source: TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py @ 3134

import sys # tracefile config param may be set to e.g. sys.stderr
import urllib2
import socket

from ows_server.lib.base import *
from pylons import request
import logging
log = logging.getLogger(__name__)

from ows_common.exception_report import OwsError
from ows_server.lib.security_util import SecuritySession

try: 
    from ndg.security.common.SessionMgr import SessionMgrClient, SessionNotFound,\
        SessionCertTimeError, SessionExpired, InvalidSession, \
        AttributeRequestDenied
    
    def HandleSecurity(*args):
        return SecurityHandler(*args)()
except:
    def HandleSecurity(*args):
        return 0,'Access Control System Not Installed'

class URLCannotBeOpened(Exception):
    """Raise from canURLBeOpened SecurityHandler class method
    if URL is invalid - this method is used to check the AA
    service"""

class SecurityHandler(object):
    """Make access control decision based on CSML constraint and user security
    token"""
    
    AccessAllowedMsg = "Access Allowed"
    InvalidAttributeCertificate = \
            "The certificate containing your authorisation roles is invalid"
    NotLoggedInMsg = 'Not Logged in'
    SessionExpiredMsg = 'Session has expired.  Please re-login'
    InvalidSessionMsg = 'Session is invalid.  Please try re-login'
    InvalidSecurityCondition = 'Invalid Security Condition'

    def __init__(self, uri, securityElement, securityTokens):
        """Initialise settings for WS-Security and SSL for SOAP
        call to Session Manager
        
        @type uri: string
        @param uri: URI corresponding to data granule ID
        
        @type securityElement: ElementTree Element
        @param securityElement: MOLES security constraint containing role and
        Attribute Authority URI. In xml, could look like:
        <moles:effect>allow</moles:effect>
            <moles:simpleCondition>
            <moles:dgAttributeAuthority>https://glue.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority>
            <moles:attrauthRole>coapec</moles:attrauthRole>
        </moles:simpleCondition>
        NB: xmlns:moles="http://ndg.nerc.ac.uk/moles
        
        @type: pylons.session
        @param securityTokens: dict-like session object containing security 
        tokens"""
        
        self.uri = uri
        self.securityElement = securityElement
        self.securityTokens = securityTokens


    def __call__(self, **kw):
        """Convenience wrapper for checkAccess"""
        return self.checkAccess(**kw)


    def checkAccess(self, 
                    uri=None, 
                    securityElement=None, 
                    securityTokens=None):
        """Make an access control decision based on whether the user is
        authenticated and has the required roles
        
        @type uri: string
        @param uri: URI corresponding to data granule ID
        
        @type: ElementTree Element
        @param securityElement: MOES security constraint containing role and
        Attribute Authority URI. In xml, could look like:
        <moles:effect>allow</moles:effect>
            <moles:simpleCondition>
            <moles:dgAttributeAuthority>https://glue.badc.rl.ac.uk/AttributeAuthority</moles:dgAttributeAuthority>
            <moles:attrauthRole>coapec</moles:attrauthRole>
        </moles:simpleCondition>
        NB: xmlns:moles="http://ndg.nerc.ac.uk/moles"
        
        @type: pylons.session
        @param securityTokens: dict-like session object containing security 
        tokens.  Resets equivalent object attribute."""
          
        # tokens and element may be set from __init__ or as args to this 
        # method.  If the latter copy them into self  
        if uri:
            self.uri = uri
            
        if securityTokens:
            self.securityTokens = securityTokens
                            
        if securityElement:
            self.securityElement=securityElement
     
        # Check self.securityTokens - if not set then the user mustn't be 
        # logged in.  This situation is possible if a user has been denied
        # access to data and then tried to logout - after log out they are
        # redirected back to the page where they tried accessing data but this
        # time they will have no security credential set
        if not self.securityTokens:
            # Try to recover and do something sensible
            #
            # TODO: this adds insult to injury if the person has just been
            # denied access to data.  Instead do a redirect back to the 
            # discovery page?
            # P J Kershaw 10/08/07
            log.info("Exiting from Gatekeeper: user is not logged in")
            return False, self.__class__.NotLoggedInMsg
            
