    def _createAuthzDecisionQuery(
            self,
            issuer="/O=Site A/CN=PEP",
            subject="https://openid.localhost/philip.kershaw",
            resource=None,
            action=Action.HTTP_GET_ACTION,
            actionNs=Action.GHPP_NS_URI):
        """Build a SAML 2.0 AuthzDecisionQuery for one subject/resource/action.

        The query gets a fresh UUID as its id and a naive ``utcnow()`` issue
        instant.  The issuer is encoded as an X.509 subject DN and the subject
        as a NameID in the ESGF format.  When ``resource`` is None the
        class-level ``RESOURCE_URI`` is used.

        The defaults look like fixture values (a local PEP DN and a localhost
        OpenID); callers outside tests are presumably expected to pass real
        ones rather than rely on them.
        """
        if resource is None:
            resource = self.__class__.RESOURCE_URI

        # Issuer: who is asking (the PEP), identified by X.509 subject name
        issuer_elem = Issuer()
        issuer_elem.format = Issuer.X509_SUBJECT
        issuer_elem.value = issuer

        # Subject: whose access is being decided
        name_id = NameID()
        name_id.format = ESGFSamlNamespaces.NAMEID_FORMAT
        name_id.value = subject
        subject_elem = Subject()
        subject_elem.nameID = name_id

        # Exactly one action, in the namespace the caller chose
        action_elem = Action()
        action_elem.namespace = actionNs
        action_elem.value = action

        query = AuthzDecisionQuery()
        query.version = SAMLVersion(SAMLVersion.VERSION_20)
        query.id = str(uuid4())
        query.issueInstant = datetime.utcnow()
        query.issuer = issuer_elem
        query.subject = subject_elem
        query.resource = resource
        query.actions.append(action_elem)

        return query
    def create_authz_decision_query(self):
        """Build an AuthzDecisionQuery from this object's settings.

        The shared header fields are filled in by ``_set_query_common_attrs``;
        the resource is ``self.resource_id`` and a single action is appended
        using ``self.action_namespace`` and ``self.action``.
        """
        query = AuthzDecisionQuery()
        self._set_query_common_attrs(query)

        query.resource = self.resource_id

        # One action only; populate it before attaching it to the query
        action_elem = Action()
        action_elem.namespace = self.action_namespace
        action_elem.value = self.action
        query.actions.append(action_elem)

        return query
    def _createAuthzDecisionQuery(self,
                            issuer="/O=Site A/CN=PEP",
                            subject="https://openid.localhost/philip.kershaw",
                            resource=None,
                            action=Action.HTTP_GET_ACTION,
                            actionNs=Action.GHPP_NS_URI):
        """Return a SAML 2.0 AuthzDecisionQuery asking whether ``subject`` may
        perform ``action`` (in namespace ``actionNs``) on ``resource``.

        ``resource`` defaults to the class attribute ``RESOURCE_URI``.  The
        issuer is given as an X.509 subject DN, the subject as an ESGF-format
        NameID; id is a fresh UUID and issueInstant a naive UTC timestamp.
        The default issuer/subject strings appear to be test fixture values.
        """
        target = resource if resource is not None else self.__class__.RESOURCE_URI

        query = AuthzDecisionQuery()
        query.version = SAMLVersion(SAMLVersion.VERSION_20)
        query.id = str(uuid4())
        query.issueInstant = datetime.utcnow()

        # Requesting party
        query.issuer = Issuer()
        query.issuer.format = Issuer.X509_SUBJECT
        query.issuer.value = issuer

        # Party whose access is being decided
        subject_elem = Subject()
        subject_elem.nameID = NameID()
        subject_elem.nameID.format = ESGFSamlNamespaces.NAMEID_FORMAT
        subject_elem.nameID.value = subject
        query.subject = subject_elem

        query.resource = target

        # Single action; fill it in, then attach
        act = Action()
        act.namespace = actionNs
        act.value = action
        query.actions.append(act)

        return query
    def buildAuthzDecisionQuery(self,
                                issuer=ISSUER_DN,
                                issuerFormat=Issuer.X509_SUBJECT,
                                subjectNameID=NAMEID_VALUE,
                                subjectNameIdFormat=NAMEID_FORMAT,
                                resource=UNCORRECTED_RESOURCE_URI,
                                actions=((Action.HTTP_GET_ACTION,
                                          Action.GHPP_NS_URI),)):
        """Convenience utility to make an Authorisation decision query.

        Unlike the single-action builders, ``actions`` is an iterable of
        ``(value, namespace)`` pairs and one Action element is appended per
        pair, in order.  The default is a single HTTP GET in the GHPP
        namespace.  Issuer and subject formats are parameters here rather
        than fixed constants.  id is a fresh UUID, issueInstant a naive
        ``utcnow()``; the remaining defaults are module-level constants.
        """
        query = AuthzDecisionQuery()
        query.version = SAMLVersion(SAMLVersion.VERSION_20)
        query.id = str(uuid4())
        query.issueInstant = datetime.utcnow()

        issuer_elem = Issuer()
        issuer_elem.format = issuerFormat
        issuer_elem.value = issuer
        query.issuer = issuer_elem

        name_id = NameID()
        name_id.format = subjectNameIdFormat
        name_id.value = subjectNameID
        query.subject = Subject()
        query.subject.nameID = name_id

        query.resource = resource

        for value, namespace in actions:
            act = Action()
            act.namespace = namespace
            act.value = value
            query.actions.append(act)

        return query
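def check_access(openid, url=None):
    """Ask the authorization service whether ``openid`` may Read ``url``.

    Builds a SAML 2.0 AuthzDecisionQuery (issuer "/O=Site A/CN=PEP" as an
    X.509 subject DN, subject NameID in the ``urn:esgf:openid`` format, one
    ``Read`` action in the RWEDC namespace) for ``url`` — or for the current
    ``request.url`` when ``url`` is None — and sends it over the SSL SOAP
    binding to ``__auth_url__`` with a 1 s clock-skew tolerance.

    Returns True only when the response carries an authz decision statement
    whose resource equals ``query.resource`` and whose decision is "Permit".
    Anything else — Deny, Indeterminate, statements only for other
    resources, or no statement at all — yields False, so the check fails
    closed.

    Raises ValueError when no AUTHORIZATION_SERVICE_ENDPOINT is configured
    or when sending the query fails; in the latter case the underlying
    exception is chained as the cause instead of being discarded.
    """
    # Fail early: there is no point building a query that cannot be sent.
    if __auth_url__ is None:
        raise ValueError("No AUTHORIZATION_SERVICE_ENDPOINT provided.")

    query = AuthzDecisionQuery()
    query.id = str(uuid4())
    query.version = SAMLVersion(SAMLVersion.VERSION_20)
    query.issueInstant = datetime.utcnow()

    query.issuer = Issuer()
    query.issuer.format = Issuer.X509_SUBJECT
    query.issuer.value = "/O=Site A/CN=PEP"

    query.subject = Subject()
    query.subject.nameID = NameID()
    query.subject.nameID.format = "urn:esgf:openid"
    query.subject.nameID.value = openid

    # ``request.url`` is only touched when the caller gives no explicit URL
    query.resource = request.url if url is None else url

    query.actions.append(Action())
    query.actions[-1].namespace = Action.RWEDC_NS_URI
    query.actions[-1].value = "Read"

    binding = AuthzDecisionQuerySslSOAPBinding()
    binding.clockSkewTolerance = 1.

    # Keep only the network call inside the try.  The previous bare
    # ``except:`` caught everything (KeyboardInterrupt and SystemExit
    # included) and dropped the original error, which makes a service outage
    # indistinguishable from a bug in this function.
    try:
        response = binding.send(query, uri=__auth_url__)
    except Exception as exc:
        raise ValueError("Unable to send authorization query") from exc

    # NOTE(review): the answer is trusted on the strength of the SSL binding
    # alone — nothing here confirms the response answers this query's id or
    # that the service's identity was verified; confirm the binding does.
    for assertion in response.assertions:
        for statement in assertion.authzDecisionStatements:
            # The first statement for exactly our resource decides; an exact
            # string comparison keeps a statement for a sibling URI from
            # matching.  Only an explicit "Permit" grants access.
            if statement.resource == query.resource:
                return statement.decision == "Permit"

    # No decision for this resource at all: deny.
    return False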
    def _createAuthzDecisionQuery(self):
        """Build a minimal AuthzDecisionQuery from ``SAMLTestCase`` fixtures.

        Issuer, subject NameID format and value come from the
        ``SAMLTestCase`` constants; id is a fresh UUID and issueInstant a
        naive ``utcnow()``.  The resource is a deliberately odd literal
        ("http://LOCALHOST:80/My Secured URI" — upper-case host, explicit
        default port, a space) and no actions are added; presumably the
        surrounding tests exercise URI normalisation / validation with it.
        """
        query = AuthzDecisionQuery()
        query.version = SAMLVersion(SAMLVersion.VERSION_20)
        query.id = str(uuid4())
        query.issueInstant = datetime.utcnow()

        issuer_elem = Issuer()
        issuer_elem.format = Issuer.X509_SUBJECT
        issuer_elem.value = SAMLTestCase.ISSUER_DN
        query.issuer = issuer_elem

        name_id = NameID()
        name_id.format = SAMLTestCase.NAMEID_FORMAT
        name_id.value = SAMLTestCase.NAMEID_VALUE
        query.subject = Subject()
        query.subject.nameID = name_id

        query.resource = "http://LOCALHOST:80/My Secured URI"

        return query