
ndg.security.server.wsgi.utils.sessionmanagerclient.WSGISessionManagerClient: completed this class and tested in combinedservices unit tests. This class enables WSGI apps to access another Session Manager WSGI app running in the same stack or else make a callout to a remote SOAP service.

1"""ZSI Server side SOAP Binding for Session Manager Web Service
2
3NERC Data Grid Project"""
4__author__ = "P J Kershaw"
5__date__ = "01/10/08"
6__copyright__ = "(C) 2008 STFC & NERC"
7__license__ = \
8"""This software may be distributed under the terms of the Q Public
9License, version 1.0 or later."""
10__contact__ = "Philip.Kershaw@stfc.ac.uk"
11__revision__ = '$Id$'
12import os, sys
13import base64
14import logging
# Module logger, named after this module so output from the SOAP binding can
# be filtered independently of the rest of ndg.security.
log = logging.getLogger(name=__name__)
16
17
18from ndg.security.server.zsi.sessionmanager.SessionManager_services_server \
19    import SessionManagerService as _SessionManagerService
20from ndg.security.common.zsi.sessionmanager.SessionManager_services import \
21    connectInputMsg, disconnectInputMsg, getSessionStatusInputMsg, \
22    getAttCertInputMsg
23   
24   
25from ndg.security.server.sessionmanager import SessionManager
26from ndg.security.common.credentialwallet import \
27                                        CredentialWalletAttributeRequestDenied 
28from ndg.security.common.wssecurity.dom import SignatureHandler
29from ndg.security.common.X509 import X509Cert, X509CertRead
30
class SessionManagerWSConfigError(Exception):
    """Signal a mis-configuration of the Session Manager Web Service.

    Raised, for example, when a getAttCert request carries no Attribute
    Authority URI and no local Attribute Authority filter reference can be
    resolved from the WSGI environ.
    """
    pass
34   
class SessionManagerWS(_SessionManagerService):
    '''Session Manager ZSI SOAP Service Binding class
   
    Each soap_* operation parses the inbound message with the matching ZSI
    typecode, takes the response object supplied by the generated base class
    call, delegates the work to the wrapped SessionManager (self.sm) and fills
    in the response fields before returning it.
   
    self.referencedWSGIFilters is read by soap_disconnect and soap_getAttCert
    but is never assigned in this class - presumably the enclosing WSGI stack
    sets it; confirm against the deployment code.  When it does not reference
    the WS-Security signature verification filter, the user's X.509
    certificate is taken unverified from the request body (see those methods).
    '''
   
    def __init__(self, **kw):
        '''Initialise the binding and the Session Manager it wraps
       
        @type kw: dict
        @param kw: 'attributeAuthorityFilterID' is removed and stored on this
        object; every remaining keyword is passed to the SessionManager
        constructor'''
       
        # Stop in debugger at beginning of SOAP stub if environment variable
        # is set.  NOTE(review): this is an interactive breakpoint inside a
        # network-facing request handler and fires on every SOAP call for as
        # long as NDGSEC_INT_DEBUG is set in the process environment - it is a
        # developer-only switch and must stay unset in any deployed service.
        self.__debug = bool(os.environ.get('NDGSEC_INT_DEBUG'))
        if self.__debug:
            import pdb
            pdb.set_trace()
       
        # Extract local Attribute Authority environ identifier - used by
        # soap_getAttCert to find a co-located Attribute Authority filter when
        # the request names no Attribute Authority URI
        self.attributeAuthorityFilterID = kw.pop('attributeAuthorityFilterID', 
                                                 None)
       
        # Initialise Session Manager instance from the remaining keywords -
        # property file will be picked up from default location under $NDG_DIR
        # directory.  NOTE(review): the generated base class constructor is
        # not invoked here; confirm it needs no initialisation of its own.
        self.sm = SessionManager(**kw)


    def soap_connect(self, ps, **kw):
        '''Connect to Session Manager and create a user session
       
        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @type kw: dict
        @param kw: extra keywords from the ZSI dispatcher; unused here
        @rtype: ZSI response message object
        @return: response populated with the user's X.509 certificate,
        private key, issuing certificate and session ID'''

        if self.__debug:
            import pdb
            pdb.set_trace()
           
        # Parse the request body; the base class call supplies the response
        # object that is filled in below
        request = ps.Parse(connectInputMsg.typecode)
        response = _SessionManagerService.soap_connect(self, ps)
       
        # request.Passphrase is the user's credential: it is handed straight
        # to the Session Manager and must not be logged here
        result = self.sm.connect(username=request.Username,
                                 passphrase=request.Passphrase,
                                 createServerSess=request.CreateServerSess)
                   
        # NOTE(review): the response carries the user's private key
        # (UserPriKey) back to the client, so this operation relies entirely
        # on the transport / WS-Security protection configured around the
        # binding - presumably TLS and/or message encryption; confirm.
        response.UserX509Cert, response.UserPriKey, response.issuingCert, \
            response.SessID = result
                 
        return response


    def soap_disconnect(self, ps, **kw):
        '''Disconnect and remove user's session
       
        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @type kw: dict
        @param kw: extra keywords from the ZSI dispatcher; unused here
        @rtype: ZSI response message object
        @return: response object as returned by the base class call; no
        fields are set on it here'''
        if self.__debug:
            import pdb
            pdb.set_trace()
           
        request = ps.Parse(disconnectInputMsg.typecode)
        response = _SessionManagerService.soap_disconnect(self, ps)
       
        # Derive designated user ID differently according to whether
        # a session ID was passed and the message was signed.  An empty
        # session ID string is normalised to None.
        sessID = request.SessID or None
           
        # Derive designated holder X.509 cert differently according to whether
        # a signed message is expected from the client - NB, this is dependent
        # on whether a reference to the signature filter was set in the
        # environment
        signatureFilter = \
            self.referencedWSGIFilters.get('wsseSignatureVerificationFilter01')
        if signatureFilter is not None:
            # Get certificate corresponding to private key that signed the
            # message - i.e. the user's certificate.  NOTE(review): unlike
            # soap_getAttCert there is no fallback to request.UserX509Cert when
            # verifyingCert is None - confirm this asymmetry is intended.
            userX509Cert = signatureFilter.signatureHandler.verifyingCert
        else:
            # No signature from client - they must instead provide the
            # designated holder cert via the UserX509Cert input.  In this
            # configuration the certificate selecting which session to delete
            # is supplied by the caller and is not verified here, so the
            # deployment is expected to protect this operation by other means.
            userX509Cert = request.UserX509Cert
           
        self.sm.deleteUserSession(sessID=sessID, userX509Cert=userX509Cert)
        return response


    def soap_getSessionStatus(self, ps, **kw):
        '''Check for existence of a session with given session ID or user
        Distinguished Name
       
        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @type kw: dict
        @param kw: extra keywords from the ZSI dispatcher; unused here
        @rtype: ZSI response message object
        @return: response with IsAlive set from the Session Manager's
        getSessionStatus result'''

        if self.__debug:
            import pdb
            pdb.set_trace()
           
        request = ps.Parse(getSessionStatusInputMsg.typecode)
        response = _SessionManagerService.soap_getSessionStatus(self, ps)
       
        # Both selectors are passed through as given; which one takes
        # precedence when both are set is decided by SessionManager
        response.IsAlive = self.sm.getSessionStatus(userDN=request.UserDN,
                                                    sessID=request.SessID)
                 
        return response


    def soap_getAttCert(self, ps, **kw):
        '''Get Attribute Certificate from a given Attribute Authority
        and cache it in user's Credential Wallet
       
        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @type kw: dict
        @param kw: extra keywords from the ZSI dispatcher; unused here
        @rtype: ZSI response message object
        @return: response with AttCert set on success; on a
        CredentialWalletAttributeRequestDenied error AttCert is left unset and
        Msg / ExtAttCertOut carry the error text and the attribute
        certificates that could be used for a mapped retry
        @raise SessionManagerWSConfigError: no Attribute Authority URI in the
        request and no local Attribute Authority instance resolvable from the
        referenced WSGI filters'''
        if self.__debug:
            import pdb
            pdb.set_trace()
           
        request = ps.Parse(getAttCertInputMsg.typecode)
        response = _SessionManagerService.soap_getAttCert(self, ps)

        # Derive designated holder X.509 cert. differently according to whether
        # a signed message is expected from the client - NB, this is dependent
        # on whether a reference to the signature filter was set in the
        # environment
        signatureFilter = \
            self.referencedWSGIFilters.get('wsseSignatureVerificationFilter01')
        if signatureFilter is not None:
            # Get certificate corresponding to private key that signed the
            # message - i.e. the user's proxy
            userX509Cert = signatureFilter.signatureHandler.verifyingCert
        else:
            # No signature from client - they must instead provide the
            # designated holder cert via the UserX509Cert input (unverified
            # caller-supplied value in this configuration)
            userX509Cert = request.UserX509Cert

        # If no Attribute Authority URI is set pick up local Attribute
        # instance Authority.  A missing attributeAuthorityFilterID (None) or
        # an unknown filter ID both surface as AttributeError below and are
        # reported as a configuration error.
        if request.AttAuthorityURI is None:
            attributeAuthorityFilter = \
                self.referencedWSGIFilters.get(self.attributeAuthorityFilterID)
               
            try:
                attributeAuthority = \
                    attributeAuthorityFilter.serviceSOAPBinding.aa
            except AttributeError, e:
                raise SessionManagerWSConfigError("No Attribute Authority URI "
                        "was input and no Attribute Authority instance "
                        "reference set in environ: %s" % e)
        else:
            attributeAuthority = None
               
        # X.509 Cert used in signature is preferred over userX509Cert input
        # element - userX509Cert may have been omitted.
        # NOTE(review): the "or" means that when the signature filter is
        # configured but verifyingCert is None, the unverified
        # request.UserX509Cert is used instead - a silent downgrade unless
        # verifyingCert is guaranteed to be set once the filter has run;
        # confirm against the signature filter's behaviour.
        try:
            attCert = self.sm.getAttCert(
                            userX509Cert=userX509Cert or request.UserX509Cert,
                            sessID=request.SessID,
                            attributeAuthorityURI=request.AttAuthorityURI,
                            attributeAuthority=attributeAuthority,
                            reqRole=request.ReqRole,
                            mapFromTrustedHosts=request.MapFromTrustedHosts,
                            rtnExtAttCertList=request.RtnExtAttCertList,
                            extAttCertList=request.ExtAttCert,
                            extTrustedHostList=request.ExtTrustedHost)
            response.AttCert = attCert.toString()
           
        except CredentialWalletAttributeRequestDenied, e:
            # Exception object contains a list of attribute certificates
            # which could be used to re-try to get authorisation via a mapped
            # certificate.  The exception text is returned to the client
            # verbatim in Msg; keep it free of internal detail at the point
            # it is raised.
            response.Msg = str(e)
            response.ExtAttCertOut = e.extAttCertList
       
        return response