Changeset 2418


Timestamp:
18/04/07 09:20:31 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/Log.py: remove ref to 'Logger'

ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
added M2Crypto SSL support

ndg.security.server/ndg/security/server/SessionMgr/start-container.sh:
copy from Attribute Authority version.

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:
fix to test5ProxyCertDisconnect call.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
set clntprikeypwd to null so that it is not prompted for from terminal.

ndg.security.common/ndg/security/common/SessionMgr/init.py: fix to
disconnect SOAP client call so that userCert omit alone is allowed.

ndg.security.common/ndg/security/common/wsSecurity.py: delete debug call.

Location:
TI12-security/trunk/python
Files:
7 edited

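--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
@@ -276,7 +276,7 @@
             encrSessionMgrURI = sessCookie.encrSessionMgrURI
             
-        elif not sessID and not encrSessionMgrURI:
+        elif not sessID and not encrSessionMgrURI and not userCert:
             raise SessionMgrClientError, '"sessCookie or "sessID" and ' + \
-                                '"encrSessionMgrURI" keywords must be set'
+                    '"encrSessionMgrURI or "userCert" keywords must be set'
 
         # Make connection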
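Review bot: The error message built on the new line 280 still has unbalanced quotes — `"sessCookie` and `"encrSessionMgrURI` each open a double quote that is never closed, so the reader cannot tell which keywords are alternatives and which must be given together. Since the condition now accepts userCert on its own, say so: `'"sessCookie", "userCert", or both "sessID" and ' + \` followed by `'"encrSessionMgrURI" keywords must be set'`. The enclosing method starts and ends outside the hunk, so whether a userCert-only call then reaches the connection code with sessID and encrSessionMgrURI unset cannot be confirmed from here.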
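--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
@@ -868,5 +868,5 @@
             pass
         
-        import pdb;pdb.set_trace()
+        #import pdb;pdb.set_trace()
         if binSecTokNode:
             try: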
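Review bot: Commenting out the debugger call on the new line 870 leaves dead code in the WS-Security token-verification path, and the commit message itself says "delete debug call"; remove the line rather than keeping `#import pdb;pdb.set_trace()` where a later edit can trivially re-enable it. The enclosing function starts and ends outside the hunk.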
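--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/Log.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/Log.py
@@ -16,5 +16,4 @@
 from logging.handlers import RotatingFileHandler, SysLogHandler
 
-from logger import Logger, LogContainer
 
 # Inherit directly from Logger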
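--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac
@@ -14,6 +14,4 @@
 License, version 1.0 or later.
 """
-import socket
-
 from ZSI.twisted.WSresource import WSResource
 from twisted.application import service, internet
@@ -33,17 +31,36 @@
         
     def __init__(self):
-        WSResource.__init__(self)
-        
-        # Initialize Session Manager class - encapsulates inner workings 
-        # including session management and proxy delegation
+        '''Initialize Session Manager class - encapsulates inner workings 
+        including session management and proxy delegation
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
+        WSResource.__init__(self)
         self.sm = SessionMgr()
-        
+
+
     def soap_addUser(self, ps, **kw):
-        #import pdb;pdb.set_trace()
+        '''Add a new user account
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
         request, response = SessionMgrService.soap_addUser(self, ps)
         return request, response
 
+
     def soap_connect(self, ps, **kw):
-        #import pdb;pdb.set_trace()
+        '''Connect to Session Manager and create a user session
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
         request, response = SessionMgrService.soap_connect(self, ps)
 
@@ -58,21 +75,36 @@
         return request, response
 
+
     def soap_disconnect(self, ps, **kw):
-        import pdb;pdb.set_trace()
+        '''Disconnect and remove user's session
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
         request, response = SessionMgrService.soap_disconnect(self, ps)
         return request, response
 
+
     def soap_getAttCert(self, ps, **kw):
-        #import pdb;pdb.set_trace()
+        '''Get Attribute Certificate from a given Attribute Authority
+        and cache it in user's Credential Wallet
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
         request, response = SessionMgrService.soap_getAttCert(self, ps)
         
         # Get certificate corresponding to private key that signed the
-        # message - i.e. the user's proxy
-        proxyCert = WSSecurityHandler.signatureHandler.verifyingCert
-        
-                # Proxy cert is prefered over userCert - userCert may have been 
-                # omitted.
+        # message - i.e. the user's
+        userCert = WSSecurityHandler.signatureHandler.verifyingCert
+        
+                # Cert used in signature is prefered over userCert input element - 
+                # userCert may have been omitted.
         result = self.sm.getAttCert(\
-                                    userCert=proxyCert or request.UserCert,
+                                    userCert=userCert or request.UserCert,
                                     sessID=request.SessID,
                                     encrSessMgrURI=request.EncrSessionMgrURI,
@@ -92,8 +124,15 @@
         return request, response
 
+
     def soap_getX509Cert(self, ps, **kw):
-        #import pdb;pdb.set_trace()
+        '''Return Session Manager's X.509 certificate
+        
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+        
         request, response = SessionMgrService.soap_getX509Cert(self, ps)
-        response.set_element_x509Cert(open(self.sm['certFile']).read().strip())
+        response.X509Cert = open(self.sm['certFile']).read().strip()
         return request, response
 
@@ -117,10 +156,61 @@
 if srv.sm['useSSL']:
         # Use SSL connection
-        from twisted.internet import ssl
+#       from twisted.internet import ssl
+#        
+#       # Nb. ssl.DefaultOpenSSLContextFactory requires pyOpenSSL
+#       ctxFactory = ssl.DefaultOpenSSLContextFactory(srv.sm['sslKeyFile'], 
+#                                                                                                 srv.sm['sslCertFile'])
+#       port = internet.SSLServer(srv.sm['portNum'], siteFactory, ctxFactory)
+
+    # Using M2Crypto ...
+    import os
+    os.putenv("OPENSSL_ALLOW_PROXY_CERTS", "1")
+
+    import twisted.protocols.policies as policies
+    from M2Crypto import SSL
+    from M2Crypto.SSL import TwistedProtocolWrapper
+    from M2Crypto.SSL.TwistedProtocolWrapper import TLSProtocolWrapper
         
-        # Nb. ssl.DefaultOpenSSLContextFactory requires pyOpenSSL
-        ctxFactory = ssl.DefaultOpenSSLContextFactory(srv.sm['sslKeyFile'], 
-                                                                                                  srv.sm['sslCertFile'])
-        port = internet.SSLServer(srv.sm['portNum'], siteFactory, ctxFactory)
+    siteFactory.startTLS = True
+    siteFactory.sslChecker = SSL.Checker.Checker()
+
+        # TODO: Python ssl client seems to require SSL vers 2 is this a security
+        # risk?
+    ctx = SSL.Context(protocol='sslv23')
+    ctx.set_cipher_list("NULL-MD5:ALL:!ADH:!EXP:@STRENGTH")
+    ctx.load_cert(srv.sm['sslCertFile'], 
+                          srv.sm['sslKeyFile'],
+                          callback=lambda *args, **kw: srv.aa['sslKeyPwd'])
+                          
+    ctx.set_allow_unknown_ca(False)
+
+    # TODO: resolve check - verify_peer setting fails with
+    # BIOError: 'no certificate returned' error 18
+#    ctx.set_verify(SSL.verify_peer, 10)
+    ctx.set_verify(SSL.verify_client_once, 1)
+
+    ctx.load_verify_locations(cafile=os.path.basename(srv.sm['caCertFile']), 
+                                                  capath=os.path.dirname(srv.sm['caCertFile']))
+
+    class ContextFactory:
+        def getContext(self):
+            return ctx
+
+    factory = policies.WrappingFactory(siteFactory)
+    factory.protocol.TLS = True
+    factory.protocol = lambda factory, wrappedProtocol: \
+        TLSProtocolWrapper(factory,
+                           wrappedProtocol,
+                           startPassThrough=0,
+                           client=0,
+                           contextFactory=ContextFactory(),
+                           postConnectionCheck=None)
+
+    siteFactory = factory
+    
+    port = internet.TCPServer(srv.sm['portNum'], siteFactory)
+    port.CERTFILE = srv.sm['sslCertFile']
+    port.KEYFILE = srv.sm['sslKeyFile']
+    root.__class__.server = port
 else:    
         # Non-SSL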
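Review bot: The cipher list on the new line 180, `"NULL-MD5:ALL:!ADH:!EXP:@STRENGTH"`, explicitly admits a null-encryption suite, so a client that negotiates it gets an authenticated but unencrypted channel to the Session Manager; drop it and exclude the whole class instead, `ctx.set_cipher_list("ALL:!eNULL:!ADH:!EXP:@STRENGTH")`, and the TODO on lines 177-178 about SSLv2 is best closed out by disabling that version on the context rather than left as a question. Line 183's key-password callback reads `srv.aa['sslKeyPwd']` while every other setting in this block comes from `srv.sm`; that looks like a leftover from the Attribute Authority config and would fail at key load if `srv` has no `aa` attribute — `callback=lambda *args, **kw: srv.sm['sslKeyPwd']`. Line 192 hands `os.path.basename(srv.sm['caCertFile'])` to `cafile`, which OpenSSL resolves against the working directory rather than the configured location, so the CA file is only found when the process happens to start in that directory; `cafile=srv.sm['caCertFile']` is what is meant. Line 200 sets `TLS = True` on the original protocol class and line 201 then replaces `factory.protocol` with the lambda, so the attribute never reaches the wrapper; one of the two lines is presumably redundant. The `else:` branch of `if srv.sm['useSSL']:` continues past the end of the hunk.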
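--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/start-container.sh
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/start-container.sh
@@ -14,6 +14,21 @@
 # $Id:$
 EXEC=twistd
-OPTIONS=-noy
-CONFIG=server-config.tac
+OPTIONS="--pidfile=twistd-$$.pid -noy"
+
+prefixDir=$(dirname $(dirname $(type -p python)))
+srvSubDir=lib/site-packages/ndg/security/server/AttAuthority
+
+if [ ! -d ${prefixDir} ]; then
+        echo "Path to tac file not found"
+        exit 1;
+fi
+
+installPath=${HOME}/Development/security/python/ndg.security.server/ndg/security/server/AttAuthority
+#installPath=${pythonPrefixDir}/${srvSubDir}
+if [ -d ${installPath} ]; then
+        CONFIG=${installPath}/server-config.tac
+else
+        CONFIG=./server-config.tac
+fi
 
 set - ${EXEC} ${OPTIONS} ${CONFIG} "$@"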
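Review bot: `srvSubDir` on the new line 19 and `installPath` on line 26 both end in `AttAuthority`, so this Session Manager start script launches the Attribute Authority's server-config.tac whenever that checkout exists on the box; both should end in `SessionMgr`, consistent with the file's own directory. The commented alternative on line 27 refers to `${pythonPrefixDir}`, which is never set — the variable defined on line 18 is `prefixDir` — and the check on line 21 tests `prefixDir` yet reports "Path to tac file not found" while the derived path is never used; `installPath=${prefixDir}/${srvSubDir}` would make the check meaningful. A hard-coded `${HOME}/Development/...` path in a start script is a deployment hazard too, because on any other host it silently falls back to whatever `./server-config.tac` is in the current directory, which is a risk for a service that loads TLS keys from that file.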
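--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
@@ -84,6 +84,8 @@
         a cookie is returned"""
 
-        passphrase = self.cfg['test2CookieConnect'].get('passphrase') or \
-        getpass.getpass(prompt="\ntest2CookieConnect pass-phrase for user: ")
+        passphrase = self.cfg['test2CookieConnect'].get('passphrase')
+        if passphrase is None:
+            passphrase = getpass.getpass(\
+                     prompt="\ntest2CookieConnect pass-phrase for user: ")
 
         self.proxyCert, self.proxyPriKey, self.userCert, cookie = \
@@ -114,6 +116,6 @@
 
     def test4CookieDisconnect(self):
-        """test4CookieDisconnect: disconnect as if acting as a browser client - 
-        a cookie is returned"""
+        """test4CookieDisconnect: disconnect as if acting as a browser client 
+        """
         
         print "\n\t" + self.test4CookieDisconnect.__doc__
@@ -132,6 +134,6 @@
 
     def test5ProxyCertDisconnect(self):
-        """test5ProxyCertDisconnect: Connect as a command line client - 
-        a proxyCert is returned"""
+        """test5ProxyCertDisconnect: Disconnect as a command line client 
+        """
         
         print "\n\t" + self.test5ProxyCertDisconnect.__doc__
@@ -143,5 +145,5 @@
         self.clnt.signingPriKeyPwd = None
         
-        self.clnt.disconnect(proxyCert=self.proxyCert)
+        self.clnt.disconnect(userCert=self.proxyCert)
         print "User disconnected from Session Manager:\n%s" % self.proxyCert
 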
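Review bot: On the new line 88 the backslash after `getpass.getpass(` is redundant inside an open parenthesis, and the continuation on line 89 indents the argument well past the call; `passphrase = getpass.getpass(` followed by `    prompt="\ntest2CookieConnect pass-phrase for user: ")` at one extra indent level reads more plainly. Line 147 now passes `self.proxyCert` as `userCert`, so the attribute name no longer matches the keyword; if the proxy certificate obtained by the connect test is intentionally standing in for the user certificate here, a one-line comment saying so (`# the proxy cert from the connect step is presented as userCert`) would keep the next reader from "fixing" it back. The surrounding test methods start outside the hunks shown.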
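--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg
@@ -23,5 +23,5 @@
 # Password protecting client private key - if omitted it will be prompted for
 # from tty
-#clntprikeypwd = 
+clntprikeypwd = 
 
 clntcertfilepath = ./clnt-cert.pem
@@ -39,6 +39,6 @@
 
 [test3ProxyCertConnect]
-#username = sstljakTestUser
-username = gabriel
+username = sstljakTestUser
+#username = gabriel
 #passphrase = 
 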
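Review bot: Giving `clntprikeypwd` an empty value on the new line 25 changes the setting's meaning, but the comment on lines 23-24 still only describes the omitted case; per the commit message an empty value now means "do not prompt", which presumably requires the test client key to be unencrypted. Update the comment so both cases are documented, e.g. `# Password protecting client private key - leave the value empty for an` / `# unencrypted key; comment the setting out to be prompted for it from tty`. Whether an empty string is treated as "no password" rather than a zero-length password is decided by the reader of this file, which is outside this changeset.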