Context Navigation

← Previous Change
Next Change →

Changeset 2178 for TI12-security

Timestamp:

16/02/07 15:51:32 (13 years ago)

Author:

pjkersha

Message:

* Change to AttCert? format and AA WS interface and AttAuthority? class for DEWS *

New userId element in Attribute Certificates + getAttCert call to an AA can specify a

user ID to be set in the returned AC.

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac,
python/ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py,
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py,
python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py,
python/www/html/attAuthority.wsdl:
added userId to WSDL interface.

python/ndg.security.server/ndg/security/server/AttAuthority/init.py:

added userId to getAttCert method.
changed refs to proxyCert to holderCert because cert meay not be a proxy
changed call to AttCert?.getRoles to AttCert?.roles
changed refs to userDN to userId

python/ndg.security.common/ndg/security/common/XMLSec.py: "ns1" is not needed for
reference C14N unsuppressed prefixes.

python/ndg.security.common/ndg/security/common/X509.py: made 'serialize' and 'deserialize'
aliases to serialise and deserialise methods respectively.

python/ndg.security.common/ndg/security/common/AttCert.py:

made AttCert? namespace a configurable class variable
changed all get/set attribute methods to private methods used by new-style class

properties.

updated setitem to use appropriate set* methods.
fix to setIssuerSerialNumber ref to 'issuerSerialNumber' instead of 'serialNumber'

python/ndg.security.common/ndg/security/common/AttAuthority/init.py: AA WS client -
added userId as keyword to getAttCert.

python/ndg.security.common/ndg/security/common/CredWallet.py: replace AttCert?.getRoles()
calls with AttCert?.roles property

python/ndg.security.test/ndg/security/test/AttAuthority/siteAUserRoles.py,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBUserRoles.py:
swap refs to userDN with userId.

python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
added new test for where an explicit userId is set.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
added userId parameter.

python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py: added tests for
property get calls.

python/ndg.security.test/ndg/security/test/MyProxy/Makefile: include call to MyProxy?
test to get proxy cert and private key.

Location:

TI12-security/trunk/python

Files:

: 19 edited

ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py (modified) (4 diffs)
ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py (modified) (2 diffs)
ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (2 diffs)
ndg.security.common/ndg/security/common/AttCert.py (modified) (14 diffs)
ndg.security.common/ndg/security/common/CredWallet.py (modified) (2 diffs)
ndg.security.common/ndg/security/common/Gatekeeper/Gatekeeper.py (modified) (1 diff)
ndg.security.common/ndg/security/common/X509.py (modified) (2 diffs)
ndg.security.common/ndg/security/common/XMLSec.py (modified) (2 diffs)
ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py (modified) (2 diffs)
ndg.security.server/ndg/security/server/AttAuthority/__init__.py (modified) (18 diffs)
ndg.security.server/ndg/security/server/AttAuthority/server-config.tac (modified) (1 diff)
ndg.security.server/ndg/security/server/ca/server-config.tac (modified) (1 diff)
ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py (modified) (5 diffs)
ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg (modified) (1 diff)
ndg.security.test/ndg/security/test/AttAuthority/siteAUserRoles.py (modified) (1 diff)
ndg.security.test/ndg/security/test/AttAuthority/siteBUserRoles.py (modified) (1 diff)
ndg.security.test/ndg/security/test/AttCert/AttCertTest.py (modified) (2 diffs)
ndg.security.test/ndg/security/test/MyProxy/Makefile (modified) (1 diff)
www/html/attAuthority.wsdl (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py

-                      r2107
+                      r2178
         # no ws-addressing
     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cf460c>
     def getAttCert(self, userCert,userAttCert):
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cf48ac>
+    def getAttCert(self, userId,userCert,userAttCert):
         request = getAttCertInputMsg()
+        request._userId = userId
         request._userCert = userCert
         request._userAttCert = userAttCert
 …
         return attCert,msg
     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cf492c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cf4bcc>
     def getHostInfo(self):
 …
         return hostname,aaURI,loginURI
     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cfb2ac>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cfb56c>
     def getTrustedHostInfo(self, role):
 …
         return trustedHosts
     # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cfb42c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6cfb6ec>
     def getX509Cert(self):

