source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac @ 2418

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac@2418
Revision 2418, 7.1 KB checked in by pjkersha, 13 years ago (diff)

ndg.security.server/ndg/security/server/Log.py: remove ref to 'Logger'

ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
added M2Crypto SSL support

ndg.security.server/ndg/security/server/SessionMgr/start-container.sh:
copy from Attribute Authority version.

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:
fix to test5ProxyCertDisconnect call.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
set clntprikeypwd to null so that it is not prompted for from terminal.

ndg.security.common/ndg/security/common/SessionMgr/init.py: fix to
disconnect SOAP client call so that userCert omit alone is allowed.

ndg.security.common/ndg/security/common/wsSecurity.py: delete debug call.

1#!/usr/bin/env python
2"""NDG Security Session Manager .tac file
3
4This file enables the Session Manager web service to be
5called under the Twisted framework
6
7NERC Data Grid Project
8
9@author P J Kershaw 23/11/06
10
11@copyright (C) 2007 CCLRC & NERC
12
13@license This software may be distributed under the terms of the Q Public
14License, version 1.0 or later.
15"""
16from ZSI.twisted.WSresource import WSResource
17from twisted.application import service, internet
18from twisted.web.server import Site
19from twisted.web.resource import Resource
20
21from SessionMgr_services_server import SessionMgrService
22from ndg.security.server.SessionMgr import SessionMgr
23from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \
24        WSSecurityHandler, SignatureHandler
25
26
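class SessionMgrServiceSub(SessionMgrService, WSResource):
    '''Twisted/ZSI web resource exposing the Session Manager SOAP operations.

    The generated SessionMgrService base decodes each incoming SOAP message
    into request and response objects; the soap_* methods below pass the
    request fields on to a SessionMgr instance and populate the response.
    WSResource supplies the Twisted resource behaviour.'''

    # Handler chain factory picked up by the WSResource base: this is what
    # puts the WS-Security handlers (signature verification) in front of the
    # soap_* dispatch.
    factory = WSSecurityHandlerChainFactory

    def __init__(self):
        '''Initialise the resource and the Session Manager it wraps.

        self.sm is a SessionMgr instance; the soap_* methods call its
        connect()/getAttCert() methods and index it like a mapping for
        configuration settings such as 'certFile'.'''

        WSResource.__init__(self)
        self.sm = SessionMgr()


    def soap_addUser(self, ps, **kw):
        '''Add a new user account

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: request and response objects'''

        # Pure pass-through: the generated base does all the work here.
        return SessionMgrService.soap_addUser(self, ps)


    def soap_connect(self, ps, **kw):
        '''Connect to Session Manager and create a user session

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: request and response objects'''

        request, response = SessionMgrService.soap_connect(self, ps)

        # SessionMgr.connect() returns a 4-tuple which maps one-to-one onto
        # the response elements below.
        (response.ProxyCert,
         response.ProxyPriKey,
         response.UserCert,
         response.Cookie) = self.sm.connect(
                                    username=request.Username,
                                    passphrase=request.Passphrase,
                                    createServerSess=request.CreateServerSess,
                                    getCookie=request.GetCookie)

        return request, response


    def soap_disconnect(self, ps, **kw):
        '''Disconnect and remove user's session

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: request and response objects'''

        # Pure pass-through: the generated base does all the work here.
        return SessionMgrService.soap_disconnect(self, ps)


    def soap_getAttCert(self, ps, **kw):
        '''Get Attribute Certificate from a given Attribute Authority
        and cache it in user's Credential Wallet

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: request and response objects'''

        request, response = SessionMgrService.soap_getAttCert(self, ps)

        # Certificate corresponding to the private key that signed the
        # message, i.e. the user's.  NB. signatureHandler is a CLASS
        # attribute (assigned once at module level in this .tac), so this is
        # state shared by every request - presumably the handler chain sets
        # verifyingCert for the current message before dispatch reaches
        # here; confirm that no other request can run in between.
        signerCert = WSSecurityHandler.signatureHandler.verifyingCert

        # The cert used in the signature is preferred over the UserCert input
        # element, which may have been omitted.  NOTE(review): when no signer
        # cert is available the caller-supplied UserCert is used as-is, so
        # the identity it carries is only as trustworthy as the signature
        # verification that preceded this call.
        userCert = signerCert or request.UserCert

        attCert, msg, extAttCertOut = self.sm.getAttCert(
                            userCert=userCert,
                            sessID=request.SessID,
                            encrSessMgrURI=request.EncrSessionMgrURI,
                            aaURI=request.AttAuthorityURI,
                            reqRole=request.ReqRole,
                            mapFromTrustedHosts=request.MapFromTrustedHosts,
                            rtnExtAttCertList=request.RtnExtAttCertList,
                            extAttCertList=request.ExtAttCert,
                            extTrustedHostList=request.ExtTrustedHost)

        # Only serialise the Attribute Certificate if one was actually
        # returned; otherwise the response element is left unset.
        if attCert:
            response.AttCert = attCert.toString()

        response.Msg = msg
        response.ExtAttCertOut = extAttCertOut

        return request, response


    def soap_getX509Cert(self, ps, **kw):
        '''Return Session Manager's X.509 certificate

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: request and response objects'''

        request, response = SessionMgrService.soap_getX509Cert(self, ps)

        # Close the file handle explicitly instead of leaving it to the
        # garbage collector - the previous one-liner leaked the descriptor on
        # every call.
        certFile = open(self.sm['certFile'])
        try:
            response.X509Cert = certFile.read().strip()
        finally:
            certFile.close()

        return request, response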
138
139
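# Create Service
srv = SessionMgrServiceSub()

# Initialise WS-Security signature handler passing Session Manager
# public and private keys.  NB. this is assigned on the WSSecurityHandler
# CLASS, so one handler instance is shared by every request the container
# serves.
WSSecurityHandler.signatureHandler = SignatureHandler(
                    verifyingCertFilePath=srv.sm['clntCertFile'],
                    signingCertFilePath=srv.sm['certFile'],
                    signingPriKeyFilePath=srv.sm['keyFile'],
                    signingPriKeyPwd=srv.sm['keyPwd'])

# Add Service to Session Manager branch
root = Resource()
root.putChild('SessionManager', srv)
siteFactory = Site(root)

if srv.sm['useSSL']:
    # Use SSL connection.  The pyOpenSSL route
    # (twisted.internet.ssl.DefaultOpenSSLContextFactory + internet.SSLServer)
    # is deliberately not used; M2Crypto is used instead, presumably so that
    # the OPENSSL_ALLOW_PROXY_CERTS setting below takes effect.
    import os

    # Let OpenSSL accept proxy certificates presented by clients (the
    # Session Manager issues proxy certs - see soap_connect).  Set before the
    # SSL context is created.
    os.putenv("OPENSSL_ALLOW_PROXY_CERTS", "1")

    import twisted.protocols.policies as policies
    from M2Crypto import SSL
    from M2Crypto.SSL import TwistedProtocolWrapper
    from M2Crypto.SSL.TwistedProtocolWrapper import TLSProtocolWrapper

    siteFactory.startTLS = True
    siteFactory.sslChecker = SSL.Checker.Checker()

    # 'sslv23' selects OpenSSL's version-negotiating method (it accepts the
    # SSLv2-compatible ClientHello that older clients, including Python's
    # socket.ssl, send) - it does NOT require SSLv2 itself, so SSLv2, which
    # is not considered secure, is switched off.  Clients that negotiate
    # SSLv3/TLS still connect.
    ctx = SSL.Context(protocol='sslv23')
    ctx.set_options(SSL.op_no_sslv2)

    # Exclude anonymous (ADH), export-grade and NULL-encryption suites.  The
    # previous list started with "NULL-MD5", which would have let a client
    # negotiate an authenticated but UNENCRYPTED session.
    ctx.set_cipher_list("ALL:!ADH:!EXP:!eNULL:@STRENGTH")

    # Password callback reads the SSL key passphrase from this service's
    # SessionMgr config.  The previous version read srv.aa - an attribute
    # copied over from the Attribute Authority container that this service
    # does not have - so an encrypted key would have raised AttributeError
    # the moment the callback fired.
    ctx.load_cert(srv.sm['sslCertFile'],
                  srv.sm['sslKeyFile'],
                  callback=lambda *args, **kw: srv.sm['sslKeyPwd'])

    ctx.set_allow_unknown_ca(False)

    # TODO: resolve check - verify_peer setting fails with
    # BIOError: 'no certificate returned' error 18
    #    ctx.set_verify(SSL.verify_peer, 10)
    #
    # NOTE(review): verify_client_once on its own (without verify_peer)
    # does not make the server request a client certificate, so the TLS
    # layer does not authenticate the caller here; caller identity rests on
    # the WS-Security signature check configured above.  Confirm this is the
    # intended trust model.
    ctx.set_verify(SSL.verify_client_once, 1)

    # Pass the CA file by its full path: the previous call passed only the
    # basename, which OpenSSL resolves against the process's current working
    # directory, so the CA bundle was found only when the container happened
    # to be started from that directory.  capath lets OpenSSL also look for
    # hashed CA files alongside it.
    ctx.load_verify_locations(cafile=srv.sm['caCertFile'],
                              capath=os.path.dirname(srv.sm['caCertFile']))

    class ContextFactory:
        '''Minimal context factory for TLSProtocolWrapper: hands out the
        single SSL.Context configured above for every connection.'''
        def getContext(self):
            return ctx

    # Wrap every accepted connection in M2Crypto's TLS protocol wrapper,
    # acting as the server side (client=0) and starting TLS straight away
    # (startPassThrough=0).  postConnectionCheck=None means no post-handshake
    # check of the peer certificate is made.  The '.TLS = True' assignment
    # lands on the default ProtocolWrapper class before .protocol is replaced
    # on the next line - kept as-is, its effect is unclear.
    factory = policies.WrappingFactory(siteFactory)
    factory.protocol.TLS = True
    factory.protocol = lambda factory, wrappedProtocol: \
        TLSProtocolWrapper(factory,
                           wrappedProtocol,
                           startPassThrough=0,
                           client=0,
                           contextFactory=ContextFactory(),
                           postConnectionCheck=None)

    siteFactory = factory

    port = internet.TCPServer(srv.sm['portNum'], siteFactory)
    port.CERTFILE = srv.sm['sslCertFile']
    port.KEYFILE = srv.sm['sslKeyFile']
    root.__class__.server = port
else:
    # Non-SSL
    port = internet.TCPServer(srv.sm['portNum'], siteFactory)

application = service.Application("SessionManagerContainer")
port.setServiceParent(application)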