Changeset 3893
- Timestamp:
- 13/05/08 09:34:07 (13 years ago)
- Location:
- TI05-delivery/ows_framework/trunk/ows_server
- Files:
-
- 1 added
- 13 edited
TI05-delivery/ows_framework/trunk/ows_server/development.ini
r3027 r3893 57 57 # execute malicious code after an exception is raised. 58 58 #set debug = false 59 60 # Logging configuration 61 [loggers] 62 keys = root, ows_server, ndg 63 64 [handlers] 65 keys = console 66 67 [formatters] 68 keys = generic 69 70 [logger_root] 71 level = INFO 72 handlers = console 73 74 [logger_ows_server] 75 level = DEBUG 76 handlers = 77 qualname = ows_server 78 79 [logger_ndg] 80 level = DEBUG 81 handlers = 82 qualname = ndg 83 84 85 [handler_console] 86 class = StreamHandler 87 args = (sys.stderr,) 88 #level = NOTSET 89 level = DEBUG 90 formatter = generic 91 92 [formatter_generic] 93 format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s 94 datefmt = %H:%M:%S 95 -
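Review bot: `[logger_ndg]` and `[logger_ows_server]` are both set to `level = DEBUG` and `[handler_console]` is too, so everything the ndg security package emits at debug level now reaches stderr; the login code this changeset removes from login.py logged decoded return-to URLs at that level, and what the replacement package logs at DEBUG is not visible here. Since this is development.ini the level is presumably deliberate, but a line above the two loggers such as `# DEBUG is for local development only; deployed configs should use INFO so security-package debug output is not written to the console` would stop it being copied into a deployment ini unchanged. The stale `#level = NOTSET` under `[handler_console]` can be dropped now that `level = DEBUG` directly follows it.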
TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
r3842 r3893 10 10 # 11 11 # the following is the server on which this browse/discovery instance runs! 12 #server: http://localhost12 server: http://localhost 13 13 #server: http://superglue.badc.rl.ac.uk:8083 14 14 ## This is the proxied server root 15 server: http://superglue.badc.rl.ac.uk/ndg-test15 #server: http://superglue.badc.rl.ac.uk/ndg-test 16 16 17 17 # 18 18 # the following is the server on which the NDG discovery service is running! (Not to be confused with 19 19 # the server on which the NDG discovery web service is running). This can and probably should be the local 20 # server (i.e. don t change it!)20 # server (i.e. don't change it!) 21 21 # 22 22 ndgServer: %(server)s … … 24 24 # this is the physical file location of the layout directory on this machine 25 25 # 26 layoutdir: /usr/local/ows_server_deployment/layout26 layoutdir: 27 27 # 28 28 # this should never be changed 29 29 # 30 30 ##!NOTE: These are changed to reflect the proxy prefix 31 layout: /ndg-test/layout/ 32 icondir: /ndg-test/layout/icons/ 31 #layout: /ndg-test/layout/ 32 #icondir: /ndg-test/layout/icons/ 33 layout: /layout/ 34 icondir: /layout/icons/ 35 33 36 # 34 37 mailserver: xxxoutbox.rl.ac.uk … … 51 54 [layout] 52 55 ###### user customisable: 53 localLink: http://superglue.badc.rl.ac.uk/ndg-test/56 localLink: %(ndgServer)s/layout/ 54 57 localImage: %(layout)sndg_logo_circle.gif 55 58 localAlt: visit badc 56 59 ###### ought to be the end of the customisations 57 ndgLink: http:// superglue.badc.rl.ac.uk/ndg-test/60 ndgLink: http://ndg.nerc.ac.uk/ 58 61 ndgImage: %(layout)sndg_logo_circle.gif 59 62 ndgAlt: visit ndg … … 67 70 printer: %(icondir)sprinter.png 68 71 helpIcon: %(icondir)shelp.png 69 HdrLeftAlt: %(layout)s Natural Environment Research Council72 HdrLeftAlt: %(layout)s Natural Environment Research Council 70 73 HdrLeftLogo: %(layout)sNERC_Logo.gif 71 74 … … 121 124 passwordFile: ./passwords.txt 122 125 123 [NDG_SECURITY] 124 # Server address for secure connections 126 # 
127 # NDG Security 128 # 129 130 # Security settings for configuration as a client to a Single Sign On Service 131 # i.e. Where Are You From, login and logout operations are handled by a 132 # separate standalone paster instance 133 #[NDG_SECURITY.ssoClient] 134 ## THIS service's address for secure connections - the Single Sign On service 135 ## returns security parameters to this service along this channel 125 136 #sslServer: https://localhost 126 sslServer: https://ndgbeta.badc.rl.ac.uk 137 ##sslServer: https://ndgbeta.badc.rl.ac.uk 138 # 139 ## THIS service's address for unencrypted connections - when login is complete, 140 ## the BaseController redirects to an equivalent address under this host name. 141 ## sslServer and server settings must match for the sharing of cookies. 142 #server: http://localhost 143 # 144 ## WAYF running on Single Sign On Service - omit to default to WAYF running on 145 ## THIS paster instance 146 #wayfURI: https://localhost/sso/wayf 147 # 148 ## Logout URI running on Single Sign On Service - omit to default to WAYF running on 149 ## THIS paster instance 150 #logoutURI: https://localhost/sso/logout 151 152 # Security settings for running a Single Sign On Service from this paster 153 # instance. Either NDG_SECURITY.ssoClient or NDG_SECURITY.ssoService sections 154 # should be set but NOT both 155 156 # Single Sign On Service Settings 157 [NDG_SECURITY.ssoService] 158 159 # THIS service's address for secure connections - the Single Sign On service 160 # returns security parameters to this service along this channel 161 sslServer: https://localhost 162 #sslServer: https://ndgbeta.badc.rl.ac.uk 163 164 # THIS service's address for unencrypted connections - when login is complete, 165 # the BaseController redirects to an equivalent address under this host name. 166 # sslServer and server settings must match for the sharing of cookies. 167 server: http://localhost 127 168 128 169 # Redirect SOAP output to a file e.g. 
open(<somefile>, 'w') … … 131 172 132 173 # Service addresses 133 #sessionMgrURI: https://localhost:5700/SessionManager 134 sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager 135 #attAuthorityURI: http://localhost:5000/AttributeAuthority 136 attAuthorityURI: http://aa.ceda.rl.ac.uk 137 138 # WS-Security signature handler 139 # This is an application certificate ... (which may be a machine certificate) 140 # X.509 certificate sent with outbound signed messages 141 wssCertFilePath: ./certs/Junk-cert.pem 142 143 # Private key used to sign messages 144 # This is an application certificate ... (which may be a machine certificate) 145 wssKeyFilePath: ./certs/Junk-key.pem 146 147 # Password for private key - comment out if the file is not password protected 148 wssKeyPwd: Junk 149 150 # Space separated list of CA cert. files to validate certs against when 151 # verifying responses 152 wssCACertFilePathList: ./certs/cacert.pem 174 sessionMgrURI: https://localhost/SessionManager 175 #sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager 176 attAuthorityURI: http://localhost:5000/AttributeAuthority 177 #attAuthorityURI: http://aa.ceda.rl.ac.uk 153 178 154 179 # SSL Connections … … 156 181 # Space separated list of CA cert. files. The peer cert. 157 182 # must verify against at least one of these otherwise the connection is 158 # dropped. 159 sslCACertFilePathList: ./certs/cacert.pem 160 161 # Set an alternate CommonName to match with peer cert for SSL 162 # Connections. If the CN=hostname of the peer then this option 163 # can be commented out 164 #sslPeerCertCN: 183 # dropped. 
Include CA certs for all the sites trusted 184 sslCACertFilePathList: certs/ndg-test-ca.crt 165 185 166 186 # Gatekeeper Attribute Certificate check 167 187 # Issuer - should match with the issuer element of the users Attribute 168 188 # Certificate submitted in order to gain access 169 acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC 170 #acIssuer: /CN=Junk/O=NDG/OU=Gabriel 171 172 # verification of X.509 cert back to CA 173 acCACertFilePathList: ./secpem/cacert.pem 189 #acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC 190 acIssuer: /CN=Junk/O=NDG/OU=Gabriel 191 192 # verification of X.509 cert back to CA. Currently only the CA of this site 193 # is needed because only mapped Attribute Certificates may be accepted. 194 acCACertFilePathList: certs/ndg-test-ca.crt 195 196 197 # WS-Security signature handler - set a config file with 'wssCfgFilePath' 198 # or omit and put the relevant content directly in here under 199 # 'NDG_SECURITY.wssecurity' section 200 #wssCfgFilePath: wssecurity.cfg 201 202 [NDG_SECURITY.wssecurity] 203 204 # Settings for signature of an outbound message ... 205 206 # Certificate associated with private key used to sign a message. The sign 207 # method will add this to the BinarySecurityToken element of the WSSE header. 208 # binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 209 # As an alternative, use 'signingCertChain' parameter 210 211 # file path PEM encoded cert 212 signingCertFilePath=certs/clnt.crt 213 214 # file path to PEM encoded private key file 215 signingPriKeyFilePath=certs/clnt.key 216 217 # Password protecting private key. Leave blank if there is no password. 218 signingPriKeyPwd= 219 220 # Provide a space separated list of file paths. CA Certs should be included 221 # for all the sites this installation trusts 222 caCertFilePathList=certs/ndg-test-ca.crt 223 224 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a 225 # signed message. 
226 reqBinSecTokValType=X509v3 227 228 # Add a timestamp element to an outbound message 229 addTimestamp=True 230 231 # For WSSE 1.1 - service returns signature confirmation containing signature 232 # value sent by client 233 applySignatureConfirmation=False 234 174 235 175 236 [RELATED] … … 187 248 formatDefault=DIF 188 249 icon_title: Links to the DISCOVERY RECORD for this dataset 189 standalone: True 250 #standalone: True 251 standalone: False 190 252 191 253 [OWS_SERVER] -
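Review bot: The `[NDG_SECURITY.ssoService]` hunk makes the test issuer the live one (`acIssuer: /CN=Junk/O=NDG/OU=Gabriel`, with the BADC issuer commented out beside it) and points `sessionMgrURI`, `attAuthorityURI`, `sslServer` and `server` at localhost while the previous deployed values stay as commented-out lines, so the file as committed validates Attribute Certificates against the test CA `certs/ndg-test-ca.crt`. If this is meant as a local-development copy, a header comment stating it, e.g. `# Local development settings: acIssuer, acCACertFilePathList, sslCACertFilePathList and the *URI endpoints must be replaced before deployment`, makes the swap harder to ship by accident; if not, the old values should be restored rather than kept as history next to the test ones. `attAuthorityURI: http://localhost:5000/AttributeAuthority` is a plain-http endpoint for the attribute-certificate request, and the signing configured under `[NDG_SECURITY.wssecurity]` gives message integrity but not confidentiality on that channel, so a comment saying this is acceptable only locally would help. `layoutdir:` is now an empty value; a comment above it should say whether an empty string is intended or whether the key should be removed.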
TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/environment.py
r3536 r3893 8 8 import ows_server.lib.helpers 9 9 from ows_server.config.routing import make_map 10 11 # Set-up tools package import for locating NDG Security SSO Service 12 import pkg_resources 13 14 import logging 15 log = logging.getLogger(__name__) 16 10 17 11 18 def load_environment(global_conf={}, app_conf={}): … … 19 26 } 20 27 28 21 29 # Initialize config with the basic options 22 30 config.init_app(global_conf, app_conf, package='ows_server', … … 33 41 34 42 # Add your own template options config options here, note that all config options will override 35 # any Pylons config options 43 # any Pylons config options 44 45 # Add templates for NDG Security Single Sign On Service making sure to 46 # provide an alias to avoid overwriting the default templates dir 47 kidopts = {'kid.assume_encoding':'utf-8', 'kid.encoding':'utf-8'} 48 config.add_template_engine('kid', 49 'ndg.security.server.sso.sso.templates', 50 kidopts, 51 alias='ndg.security.kid') -
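Review bot: `config.add_template_engine('kid', 'ndg.security.server.sso.sso.templates', kidopts, alias='ndg.security.kid')` registers the SSO service's template package unconditionally, whereas base.py, login.py and logout.py in this same changeset treat `ndg.security` as optional and only warn when the import fails; if template-engine registration resolves the package eagerly, a standalone deployment without ndg.security would now fail inside `load_environment` instead of degrading the way those modules intend (whether Pylons resolves it lazily is not visible from the hunk). Wrapping the call in the same `try: ... except ImportError` pattern, or guarding it on the `DISCOVERY` `standalone` setting, would keep the two behaviours consistent. The new `import pkg_resources` is not used anywhere in the visible hunk; the comment above it says it is for locating the SSO service, so either the use lies outside the hunk or the import is leftover. `load_environment` continues outside the hunk.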
TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py
r3418 r3893 2 2 from paste.deploy import CONFIG 3 3 from ows_server.models.Utilities import myConfig 4 from ows_server.lib.security_util import SecurityConfig5 4 5 6 class NDGConfigError(Exception): 7 '''Errors related to reading from ndg config file''' 8 6 9 class ndgMiddleware: 7 10 … … 21 24 self.globals.htdocs=cf.get('DEFAULT','htdocs',None) 22 25 self.globals.localLink=cf.get('layout','localLink',None) 23 24 25 26 27 26 self.globals.localImage=cf.get('layout','localImage',None) 27 self.globals.localAlt=cf.get('layout','localAlt','Visit Local Site') 28 self.globals.ndgLink=cf.get('layout','ndgLink','http://ndg.nerc.ac.uk') 29 self.globals.ndgImage=cf.get('layout','ndgImage',None) 30 self.globals.ndgAlt=cf.get('layout','ndgAlt','Visit NDG') 28 31 self.globals.stfcLink=cf.get('layout','stfcLink') 29 32 self.globals.stfcImage=cf.get('layout','stfcImage') … … 47 50 self.globals.server=cf.get('DEFAULT','server','') 48 51 49 # Security Related50 self.globals.wayfuri='%s/wayf'%self.globals.server51 52 # Use secure connection53 self.globals.sslServer=cf.get('NDG_SECURITY','sslServer','')54 self.globals.getCredentials='%s/getCredentials'%self.globals.sslServer55 self.globals.logout='%s/logout'%self.globals.server56 self.globals.securityCfg = SecurityConfig(cf)57 52 58 53 # for standalone discovery 59 standalone={'True':1,'False':0}[cf.get('DISCOVERY','standalone')] 60 self.globals.standalone= standalone 61 54 self.globals.standalone=cf.config.getboolean('DISCOVERY','standalone') 55 62 56 57 # Security Related 58 59 # Single Sign On settings - check for mode of operation: 60 # 1) act as a client to a separate Single Sign On Service 61 # or 62 # 2) Single Sign On service is integrated into THIS service 63 securityEnabled = not self.globals.standalone 64 isSSOClient = cf.config.has_section('NDG_SECURITY.ssoClient') and \ 65 securityEnabled 66 67 isSSOService = cf.config.has_section('NDG_SECURITY.ssoService') and \ 68 securityEnabled 69 70 if isSSOClient and isSSOService: 
71 raise NDGConfigError(\ 72 "NDG_SECURITY.ssoClient and NDG_SECURITY.ssoService " + \ 73 "sections are present in the NDG Config file: " + \ 74 "only one or the other may be set") 75 76 if isSSOClient: 77 try: 78 from \ 79 ndg.security.client.ssoclient.ssoclient.config.ssoClientMiddleware\ 80 import SSOMiddleware 81 except ImportError, e: 82 # If standalone flag is not present security must be enabled 83 raise NDGConfigError(\ 84 '%s: importing Single Sign On Client SSOMiddleware: %s' % \ 85 (__name__, e)) 86 87 88 SSOMiddleware(app, cf.config, g, 89 defSection='NDG_SECURITY.ssoClient') 90 91 self.globals.sslServer = g.ndg.security.client.ssoclient.cfg.sslServer 92 self.globals.wayfuri=g.ndg.security.client.ssoclient.cfg.wayfuri 93 self.globals.logout=g.ndg.security.client.ssoclient.cfg.logoutURI 94 95 elif isSSOService: 96 try: 97 from ndg.security.server.sso.sso.config.ssoServiceMiddleware \ 98 import SSOMiddleware 99 except ImportError, e: 100 # If standalone flag is not present security must be enabled 101 raise NDGConfigError(\ 102 '%s: importing Single Sign On Service SSOMiddleware: %s' %\ 103 (__name__, e)) 104 105 106 SSOMiddleware(app, cf.config, g, 107 defSection='NDG_SECURITY.ssoService') 108 109 self.globals.sslServer=g.ndg.security.server.ssoservice.cfg.sslServer 110 self.globals.wayfuri=g.ndg.security.server.ssoservice.cfg.wayfuri 111 self.globals.logout=g.ndg.security.server.ssoservice.cfg.logoutURI 112 self.globals.getCredentials=g.ndg.security.server.ssoservice.cfg.getCredentials 113 114 #self.globals.securityCfg = SecurityConfig(cf) 63 115 self.config=cf 64 116 -
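Review bot: In the new security block, `self.globals.sslServer`, `wayfuri`, `logout` and `getCredentials` are only assigned inside the `if isSSOClient` / `elif isSSOService` branches, so in standalone mode (`securityEnabled` False) none of them exist on `self.globals`; before this change `wayfuri`, `sslServer`, `getCredentials` and `logout` were always set from config, so any template or controller still reading `g.wayfuri` and friends would now raise AttributeError in a standalone deployment (the consumers are not visible from here). Initialising them before the branch, e.g. `self.globals.sslServer = self.globals.wayfuri = self.globals.logout = self.globals.getCredentials = ''`, preserves the old attribute set. Separately, when `standalone` is False but neither `NDG_SECURITY.ssoClient` nor `NDG_SECURITY.ssoService` is present, the block falls through silently and no SSO middleware is installed although the config asked for security; adding `elif securityEnabled: raise NDGConfigError("standalone is False but no NDG_SECURITY.ssoClient or NDG_SECURITY.ssoService section is configured")` after the two branches makes that misconfiguration fail at start-up rather than run without it. The comment `# If standalone flag is not present security must be enabled` in both `except ImportError` blocks does not describe what those blocks do and should say the import is required because an SSO section is configured. The enclosing method starts outside the hunk.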
TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/routing.py
r3842 r3893 37 37 map.connect('login', controller='login') 38 38 map.connect('getCredentials', controller='login', action='getCredentials') 39 map.connect('wayf', controller=' login', action='wayf')39 map.connect('wayf', controller='wayf') 40 40 map.connect('logout', controller='logout') 41 41 map.connect('semantic',controller='discovery', action='semantic') -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
r3536 r3893 4 4 5 5 from ows_server.lib.base import * 6 from ows_server.lib.security_util import setSecuritySession, SecuritySession,\ 7 LoginServiceQuery 8 from ows_common.exception_report import OwsError 9 from paste.request import parse_querystring 6 10 7 import logging 11 8 log = logging.getLogger(__name__) 12 9 13 from ndg.security.common.AttAuthority import AttAuthorityClient 14 from ndg.security.common.SessionMgr import SessionMgrClient, SessionExpired, \ 15 AttributeRequestDenied 16 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \ 17 HostCheck, InvalidCertSignature, InvalidCertDN 18 19 20 class LoginController(BaseController): 21 ''' Provides the pylons controller for local login ''' 10 try: 11 from ndg.security.server.sso.sso.controllers.login \ 12 import LoginController as _LoginController 13 14 class LoginController(_LoginController): 15 '''Provides the pylons controller for Login. This is a wrapper class. 16 - All functionality is provided from ndg.security.server.sso.sso 17 the NDG Security Single Sign On Service package''' 18 19 except ImportError, e: 20 from warnings import warn 21 warn("Importing LoginController for Single Sign On Service: %s" % e, 22 RuntimeWarning) 22 23 23 def __before__(self, action): 24 """For each action, get 'r' return to URL argument from current URL 25 query string. c.returnTo is used in some of the .kid files""" 26 c.returnTo = request.params.get('r', '') 24 class LoginController(BaseController): 25 '''Raise a 404 error for case where Single Sign ON Service is disabled 26 ''' 27 27 28 # Check return to address - getCredentials should NOT be returned to 29 # with its query args intact 30 b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 31 scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 32 if 'getCredentials' in pathInfo: 33 # Swap to discovery and remove sensitive creds query args 34 # 35 # TODO: re-write to be more robust and modular. Nb. 
36 # BaseController.__call__ should filter out 'getCredentials' 37 # calls from c.requestURL so this code should never need to be 38 # executed. 39 filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 40 c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 41 42 # Check return to address - getCredentials should NOT be returned to 43 # with its query args intact 44 log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 45 base64.urlsafe_b64decode(c.returnTo)) 46 47 48 def index(self): 49 ''' Ok, you really want to login here ''' 50 log.debug("LoginController.index ...") 51 52 if 'ndgSec' not in session: 53 log.debug('No security session details found - offering login...') 54 return render('login') 55 56 # Session is set in this domain - check it 57 try: 58 smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 59 sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 60 sslPeerCertCN=g.securityCfg.sslPeerCertCN, 61 signingCertFilePath=g.securityCfg.wssCertFilePath, 62 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 63 signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 64 caCertFilePathList=g.securityCfg.wssCACertFilePathList, 65 tracefile=g.securityCfg.tracefile) 66 67 except Exception, e: 68 c.xml='Error establishing security context. Please report ' + \ 69 'the error to your site administrator' 70 log.error("Initialising SessionMgrClient for " + \ 71 "getSessionStatus call: %s" % e) 72 SecuritySession.delete() 73 response.status_code = 400 74 return render('content') 75 76 # Check session status 77 log.debug('Calling Session Manager "%s" getSessionStatus ' % \ 78 session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\ 79 (session['ndgSec']['u'], session['ndgSec']['sid'])) 80 try: 81 bSessOK = smClnt.getSessionStatus(sessID=session['ndgSec']['sid']) 82 except Exception, e: 83 c.xml = "Error checking your session details. 
Please re-login" 84 log.error("Session Manager getSessionStatus returned: %s" % e) 85 SecuritySession.delete() 86 response.status_code = 400 87 return render('login') 88 89 if bSessOK: 90 log.debug("Session found - redirect back to site requesting " + \ 91 "credentials ...") 92 # ... Return across http GET passing security parameters... 93 return self.__doRedirect() 94 else: 95 log.debug("Session wasn't found - removing security details " + \ 96 "from cookie and re-displaying login...") 97 SecuritySession.delete() 98 return render('login') 99 100 101 def getCredentials(self): 102 """Authenticate user and cache user credentials in 103 Session Manager following user login""" 104 log.debug("LoginController.getCredentials ...") 105 106 try: 107 smClnt = SessionMgrClient(uri=g.securityCfg.smURI, 108 sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 109 sslPeerCertCN=g.securityCfg.sslPeerCertCN, 110 signingCertFilePath=g.securityCfg.wssCertFilePath, 111 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 112 signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 113 caCertFilePathList=g.securityCfg.wssCACertFilePathList, 114 tracefile=g.securityCfg.tracefile) 115 116 username = request.params['username'] 117 passphrase = request.params['passphrase'] 118 119 except Exception, e: 120 c.xml='Error establishing security context. Please report ' + \ 121 'the error to your site administrator' 122 log.error("Login: initialising SessionMgrClient: %s" % e) 123 response.status_code = 400 124 return render('content') 125 126 # Connect to Session Manager 127 log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \ 128 (g.securityCfg.smURI, username)) 129 try: 130 sessID = smClnt.connect(username, passphrase=passphrase)[-1] 131 except Exception, e: 132 c.xml = "Error logging in. Please check your username/" + \ 133 "pass-phrase and try again." 
134 log.error("Session Manager connect returned: %s" % e) 135 response.status_code = 401 136 return render('login') 137 138 # Cache user attributes in Session Manager 139 log.debug("Calling Session Manager getAttCert for user ") 140 try: 141 # Make request for attribute certificate 142 attCert = smClnt.getAttCert(sessID=sessID, 143 attAuthorityURI=g.securityCfg.aaURI) 144 except SessionExpired, e: 145 log.info("Session expired getting Attribute Certificate: %s" % e) 146 c.xml = "Session has expired, please re-login" 147 response.status_code = 401 148 return render('login') 28 def index(self): 29 ''' Ok, you really want to login here ''' 30 log.info("Single Sign On Service is disabled setting 404 error...") 31 abort(404) 149 32 150 except AttributeRequestDenied, e:151 log.error("Login: attribute Certificate request denied: %s" % e)152 c.xml = "No authorisation roles are available for your " + \153 "account. Please check with your site administrator."154 response.status_code = 401155 return render('login')156 157 except Exception, e:158 log.error("Login: attribute Certificate request: %s" % e)159 c.xml = "An internal error occured. 
Please report this to " + \160 "your site administrator."161 response.status_code = 400162 return render('login')163 164 log.debug('Completing login...')165 166 # Make security session details167 setSecuritySession(h=g.securityCfg.smURI,168 u=username,169 org=attCert.issuerName,170 roles=attCert.roles,171 sid=sessID)172 session.save()173 174 log.info("user %s logged in with roles %s" % (session['ndgSec']['u'],175 session['ndgSec']['roles']))176 return self.__doRedirect()177 178 179 def wayf(self):180 ''' NDG equivalent to Shibboleth WAYF '''181 log.debug("LoginController.wayf ...")182 183 # May be better as a 'g' global set-up at start-up?184 #185 # tracefile could be removed for production use186 aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,187 signingCertFilePath=g.securityCfg.wssCertFilePath,188 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,189 signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,190 caCertFilePathList=g.securityCfg.wssCACertFilePathList,191 tracefile=g.securityCfg.tracefile)192 193 # Get list of login uris for trusted sites including THIS one194 log.debug("Calling Attribute Authority getTrustedHostInfo and " + \195 "getHostInfo for wayf")196 197 hosts = aaClnt.getAllHostsInfo()198 c.providers=dict([(k, v['loginURI']) for k, v in hosts.items()])199 200 session.save()201 202 return render('wayf')203 204 205 def __doRedirect(self):206 """Pass security creds back to requestor so that they can make207 a cookie. If the requestor is in the same domain as the login then208 this is not necessary."""209 210 # and now go back to whence we had come211 if c.returnTo!='':212 # is there a keyword on redirect_to that can make this https? 
See:213 # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69214 215 # Only add token if return URI is in a different domain216 thisHostname = request.host.split(':')[0]217 218 # Decode return to address219 cc = base64.urlsafe_b64decode(c.returnTo)220 log.debug('Login redirect to [%s]' % cc)221 222 returnToHostname = urlsplit(cc)[1]223 # returnToHostname = 'localhost'224 # if thisHostname not in returnToHostname:225 if True:226 # Returning to a different domain - copy the security session227 # details into the URL query string228 if '?' in cc:229 cc+='&%s' % LoginServiceQuery()230 else:231 cc+='?%s' % LoginServiceQuery()232 233 # Check return-to address by examining peer cert234 log.debug("Checking return-to URL for valid SSL peer cert. ...")235 236 # Look-up list of Cert DNs for trusted requestors237 aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,238 signingCertFilePath=g.securityCfg.wssCertFilePath,239 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,240 signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,241 caCertFilePathList=g.securityCfg.wssCACertFilePathList,242 tracefile=g.securityCfg.tracefile)243 244 HostInfo = aaClnt.getAllHostsInfo()245 requestServerDN = [val['loginRequestServerDN'] \246 for val in HostInfo.values()]247 log.debug("Expecting DN for SSL peer one of: %s"%requestServerDN)248 hostCheck=HostCheck(acceptedDNs=requestServerDN,249 caCertFilePathList=g.securityCfg.sslCACertFilePathList)250 testConnection = HTTPSConnection(returnToHostname,251 None,252 postConnectionCheck=hostCheck)253 254 log.debug('Testing connection to "%s"' % returnToHostname)255 try:256 try:257 testConnection.connect()258 except (InvalidCertSignature, InvalidCertDN), e:259 log.error("Login: requestor SSL certificate: %s" % e)260 c.xml = """Request to redirect back to %s with your261 credentials refused: there is a problem with the SSL certificate of this site.262 Please report this to your site administrator.""" % returnToHostname263 
response.status_code = 400264 return render('login')265 finally:266 testConnection.close()267 268 log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % cc)269 h.redirect_to(cc)270 else:271 c.xml='<p> Logged in </p>'272 return render('content') -
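Review bot: The fallback `LoginController` in the `except ImportError` branch only defines `index`, but routing.py in this changeset still maps `getCredentials` to `controller='login', action='getCredentials'`, so with the SSO package absent a request to that route reaches a controller with no such action and is handled by the base controller's missing-action path rather than the deliberate `abort(404)` (what that path does may depend on the Pylons debug setting, which is not visible here). Putting the abort in a method that runs for every action, `def __before__(self, action): abort(404)`, covers `getCredentials` and any later action with one definition. The wrapper subclass keeps the old return-to filtering (the removed `__before__` that rewrote `getCredentials` return URLs to `/discovery` before logging them) only if `ndg.security.server.sso.sso.controllers.login.LoginController` does the same; that behaviour is no longer visible in this file, so it is worth confirming in the imported package before relying on it.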
TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
r3536 r3893 1 1 from ows_server.lib.base import * 2 from ows_server.lib.security_util import SecuritySession3 2 import logging 4 3 log = logging.getLogger(__name__) 5 4 6 from paste.request import parse_querystring 7 import sys # include in case tracefile is set to sys.stderr 8 import base64 # decode the return to address 9 from urlparse import urlsplit, urlunsplit 5 try: 6 from ndg.security.server.sso.sso.controllers.logout import LogoutController as\ 7 _LogoutController 8 9 class LogoutController(_LogoutController): 10 '''Provides the pylons controller for logout. This is a wrapper class. 11 - All functionality is provided from ndg.security.server.sso.sso the 12 NDG Security Single Sign On Service package''' 13 14 except ImportError, e: 15 from warnings import warn 16 warn("Importing LogoutController for Single Sign On Service: %s" % e, 17 RuntimeWarning) 18 19 # Default to base version to avoid an exception if 'Logout' is invoked 20 class LogoutController(BaseController): 21 '''Raise a 404 error for case where Single Sign ON Service is disabled 22 ''' 23 def index(self): 24 log.info("Single Sign On Service is disabled setting 404 error...") 25 abort(404) 10 26 11 from ndg.security.common.SessionMgr import SessionMgrClient 12 13 14 class LogoutController(BaseController): 15 '''Provides the pylons controller for logging out and killing the cookies 16 ''' 17 18 def __before__(self): 19 """Get return to URL""" 20 c.returnTo = request.params.get('r', '') 21 22 # Check return to address - getCredentials should NOT be returned to 23 # with its query args intact 24 b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 25 scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 26 if 'getCredentials' in pathInfo: 27 # Swap to discovery and remove sensitive creds query args 28 # 29 # TODO: re-write to be more robust and modular. Nb. 
30 # BaseController.__call__ should filter out 'getCredentials' 31 # calls from c.requestURL so this code should never need to be 32 # executed. 33 filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 34 c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 35 36 37 def index(self): 38 ''' Ok, you really want to logout here ''' 39 40 if 'ndgSec' not in session: 41 # There's no handle to a security session 42 log.error("logout called but no 'ndgSec' key in session object") 43 return self.__redirect() 44 45 # Fixed URI to be equal to the session's security settings 'h' param! 46 # This contains the location of the Session Manager where the users 47 # session is held. 48 # 49 # Removed sslPeerCertCN setting here - the session manager could at 50 # any of a number of different trusted sites where the user logged in 51 # from. There's no way of predicting an alternate SSL cert Common 52 # Name through the config file settings 53 # 54 # P J Kershaw 21/11/2007 55 try: 56 smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 57 sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 58 signingCertFilePath=g.securityCfg.wssCertFilePath, 59 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 60 signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 61 caCertFilePathList=g.securityCfg.wssCACertFilePathList, 62 tracefile=g.securityCfg.tracefile) 63 except Exception, e: 64 log.error("logout - creating Session Manager client: %s" % e) 65 return self.__cleanupAndRedirect() 66 67 # Disconnect from Session Manager 68 log.info('Calling Session Manager "%s" disconnect for logout...' % \ 69 g.securityCfg.smURI) 70 try: 71 smClnt.disconnect(sessID=session['ndgSec']['sid']) 72 except Exception, e: 73 log.error("Error with Session Manager logout: %s" % e) 74 # don't exit here - instead proceed to delete session and 75 # redirect ... 
76 77 return self.__cleanupAndRedirect() 78 79 80 def __cleanupAndRedirect(self): 81 """Remove security session and call _redirect""" 82 try: 83 # easy to kill our cookie 84 SecuritySession.delete() 85 if 'ndgCleared' in session: del session['ndgCleared'] 86 session.save() 87 88 except Exception, e: 89 log.error("logout - clearing security session: %s" % e) 90 91 return self.__redirect() 92 93 94 def __redirect(self): 95 """Handle redirect back to previous page""" 96 if c.returnTo: 97 # Decode the return to address 98 try: 99 b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 100 except Exception, e: 101 log.error("logout - decoding return URL: %s" % e) 102 return render('content') 103 104 # and now go back to whence we had come 105 h.redirect_to(b64decReturnTo) 106 else: 107 return render('content') 27 #from ows_server.lib.security_util import SecuritySession 28 #import logging 29 #log = logging.getLogger(__name__) 30 # 31 #from paste.request import parse_querystring 32 #import sys # include in case tracefile is set to sys.stderr 33 #import base64 # decode the return to address 34 #from urlparse import urlsplit, urlunsplit 35 # 36 #from ndg.security.common.SessionMgr import SessionMgrClient 37 # 38 # 39 #class LogoutController(BaseController): 40 # '''Provides the pylons controller for logging out and killing the cookies 41 # ''' 42 # 43 # def __before__(self): 44 # """Get return to URL""" 45 # c.returnTo = request.params.get('r', '') 46 # 47 # # Check return to address - getCredentials should NOT be returned to 48 # # with its query args intact 49 # b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 50 # scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 51 # if 'getCredentials' in pathInfo: 52 # # Swap to discovery and remove sensitive creds query args 53 # # 54 # # TODO: re-write to be more robust and modular. Nb. 
55 # # BaseController.__call__ should filter out 'getCredentials' 56 # # calls from c.requestURL so this code should never need to be 57 # # executed. 58 # filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 59 # c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 60 # 61 # 62 # def index(self): 63 # ''' Ok, you really want to logout here ''' 64 # 65 # if 'ndgSec' not in session: 66 # # There's no handle to a security session 67 # log.error("logout called but no 'ndgSec' key in session object") 68 # return self.__redirect() 69 # 70 # # Fixed URI to be equal to the session's security settings 'h' param! 71 # # This contains the location of the Session Manager where the users 72 # # session is held. 73 # # 74 # # Removed sslPeerCertCN setting here - the session manager could at 75 # # any of a number of different trusted sites where the user logged in 76 # # from. There's no way of predicting an alternate SSL cert Common 77 # # Name through the config file settings 78 # # 79 # # P J Kershaw 21/11/2007 80 # try: 81 # smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 82 # sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 83 # signingCertFilePath=g.securityCfg.wssCertFilePath, 84 # signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 85 # signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 86 # caCertFilePathList=g.securityCfg.wssCACertFilePathList, 87 # tracefile=g.securityCfg.tracefile) 88 # except Exception, e: 89 # log.error("logout - creating Session Manager client: %s" % e) 90 # return self.__cleanupAndRedirect() 91 # 92 # # Disconnect from Session Manager 93 # log.info('Calling Session Manager "%s" disconnect for logout...' % \ 94 # g.securityCfg.smURI) 95 # try: 96 # smClnt.disconnect(sessID=session['ndgSec']['sid']) 97 # except Exception, e: 98 # log.error("Error with Session Manager logout: %s" % e) 99 # # don't exit here - instead proceed to delete session and 100 # # redirect ... 
101 # 102 # return self.__cleanupAndRedirect() 103 # 104 # 105 # def __cleanupAndRedirect(self): 106 # """Remove security session and call _redirect""" 107 # try: 108 # # easy to kill our cookie 109 # SecuritySession.delete() 110 # if 'ndgCleared' in session: del session['ndgCleared'] 111 # session.save() 112 # 113 # except Exception, e: 114 # log.error("logout - clearing security session: %s" % e) 115 # 116 # return self.__redirect() 117 # 118 # 119 # def __redirect(self): 120 # """Handle redirect back to previous page""" 121 # if c.returnTo: 122 # # Decode the return to address 123 # try: 124 # b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 125 # except Exception, e: 126 # log.error("logout - decoding return URL: %s" % e) 127 # return render('content') 128 # 129 # # and now go back to whence we had come 130 # h.redirect_to(b64decReturnTo) 131 # else: 132 # return render('content') -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
r3661 r3893 25 25 import ows_common.xml 26 26 27 # NDG Security import enables Single Sign On capability but note this is not 28 # required for a standalone discovery service deployment 29 try: 30 from ndg.security.client.ssoclient.ssoclient.lib.base import \ 31 BaseController as _BaseController 32 except ImportError, e: 33 from warnings import warn 34 warn('%s: ndg.security.client unavailable - ' % __name__ + \ 35 'Single Sign on functionality disabled: %s' % e, 36 RuntimeWarning) 27 37 38 # Extend BaseController from WSGIController instead 39 _BaseController = WSGIController 40 41 28 42 try: 29 43 from xml.etree import ElementTree as ET … … 37 51 EXCEPTION_TYPE = request.environ['ndgConfig'].get('OWS_SERVER', 'exception_type', 'ogc').lower() 38 52 39 class BaseController( WSGIController):53 class BaseController(_BaseController): 40 54 41 55 def __call__(self, environ, start_response): … … 44 58 # the action or route vars here 45 59 46 logger.debug("BaseController.__call__ ...") 47 48 # construct URL picking up setting of server name from config to 49 # avoid exposing absolute URL hidden behind mod_proxy see #857 50 # Also, avoid returning to getCredentials and potentially exposing 51 # username/pass-phrase on URL. 52 # TODO: rework getCredentials get-out for more modular solution 53 pathInfo = urllib.quote(environ.get('PATH_INFO', '')) 54 if 'getCredentials' in pathInfo: 55 logger.debug(\ 56 "Reverting request URL from getCredentials to discovery...") 57 c.requestURL = g.server + '/discovery' 58 else: 59 c.requestURL = g.server + pathInfo 60 query='&'.join(["%s=%s"%item for item in request.params.items()]) 61 if query: 62 c.requestURL += '?' + query 63 64 # Base 64 encode to enable passing around in 'r' argument of query 65 # string for use with login/logout 66 c.b64encRequestURL = urlsafe_b64encode(c.requestURL) 67 68 if 'h' in request.params: 69 # 'h' corresponds to the setting of a session manager host i.e. 
70 # the request has come from a completed login from the login 71 # service 72 logger.debug("Setting security session from URL query args ...") 73 74 # Copy the query arguments into security session keys 75 setSecuritySession() 76 77 session.save() 78 79 # Re-construct the URL removing the security related arguments 80 qs = LoginServiceQuery.stripFromURI() 81 82 logger.debug('Switching from https to http...') 83 cc = g.server + urllib.quote(environ.get('PATH_INFO','')) 84 if qs: 85 cc += "?" + qs 86 87 logger.debug('URL transport switched to http: "%s"' % cc) 88 h.redirect_to(cc) 89 60 logger.debug("BaseController.__call__ ...") 90 61 91 62 #organise the information needed by pagetabs ... … … 101 72 if 'viewItems' in session: c.pageTabs.append(('View', h.url_for(controller='viewItems',action='index'))) 102 73 103 return WSGIController.__call__(self, environ, start_response)74 return _BaseController.__call__(self, environ, start_response) 104 75 105 76 class OwsController(BaseController): -
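Review bot: The `except ImportError, e:` fallback at new lines 32-39 turns any import failure inside `ndg.security.client` — including a missing transitive dependency of an otherwise installed package — into a silent switch to `WSGIController`, so a deployment that expects single sign-on would run with it disabled and only a `RuntimeWarning` in the server log to show for it. I would gate the fallback on an explicit configuration flag rather than on the import succeeding, and re-raise otherwise, e.g. `if not standalone_discovery: raise` before the `warn(...)` call, with the flag read from the same `[OWS_SERVER]` config section this module already reads at line 51. With the fallback active, `c.requestURL` and `c.b64encRequestURL`, which the removed `__call__` code at old lines 48-66 used to set, are no longer populated anywhere visible in this file, so templates that read them presumably rely on the ndg.security `BaseController` doing it — a comment above line 29 stating that dependency would help. The rest of `BaseController.__call__` runs past the end of the hunk.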
TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py
r3084 r3893 124 124 @return: URL query string with security args removed""" 125 125 keys = params or cls.keys 126 return cls.argSep.join(['%s=%s' % (i, request.params[i]) \127 for i in request.params if i not in keys]) 126 return str(cls.argSep.join(['%s=%s' % (i, request.params[i]) \ 127 for i in request.params if i not in keys])) 128 128 129 129 @classmethod … … 182 182 import sys 183 183 184 class SecurityConfigError(Exception): 185 """Handle errors from parsing security config items""" 186 187 class SecurityConfig(object): 188 """Get Security related parameters from the Pylons NDG config file""" 189 190 def __init__(self, cfg=None): 191 '''Get PKI settings for Attribute Authority and Session Manager from 192 the configuration file 193 194 @type param: pylons config file object 195 @param cfg: reference to NDG configuration file. If omitted defaults 196 to request.environ['ndgConfig']''' 197 198 if cfg is None: 199 cfg = request.environ['ndgConfig'] 200 201 tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile') 202 if tracefileExpr: 203 self.tracefile = eval(tracefileExpr) 204 205 self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI') 206 self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI') 207 208 # ... 
for SSL connections to security web services 209 try: 210 self.sslCACertFilePathList = \ 211 cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split() 212 213 except AttributeError: 214 raise SecurityConfigError, \ 215 'No "sslCACertFilePathList" security setting' 216 217 self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN') 218 219 # ...and for WS-Security digital signature 220 self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath') 221 self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath') 222 self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd') 223 224 try: 225 self.wssCACertFilePathList = \ 226 cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split() 227 228 except AttributeError: 229 raise SecurityConfigError, \ 230 'No "wssCACertFilePathList" security setting' 231 232 # Gatekeeper params 233 234 # Attribute Certificate Issuer 235 self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer') 236 237 # verification of X.509 cert back to CA 238 try: 239 self.acCACertFilePathList = cfg.get('NDG_SECURITY', 240 'acCACertFilePathList').split() 241 except AttributeError: 242 raise SecurityConfigError, \ 243 'No "acCACertFilePathList" security setting' 244 245 246 def __repr__(self): 247 return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \ 248 if k[:2] != "__"]) 184 # Replaced by ndg.security package equivalent 185 #class SecurityConfigError(Exception): 186 # """Handle errors from parsing security config items""" 187 # 188 #class SecurityConfig(object): 189 # """Get Security related parameters from the Pylons NDG config file""" 190 # 191 # def __init__(self, cfg=None): 192 # '''Get PKI settings for Attribute Authority and Session Manager from 193 # the configuration file 194 # 195 # @type param: pylons config file object 196 # @param cfg: reference to NDG configuration file. 
If omitted defaults 197 # to request.environ['ndgConfig']''' 198 # 199 # if cfg is None: 200 # cfg = request.environ['ndgConfig'] 201 # 202 # tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile') 203 # if tracefileExpr: 204 # self.tracefile = eval(tracefileExpr) 205 # 206 # self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI') 207 # self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI') 208 # 209 # # ... for SSL connections to security web services 210 # try: 211 # self.sslCACertFilePathList = \ 212 # cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split() 213 # 214 # except AttributeError: 215 # raise SecurityConfigError, \ 216 # 'No "sslCACertFilePathList" security setting' 217 # 218 # self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN') 219 # 220 # # ...and for WS-Security digital signature 221 # self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath') 222 # self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath') 223 # self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd') 224 # 225 # try: 226 # self.wssCACertFilePathList = \ 227 # cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split() 228 # 229 # except AttributeError: 230 # raise SecurityConfigError, \ 231 # 'No "wssCACertFilePathList" security setting' 232 # 233 # # Gatekeeper params 234 # 235 # # Attribute Certificate Issuer 236 # self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer') 237 # 238 # # verification of X.509 cert back to CA 239 # try: 240 # self.acCACertFilePathList = cfg.get('NDG_SECURITY', 241 # 'acCACertFilePathList').split() 242 # except AttributeError: 243 # raise SecurityConfigError, \ 244 # 'No "acCACertFilePathList" security setting' 245 # 246 # 247 # def __repr__(self): 248 # return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \ 249 # if k[:2] != "__"]) -
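Review bot: The new `str(...)` wrapper at lines 126-127 still rebuilds the query string from raw `request.params` values with no URL encoding, so a value containing `&`, `=` or `#` is re-emitted as URL structure rather than data, and `str()` will raise `UnicodeEncodeError` on any non-ASCII parameter instead of returning the stripped query. Since the result is meant for a redirect URL, build it with the stdlib: `from urllib import urlencode` and `return urlencode([(i, request.params[i]) for i in request.params if i not in keys])` — this bypasses `cls.argSep`, so only do it if `argSep` is always `&`. The `stripFromURI` signature is above the hunk. Separately, the commented-out `SecurityConfig` block at lines 184-249 is dead code that still shows an `eval()` of a config value at line 204; now that the ndg.security equivalent replaces it, delete it rather than leave it as archaeology.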
TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
r3134 r3893 145 145 self.smClnt = SessionMgrClient(uri=self.securityTokens['h'], 146 146 sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 147 sslPeerCertCN=g.securityCfg.sslPeerCertCN,147 # sslPeerCertCN=g.securityCfg.sslPeerCertCN, 148 148 signingCertFilePath=g.securityCfg.wssCertFilePath, 149 149 signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, -
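Review bot: Commenting out `sslPeerCertCN=` at line 147 removes the only check that bound the Session Manager's certificate to an expected identity, leaving `sslCACertFilePathList` as the sole verification, so any certificate issued by a trusted CA is now accepted for whatever host `self.securityTokens['h']` names. That URI appears to arrive as a request parameter (the removed `base.py` code copied `h` from `request.params`, and the commented-out logout controller describes it as the session manager location), so rather than dropping the check I would derive the expected name from the URI itself, e.g. `from urlparse import urlsplit` and `sslPeerCertCN=urlsplit(self.securityTokens['h']).hostname,` — assuming `SessionMgrClient` compares that value against the peer certificate's CN, which I cannot confirm from here. The `SessionMgrClient(...)` call continues past the end of the hunk.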
TI05-delivery/ows_framework/trunk/ows_server/ows_server/public/layout/ndg2.css
r3842 r3893 31 31 border: solid #333333; 32 32 border-width: 0 0 2px 0; 33 background-image:url(/ ndg-test/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;}33 background-image:url(/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;} 34 34 35 35 #logo{ -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/__init__.py
r2484 r3893 1 -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid
r3646 r3893 133 133 </span> 134 134 135 <!-- Login and out buttons --> 135 <!-- Login and out buttons --> 136 136 <span py:def="logOut()" class="logOut"> 137 <?python 138 from base64 import urlsafe_b64encode 139 140 # Base 64 encode to enable passing around in 'r' argument of query 141 # string for use with login/logout 142 c.returnTo = c.requestURL 143 c.b64encReturnTo = urlsafe_b64encode(c.requestURL) 144 ?> 137 145 <form action="$g.logout"> 138 <input type="hidden" name="r" value="${c.b64encRe questURL}"/>146 <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 139 147 <input type="submit" value="Logout"/> 140 148 </form> … … 142 150 143 151 <span py:def="logIn()" class="logIn"> 152 <?python 153 from base64 import urlsafe_b64encode 154 155 # Base 64 encode to enable passing around in 'r' argument of query 156 # string for use with login/logout 157 c.returnTo = c.requestURL 158 c.b64encReturnTo = urlsafe_b64encode(c.requestURL) 159 ?> 144 160 <form action="$g.wayfuri"> 145 <input type="hidden" name="r" value="${c.b64encRe questURL}"/>161 <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 146 162 <input type="submit" value="Login"/> 147 163 </form>
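Review bot: The `<?python ... ?>` block at lines 137-144 is duplicated verbatim at lines 152-159, and both assign to `c` (`c.returnTo`, `c.b64encReturnTo`) from inside template fragments, so the value a page ends up with depends on which of `logOut()` / `logIn()` rendered last. I would compute it once — in the controller that sets `c.requestURL`, or in a single `py:def` both fragments call — and keep the `?python` blocks free of assignments to `c`; the `from base64 import urlsafe_b64encode` also presumably re-runs on every render and belongs at the top of the template or in the controller. Nothing visible in this template constrains `c.requestURL` to the local server, so the hidden `r` field is only as safe against an off-site redirect as wherever `c.requestURL` is now populated (the removed `base.py` code built it from `g.server`); a comment above line 137 such as `<!-- r is the base64 return-to URL; c.requestURL must be server-relative, see BaseController -->` would record that assumption.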