source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/__init__.py @ 4480

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/__init__.py@4480
Revision 4480, 7.9 KB checked in by pjkersha, 12 years ago (diff)

Combined Services tests:

  • added capability for Session Manager to call a local Attribute Authority in the WSGI stack of the same Paste instance
  • The SOAP client can have the Session Manager call a local Attribute Authority by setting AttAuthorityURI to nil in the web service call.
"""ZSI Server side SOAP Binding for Session Manager Web Service

Exposes SessionManagerWS, whose soap_* stubs parse the client message and
delegate to ndg.security.server.sessionmanager.SessionManager.

NERC Data Grid Project"""
__author__ = "P J Kershaw"
__date__ = "01/10/08"
__copyright__ = "(C) 2008 STFC & NERC"
__license__ = ("This software may be distributed under the terms of the "
               "Q Public\nLicense, version 1.0 or later.")
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = '$Id$'
12import os, sys
13import base64
14import logging
# Module-level logger; none of the stubs in this module write to it.
log = logging.getLogger(name=__name__)
16
17
18from ndg.security.server.zsi.sessionmanager.SessionManager_services_server \
19    import SessionManagerService as _SessionManagerService
20from ndg.security.common.zsi.sessionmanager.SessionManager_services import \
21    connectInputMsg, disconnectInputMsg, getSessionStatusInputMsg, \
22    getAttCertInputMsg
23   
24   
25from ndg.security.server.sessionmanager import SessionManager
26   
27from ndg.security.common.wssecurity.dom import SignatureHandler
28from ndg.security.common.X509 import X509Cert, X509CertRead
29
class SessionManagerWSConfigError(Exception):
    """Configuration error in the Session Manager Web Service binding,
    e.g. no Attribute Authority reference is available for a request."""
33   
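class SessionManagerWS(_SessionManagerService):
    '''Session Manager ZSI SOAP Service Binding class

    Each soap_* stub parses the client message, delegates to the underlying
    ndg.security.server.sessionmanager.SessionManager instance (self.sm)
    and fills in the ZSI response object.

    Trust boundary: when the WSGI stack registers a WS-Security signature
    verification filter under WSSE_SIGNATURE_FILTER_ID in
    self.referencedWSGIFilters, the designated holder identity is the
    certificate that verified the message signature.  Without that filter
    the identity is taken from the UserX509Cert element of the request body,
    i.e. it is asserted by the client and not authenticated at this layer -
    see soap_disconnect and soap_getAttCert.

    self.referencedWSGIFilters is not set in __init__; it is expected to be
    attached by the enclosing WSGI stack before the soap_* stubs run -
    NOTE(review): confirm against the middleware that constructs this
    binding.
    '''
    # environ key under which the WSGI stack registers the WS-Security
    # signature verification filter - keep in sync with the middleware
    # configuration
    WSSE_SIGNATURE_FILTER_ID = 'wsseSignatureVerificationFilter01'

    # Environment variable which, when set to a non-empty value, drops into
    # pdb at the start of every SOAP stub
    DEBUG_ENVIRON_VAR = 'NDGSEC_INT_DEBUG'

    def __init__(self, **kw):
        '''Create the binding and its Session Manager

        @type kw: dict
        @param kw: keyword settings; 'attributeAuthorityFilterID' (environ
        key of a local Attribute Authority filter, see soap_getAttCert) is
        consumed here and everything else is passed on to SessionManager'''

        # Stop in debugger at beginning of SOAP stub if environment variable
        # is set.  This halts the serving process, so the variable is only
        # meant for interactive debugging.
        self.__debug = bool(os.environ.get(self.DEBUG_ENVIRON_VAR))
        if self.__debug:
            import pdb
            pdb.set_trace()

        # Extract local Attribute Authority environ identifier.  May be None,
        # in which case a getAttCert request without an AttAuthorityURI fails
        # with SessionManagerWSConfigError.
        self.attributeAuthorityFilterID = kw.pop('attributeAuthorityFilterID',
                                                 None)

        # Initialise Session Manager class - property file will be
        # picked up from default location under $NDG_DIR directory
        self.sm = SessionManager(**kw)

    def _getUserX509Cert(self, request):
        '''Derive the designated holder X.509 certificate for a request

        If the WSGI stack registered a WS-Security signature verification
        filter, the certificate is the one corresponding to the private key
        that signed the message, i.e. it has been authenticated.  Otherwise
        it is taken from the request's UserX509Cert element, which is
        supplied by the client and not verified here.

        @param request: parsed client message with a UserX509Cert attribute
        @return: verifying certificate from the signature filter, or
        request.UserX509Cert when no filter is configured; either may be None'''
        signatureFilter = \
            self.referencedWSGIFilters.get(self.WSSE_SIGNATURE_FILTER_ID)
        if signatureFilter is not None:
            # Get certificate corresponding to private key that signed the
            # message - i.e. the user's certificate
            return signatureFilter.signatureHandler.verifyingCert

        # No signature from client - they must instead provide the
        # designated holder cert via the UserX509Cert input
        return request.UserX509Cert

    def _getLocalAttributeAuthority(self, request):
        '''Resolve the local Attribute Authority instance for a getAttCert
        request that names no remote one

        @param request: parsed getAttCert client message
        @return: None when request.AttAuthorityURI is set (a remote Attribute
        Authority is to be called), otherwise the Attribute Authority instance
        held by the filter registered under self.attributeAuthorityFilterID
        @raise SessionManagerWSConfigError: AttAuthorityURI is unset and no
        usable Attribute Authority filter reference is in environ'''
        if request.AttAuthorityURI is not None:
            return None

        # If no Attribute Authority URI is set pick up local Attribute
        # Authority instance
        attributeAuthorityFilter = \
            self.referencedWSGIFilters.get(self.attributeAuthorityFilterID)
        try:
            # AttributeError covers both a missing filter (None, including an
            # unset attributeAuthorityFilterID) and a filter without the
            # expected serviceSOAPBinding.aa attribute
            return attributeAuthorityFilter.serviceSOAPBinding.aa
        except AttributeError, e:
            raise SessionManagerWSConfigError("No Attribute Authority URI "
                    "was input and no Attribute Authority instance "
                    "reference set in environ: %s" % e)

    def soap_connect(self, ps, **kw):
        '''Connect to Session Manager and create a user session

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @param kw: not used
        @rtype: ZSI response object
        @return: response carrying the user's X.509 certificate, private key,
        issuing certificate and session ID as returned by SessionManager.connect'''
        if self.__debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(connectInputMsg.typecode)
        response = _SessionManagerService.soap_connect(self, ps)

        result = self.sm.connect(username=request.Username,
                                 passphrase=request.Passphrase,
                                 createServerSess=request.CreateServerSess)

        # NB. the user's private key is sent back to the client in the SOAP
        # response, so the transport carrying it needs confidentiality
        (response.UserX509Cert,
         response.UserPriKey,
         response.issuingCert,
         response.SessID) = result

        return response

    def soap_disconnect(self, ps, **kw):
        '''Disconnect and remove user's session

        The session is selected by session ID and/or the designated holder
        certificate (see _getUserX509Cert); without a signature verification
        filter the certificate is client-asserted.

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @param kw: not used
        @rtype: ZSI response object
        @return: disconnect response object'''
        if self.__debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(disconnectInputMsg.typecode)
        response = _SessionManagerService.soap_disconnect(self, ps)

        # Normalise an empty session ID to None before passing it on.  NB. the
        # other stubs pass request.SessID through unchanged.
        sessID = request.SessID or None

        userX509Cert = self._getUserX509Cert(request)

        self.sm.deleteUserSession(sessID=sessID, userX509Cert=userX509Cert)
        return response

    def soap_getSessionStatus(self, ps, **kw):
        '''Check for existence of a session with given session ID or user
        Distinguished Name

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @param kw: not used
        @rtype: ZSI response object
        @return: response with IsAlive set from SessionManager.getSessionStatus'''
        if self.__debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getSessionStatusInputMsg.typecode)
        response = _SessionManagerService.soap_getSessionStatus(self, ps)

        response.IsAlive = self.sm.getSessionStatus(userDN=request.UserDN,
                                                    sessID=request.SessID)

        return response

    def soap_getAttCert(self, ps, **kw):
        '''Get Attribute Certificate from a given Attribute Authority
        and cache it in user's Credential Wallet

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @param kw: not used
        @rtype: ZSI response object
        @return: response with AttCert (when one was obtained), Msg and
        ExtAttCertOut set
        @raise SessionManagerWSConfigError: the request has no AttAuthorityURI
        and no local Attribute Authority is reachable under
        self.attributeAuthorityFilterID'''
        if self.__debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getAttCertInputMsg.typecode)
        response = _SessionManagerService.soap_getAttCert(self, ps)

        userX509Cert = self._getUserX509Cert(request)
        attributeAuthority = self._getLocalAttributeAuthority(request)

        # X.509 Cert used in signature is preferred over userX509Cert input
        # element - userX509Cert may have been omitted.  The fallback also
        # applies when a signature filter is configured but its verifyingCert
        # is unset: the client-supplied certificate is used in that case.
        result = self.sm.getAttCert(
                            userX509Cert=userX509Cert or request.UserX509Cert,
                            sessID=request.SessID,
                            attributeAuthorityURI=request.AttAuthorityURI,
                            attributeAuthority=attributeAuthority,
                            reqRole=request.ReqRole,
                            mapFromTrustedHosts=request.MapFromTrustedHosts,
                            rtnExtAttCertList=request.RtnExtAttCertList,
                            extAttCertList=request.ExtAttCert,
                            extTrustedHostList=request.ExtTrustedHost)

        attCert, response.Msg, response.ExtAttCertOut = result
        if attCert:
            response.AttCert = attCert.toString()

        return response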