Changeset 3901

Timestamp:

15/05/08 10:35:33 (11 years ago)

Author:

pjkersha

Message:

Working version with Gatekeeper code moved into it's own package in ndg.security.

All security code now decoupled from ows_server - Single Sign On and Gatekeeper.

ows_server/ndgDiscovery.config: moved Gatekeeper settings into its own NDG_SECURITY.gatekeeper section

ows_server/ows_server/config/ndgMiddleware.py:

• now initialises PEP class (Policy Enforcement Point aka Gatekeeper) from ndg.security.common.authz.pep and adds as a g var attr.

Index: ows_server/ows_server/controllers/logout.py: remove old commented out code

ows_server/ows_server/controllers/retrieve.py:

• added logging
• output ExpatError? message into log

ows_server/ows_server/lib/ndgInterface.py: replaced old ndgInterface gatekeeper code with PEP class.

ows_server/ows_server/lib/security_util.py: moved out of ows_server into ndg.security.common

ows_server/ows_server/lib/base.py: tidied up imports

ows_server/ows_server/templates/stubB.kid: code to comment out the CSML entries caused an error for render(). Re-instated commented out section.

Location:

TI05-delivery/ows_framework/trunk/ows_server

Files:

• ndgDiscovery.config (modified) (2 diffs)
• ows_server/config/ndgMiddleware.py (modified) (1 diff)
• ows_server/controllers/logout.py (modified) (2 diffs)
• ows_server/controllers/retrieve.py (modified) (2 diffs)
• ows_server/lib/base.py (modified) (2 diffs)
• ows_server/lib/ndgInterface.py (modified) (7 diffs)
• ows_server/lib/security_util.py (deleted)
• ows_server/templates/stubB.kid (modified) (2 diffs)

TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config

@@ -184 +184 @@
 sslCACertFilePathList: certs/ndg-test-ca.crt
 
-# Gatekeeper Attribute Certificate check
-# Issuer - should match with the issuer element of the users Attribute
-# Certificate submitted in order to gain access
-#acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
-acIssuer: /CN=Junk/O=NDG/OU=Gabriel
-
-# verification of X.509 cert back to CA.  Currently only the CA of this site
-# is needed because only mapped Attribute Certificates may be accepted.
-acCACertFilePathList: certs/ndg-test-ca.crt
-
 
 # WS-Security signature handler - set a config file with 'wssCfgFilePath'
@@ -233 +223 @@
 applySignatureConfirmation=False
 
+#
+# Gatekeeper settings
+#
+[NDG_SECURITY.gatekeeper]
+#
+# Policy Enforcement Point calls a Policy Decision Point interface:
+
+# File path to Python module containing the PDP class - leave blank if the 
+# module is in PYTHONPATH env var
+pdpModFilePath: 
+
+# Name of PDP Python module
+pdpModName: ndg.security.common.authz.pdp.browse
+
+# Name of PDP class used
+pdpClassName: BrowsePDP
+
+# File Path to configuration file used by PDP class (environment variables
+# can be used in this path e.g. $PDP_CONFIG_DIR/pdp.cfg.  Omit this parameter
+# to make the PEP read the PDP settings from THIS config file
+#pdpCfgFilePath:
+
+# Read PDP params from THIS section
+pdpCfgSection: NDG_SECURITY.gatekeeper
+
+#
+# Settings for Policy Decision Point called by the PEP 
+
+# Address of Attribute Authority for Data Provider
+aaURI:
+
+# CA certificates used to verify peer certs from Session Manager SSL 
+# connections - space delimited list
+sslCACertFilePathList:
+
+# Set to file object to dump SOAP message output for debugging
+tracefile:
+
+# CA certificates used to verify the signature of user Attribute Certificates
+# - space delimited list but note that currently only the CA of this site
+# is needed because only mapped Attribute Certificates may be accepted.
+acCACertFilePathList: certs/ndg-test-ca.crt
+
+# X.509 Distinguished Name for Attribute Certificate issuer - should match with
+# the issuer element of the users Attribute Certificate submitted in order to 
+# gain access
+acIssuer: /CN=AttributeAuthority/O=NDG Security Test/OU=Site A
+#acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
+
+# WS-Security signature handler - set a config file with 'wssCfgFilePath'
+# or omit and put the relevant content directly in here under the section name
+# specified by 'wssCfgSection' below
+#wssCfgFilePath: wssecurity.cfg
+
+# Config file section for WS-Security settings - Nb. the gatekeeper shares the
+# same settings as the Single Sign On Service.
+wssCfgSection: NDG_SECURITY.wssecurity
 
 [RELATED]

TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py

@@ -111 +111 @@
             self.globals.logout=g.ndg.security.server.ssoservice.cfg.logoutURI
             self.globals.getCredentials=g.ndg.security.server.ssoservice.cfg.getCredentials
-          
-        #self.globals.securityCfg = SecurityConfig(cf)
+
+        # Policy Enforcement Point initialisation
+        if securityEnabled:
+            try:
+                from ndg.security.common.authz.pep import PEP
+            except ImportError, e:
+                # If standalone flag is not present security must be enabled
+                raise NDGConfigError('%s: expecting standalone config ' % \
+                        __name__ + 
+                        'flag set to False for Policy Enforcement Point ' + \
+                        'import: %s' % e)
+            
+            self.globals.pep = PEP(cfg=cf.config, 
+                                   cfgSection='NDG_SECURITY.gatekeeper')
+            
         self.config=cf
         

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py

@@ -4 +4 @@
 
 try:
-    from ndg.security.server.sso.sso.controllers.logout import LogoutController as\
-        _LogoutController
+    from ndg.security.server.sso.sso.controllers.logout \
+        import LogoutController as _LogoutController
         
     class LogoutController(_LogoutController):
@@ -24 +24 @@
             log.info("Single Sign On Service is disabled setting 404 error...")
             abort(404)
-
-#from ows_server.lib.security_util import SecuritySession
-#import logging
-#log = logging.getLogger(__name__)
-#
-#from paste.request import parse_querystring
-#import sys # include in case tracefile is set to sys.stderr 
-#import base64 # decode the return to address
-#from urlparse import urlsplit, urlunsplit
-#
-#from ndg.security.common.SessionMgr import SessionMgrClient
-#
-#
-#class LogoutController(BaseController):
-#    '''Provides the pylons controller for logging out and killing the cookies
-#    '''
-#    
-#    def __before__(self):
-#        """Get return to URL"""
-#        c.returnTo = request.params.get('r', '')
-#        
-#        # Check return to address - getCredentials should NOT be returned to
-#        # with its query args intact
-#        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo)
-#        if 'getCredentials' in pathInfo:
-#            # Swap to discovery and remove sensitive creds query args
-#            #
-#            # TODO: re-write to be more robust and modular.  Nb. 
-#            # BaseController.__call__ should filter out 'getCredentials'
-#            # calls from c.requestURL so this code should never need to be 
-#            # executed.
-#            filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','',''))
-#            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo)
-#
-#    
-#    def index(self):
-#        ''' Ok, you really want to logout here '''
-#
-#        if 'ndgSec' not in session:
-#            # There's no handle to a security session
-#            log.error("logout called but no 'ndgSec' key in session object")
-#            return self.__redirect()
-#        
-#        # Fixed URI to be equal to the session's security settings 'h' param!
-#        # This contains the location of the Session Manager where the users
-#        # session is held.
-#        #
-#        # Removed sslPeerCertCN setting here - the session manager could at 
-#        # any of a number of different trusted sites where the user logged in
-#        # from.  There's no way of predicting an alternate SSL cert Common
-#        # Name through the config file settings
-#        #
-#        # P J Kershaw 21/11/2007
-#        try:
-#            smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-#                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
-#                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-#                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-#                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-#                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-#                    tracefile=g.securityCfg.tracefile)       
-#        except Exception, e:
-#            log.error("logout - creating Session Manager client: %s" % e)
-#            return self.__cleanupAndRedirect()  
-#        
-#        # Disconnect from Session Manager
-#        log.info('Calling Session Manager "%s" disconnect for logout...' % \
-#                 g.securityCfg.smURI)
-#        try:
-#            smClnt.disconnect(sessID=session['ndgSec']['sid'])
-#        except Exception, e:
-#            log.error("Error with Session Manager logout: %s" % e)
-#            # don't exit here - instead proceed to delete session and 
-#            # redirect ...
-#
-#        return self.__cleanupAndRedirect()
-#
-#
-#    def __cleanupAndRedirect(self):
-#        """Remove security session and call _redirect"""
-#        try:
-#            # easy to kill our cookie
-#            SecuritySession.delete()
-#            if 'ndgCleared' in session: del session['ndgCleared']
-#            session.save()
-#            
-#        except Exception, e:   
-#            log.error("logout - clearing security session: %s" % e)
-#
-#        return self.__redirect()
-#    
-#    
-#    def __redirect(self):
-#        """Handle redirect back to previous page"""
-#        if c.returnTo:
-#            # Decode the return to address
-#            try:
-#                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-#            except Exception, e:
-#                log.error("logout - decoding return URL: %s" % e) 
-#                return render('content')
-#            
-#            # and now go back to whence we had come
-#            h.redirect_to(b64decReturnTo)
-#        else:
-#            return render('content')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/retrieve.py

@@ -8 +8 @@
 from ows_server.lib.ndgInterface import interface 
 from xml.parsers.expat import ExpatError
+
+import logging
+log = logging.getLogger(__name__)
+
 
 class RetrieveController(BaseController):
@@ -133 +137 @@
         try:
             return render(r)
+        
+        except ExpatError, e:
+            c.xml='XML content is not well formed'
+            c.doc=str(x)
+            response.status_code = 400
+            log.error("Retrieving [%s] - XML content: %s" % (uri, e))
+            return render('error')
+
         except Exception, e:
             #we may be showing an xml document ... but it could go wrong if
             #we have crap content ...
-            if isinstance(e, ExpatError):
-                c.xml='<p> XML content is not well formed </p>'
-                c.doc=str(x)
-            else:
-                c.xml='<p> Unexpected error [%s] viewing [%s] </p>'%(str(e),uri)
-                c.doc=''
+            c.xml='Unexpected error [%s] viewing [%s]'%(str(e), uri)
+            c.doc=''
             response.status_code = 400
             return render('error')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py

@@ -7 +7 @@
  Base controller providing generic functionality and extended by most other controllers
 """
-import urllib
-from urlparse import urlsplit, urlunsplit
-from base64 import urlsafe_b64encode
 from pylons import c, g, cache, request, session, response
 from pylons.controllers import WSGIController
@@ -19 +16 @@
 import ows_server.models as model
 import ows_server.lib.helpers as h
-from ows_server.lib.security_util import setSecuritySession, LoginServiceQuery
 from ows_common import exceptions as OWS_E
 from ows_common.operations_metadata import OperationsMetadata, Operation, RequestMethod

TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/ndgInterface.py

@@ -18 +18 @@
 import logging
 logger = logging.getLogger('ndgInterface')
-from ows_server.models.ndgSecurity import HandleSecurity
-
+#from ows_server.models.ndgSecurity import HandleSecurity
+from pylons import g # for handle to access control PEP interface
+try:
+    from ndg.security.common.authz.pdp import PDPError
+    from ndg.security.common.authz.pep import PEPError
+except ImportError, e:
+    from warnings import warn
+    warn(__name__ + ": access control is disabled: %s" % e, RuntimeWarning)
+    
+    
 class CDMSEntry(object):
     """
@@ -109 +117 @@
         #in the retrieve controller!
 
-        # Fix call to ndgRetrieve so that it sets the discovery flag explicitly
-        # rather than defaulting to 1
-        # 
-        # PJK 01/05/2008
-        standaloneDiscovery = \
-                request.environ['ndgConfig'].config.getboolean('DISCOVERY',
-                                                               'standalone')
-        
         try:
             ndgO=ndgObject(uri)
@@ -136 +136 @@
                                     logger,
                                     outputSchema,
-                                    discovery=standaloneDiscovery)
+                                    discovery=g.standalone)
         else:
             try:
@@ -151 +151 @@
                                             logger,
                                             outputSchema,
-                                            discovery=standaloneDiscovery)
+                                            discovery=g.standalone)
                 if status: self.XMLHCache[uri]=xmlh
             
@@ -163 +163 @@
         #   exceptions, status=0, xmlh='Exception(e)'
         
-        status,xmlh=self.__GateKeep(ndgO,xmlh)
+        status,xmlh=self.__gatekeep(ndgO,xmlh)
         if status:
             if cleared is None:
@@ -199 +199 @@
         return status,d
         
-    def __GateKeep(self,uri,x):
+    def __gatekeep(self,uri,x):
         ''' This is the NDG gatekeeper '''
         if 'ndgSec' in session:
@@ -205 +205 @@
         else:
             securityTokens=None
-        
-        if uri.schema=='DIF':
-            pass # no access control
-        elif uri.schema =='NDG-B0':
-            #cred=x.find('dgSecurityCondition/simpleCondition')
-            #if cred:
-            #    return 0,'<p> Access Control: <br/>[<![CDAT[%s]]> </p>'
-            pass
-        elif uri.schema =='NDG-B1':
-            pass # for the moment
-        elif uri.schema =='NDG-A0':
-            if True:  # use this for turning security on and off during testing
-                s=x.tree.find('{http://ndg.nerc.ac.uk/csml}AccessControlPolicy/{http://ndg.nerc.ac.uk/csml}dgSecurityCondition')
-                if s is not None:
-                    status,message=HandleSecurity(uri,s,securityTokens)
-                    if not status: return 0,'<p> Access Denied for %s </p><p>%s</p>'%(uri,message)
-        return 1,x
+
+        if not hasattr(g, 'pep'):
+            if not g.standalone:
+                raise PEPError(\
+                "Security is disabled but the standalone flag is set to False")
+                
+            log.info("__gatekeep: access control is disabled - standalone " + \
+                     "config flag is set")
+            
+        try:
+            # Arguments are: a handle to the resource and a handle to the users
+            # security tokens
+            g.pep(dict(uri=uri, doc=x), securityTokens, None)
+            return True, x
+        
+        except PDPError, e:
+            # Caught a known access control condition
+            return False, 'Access Denied for %s %s' % (uri, e)
                 
     def __getLocal(self,uri):

TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/stubB.kid

@@ -79 +79 @@
                                         else:
                                             selected=False
-                                    ?>
+                                                    ?>
                                     <td width="10%">
                                         <span py:if="showSelect and selected">
-                                          Selected
-                                        </span>
-                                        <!--span class="selectme" py:if="showSelect and not selected">
+                                                                 Selected
+                                                            </span>
+                                                            <span class="selectme" py:if="showSelect and not selected">
                                             ${XML(h.link_to_remote("Select",dict(update="PageTabs",
                                             url=h.url_for(controller="tabs",
@@ -97 +97 @@
                                         <a href="$g.server/view/$granule.entryID">$granule.name</a>
                                     </td>
-                                    <td><div py:replace="ShortCoverage(granule)"/></td>
+                                    <td>
+                                        <div py:replace="ShortCoverage(granule)"/>
+                                    </td>
                                 </tr>
-                            </tbody-->
-                        </table>
+                                    </tbody>
+                                            </table>
                     </div>
                     <!-- of granules -->