Changeset 2867

Timestamp:

31/08/07 17:27:51 (12 years ago)

Author:

pjkersha

Message:

ows_server/ows_server/models/ndgSecurity.py:

• added logging for access decisions
• updated hack for temporary AA address. This is in place until a permanent

address is allocated for the AA for CEDA and the Moles and CSML records
updated accordingly.

ows_server/ows_server/controllers/login.py:

• fix in setup to the way c.returnTo is set - now uses request.paramsr?. - Previously 'r' was ignored if submitted as hidden filed in a form.
• refactored code - simplified calls to SM connect and getAttCert in

getCredentials, added log debug messages to methods

ows_server/ows_server/controllers/logout.py:

• added log messages.
• check for 'ndgSec' is session object

ows_server/ows_server/templates/login.kid:

• set 'r' as hidden field instead of query argument in form action string.

This to try as fix to #862 but suspect this may not be the root of the
problem.

Location:

TI05-delivery/ows_framework/trunk/ows_server/ows_server

Files:

• controllers/login.py (modified) (8 diffs)
• controllers/logout.py (modified) (3 diffs)
• models/ndgSecurity.py (modified) (13 diffs)
• templates/login.kid (modified) (1 diff)

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py

@@ -7 +7 @@
 from ows_common.exception_report import OwsError
 from paste.request import parse_querystring
+import logging
+log = logging.getLogger(__name__)
 
 from ndg.security.common.AttAuthority import AttAuthorityClient
-from ndg.security.common.SessionMgr import SessionMgrClient, \
+from ndg.security.common.SessionMgr import SessionMgrClient, SessionExpired, \
     AttributeRequestDenied
 
@@ -17 +19 @@
     
     def __setup(self):
+        """Get 'r' return to URL argument from current URL query string"""
         #where are we going back to?
-        self.inputs=dict(parse_querystring(request.environ))
-        if 'r' in self.inputs:
-            c.returnTo=self.inputs['r']
-        elif 'HTTP_REFERER' in request.environ:
-            #Added by Dom, 06/07/07
-            #http redirect  based on parse_querystring wasn't working so added this condition
-            #NOTE:  Not been able to test whether this has broken discovery/browse due to missing templates.
-            c.returnTo=request.environ['HTTP_REFERER']
+#        self.inputs=dict(parse_querystring(request.environ))
+#        if 'r' in self.inputs:
+#            c.returnTo=self.inputs['r']
+#        elif 'HTTP_REFERER' in request.environ:
+#            #Added by Dom, 06/07/07
+#            #http redirect  based on parse_querystring wasn't working so added this condition
+#            #NOTE:  Not been able to test whether this has broken discovery/browse due to missing templates.
+#            c.returnTo=request.environ['HTTP_REFERER']
+        # Try request.params - above method skips 'r' when passed in a hidden
+        # field in a HTTP POST
+        if 'r' in request.params:
+            c.returnTo = request.params['r']
         else:
             c.returnTo=''
+            
 
     def __securitySetup(self):
@@ -76 +84 @@
         self.__setup()
         self.__securitySetup()
-        
-        if not hasattr(self, "smClnt"):
-            smURI = self.ndgCfg.get('NDG_SECURITY', 'sessionMgrURI')
-
-            # May be better as a 'g' global set-up at start-up?
-            #
-            # tracefile could be removed for production use
-            self.smClnt = SessionMgrClient(uri=smURI,
+
+        smURI = self.ndgCfg.get('NDG_SECURITY', 'sessionMgrURI')
+
+        # May be better as a 'g' global set-up at start-up?
+        #
+        # tracefile could be removed for production use
+        smClnt = SessionMgrClient(uri=smURI,
                             sslCACertFilePathList=self.sslCACertFilePathList,
                             sslPeerCertCN=self.sslPeerCertCN,
@@ -96 +103 @@
         
         # Connect to Session Manager
-        try:
-            proxyCert, proxyPriKey, userCert, sessID = \
-                        self.smClnt.connect(username, passphrase=passphrase)
+        log.debug("Calling Session Manager connect for user ")
+        try:
+            sessID = smClnt.connect(username, passphrase=passphrase)[-1]
         except Exception, e:
-            c.xml = "Error logging in: %s" % e
+            c.xml = \
+    "Error logging in.  Please check your username/pass-phrase and try again."
+            log.error("Session Manager connect returned: %s" % e)
             return render_response('login')
         
