source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac @ 2076

Revision 2076, 4.7 KB checked in by pjkersha, 13 years ago (diff)

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • Added code to soap_getAttCert stub
  • updated WSSecurityHandler.signatureHandler initialisation with new keywords.

python/ndg.security.server/ndg/security/server/SessionMgr/init.py:

  • renamed redirectAuthorisationReq -> redirectAttCertReq
  • createUserSession now takes proxy cert, private key and user cert as inputs

python/www/html/sessionMgr.wsdl,
python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py and
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py:
Modified getAttCert and disconnect operations.

python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • updated call to SessionMgrClient to use new SignatureHandler keywords.
  • experimenting with disconnect calls - signature doesn't verify correctly at server side.
  • updated call to getAttcert in test6CookieGetAttCert

python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg: updated
AA URIs.

python/ndg.security.common/ndg/security/common/AttAuthority/init.py:
added getSignatureHandler property access method.

python/ndg.security.common/ndg/security/common/XMLSec.py: include more info about error
for when RSA pub key verify fails.

python/ndg.security.common/ndg/security/common/wsSecurity.py:

  • added InvalidSignature? type exception
  • include more info about error for when RSA pub key verify fails.

python/ndg.security.common/ndg/security/common/SessionMgr/init.py:

  • added getSignatureHandler property access method.
  • fix to disconnect keywords input check

python/ndg.security.common/ndg/security/common/CredWallet.py: major refactoring for
prospective beta release of NDG security -

  • attCertRefreshElapse - new attribute used by getAttCert to determine whether to replace

an existing AC in the cache with a fresh one. If the existing one has less than
attCertRefreshElapse time in seconds left before expiry then replace it

  • added epydoc formatting
  • explicit proxy cert, private key and user cert inputs to init. These are also

declared as properties with access methods.

  • proxy cert / private key used in SOAP message signatures.
  • use NullCredRepos? class as default Credential Repository
  • refactoring of WS calls to AA in line with new AttAuthorityClient? interface.
1#!/usr/bin/env python
2"""NDG Security Attribute Authority .tac file
3
4This file enables the Session Manager web service to be
5called under the Twisted framework
6
7NERC Data Grid Project
8
9@author P J Kershaw 23/11/06
10
11@copyright (C) 2007 CCLRC & NERC
12
13@license This software may be distributed under the terms of the Q Public
14License, version 1.0 or later.
15"""
16import socket
17
18from ZSI.twisted.WSresource import WSResource
19from twisted.application import service, internet
20from twisted.web.server import Site
21from twisted.web.resource import Resource
22
23from SessionMgr_services_server import SessionMgrService
24from ndg.security.server.SessionMgr import SessionMgr
25from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \
26        WSSecurityHandler, SignatureHandler
27
28
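class SessionMgrServiceSub(SessionMgrService, WSResource):
    """Twisted web resource exposing the Session Manager SOAP operations.

    Each soap_* method lets the ZSI-generated SessionMgrService base class
    unpack the request and build an empty response, delegates the real work
    to the SessionMgr instance held in self.sm, and fills in the response.
    The WS-Security handler chain named by ``factory`` processes every
    message before these methods are reached.

    Note: the original stubs contained live ``pdb.set_trace()`` calls; a
    breakpoint in a network service blocks the reactor on the first request
    and hands a debugger prompt to whoever holds the process's stdin, so they
    have been removed rather than commented out.
    """

    # Add WS-Security handlers
    factory = WSSecurityHandlerChainFactory

    def __init__(self):
        """Create the resource and the Session Manager it delegates to."""
        WSResource.__init__(self)

        # Initialize Session Manager class - encapsulates inner workings
        # including session management and proxy delegation
        self.sm = SessionMgr()

    def soap_addUser(self, ps, **kw):
        """addUser operation - currently a pass-through to the generated stub.

        @param ps: ZSI ParsedSoap for the incoming message
        @return: (request, response) tuple as produced by the base class
        """
        request, response = SessionMgrService.soap_addUser(self, ps)
        return request, response

    def soap_connect(self, ps, **kw):
        """connect operation - authenticate a user and open a session.

        The username and passphrase are read from the SOAP request body and
        passed straight to SessionMgr.connect; the returned proxy credentials
        and session cookie are copied into the response.

        @param ps: ZSI ParsedSoap for the incoming message
        @return: (request, response) tuple with the response elements set
        """
        request, response = SessionMgrService.soap_connect(self, ps)

        proxyCert, proxyPriKey, userCert, sessCookie = self.sm.connect(
            username=request.get_element_username(),
            passphrase=request.get_element_passphrase(),
            createServerSess=request.get_element_createServerSess(),
            getCookie=request.get_element_getCookie())

        response.set_element_proxyCert(proxyCert)
        response.set_element_proxyPriKey(proxyPriKey)
        response.set_element_userCert(userCert)
        response.set_element_cookie(sessCookie)

        return request, response

    def soap_disconnect(self, ps, **kw):
        """disconnect operation - currently a pass-through to the generated stub.

        @param ps: ZSI ParsedSoap for the incoming message
        @return: (request, response) tuple as produced by the base class
        """
        request, response = SessionMgrService.soap_disconnect(self, ps)
        return request, response

    def soap_getAttCert(self, ps, **kw):
        """getAttCert operation - obtain an Attribute Certificate for the user.

        The certificate used to identify the user is, by preference, the one
        the WS-Security signature handler used to verify this message's
        signature (the user's proxy); the userCert carried in the request
        body is only a fallback because it may have been omitted.

        @param ps: ZSI ParsedSoap for the incoming message
        @return: (request, response) tuple with the response elements set
        """
        request, response = SessionMgrService.soap_getAttCert(self, ps)

        # Get certificate corresponding to private key that signed the
        # message - i.e. the user's proxy.
        # NOTE(review): signatureHandler is class-level state on
        # WSSecurityHandler (assigned once at module level), so confirm
        # verifyingCert is per-request before serving concurrent clients.
        proxyCert = WSSecurityHandler.signatureHandler.verifyingCert
        userCert = request.get_element_userCert()

        # Proxy cert is preferred over userCert - userCert may have been
        # omitted.
        attCert, statCode, msg, extAttCertList = self.sm.getAttCert(
            userCert=proxyCert or userCert,
            sessID=request.get_element_sessID(),
            encrSessMgrURI=request.get_element_encrSessionMgrURI(),
            aaURI=request.get_element_attAuthorityURI(),
            reqRole=request.get_element_reqRole(),
            mapFromTrustedHosts=request.get_element_mapFromTrustedHosts(),
            rtnExtAttCertList=request.get_element_rtnExtAttCertList(),
            extAttCertList=request.get_element_extAttCert(),
            extTrustedHostList=request.get_element_extTrustedHost())

        response.set_element_attCert(attCert)
        response.set_element_statusCode(statCode)
        # FIXME(review): this second call overwrites statusCode with the
        # message text, so the client never sees statCode.  msg belongs in
        # the response's status-message element - use the setter the
        # generated SessionMgr_services_server code provides for it.
        response.set_element_statusCode(msg)
        response.set_element_extAttCert(extAttCertList)

        return request, response

    def soap_getX509Cert(self, ps, **kw):
        """getX509Cert operation - return the Session Manager's own certificate.

        The PEM text is re-read from the configured certFile on every call;
        the file handle is closed explicitly instead of being left to the
        garbage collector.

        @param ps: ZSI ParsedSoap for the incoming message
        @return: (request, response) tuple with x509Cert set
        """
        request, response = SessionMgrService.soap_getX509Cert(self, ps)

        certFile = open(self.sm['certFile'])
        try:
            x509Cert = certFile.read().strip()
        finally:
            certFile.close()

        response.set_element_x509Cert(x509Cert)
        return request, response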
103
104
# Create Service
smSrv = SessionMgrServiceSub()

# WS-Security signature handler, configured with the Session Manager's own
# signing certificate and private key.  This is assigned on the
# WSSecurityHandler class itself, so it applies to every message the handler
# chain processes.
WSSecurityHandler.signatureHandler = SignatureHandler(
    signingCertFilePath=smSrv.sm['certFile'],
    signingPriKeyFilePath=smSrv.sm['keyFile'],
    signingPriKeyPwd=smSrv.sm['keyPwd'])

application = service.Application("SessionManagerContainer")

# Mount the service under the SessionManager branch of the site tree
root = Resource()
root.putChild('SessionManager', smSrv)
siteFactory = Site(root)

if not smSrv.sm['useSSL']:
    # Plain TCP listener.
    # NOTE(review): soap_connect carries the user's passphrase in the SOAP
    # body, so on this path it crosses the wire unencrypted unless the
    # WS-Security chain encrypts the body - confirm before deploying this way.
    port = internet.TCPServer(smSrv.sm['portNum'], siteFactory)
else:
    # SSL listener.  Nb. ssl.DefaultOpenSSLContextFactory requires pyOpenSSL,
    # which is why the import is deferred to this branch.
    from twisted.internet import ssl

    ctxFactory = ssl.DefaultOpenSSLContextFactory(smSrv.sm['sslKeyFile'],
                                                  smSrv.sm['sslCertFile'])
    port = internet.SSLServer(smSrv.sm['portNum'], siteFactory, ctxFactory)

port.setServiceParent(application)