1"""ZSI Server side SOAP Binding for Attribute Authority Web Service
2
3NERC DataGrid Project"""
4__author__ = "P J Kershaw"
5__date__ = "11/06/08"
6__copyright__ = "(C) 2009 Science and Technology Facilities Council"
7__license__ = "BSD - see LICENSE file in top-level directory"
8__contact__ = "Philip.Kershaw@stfc.ac.uk"
9__revision__ = '$Id: $'
10import os
11import sys
12import base64
13import logging
14log = logging.getLogger(__name__)
15
16from ndg.security.common.zsi.attributeauthority.AttributeAuthority_services \
17    import getAttCertInputMsg, getAttCertOutputMsg, \
18        getHostInfoInputMsg, getHostInfoOutputMsg, \
19        getTrustedHostInfoInputMsg, getTrustedHostInfoOutputMsg, \
20        getAllHostsInfoInputMsg, getAllHostsInfoOutputMsg
21   
22from \
23ndg.security.server.zsi.attributeauthority.AttributeAuthority_services_server \
24    import AttributeAuthorityService as _AttributeAuthorityService
25
26from ndg.security.server.attributeauthority import AttributeAuthority, \
27    AttributeAuthorityAccessDenied
28   
29from ndg.security.common.wssecurity.signaturehandler.dom import SignatureHandler
30from ndg.security.common.X509 import X509Cert, X509CertRead
31
32
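class AttributeAuthorityWSConfigError(Exception):
    """Raised when the SOAP binding is deployed with an inconsistent
    configuration - e.g. a WS-Security signature verification filter is
    referenced by ID but no filter has registered itself under that ID in the
    WSGI environ.  Failing the request is preferred to silently falling back
    to an unverified, client-asserted holder certificate."""


class AttributeAuthorityWS(_AttributeAuthorityService):
    '''Attribute Authority ZSI SOAP Service Binding class

    Each soap_* callback parses the client message, delegates to the wrapped
    ndg.security.server.attributeauthority.AttributeAuthority instance held in
    self.aa and fills in the ZSI response holder returned by the generated
    base binding.

    Notes for deployers:

     * If the NDGSEC_INT_DEBUG environment variable is set (to any non-empty
       value) the constructor and EVERY SOAP callback stop in pdb.  This is an
       interactive development aid only; in a deployed service it blocks each
       request on a debugger prompt, so the variable must not be set there.
     * soap_getAttCert takes the designated holder certificate from one of
       two places.  When a WS-Security signature verification filter is
       referenced via wsseSignatureVerificationFilterID, the holder is the
       certificate that verified the client's message signature.  When no
       filter is referenced, the holder is whatever the client put in the
       UserX509Cert element of the request - nothing in this class checks
       that value or ties it to the caller, so in that mode the
       AttributeAuthority's own checks and/or transport-level authentication
       upstream are presumably relied on (confirm for your deployment).
    '''

    DEBUG_ENVIRON_VARNAME = 'NDGSEC_INT_DEBUG'
    WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME = \
                                            'wsseSignatureVerificationFilterID'

    def __init__(self, **kw):
        '''Set up the binding.

        @type kw: dict
        @param kw: configuration options.  The
        "wsseSignatureVerificationFilterID" entry is consumed here; all
        remaining options are handed to AttributeAuthority.fromProperties to
        build the wrapped Attribute Authority.
        '''
        self.__wsseSignatureVerificationFilterID = None
        self.__debug = None

        # Interactive debugging aid: stop here (and at the start of every
        # SOAP callback) when the environment variable is set.  bool() of the
        # raw string means ANY non-empty value enables it, "0" included.
        self.debug = bool(os.environ.get(
                                AttributeAuthorityWS.DEBUG_ENVIRON_VARNAME))
        if self.debug:
            import pdb
            pdb.set_trace()

        # Reference to the upstream WS-Security signature verification
        # filter.  Without it soap_getAttCert trusts the holder certificate
        # carried in the request body - see that method.
        self.wsseSignatureVerificationFilterID = kw.pop(
            AttributeAuthorityWS.WSSE_SIGNATURE_VERIFICATION_FILTER_ID_OPTNAME,
            None)
        if self.wsseSignatureVerificationFilterID is None:
            log.warning('No "wsseSignatureVerificationFilterID" option was '
                        'set in the input config')

        # Build the wrapped Attribute Authority from whatever options remain.
        # NB: if none remain, self.aa is never assigned and the first SOAP
        # callback to use it raises AttributeError - this class has no
        # default-location fallback of its own.
        if kw:
            self.aa = AttributeAuthority.fromProperties(**kw)

    def _get_debug(self):
        return self.__debug

    def _set_debug(self, value):
        # Strict bool check: a truthy string such as "False" would otherwise
        # silently switch the debugger on.
        if not isinstance(value, bool):
            raise TypeError('Expecting %r for "debug"; got %r' %
                            (bool, type(value)))
        self.__debug = value

    debug = property(_get_debug, _set_debug,
                     doc="Set to True to drop into the debugger for each SOAP "
                         "callback")

    def _get_aa(self):
        return self.__aa

    def _set_aa(self, val):
        if not isinstance(val, AttributeAuthority):
            raise TypeError('Expecting %r for "aa" attribute; got %r' %
                            (AttributeAuthority, type(val)))
        self.__aa = val

    aa = property(fget=_get_aa,
                  fset=_set_aa,
                  doc="Attribute Authority instance")

    def _get_wsseSignatureVerificationFilterID(self):
        return self.__wsseSignatureVerificationFilterID

    def _set_wsseSignatureVerificationFilterID(self, value):
        if not isinstance(value, (basestring, type(None))):
            raise TypeError('Expecting string or None type for '
                            '"wsseSignatureVerificationFilterID"; got %r' %
                            type(value))
        self.__wsseSignatureVerificationFilterID = value

    wsseSignatureVerificationFilterID = property(
                                    _get_wsseSignatureVerificationFilterID,
                                    _set_wsseSignatureVerificationFilterID,
                                    doc="Reference the Signature Verification "
                                        "filter upstream in the stack by "
                                        "the WSGI environ with this keyword.  "
                                        "The verification middleware must "
                                        "likewise set a reference to itself "
                                        "in the environ")

    def _getHolderX509Cert(self, request):
        '''Determine the certificate of the designated Attribute Certificate
        holder for a getAttCert request.

        @type request: getAttCertInputMsg holder
        @param request: parsed client request
        @return: holder certificate as supplied by its source - the
        verifying certificate of the WS-Security signature filter, or the
        request's UserX509Cert element when no filter is configured
        @raise AttributeAuthorityWSConfigError: a filter ID is configured but
        no filter is registered under it in self.referencedWSGIFilters
        '''
        filterID = self.wsseSignatureVerificationFilterID
        if filterID is None:
            # No signed message is expected from the client, so the holder
            # is whatever the client asserted in UserX509Cert.  Nothing here
            # verifies that certificate or binds it to the caller.
            log.debug('Reading holder certificate from SOAP request '
                      '"userX509Cert" parameter')
            return request.UserX509Cert

        # referencedWSGIFilters is expected to be populated by the hosting
        # WSGI layer (not in this file) with the filters that registered
        # themselves in the environ.
        signatureFilter = self.referencedWSGIFilters.get(filterID)
        if signatureFilter is None:
            # Fail closed.  The deployment asked for signature verification
            # but the middleware is missing; falling back to the client
            # supplied certificate would silently bypass that verification.
            log.error('"wsseSignatureVerificationFilterID" is set to %r but '
                      'no filter is registered under that ID in the WSGI '
                      'environ; refusing to fall back to the unsigned '
                      'holder certificate', filterID)
            raise AttributeAuthorityWSConfigError(
                'WS-Security signature verification filter %r referenced '
                'but not found' % filterID)

        # The holder is the certificate whose key signed the message - i.e.
        # the user's (proxy) certificate.
        log.debug("Reading holder certificate from WS-Security signature "
                  "header")
        return signatureFilter.signatureHandler.verifyingCert

    def soap_getAttCert(self, ps):
        '''Retrieve an Attribute Certificate

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: ndg.security.common.zsi.attributeauthority.AttributeAuthority_services_types.getAttCertResponse_Holder
        @return: response holder with AttCert set to the serialised
        certificate, or Msg set to the access denied reason
        @raise AttributeAuthorityWSConfigError: signature verification is
        configured but the filter cannot be found - see _getHolderX509Cert
        '''
        if self.debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getAttCertInputMsg.typecode)
        response = _AttributeAuthorityService.soap_getAttCert(self, ps)

        holderX509Cert = self._getHolderX509Cert(request)

        try:
            # UserId and UserAttCert are passed through unchecked; the
            # Attribute Authority decides whether to issue.
            attCert = self.aa.getAttCert(userId=request.UserId,
                                         holderX509Cert=holderX509Cert,
                                         userAttCert=request.UserAttCert)
            response.AttCert = attCert.toString()

        except AttributeAuthorityAccessDenied as e:
            # The denial reason is echoed to the client verbatim.  Any other
            # exception propagates to the ZSI dispatcher (presumably as a
            # SOAP fault - confirm how much detail that exposes to clients).
            response.Msg = str(e)

        return response

    def _getLocalHostname(self):
        '''Hostname key of this Attribute Authority's own entry in
        self.aa.hostInfo.

        hostInfo is assumed to hold exactly one entry; with several the one
        picked is arbitrary (dictionary ordering) - confirm against the
        property file format.

        @rtype: string
        @return: hostname
        '''
        return list(self.aa.hostInfo.keys())[0]

    @staticmethod
    def _populateHostInfo(target, hostname, hostInfo, includeRoles):
        '''Copy one host information entry onto a ZSI holder.

        @param target: holder created by the response's new_* factory (or the
        response itself for getHostInfo)
        @type hostname: string
        @param hostname: key of the entry; becomes target.Hostname
        @type hostInfo: dict
        @param hostInfo: entry with siteName, aaURI, aaDN, loginURI,
        loginServerDN and loginRequestServerDN keys, plus role when
        includeRoles is True
        @type includeRoles: bool
        @param includeRoles: copy hostInfo['role'] to target.RoleList.  Only
        trusted host entries carry a role list; this AA's own entry has none.
        @return: target
        '''
        target.Hostname = hostname
        target.SiteName = hostInfo['siteName']
        target.AaURI = hostInfo['aaURI']
        target.AaDN = hostInfo['aaDN']
        target.LoginURI = hostInfo['loginURI']
        target.LoginServerDN = hostInfo['loginServerDN']
        target.LoginRequestServerDN = hostInfo['loginRequestServerDN']
        if includeRoles:
            target.RoleList = hostInfo['role']
        return target

    def soap_getHostInfo(self, ps):
        '''Get information about this host

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: response
        @return: response with this Attribute Authority's host details'''
        if self.debug:
            import pdb
            pdb.set_trace()

        response = _AttributeAuthorityService.soap_getHostInfo(self, ps)

        hostname = self._getLocalHostname()
        self._populateHostInfo(response,
                               hostname,
                               self.aa.hostInfo[hostname],
                               False)
        return response

    def soap_getAllHostsInfo(self, ps):
        '''Get information about all hosts

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: response object with Hosts set to this Attribute Authority
        followed by all trusted Attribute Authorities'''
        if self.debug:
            import pdb
            pdb.set_trace()

        response = _AttributeAuthorityService.soap_getAllHostsInfo(self, ps)

        trustedHostInfo = self.aa.getTrustedHostInfo()

        # This Attribute Authority first - its own entry has no role list...
        hostname = self._getLocalHostname()
        hosts = [self._populateHostInfo(response.new_hosts(),
                                        hostname,
                                        self.aa.hostInfo[hostname],
                                        False)]

        # ... then every trusted Attribute Authority with the roles it maps
        for trustedHostname, hostInfo in trustedHostInfo.items():
            hosts.append(self._populateHostInfo(response.new_hosts(),
                                                trustedHostname,
                                                hostInfo,
                                                True))

        response.Hosts = hosts

        return response

    def soap_getTrustedHostInfo(self, ps):
        '''Get information about other trusted hosts

        @type ps: ZSI ParsedSoap
        @param ps: client SOAP message
        @rtype: tuple
        @return: response object with TrustedHosts set to the trusted
        Attribute Authorities matching the requested role'''
        if self.debug:
            import pdb
            pdb.set_trace()

        request = ps.Parse(getTrustedHostInfoInputMsg.typecode)
        response = _AttributeAuthorityService.soap_getTrustedHostInfo(self, ps)

        # Role comes straight from the client; the lookup (and any
        # validation of it) is delegated to the Attribute Authority.
        trustedHostInfo = self.aa.getTrustedHostInfo(role=request.Role)

        response.TrustedHosts = [
            self._populateHostInfo(response.new_trustedHosts(),
                                   hostname,
                                   hostInfo,
                                   True)
            for hostname, hostInfo in trustedHostInfo.items()]

        return response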