1 | #!/usr/bin/env python |
---|
2 | """Test harness for NDG Session Manager SOAP client interface - makes requests |
---|
3 | for authentication and attribute retrieval. Test Session Manager and Attribute |
---|
4 | Authority services must be running for *AttCert* tests. See README in this |
---|
5 | directory |
---|
6 | |
---|
7 | NERC Data Grid Project |
---|
8 | """ |
---|
9 | __author__ = "P J Kershaw" |
---|
10 | __date__ = "23/02/06" |
---|
11 | __copyright__ = "(C) 2007 STFC" |
---|
12 | __license__ = \ |
---|
13 | """This software may be distributed under the terms of the Q Public |
---|
14 | License, version 1.0 or later.""" |
---|
15 | __contact__ = "Philip.Kershaw@stfc.ac.uk" |
---|
16 | __revision__ = '$Id$' |
---|
17 | import logging |
---|
18 | logging.basicConfig(level=logging.DEBUG) |
---|
19 | log = logging.getLogger(__name__) |
---|
20 | |
---|
21 | import unittest |
---|
22 | import os |
---|
23 | import sys |
---|
24 | import getpass |
---|
25 | import re |
---|
26 | |
---|
27 | from os.path import expandvars as xpdVars |
---|
28 | from os.path import join as jnPath |
---|
29 | mkPath = lambda file: jnPath(os.environ['NDGSEC_SMCLNT_UNITTEST_DIR'], file) |
---|
30 | |
---|
31 | from ndg.security.common.sessionmanager import SessionManagerClient, \ |
---|
32 | AttributeRequestDenied |
---|
33 | |
---|
34 | from ndg.security.common.X509 import X509CertParse, X509CertRead |
---|
35 | from ndg.security.common.wssecurity.dom import SignatureHandler as SigHdlr |
---|
36 | from ndg.security.common.utils.configfileparsers import \ |
---|
37 | CaseSensitiveConfigParser |
---|
38 | |
---|
39 | |
---|
40 | class SessionManagerClientTestCase(unittest.TestCase): |
---|
41 | '''Unit tests for ndg.security.common.sessionmanager.SessionManagerClient |
---|
42 | - SOAP Session Manager client interface |
---|
43 | ''' |
---|
44 | pemPat = "-----BEGIN CERTIFICATE-----[^\-]*-----END CERTIFICATE-----" |
---|
45 | |
---|
46 | test01Passphrase = None |
---|
47 | test03Passphrase = None |
---|
48 | |
---|
49 | def _getCertChainFromProxyCertFile(self, certChainFilePath): |
---|
50 | '''Read user cert and user cert from a single PEM file and put in |
---|
51 | a list ready for input into SignatureHandler''' |
---|
52 | certChainFileTxt = open(certChainFilePath).read() |
---|
53 | |
---|
54 | pemPatRE = re.compile(SessionManagerClientTestCase.pemPat, re.S) |
---|
55 | x509CertList = pemPatRE.findall(certChainFileTxt) |
---|
56 | |
---|
57 | signingCertChain = [X509CertParse(x509Cert) for x509Cert in \ |
---|
58 | x509CertList] |
---|
59 | |
---|
60 | # Expecting user cert first - move this to the end. This will |
---|
61 | # be the cert used to verify the message signature |
---|
62 | signingCertChain.reverse() |
---|
63 | |
---|
64 | return signingCertChain |
---|
65 | |
---|
66 | |
---|
67 | |
---|
68 | def setUp(self): |
---|
69 | |
---|
70 | if 'NDGSEC_INT_DEBUG' in os.environ: |
---|
71 | import pdb |
---|
72 | pdb.set_trace() |
---|
73 | |
---|
74 | if 'NDGSEC_SMCLNT_UNITTEST_DIR' not in os.environ: |
---|
75 | os.environ['NDGSEC_SMCLNT_UNITTEST_DIR'] = \ |
---|
76 | os.path.abspath(os.path.dirname(__file__)) |
---|
77 | |
---|
78 | self.cfgParser = CaseSensitiveConfigParser() |
---|
79 | cfgFilePath = jnPath(os.environ['NDGSEC_SMCLNT_UNITTEST_DIR'], |
---|
80 | 'sessionMgrClientTest.cfg') |
---|
81 | self.cfgParser.read(cfgFilePath) |
---|
82 | |
---|
83 | self.cfg = {} |
---|
84 | for section in self.cfgParser.sections(): |
---|
85 | self.cfg[section] = dict(self.cfgParser.items(section)) |
---|
86 | |
---|
87 | try: |
---|
88 | sslCACertList = [X509CertRead(xpdVars(file)) for file in \ |
---|
89 | self.cfg['setUp']['sslCACertFilePathList'].split()] |
---|
90 | except KeyError: |
---|
91 | sslCACertList = [] |
---|
92 | |
---|
93 | # Instantiate WS proxy |
---|
94 | self.clnt = SessionManagerClient(uri=self.cfg['setUp']['uri'], |
---|
95 | sslPeerCertCN=self.cfg['setUp'].get('sslPeerCertCN'), |
---|
96 | sslCACertList=sslCACertList, |
---|
97 | cfgFileSection='wsse', |
---|
98 | cfg=self.cfgParser) |
---|
99 | |
---|
100 | self.sessID = None |
---|
101 | self.userX509Cert = None |
---|
102 | self.userPriKey = None |
---|
103 | self.issuingCert = None |
---|
104 | |
---|
105 | |
---|
106 | def test01Connect(self): |
---|
107 | """test01Connect: Connect as if acting as a browser client - |
---|
108 | a session ID is returned""" |
---|
109 | |
---|
110 | username = self.cfg['test01Connect']['username'] |
---|
111 | |
---|
112 | if SessionManagerClientTestCase.test01Passphrase is None: |
---|
113 | SessionManagerClientTestCase.test01Passphrase = \ |
---|
114 | self.cfg['test01Connect'].get('passphrase') |
---|
115 | |
---|
116 | if not SessionManagerClientTestCase.test01Passphrase: |
---|
117 | SessionManagerClientTestCase.test01Passphrase = getpass.getpass(\ |
---|
118 | prompt="\ntest01Connect pass-phrase for user %s: " % username) |
---|
119 | |
---|
120 | self.userX509Cert, self.userPriKey, self.issuingCert, self.sessID = \ |
---|
121 | self.clnt.connect(self.cfg['test01Connect']['username'], |
---|
122 | passphrase=SessionManagerClientTestCase.test01Passphrase) |
---|
123 | |
---|
124 | print("User '%s' connected to Session Manager:\n%s" % (username, |
---|
125 | self.sessID)) |
---|
126 | |
---|
127 | |
---|
128 | def test02GetSessionStatus(self): |
---|
129 | """test02GetSessionStatus: check a session is alive""" |
---|
130 | print "\n\t" + self.test02GetSessionStatus.__doc__ |
---|
131 | |
---|
132 | self.test01Connect() |
---|
133 | assert self.clnt.getSessionStatus(sessID=self.sessID),"Session is dead" |
---|
134 | |
---|
135 | print("User connected to Session Manager with sessID=%s" % self.sessID) |
---|
136 | |
---|
137 | assert not self.clnt.getSessionStatus(sessID='abc'), \ |
---|
138 | "sessID=abc shouldn't exist!" |
---|
139 | |
---|
140 | print "CORRECT: sessID=abc doesn't exist" |
---|
141 | |
---|
142 | |
---|
143 | def test03ConnectNoCreateServerSess(self): |
---|
144 | """test03ConnectNoCreateServerSess: Connect without creating a session - |
---|
145 | sessID should be None. This only indicates that the username/password |
---|
146 | are correct. To be of practical use the AuthNService plugin at |
---|
147 | the Session Manager needs to return X.509 credentials e.g. |
---|
148 | with MyProxy plugin.""" |
---|
149 | |
---|
150 | username = self.cfg['test03ConnectNoCreateServerSess']['username'] |
---|
151 | |
---|
152 | if SessionManagerClientTestCase.test03Passphrase is None: |
---|
153 | SessionManagerClientTestCase.test03Passphrase = \ |
---|
154 | self.cfg['test03ConnectNoCreateServerSess'].get('passphrase') |
---|
155 | |
---|
156 | if not SessionManagerClientTestCase.test03Passphrase: |
---|
157 | prompt="\ntest03ConnectNoCreateServerSess pass-phrase for user %s: " |
---|
158 | SessionManagerClientTestCase.test03Passphrase = getpass.getpass(\ |
---|
159 | prompt=prompt % username) |
---|
160 | |
---|
161 | userX509Cert, userPriKey,issuingCert, sessID = \ |
---|
162 | self.clnt.connect(username, |
---|
163 | passphrase=SessionManagerClientTestCase.test03Passphrase, |
---|
164 | createServerSess=False) |
---|
165 | |
---|
166 | # Expect null session ID |
---|
167 | assert(not sessID) |
---|
168 | |
---|
169 | print("Successfully authenticated") |
---|
170 | |
---|
171 | |
---|
172 | def test04DisconnectWithSessID(self): |
---|
173 | """test04DisconnectWithSessID: disconnect as if acting as a browser |
---|
174 | client |
---|
175 | """ |
---|
176 | |
---|
177 | print "\n\t" + self.test04DisconnectWithSessID.__doc__ |
---|
178 | self.test01Connect() |
---|
179 | |
---|
180 | self.clnt.disconnect(sessID=self.sessID) |
---|
181 | |
---|
182 | print("User disconnected from Session Manager:\n%s" % self.sessID) |
---|
183 | |
---|
184 | |
---|
185 | def test05DisconnectWithUserX509Cert(self): |
---|
186 | """test05DisconnectWithUserX509Cert: Disconnect as a command line client |
---|
187 | """ |
---|
188 | |
---|
189 | print "\n\t" + self.test05DisconnectWithUserX509Cert.__doc__ |
---|
190 | self.test01Connect() |
---|
191 | |
---|
192 | # Use user cert / private key just obtained from connect call for |
---|
193 | # signature generation |
---|
194 | if self.issuingCert: |
---|
195 | self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1' |
---|
196 | self.clnt.signatureHandler.signingPriKey = self.userPriKey |
---|
197 | self.clnt.signatureHandler.signingCertChain = (self.issuingCert, |
---|
198 | self.userX509Cert) |
---|
199 | self.clnt.signatureHandler.signingCert = None |
---|
200 | else: |
---|
201 | self.clnt.signatureHandler.reqBinSecTokValType = 'X509v3' |
---|
202 | self.clnt.signatureHandler.signingPriKeyPwd = \ |
---|
203 | SessionManagerClientTestCase.test01Passphrase |
---|
204 | self.clnt.signatureHandler.signingPriKey = self.userPriKey |
---|
205 | self.clnt.signatureHandler.signingCertChain = () |
---|
206 | self.clnt.signatureHandler.signingCert = self.userX509Cert |
---|
207 | |
---|
208 | # user X.509 cert in signature determines ID of session to delete |
---|
209 | self.clnt.disconnect() |
---|
210 | print("User disconnected from Session Manager:\n%s"%self.userX509Cert) |
---|
211 | |
---|
212 | |
---|
213 | def test06GetAttCertWithSessID(self): |
---|
214 | """test06GetAttCertWithSessID: make an attribute request using |
---|
215 | a session ID as authentication credential""" |
---|
216 | |
---|
217 | print "\n\t" + self.test06GetAttCertWithSessID.__doc__ |
---|
218 | thisSection = self.cfg['test06GetAttCertWithSessID'] |
---|
219 | self.test01Connect() |
---|
220 | |
---|
221 | attCert = self.clnt.getAttCert(sessID=self.sessID, |
---|
222 | attributeAuthorityURI=thisSection['aaURI']) |
---|
223 | |
---|
224 | print "Attribute Certificate:\n%s" % attCert |
---|
225 | attCert.filePath = xpdVars(thisSection['acOutFilePath']) |
---|
226 | attCert.write() |
---|
227 | |
---|
228 | |
---|
229 | def test07GetAttCertRefusedWithSessID(self): |
---|
230 | """test07GetAttCertRefusedWithSessID: make an attribute request using |
---|
231 | a sessID as authentication credential requesting an AC from an |
---|
232 | Attribute Authority where the user is NOT registered""" |
---|
233 | |
---|
234 | print "\n\t" + self.test07GetAttCertRefusedWithSessID.__doc__ |
---|
235 | self.test01Connect() |
---|
236 | |
---|
237 | aaURI = self.cfg['test07GetAttCertRefusedWithSessID']['aaURI'] |
---|
238 | |
---|
239 | try: |
---|
240 | attCert = self.clnt.getAttCert(sessID=self.sessID, |
---|
241 | attributeAuthorityURI=aaURI, |
---|
242 | mapFromTrustedHosts=False) |
---|
243 | except AttributeRequestDenied, e: |
---|
244 | print "SUCCESS - obtained expected result: %s" % e |
---|
245 | return |
---|
246 | |
---|
247 | self.fail("Request allowed from AA where user is NOT registered!") |
---|
248 | |
---|
249 | |
---|
250 | def test08GetMappedAttCertWithSessID(self): |
---|
251 | """test08GetMappedAttCertWithSessID: make an attribute request using |
---|
252 | a session ID as authentication credential""" |
---|
253 | |
---|
254 | print "\n\t" + self.test08GetMappedAttCertWithSessID.__doc__ |
---|
255 | self.test01Connect() |
---|
256 | |
---|
257 | aaURI = self.cfg['test08GetMappedAttCertWithSessID']['aaURI'] |
---|
258 | |
---|
259 | attCert=self.clnt.getAttCert(sessID=self.sessID, attributeAuthorityURI=aaURI) |
---|
260 | |
---|
261 | print "Attribute Certificate:\n%s" % attCert |
---|
262 | |
---|
263 | |
---|
264 | def test09GetAttCertWithExtAttCertListWithSessID(self): |
---|
265 | """test09GetAttCertWithExtAttCertListWithSessID: make an attribute |
---|
266 | request usinga session ID as authentication credential""" |
---|
267 | |
---|
268 | print "\n\t"+self.test09GetAttCertWithExtAttCertListWithSessID.__doc__ |
---|
269 | self.test01Connect() |
---|
270 | thisSection = self.cfg['test09GetAttCertWithExtAttCertListWithSessID'] |
---|
271 | |
---|
272 | aaURI = thisSection['aaURI'] |
---|
273 | |
---|
274 | # Use output from test06GetAttCertWithSessID! |
---|
275 | extACFilePath = xpdVars(thisSection['extACFilePath']) |
---|
276 | extAttCert = open(extACFilePath).read() |
---|
277 | |
---|
278 | attCert = self.clnt.getAttCert(sessID=self.sessID, |
---|
279 | attributeAuthorityURI=aaURI, |
---|
280 | extAttCertList=[extAttCert]) |
---|
281 | |
---|
282 | print("Attribute Certificate:\n%s" % attCert) |
---|
283 | |
---|
284 | |
---|
285 | def test10GetAttCertWithUserX509Cert(self): |
---|
286 | """test10GetAttCertWithUserX509Cert: make an attribute request using |
---|
287 | a user cert as authentication credential""" |
---|
288 | print "\n\t" + self.test10GetAttCertWithUserX509Cert.__doc__ |
---|
289 | self.test01Connect() |
---|
290 | |
---|
291 | if self.issuingCert: |
---|
292 | self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1' |
---|
293 | self.clnt.signatureHandler.signingPriKeyPwd = \ |
---|
294 | SessionManagerClientTestCase.test01Passphrase |
---|
295 | self.clnt.signatureHandler.signingPriKey = self.userPriKey |
---|
296 | self.clnt.signatureHandler.signingCertChain = (self.issuingCert, |
---|
297 | self.userX509Cert) |
---|
298 | self.clnt.signatureHandler.signingCert = None |
---|
299 | else: |
---|
300 | self.clnt.signatureHandler.reqBinSecTokValType = 'X509v3' |
---|
301 | self.clnt.signatureHandler.signingPriKeyPwd = \ |
---|
302 | SessionManagerClientTestCase.test01Passphrase |
---|
303 | self.clnt.signatureHandler.signingPriKey = self.userPriKey |
---|
304 | self.clnt.signatureHandler.signingCertChain = () |
---|
305 | self.clnt.signatureHandler.signingCert = self.userX509Cert |
---|
306 | |
---|
307 | # Request an attribute certificate from an Attribute Authority |
---|
308 | # using the userX509Cert returned from connect() |
---|
309 | |
---|
310 | aaURI = self.cfg['test10GetAttCertWithUserX509Cert']['aaURI'] |
---|
311 | attCert = self.clnt.getAttCert(attributeAuthorityURI=aaURI) |
---|
312 | |
---|
313 | print("Attribute Certificate:\n%s" % attCert) |
---|
314 | |
---|
315 | |
---|
316 | class SessionManagerClientTestSuite(unittest.TestSuite): |
---|
317 | |
---|
318 | def __init__(self): |
---|
319 | map = map(SessionManagerClientTestCase, |
---|
320 | ( |
---|
321 | "test01Connect", |
---|
322 | "test02GetSessionStatus", |
---|
323 | "test03ConnectNoCreateServerSess", |
---|
324 | "test04DisconnectWithSessID", |
---|
325 | "test05DisconnectWithUserX509Cert", |
---|
326 | "test06GetAttCertWithSessID", |
---|
327 | "test08GetMappedAttCertWithSessID", |
---|
328 | "test09GetAttCertWithExtAttCertListWithSessID", |
---|
329 | "test10GetAttCertWithUserX509Cert", |
---|
330 | )) |
---|
331 | unittest.TestSuite.__init__(self, map) |
---|
332 | |
---|
333 | |
---|
334 | if __name__ == "__main__": |
---|
335 | unittest.main() |
---|