"""WSGI Policy Enforcement Point basic result handler - returns an HTML access
denied message to the client if the client is not authorized.

Functionality in this module moved from its original authz package location.

NERC DataGrid Project
"""
8 | __author__ = "P J Kershaw" |
9 | __date__ = "05/01/10" |
10 | __copyright__ = "(C) 2010 Science and Technology Facilities Council" |
11 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
12 | __revision__ = "$Id: $" |
13 | __license__ = "BSD - see LICENSE file in top-level directory" |
14 | import logging |
15 | log = logging.getLogger(__name__) |
16 | |
17 | from httplib import UNAUTHORIZED, FORBIDDEN |
18 | |
19 | from ndg.security.server.wsgi import NDGSecurityMiddlewareBase |
20 | from ndg.security.server.wsgi.authz.result_handler import ( |
21 | PEPResultHandlerMiddlewareBase) |
22 | |
23 | |
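class PEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase):
    """This middleware is invoked if access is denied to a given resource. It
    is incorporated into the call stack by passing it in to a MultiHandler
    instance. The MultiHandler is configured in the AuthorizationMiddlewareBase
    class - see ndg.security.server.wsgi.authz. The MultiHandler is passed a
    checker method which determines whether to allow access, or call this
    interface. The checker is implemented in the PEPFilter. See
    ndg.security.server.wsgi.authz

    PEPResultHandlerMiddlewareBase (SessionMiddlewareBase) base class defines
    user session key and isAuthenticated property
    """
    # Body template for the HTTP 403 response.  The single %s receives the
    # PDP message padded with a blank line on either side (may be empty).
    FORBIDDEN_MSG_TEMPLATE = ("Access is forbidden for this resource:%s"
                              "Please check with your site administrator that "
                              "you have the required access privileges.")

    def __init__(self, app, global_conf, prefix='', **app_conf):
        '''
        @type app: callable following WSGI interface
        @param app: next middleware application in the chain
        @type global_conf: dict
        @param global_conf: PasteDeploy global configuration dictionary
        @type prefix: basestring
        @param prefix: prefix for configuration items
        @type app_conf: dict
        @param app_conf: PasteDeploy application specific configuration
        dictionary
        '''
        super(PEPResultHandlerMiddleware, self).__init__(app,
                                                         global_conf,
                                                         prefix=prefix,
                                                         **app_conf)

    @PEPResultHandlerMiddlewareBase.initCall
    def __call__(self, environ, start_response):
        '''Return an HTTP error response for a request the PEP has denied.

        Unauthenticated clients receive a 401; authenticated ones a 403 whose
        body embeds the message (if any) the PDP recorded in the session.

        @type environ: dict
        @param environ: WSGI environ dictionary
        @type start_response: callable
        @param start_response: WSGI start response callable
        @return: whatever self._setErrorResponse returns for the given code
        '''
        log.debug("PEPResultHandlerMiddleware.__call__ ...")

        if not self.isAuthenticated:
            # This check is included as a precaution: this condition should be
            # caught by the AuthNRedirectHandlerMiddleware or PEPFilter
            log.warning("PEPResultHandlerMiddleware: user is not "
                        "authenticated - setting HTTP 401 response")
            return self._setErrorResponse(code=UNAUTHORIZED)

        # Get response message from PDP recorded by PEP.  A missing session or
        # PEP context degrades to an empty message instead of an
        # AttributeError on None.
        session = self.environ.get(self.sessionKey) or {}
        pepCtx = session.get(
                    PEPResultHandlerMiddleware.PEPCTX_SESSION_KEYNAME, {}) or {}
        pdpResponse = pepCtx.get(
                    PEPResultHandlerMiddleware.PEPCTX_RESPONSE_SESSION_KEYNAME)
        msg = getattr(pdpResponse, 'message', '') or ''

        # NOTE(review): msg is echoed to the client verbatim.  It originates
        # from the PDP decision, but if _setErrorResponse renders an HTML body
        # the value needs escaping there - not verifiable from this module.
        response = self.FORBIDDEN_MSG_TEMPLATE % ('\n\n%s\n\n' % msg)

        return self._setErrorResponse(code=FORBIDDEN, msg=response)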