Changeset 2746 for TI12-security/trunk

Timestamp:

26/07/07 16:43:00 (13 years ago)

Author:

pjkersha

Message:

ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml:

• don't comment out hostname instead include by default

ndg.security.server/ndg/security/server/SessionMgr/init.py:

• fixed comment typo

ndg.security.server/ndg/security/server/MyProxy.py:

• put extra checks in MyProxyClient?.init and MyProxyClient?.setProperties

to prevent setting of OpenSSL config file without the required file name and
directory path.

ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg,
ndg.security.test/ndg/security/test/AttCert/AttCertTest.py:

• fixed unit tests for AC signature verification. certFilePathList can now

be set to include CA certs. to verify the X.509 cert. used in the signature

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

• fix: extAttCertList is no longer returned in getAttCert calls to SM client.

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

• tests with services on glue

ndg.security.common/ndg/security/common/XMLSec.py:

• fixed verifyEnvelopedSignature so that it is now possible to verify the

X.509 cert. in the signature against it's issuing CA cert.

ndg.security.common/ndg/security/common/SessionMgr/init.py:

• modified getAttCert call so that extAttCertList is no longer passed back in

the returned tuple but is instead included as an attribute of the
AttributeRequestDenied? exception type.

• updated pydoc for getAttCert method

ndg.security.common/ndg/security/common/AttAuthority/init.py:

• typo fix - doesn't affect execution

ndg.security.common/ndg/security/common/CredWallet.py:

• updates to getAttCert call pydoc
• and getAttCert exception handling

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/CredWallet.py (modified) (4 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/__init__.py (modified) (4 diffs)
• ndg.security.common/ndg/security/common/XMLSec.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/MyProxy.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/SessionMgr/__init__.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml (modified) (1 diff)
• ndg.security.test/ndg/security/test/AttCert/AttCertTest.py (modified) (4 diffs)
• ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg (modified) (1 diff)
• ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py (modified) (5 diffs)
• ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg (modified) (3 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -330 +330 @@
             
         try:
-            sAttCert, msg = self.__srv.getAttCert(userId, userCert, userAttCert)  
+            sAttCert, msg = self.__srv.getAttCert(userId,userCert,userAttCert)  
         except httplib.BadStatusLine, e:
             raise AttAuthorityClientError, "HTTP bad status line: %s" % e

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

@@ -77 +77 @@
     
     def __init__(self, msg=None, extAttCertList=[], trustedHostInfo={}):
-        """Raise exception for authorisation denied with option to give
+        """Raise exception for attribute request denied with option to give
         caller hint to certificates that could used to try to obtain a
         mapped certificate
@@ -788 +788 @@
         The procedure is:
 
-        1) Try authorisation using proxy certificate
+        1) Try attribute request using proxy certificate
         2) If the Attribute Authority (AA) doesn't recognise the certificate,
         find out any other hosts which have a trust relationship to the AA.
@@ -830 +830 @@
 
         @type rtnExtAttCertList: bool / None
-        @keyword rtnExtAttCertList: If authorisation fails, make a list of 
+        @keyword rtnExtAttCertList: If request fails, make a list of 
         candidate certificates from other Attribute Authorities which the user
         could use to retry and get a mapped certificate.
@@ -1076 +1076 @@
                     raise CredWalletAttributeRequestDenied(msg=msg,
                                             extAttCertList=extAttCertList,
-                                            trustedHostInfo=trustedHostInfo)
-                
-            except Exception, authorisationError:
-                # Authorisation request raised an error other than access
-                # denied
-                raise authorisationError
-            
+                                            trustedHostInfo=trustedHostInfo)            
              
         

