Changeset 3199 for TI12-security

Timestamp:

11/01/08 10:29:10 (13 years ago)

Author:

pjkersha

Message:

Fixes to unit tests ready for OMII-UK first software drop.

security/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml,
security/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml: include comment about addition of CA certs from other trusted NDG sites.

security/python/ndg.security.test/ndg/security/test/attCert/attCertTest.cfg: fix file paths - ref by $NDGSEC_ATTCERT_UNITTEST_DIR env var

security/python/ndg.security.test/ndg/security/test/attCert/AttCertTest.py: some file paths not having $NDGSEC_ATTCERT_UNITTEST_DIR expanded correctly

security/python/ndg.security.test/ndg/security/test/sessionMgr/README,
security/python/ndg.security.test/ndg/security/test/sessionMgrClient/README: fix instructions for including CA cert from MyProxy? CA.

security/python/ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py:

• fix for some file paths - env var not expanded
• fix test1Connect writing of user.creds - ensure new lines between concatenated certs. and private key content

security/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml: add instructions for adding MyProxy? CA cert into caCertFileList elem.

security/python/ndg.security.test/ndg/security/test/XMLSecDoc/README: missed out before

security/python/ndg.security.test/setup.py: fixes for missing package data for various tests.

Location:

TI12-security/trunk/python

Files:

• ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml (modified) (1 diff)
• ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml (modified) (1 diff)
• ndg.security.test/ndg/security/test/XMLSecDoc/README (added)
• ndg.security.test/ndg/security/test/attCert/AttCertTest.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/attCert/ac.xml (modified) (2 diffs)
• ndg.security.test/ndg/security/test/attCert/attCertTest.cfg (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionMgr/README (modified) (2 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/README (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py (modified) (3 diffs)
• ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml (modified) (1 diff)
• ndg.security.test/setup.py (modified) (3 diffs)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml

@@ -25 +25 @@
     <keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem</keyFile>
     <keyPwd></keyPwd>
+    <!-- 
+    CA Certificates used to verify X.509 certs used in peer SOAP messages,
+    and Attribute Certificates.
+    
+    The CA certificates of other NDG trusted sites should go here.
+    -->
     <caCertFileList>
         <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile>

TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml

@@ -28 +28 @@
     <!-- 
     CA Certificates used to verify X.509 certs used in peer SOAP messages,
-    SSL connections and Attribute Certificates
+    and Attribute Certificates.
+    
+    The CA certificates of other NDG trusted sites should go here.
     -->
     <caCertFileList>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attCert/AttCertTest.py

@@ -226 +226 @@
         '''test12IsValid: check signature of XML document'''            
         self.test11Read()
-        self.attCert.certFilePathList = \
-                    self.cfg['test12IsValid']['certfilepathlist'].split()
+        self.attCert.certFilePathList = [xpdVars(file) for file in \
+                    self.cfg['test12IsValid']['certfilepathlist'].split()]
         self.attCert.isValid(raiseExcep=True)
         print 'test12IsValid: passed'
@@ -238 +238 @@
         self.test6aSet()    
         
-        self.attCert.certFilePathList = \
-            self.cfg['test13IsValidStressTest']['certfilepathlist'].split()
+        self.attCert.certFilePathList = [xpdVars(file) for file in \
+            self.cfg['test13IsValidStressTest']['certfilepathlist'].split()]
         self.attCert.signingKeyFilePath = \
                         xpdVars(self.cfg['test13IsValidStressTest']['keyfile'])

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attCert/ac.xml

@@ -9 +9 @@
         <userId>/O=NDG/OU=BADC/CN=pjkershaw</userId>
         <validity>
-            <notBefore>2008 01 04 15 45 58</notBefore> 
-            <notAfter>2008 01 04 23 45 58</notAfter> 
+            <notBefore>2008 01 10 15 26 32</notBefore> 
+            <notAfter>2008 01 10 23 26 32</notAfter> 
         </validity>
         <attributes>
@@ -27 +27 @@
         <provenance>original</provenance> 
     </acInfo>
-<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b9+0xXj/zAUBcFXtai4zryJ2ZZ4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lxaiZbOMjsGwmIPkY2kO6YArGkhWUInJDy/QXRSMTXTioUfSNWqcfmsIME3ZatR5gYAOfjo4rEt+
-sV5YwE9T6Q2T+j7WkTRMez+gLu8kDQwPSZMWHcNAzyf50H2xBTbnOXrf1mS6No25JNMtPrvX7+2+
-hYe+c3o62HyDUwu2rNWGudwTfCaYydBrdv/64jhQYQDInM5cOnJl6Azb8XkH0YwOVn1QQSt+xDVN
-1u2Pws0Bo1piK91hDmqizpmy/fFnSFCT71zrvpB7D6EV6a9SMSogVhcXq/rRMQl2j/lyMZcnoWHC
-2aFcQ0u+0Rg5X9j6nFkmzIom+Gd5S1HAbM0f4g==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>srClFxmtD9f6gOox0fewjJ+5VBg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Djy+IKg94DRZSmzbYD1CIudKzoiOKOVMxOQOF6un5+N1jgormdEUbS0FwiHBgCl2QgF59MuBPNHM
+YtCOyuJX29+mIHlXATcMDZb7i62uXYKsIzBHDkN6wWlVaYlJvGFCmtWpJcSFpKlHigLfeO8GXEEg
+A8iHfaoj9G/YMvxwL9WrxmrFOOq//kBeCPUyRBhwlmFf6ZRAEP/O/wh9BfBQZ0J99G8WETwpEznI
+Ui20MJG7jjHmUD4GnK/h7MsajvrH9m48HHp/f9uVaAjGWJHTnDpVWBH4ueBGnsIsiyZHSgUz37pa
+0FFB01OjNTeuS+OZ/4V/IScIWQrBFcDA6tOVkw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
 MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
 N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD

TI12-security/trunk/python/ndg.security.test/ndg/security/test/attCert/attCertTest.cfg

@@ -10 +10 @@
 
 [test9Sign]
-certFile: ./test.crt
-keyFile: ./test.key
-filePath: ./ac-signed.xml
+certFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.crt
+keyFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
+filePath: $NDGSEC_ATTCERT_UNITTEST_DIR/ac-signed.xml
 keyPwd:
 
 [test10Write]
-filePath: ./ac.xml
+filePath: $NDGSEC_ATTCERT_UNITTEST_DIR/ac.xml
 
 [test11Read]
-filePath: ./ac.xml
+filePath: $NDGSEC_ATTCERT_UNITTEST_DIR/ac.xml
 
 [test12IsValid]
-certFilePathList: ./ndg-test-ca.crt
+certFilePathList: $NDGSEC_ATTCERT_UNITTEST_DIR/ndg-test-ca.crt
 
 [test13IsValidStressTest]
 # First cert is added to the signature, both certs are used in the 
 # verification
-certFilepathlist: ./test.crt ./ndg-test-ca.crt
-keyFile: ./test.key
+certFilepathlist: $NDGSEC_ATTCERT_UNITTEST_DIR/test.crt $NDGSEC_ATTCERT_UNITTEST_DIR/ndg-test-ca.crt
+keyFile: $NDGSEC_ATTCERT_UNITTEST_DIR/test.key
 keyPwd:
 nruns: 10
 
 [test14IsValidSignature]
-certFilePathList: ./ndg-test-ca.crt
-filePath: ./ac.xml
+certFilePathList: $NDGSEC_ATTCERT_UNITTEST_DIR/ndg-test-ca.crt
+filePath: $NDGSEC_ATTCERT_UNITTEST_DIR/ac.xml
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgr/README

@@ -41 +41 @@
 CA certificate in the list of trusted CA files in the respective Attribute 
 Authority configuration files:
+ i) Copy the CA certificate from your MyProxy host computer to the ca/ sub-
+ directory under THIS directory.
+ 
+ The file will be located on the MyProxy server as e.g.
+ 
+ /etc/grid-security/certificates/abcdef01.0
+ 
+ The exact name of the CA certificate file will be unique to your installation.
+ In the above, it is "abcdef01.0".   
+ 
  i) edit 'caCertFileList' element in 
  ../attAuthority/siteAAttAuthorityProperties.xml and add a new entry for the 
@@ -48 +58 @@
     <caCertFileList>
         <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
--->     <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
+-->     <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/abcdef01.0</caCertFile>
     </caCertFileList>
  -8<---------------------------------------------------------------------------
  The exact name of the CA certificate file will be unique to your installation.
  In the above, it is "abcdef01.0".  Ammend to the correct setting.  Edit 
- ../attAuthority/siteAAttAuthorityProperties.xml and in the same way add a new 
+ ../attAuthority/siteBAttAuthorityProperties.xml and in the same way add a new 
  entry for the MyProxy CA certificate.
  

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/README

@@ -47 +47 @@
 directory is ../attAuthority.  
 
