source: TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py @ 2748

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py@2748
Revision 2748, 6.0 KB checked in by pjkersha, 13 years ago (diff)

called by HandleSecurity function. Needs testing and fixes - see TODOs

ows_server/ows_server/config/ndgDiscovery.config:

  • added a section for security including WS-Security and SSL PKI settings.

ows_server/ows_server/config/routing.py:

  • added entry for login handling

ows_server/ows_server/controllers/login.py:

  • security web services integrated. TODO: credentials passing across http redirect

ows_server/ows_server/controllers/logout.py:

  • security WS calls integrated

ows_server/ows_server/templates/ndgPage.kid:

  • fix to display of roles

ows_server/ows_server/templates/login.kid:

  • new page for login
1from ows_common.exception_report import OwsError
2from ndg.security.common.SessionMgr import SessionMgrClient, \
3    AttributeRequestDenied
4
def HandleSecurity(securityElement, securityTokens):
    """Make an access control decision for a CSML security constraint

    @param securityElement: CSML security constraint containing role and
    Attribute Authority URI
    @param securityTokens: dict-like session object containing the user's
    security tokens
    @return: (allowed, message) tuple as produced by
    SecurityHandler.checkAccess"""
    handler = SecurityHandler(securityElement, securityTokens)
    return handler()
7
8# This is an initial implementation and is untested.  See TODOs
9# for more info
10#
11# P J Kershaw 26/07/07
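class SecurityHandler(object):
    """Make access control decision based on CSML constraint and user security
    token

    The SOAP call to the Session Manager is configured from the NDG_SECURITY
    section of the application config: SSL settings for the connection and
    WS-Security settings for signing the request.  Every decision is returned
    as a (allowed, message) tuple, allowed being a bool and message one of
    the *Msg class attributes below."""

    AccessAllowedMsg = "Access Allowed"
    AccessDeniedMsg = "Access Denied"
    NotLoggedInMsg = 'Not Logged in'

    def __init__(self, securityElement, securityTokens):
        """Initialise settings for WS-Security and SSL for SOAP
        call to Session Manager

        @type: ? TODO: set type
        @param securityElement: CSML security constraint containing role and
        Attribute Authority URI

        @type: pylons.session
        @param securityTokens: dict-like session object containing security
        tokens.  It must hold the Session Manager address under 'smURI';
        'wssCertChain' is optional.

        @raise OwsError: if one of the certificate list settings is absent
        from the NDG_SECURITY config section"""

        self.securityElement = securityElement
        self.securityTokens = securityTokens

        # TODO: fix this ref. - 'request' is not imported by this module, so
        # this line raises NameError until the Pylons request object is
        # brought into scope
        self.ndgCfg = request.environ['ndgConfig']

        # NOTE(review): eval() of a config value.  Acceptable only while the
        # config file is local and trusted - anyone able to write
        # NDG_SECURITY/tracefile can run arbitrary code in this process.
        # Mapping a small set of allowed values would avoid that.
        self.tracefile = eval(self.ndgCfg.get('NDG_SECURITY', 'tracefile'))

        # ... for SSL connections to security web services
        self.sslCACertFilePathList = \
                            self.__getPathListSetting('sslCACertFilePathList')

        # Common Name the Session Manager's SSL certificate must present
        self.sslPeerCertCN = self.ndgCfg.get('NDG_SECURITY', 'sslPeerCertCN')

        # ...and for WS-Security digital signature
        self.wssCertFilePath = self.ndgCfg.get('NDG_SECURITY',
                                               'wssCertFilePath')
        self.wssPriKeyFilePath = self.ndgCfg.get('NDG_SECURITY',
                                                 'wssKeyFilePath')
        self.wssPriKeyPwd = self.ndgCfg.get('NDG_SECURITY', 'wssKeyPwd')
        self.wssCACertFilePathList = \
                            self.__getPathListSetting('wssCACertFilePathList')

        # Attribute Certificate verification of X.509 cert chain back to CA
        self.acCACertFilePathList = \
                            self.__getPathListSetting('acCACertFilePathList')

        # NOTE(review): __checkAttCert compares the Attribute Certificate
        # issuer against self.acIssuerName, which is not set anywhere in this
        # class yet - TODO: read it from the NDG_SECURITY config section

        # Certificate chain to pass in the WS-Security header - required for
        # use with a proxy cert.  (The if-test further down used to refer to
        # an undefined name 'wssCertChain'.)
        wssCertChain = securityTokens.get('wssCertChain')

        # Create Session Manager client
        self.smClnt = SessionMgrClient(uri=self.securityTokens['smURI'],
                        sslCACertFilePathList=self.sslCACertFilePathList,
                        sslPeerCertCN=self.sslPeerCertCN,
                        signingCertChain=wssCertChain,
                        signingCertFilePath=self.wssCertFilePath,
                        signingPriKeyFilePath=self.wssPriKeyFilePath,
                        signingPriKeyPwd=self.wssPriKeyPwd,
                        caCertFilePathList=self.wssCACertFilePathList,
                        tracefile=self.tracefile)

        # Fix WS-Security BinarySecurityToken Value Type for the passing of a
        # cert chain - required for use with proxy cert.
        if wssCertChain:
            self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'


    def __getPathListSetting(self, settingName):
        """Read a whitespace separated list of file paths from the
        NDG_SECURITY config section

        @type settingName: basestring
        @param settingName: name of the setting to read
        @rtype: list
        @return: the file paths listed in the setting
        @raise OwsError: if the setting is absent (the config returns a value
        with no split method)"""
        try:
            return self.ndgCfg.get('NDG_SECURITY', settingName).split()
        except AttributeError:
            raise OwsError('No "%s" security setting' % settingName)


    def __call__(self, **kw):
        """Convenience wrapper for checkAccess - accepts the same keywords"""
        return self.checkAccess(**kw)


    def checkAccess(self, securityElement=None, securityTokens=None):
        """Make an access control decision based on whether the user is
        authenticated and has the required roles

        @type: ? TODO: set type
        @keyword securityElement: CSML security constraint containing role and
        Attribute Authority URI.  Resets equivalent object attribute.

        @type: pylons.session
        @keyword securityTokens: dict-like session object containing security
        tokens.  Resets equivalent object attribute.

        @rtype: tuple
        @return: (allowed, message): (False, NotLoggedInMsg) when no security
        tokens are available, otherwise the result of the Attribute
        Certificate check"""

        if securityElement:
            self.securityElement = securityElement

        if securityTokens:
            # NOTE(review): the Session Manager client built in __init__ is
            # not rebuilt here, so it keeps the smURI / cert chain of the
            # tokens given to the constructor
            self.securityTokens = securityTokens

        if self.securityTokens is None:
            return False, self.__class__.NotLoggedInMsg

        # Was self.__checkAccess(), a method this class never defines;
        # __checkAttCert is the one that makes the decision
        return self.__checkAttCert()


    def __checkAttCert(self):
        """Check to see if the Session Manager can deliver an Attribute
        Certificate with the required role to gain access to the resource
        in question

        @rtype: tuple
        @return: (False, AccessDeniedMsg) when the Session Manager refuses the
        attribute request, (True, AccessAllowedMsg) when a valid certificate
        from the expected issuer is obtained
        @raise OwsError: if the expected issuer is not configured or the
        certificate issuer differs from it.  Whatever attCert.isValid raises
        for an invalid certificate is propagated too."""

        try:
            # Get the Attribute Authority address for the Session Manager to
            # send its attribute request to
            #
            # TODO: get the correct AA URI attribute name
            aaURI = self.securityElement.aaURI

            # Make request for attribute certificate
            #
            # sessID is needed if proxy cert is unavailable as ID
            #
            # TODO: get correct role name attribute from securityElement var
            attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI,
                                     sessID=self.securityTokens.get('sessID'),
                                     reqRole=self.securityElement.roleName)

        except AttributeRequestDenied:
            return False, self.__class__.AccessDeniedMsg

        # Check attribute certificate is valid against the configured CA list
        attCert.certFilePathList = self.acCACertFilePathList
        attCert.isValid(raiseExcep=True)

        # Check its issuer is as expected.  Fail closed with an explicit
        # error when the expected issuer was never configured rather than
        # accepting any issuer.
        expectedIssuer = getattr(self, 'acIssuerName', None)
        if expectedIssuer is None:
            raise OwsError("No Attribute Authority issuer name configured for "
                           "Attribute Certificate verification")

        if attCert.issuerName != expectedIssuer:
            raise OwsError("Attribute Certificate issuer must match "
                           "this data provider's Attribute Authority name id")

        return True, self.__class__.AccessAllowedMsg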
152       