Changeset 3892

Timestamp:

13/05/08 09:14:41 (11 years ago)

Author:

pjkersha

Message:

• Big changes enabling modularised security from Discovery/Browse? Pylons code stack. Changes are for login only and don't include the Gatekeeper yet.
• Updates to OpenID AuthKit? test code to enable kid templates.

ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

• include client in ndg.security.client.cfg class for globals - needed for server/sslServer config settings for SSO Client BaseController?
• read WS-Security settings using ndg.security.common.wssecurity.WSSecurityConfig

ndg.security.server/ndg/security/server/sso/sso/controllers/login.py,
ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py:

• Give specific alias for kid templates to enable a separate security templates dir to ows_server

ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py:

• ditto to above
• fix to URL input into base 64 encode - convert from unicode to regular string as otherwise b64 code will fail

ndg.security.server/ndg/security/server/sso/sso/lib/base.py:

• Provide full path to sso.* imports so that controllers can be imported across into ows_server or any other pylons code stack.
• LoginServiceQuery? -> SSOServiceQuery

ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid:

• got rid of login status info - it's confusing to the user

ndg.security.client/ndg/security/client/ssoclient/ssoClient.cfg:

• added tracefile option for ZSI SOAP i/o display

ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.py:

• SSOMiddleware interface changed to enable reading direct from an existing config object as well as from file

ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.py:

• fixes for full path import statements + correct g config attr settings

ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.py:

• enable processing of logout response from a separate SSO Service - logout flag in URL arg tells base controller to delete the security details from the cookie.

ndg.security.client/ndg/security/client/ssoclient/ssoclient/templates/ndg/security/ndgPage.kid: typo fix

Tests/authtest/development.ini,
Tests/authtest/authtest/config/environment.py,
Tests/authtest/authtest/controllers/auth.py:

• enable kid template for OpenID signin

Tests/authtest/authtest/tests/functional/test_test2.py,
Tests/authtest/authtest/controllers/test2.py: test controller

ndg.security.common/ndg/security/common/wssecurity/init.py:

• enable initialisation from an existing config file object

ndg.security.common/ndg/security/common/pylons/security_util.py:

• rename LoginServiceQuery? -> SSOServiceQuery

ndg.security.common/ndg/security/common/init.py: fix to imports

ndg.security.common/ndg/security/common/wsSecurity.py: fix for altered WSSecurityConfig interface

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py:

• fix to HostCheck?.call - check for peerCert is None when peer tries http instead of https

Location:

TI12-security/trunk/python

Files:

• Tests/authtest/authtest/config/environment.py (modified) (2 diffs)
• Tests/authtest/authtest/controllers/auth.py (modified) (1 diff)
• Tests/authtest/authtest/controllers/test2.py (added)
• Tests/authtest/authtest/tests/functional/test_test2.py (added)
• Tests/authtest/development.ini (modified) (1 diff)
• ndg.security.client/ndg/security/client/ssoclient/ssoClient.cfg (modified) (1 diff)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/__init__.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/__init__.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.py (modified) (3 diffs)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/__init__.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.py (modified) (4 diffs)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/__init__.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.py (modified) (5 diffs)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/helpers.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/templates/ndg/security/ndgPage.kid (modified) (1 diff)
• ndg.security.common/ndg/security/common/__init__.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py (modified) (5 diffs)
• ndg.security.common/ndg/security/common/pylons/security_util.py (modified) (3 diffs)
• ndg.security.common/ndg/security/common/wsSecurity.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/wssecurity/__init__.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py (modified) (5 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (16 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py (modified) (5 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/base.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/error.kid (added)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid (modified) (1 diff)

TI12-security/trunk/python/Tests/authtest/authtest/config/environment.py

@@ -21 +21 @@
     # Initialize config with the basic options
     config.init_app(global_conf, app_conf, package='authtest',
-                    template_engine='mako', paths=paths)
+                    #template_engine='mako', 
+                    template_engine='kid', 
+                    paths=paths)
 
     config['routes.map'] = make_map()
@@ -32 +34 @@
     # CONFIGURATION OPTIONS HERE (note: all config options will override
     # any Pylons config options)
+#    kidopts = {'kid.assume_encoding':'utf-8', 'kid.encoding':'utf-8'}
+#    config.add_template_engine('kid', 'authtest.templates', kidopts)
+

TI12-security/trunk/python/Tests/authtest/authtest/controllers/auth.py

@@ -36 +36 @@
     def signout(self):
         return Response("Successfully signed out!")
+    
+    def testkid(self):
+        return render('signin')

TI12-security/trunk/python/Tests/authtest/development.ini

@@ -56 +56 @@
 authkit.openid.baseurl = http://localhost:5000
 
+# Template for signin
+authkit.openid.template.obj = authtest.lib.template:make_template
+
 # Logging configuration
 [loggers]

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoClient.cfg

@@ -16 +16 @@
 server:                 http://localhost/ssoClient
 wayfURI:                https://localhost/sso/wayf
-# Use Client side logout instead
-#logoutURI:             https://localhost/sso/logout
+
+# File object to direct SOAP trace to.  Leave blank or set to None for no trace
+tracefile:              sys.stderr
 layout:         %(server)s/layout/
 icondir:        %(server)s/layout/icons/

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.py

@@ -18 +18 @@
 class SSOMiddleware(object):
     
-    def __init__(self, app, cfgFilePath, appGlobals):
+    def __init__(self, app, cfg, appGlobals, **kw):
         
         log.debug("SSOMiddleware.__init__ ...")
         self.app = app
-        ndg.security.client.ssoclient.cfg = SSOClientConfig(cfgFilePath)
-        ndg.security.client.ssoclient.cfg.read()
+
+        ndg.security.client.ssoclient.cfg = SSOClientConfig(cfg, **kw)
         appGlobals.ndg = ndg
 
@@ -40 +40 @@
     """Get Security related parameters from the Pylons NDG config file"""
 
-    def __init__(self, cfgFilePath=None):
-        '''Get PKI settings for Attribute Authority and Session Manager from
-        the configuration file
+    def __init__(self, cfg=None, **parseKw):
+        '''Get settings for Single Sign On client'''
+        
+        if isinstance(cfg, basestring):
+            # Assume file path to be read
+            self.read(cfg)
+        else:
+            # Assume existing config type object
+            self.cfg = cfg
+
+        if self.cfg:
+            self.parse(**parseKw)
+            
+    def read(self, cfgFilePath):
+        '''Read config file into SafeConfigParser instance
         
         @type cfgFilePath: pylons config file object
-        @param cfgFilePath: reference to NDG configuration file.  If omitted 
-        defaults to request.environ['ndgConfig']'''
-        
-        self.cfgFilePath = cfgFilePath
-
-    def read(self):
-        '''Read content of config file into object'''
-        cfg = ConfigParser()
-        cfg.read(self.cfgFilePath)
+        @param cfgFilePath: reference to NDG configuration file.'''
+        self.cfg = ConfigParser()
+        self.cfg.read(cfgFilePath)
+ 
+    def parse(self, defSection='DEFAULT', layoutSection='layout'):
+        '''Extract content of config file object into self'''
+       
         # Hostname
-        self.server=cfg.get('DEFAULT', 'server', '')
+        self.server=self.cfg.get(defSection, 'server')
 
         # For secure connections
-        self.sslServer = cfg.get('DEFAULT', 'sslServer', '')
+        self.sslServer = self.cfg.get(defSection, 'sslServer')
                       
         # Where Are You From URI - defaults to server root if not set in
         # config - i.e. assumes same host as client 
-        if cfg.has_option('DEFAULT', 'wayfURI'):        
-            self.wayfuri = cfg.get('DEFAULT','wayfURI','')
+        if self.cfg.has_option(defSection, 'wayfURI'):        
+            self.wayfuri = self.cfg.get(defSection, 'wayfURI')
         else:
             self.wayfuri = '%s/wayf' % self.server
@@ -69 +79 @@
         # Logout URI can reside on this server or somewhere else determined by
         # the logout config file setting
-        if cfg.has_option('DEFAULT', 'logoutURI'):        
-            self.logoutURI = cfg.get('DEFAULT','logoutURI','')
+        if self.cfg.has_option(defSection, 'logoutURI'):        
+            self.logoutURI = self.cfg.get(defSection, 'logoutURI')
         else:
             self.logoutURI = '%s/logout' % self.server
-
-        self.localLink=cfg.get('layout', 'localLink', None)
-        self.localImage=cfg.get('layout', 'localImage', None)
-        self.localAlt=cfg.get('layout', 'localAlt', 'Visit Local Site')
-        self.ndgLink=cfg.get('layout', 'ndgLink', 'http://ndg.nerc.ac.uk')
-        self.ndgImage=cfg.get('layout', 'ndgImage', None)
-        self.ndgAlt=cfg.get('layout', 'ndgAlt','Visit NDG')
-        self.stfcLink=cfg.get('layout', 'stfcLink')
-        self.stfcImage=cfg.get('layout', 'stfcImage')
-        self.helpIcon=cfg.get('layout', 'helpIcon')
-        self.LeftAlt=cfg.get('layout', 'HdrLeftAlt')
-        self.LeftLogo=cfg.get('layout', 'HdrLeftLogo')
+            
+        self.localLink=self.cfg.get(layoutSection, 'localLink', None)
+        self.localImage=self.cfg.get(layoutSection, 'localImage', None)
+        self.localAlt=self.cfg.get(layoutSection, 'localAlt', 'Visit Local Site')
+        self.ndgLink=self.cfg.get(layoutSection, 'ndgLink', 'http://ndg.nerc.ac.uk')
+        self.ndgImage=self.cfg.get(layoutSection, 'ndgImage', None)
+        self.ndgAlt=self.cfg.get(layoutSection, 'ndgAlt','Visit NDG')
+        self.stfcLink=self.cfg.get(layoutSection, 'stfcLink')
+        self.stfcImage=self.cfg.get(layoutSection, 'stfcImage')
+        self.helpIcon=self.cfg.get(layoutSection, 'helpIcon')
+        self.LeftAlt=self.cfg.get(layoutSection, 'HdrLeftAlt')
+        self.LeftLogo=self.cfg.get(layoutSection, 'HdrLeftLogo')
         self.pageLogo="bodcHdr"
-        self.icons_xml=cfg.get('layout','Xicon')
-        self.icons_plot=cfg.get('layout','plot')
-        self.icons_prn=cfg.get('layout', 'printer')
+        self.icons_xml=self.cfg.get(layoutSection,'Xicon')
+        self.icons_plot=self.cfg.get(layoutSection,'plot')
+        self.icons_prn=self.cfg.get(layoutSection, 'printer')
         
