Changeset 2420


Timestamp:
18/04/07 16:26:43 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/AttAuthority/init.py:

  • improve error messages to include 'X.509' to differentiate with AC errors
  • fixed bug with getAttCert when creating a mapped AC. It now copies over any userId setting from

the original AC input.

was put in to force authors of derived classes to implement an init but it's not necessary.
getRoles and isUserRegistered remain as virtual methods, i.e. they'll raise NotImplementedError
if the derived class doesn't overload them.

ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml: include a default
attCertLifetime as an aid when making settings following an installation.

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py: enable separate
caCertFilePath setting for test7GetMappedAttCert test. This allows one of the unit test AAs to
run without WS-Security settings and one with.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: custom settings for
DEWS tests but also important some additions:

  • include 'issuingusercertfilepath' for test6GetAttCertWithUserIdSet test otherwise it will fail

on the server side in the case when WS-Security signature settings are not made.

  • include 'cacertfilepathlist' setting for test7GetMappedAttCert test.
  • 'mappedAttCertFilePath' enables issued mapped AC to be saved to file for test7GetMappedAttCert

test.

Location:
TI12-security/trunk/python
Files:
8 edited

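--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
@@ -63,5 +63,6 @@
             self.__setURI(uri)
 
-        # WS-Security Signature handler - set only if any of the keywords were set
+        # WS-Security Signature handler - set only if any of the keywords were
+        # set
         if max(signatureHandlerKw.values()):
             self.__signatureHandler = SignatureHandler(**signatureHandlerKw)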
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r2354 r2420  
    360360            elif not isinstance(holderCert, X509Cert): 
    361361                raise AttAuthorityError, \ 
    362                 "No input X.509 certificate file path or cert text/object set" 
    363              
    364         except Exception, e: 
    365             raise AttAuthorityError, "User certificate: %s" % e 
     362                                "No input file path or cert text/object set" 
     363             
     364        except Exception, e: 
     365            raise AttAuthorityError, "User X.509 certificate: %s" % e 
    366366 
    367367 
     
    371371             
    372372        except Exception, e: 
    373             raise AttAuthorityError, "User certificate is invalid: " + str(e) 
     373            raise AttAuthorityError, "User X.509 certificate is invalid: " + \ 
     374                                    str(e) 
    374375 
    375376             
     
    532533            attCert.provenance = AttCert.mappedProvenance 
    533534 
     535            # Copy the user Id from the external AC 
     536            attCert.userId = userAttCert.userId 
     537             
    534538            # End set mapped certificate block 
    535539 
     
    971975    # path for a user roles configuration file 
    972976    def __init__(self, dbURI=None, filePath=None): 
    973         """User Roles abstract base class - derive from this class to define 
     977        """User Roles base class - derive from this class to define 
    974978        roles interface to Attribute Authority 
    975979         
     
    979983        @keyword filePath: file path for properties file containing settings 
    980984        """ 
    981         raise NotImplementedError, \ 
    982             self.__init__.__doc__.replace('\n       ','') 
     985        pass 
    983986 
    984987 
    985988    def userIsRegistered(self, userId): 
    986         """Derived method should return True if user is known otherwise 
    987         False 
     989        """Virtual method - Derived method should return True if user is known 
     990        otherwise False 
    988991         
    989992        Nb. this method is not used by AttAuthority class and so does NOT need  
     
    9991002 
    10001003    def getRoles(self, userId): 
    1001         """Derived method should return the roles for the given user's 
    1002         Id or else raise an exception 
     1004        """Virtual method - Derived method should return the roles for the  
     1005        given user's Id or else raise an exception 
    10031006         
    10041007        @type userId: string  
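Review bot: At new lines 535-536 the mapped certificate's userId is copied straight from userAttCert with no check that the external AC actually carried one, so an input AC whose userId is unset overwrites whatever the mapped AC already had with an empty value, and the copy silently presumes that userAttCert has been verified by the time this block runs (the start of this method is outside the hunk, so that cannot be confirmed here). The commit message says the intent is to copy over "any userId setting", which argues for guarding the assignment and recording the assumption in place: `# Copy the user Id from the external AC - safe only because the input AC was verified above` followed by `if userAttCert.userId:` and the existing `attCert.userId = userAttCert.userId` indented under it. If the verification really does happen earlier in this method, the comment is still worth having so the next maintainer does not move this block above it.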
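--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml
@@ -28,5 +28,5 @@
     -->
     <clntCertFile></clntCertFile>
-    <attCertLifetime></attCertLifetime> <!-- Measured in seconds -->
+    <attCertLifetime>86400</attCertLifetime> <!-- Measured in seconds -->
         <!--
         Allow an offset for clock skew between servers running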
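Review bot: The new 86400 on line 30 is given with no indication of what it represents, so an installer copying this template gets a 24-hour attribute certificate lifetime without any hint that it is an example value to be tuned rather than a recommendation. Since the commit message describes it as "an aid when making settings following an installation", say so where it is read: `<!-- Measured in seconds; 86400 = 24 hours is an example only - set to the shortest lifetime your deployment can work with -->`.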
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2401 r2420  
    180180        except KeyboardInterrupt: 
    181181            sys.exit(0) 
     182 
     183        # List of CA certificates for use in validation of certs used in 
     184        # signature for server reponse 
     185        try: 
     186            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
     187        except: 
     188            caCertFilePathList = [] 
    182189        
    183190        # Make client to site B Attribute Authority 
    184         clnt = AttAuthorityClient( 
     191        clnt = AttAuthorityClient(\ 
    185192uri=self.cfg['test7GetMappedAttCert']['uri'],  
    186193signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('usercertfilepath'), 
    187194signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('userprikeyfilepath'), 
    188195signingPriKeyPwd=userPriKeyPwd, 
     196caCertFilePathList=caCertFilePathList, 
    189197tracefile=sys.stderr) 
    190198     
     
    193201                                  userAttCert=userAttCert) 
    194202        print "Attribute Certificate: \n\n:" + str(attCert) 
     203         
     204        attCert.filePath = \ 
     205                    self.cfg['test7GetMappedAttCert']['mappedattcertfilepath'] 
     206        attCert.write() 
    195207  
    196208  
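Review bot: The bare `except:` at new line 187 swallows KeyboardInterrupt and SystemExit along with the missing-key case, which sits oddly next to the explicit KeyboardInterrupt handling a few lines above and can hide a mistyped cfg section rather than a deliberately absent key. The only failure this guards against is 'cacertfilepathlist' being absent, so the try block can go: `caCertFilePathList = self.cfg['setUp'].get('cacertfilepathlist', '').split()` (the same section already uses `.get` on line 193). A comment on what an empty list means for the client would help too, e.g. `# Empty list => no CA is available to verify the signature on the server response`, hedged because the client's handling of an empty list is not visible here. The enclosing test method starts outside the hunk.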
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2401 r2420  
    1313#uri = https://localhost:5000/AttributeAuthority 
    1414#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
    15 #uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
     15uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
    1616#uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
    1717 
     
    2323# from tty 
    2424userprikeypwd =  
     25 
     26# All commented out to test service without WS-Security 
    2527#usercertfilepath = ./proxy-cert.pem 
    2628#userprikeyfilepath = ./proxy-key.pem 
     
    2830# the user cert as well as proxy is needed to complete the chain of trust 
    2931# with the CA 
    30 usercertfilepath = ./aa-cert.pem 
    31 userprikeyfilepath = ./aa-key.pem 
     32#usercertfilepath = ./aa-cert.pem 
     33#userprikeyfilepath = ./aa-key.pem 
    3234 
    3335# Space separated list of CA certificate files used to verify certificate used 
    3436# in message signature 
    35 cacertfilepathlist = ./cacert.pem 
     37#cacertfilepathlist = ./cacert.pem 
    3638 
    3739[test3GetTrustedHostInfo] 
     
    5153 
    5254[test6GetAttCertWithUserIdSet] 
    53 userId = userWhoIsEntitledToTheRolesInThisCert 
     55userId = dewsPortalUser 
     56issuingusercertfilepath = ./aa-cert.pem 
    5457 
    5558[test7GetMappedAttCert] 
    5659# Comment out to set for no signature handling 
    5760userprikeypwd =  
    58 usercertfilepath = ./proxy-cert.pem 
    59 userprikeyfilepath = ./proxy-key.pem 
     61#usercertfilepath = ./proxy-cert.pem 
     62#userprikeyfilepath = ./proxy-key.pem 
     63usercertfilepath = ./aa-cert.pem 
     64userprikeyfilepath = ./aa-key.pem 
    6065 
    61 uri = http://localhost:5100/AttributeAuthority 
     66# Space separated list of CA certificate files used to verify certificate used 
     67# in message signature 
     68cacertfilepathlist = ./cacert.pem 
     69 
     70#uri = http://localhost:5100/AttributeAuthority 
    6271# Heath Data Server 
    6372#uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority 
    6473# Marine Data Server 
    65 #uri = http://glue.badc.rl.ac.uk:43000/AttributeAuthority 
     74uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
    6675userAttCertFilePath = ./ac.xml 
     76mappedAttCertFilePath = ./mapped-ac.xml 
    6777 
    6878 
    69  
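Review bot: The active uri values at new lines 15 and 74 now point the checked-in test configuration at the live glue.badc.rl.ac.uk Portal and MarineDataServer Attribute Authorities instead of a local server, while the [setUp] WS-Security signing and CA settings on lines 27-37 are commented out; anyone running the suite as committed sends unsigned requests to those external services, and the tests cannot pass offline. Keep a localhost entry as the active default and leave the DEWS hosts as commented alternatives to be switched on for a specific run, and say so next to them: `# DEWS endpoints below are for manual integration runs only - keep localhost active in the committed file`. The issuingusercertfilepath and cacertfilepathlist additions on lines 56 and 68 look right for the cases the commit message describes.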
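--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml
@@ -3,5 +3,5 @@
     <name>Site A</name>
     <portNum>5000</portNum>
-    <useSSL>Yes</useSSL> <!-- leave blank to use http -->
+    <useSSL></useSSL> <!-- leave blank to use http -->
     <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile>
     <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile>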
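Review bot: Blanking useSSL on line 5 drops the Site A unit-test Attribute Authority to plain http while the sslCertFile and sslKeyFile entries on lines 6-7 stay populated, so the file no longer says which of the two is in force (presumably the cert and key are ignored when useSSL is blank, but nothing here states it). Taken with the signing settings commented out in attAuthorityClientTest.cfg in this same changeset, the test traffic now has neither transport nor message protection, which is acceptable for a local fixture only if the file says so: `<useSSL></useSSL> <!-- leave blank to use http - unit test only, no transport security; sslCertFile/sslKeyFile below are then unused -->`.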
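--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg
@@ -21,6 +21,6 @@
 
 [test2GetDelegation]
-username: sstljakTestUser
-#username: gabriel
+#username: sstljakTestUser
+username: gabriel
 passphrase:
 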
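--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml
@@ -20,6 +20,6 @@
         Set "host/" prefix to host cert CN as is default with globus
         -->
-        <serverCNprefix>host/</serverCNprefix>
+        <serverCNprefix></serverCNprefix>
         <!--
         Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting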
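Review bot: The comment on lines 20-21 still instructs the reader to set the "host/" prefix as the Globus default, but the value on line 22 is now empty, so the comment and the setting contradict each other and the next reader cannot tell whether blank is deliberate. Since this prefix presumably feeds the check of the MyProxy server certificate's CN (the check itself is not in this file), the comment should describe both states: `Prefix expected before the host name in the MyProxy server certificate CN: "host/" is the Globus default, leave empty when the CN is the bare host name`.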