Changeset 3755

Timestamp:

04/04/08 10:11:44 (12 years ago)

Author:

pjkersha

Message:

 

Location:

TI12-security/trunk/python

Files:

• ndg.security.client/ndg/security/client/ssoclient/README.txt (modified) (2 diffs)
• ndg.security.client/ndg/security/client/ssoclient/__init__.py (added)
• ndg.security.client/ndg/security/client/ssoclient/development.ini (modified) (5 diffs)
• ndg.security.client/ndg/security/client/ssoclient/setup.py (modified) (1 diff)
• ndg.security.client/ndg/security/client/ssoclient/ssoClient.cfg (modified) (1 diff)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/PKG-INFO (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/SOURCES.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/dependency_links.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/entry_points.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/paste_deploy_config.ini_tmpl (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/paster_plugins.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/requires.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient.egg-info/top_level.txt (added)
• ndg.security.client/ndg/security/client/ssoclient/test.ini (modified) (1 diff)
• ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (3 diffs)
• ndg.security.common/ndg/security/common/gatekeeper (added)
• ndg.security.common/ndg/security/common/gatekeeper/__init__.py (added)
• ndg.security.common/ndg/security/common/pylons/__init__.py (added)
• ndg.security.common/ndg/security/common/pylons/security_util.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/wsSecurity.py (modified) (7 diffs)
• ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.cfg (modified) (1 diff)
• ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/wsSecurity/server/wssecurity.cfg (added)

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/README.txt

@@ -1 @@
-This file is for you to describe the ssoClient application. Typically
+This file is for you to describe the ssoclient application. Typically
 you would include information such as the information below:
 
@@ -5 +5 @@
 ======================
 
-Install ``ssoClient`` using easy_install::
+Install ``ssoclient`` using easy_install::
 
-    easy_install ssoClient
+    easy_install ssoclient
 
 Make a config file as follows::
 
-    paster make-config ssoClient config.ini
+    paster make-config ssoclient config.ini
 
 Tweak the config file as appropriate and then setup the application::

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/development.ini

@@ -1 +1 @@
 #
-# ssoClient - Pylons development environment configuration
+# ssoclient - Pylons development environment configuration
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -17 +17 @@
 
 [app:main]
-use = egg:ssoClient
+use = egg:ssoclient
 full_stack = true
 cache_dir = %(here)s/data
@@ -35 +35 @@
 
 configfile = %(here)s/ssoClient.cfg
+
 
 # Logging configuration
@@ -55 +56 @@
 qualname = ssoclient
 
-[logger_routes]
-level = DEBUG
-handlers = console
-qualname = routes
-
 [handler_console]
 class = StreamHandler
@@ -69 +65 @@
 format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
 datefmt = %H:%M:%S
+

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/setup.py

@@ -7 +7 @@
 
 setup(
-    name='ssoClient',
+    name='ssoclient',
     version="",
     #description='',

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoClient.cfg

@@ -1 +1 @@
 # Single Sign On Service Configuration
+# 
+# NERC Data Grid Project
+# 
+# P J Kershaw 01/04/08
+# 
+# Copyright (C) 2008 CCLRC & NERC
+# 
+# This software may be distributed under the terms of the Q Public License,
+# version 1.0 or later.
+#
 
 [DEFAULT]
 # Server address for secure connections
-sslServer: https://localhost/ssoClient
-server:    http://localhost/ssoClient
-wayfURI: https://localhost/sso/wayf
-layout:         %(server)s/layout/
+sslServer:              https://localhost/ssoClient
+server:                 http://localhost/ssoClient
+wayfURI:                https://localhost/sso/wayf
+# Use Client side logout instead
+#logoutURI:             https://localhost/sso/logout
+layout:         %(server)s/layout/
 icondir:        %(server)s/layout/icons/
 disclaimer:
 
 [layout]
-localLink:      http://ndg.nerc.ac.uk/
-localImage:     %(layout)sndg_logo_circle.gif
-localAlt:       visit badc
-###### ought to be the end of the customisations
-ndgLink:        http://ndg.nerc.ac.uk/
-ndgImage:       %(layout)sndg_logo_circle.gif
-ndgAlt:         visit ndg
-stfcLink:       http://ceda.stfc.ac.uk/
-stfcImage:      %(layout)sstfc-circle-sm.gif
-key:            %(icondir)spadlock.png
-keyGrey:        %(layout)skeyG.gif
+localLink:              http://ndg.nerc.ac.uk/
+localImage:             %(layout)sndg_logo_circle.gif
+localAlt:               Visit the BADC
+ndgLink:                http://ndg.nerc.ac.uk/
+ndgImage:               %(layout)sndg_logo_circle.gif
+ndgAlt:                 visit ndg
+stfcLink:       http://ceda.stfc.ac.uk/
+stfcImage:      %(layout)sstfc-circle-sm.gif
+key:                    %(icondir)spadlock.png
+keyGrey:                %(layout)skeyG.gif
 selectI:        %(layout)stick.png
 Xicon:          %(icondir)sxml.png

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/test.ini

@@ -1 +1 @@
 #
-# ssoClient - Pylons testing environment configuration
+# ssoclient - Pylons testing environment configuration
 #
 # The %(here)s variable will be replaced with the parent directory of this file

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -38 +38 @@
     HostCheck
 
+import logging
+log = logging.getLogger(__name__)
 
 #_____________________________________________________________________________
@@ -105 +107 @@
         @param signatureHandlerKw: keywords to configure signature handler"""
 
+        log.debug("AttAuthorityClient.__init__ ...")
         self.__srv = None
         self.__uri = None
@@ -123 +126 @@
         # set
         if setSignatureHandler:
+            log.debug('signatureHandlerKw = %s' % signatureHandlerKw)
             self.__signatureHandler = SignatureHandler(**signatureHandlerKw)
         else:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/pylons/security_util.py

@@ -178 +178 @@
             
     return requestURL
-
-
-import sys
-from ConfigParser import SafeConfigParser as ConfigParser
-
-class SecurityConfigError(Exception):
-    """Handle errors from parsing security config items"""
-       
-class SecurityConfig(object):
-    """Get Security related parameters from the Pylons NDG config file"""
-
-    def __init__(self, cfgFilePath=None):
-        '''Get PKI settings for Attribute Authority and Session Manager from
-        the configuration file
-        
-        @type cfgFilePath: pylons config file object
-        @param cfgFilePath: reference to NDG configuration file.  If omitted 
-        defaults to request.environ['ndgConfig']'''
-        
-        self.cfgFilePath = cfgFilePath
-
-    def read(self):
-        '''Read content of config file into object'''
-        cfg = ConfigParser()
-        cfg.read(self.cfgFilePath)
-       
-        tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile')
-        if tracefileExpr:
-            self.tracefile = eval(tracefileExpr)
-
-        self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')        
-        self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI')
-        
-        # ... for SSL connections to security web services
-        try:
-            self.sslCACertFilePathList = \
-            cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split()
-                
-        except AttributeError:
-            raise SecurityConfigError, \
-                        'No "sslCACertFilePathList" security setting'
-
-        self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN', None)
-
-        # ...and for WS-Security digital signature
-        self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath')
-        self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath')
-        self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd')
-
-        try:
-            self.wssCACertFilePathList = \
-                cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split()
-                
-        except AttributeError:
-            raise SecurityConfigError, \
-                                'No "wssCACertFilePathList" security setting'
-
-        # Inclusive namespace prefixes for Exclusive C14N
-        try:
-            self.wssRefInclNS = cfg.get('NDG_SECURITY', 'wssRefInclNS').split()
-                
-        except AttributeError:
-            raise SecurityConfigError, 'No "wssRefInclNS" security setting'
-
-        try:
-            self.wssSignedInfoInclNS = cfg.get('NDG_SECURITY', 
-                                               'wssSignedInfoInclNS').split()           
-        except AttributeError:
-            raise SecurityConfigError, \
-                                    'No "wssSignedInfoInclNS" security setting'
-
-        
-        # Gatekeeper params
-        
-        # Attribute Certificate Issuer
-        self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer')
-        
-        # verification of X.509 cert back to CA
-        try:
-            self.acCACertFilePathList = cfg.get('NDG_SECURITY', 
-                                            'acCACertFilePathList').split()          
-        except AttributeError:
-            raise SecurityConfigError, \
-                                'No "acCACertFilePathList" security setting'
-
-        # Hostname
-        self.server=cfg.get('NDG_SECURITY', 'server', '')
-
-        # For secure connections
-        self.sslServer = cfg.get('NDG_SECURITY', 'sslServer', '')
-        
-        # These URLs are referred from template files
-        self.getCredentials = '%s/getCredentials' % self.sslServer       
-        self.logout = '%s/logout' % self.server
-                      
-        # Where Are You From URI          
-        self.wayfuri='%s/wayf' % self.server
-
-        self.localLink=cfg.get('layout', 'localLink', None)
-        self.localImage=cfg.get('layout', 'localImage', None)
-        self.localAlt=cfg.get('layout', 'localAlt', 'Visit Local Site')
-        self.ndgLink=cfg.get('layout', 'ndgLink', 'http://ndg.nerc.ac.uk')
-        self.ndgImage=cfg.get('layout', 'ndgImage', None)
-        self.ndgAlt=cfg.get('layout', 'ndgAlt','Visit NDG')
-        self.stfcLink=cfg.get('layout', 'stfcLink')
-        self.stfcImage=cfg.get('layout', 'stfcImage')
-        self.helpIcon=cfg.get('layout', 'helpIcon')
-        self.LeftAlt=cfg.get('layout', 'HdrLeftAlt')
-        self.LeftLogo=cfg.get('layout', 'HdrLeftLogo')
-        self.pageLogo="bodcHdr"
-        self.icons_xml=cfg.get('layout','Xicon')
-        self.icons_plot=cfg.get('layout','plot')
-        self.icons_prn=cfg.get('layout', 'printer')
-        
-        self.disclaimer = cfg.get('DEFAULT', 'disclaimer')
-            
-            
-    def __repr__(self):
-        return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \
-                if k[:2] != "__"])

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

@@ -25 +25 @@
     from Crypto.Cipher import AES, DES3
 except:
-    pass
+    from warnings import warn
+    warn('Crypto.Cipher not available: EncryptionHandler disabled!',
+         RuntimeWarning)
+    class AES:
+        MODE_ECB = None
+        MODE_CBC = None
+        
+    class DES3: 
+        MODE_CBC = None
 
 import os
@@ -52 +60 @@
 from xml.dom.ext.reader.PyExpat import Reader
 
+# Enable settings from a config file
+from ndg.security.common.wssecurity import WSSecurityConfig
 
 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
@@ -145 +155 @@
     
     binSecTokValType = {
-        "X509PKIPathv1": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1",
-        "X509":          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509",
-        "X509v3":        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
+        "X509PKIPathv1": OASIS.X509TOKEN.X509PKIPathv1,
+        "X509":          OASIS.X509TOKEN.X509,
+        "X509v3":        OASIS.X509TOKEN.X509+"v3"
     }
 
 
     #_________________________________________________________________________
-    def __init__(self,
-                 reqBinSecTokValType="X509v3",
-                 verifyingCert=None,
-                 verifyingCertFilePath=None,
-                 signingCert=None,
-                 signingCertFilePath=None, 
-                 signingCertChain=None,
-                 signingPriKey=None,
-                 signingPriKeyFilePath=None, 
-                 signingPriKeyPwd=None,
-                 caCertDirPath=None,
-                 caCertFilePathList=[],
-                 addTimestamp=True,
-                 applySignatureConfirmation=False,
-                 refC14nKw={'unsuppressedPrefixes': ['xmlns', 
-                                                     'xsi', 
-                                                     'xsd', 
-                                                     'SOAP-ENV', 
-                                                     'wsu', 
-                                                     'wsse', 
-                                                     'ns1']},
-                # Added 'ec' to list P J Kershaw 01/02/07
-                signedInfoC14nKw = {'unsuppressedPrefixes': ['xsi', 
-                                                             'xsd', 
-                                                             'SOAP-ENV', 
-                                                             'ds', 
-                                                             'wsse', 
-                                                             'ec']}):
+    def __init__(self, cfgFilePath=None, configClass=WSSecurityConfig, **kw):
         '''
         @reqBinSecTokValType: set the ValueType for the BinarySecurityToken
@@ -259 +242 @@
         '''
         
