authorChristoph Helma <helma@in-silico.ch>2012-03-21 11:48:04 +0100
committerChristoph Helma <helma@in-silico.ch>2012-03-21 11:48:04 +0100
commit7883965d1ddca56520d0219c447821d056ed22d1 (patch)
treedbf4a02103046dbe50f0d5a852ea4b7b8a6db535
parentfc990e6dae8af7cfdf7d12b4e1d9ccd3b557418a (diff)
authorization added, tests not yet working
-rw-r--r--lib/authorization.rb77
-rw-r--r--test/authorization.rb112
2 files changed, 151 insertions, 38 deletions
diff --git a/lib/authorization.rb b/lib/authorization.rb
index 1938814..e57eda3 100644
--- a/lib/authorization.rb
+++ b/lib/authorization.rb
@@ -1,21 +1,22 @@
module OpenTox
+ AA ||= "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml
#Module for Authorization and Authentication
#@example Authentication
# require "opentox-client"
- # OpenTox::Authorization::AA_SERVER = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml
+ # OpenTox::Authorization::AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml
# token = OpenTox::Authorization.authenticate("benutzer", "passwort")
#@see http://www.opentox.org/dev/apis/api-1.2/AA OpenTox A&A API 1.2 specification
module Authorization
- #Helper Class AA to create and send default policies out of xml templates
+ #Helper Class to create and send default policies out of xml templates
#@example Creating a default policy to a URI
# aa=OpenTox::Authorization::AA.new(tok)
# xml=aa.get_xml('http://uri....')
# OpenTox::Authorization.create_policy(xml,tok)
- class AA
+ class Helper
attr_accessor :user, :subjectid, :policy
#Generates AA object - requires subjectid
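Review bot: `AA ||= "https://opensso.in-silico.ch"` on L21 assigns whenever the constant is nil or false, not only when it is undefined, so a config that deliberately sets `AA` to nil/false to switch A&A off is overridden, and the `return nil if !AA` / `return true if !AA` guards in the later hunks become unreachable whenever this file is loaded after the config (load order is not visible here). The practical effect is that a deployment without an explicit setting now sends usernames, passwords and session tokens to the in-silico.ch OpenSSO by default, which should be a conscious opt-in; `AA = "https://opensso.in-silico.ch" unless defined?(AA)` keeps the fallback for the undefined case while honouring an explicit disable. The @example on L26 still writes `OpenTox::Authorization::AA = ...` although the constant is defined as `OpenTox::AA`, and L33 and L39 still call the class `AA` after its rename to `Helper`.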
@@ -41,8 +42,8 @@ module OpenTox
xml = get_xml(uri)
ret = false
ret = Authorization.create_policy(xml, @subjectid)
- @@logger.debug "Policy send with subjectid: #{@subjectid}"
- @@logger.warn "Not created Policy is: #{xml}" if !ret
+ $logger.debug "Policy send with subjectid: #{@subjectid}"
+ $logger.warn "Not created Policy is: #{xml}" if !ret
ret
end
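Review bot: `$logger.debug "Policy send with subjectid: #{@subjectid}"` on L46 writes the OpenSSO session token to the log, and a subjectid is a bearer credential, so whoever can read the debug log can reuse the session. The same pattern is on the new side of the later hunks at L145 (which additionally prints the token length), L156, L200, L217, L222, L248, L253, L258 and L262. Logging a short prefix, `$logger.debug "Policy send with subjectid: #{@subjectid.to_s[0, 8]}..."`, keeps enough to correlate requests without recording the secret. Separately, `if !ret` on L47 reads better as `unless ret`, and `ret = false` on L42 is dead because L43 overwrites it; the method's signature is outside the hunk.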
@@ -51,16 +52,16 @@ module OpenTox
#Returns the open-sso server set in the config file .opentox/config/[environment].yaml
# @return [String, nil] the openSSO server URI or nil
def self.server
- return AA_SERVER
+ return AA
end
#Authentication against OpenSSO. Returns token. Requires Username and Password.
# @param [String, String]Username,Password
# @return [String, nil] gives subjectid or nil
def self.authenticate(user, pw)
- return nil if !AA_SERVER
+ return nil if !AA
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate")
+ resource = RestClient::Resource.new("#{AA}/auth/authenticate")
out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","")
return out
rescue
@@ -73,7 +74,7 @@ module OpenTox
# @return [Boolean] true if logout is OK
def self.logout(subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/auth/logout")
+ resource = RestClient::Resource.new("#{AA}/auth/logout")
resource.post(:subjectid => subjectid)
return true
rescue
@@ -85,9 +86,9 @@ module OpenTox
# @param [String,String,String]uri,action,subjectid
# @return [Boolean, nil] returns true, false or nil (if authorization-request fails).
def self.authorize(uri, action, subjectid)
- return true if !AA_SERVER
+ return true if !AA
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/auth/authorize")
+ resource = RestClient::Resource.new("#{AA}/auth/authorize")
return true if resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n"
rescue
return nil
@@ -98,9 +99,9 @@ module OpenTox
# @param [String]subjectid subjectid from openSSO session
# @return [Boolean] subjectid is valid or not.
def self.is_token_valid(subjectid)
- return true if !AA_SERVER
+ return true if !AA
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/auth/isTokenValid")
+ resource = RestClient::Resource.new("#{AA}/auth/isTokenValid")
return true if resource.post(:tokenid => subjectid) == "boolean=true\n"
rescue
return false
@@ -112,7 +113,7 @@ module OpenTox
# @return [Array, nil] returns an Array of policy names or nil if request fails
def self.list_policies(subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/pol")
+ resource = RestClient::Resource.new("#{AA}/pol")
out = resource.get(:subjectid => subjectid)
return out.split("\n")
rescue RestClient::InternalServerError => e
@@ -127,7 +128,7 @@ module OpenTox
# @return [String] XML of the policy
def self.list_policy(policy, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/pol")
+ resource = RestClient::Resource.new("#{AA}/pol")
return resource.get(:subjectid => subjectid,:id => policy)
rescue
return nil
@@ -160,7 +161,7 @@ module OpenTox
# return [String, nil]owner,nil returns owner of the URI
def self.get_uri_owner(uri, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/pol")
+ resource = RestClient::Resource.new("#{AA}/pol")
return resource.get(:uri => uri, :subjectid => subjectid).sub("\n","")
rescue
return nil
@@ -181,7 +182,7 @@ module OpenTox
# return [Array, nil] returns an Array of policy names or nil if request fails
def self.list_uri_policies(uri, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/pol")
+ resource = RestClient::Resource.new("#{AA}/pol")
out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid)
policies = []; notfirstline = false
out.split("\n").each do |line|
@@ -199,8 +200,8 @@ module OpenTox
# return [Boolean] returns true if policy is created
def self.create_policy(policy, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol")
- @@logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s
+ resource = RestClient::Resource.new("#{AA}/Pol/opensso-pol")
+ $logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s
return true if resource.post(policy, :subjectid => subjectid, :content_type => "application/xml")
rescue
return false
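Review bot: `subjectid.length.to_s` on L145 raises NoMethodError when subjectid is nil, and the bare `rescue` on L147 turns that into the same silent `false` as a server error, so a caller cannot tell a missing token from a failed request. A guard before the log line, `return false unless subjectid`, or logging `subjectid.to_s.length` makes the nil case explicit. `policy[168,43]` on the same line is a fixed slice into the XML that yields nil for shorter documents; if the intent is to identify the policy, the URI being registered would be a clearer log key. The method's end lies outside the hunk.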
@@ -212,8 +213,8 @@ module OpenTox
# @return [Boolean,nil]
def self.delete_policy(policy, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/pol")
- @@logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}"
+ resource = RestClient::Resource.new("#{AA}/pol")
+ $logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}"
return true if resource.delete(:subjectid => subjectid, :id => policy)
rescue
return nil
@@ -225,7 +226,7 @@ module OpenTox
# @return [Array]
def self.list_groups(subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/search")
+ resource = RestClient::Resource.new("#{AA}/opensso/identity/search")
grps = resource.post(:admin => subjectid, :attributes_names => "objecttype", :attributes_values_objecttype => "group")
grps = grps.split("\n").collect{|x| x.sub("string=","")}
grps.delete_if{|g|g=="MemberManagement"||g=="Webmasters"}
@@ -240,7 +241,7 @@ module OpenTox
# @return [Array] gives array of LDAP groups of a user
def self.list_user_groups(user, subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/read")
+ resource = RestClient::Resource.new("#{AA}/opensso/identity/read")
out = resource.post(:name => user, :admin => subjectid, :attributes_names => "group")
grps = []
out.split("\n").each do |line|
@@ -257,7 +258,7 @@ module OpenTox
# @return [String]user
def self.get_user(subjectid)
begin
- resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/attributes")
+ resource = RestClient::Resource.new("#{AA}/opensso/identity/attributes")
out = resource.post(:subjectid => subjectid, :attributes_names => "uid")
user = ""; check = false
out.split("\n").each do |line|
@@ -273,13 +274,13 @@ module OpenTox
end
end
- #Send default policy with Authorization::AA class
+ #Send default policy with Authorization::Helper class
# @param [String, String]URI,subjectid
def self.send_policy(uri, subjectid)
- return true if !AA_SERVER
- aa = Authorization::AA.new(subjectid)
+ return true if !AA
+ aa = Authorization::Helper.new(subjectid)
ret = aa.send(uri)
- @@logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}"
+ $logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}"
ret
end
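Review bot: `ret = aa.send(uri)` on L198 only works if `Authorization::Helper` defines its own `send`, which shadows `Object#send` and turns any generic `send(:name)` dispatch on a Helper instance into a policy-creation request; the method's definition is not visible in this diff, so this is inferred from the call. Since this commit already renames the class from `AA` to `Helper`, it is the natural point to give that instance method a non-colliding name, e.g. `ret = aa.send_policy(uri)` here and `def send_policy(uri)` in Helper. `return true if !AA` on L196 also reports success without creating a policy when no server is configured, which callers cannot distinguish from a created policy.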
@@ -291,7 +292,7 @@ module OpenTox
if policies
policies.each do |policy|
ret = delete_policy(policy, subjectid)
- @@logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
+ $logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}"
end
end
return true
@@ -304,11 +305,11 @@ module OpenTox
def self.check_policy(uri, subjectid)
return true unless uri and subjectid
token_valid = OpenTox::Authorization.is_token_valid(subjectid)
- @@logger.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}"
+ $logger.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}"
# check if subjectid is valid
unless token_valid
# abort if invalid
- @@logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}"
+ $logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}"
return false
end
@@ -320,7 +321,7 @@ module OpenTox
if authorize(uri, "POST", subjectid)
true
else
- @@logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}"
+ $logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}"
false
end
end
@@ -338,25 +339,25 @@ module OpenTox
# @return [Boolean] true if access granted, else otherwise
def self.authorized?(uri, request_method, subjectid)
if CONFIG[:authorization][:free_request].include?(request_method)
- #@@logger.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
+ #$logger.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
true
elsif OpenTox::Authorization.free_uri?(uri, request_method)
- #@@logger.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
+ #$logger.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
true
elsif CONFIG[:authorization][:authenticate_request].include?(request_method)
ret = OpenTox::Authorization.is_token_valid(subjectid)
- @@logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
+ $logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
ret
elsif OpenTox::Authorization.authorize_exception?(uri, request_method)
ret = OpenTox::Authorization.is_token_valid(subjectid)
- @@logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
+ $logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
ret
elsif CONFIG[:authorization][:authorize_request].include?(request_method)
ret = OpenTox::Authorization.authorize(uri, request_method, subjectid)
- @@logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
+ $logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret
ret
else
- @@logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
+ $logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}"
false
end
end
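Review bot: L239 and L243 rename `@@logger` inside commented-out debug calls, so dead code is being maintained; either delete those two lines or reinstate them as live `$logger.debug` calls, since the other branches do log. The log lines on L248, L253, L258 and L262 interpolate the full subjectid, which puts a session token into the log on every denied request; a short prefix such as `subjectid.to_s[0, 8]` is enough for correlation.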
diff --git a/test/authorization.rb b/test/authorization.rb
new file mode 100644
index 0000000..ffb2d65
--- /dev/null
+++ b/test/authorization.rb
@@ -0,0 +1,112 @@
+require 'test/unit'
+$LOAD_PATH << File.join(File.dirname(__FILE__),'..','lib')
+require File.expand_path(File.join(File.dirname(__FILE__),'..','lib','opentox-client.rb'))
+TEST_URI = "http://only_a_test/test/" + rand(1000000).to_s
+#AA = "https://opensso.in-silico.ch"
+AA_USER = "guest"
+AA_PASS = "guest"
+#unless defined? AA #overwrite turned off A&A server for testing
+ @@subjectid = OpenTox::Authorization.authenticate(AA_USER,AA_PASS)
+#end
+
+class TestOpenToxAuthorizationBasic < Test::Unit::TestCase
+
+ def test_01_server
+ assert_equal(AA, OpenTox::Authorization.server)
+ end
+
+ def test_02_get_token
+ assert_not_nil @@subjectid
+ end
+
+ def test_03_is_valid_token
+ tok = login
+ assert_not_nil tok
+ assert OpenTox::Authorization.is_token_valid(tok)
+ logout(tok)
+ end
+
+ def test_04_logout
+ tok = login
+ assert logout(tok)
+ end
+
+ def test_05_list_policies
+ assert_kind_of Array, OpenTox::Authorization.list_policies(@@subjectid)
+ end
+
+end
+
+class TestOpenToxAuthorizationLDAP < Test::Unit::TestCase
+
+ def test_01_list_groups
+ assert_kind_of Array, OpenTox::Authorization.list_groups(@@subjectid)
+ end
+
+ def test_02_list_user_groups
+ assert_kind_of Array, OpenTox::Authorization.list_user_groups(AA_USER, @@subjectid)
+ end
+
+ def test_03_get_user
+ assert_equal AA_USER, OpenTox::Authorization.get_user(@@subjectid)
+ end
+
+end
+
+class TestOpenToxAuthorizationLDAP < Test::Unit::TestCase
+
+ def test_01_create_check_delete_default_policies
+ res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid)
+ assert res
+ assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid)
+ policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid)
+ assert_kind_of Array, policies
+ policies.each do |policy|
+ assert OpenTox::Authorization.delete_policy(policy, @@subjectid)
+ end
+ assert_equal false, OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid)
+ end
+
+ def test_02_check_policy_rules
+ tok_anonymous = OpenTox::Authorization.authenticate("anonymous","anonymous")
+ assert_not_nil tok_anonymous
+ res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid)
+ assert res
+ assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid)
+ owner_rights = {"GET" => true, "POST" => true, "PUT" => true, "DELETE" => true}
+ groupmember_rights = {"GET" => true, "POST" => nil, "PUT" => nil, "DELETE" => nil}
+ owner_rights.each do |request, right|
+ assert_equal right, OpenTox::Authorization.authorize(TEST_URI, request, @@subjectid), "#{AA_USER} requests #{request} to #{TEST_URI}"
+ end
+ groupmember_rights.each do |request, r|
+ assert_equal r, OpenTox::Authorization.authorize(TEST_URI, request, tok_anonymous), "anonymous requests #{request} to #{TEST_URI}"
+ end
+
+ policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid)
+ assert_kind_of Array, policies
+ policies.each do |policy|
+ assert OpenTox::Authorization.delete_policy(policy, @@subjectid)
+ end
+ logout(tok_anonymous)
+ end
+
+ def test_03_check_different_uris
+ res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid)
+ assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid)
+ assert OpenTox::Authorization.authorize(TEST_URI, "GET", @@subjectid), "GET request"
+ policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid)
+ policies.each do |policy|
+ assert OpenTox::Authorization.delete_policy(policy, @@subjectid)
+ end
+
+ end
+end
+
+
+def logout (token)
+ OpenTox::Authorization.logout(token)
+end
+
+def login
+ OpenTox::Authorization.authenticate(AA_USER,AA_PASS)
+end
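Review bot: `class TestOpenToxAuthorizationLDAP` is opened twice (L311 and L327), so the policy tests on L329–L373 are merged into the LDAP test case instead of forming their own; the second should be renamed, e.g. `class TestOpenToxAuthorizationPolicy < Test::Unit::TestCase`. `assert_equal(AA, OpenTox::Authorization.server)` on L286 refers to a top-level `AA`, but the only top-level definition is commented out on L276 and the library defines `OpenTox::AA` (L21), so this test raises NameError as written; `OpenTox::AA` is the constant to compare against. `@@subjectid` on L280 is a class variable assigned at the top level, which warns on the Ruby of this era and raises on Ruby 3.0+, and it is filled by a live authentication against the A&A server at load time with the credentials committed on L277–L278; a constant set from `ENV.fetch("AA_USER")` / `ENV.fetch("AA_PASS")` and a `setup` method that logs in would keep credentials out of the repository and make the network dependency explicit. `def logout (token)` on L377 has a space before the parameter list, which the style guide forbids.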