        xpathr='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}attrauthRole'
        xpathaa='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}dgAttributeAuthority'
        roleE,aaE=self.securityElement.find(xpathr),self.securityElement.find(xpathaa)
        if roleE is None:
            log.error("Gatekeeper: role not found in dataset element: %s" % \
                      self.securityElement)
            return False, self.__class__.InvalidSecurityCondition
        
        self.reqRole=roleE.text
        
        # Check Attribute Authority address
        try:
            SecurityHandler.urlCanBeOpened(aaE.text)
        except (URLCannotBeOpened, AttributeError):
            # Catch situation where either Attribute Authority address in the
            # data invalid or none was set.  In this situation verify
            # against the Attribute Authority set in the config
            log.info('Gatekeeper: Attribute Authority address is invalid ' + \
                     'in data "%s" - defaulting to config file setting' % \
                     self.securityElement)
            self.reqAAURI = g.securityCfg.aaURI
    
        # Create Session Manager client
        self.smClnt = SessionMgrClient(uri=self.securityTokens['h'],
                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
                    signingCertFilePath=g.securityCfg.wssCertFilePath,
                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
                    tracefile=g.securityCfg.tracefile)       
        
        return self.__checkAttCert()
            

   
    def __checkAttCert(self):
        """Check to see if the Session Manager can deliver an Attribute 
        Certificate with the required role to gain access to the resource
        in question"""
            
        try:
            # Make request for attribute certificate
            attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
                                         sessID=self.securityTokens['sid'],
                                         reqRole=self.reqRole)
        except AttributeRequestDenied, e:
            log.info(\
                "Gatekeeper - request for attribute certificate denied: %s"%e)
            return False, str(e)
        
        except SessionNotFound, e:
            # Clear the security details from the session object
            SecuritySession.delete()
            log.info("Gatekeeper - no session found: %s" % e)
            return False, self.__class__.NotLoggedInMsg

        except SessionExpired, e:
            # Clear the security details from the session object
            SecuritySession.delete()
            log.info("Gatekeeper - session expired: %s" % e)
            return False, self.__class__.SessionExpiredMsg

        except SessionCertTimeError, e:
            # Clear the security details from the session object
            SecuritySession.delete()
            log.info("Gatekeeper - session cert. time error: %s" % e)
            return False, self.__class__.InvalidSessionMsg
            
        except InvalidSession, e:
            SecuritySession.delete()
            log.info("Gatekeeper - invalid user session: %s" % e)
            return False, self.__class__.InvalidSessionMsg

        except Exception, e:
            raise OwsError, "Gatekeeper request for attribute certificate: "+\
                            str(e)
                            
        # Check attribute certificate is valid
        attCert.certFilePathList = g.securityCfg.acCACertFilePathList
        attCert.isValid(raiseExcep=True)
            
        # Check it's issuer is as expected
        if attCert.issuer != g.securityCfg.acIssuer:
            log.info('Gatekeeper - access denied: Attribute Certificate ' + \
                'issuer DN, "%s" ' % attCert.issuer + \
                'must match this data provider\'s Attribute Authority ' + \
                'DN: "%s"' % g.securityCfg.acIssuer)
            return False, self.__class__.InvalidAttributeCertificate
        
        log.info('Gatekeeper - access granted for user "%s" '%attCert.userId+\
                 'to "%s" secured with role "%s" ' % (self.uri,self.reqRole)+\
                 'using attribute certificate:\n\n%s' % attCert)
                     
        return True, self.__class__.AccessAllowedMsg

    @classmethod
    def urlCanBeOpened(cls, url, timeout=5, raiseExcep=True):
       """Check url can be opened - adapted from 
       http://mail.python.org/pipermail/python-list/2004-October/289601.html
       """
    
       found = False
       defTimeOut = socket.getdefaulttimeout()
       try:
           socket.setdefaulttimeout(timeout)

           try:
               urllib2.urlopen(url)
           except (urllib2.HTTPError, urllib2.URLError,
                   socket.error, socket.sslerror):
               if raiseExcep:
                   raise URLCannotBeOpened
           
           found = True
         
       finally:
           socket.setdefaulttimeout(defTimeOut)
           
       return found