Context Navigation

← Previous Change
Next Change →

Changeset 3765 for TI12-security

Timestamp:

04/04/08 16:16:32 (12 years ago)

Author:

pjkersha

Message:

Refactoring of authorisation (PDP) and gatekeeper (PEP) components.

Location:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz

Files:

: 2 added
: 2 edited

pdp (added)
pdp.py (modified) (5 diffs)
pdp/__init__.py (added)
pep.py (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp.py

-                      r3759
+                      r3765
+#_____________________________________________________________________________
+class PDPInterfaceError(GatekeeperError):
+    """Exception handling for NDG Gatekeeper Resource interface class
+    class."""
+    pass
+#_____________________________________________________________________________
+class PDPInterface:
+    """An abstract base class to define the interface to the Policy Decision
+    Point for the Gatekeeper (PEP).
+    Each NDG resource should implement a derived class which implements
+    the way a resource roles is served from the given resource."""
+    # User defined class may wish to specify a URI or path for a configuration
+    # file
+    def __init__(self, resrcID=None, filePath=None):
+        """Abstract base class - derive from this class to define
+        resource role interface to Gatekeeper"""
+        raise NotImplementedError(\
+            self.__init__.__doc__.replace('\n       ',''))
+    def getPermissions(self, role):
+        """Derived method should return the permissions for the given resource
+        role.  Format is a tuple e.g.
+        ('r', 'w', 'x'): read, write and execute permission granted for this
+                         role
+        ():              access denied
+        ('r',):          read only access
+        ('r', 'x'):      read and execute permission granted
+        This method is needed for the interface to the Gatekeeper class"""
+        raise NotImplementedError(
+            self.__getPermissions.__doc__.replace('\n       ',''))
+    def readAccess(self, role):
+        """Derived method should return the role for read access to the
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.readAccess.__doc__.replace('\n       ',''))
+    def writeAccess(self, role):
+        """Derived method should return the role for write access to the
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.writeAccess.__doc__.replace('\n       ',''))
+    def executeAccess(self, role):
+        """Derived method should return the role for execute access to the
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.executeAccess.__doc__.replace('\n       ',''))
+class tmp:
+    #_________________________________________________________________________
+    def __call__(self, input):
+        """Get the permissions for the input file, list of roles or
+        Attribute Certificate containing roles.  A Dictionary of permissions
+        are returned indexed by role name.  Permissions are expressed as a
+        tuple containing the relevant permissions flags e.g. ('r', 'w', 'x')
+        for read/write/execute permission or e.g. ('x') for exceute only
+        permission"""
+        roleList = self.__formatInput(input)
+        return dict([(role, self.__pdpObj.getPermissions(role)) \
+                     for role in roleList])
+    getPermissions = __call__
+    def __formatInput(self, input):
+        """Convert generic input into a list of roles - use with access
+        routines"""
+        if isinstance(input, list):
+            # Input is list of roles
+            return input
+        elif isinstance(input, basestring):
+            # Input is a role
+            return [input]
+        elif isinstance(input, AttCert):
+            # Input is an Attribute Certificate
+            # Check signature of AttCert
+            try:
+                input.isValid(raiseExcep=True,
+                              certFilePathList=self.__prop['caCertFilePath'])
+            except Exception, e:
+                raise PEPError, "Access denied for input: %s" % str(e)
+            return input.roles
+        else:
+            raise PEPError("Input must be a role, role list or " + \
+                                  "Attribute Certificate type")
+    #_________________________________________________________________________
+    def readAccess(self, input):
+        """Determine read access permitted against the given
+        input role/role list or Attribute Certificate roles
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        roleList = self.__formatInput(input)
+        return dict([(role, self.__pdpObj.readAccess(role)) \
+                     for role in roleList])
+    #_________________________________________________________________________
+    def writeAccess(self, input):