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -26 +26 @@
 from ndg.security.common.wsSecurity import SignatureHandler
 from ndg.security.common.X509 import *
-from ndg.security.common.AttCert import AttCertParse
+from ndg.security.common.AttCert import AttCert, AttCertParse
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
     HostCheck
@@ -39 +39 @@
 class AttributeRequestDenied(Exception):
     """Raise when a getAttCert call to the Attribute Authority is denied"""
+    
+    def __init__(self, msg=None, extAttCertList=[]):
+        """Raise exception for attribute request denied with option to give
+        caller hint to certificates that could used to try to obtain a
+        mapped certificate
+        
+        @type msg: string
+        @keyword msg: error message
+        
+        @type extAttCertList: list
+        @keyword extAttCertList: list of candidate Attribute Certificates that
+        could be used to try to get a mapped certificate from the target 
+        Attribute Authority"""
+
+        self.__msg = msg
+        
+        # Prevent None type setting
+        self.__extAttCertList = []
+        if extAttCertList is not None:
+            for ac in extAttCertList:
+                if isinstance(ac, basestring):
+                    ac = AttCertParse(ac)
+                elif not isinstance(ac, AttCert):
+                    raise SessionMgrClientError, \
+                        "Input external Attribute Cert. must be AttCert type"
+                         
+                self.__extAttCertList += [ac]
+        
+    def __str__(self):
+        return self.__msg
+
+    def __getMsg(self):
+        """Get message text"""
+        return self.__msg
+
+    msg = property(fget=__getMsg, doc="Error message text")
+        
+    def __getExtAttCertList(self):
+        """Return list of candidate Attribute Certificates that could be used
+        to try to get a mapped certificate from the target Attribute Authority
+        """
+        return self.__extAttCertList
+
+    extAttCertList = property(fget=__getExtAttCertList,
+                              doc="list of candidate Attribute " + \
+                              "Certificates that could be used " + \
+                              "to try to get a mapped certificate " + \
+                              "from the target Attribute Authority")
 
 #_____________________________________________________________________________       
@@ -351 +399 @@
         user's credential wallet held by the session manager.
         
-        getAttCert([sessID=i]|[proxyCert=p][key=arg, ...])
-                   
-        proxyCert:             proxy certificate - use as ID instead of 
-                               session ID.  This can be omitted if the 
-                               message is signed with a proxy certificate.
-                               In this case the proxy certificate is passed
-                               in the BinarySecurityToken of the WS-Security
-                               header
-        sessID:                session ID.  Input this as an alternative to 
-                               proxyCert in the case of a browser client.
-        attAuthorityURI:       URI for Attribute Authority WS.
-        attAuthorityCert:      The Session Manager uses the Public key of the
-                               Attribute Authority to encrypt requests to it.
-        reqRole:               The required role for access to a data set.
-                               This can be left out in which case the 
-                               Attribute Authority just returns whatever
-                               Attribute Certificate it has for the user
-        mapFromTrustedHosts:   Allow a mapped Attribute Certificate to be
-                               created from a user certificate from another
-                               trusted host.
-        rtnExtAttCertList:     Set this flag True so that if authorisation is 
-                               denied, a list of potential attribute 
-                               certificates for mapping may be returned. 
-        extAttCertList:        A list of Attribute Certificates from other
-                               trusted hosts from which the target Attribute
-                               Authority can make a mapped certificate
-        extTrustedHostList:    A list of trusted hosts that can be used to
-                               get Attribute Certificates for making a mapped
-                               AC.
-        """
+        ac = getAttCert([sessID=i]|[proxyCert=p][key=arg, ...])
+         
+        @raise AttributeRequestDenied: this is raised if the request is 
+        denied because the user is not registered with the Attribute 
+        Authority.  In this case, a list of candidate attribute certificates
+        may be returned which could be used to retry with a request for a
+        mapped AC.  These are assigned to the raised exception's 
+        extAttCertList attribute
+             
+        @type proxyCert: string
+        @keyword proxyCert: proxy certificate - use as ID instead of session 
+        ID.  This can be omitted if the message is signed with a proxy 
+        certificate.  In this case the proxy certificate is passed in the 
+        BinarySecurityToken of the WS-Security header
+        
+        @type sessID: string
+        @keyword sessID: session ID.  Input this as an alternative to 
+        proxyCert in the case of a browser client.
+        
+        @type attAuthorityURI: string
+        @keyword attAuthorityURI: URI for Attribute Authority WS.
+        
+        @type attAuthorityCert: string
+        @keyword attAuthorityCert: The Session Manager uses the Public key of 
+        the Attribute Authority to encrypt requests to it.
+        
+        @type reqRole: string
+        @keyword reqRole: The required role for access to a data set.  This 
+        can be left out in which case the Attribute Authority just returns 
+        whatever Attribute Certificate it has for the user
+        
+        @type mapFromTrustedHosts: bool
+        @keyword mapFromTrustedHosts: Allow a mapped Attribute Certificate to 
+        be created from a user certificate from another trusted host.
+        
+        @type rtnExtAttCertList: bool
+        @keyword rtnExtAttCertList: Set this flag True so that if the 
+        attribute request is denied, a list of potential attribute 
+        certificates for mapping may be returned. 
+        
+        @type extAttCertList: list
+        @keyword extAttCertList: A list of Attribute Certificates from other
+        trusted hosts from which the target Attribute Authority can make a 
+        mapped certificate
+        
+        @type extTrustedHostList: list
+        @keyword extTrustedHostList: A list of trusted hosts that can be used 
+        to get Attribute Certificates for making a mapped AC.
+        
+        @rtype: ndg.security.common.AttCert.AttCert
+        @return: if successful, an attribute certificate."""
         
