
Patched ndg.security.common.AttCert so that it uses a proxy to ndg.security.common.XMLSec.XMLSecDoc for Python versions >= 2.5.5. This works around the PyXML incompatibility with later versions of Python. Disabling XMLSecDoc means that Attribute Certificates are not signed, but NDG Attribute Certificates are no longer used: SAML assertions take their place. NDG AC functionality will be deleted from the trunk.

"""ZSI Server side SOAP Binding for Attribute Authority Web Service

The AttributeAuthorityWS class defined here subclasses the ZSI-generated
server stub and fills each SOAP response from a wrapped
ndg.security.server.attributeauthority.AttributeAuthority instance.

NERC DataGrid Project"""
__author__ = "P J Kershaw"
__date__ = "11/06/08"
__copyright__ = "(C) 2009 Science and Technology Facilities Council"
__license__ = "BSD - see LICENSE file in top-level directory"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = '$Id: $'
import os
import sys
import base64
import logging
# Module-level logger: the SOAP callbacks log which certificate source they
# used at debug level and __init__ warns if no signature verification filter
# reference is configured
log = logging.getLogger(__name__)

# Typecodes for the generated request/response messages; only the *InputMsg
# typecodes are used for parsing in this module
from ndg.security.common.zsi.attributeauthority.AttributeAuthority_services \
    import getAttCertInputMsg, getAttCertOutputMsg, \
        getHostInfoInputMsg, getHostInfoOutputMsg, \
        getTrustedHostInfoInputMsg, getTrustedHostInfoOutputMsg, \
        getAllHostsInfoInputMsg, getAllHostsInfoOutputMsg

# ZSI-generated server stub whose soap_* callbacks AttributeAuthorityWS
# overrides
from \
ndg.security.server.zsi.attributeauthority.AttributeAuthority_services_server \
    import AttributeAuthorityService as _AttributeAuthorityService

from ndg.security.server.attributeauthority import AttributeAuthority, \
    AttributeAuthorityAccessDenied

from ndg.security.common.wssecurity.signaturehandler.foursuite import \
                                                            SignatureHandler
from ndg.security.common.X509 import X509Cert, X509CertRead
32
33
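class AttributeAuthorityWS(_AttributeAuthorityService):
    '''Attribute Authority ZSI SOAP Service Binding class

    Each soap_* callback lets the generated base class parse the request and
    create the response holder, then populates that holder from the wrapped
    AttributeAuthority instance held in the "aa" property.
    '''

    # Environment variable checked in __init__: a non-empty value drops into
    # pdb at construction and at the start of each SOAP callback.  Nb. ANY
    # non-empty string - including "0" - enables it.
    DEBUG_ENVIRON_VARNAME = 'NDGSEC_INT_DEBUG'

    # Keyword (consumed from the __init__ **kw) naming the WSGI environ key
    # under which the upstream WS-Security signature verification filter
    # registered itself
    WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME = \
                                            'wsseSignatureVerificationFilterID'

    # (ZSI holder attribute, host info dictionary key) pairs shared by the
    # three host info callbacks.  RoleList is deliberately absent: the local
    # host's entry carries no role list, so callers set it where it applies.
    _HOST_INFO_ATTR_MAP = (
        ('SiteName', 'siteName'),
        ('AaURI', 'aaURI'),
        ('AaDN', 'aaDN'),
        ('LoginURI', 'loginURI'),
        ('LoginServerDN', 'loginServerDN'),
        ('LoginRequestServerDN', 'loginRequestServerDN'),
    )

    def __init__(self, **kw):
        '''Create the binding and, optionally, the wrapped Attribute Authority

        @type kw: dict
        @param kw: settings.  The WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME
        entry is removed and stored in the wsseSignatureVerificationFilterID
        property; whatever remains is passed to
        AttributeAuthority.fromProperties to create the "aa" instance.  If
        nothing remains, "aa" is left as None and must be assigned by the
        caller before any SOAP callback is invoked.
        '''
        self.__wsseSignatureVerificationFilterID = None
        self.__debug = None
        self.__aa = None

        # Stop in debugger at beginning of SOAP stub if environment variable
        # is set
        self.debug = bool(os.environ.get(
                                AttributeAuthorityWS.DEBUG_ENVIRON_VARNAME))
        if self.debug:
            import pdb
            pdb.set_trace()

        # Extract local WS-Security signature verification filter reference.
        # Without it soap_getAttCert has no verified signature to take the
        # holder certificate from and falls back to the UserX509Cert element
        # supplied in the request itself.
        self.wsseSignatureVerificationFilterID = kw.pop(
            AttributeAuthorityWS.WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME,
            None)
        if self.wsseSignatureVerificationFilterID is None:
            log.warning('No "wsseSignatureVerificationFilterID" option was '
                        'set in the input config')

        # Initialise Attribute Authority class - property file will be
        # picked up from default location under $NDG_DIR directory
        if kw:
            self.aa = AttributeAuthority.fromProperties(**kw)

    def _get_debug(self):
        return self.__debug

    def _set_debug(self, value):
        # Strict bool check so that a truthy string from the environment
        # cannot be stored unconverted
        if not isinstance(value, bool):
            raise TypeError('Expecting %r for "debug"; got %r' %
                            (bool, type(value)))
        self.__debug = value

    debug = property(_get_debug, _set_debug,
                     doc="Set to True to drop into the debugger for each SOAP "
                         "callback")

    def _get_aa(self):
        return self.__aa

    def _set_aa(self, val):
        if not isinstance(val, AttributeAuthority):
            raise TypeError('Expecting %r for "aa" attribute; got %r' %
                            (AttributeAuthority, type(val)))
        self.__aa = val

    aa = property(fget=_get_aa,
                  fset=_set_aa,
                  doc="Attribute Authority instance (None until set)")

    def _get_wsseSignatureVerificationFilterID(self):
        return self.__wsseSignatureVerificationFilterID

    def _set_wsseSignatureVerificationFilterID(self, value):
        if not isinstance(value, (basestring, type(None))):
            raise TypeError('Expecting string or None type for '
                            '"wsseSignatureVerificationFilterID"; got %r' %
                            type(value))
        self.__wsseSignatureVerificationFilterID = value

    wsseSignatureVerificationFilterID = property(
                                    _get_wsseSignatureVerificationFilterID,
                                    _set_wsseSignatureVerificationFilterID,
                                    doc="Reference the Signature Verification "
                                        "filter upstream in the stack by "
                                        "the WSGI environ with this keyword.  "
                                        "The verification middleware must "
                                        "likewise set a reference to itself "
                                        "in the environ")

    def _getLocalHostname(self):
        '''Return the hostname of THIS Attribute Authority

        NOTE(review): this takes the first key of self.aa.hostInfo and so
        assumes that dictionary holds exactly one entry - confirm against
        AttributeAuthority.

        @rtype: basestring
        @return: hostname key into self.aa.hostInfo
        '''
        return self.aa.hostInfo.keys()[0]

    def _setHostInfoFields(self, holder, hostname, hostInfo):
        '''Copy a host's info dictionary into a ZSI holder object

        Shared by soap_getHostInfo, soap_getAllHostsInfo and
        soap_getTrustedHostInfo so that the field mapping lives in one place.
        RoleList is NOT set here - see _HOST_INFO_ATTR_MAP.

        @param holder: response holder, e.g. from response.new_hosts() or
        response.new_trustedHosts(), or the response itself
        @type hostname: basestring
        @param hostname: value for holder.Hostname
        @type hostInfo: dict
        @param hostInfo: per-host settings keyed as in _HOST_INFO_ATTR_MAP
        @raise KeyError: if hostInfo lacks any of the expected keys
        '''
        holder.Hostname = hostname
        for attrName, key in self._HOST_INFO_ATTR_MAP:
            setattr(holder, attrName, hostInfo[key])

    def soap_getAttCert(self, ps):
        '''Retrieve an Attribute Certificate

        The holder certificate is taken from the WS-Security signature
        verification filter when one is referenced via
        wsseSignatureVerificationFilterID, i.e. from the certificate that
        actually signed the message.  Otherwise it is read, unverified, from
        the request's UserX509Cert element.

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: ndg.security.common.zsi.attributeauthority.AttributeAuthority_services_types.getAttCertResponse_Holder
        @return: response with AttCert set, or Msg set to the access denied
        reason'''
        if self.debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getAttCertInputMsg.typecode)
        response = _AttributeAuthorityService.soap_getAttCert(self, ps)

        # Derive designated holder cert differently according to whether
        # a signed message is expected from the client - NB, this is dependent
        # on whether a reference to the signature filter was set in the
        # environment.  With the filter ID unset, .get() is called with None
        # and the unsigned branch is always taken.
        # NOTE(review): referencedWSGIFilters is not defined in this module -
        # presumably populated by the WSGI stack; confirm against the base
        # class / deployment.
        signatureFilter = self.referencedWSGIFilters.get(
                                        self.wsseSignatureVerificationFilterID)
        if signatureFilter is not None:
            # Get certificate corresponding to private key that signed the
            # message - i.e. the user's proxy
            log.debug("Reading holder certificate from WS-Security signature "
                      "header")
            holderX509Cert = signatureFilter.signatureHandler.verifyingCert
        else:
            # No signature from client - they must instead provide the
            # designated holder cert via the UserX509Cert input
            log.debug('Reading holder certificate from SOAP request '
                      '"userX509Cert" parameter')
            holderX509Cert = request.UserX509Cert

        try:
            attCert = self.aa.getAttCert(userId=request.UserId,
                                         holderX509Cert=holderX509Cert,
                                         userAttCert=request.UserAttCert)
            response.AttCert = attCert.toString()

        except AttributeAuthorityAccessDenied, e:
            # Denial is reported to the client in the Msg field rather than
            # as a SOAP fault
            response.Msg = str(e)

        return response

    def soap_getHostInfo(self, ps):
        '''Get information about this host

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: response
        @return: response with the local host's fields set'''
        if self.debug:
            import pdb
            pdb.set_trace()

        response = _AttributeAuthorityService.soap_getHostInfo(self, ps)

        # Look the local host's settings up once rather than per field
        hostname = self._getLocalHostname()
        self._setHostInfoFields(response, hostname,
                                self.aa.hostInfo[hostname])

        return response

    def soap_getAllHostsInfo(self, ps):
        '''Get information about all hosts

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: response object whose Hosts list starts with THIS host
        followed by every trusted host'''
        if self.debug:
            import pdb
            pdb.set_trace()

        response = _AttributeAuthorityService.soap_getAllHostsInfo(self, ps)

        trustedHostInfo = self.aa.getTrustedHostInfo()

        # Convert ready for serialization

        # First get info for THIS Attribute Authority ...
        # Nb. No role list applies here
        localHostname = self._getLocalHostname()
        localHost = response.new_hosts()
        self._setHostInfoFields(localHost, localHostname,
                                self.aa.hostInfo[localHostname])
        hosts = [localHost]

        # ... then append info for other trusted attribute authorities...
        for hostname, hostInfo in trustedHostInfo.items():
            host = response.new_hosts()
            self._setHostInfoFields(host, hostname, hostInfo)
            host.RoleList = hostInfo['role']
            hosts.append(host)

        response.Hosts = hosts

        return response

    def soap_getTrustedHostInfo(self, ps):
        '''Get information about other trusted hosts

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: response object with TrustedHosts filtered by the Role
        named in the request'''
        if self.debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getTrustedHostInfoInputMsg.typecode)
        response = _AttributeAuthorityService.soap_getTrustedHostInfo(self, ps)

        trustedHostInfo = self.aa.getTrustedHostInfo(role=request.Role)

        # Convert ready for serialization
        trustedHosts = []
        for hostname, hostInfo in trustedHostInfo.items():
            trustedHost = response.new_trustedHosts()
            self._setHostInfoFields(trustedHost, hostname, hostInfo)
            trustedHost.RoleList = hostInfo['role']
            trustedHosts.append(trustedHost)

        response.TrustedHosts = trustedHosts

        return response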