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services_types.py

-                      r2085
+                      r2178
         def __init__(self, **kw):
             ns = ns0.getAttCert_Dec.schema
             TClist = [ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userAttCert", aname="_userAttCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
+            TClist = [ZSI.TC.String(pname="userId", aname="_userId", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userAttCert", aname="_userAttCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
             kw["pname"] = ("urn:ndg:security:attAuthority","getAttCert")
             kw["aname"] = "_getAttCert"
 …
                 def __init__(self):
                     # pyclass
+                    self._userId = None
                     self._userCert = None
                     self._userAttCert = None

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/init.py

-                      r2136
+                      r2178
     #_________________________________________________________________________
     def getAttCert(self, userCert=None, userAttCert=None):
+    def getAttCert(self, userId=None, userCert=None, userAttCert=None):
         """Request attribute certificate from NDG Attribute Authority Web
         Service.
+        @type userId: string
+        @keyword userId: DN of the X.509 certificate used in SOAP digital
+        signature corresponds to the *holder* of the Attribute Certificate
+        that is issued.  Set this additional field to specify an alternate
+        user ID to associate with the AC.  This is useful in the case where,
+        as in the DEWS project, the holder will be a server cert. rather than
+        a user proxy cert.
+        If this keword is omitted, userId in the AC will default to the same
+        value as the holder DN.
         @type userCert: string
 …
         try:
             sAttCert, msg = self.__srv.getAttCert(userCert, userAttCert)
+            sAttCert, msg = self.__srv.getAttCert(userId,userCert,userAttCert)
         except Exception, e:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py

-                      r2175
+                      r2178
 #_____________________________________________________________________________
 class AttCert(dict, XMLSecDoc):
+    """NDG Attribute Certificate (Authorisation or Access Token)."""
+    """NDG Attribute Certificate (Authorisation or Access Token).
+    @type __validProvenanceSettings: tuple
+    @cvar: string constants for allowable certificate provenance settings
+    @type namespace: string
+    @cvar namespace: namespace for Attribute Certificate"""
     __metaclass__ = _MetaAttCert
 …
     # certificate
     __validProvenanceSettings = ('original', 'mapped')
+    namespace = "urn:ndg.security"
     #_________________________________________________________________________
 …
         self.__holderDN = None
         self.setProvenance(provenance)
+        self.__setProvenance(provenance)
         # Certificate life time interval in seconds
 …
     #_________________________________________________________________________
     def __setitem__(self, key, item):
+        """Set an item from the __dat, __dat['validity'] or
+        __dat['attributes'] dictionaries.  This class behaves as data
+        """Set an item from the __dat dictionary.  This class behaves as data
         dictionary of Attribute Certificate properties
+        @type key: string
         @param key: name of key - key can be specified belonging to validity
         or the attributes sub dictionaries
+        @type item: string / int
         @param item: value to set dictionary item to
         """
 …
             # key recognised - check if setting provenance
             if key is "provenance":
                 self.setProvenance(item)
+            if key == "provenance":
+                self.__setProvenance(item)
+            elif key == "version":
+                self.__setVersion(item)
+            elif key == "holder":
+                self.__setHolder(item)
+            elif key == "issuer":
+                self.__setIssuer(item)
+            elif key == "issuerName":
+                self.__setIssuerName(item)
+            elif key == "issuerSerialNumber":
+                self.__setIssuerSerialNumber(item)
+            elif key == "userId":
+                self.__setUserId(item)
             elif key == "validity":
                 raise KeyError, "'%s': use setValidityTime method " % \
 …
                     key + "set list of role attributes"
             else:
+                self.__dat[key] = item
+                raise KeyError, "Key '%s' not recognised for %s'" % \
+                               (key, self.__class__.__name__)
         elif key in self.__dat['attributes'] or \
 …
     #_________________________________________________________________________
+    def __setIssuerName(self, issuerName):
+        """Set the name of the issuer"""
+        if not isinstance(issuerName, basestring):
+            raise AttributeError, "issuerName must be a string"
+        self.__dat['issuerName'] = issuerName
+    #_________________________________________________________________________
+    def __getIssuerName(self):
+        """@return the name of the issuer"""
+        return self.__dat['issuerName']
+    issuerName = property(fget=__getIssuerName,
+                          fset=__setIssuerName,
+                          doc="Certificate Issuer name")
+    #_________________________________________________________________________
+    def __setIssuerSerialNumber(self, serialNumber):
+        """@param serialNumber: the issuer serial number"""
+        if not isinstance(serialNumber, int):
+            raise AttributeError, "issuerSerialNumber must be an integer"
+        self.__dat['issuerSerialNumber'] = serialNumber
+    #_________________________________________________________________________
+    def __getIssuerSerialNumber(self):
+        """@return the issuer serial number"""
+        return self.__dat['issuerSerialNumber']
+    issuerSerialNumber = property(fget=__getIssuerSerialNumber,
+                                  fset=__setIssuerSerialNumber,
+                                  doc="Certificate Issuer Serial Number")
+    #_________________________________________________________________________
     def __setUserId(self, userId):
         """Set the name of the userId
 …
             raise AttributeError, "userId must be a string"
         self.__dat['userId'] = issuerName
+        self.__dat['userId'] = userId
     #_________________________________________________________________________
 …
     userId = property(fget=__getUserId,
                       fset=__setUserId,
+                      doc="Certificate Issuer DN")
+    #_________________________________________________________________________
+    def __setIssuerName(self, issuerName):
+        """Set the name of the issuer"""
+        if not isinstance(issuerName, basestring):
+            raise AttributeError, "issuerName must be a string"
+        self.__dat['issuerName'] = issuerName
+    #_________________________________________________________________________
+    def __getIssuerName(self):
+        """@return the name of the issuer"""
+        return self.__dat['issuerName']
+    issuerName = property(fget=__getIssuerName,
+                          fset=__setIssuerName,
+                          doc="Certificate Issuer name")
+    #_________________________________________________________________________
+    def __setIssuerSerialNumber(self, serialNumber):
+        """@param serialNumber: the issuer serial number"""
+        if not isinstance(issuerSerialNumber, int):
+            raise AttributeError, "issuerSerialNumber must be an integer"
+        self.__dat['issuerSerialNumber'] = serialNumber
+    #_________________________________________________________________________
+    def __getIssuerSerialNumber(self):
+        """@return the issuer serial number"""
+        return self.__dat['issuerSerialNumber']
+    issuerSerialNumber = property(fget=__getIssuerSerialNumber,
+                                  fset=__setIssuerSerialNumber,
+                                  doc="Certificate Issuer Serial Number")
+                      doc="Certificate user identifier")
     # Nb. no setValidityNotBefore/setValidityNotAfter methods - use
 …
             return self.__dat['validity']['notBefore']
+    validityNotBefore = property(fget=getValidityNotBefore,
+                                  doc="Validity not before time as a string")
     #_________________________________________________________________________
 …
             return self.__dat['validity']['notAfter']
+    #_________________________________________________________________________
+    def getRoleSet(self):
+        """@return the roleSet as a list of role dictionaries."""
+    validityNotAfter = property(fget=getValidityNotAfter,
+                                doc="Validity not after time as a string")
+    #_________________________________________________________________________
+    def __getRoleSet(self):
+        """@rtype: list of dict type
+        @return the roleSet as a list of role dictionaries."""
         return self.__dat['attributes']['roleSet']
+    #_________________________________________________________________________
+    def getRoles(self):
+    roleSet = property(fget=__getRoleSet,
+                       doc="Role set dictionary")
+    #_________________________________________________________________________
+    def __getRoles(self):
         """Return roles as a list
 …
         except:
             return []
+    #_________________________________________________________________________
+    def setProvenance(self, provenance):
+    roles = property(fget=__getRoles,
+                     doc="List of roles in Attribute Certificate")
+    #_________________________________________________________________________
+    def __setProvenance(self, provenance):
         """Set the provenance for the certificate: 'original' or 'mapped'.
 …
     #_________________________________________________________________________
     def getProvenance(self):
+    def __getProvenance(self):
         """Get the provenance for the certificate.
         @return provenance of certificate mapped or original"""
         return self.__dat['provenance']
+    provenance = property(fget=__getProvenance,
+                          fset=__setProvenance,
+                          doc="Provenance of the cert. - original or mapped")
     #_________________________________________________________________________
 …
         # Create string of all XML content
+        xmlTxt = """<attributeCertificate targetNamespace="urn:ndg:security">
+        xmlTxt = '<attributeCertificate targetNamespace="%s">' % \
+                                                self.__class__.namespace + \
+"""
     <acInfo>
         <version>""" + self.__dat['version'] + """</version>

