Changeset 3133 for TI12-security
- Timestamp:
- 11/12/07 17:41:51 (13 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 12 edited
TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py
r3040 r3133 81 81 class CredWalletAttributeRequestDenied(CredWalletError): 82 82 """Handling exception where CredWallet is denied authorisation by an 83 Attribute Authority.""" 83 Attribute Authority. 84 85 @type __extAttCertList: list 86 @ivar __extAttCertList: list of candidate Attribute Certificates that 87 could be used to try to get a mapped certificate from the target 88 Attribute Authority 89 90 @type __trustedHostInfo: dict 91 @ivar __trustedHostInfo: dictionary indexed by host name giving 92 details of Attribute Authority URI and roles for trusted hosts""" 84 93 85 94 def __init__(self, *args, **kw): … … 159 168 # of new Get/Set methods for hiding of attributes 160 169 class CredWallet(object): 161 """Volatile store of user credentials associated with a user session""" 170 """Volatile store of user credentials associated with a user session 171 172 @type __credRepos: ndg.security.common.CredRepos or derivative 173 @ivar __credRepos: reference to Credential Repository object. An optional 174 non-volatile cache for storage of wallet info when 175 176 @type __mapFromTrustedHosts: bool 177 @ivar __mapFromTrustedHosts: if true, allow a mapped attribute certificate 178 to obtained in a getAttCert call. Set false to prevent mappings. 179 180 @type __rtnExtAttCertList: bool 181 @ivar __rtnExtAttCertList: if true, return a list of external attribute 182 certificates from getAttCert call 183 184 @type __dn: ndg.security.common.X509.X500DN 185 @ivar __dn: distinguished name from user certificate 186 187 @type __credentials: dict 188 @ivar __credentials: Credentials are stored as a dictionary one element per attribute 189 certicate held and indexed by certificate issuer name 190 191 @type __caCertFilePathList: basestring, list, tuple or None 192 @ivar __caCertFilePathList: file path(s) to CA certificates. If None 193 then the input is quietly ignored. 
See caCertFilePathList property 194 195 @type __userCert: ndg.security.common.X509.X509Cert 196 @ivar __userCert: X.509 user certificate instance 197 198 @type __issuingCert: ndg.security.common.X509.X509Cert 199 @ivar __issuingCert: X.509 user certificate instance 200 201 @type __userPriKey: M2Crypto.RSA.RSA 202 @ivar __userPriKey: Private key used to sign outbound message 203 """ 162 204 163 205 __metaclass__ = _MetaCredWallet 164 206 165 207 def __init__(self, 166 proxyCert,167 proxyPriKey,168 208 userCert, 209 userPriKey, 210 issuingCert=None, 211 caCertFilePathList=None, 169 212 aaURI=None, 170 213 aaPropFilePath=None, 171 caCertFilePath=None,172 214 credRepos=None, 173 215 mapFromTrustedHosts=False, … … 176 218 """Create store of user credentials for their current session 177 219 178 @type proxyCert: string / M2Crypto.X509.X509 /220 @type userCert: string / M2Crypto.X509.X509 / 179 221 ndg.security.common.X509.X509Cert 180 @param proxyCert: X.509 proxycertificate for user181 182 @type proxyPriKey: string / M2Crypto.RSA.RSA183 @param proxyPriKey: private key for proxy184 185 @type userCert: string / ndg.security.common.X509.X509Cert186 @param userCert: X.509 cert for issuer of proxy222 @param userCert: X.509 certificate for user 223 224 @type userPriKey: string / M2Crypto.RSA.RSA 225 @param userPriKey: private key for user cert 226 227 @type issuingCert: string / ndg.security.common.X509.X509Cert 228 @param issuingCert: X.509 cert for issuer of user cert 187 229 188 230 @type aaURI: string … … 199 241 location rather to any self.__aa running locally. 200 242 201 @type caCertFilePath: string 202 @param caCertFilePath: Certificate Authority's certificate - used in 203 validation of signed Attribute Certificates. 
If not set here, it must 243 @type caCertFilePathList: string (for single file), list or tuple 244 @param caCertFilePathList: Certificate Authority's certificates - used 245 in validation of signed Attribute Certificates and WS-Security 246 signatures of incoming messages. If not set here, it must 204 247 be input in call to getAttCert. 205 248 … … 225 268 whether to replace an existing AC in the cache with a fresh one. If 226 269 the existing one has less than attCertRefreshElapse time in seconds 227 left before expiry then replace it.""" 270 left before expiry then replace it. 271 """ 228 272 229 273 log.debug("Calling CredWallet.__init__ ...") … … 231 275 self.attCertRefreshElapse = attCertRefreshElapse 232 276 233 self.__setProxyCert(proxyCert)234 self.__setProxyPriKey(proxyPriKey)235 277 self.__setUserCert(userCert) 278 self.__setUserPriKey(userPriKey) 279 self.__setIssuingCert(issuingCert) 236 280 237 281 self.__setAAuri(aaURI) 238 self.__setCAcertFilePath (caCertFilePath)282 self.__setCAcertFilePathList(caCertFilePathList) 239 283 240 284 self.__credRepos = credRepos or NullCredRepos() … … 245 289 246 290 247 # Get the distinguished name from the proxycertificate248 self.__dn = self.__ proxyCert.dn.serialise()291 # Get the distinguished name from the user certificate 292 self.__dn = self.__userCert.dn.serialise() 249 293 250 294 … … 338 382 339 383 #_________________________________________________________________________ 340 def __setProxyCert(self, proxyCert):341 "Set property method for X.509 proxy cert."342 self.__proxyCert = self.__setCert(proxyCert)343 344 345 def __getProxyCert(self):346 """Get proxy cert X509Cert instance"""347 return self.__proxyCert348 349 350 # Proxy Cert instance is read-only - to set it, set proxyCertTxt351 proxyCert = property(fget=__getProxyCert,352 fset=__setProxyCert,353 doc="X.509 proxy certificate instance")354 355 356 #_________________________________________________________________________357 384 def __setUserCert(self, 
userCert): 358 385 "Set property method for X.509 user cert." … … 364 391 return self.__userCert 365 392 366 367 # User Cert instance is read-only - to set it, set proxyCertTxt368 393 userCert = property(fget=__getUserCert, 369 fset=__setUserCert, 394 fset=__setUserCert, 395 doc="X.509 user certificate instance") 396 397 398 #_________________________________________________________________________ 399 def __setIssuingCert(self, issuingCert): 400 "Set property method for X.509 user cert." 401 self.__issuingCert = self.__setCert(issuingCert) 402 403 404 def __getIssuingCert(self): 405 """Get user cert X509Cert instance""" 406 return self.__issuingCert 407 408 issuingCert = property(fget=__getIssuingCert, 409 fset=__setIssuingCert, 370 410 doc="X.509 user certificate instance") 371 411 372 412 373 413 #_________________________________________________________________________ 374 def __set ProxyPriKey(self, proxyPriKey):414 def __setUserPriKey(self, userPriKey): 375 415 """Set method for client private key 376 416 377 Nb. if input is a string, proxyPriKeyPwd will need to be set if417 Nb. if input is a string, userPriKeyPwd will need to be set if 378 418 the key is password protected. 
379 419 380 @type proxyPriKey: M2Crypto.RSA.RSA / string381 @param proxyPriKey: private key used to sign message"""382 383 if isinstance( proxyPriKey, basestring):384 self.__ proxyPriKey = RSA.load_key_string(proxyPriKey,420 @type userPriKey: M2Crypto.RSA.RSA / string 421 @param userPriKey: private key used to sign message""" 422 423 if isinstance(userPriKey, basestring): 424 self.__userPriKey = RSA.load_key_string(userPriKey, 385 425 callback=lambda *ar, **kw: None) 386 387 elif isinstance(proxyPriKey, RSA.RSA): 388 self.__proxyPriKey = proxyPriKey 389 426 elif isinstance(userPriKey, RSA.RSA): 427 self.__userPriKey = userPriKey 390 428 else: 391 raise AttributeError, " Proxyprivate key must be a valid " + \429 raise AttributeError, "user private key must be a valid " + \ 392 430 "M2Crypto.RSA.RSA type or a string" 393 431 394 proxyPriKey = property(fset=__setProxyPriKey, 395 doc="Private key used to sign outbound message") 396 397 398 #_________________________________________________________________________ 399 # Credentials are read-only 432 userPriKey = property(fset=__setUserPriKey, 433 doc="Private key used to sign outbound message") 434 435 400 436 def __getCredentials(self): 437 """Get Property method. Credentials are read-only 438 439 @rtype: dict 440 @return: cached ACs indesed by issuing organisation name""" 401 441 return self.__credentials 402 442 … … 407 447 408 448 #_________________________________________________________________________ 409 def __setCAcertFilePath(self, caCertFilePath): 410 411 if not isinstance(caCertFilePath, basestring) and \ 412 caCertFilePath is not None: 449 def __getCAcertFilePathList(self): 450 """Get CA cert or certs used to validate AC signatures and signatures 451 of peer SOAP messages. 
452 453 @rtype caCertFilePathList: basestring, list or tuple 454 @return caCertFilePathList: file path(s) to CA certificates.""" 455 return self.__caCertFilePathList 456 457 #_________________________________________________________________________ 458 def __setCAcertFilePathList(self, caCertFilePathList): 459 """Set CA cert or certs to validate AC signatures, signatures 460 of Attribute Authority SOAP responses and SSL connections where 461 AA SOAP service is run over SSL. 462 463 @type caCertFilePathList: basestring, list, tuple or None 464 @param caCertFilePathList: file path(s) to CA certificates. If None 465 then the input is quietly ignored.""" 466 467 if isinstance(caCertFilePathList, basestring): 468 self.__caCertFilePathList = [caCertFilePathList] 469 470 elif isinstance(caCertFilePathList, list): 471 self.__caCertFilePathList = caCertFilePathList 472 473 elif isinstance(caCertFilePathList, tuple): 474 self.__caCertFilePathList = list(caCertFilePathList) 475 476 elif caCertFilePathList is not None: 413 477 raise CredWalletError, \ 414 "Input CA Certificate file path is not a valid string" 415 416 self.__caCertFilePath = caCertFilePath 417 418 419 caCertFilePath = property(fset=__setCAcertFilePath, 420 doc="CA Certificate - use to check AC XML Sig") 478 "Input CA Certificate file path is not a valid string" 479 480 caCertFilePathList = property(fget=__getCAcertFilePathList, 481 fset=__setCAcertFilePathList, 482 doc="CA Certificates - used for " + \ 483 "verification of AC and SOAP " + \ 484 "message signatures and SSL " + \ 485 "connections") 421 486 422 487 … … 433 498 log.debug('CredWallet.__createAAClnt for service: "%s"' % aaURI) 434 499 435 # Initialise WS-Security signature handling to pass 436 # BinarySecurityToken containing proxy cert and user cert that issued 437 # the proxy 438 439 reqBinSecTokValType=SignatureHandler.binSecTokValType["X509PKIPathv1"] 440 certChain = (self.__userCert, self.__proxyCert) 441 caCertFilePathList = 
(self.__caCertFilePath,) 500 if self.__issuingCert is not None: 501 # Initialise WS-Security signature handling to pass 502 # BinarySecurityToken containing user cert and cert for user cert 503 # issuer 504 reqBinSecTokValType=SignatureHandler.binSecTokValType["X509PKIPathv1"] 505 certChain = (self.__issuingCert, self.__userCert) 506 signingCert = None 507 else: 508 # Pass user cert only - no need to pass a cert chain. This type 509 # of token is more likely to be supported by the various 510 # WS-Security toolkits 511 reqBinSecTokValType=SignatureHandler.binSecTokValType["X509v3"] 512 certChain = None 513 signingCert = self.__userCert 442 514 443 515 aaClnt = AttAuthorityClient(uri=aaURI, 444 reqBinSecTokValType=reqBinSecTokValType, 445 signingCertChain=certChain, 446 signingPriKey=self.__proxyPriKey, 447 caCertFilePathList=caCertFilePathList, 448 sslCACertFilePathList=caCertFilePathList) 516 reqBinSecTokValType=reqBinSecTokValType, 517 signingCertChain=certChain, 518 signingCert=self.__userCert, 519 signingPriKey=self.__userPriKey, 520 caCertFilePathList=self.__caCertFilePathList, 521 sslCACertFilePathList=caCertFilePathList) 449 522 return aaClnt 450 523 … … 516 589 #_________________________________________________________________________ 517 590 def isValid(self, **x509CertKeys): 518 """Check wallet's proxycert. If expired return False591 """Check wallet's user cert. 
If expired return False 519 592 520 593 @type **x509CertKeys: dict 521 594 @param **x509CertKeys: keywords applying to 522 595 ndg.security.common.X509.X509Cert.isValidTime method""" 523 return self.__ proxyCert.isValidTime(**x509CertKeys)596 return self.__userCert.isValidTime(**x509CertKeys) 524 597 525 598 … … 699 772 # Update attribute Certificate instance with CA's certificate ready 700 773 # for signature check in addCredential() 701 if self.__caCertFilePath is None:774 if self.__caCertFilePathList is None: 702 775 raise CredWalletError, "No CA certificate has been set" 703 776 704 attCert.certFilePathList = self.__caCertFilePath 777 attCert.certFilePathList = self.__caCertFilePathList 705 778 706 779 … … 783 856 784 857 """For a given role, get an Attribute Certificate from an Attribute 785 Authority using a user's proxycertificate. If this fails try to make858 Authority using a user's X.509 certificate. If this fails try to make 786 859 a mapped Attribute Certificate by using a certificate from another 787 860 host which has a trust relationship to the Attribute Authority in … … 795 868 The procedure is: 796 869 797 1) Try attribute request using proxycertificate870 1) Try attribute request using user certificate 798 871 2) If the Attribute Authority (AA) doesn't recognise the certificate, 799 872 find out any other hosts which have a trust relationship to the AA. … … 818 891 819 892 @type mapFromTrustedHosts: bool / None 820 @param mapFromTrustedHosts: if request fails via the user's proxy893 @param mapFromTrustedHosts: if request fails via the user's cert 821 894 ID, then it is possible to get a mapped certificate by using 822 895 certificates from other AA's. Set this flag to True, to allow this … … 853 926 @param extAttCertList: Attribute Certificate or list of certificates 854 927 from other Attribute Authorities. 
These can be used to get a mapped 855 certificate if access fails based on the user's proxycertificate928 certificate if access fails based on the user's certificate 856 929 credentials. They are tried out in turn until access is granted so 857 930 the order of the list decides the order in which they will be tried -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py
r3001 r3133 71 71 tokens - attribute certificates. 72 72 73 @type __validKeys: list73 @type __validKeys: dict 74 74 @cvar __validKeys: valid configuration property keywords - properties file 75 75 must contain these … … 94 94 95 95 # valid configuration property keywords 96 __validKeys = ( 'name',97 'portNum' ,98 'useSSL' ,99 'sslCertFile' ,100 'sslKeyFile' ,101 'sslKeyPwd' ,102 'useSignatureHandler' ,103 'certFile' ,104 'keyFile' ,105 'keyPwd' ,106 'caCertFile ',107 'clntCertFile' ,108 'attCertLifetime' ,109 'attCertNotBeforeOff' ,110 'attCertFileName' ,111 'attCertFileLogCnt' ,112 'mapConfigFile' ,113 'attCertDir' ,114 'dnSeparator' ,115 'userRolesModFilePath' ,116 'userRolesModName' ,117 'userRolesClassName' ,118 'userRolesPropFile' )96 __validKeys = { 'name': '', 97 'portNum': -1, 98 'useSSL': False, 99 'sslCertFile': '', 100 'sslKeyFile': '', 101 'sslKeyPwd': '', 102 'useSignatureHandler': True, 103 'certFile': '', 104 'keyFile': '', 105 'keyPwd': '', 106 'caCertFileList': [], 107 'clntCertFile': '', 108 'attCertLifetime': -1, 109 'attCertNotBeforeOff': 0, 110 'attCertFileName': '', 111 'attCertFileLogCnt': 0, 112 'mapConfigFile': '', 113 'attCertDir': '', 114 'dnSeparator': '', 115 'userRolesModFilePath':'', 116 'userRolesModName': '', 117 'userRolesClassName': '', 118 'userRolesPropFile': ''} 119 119 120 120 def __init__(self, propFilePath=None, bReadMapConfig=True): … … 168 168 # Check CA certificate 169 169 log.debug("Reading and checking X.509 CA certificate ...") 170 caCert = X509Cert(self.__prop['caCertFile']) 171 caCert.read() 172 173 try: 174 caCert.isValidTime(raiseExcep=True) 175 176 except Exception, e: 177 raise AttAuthorityError, "CA certificate is invalid: " + str(e) 170 for caCertFile in self.__prop['caCertFileList']: 171 caCert = X509Cert(caCertFile) 172 caCert.read() 173 174 try: 175 caCert.isValidTime(raiseExcep=True) 176 177 except Exception, e: 178 raise AttAuthorityError,'CA certificate "%s" is invalid: %s'%\ 179 (caCert.dn, e) 178 180 
179 181 # Issuer details - serialise using the separator string set in the … … 426 428 attCert = AttCert() 427 429 428 attCert.certFilePathList = [self.__prop['certFile'] ,429 self.__prop['caCertFile ']]430 attCert.certFilePathList = [self.__prop['certFile']] + \ 431 self.__prop['caCertFileList'] 430 432 431 433 attCert.signingKeyFilePath = self.__prop['keyFile'] … … 531 533 try: 532 534 # Give path to CA cert to allow check 533 userAttCert.certFilePathList = self.__prop['caCertFile ']535 userAttCert.certFilePathList = self.__prop['caCertFileList'] 534 536 userAttCert.isValid(raiseExcep=True) 535 537 … … 630 632 try: 631 633 for elem in aaProp: 632 if elem.tag in self.__class__.__validKeys:634 if elem.tag in AttAuthority.__validKeys: 633 635 634 636 # Make sure to leave password element contents unchanged 635 if 'eyPwd' not in elem.tag and elem.text: 637 if isinstance(AttAuthority.__validKeys[elem.tag], list): 638 self.__prop[elem.tag] = \ 639 [os.path.expandvars(subElem.text.strip()) \ 640 for subElem in elem] 641 642 elif 'eyPwd' not in elem.tag and elem.text: 636 643 self.__prop[elem.tag] = \ 637 644 os.path.expandvars(elem.text.strip()) -
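Review bot: The CA certificate check at new lines 170-179 iterates `self.__prop['caCertFileList']`, whose default in `__validKeys` is `[]`, so an Attribute Authority configured with no CA certificate now passes the "Reading and checking X.509 CA certificate" step silently and later assigns an empty `certFilePathList` to incoming ACs; whether `isValid` then rejects or accepts them depends on AttCert, which is not shown. Add `if not self.__prop['caCertFileList']: raise AttAuthorityError, "No CA certificate file is set"` before the loop so the misconfiguration fails at startup. The list branch of the properties parser (new lines 637-640) calls `subElem.text.strip()`, which raises AttributeError on an empty `<caCertFile/>` element; guard it with `if subElem.text`. Both enclosing methods start outside the visible hunks.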
TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py
r3047 r3133 113 113 http://grid.ncsa.uiuc.edu/myproxy/protocol/ 114 114 115 @type __getCmd: string 115 116 @cvar __getCmd: get command string 117 118 @type __infoCmd: string 116 119 @cvar __infoCmd: info command string 120 121 @type __destroyCmd: string 117 122 @cvar __destroyCmd: destroy command string 123 124 @type __changePassphrase: string 118 125 @cvar __changePassphrase: command string to change cred pass-phrase 126 127 @type __storeCmd: string 119 128 @cvar __storeCmd: store command string 129 130 @type _hostCertSubDirPath: string 120 131 @cvar _hostCertSubDirPath: sub-directory path host certificate (as tuple) 132 133 @type _hostKeySubDirPath: string 121 134 @cvar _hostKeySubDirPath: sub-directory path to host key (as tuple) 122 @cvar _certReqDNparamName: names of parameters needed to generate a123 certificate request e.g. CN, OU etc.135 136 @type __validKeys: tuple 124 137 @cvar __validKeys: sets permissable element names for MyProxy XML config 125 138 file … … 347 360 raise SessionMgrError, \ 348 361 "Error parsing tag \"%s\" in properties file" % elem.tag 349 362 350 363 self.setProperties(**prop) 351 364 … … 523 536 pemCerts = [] 524 537 dat = inputDat 525 538 526 539 while dat: 527 540 # find start of cert, get length … … 844 857 Exceptions: GetError, RetrieveError 845 858 859 @type username: basestring 846 860 @param username: username of credential 861 862 @type passphrase: basestring 847 863 @param passphrase: pass-phrase for private key of credential held on 848 864 server 849 @return list containing the credentials as strings in PEM format: the 850 proxy certificate, it's private key and the signing certificate. 865 866 @rtype: tuple 867 @return credentials as strings in PEM format: the 868 user certificate, it's private key and the issuing certificate. The 869 issuing certificate is only set if the user certificate is a proxy 851 870 """ 852 871 -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
r3041 r3133 158 158 try: 159 159 # Proxy certificate's not after time determines the expiry 160 dtNotAfter = self.credWallet. proxyCert.notAfter160 dtNotAfter = self.credWallet.userCert.notAfter 161 161 162 162 return dtNotAfter.strftime(self.__sessCookieExpiryFmt) … … 289 289 290 290 encrSessMgrURI = self.encodeSessionMgrURI(sessMgrURI, encrKey) 291 dtExpiry = self.credWallet. proxyCert.notAfter291 dtExpiry = self.credWallet.userCert.notAfter 292 292 293 293 # Call class method … … 347 347 'sslCertFile': None, 348 348 'sslKeyFile': None, 349 'sslCACertDir': None, 349 350 'useSignatureHandler': None, 350 'caCertFile ': None,351 'caCertFileList': [], 351 352 'certFile': None, 352 353 'keyFile': None, … … 626 627 raise SessionMgrError, \ 627 628 "Parsing properties: root element is not defined" 628 629 630 629 631 630 missingElem = [] 632 631 invalidElem = [] … … 658 657 # field as password might contain leading or 659 658 # trailing white space 660 if elem.text is not None and elem.tag != 'keyPwd': 659 if isinstance(self.__validElem[elem.tag], list): 660 self.__prop[elem.tag] = [filtElemTxt(subElem) \ 661 for subElem in elem] 662 663 elif elem.text is not None and elem.tag != 'keyPwd': 661 664 if elem.text.isdigit(): 662 665 self.__prop[elem.tag] = int(elem.text) 663 666 else: 664 667 # Check for environment variables in file paths 665 self.__prop[elem.tag] = filtElemTxt(elem) 668 self.__prop[elem.tag] = filtElemTxt(elem) 666 669 else: 667 670 self.__prop[elem.tag] = elem.text … … 711 714 # Only update other keys if they are not None or "" 712 715 if value: 713 self.__prop[key] = value 716 if isinstance(value, basestring): 717 self.__prop[key] = os.path.expandvars(value).strip() 718 else: 719 self.__prop[key] = value 714 720 else: 715 721 raise SessionMgrError, \ 716 "Key \"%s\" is not a valid Session Manager property" % key717 718 722 "Key \"%s\" is not a valid Session Manager property" % key 723 724 719 725 
#_________________________________________________________________________ 720 726 def addUser(self, username, passphrase=None): … … 812 818 username=None, 813 819 passphrase=None, 814 proxyCert=None,820 userCert=None, 815 821 sessID=None): 816 822 """Create a new user session or connect to an existing one: 817 823 818 824 connect([createServerSess=True/False, ]|[, username=u, passphrase=p]| 819 [, proxyCert=px]|[, sessID=id])825 [, userCert=px]|[, sessID=id]) 820 826 821 827 @type createUserSess: bool … … 831 837 @param passphrase: pass-phrase - user with username arg 832 838 833 @type proxyCert: string834 @param proxyCert: connect to existing session with proxy certificate839 @type userCert: string 840 @param userCert: connect to existing session with proxy certificate 835 841 corresponding to user. username/pass-phrase not required 836 842 … … 840 846 841 847 @rtype: tuple 842 @return proxy certificate, proxy private key, user certificate and 843 session ID respectively. Proxy cert. will be None if 'proxyCert' was 844 set as an input. Session ID will be none if createUserSess keyword is 845 set to False 848 @return user certificate, private key, issuing certificate and 849 session ID respectively. 
Session ID will be none if createUserSess 850 keyword is set to False 846 851 """ 847 852 … … 849 854 850 855 # Initialise proxy cert to be returned 851 proxyCert = None856 userCert = None 852 857 853 858 if sessID is not None: … … 855 860 # return equivalent proxy cert 856 861 userSess = self.__connect2UserSession(sessID=sessID) 857 proxyCert = userSess.credWallet.proxyCertTxt858 859 elif proxyCert is not None:862 userCert = userSess.credWallet.userCert 863 864 elif userCert is not None: 860 865 # Connect to an existing session identified by a proxy 861 866 # certificate 862 userSess = self.__connect2UserSession( proxyCert=proxyCert)867 userSess = self.__connect2UserSession(userCert=userCert) 863 868 sessID = userSess.latestSessID 864 869 … … 868 873 # Get a proxy certificate to represent users ID for the new 869 874 # session 870 proxyCert, proxyPriKey, userCert = self.__myPx.logon(username, 871 passphrase) 875 userCreds = self.__myPx.logon(username, passphrase) 876 877 # unpack 878 userCert = userCreds[0] 879 userPriKey = userCreds[1] 880 881 # Issuing cert is needed only if userCert is a proxy 882 issuingCert = len(userCreds) > 2 and userCreds[2] or None 883 872 884 except Exception, e: 873 885 raise SessionMgrError, "Delegating from MyProxy: %s" % e … … 875 887 if createServerSess: 876 888 # Session Manager creates and manages user's session 877 userSess = self.__createUserSession( proxyCert,878 proxyPriKey,879 userCert)889 userSess = self.__createUserSession(userCert, 890 userPriKey, 891 issuingCert) 880 892 sessID = userSess.latestSessID 881 893 else: … … 883 895 884 896 # Return proxy details and cookie 885 return proxyCert, proxyPriKey, userCert, sessID897 return userCert, userPriKey, issuingCert, sessID 886 898 887 899 888 900 #_________________________________________________________________________ 889 def __createUserSession(self, * proxy):901 def __createUserSession(self, *creds): 890 902 """Create a new user session from input user credentials 891 
903 and return 892 904 893 @type proxy: tuple 894 @param proxy: tuple containing proxy certificate, private key 895 and issuing certificate.""" 905 @type creds: tuple 906 @param creds: tuple containing user certificate, private key 907 and optionally an issuing certificate. An issuing certificate is 908 present if user certificate is a proxy and therefore it's issuer is 909 other than the CA.""" 896 910 897 911 log.debug("Calling SessionMgr.__createUserSession ...") … … 899 913 # Check for an existing session for the same user 900 914 try: 901 userDN = str(X509CertParse( proxy[0]).dn)915 userDN = str(X509CertParse(creds[0]).dn) 902 916 903 917 except Exception, e: 904 918 raise SessionMgrError, \ 905 "Parsing input proxycertificate DN for session create: %s" % \919 "Parsing input certificate DN for session create: %s" % \ 906 920 str(e) 907 921 908 922 if userDN in self.__dnDict: 909 # Update existing session with proxycert and add a new923 # Update existing session with user cert and add a new 910 924 # session ID to access it - a single session can be accessed 911 925 # via multiple session IDs e.g. 
a user may wish to access the … … 915 929 userSess.addNewSessID() 916 930 else: 917 # Create a new user session using the new proxycertificate931 # Create a new user session using the new user certificate 918 932 # and session ID 919 933 # … … 921 935 # encryption for responses from Attribute Authority WS 922 936 try: 923 userSess =UserSession(caCertFilePath=self.__prop['caCertFile'],924 credRepos=self.__credRepos,925 *proxy)937 userSess = UserSession(credRepos=self.__credRepos, 938 caCertFilePathList=self.__prop['caCertFileList'], 939 *creds) 926 940 except Exception, e: 927 941 raise SessionMgrError, "Creating User Session: %s" % e … … 930 944 self.__dnDict[userDN] = userSess 931 945 932 946 933 947 newSessID = userSess.latestSessID 934 948 … … 950 964 proxy certificate 951 965 952 __connect2UserSession([ proxyCert]|[sessID])966 __connect2UserSession([userCert]|[sessID]) 953 967 954 968 @type userCert: string … … 974 988 975 989 log.info("Connecting to session user DN = %s using ID = %s" % \ 976 (userSess.credWallet. proxyCert.dn, sessID))990 (userSess.credWallet.userCert.dn, sessID)) 977 991 978 992 elif isinstance(userCert, basestring): … … 1038 1052 1039 1053 #_________________________________________________________________________ 1040 def deleteUserSession(self, sessID=None, proxyCert=None, userSess=None):1054 def deleteUserSession(self, sessID=None, userCert=None, userSess=None): 1041 1055 """Delete an existing session by providing a valid session ID or 1042 1056 proxy certificate - use for user logout 1043 1057 1044 deleteUserSession([ proxyCert]|[sessID]|[userSess])1045 1046 @type proxyCert: ndg.security.common.X509.X509Cert1047 @param proxyCert: proxy certificate corresponding to an existing1058 deleteUserSession([userCert]|[sessID]|[userSess]) 1059 1060 @type userCert: ndg.security.common.X509.X509Cert 1061 @param userCert: proxy certificate corresponding to an existing 1048 1062 session to connect to. 
1049 1063 … … 1068 1082 1069 1083 # Get associated user Distinguished Name 1070 userDN = str(userSess.credWallet. proxyCert.dn)1071 1072 elif proxyCert:1073 try: 1074 userDN = str( proxyCert.dn)1084 userDN = str(userSess.credWallet.userCert.dn) 1085 1086 elif userCert: 1087 try: 1088 userDN = str(userCert.dn) 1075 1089 1076 1090 except Exception, e: … … 1087 1101 1088 1102 if userSess: 1089 userDN = str(userSess.credWallet. proxyCert.dn)1103 userDN = str(userSess.credWallet.userCert.dn) 1090 1104 else: 1091 1105 # User session not found with given ID 1092 1106 raise SessionMgrError, \ 1093 '"sessID", " proxyCert" or "userSess" keywords must be set'1107 '"sessID", "userCert" or "userSess" keywords must be set' 1094 1108 1095 1109 # Delete associated sessions -
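Review bot: In `connect`, the `sessID` branch now returns `userSess.credWallet.userCert` where the old code returned `proxyCertTxt`; per the CredWallet property in this same changeset that is an X509Cert instance, so the first element of the return tuple is a PEM string from MyProxy in the username branch but an object in the sessID branch, and callers that serialise the result will need the text form there. `userPriKey` and `issuingCert` are assigned only in the username branch yet returned on all three paths, so unless they are initialised in the lines the hunk omits, the sessID and userCert branches raise UnboundLocalError; initialise them next to `userCert = None` at line 856. In `setProperties` the new `os.path.expandvars(value).strip()` is applied to every string value, including `keyPwd`, which the XML parser in this file deliberately leaves untouched because a password may contain leading or trailing white space; mirror that with `if isinstance(value, basestring) and key != 'keyPwd':`.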
TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml
r2942 r3133 11 11 --> 12 12 <useSSL></useSSL> <!-- leave blank to use http --> 13 <sslCertFile>$NDGSEC_DIR/conf/certs/ssl-cert.pem</sslCertFile> 13 <<sslCertFileList> 14 <sslCertFile>$NDGSEC_DIR/conf/certs/ssl-cert.pem</sslCertFile> 15 </sslCertFileList> 14 16 <sslKeyFile>$NDGSEC_DIR/conf/certs/ssl-key.pem</sslKeyFile> 15 17 <sslKeyPwd></sslKeyPwd> … … 21 23 <keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem</keyFile> 22 24 <keyPwd></keyPwd> 23 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile> 25 <caCertFileList> 26 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile> 27 </caCertFileList> 24 28 <!-- 25 29 Set the certificate used to verify the signature of messages from the -
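Review bot: The new opening tag on line 13 is written `<<sslCertFileList>`, which is not well-formed XML, so the whole properties file will fail to parse. Beyond that, `sslCertFileList` does not appear in the `__validKeys` dictionary added to AttAuthority in this same changeset (it still lists `sslCertFile` with a string default), so even with the tag repaired the element is either ignored or rejected by the parser, depending on the else branch not shown, and the SSL certificate path would no longer be read; the same wrapper is introduced in siteAAttAuthorityProperties.xml and siteBAttAuthorityProperties.xml. Either keep `<sslCertFile>` as a top-level element or add `'sslCertFileList': []` to `__validKeys` and teach the loader to use it.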
TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac
r3044 r3133 267 267 ctx.set_verify(SSL.verify_client_once, 1) 268 268 269 ctx.load_verify_locations(cafile=os.path.basename(srv.sm['caCertFile']), 270 capath=os.path.dirname(srv.sm['caCertFile'])) 269 ctx.load_verify_locations(capath=srv.sm['sslCACertDir'])) 271 270 272 271 class ContextFactory: -
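Review bot: The new `load_verify_locations` line has an unbalanced closing parenthesis, `ctx.load_verify_locations(capath=srv.sm['sslCACertDir']))`, so the .tac file will not compile; drop the extra `)`. The call also depends on the new `sslCACertDir` property, whose default in SessionMgr's `__validElem` is None, so a properties file that still only sets `caCertFileList` passes `capath=None` and client-certificate verification will fail or load no CA at all — check the property is set and raise a clear error before building the context rather than at the first TLS handshake. OpenSSL's `capath` expects a directory of hash-named certificate files (the c_rehash layout), which is worth stating in a comment above this line since the old code derived `cafile`/`capath` from a single file.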
TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml
r3052 r3133 8 8 --> 9 9 <useSSL>Yes</useSSL> 10 <!-- X.509 certificate for SSL connections - ->10 <!-- X.509 certificate for SSL connections - ignored if useSSL is blank--> 11 11 <sslCertFile>$NDGSEC_DIR/conf/certs/hostcert.pem</sslCertFile> 12 <!-- Private key file for SSL -->12 <!-- Private key file for SSL - ignored if useSSL is blank --> 13 13 <sslKeyFile>$NDGSEC_DIR/conf/certs/hostkey.pem</sslKeyFile> 14 <!-- 15 Directory containing CA cert.s to verify SSL peer cert against 16 - ignored if useSSL is blank --> 17 <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir> 14 18 <!-- 15 19 PKI settings for WS-Security signature of outbound SOAP messages … … 23 27 <keyPwd></keyPwd> 24 28 <!-- 25 X.509 certificates included in inbound messages must validate26 against this CA Certificate29 CA Certificates used to verify X.509 certs used in peer SOAP messages, 30 SSL connections and Attribute Certificates 27 31 --> 28 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile> 32 <caCertFileList> 33 <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile> 34 </caCertFileList> 29 35 <!-- 30 36 Set the certificate used to verify the signature of messages from the -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml
r2900 r3133 4 4 <portNum>5000</portNum> 5 5 <useSSL></useSSL> <!-- leave blank to use http --> 6 <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 6 <sslCertFileList> 7 <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 8 </sslCertFileList> 7 9 <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 8 10 <sslKeyPwd></sslKeyPwd> … … 11 13 <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 12 14 <keyPwd></keyPwd> 13 <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 15 <caCertFileList> 16 <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 17 </caCertFileList> 14 18 <!-- 15 19 Set the certificate used to verify the signature of messages from the -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml
r2900 r3133 5 5 <useSSL></useSSL> <!-- leave blank to use http --> 6 6 <sslCertFile></sslCertFile> 7 <sslKeyFile></sslKeyFile> 7 <sslCertFileList> 8 <sslKeyFile></sslKeyFile> 9 <sslCertFileList> 8 10 <sslKeyPwd></sslKeyPwd> 9 11 <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 10 12 <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 11 <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 13 <caCertFileList> 14 <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 15 </caCertFileList> 12 16 <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 13 17 <keyPwd></keyPwd> -
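Review bot: The new lines 7-9 open `<sslCertFileList>` twice and never close it, and the `<sslCertFile>` element itself has been dropped, so this test properties file is not well-formed and will not parse. If the intent matches siteAAttAuthorityProperties.xml, the block should be `<sslCertFileList>`, `<sslCertFile></sslCertFile>`, `</sslCertFileList>` followed by the existing `<sslKeyFile></sslKeyFile>`. As with the other two AA properties files in this changeset, `sslCertFileList` is not in the AttAuthority `__validKeys` dictionary, so the loader side needs a matching change too.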
TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg
r2893 r3133 31 31 32 32 [test2GetDelegation] 33 #username: raphaelTest34 username: Junk35 passphrase: JunkJunk33 username: raphaelTest 34 #username: Junk 35 #passphrase: JunkJunk 36 36 37 37 [test3Info] -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgr/test.py
r3044 r3133 28 28 This class manages server side sessions""" 29 29 30 test 2Passphrase = None30 test1Passphrase = None 31 31 test3Passphrase = None 32 32 … … 53 53 print "\n\t" + self.test1Connect.__doc__ 54 54 55 if SessionMgrTestCase.test2Passphrase is None: 56 SessionMgrTestCase.test2Passphrase = \ 55 if SessionMgrTestCase.test1Passphrase is None and \ 56 self.cfg.has_option('test1Connect', 'passphrase'): 57 SessionMgrTestCase.test1Passphrase = \ 57 58 self.cfg.get('test1Connect', 'passphrase') 58 59 59 if not SessionMgrTestCase.test 2Passphrase:60 SessionMgrTestCase.test 2Passphrase = getpass.getpass(\60 if not SessionMgrTestCase.test1Passphrase: 61 SessionMgrTestCase.test1Passphrase = getpass.getpass(\ 61 62 prompt="\ntest1Connect pass-phrase for user: ") 62 63 63 64 proxyCert, self.proxyPriKey, self.userCert, self.sessID = \ 64 65 self.sm.connect(username=self.cfg.get('test1Connect', 'username'), 65 passphrase=SessionMgrTestCase.test 2Passphrase)66 passphrase=SessionMgrTestCase.test1Passphrase) 66 67 self.proxyCert = X509CertParse(proxyCert) 67 68 -
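Review bot: The unpacking at line 64, `proxyCert, self.proxyPriKey, self.userCert, self.sessID = self.sm.connect(...)`, is left unchanged while `SessionMgr.connect` in this changeset now returns `(userCert, userPriKey, issuingCert, sessID)`; the test therefore stores the issuing certificate (None for a non-proxy credential) in `self.userCert` and parses the user certificate into `self.proxyCert`. Rename the targets to match the new contract, e.g. `userCert, self.userPriKey, self.issuingCert, self.sessID = \` and `self.userCert = X509CertParse(userCert)`, and update any later assertions that read `self.userCert`. The `test1Connect` method continues past the visible hunk.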
TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml
r3044 r3133 10 10 --> 11 11 <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 12 <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile> 12 <!-- 13 CA Certificates used to verify X.509 certs used in peer SOAP messages, 14 SSL connections and Attribute Certificates 15 --> 16 <caCertFileList> 17 <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile> 18 </caCertFileList> 13 19 <certFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</certFile> 14 20 <keyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</keyFile>