-        self.__setReqBinSecTokValType(reqBinSecTokValType)
+        # WSSecurityConfig is the default class for reading config params but
+        # alternative derivative class may be passed in instead.
+        if not issubclass(configClass, WSSecurityConfig):
+            raise TypeError("%s is not a sub-class of WSSecurityConfig" % \
+                            configClass)
+        self.cfg = configClass()
+        
+        # Read parameters from config file if set
+        if cfgFilePath:
+            self.cfg.read(cfgFilePath)
+        
+        # Also update config from keywords set 
+        self.cfg.update(kw)
+        
+        
+        self.__setReqBinSecTokValType(self.cfg['reqBinSecTokValType'])
         
         # Set keywords for canonicalization of SignedInfo and reference 
         # elements
-        self.__setRefC14nKw(refC14nKw)
-        self.__setSignedInfoC14nKw(signedInfoC14nKw)
-            
-
-        self.__setVerifyingCert(verifyingCert)
-        self.__setVerifyingCertFilePath(verifyingCertFilePath)
-        
-        self.__setSigningCert(signingCert)
-        self.__setSigningCertFilePath(signingCertFilePath)
-
-        if signingCertChain:
-            self.__setSigningCertChain(signingCertChain)
+        # TODO: get rid of refC14nKw and signedInfoC14nKw options
+        if len(self.cfg.get('refC14nInclNS', [])):
+            self.__setRefC14nKw({'unsuppressedPrefixes':
+                                 self.cfg['refC14nInclNS']})
+        else:
+            self.__setRefC14nKw(self.cfg['refC14nKw'])
+
+   
+        if len(self.cfg.get('signedInfoC14nNS', [])):
+            self.__setSignedInfoC14nKw({'unsuppressedPrefixes':
+                                        self.cfg['signedInfoC14nNS']})
+        else:
+            self.__setSignedInfoC14nKw(self.cfg['signedInfoC14nKw'])
+            
+
+        self.__setVerifyingCert(self.cfg['verifyingCert'])
+        self.__setVerifyingCertFilePath(self.cfg['verifyingCertFilePath'])
+        
+        self.__setSigningCert(self.cfg['signingCert'])
+        self.__setSigningCertFilePath(self.cfg['signingCertFilePath'])
+
+        if self.cfg.get('signingCertChain'):
+            self.__setSigningCertChain(self.cfg['signingCertChain'])
         else:
             self.__signingCertChain = None   
@@ -280 +289 @@
         # MUST be set before __setSigningPriKeyFilePath / __setSigningPriKey
         # are called
-        self.__setSigningPriKeyPwd(signingPriKeyPwd)
-        
-        if signingPriKey is not None:
+        self.__setSigningPriKeyPwd(self.cfg['signingPriKeyPwd'])
+        
+        if self.cfg.get('signingPriKey'):
             # Don't allow None for private key setting
-            self.__setSigningPriKey(signingPriKey)
-            
-        self.__setSigningPriKeyFilePath(signingPriKeyFilePath)
+            self.__setSigningPriKey(self.cfg['signingPriKey'])
+            
+        self.__setSigningPriKeyFilePath(self.cfg['signingPriKeyFilePath'])
         
         # CA certificate(s) for verification of X.509 certificate used with
         # signature.
-        if caCertDirPath:
-            self.caCertDirPath = caCertDirPath
-            
-        elif caCertFilePathList:
-            self.caCertFilePathList = caCertFilePathList
-            
-        self.addTimestamp = addTimestamp
-        self.applySignatureConfirmation = applySignatureConfirmation
+        if self.cfg.get('caCertDirPath'):
+            self.caCertDirPath = self.cfg['caCertDirPath']
+            
+        elif self.cfg.get('caCertFilePathList'):
+            self.caCertFilePathList = self.cfg['caCertFilePathList']
+            
+        self.addTimestamp = self.cfg['addTimestamp']
+        self.applySignatureConfirmation=self.cfg['applySignatureConfirmation']
         self.b64EncSignatureValue = None
+        
+        log.debug("WSSE Config = %s" % self.cfg)
+
                 
     #_________________________________________________________________________
@@ -465 +477 @@
                     doc="file path of X.509 Cert. for verifying signature")
 
+    
+    #_________________________________________________________________________
+    def __getSigningCert(self):
+        '''Return X.509 cert object corresponding to cert used with
+        signature
+        
+        @rtype: M2Crypto.X509.X509
+        @return: certificate object
+        '''
+        return self.__signingCert
+
 
     #_________________________________________________________________________
@@ -474 +497 @@
         self.__signingCertFilePath = None
         
-    signingCert = property(fset=__setSigningCert,
-                             doc="Set X.509 Cert. to include signature")
+    signingCert = property(fget=__getSigningCert,
+                           fset=__setSigningCert,
+                           doc="X.509 Cert. to include signature")
 
  

TI12-security/trunk/python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.cfg

@@ -12 +12 @@
 port = 7100
 path = /Echo
-signingPriKeyFilePath = $NDGSEC_WSSESRV_UNITTEST_DIR/server.key
-signingPriKeyPwd = 
-signingCertFilePath = $NDGSEC_WSSESRV_UNITTEST_DIR/server.crt
-caCertFilePathList = $NDGSEC_WSSESRV_UNITTEST_DIR/ndg-test-ca.crt
+wsseCfgFilePath = $NDGSEC_WSSESRV_UNITTEST_DIR/wssecurity.cfg

TI12-security/trunk/python/ndg.security.test/ndg/security/test/wsSecurity/server/echoServer.py

@@ -93 +93 @@
     path = cfg.get('setUp', 'path')
     
-    signingPriKeyFilePath = xpdVars(cfg.get('setUp', 'signingPriKeyFilePath'))
-    signingPriKeyPwd = xpdVars(cfg.get('setUp', 'signingPriKeyPwd'))
-    signingCertFilePath = xpdVars(cfg.get('setUp', 'signingCertFilePath'))
-    caCertFilePathList = [xpdVars(file) for file in \
-                          cfg.get('setUp', 'caCertFilePathList').split()]
+    wsseCfgFilePath = xpdVars(cfg.get('setUp', 'wsseCfgFilePath'))
 
     serviceContainer = ServiceContainer((hostname, port))   
@@ -104 +100 @@
     echo = EchoService()
     echo.signatureHandler = wsSecurity.SignatureHandler(\
-                                signingCertFilePath=signingCertFilePath,
-                                signingPriKeyFilePath=signingPriKeyFilePath,
-                                signingPriKeyPwd=signingPriKeyPwd,
-                                caCertFilePathList=caCertFilePathList,
-                                applySignatureConfirmation=True,
-                                refC14nKw={'unsuppressedPrefixes':[]},
-                                signedInfoC14nKw={'unsuppressedPrefixes':[]})
-#                                refC14nKw={'unsuppressedPrefixes': 
-#                                           ['xmlns', 
-#                                            'xsi', 
-#                                            'xsd', 
-#                                            'SOAP-ENV',
-#                                            'soapenv', 
-#                                            'wsu', 
-#                                            'wsse', 
-#                                            'ns1']},
-#                                signedInfoC14nKw={'unsuppressedPrefixes': 
-#                                                  ['xsi', 
-#                                                   'xsd', 
-#                                                   'SOAP-ENV',
-#                                                   'soapenv', 
-#                                                   'ds', 
-#                                                   'wsse', 
-#                                                   'ec']})
+                                                cfgFilePath=wsseCfgFilePath)
 
     serviceContainer.setNode(echo, url=path)