From 7883965d1ddca56520d0219c447821d056ed22d1 Mon Sep 17 00:00:00 2001 From: Christoph Helma Date: Wed, 21 Mar 2012 11:48:04 +0100 Subject: authorization added, tests not yet working --- lib/authorization.rb | 77 +++++++++++++++++----------------- test/authorization.rb | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 38 deletions(-) create mode 100644 test/authorization.rb diff --git a/lib/authorization.rb b/lib/authorization.rb index 1938814..e57eda3 100644 --- a/lib/authorization.rb +++ b/lib/authorization.rb @@ -1,21 +1,22 @@ module OpenTox + AA ||= "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml #Module for Authorization and Authentication #@example Authentication # require "opentox-client" - # OpenTox::Authorization::AA_SERVER = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml + # OpenTox::Authorization::AA = "https://opensso.in-silico.ch" #if not set in .opentox/conf/[environment].yaml # token = OpenTox::Authorization.authenticate("benutzer", "passwort") #@see http://www.opentox.org/dev/apis/api-1.2/AA OpenTox A&A API 1.2 specification module Authorization - #Helper Class AA to create and send default policies out of xml templates + #Helper Class to create and send default policies out of xml templates #@example Creating a default policy to a URI # aa=OpenTox::Authorization::AA.new(tok) # xml=aa.get_xml('http://uri....') # OpenTox::Authorization.create_policy(xml,tok) - class AA + class Helper attr_accessor :user, :subjectid, :policy #Generates AA object - requires subjectid @@ -41,8 +42,8 @@ module OpenTox xml = get_xml(uri) ret = false ret = Authorization.create_policy(xml, @subjectid) - @@logger.debug "Policy send with subjectid: #{@subjectid}" - @@logger.warn "Not created Policy is: #{xml}" if !ret + $logger.debug "Policy send with subjectid: #{@subjectid}" + $logger.warn "Not created Policy is: #{xml}" if !ret ret end 
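Review bot: `AA ||= "https://opensso.in-silico.ch"` hard-codes a default A&A server, so a deployment without a `.opentox/conf/[environment].yaml` entry will send user credentials (via `authenticate`, outside this hunk) to that third-party host, and the `return true if !AA` guards further down the file become reachable only when the config explicitly sets `AA` to nil. If the intended semantics are "use the configured server, otherwise A&A is off", the default should be `nil` with the example URL kept in the doc comment: `AA ||= nil # set in .opentox/conf/[environment].yaml; nil disables A&A`. `||=` on a constant also means this line is a no-op whenever the config loader has already defined `OpenTox::AA`, so the load-order requirement deserves a one-line comment rather than being implied by the `#if not set in ...` remark.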
@@ -51,16 +52,16 @@ module OpenTox #Returns the open-sso server set in the config file .opentox/config/[environment].yaml # @return [String, nil] the openSSO server URI or nil def self.server - return AA_SERVER + return AA end #Authentication against OpenSSO. Returns token. Requires Username and Password. # @param [String, String]Username,Password # @return [String, nil] gives subjectid or nil def self.authenticate(user, pw) - return nil if !AA_SERVER + return nil if !AA begin - resource = RestClient::Resource.new("#{AA_SERVER}/auth/authenticate") + resource = RestClient::Resource.new("#{AA}/auth/authenticate") out = resource.post(:username=>user, :password => pw).sub("token.id=","").sub("\n","") return out rescue @@ -73,7 +74,7 @@ module OpenTox # @return [Boolean] true if logout is OK def self.logout(subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/auth/logout") + resource = RestClient::Resource.new("#{AA}/auth/logout") resource.post(:subjectid => subjectid) return true rescue @@ -85,9 +86,9 @@ module OpenTox # @param [String,String,String]uri,action,subjectid # @return [Boolean, nil] returns true, false or nil (if authorization-request fails). def self.authorize(uri, action, subjectid) - return true if !AA_SERVER + return true if !AA begin - resource = RestClient::Resource.new("#{AA_SERVER}/auth/authorize") + resource = RestClient::Resource.new("#{AA}/auth/authorize") return true if resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n" rescue return nil @@ -98,9 +99,9 @@ module OpenTox # @param [String]subjectid subjectid from openSSO session # @return [Boolean] subjectid is valid or not. def self.is_token_valid(subjectid) - return true if !AA_SERVER + return true if !AA begin - resource = RestClient::Resource.new("#{AA_SERVER}/auth/isTokenValid") + resource = RestClient::Resource.new("#{AA}/auth/isTokenValid") return true if resource.post(:tokenid => subjectid) == "boolean=true\n" rescue return false 
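Review bot: `authenticate` treats any 200 response body as a token: `.sub("token.id=","").sub("\n","")` on a body that does not start with `token.id=` (an HTML page from a misconfigured `AA` host, for instance) returns that body as the subjectid, which callers will then pass around as a credential. Check the prefix before stripping it, e.g. `out = resource.post(:username=>user, :password => pw)`, `return nil unless out.start_with?("token.id=")`, `return out.sub("token.id=","").sub("\n","")`. The method's `rescue` branch continues outside the hunk, so I cannot see whether a failed login is logged or silently mapped to nil.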
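Review bot: `authorize` never returns `false` as its doc comment promises: when the server answers anything other than `"boolean=true\n"` the `return true if ...` expression evaluates to nil, so callers cannot distinguish "denied" from "request failed" (both nil). Returning the comparison directly, `return resource.post(:uri => uri, :action => action, :subjectid => subjectid) == "boolean=true\n"`, yields true/false and leaves nil for the `rescue` path only. Separately, `return true if !AA` makes both `authorize` and `is_token_valid` fail open when no server is configured; that is presumably the intended "A&A disabled" mode, but it deserves a `$logger.warn` the first time it is hit so an accidentally unset `AA` in production is noticed.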
@@ -112,7 +113,7 @@ module OpenTox # @return [Array, nil] returns an Array of policy names or nil if request fails def self.list_policies(subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/pol") + resource = RestClient::Resource.new("#{AA}/pol") out = resource.get(:subjectid => subjectid) return out.split("\n") rescue RestClient::InternalServerError => e @@ -127,7 +128,7 @@ module OpenTox # @return [String] XML of the policy def self.list_policy(policy, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/pol") + resource = RestClient::Resource.new("#{AA}/pol") return resource.get(:subjectid => subjectid,:id => policy) rescue return nil @@ -160,7 +161,7 @@ module OpenTox # return [String, nil]owner,nil returns owner of the URI def self.get_uri_owner(uri, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/pol") + resource = RestClient::Resource.new("#{AA}/pol") return resource.get(:uri => uri, :subjectid => subjectid).sub("\n","") rescue return nil @@ -181,7 +182,7 @@ module OpenTox # return [Array, nil] returns an Array of policy names or nil if request fails def self.list_uri_policies(uri, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/pol") + resource = RestClient::Resource.new("#{AA}/pol") out = resource.get(:uri => uri, :polnames => true, :subjectid => subjectid) policies = []; notfirstline = false out.split("\n").each do |line| 
@@ -199,8 +200,8 @@ module OpenTox # return [Boolean] returns true if policy is created def self.create_policy(policy, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/Pol/opensso-pol") - @@logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s + resource = RestClient::Resource.new("#{AA}/Pol/opensso-pol") + $logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token:" + subjectid.to_s + " length: " + subjectid.length.to_s return true if resource.post(policy, :subjectid => subjectid, :content_type => "application/xml") rescue return false @@ -212,8 +213,8 @@ module OpenTox # @return [Boolean,nil] def self.delete_policy(policy, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/pol") - @@logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}" + resource = RestClient::Resource.new("#{AA}/pol") + $logger.debug "OpenTox::Authorization.delete_policy policy: #{policy} with token: #{subjectid}" return true if resource.delete(:subjectid => subjectid, :id => policy) rescue return nil @@ -225,7 +226,7 @@ module OpenTox # @return [Array] def self.list_groups(subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/search") + resource = RestClient::Resource.new("#{AA}/opensso/identity/search") grps = resource.post(:admin => subjectid, :attributes_names => "objecttype", :attributes_values_objecttype => "group") grps = grps.split("\n").collect{|x| x.sub("string=","")} grps.delete_if{|g|g=="MemberManagement"||g=="Webmasters"} 
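Review bot: The debug line in `create_policy` writes the full subjectid (`" with token:" + subjectid.to_s`) to the log, and `delete_policy` does the same with `with token: #{subjectid}`; the subjectid is the OpenSSO session credential, so anyone with log access can replay it until logout. Logging only its length or a truncated prefix is enough for debugging: `$logger.debug "OpenTox::Authorization.create_policy policy: #{policy[168,43]} with token length: #{subjectid.to_s.length}"`. Note also that `subjectid.length` on a nil subjectid raises inside the `begin`, which the bare `rescue` converts into a silent `false` that looks identical to a server-side rejection.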
@@ -240,7 +241,7 @@ module OpenTox # @return [Array] gives array of LDAP groups of a user def self.list_user_groups(user, subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/read") + resource = RestClient::Resource.new("#{AA}/opensso/identity/read") out = resource.post(:name => user, :admin => subjectid, :attributes_names => "group") grps = [] out.split("\n").each do |line| @@ -257,7 +258,7 @@ module OpenTox # @return [String]user def self.get_user(subjectid) begin - resource = RestClient::Resource.new("#{AA_SERVER}/opensso/identity/attributes") + resource = RestClient::Resource.new("#{AA}/opensso/identity/attributes") out = resource.post(:subjectid => subjectid, :attributes_names => "uid") user = ""; check = false out.split("\n").each do |line| @@ -273,13 +274,13 @@ module OpenTox end end - #Send default policy with Authorization::AA class + #Send default policy with Authorization::Helper class # @param [String, String]URI,subjectid def self.send_policy(uri, subjectid) - return true if !AA_SERVER - aa = Authorization::AA.new(subjectid) + return true if !AA + aa = Authorization::Helper.new(subjectid) ret = aa.send(uri) - @@logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}" + $logger.debug "OpenTox::Authorization send policy for URI: #{uri} | subjectid: #{subjectid} - policy created: #{ret}" ret end @@ -291,7 +292,7 @@ module OpenTox if policies policies.each do |policy| ret = delete_policy(policy, subjectid) - @@logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}" + $logger.debug "OpenTox::Authorization delete policy: #{policy} - with result: #{ret}" end end return true 
@@ -304,11 +305,11 @@ module OpenTox def self.check_policy(uri, subjectid) return true unless uri and subjectid token_valid = OpenTox::Authorization.is_token_valid(subjectid) - @@logger.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}" + $logger.debug "OpenTox::Authorization.check_policy with uri: #{uri}, subjectid: #{subjectid} is valid: #{token_valid}" # check if subjectid is valid unless token_valid # abort if invalid - @@logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}" + $logger.error "OpenTox::Authorization.check_policy, subjectid NOT valid: #{subjectid}" return false end @@ -320,7 +321,7 @@ module OpenTox if authorize(uri, "POST", subjectid) true else - @@logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}" + $logger.error "OpenTox::Authorization.check_policy, already exists, but no POST-authorization with subjectid: #{subjectid}" false end end 
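Review bot: `return true unless uri and subjectid` at the top of `check_policy` grants access to any request that arrives without a subjectid, before the token validation two lines below ever runs. If this is meant to short-circuit when A&A is disabled, the condition should test the server setting rather than the presence of a token, e.g. `return true unless AA`, followed by `return false unless uri and subjectid`; if callers always supply a subjectid, a comment saying so would make the intent explicit. The method body continues beyond the hunk, so I cannot see what the remaining branches return.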
@@ -338,25 +339,25 @@ module OpenTox # @return [Boolean] true if access granted, else otherwise def self.authorized?(uri, request_method, subjectid) if CONFIG[:authorization][:free_request].include?(request_method) - #@@logger.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + #$logger.debug "authorized? >>true<< (request is free), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" true elsif OpenTox::Authorization.free_uri?(uri, request_method) - #@@logger.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + #$logger.debug "authorized? >>true<< (uris is free_uri), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" true elsif CONFIG[:authorization][:authenticate_request].include?(request_method) ret = OpenTox::Authorization.is_token_valid(subjectid) - @@logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret + $logger.debug "authorized? >>#{ret}<< (token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret ret elsif OpenTox::Authorization.authorize_exception?(uri, request_method) ret = OpenTox::Authorization.is_token_valid(subjectid) - @@logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret + $logger.debug "authorized? >>#{ret}<< (uris is authorize exception, token is in/valid), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret ret elsif CONFIG[:authorization][:authorize_request].include?(request_method) ret = OpenTox::Authorization.authorize(uri, request_method, subjectid) - @@logger.debug "authorized? >>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret + $logger.debug "authorized? 
>>#{ret}<< (uri (not) authorized), method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" unless ret ret else - @@logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" + $logger.error "invalid request/uri method: #{request_method}, URI: #{uri}, subjectid: #{subjectid}" false end end diff --git a/test/authorization.rb b/test/authorization.rb new file mode 100644 index 0000000..ffb2d65 --- /dev/null +++ b/test/authorization.rb 
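Review bot: The `if`/`elsif` chain in `authorized?` is first-match, so a request method that appears in both `CONFIG[:authorization][:authenticate_request]` and `CONFIG[:authorization][:authorize_request]` only ever gets a token-validity check, never the per-URI `authorize` call, and anything listed in `free_request` bypasses A&A entirely. Since those three lists define the access policy, they should be validated once at load time, e.g. `raise "authorization config: authenticate_request and authorize_request overlap" unless (CONFIG[:authorization][:authenticate_request] & CONFIG[:authorization][:authorize_request]).empty?`, rather than letting an overlap silently downgrade the check. The debug lines in every branch also interpolate the raw `subjectid`; consider logging only its length as suggested for `create_policy`.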
@@ -0,0 +1,112 @@ +require 'test/unit' +$LOAD_PATH << File.join(File.dirname(__FILE__),'..','lib') +require File.expand_path(File.join(File.dirname(__FILE__),'..','lib','opentox-client.rb')) +TEST_URI = "http://only_a_test/test/" + rand(1000000).to_s +#AA = "https://opensso.in-silico.ch" +AA_USER = "guest" +AA_PASS = "guest" +#unless defined? AA #overwrite turned off A&A server for testing + @@subjectid = OpenTox::Authorization.authenticate(AA_USER,AA_PASS) +#end + +class TestOpenToxAuthorizationBasic < Test::Unit::TestCase + + def test_01_server + assert_equal(AA, OpenTox::Authorization.server) + end + + def test_02_get_token + assert_not_nil @@subjectid + end + + def test_03_is_valid_token + tok = login + assert_not_nil tok + assert OpenTox::Authorization.is_token_valid(tok) + logout(tok) + end + + def test_04_logout + tok = login + assert logout(tok) + end + + def test_05_list_policies + assert_kind_of Array, OpenTox::Authorization.list_policies(@@subjectid) + end + +end + +class TestOpenToxAuthorizationLDAP < Test::Unit::TestCase + + def test_01_list_groups + assert_kind_of Array, OpenTox::Authorization.list_groups(@@subjectid) + end + + def test_02_list_user_groups + assert_kind_of Array, OpenTox::Authorization.list_user_groups(AA_USER, @@subjectid) + end + + def test_03_get_user + assert_equal AA_USER, OpenTox::Authorization.get_user(@@subjectid) + end + +end + +class TestOpenToxAuthorizationLDAP < Test::Unit::TestCase + + def test_01_create_check_delete_default_policies + res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid) + assert res + assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid) + policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid) + assert_kind_of Array, policies + policies.each do |policy| + assert OpenTox::Authorization.delete_policy(policy, @@subjectid) + end + assert_equal false, OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid) + end + + def test_02_check_policy_rules + 
tok_anonymous = OpenTox::Authorization.authenticate("anonymous","anonymous") + assert_not_nil tok_anonymous + res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid) + assert res + assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid) + owner_rights = {"GET" => true, "POST" => true, "PUT" => true, "DELETE" => true} + groupmember_rights = {"GET" => true, "POST" => nil, "PUT" => nil, "DELETE" => nil} + owner_rights.each do |request, right| + assert_equal right, OpenTox::Authorization.authorize(TEST_URI, request, @@subjectid), "#{AA_USER} requests #{request} to #{TEST_URI}" + end + groupmember_rights.each do |request, r| + assert_equal r, OpenTox::Authorization.authorize(TEST_URI, request, tok_anonymous), "anonymous requests #{request} to #{TEST_URI}" + end + + policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid) + assert_kind_of Array, policies + policies.each do |policy| + assert OpenTox::Authorization.delete_policy(policy, @@subjectid) + end + logout(tok_anonymous) + end + + def test_03_check_different_uris + res = OpenTox::Authorization.send_policy(TEST_URI, @@subjectid) + assert OpenTox::Authorization.uri_has_policy(TEST_URI, @@subjectid) + assert OpenTox::Authorization.authorize(TEST_URI, "GET", @@subjectid), "GET request" + policies = OpenTox::Authorization.list_uri_policies(TEST_URI, @@subjectid) + policies.each do |policy| + assert OpenTox::Authorization.delete_policy(policy, @@subjectid) + end + + end +end + + +def logout (token) + OpenTox::Authorization.logout(token) +end + +def login + OpenTox::Authorization.authenticate(AA_USER,AA_PASS) +end -- cgit v1.2.3
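Review bot: `TestOpenToxAuthorizationLDAP` is defined twice, so the second `class` statement reopens the first and the policy tests run under the LDAP class name; rename the second one, e.g. `class TestOpenToxAuthorizationPolicies < Test::Unit::TestCase`. `test_01_server` compares against a bare `AA`, but the constant this commit introduces lives in `module OpenTox`, so it should read `assert_equal(OpenTox::AA, OpenTox::Authorization.server)`. The top-level `@@subjectid = ...` is a class variable on `Object`; Ruby warns about toplevel class-variable access and newer releases raise, so a plain constant (`SUBJECTID = ...`) or a `setup` method would be more robust. These tests also authenticate against a live server with fixed `guest`/`guest` credentials, which is fine for a throwaway account but should be documented as requiring network access.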