-The Attribute Authorities accept requests from this Session Manager 
-authenticated based on the MyProxy user credentials used in the unit test
-test1Connect.  In order to accept these, the Attribute Authorities must be 
-configured to trust the MyProxy CA.  This can be done by including the MyProxy
-CA certificate in the list of trusted CA files in the respective Attribute 
+The Attribute Authorities and Session Manager accept client requests
+authenticated based on the MyProxy user credentials obtained in the unit test
+test1Connect.  In order to accept these, these services must be configured to 
+trust the MyProxy CA.  This can be done by including the MyProxy CA certificate
+in the list of trusted CA files in the respective Session Manager and Attribute
 Authority configuration files:
- i) edit 'caCertFileList' element in 
- ../attAuthority/siteAAttAuthorityProperties.xml and add a new entry for the 
- MyProxy CA:
+ i) Copy the CA certificate from your MyProxy host computer to the ca/ sub-
+ directory under THIS directory.
+ 
+ The file will be located on the MyProxy server as e.g.
+ 
+ /etc/grid-security/certificates/abcdef01.0
+ 
+ The exact name of the CA certificate file will be unique to your installation.
+ In the above, it is "abcdef01.0".   
+ 
+ ii) edit 'caCertFileList' element in sessionManagerProperties.xml and add a 
+ new entry for the MyProxy CA:
 
  -8<---------------------------------------------------------------------------
     <caCertFileList>
         <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
--->     <caCertFile>/etc/grid-security/certificates/abcdef01.0</caCertFile>
+-->     <caCertFile>$NDGSEC_AACLNT_UNITTEST_DIR/ca/abcdef01.0</caCertFile>
     </caCertFileList>
  -8<---------------------------------------------------------------------------
- The exact name of the CA certificate file will be unique to your installation.
- In the above, it is "abcdef01.0".  Ammend to the correct setting.  Edit 
- ../attAuthority/siteAAttAuthorityProperties.xml and in the same way add a new 
+Ammend to the correct setting.  Edit 
+ ../attAuthority/siteAAttAuthorityProperties.xml and 
+ ../attAuthority/siteBAttAuthorityProperties.xml in the same way add a new 
  entry for the MyProxy CA certificate.
  

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/SessionMgrClientTest.py

@@ -154 +154 @@
                                                         (username, self.sessID)
             
-        creds = self.issuingCert or '' + self.userCert + self.userPriKey
+        creds = '\n'.join(self.issuingCert or '',self.userCert,self.userPriKey)
         open(mkPath("user.creds"), "w").write(creds)
             
@@ -253 +253 @@
         print "Attribute Certificate:\n%s" % attCert 
         attCert.filePath = \
-            self.cfg['test6GetAttCertWithSessID']['acoutfilepath'] 
+            xpdVars(self.cfg['test6GetAttCertWithSessID']['acoutfilepath']) 
         attCert.write()
 
@@ -304 +304 @@
         
         # Use output from test6GetAttCertWithSessID!
-        extACFilePath = \
-    self.cfg['test6cGetAttCertWithExtAttCertListWithSessID']['extacfilepath']   
+        extACFilePath = xpdVars(\
+    self.cfg['test6cGetAttCertWithExtAttCertListWithSessID']['extacfilepath'])
         extAttCert = open(extACFilePath).read()
         

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml

@@ -24 +24 @@
     <caCertFileList>
         <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile>
+        <!-- 
+        To also trust certificates issued from your MyProxy CA, replace 
+        "abcdef01.0" with the unique name for your CA certificate and uncomment
+        the following line:
+        <caCertFile>$NDGSEC_SMCLNT_UNITTEST_DIR/ca/abcdef01.0</caCertFile>
+        -->
     </caCertFileList>
     <certFile>$NDGSEC_SMCLNT_UNITTEST_DIR/sm.crt</certFile>

TI12-security/trunk/python/ndg.security.test/setup.py

@@ -31 +31 @@
                                        'siteA-aa.key',
                                        'siteB-aa.crt',
-                                       'siteB-aa.key'
+                                       'siteB-aa.key',
                                        'README'],
     'ndg.security.test.attAuthority.ca': ['*.crt'],
@@ -40 +40 @@
                                   'ndg-test-ca.crt',
                                   'README'],
-    'ndg.security.test.ca': ['*.xml', '*.cfg'],
+    'ndg.security.test.ca': ['*.xml', '*.cfg', 'README'],
+    'ndg.security.test.gatekeeper': ['README'],
+    'ndg.security.test.Log': ['README'],
     'ndg.security.test.myProxy': ['*.xml', 
                                   '*.cfg',
                                   'user.crt',
                                   'user.key',
-                                  'ndg-test-ca.crt',                                  'openssl.conf', 
+                                  'ndg-test-ca.crt',
+                                  'openssl.conf', 
                                   'Makefile',
                                   'README'],
@@ -57 +60 @@
                                      'sm.key',
                                      'user.crt',
-                                     'user.key'],
+                                     'user.key',
+                                     'README'],
     'ndg.security.test.sessionMgr.ca': ['*.crt'],
     'ndg.security.test.sessionMgrClient': ['*.xml',