery.id = str(uuid4())
attributeQuery.issueInstant = datetime.utcnow()
attributeQuery.issuer = Issuer()
attributeQuery.issuer.format = Issuer.X509_SUBJECT
attributeQuery.issuer.value = issuer
attributeQuery.subject = Subject()
attributeQuery.subject.nameID = NameID()
attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
attributeQuery.subject.nameID.value = subject
# special case handling for 'FirstName' attribute
fnAttribute = Attribute()
fnAttribute.name = ESGFSamlNamespaces.FIRSTNAME_ATTRNAME
fnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
fnAttribute.friendlyName = "FirstName"
attributeQuery.attributes.append(fnAttribute)
# special case handling for 'LastName' attribute
lnAttribute = Attribute()
lnAttribute.name = ESGFSamlNamespaces.LASTNAME_ATTRNAME
lnAttribute.nameFormat = "http://www.w3.org/2001/XMLSchema#string"
lnAttribute.friendlyName = "LastName"
attributeQuery.attributes.append(lnAttribute)
# special case handling for 'LastName' attribute
emailAddressAttribute = Attribute()
emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
emailAddressAttribute.nameFormat = XMLConstants.XSD_NS+"#"+\
XSStringAttributeValue.TYPE_LOCAL_NAME
emailAddressAttribute.friendlyName = "emailAddress"
attributeQuery.attributes.append(emailAddressAttribute)
return attributeQuery
def test05SamlAttributeQuery(self):
if self.skipTests:
return
# Prepare a client query
attributeQuery = AttributeQuery()
attributeQuery.version = SAMLVersion(SAMLVersion.VERSION_20)
attributeQuery.id = str(uuid4())
attributeQuery.issueInstant = datetime.utcnow()
attributeQuery.issuer = Issuer()
attributeQuery.issuer.format = Issuer.X509_SUBJECT
attributeQuery.issuer.value = '/O=ESG/OU=NCAR/CN=Gateway'
attributeQuery.subject = Subject()
attributeQuery.subject.nameID = NameID()
attributeQuery.subject.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
attributeQuery.subject.nameID.value = TestUserDatabase.OPENID_URI
emailAddressAttribute = Attribute()
emailAddressAttribute.name = ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME
emailAddressAttribute.nameFormat = "InvalidFormat"
emailAddressAttribute.friendlyName = "EmailAddress"
attributeQuery.attributes.append(emailAddressAttribute)
authzAttribute = Attribute()
authzAttribute.name = TestUserDatabase.ATTRIBUTE_NAMES[0]
authzAttribute.nameFormat = XSStringAttributeValue.DEFAULT_FORMAT
authzAttribute.friendlyName = "authz"
attributeQuery.attributes.append(authzAttribute)
# Add the response - the interface will populate with an assertion as
# appropriate
samlResponse = Response()
samlResponse.issueInstant = datetime.utcnow()
samlResponse.id = str(uuid4())
samlResponse.issuer = Issuer()
# Initialise to success status but reset on error
samlResponse.status = Status()
samlResponse.status.statusCode = StatusCode()
samlResponse.status.statusMessage = StatusMessage()
samlResponse.status.statusCode.value = StatusCode.SUCCESS_URI
# Nb. SAML 2.0 spec says issuer format must be omitted
samlResponse.issuer.value = "CEDA"
samlResponse.inResponseTo = attributeQuery.id
# Set up the interface object
# Define queries for SAML attribute names
samlAttribute2SqlQuery = {
ESGFSamlNamespaces.FIRSTNAME_ATTRNAME:
self.__class__.SAML_FIRSTNAME_SQLQUERY,
ESGFSamlNamespaces.LASTNAME_ATTRNAME:
self.__class__.SAML_LASTNAME_SQLQUERY,
ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME:
self.__class__.SAML_EMAILADDRESS_SQLQUERY,
TestUserDatabase.ATTRIBUTE_NAMES[0]:
self.__class__.SAML_ATTRIBUTES_SQLQUERY
}
attributeInterface = SQLAlchemyAttributeInterface(
samlAttribute2SqlQuery=samlAttribute2SqlQuery)
attributeInterface.connectionString = TestUserDatabase.DB_CONNECTION_STR
attributeInterface.samlValidRequestorDNs = (
'/O=STFC/OU=CEDA/CN=AuthorisationService',
'/O=ESG/OU=NCAR/CN=Gateway')
attributeInterface.setProperties(samlAssertionLifetime=28800.)
