source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac @ 2530

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac@2530
Revision 2530, 6.7 KB checked in by pjkersha, 12 years ago (diff)

Working Session Manager unit tests for connect and disconnect calls and
getAttCert calls. Correct use of proxy certs with WS-Security signature
interface is also configured.

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
removed blank line

ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml:
added setting for signature handler flag and CA cert

ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • fix to soap_disconnect - call SessionMgr.deleteUserSession
  • fix to soap_getX509Cert - base64 encode DER format cert output
  • added 'useSignatureHandler' flag to enable WS-Security signature handling
    to be omitted if required.

ndg.security.server/ndg/security/server/SessionMgr/__init__.py:

  • ref to CredWalletInvalidUserX509Cert
  • give explicit keyword names in connect2UserSession method signature
  • raise CredWalletInvalidUserX509Cert if Credential Wallet cert is invalid
  • SessionMgr.deleteUserSession method - added userSess keyword; fixed userDN
    setting to ensure it's a string

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py,
ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
cosmetic changes

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • added _getCertChainFromProxyCertFile method to enable correct proxy cert
    loading
  • added caCertFilePathList, reqBinSecTokValType, setSignatureHandler and
    signingCertChain keyword settings to SessionMgrClient initialisation
  • removed duplicated test6bCookieGetMappedAttCert method

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml:

  • dropped serverCNprefix element setting - not needed for test certs used.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

  • added new params caCertFilePathList, reqBinSecTokValType,
    setSignatureHandler and proxycertfilepath

ndg.security.common/ndg/security/common/SessionMgr/__init__.py:
SignatureHandler to be switched on/off

ndg.security.common/ndg/security/common/AttAuthority/__init__.py: fix to
pydoc for AttAuthorityClient.__init__

ndg.security.common/ndg/security/common/CredWallet.py: major fixes for
SessionMgr - AA calls -

  • CredWalletInvalidUserX509Cert new exception type raised if user cert is
    invalid
  • separate setAAuri into a new method createAAClnt
  • getAttCert method can take an aaClnt keyword. This enables the client
    object for the AA to call to be passed in. Default is the target AA,
    self.aaClnt.

#!/usr/bin/env python
"""NDG Security Attribute Authority .tac file

This file enables the Attribute Authority web service to be
called under the Twisted framework

NERC Data Grid Project

@author P J Kershaw 17/11/06

@copyright (C) 2007 CCLRC & NERC

@license This software may be distributed under the terms of the Q Public
License, version 1.0 or later.
"""
import os, base64

from ZSI.twisted.WSresource import WSResource
from twisted.application import service, internet
from twisted.web.server import Site
from twisted.web.resource import Resource

from ndg.security.server.AttAuthority.AttAuthority_services_server import \
        AttAuthorityService

from ndg.security.server.AttAuthority import AttAuthority, \
        AttAuthorityAccessDenied

from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \
        WSSecurityHandler, SignatureHandler

from ndg.security.common.X509 import X509Cert, X509CertRead


class AttAuthorityServiceSub(AttAuthorityService, WSResource):

    # Add WS-Security handlers: the handler chain processes (and, when the
    # signature handler is set, verifies) each incoming message before the
    # soap_* methods below are reached
    factory = WSSecurityHandlerChainFactory

    def __init__(self):
        WSResource.__init__(self)

        # Initialize Attribute Authority class - property file will be
        # picked up from default location under $NDG_DIR directory
        self.aa = AttAuthority()


    def soap_getAttCert(self, ps, **kw):
        request, response = AttAuthorityService.soap_getAttCert(self, ps)

        # Derive designated holder cert differently according to whether
        # a signed message is expected from the client
        if self.aa['useSignatureHandler']:
            # Get certificate corresponding to private key that signed the
            # message - i.e. the user's proxy.  The cert is tied to the
            # caller by the signature the handler chain has checked.
            holderCert = WSSecurityHandler.signatureHandler.verifyingCert
        else:
            # No signature from client - they must instead provide the
            # designated holder cert via the UserCert input.  Nothing at this
            # layer binds the supplied cert to the caller; that binding can
            # only come from the transport (SSL client auth, configured below).
            holderCert = request.UserCert

        try:
            attCert = self.aa.getAttCert(userId=request.UserId,
                                         holderCert=holderCert,
                                         userAttCert=request.UserAttCert)
            response.AttCert = attCert.toString()

        except AttAuthorityAccessDenied, e:
            response.Msg = str(e)

        return request, response


    def soap_getHostInfo(self, ps, **kw):
        request, response = AttAuthorityService.soap_getHostInfo(self, ps)

        response.Hostname = self.aa.hostInfo.keys()[0]
        response.LoginURI = self.aa.hostInfo[response.Hostname]['loginURI']
        response.AaURI = self.aa.hostInfo[response.Hostname]['aaURI']

        return request, response


    def soap_getTrustedHostInfo(self, ps, **kw):
        request, response = \
                        AttAuthorityService.soap_getTrustedHostInfo(self, ps)

        trustedHostInfo = self.aa.getTrustedHostInfo(role=request.Role)

        # Convert ready for serialization
        trustedHosts = []
        for hostname, hostInfo in trustedHostInfo.items():
            trustedHost = response.new_trustedHosts()

            trustedHost.Hostname = hostname
            trustedHost.AaURI = hostInfo['aaURI']
            trustedHost.LoginURI = hostInfo['loginURI']
            trustedHost.RoleList = hostInfo['role']

            trustedHosts.append(trustedHost)

        response.TrustedHosts = trustedHosts

        return request, response


    def soap_getX509Cert(self, ps, **kw):
        '''Retrieve Attribute Authority's X.509 certificate'''
        request, response = AttAuthorityService.soap_getX509Cert(self, ps)

        # DER output is binary, so base64 encode it for the SOAP response
        x509Cert = X509CertRead(self.aa['certFile'])
        response.X509Cert = base64.encodestring(x509Cert.asDER())
        return request, response


root = Resource()

# Create Service
srv = AttAuthorityServiceSub()

if srv.aa['useSignatureHandler']:
    # Initialise WS-Security signature handler passing Attribute Authority
    # public and private keys.  caCertFile is the trust anchor for client
    # signing certs; without it caCertFilePathList is None.
    caCertFile = srv.aa.get('caCertFile')
    if caCertFile:
        caCertFilePathList = (caCertFile,)
    else:
        caCertFilePathList = None

    WSSecurityHandler.signatureHandler = SignatureHandler(
                                verifyingCertFilePath=srv.aa['clntCertFile'],
                                signingCertFilePath=srv.aa['certFile'],
                                signingPriKeyFilePath=srv.aa['keyFile'],
                                signingPriKeyPwd=srv.aa['keyPwd'],
                                caCertFilePathList=caCertFilePathList)

# Add Service to Attribute Authority branch
root.putChild('AttributeAuthority', srv)
siteFactory = Site(root)

if srv.aa['useSSL']:
    # Use SSL connection
#    from twisted.internet import ssl
#
#    # Nb. ssl.DefaultOpenSSLContextFactory requires pyOpenSSL
#    ctxFactory = ssl.DefaultOpenSSLContextFactory(srv.aa['sslKeyFile'],
#                                                  srv.aa['sslCertFile'])
#    port = internet.SSLServer(srv.aa['portNum'], siteFactory, ctxFactory)

    # Using M2Crypto ...
    # OPENSSL_ALLOW_PROXY_CERTS makes OpenSSL accept RFC 3820 proxy certs
    # in the client chain during verification
    os.putenv("OPENSSL_ALLOW_PROXY_CERTS", "1")

    import twisted.protocols.policies as policies
    from M2Crypto import SSL
    from M2Crypto.SSL import TwistedProtocolWrapper
    from M2Crypto.SSL.TwistedProtocolWrapper import TLSProtocolWrapper

    siteFactory.startTLS = True
    siteFactory.sslChecker = SSL.Checker.Checker()

    # TODO: Python ssl client seems to require SSL vers 2 is this a security
    # risk?
    # Nb. 'sslv23' selects SSLv23_method: the highest version both sides
    # support is negotiated, but SSLv2/SSLv3 stay permitted unless the
    # corresponding op_no_* options are set on the context.
    ctx = SSL.Context(protocol='sslv23')
    # Nb. NULL-MD5 is a null-encryption suite.  @STRENGTH sorts it to the
    # bottom of the list but does not remove it, so a client that selects it
    # gets an unencrypted session.
    ctx.set_cipher_list("NULL-MD5:ALL:!ADH:!EXP:@STRENGTH")
    ctx.load_cert(srv.aa['sslCertFile'],
                  srv.aa['sslKeyFile'],
                  callback=lambda *args, **kw: srv.aa['sslKeyPwd'])

    ctx.set_allow_unknown_ca(False)

    # TODO: resolve check - verify_peer setting fails with
    # BIOError: 'no certificate returned' error 18
#    ctx.set_verify(SSL.verify_peer, 10)
    ctx.set_verify(SSL.verify_client_once, 1)

    # cafile must be the full path: a bare basename only resolves relative to
    # the process working directory.  capath is kept for hash-named CA files
    # in the same directory.
    ctx.load_verify_locations(cafile=srv.aa['caCertFile'],
                              capath=os.path.dirname(srv.aa['caCertFile']))

    class ContextFactory:
        def getContext(self):
            return ctx

    factory = policies.WrappingFactory(siteFactory)
    factory.protocol.TLS = True
    factory.protocol = lambda factory, wrappedProtocol: \
        TLSProtocolWrapper(factory,
                           wrappedProtocol,
                           startPassThrough=0,
                           client=0,
                           contextFactory=ContextFactory(),
                           postConnectionCheck=None)

    siteFactory = factory

    port = internet.TCPServer(srv.aa['portNum'], siteFactory)
    port.CERTFILE = srv.aa['sslCertFile']
    port.KEYFILE = srv.aa['sslKeyFile']
    root.__class__.server = port
else:
    # Non-SSL
    port = internet.TCPServer(srv.aa['portNum'], siteFactory)

application = service.Application("AttributeAuthorityContainer")
port.setServiceParent(application)
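The cipher list the .tac file passes to ctx.set_cipher_list, "NULL-MD5:ALL:!ADH:!EXP:@STRENGTH", names a null-encryption suite explicitly; @STRENGTH only sorts it last. The following is an added Python 3 example, not NDG project code, that statically audits an OpenSSL cipher string of this form the way a reviewer would before deploying it; the WEAK table and the keyword-family approximation of OpenSSL's '!' rules are assumptions of this example.

```python
# Static audit of an OpenSSL cipher-list string (added example, Python 3).
# A plain token enables suites, a '!' token removes a suite or whole family
# for good, and '@STRENGTH' only reorders what is left.

# Suite keyword -> (groups a '!' rule may use to remove it, why it is weak).
# Assumption: only the common OpenSSL group keywords are modelled here.
WEAK = {
    "NULL":  ({"NULL", "eNULL"},  "null encryption (no confidentiality)"),
    "ADH":   ({"ADH", "aNULL"},   "anonymous DH (no server authentication)"),
    "AECDH": ({"AECDH", "aNULL"}, "anonymous ECDH (no server authentication)"),
    "EXP":   ({"EXP", "EXPORT"},  "export-grade key sizes"),
    "RC4":   ({"RC4"},            "RC4 stream cipher"),
    "MD5":   ({"MD5"},            "MD5-based MAC"),
}

def parse_rules(cipher_list):
    """Split a cipher string into (enabled tokens, killed tokens/groups); '+',
    '-' and '@' directives only change preference, so they are skipped."""
    enabled, killed = [], set()
    for tok in cipher_list.split(":"):
        if not tok or tok[0] in "@+-":
            continue
        if tok.startswith("!"):
            killed.add(tok[1:])
        else:
            enabled.append(tok)
    return enabled, killed

def is_killed(token, killed):
    """True if the suite token itself, or a family one of its keywords belongs
    to, was named in a '!' rule (e.g. '!eNULL' removes 'NULL-MD5')."""
    if token in killed:
        return True
    for word in token.split("-"):
        groups = WEAK.get(word, ({word}, None))[0]
        if killed & groups:
            return True
    return False

def audit_cipher_list(cipher_list):
    """Return [(token, reason), ...] for explicitly named suites that survive
    the '!' rules yet use a weak primitive (ALL/HIGH etc. are not expanded)."""
    enabled, killed = parse_rules(cipher_list)
    findings = []
    for tok in enabled:
        if is_killed(tok, killed):
            continue
        for word in tok.split("-"):
            if word in WEAK:
                findings.append((tok, WEAK[word][1]))
    return findings
```

Run against the .tac file's string it reports NULL-MD5 twice (null encryption, MD5 MAC); a list such as "HIGH:!aNULL:!eNULL:!EXP:!MD5:!RC4:@STRENGTH" reports nothing.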