
Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py@2087
Revision 2087, 12.3 KB checked in by pjkersha, 13 years ago (diff)

python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py:
use AttCert.toString() to convert userAttCert input to string before dispatch

python/ndg.security.common/ndg/security/common/CredWallet.py: conversion of
extAttCert input to string in getAttCert is not needed - AttAuthorityClient will do
it automatically - see above.

1#!/usr/bin/env python
2"""NDG Security Attribute Authority client - client interface classes to the
3Attribute Authority.  These have been separated from their
4original location in the SecurityClient since they have the
5unusual place of being required by both client and server
6NDG security packages.  For the server side they are required
7as the CredWallet invoked by the Session Manager acts as a
8client to Attribute Authorities when negotiating the required
9Attribute Certificate.
10
11Make requests for Attribute Certificates used for authorisation
12
13NERC Data Grid Project
14
15@author P J Kershaw 17/11/06
16
17@copyright (C) 2006 CCLRC & NERC
18
19@license This software may be distributed under the terms of the Q Public
20License, version 1.0 or later.
21"""
# Names exported by ``from ndg.security.common.AttAuthority import *``.
# Only the generated web-service stub modules are listed here; the client
# classes defined in this module are not, so callers must import them by name.
__all__ = ['AttAuthority_services', 'AttAuthority_services_types']
26
27# Handling for public key retrieval
28import tempfile
29
30from AttAuthority_services import AttAuthorityServiceLocator
31from ndg.security.common.wsSecurity import SignatureHandler
32from ndg.security.common.AttCert import AttCert, AttCertParse
33
34#_____________________________________________________________________________
class AttAuthorityClientError(Exception):
    """Raised by AttAuthorityClient for any local failure (bad argument
    types, unreadable files) and for any error reported while talking to
    the Attribute Authority web service.  The original error text is
    carried in the message."""
    pass
37
38#_____________________________________________________________________________
class AttributeRequestDenied(Exception):
    """Raised by AttAuthorityClient.getAttCert when the Attribute Authority
    answers the request but returns no attribute certificate; the message
    is the reason string supplied by the service."""
    pass
41
42
43#_____________________________________________________________________________
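class AttAuthorityClient(object):
    """Client interface to Attribute Authority web service.

    The WS proxy is created by initService() - automatically when a uri is
    passed to the constructor.  Every remote call goes through that proxy
    and any failure is re-raised as AttAuthorityClientError so callers have
    a single exception type to handle.  The one exception is getAttCert,
    which raises AttributeRequestDenied when the service answers but
    refuses to issue a certificate.

    Requests are signed with the WS-Security SignatureHandler built from
    the keyword arguments given to the constructor.  The client cert / key
    / password properties on this class are validated and stored but are
    not consumed anywhere in this module - presumably they are read by the
    code that configures the SignatureHandler; confirm against callers.
    """

    #_________________________________________________________________________
    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
        """
        @type uri: string
        @keyword uri: URI for Attribute Authority WS.  Setting it will also
        initialise the Service Proxy

        @keyword tracefile: set to file object such as sys.stderr to give
        extra WS debug information

        @keyword signatureHandlerKw: passed verbatim to the WS-Security
        SignatureHandler constructor

        @raise AttAuthorityClientError: if uri is not a string or the
        service proxy cannot be initialised"""

        self.__srv = None
        self.__uri = None
        self.__srvCertTempFile = None

        # Optional credentials are supplied later through the properties
        # below.  Initialise them here so code that tests for "not set"
        # (e.g. __getSrvCert) sees None instead of raising AttributeError.
        self.__srvCertFilePath = None
        self.__clntCertFilePath = None
        self.__clntCert = None
        self.__clntPriKeyFilePath = None
        self.__clntPriKeyPwd = None

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler - handed to the service binding in
        # initService()
        self.__signatureHandler = SignatureHandler(**signatureHandlerKw)

        self.__tracefile = tracefile

        # Instantiate Attribute Authority WS proxy
        if self.__uri:
            self.initService()


    #_________________________________________________________________________
    def __setURI(self, uri):
        """Set the WSDL URI.  This does NOT (re-)create the service proxy;
        call initService() for that.

        @raise AttAuthorityClientError: if uri is not a string"""

        if not isinstance(uri, basestring):
            raise AttAuthorityClientError(
                        "Attribute Authority WSDL URI must be a valid string")

        self.__uri = uri

    def __getURI(self):
        """Return the WSDL URI or None if not yet set"""
        return self.__uri

    uri = property(fget=__getURI, fset=__setURI,
                   doc="Attribute Authority WSDL URI")


    #_________________________________________________________________________
    def __getSignatureHandler(self):
        "Get SignatureHandler object property method"
        return self.__signatureHandler

    signatureHandler = property(fget=__getSignatureHandler,
                                doc="SignatureHandler object")


    #_________________________________________________________________________
    def __setSrvCertFilePath(self, srvCertFilePath):
        """Set the path of the Attribute Authority's X.509 certificate.

        Supplying the certificate this way (from a trusted, out-of-band
        source) is preferable to letting __getSrvCert fetch it from the
        service itself - see the note on that method.  Only the type is
        checked here; the file is not opened.

        @raise AttAuthorityClientError: if the path is not a string"""

        if not isinstance(srvCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Attribute Authority public key URI must be a valid string")

        self.__srvCertFilePath = srvCertFilePath

    def __getSrvCertFilePath(self):
        """Return the certificate file path or None if not set/fetched"""
        return self.__srvCertFilePath

    srvCertFilePath = property(fget=__getSrvCertFilePath,
                               fset=__setSrvCertFilePath,
                               doc="Attribute Authority public key URI")


    #_________________________________________________________________________
    def __setClntCertFilePath(self, clntCertFilePath):
        """Set the client certificate file path and read the certificate
        into memory.

        @raise AttAuthorityClientError: if the path is not a string or the
        file cannot be read"""

        if not isinstance(clntCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Client public key file path must be a valid string")

        self.__clntCertFilePath = clntCertFilePath

        try:
            # Explicit close: the original relied on refcounting to release
            # the file handle
            certFile = open(self.__clntCertFilePath)
            try:
                self.__clntCert = certFile.read()
            finally:
                certFile.close()

        except IOError as e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, e.strerror))

        except Exception as e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, str(e)))

    clntCertFilePath = property(fset=__setClntCertFilePath,
                                doc="File path for client public key")


    #_________________________________________________________________________
    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):
        """Set the client private key file path.  Only the type is checked;
        the key file is not opened here.

        @raise AttAuthorityClientError: if the path is not a string"""

        if not isinstance(clntPriKeyFilePath, basestring):
            # Message previously said "public key" - this is the private key
            raise AttAuthorityClientError(
                "Client private key file path must be a valid string")

        self.__clntPriKeyFilePath = clntPriKeyFilePath

    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
                                  doc="File path for client private key")


    #_________________________________________________________________________
    def __setClntPriKeyPwd(self, clntPriKeyPwd):
        """Set the password protecting the client private key.

        The password is held in memory as a plain string for the lifetime
        of this object; avoid logging or repr-ing the instance.

        @raise AttAuthorityClientError: if the password is not a string"""

        if not isinstance(clntPriKeyPwd, basestring):
            # Previously raised SessionMgrClientError, a name not defined in
            # this module, so a bad argument surfaced as NameError instead
            raise AttAuthorityClientError(
                        "Client private key password must be a valid string")

        self.__clntPriKeyPwd = clntPriKeyPwd

    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
                         doc="Password protecting client private key file")


    #_________________________________________________________________________
    def __getSrvCert(self):
        """Fetch the Attribute Authority's X.509 certificate from the
        service and cache it in a temporary file so that it can be
        referenced by path.  Does nothing if srvCertFilePath is already set.

        SECURITY NOTE: the certificate is obtained over the same web-service
        connection whose responses it is later used to verify.  Unless the
        transport authenticates the server independently (e.g. TLS with CA
        validation), this is trust-on-first-use: a man-in-the-middle can
        hand out its own certificate here and then sign responses with the
        matching key.  Prefer setting srvCertFilePath from a trusted source.

        The NamedTemporaryFile object is kept on the instance because the
        file is deleted as soon as that object is garbage collected.

        @raise AttAuthorityClientError: if the certificate cannot be
        retrieved or written to the temporary file"""

        # Caller has supplied the certificate out-of-band - nothing to do
        if self.__srvCertFilePath is not None:
            return

        try:
            cert = self.getX509Cert()

        except Exception as e:
            raise AttAuthorityClientError("Retrieving Attribute Authority " +
                                          "public key: %s" % str(e))

        tmpFile = None
        try:
            # Write through the NamedTemporaryFile handle itself rather than
            # re-opening by name: the second handle was never closed and
            # re-opening a live temp file by name is not portable
            tmpFile = tempfile.NamedTemporaryFile()
            tmpFile.write(cert)
            tmpFile.flush()

        except (IOError, OSError) as e:
            tmpName = tmpFile.name if tmpFile is not None else "<unallocated>"
            raise AttAuthorityClientError(
                                "Writing public key to temp \"%s\": %s" %
                                (tmpName, str(e)))

        self.__srvCertTempFile = tmpFile
        self.__srvCertFilePath = tmpFile.name


    #_________________________________________________________________________
    def initService(self, uri=None):
        """Set the WS proxy for the Attribute Authority

        @type uri: string
        @param uri: URI for service to invoke; if omitted the URI given
        earlier (constructor or uri property) is used

        @raise AttAuthorityClientError: if no URI is available or the
        service proxy cannot be created"""

        if uri:
            self.__setURI(uri)

        if self.__uri is None:
            raise AttAuthorityClientError(
                "Attribute Authority WSDL URI must be set before initService")

        # WS-Security Signature handler object is passed to binding.
        # NB the former "except HTTPResponse" clause referenced a name that
        # is not imported in this module, so ANY proxy failure was reported
        # as a NameError rather than AttAuthorityClientError.
        try:
            locator = AttAuthorityServiceLocator()
            self.__srv = locator.getAttAuthority(self.__uri,
                                         sig_handler=self.__signatureHandler,
                                         tracefile=self.__tracefile)

        except Exception as e:
            raise AttAuthorityClientError(
                "Initialising WSDL Service for \"%s\": %s" %
                (self.__uri, str(e)))


    #_________________________________________________________________________
    def getHostInfo(self):
        """Get host information for the data provider which the
        Attribute Authority represents

        @rtype: dict
        @return: dictionary of host information derived from the Attribute
        Authority's map configuration, keyed by hostname with 'aaURI' and
        'loginURI' entries

        @raise AttAuthorityClientError: if the remote call fails (including
        when initService has not been called)"""

        try:
            hostname, aaURI, loginURI = self.__srv.getHostInfo()

        except Exception as e:
            raise AttAuthorityClientError(
                                    "Retrieving host information: " + str(e))

        return {hostname: {'aaURI': aaURI, 'loginURI': loginURI}}


    #_________________________________________________________________________
    def getTrustedHostInfo(self, role=None):
        """Get list of trusted hosts for an Attribute Authority

        @type role: string
        @param role: get information for trusted hosts that have a mapping to
        this role; None requests all trusted hosts

        @rtype: dict
        @return: dictionary of host information indexed by hostname derived
        from the map configuration; each entry has 'aaURI', 'loginURI' and
        'role' (the role list returned by the service)

        @raise AttAuthorityClientError: if the remote call fails"""

        try:
            # The request is signed by the WS-Security SignatureHandler;
            # nothing in this module encrypts it
            trustedHosts = self.__srv.getTrustedHostInfo(role)

        except Exception as e:
            raise AttAuthorityClientError(
                                "Getting trusted host information: " + str(e))

        # Convert into dictionary form as used by AttAuthority class
        trustedHostInfo = {}
        for trustedHost in trustedHosts:
            hostname = trustedHost.get_element_hostname()

            trustedHostInfo[hostname] = {
                'aaURI': trustedHost.get_element_aaURI(),
                'loginURI': trustedHost.get_element_loginURI(),
                'role': trustedHost.get_element_roleList(),
            }

        return trustedHostInfo


    #_________________________________________________________________________
    def getAttCert(self, userCert=None, userAttCert=None):
        """Request attribute certificate from NDG Attribute Authority Web
        Service.

        @type userCert: string
        @keyword userCert: certificate corresponding to proxy private key and
        proxy cert used to sign the request.  Enables server to establish
        chain of trust proxy -> user cert -> CA cert.  If a standard
        private key is used to sign the request, this argument is not
        needed.

        @type userAttCert: string / AttCert
        @keyword userAttCert: user attribute certificate from which to make a
        mapped certificate at the target attribute authority.  userAttCert
        must have been issued from a trusted host to the target.  This is not
        necessary if the user is registered at the target Attribute Authority.

        @rtype: ndg.security.common.AttCert.AttCert
        @return: attribute certificate for user.  If access is refused,
        AttributeRequestDenied is raised

        @raise AttAuthorityClientError: if the remote call fails
        @raise AttributeRequestDenied: if the service returns no certificate;
        the exception message is the reason given by the service

        NOTE: the returned certificate is only parsed here - its signature
        is not checked by this method.  Response integrity rests on the
        WS-Security SignatureHandler; verify the AC itself in the caller if
        it is to be relied upon."""

        # Ensure cert is serialized before passing over web service interface
        if isinstance(userAttCert, AttCert):
            userAttCert = userAttCert.toString()

        try:
            sAttCert, msg = self.__srv.getAttCert(userCert, userAttCert)

        except Exception as e:
            raise AttAuthorityClientError(
                                "Requesting attribute certificate: " + str(e))

        if not sAttCert:
            raise AttributeRequestDenied(msg)

        return AttCertParse(sAttCert)


    #_________________________________________________________________________
    def getX509Cert(self):
        """Retrieve the X.509 certificate of the Attribute Authority

        @rtype: string
        @return: X.509 certificate for Attribute Authority, as returned by
        the service (no validation is performed here)

        @raise AttAuthorityClientError: if the remote call fails"""

        try:
            return self.__srv.getX509Cert()

        except Exception as e:
            raise AttAuthorityClientError(
                                    "Error retrieving public key: " + str(e))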