Changeset 2878 for TI05-delivery


Timestamp:
05/09/07 10:21:59 (12 years ago)
Author:
pjkersha
Message:

ows_server/ndgDiscovery.config: switched password.txt from local settings

ows_server/ows_server/models/ndgSecurity.py:

  • replaced the hack that dealt with the case where the AA address in the data is not set or is invalid - now defaults to the config AA URI setting instead.
  • added urlCanBeOpened class method and URLCannotBeOpened exception type for the above

ows_server/ows_server/lib/base.py:

  • fix problems with absolute paths being exposed from behind the firewall. c.requestURL is now set based on config file server setting.
  • added c.b64EncRequestURL - moved from ndgPage.kid

ows_server/ows_server/templates/ndgPage.kid:

  • moved base 64 encoding of 'r' query arg URL to base.py - see above.
Location:
TI05-delivery/ows_framework/trunk/ows_server
Files:
5 edited

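--- a/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
@@ -108,5 +108,6 @@
 ndg.noc.soton.ac.uk: ndg.noc.soton.ac.uk
 www.npm.ac.uk: pgsql.npm.ac.uk
-passwordFile: /home/bnl/sandboxes/ndg/TI05-delivery/ows_framework/trunk/ows_server/passwords.txt
+#passwordFile: /home/bnl/sandboxes/ndg/TI05-delivery/ows_framework/trunk/ows_server/passwords.txt
+passwordFile: ./passwords.txt
 
 [NDG_SECURITY]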
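Review bot: The new `passwordFile: ./passwords.txt` is a relative path, so it resolves against the working directory of whichever process loads the config rather than the application directory; under a mod_proxy/WSGI deployment those can differ, which is inferred from the relative form and worth confirming against the loader. The commented-out line kept above it still records a developer home path (`/home/bnl/sandboxes/...`), which is exactly the local setting the commit message says was being switched out; delete the line rather than comment it out so the shipped config does not carry filesystem layout. If the file must stay configurable per host, a comment such as `# passwordFile is resolved relative to the server's working directory` would save the next deployer a surprise.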
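--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
@@ -65,5 +65,5 @@
         if 'ndgSec' not in session:
             # There's no handle to a security session
-            log.info("logout called but no 'ndgSec' key in session object")
+            log.error("logout called but no 'ndgSec' key in session object")
             return render_response('content')
 
@@ -74,5 +74,6 @@
         #
         # tracefile could be removed for production use
-        smClnt = SessionMgrClient(uri=smURI,
+        try:
+            smClnt = SessionMgrClient(uri=smURI,
                             sslCACertFilePathList=self.sslCACertFilePathList,
                             sslPeerCertCN=self.sslPeerCertCN,
@@ -82,25 +83,33 @@
                             caCertFilePathList=self.wssCACertFilePathList,
                             tracefile=self.tracefile)
-
+        except Exception, e:
+            log.error("logout - creating Session Manager client: %s" % e)
+
         # Disconnect from Session Manager
         log.info("Calling Session Manager disconnect for logout")
         try:
-            try:
-                smClnt.disconnect(sessID=session['ndgSec']['sid'])
-            except Exception, e:
-                log.error("Error with Session Manager logout: %s" % e)
-        finally:
+            smClnt.disconnect(sessID=session['ndgSec']['sid'])
+        except Exception, e:
+            log.error("Error with Session Manager logout: %s" % e)
+
+        try:
             # easy to kill our cookie
             SecuritySession.delete()
             if 'ndgCleared' in session: del session['ndgCleared']
+            session.save()
 
-            session.save()
-
-            if c.returnTo:
-                # Decode the return to address
-                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-
-                # and now go back to whence we had come
-                h.redirect_to(b64decReturnTo)
-            else:
-                return render_response('content')
+        except Exception, e:
+            log.error("logout - clearing security session: %s" % e)
+
+        try:
+            try:
+                if c.returnTo:
+                    # Decode the return to address
+                    b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
+
+                    # and now go back to whence we had come
+                    h.redirect_to(b64decReturnTo)
+            except Exception, e:
+                log.error("logout - decoding return URL: %s" % e)
+        finally:
+            return render_response('content')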
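Review bot: The `return render_response('content')` placed in the new `finally:` at the end of the hunk runs even after `h.redirect_to(b64decReturnTo)`, so if the Pylons redirect helper signals the redirect by raising an HTTP exception (which is how `redirect_to` works in Pylons of this vintage, so this looks likely), the redirect is first logged as "logout - decoding return URL" by the inner `except Exception, e:` and then overridden by the content page — the old layout only rendered content on the `else:` branch; return the content page on the non-redirect path instead of from `finally`. Earlier in the hunk, when `SessionMgrClient(...)` raises, `smClnt` is never bound, so the later `smClnt.disconnect(...)` fails with a NameError that is logged as a Session Manager logout error; initialise `smClnt = None` before the first `try:` and guard with `if smClnt is not None:`. The decoded `r` value is still redirected to without any check that it points back at this server, so restricting the target to the configured server URL would close the open-redirect path this form parameter leaves. The enclosing action method starts before the hunk.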
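--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
@@ -1,2 +1,4 @@
+import urllib
+from base64 import urlsafe_b64encode
 from pylons import Response, c, g, cache, request, session
 from pylons.controllers import WSGIController
@@ -34,5 +36,18 @@
         # is under environ['pylons.routes_dict'] should you want to check
         # the action or route vars here
-        c.requestURL=construct_url(environ)
+
+        # construct URL picking up setting of server name from config to
+        # avoid exposing absolute URL hidden behind mod_proxy see #857
+        baseURL = request.environ['ndgConfig'].get('DEFAULT', 'server')
+        c.requestURL = baseURL + urllib.quote(environ.get('PATH_INFO', ''))
+
+        query = '&'.join(["%s=%s" % item for item in request.params.items()])
+        if query:
+            c.requestURL += '?' + query
+
+        # Base 64 encode to enable passing around in 'r' argument of query
+        # string for use with login/logout
+        c.b64encRequestURL = urlsafe_b64encode(c.requestURL)
+
         if 'h' in request.params:
             setSecuritySession()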
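Review bot: `query = '&'.join(["%s=%s" % item for item in request.params.items()])` rebuilds the query string from already-decoded values without re-encoding them, so any parameter containing `&`, `=`, `#` or a space produces a `c.requestURL` that parses differently from the request it is meant to reproduce; since `urllib` is now imported, `query = urllib.urlencode(request.params.items())` keeps the round trip intact, or `environ.get('QUERY_STRING', '')` can be reused verbatim. In Pylons `request.params` merges GET and POST parameters, so on a POST this also copies form-body fields into `c.requestURL` and, through `c.b64encRequestURL`, into the `r` hidden field of the login/logout forms — worth confirming that no sensitive form fields can reach that path, or limiting the rebuild to `request.GET`. `baseURL + PATH_INFO` also drops `SCRIPT_NAME`, which only matters if the application is mounted below the server root; presumably the configured `server` value already carries any prefix. The enclosing `__call__` starts before the hunk.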
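--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
@@ -1,3 +1,5 @@
 import sys # tracefile config param may be set to e.g. sys.stderr
+import urllib2
+import socket
 
 from pylons import request
@@ -10,8 +12,12 @@
     SessionCertTimeError, SessionExpired, InvalidSession, \
     AttributeRequestDenied
-
+
 def HandleSecurity(securityElement, securityTokens):
     return SecurityHandler(securityElement, securityTokens)()
 
+class URLCannotBeOpened(Exception):
+    """Raise from canURLBeOpened SecurityHandler class method
+    if URL is invalid - this method is used to check the AA
+    service"""
 
 class SecurityHandler(object):
@@ -134,25 +140,23 @@
         xpathaa='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}dgAttributeAuthority'
         roleE,aaE=self.securityElement.find(xpathr),self.securityElement.find(xpathaa)
-        if None in (roleE,aaE):
-            log.info("Gatekeeper: Role and/or Attribute Authority URI " + \
-                     "not found in dataset element: %s" % securityElement)
+        if roleE is None:
+            log.error("Gatekeeper: role not found in dataset element: %s" % \
+                      self.securityElement)
             return False, self.__class__.InvalidSecurityCondition
 
         self.reqRole=roleE.text
-        self.reqAAURI=aaE.text
-
-        # TODO: get rid of this horrible hack when permanent BADC Attribute
-        # Authority address is established.
-        # P J Kershaw 31/08/07
-        badcTestAAURI = \
-        "http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
+
+        # Check Attribute Authority address
         try:
-            # Dumb test to see if URI is correct
-            import urllib
-            fp=urllib.urlopen(self.reqAAURI)
-            if "404 Not Found" in fp.read():
-                self.reqAAURI = badcTestAAURI
-        except:
-            self.reqAAURI = badcTestAAURI
+            SecurityHandler.urlCanBeOpened(aaE.text)
+        except (URLCannotBeOpened, AttributeError):
+            # Catch situation where either Attribute Authority address in the
+            # data invalid or none was set.  In this situation verify
+            # against the Attribute Authority set in the config
+            log.info('Gatekeeper: Attribute Authority address is invalid ' + \
+                     'in data "%s" - defaulting to config file setting' % \
+                     self.securityElement)
+            self.reqAAURI=request.environ['ndgConfig'].get('NDG_SECURITY',
+                                                           'attAuthorityURI')
 
         # Create Session Manager client
@@ -177,10 +181,4 @@
         try:
             # Make request for attribute certificate
-            #
-            # TODO: correct hard-wired setting of AA address.  This is in
-            # place until the final AA URI in the dataset is agreed.
-            #
-            # P J Kershaw 08/08/07
-            self.reqAAURI="http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
             attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
                                              sessID=self.securityTokens['sid'],
@@ -234,3 +232,27 @@
 
         return True, self.__class__.AccessAllowedMsg
-
+
+    @classmethod
+    def urlCanBeOpened(cls, url, timeout=5, raiseExcep=True):
+       """Check url can be opened - adapted from
+       http://mail.python.org/pipermail/python-list/2004-October/289601.html
+       """
+
+       found = False
+       defTimeOut = socket.getdefaulttimeout()
+       try:
+           socket.setdefaulttimeout(timeout)
+
+           try:
+               urllib2.urlopen(url)
+           except (urllib2.HTTPError, urllib2.URLError,
+                   socket.error, socket.sslerror):
+               if raiseExcep:
+                   raise URLCannotBeOpened
+
+           found = True
+
+       finally:
+           socket.setdefaulttimeout(defTimeOut)
+
+       return found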
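Review bot: `urlCanBeOpened` returns True for an unreachable URL when called with `raiseExcep=False`, because `found = True` sits after the inner `try/except` and still executes once the exception has been swallowed; put it on the success path only, e.g. `try: urllib2.urlopen(url); found = True` or an `else:` clause on the inner `try`, and close the response `urlopen` returns. `socket.setdefaulttimeout(timeout)` is process-wide, so for the duration of the check every other thread in the server also sees the 5 s default — if the deployed Python supports it, passing `timeout=` to `urlopen` avoids touching global state. In the gatekeeper hunk the server now issues an outbound GET to whatever address the dataset's `dgAttributeAuthority` element names before falling back to the configured one, so dataset content steers server-side requests; comparing the element's value against the configured AA URI (or a short allow-list) instead of probing it would remove that exposure. Catching `AttributeError` to cover a missing `aaE` also masks any AttributeError raised inside `urlCanBeOpened`; testing `if aaE is None:` before the call is clearer. Both hunks sit inside methods of `SecurityHandler`, whose bodies extend beyond the hunks.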
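--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid
@@ -197,12 +197,6 @@
     <!-- Login and out buttons -->
     <span py:def="logOut()" class="logOut">
-            <?python
-            # Encode the return URL to avoid problems parsing URLs with multiple
-            # ?'s - for example one in the URL and one in the value for 'r'
-            from base64 import urlsafe_b64encode
-            b64encRequestURL = urlsafe_b64encode(c.requestURL)
-            ?>
         <form action="$g.logout">
-            <input type="hidden" name="r" value="${b64encRequestURL}"/>
+            <input type="hidden" name="r" value="${c.b64encRequestURL}"/>
             <input type="submit" value="Logout"/>
         </form>
@@ -210,12 +204,6 @@
 
     <span py:def="logIn()" class="logIn">
-            <?python
-            # Encode the return URL to avoid problems parsing URLs with multiple
-            # ?'s - for example one in the URL and one in the value for 'r'
-            from base64 import urlsafe_b64encode
-            b64encRequestURL = urlsafe_b64encode(c.requestURL)
-            ?>
         <form action="$g.wayfuri">
-            <input type="hidden" name="r" value="${b64encRequestURL}"/>
+            <input type="hidden" name="r" value="${c.b64encRequestURL}"/>
             <input type="submit" value="Login"/>
         </form>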