source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac @ 2251

Revision 2251, 5.8 KB checked in by pjkersha, 13 years ago (diff)

ndg.security.server/setup.py:

ndg.security.server/setup.cfg:

  • removed EasyInstall and build sections
  • reinstated tag_build - set to '_dews' - and tag_svn_revision

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • removed socket import and added os
  • added M2Crypto SSL support - works with Python client unit tests (required setting SSL v2 and 3 support)

but problems with the WebSphere client

ndg.security.server/ndg/security/server/AttAuthority/init.py,
ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml,
ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml:

  • added sslKeyPwd setting for properties

ndg.security.server/ndg/security/server/MyProxy.py:

  • ensure cnHostPfx is reinitialised to if equal to None

ndg.security.common/setup.py:

  • added M2Crypto, ZSI and 4Suite to dependencies
  • revised dependency links to use NDG site, http://ndg.nerc.ac.uk/dist and ZSI sourceforge link taken

from pyGridWare settings. Latter won't work for PyXML but does work from command line ??

ndg.security.common/ndg/security/common/wsSecurity.py:

  • IMPORTANT FIX * - removed strip() from signed info digest calc - NOT needed and caused some problems

with verify.

1#!/usr/bin/env python
2"""NDG Security Attribute Authority .tac file
3
4This file enables the Attribute Authority web service to be
5called under the Twisted framework
6
7NERC Data Grid Project
8
9@author P J Kershaw 17/11/06
10
11@copyright (C) 2007 CCLRC & NERC
12
13@license This software may be distributed under the terms of the Q Public
14License, version 1.0 or later.
15"""
16import os
17
18from ZSI.twisted.WSresource import WSResource
19from twisted.application import service, internet
20from twisted.web.server import Site
21from twisted.web.resource import Resource
22
23from ndg.security.server.AttAuthority.AttAuthority_services_server import \
24        AttAuthorityService
25
26from ndg.security.server.AttAuthority import AttAuthority, \
27        AttAuthorityAccessDenied
28       
29from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \
30        WSSecurityHandler, SignatureHandler
31
32from ndg.security.common.X509 import X509Cert, X509CertRead
33
34
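class AttAuthorityServiceSub(AttAuthorityService, WSResource):
    """Attribute Authority SOAP service exposed as a Twisted web resource.

    Each ``soap_*`` method lets the ZSI-generated ``AttAuthorityService``
    base unpack the request, fills in the response from the ``AttAuthority``
    instance held in ``self.aa`` and hands the pair back for serialisation.

    All methods read the authority through ``self.aa`` rather than the
    module-level ``srv`` instance, so they keep working if a second instance
    of this class is ever created.
    """

    # Add WS-Security handlers: the ZSI dispatch chain runs signature
    # verification/signing around every call
    factory = WSSecurityHandlerChainFactory

    def __init__(self):
        WSResource.__init__(self)

        # Initialize Attribute Authority class - property file will be
        # picked up from default location under $NDG_DIR directory
        self.aa = AttAuthority()

    def soap_getAttCert(self, ps, **kw):
        """Issue an Attribute Certificate for the calling user.

        @param ps: ZSI ParsedSoap holding the getAttCert request
        @param kw: extra keyword arguments from the ZSI dispatcher (unused)
        @return: (request, response) - on access denial response.Msg holds
        the reason and response.AttCert is left unset
        """
        request, response = AttAuthorityService.soap_getAttCert(self, ps)

        # The caller's identity is the certificate whose key signed the
        # WS-Security signature on this message (i.e. the user's proxy);
        # the handler chain records it before dispatch reaches here
        holderCert = WSSecurityHandler.signatureHandler.verifyingCert

        try:
            attCert = self.aa.getAttCert(userId=request.UserId,
                                         holderCert=holderCert,
                                         userAttCert=request.UserAttCert)
            response.AttCert = attCert.toString()

        except AttAuthorityAccessDenied, e:
            # Denial is reported in-band rather than as a SOAP fault
            response.Msg = str(e)

        return request, response

    def soap_getHostInfo(self, ps, **kw):
        """Return this Attribute Authority's own host entry.

        @param ps: ZSI ParsedSoap holding the getHostInfo request
        @param kw: extra keyword arguments from the ZSI dispatcher (unused)
        @return: (request, response) with Hostname, LoginURI and AaURI set
        """
        request, response = AttAuthorityService.soap_getHostInfo(self, ps)

        # NOTE(review): takes the first key only - presumably hostInfo holds
        # exactly one entry, this AA's host; confirm against AttAuthority
        hostname = self.aa.hostInfo.keys()[0]
        hostEntry = self.aa.hostInfo[hostname]

        response.Hostname = hostname
        response.LoginURI = hostEntry['loginURI']
        response.AaURI = hostEntry['aaURI']

        return request, response

    def soap_getTrustedHostInfo(self, ps, **kw):
        """List the trusted hosts that can issue the requested role.

        @param ps: ZSI ParsedSoap holding the getTrustedHostInfo request
        @param kw: extra keyword arguments from the ZSI dispatcher (unused)
        @return: (request, response) with response.TrustedHosts populated
        """
        request, response = \
            AttAuthorityService.soap_getTrustedHostInfo(self, ps)

        trustedHostInfo = self.aa.getTrustedHostInfo(role=request.Role)

        # Convert each mapping entry into the ZSI element type ready for
        # serialization
        trustedHosts = []
        for hostname, hostInfo in trustedHostInfo.items():
            trustedHost = response.new_trustedHosts()

            trustedHost.Hostname = hostname
            trustedHost.AaURI = hostInfo['aaURI']
            trustedHost.LoginURI = hostInfo['loginURI']
            trustedHost.RoleList = hostInfo['role']

            trustedHosts.append(trustedHost)

        response.TrustedHosts = trustedHosts

        return request, response

    def soap_getX509Cert(self, ps, **kw):
        """Return this Attribute Authority's X.509 certificate as text.

        @param ps: ZSI ParsedSoap holding the getX509Cert request
        @param kw: extra keyword arguments from the ZSI dispatcher (unused)
        @return: (request, response) with response.X509Cert set
        """
        request, response = AttAuthorityService.soap_getX509Cert(self, ps)

        # Certificate file path comes from the AA properties ('certFile')
        x509Cert = X509CertRead(self.aa['certFile'])
        response.X509Cert = x509Cert.toString()
        return request, response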
106
107
root = Resource()

# Create Service - the AttAuthority it constructs (srv.aa) supplies every
# file path, password and port setting read below
srv = AttAuthorityServiceSub()


# Initialise WS-Security signature handler passing Attribute Authority
# public and private keys.  It is installed as a class attribute, so the
# one handler is shared by every request the handler chain processes.
WSSecurityHandler.signatureHandler = SignatureHandler(\
                    verifyingCertFilePath=srv.aa['clntCertFile'],
                    signingCertFilePath=srv.aa['certFile'],
                    signingPriKeyFilePath=srv.aa['keyFile'],
                    signingPriKeyPwd=srv.aa['keyPwd'])

# Add Service to Attribute Authority branch
root.putChild('AttributeAuthority', srv)
siteFactory = Site(root)

if srv.aa['useSSL']:
    # Use SSL connection.  An earlier version used Twisted's own
    # ssl.DefaultOpenSSLContextFactory (needs pyOpenSSL) with the same
    # sslKeyFile/sslCertFile settings; the M2Crypto wrapper below replaced it.

    # Using M2Crypto ...
    # NOTE(review): os.putenv() changes the C-level environment only, so
    # os.environ will not reflect this; presumably the aim is for OpenSSL's
    # certificate verification to accept proxy certificates - confirm
    os.putenv("OPENSSL_ALLOW_PROXY_CERTS", "1")

    import twisted.protocols.policies as policies
    from M2Crypto import SSL
    from M2Crypto.SSL import TwistedProtocolWrapper
    from M2Crypto.SSL.TwistedProtocolWrapper import TLSProtocolWrapper

    # Presumably read by M2Crypto's Twisted wrapper - neither attribute is
    # referenced again in this file; confirm they are still needed
    siteFactory.startTLS = True
    siteFactory.sslChecker = SSL.Checker.Checker()

    # TODO: Python ssl client seems to require SSL vers 2 is this a security
    # risk?
    # NOTE(review): it is - SSLv2 has known protocol weaknesses.  'sslv23'
    # negotiates the highest version both ends support but still offers
    # SSLv2; once the client no longer needs it, disable it on the context
    # (M2Crypto exposes the OpenSSL option as SSL.op_no_sslv2 for
    # ctx.set_options()).
    ctx = SSL.Context(protocol='sslv23')
    # NOTE(review): 'NULL-MD5' is an OpenSSL null-encryption suite
    # (integrity only, no confidentiality) and it is listed first - confirm
    # an unencrypted session is acceptable for this service, otherwise drop it
    ctx.set_cipher_list("NULL-MD5:ALL:!ADH:!EXP:@STRENGTH")
    # Server certificate and key; the callback supplies the key passphrase
    # from the properties file ('sslKeyPwd') instead of prompting
    ctx.load_cert(srv.aa['sslCertFile'],
                  srv.aa['sslKeyFile'],
                  callback=lambda *args, **kw: srv.aa['sslKeyPwd'])

    # Request and verify a client certificate against the CA locations set
    # below; 10 is the maximum chain depth accepted.
    # NOTE(review): with SSL.verify_peer alone OpenSSL asks for a client
    # certificate but does not fail the handshake when none is presented
    # (that also needs SSL.verify_fail_if_no_peer_cert) - confirm whether
    # clients without a certificate should be able to connect
    ctx.set_allow_unknown_ca(False)
    ctx.set_verify(SSL.verify_peer, 10)

    # NOTE(review): os.path.basename() drops the directory, so cafile is
    # resolved relative to the process's working directory rather than the
    # configured location; capath receives the directory but OpenSSL expects
    # a hash-named layout there.  Passing the full srv.aa['caCertFile'] path
    # as cafile looks like what was intended - confirm.
    ctx.load_verify_locations(cafile=os.path.basename(srv.aa['caCertFile']),
                              capath=os.path.dirname(srv.aa['caCertFile']))

    class ContextFactory:
        """Minimal context factory handing the single shared ctx to the
        TLS protocol wrapper for every connection."""
        def getContext(self):
            return ctx

    # Wrap the HTTP site so each accepted connection is fronted by an
    # M2Crypto TLS protocol; client=0 / startPassThrough=0 presumably select
    # server-side TLS from the first byte - confirm against the wrapper
    factory = policies.WrappingFactory(siteFactory)
    # NOTE(review): this sets TLS on the wrapper's default protocol class,
    # which is replaced on the next line, so the attribute never reaches the
    # TLSProtocolWrapper instances - confirm whether it is still needed
    factory.protocol.TLS = True
    factory.protocol = lambda factory, wrappedProtocol: \
        TLSProtocolWrapper(factory,
                           wrappedProtocol,
                           startPassThrough=0,
                           client=0,
                           contextFactory=ContextFactory(),
                           # no post-handshake peer check is run; client
                           # identity rests on the ctx verification above
                           postConnectionCheck=None)

    siteFactory = factory

    port = internet.TCPServer(srv.aa['portNum'], siteFactory)
    port.CERTFILE = srv.aa['sslCertFile']
    port.KEYFILE = srv.aa['sslKeyFile']
    # NOTE(review): assigning through root.__class__ puts 'server' on the
    # Resource class itself, i.e. on every Resource instance, not just root -
    # confirm that is intended
    root.__class__.server = port
else:
    # Non-SSL: plain HTTP on the configured port
    port = internet.TCPServer(srv.aa['portNum'], siteFactory)

# A .tac file's module-level 'application' is what twistd runs; attaching
# the port service to it starts the listener
application = service.Application("AttributeAuthorityContainer")
port.setServiceParent(application)
186       