-        self.disclaimer = cfg.get('DEFAULT', 'disclaimer')
+        self.disclaimer = self.cfg.get(defSection, 'disclaimer')
    
         # TODO: re-include security settings to enable logout via Session

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.py

@@ -1 @@
-from ssoclient.lib.base import *
+from ndg.security.client.ssoclient.ssoclient.lib.base import *
 
 log = logging.getLogger(__name__)
@@ -22 +22 @@
         '''Logout - remove session from Session Manager tidy up cookie'''
 
-        log.info("LogoutController.index ...")
+        log.debug("LogoutController.index ...")
         
 
@@ -33 +33 @@
             smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
                     tracefile=g.ndg.security.client.ssoclient.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)       
+                    **g.ndg.security.client.ssoclient.cfg.wss)       
         except Exception, e:
             log.error("logout - creating Session Manager client: %s" % e)
@@ -53 +53 @@
     def _cleanupAndRedirect(self):
         """Remove security session and call _redirect"""
+        log.debug("LogoutController._cleanupAndRedirect...")
+        
         try:
             # easy to kill our cookie

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.py

@@ -11 +11 @@
 from pylons.templating import render
 
-import ssoclient.lib.helpers as h
-import ssoclient.model as model
+import ndg.security.client.ssoclient.ssoclient.lib.helpers as h
+import ndg.security.client.ssoclient.ssoclient.model as model
 
 import urllib
@@ -19 +19 @@
 
 from ndg.security.common.pylons.security_util import setSecuritySession, \
-    LoginServiceQuery
+    SSOServiceQuery, SecuritySession
 
 import logging
@@ -51 +51 @@
             
             log.debug('Switching from https to http...')
-            returnToURL = g.ndg.security.client.ssoclient.cfg.server + self.pathInfo
+            returnToURL = g.ndg.security.client.ssoclient.cfg.server + \
+                self.pathInfo
 
-            # Re-construct the URL removing the security related arguments
-            qs = LoginServiceQuery.stripFromURI()
+            # Reconstruct the URL removing the security related arguments
+            qs = SSOServiceQuery.stripFromURI()
             if qs:
                 returnToURL += "?" + qs
-                
+               
             log.debug('URL transport switched to http: "%s"' % returnToURL)
             h.redirect_to(returnToURL)
-                        
+            
+        elif 'logout' in request.params:
+            # Request comes from a successful logout call.  Clean up any
+            # security cookies in this domain
+            log.debug("Removing security details following logout ...")
+
+            returnToURL = g.ndg.security.client.ssoclient.cfg.server + \
+                self.pathInfo
+                
+            # Reconstruct the URL removing the logout flag argument
+            qs = SSOServiceQuery.stripFromURI('logout')
+            if qs:
+                returnToURL += "?" + qs
+            
+            # Delete security session cookie details
+            SecuritySession.delete()
+            
+            # Redirect to cleaned up URL
+            h.redirect_to(returnToURL)
+                         
+                         
     def __call__(self, environ, start_response):        
         # Insert any code to be run per request here. The Routes match
@@ -71 +92 @@
         log.debug("environ = %s" % environ)
         log.debug("_"*80)
-        log.debug("start_response = %s" % start_response)
-        log.debug("_"*80)
         
         self.pathInfo = urllib.quote(environ.get('PATH_INFO', '')) 
@@ -78 +97 @@
         # construct URL picking up setting of server name from config to 
         # avoid exposing absolute URL hidden behind mod_proxy see #857 
-        c.requestURL = g.ndg.security.client.ssoclient.cfg.server + self.pathInfo
+        c.requestURL = g.ndg.security.client.ssoclient.cfg.server + \
+            self.pathInfo
         qs = '&'.join(["%s=%s" % item for item in request.params.items()])
         if qs:
             c.requestURL += '?' + qs
 
+        self._environ = environ
+        
         return WSGIController.__call__(self, environ, start_response)
     

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/templates/ndg/security/ndgPage.kid

@@ -97 +97 @@
             c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
             ?>
-        <form action="$g.ndg.security.client.ssoclie6nt.cfg.logoutURI">
+        <form action="$g.ndg.security.client.ssoclient.cfg.logoutURI">
             <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
             <input type="submit" value="Logout"/>

TI12-security/trunk/python/ndg.security.common/ndg/security/common/__init__.py

@@ -18 +18 @@
 # installation of SQLObject
 __all__ = [
+    'authz',
     'AttAuthority',
     'AttCert',
@@ -23 +24 @@
     'm2CryptoSSLUtility',
     'openssl',
-    'SessionCookie',
+    'sessionCookie',
     'SessionMgr',
     'wsSecurity',
     'X509',
-    'XMLSec'
+    'XMLSec',
+    'zsi_utils'
     ]

TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py

@@ -80 +80 @@
         @param host: name of host to check
         """
+        if peerCert is None:
+            raise SSL.Checker.NoCertificate(\
+                                        'SSL Peer did not return certificate')
+
         peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ', '/')
         try:
@@ -100 +104 @@
                            x509Cert2Verify=X509Cert(m2CryptoX509=peerCert))
             except Exception, e:
-                raise InvalidCertSignature, \
-                "Peer certificate verification against CA cert failed: %s" % e
+                raise InvalidCertSignature(
+                "Peer certificate verification against CA cert failed: %s" % e)
               
         # They match - drop the exception and return all OK instead          
@@ -129 +133 @@
         if not isinstance(caCertFilePathList, list) and \
            not isinstance(caCertFilePathList, tuple):
-            raise AttributeError, \
-                        'Expecting a list or tuple for "caCertFilePathList"'
+            raise AttributeError(
+                        'Expecting a list or tuple for "caCertFilePathList"')
 
         self.__caCertStack = X509Stack()
@@ -175 +179 @@
         if 'readTimeout' in kw:
             if not isinstance(readTimeout, SSL.timeout):
-                raise AttributeError, "readTimeout must be of type " + \
-                                      "M2Crypto.SSL.timeout" 
+                raise AttributeError("readTimeout must be of type " + \
+                                     "M2Crypto.SSL.timeout")
             self.readTimeout = readTimeout
             del kw['readTimeout']
@@ -184 +188 @@
         if 'writeTimeout' in kw:
             if not isinstance(writeTimeout, SSL.timeout):
-                raise AttributeError, "writeTimeout must be of type " + \
-                                      "M2Crypto.SSL.timeout" 
+                raise AttributeError("writeTimeout must be of type " + \
+                                     "M2Crypto.SSL.timeout") 
             self.writeTimeout = writeTimeout
             del kw['writeTimeout']

TI12-security/trunk/python/ndg.security.common/ndg/security/common/pylons/security_util.py

@@ -71 +71 @@
            
 class LoginServiceQueryError(Exception):
-    """Error handling for LoginServiceQuery - a class which handles the 
+    """Error handling for SSOServiceQuery - a class which handles the 
     parsing of security args in a HTTP GET request for the LoginService"""
     
-class LoginServiceQuery(object):
+class SSOServiceQuery(object):
     """Create query string containing security credentials.  This is used by
     the Identity Provider pass the credentials over a HTTP GET back to the 
@@ -124 +124 @@
         @return: URL query string with security args removed"""
         keys = params or cls.keys
-        return cls.argSep.join(['%s=%s' % (i, request.params[i]) \
-                                for i in request.params if i not in keys])
+        return str(cls.argSep.join(['%s=%s' % (i, request.params[i]) \
+                                for i in request.params if i not in keys]))
 
     @classmethod
@@ -151 +151 @@
 
         return keys
+
+# Backwards compatibility
+LoginServiceQuery = SSOServiceQuery
 
 # TODO: this could be used in the future to replace parts of BaseController.

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

@@ -254 +254 @@
         if cfgFilePath:
             log.debug("SignatureHandler.__init__: Processing config file...")
-            self.cfg.read(cfgFilePath, section=cfgFileSection)
+            self.cfg.read(cfgFilePath)
+            self.cfg.parse(section=cfgFileSection)
         
         # Also update config from keywords set 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py

@@ -45 +45 @@
     
     def __init__(self, cfg=SafeConfigParser()):
+        '''Initialise settings from an existing config file object or the
+        given path to config file
+        
+        @type cfg: SafeConfigParser or string
+        @param cfg: config object instance or file path to config file to be
+        parsed'''
+        
         dict.__init__(self)
-        self._cfg = cfg
         
         # Initialise parameters from ref in class var
         self._param = WSSecurityConfig.defParam.copy()
         
-
-    def read(self, *arg, **kw):
-        '''Read ConfigParser object but also set _param dict'''
+        if isinstance(cfg, basestring):
+            # Assume file path to be read
+            self.read(cfg)
+        else:
+            # Assume existing config type object
+            self._cfg = cfg
+        
+
+    def read(self, *arg):
+        '''Read ConfigParser object'''
+        self._cfg = SafeConfigParser()
         self._cfg.read(*arg)
-        
-        # This enables WS-Security params to be set in a config file with
-        # other sections e.g. params could be under the section 'wssecurity'
+
+
+    def parse(self, **kw):
+        '''Extract items from config file and place in dict
+        @type **kw: dict
+        @param **kw: this enables WS-Security params to be set in a config file
+        with other sections e.g. params could be under the section 'wssecurity'
+        '''
         if 'section' in kw:
             section = kw['section']

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

@@ -4 +4 @@
 P J Kershaw 18/03/08
 '''
+from os.path import expandvars as xpdvars
+import logging
+log = logging.getLogger(__name__)
 
 class ndg:
@@ -13 +16 @@
             class ssoservice:
                 cfg = None
+        class client:
+            '''Client class is also needed for BaseController handler to handle
+            responses from Single Sign On IdP'''
+            class ssoclient:
+                class cfg:
+                    '''Placeholder for server and sslServer attributes'''
 
 class SSOMiddleware:
-    
-    def __init__(self, app, cfgFilePath, appGlobals):
+            
+    def __init__(self, app, cfg, appGlobals, **kw):
+        log.debug("SSOMiddleware.__init__ ...")
         self.app = app
-        ndg.security.server.ssoservice.cfg = SecurityConfig(cfgFilePath)
-        ndg.security.server.ssoservice.cfg.read()
+        ndg.security.server.ssoservice.cfg = SSOServiceConfig(cfg, **kw)
+        
+        # Copy into client for the benefit of
+        # ndg.security.client.ssoclient.ssoclient.lib.base.BaseController
+        # used to process responses back from SSO IdP
+        ndg.security.client.ssoclient.cfg.server = \
+            ndg.security.server.ssoservice.cfg.server
+        ndg.security.client.ssoclient.cfg.sslServer = \
+            ndg.security.server.ssoservice.cfg.sslServer
+            
         appGlobals.ndg = ndg
           
     def __call__(self, environ, start_response):
         
-#        environ['securityConfig'] = self.config
         return self.app(environ, start_response)
 
@@ -32 +49 @@
 from ndg.security.common.wssecurity import WSSecurityConfig
 
-class SecurityConfigError(Exception):
+class SSOServiceConfigError(Exception):
     """Handle errors from parsing security config items"""
        
-class SecurityConfig(object):
+class SSOServiceConfig(object):
     """Get Security related parameters from the Pylons NDG config file"""
 
-    def __init__(self, cfgFilePath=None):
+    def __init__(self, cfg=None, **parseKw):
         '''Get PKI settings for Attribute Authority and Session Manager from
         the configuration file
         
-        @type cfgFilePath: pylons config file object
-        @param cfgFilePath: reference to NDG configuration file.  If omitted 
-        defaults to request.environ['ndgConfig']'''
+        @type cfg: config file object or string
+        @param cfg: reference to NDG configuration file or config file object
+        '''
         
-        self.cfgFilePath = cfgFilePath
-        self.gk = None
         self.wss = {}
         
-    def read(self):
+        if isinstance(cfg, basestring):
+            # Assume file path to be read
+            self.read(cfg)
+        else:
+            # Assume existing config type object
+            self.cfg = cfg
+
+        if self.cfg:
+            self.parse(**parseKw)
+
+        
+    def read(self, cfgFilePath):
         '''Read content of config file into object'''
-        cfg = ConfigParser()
-        cfg.read(self.cfgFilePath)
-       
-        tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile')
-        if tracefileExpr:
-            self.tracefile = eval(tracefileExpr)
+        self.cfg = ConfigParser()
+        self.cfg.read(cfgFilePath)
+ 
 
-        self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')        
-        self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI')
+    def parse(self, 
+              defSection='DEFAULT', 
+              layoutSection='layout',
+              wssSection='NDG_SECURITY.wssecurity'):
+        '''Extract content of config file object into self'''
+              
+        if self.cfg.has_option(defSection, 'tracefile'):        
+            self.tracefile = eval(self.cfg.get(defSection,'tracefile'))    
+        else:
+            self.tracefile = None
+            
+        self.smURI = self.cfg.get(defSection, 'sessionMgrURI')        
+        self.aaURI = self.cfg.get(defSection, 'attAuthorityURI')
         
         # ... for SSL connections to security web services
         try:
             self.sslCACertFilePathList = \
-            cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split()
+            xpdvars(self.cfg.get(defSection, 'sslCACertFilePathList')).split()
                 
         except AttributeError:
-            raise SecurityConfigError, \
+            raise SSOServiceConfigError, \
                         'No "sslCACertFilePathList" security setting'
 
-        self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN', None)
+        # If no separate WS-Security config file is set then read these params
+        # from the current config file
+        if self.cfg.has_option(defSection, 'wssCfgFilePath'):
+            path = self.cfg.get(defSection,'wssCfgFilePath', None) 
+            wssCfgFilePath = xpdvars(path)
+        else:
+            wssCfgFilePath = None
+            
+        wss = WSSecurityConfig(cfg=wssCfgFilePath or self.cfg)
+        wss.parse(section=wssSection)
 
-        wssCfgFilePath = cfg.get('NDG_SECURITY', 'wssCfgFilePath', None)
-        wss = WSSecurityConfig()
-        wss.read(wssCfgFilePath)
         
         # Cast to standard dict because WSSecurityConfig object can't be
@@ -81 +121 @@
         # TODO: check for cleaner solution - dict(wss)
         self.wss = dict(wss.items())
-        
-#        # ...and for WS-Security digital signature
-#        self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath')
-#        self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath')
-#        self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd')
-#
-#        try:
-#            self.wssCACertFilePathList = \
-#                cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split()
-#                
-#        except AttributeError:
-#            raise SecurityConfigError, \
-#                                'No "wssCACertFilePathList" security setting'
-#
-#        # Inclusive namespace prefixes for Exclusive C14N
-#        try:
-#            self.wssRefInclNS = cfg.get('NDG_SECURITY', 'wssRefInclNS').split()
-#                
-#        except AttributeError:
-#            raise SecurityConfigError, 'No "wssRefInclNS" security setting'
-#
-#        try:
-#            self.wssSignedInfoInclNS = cfg.get('NDG_SECURITY', 
-#                                               'wssSignedInfoInclNS').split()           
-#        except AttributeError:
-#            raise SecurityConfigError, \
-#                                    'No "wssSignedInfoInclNS" security setting'
 
         
@@ -113 +126 @@
         
         # Attribute Certificate Issuer
-        self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer')
+        self.acIssuer = self.cfg.get(defSection, 'acIssuer')
         
         # verification of X.509 cert back to CA
         try:
-            self.acCACertFilePathList = cfg.get('NDG_SECURITY', 
-                                            'acCACertFilePathList').split()          
+            self.acCACertFilePathList = xpdvars(self.cfg.get(defSection, 
+                                            'acCACertFilePathList')).split()          
         except AttributeError:
-            raise SecurityConfigError, \
-                                'No "acCACertFilePathList" security setting'
+            raise SSOServiceConfigError(
+                                'No "acCACertFilePathList" security setting')
 
         # Hostname
-        self.server=cfg.get('NDG_SECURITY', 'server', '')
+        self.server=self.cfg.get(defSection, 'server', '')
 
         # For secure connections
-        self.sslServer = cfg.get('NDG_SECURITY', 'sslServer', '')
+        self.sslServer = self.cfg.get(defSection, 'sslServer', '')
         
         # These URLs are referred from template files
         self.getCredentials = '%s/getCredentials' % self.sslServer       
-        self.logout = '%s/logout' % self.server
+        self.logoutURI = '%s/logout' % self.server
                       
         # Where Are You From URI          
         self.wayfuri='%s/wayf' % self.server
 
-        self.localLink=cfg.get('layout', 'localLink', None)
-        self.localImage=cfg.get('layout', 'localImage', None)
-        self.localAlt=cfg.get('layout', 'localAlt', 'Visit Local Site')
-        self.ndgLink=cfg.get('layout', 'ndgLink', 'http://ndg.nerc.ac.uk')
-        self.ndgImage=cfg.get('layout', 'ndgImage', None)
-        self.ndgAlt=cfg.get('layout', 'ndgAlt','Visit NDG')
-        self.stfcLink=cfg.get('layout', 'stfcLink')
-        self.stfcImage=cfg.get('layout', 'stfcImage')
-        self.helpIcon=cfg.get('layout', 'helpIcon')
-        self.LeftAlt=cfg.get('layout', 'HdrLeftAlt')
-        self.LeftLogo=cfg.get('layout', 'HdrLeftLogo')
+        self.localLink=self.cfg.get(layoutSection, 'localLink', None)
+        self.localImage=self.cfg.get(layoutSection, 'localImage', None)
+        self.localAlt=self.cfg.get(layoutSection, 'localAlt', 'Visit Local Site')
+        self.ndgLink=self.cfg.get(layoutSection, 'ndgLink', 'http://ndg.nerc.ac.uk')
+        self.ndgImage=self.cfg.get(layoutSection, 'ndgImage', None)
+        self.ndgAlt=self.cfg.get(layoutSection, 'ndgAlt','Visit NDG')
+        self.stfcLink=self.cfg.get(layoutSection, 'stfcLink')
+        self.stfcImage=self.cfg.get(layoutSection, 'stfcImage')
+        self.helpIcon=self.cfg.get(layoutSection, 'helpIcon')
+        self.LeftAlt=self.cfg.get(layoutSection, 'HdrLeftAlt')
+        self.LeftLogo=self.cfg.get(layoutSection, 'HdrLeftLogo')
         self.pageLogo="bodcHdr"
-        self.icons_xml=cfg.get('layout','Xicon')
-        self.icons_plot=cfg.get('layout','plot')
-        self.icons_prn=cfg.get('layout', 'printer')
+        self.icons_xml=self.cfg.get(layoutSection,'Xicon')
+        self.icons_plot=self.cfg.get(layoutSection,'plot')
+        self.icons_prn=self.cfg.get(layoutSection, 'printer')
         
-        self.disclaimer = cfg.get('DEFAULT', 'disclaimer')
+        self.disclaimer = self.cfg.get('DEFAULT', 'disclaimer')
             
             

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -1 +1 @@
 import logging
 
-from sso.lib.base import *
-from ndg.security.common.pylons.security_util import setSecuritySession, SecuritySession, \
-    LoginServiceQuery
+from ndg.security.server.sso.sso.lib.base import *
+from ndg.security.common.pylons.security_util import setSecuritySession, \
+    SecuritySession, SSOServiceQuery
 from ndg.security.common.AttAuthority import AttAuthorityClient
 from ndg.security.common.SessionMgr import SessionMgrClient, SessionExpired, \
@@ -27 +27 @@
         if 'ndgSec' not in session: 
             log.debug('No security session details found - offering login...')
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
         
         # Session is set in this domain - check it 
@@ -42 +42 @@
             SecuritySession.delete()
             response.status_code = 400
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
         
         # Check session status
@@ -55 +55 @@
             SecuritySession.delete()
             response.status_code = 400
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
    
         if bSessOK:
@@ -66 +66 @@
                       "from cookie and re-displaying login...")
             SecuritySession.delete()
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
 
 
@@ -79 +79 @@
         if 'username' not in request.params:
             log.debug("No username set - rendering login...")
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
         
         try:    
@@ -95 +95 @@
             log.error("Login: initialising SessionMgrClient: %s" % e)
             response.status_code = 400
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
         
         # Connect to Session Manager
@@ -107 +107 @@
             log.error("Session Manager connect returned: %s" % e)
             response.status_code = 401
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
         
         # Cache user attributes in Session Manager
@@ -119 +119 @@
             c.xml = "Session has expired, please re-login"
             response.status_code = 401
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
             
         except AttributeRequestDenied, e:
@@ -126 +126 @@
                     "account.  Please check with your site administrator."
             response.status_code = 401
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
             
         except Exception, e:
@@ -133 +133 @@
                     "your site administrator."
             response.status_code = 400
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')
 
         log.debug('Completing login...')
@@ -145 +145 @@
         session.save()
 
+        log.debug("session = %s" % session)
         log.info("user %s logged in with roles %s" % (session['ndgSec']['u'],
                                                   session['ndgSec']['roles']))
@@ -177 +178 @@
                 # details into the URL query string
                 if '?' in returnToURL:
-                    returnToURL += '&%s' % LoginServiceQuery()
+                    returnToURL += '&%s' % SSOServiceQuery()
                 else:
-                    returnToURL += '?%s' % LoginServiceQuery()
+                    returnToURL += '?%s' % SSOServiceQuery()
             
             # Check return-to address by examining peer cert
@@ -197 +198 @@
             "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \
                 (g.ndg.security.server.ssoservice.cfg.aaURI, requestServerDN))
-            hostCheck=HostCheck(acceptedDNs=requestServerDN,
-                    caCertFilePathList=g.ndg.security.server.ssoservice.cfg.sslCACertFilePathList)            
+            
+            hostCheck = HostCheck(acceptedDNs=requestServerDN,
+                                  caCertFilePathList=\
+                    g.ndg.security.server.ssoservice.cfg.sslCACertFilePathList)
+            
             testConnection = HTTPSConnection(returnToURLHostname, 
                                              None, 
@@ -213 +217 @@
   Please report this to your site administrator.""" % returnToURLHostname
                     response.status_code = 400
-                    return render('ndg.security.login')
+                    return render('ndg.security.kid', 'ndg.security.login')
             finally:    
                 testConnection.close()
@@ -225 +229 @@
         "LoginController._redirect: no redirect URL set - render login page")
             c.xml='Logged in'
-            return render('ndg.security.login')
+            return render('ndg.security.kid', 'ndg.security.login')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py

@@ -1 @@
-from sso.lib.base import *
+from ndg.security.server.sso.sso.lib.base import *
 from ndg.security.common.pylons.security_util import SecuritySession
 import logging
@@ -16 +16 @@
     '''
 
-    
     def index(self):
         '''Logout - remove session from Session Manager tidy up cookie'''
@@ -76 +75 @@
                 log.error("logout - decoding return URL: %s" % e) 
                 c.xml = "Error carrying out browser redirect following logout"
-                return render('ndg.security.error')
+                return render('ndg.security.kid', 'ndg.security.error')
             
             # Check for 'getCredentials' - avoid in case username/password
@@ -86 +85 @@
                 b64decReturnTo = b64decReturnTo[:getCredentialsIdx] + '/login'
             
+            # Add flag indicating to caller that logout succeeded.  The caller
+            # can use this to remove any security cookie present in their
+            # domain - See:
+            # ndg.security.client.ssoclient.ssoclient.lib.base.BaseController
+            if '?' in b64decReturnTo:
+                b64decReturnTo += '&logout=1'
+            else:
+                b64decReturnTo += '?logout=1'
+
             # and now go back to whence we had come
             log.debug("LogoutController._redirect: redirect to %s" % \
@@ -92 +100 @@
         else:
             log.debug("LogoutController._redirect: no redirect URL set.")
-            return render('ndg.security.error')
+            return render('ndg.security.kid', 'ndg.security.error')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py

@@ -1 +1 @@
 import logging
 
-from sso.lib.base import *
+from ndg.security.server.sso.sso.lib.base import *
 from ndg.security.common.AttAuthority import AttAuthorityClient
 import base64
@@ -15 +15 @@
         """For each action, get 'r' return to URL argument from current URL 
         query string.  c.b64encReturnTo is used in some of the .kid files"""
-        c.b64encReturnTo = request.params.get('r', '') 
+        c.b64encReturnTo = str(request.params.get('r', ''))
         log.debug("WayfController.__before__: c.b64encReturnTo = %s" % \
                                                               c.b64encReturnTo)
@@ -55 +55 @@
         session.save()
         
-        return render('ndg.security.wayf')
+        # Use an alias 'ndg.security.kid' to integration with another pylons
+        # code stack.  The alias tells render to pick up the template from a
+        # separate SSO templates directory to whatever is the default
+        return render('ndg.security.kid', 'ndg.security.wayf')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/base.py

@@ -11 +11 @@
 from pylons.templating import render
 
-import sso.lib.helpers as h
-import sso.model as model
+import ndg.security.server.sso.sso.lib.helpers as h
+import ndg.security.server.sso.sso.model as model
 
 import urllib
@@ -19 +19 @@
 
 from ndg.security.common.pylons.security_util import setSecuritySession, \
-    LoginServiceQuery
+    SSOServiceQuery
 
 import logging

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid

@@ -21 +21 @@
         redirected back to the URL: <a href="${c.returnTo}">${c.returnTo}</a></p>
                 </div>
-        <div py:replace="footer()"/>
+        <div py:replace="footer(showLoginStatus=False)"/>
     </body>
-    
-        <div py:def="footer(showLoginStatus=False)" id="Footer">
-        <center><table><tbody>
-            <tr>
-                <td align="center" width="60%">
-                    <table><tbody>
-                    <tr><td><span py:replace="linkimage(g.ndg.security.server.ssoservice.cfg.ndgLink,g.ndg.security.server.ssoservice.cfg.ndgImage,'NDG')"/></td>
-                    <td> This portal is a product of the <a href="http://ndg.nerc.ac.uk"> NERC DataGrid</a>
-                    Not all functionality is completely implemented, bugs and problems are expected </td>
-                    </tr>
-                    </tbody></table>
-                </td>
-                <td width="40%" align="center">
-                    <div id="loginStatus">
-                        <!--! now we choose one of the next two (logged in or not) -->
-                        <div py:if="'ndgSec' in session"><table><tbody><tr><td> User [${session['ndgSec']['u']}] logged in
-                        at [${session['ndgSec']['h']}] with roles [${session['ndgSec']['roles']}]</td><td>
-                        &nbsp;<span py:replace="logOut()"/></td></tr></tbody></table></div>
-                        <div py:if="'ndgSec' not in session"></div>
-                    </div>
-                </td>
-                <td><span py:replace="linkimage(g.ndg.security.server.ssoservice.cfg.stfcLink,g.ndg.security.server.ssoservice.cfg.stfcImage,'Hosted by the STFC CEDA')"/></td>
-            </tr>
-        </tbody></table></center>
-    </div>
 </html>