source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac @ 2730

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac@2730
Revision 2730, 8.3 KB checked in by pjkersha, 12 years ago (diff)

ndg.security.server/ndg/security/server/share/ndg-sm,
ndg.security.server/ndg/security/server/share/ndg-aa,
ndg.security.server/ndg/security/server/share/ndg-gk,
ndg.security.server/ndg/security/server/share/ndg-log,
ndg.security.server/ndg/security/server/share/ndg-ca:

  • removed refs to NDG in python paths. Use /usr/local as default instead
  • fixed refs to NDGSEC_*_PROPFILEPATH env variables to correct setting

ndg.security.server/ndg/security/server/share/Makefile: changed so that
env var default names are set correctly

ndg.security.server/ndg/security/server/ca/server-config.tac,
ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • fixed import for ndg.security.server.*.*_services_server to include

complete path.

Line 
1#!/usr/bin/env python
2"""NDG Security Session Manager .tac file
3
4This file enables the Session Manager web service to be
5called under the Twisted framework
6
7NERC Data Grid Project
8
9@author P J Kershaw 23/11/06
10
11@copyright (C) 2007 CCLRC & NERC
12
13@license This software may be distributed under the terms of the Q Public
14License, version 1.0 or later.
15"""
16import base64
17
18from ZSI.twisted.WSresource import WSResource
19from twisted.application import service, internet
20from twisted.web.server import Site
21from twisted.web.resource import Resource
22
23from ndg.security.server.SessionMgr.SessionMgr_services_server import \
24        SessionMgrService
25from ndg.security.server.SessionMgr import SessionMgr
26from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \
27        WSSecurityHandler, SignatureHandler
28from ndg.security.common.X509 import X509CertRead
29
30
31class SessionMgrServiceSub(SessionMgrService, WSResource):
32
33    # Add WS-Security handlers
34    factory = WSSecurityHandlerChainFactory
35       
36    def __init__(self):
37        '''Initialize Session Manager class - encapsulates inner workings
38        including session management and proxy delegation
39       
40        @type ps: ZSI ParsedSoap
41        @param ps: client SOAP message
42        @rtype: tuple
43        @return: request and response objects'''
44
45        WSResource.__init__(self) 
46        self.sm = SessionMgr()
47
48
49    def soap_addUser(self, ps, **kw):
50        '''Add a new user account
51       
52        @type ps: ZSI ParsedSoap
53        @param ps: client SOAP message
54        @rtype: tuple
55        @return: request and response objects'''
56
57        request, response = SessionMgrService.soap_addUser(self, ps)
58        return request, response
59
60
61    def soap_connect(self, ps, **kw):
62        '''Connect to Session Manager and create a user session
63       
64        @type ps: ZSI ParsedSoap
65        @param ps: client SOAP message
66        @rtype: tuple
67        @return: request and response objects'''
68
69        request, response = SessionMgrService.soap_connect(self, ps)
70       
71        result = self.sm.connect(username=request.Username,
72                                                                 passphrase=request.Passphrase,
73                                                                 createServerSess=request.CreateServerSess)
74                                       
75        response.ProxyCert, response.ProxyPriKey, response.UserCert, \
76                response.SessID = result
77                         
78        return request, response
79
80
81    def soap_disconnect(self, ps, **kw):
82        '''Disconnect and remove user's session
83       
84        @type ps: ZSI ParsedSoap
85        @param ps: client SOAP message
86        @rtype: tuple
87        @return: request and response objects'''
88           
89        request, response = SessionMgrService.soap_disconnect(self, ps)
90       
91        # Derive designated user ID differently according to whether
92        # a session ID was passed and the message was signed
93        sessID = request.SessID or None
94               
95        if srv.sm['useSignatureHandler']:
96            # Get certificate corresponding to private key that signed the
97            # message - i.e. the user's proxy
98            userCert = WSSecurityHandler.signatureHandler.verifyingCert
99        else:
100            userCert = request.UserCert
101
102        self.sm.deleteUserSession(sessID=sessID, proxyCert=userCert)
103        return request, response
104
105
106    def soap_getAttCert(self, ps, **kw):
107        '''Get Attribute Certificate from a given Attribute Authority
108        and cache it in user's Credential Wallet
109       
110        @type ps: ZSI ParsedSoap
111        @param ps: client SOAP message
112        @rtype: tuple
113        @return: request and response objects'''
114
115        request, response = SessionMgrService.soap_getAttCert(self, ps)
116
117        # Get certificate corresponding to private key that signed the
118        # message - i.e. the user's             
119        if srv.sm['useSignatureHandler']:
120            # Get certificate corresponding to private key that signed the
121            # message - i.e. the user's proxy
122            userCert = WSSecurityHandler.signatureHandler.verifyingCert
123        else:
124            userCert = None
125       
126                # Cert used in signature is prefered over userCert input element -
127                # userCert may have been omitted.
128        result = self.sm.getAttCert(\
129                                            userCert=userCert or request.UserCert,
130                                                sessID=request.SessID,
131                                                aaURI=request.AttAuthorityURI,
132                                                reqRole=request.ReqRole,
133                                                mapFromTrustedHosts=request.MapFromTrustedHosts,
134                                                rtnExtAttCertList=request.RtnExtAttCertList,
135                                                extAttCertList=request.ExtAttCert,
136                                                extTrustedHostList=request.ExtTrustedHost)
137
138
139        if result[0]:
140                response.AttCert = result[0].toString() 
141               
142        response.Msg, response.ExtAttCertOut = result[1:]
143       
144        return request, response
145
146
147    def soap_getX509Cert(self, ps, **kw):
148        '''Return Session Manager's X.509 certificate
149       
150        @type ps: ZSI ParsedSoap
151        @param ps: client SOAP message
152        @rtype: tuple
153        @return: request and response objects'''
154       
155        request, response = SessionMgrService.soap_getX509Cert(self, ps)
156
157        x509Cert = X509CertRead(srv.sm['certFile'])
158        response.X509Cert = base64.encodestring(x509Cert.asDER())
159        return request, response
160
161
162# Create Service
163srv = SessionMgrServiceSub()
164
165if srv.sm['useSignatureHandler']:
166        # Initialise WS-Security signature handler passing Attribute Authority
167        # public and private keys
168        caCertFile = srv.sm.get('caCertFile')
169        if caCertFile:
170                caCertFilePathList = (caCertFile,) 
171        else:
172                caCertFilePathList = None
173       
174        # Initialise WS-Security signature handler passing Session Manager
175        # public and private keys
176        WSSecurityHandler.signatureHandler = SignatureHandler(\
177                                                                verifyingCertFilePath=srv.sm['clntCertFile'],
178                                    signingCertFilePath=srv.sm['certFile'],
179                                    signingPriKeyFilePath=srv.sm['keyFile'],
180                                    signingPriKeyPwd=srv.sm['keyPwd'],
181                                    caCertFilePathList=caCertFilePathList)
182
183# Add Service to Session Manager branch
184root = Resource()
185root.putChild('SessionManager', srv)
186siteFactory = Site(root)
187
188if srv.sm['useSSL']:
189        # Use SSL connection
190#       from twisted.internet import ssl
191#       
192#       # Nb. ssl.DefaultOpenSSLContextFactory requires pyOpenSSL
193#       ctxFactory = ssl.DefaultOpenSSLContextFactory(srv.sm['sslKeyFile'],
194#                                                                                                 srv.sm['sslCertFile'])
195#       port = internet.SSLServer(srv.sm['portNum'], siteFactory, ctxFactory)
196
197    # Using M2Crypto ...
198    import os
199    os.putenv("OPENSSL_ALLOW_PROXY_CERTS", "1")
200
201    import twisted.protocols.policies as policies
202    from M2Crypto import SSL
203    from M2Crypto.SSL import TwistedProtocolWrapper
204    from M2Crypto.SSL.TwistedProtocolWrapper import TLSProtocolWrapper
205       
206    siteFactory.startTLS = True
207    siteFactory.sslChecker = SSL.Checker.Checker()
208
209        # TODO: Python ssl client seems to require SSL vers 2 is this a security
210        # risk?
211    ctx = SSL.Context(protocol='sslv23')
212    ctx.set_cipher_list("NULL-MD5:ALL:!ADH:!EXP:@STRENGTH")
213    ctx.load_cert(srv.sm['sslCertFile'], 
214                          srv.sm['sslKeyFile'],
215                          callback=lambda *args, **kw: srv.aa['sslKeyPwd'])
216                         
217    ctx.set_allow_unknown_ca(False)
218
219    # TODO: resolve check - verify_peer setting fails with
220    # BIOError: 'no certificate returned' error 18
221#    ctx.set_verify(SSL.verify_peer, 10)
222    ctx.set_verify(SSL.verify_client_once, 1)
223
224    ctx.load_verify_locations(cafile=os.path.basename(srv.sm['caCertFile']), 
225                                                  capath=os.path.dirname(srv.sm['caCertFile']))
226
227    class ContextFactory:
228        def getContext(self):
229            return ctx
230
231    factory = policies.WrappingFactory(siteFactory)
232    factory.protocol.TLS = True
233    factory.protocol = lambda factory, wrappedProtocol: \
234        TLSProtocolWrapper(factory,
235                           wrappedProtocol,
236                           startPassThrough=0,
237                           client=0,
238                           contextFactory=ContextFactory(),
239                           postConnectionCheck=None)
240
241    siteFactory = factory
242   
243    port = internet.TCPServer(srv.sm['portNum'], siteFactory)
244    port.CERTFILE = srv.sm['sslCertFile']
245    port.KEYFILE = srv.sm['sslKeyFile']
246    root.__class__.server = port
247else:   
248        # Non-SSL
249        port = internet.TCPServer(srv.sm['portNum'], siteFactory)
250
251application = service.Application("SessionManagerContainer")
252port.setServiceParent(application)
Note: See TracBrowser for help on using the repository browser.