source: TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py @ 2136

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py@2136
Revision 2136, 12.3 KB checked in by pjkersha, 12 years ago

python/ndg.security.server/setup.py:

  • comment out Twisted from install - won't do egg install
  • updated long description

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • added verifyingCertFilePath keyword to SignatureHandler initialisation
  • added SSL capability

python/conf/attAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml,
python/ndg.security.server/ndg/security/server/AttAuthority/init.py:
added element names for reading SSL settings from properties file.

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
added verifyingCertFilePath keyword to SignatureHandler initialisation

python/conf/sessionMgrProperties.xml,
python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml,
python/ndg.security.server/ndg/security/server/SessionMgr/init.py:
added clntCertFile properties file element name for setting certificate for
verifying incoming SOAP messages.

python/ndg.security.server/ndg/security/server/SessionMgr/Makefile:
corrected typo.

python/ndg.security.server/ndg/security/server/MyProxy.py:
Put OpenSSLConfig and OpenSSLConfigError classes into their own package
'openssl' so that they can also be used by the Certificate Authority client.

python/www/html/certificateAuthority.wsdl,
python/ndg.security.server/ndg/security/server/ca/CertificateAuthority_services_server.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services_types.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services.py: updated operations to issueCert, revokeCert and getCRL.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: changed address of service to connect to.

python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
alternative username connection settings

python/ndg.security.common/ndg/security/common/AttAuthority/init.py:
fixed typos in error message and comments.

python/ndg.security.common/ndg/security/common/XMLSec.py: changed call to
getAttributeNodeNS to getAttributeNode for retrieving reference element URI
attribute.

python/ndg.security.common/ndg/security/common/ca/init.py: code for
Certificate Authority client

python/ndg.security.common/ndg/security/common/wsSecurity.py:

  • tidied up imports
  • added properties for setting keywords to reference and SignedInfo C14N
  • changed sign method so that it is truly configurable, allowing use of inclusive or exclusive C14N based on the keywords set for reference and SignedInfo C14N calls.
  • swapped calls to getAttributeNodeNS with getAttributeNode where appropriate.

java/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/AttAuthority/build/classes/META-INF/ibm-webservicesclient-bnd.xmi:
updated so that request generator correctly places X.509 cert in
BinarySecurityToken element.

java/DEWS/AttAuthority/appClientModule/Main.java,
java/DEWS/AttAuthority/appClientjava/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmiModule/Main.java:
include calls to getX509Cert and getAttCert methods.

java/DEWS/SessionMgr/build/classes/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/SessionMgr/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi:
updates for testing Session Manager client

java/DEWS/SessionMgr/appClientModule/Main.java: switched username setting.

#!/usr/bin/env python
"""NDG Security Attribute Authority client - client interface classes to the
Attribute Authority.  These have been separated from their original location
in the SecurityClient since they are unusual in being required by both the
client and the server NDG security packages.  On the server side they are
required because the CredWallet invoked by the Session Manager acts as a
client to Attribute Authorities when negotiating the required Attribute
Certificate.

Make requests for Attribute Certificates used for authorisation.

NERC Data Grid Project

@author P J Kershaw 17/11/06

@copyright (C) 2006 CCLRC & NERC

@license This software may be distributed under the terms of the Q Public
License, version 1.0 or later.
"""
__all__ = [
    'AttAuthority_services',
    'AttAuthority_services_types',
    ]

# Handling for public key retrieval
import tempfile

# initService() catches HTTPResponse and reads its status and reason
# attributes; the import was missing from the original listing
from httplib import HTTPResponse

from AttAuthority_services import AttAuthorityServiceLocator
from ndg.security.common.wsSecurity import SignatureHandler
from ndg.security.common.AttCert import AttCert, AttCertParse


#_____________________________________________________________________________
class AttAuthorityClientError(Exception):
    """Exception handling for AttAuthorityClient class"""


#_____________________________________________________________________________
class AttributeRequestDenied(Exception):
    """Raise when a getAttCert call to the AA is denied"""


#_____________________________________________________________________________
class AttAuthorityClient(object):
    """Client interface to Attribute Authority web service"""

    #_________________________________________________________________________
    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
        """
        @type uri: string
        @keyword uri: URI for Attribute Authority WS.  Setting it will also
        initialise the Service Proxy

        @keyword tracefile: set to file object such as sys.stderr to give
        extra WS debug information

        @keyword signatureHandlerKw: keywords passed straight through to the
        WS-Security SignatureHandler, e.g. the certificate used to verify the
        signature on the Attribute Authority's responses"""

        self.__srv = None
        self.__uri = None

        # Attributes set through the properties below.  Initialised here so
        # that the "is None" tests elsewhere cannot raise AttributeError
        self.__srvCertFilePath = None
        self.__srvCertTempFile = None
        self.__clntCertFilePath = None
        self.__clntCert = None
        self.__clntPriKeyFilePath = None
        self.__clntPriKeyPwd = None

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler
        self.__signatureHandler = SignatureHandler(**signatureHandlerKw)

        self.__tracefile = tracefile

        # Instantiate Attribute Authority WS proxy
        if self.__uri:
            self.initService()


    #_________________________________________________________________________
    def __setURI(self, uri):

        if not isinstance(uri, basestring):
            raise AttAuthorityClientError(
                        "Attribute Authority WSDL URI must be a valid string")

        self.__uri = uri

    uri = property(fset=__setURI, doc="Set Attribute Authority WSDL URI")


    #_________________________________________________________________________
    def __getSignatureHandler(self):
        "Get SignatureHandler object property method"
        return self.__signatureHandler

    signatureHandler = property(fget=__getSignatureHandler,
                                doc="SignatureHandler object")


    #_________________________________________________________________________
    def __setSrvCertFilePath(self, srvCertFilePath):

        if not isinstance(srvCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Attribute Authority public key file path must be a valid "
                "string")

        self.__srvCertFilePath = srvCertFilePath

    srvCertFilePath = property(fset=__setSrvCertFilePath,
                              doc="Set Attribute Authority public key file path")


    #_________________________________________________________________________
    def __setClntCertFilePath(self, clntCertFilePath):

        if not isinstance(clntCertFilePath, basestring):
            raise AttAuthorityClientError(
                "Client public key file path must be a valid string")

        self.__clntCertFilePath = clntCertFilePath

        # Read the certificate now so that a bad path fails at configuration
        # time rather than on the first signed request
        try:
            self.__clntCert = open(self.__clntCertFilePath).read()

        except IOError, e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, e.strerror))

        except Exception, e:
            raise AttAuthorityClientError(
                    "Reading certificate file \"%s\": %s" %
                    (self.__clntCertFilePath, str(e)))

    clntCertFilePath = property(fset=__setClntCertFilePath,
                                doc="File path for client public key")


    #_________________________________________________________________________
    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):

        if not isinstance(clntPriKeyFilePath, basestring):
            raise AttAuthorityClientError(
                "Client private key file path must be a valid string")

        self.__clntPriKeyFilePath = clntPriKeyFilePath

    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
                                  doc="File path for client private key")


    #_________________________________________________________________________
    def __setClntPriKeyPwd(self, clntPriKeyPwd):

        # The original raised SessionMgrClientError here, a name this module
        # never defines
        if not isinstance(clntPriKeyPwd, basestring):
            raise AttAuthorityClientError(
                        "Client private key password must be a valid string")

        self.__clntPriKeyPwd = clntPriKeyPwd

    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
                         doc="Password protecting client private key file")


    #_________________________________________________________________________
    def __getSrvCert(self):
        """Retrieve the Attribute Authority's certificate from the service
        itself and save it to a temporary file.

        Skipped if the certificate was already supplied via srvCertFilePath.
        A certificate fetched from the service only authenticates that
        service if the connection used to fetch it is itself authenticated
        (e.g. SSL with a trusted server certificate); prefer srvCertFilePath
        where the certificate can be provisioned out of band."""

        if self.__srvCertFilePath is not None:
            return

        try:
            cert = self.getX509Cert()

            # Write through the file object rather than reopening it by name
            # so the content is in the file the SignatureHandler will read
            self.__srvCertTempFile = tempfile.NamedTemporaryFile()
            self.__srvCertTempFile.write(cert)
            self.__srvCertTempFile.flush()

            self.__srvCertFilePath = self.__srvCertTempFile.name

        except IOError, e:
            raise AttAuthorityClientError(
                                "Writing public key to temp file: %s" %
                                e.strerror)

        except Exception, e:
            raise AttAuthorityClientError(
                "Retrieving Attribute Authority public key: %s" % str(e))


    #_________________________________________________________________________
    def initService(self, uri=None):
        """Set the WS proxy for the Attribute Authority

        @type uri: string
        @param uri: URI for service to invoke"""

        if uri:
            self.__setURI(uri)

        # WS-Security Signature handler object is passed to binding
        try:
            locator = AttAuthorityServiceLocator()
            self.__srv = locator.getAttAuthority(self.__uri,
                                         sig_handler=self.__signatureHandler,
                                         tracefile=self.__tracefile)
        except HTTPResponse, e:
            raise AttAuthorityClientError(
                "Error initialising WSDL Service for \"%s\": %s %s" %
                (self.__uri, e.status, e.reason))

        except Exception, e:
            raise AttAuthorityClientError(
                "Initialising WSDL Service for \"%s\": %s" %
                (self.__uri, str(e)))


    #_________________________________________________________________________
    def getHostInfo(self):
        """Get host information for the data provider which the
        Attribute Authority represents

        @rtype: dict
        @return: dictionary of host information derived from the Attribute
        Authority's map configuration
        """

        try:
            hostname, aaURI, loginURI = self.__srv.getHostInfo()

        except Exception, e:
            raise AttAuthorityClientError(
                                    "Retrieving host information: " + str(e))

        hostInfo = {}

        hostInfo[hostname] = {}
        hostInfo[hostname]['aaURI'] = aaURI
        hostInfo[hostname]['loginURI'] = loginURI

        return hostInfo


    #_________________________________________________________________________
    def getTrustedHostInfo(self, role=None):
        """Get list of trusted hosts for an Attribute Authority

        @type role: string
        @param role: get information for trusted hosts that have a mapping to
        this role

        @rtype: dict
        @return: dictionary of host information indexed by hostname derived
        from the map configuration"""

        try:
            trustedHosts = self.__srv.getTrustedHostInfo(role)

        except Exception, e:
            raise AttAuthorityClientError(
                                "Getting trusted host information: " + str(e))

        # Convert into dictionary form as used by AttAuthority class
        trustedHostInfo = {}
        for trustedHost in trustedHosts:
            hostname = trustedHost.get_element_hostname()

            trustedHostInfo[hostname] = {}

            trustedHostInfo[hostname]['aaURI'] = \
                                            trustedHost.get_element_aaURI()
            trustedHostInfo[hostname]['loginURI'] = \
                                            trustedHost.get_element_loginURI()
            trustedHostInfo[hostname]['role'] = \
                                            trustedHost.get_element_roleList()

        return trustedHostInfo


    #_________________________________________________________________________
    def getAttCert(self, userCert=None, userAttCert=None):
        """Request attribute certificate from NDG Attribute Authority Web
        Service.

        @type userCert: string
        @keyword userCert: certificate corresponding to proxy private key and
        proxy cert used to sign the request.  Enables server to establish
        chain of trust proxy -> user cert -> CA cert.  If a standard
        private key is used to sign the request, this argument is not
        needed.

        @type userAttCert: string / AttCert
        @keyword userAttCert: user attribute certificate from which to make a
        mapped certificate at the target attribute authority.  userAttCert
        must have been issued from a trusted host to the target.  This is not
        necessary if the user is registered at the target Attribute Authority.

        @rtype: ndg.security.common.AttCert.AttCert
        @return: attribute certificate for user.  If access is refused,
        AttributeRequestDenied is raised"""

        # Ensure cert is serialized before passing over web service interface
        if isinstance(userAttCert, AttCert):
            userAttCert = userAttCert.toString()

        try:
            sAttCert, msg = self.__srv.getAttCert(userCert, userAttCert)

        except Exception, e:
            raise AttAuthorityClientError(
                                "Requesting attribute certificate: " + str(e))

        if sAttCert:
            return AttCertParse(sAttCert)
        else:
            raise AttributeRequestDenied(msg)


    #_________________________________________________________________________
    def getX509Cert(self):
        """Retrieve the X.509 certificate of the Attribute Authority

        @rtype: string
        @return: X.509 certificate for Attribute Authority"""

        try:
            return self.__srv.getX509Cert()

        except Exception, e:
            raise AttAuthorityClientError(
                                    "Error retrieving public key: " + str(e))
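The `__getSrvCert` method obtains the Attribute Authority's certificate from the Attribute Authority itself, via `getX509Cert`, and then installs it as the certificate against which response signatures are verified. Unless the transport is already authenticated (the commit message records SSL support being added to the server config), whoever can answer that first call can supply their own certificate and have every later signature check pass. The following is an added Python example, not part of the NDG code, of one mitigation: pinning the SHA-256 fingerprint of the expected certificate, obtained out of band, and refusing to write the fetched PEM to the temporary file unless it matches. The PEM text, the service callable, the pin value and the function names are constructed for the example; the fingerprint logic never parses ASN.1, so it applies unchanged to a real certificate.

```python
import base64
import hashlib
import hmac
import re
import tempfile

# Constructed stand-ins for the PEM text getX509Cert() returns.  The bodies are
# base64 of arbitrary bytes, not real X.509 structures: nothing below decodes
# ASN.1, so a genuine certificate is handled identically.
CONSTRUCTED_AA_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed NDG Attribute Authority certificate body").decode()
    + "\n-----END CERTIFICATE-----\n"
)
CONSTRUCTED_ROGUE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed certificate body presented by an impostor").decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


class PinMismatch(Exception):
    """The certificate returned by the service is not the one we were told to expect."""


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, colon-separated upper-case hex: the same
    form 'openssl x509 -fingerprint -sha256' prints, so a pin can be taken
    from that output."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fingerprint):
    return fingerprint.upper().replace(":", "")


def pin_matches(pem, pinned_fingerprint):
    """Constant-time comparison of the fetched certificate against the pin.
    Colons and case in the pin are ignored."""
    return hmac.compare_digest(_normalise(sha256_fingerprint(pem)),
                               _normalise(pinned_fingerprint))


def fetch_pinned_server_cert(get_x509_cert, pinned_fingerprint):
    """Pin-checked counterpart of AttAuthorityClient.__getSrvCert.

    get_x509_cert: callable returning PEM text (the service's getX509Cert
    operation, here supplied by the caller so the example runs offline).
    Returns an open NamedTemporaryFile holding the PEM, whose .name can be
    passed as the signature handler's verifying certificate path.  Nothing is
    written if the fingerprint does not match: the unverified certificate
    must never reach the SignatureHandler."""
    pem = get_x509_cert()
    if not pin_matches(pem, pinned_fingerprint):
        raise PinMismatch("expected %s, service returned %s"
                          % (pinned_fingerprint, sha256_fingerprint(pem)))
    cert_file = tempfile.NamedTemporaryFile(mode="w+", suffix=".pem")
    cert_file.write(pem)
    cert_file.flush()
    return cert_file


if __name__ == "__main__":
    # The pin would normally come from the deployment's properties file; here
    # it is derived from the constructed certificate so the demo is self-contained.
    pin = sha256_fingerprint(CONSTRUCTED_AA_CERT_PEM)
    good = fetch_pinned_server_cert(lambda: CONSTRUCTED_AA_CERT_PEM, pin)
    print("verifying cert written to", good.name)
    try:
        fetch_pinned_server_cert(lambda: CONSTRUCTED_ROGUE_CERT_PEM, pin)
    except PinMismatch as err:
        print("rejected:", err)
```

Pinning a leaf certificate means the pin must be rotated whenever the Attribute Authority re-keys; where that is impractical, verifying the fetched certificate against the federation's CA with an SSL-authenticated transport, as the commit message's `verifyingCertFilePath` and SSL additions point towards, is the alternative the code base itself is moving to.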
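The module docstring says the CredWallet acts as an Attribute Authority client when negotiating an Attribute Certificate, and the `getTrustedHostInfo` and `getAttCert` docstrings describe the two paths: a direct request where the user is registered at the target, or a mapped certificate derived from an AC issued by one of the target's trusted hosts. The page does not show that negotiation, so the following is an added Python example, not NDG code, of the client-side logic run against constructed in-memory Attribute Authorities that mirror the `getTrustedHostInfo(role)` and `getAttCert(userCert, userAttCert)` call shapes and the `(attCert, msg)` return of the latter. The site names, DNs, role names, and the rule that an already-mapped AC cannot seed a further mapping are assumptions made for the example.

```python
class AttributeRequestDenied(Exception):
    """Neither a direct nor a mapped request yielded the role (same name as
    the exception on this page)."""


class FakeAttCert(object):
    """Constructed stand-in for AttCert: the real one is signed XML; only the
    fields the negotiation reads are modelled."""
    def __init__(self, issuer, holder, roles, provenance):
        self.issuer = issuer          # hostname of the issuing AA
        self.holder = holder          # user DN the AC was issued to
        self.roles = list(roles)
        self.provenance = provenance  # 'original' or 'mapped'


class FakeAttAuthority(object):
    """Constructed in-memory AA exposing the two operations the client wraps."""
    def __init__(self, hostname, registered, trusted, role_map):
        self.hostname = hostname
        self.registered = registered  # {user DN: [local roles]}
        self.trusted = trusted        # {hostname: {'aaURI': ..., 'loginURI': ...}}
        self.role_map = role_map      # {(trusted host, its role): local role}

    def getTrustedHostInfo(self, role=None):
        """Same dict shape AttAuthorityClient.getTrustedHostInfo builds:
        hostname -> aaURI, loginURI and the remote roles that map onto role."""
        info = {}
        for host, uris in self.trusted.items():
            remote = sorted(r for (h, r), local in self.role_map.items()
                            if h == host and (role is None or local == role))
            if remote:
                info[host] = dict(uris, role=remote)
        return info

    def getAttCert(self, userCert, userAttCert=None):
        """(AttCert, msg) as the service returns it; AttCert is None when
        denied.  The constructed 'userCert' is just the requester's DN."""
        if userCert in self.registered:
            return FakeAttCert(self.hostname, userCert,
                               self.registered[userCert], 'original'), ''
        if userAttCert is None:
            return None, 'not registered at %s and no AC to map' % self.hostname
        if userAttCert.issuer not in self.trusted:
            return None, '%s is not trusted by %s' % (userAttCert.issuer, self.hostname)
        if userAttCert.holder != userCert:
            return None, 'AC holder does not match requester'
        if userAttCert.provenance != 'original':
            # Assumption for this example: no chained mappings
            return None, 'a mapped AC cannot be mapped again'
        mapped = sorted(set(self.role_map[(userAttCert.issuer, r)]
                            for r in userAttCert.roles
                            if (userAttCert.issuer, r) in self.role_map))
        if not mapped:
            return None, 'no role of %s maps onto %s' % (userAttCert.issuer, self.hostname)
        return FakeAttCert(self.hostname, userCert, mapped, 'mapped'), ''


class FakeCredWallet(object):
    """Client-side negotiation: reuse a held AC, else request directly, else
    request a mapped AC via a trusted host whose AC the wallet already holds."""
    def __init__(self, user_dn):
        self.user_dn = user_dn
        self.att_certs = []

    def held(self, issuer, role):
        for ac in self.att_certs:
            if ac.issuer == issuer and role in ac.roles:
                return ac
        return None

    def get_att_cert(self, target, role):
        ac = self.held(target.hostname, role)
        if ac is not None:
            return ac
        ac, msg = target.getAttCert(self.user_dn)          # direct request
        if ac is not None and role in ac.roles:
            self.att_certs.append(ac)
            return ac
        reasons = [msg or 'direct AC lacks role %s' % role]
        trusted = target.getTrustedHostInfo(role)          # mapped request
        for host in sorted(trusted):
            for remote_role in trusted[host]['role']:
                source = self.held(host, remote_role)
                if source is None:
                    continue
                ac, msg = target.getAttCert(self.user_dn, source)
                if ac is not None and role in ac.roles:
                    self.att_certs.append(ac)
                    return ac
                reasons.append(msg)
        raise AttributeRequestDenied('; '.join(reasons))


def can_obtain(wallet, target, role):
    """True if an AC for role can be negotiated at target, False if denied."""
    try:
        wallet.get_att_cert(target, role)
        return True
    except AttributeRequestDenied:
        return False


def build_scenario():
    """Constructed federation: siteA registers alice; siteB trusts siteA and
    maps siteA 'postgrad' onto 'academic'; siteC trusts nobody; siteD trusts
    siteB, which exercises the no-chaining rule."""
    alice = '/O=NDG/CN=alice'
    uris = lambda h: {'aaURI': 'https://%s.example/AttAuthority' % h,
                      'loginURI': 'https://%s.example/login' % h}
    site_a = FakeAttAuthority('siteA', {alice: ['postgrad', 'staff']}, {}, {})
    site_b = FakeAttAuthority('siteB', {}, {'siteA': uris('siteA')},
                              {('siteA', 'postgrad'): 'academic'})
    site_c = FakeAttAuthority('siteC', {}, {}, {})
    site_d = FakeAttAuthority('siteD', {}, {'siteB': uris('siteB')},
                              {('siteB', 'academic'): 'visitor'})
    return FakeCredWallet(alice), site_a, site_b, site_c, site_d
```

Run `build_scenario()` and call `wallet.get_att_cert(site_a, 'postgrad')` followed by `wallet.get_att_cert(site_b, 'academic')`: the first returns an original AC from siteA, the second a mapped AC from siteB with the single role `academic`, and a repeat of the second call returns the held AC without a network round trip. Against siteC, or for `visitor` at siteD (which would require mapping a mapped AC), `can_obtain` returns False, with the reasons the denying AAs gave joined into the exception message.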