Changeset 2796


Timestamp:
10/08/07 16:17:43 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/SessionMgr/init.py:

  • Got rid of CredWalletInvalidUserX509Cert pass through more explicit

exceptions direct from X509 module.

  • Added exceptions to enable better discrimination of errors for a client:

InvalidUserSession?, UserSessionExpired?, UserSessionX509CertNotBeforeTimeError,
and SessionNotFound?

ndg.security.common/ndg/security/common/SessionMgr/init.py:

  • new exception types as with above - added a an excepMap dict class var.

This maps SOAP faults to client exception types.

ndg.security.common/ndg/security/common/AttAuthority/init.py:

ndg.security.common/ndg/security/common/X509.py:

  • distinct exception types X509CertInvalidNotBeforeTime, X509CertExpired for

X509Cert.isValidTime

ndg.security.common/ndg/security/common/CredWallet.py:

can be obtained for the required role name

  • removed CredWalletInvalidUserX509Cert exception type - superseded by

X509.* new exception types.

Location:
TI12-security/trunk/python
Files:
5 edited

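--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
@@ -40,12 +40,27 @@
     """Exception handling for AttributeAuthorityClient class"""
 
-#_____________________________________________________________________________
 class AttributeRequestDenied(Exception):
     """Raise when a getAttCert call to the AA is denied"""
 
+class NoTrustedHosts(AttAuthorityClientError):
+    """Raise from getTrustedHosts if there are no trusted hosts defined in
+    the map configuration"""
+
+class NoMatchingRoleInTrustedHosts(AttAuthorityClientError):
+    """Raise from getTrustedHosts if there is no mapping to any of the 
+    trusted hosts for the given input role name"""
 
 #_____________________________________________________________________________
 class AttAuthorityClient(object):
-    """Client interface to Attribute Authority web service"""
+    """Client interface to Attribute Authority web service
+    
+    @type excepMap: dict
+    @cvar excepMap: map exception strings returned from SOAP fault to client
+    Exception class to call"""
+    
+    excepMap = {
+        'AttAuthorityNoTrustedHosts': NoTrustedHosts,
+        'AttAuthorityNoMatchingRoleInTrustedHosts': NoMatchingRoleInTrustedHosts
+        }
     
     #_________________________________________________________________________
@@ -254,4 +269,14 @@
             raise AttAuthorityClientError, "HTTP bad status line: %s" % e
 
+        except Exception, e:
+            # Try to detect exception type from SOAP fault message
+            errMsg = str(e)
+            for excep in self.excepMap:
+                if excep in errMsg:
+                    raise self.excepMap[excep]
+                
+            # Catch all    
+            raise e
+
         hostInfo = {}
         hostInfo[hostname] = {'aaURI': aaURI, 'loginURI': loginURI}
@@ -274,6 +299,17 @@
         try:
             trustedHosts = self.__srv.getTrustedHostInfo(role)
+
         except httplib.BadStatusLine, e:
             raise AttAuthorityClientError, "HTTP bad status line: %s" % e
+
+        except Exception, e:
+            # Try to detect exception type from SOAP fault message
+            errMsg = str(e)
+            for excep in self.excepMap:
+                if excep in errMsg:
+                    raise self.excepMap[excep]
+                
+            # Catch all    
+            raise e
 
         # Convert into dictionary form as used by AttAuthority class
@@ -333,4 +369,14 @@
         except httplib.BadStatusLine, e:
             raise AttAuthorityClientError, "HTTP bad status line: %s" % e
+
+        except Exception, e:
+            # Try to detect exception type from SOAP fault message
+            errmsg = str(e)
+            for excep in self.excepMap:
+                if excep in errMsg:
+                    raise self.excepMap[excep]
+                
+            # Catch all    
+            raise e
         
         if sAttCert: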
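Review bot: The third SOAP-fault handler (new lines 372–380, the one just before `if sAttCert:`) assigns `errmsg = str(e)` but tests `if excep in errMsg:`, so the first fault that reaches it raises NameError inside the except clause and the real fault text is lost; it should read `errMsg = str(e)` like the two handlers above it. In all three handlers `raise self.excepMap[excep]` throws the mapped class with no message and `raise e` discards the original traceback, whereas `raise self.excepMap[excep](errMsg)` followed by a bare `raise` for the catch-all keeps both for the caller. Matching class names as substrings of the fault string is also fragile should the server ever wrap or reword its faults, which deserves a warning comment on `excepMap`. The enclosing methods begin outside these hunks.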
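--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py
@@ -30,5 +30,6 @@
     # ndg.security.common
     from ndg.security.common.AttAuthority import AttAuthorityClient, \
-        AttAuthorityClientError, AttributeRequestDenied
+        AttAuthorityClientError, AttributeRequestDenied, \
+        NoMatchingRoleInTrustedHosts
     aaImportError = False
     
@@ -64,10 +65,4 @@
     """Exception handling for NDG CredentialWallet class."""
 
-#_____________________________________________________________________________
-class CredWalletInvalidUserX509Cert(CredWalletError):    
-    """Raise from CredWallet.isValid when user X.509 Certificate is invalid.  This is more likely
-    This is most likely to be triggered by the expiry of the user's proxy 
-    certificates which has a short life time."""
-
 
 #_____________________________________________________________________________
@@ -76,11 +71,8 @@
     Attribute Authority."""
     
-    def __init__(self, msg=None, extAttCertList=[], trustedHostInfo={}):
+    def __init__(self, *args, **kw):
         """Raise exception for attribute request denied with option to give
         caller hint to certificates that could used to try to obtain a
         mapped certificate
-        
-        @type msg: string
-        @keyword msg: error message
         
         @type extAttCertList: list
@@ -92,25 +84,18 @@
         @keyword trustedHostInfo: dictionary indexed by host name giving 
         details of Attribute Authority URI and roles for trusted hosts"""
-
-        self.__msg = msg
-        self.__trustedHostInfo = trustedHostInfo
-        
-        # Prevent None type setting
-        if extAttCertList is None:
-            extAttCertList = []
-            
-        self.__extAttCertList = extAttCertList
-
-        
-    def __str__(self):
-        return self.__msg
-
-
-    def __getMsg(self):
-        """Get message text"""
-        return self.__msg
-
-    msg = property(fget=__getMsg, doc="Error message text")
-
+        
+        if 'trustedHostInfo' in kw:
+            self.__trustedHostInfo = kw['trustedHostInfo']
+            del kw['trustedHostInfo']
+        else:
+            self.__trustedHostInfo = {}
+            
+        if 'extAttCertList' in kw:
+            self.__extAttCertList = kw['extAttCertList']
+            del kw['extAttCertList']
+        else:    
+            self.__extAttCertList = []
+            
+        Exception.__init__(self, *args, **kw)
 
     def __getTrustedHostInfo(self):
@@ -120,6 +105,5 @@
     trustedHostInfo = property(fget=__getTrustedHostInfo, 
                                doc="URI and roles details for trusted hosts")
-    
-    
+       
     def __getExtAttCertList(self):
         """Return list of candidate Attribute Certificates that could be used
@@ -127,5 +111,4 @@
         """
         return self.__extAttCertList
-
 
     extAttCertList = property(fget=__getExtAttCertList,
@@ -524,9 +507,5 @@
         @param **x509CertKeys: keywords applying to 
         ndg.security.common.X509.X509Cert.isValidTime method"""
-        try:
-            return self.__proxyCert.isValidTime(**x509CertKeys)
-
-        except Exception, e:
-            raise CredWalletInvalidUserX509Cert, "Credential Wallet: %s" % e
+        return self.__proxyCert.isValidTime(**x509CertKeys)
 
     
@@ -738,10 +717,10 @@
         if self.__aaClnt is not None:
             # Call Attribute Authority WS
-            try:
+#            try:
                 return self.__aaClnt.getTrustedHostInfo(role=userRole)                
-                            
-            except Exception, e:
-                raise CredWalletError, \
-                            "Requesting trusted host information: %s" % str(e)                
+#                           
+#            except Exception, e:
+#                raise CredWalletError, \
+#                            "Requesting trusted host information: %s" % str(e)                
 
         elif self.__aa is not None:
@@ -1004,4 +983,9 @@
                     trustedHostInfo = self.getAATrustedHostInfo(reqRole,
                                             aaPropFilePath=aaPropFilePath)
+                except NoMatchingRoleInTrustedHosts, e:
+                    raise CredWalletAttributeRequestDenied, \
+                        'Can\'t get a mapped Attribute Certificate for ' + \
+                        'the "%s" role' % reqRole
+                
                 except Exception, e:
                     raise CredWalletError, "Getting trusted hosts: %s" % e
@@ -1074,5 +1058,5 @@
                           "trusted hosts"
                           
-                    raise CredWalletAttributeRequestDenied(msg=msg,
+                    raise CredWalletAttributeRequestDenied(msg,
                                             extAttCertList=extAttCertList,
                                             trustedHostInfo=trustedHostInfo)            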
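Review bot: The rewritten CredWalletAttributeRequestDenied.__init__ (new lines 87–97) drops the old `if extAttCertList is None: extAttCertList = []` normalisation, so a caller passing `extAttCertList=None` — which the previous signature explicitly tolerated — now stores None and anything iterating the extAttCertList property fails with a TypeError; `self.__extAttCertList = kw.pop('extAttCertList', None) or []` and `self.__trustedHostInfo = kw.pop('trustedHostInfo', None) or {}` restore the guard and make the separate `del` calls unnecessary. The getAATrustedHostInfo change (new lines 719–724) leaves the try/except as commented-out code with the `return` still at the try-body indent, which is legal but misleading; either delete the dead lines or reinstate the handler with a narrower except. Both __init__ and getAATrustedHostInfo begin outside their hunks.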
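--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
@@ -37,14 +37,30 @@
 
 #_____________________________________________________________________________
-class AttributeRequestDenied(Exception):
+class SessionNotFound(SessionMgrClientError):
+    """Raise when a session ID input doesn't match with an active session on
+    the Session Manager"""
+
+#_____________________________________________________________________________
+class SessionCertTimeError(SessionMgrClientError):
+    """Session's X.509 Cert. not before time is BEFORE the system time - 
+    usually caused by server's clocks being out of sync.  Fix by all servers
+    running NTP"""
+
+#_____________________________________________________________________________
+class SessionExpired(SessionMgrClientError):
+    """Session's X.509 Cert. has expired"""
+
+#_____________________________________________________________________________
+class InvalidSession(SessionMgrClientError):
+    """Session is invalid"""
+  
+#_____________________________________________________________________________
+class AttributeRequestDenied(SessionMgrClientError):
     """Raise when a getAttCert call to the Attribute Authority is denied"""
     
-    def __init__(self, msg=None, extAttCertList=[]):
+    def __init__(self, *args, **kw):
         """Raise exception for attribute request denied with option to give
         caller hint to certificates that could used to try to obtain a
         mapped certificate
-        
-        @type msg: string
-        @keyword msg: error message
         
         @type extAttCertList: list
@@ -52,11 +68,9 @@
         could be used to try to get a mapped certificate from the target 
         Attribute Authority"""
-
-        self.__msg = msg
         
         # Prevent None type setting
         self.__extAttCertList = []
-        if extAttCertList is not None:
-            for ac in extAttCertList:
+        if 'extAttCertList' in kw and kw['extAttCertList'] is not None:
+            for ac in kw['extAttCertList']:
                 if isinstance(ac, basestring):
                     ac = AttCertParse(ac)
@@ -66,13 +80,9 @@
                          
                 self.__extAttCertList += [ac]
-        
-    def __str__(self):
-        return self.__msg
-
-    def __getMsg(self):
-        """Get message text"""
-        return self.__msg
-
-    msg = property(fget=__getMsg, doc="Error message text")
+                
+            del kw['extAttCertList']
+            
+        Exception.__init__(self, *args, **kw)
+
         
     def __getExtAttCertList(self):
@@ -90,5 +100,15 @@
 #_____________________________________________________________________________       
 class SessionMgrClient(object):
-    """Client interface to Session Manager Web Service"""
+    """Client interface to Session Manager Web Service
+    
+    @type excepMap: dict
+    @cvar excepMap: map exception strings returned from SOAP fault to client
+    Exception class to call"""
+
+    excepMap = {'SessionNotFound': SessionNotFound,
+                'UserSessionX509CertNotBeforeTimeError': SessionCertTimeError,
+                'UserSessionExpired': SessionExpired,
+                'InvalidUserSession': InvalidSession
+                }
     
     #_________________________________________________________________________
@@ -452,5 +472,6 @@
         
         # Make request
-        attCert, msg, extAttCertList = self.__srv.getAttCert(proxyCert,
+        try:
+            attCert, msg, extAttCertList = self.__srv.getAttCert(proxyCert,
                                                        sessID, 
                                                        attAuthorityURI,
@@ -461,6 +482,16 @@
                                                        extAttCertList,
                                                        extTrustedHostList)
+        except Exception, e:
+            # Try to detect exception type from SOAP fault message
+            errMsg = str(e)
+            for excep in self.excepMap:
+                if excep in errMsg:
+                    raise self.excepMap[excep]
+        
+            # Catch all in case none of the known types matched
+            raise e
+        
         if not attCert:
-            raise AttributeRequestDenied, msg, extAttCertList
+            raise AttributeRequestDenied(msg, extAttCertList=extAttCertList)
         
         return AttCertParse(attCert)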
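Review bot: In AttributeRequestDenied.__init__ the `del kw['extAttCertList']` at new line 83 sits inside the `if 'extAttCertList' in kw and kw['extAttCertList'] is not None:` block, so an explicit `extAttCertList=None` is never removed and is forwarded to `Exception.__init__(self, *args, **kw)`, which does not accept keyword arguments on Python 2.6 and later — the opposite of what the 'Prevent None type setting' comment intends. Pop it unconditionally before the loop: `extAttCertList = kw.pop('extAttCertList', None)`, then `if extAttCertList is not None:` / `for ac in extAttCertList:`, and drop the `del`. In the SessionMgrClient.getAttCert handler (new lines 484–492) `raise self.excepMap[excep]` discards the fault text and `raise e` discards the traceback; `raise self.excepMap[excep](errMsg)` and a bare `raise` preserve both. __init__ and getAttCert both start outside their hunks.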
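--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
@@ -27,5 +27,12 @@
     """Exception handling for NDG X.509 Certificate handling class."""
 
-
+class X509CertInvalidNotBeforeTime(X509CertError):
+    """Call from X509Cert.isValidTime if certificates not before time is
+    BEFORE the current system time"""
+    
+class X509CertExpired(X509CertError):
+    """Call from X509Cert.isValidTime if certificate has expired"""
+
+   
 class X509Cert(object):
     "NDG X509 Certificate Handling"
@@ -271,9 +278,11 @@
         if raiseExcep:
             if dtNow < self.__dtNotBefore:
-                raise X509CertError("Current time is before the " + \
-                                    "certificate's Not Before Time")
+                raise X509CertInvalidNotBeforeTime, \
+                    "Current time is before the certificate's Not Before Time"
             
             elif dtNow > self.__dtNotAfter:
-                raise X509CertError("Certificate has expired")
+                raise X509CertExpired, \
+                    "Certificate has expired: the time now is %s " % dtNow + \
+                    " and the certificate expiry is %s" % self.__dtNotAfter
         else:
             return dtNow > self.__dtNotBefore and dtNow < self.__dtNotAfter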
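Review bot: The docstring on X509CertInvalidNotBeforeTime (new lines 30–31) states the condition backwards: isValidTime raises it when `dtNow < self.__dtNotBefore`, i.e. when the current system time is before the certificate's Not Before time, so it should read `"""Raised from X509Cert.isValidTime if the current system time is BEFORE the certificate's Not Before time"""` (the new SessionCertTimeError and UserSessionX509CertNotBeforeTimeError docstrings elsewhere in this changeset carry the same inversion). The two branches also disagree at the boundaries: the raising branch accepts dtNow equal to either bound while the unchanged `return dtNow > self.__dtNotBefore and dtNow < self.__dtNotAfter` rejects it; the inclusive form `return self.__dtNotBefore <= dtNow <= self.__dtNotAfter` matches the raising branch and RFC 5280's inclusive validity period. The expiry message now embeds both timestamps, which is useful; the Not Before message would be easier to diagnose as clock skew if it carried `dtNow` and `self.__dtNotBefore` the same way. isValidTime begins outside this hunk.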
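--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
@@ -40,8 +40,8 @@
 # Credential Wallet
 from ndg.security.common.CredWallet import CredWallet, CredRepos, \
-    CredWalletError, CredWalletInvalidUserX509Cert, \
-    CredWalletAttributeRequestDenied
-
-from ndg.security.common.X509 import X509Cert, X509CertParse
+    CredWalletError, CredWalletAttributeRequestDenied
+
+from ndg.security.common.X509 import X509Cert, X509CertParse, \
+                                X509CertExpired, X509CertInvalidNotBeforeTime 
 
 # MyProxy server interface
@@ -63,5 +63,18 @@
 class UserSessionError(Exception):    
     """Exception handling for NDG User Session class."""
-    
+
+#_____________________________________________________________________________
+class InvalidUserSession(UserSessionError):    
+    """Problem with a session's validity"""
+
+#_____________________________________________________________________________
+class UserSessionExpired(UserSessionError):    
+    """Raise when session's X.509 cert. has expired"""
+
+#_____________________________________________________________________________
+class UserSessionX509CertNotBeforeTimeError(UserSessionError):    
+    """Raise when session's X.509 cert. not before time is before the current
+    system time"""
+   
 
 #_____________________________________________________________________________
@@ -284,4 +297,8 @@
     """Exception handling for NDG Session Manager class."""
 
+class SessionNotFound(SessionMgrError):
+    """Raise from SessionMgr.__connect2UserSession when session ID is not 
+    found in the Session dictionary"""
+    
 # Find the missing elements in targ referenced in ref
 getMissingElem = lambda targ, ref: [e for e in targ if e not in ref]
@@ -862,5 +879,5 @@
             except KeyError:
                 # User session not found with given ID
-                raise SessionMgrError, \
+                raise SessionNotFound, \
                         "No user session found matching input session ID"
                               
@@ -878,5 +895,5 @@
             except KeyError:
                 # User session not found with given proxy cert
-                raise SessionMgrError, \
+                raise SessionNotFound, \
                     "No user session found matching input proxy certificate"
                     
@@ -894,5 +911,5 @@
             except KeyError:
                 # User session not found with given proxy cert
-                raise SessionMgrError, \
+                raise SessionNotFound, \
                     "No user session found matching input proxy certificate"            
         else:
@@ -904,12 +921,17 @@
             return userSess
         
-        except CredWalletInvalidUserX509Cert, e:
+        except X509CertInvalidNotBeforeTime, e:
             # ! Delete user session since it's user certificate is invalid
             self.deleteUserSession(userSess=userSess)
-            raise SessionMgrError, "Invalid user session: " + str(e)            
-
+            raise UserSessionX509CertNotBeforeTimeError, \
+                                    "User session is invalid: %s" % e          
+    
+        except X509CertExpired, e:
+            # ! Delete user session since it's user certificate is invalid
+            self.deleteUserSession(userSess=userSess)
+            raise UserSessionExpired, "User session is invalid: %s" % e          
+        
         except Exception, e:
-            raise SessionMgrError, \
-                    "Matching session ID to existing user session: %s" % e
+            raise InvalidUserSession, "User session is invalid: %s" % e
                 
 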
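Review bot: The new X509CertInvalidNotBeforeTime handler (new lines 923–927) deletes the user session before raising, yet the condition it handles — the certificate's Not Before time still lying in the future — is a clock-skew symptom rather than evidence that the credential is bad (the SessionCertTimeError docstring added in the client module says as much), so a Session Manager whose clock lags the certificate issuer's will discard every freshly created session on first use with no way for the user to recover; either keep the session for this branch or apply a small tolerance before `self.deleteUserSession(userSess=userSess)`. The catch-all at new line 934 now reports any other failure to the client as InvalidUserSession with only the message, so genuine server-side bugs masquerade as bad sessions and the traceback is gone; if this module has a logger, record `sys.exc_info()` there before re-raising. The docstring on UserSessionX509CertNotBeforeTimeError (new lines 76–77) states the condition backwards and should say the current system time is before the certificate's Not Before time. The enclosing method starts outside this hunk.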