source: TI12-security/trunk/python/NDG/AttAuthority.py @ 712

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/NDG/AttAuthority.py@712
Revision 712, 28.9 KB checked in by pjkersha, 14 years ago (diff)

ndgSessionClient.py: fixed client private key password file read.

AttAuthority?.py: changed X509Cert.isValidTime() calls to give more error info.

XMLSecDoc.py: metaclass for XMLSec initialisation didn't work - do initialisation in class
init as before.

SessionClient?.py: removed test code - this is kept in a separate file in Tests/.

Session.py: modified SessionMgr?.reqAuthorisation() to create a fresh AuthorisationResp? object
from the return from redirectAuthorisationReq() to avoid confusion with encrypted output
message.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
Line 
1"""NDG Attribute Authority handles security authentication and authorization
2
3NERC Data Grid Project
4
5P J Kershaw 15/04/05
6
7Copyright (C) 2005 CCLRC & NERC
8
9This software may be distributed under the terms of the Q Public License,
10version 1.0 or later.
11"""
12
13cvsID = '$Id$'
14
15import types
16
17
18# Create unique names for attribute certificates
19import tempfile
20import os
21
22# Alter system path for dynamic import of user roles class
23import sys
24
25# For parsing of properties file
26import cElementTree as ElementTree
27
28# X509 Certificate handling
29from X509 import *
30
31# NDG Attribute Certificate
32from AttCert import *
33
34# Format for XML messages passed over WS
35from AttAuthorityIO import *
36
37
38#_____________________________________________________________________________
39class AttAuthorityError(Exception):
40    """Exception handling for NDG Attribute Authority class."""
41   
42    def __init__(self, msg):
43        self.__msg = msg
44         
45    def __str__(self):
46        return self.__msg
47
48
49
50
51#_____________________________________________________________________________
52class AttAuthorityAccessDenied(AttAuthorityError):
53    """NDG Attribute Authority - access denied exception.
54
55    Raise from authorise method where no roles are available for the user
56    but that the request is otherwise valid.  In all other error cases raise
57    AttAuthorityError"""   
58    pass
59
60
61
62#_____________________________________________________________________________
63class AttAuthority:
64
65    """NDG Attribute Authority - server for user authentication/authorization.
66    """
67
68    # Code designed from NERC Data Grid Enterprise and Information Viewpoint
69    # documents.
70    #
71    # Also, draws from Neil Bennett's ACServer class used in the Java
72    # implementation of NDG Security
73
74    # valid configuration property keywords
75    __validKeys = [ 'name',
76                    'keyFile',
77                    'keyPwd',
78                    'certFile',
79                    'caCertFile',
80                    'attCertLifeTime',
81                    'attCertNotBeforeOff',
82                    'attCertFilePfx',
83                    'attCertFileSfx',
84                    'mapConfigFile',
85                    'attCertDir',
86                    'dnSeparator',
87                    'usrRolesModFilePath',
88                    'usrRolesModName',
89                    'usrRolesClassName',
90                    'usrRolesPropFile']
91   
92    def __init__(self, propFilePath, bReadMapConfig=True):
93        """Create new NDG Attribute Authority instance
94
95        propFilePath:   path to file containing Attribute Authority
96                        configuration parameters.
97        bReadMapConfig: by default the Map Configuration file is read.  Set
98                        this flag to False to override.
99        """
100       
101        if not isinstance(propFilePath, basestring):
102            raise AttAuthorityError("Input Properties file path " + \
103                                    "must be a valid string.")
104
105
106        # Initialise role mapping look-ups - These are set in readMapConfig()
107        self.__mapConfig = None
108        self.__localRole2Trusted = None
109        self.__trusted2LocalRole = None
110
111
112        # Configuration file properties are held together in a dictionary
113        self.__prop = {}
114
115        # Read Attribute Authority Properties file
116        self.readProperties(propFilePath)
117
118        # Read the Map Configuration file
119        if bReadMapConfig:
120            self.readMapConfig()
121
122        # Instantiate Certificate object
123        self.__cert = X509Cert(self.__prop['certFile'])
124        self.__cert.read()
125
126        # Check it's valid
127        try:
128            self.__cert.isValidTime(raiseExcep=True)
129           
130        except Exception, e:
131            raise AttAuthorityError(\
132                    "Attribute Authority's certificate is invalid: " + str(e))
133       
134        # Check CA certificate
135        caCert = X509Cert(self.__prop['caCertFile'])
136        caCert.read()
137       
138        try:
139            caCert.isValidTime(raiseExcep=True)
140           
141        except Exception, e:
142            raise AttAuthorityError("CA certificate is invalid: " + str(e))
143       
144        # Issuer details - serialise using the separator string set in the
145        # properties file
146        self.__issuer = \
147            self.__cert.dn.serialise(separator=self.__prop['dnSeparator'])
148
149        self.__issuerSerialNumber = self.__cert.serialNumber
150
151       
152        # Set-up user roles interface
153        try:
154            # Temporarily extend system path ready for import
155            sysPathBak = sys.path
156            sys.path.append(self.__prop['usrRolesModFilePath'])
157           
158            # Import module name specified in properties file
159            usrRolesMod = __import__(self.__prop['usrRolesModName'],
160                                     globals(),
161                                     locals(),
162                                     [self.__prop['usrRolesClassName']])
163
164            sys.path = sysPathBak
165           
166            usrRolesClass = eval('usrRolesMod.' + \
167                                 self.__prop['usrRolesClassName'])
168
169        except Exception, e:
170            raise AttAuthorityError('Importing User Roles module: %s' % e)
171
172        # Check class inherits from AAUserRoles abstract base class
173        if not issubclass(usrRolesClass, AAUserRoles):
174            raise AttAuthorityError(\
175                "User Roles class %s must be derived from AAUserRoles" % \
176                self.__prop['usrRolesClassName'])
177
178
179        # Instantiate custom class
180        try:
181            self.__usrRoles = usrRolesClass(self.__prop['usrRolesPropFile'])
182           
183        except Exception, e:
184            raise AttAuthorityError(\
185                "Error instantiating User Roles interface: " + str(e))
186
187       
188    #_________________________________________________________________________
189    def authorise(self,
190                  reqXMLtxt=None, 
191                  proxyCertFilePath=None,
192                  userAttCertFilePath=None,
193                  **reqKeys):
194
195        """Request a new Attribute Certificate for authorisation
196
197        reqXMLtxt:              input keywords as tags in formatted XML string
198                                String must follow format for
199                                AttAuthorityIO.AuthorisationReq class to
200                                parse.
201                               
202        proxyCertFilePath|proxyCert:
203
204                                user's proxy certificate use appropriate
205                                keyword for input as a file path or as the
206                                text content respectively.
207                               
208                                Nb. proxyCert is set via reqKeys
209                               
210        userAttCertFilePath|userAttCert:
211       
212                                externally provided attribute certificate
213                                from another data centre.  This is only
214                                necessary if the user is not registered with
215                                this attribute authority.
216
217                                Pass in either the file path or a string
218                                containing the certificate XML content.
219                               
220                                Nb. userAttCert is set via reqKeys
221                                """
222
223        if reqXMLtxt is not None:
224            # Parse XML text into keywords corresponding to the input
225            # parameters
226            if not isinstance(reqXMLtxt, basestring):
227                raise AttAuthorityError(\
228                            "XML Authorisation request must be a string")
229                                       
230            # Parse and decrypt as necessary
231            try:
232                # 1st assume that the request was encrypted
233                reqKeys = AuthorisationReq(encrXMLtxt=reqXMLtxt,
234                                    encrPriKeyFilePath=self.__prop['keyFile'],
235                                    encrPriKeyPwd=self.__prop['keyPwd'])
236            except Exception, e:
237               
238                # Error occured decrypting - Trying parsing again, but this
239                # time assuming non-encrypted
240                try:
241                    reqKeys = AuthorisationReq(xmlTxt=reqXMLtxt)