         # Cache user attributes in Session Manager
+        log.debug("Calling Session Manager getAttCert for user ")
         try:
             # Set the Attribute Authority address for the Session Manager to
@@ -109 +119 @@
             aaURI = self.ndgCfg.get('NDG_SECURITY', 'attAuthorityURI')
 
-            # Reset signature handler to authenticate client using user
-            # proxy cert returned from connect call
-            self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
-            self.smClnt.signatureHandler.signingPriKey = proxyPriKey               
-            wssCertChain = (userCert, proxyCert)    
-            self.smClnt.signatureHandler.signingCertChain = wssCertChain
-
             # Make request for attribute certificate
-            attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI)
-
+            attCert = smClnt.getAttCert(sessID=sessID, attAuthorityURI=aaURI)
+        except SessionExpired, e:
+            log.info("Session expired getting Attribute Certificate: %s" % e)
+            c.xml = "Session has expired, please re-login"
+            render_response('login')
+            
         except AttributeRequestDenied, e:
-            c.xml = "No roles available: %s" % e
+            log.error("Login: attribute Certificate request denied: %s" % e)
+            c.xml = "No authorisation roles are available for your " + \
+                    "account.  Please check with your site administrator."
             return render_response('login')
             
         except Exception, e:
-            c.xml = "Error getting roles: %s" % e
+            log.error("Login: attribute Certificate request: %s" % e)
+            c.xml = "An internal error occured.  Please report this to " + \
+                    "your site administrator."
             return render_response('login')
 
@@ -139 +150 @@
         self.__doRedirect()
             
+            
     def wayf(self):
         ''' NDG equivalent to Shibboleth WAYF '''
@@ -144 +156 @@
         self.__setup()
         self.__securitySetup()
-
-        # TODO: check with Bryan what this is for
-        # P J Kershaw 09/08/07
-        if 'roleNeeded' in self.inputs:
-            
-            # should ask the attribute authority what hosts to put up for login
-            # but meanwhile we'll fudge it
-            pass
-        
-        if not hasattr(self, "aaClnt"):
-            aaURI = self.ndgCfg.get('NDG_SECURITY', 'attAuthorityURI')
-
-            # May be better as a 'g' global set-up at start-up?
-            #
-            # tracefile could be removed for production use
-            self.aaClnt = AttAuthorityClient(uri=aaURI,
+        
+        aaURI = self.ndgCfg.get('NDG_SECURITY', 'attAuthorityURI')
+
+        # May be better as a 'g' global set-up at start-up?
+        #
+        # tracefile could be removed for production use
+        aaClnt = AttAuthorityClient(uri=aaURI,
                                 signingCertFilePath=self.wssCertFilePath,
                                 signingPriKeyFilePath=self.wssPriKeyFilePath,
@@ -167 +170 @@
 
         # Get list of login uris for trusted sites including THIS one
-        trustedHosts = self.aaClnt.getTrustedHostInfo()
-        thisHost = self.aaClnt.getHostInfo()
+        log.debug("Calling Attribute Authority getTrustedHostInfo and " + \
+                  "getHostInfo for wayf")
+        trustedHosts = aaClnt.getTrustedHostInfo()
+        thisHost = aaClnt.getHostInfo()
         
         try:

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py

@@ -1 +1 @@
 from ows_server.lib.base import *
 from ows_server.lib.security_util import SecuritySession
+import logging
+log = logging.getLogger(__name__)
 
 from paste.request import parse_querystring
@@ -61 +63 @@
         self.__setup()
 
+        if 'ndgSec' not in session:
+            # There's no handle to a security session
+            log.info("logout called but no 'ndgSec' key in session object")
+            return render_response('content')
+        
         # Look into the session and go kill the wallet
-        if not hasattr(self, "smClnt"):
-            smURI = self.ndgCfg.get('NDG_SECURITY', 'sessionMgrURI')
+        smURI = self.ndgCfg.get('NDG_SECURITY', 'sessionMgrURI')
 
-            # May be better as a 'g' global set-up at start-up?
-            #
-            # tracefile could be removed for production use
-            self.smClnt = SessionMgrClient(uri=smURI,
+        # May be better as a 'g' global set-up at start-up?
+        #
+        # tracefile could be removed for production use
+        smClnt = SessionMgrClient(uri=smURI,
                             sslCACertFilePathList=self.sslCACertFilePathList,
                             sslPeerCertCN=self.sslPeerCertCN,
@@ -78 +84 @@
             
         # Disconnect from Session Manager
+        log.info("Calling Session Manager disconnect for logout")
         try:
-            self.smClnt.disconnect(sessID=session['ndgSec']['sid'])
-        except Exception, e:
-            c.xml = "Error disconnecting: %s" % e
-        
-        # easy to kill our cookie
-        SecuritySession.delete()
-        if 'ndgCleared' in session: del session['ndgCleared']
-        
-        session.save()
-
-        # Decode the return to address
-        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-       
-        # and now go back to whence we had come
-        h.redirect_to(b64decReturnTo)
+            try:
+                smClnt.disconnect(sessID=session['ndgSec']['sid'])
+            except Exception, e:
+                log.error("Error with Session Manager logout: %s" % e)
+        finally:
+            # easy to kill our cookie
+            SecuritySession.delete()
+            if 'ndgCleared' in session: del session['ndgCleared']
+            
+            session.save()
+    
+            if c.returnTo:
+                # Decode the return to address
+                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
+               
+                # and now go back to whence we had come
+                h.redirect_to(b64decReturnTo)
+            else:
+                return render_response('content')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py

@@ -2 +2 @@
 
 from pylons import request
+import logging
+log = logging.getLogger(__name__)
 
 from ows_common.exception_report import OwsError
@@ -12 +14 @@
     return SecurityHandler(securityElement, securityTokens)()
 
-# This is an initial implementation and is untested.  See TODOs
-# for more info
-#
-# P J Kershaw 26/07/07
+
 class SecurityHandler(object):
     """Make access control decision based on CSML constraint and user security
@@ -21 +20 @@
     
     AccessAllowedMsg = "Access Allowed"
-    AccessDeniedMsg = "Access Denied"
+    InvalidAttributeCertificate = \
+            "The certificate containing your authorisation roles is invalid"
     NotLoggedInMsg = 'Not Logged in'
     SessionExpiredMsg = 'Session has expired.  Please re-login'
     InvalidSessionMsg = 'Session is invalid.  Please try re-login'
+    InvalidSecurityCondition = 'Invalid Security Condition'
 
     def __init__(self, securityElement, securityTokens):
@@ -70 +71 @@
             self.wssPriKeyPwd = self.ndgCfg.get('NDG_SECURITY',m)    
             m='wssCACertFilePathList'
-            self.wssCACertFilePathList =self.ndgCfg.get('NDG_SECURITY',m).split()
+            self.wssCACertFilePathList=self.ndgCfg.get('NDG_SECURITY',m).split()
             
             # Attribute Certificate verification of X.509 cert chain back to CA
@@ -106 +107 @@
         @keyword securityTokens: dict-like session object containing security 
         tokens.  Resets equivalent object attribute."""
+          
+        # tokens and element may be set from __init__ or as args to this 
+        # method.  If the latter copy them into self  
+        if securityTokens:
+            self.securityTokens = securityTokens
+                            
+        if securityElement:
+            self.securityElement=securityElement
      
