Changeset 3145 for TI12-security

Timestamp:

13/12/07 17:30:59 (13 years ago)

Author:

pjkersha

Message:

python/www/html/sessionMgr.wsdl,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py,
python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py,
python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py:

• remove refs to proxy certs - using MyProxy? as CA proxy certs aren't generated.
• make issuingCert nillable as it won't be set if calling MyProxy? in Simple CA mode

python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac: removes refs to proxy cert - replace with user cert

python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml: fix MyProxy? cert times - these are in seconds NOT hours

python/ndg.security.server/ndg/security/server/MyProxy.py: remove '\0's from get and info commands

python/ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py: fixed for tests with new MyProxy? config as SimpleCA

python/ndg.security.test/ndg/security/test/sessionMgrClient/server.sh: get rid of --pidfile arg to twistd - not needed.

python/ndg.security.test/ndg/security/test/sessionMgrClient/sm-clnt.crt,
python/ndg.security.test/ndg/security/test/sessionMgrClient/sm-clnt.key,

python/ndg.security.test/ndg/security/test/sessionMgr/sessionMgrProperties.xml,
python/ndg.security.test/ndg/security/test/sessionMgr/sessionMgrTest.cfg,
python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml,
python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrClientTest.cfg: altered for tests with multiple CAs

python/ndg.security.common/ndg/security/common/SessionMgr/init.py:

• removed addUser method - not needed
• switched refs to proxy cert -> user cert

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py (modified) (5 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/__init__.py (modified) (7 diffs)
• ndg.security.server/ndg/security/server/MyProxy.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/conf/sessionMgr.tac (modified) (12 diffs)
• ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml (modified) (1 diff)
• ndg.security.test/ndg/security/test/myProxy/myProxyClientTest.cfg (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionMgr/sessionMgrProperties.xml (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionMgr/sessionMgrTest.cfg (modified) (2 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py (modified) (11 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/server.sh (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrClientTest.cfg (modified) (4 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml (modified) (3 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/sm-clnt.crt (added)
• ndg.security.test/ndg/security/test/sessionMgrClient/sm-clnt.key (added)
• www/html/sessionMgr.wsdl (modified) (1 diff)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py

@@ -29 +29 @@
         # no ws-addressing
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x407737ec>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x407533cc>
     def getSessionStatus(self, userDN,sessID):
 
@@ -44 +44 @@
         return isAlive
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x40773c4c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x4075382c>
     def connect(self, username,passphrase,createServerSess):
 
@@ -57 +57 @@
         # no output wsaction
         response = self.binding.Receive(connectOutputMsg.typecode)
-        proxyCert = response._proxyCert
-        proxyPriKey = response._proxyPriKey
         userCert = response._userCert
+        userPriKey = response._userPriKey
+        issuingCert = response._issuingCert
         sessID = response._sessID
-        return proxyCert,proxyPriKey,userCert,sessID
+        return userCert,userPriKey,issuingCert,sessID
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x40778a8c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x4075a66c>
     def disconnect(self, userCert,sessID):
 
@@ -77 +77 @@
         return 
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x40778c2c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x4075a80c>
     def getAttCert(self, userCert,sessID,attAuthorityURI,attAuthorityCert,reqRole,mapFromTrustedHosts,rtnExtAttCertList,extAttCert,extTrustedHost):
 
@@ -101 +101 @@
         return attCert,msg,extAttCertOut
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x40778dac>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x4075a98c>
     def getX509Cert(self):
 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py

@@ -86 +86 @@
         def __init__(self, **kw):
             ns = ns0.connectResponse_Dec.schema
-            TClist = [ZSI.TC.String(pname="proxyCert", aname="_proxyCert", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="proxyPriKey", aname="_proxyPriKey", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
+            TClist = [ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="userPriKey", aname="_userPriKey", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="issuingCert", aname="_issuingCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
             kw["pname"] = ("urn:ndg:security:sessionMgr","connectResponse")
             kw["aname"] = "_connectResponse"
@@ -96 +96 @@
                 def __init__(self):
                     # pyclass
-                    self._proxyCert = None
-                    self._proxyPriKey = None
                     self._userCert = None
+                    self._userPriKey = None
+                    self._issuingCert = None
                     self._sessID = None
                     return

