source: TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py @ 2754

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py@2754
Revision 2754, 7.8 KB checked in by lawrence, 12 years ago (diff)

Turning off security in ndgInterface for now ...

1import sys
2from ows_server.lib.base import *
3from ows_common.exception_report import OwsError
4from paste.request import parse_querystring
5
6from ndg.security.common.AttAuthority import AttAuthorityClient
7from ndg.security.common.SessionMgr import SessionMgrClient, \
8    AttributeRequestDenied
9
10
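class LoginController(BaseController):
    ''' Provides the pylons controller for local login '''

    def __setup(self):
        '''Record the request inputs and where to send the user afterwards.

        Sets self.inputs from the query string and c.returnTo from, in order
        of preference, the "r" query parameter, the HTTP Referer header, or
        '' (meaning: no redirect).  Both sources are supplied by the client,
        so c.returnTo is untrusted until it has been validated.
        '''
        self.inputs = dict(parse_querystring(request.environ))
        if 'r' in self.inputs:
            c.returnTo = self.inputs['r']
        elif 'HTTP_REFERER' in request.environ:
            # Added by Dom, 06/07/07
            # http redirect based on parse_querystring wasn't working so
            # added this condition
            # NOTE: Not been able to test whether this has broken
            # discovery/browse due to missing templates.
            c.returnTo = request.environ['HTTP_REFERER']
        else:
            c.returnTo = ''

    def __getPathList(self, option):
        '''Return the whitespace-split value of NDG_SECURITY *option*.

        Raises OwsError when the value has no split() method -- the config
        object apparently yields None rather than raising for a missing
        option, which is why AttributeError is what gets caught.
        '''
        try:
            return self.ndgCfg.get('NDG_SECURITY', option).split()
        except AttributeError:
            raise OwsError('No "%s" security setting' % option)

    def __securitySetup(self):
        '''PKI settings for Attribute Authority and Session Manager.

        Reads the NDG_SECURITY section of the config object found in
        request.environ['ndgConfig'] and stores: tracefile,
        sslCACertFilePathList and sslPeerCertCN (SSL connections to the
        security web services), wssCertFilePath, wssPriKeyFilePath,
        wssPriKeyPwd and wssCACertFilePathList (WS-Security digital
        signature).

        Raises OwsError if either CA certificate path list is missing.
        '''
        self.ndgCfg = request.environ['ndgConfig']

        # The SOAP clients built in getCredentials() and wayf() always pass
        # tracefile=self.tracefile, so the attribute must exist even when
        # tracing is switched off; previously it was only assigned when the
        # option was non-empty, which raised AttributeError further on.
        self.tracefile = None
        tracefileExpr = self.ndgCfg.get('NDG_SECURITY', 'tracefile')
        if tracefileExpr:
            # SECURITY: eval() of a configuration string.  The value is
            # operator-controlled rather than request data, but whatever
            # expression is placed there runs inside the server process, so
            # the config file needs the same protection as the code.  A
            # lookup of permitted stream names (sys.stdout / sys.stderr)
            # would be safer; kept as eval() because the expressions
            # existing deployments rely on are not known from this file.
            self.tracefile = eval(tracefileExpr)

        # ... for SSL connections to security web services
        self.sslCACertFilePathList = self.__getPathList('sslCACertFilePathList')
        self.sslPeerCertCN = self.ndgCfg.get('NDG_SECURITY', 'sslPeerCertCN')

        # ...and for WS-Security digital signature
        self.wssCertFilePath = self.ndgCfg.get('NDG_SECURITY',
                                               'wssCertFilePath')
        self.wssPriKeyFilePath = self.ndgCfg.get('NDG_SECURITY',
                                                 'wssKeyFilePath')
        self.wssPriKeyPwd = self.ndgCfg.get('NDG_SECURITY', 'wssKeyPwd')
        self.wssCACertFilePathList = self.__getPathList('wssCACertFilePathList')

    def index(self):
        ''' Ok, you really want to login here '''
        self.__setup()
        return render_response('login')

    def getCredentials(self):
        """Authenticate user and cache user credentials in
        Session Manager following user login.

        Reads 'username' and 'passphrase' from the submitted form, connects
        to the Session Manager, requests an attribute certificate and stores
        the resulting credentials in the Pylons session.  On failure the
        login page is re-rendered with the error text in c.xml.  On success
        the user is redirected to c.returnTo, or the 'content' page is
        rendered when there is nowhere to return to.
        """
        self.__setup()
        self.__securitySetup()

        # smURI is stored in the session below, so it is needed whether or
        # not the client has already been built (it used to be assigned
        # only inside the hasattr branch, a NameError on the cached path).
        smURI = self.ndgCfg.get('NDG_SECURITY', 'sessionMgrURI')

        if not hasattr(self, "smClnt"):
            # May be better as a 'g' global set-up at start-up?
            #
            # tracefile could be removed for production use
            self.smClnt = SessionMgrClient(uri=smURI,
                            sslCACertFilePathList=self.sslCACertFilePathList,
                            sslPeerCertCN=self.sslPeerCertCN,
                            signingCertFilePath=self.wssCertFilePath,
                            signingPriKeyFilePath=self.wssPriKeyFilePath,
                            signingPriKeyPwd=self.wssPriKeyPwd,
                            caCertFilePathList=self.wssCACertFilePathList,
                            tracefile=self.tracefile)

        username = request.params['username']
        passphrase = request.params['passphrase']

        # Connect to Session Manager
        try:
            proxyCert, proxyPriKey, userCert, sessID = \
                        self.smClnt.connect(username, passphrase=passphrase)
        except Exception, e:
            # NOTE(review): the raw exception text is shown to the user
            # here and in the two handlers below; it may carry back-end
            # details such as service URIs or file paths.  Logging e and
            # showing a generic message would be the safer choice.  Whether
            # the template escapes c.xml cannot be judged from this file.
            c.xml = "Error logging in: %s" % e
            return render_response('login')

        # Cache user attributes in Session Manager
        try:
            # Set the Attribute Authority address for the Session Manager to
            # send its attribute request to
            aaURI = self.ndgCfg.get('NDG_SECURITY', 'attAuthorityURI')

            # Reset signature handler to authenticate client using user
            # proxy cert returned from connect call
            self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
            self.smClnt.signatureHandler.signingPriKey = proxyPriKey
            wssCertChain = (userCert, proxyCert)
            self.smClnt.signatureHandler.signingCertChain = wssCertChain

            # Make request for attribute certificate
            attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI)

        except AttributeRequestDenied, e:
            c.xml = "No roles available: %s" % e
            return render_response('login')

        except Exception, e:
            c.xml = "Error getting roles: %s" % e
            return render_response('login')

        # Make session
        #
        # Security credentials - proxyCert, userCert, ProxyPriKey and sessID
        # could be held in the session but how secure is
        # the session - where is it visible?
        #
        # P J Kershaw 25/07/07
        #
        # NOTE(review): the proxy private key ('wssPriKey') and the Session
        # Manager session ID are written into the session store here.  How
        # exposed they are depends on the Pylons session backend and how
        # its storage is protected, which this file does not show.
        session['ndgSec'] = {'h': 'badc.nerc.ac.uk',
                             'u': username,
                             'r': attCert.roles,
                             'sessID': sessID,
                             'wssCertChain': wssCertChain,
                             'wssPriKey': proxyPriKey,
                             'smURI': smURI}
        session['panelView'] = 'History'
        session.save()

        # Make a security cookie here ...

        # Need to pass security creds back to requestor so that they can make
        # a cookie.  If the requestor is in the same domain as the login then
        # this is not necessary.

        # and now go back to whence we had come
        if c.returnTo:
            # SECURITY: c.returnTo is taken verbatim from the 'r' query
            # parameter or the Referer header (see __setup), so this is an
            # open redirect.  Validate it against the known provider hosts
            # (or require a relative path) before redirecting; not enforced
            # here because the comment above implies cross-domain
            # requestors are expected.
            #
            # is there a keyword on redirect_to that can make this https? See:
            # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69
            h.redirect_to(c.returnTo)
        else:
            c.xml = 'Login Successful'
            return render_response('content')

    def wayf(self):
        ''' NDG equivalent to Shibboleth WAYF

        Builds c.providers, a mapping of host name to login URI, from the
        Attribute Authority's trusted-host list plus this host, and renders
        the 'wayf' page.  Raises OwsError if the Attribute Authority
        returns no information about this host.
        '''
        self.__setup()
        self.__securitySetup()

        # TODO: a 'roleNeeded' query parameter is currently ignored; the
        # Attribute Authority should be asked which hosts can satisfy it
        # instead of listing every trusted host.

        if not hasattr(self, "aaClnt"):
            aaURI = self.ndgCfg.get('NDG_SECURITY', 'attAuthorityURI')

            # May be better as a 'g' global set-up at start-up?
            #
            # tracefile could be removed for production use
            self.aaClnt = AttAuthorityClient(uri=aaURI,
                                signingCertFilePath=self.wssCertFilePath,
                                signingPriKeyFilePath=self.wssPriKeyFilePath,
                                signingPriKeyPwd=self.wssPriKeyPwd,
                                caCertFilePathList=self.wssCACertFilePathList,
                                tracefile=self.tracefile)

        # Get list of login uris for trusted sites including THIS one
        trustedHosts = self.aaClnt.getTrustedHostInfo()
        thisHost = self.aaClnt.getHostInfo()

        # thisHost is expected to be a one-entry dict.  An empty dict makes
        # keys()[0] raise IndexError and None raises AttributeError; only
        # TypeError used to be caught, so the intended OwsError never fired.
        try:
            trustedHosts[thisHost.keys()[0]] = thisHost.values()[0]
        except (TypeError, IndexError, AttributeError):
            raise OwsError("thisHost returned from Attribute Authority is empty")

        c.providers = dict((k, v['loginURI']) for k, v in trustedHosts.items())

        return render_response('wayf')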