Timestamp:
09/08/07 16:29:39 (13 years ago)
Author:
pjkersha
Message:

ows_server/ndgDiscovery.config:

  • swapped saturn host for localhost
  • acIssuerName becomes acIssuer - the expected DN of cert used with AC signature

ows_server/ows_server/models/ndgSecurity.py: changes to Gatekeeper ...

  • fixed setting of tracefile config item
  • added acIssuer read which was missing
  • user application based certs for SM authentication rather than user proxy cert - is much more straightforward
  • Nb. TODO fix hard-wired setting of AA address. This is in place because the current AA address in the data is wrong.
  • put in place check of AC's issuer DN - should match acIssuer in config file

ows_server/ows_server/controllers/login.py:

makes query string for HTTP GET back to service provider

  • removed wss* keys from session security items - not needed

ows_server/ows_server/lib/security_util.py: new module to bring together all code for handling of args over LoginService interface together into one place.

provider

session object.

ows_server/ows_server/lib/base.py:

args from login's HTTP GET setting them in the session object.

before redirect

ows_server/ows_server/templates/login.kid:

consistency with other code.

File:
1 edited

  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py

    r2785 r2794  
     1import sys # tracefile config param may be set to e.g. sys.stderr 
     2 
    13from ows_common.exception_report import OwsError 
    24from pylons import request 
     
    3941        try: 
    4042            self.ndgCfg = request.environ['ndgConfig'] 
    41             self.tracefile = self.ndgCfg.get('NDG_SECURITY','tracefile',None) 
     43            self.tracefile = eval(self.ndgCfg.get('NDG_SECURITY', 
     44                                                  'tracefile', 
     45                                                  None)) 
    4246        except: 
    4347            raise OwsError('NDG Security not enabled') 
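Review bot: `eval()` of the tracefile config value turns the config file into executable Python, so anyone able to write ndgDiscovery.config can run arbitrary code inside the server process; the stated intent (allowing `sys.stderr`) is better served by a small lookup such as `{'sys.stderr': sys.stderr, 'sys.stdout': sys.stdout}.get(value)` or by opening a file path. Also, when the item is absent `get` returns the `None` default and `eval(None)` raises TypeError, which the bare `except:` then reports as the misleading 'NDG Security not enabled'; catch the specific config error instead and let other failures surface.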
     
    6670            m='acCACertFilePathList' 
    6771            self.acCACertFilePathList = self.ndgCfg.get('NDG_SECURITY',m).split() 
    68                  
     72           
     73            m='acIssuer' 
     74            self.acIssuer = self.ndgCfg.get('NDG_SECURITY',m) 
     75             
    6976        except AttributeError: 
    7077            raise OwsError, 'NDG Security Error: No %s'%m 
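Review bot: the new acIssuer read relies on the surrounding `except AttributeError` to report a missing option as 'No acIssuer'; if `ndgCfg.get` returns an empty string or `None` for an absent key rather than raising, `self.acIssuer` will be set to that value and the issuer-DN comparison later in this file fails with a confusing message. Validate the value here (non-empty, whitespace stripped) so a misconfigured issuer DN is rejected at start-up rather than at the first access request.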
     
    7279        # Create Session Manager client 
    7380        self.smClnt = SessionMgrClient(uri=self.securityTokens['h'], 
    74                         sslCACertFilePathList=self.sslCACertFilePathList, 
    75                         sslPeerCertCN=self.sslPeerCertCN, 
    76                         signingCertChain=securityTokens.get('wssCertChain'), 
    77                         signingCertFilePath=self.wssCertFilePath, 
    78                         signingPriKeyFilePath=self.wssPriKeyFilePath, 
    79                         signingPriKeyPwd=self.wssPriKeyPwd, 
    80                         caCertFilePathList=self.wssCACertFilePathList, 
    81                         tracefile=self.tracefile)        
    82  
    83         # Fix WS-Security BinarySecurityToken Value Type for the passing of a  
    84         # cert chain - required for use with proxy cert. 
    85         #if wssCertChain: 
    86         #    self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1' 
     81                            sslCACertFilePathList=self.sslCACertFilePathList, 
     82                            sslPeerCertCN=self.sslPeerCertCN, 
     83                            signingCertFilePath=self.wssCertFilePath, 
     84                            signingPriKeyFilePath=self.wssPriKeyFilePath, 
     85                            signingPriKeyPwd=self.wssPriKeyPwd, 
     86                            caCertFilePathList=self.wssCACertFilePathList, 
     87                            tracefile=self.tracefile)        
    8788 
    8889 
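Review bot: removing `signingCertChain=securityTokens.get('wssCertChain')` together with the commented-out X509PKIPathv1 block is consistent with signing with the application cert instead of a user proxy, but any `wssCertChain` still carried in the session is now silently ignored; the removal of the wss* session keys in login.py described in the message should land in this same changeset so the two sides stay in step. With the application key now doing all the signing, `self.wssPriKeyFilePath` and `self.wssPriKeyPwd` come from the config file, so its permissions need the same care as the key file itself. Style: trailing whitespace on the `tracefile=self.tracefile)` line.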
     
    140141            # Make request for attribute certificate 
    141142            # 
    142             # sessID is needed if proxy cert is unavailable as ID 
    143  
     143            # TODO: correct hard-wired setting of AA address.  This is in  
     144            # place until the final AA URI in the dataset is agreed. 
     145            # 
     146            # P J Kershaw 08/08/07 
     147            self.reqAAURI="http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority" 
    144148            attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI, 
    145                                      sessID=self.securityTokens.get('sessID'), 
     149                                     sessID=self.securityTokens['sessID'], 
    146150                                     reqRole=self.reqRole) 
    147151 
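Review bot: the hard-wired `self.reqAAURI` assignment overrides whatever `reqAAURI` was set to earlier and points the attribute certificate request at a plain-http endpoint, so the request travels unprotected and no deployment can change the Attribute Authority without editing code; keep this behind a config item and use it only as a fallback while the dataset URI is wrong, preferring https. The change from `securityTokens.get('sessID')` to `securityTokens['sessID']` raises KeyError when no session ID is present, which is only acceptable because the `except Exception` added below converts it into an OwsError; a check for a missing session ID with a clear message would be better than relying on that.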
     
    149153            # TODO: write exception to log 
    150154            return False, self.__class__.AccessDeniedMsg 
    151          
     155        except Exception, e: 
     156            raise OwsError, "Gatekeeper request for attribute certificate: "+\ 
     157                            str(e) 
     158                             
    152159        # Check attribute certificate is valid 
    153160        attCert.certFilePathList = self.acCACertFilePathList 
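Review bot: the new catch-all `except Exception, e:` puts `str(e)` into the OwsError message, and OwsError (from ows_common.exception_report) is what ends up in the OWS exception report returned to the client, so internal details such as AA URIs, file paths or SOAP fault text can leak to the requester. Log the full exception here, which the TODO just above already asks for, and raise a generic message, as the branch above does with `AccessDeniedMsg`.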
     
    155162             
    156163        # Check it's issuer is as expected 
    157         if attCert.issuerName != self.acIssuerName: 
    158             raise OwsError, "Attribute Certificate issuer must match " + \ 
    159                 "this data provider's Attribute Authority name id" 
     164        if attCert.issuer != self.acIssuer: 
     165            raise OwsError, \ 
     166                'Attribute Certificate issuer DN, "%s"' % attCert.issuer + \ 
     167                'must match this data provider\'s Attribute Authority ' + \ 
     168                'DN: "%s"' % self.acIssuer 
    160169                        
    161170        return True, self.__class__.AccessAllowedMsg 
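Review bot: the error message is missing a space between the two concatenated strings, so `'...DN, "%s"' % attCert.issuer + 'must match ...'` renders as `DN, "..."must match`; either add the space or use one format string with both values. More importantly, the DNs are compared by plain string equality, so any difference in attribute order, separators or spacing between the AC's issuer field and the acIssuer config value rejects a legitimate AC, and an over-tolerant configuration could equally let a different DN slip through; normalise both sides (strip whitespace, compare a canonical form) before comparing. The check is only meaningful once the AC's signature has been verified against `acCACertFilePathList`, so keep it after that validity check.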