attributeInterface.samlSubjectSqlQuery = (
SQLAlchemyAttributeInterfaceTestCase.SAML_SUBJECT_SQLQUERY)
# Make the query
attributeInterface.getAttributes(attributeQuery, samlResponse)
class TestUserRoles(AttributeInterface):
"""Test User Roles class dynamic import for Attribute Authority"""
ATTRIBUTE_NAMES = ()
ATTRIBUTE_VALUES = ()
SAML_ATTRIBUTE_NAMES = ATTRIBUTE_NAMES + (
ESGFSamlNamespaces.EMAILADDRESS_ATTRNAME,
ESGFSamlNamespaces.FIRSTNAME_ATTRNAME,
ESGFSamlNamespaces.LASTNAME_ATTRNAME, 'urn:esg:sitea:grouprole')
SAML_ATTRIBUTE_VALUES = (ATTRIBUTE_VALUES, ('*****@*****.**', ),
('Philip', ), ('Kershaw', ), (('siteagroup',
'default'), ))
SAML_ATTRIBUTE_FRIENDLY_NAMES = ('', ) * len(ATTRIBUTE_NAMES) + (
"EmailAddress", "FirstName", "LastName", "groupRole")
SAML_ATTRIBUTE_FORMATS = (
SAMLConstants.XSD_NS+"#"+XSStringAttributeValue.TYPE_LOCAL_NAME,) * (
len(SAML_ATTRIBUTE_NAMES)-1) + \
(ESGFGroupRoleAttributeValue.TYPE_LOCAL_NAME, )
SAML_ATTRIBUTES = []
name, val, vals, format, friendlyName = (None, None, None, None, None)
for name, vals, format, friendlyName in zip(SAML_ATTRIBUTE_NAMES,
SAML_ATTRIBUTE_VALUES,
SAML_ATTRIBUTE_FORMATS,
SAML_ATTRIBUTE_FRIENDLY_NAMES):
SAML_ATTRIBUTES.append(Attribute())
SAML_ATTRIBUTES[-1].name = name
SAML_ATTRIBUTES[-1].nameFormat = format
SAML_ATTRIBUTES[-1].friendlyName = friendlyName
for val in vals:
if isinstance(val, tuple):
SAML_ATTRIBUTES[-1].attributeValues.append(
ESGFGroupRoleAttributeValue())
SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
else:
SAML_ATTRIBUTES[-1].attributeValues.append(
XSStringAttributeValue())
SAML_ATTRIBUTES[-1].attributeValues[-1].value = val
del name, val, vals, format, friendlyName
# 8 hours validity for issued assertions
SAML_ASSERTION_LIFETIME = 8 * 60 * 60
VALID_USER_IDS = ("https://openid.localhost/philip.kershaw",
TestUserDatabase.OPENID_URI)
VALID_REQUESTOR_IDS = BaseTestCase.VALID_REQUESTOR_IDS
INSUFFICIENT_PRIVILEGES_REQUESTOR_ID = X500DN.from_string(
"/O=Site B/CN=Authorisation Service")
def __init__(self, propertiesFilePath=None):
pass
def getRoles(self, userId):
return TestUserRoles.ATTRIBUTE_VALUES
def getAttributes(self, attributeQuery, response):
'''Test Attribute Authority SAML Attribute Query interface'''
userId = attributeQuery.subject.nameID.value
requestedAttributeNames = [
attribute.name for attribute in attributeQuery.attributes
]
if attributeQuery.issuer.format != Issuer.X509_SUBJECT:
raise InvalidRequestorId(
'Requestor issuer format "%s" is invalid' %
attributeQuery.issuerFormat.value)
requestorId = X500DN.fromString(attributeQuery.issuer.value)
if userId not in TestUserRoles.VALID_USER_IDS:
raise UserIdNotKnown('Subject Id "%s" is not known to this '
'authority' % userId)
if requestorId not in TestUserRoles.VALID_REQUESTOR_IDS:
raise InvalidRequestorId('Requestor identity "%s" is invalid' %
requestorId)
unknownAttrNames = [
attrName for attrName in requestedAttributeNames
if attrName not in TestUserRoles.SAML_ATTRIBUTE_NAMES
]
if len(unknownAttrNames) > 0:
raise AttributeNotKnownError("Unknown attributes requested: %r" %
unknownAttrNames)
if requestorId == TestUserRoles.INSUFFICIENT_PRIVILEGES_REQUESTOR_ID:
raise AttributeReleaseDenied("Attribute release denied for the "
'requestor "%s"' % requestorId)
# Create a new assertion to hold the attributes to be returned
assertion = Assertion()
assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
assertion.id = str(uuid4())
assertion.issueInstant = response.issueInstant
assertion.issuer = Issuer()
assertion.issuer.value = response.issuer.value
assertion.issuer.format = Issuer.X509_SUBJECT
assertion.conditions = Conditions()
assertion.conditions.notBefore = assertion.issueInstant
assertion.conditions.notOnOrAfter = assertion.conditions.notBefore + \
timedelta(seconds=TestUserRoles.SAML_ASSERTION_LIFETIME)
assertion.subject = Subject()
assertion.subject.nameID = NameID()
assertion.subject.nameID.format = attributeQuery.subject.nameID.format
assertion.subject.nameID.value = attributeQuery.subject.nameID.value
attributeStatement = AttributeStatement()
# Add test set of attributes
for name in requestedAttributeNames:
attributeFound = False
for attribute in TestUserRoles.SAML_ATTRIBUTES:
if attribute.name == name:
attributeFound = True
break
if attributeFound:
attributeStatement.attributes.append(attribute)
else:
raise AttributeNotKnownError(
"Unknown attribute requested: %s" % name)
assertion.attributeStatements.append(attributeStatement)
response.assertions.append(assertion)
def getAttributes(self, attributeQuery, response):
"""Attribute Authority SAML AttributeQuery
@type attributeQuery: saml.saml2.core.AttributeQuery
@param userId: query containing requested attributes
@type response: saml.saml2.core.Response
@param response: add an assertion with the list of attributes
for the given subject ID in the query or set an error Status code and
message
@raise AttributeInterfaceError: an error occured requesting
attributes
@raise AttributeReleaseDeniedError: Requestor was denied release of the
requested attributes
@raise AttributeNotKnownError: Requested attribute names are not known
to this authority
"""
userId = attributeQuery.subject.nameID.value
requestedAttributeNames = [
attribute.name for attribute in attributeQuery.attributes
]
requestorDN = X500DN.from_string(attributeQuery.issuer.value)
if not self._queryDbForSamlSubject(userId):
raise UserIdNotKnown('Subject Id "%s" is not known to this '
'authority' % userId)
if (len(self.samlValidRequestorDNs) > 0
and requestorDN not in self.samlValidRequestorDNs):
raise InvalidRequestorId('Requester identity "%s" is invalid' %
requestorDN)
unknownAttrNames = [
attrName for attrName in requestedAttributeNames
if attrName not in self.__samlAttribute2SqlQuery
]
if len(unknownAttrNames) > 0:
raise AttributeNotKnownError("Unknown attributes requested: %r" %
unknownAttrNames)
# Create a new assertion to hold the attributes to be returned
assertion = Assertion()
assertion.version = SAMLVersion(SAMLVersion.VERSION_20)
assertion.id = str(uuid4())
assertion.issueInstant = response.issueInstant
# Assumes SAML response issuer details as set by -
# ndg.security.server.wsgi.saml.SOAPQueryInterfaceMiddleware
assertion.issuer = Issuer()
assertion.issuer.value = response.issuer.value
if response.issuer.format:
assertion.issuer.format = response.issuer.format
assertion.conditions = Conditions()
assertion.conditions.notBefore = assertion.issueInstant
assertion.conditions.notOnOrAfter = (assertion.conditions.notBefore +
self.samlAssertionLifetime)
assertion.subject = Subject()
assertion.subject.nameID = NameID()
assertion.subject.nameID.format = attributeQuery.subject.nameID.format
assertion.subject.nameID.value = attributeQuery.subject.nameID.value
attributeStatement = AttributeStatement()
# Query the database for the requested attributes and return them
# mapped to their attribute names as specified by the attributeNames
# property
for requestedAttribute in attributeQuery.attributes:
attributeVals = self._queryDbForSamlAttributes(
requestedAttribute.name, userId)
# Make a new SAML attribute object to hold the values obtained
attribute = Attribute()
attribute.name = requestedAttribute.name
attribute.nameFormat = requestedAttribute.nameFormat
if requestedAttribute.friendlyName is not None:
attribute.friendlyName = requestedAttribute.friendlyName
# Call specific conversion utility to convert the retrieved field
# to the correct SAML attribute value type
try:
field2SamlAttributeVal = self.__samlAttribute2SqlQuery[
requestedAttribute.name][-1]
except (IndexError, TypeError) as e:
raise AttributeInterfaceConfigError(
'Bad format for SAML '
'attribute to SQL query '
'look-up for attribute '
'name %r: %s' % (requestedAttribute.name, e))
for val in attributeVals:
attributeValue = field2SamlAttributeVal(val)
attribute.attributeValues.append(attributeValue)
attributeStatement.attributes.append(attribute)
assertion.attributeStatements.append(attributeStatement)
response.assertions.append(assertion)