+        """Determine write access permitted against the given
+        input role/role list or Attribute Certificate roles
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        roleList = self.__formatInput(input)
+        return dict([(role, self.__pdpObj.writeAccess(role)) \
+                     for role in roleList])
+    #_________________________________________________________________________
+    def executeAccess(self, input):
+        """Determine execute access permitted against the given
+        input role/role list or Attribute Certificate roles
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        roleList = self.__formatInput(input)
+        return dict([(role, self.__pdpObj.executeAccess(role)) \
+                     for role in roleList])
+"""NDG Policy Decision Point for NDG Browse - access constraints for a
+resource are determined from MOLES access constraints in the data
+NERC Data Grid Project
+"""
+__author__ = "P J Kershaw"
+__date__ = "04/04/08"
+__copyright__ = "(C) 200* STFC & NERC"
+__contact__ = "P.J.Kershaw@rl.ac.uk"
+__license__ = \
+"""This software may be distributed under the terms of the Q Public
+License, version 1.0 or later."""
+__contact__ = "P.J.Kershaw@rl.ac.uk"
+__revision__ = "$Id:gatekeeper.py 3079 2007-11-30 09:39:46Z pjkersha $"
+import logging
+log = logging.getLogger(__name__)
 import sys # tracefile config param may be set to e.g. sys.stderr
 import urllib2
 import socket
+from ndg.security.common.authz.pdp import PDPInterface, PDPError, \
+    PDPUserAccessDenied, PDPUserNotLoggedIn, PDPMissingResourceConstraints
 from ndg.security.common.SessionMgr import SessionMgrClient, SessionNotFound,\
     SessionCertTimeError, SessionExpired, InvalidSession, \
+    AttributeRequestDenied
+def HandleSecurity(*args):
+    return PullModelHandler(*args)()
+class URLCannotBeOpened(Exception):
+    AttributeRequestDenied
+class InvalidAttributeCertificate(PDPError):
+    "The certificate containing authorisation roles is invalid"
+    def __init__(self, msg=InvalidAttributeCertificate.__doc__):
+        PDPError.__init__(msg)
+class SessionExpiredMsg(PDPError):
+    'Session has expired.  Please re-login'
+    def __init__(self, msg=SessionExpiredMsg.__doc__):
+        PDPError.__init__(msg)
+class InvalidSessionMsg(PDPError):
+    'Session is invalid.  Please try re-login'
+    def __init__(self, msg=InvalidSessionMsg.__doc__):
+        PDPError.__init__(msg)
+class InitSessionCtxError(PDPError):
+    'A problem occured initialising a session connection'
+    def __init__(self, msg=InvalidSessionMsg.__doc__):
+        PDPError.__init__(msg)
+class AttributeCertificateRequestError(PDPError):
+    'A problem occured requesting a certificate containing authorisation roles'
+    def __init__(self, msg=InvalidSessionMsg.__doc__):
+        PDPError.__init__(msg)
+class URLCannotBeOpened(PDPError):
     """Raise from canURLBeOpened PullModelHandler class method
     if URL is invalid - this method is used to check the AA
     service"""
+class PullModelHandler(object):
+    """Make access control decision based on CSML constraint and user security
+    token"""
+    AccessAllowedMsg = "Access Allowed"
+    InvalidAttributeCertificate = \
+            "The certificate containing your authorisation roles is invalid"
+    NotLoggedInMsg = 'Not Logged in'
+    SessionExpiredMsg = 'Session has expired.  Please re-login'
+    InvalidSessionMsg = 'Session is invalid.  Please try re-login'
+    InvalidSecurityCondition = 'Invalid Security Condition'
+    def __init__(self, uri, securityElement, securityTokens):
+class MolesPDP(PDPInterface):
+    """Make access control decision based on a MOLES access constraint
+    (applies to CSML too) and user security token"""
+    molesXPathQueryPfx = \
+'{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}'
+    roleXPathQuery = molesXPathQueryPfx + 'attrauthRole'
+    roleXPathQuery = molesXPathQueryPfx + 'dgAttributeAuthority'
+    defParam = {'aaURI': '',
+                'sslCACertFilePathList': [],
+                'tracefile': '',
+                'acCACertFilePathList': [],
+                'acIssuer': ''}
+    def __init__(self, cfgFilePath=None, **cfgKw):
         """Initialise settings for WS-Security and SSL for SOAP
         call to Session Manager
 …
         </moles:simpleCondition>
         NB: xmlns:moles="http://ndg.nerc.ac.uk/moles
+        @type: pylons.session
+        @param securityTokens: dict-like session object containing security
+        tokens"""
+        self.uri = uri
+        self.securityElement = securityElement
+        self.securityTokens = securityTokens
+    def __call__(self, **kw):
+        """Convenience wrapper for checkAccess"""
+        return self.checkAccess(**kw)
+    def checkAccess(self,
+                    uri=None,
+                    securityElement=None,
+                    securityTokens=None):
+        """
+        self.cfgFilePath = cfgFilePath
+        self.resrcURI = None
+        self.securityElement = None
+        self.userHandle = None
+        # Set from config file
+        if cfgFilePath:
+            self._readConfig()
+        # Separate keywords into PDP and WS-Security specific items
+        paramNames = cfgKw.keys()
+        for paramName in paramNames:
+            if paramName in NDGBrowsePDP.defParam:
+                # Keywords are deleted as they are set
+                setattr(self, paramName, cfgKw.pop('paramName'))
+        # Remaining keys must be for WS-Security config
+        self.wssCfg = cfgKw
+    def _readConfig(self, section='DEFAULT'):
+        '''Read PDP configuration file'''
+        cfg = SafeConfigParser()
+        cfg.read(self.cfgFilePath)
+        # Copy directly into attribute of this object
+        for paramName, paramVal in PEP.defParam.items():
+            if isinstance(paramVal, list):
+                paramListVal = expVars(cfg(section, paramName)).split()
+                setattr(self, paramName, paramListVal)
+            else:
+                setattr(self, paramName, expVars(cfg(section, paramName)))
+    def accessPermitted(self, resrcHandle, userHandle, accessType=None):
         """Make an access control decision based on whether the user is
         authenticated and has the required roles
+        @type resrcHandle: dict
+        @param resrcHandle: dict 'uri' = resource URI, 'securityElement' =
+        ElementTree type MOLES security Element
+        @type userHandle: dict
+        @param userHandle: dict with keys 'sid' = user session ID,
+        'h' = Session Manager URI
+        @type accessType: -
+        @param accessType: not implemented - logs a warning if set
+        @rtype: bool
+        @return: True if access permitted; False if denied or else raise
+        an Exception
         @type uri: string
 …
         @type: pylons.session
         @param securityTokens: dict-like session object containing security
+        @param userHandle: dict-like session object containing security
         tokens.  Resets equivalent object attribute."""
+        # tokens and element may be set from __init__ or as args to this
+        # method.  If the latter copy them into self
+        if uri:
+            self.uri = uri
+        if securityTokens:
+            self.securityTokens = securityTokens
+        if securityElement:
+            self.securityElement=securityElement
+        # Check self.securityTokens - if not set then the user mustn't be
+        # logged in.  This situation is possible if a user has been denied
+        # access to data and then tried to logout - after log out they are
+        # redirected back to the page where they tried accessing data but this
+        # time they will have no security credential set
+        if not self.securityTokens:
+            # Try to recover and do something sensible
+            #
+            # TODO: this adds insult to injury if the person has just been
+            # denied access to data.  Instead do a redirect back to the
+            # discovery page?
+            # P J Kershaw 10/08/07
+            log.info("Exiting from PEP: user is not logged in")
+            return False, self.__class__.NotLoggedInMsg
+        xpathr='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}attrauthRole'
+        xpathaa='{http://ndg.nerc.ac.uk/moles}simpleCondition/{http://ndg.nerc.ac.uk/moles}dgAttributeAuthority'
+        roleE,aaE=self.securityElement.find(xpathr),self.securityElement.find(xpathaa)
+        if roleE is None:
+            log.error("PEP: role not found in dataset element: %s" % \
+                      self.securityElement)
+            return False, self.__class__.InvalidSecurityCondition
+        self.reqRole=roleE.text
+        # Check Attribute Authority address
+        try:
+            PullModelHandler.urlCanBeOpened(aaE.text)
+        except (URLCannotBeOpened, AttributeError):
+            # Catch situation where either Attribute Authority address in the
+            # data invalid or none was set.  In this situation verify
+            # against the Attribute Authority set in the config
+            log.info('PEP: Attribute Authority address is invalid ' + \
+                     'in data "%s" - defaulting to config file setting' % \
+                     self.securityElement)
+            self.reqAAURI = g.securityCfg.aaURI
+        # Create Session Manager client
+        self.smClnt = SessionMgrClient(uri=self.securityTokens['h'],
+                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
+                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
+                    signingCertFilePath=g.securityCfg.wssCertFilePath,
