source: TI07-MOLES/trunk/StubB/XSLT/browse/portal/cgi/secure.py @ 980

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI07-MOLES/trunk/StubB/XSLT/browse/portal/cgi/secure.py@980
Revision 980, 6.2 KB checked in by lawrence, 13 years ago (diff)

Modifications in browse to get security going
(currently deliberately crashing in session
establishment - but after successfully obtaining
trusted host list).

Line 
1from Utilities import wrapGetText
2from NDG.SecurityClient import *
3
4class AccessControl:
5       
6        ''' Handle the access control metadata and provide three attributes of the
7        access control: exists (existence), status (modified elsewhere for whether
8        user can access data), and html (a message about the constraints). '''
9       
10        def __init__(self,e):
11                if e is None:
12                        self.status=1
13                        self.exist=0
14                        self.html=''
15                else:
16                        #for now assume everything with a simplecondition is deny
17                        self.html=wrapGetText(e,'dgSecurityCondition/conditionExplanationText')
18                        sc='dgSecurityCondition/simpleCondition/'
19                        self.SimpleCondition=(wrapGetText(e,sc+'attrauthRole'),
20                                              wrapGetText(e,sc+'dgAttributeAuthority'))
21                        if self.SimpleCondition==('',''): self.SimpleCondition=None
22                        self.status=0
23                        self.exist=1
24       
25       
26class AttributeAuthorityClient:
27        ''' placeholder til Phil writes his'''
28        def __init__(self,x):
29                pass
30        def getTrustedHostInfo(self):
31                return ['http://badc.nerc.ac.uk/login']
32       
33def mapAA2loginHosts(x):
34        ''' It's not obvious that the list of trusted hosts (which are attribute authorities)
35        are the same as actual login hosts associated with those attribute authorities,
36        so for now we'll hardcode that mapping in this routine, but it ought to be a simple
37        (restful) web service (restful because it is public) '''
38        return x
39       
40class gateway2NDGsession:
41       
42        ''' This class provides a gateway to the NDG session manager and methods upon it '''
43
44        def __init__(self,cookie, url, config, desiredAA=None):
45               
46                ''' The use case is that we attempt to establish a gateway to an
47                existing NDG session. If it exists, fine, if it doesn't, then we
48                don't do anything, but wait til a check call before attempting
49                to establish a connection ... that way we can prompt with an appropriate
50                set of hosts.
51               
52                If an NDG cookie exists, we use it by reEstablishing to the existing session.
53                '''
54               
55                #First we have to see if the ndgsecurity info is in the cookie
56                self.cookie=cookie
57                self.url=url
58                self.connected=0
59                self.config=config
60                if self.__SecCookie(): self._reEstablish(cookie)
61               
62        def __SecCookie(self):
63                ''' Check the current cookie and see if it contains security information, but
64                we (the CGI) don't need to parse it '''
65                # note we don't use isinstance since it is considered harmful.
66                if self.cookie is None:
67                    return 0
68                else:
69                    try:
70                        for i in ('NDG-ID1','NDG-ID2'): 
71                            if i not in self.cookie: return 0
72                    except: 
73                        return 0
74                return 1
75                                               
76        def __Establish(self,parsedSimpleCondition):
77                ''' Establish an NDG security session. We work out who to login
78                with by getting the list of trusted hosts from the parsedSimpleCondition
79                (which is just a tuple - role, attribute authority). This results in
80                a redirect to a user chosen host, after which we get back a URI with
81                the cookie posted as a (hidden) uri argument '''
82               
83                AA=AttAuthorityClient(aaWSDL=parsedSimpleCondition[1])
84                trustedHostList=AA.getTrustedHostInfo(role=parsedSimpleCondition[0])
85                loginHostList=mapAA2loginHosts(trustedHostList) 
86                print trustedHostList,1/0
87                #PHIL AT THIS POINT WE NEED TO CALL YOUR LOGIN CODE WHICH OUGHT
88                #TO PROMPT THE USER FOR ONE OF THESE HOSTS ...
89       
90        def _reEstablish(self,cookie):
91                ''' bind to the existing WSDL '''
92               
93                self.__loadKeys(smWSDL)
94                try:
95                        #set up session client
96                        # (all these keys to do message level encryption while talking to server,
97                        # see __loadKeys for more details)
98                        self.smClient = SessionClient(
99                            smWSDL=self.__localSessionManagerProxyWSDL,
100                            smPubKeyFilePath=self.__localSessionManagerPublicKey,
101                                    clntPubKeyFilePath=self.__thisCGIpublicKey,
102                                    clntPriKeyFilePath=self.__thisCGIprivateKey,
103                            traceFile=traceFile)
104                        self.connected=1
105                except Exception, e:
106                        # Socket error returns tuple - reformat to just give msg
107                        #raise SecurityCGIError("Session client: " + str(e))
108                        pass # for now we don't have the libraries or code attached
109
110        def check(self, parsedSimpleCondition):
111                ''' can the credentials in the wallet support access to the resource requiring
112                the role at wsdlAA - parsedSimpleCondition is a tuple - (role, wsdlAA) '''
113                #connect using cookie
114
115                #first make sure we've got real conditions, if not, deny ...
116                if parsedSimpleCondition is None: return 0
117
118                #if not connected, get connected
119                self.__Establish(parsedSimpleCondition)
120
121                resp = self.smClient.reqAuthorisation(sessCookie=cookieObj,
122                                    aaWSDL=wsdlAA,
123                                    aaPubKey=None, # the session client can get that from the WSDL
124                                    reqRole=role,
125                                    rtnExtAttCertList=None, #auto select role map for now
126                                    clntPriKeyPwd=None # not using encrypted yet
127                                    )
128                return 'AccessGranted' in resp #a simple boolean
129               
130       
131        def __loadKeys(self,smWSDL):
132                ''' Load security keys '''
133               
134                # We (potentially) need the public and private keys of this cgi script
135                # and the public key of the session client if our communication goes
136                # out over the public network and we want to deploy message
137                # level encryption.
138                 
139                #However, for the first installation, we will assume both the CGI and
140                #the session manager are running behind the same firewall.
141               
142                self.__thisCGIpublicKey=None
143                self.__thisCGIprivateKey=None
144               
145                #these are the things I need to talk to my local session manager
146                self.__localSessionManagerPublicKey=None
147                self.__localSessionManagerProxyWSDL=self.config.get('Security','localSM',None)
148               
149                #we need to call out to smWSDL to get their public key as a first step?
150                #self.__remoteSessionManagerPublicKey=self.__getKey(smWSDL)
151               
152                return
153       
154        def __getPublicKey(self,smWSDL):
155                ''' Given the WSDL address of a session manager object, get the public key associated
156                with it '''
157                return None
158       
Note: See TracBrowser for help on using the repository browser.