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -124 +124 @@
         @type uri: string
         @param uri: URI for Session Manager WS.  Setting it will set the 
-        Service Proxy
+        Service user
                 
         @type tracefile: file stream type
@@ -310 +310 @@
                 "Initialising Service for \"%s\": %s %s" % \
                 (self.__uri, e.status, e.reason)
-
-                                    
-    #_________________________________________________________________________
-    def addUser(self,
-                username,
-                passphrase=None,
-                passphraseFilePath=None,
-                clntPriKeyPwd=None):
-        """Register a new user
-        
-        username:                the username for the new user 
-        passphrase:                 user's pass-phrase
-        passphraseFilePath:         a file containing the user's pass-phrase.  
-                                 Use this as an alternative to passphrase keyword
-        clntPriKeyPwd:           pass-phrase if any for the client's private
-                                 key used to decrypt response from
-                                 Session Manager
-        """
-    
-        if passphrase is None:
-            try:
-                passphrase = open(passphraseFilePath).read().strip()
-            
-            except Exception, e:
-                raise SessionMgrClientError, "Pass-phrase not defined: " + \
-                                            str(e)
-            
-    
-        # Make request for new user
-        try:   
-            self.__srv.addUser(username, passphrase)
-
-        except Exception, e:
-            raise SessionMgrClientError, "Adding new user: " + str(e)
     
         
@@ -371 +337 @@
         
         @rtype: tuple
-        @return proxy cert, proxy private key, user cert and sessID all as
+        @return user cert, user private key, issuing cert and sessID all as
         strings but sessID will be None if the createServerSess keyword is 
         False"""
@@ -438 +404 @@
     #_________________________________________________________________________ 
     def getAttCert(self,
-                   proxyCert=None,
+                   userCert=None,
                    sessID=None,
                    attAuthorityURI=None,
@@ -451 +417 @@
         user's credential wallet held by the session manager.
         
-        ac = getAttCert([sessID=i]|[proxyCert=p][key=arg, ...])
+        ac = getAttCert([sessID=i]|[userCert=p][key=arg, ...])
          
         @raise AttributeRequestDenied: this is raised if the request is 
@@ -460 +426 @@
         extAttCertList attribute
              
-        @type proxyCert: string
-        @param proxyCert: proxy certificate - use as ID instead of session 
-        ID.  This can be omitted if the message is signed with a proxy 
-        certificate.  In this case the proxy certificate is passed in the 
+        @type userCert: string
+        @param userCert: user certificate - use as ID instead of session 
+        ID.  This can be omitted if the message is signed with a user 
+        certificate.  In this case the user certificate is passed in the 
         BinarySecurityToken of the WS-Security header
         
         @type sessID: string
         @param sessID: session ID.  Input this as an alternative to 
-        proxyCert in the case of a browser client.
+        userCert in the case of a browser client.
         
         @type attAuthorityURI: string
@@ -505 +471 @@
         # Make request
         try:
-            attCert, msg, extAttCertList = self.__srv.getAttCert(proxyCert,
+            attCert, msg, extAttCertList = self.__srv.getAttCert(userCert,
                                                        sessID, 
                                                        attAuthorityURI,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py

@@ -143 +143 @@
 USERNAME=%s
 PASSPHRASE=%s
-LIFETIME=%d\0"""
+LIFETIME=%d"""
  
     __infoCmd="""VERSION=MYPROXYv2
@@ -168 +168 @@
 USERNAME=%s
 PASSPHRASE=
-LIFETIME=%d\0"""
+LIFETIME=%d"""
 
     _hostCertSubDirPath = ('etc', 'hostcert.pem')
@@ -864 +864 @@
         server
         
+        @type lifetime: int
+        @param lifetime: lifetime for generated certificate
+        
         @rtype: tuple
         @return credentials as strings in PEM format: the

TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py

@@ -46 +46 @@
         <xsd:complexType>
                   <xsd:sequence>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"proxyCert\" type=\"xsd:string\"/>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"proxyPriKey\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"userCert\" type=\"xsd:string\"/>
+                    <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"userPriKey\" type=\"xsd:string\"/>
+                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"issuingCert\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"sessID\" type=\"xsd:string\"/>
                   </xsd:sequence>
@@ -280 +280 @@
         if hasattr(self,'impl'):
             # Should have a tuple of 4 args
-            result._proxyCert = parameters[0]
-            result._proxyPriKey = parameters[1]
-            result._userCert = parameters[2]
+            result._userCert = parameters[0]
+            result._userPriKey = parameters[1]
+            result._issuingCert = parameters[2]
             result._sessID = parameters[3]
         return self.request, result

TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac

@@ -40 +40 @@
 
 from ndg.security.server.SessionMgr.SessionMgr_services_server import \
-        SessionMgrService
+        SessionMgrService as _SessionMgrService
 from ndg.security.server.SessionMgr import SessionMgr
 from ndg.security.common.wsSecurity import SignatureHandler
@@ -50 +50 @@
 
 
-class SessionMgrServiceSub(SessionMgrService, WSResource):
+class SessionMgrService(_SessionMgrService, WSResource):
 
     # Add WS-Security handlers
@@ -87 +87 @@
                 pdb.set_trace()
                 
-        request, response = SessionMgrService.soap_connect(self, ps)
+        request, response = _SessionMgrService.soap_connect(self, ps)
         
         result = self.sm.connect(username=request.Username,
@@ -93 +93 @@
                                                                  createServerSess=request.CreateServerSess)
                                         
-        response.ProxyCert, response.ProxyPriKey, response.UserCert, \
+        response.UserCert, response.UserPriKey, response.issuingCert, \
                 response.SessID = result
                          
@@ -110 +110 @@
                 pdb.set_trace()
                             
-        request, response = SessionMgrService.soap_disconnect(self, ps)
+        request, response = _SessionMgrService.soap_disconnect(self, ps)
         
         # Derive designated user ID differently according to whether
@@ -123 +123 @@
             userCert = request.UserCert
 
-        self.sm.deleteUserSession(sessID=sessID, proxyCert=userCert)
+        self.sm.deleteUserSession(sessID=sessID, userCert=userCert)
         return request, response
 
@@ -140 +140 @@
                 pdb.set_trace()
                 
-        request, response = SessionMgrService.soap_getSessionStatus(self, ps)
+        request, response = _SessionMgrService.soap_getSessionStatus(self, ps)
         
         response.IsAlive = self.sm.getSessionStatus(userDN=request.UserDN,
@@ -160 +160 @@
                 pdb.set_trace()
                 
-        request, response = SessionMgrService.soap_getAttCert(self, ps)
+        request, response = _SessionMgrService.soap_getAttCert(self, ps)
 
         # Get certificate corresponding to private key that signed the
@@ -203 +203 @@
                 pdb.set_trace()
                 
-        request, response = SessionMgrService.soap_getX509Cert(self, ps)
+        request, response = _SessionMgrService.soap_getX509Cert(self, ps)
 
         x509Cert = X509CertRead(srv.sm['certFile'])
@@ -211 +211 @@
 
 # Create Service
-srv = SessionMgrServiceSub()
+srv = SessionMgrService()
 
 if srv.sm['useSignatureHandler']:
@@ -221 +221 @@
                             signingPriKeyFilePath=srv.sm['keyFile'],
                             signingPriKeyPwd=srv.sm['keyPwd'],
-                            caCertFilePathList=srv.aa.get('caCertFileList'))
+                            caCertFilePathList=srv.sm.get('caCertFileList'))
 
 # Add Service to Session Manager branch
@@ -250 +250 @@
         ctx.load_cert(srv.sm['sslCertFile'], 
                           srv.sm['sslKeyFile'],
-                          callback=lambda *args, **kw: srv.aa['sslKeyPwd'])
+                          callback=lambda *args, **kw: srv.sm['sslKeyPwd'])
                           
         ctx.set_allow_unknown_ca(False)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml

@@ -88 +88 @@
                         specified when a certificate is first created by store() method
                 -->
-                <proxyCertMaxLifetime>12</proxyCertMaxLifetime> <!-- in hours -->
+                <proxyCertMaxLifetime>43200</proxyCertMaxLifetime> <!-- in seconds -->
                 <!-- 
                         Life time of a proxy certificate when issued from the Proxy Server 
                         with ndg.security.server.MyProxy.getDelegation() method
                 -->
-                <proxyCertLifetime>8</proxyCertLifetime> <!-- in hours -->
+                <proxyCertLifetime>43200</proxyCertLifetime> <!-- in seconds -->
                 <!-- 
                 CA certificate applied to verify peer certificate against in

TI12-security/trunk/python/ndg.security.test/ndg/security/test/myProxy/myProxyClientTest.cfg

@@ -31 +31 @@
 
 [test2GetDelegation]
-username: raphaelTest
-#username: Junk
-#passphrase: JunkJunk
+username: Junk
+#username: raphaelTest
+passphrase: JunkJunk
 
 [test3Info]
 #username: sstljakTestUser
-username: Junk
 ownerCertFile: ./proxy-cert.pem
 ownerKeyFile: ./proxy-key.pem

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgr/sessionMgrProperties.xml

@@ -70 +70 @@
                         specified when a certificate is first created by store() method
                 -->
-                <proxyCertMaxLifetime>24</proxyCertMaxLifetime> <!-- in hours -->
+                <proxyCertMaxLifetime>43200</proxyCertMaxLifetime> <!-- in seconds -->
                 <!-- 
                         Life time of a proxy certificate when issued from the Proxy Server 
                         with getDelegation() method
                         -->
-                <proxyCertLifetime>8</proxyCertLifetime> <!-- in hours -->
+                <proxyCertLifetime>43200</proxyCertLifetime> <!-- in seconds -->
                 <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile>
         </myProxyProp>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgr/sessionMgrTest.cfg

@@ -14 +14 @@
 
 [test1Connect]         
-username = pjkersha
-#username = raphaelTest
+username = raphaelTest
 #username = gabriel
 #passphrase = testpassword
@@ -22 +21 @@
 
 [test3ConnectNoCreateServerSess]         
-username = pjkersha
-#username = gabriel
+username = gabriel
 #passphrase = testpassword
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py

@@ -32 +32 @@
     test3Passphrase = None
 
-    def _getCertChainFromProxyCertFile(self, proxyCertFilePath):
-        '''Read proxy cert and user cert from a single PEM file and put in
+    def _getCertChainFromProxyCertFile(self, certChainFilePath):
+        '''Read user cert and user cert from a single PEM file and put in
         a list ready for input into SignatureHandler'''               
-        proxyCertFileTxt = open(proxyCertFilePath).read()
+        certChainFileTxt = open(certChainFilePath).read()
         
         pemPatRE = re.compile(self.__class__.pemPat, re.S)
-        x509CertList = pemPatRE.findall(proxyCertFileTxt)
+        x509CertList = pemPatRE.findall(certChainFileTxt)
         
         signingCertChain = [X509CertParse(x509Cert) for x509Cert in \
                             x509CertList]
     
-        # Expecting proxy cert first - move this to the end.  This will
+        # Expecting user cert first - move this to the end.  This will
         # be the cert used to verify the message signature
         signingCertChain.reverse()
@@ -86 +86 @@
         reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype')
 
-        # Check certificate types proxy or standard
-        proxyCertFilePath = self.cfg['setUp'].get('proxycertfilepath')
-        if proxyCertFilePath:
+        # Check certificate types user or standard
+        userCertFilePath = self.cfg['setUp'].get('usercertfilepath')
+        if userCertFilePath:
             signingCertChain = \
-                        self._getCertChainFromProxyCertFile(proxyCertFilePath)
+                        self._getCertChainFromProxyCertFile(userCertFilePath)
         else:
             signingCertChain = None
@@ -111 +111 @@
         
         self.sessID = None
-        self.proxyCert = None
-        self.proxyPriKey = None
         self.userCert = None
-
-# TODO: is addUser part of session manager?
-#    def test1AddUser(self):
-#        """Add a new user ID to the MyProxy repository"""
-#        
-#        passphrase = self.cfg['test1AddUser'].get('passphrase') or \
-#            getpass.getpass(prompt="\ntest1AddUser pass-phrase for new user: ")
-#            
-#        # Note the pass-phrase is read from the file tmp.  To pass
-#        # explicitly as a string use the 'passphrase' keyword instead
-#        self.clnt.addUser(self.cfg['test1AddUser']['username'], 
-#                          passphrase=passphrase)
-#        print "Added user '%s'" % self.cfg['test1AddUser']['username']
+        self.userPriKey = None
+        self.issuingCert = None
         
