Timestamp:
30/05/07 18:00:10 (13 years ago)
Author:
pjkersha
Message:

Working Session Manager unit tests for connect and disconnect calls and
getAttCert calls. Correct use of proxy certs with WS-Security signature
interface is also configured.

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
removed blank line

ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml:
added setting for signature handler flag and CA cert

ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • fix to soap_disconnect - call SessionMgr.deleteUserSession
  • fix to soap_getX509Cert - base64 encode DER format cert output
  • added 'useSignatureHandler' flag to enable WS-Security signature handling to be omitted if required.

ndg.security.server/ndg/security/server/SessionMgr/__init__.py:

  • ref to CredWalletInvalidUserX509Cert
  • give explicit keyword names in connect2UserSession method signature
  • raise CredWalletInvalidUserX509Cert if Credential Wallet cert is invalid
  • SessionMgr.deleteUserSession method - added userSess keyword; fixed userDN setting to ensure it's a string

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py,
ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
cosmetic changes

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • added _getCertChainFromProxyCertFile method to enable correct proxy cert loading
  • added caCertFilePathList, reqBinSecTokValType, setSignatureHandler and signingCertChain keyword settings to SessionMgrClient initialisation
  • removed duplicated test6bCookieGetMappedAttCert method

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml:

  • dropped serverCNprefix element setting - not needed for test certs used.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

  • added new params caCertFilePathList, reqBinSecTokValType, setSignatureHandler and proxycertfilepath

ndg.security.common/ndg/security/common/SessionMgr/__init__.py:

SignatureHandler to be switched on/off

ndg.security.common/ndg/security/common/AttAuthority/__init__.py: fix to
pydoc for AttAuthorityClient.__init__

ndg.security.common/ndg/security/common/CredWallet.py: major fixes for
SessionMgr - AA calls -

  • CredWalletInvalidUserX509Cert new exception type raised if user cert is invalid
  • separate setAAuri into a new method createAAClnt
  • getAttCert method can take an aaClnt keyword. This enables the client object to the AA to call to be passed in. Default is the target AA, self.aaClnt.

Location:
TI12-security/trunk/python/ndg.security.test/ndg/security/test
Files:
5 edited

  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2515 r2530  
    1212""" 
    1313 
    14 __revision__ = '$Id$' 
     14__revision__ = '$Id:$' 
    1515 
    1616import unittest 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2515 r2530  
    4343#clntprikeyfilepath = ./aa-key.pem 
    4444clntprikeyfilepath = ./proxy-key.pem 
    45  
    4645 
    4746# Space separated list of CA certificate files used to verify certificate used 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py

    r2437 r2530  
    2222 
    2323import unittest 
    24 import os, sys, getpass 
     24import os, sys, getpass, re 
    2525from ConfigParser import SafeConfigParser 
    2626 
     
    2929     
    3030from ndg.security.common.SessionCookie import SessionCookie 
     31from ndg.security.common.X509 import X509CertParse 
    3132 
    3233 
    3334class SessionMgrClientTestCase(unittest.TestCase): 
     35    pemPat = "-----BEGIN CERTIFICATE-----[^\-]*-----END CERTIFICATE-----" 
     36 
     37    def _getCertChainFromProxyCertFile(self, proxyCertFilePath): 
     38        '''Read proxy cert and user cert from a single PEM file and put in 
     39        a list ready for input into SignatureHandler'''                
     40        proxyCertFileTxt = open(proxyCertFilePath).read() 
     41         
     42        pemPatRE = re.compile(self.__class__.pemPat, re.S) 
     43        x509CertList = pemPatRE.findall(proxyCertFileTxt) 
     44         
     45        signingCertChain = [X509CertParse(x509Cert) for x509Cert in \ 
     46                            x509CertList] 
    3447     
     48        # Expecting proxy cert first - move this to the end.  This will 
     49        # be the cert used to verify the message signature 
     50        signingCertChain.reverse() 
     51         
     52        return signingCertChain 
     53 
     54 
    3555    def setUp(self): 
    3656         
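Review bot: `_getCertChainFromProxyCertFile` (new lines 37-52) assumes the proxy certificate comes first in the PEM file and simply calls `signingCertChain.reverse()`; nothing verifies that assumption, so a file written user-cert-first yields a chain whose last element (the one the comment says is used to verify the message signature) is the user cert rather than the proxy, and it will not match the signing key. Suggest checking the order before reversing, for example that each certificate's issuer equals the next one's subject, and raising a clear error otherwise. Two smaller points: `open(proxyCertFilePath).read()` at line 40 never closes the file handle, and `pemPat` at line 35 deserves a one-line comment noting that `[^\-]*` relies on the base64 body containing no `-` characters, which is also what keeps a private-key block in the same file from matching.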
     
    5272        except KeyboardInterrupt: 
    5373            sys.exit(0) 
     74 
     75        # List of CA certificates for use in validation of certs used in 
     76        # signature for server reponse 
     77        try: 
     78            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
     79        except: 
     80            caCertFilePathList = [] 
     81           
     82           
     83        reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype') 
     84 
     85        # Check certificate types proxy or standard 
     86        proxyCertFilePath = self.cfg['setUp'].get('proxycertfilepath') 
     87        if proxyCertFilePath: 
     88            signingCertChain = \ 
     89                        self._getCertChainFromProxyCertFile(proxyCertFilePath) 
     90             
     91        setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler']) 
    5492             
    5593        # Initialise the Session Manager client connection 
    5694        # Omit traceFile keyword to leave out SOAP debug info 
    5795        self.clnt = SessionMgrClient(uri=self.cfg['setUp']['smuri'], 
    58                 verifyingCertFilePath=self.cfg['setUp']['srvcertfilepath'], 
    59                 signingCertFilePath=self.cfg['setUp']['clntcertfilepath'], 
     96                setSignatureHandler=setSignatureHandler, 
     97                reqBinSecTokValType=reqBinSecTokValType, 
     98                signingCertFilePath=self.cfg['setUp'].get('clntcertfilepath'), 
     99                signingCertChain=signingCertChain, 
    60100                signingPriKeyFilePath=self.cfg['setUp']['clntprikeyfilepath'], 
    61101                signingPriKeyPwd=clntPriKeyPwd, 
     102                caCertFilePathList=caCertFilePathList, 
    62103                tracefile=tracefile)  
    63104         
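Review bot: `signingCertChain` is assigned only inside `if proxyCertFilePath:` (new lines 87-89) but is passed unconditionally as `signingCertChain=signingCertChain` at new line 99, so the non-proxy configuration (with `proxycertfilepath` commented out, as the cfg comments invite) raises a `NameError` in `setUp` before any test runs; initialise it to `None` before the `if`. Also, the bare `except:` at new line 79 hides any error, including a misspelled option name, where only a `KeyError` is expected, and `eval(self.cfg['setUp']['setsignaturehandler'])` at new line 91 executes whatever text is in the config file to obtain a boolean; `SafeConfigParser.getboolean('setUp', 'setsignaturehandler')` does this without evaluating code.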
     
    191232    def test6bCookieGetMappedAttCert(self): 
    192233        """test6bCookieGetMappedAttCert: make an attribute request using 
    193         a cookie as authentication credential""" 
    194  
    195         print "\n\t" + self.test6bCookieGetMappedAttCert.__doc__         
    196         self.test2CookieConnect() 
    197          
    198         attCert, extAttCertList = self.clnt.getAttCert(\ 
    199             sessID=self.sessCookie.sessionID,  
    200             encrSessionMgrURI=self.sessCookie.encrSessionMgrURI, 
    201             attAuthorityURI=self.cfg['test6bCookieGetMappedAttCert']['aauri']) 
    202          
    203         print "Attribute Certificate:\n%s" % attCert   
    204         print "External Attribute Certificate List:\n%s" % extAttCertList 
    205  
    206  
    207     def test6bCookieGetMappedAttCert(self): 
    208         """test6CookieGetAttCert: make an attribute request using 
    209234        a cookie as authentication credential""" 
    210235 
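Review bot: removing the duplicate `test6bCookieGetMappedAttCert` definition is right, but check which body survives. Before this change the second definition (old line 207) overrode the first, so the body that actually ran was the one under the docstring reading `test6CookieGetAttCert`; after the change that same body (old line 210 onward, now 235 onward) is kept under the first definition's header and docstring, while the removed body (old lines 195-204) was the one passing `encrSessionMgrURI` and `attAuthorityURI` from `self.cfg['test6bCookieGetMappedAttCert']['aauri']`. Please confirm the surviving body still makes the mapped request its docstring promises, otherwise the `aauri` setting in the cfg is dead and the test exercises the plain getAttCert path.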
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg

    r2418 r2530  
    1212smuri = https://localhost:5700/SessionManager 
    1313 
     14# Set to False to test service without WS-Security signature 
     15setsignaturehandler = True 
    1416 
    15 # X.509 certificate for Attribute Authority - if commented out, Session  
    16 # Manager will call AA getX509Cert WS method to retrieve it 
    17 #aacertfilepath =  
     17# ValueType for BinarySecurityToken element of WSSE header.  Specify 
     18# 'X509PKIPathv1' for use with proxy certificates 
     19#reqbinsectokvaltype = X509v3 
     20#reqbinsectokvaltype = X509 
     21reqbinsectokvaltype = X509PKIPathv1 
    1822 
    19 # X.509 certificate for session manager.  If not set, it will be retrieved  
    20 # using the getX509Cert WS method 
    21 srvcertfilepath = ./sm-cert.pem 
     23# Test with proxy certificates or with standard certs.  Comment out as  
     24# appropriate 
     25proxycertfilepath = ./proxy-cert.pem 
     26 
     27# Test without proxy certificates - uses AA server side cert/private key for 
     28# client side too (!) 
     29#clntcertfilepath = ./clnt-cert.pem 
     30 
     31#clntprikeyfilepath = ./clnt-key.pem 
     32clntprikeyfilepath = ./proxy-key.pem 
    2233 
    2334# Password protecting client private key - if omitted it will be prompted for 
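Review bot: `setsignaturehandler = True` (new line 15) is read through `eval()` in SessionMgrClientTest.py, so the accepted values are Python literals rather than a documented set; extend the comment to state that, or have the test use `getboolean` so `yes`/`no` and `on`/`off` also work. The comment at new lines 27-28 records that the non-proxy path reuses the AA server-side cert and private key on the client side; fine for a unit-test fixture, but worth wording so it is not copied into a deployed configuration. Dropping `srvcertfilepath` (old lines 19-21) matches the removal of `verifyingCertFilePath=` from the test, so the server's signing cert is now verified through the CA list rather than a pinned cert; the `cacertfilepathlist` comment should say so.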
     
    2536clntprikeypwd =  
    2637 
    27 clntcertfilepath = ./clnt-cert.pem 
    28 clntprikeyfilepath = ./clnt-key.pem 
     38# Space separated list of CA certificate files used to verify certificate used 
     39# in message signature 
     40cacertfilepathlist = ./cacert.pem 
    2941 
    3042[test1AddUser] 
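Review bot: `clntprikeypwd = ` (line 36) is present but empty, whereas the comment above says a prompt occurs only if the option is omitted; `SafeConfigParser` returns an empty string here, not a missing option, so whether this prompts or passes `''` as the key password depends on how the test treats it. Either comment the line out to get the prompt or extend the comment to say an empty value means the key is unencrypted. Removing the second `clntcertfilepath`/`clntprikeyfilepath` pair (old lines 27-28) is good, since with ConfigParser the later value for a repeated option wins and the earlier settings were silently overridden.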
     
    3446  
    3547[test2CookieConnect]          
    36 username = sstljakTestUser 
     48username = raphaelTest 
    3749#username = gabriel 
    3850#passphrase =  
    3951 
    4052[test3ProxyCertConnect]          
    41 username = sstljakTestUser 
     53username = raphaelTest 
    4254#username = gabriel 
    4355#passphrase =  
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml

    r2437 r2530  
    55    <sslCertFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</sslCertFile> 
    66    <sslKeyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</sslKeyFile> 
     7    <!-- 
     8    PKI settings for signature of outbound SOAP messages 
     9    --> 
    710    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    811    <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile> 
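Review bot: `<useSignatureHandler>Yes</useSignatureHandler>` (new line 10) with the inline comment "leave blank for no signature" implies the flag is decided by whether the element text is empty rather than by its value, so `No` would still enable signing. Either state in the new comment block (lines 7-9) that any non-empty text enables the handler, or parse an explicit yes/no and reject other values, so a misconfiguration fails at startup instead of silently signing or not signing.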
     
    3942                Set "host/" prefix to host cert CN as is default with globus 
    4043                --> 
    41                 <serverCNprefix>host/</serverCNprefix>   
    4244                <!-- 
    4345                Nb. GRID_SECURITY_DIR environment variable if set, overrides this  
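Review bot: `<serverCNprefix>host/</serverCNprefix>` is removed (old line 41) but the explanatory text just above it, 'Set "host/" prefix to host cert CN as is default with globus' (line 42), is kept, so the comment now describes a setting that is no longer present. Either drop that sentence or note that the element is optional and is omitted for the test certificates.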