Changeset 2289


Timestamp:
16/03/07 13:47:56 (12 years ago)
Author:
pjkersha
Message:

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
modified soap_getAttCert to allow for unsigned client messages. If the
useSignatureHandler flag is not set, then the certificate passed in to
AttAuthority.getAttCert is the userCert element of the SOAP message.

This is a useful capability if both client and service are behind a firewall
and message security is not required.

python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py,
python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml:
added useSignatureHandler element to list of elements in the properties file.
If this is not set, then the service will not apply signature or signature
verification to messages.

python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
use dictionary get() rather than [key] for signature keywords. This enables
them to be omitted in the config file so as to switch off the signature handler.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: experimented with omitting signature PKI settings.

python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml:
set serverCNprefix element to host/ for this MyProxy installation's server cert.

python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg:
altered for account on this machine.

python/ndg.security.common/setup.py: slight change to Python 2.5 check for
ElementTree inclusion

python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py:
SignatureHandler is now optional. It's left as None if none of the signature
keywords are set via __init__. It can be set later as the signatureHandler
property now has set capability enabled.

Location:
TI12-security/trunk/python
Files:
11 edited

  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

    r2178 r2289  
    6363            self.__setURI(uri) 
    6464 
    65         # WS-Security Signature handler 
    66         self.__signatureHandler = SignatureHandler(**signatureHandlerKw) 
     65        # WS-Security Signature handler - set only if any of the keywords were set 
     66        if max(signatureHandlerKw.values()): 
     67            self.__signatureHandler = SignatureHandler(**signatureHandlerKw) 
     68        else: 
     69            self.__signatureHandler = None 
    6770            
    6871        self.__tracefile = tracefile 
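Review bot: `max(signatureHandlerKw.values())` at line 66 is an indirect way to ask "is any keyword set", and it raises `ValueError` if `signatureHandlerKw` is ever empty, which is precisely the caller that passes no signature keywords at all; it also relies on Python 2 ordering `None` below strings to pick a set value as the maximum. Test for a truthy value directly, for example `if filter(None, signatureHandlerKw.values()):`, which also runs on the Python 2.4 that setup.py still supports (`any()` only arrives in 2.5).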
     
    8790 
    8891    #_________________________________________________________________________ 
     92    def __setSignatureHandler(self, signatureHandler): 
     93        """Set SignatureHandler object property method - set to None to for no 
     94        digital signature and verification""" 
     95        if signatureHandler is not None and \ 
     96           not isinstance(signatureHandler, signatureHandler): 
     97            raise AttributeError, \ 
     98    "Signature Handler must be %s type or None for no message security" % \ 
     99        "ndg.security.common.wsSecurity.SignatureHandler" 
     100                             
     101        self.__signatureHandler = signatureHandler 
     102     
     103 
     104    #_________________________________________________________________________ 
    89105    def __getSignatureHandler(self): 
    90106        "Get SignatureHandler object property method" 
     
    92108     
    93109    signatureHandler = property(fget=__getSignatureHandler, 
     110                                fset=__setSignatureHandler, 
    94111                                doc="SignatureHandler object") 
    95112 
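Review bot: the `isinstance` check at line 96 passes the argument itself, `signatureHandler`, as the second parameter instead of the `SignatureHandler` class, so for any non-None value `isinstance()` raises `TypeError` (arg 2 must be a class, type or tuple) and the new setter can never accept a handler; it should read `not isinstance(signatureHandler, SignatureHandler)`. Since that is a type error rather than a missing attribute, `TypeError` would also be the more conventional exception than the `AttributeError` raised at line 97. The docstring at lines 93-94 has a stray word ("set to None to for no").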
  • TI12-security/trunk/python/ndg.security.common/setup.py

    r2286 r2289  
    4444 
    4545# Python 2.5 includes ElementTree by default 
    46 if sys.version_info[0:2] <= (2, 4): 
     46if sys.version_info[0:2] < (2, 5): 
    4747    _pkgDependencies += ['ElementTree', 'cElementTree'] 
    4848 
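Review bot: `sys.version_info[0:2] < (2, 5)` at line 46 is equivalent to the old `<= (2, 4)` for a two-element tuple, so this is a readability change only; the new form reads directly against the comment on line 45, which is fine.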
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r2270 r2289  
    8888                    'sslKeyFile', 
    8989                    'sslKeyPwd', 
     90                    'useSignatureHandler', 
    9091                    'certFile', 
    9192                    'keyFile', 
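Review bot: adding `'useSignatureHandler'` to the list of recognised property elements at line 90 is what lets `srv.aa['useSignatureHandler']` resolve, but the hunk does not show what happens when an existing properties file omits the element: if the reader requires every listed element, older deployments fail to start, and if it does not, the lookup in server-config.tac raises `KeyError` on the first request. Whichever applies, a missing element should keep the previous behaviour (signatures on) or fail loudly at start-up, never silently fall back to unsigned operation; say which in the element's documentation.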
     
    348349            if holderCertFilePath is not None: 
    349350                                     
    350                 # Proxy Certificate input as a file  
     351                # Certificate input as a file  
    351352                holderCert = X509Cert() 
    352353                holderCert.read(holderCertFilePath) 
     
    354355            elif isinstance(holderCert, basestring): 
    355356 
    356                 # Proxy Certificate input as string text 
     357                # Certificate input as string text 
    357358                holderCert = X509CertParse(holderCert) 
    358359                 
     
    365366 
    366367 
    367         # Check proxy certificate hasn't expired 
     368        # Check certificate hasn't expired 
    368369        try: 
    369370            holderCert.isValidTime(raiseExcep=True) 
     
    563564        @keyword propFilePath: file path to properties file 
    564565        """ 
    565  
    566566 
    567567        try: 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac

    r2251 r2289  
    4949        request, response = AttAuthorityService.soap_getAttCert(self, ps) 
    5050         
    51         # Get certificate corresponding to private key that signed the 
    52         # message - i.e. the user's proxy 
    53         holderCert = WSSecurityHandler.signatureHandler.verifyingCert 
    54          
     51        # Derive designated holder cert differently according to whether 
     52        # a signed message is expected from the client 
     53        if srv.aa['useSignatureHandler']: 
     54            # Get certificate corresponding to private key that signed the 
     55            # message - i.e. the user's proxy 
     56            holderCert = WSSecurityHandler.signatureHandler.verifyingCert 
     57        else: 
     58            # No signature from client - they must instead provide the 
     59            # designated holder cert via the UserCert input 
     60            holderCert = request.UserCert 
     61             
    5562        try:     
    5663                attCert = self.aa.getAttCert(userId=request.UserId, 
    57                                                                         holderCert=holderCert, 
    58                                                                          userAttCert=request.UserAttCert)                                                           
     64                                            holderCert=holderCert, 
     65                                             userAttCert=request.UserAttCert)   
    5966                response.AttCert = attCert.toString() 
    6067                 
    6168        except AttAuthorityAccessDenied, e: 
    62                         response.Msg = str(e) 
     69            response.Msg = str(e) 
    6370                         
    6471        return request, response 
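Review bot: in the `else` branch at line 60 the holder certificate is taken straight from `request.UserCert`, so the service no longer has any evidence that the caller controls the private key for the certificate it is about to issue an attribute certificate for; the commit message restricts this mode to deployments where both client and service sit behind a firewall, and that trust assumption belongs in the comment at lines 58-59, because anyone who can reach the endpoint can name any holder certificate. Also guard the branch: a client that sends no `UserCert` leaves `holderCert` as `None`, and `self.aa.getAttCert` then fails later with a less useful error, so reject that case up front with a `response.Msg` as done for `AttAuthorityAccessDenied`. Minor: line 53 reads the flag through the module global `srv.aa` while line 63 uses `self.aa`; pick one.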
     
    7784    def soap_getTrustedHostInfo(self, ps, **kw): 
    7885        request, response = \ 
    79                                         AttAuthorityService.soap_getTrustedHostInfo(self, ps) 
     86                    AttAuthorityService.soap_getTrustedHostInfo(self, ps) 
    8087         
    8188        trustedHostInfo = srv.aa.getTrustedHostInfo(role=request.Role) 
     
    8491        trustedHosts = [] 
    8592        for hostname, hostInfo in trustedHostInfo.items(): 
    86                         trustedHost = response.new_trustedHosts() 
     93            trustedHost = response.new_trustedHosts() 
    8794                         
    88                         trustedHost.Hostname = hostname 
    89                         trustedHost.AaURI = hostInfo['aaURI'] 
    90                         trustedHost.LoginURI = hostInfo['loginURI'] 
    91                         trustedHost.RoleList = hostInfo['role'] 
     95            trustedHost.Hostname = hostname 
     96            trustedHost.AaURI = hostInfo['aaURI'] 
     97            trustedHost.LoginURI = hostInfo['loginURI'] 
     98            trustedHost.RoleList = hostInfo['role'] 
    9299                         
    93                         trustedHosts.append(trustedHost) 
     100            trustedHosts.append(trustedHost) 
    94101                         
    95102        response.TrustedHosts = trustedHosts 
     
    111118srv = AttAuthorityServiceSub() 
    112119 
    113  
    114 # Initialise WS-Security signature handler passing Attribute Authority 
    115 # public and private keys 
    116 WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    117                                                                 verifyingCertFilePath=srv.aa['clntCertFile'], 
    118                                 signingCertFilePath=srv.aa['certFile'], 
    119                                 signingPriKeyFilePath=srv.aa['keyFile'], 
    120                                 signingPriKeyPwd=srv.aa['keyPwd']) 
     120if srv.aa['useSignatureHandler']: 
     121    # Initialise WS-Security signature handler passing Attribute Authority 
     122    # public and private keys 
     123    WSSecurityHandler.signatureHandler = SignatureHandler(\ 
     124                                    verifyingCertFilePath=srv.aa['clntCertFile'], 
     125                                    signingCertFilePath=srv.aa['certFile'], 
     126                                    signingPriKeyFilePath=srv.aa['keyFile'], 
     127                                    signingPriKeyPwd=srv.aa['keyPwd']) 
    121128 
    122129# Add Service to Attribute Authority branch 
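Review bot: when `useSignatureHandler` is blank, `WSSecurityHandler.signatureHandler` is now never assigned, but the hunk does not show `WSSecurityHandler` being taken out of the service's handler chain; if it is still registered, every request will raise `AttributeError` as soon as the handler dereferences `signatureHandler`. Either add an `else:` that sets it to `None` explicitly and make the handler a no-op for `None`, or show where the handler is dropped from the chain when the flag is off.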
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml

    r2251 r2289  
    1717    PKI settings for signature of outbound SOAP messages 
    1818    --> 
     19    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    1920    <certFile></certFile> 
    2021    <keyFile></keyFile> 
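Review bot: the comment at line 19, "leave blank for no signature", describes the only way to turn signing off: server-config.tac tests the value for truthiness as a string, so `No` or `False` still enables the signature handler. Spell that out in the comment (any non-empty value enables signing; leave the element empty to disable it) or, better, parse the value explicitly so that an operator's `No` means what it says.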
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2287 r2289  
    4848        # Instantiate WS proxy 
    4949        self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'], 
    50                signingCertFilePath=self.cfg['setUp']['usercertfilepath'], 
    51                signingPriKeyFilePath=self.cfg['setUp']['userprikeyfilepath'], 
     50               signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'), 
     51               signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'), 
    5252               signingPriKeyPwd=self.userPriKeyPwd, 
    5353               tracefile=sys.stderr) 
     
    9797            raise "Error reading certificate file \"%s\": %s" % \ 
    9898                                    (ioErr.filename, ioErr.strerror) 
     99        import pdb;pdb.set_trace() 
    99100 
    100101        # Make attribute certificate request 
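Review bot: line 99 adds `import pdb;pdb.set_trace()`, a debugger breakpoint, to the test; it stops any unattended run of this test waiting on stdin and must not be committed. Remove it before merging.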
     
    168169                            prompt="\nsetUp - client private key password: ") 
    169170            else: 
    170                 userPriKeyPwd = self.cfg['setUp'].get('userprikeypwd') 
     171                userPriKeyPwd = \ 
     172                        self.cfg['test7GetMappedAttCert'].get('userprikeypwd') 
    171173        except KeyboardInterrupt: 
    172174            sys.exit(0) 
    173175        
    174         # Make client to site B Attribute Authority     
     176        # Make client to site B Attribute Authority 
    175177        clnt = AttAuthorityClient( 
    176178uri=self.cfg['test7GetMappedAttCert']['uri'],  
    177 signingCertFilePath=self.cfg['test7GetMappedAttCert']['usercertfilepath'], 
    178 signingPriKeyFilePath=self.cfg['test7GetMappedAttCert']['userprikeyfilepath'], 
     179signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('usercertfilepath'), 
     180signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('userprikeyfilepath'), 
    179181signingPriKeyPwd=userPriKeyPwd, 
    180182tracefile=sys.stderr) 
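Review bot: besides the `.get()` change the commit message describes, lines 171-172 move the `userprikeypwd` lookup from `self.cfg['setUp']` to `self.cfg['test7GetMappedAttCert']`, so the site B client now takes its password from its own config section; that looks intentional, since the same section already supplies the cert and key paths at lines 179-180, but it is a behaviour change worth a line in the commit message.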
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2287 r2289  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 #uri = http://localhost:5000/AttributeAuthority 
     12uri = http://localhost:5000/AttributeAuthority 
    1313#uri = https://localhost:5000/AttributeAuthority 
    14 uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
     14#uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
     15#uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
    1516 
    1617# X.509 certificate for Attribute Authority - to verify the signature of 
     
    2021# Password protecting client private key - if omitted it will be prompted for 
    2122# from tty 
    22 userprikeypwd =  
    23 usercertfilepath = ./proxy-cert.pem 
    24 userprikeyfilepath = ./proxy-key.pem 
     23#userprikeypwd =  
     24#usercertfilepath = ./proxy-cert.pem 
     25#userprikeyfilepath = ./proxy-key.pem 
    2526 
    2627[test3GetTrustedHostInfo] 
     
    3334# proxy.  Comment out if usercertfilepath is a standard X.509 cert. 
    3435#issuingusercertfilepath = ./user-cert.pem 
     36 
     37# Test with no digital signature applied 
     38issuingusercertfilepath = ./proxy-cert.pem 
    3539# Setup for use by testGetMappedAttCert test 
    3640attCertFilePath = ./ac.xml 
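Review bot: line 38 sets `issuingusercertfilepath` to `./proxy-cert.pem`, the same file the (now commented-out) `usercertfilepath` pointed at, whereas the comment at lines 33-34 describes this setting as the certificate that issued the proxy, previously `./user-cert.pem`. If pointing it at the proxy itself is what the unsigned test needs, say so in the "Test with no digital signature applied" comment; otherwise this looks like it should remain `./user-cert.pem`.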
     
    4044 
    4145[test7GetMappedAttCert] 
     46# Comment out to set for no signature handling 
    4247userprikeypwd =  
    4348usercertfilepath = ./proxy-cert.pem 
     
    4550 
    4651uri = http://localhost:5100/AttributeAuthority 
     52# Heath Data Server 
     53#uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority 
     54# Marine Data Server 
     55#uri = http://glue.badc.rl.ac.uk:43000/AttributeAuthority 
    4756userAttCertFilePath = ./ac.xml 
    4857 
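Review bot: the comment at line 52, `# Heath Data Server`, is presumably meant to read `Health Data Server`.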
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

    r2251 r2289  
    33    <name>Site A</name> 
    44    <portNum>5000</portNum> 
    5     <useSSL>True</useSSL> <!-- leave blank to use http --> 
     5    <useSSL></useSSL> <!-- leave blank to use http --> 
    66    <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
    77    <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 
    88    <sslKeyPwd>Junk</sslKeyPwd> 
     9    <useSignatureHandler></useSignatureHandler> <!-- leave blank for no signature --> 
    910    <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    1011    <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 
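Review bot: with `useSSL` (line 5) and `useSignatureHandler` (line 9) both blank, the site A fixture now runs with neither transport nor message security, so the site A tests exercise only the new unsigned path; site B keeps `Yes` and so preserves coverage of the signed path. State in a comment that this pairing is deliberate, so nobody later "fixes" site B to match and leaves the signed path untested.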
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml

    r2251 r2289  
    77    <sslKeyFile></sslKeyFile> 
    88    <sslKeyPwd>Junk</sslKeyPwd> 
     9    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    910    <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    1011    <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg

    r2085 r2289  
    2121 
    2222[test2GetDelegation] 
    23 #username: sstljakTestUser 
    24 username: gabriel 
     23username: sstljakTestUser 
     24#username: gabriel 
    2525passphrase: 
    2626 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml

    r2251 r2289  
    2020        Set "host/" prefix to host cert CN as is default with globus 
    2121        --> 
    22         <serverCNprefix></serverCNprefix>        
     22        <serverCNprefix>host/</serverCNprefix>   
    2323        <!-- 
    2424        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting 