
Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py@2079
Revision 2079, 12.0 KB checked in by pjkersha, 13 years ago (diff)

python/www/html/attAuthority.wsdl,
python/ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py,
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py,
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py,
python/www/html/sessionMgr.wsdl,
python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py:
Make separate schema for the two services - urn:ndg:security:attAuthority and
urn:ndg:security:sessionMgr otherwise getAttCert and getAttCertResponse declarations
get mixed up between the two in the ZSI code.

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
replace get_element_* and set_element_* with attributes references instead e.g.
request.get_element_username() -> request.Username

python/ndg.security.server/ndg/security/server/SessionMgr/init.py:

  • rename the encrypt and decrypt static UserSession methods to encodeSessionMgrURI and
decodeSessionMgrURI respectively. The encryption key is now optional and isn't applied
if omitted. This means that the Session Manager URI in the cookie can be base 64 encoded only
and not encrypted.

  • getAttCert - simplified use of keywords in input and call to CredWallet.getAttCert
  • fixes to redirectAttCertReq for correct SessionMgrClient call - needs test

python/ndg.security.common/ndg/security/common/CredWallet.py:

  • fix AttAuthorityClient import
  • remove clnt* properties - use proxy settings instead for signing requests to AA
  • fixes to getAttCert and getAttCert calls
#!/usr/bin/env python
"""NDG Security Attribute Authority client - client interface classes to the
Attribute Authority.  These have been separated from their
original location in the SecurityClient since they have the
unusual place of being required by both client and server
NDG security packages.  For the server side they are required
as the CredWallet invoked by the Session Manager acts as a
client to Attribute Authorities when negotiating the required
Attribute Certificate.

Make requests for Attribute Certificates used for authorisation

NERC Data Grid Project

@author P J Kershaw 17/11/06

@copyright (C) 2006 CCLRC & NERC

@license This software may be distributed under the terms of the Q Public
License, version 1.0 or later.
"""
# Generated service stub modules exported from this package
__all__ = [
    'AttAuthority_services',
    'AttAuthority_services_types',
    ]

# Handling for public key retrieval: the Attribute Authority's certificate is
# written to a NamedTemporaryFile when it is fetched from the service itself
import tempfile

# Generated web service locator for the Attribute Authority
from AttAuthority_services import AttAuthorityServiceLocator
# WS-Security signing of requests sent to the Attribute Authority
from ndg.security.common.wsSecurity import SignatureHandler
# Attribute Certificate type and parser for the service's responses
from ndg.security.common.AttCert import AttCert, AttCertParse

#_____________________________________________________________________________
class AttAuthorityClientError(Exception):
    """Error raised by AttAuthorityClient: bad argument types, unreadable
    credential files or a failed call to the Attribute Authority web service.
    The message carries the underlying error text."""


#_____________________________________________________________________________
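class AttAuthorityClient(object):
    """Client interface to Attribute Authority web service

    initService() creates the service proxy returned by
    AttAuthorityServiceLocator for the configured URI; the SignatureHandler
    built from the keywords given to __init__ is passed to that binding for
    WS-Security signing of requests.  Failures from the service and from
    argument checking are all reported as AttAuthorityClientError."""

    #_________________________________________________________________________
    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
        """
        @type uri: string
        @keyword uri: URI for Attribute Authority WS.  Setting it will also
        initialise the Service Proxy

        @keyword tracefile: set to file object such as sys.stderr to give
        extra WS debug information

        @keyword signatureHandlerKw: remaining keywords are passed unchanged
        to the SignatureHandler constructor

        @raise AttAuthorityClientError: uri is not a string or the service
        proxy could not be initialised"""

        self.__srv = None
        self.__uri = None
        self.__tracefile = tracefile

        # Attribute Authority certificate: set by the caller through the
        # srvCertFilePath property, or fetched from the service and written
        # to a temp file by __getSrvCert.  Both start as None so __getSrvCert
        # can test for them - previously __srvCertFilePath was never
        # initialised and that test raised AttributeError.
        self.__srvCertFilePath = None
        self.__srvCertTempFile = None

        # Client credentials - populated only through the write-only
        # properties below
        self.__clntCertFilePath = None
        self.__clntCert = None
        self.__clntPriKeyFilePath = None
        self.__clntPriKeyPwd = None

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler
        self.__signatureHandler = SignatureHandler(**signatureHandlerKw)

        # Instantiate Attribute Authority WS proxy
        if self.__uri:
            self.initService()

    #_________________________________________________________________________
    def __setURI(self, uri):
        """Set the Attribute Authority WSDL URI

        @type uri: string
        @param uri: URI of the service.  Only records the value - call
        initService to (re)create the proxy
        @raise AttAuthorityClientError: uri is not a string"""

        if not isinstance(uri, basestring):
            raise AttAuthorityClientError(
                        "Attribute Authority WSDL URI must be a valid string")

        self.__uri = uri

    uri = property(fset=__setURI, doc="Set Attribute Authority WSDL URI")

    #_________________________________________________________________________
    def __getSignatureHandler(self):
        "Get SignatureHandler object property method"
        return self.__signatureHandler

    signatureHandler = property(fget=__getSignatureHandler,
                                doc="SignatureHandler object")

    #_________________________________________________________________________
    def __getSrv(self):
        """Return the service proxy, failing clearly if initService has not
        been called yet instead of letting an AttributeError on None surface
        from inside a service call

        @raise AttAuthorityClientError: proxy not initialised"""

        if self.__srv is None:
            raise AttAuthorityClientError(
                "Attribute Authority service proxy not initialised - set a "
                "URI or call initService first")

        return self.__srv

    #_________________________________________________________________________
    def __setSrvCertFilePath(self, srvCertFilePath):
        """Set the file path of the Attribute Authority's certificate.  When
        this is set, __getSrvCert makes no attempt to fetch the certificate
        from the service.

        @type srvCertFilePath: string
        @raise AttAuthorityClientError: path is not a string"""

        if not isinstance(srvCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Attribute Authority public key URI must be a valid string")

        self.__srvCertFilePath = srvCertFilePath

    srvCertFilePath = property(fset=__setSrvCertFilePath,
                              doc="Set Attribute Authority public key URI")

    #_________________________________________________________________________
    def __setClntCertFilePath(self, clntCertFilePath):
        """Set the client certificate file path and read the certificate
        text into memory

        @type clntCertFilePath: string
        @raise AttAuthorityClientError: path is not a string or the file
        cannot be read"""

        if not isinstance(clntCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Client public key file path must be a valid string")

        self.__clntCertFilePath = clntCertFilePath

        try:
            certFile = open(self.__clntCertFilePath)
            try:
                self.__clntCert = certFile.read()
            finally:
                # Close explicitly rather than relying on the handle being
                # garbage collected
                certFile.close()

        except IOError as e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, e.strerror or str(e)))

        except Exception as e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, str(e)))

    clntCertFilePath = property(fset=__setClntCertFilePath,
                                doc="File path for client public key")

    #_________________________________________________________________________
    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):
        """Set the client private key file path.  The key is not read here.

        @type clntPriKeyFilePath: string
        @raise AttAuthorityClientError: path is not a string"""

        if not isinstance(clntPriKeyFilePath, basestring):
            # Message previously said "public key" for the private key path
            raise AttAuthorityClientError(
                "Client private key file path must be a valid string")

        self.__clntPriKeyFilePath = clntPriKeyFilePath

    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
                                  doc="File path for client private key")

    #_________________________________________________________________________
    def __setClntPriKeyPwd(self, clntPriKeyPwd):
        """Set the password protecting the client private key file.  It is
        held on the instance for the object's lifetime.

        @type clntPriKeyPwd: string
        @raise AttAuthorityClientError: password is not a string"""

        if not isinstance(clntPriKeyPwd, basestring):
            # Was raising SessionMgrClientError, a name not defined in this
            # module, so a bad type surfaced as a NameError
            raise AttAuthorityClientError(
                        "Client private key password must be a valid string")

        self.__clntPriKeyPwd = clntPriKeyPwd

    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
                         doc="Password protecting client private key file")

    #_________________________________________________________________________
    def __getSrvCert(self):
        """Retrieve the Attribute Authority's certificate from the service
        itself, cache it in a temporary file and record the path in
        __srvCertFilePath.  Does nothing if srvCertFilePath was already set
        by the caller.

        NOTE(review): the certificate is fetched over the same web service
        whose responses it would be used to verify, so on its own this is
        trust-on-first-use; a certificate configured out of band through
        srvCertFilePath is the stronger option - confirm how callers use it.

        @raise AttAuthorityClientError: the certificate could not be
        retrieved or written"""

        # Caller may have supplied the certificate via srvCertFilePath, in
        # which case there is nothing to fetch
        if self.__srvCertFilePath is not None:
            return

        try:
            cert = self.getX509Cert()

        except AttAuthorityClientError:
            raise

        except Exception as e:
            raise AttAuthorityClientError("Retrieving Attribute Authority " +
                                          "public key: %s" % str(e))

        tmpFile = None
        try:
            # NamedTemporaryFile is created with owner-only permissions and
            # is deleted when closed; write through its own handle rather
            # than re-opening the path by name (the old second open() was
            # never closed)
            tmpFile = tempfile.NamedTemporaryFile(mode="w")
            tmpFile.write(cert)
            tmpFile.flush()

        except (IOError, OSError) as e:
            raise AttAuthorityClientError(
                                "Writing public key to temp \"%s\": %s" %
                                (getattr(tmpFile, 'name', ''),
                                 e.strerror or str(e)))

        # Keep a reference: the file is removed once this object is dropped
        self.__srvCertTempFile = tmpFile
        self.__srvCertFilePath = tmpFile.name

    #_________________________________________________________________________
    def initService(self, uri=None):
        """Set the WS proxy for the Attribute Authority

        @type uri: string
        @param uri: URI for service to invoke; if omitted, the URI given at
        construction or through the uri property is used
        @raise AttAuthorityClientError: the proxy could not be created"""

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler object is passed to binding
        try:
            locator = AttAuthorityServiceLocator()
            self.__srv = locator.getAttAuthority(self.__uri,
                                         sig_handler=self.__signatureHandler,
                                         tracefile=self.__tracefile)
        except Exception as e:
            # The old code caught an HTTPResponse class that this module
            # never imported, so any failure here became a NameError.  Report
            # status/reason when the exception carries them, otherwise the
            # generic message.
            status = getattr(e, 'status', None)
            reason = getattr(e, 'reason', None)
            if status is not None and reason is not None:
                raise AttAuthorityClientError(
                    "Error initialising WSDL Service for \"%s\": %s %s" %
                    (self.__uri, status, reason))

            raise AttAuthorityClientError(
                "Initialising WSDL Service for \"%s\": %s" %
                 (self.__uri, str(e)))

    #_________________________________________________________________________
    def getHostInfo(self):
        """Get host information for the data provider which the
        Attribute Authority represents

        @rtype: dict
        @return: dictionary of host information derived from the Attribute
        Authority's map configuration
        @raise AttAuthorityClientError: proxy not initialised or the call
        failed
        """

        try:
            hostname, aaURI, loginURI = self.__getSrv().getHostInfo()

        except Exception as e:
            raise AttAuthorityClientError(
                                    "Retrieving host information: " + str(e))

        return {hostname: {'aaURI': aaURI, 'loginURI': loginURI}}

    #_________________________________________________________________________
    def getTrustedHostInfo(self, role=None):
        """Get list of trusted hosts for an Attribute Authority

        @type role: string
        @param role: get information for trusted hosts that have a mapping to
        this role

        @rtype: dict
        @return: dictionary of host information indexed by hostname derived
        from the map configuration
        @raise AttAuthorityClientError: proxy not initialised or the call
        failed"""

        try:
            # Pass encrypted request
            trustedHosts = self.__getSrv().getTrustedHostInfo(role)

        except Exception as e:
            raise AttAuthorityClientError(
                                "Getting trusted host information: " + str(e))

        # Convert into dictionary form as used by AttAuthority class
        trustedHostInfo = {}
        for trustedHost in trustedHosts:
            hostname = trustedHost.get_element_hostname()

            trustedHostInfo[hostname] = {
                'aaURI': trustedHost.get_element_aaURI(),
                'loginURI': trustedHost.get_element_loginURI(),
                'role': trustedHost.get_element_roleList(),
            }

        return trustedHostInfo

    #_________________________________________________________________________
    def getAttCert(self, userCert=None, userAttCert=None):
        """Request attribute certificate from NDG Attribute Authority Web
        Service.

        @type userCert: string
        @keyword userCert: certificate corresponding to proxy private key and
        proxy cert used to sign the request.  Enables server to establish
        chain of trust proxy -> user cert -> CA cert.  If a standard
        private key is used to sign the request, this argument is not
        needed.

        @type userAttCert: string / AttCert
        @keyword userAttCert: user attribute certificate from which to make a
        mapped certificate at the target attribute authority.  userAttCert
        must have been issued from a trusted host to the target.  This is not
        necessary if the user is registered at the target Attribute Authority.

        @rtype AttCert
        @return attribute certificate for user
        @raise AttAuthorityClientError: proxy not initialised, the call
        failed or the response could not be parsed"""

        # Ensure cert is serialized before passing over web service interface
        if isinstance(userAttCert, AttCert):
            userAttCert = str(userAttCert)

        try:
            resp = self.__getSrv().getAttCert(userCert, userAttCert)
            attCert = AttCertParse(resp)

        except Exception as e:
            raise AttAuthorityClientError(
                                "Requesting attribute certificate: " + str(e))

        return attCert

    #_________________________________________________________________________
    def getX509Cert(self):
        """Retrieve the X.509 certificate of the Attribute Authority

        @rtype: string
        @return X.509 certificate for Attribute Authority
        @raise AttAuthorityClientError: proxy not initialised or the call
        failed"""

        try:
            return self.__getSrv().getX509Cert()

        except Exception as e:
            raise AttAuthorityClientError(
                                    "Error retrieving public key: " + str(e))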