+                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
+                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
+                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
+                    tracefile=g.securityCfg.tracefile)
+        return self.__pullSessionAttCert()
+    def __pullSessionAttCert(self):
+        # Resource handle contains URI and ElementTree resource security
+        # element
+        try:
+            self.resrcURI = resrcHandle['uri']
+            self.securityElement = resrcHandle['securityElement']
+        except KeyError, e:
+            log.error("Resource handle missing key %s" % e)
+            raise PDPMissingResourceConstraints()
+        # User handle contains 'h' = Session Manager URI and 'sid' user
+        # Session ID
+        try:
+            self.smURI = userHandle['h']
+            self.userSessID = userHandle['sid']
+        except KeyError, e:
+            log.error("User handle missing key %s" % e)
+            raise PDPUserNotLoggedIn()
+        roleElem = self.securityElement.find(NDGBrowsePDP.roleXPathQuery)
+        if roleElem is None or not roleElem.text:
+            log.error("PDP: role not set in MOLES security " + \
+                      "constraints")
+            raise PDPMissingResourceConstraints()
+        self.reqRole = roleElem.text
+        aaElem = self.securityElement.find(NDGBrowsePDP.aaXPathQuery)
+        # Sanity check on Attribute Authority URI
+        if aaElem and aaElem.text:
+            aaURI = aaElem.text
+            # Check Attribute Authority address
+            try:
+                NDGBrowsePDP.urlCanBeOpened(aaURI)
+            except URLCannotBeOpened, e:
+                # Catch situation where either Attribute Authority address in the
+                # data invalid or none was set.  In this situation verify
+                # against the Attribute Authority set in the config
+                log.warning('PDP: MOLES security constraint ' + \
+                            'Attribute Authority address is invalid - ' + \
+                            'defaulting to config file setting: %s; ' % \
+                            self.aaURI + \
+                            'error message is: %s' % e)
+                aaURI = self.aaURI
+        else:
+            log.warning("PDP: Attribute Authority element not " + \
+                        "set in MOLES security constraints - defaulting " + \
+                        "to config file setting: %s" % self.aaURI)
+            aaURI = self.aaURI
+        # Retrieve Attirbute Certificate from user's session held by
+        # Session Manager
+        attCert = self._pullUserSessionAttCert(aaURI)
+        # Check its validity
+        self._checkAttCert(attCert)
+        log.info('PDP - access granted for user "%s" ' % \
+                 attCert.userId + \
+                 'to "%s" secured with role "%s" ' % \
+                 (self.resrcURI, self.reqRole) + \
+                 'using attribute certificate:\n\n%s' % attCert)
+    def _pullUserSessionAttCert(self, aaURI):
         """Check to see if the Session Manager can deliver an Attribute
         Certificate with the required role to gain access to the resource
+        in question"""
+        in question
+        @type aaURI: string
+        @param aaURI: address of Attribute Authority that the Session Manager
+        will call in order to request an AC on behalf of the user"""
+        try:
+            # Create Session Manager client
+            self.smClnt = SessionMgrClient(uri=self.smURI,
+                            cfgfilePath=self.cfgFilePath,
+                            sslCACertFilePathList=self.sslCACertFilePathList,
+                            tracefile=self.tracefile,
+                            **self.wssCfg)
+        except Exception, e:
+            log.error("PDP: creating Session Manager client: %s"%e)
+            raise InitSessionCtxError()
         try:
             # Make request for attribute certificate
+            attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
+                                         sessID=self.securityTokens['sid'],
+                                         reqRole=self.reqRole)
+            attCert = self.smClnt.getAttCert(attAuthorityURI=aaURI,
+                                             sessID=self.userSessID,
+                                             reqRole=self.reqRole)
+            return attCert
         except AttributeRequestDenied, e:
             log.info(\
                 "PEP - request for attribute certificate denied: %s"%e)
             return False, str(e)
+            "PDP -request for attribute certificate denied: %s" % e)
+            raise PDPUserAccessDenied()
         except SessionNotFound, e:
             log.info("PEP - no session found: %s" % e)