 
@@ -139 +126 @@
         if not self.__class__.test2Passphrase:
             self.__class__.test2Passphrase = getpass.getpass(\
-                               prompt="\ntest2Connect pass-phrase for user: ")
-
-        self.proxyCert, self.proxyPriKey, self.userCert, self.sessID = \
+                               prompt="\ntest1Connect pass-phrase for user: ")
+
+        self.userCert, self.userPriKey, self.issuingCert, self.sessID = \
             self.clnt.connect(self.cfg['test1Connect']['username'], 
                               passphrase=self.__class__.test2Passphrase)
@@ -177 +164 @@
             prompt="\ntest3ConnectNoCreateServerSess pass-phrase for user: ")
 
-        self.proxyCert, self.proxyPriKey, self.userCert, sessID = \
+        self.userCert, self.userPriKey, self.issuingCert, sessID = \
             self.clnt.connect(\
                       self.cfg['test3ConnectNoCreateServerSess']['username'], 
@@ -188 +175 @@
         print "User '%s' connected to Session Manager:\n%s" % \
                     (self.cfg['test3ConnectNoCreateServerSess']['username'], 
-                     self.proxyCert)
-            
-
-    def test4DisconnectUsingSessID(self):
-        """test4DisconnectUsingSessID: disconnect as if acting as a browser client 
+                     self.userCert)
+            
+
+    def test4DisconnectWithSessID(self):
+        """test4DisconnectWithSessID: disconnect as if acting as a browser client 
         """
         
-        print "\n\t" + self.test4DisconnectUsingSessID.__doc__
+        print "\n\t" + self.test4DisconnectWithSessID.__doc__
         self.test1Connect()
         
@@ -203 +190 @@
             
 
-    def test5DisconnectUsingProxyCert(self):
-        """test5DisconnectUsingProxyCert: Disconnect as a command line client 
+    def test5DisconnectWithUserCert(self):
+        """test5DisconnectWithUserCert: Disconnect as a command line client 
         """
         
-        print "\n\t" + self.test5DisconnectUsingProxyCert.__doc__
-        self.test1Connect()
-        
-        # Use proxy cert / private key just obtained from connect call for
-        # signature generation         
-        self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
-        self.clnt.signatureHandler.signingPriKey = self.proxyPriKey        
-        self.clnt.signatureHandler.signingCertChain = (self.userCert,
-                                                       self.proxyCert)
-        
+        print "\n\t" + self.test5DisconnectWithUserCert.__doc__
+        self.test1Connect()
+        
+        # Use user cert / private key just obtained from connect call for
+        # signature generation
+        if self.issuingCert:
+            self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
+            self.clnt.signatureHandler.signingPriKey = self.userPriKey        
+            self.clnt.signatureHandler.signingCertChain = (self.issuingCert,
+                                                           self.userCert)
+            self.clnt.signatureHandler.signingCert = None
+        else:
+            self.clnt.signatureHandler.reqBinSecTokValType = 'X509v3'
+            self.clnt.signatureHandler.signingPriKey = self.userPriKey        
+            self.clnt.signatureHandler.signingCertChain = ()
+            self.clnt.signatureHandler.signingCert = self.userCert
+            
         # Proxy cert in signature determines ID of session to
         # delete
         self.clnt.disconnect()
-        print "User disconnected from Session Manager:\n%s" % self.proxyCert
-
-
-    def test6GetAttCertUsingSessID(self):
-        """test6GetAttCertUsingSessID: make an attribute request using
+        print "User disconnected from Session Manager:\n%s" % self.userCert
+
+
+    def test6GetAttCertWithSessID(self):
+        """test6GetAttCertWithSessID: make an attribute request using
         a session ID as authentication credential"""
 
