Changeset 2017


Timestamp: 17/01/07 16:37:37 (13 years ago)
Author: pjkersha
Message:

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • changed default port to 5000
  • added signature handler

python/www/html/attAuthority.wsdl,
python/ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py,
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py:

fixes to getAttCert and getX509Cert operations in WSDL. Re-generated associated code.

python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py:
AA Server code -

  • user roles module load now in separate method loadUserRolesInterface
  • added setPropFilePath method - this allows default paths for properties file of $NDGSEC_AA_PROPFILEPATH or $NDG_DIR/conf/attAuthorityProperties.xml
  • fixes to Epydoc strings

python/ndg.security.server/ndg/security/server/AttAuthority/README,
python/ndg.security.server/ndg/security/server/SessionMgr/README: more info about
code generation and mods for use with Twisted.

python/ndg.security.server/ndg/security/server/MyProxy.py:

  • fix to _HostCheck.__call__ - make sure True is returned on success
  • Added cnHostPfx keyword to _HostCheck.__init__ so that 'host/' prefix to host cert Common Name is optional. - Sys Admin may want to set up cert without the 'host/' prefix that Globus adds by default.

python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml and
python/conf/myProxyProperties.xml: added 'serverCNprefix' element - this is passed through
to cnHostPfx keyword explained above.

python/conf/sessionMgrProperties.xml: updated MyProxy properties.

python/conf/attAuthorityProperties.xml: added some sensible defaults to make initial
configuration easier.

python/ndg.security.test/ndg/security/test/AttAuthority/TestUserRoles.py,
python/ndg.security.test/ndg/security/test/AttAuthority/mapConfig.xml: put custom copies
here specifically for the AA client unit test. Fixed AttAuthority import in
TestUserRoles module.

python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:

  • updated to get settings from config file as with the other unit tests.
  • getAttCert working on client side signing outgoing message with proxy private key.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
config file for AA unit test.

python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg: altered
slightly to test on alternative server.

python/ndg.security.test/ndg/security/test/MyProxy/MyProxyClientTest.py: temp addition
of debug statement - now gone.

python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py: include
SafeConfigParser in import.

python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py: AA client code -

  • explicit AttCert class import
  • fixes to Epydoc statements
  • fixed signature handler certFilePath import

python/ndg.security.common/ndg/security/common/wsSecurity.py: include handling for
extracting X.509 cert from binary security token element in WSSE header. ! Make sure
base 64 encoded token is converted from unicode to standard string before parsing as an
M2Crypto.X509.X509 type.
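
The token extraction described in the wsSecurity.py entry above, as an added example that is not part of this changeset: it locates the wsse:BinarySecurityToken in a constructed SOAP envelope, checks its ValueType/EncodingType labels against the two profile URIs the change writes, strips line wrapping, decodes the base64 strictly, re-wraps the bytes as PEM for load_cert_string, and hands the certificate back only once its fingerprint matches a pinned value, because a certificate carried in the message it is meant to authenticate is self-asserted until tied to a trust anchor. It uses only the Python standard library; the WSSE namespace is the OASIS WSS 1.0 one, and the token content is a placeholder DER SEQUENCE, not a real certificate.

```python
"""Vet the X.509 token in a WS-Security header before trusting it.
Added example, not code from the NDG security changeset; standard library only.
The envelope and token bytes below are constructed: the "certificate" is a
minimal DER SEQUENCE, not a real X.509 certificate.
"""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

# OASIS WSS 1.0 namespace (ZSI's OASIS.WSSE) and the two token-profile URIs
# the changeset sets on the BinarySecurityToken element.
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
X509_VALUE_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-x509-token-profile-1.0#X509")
B64_ENCODING_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                     "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


class TokenError(ValueError):
    """Token missing, mislabelled, malformed or not trusted."""


def der_outer_length_ok(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose declared
    length matches the data; rejects truncated or padded tokens cheaply."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def extract_x509_der(soap_xml):
    """Find wsse:BinarySecurityToken, check its labels, return the DER bytes."""
    root = ET.fromstring(soap_xml)          # use defusedxml for untrusted input
    tok = root.find(".//{%s}BinarySecurityToken" % WSSE_NS)
    if tok is None:
        raise TokenError("no wsse:BinarySecurityToken in header")
    if tok.get("ValueType") != X509_VALUE_TYPE:
        raise TokenError("unexpected ValueType %r" % tok.get("ValueType"))
    if tok.get("EncodingType") != B64_ENCODING_TYPE:
        raise TokenError("unexpected EncodingType %r" % tok.get("EncodingType"))
    # Text may be wrapped at 64 columns: drop all whitespace, decode strictly so
    # stray characters fail here rather than inside the certificate parser.
    b64 = "".join((tok.text or "").split())
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise TokenError("token is not valid base64: %s" % exc)
    if not der_outer_length_ok(der):
        raise TokenError("token is not a single DER SEQUENCE")
    return der


def fingerprint(der):
    """SHA-256 of the DER bytes, the usual key for certificate pinning."""
    return hashlib.sha256(der).hexdigest()


def vet_token(soap_xml, trusted_fingerprints):
    """Return the header certificate as PEM only if it is already trusted.
    A certificate carried in the message it authenticates is self-asserted
    until tied to a trust anchor; a pinned fingerprint is the simplest tie,
    a CA-chain check the general one."""
    der = extract_x509_der(soap_xml)
    fp = fingerprint(der)
    if fp not in trusted_fingerprints:
        raise TokenError("header certificate %s... is not trusted" % fp[:16])
    # Re-wrap as PEM with 64-column lines, the form load_cert_string expects.
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed sample: SEQUENCE { INTEGER 5 } standing in for a certificate,
# placed in the header the way SignatureHandler.sign() emits it.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_ENVELOPE = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:wsse="%s">
  <SOAP-ENV:Header><wsse:Security>
    <wsse:BinarySecurityToken ValueType="%s" EncodingType="%s">
      %s
    </wsse:BinarySecurityToken>
  </wsse:Security></SOAP-ENV:Header>
  <SOAP-ENV:Body/></SOAP-ENV:Envelope>
""" % (WSSE_NS, X509_VALUE_TYPE, B64_ENCODING_TYPE,
       base64.b64encode(SAMPLE_DER).decode("ascii"))
# Same envelope with the WebSphere-style label the changeset comments out.
MISLABELLED_ENVELOPE = SAMPLE_ENVELOPE.replace(X509_VALUE_TYPE, "wsse:X509v3")
```

The PEM returned by vet_token is what would be passed on to M2Crypto's load_cert_string; on real input, replace the fingerprint set with the pins of the Attribute Authority certificates you actually trust.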

Location: TI12-security/trunk/python
Files: 3 added, 19 edited, 1 moved

  • TI12-security/trunk/python/conf/attAuthorityProperties.xml

    r1176 r2017  
    77    <caCertFile></caCertFile> 
    88    <attCertLifeTime></attCertLifeTime> 
    9         <attCertNotBeforeOff></attCertNotBeforeOff> 
    10     <attCertFilePfx></attCertFilePfx> 
    11     <attCertFileSfx></attCertFileSfx> 
     9        <attCertNotBeforeOff>0</attCertNotBeforeOff> 
     10    <attCertFilePfx>ac-</attCertFilePfx> 
     11    <attCertFileSfx>.xml</attCertFileSfx> 
    1212    <mapConfigFile></mapConfigFile> 
    1313    <attCertDir></attCertDir> 
    14     <dnSeparator></dnSeparator> 
     14    <dnSeparator>/</dnSeparator> 
    1515    <usrRolesModFilePath></usrRolesModFilePath> 
    1616    <usrRolesModName></usrRolesModName> 
  • TI12-security/trunk/python/conf/myProxyProperties.xml

    r1881 r2017  
    33        <!--  
    44        Delete this element and take setting from MYPROXY_SERVER environment  
    5         variable ifrequired 
     5        variable if required 
     6        <hostname>localhost</hostname> 
    67        --> 
    7         <hostname>localhost</hostname> 
    88        <!--  
    99        Delete this element to take default setting 7512 or read  
     
    1515        DN is set to "host/<fqdn>".  Delete this element and set from  
    1616        MYPROXY_SERVER_DN environment variable if prefered 
     17        <serverDN></serverDN> 
    1718        --> 
    18         <serverDN></serverDN> 
     19        <!-- 
     20        Set "host/" prefix to host cert CN as is default with globus 
     21        --> 
     22        <serverCNprefix>host/</serverCNprefix>   
    1923        <!-- 
    2024        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting 
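Review bot: the new `<serverCNprefix>host/</serverCNprefix>` at line 22 documents how to set the prefix but not how to switch it off, although the commit message says the 'host/' prefix is now optional; the comment at lines 19-21 should state whether an empty element or deleting the element disables it, and that in either case the `_HostCheck` callback still requires the CN to match the `<fqdn>` of the server being connected to, since that comparison is what ties the MyProxy server's certificate to the host.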
  • TI12-security/trunk/python/conf/sessionMgrProperties.xml

    r1549 r2017  
    88    <sessMgrWSDLuri></sessMgrWSDLuri> 
    99    <cookieDomain></cookieDomain> 
    10     <myProxyProp> 
    11         <myProxyServer></myProxyServer> 
    12         <gridSecurityDir></gridSecurityDir> 
    13         <credStorageDir></credStorageDir> 
    14         <openSSLConfFileName></openSSLConfFileName> 
    15         <tmpDir></tmpDir> 
    16         <path></path> 
    17         <proxyCertMaxLifetime></proxyCertMaxLifetime> 
    18         <proxyCertLifetime></proxyCertLifetime> <!-- in hours --> 
    19         <simpleCACltProp> 
    20             <wsdl></wsdl> 
    21             <xmlSigKeyFile></xmlSigKeyFile> 
    22             <xmlSigCertFile></xmlSigCertFile> 
    23             <xmlSigCertPPhrase></xmlSigCertPPhrase> 
    24         </simpleCACltProp 
    25         <!-- 
    26         <simpleCASrvProp> 
    27             <certExpiryDate></certExpiryDate> 
    28             <certLifetimeDays></certLifetimeDays> 
    29             <certTmpDir></certTmpDir> 
    30             <caCertFile></caCertFile> 
    31             <signExe></signExe> 
    32             <path></path> 
    33         </simpleCASrvProp> 
    34         --> 
    35     </myProxyProp> 
     10        <myProxyProp> 
     11                <!--  
     12                Delete this element and take setting from MYPROXY_SERVER environment  
     13                variable if required 
     14                <hostname>localhost</hostname> 
     15                --> 
     16                <!--  
     17                Delete this element to take default setting 7512 or read  
     18                MYPROXY_SERVER_PORT setting 
     19                --> 
     20                <port>7512</port> 
     21                <!-- 
     22                Useful if hostname and certificate CN don't match correctly.  Globus  
     23                host DN is set to "host/<fqdn>".  Delete this element and set from  
     24                MYPROXY_SERVER_DN environment variable if prefered 
     25                <serverDN></serverDN> 
     26                --> 
     27                <!-- 
     28                Set "host/" prefix to host cert CN as is default with globus 
     29                --> 
     30                <serverCNprefix>host/</serverCNprefix>   
     31                <!-- 
     32                Nb. GRID_SECURITY_DIR environment variable if set, overrides this  
     33                setting 
     34                 
     35                This directory path is used to locate the OpenSSL configuration file 
     36                --> 
     37                <gridSecurityDir>$GLOBUS_LOCATION/etc</gridSecurityDir> 
     38                <!-- Open SSL Configuration settings --> 
     39                <openSSLConfFileName>globus-user-ssl.conf</openSSLConfFileName> 
     40                <tmpDir>/tmp</tmpDir> 
     41                <!--  
     42                        Limit on maximum lifetime any proxy certificate can have -  
     43                        specified when a certificate is first created by store() method 
     44                --> 
     45                <proxyCertMaxLifetime></proxyCertMaxLifetime> <!-- in hours --> 
     46                <!--  
     47                        Life time of a proxy certificate when issued from the Proxy Server  
     48                        with getDelegation() method 
     49                        --> 
     50                <proxyCertLifetime></proxyCertLifetime> <!-- in hours --> 
     51                <caCertFile></caCertFile> 
     52        </myProxyProp> 
     53        <simpleCACltProp> 
     54            <wsdl></wsdl> 
     55        <xmlSigKeyFile></xmlSigKeyFile> 
     56        <xmlSigCertFile></xmlSigCertFile> 
     57        <xmlSigCertPPhrase></xmlSigCertPPhrase> 
     58    </simpleCACltProp> 
     59        <!-- 
     60        <simpleCASrvProp> 
     61            <certExpiryDate></certExpiryDate> 
     62            <certLifetimeDays></certLifetimeDays> 
     63            <certTmpDir></certTmpDir> 
     64            <caCertFile></caCertFile> 
     65            <signExe></signExe> 
     66            <path></path> 
     67        </simpleCASrvProp> 
     68        --> 
    3669    <credReposProp> 
    3770            <modFilePath></modFilePath> 
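Review bot: the old `<credStorageDir>` and `<path>` elements (lines 13 and 16 on the left) disappear from `<myProxyProp>` with no replacement on the right; confirm the MyProxy properties loader no longer reads them, or the new default file will fail to load. `<xmlSigCertPPhrase>` at line 57 now sits beside `<xmlSigKeyFile>` at the top level: a clear-text passphrase for the signing key means this file needs the same permissions as the key itself, which deserves a comment next to the element. The unbalanced `</simpleCACltProp` of old line 24 is correctly closed at line 58.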
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py

    r1725 r2017  
    2929        # no ws-addressing 
    3030 
    31     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb77f2e0c> 
    32     def getAttCert(self, userCert): 
     31    # op: <ZSI.wstools.WSDLTools.Message instance at 0x408b5f6c> 
     32    def getAttCert(self, userCert,userAttCert): 
    3333 
    3434        request = getAttCertInputMsg() 
    3535        request._userCert = userCert 
     36        request._userAttCert = userAttCert 
    3637 
    3738        kw = {} 
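Review bot: `def getAttCert(self, userCert,userAttCert):` at line 32 makes both arguments positional and mandatory on the client stub even though the regenerated schema marks both elements minOccurs=0. As this file is wsdl2py output (see the README change), it should not be hand-edited; the wrapper in `AttAuthority/__init__.py` must therefore always pass both, which its `self.__srv.getAttCert(userCert, userAttCert)` call does.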
     
    4344        return attCert 
    4445 
    45     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb77f72cc> 
     46    # op: <ZSI.wstools.WSDLTools.Message instance at 0x408bc2cc> 
    4647    def getHostInfo(self): 
    4748 
     
    5354        # no output wsaction 
    5455        response = self.binding.Receive(getHostInfoOutputMsg.typecode) 
    55         return  
     56        host = response._host 
     57        return host 
    5658 
    57     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb77f7a6c> 
     59    # op: <ZSI.wstools.WSDLTools.Message instance at 0x408bca0c> 
    5860    def getTrustedHostInfo(self, role): 
    5961 
     
    6971        return trustedHosts 
    7072 
    71     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb77f7bec> 
    72     def getPubKey(self): 
     73    # op: <ZSI.wstools.WSDLTools.Message instance at 0x408bcb8c> 
     74    def getX509Cert(self): 
    7375 
    74         request = getPubKeyInputMsg() 
     76        request = getX509CertInputMsg() 
    7577 
    7678        kw = {} 
    7779        # no input wsaction 
    78         self.binding.Send(None, None, request, soapaction="getPubKey", **kw) 
     80        self.binding.Send(None, None, request, soapaction="getX509Cert", **kw) 
    7981        # no output wsaction 
    80         response = self.binding.Receive(getPubKeyOutputMsg.typecode) 
     82        response = self.binding.Receive(getX509CertOutputMsg.typecode) 
    8183        x509Cert = response._x509Cert 
    8284        return x509Cert 
     
    9496getTrustedHostInfoOutputMsg = ns0.getTrustedHostInfoResponse_Dec().pyclass 
    9597 
    96 getPubKeyInputMsg = ns0.getPubKey_Dec().pyclass 
     98getX509CertInputMsg = ns0.getX509Cert_Dec().pyclass 
    9799 
    98 getPubKeyOutputMsg = ns0.getPubKeyResponse_Dec().pyclass 
     100getX509CertOutputMsg = ns0.getX509CertResponse_Dec().pyclass 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py

    r1725 r2017  
    2323        def __init__(self, **kw): 
    2424            ns = ns0.getAttCert_Dec.schema 
    25             TClist = [ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))] 
     25            TClist = [ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userAttCert", aname="_userAttCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))] 
    2626            kw["pname"] = ("urn:ndg:security","getAttCert") 
    2727            kw["aname"] = "_getAttCert" 
     
    3434                    # pyclass 
    3535                    self._userCert = None 
     36                    self._userAttCert = None 
    3637                    return 
    3738            Holder.__name__ = "getAttCert_Holder" 
     
    8283        def __init__(self, **kw): 
    8384            ns = ns0.getHostInfoResponse_Dec.schema 
    84             TClist = [] 
     85            TClist = [ZSI.TC.String(pname="host", aname="_host", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))] 
    8586            kw["pname"] = ("urn:ndg:security","getHostInfoResponse") 
    8687            kw["aname"] = "_getHostInfoResponse" 
     
    9293                def __init__(self): 
    9394                    # pyclass 
     95                    self._host = None 
    9496                    return 
    9597            Holder.__name__ = "getHostInfoResponse_Holder" 
     
    136138            self.pyclass = Holder 
    137139 
    138     class getPubKey_Dec(ZSI.TCcompound.ComplexType, ElementDeclaration): 
    139         literal = "getPubKey" 
     140    class getX509Cert_Dec(ZSI.TCcompound.ComplexType, ElementDeclaration): 
     141        literal = "getX509Cert" 
    140142        schema = "urn:ndg:security" 
    141143        def __init__(self, **kw): 
    142             ns = ns0.getPubKey_Dec.schema 
     144            ns = ns0.getX509Cert_Dec.schema 
    143145            TClist = [] 
    144             kw["pname"] = ("urn:ndg:security","getPubKey") 
    145             kw["aname"] = "_getPubKey" 
     146            kw["pname"] = ("urn:ndg:security","getX509Cert") 
     147            kw["aname"] = "_getX509Cert" 
    146148            self.attribute_typecode_dict = {} 
    147149            ZSI.TCcompound.ComplexType.__init__(self,None,TClist,inorder=0,**kw) 
     
    152154                    # pyclass 
    153155                    return 
    154             Holder.__name__ = "getPubKey_Holder" 
     156            Holder.__name__ = "getX509Cert_Holder" 
    155157            self.pyclass = Holder 
    156158 
    157     class getPubKeyResponse_Dec(ZSI.TCcompound.ComplexType, ElementDeclaration): 
    158         literal = "getPubKeyResponse" 
     159    class getX509CertResponse_Dec(ZSI.TCcompound.ComplexType, ElementDeclaration): 
     160        literal = "getX509CertResponse" 
    159161        schema = "urn:ndg:security" 
    160162        def __init__(self, **kw): 
    161             ns = ns0.getPubKeyResponse_Dec.schema 
     163            ns = ns0.getX509CertResponse_Dec.schema 
    162164            TClist = [ZSI.TC.String(pname="x509Cert", aname="_x509Cert", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))] 
    163             kw["pname"] = ("urn:ndg:security","getPubKeyResponse") 
    164             kw["aname"] = "_getPubKeyResponse" 
     165            kw["pname"] = ("urn:ndg:security","getX509CertResponse") 
     166            kw["aname"] = "_getX509CertResponse" 
    165167            self.attribute_typecode_dict = {} 
    166168            ZSI.TCcompound.ComplexType.__init__(self,None,TClist,inorder=0,**kw) 
     
    172174                    self._x509Cert = None 
    173175                    return 
    174             Holder.__name__ = "getPubKeyResponse_Holder" 
     176            Holder.__name__ = "getX509CertResponse_Holder" 
    175177            self.pyclass = Holder 
    176178 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/README

    r1725 r2017  
    22AttAuthority_services_types.py generated with, 
    33 
    4 $ wsdl2py -be -f ~/security/python/www/html/attAuthority.wsdl 
     4$ wsdl2py -be -f ../../../../../www/html/attAuthority.wsdl 
    55 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

    r1999 r2017  
    3030from AttAuthority_services import AttAuthorityServiceLocator 
    3131from ndg.security.common.wsSecurity import SignatureHandler 
    32 from ndg.security.common.AttCert import AttCertParse 
     32from ndg.security.common.AttCert import AttCert, AttCertParse 
    3333 
    3434#_____________________________________________________________________________ 
    3535class AttAuthorityClientError(Exception): 
    3636    """Exception handling for AttributeAuthorityClient class""" 
    37     pass 
    3837 
    3938 
     
    5150        """ 
    5251        @type uri: string 
    53         @param uri: URI for Attribute Authority WS.  Setting it will also 
     52        @keyword uri: URI for Attribute Authority WS.  Setting it will also 
    5453        initialise the Service Proxy 
    5554         
    5655        @type srvCertFilePath: string 
    57         @param srvCertFilePath: X.509 certificate of Attribute Authority use to  
    58         verify the signatures of responses. This is unnecessary if the  
    59         response includes the certificate. 
    60          
    61         @type clntCertFilePath:string 
    62         @param clntCertFilePath: X.509 certificate of client.  Passed in  
     56        @keyword srvCertFilePath: X.509 certificate of Attribute Authority use  
     57        to verify the signatures of responses. This may be omitted if the  
     58        the certificate is include in the WSSE header of the repsonse. 
     59         
     60        @type clntCertFilePath: string 
     61        @keyword clntCertFilePath: X.509 certificate of client.  Passed in  
    6362        SOAP WS-Security header to enable the AA to verify the signature of 
    64         this client's requests. 
    65          
    66         clntPriKeyFilePath:      Private key of client.  If clntCertFilePath 
    67                                  is set, the private key is needed to decrypt  
    68                                  the response from the Attribute Authority 
    69         tracefile:               set to file object such as sys.stderr to  
    70                                  give extra WS debug information""" 
     63        this client's request and identify the client ID. 
     64         
     65        @type clntPriKeyFilePath: string 
     66        @keyword clntPriKeyFilePath: Private key of client used to sign 
     67        outbound messages to the Attribute Authority. 
     68                                  
     69        @keyword tracefile: set to file object such as sys.stderr to give  
     70        extra WS debug information""" 
    7171 
    7272        self.__srv = None 
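Review bot: docstring typos at lines 56-58: "use to verify" should be "used to verify", and "the the certificate is include in the WSSE header of the repsonse" should read "the certificate is included in the WSSE header of the response".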
     
    216216        @type uri: string 
    217217        @param uri: URI for service to invoke""" 
     218         
    218219        if uri: 
    219220            self.__setURI(uri) 
     
    221222        # WS-Security Signature handler object is passed to binding 
    222223        signatureHandler = SignatureHandler(\ 
    223                                     certFilePath=self.__smCertFilePath, 
     224                                    certFilePath=self.__clntCertFilePath, 
    224225                                    priKeyFilePath=self.__clntPriKeyFilePath, 
    225226                                    priKeyPwd=self.__clntPriKeyPwd) 
     
    228229            locator = AttAuthorityServiceLocator() 
    229230            self.__srv = locator.getAttAuthority(self.__uri,  
     231                                                 sig_handler=signatureHandler, 
    230232                                                 tracefile=self.__tracefile) 
    231233        except HTTPResponse, e: 
     
    245247        Attribute Authority represents 
    246248         
    247         @rtype dict 
    248         @return dictionary of host information for the target attribute 
    249         authority 
     249        @rtype: dict 
     250        @return: dictionary of host information derived from the Attribute 
     251        Authority's map configuration 
    250252        """ 
    251253 
    252         # If Public key was not set, retrieve from server 
    253         self.__getSrvX509Cert() 
    254              
    255254        try:    
    256255            resp = self.__srv.getHostInfo() 
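Review bot: dropping the `self.__getSrvX509Cert()` pre-fetch at lines 252-253 (and the same removal in getTrustedHostInfo and getAttCert below) means response verification now rests on the certificate carried in the response's own WSSE header, as the revised srvCertFilePath docstring says. A certificate that arrives inside the message it is meant to authenticate proves nothing on its own; SignatureHandler must still chain it to a trusted CA or compare it with a configured `srvCertFilePath` before the signature counts as verified, otherwise any endpoint answering on the URI could produce a response that passes.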
     
    270269        this role 
    271270         
    272         @rtype dict 
    273         @return dictionary of trusted hosts indexed by hostname 
    274         """ 
    275  
    276         # If Public key was not set, retrieve from server 
    277         self.__getSrvX509Cert() 
     271        @rtype: dict 
     272        @return: dictionary of host information indexed by hostname derived  
     273        from the map configuration""" 
    278274             
    279275        try:    
     
    288284 
    289285    #_________________________________________________________________________ 
    290     def getAttCert(self, proxyCert, userAttCert=None): 
     286    def getAttCert(self, userCert=None, userAttCert=None): 
    291287        """Request attribute certificate from NDG Attribute Authority Web  
    292288        Service. 
    293289         
     290        @type userCert: string 
     291        @keyword userCert: certificate corresponding to proxy private key and 
     292        proxy cert used to sign the request.  Enables server to establish 
     293        chain of trust proxy -> user cert -> CA cert.  If a standard  
     294        private key is used to sign the request, this argument is not  
     295        needed. 
     296                 
    294297        @type proxyCert: string 
    295298        @param proxyCert: certificate containing Distinguished Name of user 
     
    297300         
    298301        @type userAttCert: string / AttCert 
    299         @param userAttCert: user attribute certificate from which to make a  
     302        @keyword userAttCert: user attribute certificate from which to make a  
    300303        mapped certificate at the target attribute authority.  userAttCert 
    301         must have been issued from a trusted host to the target 
     304        must have been issued from a trusted host to the target.  This is not  
     305        necessary if the user is registered at the target Attribute Authority. 
    302306         
    303307        @rtype AttCert 
    304308        @return attribute certificate for user""" 
    305  
    306  
    307         # If Public key was not set, retrieve from server 
    308         self.__getSrvX509Cert() 
    309309 
    310310        # Ensure cert is serialized before passing over web service interface 
     
    313313             
    314314        try:    
    315             attCert = AttCertParse(self.__srv.getAttCert(proxyCert,  
     315            attCert = AttCertParse(self.__srv.getAttCert(userCert,  
    316316                                                         userAttCert)) 
    317                                        
    318         except Exception, e: 
    319             raise AttAuthorityClientError, \ 
    320                                 "requesting attribute certificate: " + str(e) 
     317        except Exception, e: 
     318            raise AttAuthorityClientError, \ 
     319                                "Requesting attribute certificate: " + str(e) 
    321320             
    322321        return attCert 
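Review bot: the docstring still carries `@type proxyCert` / `@param proxyCert` at lines 297-298 after the parameter was renamed to `userCert` at line 286; drop those lines, since the new `@keyword userCert` block at 290-295 covers the argument. `@rtype AttCert` and `@return attribute certificate` at lines 307-308 also lack the colon the other tags now use (`@rtype:`, `@return:`).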
     
    331330         
    332331        try:    
    333             cert = self.__srv.getX509Cert()                 
    334             return cert 
     332            return self.__srv.getX509Cert()                 
    335333         
    336334        except Exception, e: 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

    r1973 r2017  
    7777         
    7878class SignatureHandler(object): 
     79    """class to handle signature and verification of signature with  
     80    WS-Security 
     81     
     82    @type __beginCert: string 
     83    @param __beginCert: delimiter for beginning of base64 encoded portion of 
     84    a PEM encoded X.509 certificate 
     85    @type __endCert: string 
     86    @cvar: __endCert: equivalent end delimiter 
     87     
     88    @type __x509CertPat: regular expression pattern object 
     89    @cvar __x509CertPat: regular expression for extracting the base64 encoded  
     90    portion of a PEM encoded X.509 certificate""" 
     91     
     92    __beginCert = '-----BEGIN CERTIFICATE-----\n' 
     93    __endCert = '\n-----END CERTIFICATE-----' 
     94    __x509CertPat = re.compile(__beginCert + \ 
     95                               '?(.*?)\n?-----END CERTIFICATE-----', 
     96                               re.S) 
    7997     
    8098    def __init__(self, 
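Review bot: the class docstring mixes tags at lines 82-89: `@param __beginCert` should be `@cvar __beginCert`, and `@cvar: __endCert:` has a stray colon after `@cvar`. The regex at lines 94-96 also relies on the trailing `\n` of `__beginCert` being made optional by the leading `?` of the next string literal, which is correct but easy to misread; a one-line comment saying the newline after the BEGIN delimiter is optional would save the next reader a check.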
     
    93111        # Add X.509 cert as binary security token 
    94112        x509Cert = X509.load_cert(self.__certFilePath) 
    95          
    96         x509CertPat = re.compile(\ 
    97             '-----BEGIN CERTIFICATE-----\n?(.*?)\n?-----END CERTIFICATE-----', 
    98             re.S) 
    99         x509CertStr = x509CertPat.findall(x509Cert.as_pem())[0] 
     113        x509CertStr=self.__class__.__x509CertPat.findall(x509Cert.as_pem())[0] 
    100114 
    101115        soapWriter._header.setNamespaceAttribute('wsse', OASIS.WSSE) 
     
    116130        # Change value and encoding types to suite WebSphere 
    117131#        binSecTokElem.node.setAttribute('ValueType', "wsse:X509v3") 
    118         valueType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509" 
     132        valueType = \ 
     133"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509" 
    119134        binSecTokElem.node.setAttribute('ValueType', valueType) 
    120135#        binSecTokElem.node.setAttribute('EncodingType', "wsse:Base64Binary") 
    121         encodingType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
     136        encodingType = \ 
     137"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
    122138        binSecTokElem.node.setAttribute('EncodingType', encodingType) 
    123139         
     
    434450 
    435451        # Look for X.509 Cert in wsse:BinarySecurityToken node 
     452        import pdb;pdb.set_trace() 
    436453        try: 
    437454            binSecTokNode = xpath.Evaluate('//wsse:BinarySecurityToken', 
    438455                                           contextNode=parsedSOAP.dom, 
    439456                                           context=ctxt)[0] 
    440             x509str = binSecTokNode.childNodes[0]._get_nodeValue() 
    441             x509strAlt = '' 
    442             i = 0 
    443             while i < len(x509str): 
    444                 x509strAlt += "%s\n" % x509str[i:i+64] 
    445                 i += 64 
    446      
    447             raise Exception, "Try reading from file" 
    448             x509Cert = X509.load_cert_string(x509strAlt) 
     457                                            
     458            b64EncX509Cert = str(self.__class__.__beginCert + \ 
     459                             binSecTokNode.childNodes[0]._get_nodeValue() + \ 
     460                             self.__class__.__endCert) 
     461             
     462            x509Cert = X509.load_cert_string(b64EncX509Cert) 
    449463        except: 
    450464            # If not, check cert file     
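Review bot: line 452 leaves `import pdb;pdb.set_trace()` in the verification path; it will stop the service at the first incoming signed message and must be removed before this is deployed. The bare `except:` at line 463 also swallows every failure, so a token that is present but malformed (bad base64, not a certificate) is silently treated as "no token" and verification falls through to the configured certificate file; catch the specific X509 error, log it, and treat a present-but-unparseable token as a verification failure. Finally, a certificate lifted from the header is only trustworthy once it has been chained to a trusted CA, which this hunk does not yet do.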
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py

    r1724 r2017  
    55################################################## 
    66 
    7 from AttAuthority_services import * 
     7from ndg.security.common.AttAuthority.AttAuthority_services import * 
    88from ZSI.ServiceContainer import ServiceSOAPBinding 
    99 
     
    1919        <xsd:complexType> 
    2020          <xsd:sequence> 
    21             <xsd:element name=\"userCert\" type=\"xsd:string\"/> 
     21            <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userCert\" type=\"xsd:string\"/> 
     22            <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userAttCert\" type=\"xsd:string\"/> 
    2223          </xsd:sequence> 
    2324        </xsd:complexType> 
     
    3637 
    3738      <xsd:element name=\"getHostInfoResponse\"> 
    38         <xsd:complexType/> 
     39        <xsd:complexType> 
     40              <xsd:sequence> 
     41                <xsd:element name=\"host\" type=\"xsd:string\"/> 
     42              </xsd:sequence> 
     43            </xsd:complexType> 
    3944      </xsd:element> 
    4045 
     
    4853      <xsd:element name=\"getTrustedHostInfoResponse\"> 
    4954        <xsd:complexType> 
    50           <xsd:sequence> 
    51             <xsd:element name=\"trustedHosts\" type=\"xsd:string\"/> 
    52           </xsd:sequence> 
    53         </xsd:complexType> 
    54       </xsd:element> 
    55  
    56       <xsd:element name=\"getPubKey\"> 
     55              <xsd:sequence> 
     56                <xsd:element name=\"trustedHosts\" type=\"xsd:string\"/> 
     57              </xsd:sequence> 
     58            </xsd:complexType> 
     59      </xsd:element> 
     60 
     61      <xsd:element name=\"getX509Cert\"> 
    5762        <xsd:complexType/> 
    5863      </xsd:element> 
    59       <xsd:element name=\"getPubKeyResponse\"> 
    60         <xsd:complexType> 
    61           <xsd:sequence> 
    62             <xsd:element name=\"x509Cert\" type=\"xsd:string\"/> 
    63           </xsd:sequence> 
    64         </xsd:complexType> 
     64      <xsd:element name=\"getX509CertResponse\"> 
     65        <xsd:complexType> 
     66                  <xsd:sequence> 
     67                    <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"x509Cert\" type=\"xsd:string\"/> 
     68                  </xsd:sequence> 
     69                </xsd:complexType> 
    6570      </xsd:element> 
    6671 
     
    9297  </message> 
    9398 
    94   <message name=\"getPubKeyInputMsg\"> 
    95     <part element=\"tns:getPubKey\" name=\"parameters\"/> 
    96   </message> 
    97  
    98   <message name=\"getPubKeyOutputMsg\"> 
    99     <part element=\"tns:getPubKeyResponse\" name=\"parameters\"/> 
     99  <message name=\"getX509CertInputMsg\"> 
     100    <part element=\"tns:getX509Cert\" name=\"parameters\"/> 
     101  </message> 
     102 
     103  <message name=\"getX509CertOutputMsg\"> 
     104    <part element=\"tns:getX509CertResponse\" name=\"parameters\"/> 
    100105  </message> 
    101106 
     
    116121    </operation> 
    117122 
    118     <operation name=\"getPubKey\"> 
    119       <wsdl:input message=\"tns:getPubKeyInputMsg\"/> 
    120       <output message=\"tns:getPubKeyOutputMsg\"/> 
     123    <operation name=\"getX509Cert\"> 
     124      <wsdl:input message=\"tns:getX509CertInputMsg\"/> 
     125      <output message=\"tns:getX509CertOutputMsg\"/> 
    121126    </operation> 
    122127  </wsdl:portType> 
     
    155160    </operation> 
    156161 
    157     <operation name=\"getPubKey\"> 
    158       <soap:operation soapAction=\"getPubKey\"/> 
     162    <operation name=\"getX509Cert\"> 
     163      <soap:operation soapAction=\"getX509Cert\"/> 
    159164      <wsdl:input> 
    160165        <soap:body use=\"literal\"/> 
     
    169174  <wsdl:service name=\"AttAuthorityService\"> 
    170175    <wsdl:documentation>NERC Data Grid Attribute Authority web service</wsdl:documentation> 
    171     <wsdl:port binding=\"tns:AttAuthorityBinding\" name=\"SimpleCA\"> 
     176    <wsdl:port binding=\"tns:AttAuthorityBinding\" name=\"AttAuthority\"> 
    172177      <soap:address location=\"http://localhost:5700\"/> 
    173178    </wsdl:port> 
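Review bot: the `soap:address location` on the last line of this hunk still points at `http://localhost:5700`, while server-config.tac in this same changeset moves `portNum` from 5700 to 5000; any client stub regenerated from this WSDL will default to a port the service no longer listens on. Either change the location to `http://localhost:5000` here or note in the README that the WSDL address is a placeholder that must be edited per deployment. The rename of the port from `SimpleCA` to `AttAuthority` is the right fix for the copy-paste leftover.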
     
    190195    def soap_getAttCert(self, ps): 
    191196        self.request = ps.Parse(getAttCertInputMsg.typecode) 
    192         parameters = self.request._userCert 
    193  
    194         # If we have an implementation object use it 
    195         if hasattr(self,'impl'): 
    196             parameters = self.impl.getAttCert(parameters) 
     197        parameters = (self.request._userCert, self.request._userAttCert) 
     198 
     199        # If we have an implementation object use it 
     200        if hasattr(self,'impl'): 
     201            parameters = self.impl.getAttCert(parameters[0],parameters[1]) 
    197202 
    198203        result = getAttCertOutputMsg() 
     
    213218 
    214219        result = getHostInfoOutputMsg() 
     220        # If we have an implementation object, copy the result  
     221        if hasattr(self,'impl'): 
     222            result._host = parameters 
    215223        return self.request, result 
    216224 
     
    235243    root[(getTrustedHostInfoInputMsg.typecode.nspname,getTrustedHostInfoInputMsg.typecode.pname)] = 'soap_getTrustedHostInfo' 
    236244 
    237     def soap_getPubKey(self, ps): 
    238         self.request = ps.Parse(getPubKeyInputMsg.typecode) 
    239  
    240         # If we have an implementation object use it 
    241         if hasattr(self,'impl'): 
    242             parameters = self.impl.getPubKey() 
    243  
    244         result = getPubKeyOutputMsg() 
     245    def soap_getX509Cert(self, ps): 
     246        self.request = ps.Parse(getX509CertInputMsg.typecode) 
     247 
     248        # If we have an implementation object use it 
     249        if hasattr(self,'impl'): 
     250            parameters = self.impl.getX509Cert() 
     251 
     252        result = getX509CertOutputMsg() 
    245253        # If we have an implementation object, copy the result  
    246254        if hasattr(self,'impl'): 
     
    248256        return self.request, result 
    249257 
    250     soapAction['getPubKey'] = 'soap_getPubKey' 
    251     root[(getPubKeyInputMsg.typecode.nspname,getPubKeyInputMsg.typecode.pname)] = 'soap_getPubKey' 
    252  
     258    soapAction['getX509Cert'] = 'soap_getX509Cert' 
     259    root[(getX509CertInputMsg.typecode.nspname,getX509CertInputMsg.typecode.pname)] = 'soap_getX509Cert' 
     260 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/README

    r1747 r2017  
    55 
    66AttAuthorityService soap_* methods modified to return request 
    7 and result to fit with interface to Twisted. 
     7and result to fit with interface to Twisted: replace  
     8 
     9return result -> return self.request, result 
     10 
     11Import AttAuthority_services from ndg.security.common.AttAuthority 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r1990 r2017  
    55@author P J Kershaw 15/04/05 
    66 
    7 @copyright (C) 2006 CCLRC & NERC 
     7@copyright (C) 2007 CCLRC & NERC 
    88 
    99@license This software may be distributed under the terms of the Q Public  
     
    5454    """NDG Attribute Authority - server for allocation of user authorization 
    5555    tokens - attribute certificates. 
     56     
     57    @type __validKeys: list 
     58    @cvar __validKeys: valid configuration property keywords - properties file 
     59    must contain these 
     60     
     61    @type __confDir: string 
     62    @cvar __confDir: configuration directory under $NDG_DIR - default location 
     63    for properties file  
     64     
     65    @type __propFileName: string 
     66    @cvar __propFileName: default file name for properties file under  
     67    __confDir 
    5668    """ 
    5769 
     
    6274    # implementation of NDG Security 
    6375 
     76    __confDir = "conf" 
     77    __propFileName = "attAuthorityProperties.xml" 
     78     
    6479    # valid configuration property keywords 
    6580    __validKeys = [ 'name', 
     
    8196     
    8297    def __init__(self,  
    83                  propFilePath=os.path.join(os.environ.get('NDG_DIR') or '!',  
    84                                            "conf", 
    85                                            "attAuthorityProperties.xml"),  
     98                 propFilePath=None,  
    8699                 bReadMapConfig=True): 
    87100        """Create new NDG Attribute Authority instance 
    88101 
    89102        @type propFilePath: string 
    90         @param propFilePath: path to file containing Attribute Authority 
    91         configuration parameters.  It defaults to  
    92         $NDG_DIR/conf/attAuthorityProperties.xml 
     103        @keyword propFilePath: path to file containing Attribute Authority 
     104        configuration parameters.  It defaults to $NDGSEC_AA_PROPFILEPATH or 
     105        if not set, $NDG_DIR/conf/attAuthorityProperties.xml 
    93106        @type bReadMapConfig: boolean 
    94         @param bReadMapConfig: by default the Map Configuration file is read.  
    95         Set this flag to False to override. 
     107        @keyword bReadMapConfig: by default the Map Configuration file is  
     108        read.  Set this flag to False to override. 
    96109        """ 
    97110 
     
    99112        dict.__init__(self) 
    100113 
    101         if not isinstance(propFilePath, basestring): 
    102             raise AttAuthorityError, "Input Properties file path " + \ 
    103                                      "must be a valid string." 
    104         elif propFilePath[0] == '!': 
    105             raise AttAuthorityError, '"NDG_DIR" environment variable must ' +\ 
    106                 'be set in order to use default Properties file path setting' 
     114        # Set from input or use defaults based or environment variables 
     115        self.setPropFilePath(propFilePath) 
    107116 
    108117        # Initialise role mapping look-ups - These are set in readMapConfig() 
     
    150159 
    151160        self.__issuerSerialNumber = self.__cert.serialNumber 
    152  
    153          
    154         # Set-up user roles interface 
     161         
     162         
     163        # Load host sites custom user roles interface to enable the AA to 
     164        # assign roles in an attribute certificate on a getAttCert request 
     165        self.loadUserRolesInterface() 
     166         
     167 
     168    #_________________________________________________________________________ 
     169    def loadUserRolesInterface(self): 
     170        """Set-up user roles interface - load host sites custom AAUserRoles 
     171        derived class.  This class interfaces with the sites mechanism for 
     172        mapping user ID to the roles to which they are entitled.  This 
     173        could be via a user database""" 
     174 
    155175        try: 
    156176            try: 
     
    225245        return key in self.__prop 
    226246 
    227          
     247 
     248    def setPropFilePath(self, val): 
     249        """Set properties file from input or based on environment variable 
     250        settings""" 
     251        if not val: 
     252            if 'NDGSEC_AA_PROPFILEPATH' in os.environ: 
     253                val = os.environ['NDGSEC_AA_PROPFILEPATH'] 
     254                 
     255            elif 'NDG_DIR' in os.environ: 
     256                val = os.path.join(os.environ['NDG_DIR'],  
     257                                   self.__class__.__confDir, 
     258                                   self.__class__.__propFileName) 
     259            else: 
     260                raise AttributeError, 'Unable to set default Attribute ' + \ 
     261                    'Authority properties file path: neither ' + \ 
     262                    '"NDGSEC_AA_PROPFILEPATH" or "NDG_DIR" environment ' + \ 
     263                    'variables are set' 
     264                 
     265        if not isinstance(val, basestring): 
     266            raise AttributeError, "Input Properties file path " + \ 
     267                                  "must be a valid string." 
     268       
     269        self.__propFilePath = val 
     270         
     271    # Also set up as a property 
     272    propFilePath = property(fset=setPropFilePath, 
     273                            doc="Set the path to the properties file")    
     274     
     275     
    228276    #_________________________________________________________________________ 
    229277    def getAttCert(self, 
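Review bot: `setPropFilePath` raises `AttributeError` in both error branches, whereas the rest of this class (and the code it replaces in `__init__`) raises `AttAuthorityError`; callers that catch `AttAuthorityError` around construction will now let a missing-environment error through, so use `AttAuthorityError` here for consistency. Two smaller points in the same hunk: the message should read "neither ... nor", and `propFilePath = property(fset=setPropFilePath, ...)` has no `fget`, so reading `aa.propFilePath` raises "unreadable attribute"; add `fget=lambda self: self.__propFilePath` or document the property as write-only.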
     
    239287                    
    240288        @type proxyCert: string 
    241         @param proxyCert: base64 encoded string containing user proxy cert. 
    242          
    243         @type proxyCertFilePath: string 
     289        @keyword proxyCert: base64 encoded string containing user proxy cert. 
     290         
     291        @keyword proxyCertFilePath: string 
    244292        @param proxyCertFilePath: file path to proxy certificate. 
    245293       
    246294        @type userAttCert: string or AttCert type 
    247         @param userAttCert: externally provided attribute certificate from  
     295        @keyword userAttCert: externally provided attribute certificate from  
    248296        another data centre.  This is only necessary if the user is not  
    249297        registered with this attribute authority.  
    250298                        
    251299        @type userAttCertFilePath: string  
    252         @param userAttCertFilePath: alternative to userAttCert except pass in  
    253         as a file path to an attribute certificate instead. 
    254          
    255         @return attCert: new attribute certificate""" 
     300        @keyword userAttCertFilePath: alternative to userAttCert except pass  
     301        in as a file path to an attribute certificate instead. 
     302         
     303        @rtype: AttCert 
     304        @return: new attribute certificate""" 
    256305 
    257306 
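Review bot: the replacement line `@keyword proxyCertFilePath: string` should be `@type proxyCertFilePath: string`; as written the docstring now carries a `@keyword` and a `@param` entry for the same argument and has lost the type annotation that the old `@type` line provided. The other `@param` to `@keyword` changes in this hunk are fine.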
     
    466515    def readProperties(self, propFilePath=None): 
    467516 
    468         """Read the configuration properties for the Attribute Authority 
     517        """Read the configuration properties for the Attribute Authority. 
     518        Nb. if parameters for the user roles interface change  
     519        loadUserRolesInterface() must be called explicitly in order for the 
     520        changes to take effect 
    469521 
    470522        @type propFilePath: string 
    471         @param propFilePath: file path to properties file 
     523        @keyword propFilePath: file path to properties file 
    472524        """ 
    473525         
    474         if propFilePath is not None: 
    475             if not isinstance(propFilePath, basestring): 
    476                 raise AttAuthorityError, "Input Properties file path " + \ 
    477                                         "must be a valid string." 
    478              
    479             self.__propFilePath = propFilePath 
     526        self.setPropFilePath(propFilePath) 
    480527 
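Review bot: replacing the `if propFilePath is not None:` guard with an unconditional `self.setPropFilePath(propFilePath)` changes behaviour: calling `readProperties()` with the default `None` now re-derives the path from `$NDGSEC_AA_PROPFILEPATH` / `$NDG_DIR` (or raises) and silently discards a path that was passed to `__init__`, where the old code kept the previously stored `self.__propFilePath`. Keep the guard, i.e. `if propFilePath is not None: self.setPropFilePath(propFilePath)`, so an explicit constructor path survives a later re-read.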
    481528 
     
    542589 
    543590        @type mapConfigFilePath: string 
    544         @param mapConfigFilePath: file path for map configuration file.  If  
     591        @keyword mapConfigFilePath: file path for map configuration file.  If  
    545592        omitted, it uses member variable __prop['mapConfigFile']. 
    546593        """ 
     
    615662        if hostName != self.__prop['name']: 
    616663            raise AttAuthorityError, "\"name\" attribute of \"thisHost\" " + \ 
    617                 "tag in Map Configuration file doesn't match config file " + \ 
    618                 "\"name\" tag" 
     664                "element in Map Configuration file doesn't match " + \ 
     665                "\"name\" element in properties file." 
    619666         
    620667        self.__mapConfig['thisHost'][hostName] = \ 
     
    703750        @type usrDN: string  
    704751        @param usrDN: user Distinguished Name 
    705         @return boolean True if user is registered, False otherwise""" 
     752        @rtype: bool 
     753        @return: True if user is registered, False otherwise""" 
    706754        return self.__usrRoles.usrIsRegistered(usrDN) 
    707755        
     
    713761        @type dn: string  
    714762        @param dn: user Distinguished Name 
    715         @return list of roles for the given user DN""" 
     763        @return: list of roles for the given user DN""" 
    716764 
    717765        # Call to AAUserRoles derived class.  Each Attribute Authority 
     
    731779        'hostInfo' property 
    732780         
    733         @return dictionary of host information derived from the map  
     781        @rtype: dict 
     782        @return: dictionary of host information derived from the map  
    734783        configuration""" 
    735784         
     
    748797 
    749798        @type role: string 
    750         @param role: if set, return trusted hosts that having a mapping set  
     799        @keyword role: if set, return trusted hosts that having a mapping set  
    751800        for this role.  If no role is input, return all the AA's trusted hosts  
    752801        with all their possible roles 
    753802 
    754         @return dictionary of the hosts that have trust relationships 
     803        @rtype: dict 
     804        @return: dictionary of the hosts that have trust relationships 
    755805        with this AA.  It returns an empty dictionary if role isn't  
    756806        recognised""" 
     
    815865        @type trustedHostRoles: list 
    816866        @param trustedHostRoles:   list of external roles to map 
    817         @return list of mapped roles""" 
     867        @return: list of mapped roles""" 
    818868 
    819869        if not self.__remoteRole2LocalRole: 
     
    841891        """Create a new unique attribute certificate file path 
    842892         
    843         @return string file path""" 
     893        @return: string file path""" 
    844894         
    845895        attCertFd, attCertFilePath = \ 
     
    881931         
    882932        @type dbURI: string 
    883         @param dbURI: database connection URI 
     933        @keyword dbURI: database connection URI 
    884934        @type filePath: string 
    885         @param filePath: file path for properties file containing settings""" 
     935        @keyword filePath: file path for properties file containing settings 
     936        """ 
    886937        raise NotImplementedError, \ 
    887938            self.__init__.__doc__.replace('\n       ','') 
     
    897948        @type dn: string  
    898949        @param dn: user Distinguished Name to look up. 
    899         @return boolean True if user is registered, False otherwise""" 
     950        @rtype: bool 
     951        @return: True if user is registered, False otherwise""" 
    900952        raise NotImplementedError, \ 
    901953            self.UserIsRegistered.__doc__.replace('\n       ','') 
     
    908960        @type dn: string  
    909961        @param dn: user Distinguished Name 
    910         @return list of roles for the given user DN""" 
     962        @rtype: list 
     963        @return: list of roles for the given user DN""" 
    911964        raise NotImplementedError, \ 
    912965            self.getRoles.__doc__.replace('\n       ','') 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac

    r1990 r2017  
    2222 
    2323from AttAuthority_services_server import AttAuthorityService 
    24 import AttAuthority 
     24from ndg.security.server.AttAuthority import AttAuthority 
     25from ndg.security.common.wsSecurity import WSSecurityHandlerChainFactory, \ 
     26        WSSecurityHandler, SignatureHandler 
     27 
    2528 
    2629class AttAuthorityServiceSub(AttAuthorityService, WSResource): 
    27      def __init__(self): 
    28          WSResource.__init__(self) 
     30 
     31    # Add WS-Security handlers 
     32    factory = WSSecurityHandlerChainFactory 
     33 
     34    def __init__(self): 
     35        WSResource.__init__(self) 
    2936          
    30          # Initialize Attribute Authority class - property file will be 
    31          # picked up from default location under $NDG_DIR directory 
    32          self.__aa = AttAuthority() 
     37        # Initialize Attribute Authority class - property file will be 
     38        # picked up from default location under $NDG_DIR directory 
     39        self.aa = AttAuthority() 
    3340 
    34      def soap_getAttCert(self, ps, **kw): 
    35          #import pdb;pdb.set_trace() 
    36          request, response = AttAuthorityService.soap_getAttCert(self, ps) 
     41    def soap_getAttCert(self, ps, **kw): 
     42        #import pdb;pdb.set_trace() 
     43        request, response = AttAuthorityService.soap_getAttCert(self, ps) 
    3744          
    38          attCert = self.__aa.getAttCert(\ 
     45        attCert = self.aa.getAttCert(\ 
    3946                                                  proxyCert=request.get_element_userCert(), 
    4047                                                  userAttCert=request.get_element_userAttCert()) 
    41          response.set_element_attCert(attCert) 
    42          return request, response 
     48        response.set_element_attCert(attCert) 
     49        return request, response 
    4350 
    44      def soap_getHostInfo(self, ps, **kw): 
    45          import pdb;pdb.set_trace() 
    46          request, response = AttAuthorityService.soap_getHostInfo(self, ps) 
    47          response.set_element_hostInfo('HOST INFO') 
    48          return request, response 
     51    def soap_getHostInfo(self, ps, **kw): 
     52        import pdb;pdb.set_trace() 
     53        request, response = AttAuthorityService.soap_getHostInfo(self, ps) 
     54        response.set_element_hostInfo('HOST INFO') 
     55        return request, response 
    4956 
    50      def soap_getTrustedHostInfo(self, ps, **kw): 
    51          #import pdb;pdb.set_trace() 
    52          request, response = \ 
     57    def soap_getTrustedHostInfo(self, ps, **kw): 
     58        #import pdb;pdb.set_trace() 
     59        request, response = \ 
    5360                AttAuthorityService.soap_getTrustedHostInfo(self, ps) 
    54          response.set_element_trustedHosts('TRUSTED HOST INFO') 
    55          return request, response 
     61        response.set_element_trustedHosts('TRUSTED HOST INFO') 
     62        return request, response 
    5663 
    57      def soap_getPubKey(self, ps, **kw): 
    58          #import pdb;pdb.set_trace() 
    59          request, response = AttAuthorityService.soap_getPubKey(self, ps) 
    60          response.set_element_x509Cert('X.509 Cert.') 
    61          return request, response 
     64    def soap_getPubKey(self, ps, **kw): 
     65        #import pdb;pdb.set_trace() 
     66        request, response = AttAuthorityService.soap_getPubKey(self, ps) 
     67        response.set_element_x509Cert('X.509 Cert.') 
     68        return request, response 
    6269 
    63 portNum = 5700 
     70portNum = 5000 
    6471hostname = socket.gethostname() 
    6572 
    6673root = Resource() 
    67 root.putChild('AttributeAuthority', AttAuthorityServiceSub()) 
     74 
     75# Create Service 
     76aaSrv = AttAuthorityServiceSub() 
     77 
     78 
     79# Initialise WS-Security signature handler passing Attribute Authority 
     80# public and private keys 
     81WSSecurityHandler.signatureHandler = SignatureHandler(\ 
     82                                            certFilePath=aaSrv.aa['certFile'], 
     83                                            priKeyFilePath=aaSrv.aa['keyFile'], 
     84                                            priKeyPwd=aaSrv.aa['keyPwd']) 
     85 
     86# Add Service to Attribute Authority branch 
     87root.putChild('AttributeAuthority', aaSrv) 
    6888siteFactory = Site(root) 
    69 application = service.Application("WSRF-Container") 
    70 port = internet.TCPServer(portNum, siteFactory)#, interface=hostname) 
     89application = service.Application("AttributeAuthorityContainer") 
     90port = internet.TCPServer(portNum, siteFactory) 
    7191port.setServiceParent(application) 
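Review bot: the `soap_getPubKey` override (new lines 64-68) is now dead code. The regenerated `AttAuthorityService` in AttAuthority_services_server.py replaces `soap_getPubKey` with `soap_getX509Cert`, so this override is never reached through the `soapAction`/`root` dispatch tables and `AttAuthorityService.soap_getPubKey` no longer exists; meanwhile a `getX509Cert` request falls through to the generated stub, which only fills `result._x509Cert` when `self.impl` is set, and this subclass defines no `impl`. Rename the override to `soap_getX509Cert`, call `AttAuthorityService.soap_getX509Cert(self, ps)`, and set the element from the AA's own certificate (the file named by `self.aa['certFile']`) rather than the `'X.509 Cert.'` placeholder. Also in this hunk: `soap_getHostInfo` keeps a live `import pdb;pdb.set_trace()` (new line 52) which will stop the Twisted process on the first `getHostInfo` request, so comment it out like the others; and with `priKeyPwd=aaSrv.aa['keyPwd']` the signing key's pass-phrase now comes from the properties file, which makes that file's permissions the effective protection for the AA signing key and deserves a line in the README.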
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py

    r1945 r2017  
    4848 
    4949    def __init__(self,  
    50                  myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN'),  
     50                 myProxyServerDN=os.environ.get('MYPROXY_SERVER_DN'), 
     51                 cnHostPfx='host/', 
    5152                 **kw): 
    5253        """Override parent class __init__ to enable setting of myProxyServerDN 
    5354        setting 
    5455         
    55         @param myProxyServerDN: Set the expected Distinguished Name of the 
     56        @type myProxyServerDN: string 
     57        @keyword myProxyServerDN: Set the expected Distinguished Name of the 
    5658        MyProxy server to avoid errors matching hostnames.  This is useful 
    57         where the hostname is not fully qualified""" 
     59        where the hostname is not fully qualified 
     60         
     61        @type cnHostPfx: string 
     62        @keyword cnHostPfx: globus host certificates are  
     63        generated by default with a 'host/' prefix to the host name.  Set 
     64        this keyword to '' or None to override and omit the prefix""" 
     65         
    5866        SSL.Checker.Checker.__init__(self, **kw) 
     67         
    5968        self.myProxyServerDN = myProxyServerDN 
     69        self.cnHostPfx = cnHostPfx 
    6070         
    6171         
     
    6474        @param peerCert: MyProxy server host certificate as M2Crypto.X509.X509 
    6575        instance 
    66         @param **kw: forward keywords to parent class method 
    67         """ 
    68          
    69         # Globus host certificate has a "host/" prefix 
    70         host = 'host/' + self.host 
     76        @keyword host: name of host to check 
     77        """ 
     78         
     79        # Globus host certificate has a "host/" prefix - see explanation in 
     80        # __init__.__doc__ 
     81        host = None or self.cnHostPfx + self.host 
    7182         
    7283        try: 
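Review bot: `host = None or self.cnHostPfx + self.host` does not do what the comment suggests. `None or X` simply evaluates to `X`, and when `cnHostPfx` is `None`, which the `__init__` docstring in the previous hunk explicitly allows ("set this keyword to '' or None"), `None + self.host` raises `TypeError` inside the post-connection check. Use `host = (self.cnHostPfx or '') + self.host`, which handles both `''` and `None`.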
     
    7889            peerCertDN = '/' + \ 
    7990                    peerCert.get_subject().as_text().replace(', ', '/') 
    80             if peerCertDN == self.myProxyServerDN: 
     91            if peerCertDN != self.myProxyServerDN: 
    8192                # They match - drop the exception and return all OK instead 
    82                 return True 
    83             else: 
    8493                raise e 
     94             
     95        return True 
    8596             
    8697         
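Review bot: the comment "They match - drop the exception and return all OK instead" is now attached to the `if peerCertDN != self.myProxyServerDN:` branch that re-raises, so it describes the opposite case; move or reword it ("DN doesn't match the configured server DN - re-raise the hostname error"). The restructuring itself is correct: a mismatch still fails closed by re-raising `e`, and the unconditional `return True` after the `try` block fixes the case where the callback returned `None` on success, which is the behaviour the commit message describes.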
     
    145156                   'port', 
    146157                   'serverDN', 
     158                   'serverCNprefix', 
    147159                   'gridSecurityDir', 
    148160                   'openSSLConfFileName', 
     
    346358        # host/<hostname> one 
    347359        hostCheck = _HostCheck(host=self.__prop['hostname'], 
    348                                myProxyServerDN=self.__prop.get('serverDN')) 
     360                               myProxyServerDN=self.__prop.get('serverDN'), 
     361                               cnHostPfx=self.__prop.get('serverCNprefix')) 
    349362        conn.set_post_connection_check_callback(hostCheck) 
    350363         
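Review bot: `cnHostPfx=self.__prop.get('serverCNprefix')` passes `None` explicitly whenever the `serverCNprefix` element is absent (or parsed as empty), which overrides the `'host/'` default in `_HostCheck.__init__` rather than falling back to it, and `None` then reaches the string concatenation in `_HostCheck.__call__`. If the element is meant to be optional, use `self.__prop.get('serverCNprefix', 'host/')`; if it is required because it is in `__validKeys`, index it directly so a missing element fails at load time with a clear message.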
     
    428441        for e in errorlines: 
    429442            etext = e.split('=', 1)[1] 
    430             errorTxt += etext 
     443            errorTxt += os.linesep + etext 
    431444         
    432445        if fieldNames: 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/README

    r1773 r2017  
    55 
    66SessionMgrService soap_* methods modified to return request 
    7 and result to fit with interface to Twisted: 
     7and result to fit with interface to Twisted: replace  
    88 
    9 return self.request, result 
     9return result -> return self.request, result 
    1010 
    11 Import SessionMgr_services from ndg.security.common. 
     11Import SessionMgr_services from ndg.security.common.SessionMgr 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r1999 r2017  
    44NERC Data Grid Project 
    55 
    6 @author P J Kershaw 05/05/05 
     6@author P J Kershaw 05/05/05, major update 16/01/07 
    77 
    8 @copyright (C) 2006 CCLRC & NERC 
     8@copyright (C) 2007 CCLRC & NERC 
    99 
    1010@license This software may be distributed under the terms of the Q Public  
     
    1818from ConfigParser import SafeConfigParser 
    1919 
     20from ConfigParser import SafeConfigParser 
     21 
    2022from ndg.security.common.AttAuthority import AttAuthorityClient 
    2123 
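Review bot: the added `from ConfigParser import SafeConfigParser` (new line 20) duplicates the identical import two lines above at line 18; drop the new one.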
     
    2325     
    2426    def setUp(self): 
    25          
     27 
    2628        configParser = SafeConfigParser() 
    2729        configParser.read("./attAuthorityClientTest.cfg") 
     
    3133            self.cfg[section] = dict(configParser.items(section)) 
    3234 
     35        tracefile = sys.stderr 
     36 
    3337        # Instantiate WS proxy 
    34         self.clnt = AttAuthorityClient(self.cfg['setUp']['uri'],  
    35                                        tracefile=sys.stderr) 
     38        self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'],  
     39                   clntCertFilePath=self.cfg['setUp']['usercertfilepath'], 
     40                   clntPriKeyFilePath=self.cfg['setUp']['userprikeyfilepath'], 
     41                   tracefile=sys.stderr) 
    3642    
    3743     
    38     def testGetPubKey(self): 
    39         '''testGetPubKey: retrieve Attribute Authority's X.509 cert.''' 
     44    def testGetX509Cert(self): 
     45        '''testGetX509Cert: retrieve Attribute Authority's X.509 cert.''' 
    4046        #import pdb;pdb.set_trace() 
    41         resp = self.clnt.getPubKey() 
    42         print "Attribute Authority public key:\n" + resp 
     47        resp = self.clnt.getX509Cert() 
     48        print "Attribute Authority X.509 cert.:\n" + resp 
    4349         
    4450 
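Review bot: the local `tracefile = sys.stderr` (new line 35) is never used; the constructor call below passes `tracefile=sys.stderr` directly. Either pass `tracefile=tracefile` or remove the assignment. The client now supplies `clntCertFilePath`/`clntPriKeyFilePath`, matching the signature handler added on the server side, which is the point of the change.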
     
    4652        """testGetTrustedHostInfo: retrieve trusted host info matching a 
    4753        given role""" 
    48         role = 'role' 
    49         self.clnt.getTrustedHostInfo(role) 
     54        self.clnt.getTrustedHostInfo(\ 
     55                                 self.cfg['testGetTrustedHostInfo']['role']) 
    5056 
    5157 
     
    6470        Authority Web Service.""" 
    6571     
    66         # User's proxy certificate 
    67         userCertFilePath = "/tmp/x509up_u1001" 
     72        # Read user Certificate into a string ready for passing via WS 
     73        try: 
     74            userCertFilePath = \ 
     75                self.cfg['testGetAttCert'].get('issuingusercertfilepath') 
     76            userCertTxt = open(userCertFilePath, 'r').read() 
     77         
     78        except TypeError: 
     79            # No issuing cert set 
     80            userCertTxt = None 
     81                 
     82        except IOError, ioErr: 
     83            raise "Error reading certificate file \"%s\": %s" % \ 
     84                                    (ioErr.filename, ioErr.strerror) 
     85        import pdb;pdb.set_trace() 
     86        # Make attribute certificate request 
     87        attCert = self.clnt.getAttCert(userCert=userCertTxt) 
     88        return attCert 
     89 
     90 
     91    def testGetMappedAttCert(self):         
     92        """testGetAttCert: Request mapped attribute certificate from NDG  
     93        Attribute Authority Web Service.""" 
    6894     
    69         # Existing Attribute Certificate held in user's CredentialWallet.   
    70         # This is available for use with trusted data centres to make new  
    71         # mapped Attribute Certificates 
    72         userAttCertFilePath = None 
    73      
    74         # Read user Proxy Certificate into a string ready for passing via WS 
     95        # Read user Certificate into a string ready for passing via WS 
    7596        try: 
    76             userCertFileTxt = open(userCertFilePath, 'r').read() 
    77              
     97            userCertFilePath = \ 
     98            self.cfg['testGetMappedAttCert'].get('issuingusercertfilepath') 
     99            userCertTxt = open(userCertFilePath, 'r').read() 
     100         
     101        except TypeError: 
     102            # No issuing cert set 
     103            userCertTxt = None 
     104                 
    78105        except IOError, ioErr: 
    79             raise "Error reading proxy certificate file \"%s\": %s" % \ 
     106            raise "Error reading certificate file \"%s\": %s" % \ 
    80107                                    (ioErr.filename, ioErr.strerror) 
    81108     
    82109     
    83         # Simlarly for Attribute Certificate if present ... 
    84         if userAttCertFilePath is not None: 
     110        # Simlarly for Attribute Certificate  
     111        try: 
     112            userAttCertFileTxt = open(\ 
     113        self.cfg['testGetMappedAttCert']['userattcertfilepath'], 'r').read() 
    85114             
    86             try: 
    87                 userAttCertFileTxt = open(userAttCertFilePath, 'r').read() 
    88                  
    89             except IOError, ioErr: 
    90                 raise "Error reading attribute certificate file \"%s\": %s" %\ 
    91                                         (ioErr.filename, ioErr.strerror) 
    92         else: 
    93             userAttCertFileTxt = None 
     115        except IOError, ioErr: 
     116            raise "Error reading attribute certificate file \"%s\": %s" %\ 
     117                                    (ioErr.filename, ioErr.strerror) 
    94118             
    95119     
    96120        # Make attribute certificate request 
    97         resp = self.clnt.getAttCert(userCertFileTxt) 
    98         return resp 
    99          
     121        attCert = self.clnt.getAttCert(userCert=userCertTxt, 
     122                                       userAttCert=userAttCertTxt) 
     123        return attCert        
     124  
    100125  
    101126#_____________________________________________________________________________        
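Review bot: `testGetMappedAttCert` will fail with `NameError`: the attribute certificate text is read into `userAttCertFileTxt` (new line 112) but the request passes `userAttCert=userAttCertTxt` (new line 121); pick one name. Also in this hunk: `testGetAttCert` keeps a live `import pdb;pdb.set_trace()` (new line 85), which blocks an unattended test run; the new `raise "Error reading certificate file ..."` lines raise a string rather than an exception instance, which is deprecated and should become `raise IOError(...)` or a project exception; and the docstring of `testGetMappedAttCert` still names `testGetAttCert`.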
     
    108133                    "testGetTrustedHostInfoWithNoRole", 
    109134                    "testGetAttCert", 
    110                     "testGetPubKey", 
     135                    "testGetMappedAttCert", 
     136                    "testGetX509Cert", 
    111137                  )) 
    112138        unittest.TestSuite.__init__(self, map) 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/TestUserRoles.py

    r1642 r2017  
    44NERC Data Grid Project 
    55                                                                                 
    6 P J Kershaw 29/07/05 
     6@author P J Kershaw 29/07/05 
    77                                                                                 
    8 Copyright (C) 2006 CCLRC & NERC 
     8@copyright (C) 2006 CCLRC & NERC 
    99                                                                                 
    10 This software may be distributed under the terms of the Q Public License, 
    11 version 1.0 or later. 
     10@licence: This software may be distributed under the terms of the Q Public  
     11License, version 1.0 or later. 
    1212""" 
    13 reposID = '$Id' 
     13reposID = '$Id:$' 
    1414 
    1515 
    16 from AttAuthority import AAUserRoles 
     16from ndg.security.server.AttAuthority import AAUserRoles 
    1717 
    1818 
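Review bot: the Epydoc field tags at lines 6 and 8 are missing the colon that Epydoc requires (`@author: P J Kershaw 29/07/05`, `@copyright: (C) 2006 CCLRC & NERC`), so they will not be parsed as fields, and line 10 uses `@licence`, whereas the tag Epydoc recognises is `@license`; the three tags should be made consistent. On line 13, `$Id:$` is only expanded if the file has the `svn:keywords` property set to include `Id`; the previous value `'$Id'` had no closing dollar and so could never expand, which suggests the property has not been set on this file, so it is worth checking. The switch to the absolute import `ndg.security.server.AttAuthority` on line 16 is the right fix for running the test outside the package directory.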
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/MyProxyClientTest.py

    r1967 r2017  
    6767            getpass.getpass(prompt="\ntest2GetDelegation pass-phrase: ") 
    6868          
    69         try:    
     69        try: 
    7070            creds = self.clnt.getDelegation(\ 
    7171                                  self.cfg['test2GetDelegation']['username'],  
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg

    r1945 r2017  
    1111 
    1212[test1Store] 
    13 username: sstljakTestUser 
     13username: gabriel 
    1414passphrase: 
    1515certFile: ./userCert.pem 
     
    2020 
    2121[test2GetDelegation] 
    22 username: sstljakTestUser 
     22username: gabriel 
    2323passphrase: 
    2424 
    2525[test3Info] 
    26 username: sstljakTestUser 
     26username: gabriel 
    2727ownerCertFile: ./proxy-cert.pem 
    2828ownerKeyFile: ./proxy-key.pem 
     
    3030 
    3131[test4ChangePassphrase] 
    32 username: sstljakTestUser 
     32username: gabriel 
    3333ownerCertFile: ./proxy-cert.pem 
    3434ownerKeyFile: ./proxy-key.pem 
     
    3838 
    3939[test5Destroy] 
    40 username: sstljakTestUser 
     40username: gabriel 
    4141ownerCertFile: ./proxy-cert.pem 
    4242ownerKeyFile: ./proxy-key.pem 
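Review bot: the same `username: gabriel` value is now repeated in all five test sections, so the next change of test user will again need five edits; if `self.cfg` is a ConfigParser, putting `username` once in a `[DEFAULT]` section lets every section inherit it, and an environment override (as the properties files in this changeset already do for MYPROXY_SERVER) would avoid committing a site-specific account name to trunk at all. The `passphrase:` keys are left empty, which is correct since the test prompts with `getpass`; make sure nobody fills them in here.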
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml

    r1881 r2017  
    33        <!--  
    44        Delete this element and take setting from MYPROXY_SERVER environment  
    5         variable ifrequired 
     5        variable if required 
     6        <hostname>localhost</hostname> 
    67        --> 
    7         <hostname>localhost</hostname> 
    88        <!--  
    99        Delete this element to take default setting 7512 or read  
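Review bot: moving `<hostname>localhost</hostname>` inside the comment block inverts the meaning of the surrounding text: the comment still says "Delete this element and take setting from MYPROXY_SERVER environment variable if required", but the element is now already commented out and the environment variable is the only source of the hostname. Reword the comment to say that MYPROXY_SERVER is used unless the element is uncommented, so that a deployer who reads the file as shipped is not misled into thinking a default of localhost is in effect.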
     
    1313        <!-- 
    1414        Useful if hostname and certificate CN don't match correctly.  Globus host 
    15         DN is set to "host/<fqdn>".  Delete this element and set from  
     15        CN is usually set to "host/<fqdn>".  Delete this element and set from  
    1616        MYPROXY_SERVER_DN environment variable if prefered 
     17        <serverDN>/O=NDG/OU=sstljak/CN=host/sstljak</serverDN> 
    1718        --> 
    18         <serverDN>/O=NDG/OU=sstljak/CN=host/sstljak</serverDN> 
     19        <!-- 
     20        Set "host/" prefix to host cert CN as is default with globus 
     21        --> 
     22        <serverCNprefix>host/</serverCNprefix>   
    1923        <!-- 
    2024        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting 
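Review bot: the same inversion applies to `<serverDN>` at line 17, which is now inside the comment while the text at lines 15-16 still tells the reader to delete it; since `<serverDN>` is what pins the expected identity of the MyProxy server, the comment should state plainly that with the element commented out the check falls back to MYPROXY_SERVER_DN or, failing that, to the hostname plus the new `<serverCNprefix>`. The comment at line 20 for `<serverCNprefix>` could also say what an empty value means (host certificates issued without the Globus `host/` prefix), which is the case this element was added for. Minor: "prefered" at line 16 should be "preferred", and line 22 has trailing whitespace after the closing tag.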
  • TI12-security/trunk/python/www/html/attAuthority.wsdl

    r1773 r2017  
    1616        <xsd:complexType> 
    1717          <xsd:sequence> 
    18             <xsd:element name="userCert" type="xsd:string" minOccurs="1" maxOccurs="1"/> 
     18            <xsd:element name="userCert" type="xsd:string" minOccurs="0" maxOccurs="1"/> 
    1919            <xsd:element name="userAttCert" type="xsd:string" minOccurs="0" maxOccurs="1"/> 
    2020          </xsd:sequence> 
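Review bot: changing `userCert` to `minOccurs="0"` makes a `getAttCert` request with neither `userCert` nor `userAttCert` schema-valid, since `userAttCert` at line 19 is already optional. The server-side handler regenerated from this WSDL therefore has to check explicitly that a user certificate is present (or that the caller's identity can be established another way, such as from the request signature added in this changeset) and return a SOAP fault otherwise, rather than relying on schema validation to reject an empty request; a short comment in the WSDL noting which element is required under which condition would help whoever next regenerates the stubs.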
     
    2323      <xsd:element name="getAttCertResponse"> 
    2424        <xsd:complexType> 
    25           <xsd:sequence> 
    26             <xsd:element name="attCert" type="xsd:string"/> 
    27           </xsd:sequence> 
    28         </xsd:complexType> 
     25              <xsd:sequence> 
     26                <xsd:element name="attCert" type="xsd:string"/> 
     27              </xsd:sequence> 
     28            </xsd:complexType> 
    2929      </xsd:element> 
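Review bot: lines 25-28 of `getAttCertResponse` are re-indented by four extra spaces, so the `<xsd:sequence>` now sits deeper than its parent `<xsd:complexType>` at line 24 and the nesting no longer matches the `getAttCert` element above it; revert to the two-space steps used elsewhere in the file, or keep cosmetic changes out of a functional WSDL edit so the diff shows only the `minOccurs` change.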
    3030 
     
    9494  </message> 
    9595 
    96   <message name="getPubKeyInputMsg"> 
    97     <part name="parameters" element="tns:getPubKey"/> 
     96  <message name="getX509CertInputMsg"> 
     97    <part name="parameters" element="tns:getX509Cert"/> 
    9898  </message> 
    9999 
    100   <message name="getPubKeyOutputMsg"> 
    101     <part name="parameters" element="tns:getPubKeyResponse"/> 
     100  <message name="getX509CertOutputMsg"> 
     101    <part name="parameters" element="tns:getX509CertResponse"/> 
    102102  </message> 
    103103 
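Review bot: the renamed messages now reference `tns:getX509Cert` and `tns:getX509CertResponse`, but the corresponding `<xsd:element>` declarations in the types section are not part of the visible diff; confirm that `getPubKey` and `getPubKeyResponse` were renamed there as well, since a dangling `element=` reference only shows up when a client or server stub is generated, not at edit time.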
     
    159159    </operation> 
    160160 
    161     <operation name="getPubKey"> 
    162       <soap:operation soapAction="getPubKey"/> 
     161    <operation name="getX509Cert"> 
     162      <soap:operation soapAction="getX509Cert"/> 
    163163      <wsdl:input> 
    164164        <soap:body use="literal"/> 
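Review bot: renaming the operation and its `soapAction` from `getPubKey` to `getX509Cert` is an interface change that any client built from the old WSDL will fail against, so the changeset message should call it out as breaking and the old name should either be kept as a deprecated alias for one release or the WSDL version bumped. The new name is also more accurate, since the operation returns a certificate rather than a bare public key, and callers should be reminded to verify the returned certificate against the trusted CA set rather than treating it as trusted because it came from the service.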