242                   
243                except Exception, e:
244                    raise AttAuthorityError(\
245                        "Error parsing authorisation request: %s" % e)
246
247
248        # Read proxy certificate
249        try:
250            usrProxyCert = X509Cert()
251           
252            if proxyCertFilePath is not None and \
253               isinstance(proxyCertFilePath, basestring):
254
255                # Proxy Certificate input as a file
256                usrProxyCert.read(proxyCertFilePath)
257               
258            elif reqKeys['proxyCert'] is not None:
259
260                # Proxy Certificate input as string text
261                usrProxyCert.parse(reqKeys['proxyCert'])
262
263            else:
264                raise AttAuthorityError(\
265                    "no input proxy certificate file path or file text")
266           
267        except Exception, e:
268            raise AttAuthorityError("User Proxy Certificate: %s" % e)
269
270
271        # Check proxy certificate hasn't expired
272        try:
273            usrProxyCert.isValidTime(raiseExcep=True)
274           
275        except Exception, e:
276            raise AttAuthorityError("User Proxy Certificate is invalid: " + \
277                                    str(e))
278
279           
280        # Get Distinguished name from certificate as an X500DN type
281        usrDN = usrProxyCert.dn
282       
283       
284        # Make a new Attribute Certificate instance passing in certificate
285        # details for later signing
286        #
287        # Nb. new attribute certificate file path is created from the
288        # Credentials Repository
289        certFilePathList = [self.__prop['certFile'],self.__prop['caCertFile']]
290        attCert = AttCert(self.__newAttCertFilePath(),
291                          signingKeyFilePath=self.__prop['keyFile'],
292                          certFilePathList=certFilePathList)
293
294
295        # Set holder's (user's) Distinguished Name
296        try:
297            attCert['holder'] = \
298                        usrDN.serialise(separator=self.__prop['dnSeparator'])
299           
300        except Exception, e:
301            raise AttAuthorityError("User DN: %s" % e)
302
303       
304        # Set Issuer details from Attribute Authority
305        issuerDN = self.__cert.dn
306        try:
307            attCert['issuer'] = \
308                    issuerDN.serialise(separator=self.__prop['dnSeparator'])
309           
310        except Exception, e:
311            raise AttAuthorityError("Issuer DN: %s" % e)
312       
313        attCert['issuerName'] = self.__prop['name']
314        attCert['issuerSerialNumber'] = self.__issuerSerialNumber
315
316
317        # Set validity time
318        try:
319            attCert.setValidityTime(\
320                        lifeTime=self.__prop['attCertLifeTime'],
321                        notBeforeOffset=self.__prop['attCertNotBeforeOff'])
322
323            # Check against the proxy certificate's expiry
324            dtUsrProxyNotAfter = usrProxyCert.notAfter
325           
326            if attCert.getValidityNotAfter(asDatetime=True) > \
327               dtUsrProxyNotAfter:
328
329                # Adjust the attribute certificate's expiry date time
330                # so that it agrees with that of the proxy certificate
331                attCert.setValidityTime(dtNotAfter=dtUsrProxyNotAfter)
332           
333        except Exception, e:
334            raise AttAuthorityError("Error setting validity time: %s" % e)
335       
336
337        # Check name is registered with this Attribute Authority - if no
338        # user roles are found, the user is not registered
339        usrRoles = self.getRoles(str(usrDN))
340        if usrRoles:           
341            # Set as an Original Certificate
342            #
343            # User roles found - user is registered with this data centre
344            # Add roles for this user for this data centre
345            attCert.addRoles(usrRoles)
346
347            # Mark new Attribute Certificate as an original
348            attCert['provenance'] = 'original'
349
350        else:           
351            # Set as a Mapped Certificate
352            #
353            # No roles found - user is not registered with this data centre
354            # Check for an externally provided certificate from another
355            # trusted data centre
356            if userAttCertFilePath:
357               
358                # Read externally provided certificate
359                try:
360                    extAttCert = AttCertRead(userAttCertFilePath)
361                   
362                except Exception, e:
363                    raise AttAuthorityError(\
364                            "Reading external Attribute Certificate: %s" + e)
365                               
366            elif 'userAttCert' in reqKeys and reqKeys['userAttCert']:
367                extAttCert = reqKeys['userAttCert']
368               
369            else:
370                raise AttAuthorityAccessDenied(\
371                    "User \"%s\" is not registered " % attCert['holder'] + \
372                    "and no external attribute certificate is available " + \
373                    "to make a mapping.")
374
375
376            # Check it's an original certificate - mapped certificates can't
377            # be used to make further mappings
378            if extAttCert.isMapped():
379                raise AttAuthorityError(\
380                    "External Attribute Certificate must have an " + \
381                    "original provenance in order to make further mappings.")
382
383
384            # Check it's valid and signed
385            try:
386                # Give path to CA cert to allow check
387                extAttCert.isValid(raiseExcep=True,
388                                   certFilePathList=self.__prop['caCertFile'])
389               
390            except Exception, e:
391                raise AttAuthorityError(\
392                            "Invalid Remote Attribute Certificate: %s" + e)       
393
394
395            # Check that's it's holder matches the user certificate DN
396            try:
397                holderDN = X500DN(dn=extAttCert['holder'])
398               
399            except Exception, e:
400                raise AttAuthorityError(\
401                    "Error creating X500DN for holder: %s" + e)
402           
403            if holderDN != usrDN:
404                raise AttAuthorityError(\
405                    "User certificate and Attribute Certificate DNs " + \
406                    "don't match: " + str(usrDN) + " and " + str(holderDN))
407           
408 
409            # Get roles from external Attribute Certificate
410            trustedHostRoles = extAttCert.getRoles()
411
412
413            # Map external roles to local ones
414            localRoles = self.mapTrusted2LocalRoles(extAttCert['issuerName'],
415                                                    trustedHostRoles)
416            if not localRoles:
417                raise AttAuthorityAccessDenied(\
418                    "No local roles mapped to the %s roles: %s" % \
419                    (extAttCert['issuerName'], str(trustedHostRoles)))
420
421            attCert.addRoles(localRoles)
422           
423           
424            # Mark new Attribute Certificate as mapped
425            attCert['provenance'] = 'mapped'
426
427            # End set mapped certificate block
428           
429
430        try:
431            # Digitally sign certificate using Attribute Authority's
432            # certificate and private key
433            attCert.sign(signingKeyPwd=self.__prop['keyPwd'])
434           
435            # Check the certificate is valid
436            attCert.isValid(raiseExcep=True)
437           
438            # Write out certificate to keep a record of it for auditing
439            attCert.write()
440
441            # Return the cert to caller
442            return attCert
443       
444        except Exception, e:
445            raise AttAuthorityError("New Attribute Certificate \"%s\": %s" % \
446                                    (attCert.filePath, e))
447
448   
449
450
451    def readProperties(self, propFilePath=None):
452
453        """Read the configuration properties for the Attribute Authority
454
455        propFilePath: file path to properties file
456        """
457       
458        if propFilePath is not None:
459            if not isinstance(propFilePath, basestring):
460                raise AttAuthorityError("Input Properties file path " + \
461                                        "must be a valid string.")
462           
463            self.__propFilePath = propFilePath
464
465
466        try:
467            tree = ElementTree.parse(self.__propFilePath)
468           
469        except IOError, ioErr:
470            raise AttAuthorityError(\
471                                "Error parsing properties file \"%s\": %s" % \
472                                (ioErr.filename, ioErr.strerror))
473
474       
475        aaProp = tree.getroot()
476
477        # Copy properties from file as member variables
478        prop = dict([(elem.tag, elem.text) for elem in aaProp])
479
480
481        # Check for missing properties
482        propKeys = prop.keys()
483        missingKeys = [key for key in AttAuthority.__validKeys \
484                       if key not in propKeys]
485        if missingKeys != []:
486            raise AttAuthorityError("The following properties are " + \
487                                    "missing from the properties file: " + \
488                                    ', '.join(missingKeys))
489
490        # Strip white space - apart from fields where may be required
491        for key in prop:
492            if key != 'keyPwd' and prop[key]: 
493                prop[key] = prop[key].strip()
494               
495            # Check for environment variables in file paths
496            tagCaps = key.upper()
497            if 'FILE' in tagCaps or 'PATH' in tagCaps or 'DIR' in tagCaps:
498                prop[key] = os.path.expandvars(prop[key])
499 
500 
501        # Ensure Certificate time parameters are converted to numeric type
502        prop['attCertLifeTime'] = float(prop['attCertLifeTime'])
503        prop['attCertNotBeforeOff'] = float(prop['attCertNotBeforeOff'])
504         
505        self.__prop = prop
506
507       
508        # Check directory path
509        try:
510            dirList = os.listdir(self.__prop['attCertDir'])
511
512        except OSError, osError:
513            raise AttAuthorityError(\
514                "Invalid directory path Attribute Certificates store: " + \
515                osError.strerror)
516
517       
518       
519       
520    def readMapConfig(self, mapConfigFilePath=None):
521        """Parse Map Configuration file.
522
523        mapConfigFilePath:  file path for map configuration file.  If omitted,
524                            use member variable __mapConfigFilePath.
525        """
526       
527        if mapConfigFilePath is not None:
528            if not isinstance(mapConfigFilePath, basestring):
529                raise AttAuthorityError("Input Map Configuration file path "+\
530                                        "must be a valid string.")
531           
532            self.__prop['mapConfigFile'] = mapConfigFilePath
533
534       
535        tree = ElementTree.parse(self.__prop['mapConfigFile'])
536        rootElem = tree.getroot()
537
538        trustedElem = rootElem.findall('trusted')
539
540        # Dictionaries:
541        # 1) to hold all the data
542        self.__mapConfig = {}
543
544        # ... look-up
545        # 2) hosts corresponding to a given role and
546        # 3) roles of external data centre to this data centre
547        self.__localRole2TrustedHost = {}
548        self.__localRole2Trusted = {}
549        self.__trusted2LocalRole = {}
550       
551        for elem in trustedElem:
552
553            roleElem = elem.findall('role')
554            if not roleElem:
555                raise AttAuthorityError("\"role\" tag not found in \"%s\"" % \
556                                        self.__prop['mapConfigFile'])
557
558            try:
559                trustedHost = elem.attrib.values()[0]
560               
561            except Exception, e:
562                raise AttAuthorityError(\
563                                    "Error setting trusted host name: %s" % e)
564
565           
566            # Add signatureFile and list of roles
567            self.__mapConfig[trustedHost] = \
568            {
569                'wsdl': elem.findtext('wsdl'),
570                'role': [dict(i.items()) for i in roleElem]
571            }
572
573                   
574            self.__localRole2Trusted[trustedHost] = {}
575            self.__trusted2LocalRole[trustedHost] = {}
576           
577            for role in self.__mapConfig[trustedHost]['role']:
578
579                localRole = role['local']
580                remoteRole = role['remote']
581               
582                # Role to host look-up
583                if localRole in self.__localRole2TrustedHost:
584                   
585                    if trustedHost not in \
586                       self.__localRole2TrustedHost[localRole]:
587                        self.__localRole2TrustedHost[localRole].\
588                                                        append(trustedHost)                       
589                else:
590                    self.__localRole2TrustedHost[localRole] = [trustedHost]
591
592
593                # Trusted Host to local role and trusted host to trusted role
594                # map look-ups
595                try:
596                    self.__trusted2LocalRole[trustedHost][remoteRole].append(\
597                                                                localRole)                 
598                except KeyError:
599                    self.__trusted2LocalRole[trustedHost][remoteRole] = \
600                                                                [localRole]
601                   
602                try:
603                    self.__localRole2Trusted[trustedHost][localRole].append(\
604                                                                remoteRole)                 
605                except KeyError:
606                    self.__localRole2Trusted[trustedHost][localRole] = \
607                                                                [remoteRole]                 
608 
609
610           
611    def usrIsRegistered(self, usrDN):
612        """Check a particular user is registered with the Data Centre that the
613        Attribute Authority represents"""
614        return self.__usrRoles.usrIsRegistered(usrDN)
615       
616
617
618
619
620    def getRoles(self, dn):
621        """Get the roles available to the registered user identified usrDN.
622        """
623
624        # Call to AAUserRoles derived class.  Each Attribute Authority
625        # should define it's own roles class derived from AAUserRoles to
626        # define how roles are accessed
627        try:
628            return self.__usrRoles.getRoles(dn)
629
630        except Exception, e:
631            raise AttAuthorityError("Getting user roles: %s" % e)
632
633
634
635   
636    def getTrustedHostInfo(self, reqXMLtxt=None, **reqKeys):
637        """Return a dictionary of the hosts that have trust relationships
638        with this AA.  The dictionary is indexed by the trusted host name
639        and contains WSDL URIs and the roles that map to the
640        given input local role.
641
642        If no role is input, return all the AA's trusted hosts with all
643        their possible roles
644
645        Returns None if role isn't recognised
646       
647        reqXMLtxt:              input keywords as tags in formatted XML string
648                                String must follow format for
649                                AttAuthorityIO.TrustedHostInfoReq class to
650                                parse.
651                                """
652
653        if reqXMLtxt is not None:
654            # Parse XML text into keywords corresponding to the input
655            # parameters
656            if not isinstance(reqXMLtxt, basestring):
657                raise AttAuthorityError(\
658                            "XML Authorisation request must be a string")
659                                       
660            # Parse and decrypt as necessary
661            try:
662                # 1st assume that the request was encrypted
663                reqKeys = TrustedHostInfoReq(encrXMLtxt=reqXMLtxt,
664                                    encrPriKeyFilePath=self.__prop['keyFile'],
665                                    encrPriKeyPwd=self.__prop['keyPwd'])
666            except Exception, e:
667               
668                # Error occured decrypting - Trying parsing again, but this
669                # time assuming non-encrypted
670                try:
671                    reqKeys = TrustedHostInfoReq(xmlTxt=reqXMLtxt)
672                   
673                except Exception, e:
674                    raise AttAuthorityError(\
675                        "Error parsing authorisation request: %s" % e)
676                                         
677                                         
678        if not self.__localRole2Trusted:
679            raise AttAuthorityError("Roles to host look-up is not set - " + \
680                                    "ensure readMapConfig() has been called.")
