source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py @ 6284

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/result_handler/basic.py@6284
Revision 6284, 3.6 KB checked in by pjkersha, 10 years ago (diff)

Preparing 1.4 release.

1"""WSGI Policy Enforcement Point basic result handler - returns an HTML access
2denied message to the client if the client is not authorized.
3
4Functionality in this module moved from original authz package location
5
6NERC DataGrid Project
7"""
8__author__ = "P J Kershaw"
9__date__ = "05/01/10"
10__copyright__ = "(C) 2010 Science and Technology Facilities Council"
11__contact__ = "Philip.Kershaw@stfc.ac.uk"
12__revision__ = "$Id: $"
13__license__ = "BSD - see LICENSE file in top-level directory"
14import logging
15log = logging.getLogger(__name__)
16
17from httplib import UNAUTHORIZED, FORBIDDEN
18
19from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
20from ndg.security.server.wsgi.authz.result_handler import (
21                                                PEPResultHandlerMiddlewareBase)
22
23
class PEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase):
    """Result handler invoked when access to a given resource is denied.

    It is incorporated into the call stack by passing it to a MultiHandler
    instance, which is configured in the AuthorizationMiddlewareBase class
    (see ndg.security.server.wsgi.authz).  The MultiHandler is given a checker
    method that decides whether to allow access or to call this interface; the
    checker is implemented in the PEPFilter (see ndg.security.server.wsgi.authz).

    The PEPResultHandlerMiddlewareBase (SessionMiddlewareBase) base class
    defines the user session key and the isAuthenticated property.
    """

    def __init__(self, app, global_conf, prefix='', **app_conf):
        '''Delegate construction to the base class unchanged.

        @type app: callable following WSGI interface
        @param app: next middleware application in the chain
        @type global_conf: dict
        @param global_conf: PasteDeploy global configuration dictionary
        @type prefix: basestring
        @param prefix: prefix for configuration items
        @type app_conf: dict
        @param app_conf: PasteDeploy application specific configuration
        dictionary
        '''
        base = super(PEPResultHandlerMiddleware, self)
        base.__init__(app, global_conf, prefix=prefix, **app_conf)

    @PEPResultHandlerMiddlewareBase.initCall
    def __call__(self, environ, start_response):
        '''Build the access denied response.

        A 401 is returned when the caller is not authenticated - this is a
        precaution only, that condition is expected to be caught earlier by
        the AuthNRedirectHandlerMiddleware or PEPFilter.  Otherwise a 403 is
        returned whose body carries the message from the PDP response the PEP
        recorded in the session, if any.

        @type environ: dict
        @param environ: WSGI environment
        @type start_response: callable
        @param start_response: WSGI start response callable
        @return: whatever _setErrorResponse returns for the chosen status
        '''
        log.debug("PEPResultHandlerMiddleware.__call__ ...")

        # NOTE(review): assumes a session object is present whenever
        # isAuthenticated is true - confirm against the base class; if not,
        # session.get below raises AttributeError.
        session = self.environ.get(self.sessionKey)

        if not self.isAuthenticated:
            log.warning("PEPResultHandlerMiddleware: user is not "
                        "authenticated - setting HTTP 401 response")
            return self._setErrorResponse(code=UNAUTHORIZED)

        # Message recorded by the PEP from the PDP's response, if any
        ctxKey = PEPResultHandlerMiddleware.PEPCTX_SESSION_KEYNAME
        responseKey = PEPResultHandlerMiddleware.PEPCTX_RESPONSE_SESSION_KEYNAME
        pdpResponse = session.get(ctxKey, {}).get(responseKey)
        msg = getattr(pdpResponse, 'message', '') or ''

        # NOTE(review): msg is placed into the response body verbatim; if
        # _setErrorResponse serves the body as HTML, confirm it escapes the
        # text before output.
        response = "".join((
            "Access is forbidden for this resource:\n\n",
            msg,
            "\n\nPlease check with your site administrator that you have the "
            "required access privileges.",
        ))
        return self._setErrorResponse(code=FORBIDDEN, msg=response)