         # Make request
@@ -393 +462 @@
                                                        extTrustedHostList)
         if not attCert:
-            raise AttributeRequestDenied, msg
-        
-        return attCert, extAttCertList
+            raise AttributeRequestDenied, msg, extAttCertList
+        
+        return AttCertParse(attCert)
     
                                     

TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py

@@ -39 +39 @@
 from sha import sha
 from M2Crypto import X509, BIO, RSA
+from ndg.security.common.X509 import X509CertRead, X509Stack
 import base64
 
@@ -548 +549 @@
         InvalidSignature exception if the signature is invalid
 
-        @param xmlTxt: string buffer containing the text from the XML file to
-        be checked.  If omitted, the filePath argument is used instead.
-
-        @param filePath: file path to XML file to be checked.  This
-        argument is used if no xmlTxt was provided.  If filePath itself is 
-        omitted the file set by self.__filePath is read instead.
-
-        @param certFilePathList: Certificate used to sign the document."""
-
-        
+        @type xmlTxt: string
+        @keyword xmlTxt: text from the XML file to be checked.  If omitted, the
+        the existing parse document is used instead."""
+       
         if xmlTxt:
             self.parse(xmlTxt)
@@ -774 +769 @@
         if not verify:
             raise InvalidSignature, "Invalid signature"
+        
+        # Verify chain of trust if list cert list is present
+        if self.__certFilePathList:
+            # Make a stack object for CA certs 
+            caX509Stack = X509Stack()
+            for cert in self.__certFilePathList:
+                caX509Stack.push(X509CertRead(cert))
+             
+            # Make a stack object for certs to be verified   
+            x509Stack = X509Stack()
+            x509Stack.push(x509Cert)
+            x509Stack.verifyCertChain(caX509Stack=caX509Stack)
 
 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py

@@ -226 +226 @@
             self.__prop['gridSecurityDir'] = os.environ['GRID_SECURITY_DIR']            
 
-            self.__openSSLConf.filePath = \
+            if 'openSSLConfFileName' in self.__prop:
+                self.__openSSLConf.filePath = \
                             os.path.join(self.__prop['gridSecurityDir'],
                                          self.__prop['openSSLConfFileName'])
-            self.__openSSLConf.read()
+                self.__openSSLConf.read()
 
 
@@ -245 +246 @@
 
         # Update openssl conf file path
-        if 'gridSecurityDir' in prop or 'openSSLConfFileName' in prop:            
+        #
+        # Check 'prop' to see if they've been in THIS update
+        # Check 'self.__prop' to ensure both are present in
+        # order to construct a file path
+        if 'gridSecurityDir' in prop or \
+           'openSSLConfFileName' in prop and \
+           'gridSecurityDir' in self.__prop and \
+           'openSSLConfFileName' in self.__prop:            
             self.__openSSLConf.filePath = \
                             os.path.join(self.__prop['gridSecurityDir'],

TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py

@@ -1052 +1052 @@
             
         except CredWalletAttributeRequestDenied, e:
-            # Exception object containa a list of attribute certificates
+            # Exception object contains a list of attribute certificates
             # which could be used to re-try to get authorisation via a mapped
             # certificate

TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml

@@ -26 +26 @@
                 Delete this element and take setting from MYPROXY_SERVER environment 
                 variable if required
+                -->
                 <hostname>localhost</hostname>
-                -->
                 <!-- 
                 Delete this element to take default setting 7512 or read 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py

@@ -204 +204 @@
         '''test12IsValid: check signature of XML document'''            
         self.test11Read()
-        self.attCert.certFilePathList=self.cfg['test12IsValid']['certfile']
+        self.attCert.certFilePathList = \
+                    self.cfg['test12IsValid']['certfilepathlist'].split()
         self.attCert.isValid(raiseExcep=True)
+        print 'test12IsValid: passed'
         
 
@@ -215 +217 @@
         
         self.attCert.certFilePathList = \
-                            self.cfg['test13IsValidStressTest']['certfile']
+            self.cfg['test13IsValidStressTest']['certfilepathlist'].split()
         self.attCert.signingKeyFilePath = \
                             self.cfg['test13IsValidStressTest']['keyfile']
@@ -237 +239 @@
             
             # Write AC file names by index
-            self.attCert.filePath = "%03d.xml" % i
+            self.attCert.filePath = "stress-test-ac-%03d.xml" % i
             
             self.attCert.applyEnvelopedSignature()
             self.attCert.write()
-
-            self.attCert.certFilePathList = \
-                            self.cfg['test13IsValidStressTest']['certfile']
 
             try:
@@ -258 +257 @@
         self.attCert.read()
         
-        self.attCert.certFilePathList=self.cfg['test14IsValidSignature']['certfile']
+        self.attCert.certFilePathList = \
+                self.cfg['test14IsValidSignature']['certfilepathlist'].split()
         self.attCert.verifyEnvelopedSignature()
         

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg

@@ -18 +18 @@
 filePath: ./ac.xml
 
-[test11Read]]]]
+[test11Read]
 filePath: ./ac.xml
 
 [test12IsValid]
-certFile: ./cert.pem
+certFilePathList: ./cacert.pem
 
 [test13IsValidStressTest]
-certFile: ./cert.pem
+# First cert is added to the signature, both certs are used in the 
+# verification
+certFilepathlist: ./cert.pem ./cacert.pem
 keyFile: ./key.pem
 #keyPwd:
-nruns: 100
+nruns: 30
 
 [test14IsValidSignature]
-certFile: ./cert.pem
-filePath: ./badSignature.xml
+certFilePathList: ./cacert.pem
+filePath: ./ac.xml
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py

@@ -220 +220 @@
         self.test2Connect()
         
-        attCert, extAttCertList = self.clnt.getAttCert(\
+        attCert = self.clnt.getAttCert(\
             sessID=self.sessID, 
             attAuthorityURI=self.cfg['test6GetAttCertUsingSessID']['aauri'])
         
         print "Attribute Certificate:\n%s" % attCert  
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -239 +238 @@
         
         try:
-            attCert, extAttCertList = self.clnt.getAttCert(\
-                                                    sessID=self.sessID, 
-                                                    attAuthorityURI=aaURI,
-                                                    mapFromTrustedHosts=False)
+            attCert = self.clnt.getAttCert(sessID=self.sessID, 
+                                           attAuthorityURI=aaURI,
+                                           mapFromTrustedHosts=False)
         except AttributeRequestDenied, e:
             print "SUCCESS - obtained expected result: %s" % e
@@ -259 +257 @@
         aaURI = self.cfg['test6bGetMappedAttCertUsingSessID']['aauri']
         
-        attCert, extAttCertList = self.clnt.getAttCert(sessID=self.sessID, 
-                                                       attAuthorityURI=aaURI)
+        attCert=self.clnt.getAttCert(sessID=self.sessID,attAuthorityURI=aaURI)
         
         print "Attribute Certificate:\n%s" % attCert  
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -277 +273 @@
             self.cfg['test6cGetAttCertWithExtAttCertListUsingSessID']['aauri']
             
-        attCert, extAttCertList = self.clnt.getAttCert(\
-                                        sessID=self.sessID, 
-                                        attAuthorityURI=aaURI,
-                                        extAttCertList=['AC1', 'AC2', 'AC3'])
+        attCert = self.clnt.getAttCert(sessID=self.sessID, 
+                                       attAuthorityURI=aaURI,
+                                       extAttCertList=['AC1', 'AC2', 'AC3'])
           
         print "Attribute Certificate:\n%s" % attCert  
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 
@@ -301 +295 @@
         
         aaURI = self.cfg['test7GetAttCertUsingProxyCert']['aauri']
-        attCert, extAttCertList = self.clnt.getAttCert(attAuthorityURI=aaURI)
+        attCert = self.clnt.getAttCert(attAuthorityURI=aaURI)
           
         print "Attribute Certificate:\n%s" % attCert  
-        print "External Attribute Certificate List:\n%s" % extAttCertList
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg

@@ -10 +10 @@
 # $Id:$
 [setUp]
-smuri = https://localhost:5700/SessionManager
+#smuri = https://localhost:5700/SessionManager
+smuri = https://glue.badc.rl.ac.uk:50000/SessionManager
 
 # For https connections only.  !Omit ssl* settings if using http!
 # sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the 
 # same as peer hostname. 
-sslpeercertcn = webSphereTest
+#sslpeercertcn = webSphereTest
 sslcacertfilepathlist = cacert.pem
 
@@ -52 +53 @@
  
 [test2Connect]         
-username = raphaelTest
+username = lawrence
+#username = raphaelTest
 #username = gabriel
 #passphrase = 
@@ -74 +76 @@
 
 [test7GetAttCertUsingProxyCert]
-aaURI = https://localhost:5000/AttributeAuthority
-
-
-
+#aaURI = https://localhost:5000/AttributeAuthority
+aaURI = http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority