Changeset 3901
- Timestamp:
- 15/05/08 10:35:33 (13 years ago)
- Location:
- TI05-delivery/ows_framework/trunk/ows_server
- Files:
-
- 1 deleted
- 7 edited
TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
r3893 r3901 184 184 sslCACertFilePathList: certs/ndg-test-ca.crt 185 185 186 # Gatekeeper Attribute Certificate check187 # Issuer - should match with the issuer element of the users Attribute188 # Certificate submitted in order to gain access189 #acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC190 acIssuer: /CN=Junk/O=NDG/OU=Gabriel191 192 # verification of X.509 cert back to CA. Currently only the CA of this site193 # is needed because only mapped Attribute Certificates may be accepted.194 acCACertFilePathList: certs/ndg-test-ca.crt195 196 186 197 187 # WS-Security signature handler - set a config file with 'wssCfgFilePath' … … 233 223 applySignatureConfirmation=False 234 224 225 # 226 # Gatekeeper settings 227 # 228 [NDG_SECURITY.gatekeeper] 229 # 230 # Policy Enforcement Point calls a Policy Decision Point interface: 231 232 # File path to Python module containing the PDP class - leave blank if the 233 # module is in PYTHONPATH env var 234 pdpModFilePath: 235 236 # Name of PDP Python module 237 pdpModName: ndg.security.common.authz.pdp.browse 238 239 # Name of PDP class used 240 pdpClassName: BrowsePDP 241 242 # File Path to configuration file used by PDP class (environment variables 243 # can be used in this path e.g. $PDP_CONFIG_DIR/pdp.cfg. 
Omit this parameter 244 # to make the PEP read the PDP settings from THIS config file 245 #pdpCfgFilePath: 246 247 # Read PDP params from THIS section 248 pdpCfgSection: NDG_SECURITY.gatekeeper 249 250 # 251 # Settings for Policy Decision Point called by the PEP 252 253 # Address of Attribute Authority for Data Provider 254 aaURI: 255 256 # CA certificates used to verify peer certs from Session Manager SSL 257 # connections - space delimited list 258 sslCACertFilePathList: 259 260 # Set to file object to dump SOAP message output for debugging 261 tracefile: 262 263 # CA certificates used to verify the signature of user Attribute Certificates 264 # - space delimited list but note that currently only the CA of this site 265 # is needed because only mapped Attribute Certificates may be accepted. 266 acCACertFilePathList: certs/ndg-test-ca.crt 267 268 # X.509 Distinguished Name for Attribute Certificate issuer - should match with 269 # the issuer element of the users Attribute Certificate submitted in order to 270 # gain access 271 acIssuer: /CN=AttributeAuthority/O=NDG Security Test/OU=Site A 272 #acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC 273 274 # WS-Security signature handler - set a config file with 'wssCfgFilePath' 275 # or omit and put the relevant content directly in here under the section name 276 # specified by 'wssCfgSection' below 277 #wssCfgFilePath: wssecurity.cfg 278 279 # Config file section for WS-Security settings - Nb. the gatekeeper shares the 280 # same settings as the Single Sign On Service. 281 wssCfgSection: NDG_SECURITY.wssecurity 235 282 236 283 [RELATED] -
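Review bot: In the new `[NDG_SECURITY.gatekeeper]` section `sslCACertFilePathList:` and `aaURI:` are committed empty while `acCACertFilePathList` and `acIssuer` point at the test CA and the `NDG Security Test/Site A` issuer, and it is not visible here how the Session Manager client treats an empty CA list; if an empty list means the peer certificate is not verified, the gatekeeper's SSL connections to the Session Manager would be unauthenticated in any deployment that copies this section as-is. A comment above `sslCACertFilePathList:` such as `# REQUIRED in production: CA(s) used to verify the Session Manager server certificate - do not deploy with this empty` makes that explicit, and `aaURI:` deserves the same. `tracefile:` dumps the SOAP traffic, which carries the user's session identifier and Attribute Certificates, so its comment should read `# Debugging only - the dump contains session IDs and credentials; leave unset in production`.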
TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py
r3893 r3901 111 111 self.globals.logout=g.ndg.security.server.ssoservice.cfg.logoutURI 112 112 self.globals.getCredentials=g.ndg.security.server.ssoservice.cfg.getCredentials 113 114 #self.globals.securityCfg = SecurityConfig(cf) 113 114 # Policy Enforcement Point initialisation 115 if securityEnabled: 116 try: 117 from ndg.security.common.authz.pep import PEP 118 except ImportError, e: 119 # If standalone flag is not present security must be enabled 120 raise NDGConfigError('%s: expecting standalone config ' % \ 121 __name__ + 122 'flag set to False for Policy Enforcement Point ' + \ 123 'import: %s' % e) 124 125 self.globals.pep = PEP(cfg=cf.config, 126 cfgSection='NDG_SECURITY.gatekeeper') 127 115 128 self.config=cf 116 129 -
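Review bot: The `NDGConfigError` raised in the new `except ImportError` branch conflates two different failures (`ndg.security` not installed versus the standalone flag being wrong) and its wording, "expecting standalone config flag set to False for Policy Enforcement Point import", is easy to read backwards: with security enabled the operator must either install `ndg.security` or run standalone, and the message should say so. Suggest `raise NDGConfigError('%s: security is enabled but the Policy Enforcement Point could not be imported - install ndg.security or set the standalone flag: %s' % (__name__, e))`. The `PEP(cfg=cf.config, cfgSection='NDG_SECURITY.gatekeeper')` call is also made without checking that the section exists; whether `PEP` reports a missing section clearly is not visible here. The enclosing function and the definition of `securityEnabled` lie outside the hunk.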
TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
r3893 r3901 4 4 5 5 try: 6 from ndg.security.server.sso.sso.controllers.logout import LogoutController as\7 _LogoutController6 from ndg.security.server.sso.sso.controllers.logout \ 7 import LogoutController as _LogoutController 8 8 9 9 class LogoutController(_LogoutController): … … 24 24 log.info("Single Sign On Service is disabled setting 404 error...") 25 25 abort(404) 26 27 #from ows_server.lib.security_util import SecuritySession28 #import logging29 #log = logging.getLogger(__name__)30 #31 #from paste.request import parse_querystring32 #import sys # include in case tracefile is set to sys.stderr33 #import base64 # decode the return to address34 #from urlparse import urlsplit, urlunsplit35 #36 #from ndg.security.common.SessionMgr import SessionMgrClient37 #38 #39 #class LogoutController(BaseController):40 # '''Provides the pylons controller for logging out and killing the cookies41 # '''42 #43 # def __before__(self):44 # """Get return to URL"""45 # c.returnTo = request.params.get('r', '')46 #47 # # Check return to address - getCredentials should NOT be returned to48 # # with its query args intact49 # b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)50 # scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo)51 # if 'getCredentials' in pathInfo:52 # # Swap to discovery and remove sensitive creds query args53 # #54 # # TODO: re-write to be more robust and modular. 
Nb.55 # # BaseController.__call__ should filter out 'getCredentials'56 # # calls from c.requestURL so this code should never need to be57 # # executed.58 # filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','',''))59 # c.returnTo = base64.urlsafe_b64encode(filteredReturnTo)60 #61 #62 # def index(self):63 # ''' Ok, you really want to logout here '''64 #65 # if 'ndgSec' not in session:66 # # There's no handle to a security session67 # log.error("logout called but no 'ndgSec' key in session object")68 # return self.__redirect()69 #70 # # Fixed URI to be equal to the session's security settings 'h' param!71 # # This contains the location of the Session Manager where the users72 # # session is held.73 # #74 # # Removed sslPeerCertCN setting here - the session manager could at75 # # any of a number of different trusted sites where the user logged in76 # # from. There's no way of predicting an alternate SSL cert Common77 # # Name through the config file settings78 # #79 # # P J Kershaw 21/11/200780 # try:81 # smClnt = SessionMgrClient(uri=session['ndgSec']['h'],82 # sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,83 # signingCertFilePath=g.securityCfg.wssCertFilePath,84 # signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,85 # signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,86 # caCertFilePathList=g.securityCfg.wssCACertFilePathList,87 # tracefile=g.securityCfg.tracefile)88 # except Exception, e:89 # log.error("logout - creating Session Manager client: %s" % e)90 # return self.__cleanupAndRedirect()91 #92 # # Disconnect from Session Manager93 # log.info('Calling Session Manager "%s" disconnect for logout...' 
% \94 # g.securityCfg.smURI)95 # try:96 # smClnt.disconnect(sessID=session['ndgSec']['sid'])97 # except Exception, e:98 # log.error("Error with Session Manager logout: %s" % e)99 # # don't exit here - instead proceed to delete session and100 # # redirect ...101 #102 # return self.__cleanupAndRedirect()103 #104 #105 # def __cleanupAndRedirect(self):106 # """Remove security session and call _redirect"""107 # try:108 # # easy to kill our cookie109 # SecuritySession.delete()110 # if 'ndgCleared' in session: del session['ndgCleared']111 # session.save()112 #113 # except Exception, e:114 # log.error("logout - clearing security session: %s" % e)115 #116 # return self.__redirect()117 #118 #119 # def __redirect(self):120 # """Handle redirect back to previous page"""121 # if c.returnTo:122 # # Decode the return to address123 # try:124 # b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)125 # except Exception, e:126 # log.error("logout - decoding return URL: %s" % e)127 # return render('content')128 #129 # # and now go back to whence we had come130 # h.redirect_to(b64decReturnTo)131 # else:132 # return render('content') -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/retrieve.py
r3661 r3901 8 8 from ows_server.lib.ndgInterface import interface 9 9 from xml.parsers.expat import ExpatError 10 11 import logging 12 log = logging.getLogger(__name__) 13 10 14 11 15 class RetrieveController(BaseController): … … 133 137 try: 134 138 return render(r) 139 140 except ExpatError, e: 141 c.xml='XML content is not well formed' 142 c.doc=str(x) 143 response.status_code = 400 144 log.error("Retrieving [%s] - XML content: %s" % (uri, e)) 145 return render('error') 146 135 147 except Exception, e: 136 148 #we may be showing an xml document ... but it could go wrong if 137 149 #we have crap content ... 138 if isinstance(e, ExpatError): 139 c.xml='<p> XML content is not well formed </p>' 140 c.doc=str(x) 141 else: 142 c.xml='<p> Unexpected error [%s] viewing [%s] </p>'%(str(e),uri) 143 c.doc='' 150 c.xml='Unexpected error [%s] viewing [%s]'%(str(e), uri) 151 c.doc='' 144 152 response.status_code = 400 145 153 return render('error') -
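Review bot: The generic `except Exception` branch at the end of the hunk returns the raw exception text to the client via `c.xml='Unexpected error [%s] viewing [%s]'%(str(e), uri)` but, unlike the new `ExpatError` branch just above it, never logs anything, so internal detail (file paths, backend hostnames, library error text) is disclosed to the user while the server keeps no record of it. Swap that around: `log.exception("Retrieving [%s]: unexpected error" % uri)` and `c.xml='Unexpected error viewing [%s]'%uri`. Whether the `error` template escapes `c.xml` and `c.doc` is not visible here; the old code wrapped these values in `<p>` tags, which suggests they were rendered as markup, so `c.doc=str(x)` echoing the malformed document and the request-derived `uri` should be checked against that template. The enclosing function starts outside the hunk.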
TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
r3893 r3901 7 7 Base controller providing generic functionality and extended by most other controllers 8 8 """ 9 import urllib10 from urlparse import urlsplit, urlunsplit11 from base64 import urlsafe_b64encode12 9 from pylons import c, g, cache, request, session, response 13 10 from pylons.controllers import WSGIController … … 19 16 import ows_server.models as model 20 17 import ows_server.lib.helpers as h 21 from ows_server.lib.security_util import setSecuritySession, LoginServiceQuery22 18 from ows_common import exceptions as OWS_E 23 19 from ows_common.operations_metadata import OperationsMetadata, Operation, RequestMethod -
TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/ndgInterface.py
r3833 r3901 18 18 import logging 19 19 logger = logging.getLogger('ndgInterface') 20 from ows_server.models.ndgSecurity import HandleSecurity 21 20 #from ows_server.models.ndgSecurity import HandleSecurity 21 from pylons import g # for handle to access control PEP interface 22 try: 23 from ndg.security.common.authz.pdp import PDPError 24 from ndg.security.common.authz.pep import PEPError 25 except ImportError, e: 26 from warnings import warn 27 warn(__name__ + ": access control is disabled: %s" % e, RuntimeWarning) 28 29 22 30 class CDMSEntry(object): 23 31 """ … … 109 117 #in the retrieve controller! 110 118 111 # Fix call to ndgRetrieve so that it sets the discovery flag explicitly112 # rather than defaulting to 1113 #114 # PJK 01/05/2008115 standaloneDiscovery = \116 request.environ['ndgConfig'].config.getboolean('DISCOVERY',117 'standalone')118 119 119 try: 120 120 ndgO=ndgObject(uri) … … 136 136 logger, 137 137 outputSchema, 138 discovery= standaloneDiscovery)138 discovery=g.standalone) 139 139 else: 140 140 try: … … 151 151 logger, 152 152 outputSchema, 153 discovery= standaloneDiscovery)153 discovery=g.standalone) 154 154 if status: self.XMLHCache[uri]=xmlh 155 155 … … 163 163 # exceptions, status=0, xmlh='Exception(e)' 164 164 165 status,xmlh=self.__ GateKeep(ndgO,xmlh)165 status,xmlh=self.__gatekeep(ndgO,xmlh) 166 166 if status: 167 167 if cleared is None: … … 199 199 return status,d 200 200 201 def __ GateKeep(self,uri,x):201 def __gatekeep(self,uri,x): 202 202 ''' This is the NDG gatekeeper ''' 203 203 if 'ndgSec' in session: … … 205 205 else: 206 206 securityTokens=None 207 208 if uri.schema=='DIF': 209 pass # no access control 210 elif uri.schema =='NDG-B0': 211 #cred=x.find('dgSecurityCondition/simpleCondition') 212 #if cred: 213 # return 0,'<p> Access Control: <br/>[<![CDAT[%s]]> </p>' 214 pass 215 elif uri.schema =='NDG-B1': 216 pass # for the moment 217 elif uri.schema =='NDG-A0': 218 if True: # use this for turning security on and off during 
testing 219 s=x.tree.find('{http://ndg.nerc.ac.uk/csml}AccessControlPolicy/{http://ndg.nerc.ac.uk/csml}dgSecurityCondition') 220 if s is not None: 221 status,message=HandleSecurity(uri,s,securityTokens) 222 if not status: return 0,'<p> Access Denied for %s </p><p>%s</p>'%(uri,message) 223 return 1,x 207 208 if not hasattr(g, 'pep'): 209 if not g.standalone: 210 raise PEPError(\ 211 "Security is disabled but the standalone flag is set to False") 212 213 log.info("__gatekeep: access control is disabled - standalone " + \ 214 "config flag is set") 215 216 try: 217 # Arguments are: a handle to the resource and a handle to the users 218 # security tokens 219 g.pep(dict(uri=uri, doc=x), securityTokens, None) 220 return True, x 221 222 except PDPError, e: 223 # Caught a known access control condition 224 return False, 'Access Denied for %s %s' % (uri, e) 224 225 225 226 def __getLocal(self,uri): -
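Review bot: In the rewritten `__gatekeep` the standalone path does not return: when `g` has no `pep` and `g.standalone` is set, the code logs and then falls through to `g.pep(...)`, which raises `AttributeError` on every request, and `log` is not a name bound in this module as far as the hunk shows (line 19 binds `logger`), so the `log.info` call itself would raise `NameError` first. Change that branch to `logger.info("__gatekeep: access control is disabled - standalone config flag is set")` followed by `return True, x`. `PEPError` and `PDPError` are only bound when the `ndg.security` import succeeds; if it fails, `raise PEPError(...)` becomes a `NameError`, which still fails closed but with a misleading error, so consider binding fallback exception classes in the module-level `except ImportError` branch. Exceptions from `g.pep` other than `PDPError` propagate to the caller, which is the right fail-closed default and worth a one-line comment saying so.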
TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/stubB.kid
r3544 r3901 79 79 else: 80 80 selected=False 81 ?>81 ?> 82 82 <td width="10%"> 83 83 <span py:if="showSelect and selected"> 84 Selected85 </span>86 <!--span class="selectme" py:if="showSelect and not selected">84 Selected 85 </span> 86 <span class="selectme" py:if="showSelect and not selected"> 87 87 ${XML(h.link_to_remote("Select",dict(update="PageTabs", 88 88 url=h.url_for(controller="tabs", … … 97 97 <a href="$g.server/view/$granule.entryID">$granule.name</a> 98 98 </td> 99 <td><div py:replace="ShortCoverage(granule)"/></td> 99 <td> 100 <div py:replace="ShortCoverage(granule)"/> 101 </td> 100 102 </tr> 101 </tbody-->102 </table>103 </tbody> 104 </table> 103 105 </div> 104 106 <!-- of granules -->
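Review bot: Re-enabling the `selectme` span reintroduces `${XML(h.link_to_remote(...))}`, and `XML()` makes Kid emit the helper's output unescaped; the remaining arguments of the `link_to_remote` call continue outside the hunk, so it is not visible whether any granule-derived value is interpolated into that markup. If one is, it must be escaped by the helper, because the automatic escaping that protects `$granule.name` and `$granule.entryID` in the same row does not apply inside `XML()`. A comment such as `<!-- XML(): output is emitted unescaped; only pass trusted or helper-escaped values to link_to_remote -->` would warn the next editor.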