source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/pep/__init__.py @ 5087

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/pep/__init__.py@5087
Revision 5087, 3.3 KB checked in by pjkersha, 12 years ago (diff)

Moved DemoRenderingInterface from ndg.security.server.wsgi.openid.provider into its own module ndg.security.server.wsgi.openid.provider.renderinginterface.demo

1"""WSGI Policy Enforcement Point Package
2
3NERC DataGrid Project
4"""
5__author__ = "P J Kershaw"
6__date__ = "16/01/2009"
7__copyright__ = "(C) 2009 Science and Technology Facilities Council"
8__contact__ = "Philip.Kershaw@stfc.ac.uk"
9__revision__ = "$Id$"
10__license__ = "BSD - see LICENSE file in top-levle directory"
11import logging
12log = logging.getLogger(__name__)
13import httplib
14
15from ndg.security.server.wsgi import NDGSecurityPathFilter
16from ndg.security.common.X509 import X500DN
17
18
19from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \
20    NDGSecurityMiddlewareConfigError
21
22# TODO: move this class to separate resource constraint module
23from ndg.security.common.authz.pdp.xacml import Resource as XacmlResource
24
class Resource(XacmlResource):
    """Resource description handed to the authorisation layer by the PEP

    Holds the URI being requested and a list of attributes associated with
    it.

    NOTE(review): the base class initialiser is not invoked here, so any
    state XacmlResource.__init__ would set up is absent on instances -
    confirm this is intended.
    """

    def __init__(self, uri, attributes):
        """
        @param uri: URI of the resource being requested
        @param attributes: attributes associated with the resource
        """
        self.uri, self.attributes = uri, attributes
29
class PEPMiddleware(NDGSecurityPathFilter):
    """WSGI Policy Enforcement Point middleware for secured request paths

    B{This class must be run under Apache mod_wsgi}

    - When C{self.pathMatch} is set for a request, a L{Resource} for the
    path is stored in C{environ} and the response status is forced to 403.
    Other requests are passed through with the caller's C{start_response}.
    - C{_redirectFromHTTPS2HTTP} uses the SSL_SERVER_S_DN environment variable
    if available.  To set it, configure Apache SSL with the StdEnvVars option
    for the SSLOptions directive.

    NOTE(review): no access decision is taken in this class - every matched
    path gets a 403 regardless of who is asking, and the resource attributes
    are a hard-coded placeholder.  Whatever turns the 403 into an actual
    allow/deny outcome must live in another layer; verify that layer is
    always present in the deployed WSGI pipeline.
    """
    sslServerDNKeyName = 'SSL_SERVER_S_DN'

    def __init__(self, app, app_conf, prefix='', **local_conf):
        """Pass all settings to the path filter base class and set the
        charset suffix

        @param app: next WSGI application / middleware in the chain
        @param app_conf: application wide configuration
        @type prefix: str
        @param prefix: prefix identifying this middleware's settings
        @param local_conf: settings local to this middleware
        """
        log.debug("Initialising PEPMiddleware ...")

        baseClass = super(PEPMiddleware, self)
        baseClass.__init__(app, app_conf, prefix=prefix, **local_conf)

        self.charset = '; charset=utf-8'

    @NDGSecurityPathFilter.initCall
    def __call__(self, environ, start_response):
        """Mark requests for secured paths with a 403 status

        @type environ: dict
        @param environ: WSGI environment
        @type start_response: callable
        @param start_response: WSGI start response callable
        @return: whatever C{self._setResponse} returns
        """
        log.debug("PEPMiddleware.__call__ ...")

        # Unsecured path: nothing to enforce, hand over unchanged
        if not self.pathMatch:
            return self._setResponse(environ, start_response)

        # Placeholder attribute list - no real resource attributes are
        # looked up at this point
        environ['ndg.security.server.wsgi.pep.resource'] = Resource(
            self.pathInfo, ['someAttribute'])

        def _forbiddenStartResponse(status, header, exc_info=None):
            '''Replacement start_response which reports 403 whatever status
            it is given

            @type status: str
            @param status: HTTP status code and status message (ignored)
            @type header: list
            @param header: list of field, value tuple HTTP header content
            @type exc_info: Exception
            @param exc_info: exception info
            '''
            # NOTE(review): only the status line is swapped.  The header
            # list and the response body produced by the wrapped call pass
            # through untouched.  If _setResponse (not visible here) invokes
            # the protected application, that application still runs and its
            # content is returned under the 403 status - confirm an outer
            # layer intercepts the 403 and replaces the body before it
            # reaches the client.
            log.debug('[%s] is a secured URI: setting 403 status...',
                      self.pathInfo)

            return start_response(self.getStatusMessage(403), header,
                                  exc_info)

        return self._setResponse(environ, _forbiddenStartResponse)

    def _redirectFromHTTPS2HTTP(self, start_response):
        """Redirect the current request to the equivalent plain HTTP URL

        The host is C{self.serverName} when set, otherwise the CN field of
        the DN held in the SSL_SERVER_S_DN environment variable.  The query
        string is not carried over: the target is built from the host,
        C{self.mountPath} and C{self.pathInfo} only.

        NOTE(review): this deliberately moves the client off TLS.  The
        follow-up request, including any cookie not flagged Secure, is sent
        in clear text - confirm nothing sensitive is served or accepted at
        the HTTP URL.  The host part comes from server configuration or the
        certificate DN rather than from the request.

        NOTE(review): when SSL_SERVER_S_DN is absent nothing is sent and
        None is returned; callers must not hand that back as a WSGI
        response.

        @type start_response: callable
        @param start_response: WSGI start response callable
        @return: result of C{self._redirect}, or None if SSL_SERVER_S_DN is
        not in the environment
        """
        # self.environ is presumably populated by the initCall decorator -
        # verify against NDGSecurityPathFilter
        sslServerDN = self.environ.get(PEPMiddleware.sslServerDNKeyName)
        if sslServerDN is None:
            return None

        # An explicitly configured server name takes precedence over the
        # certificate's common name
        serverName = self.serverName or X500DN.Parse(sslServerDN)['CN']

        url = ''.join(('http://', serverName, self.mountPath, self.pathInfo))
        return self._redirect(start_response, url)
90