Changeset 2746


Timestamp:
26/07/07 16:43:00 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml:

  • don't comment out hostname instead include by default

ndg.security.server/ndg/security/server/SessionMgr/init.py:

  • fixed comment typo

ndg.security.server/ndg/security/server/MyProxy.py:

to prevent setting of OpenSSL config file without the required file name and
directory path.

ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg,
ndg.security.test/ndg/security/test/AttCert/AttCertTest.py:

  • fixed unit tests for AC signature verification. certFilePathList can now

be set to include CA certs. to verify the X.509 cert. used in the signature

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • fix: extAttCertList is no longer returned in getAttCert calls to SM client.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

  • tests with services on glue

ndg.security.common/ndg/security/common/XMLSec.py:

  • fixed verifyEnvelopedSignature so that it is now possible to verify the

X.509 cert. in the signature against its issuing CA cert.

ndg.security.common/ndg/security/common/SessionMgr/init.py:

  • modified getAttCert call so that extAttCertList is no longer passed back in

the returned tuple but is instead included as an attribute of the
AttributeRequestDenied? exception type.

  • updated pydoc for getAttCert method

ndg.security.common/ndg/security/common/AttAuthority/init.py:

  • typo fix - doesn't affect execution

ndg.security.common/ndg/security/common/CredWallet.py:

  • updates to getAttCert call pydoc
  • and getAttCert exception handling
Location:
TI12-security/trunk/python
Files:
11 edited

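--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
@@ -330,5 +330,5 @@
 
         try:
-            sAttCert, msg = self.__srv.getAttCert(userId, userCert, userAttCert)
+            sAttCert, msg = self.__srv.getAttCert(userId,userCert,userAttCert)
         except httplib.BadStatusLine, e:
             raise AttAuthorityClientError, "HTTP bad status line: %s" % e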
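--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py
@@ -77,5 +77,5 @@
 
     def __init__(self, msg=None, extAttCertList=[], trustedHostInfo={}):
-        """Raise exception for authorisation denied with option to give
+        """Raise exception for attribute request denied with option to give
         caller hint to certificates that could used to try to obtain a
         mapped certificate
@@ -788,5 +788,5 @@
         The procedure is:
 
-        1) Try authorisation using proxy certificate
+        1) Try attribute request using proxy certificate
         2) If the Attribute Authority (AA) doesn't recognise the certificate,
         find out any other hosts which have a trust relationship to the AA.
@@ -830,5 +830,5 @@
 
         @type rtnExtAttCertList: bool / None
-        @keyword rtnExtAttCertList: If authorisation fails, make a list of
+        @keyword rtnExtAttCertList: If request fails, make a list of
         candidate certificates from other Attribute Authorities which the user
         could use to retry and get a mapped certificate.
@@ -1076,11 +1076,5 @@
                     raise CredWalletAttributeRequestDenied(msg=msg,
                                             extAttCertList=extAttCertList,
-                                            trustedHostInfo=trustedHostInfo)
-
-            except Exception, authorisationError:
-                # Authorisation request raised an error other than access
-                # denied
-                raise authorisationError
-
+                                            trustedHostInfo=trustedHostInfo)
 
 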
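Review bot: `def __init__(self, msg=None, extAttCertList=[], trustedHostInfo={})` in the first hunk (line 78, a context line the commit leaves untouched) uses a mutable list and dict as defaults; both objects are shared by every instance, so any code that appends to `extAttCertList` or updates `trustedHostInfo` on one exception leaks into the next. Default both to None, `def __init__(self, msg=None, extAttCertList=None, trustedHostInfo=None):`, and substitute empty containers in the body, which lies outside the hunk. In the last hunk the dropped `except Exception, authorisationError:` clause only re-raised what it caught, so its removal changes nothing; the surrounding try block starts outside the hunk.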
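--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
@@ -26,5 +26,5 @@
 from ndg.security.common.wsSecurity import SignatureHandler
 from ndg.security.common.X509 import *
-from ndg.security.common.AttCert import AttCertParse
+from ndg.security.common.AttCert import AttCert, AttCertParse
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
     HostCheck
@@ -39,4 +39,52 @@
 class AttributeRequestDenied(Exception):
     """Raise when a getAttCert call to the Attribute Authority is denied"""
+
+    def __init__(self, msg=None, extAttCertList=[]):
+        """Raise exception for attribute request denied with option to give
+        caller hint to certificates that could used to try to obtain a
+        mapped certificate
+
+        @type msg: string
+        @keyword msg: error message
+
+        @type extAttCertList: list
+        @keyword extAttCertList: list of candidate Attribute Certificates that
+        could be used to try to get a mapped certificate from the target
+        Attribute Authority"""
+
+        self.__msg = msg
+
+        # Prevent None type setting
+        self.__extAttCertList = []
+        if extAttCertList is not None:
+            for ac in extAttCertList:
+                if isinstance(ac, basestring):
+                    ac = AttCertParse(ac)
+                elif not isinstance(ac, AttCert):
+                    raise SessionMgrClientError, \
+                        "Input external Attribute Cert. must be AttCert type"
+
+                self.__extAttCertList += [ac]
+
+    def __str__(self):
+        return self.__msg
+
+    def __getMsg(self):
+        """Get message text"""
+        return self.__msg
+
+    msg = property(fget=__getMsg, doc="Error message text")
+
+    def __getExtAttCertList(self):
+        """Return list of candidate Attribute Certificates that could be used
+        to try to get a mapped certificate from the target Attribute Authority
+        """
+        return self.__extAttCertList
+
+    extAttCertList = property(fget=__getExtAttCertList,
+                              doc="list of candidate Attribute " + \
+                              "Certificates that could be used " + \
+                              "to try to get a mapped certificate " + \
+                              "from the target Attribute Authority")
 
 #_____________________________________________________________________________
@@ -351,34 +399,55 @@
         user's credential wallet held by the session manager.
 
-        getAttCert([sessID=i]|[proxyCert=p][key=arg, ...])
-
-        proxyCert:             proxy certificate - use as ID instead of
-                               session ID.  This can be omitted if the
-                               message is signed with a proxy certificate.
-                               In this case the proxy certificate is passed
-                               in the BinarySecurityToken of the WS-Security
-                               header
-        sessID:                session ID.  Input this as an alternative to
-                               proxyCert in the case of a browser client.
-        attAuthorityURI:       URI for Attribute Authority WS.
-        attAuthorityCert:      The Session Manager uses the Public key of the
-                               Attribute Authority to encrypt requests to it.
-        reqRole:               The required role for access to a data set.
-                               This can be left out in which case the
-                               Attribute Authority just returns whatever
-                               Attribute Certificate it has for the user
-        mapFromTrustedHosts:   Allow a mapped Attribute Certificate to be
-                               created from a user certificate from another
-                               trusted host.
-        rtnExtAttCertList:     Set this flag True so that if authorisation is
-                               denied, a list of potential attribute
-                               certificates for mapping may be returned.
-        extAttCertList:        A list of Attribute Certificates from other
-                               trusted hosts from which the target Attribute
-                               Authority can make a mapped certificate
-        extTrustedHostList:    A list of trusted hosts that can be used to
-                               get Attribute Certificates for making a mapped
-                               AC.
-        """
+        ac = getAttCert([sessID=i]|[proxyCert=p][key=arg, ...])
+
+        @raise AttributeRequestDenied: this is raised if the request is
+        denied because the user is not registered with the Attribute
+        Authority.  In this case, a list of candidate attribute certificates
+        may be returned which could be used to retry with a request for a
+        mapped AC.  These are assigned to the raised exception's
+        extAttCertList attribute
+
+        @type proxyCert: string
+        @keyword proxyCert: proxy certificate - use as ID instead of session
+        ID.  This can be omitted if the message is signed with a proxy
+        certificate.  In this case the proxy certificate is passed in the
+        BinarySecurityToken of the WS-Security header
+
+        @type sessID: string
+        @keyword sessID: session ID.  Input this as an alternative to
+        proxyCert in the case of a browser client.
+
+        @type attAuthorityURI: string
+        @keyword attAuthorityURI: URI for Attribute Authority WS.
+
+        @type attAuthorityCert: string
+        @keyword attAuthorityCert: The Session Manager uses the Public key of
+        the Attribute Authority to encrypt requests to it.
+
+        @type reqRole: string
+        @keyword reqRole: The required role for access to a data set.  This
+        can be left out in which case the Attribute Authority just returns
+        whatever Attribute Certificate it has for the user
+
+        @type mapFromTrustedHosts: bool
+        @keyword mapFromTrustedHosts: Allow a mapped Attribute Certificate to
+        be created from a user certificate from another trusted host.
+
+        @type rtnExtAttCertList: bool
+        @keyword rtnExtAttCertList: Set this flag True so that if the
+        attribute request is denied, a list of potential attribute
+        certificates for mapping may be returned.
+
+        @type extAttCertList: list
+        @keyword extAttCertList: A list of Attribute Certificates from other
+        trusted hosts from which the target Attribute Authority can make a
+        mapped certificate
+
+        @type extTrustedHostList: list
+        @keyword extTrustedHostList: A list of trusted hosts that can be used
+        to get Attribute Certificates for making a mapped AC.
+
+        @rtype: ndg.security.common.AttCert.AttCert
+        @return: if successful, an attribute certificate."""
 
         # Make request
@@ -393,7 +462,7 @@
                                                        extTrustedHostList)
         if not attCert:
-            raise AttributeRequestDenied, msg
-
-        return attCert, extAttCertList
+            raise AttributeRequestDenied, msg, extAttCertList
+
+        return AttCertParse(attCert)
 
 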
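Review bot: In the last hunk, `raise AttributeRequestDenied, msg, extAttCertList` (new line 464) uses the three-expression raise form, whose third expression is a traceback object; the candidate list therefore never reaches the new `extAttCertList` constructor argument, and when it is an actual list Python 2 fails with a TypeError instead of raising the denial. The line should be `raise AttributeRequestDenied(msg, extAttCertList=extAttCertList)`, which is what the new docstring and the commit message describe. In the AttributeRequestDenied hunk, `__str__` returns `self.__msg` as is, so with the default `msg=None` both `str(e)` and `"%s" % e` raise TypeError; `return str(self.__msg)` or `return self.__msg or ''` keeps the exception printable. The getAttCert body starts outside the hunks shown.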
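--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py
@@ -39,4 +39,5 @@
 from sha import sha
 from M2Crypto import X509, BIO, RSA
+from ndg.security.common.X509 import X509CertRead, X509Stack
 import base64
 
@@ -548,14 +549,8 @@
         InvalidSignature exception if the signature is invalid
 
-        @param xmlTxt: string buffer containing the text from the XML file to
-        be checked.  If omitted, the filePath argument is used instead.
-
-        @param filePath: file path to XML file to be checked.  This
-        argument is used if no xmlTxt was provided.  If filePath itself is
-        omitted the file set by self.__filePath is read instead.
-
-        @param certFilePathList: Certificate used to sign the document."""
-
-
+        @type xmlTxt: string
+        @keyword xmlTxt: text from the XML file to be checked.  If omitted, the
+        the existing parse document is used instead."""
+
         if xmlTxt:
             self.parse(xmlTxt)
@@ -774,4 +769,16 @@
         if not verify:
             raise InvalidSignature, "Invalid signature"
+
+        # Verify chain of trust if list cert list is present
+        if self.__certFilePathList:
+            # Make a stack object for CA certs
+            caX509Stack = X509Stack()
+            for cert in self.__certFilePathList:
+                caX509Stack.push(X509CertRead(cert))
+
+            # Make a stack object for certs to be verified
+            x509Stack = X509Stack()
+            x509Stack.push(x509Cert)
+            x509Stack.verifyCertChain(caX509Stack=caX509Stack)
 
 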
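Review bot: In the last hunk the result of `x509Stack.verifyCertChain(caX509Stack=caX509Stack)` (new line 782) is discarded, so the chain check only has an effect if verifyCertChain raises on failure; if it instead returns a status, the call should become `if not x509Stack.verifyCertChain(caX509Stack=caX509Stack): raise InvalidSignature, "X.509 certificate chain verification failed"`, and either way a comment stating which contract is relied on would help. Because the block runs only `if self.__certFilePathList:`, a caller that leaves the list unset gets a valid signature verdict for a certificate that was never linked to a trusted CA — the docstring, which the second hunk reduces to `xmlTxt`, should say that `certFilePathList` must be set for the signer certificate to be checked against a CA. The new docstring also carries a doubled `the the`. verifyEnvelopedSignature starts and ends outside these hunks.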
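--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py
@@ -226,8 +226,9 @@
             self.__prop['gridSecurityDir'] = os.environ['GRID_SECURITY_DIR']
 
-            self.__openSSLConf.filePath = \
+            if 'openSSLConfFileName' in self.__prop:
+                self.__openSSLConf.filePath = \
                             os.path.join(self.__prop['gridSecurityDir'],
                                          self.__prop['openSSLConfFileName'])
-            self.__openSSLConf.read()
+                self.__openSSLConf.read()
 
 
@@ -245,5 +246,12 @@
 
         # Update openssl conf file path
-        if 'gridSecurityDir' in prop or 'openSSLConfFileName' in prop:
+        #
+        # Check 'prop' to see if they've been in THIS update
+        # Check 'self.__prop' to ensure both are present in
+        # order to construct a file path
+        if 'gridSecurityDir' in prop or \
+           'openSSLConfFileName' in prop and \
+           'gridSecurityDir' in self.__prop and \
+           'openSSLConfFileName' in self.__prop:
             self.__openSSLConf.filePath = \
                             os.path.join(self.__prop['gridSecurityDir'],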
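Review bot: The condition in the second hunk (new lines 252-255) parses as `A or (B and C and D)` because `and` binds tighter than `or`, so an update that carries only `gridSecurityDir` still reaches `self.__prop['openSSLConfFileName']` on the following lines and raises KeyError when that key is absent — the case the commit message says it prevents. Parenthesise the first pair so the comment above it matches the code: `if ('gridSecurityDir' in prop or 'openSSLConfFileName' in prop) and \` / `   'gridSecurityDir' in self.__prop and \` / `   'openSSLConfFileName' in self.__prop:`. The enclosing method continues outside the hunk.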
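--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
@@ -1052,5 +1052,5 @@
 
         except CredWalletAttributeRequestDenied, e:
-            # Exception object containa a list of attribute certificates
+            # Exception object contains a list of attribute certificates
             # which could be used to re-try to get authorisation via a mapped
             # certificate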
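--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml
@@ -26,6 +26,6 @@
                 Delete this element and take setting from MYPROXY_SERVER environment
                 variable if required
+                -->
                 <hostname>localhost</hostname>
-                -->
                 <!--
                 Delete this element to take default setting 7512 or read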
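--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py
@@ -204,6 +204,8 @@
         '''test12IsValid: check signature of XML document'''
         self.test11Read()
-        self.attCert.certFilePathList=self.cfg['test12IsValid']['certfile']
+        self.attCert.certFilePathList = \
+                    self.cfg['test12IsValid']['certfilepathlist'].split()
         self.attCert.isValid(raiseExcep=True)
+        print 'test12IsValid: passed'
 
 
@@ -215,5 +217,5 @@
 
         self.attCert.certFilePathList = \
-                            self.cfg['test13IsValidStressTest']['certfile']
+            self.cfg['test13IsValidStressTest']['certfilepathlist'].split()
         self.attCert.signingKeyFilePath = \
                             self.cfg['test13IsValidStressTest']['keyfile']
@@ -237,11 +239,8 @@
 
             # Write AC file names by index
-            self.attCert.filePath = "%03d.xml" % i
+            self.attCert.filePath = "stress-test-ac-%03d.xml" % i
 
             self.attCert.applyEnvelopedSignature()
             self.attCert.write()
-
-            self.attCert.certFilePathList = \
-                            self.cfg['test13IsValidStressTest']['certfile']
 
             try:
@@ -258,5 +257,6 @@
         self.attCert.read()
 
-        self.attCert.certFilePathList=self.cfg['test14IsValidSignature']['certfile']
+        self.attCert.certFilePathList = \
+                self.cfg['test14IsValidSignature']['certfilepathlist'].split()
         self.attCert.verifyEnvelopedSignature()
 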
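--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg
@@ -18,19 +18,21 @@
 filePath: ./ac.xml
 
-[test11Read]]]]
+[test11Read]
 filePath: ./ac.xml
 
 [test12IsValid]
-certFile: ./cert.pem
+certFilePathList: ./cacert.pem
 
 [test13IsValidStressTest]
-certFile: ./cert.pem
+# First cert is added to the signature, both certs are used in the
+# verification
+certFilepathlist: ./cert.pem ./cacert.pem
 keyFile: ./key.pem
 #keyPwd:
-nruns: 100
+nruns: 30
 
 [test14IsValidSignature]
-certFile: ./cert.pem
-filePath: ./badSignature.xml
+certFilePathList: ./cacert.pem
+filePath: ./ac.xml
 
 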
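Review bot: The option added at new line 29 is spelled `certFilepathlist` while the test12 and test14 sections use `certFilePathList`; ConfigParser lowercases option names by default, so the test's `['certfilepathlist']` lookup still works, but the mismatch breaks as soon as optionxform is overridden, and `certFilePathList: ./cert.pem ./cacert.pem` keeps the file consistent. In the test14IsValidSignature section the file path moves from `./badSignature.xml` to `./ac.xml`; if that test previously covered rejection of a tampered signature, this config no longer exercises that negative case and a separate section for it would preserve the coverage.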
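--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
@@ -220,10 +220,9 @@
         self.test2Connect()
 
-        attCert, extAttCertList = self.clnt.getAttCert(\
+        attCert = self.clnt.getAttCert(\
             sessID=self.sessID,
             attAuthorityURI=self.cfg['test6GetAttCertUsingSessID']['aauri'])
 
         print "Attribute Certificate:\n%s" % attCert
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -239,8 +238,7 @@
 
         try:
-            attCert, extAttCertList = self.clnt.getAttCert(\
-                                                    sessID=self.sessID,
-                                                    attAuthorityURI=aaURI,
-                                                    mapFromTrustedHosts=False)
+            attCert = self.clnt.getAttCert(sessID=self.sessID,
+                                           attAuthorityURI=aaURI,
+                                           mapFromTrustedHosts=False)
         except AttributeRequestDenied, e:
             print "SUCCESS - obtained expected result: %s" % e
@@ -259,9 +257,7 @@
         aaURI = self.cfg['test6bGetMappedAttCertUsingSessID']['aauri']
 
-        attCert, extAttCertList = self.clnt.getAttCert(sessID=self.sessID,
-                                                       attAuthorityURI=aaURI)
+        attCert=self.clnt.getAttCert(sessID=self.sessID,attAuthorityURI=aaURI)
 
         print "Attribute Certificate:\n%s" % attCert
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -277,11 +273,9 @@
             self.cfg['test6cGetAttCertWithExtAttCertListUsingSessID']['aauri']
 
-        attCert, extAttCertList = self.clnt.getAttCert(\
-                                        sessID=self.sessID,
-                                        attAuthorityURI=aaURI,
-                                        extAttCertList=['AC1', 'AC2', 'AC3'])
+        attCert = self.clnt.getAttCert(sessID=self.sessID,
+                                       attAuthorityURI=aaURI,
+                                       extAttCertList=['AC1', 'AC2', 'AC3'])
 
         print "Attribute Certificate:\n%s" % attCert
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -301,8 +295,7 @@
 
         aaURI = self.cfg['test7GetAttCertUsingProxyCert']['aauri']
-        attCert, extAttCertList = self.clnt.getAttCert(attAuthorityURI=aaURI)
+        attCert = self.clnt.getAttCert(attAuthorityURI=aaURI)
 
         print "Attribute Certificate:\n%s" % attCert
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 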
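Review bot: In the second hunk the `except AttributeRequestDenied, e:` branch only prints the message, although the purpose of this commit is to carry the candidate certificates on the exception; printing or checking the new attribute there, e.g. `print "Candidate ACs for mapping:\n%s" % e.extAttCertList`, would be the one place in this test file that exercises that path. The same `"%s" % e` relies on AttributeRequestDenied.__str__ returning a string, which in the new class is only the case when msg is not None. Each test method here extends beyond its hunk.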
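--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg
@@ -10,10 +10,11 @@
 # $Id:$
 [setUp]
-smuri = https://localhost:5700/SessionManager
+#smuri = https://localhost:5700/SessionManager
+smuri = https://glue.badc.rl.ac.uk:50000/SessionManager
 
 # For https connections only.  !Omit ssl* settings if using http!
 # sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the
 # same as peer hostname.
-sslpeercertcn = webSphereTest
+#sslpeercertcn = webSphereTest
 sslcacertfilepathlist = cacert.pem
 
@@ -52,5 +53,6 @@
 
 [test2Connect]
-username = raphaelTest
+username = lawrence
+#username = raphaelTest
 #username = gabriel
 #passphrase =
@@ -74,6 +76,4 @@
 
 [test7GetAttCertUsingProxyCert]
-aaURI = https://localhost:5000/AttributeAuthority
-
-
-
+#aaURI = https://localhost:5000/AttributeAuthority
+aaURI = http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority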
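Review bot: The new `aaURI` at line 79 switches the Attribute Authority endpoint from https to plain http while `smuri` at line 13 stays on https, so the attribute request and whatever it carries travel unencrypted unless message-level signing covers them; if the AA on that host is reachable over TLS, `aaURI = https://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority` keeps the two services consistent, otherwise a comment should record why http is acceptable for this test. Commenting out `sslpeercertcn` at line 18 means the peer certificate CN is matched against the hostname instead, which holds only if the certificate presented by glue is issued for that name. The test is now bound to a named account on a shared host rather than localhost, so it will fail for anyone running it without that account; the commented-out localhost values at least preserve the local path.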