         # Check self.securityTokens - if not set then the user mustn't be 
@@ -119 +128 @@
             # discovery page?
             # P J Kershaw 10/08/07
+            log.info("Exiting from Gatekeeper: user is not logged in")
             return False, self.__class__.NotLoggedInMsg
-
+            
+        xpathr='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}attrauthRole'
+        xpathaa='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}dgAttributeAuthority'
+        roleE,aaE=self.securityElement.find(xpathr),self.securityElement.find(xpathaa)
+        if None in (roleE,aaE):
+            log.info("Gatekeeper: Role and/or Attribute Authority URI " + \
+                     "not found in dataset element: %s" % securityElement)
+            return False, self.__class__.InvalidSecurityCondition
+        
+        self.reqRole=roleE.text
+        self.reqAAURI=aaE.text
+
+        # TODO: get rid of this horrible hack when permanent BADC Attribute
+        # Authority address is established.
+        # P J Kershaw 31/08/07
+        badcTestAAURI = \
+        "http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
+        try:
+            # Dumb test to see if URI is correct
+            import urllib
+            fp=urllib.urlopen(self.reqAAURI)
+            if "404 Not Found" in fp.read():
+                self.reqAAURI = badcTestAAURI
+        except:
+            self.reqAAURI = badcTestAAURI
+    
         # Create Session Manager client
         self.smClnt = SessionMgrClient(uri=self.securityTokens['h'],
@@ -130 +165 @@
                             caCertFilePathList=self.wssCACertFilePathList,
                             tracefile=self.tracefile)       
-                            
-        if securityElement:
-            self.securityElement=securityElement
-            
-        xpathr='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}attrauthRole'
-        xpathaa='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}dgAttributeAuthority'
-        roleE,aaE=self.securityElement.find(xpathr),self.securityElement.find(xpathaa)
-        if None in (roleE,aaE):
-            return True,'Invalid Security Condition'
-        self.reqRole=roleE.text
-        self.reqAAURI=aaE.text
-            
-        if securityTokens:
-            self.securityTokens = securityTokens
-        
-        if not self.securityTokens:
-            return False, self.__class__.NotLoggedInMsg
-        else:
-            return self.__checkAttCert()
+        
+        return self.__checkAttCert()
             
 
@@ -158 +176 @@
             
         try:
-
             # Make request for attribute certificate
             #
@@ -167 +184 @@
             self.reqAAURI="http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
             attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
-                                     sessID=self.securityTokens['sid'],
-                                     reqRole=self.reqRole)
-
+                                         sessID=self.securityTokens['sid'],
+                                         reqRole=self.reqRole)
         except AttributeRequestDenied, e:
-            # TODO: write exception to log
+            log.info("Gatekeeper - access denied: %s" % e)
             return False, str(e)
         
@@ -177 +193 @@
             # Clear the security details from the session object
             SecuritySession.delete()
+            log.info("Gatekeeper - access denied: %s" % e)
             return False, self.__class__.NotLoggedInMsg
 
@@ -182 +199 @@
             # Clear the security details from the session object
             SecuritySession.delete()
+            log.info("Gatekeeper - access denied: %s" % e)
             return False, self.__class__.SessionExpiredMsg
 
@@ -187 +205 @@
             # Clear the security details from the session object
             SecuritySession.delete()
+            log.info("Gatekeeper - access denied: %s" % e)
             return False, self.__class__.InvalidSessionMsg
             
         except InvalidSession, e:
             SecuritySession.delete()
+            log.info("Gatekeeper - access denied: %s" % e)
             return False, self.__class__.InvalidSessionMsg
 
@@ -203 +223 @@
         # Check it's issuer is as expected
         if attCert.issuer != self.acIssuer:
-            raise OwsError, \
-                'Attribute Certificate issuer DN, "%s"' % attCert.issuer + \
+            log.info('Gatekeeper - access denied: Attribute Certificate ' + \
+                'issuer DN, "%s"' % attCert.issuer + \
                 'must match this data provider\'s Attribute Authority ' + \
-                'DN: "%s"' % self.acIssuer
-                       
+                'DN: "%s"' % self.acIssuer)
+            return False, self.__class__.InvalidAttributeCertificate
+        
+        log.info('Gatekeeper: access granted for user "%s" to "%s" ' % \
+                 (attCert.userId, self.securityElement) + \
+                 'with attribute certificate:\n\n%s' % attCert)  
+                     
         return True, self.__class__.AccessAllowedMsg
         

TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/login.kid

@@ -18 +18 @@
     
     <span py:def="loginForm()" class="loginForm">
-                <form action="$g.getCredentials?r=${c.returnTo}" method="POST">    
+                <form action="$g.getCredentials" method="POST">
+                <input type="hidden" name="r" value="${c.returnTo}"/>
                 <table cellspacing="0" border="0" cellpadding="5">
                 <tbody>