681
682
683        if 'role' not in reqKeys:
684            # No role input - return all trusted hosts with their WSDL URIs
685            # and roles
686            trustedHostInfo = dict([\
687               (k, \
688                {'wsdl': v['wsdl'], \
689                 'role': [role['remote'] for role in v['role']]}) \
690                for k, v in self.__mapConfig.items()])
691        else:           
692            # Get trusted hosts for given input local role       
693            try:
694                trustedHosts = self.__localRole2TrustedHost[reqKeys['role']]
695            except:
696                return None
697   
698   
699            # Get associated WSDL URI and roles for the trusted hosts
700            # identified and return as a dictionary indexed by host name
701            trustedHostInfo = dict([(host, \
702                {'wsdl': self.__mapConfig[host]['wsdl'], \
703                 'role': self.__localRole2Trusted[host][reqKeys['role']]}) \
704                 for host in trustedHosts])
705                         
706        return trustedHostInfo
707
708
709
710
711    def mapTrusted2LocalRoles(self, trustedHost, trustedHostRoles):
712        """Map roles of trusted hosts to roles for this data centre
713
714        trustedHost:        name of external trusted data centre
715        trustedHostRoles:   list of external roles to map"""
716
717        if not self.__trusted2LocalRole:
718            raise AttAuthorityError("Roles map is not set - ensure " + \
719                                    "readMapConfig() has been called.")
720
721
722        # Check the host name is a trusted one recorded in the map
723        # configuration
724        if not self.__trusted2LocalRole.has_key(trustedHost):
725            return []
726
727        # Add local roles, skipping if no mapping is found
728        localRoles = []
729        for trustedRole in trustedHostRoles:
730            if trustedRole in self.__trusted2LocalRole[trustedHost]:
731                localRoles.extend(\
732                        self.__trusted2LocalRole[trustedHost][trustedRole])
733               
734        return localRoles
735
736
737
738
739    def __newAttCertFilePath(self):
740        """Create a new unique attribute certificate file path"""
741       
742        attCertFd, attCertFilePath = \
743                   tempfile.mkstemp(suffix=self.__prop['attCertFileSfx'],
744                                    prefix=self.__prop['attCertFilePfx'],
745                                    dir=self.__prop['attCertDir'],
746                                    text=True)
747
748        # The file is opened - close using the file descriptor returned in the
749        # first element of the tuple
750        os.close(attCertFd)
751
752        # The file path is the 2nd element
753        return attCertFilePath
754
755
756
757
758#_____________________________________________________________________________
759class AAUserRolesError(Exception):
760
761    """Exception handling for NDG Attribute Authority User Roles interface
762    class."""
763   
764    def __init__(self, msg):
765        self.__msg = msg
766         
767    def __str__(self):
768        return self.__msg
769
770
771
772#_____________________________________________________________________________
773class AAUserRoles:
774
775    """An abstract base class to define the user roles interface to an
776    Attribute Authority.
777
778    Each NDG data centre should implement a derived class which implements
779    the way user roles are provided to its representative Attribute Authority.
780   
781    Roles are expected to indexed by user Distinguished Name (DN).  They
782    could be stored in a database or file."""
783
784    # User defined class may wish to specify a URI for a database interface or
785    # path for a user roles configuration file
786    def __init__(self, dbURI=None, filePath=None):
787        """User Roles abstract base class - derive from this class to define
788        roles interface to Attribute Authority"""
789        raise NotImplementedError(\
790            self.__init__.__doc__.replace('\n       ',''))
791
792
793    def usrIsRegistered(self, dn):
794        """Derived method should return True if user is known otherwise
795        False"""
796        raise NotImplementedError(
797            self.UserIsRegistered.__doc__.replace('\n       ',''))
798
799
800    def getRoles(self, dn):
801        """Derived method should return the roles for the given user's
802        DN or else raise an exception"""
803        raise NotImplementedError(
804            self.getRoles.__doc__.replace('\n       ',''))
805
806
807#_____________________________________________________________________________
808# Test routines
809def testGetTrustedHostInfo(role=None,
810                           propFilePath='./attAuthorityProperties.xml'):
811    "Test getTrustedHosts AttAuthority method"
812    import pdb
813    pdb.set_trace()
814   
815    try:
816        aa = AttAuthority(propFilePath)
817        return aa.getTrustedHostInfo(role)
818   
819    except Exception, e:
820        print e
Note: See TracBrowser for help on using the repository browser.