-        print "\n\t" + self.test6GetAttCertUsingSessID.__doc__        
+        print "\n\t" + self.test6GetAttCertWithSessID.__doc__        
         self.test1Connect()
         
         attCert = self.clnt.getAttCert(\
             sessID=self.sessID, 
-            attAuthorityURI=self.cfg['test6GetAttCertUsingSessID']['aauri'])
+            attAuthorityURI=self.cfg['test6GetAttCertWithSessID']['aauri'])
         
         print "Attribute Certificate:\n%s" % attCert 
         attCert.filePath = \
-            self.cfg['test6GetAttCertUsingSessID']['acoutfilepath'] 
+            self.cfg['test6GetAttCertWithSessID']['acoutfilepath'] 
         attCert.write()
 
 
-    def test6aGetAttCertRefusedUsingSessID(self):
-        """test6aGetAttCertRefusedUsingSessID: make an attribute request using
+    def test6aGetAttCertRefusedWithSessID(self):
+        """test6aGetAttCertRefusedWithSessID: make an attribute request using
         a sessID as authentication credential requesting an AC from an
         Attribute Authority where the user is NOT registered"""
 
-        print "\n\t" + self.test6aGetAttCertRefusedUsingSessID.__doc__        
-        self.test1Connect()
-        
-        aaURI = self.cfg['test6aGetAttCertRefusedUsingSessID']['aauri']
+        print "\n\t" + self.test6aGetAttCertRefusedWithSessID.__doc__        
+        self.test1Connect()
+        
+        aaURI = self.cfg['test6aGetAttCertRefusedWithSessID']['aauri']
         
         try:
@@ -261 +255 @@
 
 
-    def test6bGetMappedAttCertUsingSessID(self):
-        """test6bGetMappedAttCertUsingSessID: make an attribute request using
+    def test6bGetMappedAttCertWithSessID(self):
+        """test6bGetMappedAttCertWithSessID: make an attribute request using
         a session ID as authentication credential"""
 
-        print "\n\t" + self.test6bGetMappedAttCertUsingSessID.__doc__        
-        self.test1Connect()
-        
-        aaURI = self.cfg['test6bGetMappedAttCertUsingSessID']['aauri']
+        print "\n\t" + self.test6bGetMappedAttCertWithSessID.__doc__        
+        self.test1Connect()
+        
+        aaURI = self.cfg['test6bGetMappedAttCertWithSessID']['aauri']
         
         attCert=self.clnt.getAttCert(sessID=self.sessID,attAuthorityURI=aaURI)
@@ -275 +269 @@
 
 
-    def test6cGetAttCertWithExtAttCertListUsingSessID(self):
-        """test6cGetAttCertUsingSessID: make an attribute request using
+    def test6cGetAttCertWithExtAttCertListWithSessID(self):
+        """test6cGetAttCertWithSessID: make an attribute request using
         a session ID as authentication credential"""
         
         print "\n\t" + \
-            self.test6cGetAttCertWithExtAttCertListUsingSessID.__doc__        
+            self.test6cGetAttCertWithExtAttCertListWithSessID.__doc__        
         self.test1Connect()
         
         aaURI = \
-            self.cfg['test6cGetAttCertWithExtAttCertListUsingSessID']['aauri']
-        
-        # Use output from test6GetAttCertUsingSessID!
+            self.cfg['test6cGetAttCertWithExtAttCertListWithSessID']['aauri']
+        
+        # Use output from test6GetAttCertWithSessID!
         extACFilePath = \
-    self.cfg['test6cGetAttCertWithExtAttCertListUsingSessID']['extacfilepath']   
+    self.cfg['test6cGetAttCertWithExtAttCertListWithSessID']['extacfilepath']   
         extAttCert = open(extACFilePath).read()
         
@@ -298 +292 @@
 
 
-    def test7GetAttCertUsingProxyCert(self):
-        """test7GetAttCertUsingProxyCert: make an attribute request using
-        a proxy cert as authentication credential"""
-        print "\n\t" + self.test7GetAttCertUsingProxyCert.__doc__
-        self.test1Connect()
-
-        self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
-        self.clnt.signatureHandler.signingPriKey = self.proxyPriKey        
-        self.clnt.signatureHandler.signingCertChain = (self.userCert,
-                                                       self.proxyCert)
+    def test7GetAttCertWithUserCert(self):
+        """test7GetAttCertWithUserCert: make an attribute request using
+        a user cert as authentication credential"""
+        print "\n\t" + self.test7GetAttCertWithUserCert.__doc__
+        self.test1Connect()
+
+        if self.issuingCert:
+            self.clnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
+            self.clnt.signatureHandler.signingPriKey = self.userPriKey        
+            self.clnt.signatureHandler.signingCertChain = (self.issuingCert,
+                                                           self.userCert)
+            self.clnt.signatureHandler.signingCert = None
+        else:
+            self.clnt.signatureHandler.reqBinSecTokValType = 'X509v3'
+            self.clnt.signatureHandler.signingPriKey = self.userPriKey        
+            self.clnt.signatureHandler.signingCertChain = ()
+            self.clnt.signatureHandler.signingCert = self.userCert
         
         # Request an attribute certificate from an Attribute Authority 
-        # using the proxyCert returned from connect()
-        
-        aaURI = self.cfg['test7GetAttCertUsingProxyCert']['aauri']
+        # using the userCert returned from connect()
+        
+        aaURI = self.cfg['test7GetAttCertWithUserCert']['aauri']
         attCert = self.clnt.getAttCert(attAuthorityURI=aaURI)
           
@@ -334 +335 @@
                     "test2GetSessionStatus",
                     "test3ConnectNoCreateServerSess",
-                    "test4DisconnectUsingSessID",
-                    "test5DisconnectUsingProxyCert",
-                    "test6GetAttCertUsingSessID",
-                    "test6bGetMappedAttCertUsingSessID",
-                    "test6cGetAttCertWithExtAttCertListUsingSessID",
-                    "test7GetAttCertUsingProxyCert",
+                    "test4DisconnectWithSessID",
+                    "test5DisconnectWithUserCert",
+                    "test6GetAttCertWithSessID",
+                    "test6bGetMappedAttCertWithSessID",
+                    "test6cGetAttCertWithExtAttCertListWithSessID",
+                    "test7GetAttCertWithUserCert",
                     "test8GetX509Cert",
                   ))

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/server.sh

@@ -17 +17 @@
 
 EXEC=twistd 
-OPTIONS="--pidfile=twistd-$$.pid -noy"
+OPTIONS="-noy"
 TACFILE=sessionMgr.tac
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrClientTest.cfg

@@ -12 +12 @@
 #smuri = https://localhost/SessionManager
 smuri = https://localhost:5700/SessionManager
-#smuri = https://glue.badc.rl.ac.uk:50000/SessionManager
 
 # For https connections only.  !Omit ssl* settings if using http!
@@ -18 +17 @@
 # same as peer hostname. 
 #sslpeercertcn = webSphereTest
-sslcacertfilepathlist = cacert.pem
+sslcacertfilepathlist = ./ca/ndg-test-ca.crt ./ca/cacert.pem
 
 # Set to False to test service without WS-Security signature
@@ -24 +23 @@
 
 # ValueType for BinarySecurityToken element of WSSE header.  Specify
-# 'X509PKIPathv1' for use with proxy certificates
+# 'X509PKIPathv1' for use with user certificates
 reqbinsectokvaltype = X509v3
 #reqbinsectokvaltype = X509
 #reqbinsectokvaltype = X509PKIPathv1
 
-# Test with proxy certificates or with standard certs.  Comment out as 
-# appropriate
-#proxycertfilepath = ./proxy-cert.pem
+# Test with chain of certificates (as with a proxy cert.) or with standard 
+# certs.  Comment out as appropriate
+#certchainfilepath = ./user-cert.pem
 
-# Test without proxy certificates - uses AA server side cert/private key for
-# client side too (!)
-clntcertfilepath = ./clnt-cert.pem
-
-clntprikeyfilepath = ./clnt-key.pem
-#clntprikeyfilepath = ./proxy-key.pem
+# Test without cert. chain
+clntcertfilepath = ./sm-clnt.crt
+clntprikeyfilepath = ./sm-clnt.key
 
 # Password protecting client private key - if omitted it will be prompted for
@@ -46 +42 @@
 # Space separated list of CA certificate files used to verify certificate used
 # in message signature
-cacertfilepathlist = ./cacert.pem
+cacertfilepathlist = ./ca/ndg-test-ca.crt ./ca/cacert.pem
 
 [test1Connect]         
-#username = lawrence
 username = raphaelTest
 #username = gabriel
-passphrase = testpassword
+#passphrase = testpassword
 
 [test3ConnectNoCreateServerSess]         
 username = raphaelTest
 #username = gabriel
-passphrase = testpassword
+#passphrase = testpassword
 
-[test6GetAttCertUsingSessID]
+[test6GetAttCertWithSessID]
 aaURI = http://localhost:5000/AttributeAuthority
 acOutFilePath = ac-out.xml
 
-[test6aGetAttCertRefusedUsingSessID]
+[test6aGetAttCertRefusedWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
 
-[test6bGetMappedAttCertUsingSessID]
+[test6bGetMappedAttCertWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
 
-[test6cGetAttCertWithExtAttCertListUsingSessID]
+[test6cGetAttCertWithExtAttCertListWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
-# Use output from test6GetAttCertUsingSessID!
+# Use output from test6GetAttCertWithSessID!
 extACFilePath = ac-out.xml
 
-[test7GetAttCertUsingProxyCert]
+[test7GetAttCertWithUserCert]
 aaURI = http://localhost:5000/AttributeAuthority
-#aaURI = http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml

@@ -4 +4 @@
     <useSSL>Yes</useSSL> <!-- leave blank to use http -->
     <!--<useSSL>Yes</useSSL>  leave blank to use http -->
-    <sslCertFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</sslCertFile>
-    <sslKeyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</sslKeyFile>
+    <sslCertFile>$NDGSEC_SM_UNITTEST_DIR/sm.crt</sslCertFile>
+    <sslKeyFile>$NDGSEC_SM_UNITTEST_DIR/sm.key</sslKeyFile>
     <!-- 
     Directory containing CA cert.s to verify SSL peer cert against 
@@ -23 +23 @@
     -->
     <caCertFileList>
-        <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile>
+        <caCertFile>$NDGSEC_SM_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+        <caCertFile>$NDGSEC_SM_UNITTEST_DIR/ca/cacert.pem</caCertFile>
     </caCertFileList>
-    <certFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</certFile>
-    <keyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</keyFile>
+    <certFile>$NDGSEC_SM_UNITTEST_DIR/sm.crt</certFile>
+    <keyFile>$NDGSEC_SM_UNITTEST_DIR/sm.key</keyFile>
     <keyPwd/>
     <!-- 
@@ -72 +73 @@
                         specified when a certificate is first created by store() method
                 -->
-                <proxyCertMaxLifetime>24</proxyCertMaxLifetime> <!-- in hours -->
+                <proxyCertMaxLifetime>43200</proxyCertMaxLifetime> <!-- in seconds -->
                 <!-- 
                         Life time of a proxy certificate when issued from the Proxy Server 
                         with getDelegation() method
-                        -->
-                <proxyCertLifetime>8</proxyCertLifetime> <!-- in hours -->
-                <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile>
+                -->
+                <proxyCertLifetime>43200</proxyCertLifetime> <!-- in seconds -->
+                <caCertFile>$NDGSEC_SM_UNITTEST_DIR/ca/cacert.pem</caCertFile>
         </myProxyProp>
         <simpleCACltProp>

TI12-security/trunk/python/www/html/sessionMgr.wsdl

@@ -42 +42 @@
         <xsd:complexType>
                   <xsd:sequence>
-                    <xsd:element name="proxyCert" type="xsd:string" minOccurs="1" maxOccurs="1"/>
-                    <xsd:element name="proxyPriKey" type="xsd:string" minOccurs="1" maxOccurs="1"/>
                     <xsd:element name="userCert" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+                    <xsd:element name="userPriKey" type="xsd:string" minOccurs="1" maxOccurs="1"/>
+                    <xsd:element name="issuingCert" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="sessID" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                   </xsd:sequence>