source: TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py @ 2136

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py@2136
Revision 2136, 12.3 KB checked in by pjkersha, 13 years ago (diff)

python/ndg.security.server/setup.py:

  • comment out Twisted from install - won't do egg install
  • updated long description

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • added verifyingCertFilePath keyword to SignatureHandler initialisation
  • added SSL capability

python/conf/attAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml,
python/ndg.security.server/ndg/security/server/AttAuthority/init.py:
added element names for reading SSL settings from properties file.

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
added verifyingCertFilePath keyword to SignatureHandler initialisation

python/conf/sessionMgrProperties.xml,
python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml,
python/ndg.security.server/ndg/security/server/SessionMgr/init.py:
added clntCertFile properties file element name for setting certificate for
verifying incoming SOAP messages.

python/ndg.security.server/ndg/security/server/SessionMgr/Makefile:
corrected typo.

python/ndg.security.server/ndg/security/server/MyProxy.py:
Put OpenSSLConfig and OpenSSLConfigError classes into their own package
'openssl' so that they can also be used by the Certificate Authority client.

python/www/html/certificateAuthority.wsdl,
python/ndg.security.server/ndg/security/server/ca/CertificateAuthority_services_server.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services_types.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services.py: updated operations to issueCert, revokeCert and getCRL.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: changed address of service to connect to.

python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
alternative username connection settings

python/ndg.security.common/ndg/security/common/AttAuthority/init.py:
fixed typos in error message and comments.

python/ndg.security.common/ndg/security/common/XMLSec.py: changed call to
getAttributeNodeNS to getAttributeNode for retrieving reference element URI
attribute.

python/ndg.security.common/ndg/security/common/ca/init.py: code for
Certificate Authority client

python/ndg.security.common/ndg/security/common/wsSecurity.py:

  • tidied up imports
  • added properties for setting keywords to reference and SignedInfo C14N
  • changed sign method so that it is truly configurable, allowing use of inclusive or exclusive C14N based on the keywords set for reference and SignedInfo C14N calls.
  • swapped calls to getAttributeNodeNS with getAttributeNode where appropriate.

java/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/AttAuthority/build/classes/META-INF/ibm-webservicesclient-bnd.xmi:
updated so that request generator correctly places X.509 cert in
BinarySecurityToken element.

java/DEWS/AttAuthority/appClientModule/Main.java,
java/DEWS/AttAuthority/appClientjava/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmiModule/Main.java:
include calls to getX509Cert and getAttCert methods.

java/DEWS/SessionMgr/build/classes/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/SessionMgr/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi:
updates for testing Session Manager client

java/DEWS/SessionMgr/appClientModule/Main.java: switched username setting.

#!/usr/bin/env python
"""NDG Security Attribute Authority client - client interface classes to the
Attribute Authority.  These have been separated from their
original location in the SecurityClient since they have the
unusual place of being required by both client and server
NDG security packages.  For the server side they are required
as the CredWallet invoked by the Session Manager acts as a
client to Attribute Authorities when negotiating the required
Attribute Certificate.

Make requests for Attribute Certificates used for authorisation

NERC Data Grid Project

@author P J Kershaw 17/11/06

@copyright (C) 2006 CCLRC & NERC

@license This software may be distributed under the terms of the Q Public
License, version 1.0 or later.
"""
__all__ = [
    'AttAuthority_services',
    'AttAuthority_services_types',
    ]

# Handling for public key retrieval
import tempfile

from AttAuthority_services import AttAuthorityServiceLocator
from ndg.security.common.wsSecurity import SignatureHandler
from ndg.security.common.AttCert import AttCert, AttCertParse

# Exception raised by the ZSI binding on an HTTP error; caught in initService.
# Assumed to be ZSI's own HTTPResponse class: the listing used the name
# without importing it
from ZSI.wstools.Utility import HTTPResponse

#_____________________________________________________________________________
class AttAuthorityClientError(Exception):
    """Exception handling for AttAuthorityClient class"""

#_____________________________________________________________________________
class AttributeRequestDenied(Exception):
    """Raise when a getAttCert call to the AA is denied"""


#_____________________________________________________________________________
class AttAuthorityClient(object):
    """Client interface to Attribute Authority web service"""

    #_________________________________________________________________________
    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
        """
        @type uri: string
        @keyword uri: URI for Attribute Authority WS.  Setting it will also
        initialise the Service Proxy

        @type tracefile: file
        @keyword tracefile: set to file object such as sys.stderr to give
        extra WS debug information

        @keyword signatureHandlerKw: keywords passed through to the
        WS-Security SignatureHandler"""

        self.__srv = None
        self.__uri = None

        # Attribute Authority certificate for verifying signed responses:
        # set via srvCertFilePath, or else retrieved from the service and
        # held in a temporary file
        self.__srvCertFilePath = None
        self.__srvCertTempFile = None

        # Client credentials, set via the corresponding properties
        self.__clntCertFilePath = None
        self.__clntCert = None
        self.__clntPriKeyFilePath = None
        self.__clntPriKeyPwd = None

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler
        self.__signatureHandler = SignatureHandler(**signatureHandlerKw)

        self.__tracefile = tracefile

        # Instantiate Attribute Authority WS proxy
        if self.__uri:
            self.initService()


    #_________________________________________________________________________
    def __setURI(self, uri):

        if not isinstance(uri, basestring):
            raise AttAuthorityClientError(
                        "Attribute Authority WSDL URI must be a valid string")

        self.__uri = uri

    uri = property(fset=__setURI, doc="Set Attribute Authority WSDL URI")


    #_________________________________________________________________________
    def __getSignatureHandler(self):
        "Get SignatureHandler object property method"
        return self.__signatureHandler

    signatureHandler = property(fget=__getSignatureHandler,
                                doc="SignatureHandler object")


    #_________________________________________________________________________
    def __setSrvCertFilePath(self, srvCertFilePath):

        if not isinstance(srvCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Attribute Authority public key file path must be a valid string")

        self.__srvCertFilePath = srvCertFilePath

    srvCertFilePath = property(fset=__setSrvCertFilePath,
                              doc="Set Attribute Authority public key file path")


    #_________________________________________________________________________
    def __setClntCertFilePath(self, clntCertFilePath):

        if not isinstance(clntCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Client public key file path must be a valid string")

        self.__clntCertFilePath = clntCertFilePath

        # Read the certificate now so that a bad path is reported when the
        # property is set rather than at first use
        try:
            self.__clntCert = open(self.__clntCertFilePath).read()

        except IOError, e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, e.strerror))

        except Exception, e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, str(e)))

    clntCertFilePath = property(fset=__setClntCertFilePath,
                                doc="File path for client public key")


    #_________________________________________________________________________
    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):

        if not isinstance(clntPriKeyFilePath, basestring):
            raise AttAuthorityClientError(
                "Client private key file path must be a valid string")

        self.__clntPriKeyFilePath = clntPriKeyFilePath

    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
                                  doc="File path for client private key")


    #_________________________________________________________________________
    def __setClntPriKeyPwd(self, clntPriKeyPwd):

        if not isinstance(clntPriKeyPwd, basestring):
            raise AttAuthorityClientError(
                        "Client private key password must be a valid string")

        self.__clntPriKeyPwd = clntPriKeyPwd

    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
                         doc="Password protecting client private key file")


    #_________________________________________________________________________
    def __getSrvCert(self):
        """Retrieve the Attribute Authority's certificate from the service
        and hold it in a temporary file for use as the verifying certificate"""

        # Nothing to do if the caller has already supplied the certificate
        # via srvCertFilePath
        if self.__srvCertFilePath is not None:
            return

        try:
            self.__srvCertTempFile = tempfile.NamedTemporaryFile()

            cert = self.getX509Cert()
            self.__srvCertTempFile.write(cert)
            self.__srvCertTempFile.flush()

            # The temp file is deleted when self.__srvCertTempFile is closed
            # or garbage collected, so the reference is kept for the lifetime
            # of this object
            self.__srvCertFilePath = self.__srvCertTempFile.name

        except IOError, e:
            raise AttAuthorityClientError(
                                "Writing public key to temp \"%s\": %s" %
                                (self.__srvCertTempFile.name, e.strerror))
        except Exception, e:
            raise AttAuthorityClientError(
                "Retrieving Attribute Authority public key: %s" % str(e))


    #_________________________________________________________________________
    def initService(self, uri=None):
        """Set the WS proxy for the Attribute Authority

        @type uri: string
        @param uri: URI for service to invoke"""

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler object is passed to binding
        try:
            locator = AttAuthorityServiceLocator()
            self.__srv = locator.getAttAuthority(self.__uri,
                                         sig_handler=self.__signatureHandler,
                                         tracefile=self.__tracefile)
        except HTTPResponse, e:
            raise AttAuthorityClientError(
                "Error initialising WSDL Service for \"%s\": %s %s" %
                (self.__uri, e.status, e.reason))

        except Exception, e:
            raise AttAuthorityClientError(
                "Initialising WSDL Service for \"%s\": %s" %
                (self.__uri, str(e)))


    #_________________________________________________________________________
    def getHostInfo(self):
        """Get host information for the data provider which the
        Attribute Authority represents

        @rtype: dict
        @return: dictionary of host information derived from the Attribute
        Authority's map configuration
        """

        try:
            hostname, aaURI, loginURI = self.__srv.getHostInfo()

        except Exception, e:
            raise AttAuthorityClientError(
                                    "Retrieving host information: " + str(e))

        # Same dictionary form as used by the AttAuthority class
        hostInfo = {hostname: {'aaURI': aaURI, 'loginURI': loginURI}}

        return hostInfo


    #_________________________________________________________________________
    def getTrustedHostInfo(self, role=None):
        """Get list of trusted hosts for an Attribute Authority

        @type role: string
        @param role: get information for trusted hosts that have a mapping to
        this role

        @rtype: dict
        @return: dictionary of host information indexed by hostname derived
        from the map configuration"""

        try:
            trustedHosts = self.__srv.getTrustedHostInfo(role)

        except Exception, e:
            raise AttAuthorityClientError(
                                "Getting trusted host information: " + str(e))

        # Convert into dictionary form as used by AttAuthority class
        trustedHostInfo = {}
        for trustedHost in trustedHosts:
            hostname = trustedHost.get_element_hostname()

            trustedHostInfo[hostname] = {
                'aaURI': trustedHost.get_element_aaURI(),
                'loginURI': trustedHost.get_element_loginURI(),
                'role': trustedHost.get_element_roleList()}

        return trustedHostInfo


    #_________________________________________________________________________
    def getAttCert(self, userCert=None, userAttCert=None):
        """Request attribute certificate from NDG Attribute Authority Web
        Service.

        @type userCert: string
        @keyword userCert: certificate corresponding to proxy private key and
        proxy cert used to sign the request.  Enables server to establish
        chain of trust proxy -> user cert -> CA cert.  If a standard
        private key is used to sign the request, this argument is not
        needed.

        @type userAttCert: string / AttCert
        @keyword userAttCert: user attribute certificate from which to make a
        mapped certificate at the target attribute authority.  userAttCert
        must have been issued from a trusted host to the target.  This is not
        necessary if the user is registered at the target Attribute Authority.

        @rtype: ndg.security.common.AttCert.AttCert
        @return: attribute certificate for user.  If access is refused,
        AttributeRequestDenied is raised"""

        # Ensure cert is serialized before passing over web service interface
        if isinstance(userAttCert, AttCert):
            userAttCert = userAttCert.toString()

        try:
            sAttCert, msg = self.__srv.getAttCert(userCert, userAttCert)

        except Exception, e:
            raise AttAuthorityClientError(
                                "Requesting attribute certificate: " + str(e))

        # An empty certificate string signals refusal; msg carries the reason
        if sAttCert:
            return AttCertParse(sAttCert)
        else:
            raise AttributeRequestDenied(msg)


    #_________________________________________________________________________
    def getX509Cert(self):
        """Retrieve the X.509 certificate of the Attribute Authority

        @rtype: string
        @return: X.509 certificate for Attribute Authority"""

        try:
            return self.__srv.getX509Cert()

        except Exception, e:
            raise AttAuthorityClientError(
                                    "Error retrieving public key: " + str(e))
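An added example, not part of the NDG code above: in the getX509Cert / __getSrvCert path the client fetches the Attribute Authority's certificate from the service itself and then uses it as the verifying certificate for WS-Security signatures, so whatever certificate the endpoint returns is trusted on first use. The Python 3 code below shows the check a deployer would want before that temp file is written: pinning the retrieved certificate to an operator-provisioned SHA-256 fingerprint (the `srvCertFilePath` property remains the alternative of provisioning the certificate out of band). The PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re
import tempfile

# Constructed stand-in for the PEM text getX509Cert() would return.  The body
# is arbitrary bytes, not a real certificate: fingerprinting works on the raw
# DER bytes, so no X.509 parsing is needed here.
CONSTRUCTED_AA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER bytes for this example only").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Decode exactly one certificate from PEM text; reject none or several."""
    bodies = _PEM_CERT_RE.findall(pem)
    if len(bodies) != 1:
        raise ValueError("expected one certificate, found %d" % len(bodies))
    return base64.b64decode("".join(bodies[0].split()), validate=True)


def fingerprint(pem):
    """SHA-256 over the DER encoding, as lower-case hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def pin_matches(pem, pinned_sha256):
    """Constant-time comparison against the operator-provisioned pin."""
    return hmac.compare_digest(fingerprint(pem), pinned_sha256.lower())


def write_verifying_cert(pem, pinned_sha256):
    """Accept the retrieved certificate only if it matches the pin, then write
    it to a temp file the way the client does for its SignatureHandler.

    Returns the NamedTemporaryFile; the caller keeps it open for as long as the
    path is in use, since closing it deletes the file."""
    if not pin_matches(pem, pinned_sha256):
        raise ValueError("Attribute Authority certificate does not match pin, "
                         "got %s" % fingerprint(pem))
    tmp = tempfile.NamedTemporaryFile(mode="w", suffix=".pem")
    tmp.write(pem)
    tmp.flush()
    return tmp
```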