source: TI12-security/trunk/python/ndg.security.client/ndg/security/client/ndgSessionClient.py @ 2058

Revision 2058, 14.7 KB checked in by pjkersha, 13 years ago (diff)

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
update to file header.

python/ndg.security.server/ndg/security/server/AttAuthority/init.py:

  • setPropFilePath: the val input is now a keyword argument
  • readProperties: removed the propFilePath keyword; the path is now taken from the propFilePath property, set via the setPropFilePath method, instead.

python/ndg.security.server/ndg/security/server/AttAuthority/start-container.sh:
added standard header

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • updated header
  • removed hard coded cert file paths
  • set port number from properties file instead.

python/ndg.security.server/ndg/security/server/SessionMgr/init.py:

  • change all refs to sessMgrWSDLuri -> sessMgrURI and encrSessMgrWSDLuri -> encrSessMgrURI. For ZSI 2.0, it's the URI of the service that is important. The URI of the WSDL is not required.
  • changed keyPPhrase property to keyPwd
  • added setPropFilePath and propFilePath property, added class variable to make up properties file path from $NDG_DIR.
  • removed propFilePath keyword from readProperties method - use setPropFilePath() / propFilePath property instead.
  • renamed reqAuthorisation method getAttCert to avoid confusion with authorisation function performed by Gatekeeper.

python/ndg.security.server/ndg/security/server/SessionMgr/start-container.sh: added
standard header

python/ndg.security.server/ndg/security/server/SessionMgr/Makefile: create server side
stubs calling wsdl2dispatch and sed to convert to correct imports and stub methods
return types for Twisted.

python/www/html/sessionMgr.wsdl,
python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py:

  • renamed reqAuthorisation operations to getAttCert to avoid confusion with authorisation performed by the Gatekeeper.

python/conf/sessionMgrProperties.xml: renamed property keyPPhrase -> keyPwd

python/ndg.security.client/ndg/security/client/ndgSessionClient.py: changed references from
the WSDL URI to the URI of the Session Manager service itself. For ZSI 2.0, only the
service URI is needed, not the WSDL address.

python/ndg.security.test/ndg/security/test/AttAuthority/siteAServer.sh,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBServer.sh: updates to headers

python/ndg.security.test/ndg/security/test/AttAuthority/README and
python/ndg.security.test/ndg/security/test/SessionMgr/README: added to explain setup for
running services for clients to connect to.

python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py and
python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
refs to 'ReqAuthorisation' changed to 'getAttCert' - see above.

python/ndg.security.test/ndg/security/test/SessionMgr/server.sh: script to start
Session Manager for client unit tests.

python/ndg.security.common/ndg/security/common/AttAuthority/README,
python/ndg.security.common/ndg/security/common/SessionMgr/README: include instruction to
use Makefile.

python/ndg.security.common/ndg/security/common/Log
python/ndg.security.common/ndg/security/common/Log/log_services_server.py
python/ndg.security.common/ndg/security/common/Log/log_services.py
python/ndg.security.common/ndg/security/common/ca/init.py
python/ndg.security.common/ndg/security/common/ca/simpleCA_services.py
python/ndg.security.common/ndg/security/common/ca/CertReq.py
python/ndg.security.common/ndg/security/common/Gatekeeper
python/ndg.security.common/ndg/security/common/Gatekeeper/TestGatekeeperResrc.py
python/ndg.security.common/ndg/security/common/Gatekeeper/Gatekeeper.py
python/ndg.security.common/ndg/security/common/Gatekeeper/gatekeeper_services.py
python/ndg.security.common/ndg/security/common/Gatekeeper/gatekeeper_services_server.py:
rearranged old Log and Gatekeeper service code into their own packages. Moved
CertReq.py and simpleCA_services.py into the ca package.

1#!/usr/bin/env python
2
3"""NDG Session client script - makes requests for authentication and
4authorisation
5
6NERC Data Grid Project
7
8P J Kershaw 08/03/06
9
10Copyright (C) 2006 CCLRC & NERC
11
12This software may be distributed under the terms of the Q Public License,
13version 1.0 or later.
14"""
15# Command line processing
16import sys
17import os
18import optparse
19import re
20import getpass
21
22from Cookie import SimpleCookie
23
24from ndg.security.client.SecurityClient import *
25
26
27#_____________________________________________________________________________
def setSoapDebug(option, optStr, value, parser):
    """optparse callback for -d/--soap-debug: direct SOAP message tracing to
    standard error.

    The stream set here is handed to SessionClient(traceFile=...) by main().
    Traced messages may contain the login pass-phrase and the session cookie
    when message-level encryption (-a/-x/-y) is not configured, so do not
    leave this option on in scripts whose stderr is captured to shared logs.

    option, optStr, value -- supplied by optparse, not used here
    parser -- parser whose ``values.soapDebug`` receives ``sys.stderr``
    """
    traceStream = sys.stderr
    setattr(parser.values, "soapDebug", traceStream)
31
32   
33#_____________________________________________________________________________
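def setSessCookie(option, optStr, value, parser):
    """optparse callback for -i/--cookie-file: load a Session Manager cookie
    from the file named by ``value`` into ``parser.values.sessCookie``.

    The cookie is the bearer credential for an existing session (it is what
    a previous --connect call printed), so the file should be protected like
    a password and deleted once the session is no longer needed.

    Raises optparse.OptionValueError if the file cannot be read (message
    carries the OS error text) or its contents cannot be parsed as a cookie.
    """
    try:
        cookieFile = open(value)
        try:
            cookieStr = cookieFile.read().strip()
        finally:
            # Always release the handle (the old code left it to the GC)
            cookieFile.close()

        parser.values.sessCookie = SimpleCookie(cookieStr)

    except IOError, (errNo, errMsg):
        raise optparse.OptionValueError(\
                    "Reading cookie from file \"%s\": %s" % (value, errMsg))

    except Exception, e:
        raise optparse.OptionValueError(\
                    "Reading cookie from file \"%s\": %s" % (value, str(e)))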
47
48
49#_____________________________________________________________________________
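def setSessCookieFromStdin(option, optStr, value, parser):
    """optparse callback for -e/--cookie-from-stdin: read a Session Manager
    cookie from standard input into ``parser.values.sessCookie``.

    This consumes all of stdin while the options are being parsed.  It can
    therefore not be combined with -p/--pass-phrase-from-stdin, which reads
    stdin again in main() and would get an empty string.

    Raises optparse.OptionValueError if interrupted or if the input cannot
    be parsed as a cookie.
    """
    try:
        cookieStr = sys.stdin.read().strip()
        parser.values.sessCookie = SimpleCookie(cookieStr)

    except KeyboardInterrupt:
        raise optparse.OptionValueError(\
                    "option \"%s\": expecting cookie set from stdin" % optStr)

    except Exception, e:
        # Bug fix: this option takes no argument, so ``value`` is always
        # None and the old message reported 'Reading cookie from file "None"'
        raise optparse.OptionValueError(\
                    "option \"%s\": Reading cookie from stdin: %s" % \
                    (optStr, str(e)))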
64                   
65
66#_____________________________________________________________________________
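def setClntPriKeyPwd(option, optStr, value, parser):
    """optparse callback for -w/--clnt-prikey-pwd-file: read the client
    private key password from the file named by ``value`` into
    ``parser.values.clntPriKeyPwd`` (surrounding whitespace stripped).

    Taking the password from a file keeps it off the command line (where it
    would show in the process list and shell history), but the file must
    then be readable only by its owner.  A warning is written to stderr if
    group or other permission bits are set; the option is still honoured so
    that existing scripts keep working.

    Raises optparse.OptionValueError if the file cannot be read.
    """
    try:
        # Warn rather than refuse: refusing would break callers on
        # filesystems without POSIX modes.  0077 = any group/other bit set.
        if os.stat(value).st_mode & 0077:
            sys.stderr.write("Warning: private key password file \"%s\" "
                             "is accessible to group or others\n" % value)

        pwdFile = open(value)
        try:
            parser.values.clntPriKeyPwd = pwdFile.read().strip()
        finally:
            # Always release the handle (the old code left it to the GC)
            pwdFile.close()

    except IOError, (errNo, errMsg):
        raise optparse.OptionValueError(\
                    "Reading password from file \"%s\": %s" % (value, errMsg))

    except Exception, e:
        raise optparse.OptionValueError(\
                    "Reading password from file \"%s\": %s" % (value, str(e)))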
80       
81
82#_____________________________________________________________________________
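def setAAcert(option, optStr, value, parser):
    """optparse callback for -a/--att-authority-pubkey-file: read the
    Attribute Authority's certificate (as text) from the file named by
    ``value`` into ``parser.values.aaCert``.

    Per the -a help text the Session Manager uses this certificate to
    encrypt the request it sends to the Attribute Authority.  Encrypting to
    the wrong key discloses the request to whoever holds that key, and this
    script performs no check of the certificate's issuer or subject, so the
    file must be obtained from a trusted source.

    Raises optparse.OptionValueError if the file cannot be read.
    """
    try:
        certFile = open(value)
        try:
            parser.values.aaCert = certFile.read().strip()
        finally:
            # Always release the handle (the old code left it to the GC)
            certFile.close()

    except IOError, (errNo, errMsg):
        raise optparse.OptionValueError(\
                "Reading Attribute Authority Public key file \"%s\": %s" % \
                (value, errMsg))

    except Exception, e:
        raise optparse.OptionValueError(\
                "Reading Attribute Authority Public key file \"%s\": %s" % \
                (value, str(e)))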
98               
99                     
100#_____________________________________________________________________________
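def _buildOptionParser():
    """Build the command line parser used by main().

    The option help strings are the user-visible documentation for this
    script.  Note the WARNINGs on -a, -x and -y: the encryption they refer to
    is message-level, keyed on the certificates passed in, and this client
    applies no other protection of its own (whether the transport adds any,
    e.g. for an https Session Manager URI, depends on SessionClient, which
    is not visible here).  Leaving them unset sends the login pass-phrase
    and the session cookie in clear text.
    """
    usage = os.path.basename(sys.argv[0]) + " [--add-user=<username> ...]|"+\
            "[--connect=<username> ...]|[--req-autho ...]|" + \
            "[--connect=<username> ... --req-autho ...]"

    parser = optparse.OptionParser(usage=usage)
    parser.add_option("-n",
                      "--add-user",
                      dest="newUserName",
                      help="add a new user, see also: -p and -s options")

    parser.add_option("-c",
                      "--connect",
                      dest="userName",
                      help="""login in to a Session Manager with username.""")

    parser.add_option("-r",
                      "--req-autho",
                      dest="attAuthorityURI",
                      help=\
"""Get a Session Manager to request authorisation from an Attribute Authority
with the given address.""")

    parser.add_option("-a",
                      "--att-authority-pubkey-file",
                      action="callback",
                      callback=setAAcert,
                      dest="aaCert",
                      type="string",
                      help=\
"""File Path of Public key of Attribute Authority used by the Session Manager
to encrypt requests to it.  WARNING: If this is not set, requests will be sent
in clear text.""")

    parser.add_option("-x",
                      "--clnt-pubkey-file",
                      dest="clntCertFilePath",
                      help=\
"""X.509 Certificate of client.  This is used by the Session Manager to
encrypt responses.  WARNING: If this is not set, the response will be sent
back in clear text""")

    parser.add_option("-k",
                      "--clnt-prikey-file",
                      dest="clntPriKeyFilePath",
                      help=\
"""Private key file of client.  This is used by the client to decrypt
responses.  This must be set if -x/--clnt-pubkey-file is set.""")

    parser.add_option("-w",
                      "--clnt-prikey-pwd-file",
                      dest="clntPriKeyPwd",
                      action="callback",
                      callback=setClntPriKeyPwd,
                      type="string",
                      help=\
"""Pass a file containing the password for the client private key.  If not
set, it is prompted for from tty.""")

    parser.add_option("-y",
                      "--session-mgr-pubkey-file",
                      dest="smCertFilePath",
                      help=\
"""X.509 Certificate of Session Manager.  This is used to encrypt the request
to the Session Manager.  WARNING: if this is not set, the request will be sent
in clear text""")

    parser.add_option("-s",
                      "--session-mgr-uri",
                      dest="sessMgrURI",
                      help="Address of Session Manager to connect to")

    parser.add_option("-d",
                      "--soap-debug",
                      dest="soapDebug",
                      action="callback",
                      callback=setSoapDebug,
                      help="Print SOAP message output")

    parser.add_option("-p",
                      "--pass-phrase-from-stdin",
                      action="store_true",
                      dest="bPassPhraseFromStdin",
                      default=False,
                      help="""\
Take user's pass-phrase from stdin.  If this flag is omitted, pass-phrase is
prompted for from tty""")

    parser.add_option("-i",
                      "--cookie-file",
                      action="callback",
                      callback=setSessCookie,
                      type="string",
                      dest="sessCookie",
                      help=\
"""Session cookie for --req-autho/-r call.  This is returned from a previous
connect call (-c USERNAME/--connect=USERNAME).  Note that connect and request
authoirsation calls can be combined.  In this case, this arg is not needed as
the cookie is passed directly from the connect call output to the
authorisation request e.g. ... -c username -r -s "http://..." -a
"http://...""")

    # NOTE: -e reads all of stdin at parse time, so it cannot be combined
    # with -p (which reads stdin again in main())
    parser.add_option("-e",
                      "--cookie-from-stdin",
                      action="callback",
                      callback=setSessCookieFromStdin,
                      dest="sessCookie",
                      help="Read session cookie from stdin.")

    parser.add_option("-m",
                      "--map-from-trusted-hosts",
                      action="store_true",
                      dest="mapFromTrustedHosts",
                      default=False,
                      help=\
"""For use with --req-autho/-r flag.  Set to allow the Session Manager to
automatically use Attribute Certificates from the user's wallet or, if no
suitable ones are found, to contact other trusted hosts in order to get
Attribute Certificates for mapping""")

    parser.add_option("-q",
                      "--req-role",
                      dest="reqRole",
                      help="""\
For use with --req-autho/-r flag.  Making certifcate mapping more efficient
by specifying to the Session Manager what role is needed for attribute
certificates from trusted hosts in order to get a mapped Attribute Certificate
back from the Attribute Authority""")

    parser.add_option("-l",
                      "--rtn-ext-att-cert-list",
                      action="store_true",
                      dest="rtnExtAttCertList",
                      default=False,
                      help=\
"""For use with --req-autho/-r flag.  Determines behaviour in the case where
authorisation is denied by an Attribute Authority.  If set, a list of
candidate Attribute Certificates from trusted hosts will be returned.  Any one
of these could be re-input in a subsequent authorisation request by setting
the --ext-att-cert-list-file option.  The certificates can be used to obtain a
mapped Attribute Certificate from the import target Attribute Authority""")

    parser.add_option("-f",
                      "--ext-att-cert-list-file",
                      dest="extAttCertListFile",
                      help=\
"""For use with --req-autho/-r flag.  A file of concatenated Attribute
Certificates.  These are certificates from other import hosts trusted by the
Attribute Authority.  The Session Manager tries each in turn until the
Attribute Authority accepts one and uses it to create and return a mapped
Attribute Certificate""")

    parser.add_option("-t",
                      "--ext-trusted-hosts-file",
                      dest="extTrustedHostsFile",
                      help=\
"""For use with --req-autho/-r flag.  Pass a file containing a comma
separarated list of hosts that are trusted by the Attribute Authority.  The
Session Manager will contact these hosts in turn, stopping when one of them
grants it an Attribute Certificate that it can present to the target Attribute
Authority in order to get a mapped Attribute Certificate in return.""")

    return parser


#_____________________________________________________________________________
def _readExtAttCertList(filePath):
    """Read a file of concatenated Attribute Certificates (-f option) and
    return them as a list of '<attributeCertificate>...' strings.

    Raises IOError/OSError if the file cannot be read.
    """
    acFile = open(filePath)
    try:
        sExtAttCertListFile = acFile.read()
    finally:
        acFile.close()

    # Remove any <?xml ... ?> headers so the split below only sees the
    # certificate elements
    sAttCertTmp = re.sub(r"\s*<\?xml.*\?>\s*", "", sExtAttCertListFile)

    # Everything after the first split item is one certificate minus its
    # opening tag - put the tag back
    return ['<attributeCertificate>' + ac for ac in \
            sAttCertTmp.split('<attributeCertificate>')[1:]]


#_____________________________________________________________________________
def _readExtTrustedHostList(filePath):
    """Read a comma separated list of trusted host names (-t option) and
    return them as a list of strings.

    Surrounding whitespace (e.g. a trailing newline) is stripped before the
    split and empty entries are dropped, so the last host name no longer
    carries the file's final newline.

    Raises IOError/OSError if the file cannot be read.
    """
    hostsFile = open(filePath)
    try:
        hostsStr = hostsFile.read().strip()
    finally:
        hostsFile.close()

    return [host for host in re.split(r"\s*,\s*", hostsStr) if host]


#_____________________________________________________________________________
def main():
    """Command line entry point: add a user, connect (log in) and/or request
    an Attribute Certificate through the Session Manager.

    Returns the process exit status: 0 on success, 1 on a usage error, a
    failed client initialisation or a failed web service call.  (The
    previous version returned 0 after printing a web service error, so shell
    callers could not detect failure.)

    Credentials handled here: the login pass-phrase (tty prompt or stdin),
    the client private key password (file or tty prompt) and the session
    cookie.  The cookie returned by --connect is printed to stdout because a
    later -i/-e call reuses it; it is the bearer credential for the session,
    so redirect it only to a file with restricted permissions, never to a
    shared log.

    NOTE(review): no ``if __name__ == "__main__"`` guard is visible in this
    revision of the file - confirm how main() is invoked before relying on
    this file as an executable script.
    """
    parser = _buildOptionParser()
    (options, args) = parser.parse_args()

    if not options.sessMgrURI:
        # Bug fix: message referred to a WSDL URI but -s takes the service
        # address (see the -s help text)
        sys.stderr.write("Error, No Session Manager URI set.\n\n")
        parser.print_help()
        return(1)

    # -x without -k leaves the client unable to decrypt the response (see the
    # -k help text) - reject it up front rather than failing mid-call
    if options.clntCertFilePath and not options.clntPriKeyFilePath:
        sys.stderr.write("Error, -x/--clnt-pubkey-file requires "
                         "-k/--clnt-prikey-file to be set.\n\n")
        parser.print_help()
        return(1)

    # -r needs a session: a cookie from -i/-e or a -c in the same run.  The
    # old code passed sessCookie=None through to the web service call
    if options.attAuthorityURI and \
       not (options.userName or options.sessCookie):
        sys.stderr.write("Error, --req-autho/-r needs a session cookie: "
                         "use --cookie-file/-i, --cookie-from-stdin/-e or "
                         "combine with --connect/-c.\n\n")
        parser.print_help()
        return(1)

    if not (options.newUserName or options.userName or
            options.attAuthorityURI):
        sys.stderr.write("Set a flag to specify the web-service call " + \
                         "e.g. --connect=USERNAME\n\n")
        parser.print_help()
        return(1)

    passPhrase = None

    # For connect/addUser a pass-phrase is needed
    if options.newUserName or options.userName:
        if options.bPassPhraseFromStdin:
            # Read from standard input.  NOTE: -e/--cookie-from-stdin has
            # already consumed stdin during parse_args(), so the two options
            # cannot usefully be combined
            passPhrase = sys.stdin.read().strip()
        else:
            # Obtain from prompt (no echo)
            try:
                passPhrase = getpass.getpass(prompt="Login pass-phrase: ")
            except KeyboardInterrupt:
                return(1)

    if options.clntPriKeyPwd is None and options.clntPriKeyFilePath:
        # Obtain from prompt (no echo)
        try:
            options.clntPriKeyPwd = getpass.getpass(\
                                    prompt="Client private key pass-phrase: ")
        except KeyboardInterrupt:
            return(1)

    extAttCertList = None
    if options.extAttCertListFile:
        try:
            extAttCertList = _readExtAttCertList(options.extAttCertListFile)
        except Exception, e:
            # Bug fix: the old handler referenced an undefined name ('arg'),
            # so it raised NameError instead of reporting, and would then
            # have carried on without the certificates
            sys.stderr.write(\
                "Error parsing file \"%s\" for option \"%s\": %s\n" % \
                (options.extAttCertListFile,
                 "--ext-att-cert-list-file\"/\"-f",
                 str(e)))
            return(1)

    extTrustedHostList = None
    if options.extTrustedHostsFile:
        try:
            extTrustedHostList = \
                        _readExtTrustedHostList(options.extTrustedHostsFile)
        except Exception, e:
            # Same undefined-name fix as above; option name corrected too
            sys.stderr.write(\
                "Error parsing file \"%s\" for option \"%s\": %s\n" % \
                (options.extTrustedHostsFile,
                 "--ext-trusted-hosts-file\"/\"-t",
                 str(e)))
            return(1)

    # Initialise session client.  'smWSDL' is the keyword SessionClient
    # exposes; per the -s help text the value is the service address
    try:
        sessClnt = SessionClient(smWSDL=options.sessMgrURI,
                                 smCertFilePath=options.smCertFilePath,
                                 clntCertFilePath=options.clntCertFilePath,
                                 clntPriKeyFilePath=options.clntPriKeyFilePath,
                                 traceFile=options.soapDebug)
    except Exception, e:
        sys.stderr.write("Initialising client: %s\n" % str(e))
        return(1)

    try:
        if options.newUserName:
            sessClnt.addUser(userName=options.newUserName,
                             pPhrase=passPhrase,
                             clntPriKeyPwd=options.clntPriKeyPwd)
            return(0)

        sessCookie = options.sessCookie

        if options.userName:
            sSessCookie = sessClnt.connect(userName=options.userName,
                                           pPhrase=passPhrase,
                                           clntPriKeyPwd=options.clntPriKeyPwd)
            # Output the cookie for reuse by a later -i/-e call (bearer
            # credential - see the docstring)
            print sSessCookie

            # Don't exit here - req-autho may have been set too: the cookie
            # just obtained is parsed for the session ID and address and
            # takes precedence over any -i/-e value
            sessCookie = SimpleCookie(sSessCookie)

        if options.attAuthorityURI:
            authResp = sessClnt.reqAuthorisation(\
                            sessCookie=sessCookie,
                            aaWSDL=options.attAuthorityURI,
                            aaCert=options.aaCert,
                            mapFromTrustedHosts=options.mapFromTrustedHosts,
                            reqRole=options.reqRole,
                            rtnExtAttCertList=options.rtnExtAttCertList,
                            extAttCertList=extAttCertList,
                            extTrustedHostList=extTrustedHostList,
                            clntPriKeyPwd=options.clntPriKeyPwd)
            print authResp

    except Exception, e:
        # Bug fix: a failed web service call used to fall through to
        # return(0)
        sys.stderr.write(str(e) + os.linesep)
        return(1)

    return(0)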