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

-                      r2165
+                      r2178
                     if hostName in trustedHostInfo and attCert.isOriginal():
                         for role in attCert.getRoles():
+                        for role in attCert.roles:
                             if role in trustedHostInfo[hostName]['role']:
                                 extAttCertList.append(attCert)
 …
                             # Check the certificate contains at least one of
                             # the required roles
                             roles = extAttCert.getRoles()
                             if [True for r in roles if r in info['role']]:
+                            if [True for r in extAttCert.roles \
+                                if r in info['role']]:
                                extAttCertList.append(extAttCert)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/Gatekeeper/Gatekeeper.py

-                      r2058
+                      r2178
             try:
                 input.isValid(raiseExcep=True,
                             certFilePathList=self.__prop['caCertFilePath'])
+                              certFilePathList=self.__prop['caCertFilePath'])
             except Exception, e:
                 raise GatekeeperError, "Access denied for input: %s" % str(e)
             return input.getRoles()
+            return input.roles
         else:
             raise GatekeeperError("Input must be a role, role list or " + \

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

-                      r2072
+                      r2178
         return sDN
+    serialize = serialise
     def deserialise(self, dn, separator=None):
 …
                               (dn, str(excep)))
+    deserialize = deserialise
     def parseSeparator(self, dn):

TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py

-                      r2136
+                      r2178
                         xmlTxt=None,
                         inclX509Cert=True,
                         refC14nKw={'unsuppressedPrefixes': ['xmlns', 'ns1']},
+                        refC14nKw={'unsuppressedPrefixes': ['xmlns']},
                         signedInfoC14nKw={'unsuppressedPrefixes': ['ds']}):
 …
         parentNode.setAttributeNS(XMLNS.BASE, 'xmlns:%s' % 'ds', DSIG.BASE)
+        parentNode.setAttributeNS(XMLNS.BASE, 'xmlns:%s'%'ec', DSIG.C14N_EXCL)
+        # Serialize and re-parse prior to reference generation - calculating
+        # canonicalization based on soapWriter.dom.node seems to give an
+        # error: the order of wsu:Id attribute is not correct
+        #docNode = Reader().fromString(str(soapWriter))
+        parentNode.setAttributeNS(XMLNS.BASE,'xmlns:%s' % 'ec',DSIG.C14N_EXCL)
         # Namespaces for XPath searches

TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/AttAuthority_services_server.py

-                      r2107
+                      r2178
         <xsd:complexType>
           <xsd:sequence>
+            <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userId\" type=\"xsd:string\"/>
             <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userCert\" type=\"xsd:string\"/>
             <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userAttCert\" type=\"xsd:string\"/>
 …
     def soap_getAttCert(self, ps):
         self.request = ps.Parse(getAttCertInputMsg.typecode)
         parameters = (self.request._userCert, self.request._userAttCert)
         # If we have an implementation object use it
         if hasattr(self,'impl'):
             parameters = self.impl.getAttCert(parameters[0],parameters[1])
+        parameters = (self.request._userId, self.request._userCert, self.request._userAttCert)
+        # If we have an implementation object use it
+        if hasattr(self,'impl'):
+            parameters = self.impl.getAttCert(parameters[0],parameters[1],parameters[2])
         result = getAttCertOutputMsg()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/init.py

-                      r2136
+                      r2178
     #_________________________________________________________________________
     def getAttCert(self,
+                   proxyCert=None,
+                   proxyCertFilePath=None,
+                   userId=None,
+                   holderCert=None,
+                   holderCertFilePath=None,
                    userAttCert=None,
                    userAttCertFilePath=None):
 …
         """Request a new Attribute Certificate for use in authorisation
         getAttCert([proxyCert=px|proxyCertFilePath=pxFile, ]
+        getAttCert([userId=uid][holderCert=px|holderCertFilePath=pxFile, ]
                    [userAttCert=cert|userAttCertFilePath=certFile])
+        @type proxyCert: string / ndg.security.common.X509.X509Cert type
+        @keyword proxyCert: base64 encoded string containing user proxy cert./
+        X.509 cert object
+        @keyword proxyCertFilePath: string
+        @param proxyCertFilePath: file path to proxy certificate.
+        @type userId: string
+        @keyword userId: identifier for the user who is entitled to the roles
+        in the certificate that is issued.  If this keyword is omitted, then
+        the userId will be set to the DN of the holder.
+        holder = the holder of the certificate - an inidividual user or an
+        organisation to which the user belongs who vouches for that user's ID
+        userId = the identifier for the user who is entitled to the roles
+        specified in the Attribute Certificate that is issued.
+        @type holderCert: string / ndg.security.common.X509.X509Cert type
+        @keyword holderCert: base64 encoded string containing proxy cert./
+        X.509 cert object corresponding to the ID who will be the HOLDER of
+        the Attribute Certificate that will be issued.  - Normally, using
+        proxy certificates, the holder and user ID are the same but there
+        may be cases where the holder will be an organisation ID.  This is the
+        case for NDG security with the DEWS project
+        @keyword holderCertFilePath: string
+        @param holderCertFilePath: file path to proxy/X.509 certificate of
+        candidate holder
         @type userAttCert: string or AttCert type
 …
         # Read proxy certificate
+        # Read X.509 certificate
         try:
             if proxyCertFilePath is not None:
+            if holderCertFilePath is not None:
                 # Proxy Certificate input as a file
                 userProxyCert = X509Cert()
                 userProxyCert.read(proxyCertFilePath)
             elif isinstance(proxyCert, basestring):
+                holderCert = X509Cert()
+                holderCert.read(holderCertFilePath)
+            elif isinstance(holderCert, basestring):
                 # Proxy Certificate input as string text
+                userProxyCert = X509Cert()
+                userProxyCert.parse(proxyCert)
+            elif isinstance(proxyCert, X509Cert):
+                # Proxy is an NDG X509Cert type
+                userProxyCert = proxyCert
+            else:
+                holderCert = X509CertParse(holderCert)
+            elif not isinstance(holderCert, X509Cert):
                 raise AttAuthorityError, \
                 "No input proxy certificate file path or cert text/object set"
+                "No input X.509 certificate file path or cert text/object set"
         except Exception, e:
 …
         # Check proxy certificate hasn't expired
         try:
             userProxyCert.isValidTime(raiseExcep=True)
+            holderCert.isValidTime(raiseExcep=True)
         except Exception, e:
 …
         # Get Distinguished name from certificate as an X500DN type
+        userDN = userProxyCert.dn
+        if userId is None:
+            try:
+                userId = holderCert.dn.serialise(\
+                                         separator=self.__prop['dnSeparator'])
+            except Exception, e:
+                raise AttAuthorityError, \
+                    "Setting user Id from holder certificate DN: %s" % e
         # Make a new Attribute Certificate instance passing in certificate
 …
         try:
             attCert['holder'] = \
+                        userDN.serialise(separator=self.__prop['dnSeparator'])
+        except Exception, e:
+            raise AttAuthorityError, "User DN: %s" % e
+                holderCert.dn.serialise(separator=self.__prop['dnSeparator'])
+        except Exception, e:
+            raise AttAuthorityError, "Holder DN: %s" % e
 …
         try:
             attCert['issuer'] = \
+                    issuerDN.serialise(separator=self.__prop['dnSeparator'])
+                    issuerDN.serialise(separator=self.__prop['dnSeparator'])
         except Exception, e:
             raise AttAuthorityError, "Issuer DN: %s" % e
 …
         attCert['issuerSerialNumber'] = self.__issuerSerialNumber
+        attCert['userId'] = userId
         # Set validity time
         try:
 …
             # Check against the proxy certificate's expiry
             dtUsrProxyNotAfter = userProxyCert.notAfter
+            dtHolderCertNotAfter = holderCert.notAfter
             if attCert.getValidityNotAfter(asDatetime=True) > \
                dtUsrProxyNotAfter:
+               dtHolderCertNotAfter:
                 # Adjust the attribute certificate's expiry date time
 …
                 # ... but also make ensure that the not before skew is still
                 # applied
                 attCert.setValidityTime(dtNotAfter=dtUsrProxyNotAfter,
+                attCert.setValidityTime(dtNotAfter=dtHolderCertNotAfter,
                         notBeforeOffset=self.__prop['attCertNotBeforeOff'])
 …
         # Check name is registered with this Attribute Authority - if no
         # user roles are found, the user is not registered
         userRoles = self.getRoles(str(userDN))
+        userRoles = self.getRoles(userId)
         if userRoles:
             # Set as an Original Certificate
 …
+            # Check that's it's holder matches the user certificate DN
+            try:
+                holderDN = X500DN(dn=userAttCert['holder'])
+            except Exception, e:
+                raise AttAuthorityError, \
+                                    "Error creating X500DN for holder: %s" + e
+            if holderDN != userDN:
+            # Check that's it's holder matches the candidate holder
+            # certificate DN
+            if userAttCert.holderDN != holderCert.dn:
                 raise AttAuthorityError, \
                     "User certificate and Attribute Certificate DNs " + \
+                    "don't match: %s and %s" % (userDN, holderDN)
+                    'don\'t match: "%s" and "%s"' % (holderCert.dn,
+                                                     userAttCert.holderDN)
             # Get roles from external Attribute Certificate
             trustedHostRoles = userAttCert.getRoles()
+            trustedHostRoles = userAttCert.roles
 …
             # Mark new Attribute Certificate as mapped
             attCert['provenance'] = AttCert.mappedProvenance
+            attCert.provenance = AttCert.mappedProvenance
             # End set mapped certificate block
 …
     #_________________________________________________________________________
     def userIsRegistered(self, userDN):
+    def userIsRegistered(self, userId):
         """Check a particular user is registered with the Data Centre that the
         Attribute Authority represents
 …
         Nb. this method is not used internally by AttAuthority class
         @type userDN: string
         @param userDN: user Distinguished Name
+        @type userId: string
+        @param userId: user identity - could be a X500 Distinguished Name
         @rtype: bool
         @return: True if user is registered, False otherwise"""
         return self.__userRoles.userIsRegistered(userDN)
+        return self.__userRoles.userIsRegistered(userId)
     #_________________________________________________________________________
     def getRoles(self, dn):
         """Get the roles available to the registered user identified userDN.
+    def getRoles(self, userId):
+        """Get the roles available to the registered user identified userId.
         @type dn: string
         @param dn: user Distinguished Name
         @return: list of roles for the given user DN"""
+        @param dn: user identifier - could be a X500 Distinguished Name
+        @return: list of roles for the given user ID"""
         # Call to AAUserRoles derived class.  Each Attribute Authority
 …
         # define how roles are accessed
         try:
             return self.__userRoles.getRoles(dn)
+            return self.__userRoles.getRoles(userId)
         except Exception, e:
 …
     def userIsRegistered(self, dn):
+    def userIsRegistered(self, userId):
         """Derived method should return True if user is known otherwise
         False
 …
         to be implemented in a derived class.
         @type dn: string
         @param dn: user Distinguished Name to look up.
+        @type userId: string
+        @param userId: user Distinguished Name to look up.
         @rtype: bool
         @return: True if user is registered, False otherwise"""
         raise NotImplementedError, \
             self.UserIsRegistered.__doc__.replace('\n       ','')
     def getRoles(self, dn):
+            self.userIsRegistered.__doc__.replace('\n       ','')
+    def getRoles(self, userId):
         """Derived method should return the roles for the given user's
         DN or else raise an exception
         @type dn: string
         @param dn: user Distinguished Name
+        Id or else raise an exception
+        @type userId: string
+        @param userId: user identity e.g. user Distinguished Name
         @rtype: list
         @return: list of roles for the given user DN"""
+        @return: list of roles for the given user ID"""
         raise NotImplementedError, \
             self.getRoles.__doc__.replace('\n       ','')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac

-                      r2136
+                      r2178
         # Get certificate corresponding to private key that signed the
         # message - i.e. the user's proxy
         proxyCert = WSSecurityHandler.signatureHandler.verifyingCert
+        holderCert = WSSecurityHandler.signatureHandler.verifyingCert
         try:
+                attCert = self.aa.getAttCert(proxyCert=proxyCert,
+                attCert = self.aa.getAttCert(userId=request.UserId,
+                                                                         holderCert=holderCert,
                                                                          userAttCert=request.UserAttCert)
                 response.AttCert = attCert.toString()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/server-config.tac

r2153	r2178
1	1	#!/usr/bin/env python
2		"""NDG Security ~~Session Manager~~ .tac file
	2	"""NDG Security Certificate Authority .tac file
3	3
4	4	This file enables the Session Manager web service to be

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

-                      r2085
+                      r2178
         attCert.filePath = self.cfg['test5GetAttCert']['attcertfilepath']
         attCert.write()
+    def test6GetAttCertWithUserIdSet(self):
+        """test6GetAttCertWithUserIdSet: Request attribute certificate from
+        NDG Attribute Authority Web Service setting a specific user Id
+        independent of the signer of the SOAP request."""
+        # Read user Certificate into a string ready for passing via WS
+        try:
+            userCertFilePath = \
+    self.cfg['test6GetAttCertWithUserIdSet'].get('issuingusercertfilepath')
+            userCertTxt = open(userCertFilePath, 'r').read()
+        except TypeError:
+            # No issuing cert set
+            userCertTxt = None
+        except IOError, ioErr:
+            raise "Error reading certificate file \"%s\": %s" % \
+                                    (ioErr.filename, ioErr.strerror)
+        # Make attribute certificate request
+        userId = self.cfg['test6GetAttCertWithUserIdSet']['userid']
+        attCert = self.clnt.getAttCert(userId=userId,
+                                       userCert=userCertTxt)
+        print "Attribute Certificate: \n\n:" + str(attCert)
+        attCert.filePath = self.cfg['test5GetAttCert']['attcertfilepath']
+        attCert.write()
     def test6GetMappedAttCert(self):
         """test6GetMappedAttCert: Request mapped attribute certificate from
+    def test7GetMappedAttCert(self):
+        """test7GetMappedAttCert: Request mapped attribute certificate from
         NDG Attribute Authority Web Service."""
 …
         try:
             userCertFilePath = \
             self.cfg['test6GetMappedAttCert'].get('issuingusercertfilepath')
+            self.cfg['test7GetMappedAttCert'].get('issuingusercertfilepath')
             userCertTxt = open(userCertFilePath, 'r').read()
 …
         try:
             userAttCert = AttCertRead(\
                 self.cfg['test6GetMappedAttCert']['userattcertfilepath'])
+                self.cfg['test7GetMappedAttCert']['userattcertfilepath'])
         except IOError, ioErr:
 …
         # Make client to site B Attribute Authority
         clnt = AttAuthorityClient(
 uri=self.cfg['test6GetMappedAttCert']['uri'],
 signingCertFilePath=self.cfg['test6GetMappedAttCert']['usercertfilepath'],
 signingPriKeyFilePath=self.cfg['test6GetMappedAttCert']['userprikeyfilepath'],
+uri=self.cfg['test7GetMappedAttCert']['uri'],
+signingCertFilePath=self.cfg['test7GetMappedAttCert']['usercertfilepath'],
+signingPriKeyFilePath=self.cfg['test7GetMappedAttCert']['userprikeyfilepath'],
 tracefile=sys.stderr)
 …
                     "test4GetTrustedHostInfoWithNoRole",
                     "test5GetAttCert",
+                    "test6GetMappedAttCert",
+                    "test6GetAttCertWithUserIdSet",
+                    "test7GetMappedAttCert",
                   ))
         unittest.TestSuite.__init__(self, map)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

-                      r2170
+                      r2178
 attCertFilePath = ./ac.xml
+[test6GetMappedAttCert]
+[test6GetAttCertWithUserIdSet]
+userId = userWhoIsEntitledToTheRolesInThisCert
+[test7GetMappedAttCert]
 userprikeypwd =
 usercertfilepath = ./proxy-cert.pem

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAUserRoles.py

-                      r2051
+                      r2178
     def userIsRegistered(self, dn):
+    def userIsRegistered(self, userId):
         return True
     def getRoles(self, dn):
+    def getRoles(self, userId):
         return ['staff', 'postdoc', 'undergrad']

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteBUserRoles.py

-                      r2051
+                      r2178
     def userIsRegistered(self, dn):
+    def userIsRegistered(self, userId):
         return False
     def getRoles(self, dn):
+    def getRoles(self, userId):
         # Make so that Site B never returns any roles - the only way to
         # get an Attribute Certificate is then through the role mapping

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py

-                      r1970
+                      r2178
         self.attCert.addRoles('atsr')
         print "test6AddRoles: " + ', '.join(self.attCert.getRoles())
+        print "test6AddRoles: " + ', '.join(self.attCert.roles)
+    def test6aDictSet(self):
+        'test6aDictSet: test __setitem__'
+    def test6aSet(self):
+        'test6aSet: test __setitem__ and property methods'
+        self.attCert.version = "1.0"
         self.attCert['issuer'] = '/O=NDG/OU=BADC/CN=Attribute Authority'
         self.attCert['issuerName'] = 'BADC'
+        self.attCert['holder'] = '/O=NDG/OU=BADC/CN=pjkershaw'
+        self.attCert.issuerSerialNumber = 1234
+        self.attCert['holder'] = '/O=NDG/OU=BADC/CN=server.cert.ac.uk'
+        self.attCert.userId = '/O=NDG/OU=BADC/CN=pjkershaw'
         try:
             self.attCert['validity'] = 'invalid'
         except KeyError, e:
             print "test6aDictSet: PASSED - %s" % e
+            print "test6aSet: PASSED - %s" % e
         try:
             self.attCert['attributes'] = 'roleSet'
         except KeyError, e:
             print "test6aDictSet: PASSED - %s" % e
+            print "test6aSet: PASSED - %s" % e
         try:
             self.attCert['attributes']['roleSet'] = ['role1', 'role2']
         except KeyError, e:
+            print "test6aDictSet: PASSED - %s" % e
+    def test6bDictGet(self):
+        'test6bDictGet: test __getitem__'
+        print "test6bDictGet ..."
+        print self.test2SetProvenance()
+        print self.test4SetValidityTime()
+        print self.test6AddRoles()
+        print self.test6aDictSet()
+        print self.attCert['issuer']
+        print self.attCert['holder']
+        print self.attCert['validity']
+        print self.attCert['attributes']
+        print self.attCert['attributes']['roleSet']
+            print "test6aSet: PASSED - %s" % e
+    def test6bGet(self):
+        'test6bGet: test __getitem__ and property methods'
+        print "test6bGet ..."
+        self.test2SetProvenance()
+        self.test4SetValidityTime()
+        self.test6AddRoles()
+        self.test6aSet()
+        print "self.attCert['version'] = %s" % self.attCert['version']
+        print "self.attCert.version = %s" % self.attCert.version
+        print "self.attCert['issuer'] = %s" % self.attCert['issuer']
+        print "self.attCert.issuer = %s" % self.attCert.issuer
+        print "self.attCert.issuerDN = %s" % self.attCert.issuerDN
+        print "self.attCert['issuerName'] = %s" % self.attCert['issuerName']
+        print "self.attCert.issuerName = %s" % self.attCert.issuerName
+        print "self.attCert['issuerSerialNumber'] = %s" % \
+                                            self.attCert['issuerSerialNumber']
+        print "self.attCert.issuerSerialNumber = %s" % \
+                                            self.attCert.issuerSerialNumber
+        print "self.attCert['holder'] = %s" % self.attCert['holder']
+        print "self.attCert.holder = %s" % self.attCert.holder
+        print "self.attCert.holderDN = %s" % self.attCert.holderDN
+        print "self.attCert['userId'] = %s" % self.attCert['userId']
+        print "self.attCert.userId = %s" % self.attCert.userId
+        print "self.attCert['validity'] = %s" % self.attCert['validity']
+        print "self.attCert.validityNotBefore = %s" % \
+                                                self.attCert.validityNotBefore
+        print "self.attCert.validityNotAfter = %s" % \
+                                                self.attCert.validityNotAfter
+        print "self.attCert.getValidityNotBefore(asDatetime=True) = %s" % \
+                            self.attCert.getValidityNotBefore(asDatetime=True)
+        print "self.attCert.getValidityNotAfter(asDatetime=True) = %s" % \
+                            self.attCert.getValidityNotAfter(asDatetime=True)
+        print "self.attCert['attributes'] = %s" % self.attCert['attributes']
+        print "self.attCert['attributes']['roleSet'] %s: " % \
+                                        self.attCert['attributes']['roleSet']
+        print "self.attCert.roleSet = %s" % self.attCert.roleSet
+        print "self.attCert.roles = %s" % self.attCert.roles
     def test7CreateXML(self):
 …
         self.test5SetDefaultValidityTime()
         self.test6AddRoles()
         self.test6aDictSet()
+        self.test6aSet()
         self.attCert.filePath = self.cfg['test9Sign']['filepath']

TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/Makefile

r2085	r2178
16	16	initAttAuthorityClientUnittest: ${PROXYFILES}
17	17	@echo Set-up AttAuthority unit test by copying proxy file output from this test...
	18	./MyProxyClientTest.py MyProxyClientTestCase.test2GetDelegation
18	19	cp ${PROXYFILES} ../AttAuthority

TI12-security/trunk/python/www/html/attAuthority.wsdl

r2107	r2178
25	25	<xsd:complexType>
26	26	<xsd:sequence>
	27	<xsd:element name="userId" type="xsd:string" minOccurs="0" maxOccurs="1"/>
27	28	<xsd:element name="userCert" type="xsd:string" minOccurs="0" maxOccurs="1"/>
28	29	<xsd:element name="userAttCert" type="xsd:string" minOccurs="0" maxOccurs="1"/>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2178 for TI12-security

Legend:

Download in other formats: