Context Navigation

← Previous Change
Next Change →

Changeset 2080 for TI12-security

Timestamp:

31/01/07 10:15:32 (13 years ago)

Author:

pjkersha

Message:

Working unit test: Session Manager Client getAttCert call *

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
ensure AttCert? response is explicitly converted to a string before dispatch. Previously
signature check was failing for client recipient.

python/ndg.security.common/ndg/security/common/CredWallet.py:

fixed - added metaclass declaration to include _MetaCredWallet. This contains some

useful class variables declared as properties.

Major refactor so that AttAuthorityClient? is created when aaURI property is set

rather every time a web service call is made via getAttCert, getAttCert and
getAATrustedHostInfo. Likewise, alternative aaPropFilePath property setting actually
instantiates a local Attribute Authority at the same time. Nb. calls can be made to
an AA web service (aaURI property) or AA running locally (pass the file path for its
properties file aaPropFilePath).

added epydoc headers to more methods.

Location:

TI12-security/trunk/python

Files:

: 2 edited

ndg.security.common/ndg/security/common/CredWallet.py (modified) (19 diffs)
ndg.security.server/ndg/security/server/SessionMgr/server-config.tac (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

-                      r2079
+                      r2080
 aaImportError = True
 try:
+    from ndg.security.common.AttAuthority import AttAuthorityClient, \
+        AttAuthorityClientError
+    # AttAuthority client package resides with CredWallet module in
+    # ndg.security.common
+    from AttAuthority import AttAuthorityClient, AttAuthorityClientError
     aaImportError = False
 …
     """Volatile store of user credentials associated with a user session"""
+    __metaclass__ = _MetaCredWallet
     def __init__(self,
                  proxyCert,
                  proxyPriKey,
                  userCert,
+                 aaURI=None,
+                 aaPropFilePath=None,
                  caCertFilePath=None,
                  credRepos=None,
 …
         @param userCert: X.509 cert for issuer of proxy
+        @type aaURI: string
+        @keyword aaURI: URI of Attribute Authority to make requests to.
+        Setting this ALSO creates an AttAuthorityClient instance
+        self.__aaClnt.  - See aaURI property for details.
+        @type aaPropFilePath: string
+        @keyword aaPropFilePath: properties file path for an Attribute
+        Authority to make requests to.  Setting this ALSO creates an
+        AttAuthority instance self.__aa running locally.   - See aa property
+        for details.  aaURI takes precedence over this keyword i.e. if an
+        aaURI has been set, then calls are made to the AA web service at this
+        location rather to any self.__aa running locally.
         @type caCertFilePath: string
         @keyword caCertFilePath: Certificate Authority's certificate - used in
 …
         self.__setUserCert(userCert)
+        self.__setAAuri(aaURI)
         self.__setCAcertFilePath(caCertFilePath)
 …
     #_________________________________________________________________________
+    def __setAAuri(self, aaURI):
+        """Set property method for Attribute Authority Web Service URI to
+        connect to.  This method ALSO SETS UP THE CLIENT INTERFACE
+        @type aaURI: string
+        @param aaURI: Attribute Authority Web Service URI.  Set to None to
+        initialise.  Set to a URI to instantiate a new AA client"""
+        if aaURI is None:
+            self.__aaClnt = None
+            return
+        self.__aaClnt = AttAuthorityClient(uri=aaURI,
+                                           signingCert=self.__proxyCert,
+                                           signingPriKey=self.__proxyPriKey)
+    aaURI = property(fset=__setAAuri,
+             doc="AA URI - setting also sets up AttAuthorityClient instance!")
+    #_________________________________________________________________________
+    def __getAAclnt(self):
+        """Get property method for Attribute Authority Web Service client
+        instance.  Use aaURI propert to set up aaClnt
+        @type aaClnt: AttAuthorityClient
+        @param aaClnt: Attribute Authority Web Service client instance"""
+        return self.__aaClnt
+    aaClnt = property(fget=__getAAclnt, doc="AA web service client instance")
+    #_________________________________________________________________________
+    def __setAApropFilePath(self, aaPropFilePath):
+        """Set property method for the properties file of a local
+        Attribute Authority.  This method ALSO SETS UP THE LOCAL Attribute
+        Authority object to retrieve ACs from.  the property aaURI takes
+        precedence: if an aaURI is set then it assumed that an Attribute
+        Authority will be connected to via a web service call
+        @type aaPropFilePath: string
+        @param aaPropFilePath: Attribute Authority properties file.  Setting
+        this instantiates a new AA locally"""
+        if aaPropFilePath is None:
+            self.__aa = None
+            return
+        # Make a new attribute authority instance
+        self.__aa = AttAuthority(propFilePath=aaPropFilePath)
+    aaPropFilePath = property(fset=__setAApropFilePath,
+    doc="AA properties file path - setting this also sets up an AA locally!")
+    #_________________________________________________________________________
+    def __getAA(self):
+        """Get property method for Attribute Authority Web Service client
+        instance.  Use aaURI propert to set up aaClnt
+        @type aaClnt: AttAuthorityClient
+        @param aaClnt: Attribute Authority Web Service client instance"""
+        return self.__aaClnt
+    aa = property(fget=__getAA, doc="Attribute Authority instance")
+    #_________________________________________________________________________
     def isValid(self, **x509CertKeys):
+        """Check wallet's proxy cert.  If expired return False"""
+        """Check wallet's proxy cert.  If expired return False
+        @type **x509CertKeys: dict
+        @param **x509CertKeys: keywords applying to
+        ndg.security.common.X509.X509Cert.isValid method"""
         try:
             return self.__proxyCert.isValidTime(**x509CertKeys)
         except Exception, e:
             raise CredWalletError("Credential Wallet: %s" % e)
+            raise CredWalletError, "Credential Wallet: %s" % e
 …
     def addCredential(self, attCert, bUpdateCredRepos=True):
         """Add a new attribute certificate to the list of credentials held.
+        Return True if certificate was added otherwise False.  - If an
+        @type attCert:
+        @param attCert: new attribute Certificate to be added
+        @type bUpdateCredRepos: bool
+        @keyword bUpdateCredRepos: if set to True, and a repository exists it
+        will be updated with the new credentials also
+        @rtype: bool
+        @return: True if certificate was added otherwise False.  - If an
         existing certificate from the same issuer has a later expiry it will
+        take precence and the new input certificate is ignored.
+        attCert:            new attribute Certificate to be added
+        bUpdateCredRepos:   if set to True, and a repository exisits it will
+                            be updated with the new credentials also"""
+        take precence and the new input certificate is ignored."""
         # Check input
+        try:
+            if not isinstance(attCert, AttCert):
+                raise CredWalletError(\
+                    "Attribute Certificate must be an AttCert type object")
+        except Exception, e:
+            raise CredWalletError, "Attribute Certificate input: %s" % e
+        if not isinstance(attCert, AttCert):
+            raise CredWalletError,\
+                "Attribute Certificate must be an AttCert type object"
         # Check certificate validity
 …
         except AttCertError, e:
             raise CredWalletError("Adding Credential: %s" % e)
+            raise CredWalletError, "Adding Credential: %s" % e
 …
     def updateCredRepos(self, auditCred=True):
         """Copy over non-persistent credentials held by wallet into the
+        perminent repository."""
+        perminent repository.
+        @type auditCred: bool
+        @keyword auditCred: filter existing credentials in the repository
+        removing invalid ones"""
         if not self.__credRepos:
             raise CredWalletError(
                   "No Credential Repository has been created for this wallet")
+            raise CredWalletError, \
+                  "No Credential Repository has been created for this wallet"
         # Filter out invalid certs unless auditCred flag is explicitly set to
 …
         self.__credRepos.addCredentials(self.__dn, attCertList)
     #_________________________________________________________________________
+    def __getAttCert(self,
+                     aaPropFilePath=None,
+                     aaURI=None,
+                     extAttCert=None,
+                     bDebug=False):
+    def __getAttCert(self, extAttCert=None):
         """Wrapper to Attribute Authority attribute certificate request.  See
 …
         and added into the wallet
-        @type aaURI: string
-        @keyword aaURI: to call as a web service, specify the URI for the
-        Attribute Authority.
-        @type aaPropFilePath: string
-        @keyword aaPropFilePath: Altenrative to aaURI - to run on the local
-        machine, specify the local Attribute Authority configuration file.
+        :
         @type extAttCert: ndg.security.common.AttCert.AttCert
         @keyword extAttCert: an existing Attribute Certificate which can
 …
         Attribute Authority"""
+        if aaURI is not None:
+            try:
+                aaClnt = AttAuthorityClient(uri=aaURI,
+                                            signingCert=self.__proxyCert,
+                                            signingPriKey=self.__proxyPriKey)
+            except Exception, e:
+                raise CredWalletError, "Attribute certificate request: %s" % e
+        if self.__aaClnt is not None:
             try:
                 attCert = aaClnt.getAttCert(self.__userCert.toString(),
                                               userAttCert=extAttCert)
+                attCert = self.__aaClnt.getAttCert(self.__userCert.toString(),
+                                                   userAttCert=extAttCert)
             except Exception, e:
                 raise CredWalletAuthorisationDenied, str(e)
 …
                 raise CredWalletError, "Attribute Authority Configuration " +\
                                       "file path must be a valid string"
-            try:
-                # Make a new attribute authority instance
-                aa = AttAuthority(propFilePath=aaPropFilePath)
-            except Exception, e:
-                raise CredWalletError, "Attribute certificate request: %s" % e
             try:
                 # Request a new attribute certificate from the Attribute
                 # Authority
                 attCert = aa.getAttCert(userCert=self.__proxyCert,
                                         userAttCert=extAttCert)
+                attCert = self.__aa.getAttCert(userCert=self.__proxyCert,
+                                               userAttCert=extAttCert)
             except AttAuthorityAccessDenied, e:
 …
     #_________________________________________________________________________
     def getAATrustedHostInfo(self,
+    def getAATrustedHostInfo(self,
                              userRole=None,
-                             aaURI=None,
                              aaPropFilePath=None,
                              bDebug=False):
+                             aaURI=None):
         """Wrapper to Attribute Authority getTrustedHostInfo
+        userRole:               get hosts which have a mapping to this role
+        aaURI|aaPropFilePath:  to call as a web service, specify the file
+                                path or URI for the Attribute Authority's
+                                WSDL.  Otherwise, to run on the local machine,
+                                specify a local Attribute Authority
+                                configuration file."""
+        if aaURI is not None:
+        getAATrustedHostInfo([userRole=r, ][aaPropFilePath=f|aaURI=u])
+        @type userRole: string
+        @keyword userRole: get hosts which have a mapping to this role
+        @type aaURI: string
+        @keyword aaURI: to call as a web service, specify the URI for the
+        Attribute Authority.
+        @type aaPropFilePath: string
+        @keyword aaPropFilePath: Altenrative to aaURI - to run on the local
+        machine, specify the local Attribute Authority configuration file.
+        """
+        if aaURI:
+            self.__setAAuri(aaURI)
+        elif aaPropFilePath:
+            self.__setAAPropFilePath
+        if self.__aaClnt is not None:
             # Call Attribute Authority WS
             try:
+                aaClnt = AttAuthorityClient(uri=aaURI,
+                                        signingCert=self.__proxyCertFilePath,
+                                        signingPriKey=self.__clntPriKey)
+                trustedHostInfo = aaClnt.getTrustedHostInfo(role=userRole)
+                return trustedHostInfo
+                return self.__aaClnt.getTrustedHostInfo(role=userRole)
             except Exception, e:
 …
                             "Requesting trusted host information: %s" % str(e)
         elif aaPropFilePath is not None:
+        elif self.__aa is not None:
             # Call local based Attribute Authority with settings from the
             # configuration file aaPropFilePath
-            if not instance(aaURI, basestring):
-                raise CredWalletError, "Attribute Authority Configuration " +\
-                                      "file path must be a valid string"
             try:
-                # Make a new attribute authority instance
-                aa = AttAuthority(aaPropFilePath)
                 # Request a new attribute certificate from the Attribute
                 # Authority
                 return aa.getTrustedHostInfo(role=userRole)
+                return self.__aa.getTrustedHostInfo(role=userRole)
             except Exception, e:
 …
         replace it."""
+        if aaURI:
+            self.__setAAuri(aaURI)
+        elif aaPropFilePath:
+            self.__setAAPropFilePath
         if not refreshAttCert and self.__credentials:
             # Refresh flag is not set so it's OK to check for any existing
 …
             # Find out the site ID for the target AA by calling AA's host
             # info WS method
+            aaClnt = AttAuthorityClient(uri=aaURI,
+                                        signingCert=self.__proxyCert,
+                                        signingPriKey=self.__proxyPriKey)
+            hostInfo = aaClnt.getHostInfo()
+            aaName = hostInfo.keys()[0]
+            try:
+                hostInfo = self.__aaClnt.getHostInfo()
+                aaName = hostInfo.keys()[0]
+            except Exception, e:
+                raise CredWalletError, "Getting host info: %s" % e
             # Look in the wallet for an AC with the same issuer name
 …
             # Request Authorisation from Attribute Authority
             try:
+                attCert = self.__getAttCert(aaURI=aaURI,
+                                            aaPropFilePath=aaPropFilePath,
+                                            extAttCert=extAttCert)
+                attCert = self.__getAttCert(extAttCert=extAttCert)
                 # Access granted
                 return attCert
 …
                 try:
                     trustedHostInfo = self.getAATrustedHostInfo(reqRole,
-                                            aaURI=aaURI,
                                             aaPropFilePath=aaPropFilePath)
                 except Exception, e:
 …
                 raise authorisationError
+    #_________________________________________________________________________
+    def __retrieveURI(self, uri):
+        """Retrieve content from a URI - use to get public key from a
+        remote Attribute Authority
+        Nb. If tempFile goes out of scope the temporary file containing the
+        URI content will be deleted also"""
+        try:
+            tempFile = tempfile.NamedTemporaryFile()
+            (fileName, httpResp) = urllib.urlretrieve(uri, tempFile.name)
+        except Exception, e:
+            raise CredWalletError, "Error retrieving from URI " + \
+                                  "\"%s\": %s" % (uri, str(e))
+        # Expecting plain text format for returned public key file
+        # 404 error would come back as 'text/html'
+        if 'text/plain' not in httpResp['Content-type']:
+            raise CredWalletError, "Error retrieving from URI " + \
+                                   "\"%s\": expecting \"plain/text\"" % uri
+        return tempFile
 #_____________________________________________________________________________

TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac

-                      r2079
+                      r2080
         response.AttCert, response.StatusCode, response.Msg, \
                 response.ExtAttCert = result
+        response.AttCert = result[0].toString()
+        response.StatusCode, response.Msg, response.ExtAttCert = result[1:]
         return request, response

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2080 for TI12-security

Legend:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac

Download in other formats: