source: TI07-MOLES/trunk/StubB/XSLT/browse/portal/cgi/secure.py @ 935

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI07-MOLES/trunk/StubB/XSLT/browse/portal/cgi/secure.py@935
Revision 935, 5.5 KB checked in by lawrence, 14 years ago (diff)

Pretty sure this will have broken the browse,
but can't check at the moment. This is the first
commit that has live links to the security code.

Line 
1from Utilities import wrapGetText
2
3class AccessControl:
4       
5        ''' Handle the access control metadata and provide three attributes of the
6        access control: exists (existence), status (modified elsewhere for whether
7        user can access data), and html (a message about the constraints). '''
8       
9        def __init__(self,e):
10                if e is None:
11                        self.status=1
12                        self.exist=0
13                        self.html=''
14                else:
15                        #for now assume everything with a simplecondition is deny
16                        self.html=wrapGetText(e,'dgSecurityCondition/conditionExplanationText')
17                        sc='dgSecurityCondition/simpleCondition/'
18                        self.SimpleCondition=(wrapGetText(e,sc+'attrauthRole'),
19                                              wrapGetText(e,sc+'dgAttributeAuthority'))
20                        if self.SimpleCondition==('',''): self.SimpleCondition=None
21                        self.status=0
22                        self.exist=1
23       
24       
25class AttributeAuthorityClient:
26        ''' placeholder til Phil writes his'''
27        def __init__(self,x):
28                pass
29        def getTrustedHostInfo(self):
30                return ['http://badc.nerc.ac.uk/login']
31       
32def mapAA2loginHosts(x):
33        ''' It's not obvious that the list of trusted hosts (which are attribute authorities)
34        are the same as actual login hosts associated with those attribute authorities,
35        so for now we'll hardcode that mapping in this routine, but it ought to be a simple
36        (restful) web service (restful because it is public) '''
37        return [x]
38       
39class gateway2NDGsession:
40       
41        ''' This class provides a gateway to the NDG session manager and methods upon it '''
42
43        def __init__(self,cookie, url, config, desiredAA=None):
44               
45                ''' Establish gateway by either,
46                       a) using the NDG cookie and passing it to a local session manager instance
47                       to decode and use, or
48                       b) redirecting and receving back a url with the cookie information and then
49                       doing option a).
50                In both cases, we can't assume that we can *Create* the cookie as there
51                may be a pre-existing history component to the cookie.
52                '''
53               
54                #First we have to see if the ndgsecurity info is in the cookie
55                self.cookie=cookie
56                self.url=url
57                if self.__notSecCookie():
58                        self._Establish(desiredAA)
59                else:
60                        self._reEstablish()
61               
62                self.config=config
63       
64        def __notSecCookie(self):
65                ''' Check the current cookie and see if it contains security information, but
66                we (the CGI) don't need to parse it '''
67                # note we don't use isinstance since it is considered harmful.
68                if self.cookie is None:
69                        return 1
70                else:
71                        try:
72                                for i in ('NDG-ID1','NDG-ID2'): 
73                                        if i not in self.cookie: return 1
74                        except: 
75                                return 1
76                return 0
77                                               
78        def _Establish(self,desiredAA):
79                ''' Need to go off and do some prompting etc '''
80                # this should eventually be a redirect, after which we will
81                # get a URI back with the cookie posted as a (hidden) uri argument.
82                AA=AttributeAuthorityClient(desiredAA)
83                trustedHostList=AA.getTrustedHostInfo()
84                loginHostList=mapAA2loginHosts(trustedHostList) 
85                pass
86       
87        def _reEstablish(self,cookie):
88                ''' bind to the existing WSDL '''
89               
90                #
91                self.__loadKeys(smWSDL)
92                try:
93                        #set up session client
94                        # (all these keys to do message level encryption while talking to server,
95                        # see __loadKeys for more details)
96                        smClient = SessionClient(
97                            smWSDL=self.__localSessionManagerProxyWSDL,
98                            smPubKeyFilePath=self.__localSessionManagerPublicKey,
99                                    clntPubKeyFilePath=self.__thisCGIpublicKey,
100                                    clntPriKeyFilePath=self.__thisCGIprivateKey,
101                            traceFile=traceFile)
102
103                except Exception, e:
104                        # Socket error returns tuple - reformat to just give msg
105                        #raise SecurityCGIError("Session client: " + str(e))
106                        pass # for now we don't have the libraries or code attached
107
108        def check(self, parsedSimpleCondition):
109                ''' can the credentials in the wallet support access to the resource requiring
110                the role at wsdlAA - parsedSimpleCondition is a tuple - (role, wsdlAA) '''
111                #connect using cookie
112
113                #first make sure we've got real conditions, if not, deny ...
114                if parsedSimpleCondition is None: return 0
115
116                resp = smClient.reqAuthorisation(sessCookie=cookieObj,
117                                    aaWSDL=wsdlAA,
118                                    aaPubKey=None, # the session client can get that from the WSDL
119                                    reqRole=role,
120                                    rtnExtAttCertList=None, #auto select role map for now
121                                    clntPriKeyPwd=None # not using encrypted yet
122                                    )
123                return 'AccessGranted' in resp #a simple boolean
124               
125       
126        def __loadKeys(self,smWSDL):
127                ''' Load security keys '''
128               
129                # We (potentially) need the public and private keys of this cgi script
130                # and the public key of the session client if our communication goes
131                # out over the public network and we want to deploy message
132                # level encryption.
133                 
134                #However, for the first installation, we will assume both the CGI and
135                #the session manager are running behind the same firewall.
136               
137                self.__thisCGIpublicKey=None
138                self.__thisCGIprivateKey=None
139               
140                #these are the things I need to talk to my local session manager
141                self.__localSessionManagerPublicKey=None
142                self.__localSessionManagerProxyWSDL=self.config.get('Security','localSM',None)
143               
144                #we need to call out to smWSDL to get their public key as a first step?
145                #self.__remoteSessionManagerPublicKey=self.__getKey(smWSDL)
146               
147                return
148       
149        def __getPublicKey(self,smWSDL):
150                ''' Given the WSDL address of a session manager object, get the public key associated
151                with it '''
152                return None
153       
Note: See TracBrowser for help on using the repository browser.