             return False, self.__class__.NotLoggedInMsg
+            log.info("PDP -no session found: %s" % e)
+            raise PDPUserNotLoggedIn()
         except SessionExpired, e:
             log.info("PEP - session expired: %s" % e)
             return False, self.__class__.SessionExpiredMsg
+            log.info("PDP -session expired: %s" % e)
+            raise InvalidSessionMsg()
         except SessionCertTimeError, e:
             log.info("PEP - session cert. time error: %s" % e)
             return False, self.__class__.InvalidSessionMsg
+            log.info("PDP -session cert. time error: %s" % e)
+            raise InvalidSessionMsg()
         except InvalidSession, e:
             log.info("PEP - invalid user session: %s" % e)
             return False, self.__class__.InvalidSessionMsg
+            log.info("PDP -invalid user session: %s" % e)
+            raise InvalidSessionMsg()
         except Exception, e:
+            raise GateKeeperError, "PEP request for attribute certificate: "+\
+                            str(e)
+        # Check attribute certificate is valid
+        attCert.certFilePathList = g.securityCfg.acCACertFilePathList
+        attCert.isValid(raiseExcep=True)
+            log.error("PDP request for attribute certificate: %s" % e)
+            raise AttributeCertificateRequestError()
+    def _checkAttCert(self, attCert):
+        '''Check attribute certificate is valid
+        @type attCert: ndg.security.common.AttCert.AttCert
+        @param attCert: attribute certificate to be check for validity'''
+        attCert.certFilePathList = self.acCACertFilePathList
+        try:
+            attCert.isValid(raiseExcep=True)
+        except Exception, e:
+            log.error("Attribute Certificate: %s" % e)
+            raise InvalidAttributeCertificate()
         # Check it's issuer is as expected
         if attCert.issuer != g.securityCfg.acIssuer:
             log.info('PEP - access denied: Attribute Certificate ' + \
+            log.info('PDP -access denied: Attribute Certificate ' + \
                 'issuer DN, "%s" ' % attCert.issuer + \
                 'must match this data provider\'s Attribute Authority ' + \
                 'DN: "%s"' % g.securityCfg.acIssuer)
+            return False, self.__class__.InvalidAttributeCertificate
+        log.info('PEP - access granted for user "%s" '%attCert.userId+\
+                 'to "%s" secured with role "%s" ' % (self.uri,self.reqRole)+\
+                 'using attribute certificate:\n\n%s' % attCert)
+        return True, self.__class__.AccessAllowedMsg
+            raise InvalidAttributeCertificate()
     @classmethod
 …
                urllib2.urlopen(url)
            except (urllib2.HTTPError, urllib2.URLError,
                    socket.error, socket.sslerror):
+                   socket.error, socket.sslerror, AttributeError):
                if raiseExcep:
                    raise URLCannotBeOpened
+                   raise URLCannotBeOpened()
            found = True
 …
        return found
+class SecurityConfigError(Exception):
+    """Handle errors from parsing security config items"""
+class SecurityConfig(object):
+    """Get Security related parameters from the Pylons NDG config file"""
+    def parse(self, cfg, section='NDG_SECURITY'):
+        '''Get PKI settings for Attribute Authority and Session Manager from
+        the configuration file
+        @type cfg: ConfigParser object
+        @param cfg: reference to configuration file.'''
+        tracefileExpr = cfg.get(section, 'tracefile')
+        if tracefileExpr:
+            self.tracefile = eval(tracefileExpr)
+        self.smURI = cfg.get(section, 'sessionMgrURI')
+        self.aaURI = cfg.get(section, 'attAuthorityURI')
+        try:
+            self.wssCACertFilePathList = \
+                cfg.get(section, 'wssCACertFilePathList').split()
+        except AttributeError:
+            raise SecurityConfigError, \
+                                'No "wssCACertFilePathList" security setting'
+        # Attribute Certificate Issuer
+        self.acIssuer = cfg.get(section, 'acIssuer')
+        # verification of X.509 cert back to CA
+        try:
+            self.acCACertFilePathList = cfg.get(section,
+                                            'acCACertFilePathList').split()
+        except AttributeError:
+            raise SecurityConfigError, \
+                                'No "acCACertFilePathList" security setting'
+    def __repr__(self):
+        return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \
+                if k[:2] != "__"])
+def makeDecision(resrcHandle, userHandle, accessType=None, **kw):
+    '''One call Wrapper interface to PDP'''
+    return NDGBrowsePDP(**kw)(resrcHandle, userHandle)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pep.py

-                      r3759
+                      r3765
                             'Keyword "%s" is not a valid config parameter"' % \
                             paramName)
             setattr(self, paramName, expVars(self._cfg(section, paramName)))
+            setattr(self, paramName, expVars(prop['paramName']))
         paramFound = [param for paramName in PEP.defParam \
 …
     accessPermitted = __call__
-class PDPInterface(object):
-    """PEP (Gatekeeper) interface to a Policy Decision Point
-    PDPs must adhere to this interface by subclassing from it"""
-    def __init__(self, cfgFilePath):
-        "__init__ should accept a config file path as its arg"
-        raise NotImplementedError("%s\n%s" % (PDPInterface.__doc__,
-                                              PDPInterface.__init__.__doc__))
-    def accessPermitted(selfresrcHandle, userHandle, accessType, *arg, **kw):
-        """Make an Access control decision with this behaviour:
-        @type resrcHandle: any - determined by derived class PDP
-        @param resrcHandle: a handle to the resource to make access decision
-        for.  This could be for example a resource ID string, or a dict or
-        other object to hold resource information required by the PDP
-        @type userHandle: any - determined by derived class PDP
-        @param userHandle: a handle to the user requesting access.
-        e.g. a user ID, an attribute certificate or a handle to a service
-        which can be interrogated to get the required information
-        @type accessType: any - determined by derived class PDP
-        @param accessType: the type of access being requested e.g. read,
-        read/write, put etc.
-        @rtype: bool
-        @return: True if access permitted; False if denied or else raise
-        an Exception
-        Nb.
-        *arg and **kw are included to enable further customisation,
-        resrcHandle, userHandle and accessType are merely indicators.
-        The alias to this method 'accessPermitted'"""
-        raise NotImplementedError("%s\n%s" % (PDPInterface.__doc__,
-                                    PDPInterface.accessPermitted.__doc__))
-        return False

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 3765 for TI12-security

Legend:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pdp.py

TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/pep.py

Download in other formats: