Changeset 3914 for TI12-security/trunk

Timestamp:

20/05/08 17:11:20 (12 years ago)

Author:

pjkersha

Message:

• New ndg.security.common.zsi_util.httpproxy.ProxyHTTPConnection class replaces urllib2client - easier to fit into existing ZSI client framework.
• Further OpenID integration into Single Sign On Service. User now authenticates OK but patches needed to AuthKit? + need to handle return_to URL dynamically according to page visited before WAYF call.

Location:

TI12-security/trunk/python

Files:

• Tests/authtest/development.ini (modified) (4 diffs)
• ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py (modified) (6 diffs)
• ndg.security.common/ndg/security/common/AttAuthority/Makefile (modified) (1 diff)
• ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (6 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/Makefile (modified) (1 diff)
• ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py (modified) (6 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/__init__.py (modified) (6 diffs)
• ndg.security.common/ndg/security/common/zsi_utils/httpproxy.py (added)
• ndg.security.common/ndg/security/common/zsi_utils/urllib2client.py (deleted)
• ndg.security.server/ndg/security/server/sso/development.ini (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso.cfg (modified) (3 diffs)
• ndg.security.server/ndg/security/server/sso/sso/config/environment.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/config/middleware.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py (modified) (4 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (10 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/base.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py (added)
• ndg.security.server/ndg/security/server/sso/sso/public/layout/openid-inputicon.gif (added)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/tests/functional/test_openidsignin.py (added)

TI12-security/trunk/python/Tests/authtest/development.ini

@@ -14 +14 @@
 use = egg:Paste#http
 host = 0.0.0.0
-port = 5000
+port = 5100
 
 [app:main]
@@ -54 +54 @@
 # This is optional - see:
 # http://wiki.pylonshq.com/display/authkitcookbook/OpenID+Passurl
-authkit.openid.baseurl = http://localhost:5000
+authkit.openid.baseurl = http://localhost:5100
 
 # Template for signin
@@ -61 +61 @@
 # Logging configuration
 [loggers]
-keys = root, authtest
+keys = root, authtest, authkit
 
 [handlers]
@@ -78 +78 @@
 qualname = authtest
 
+[logger_authkit]
+level = DEBUG
+handlers =
+qualname = authkit
+
 [handler_console]
 class = StreamHandler

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/AttAuthority_services.py

@@ -8 +8 @@
 import urlparse, types
 from ZSI.TCcompound import ComplexType, Struct
-from ndg.security.common.zsi_utils import urllib2client as client
+from ZSI import client
 import ZSI
 from ZSI.generate.pyclass import pyclass_type
@@ -29 +29 @@
         # no ws-addressing
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a3dec>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x8460c4c>
     def getAttCert(self, userId,userCert,userAttCert):
 
@@ -46 +46 @@
         return attCert,msg
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a812c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x8460f8c>
     def getHostInfo(self):
 
@@ -64 +64 @@
         return hostname,aaURI,aaDN,loginURI,loginServerDN,loginRequestServerDN
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a8d8c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x8466bec>
     def getTrustedHostInfo(self, role):
 
@@ -78 +78 @@
         return trustedHosts
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a8f2c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x8466d8c>
     def getAllHostsInfo(self):
 
@@ -91 +91 @@
         return hosts
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84b20cc>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x8466f0c>
     def getX509Cert(self):
 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/Makefile

@@ -17 +17 @@
 OPTS=-be -f
 
-STUB_FILE=AttAuthority_services.py
-TMP_FILE=AttAuthority_services.tmp
-
-ORIG1=from ZSI import client
-REPL1=from ndg.security.common.zsi_utils import urllib2client as client
-
 generateStubs: ${WSDL_FILE}
         @echo Generate stub ...
         ${CMD} ${OPTS} ${WSDL_FILE}
-        @echo Make substitutions for HTTP Proxy custom Client Binding class fix ...
-        cat ${STUB_FILE}|sed  s/"${ORIG1}"/"${REPL1}"/g > ${TMP_FILE}
-        @mv ${TMP_FILE} ${STUB_FILE}
         @echo Done.
         

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -38 +38 @@
     HostCheck
 
+from ndg.security.common.zsi_utils.httpproxy import ProxyHTTPConnection
+
 import logging
 log = logging.getLogger(__name__)
@@ -73 +75 @@
                  uri=None, 
                  tracefile=None,
+                 httpProxyHost=None,
+                 ignoreHttpProxyEnv=False,
                  sslCACertList=[],
                  sslCACertFilePathList=[],
@@ -111 +115 @@
         self.__uri = None
         self._transdict = {}        
+        self._transport = HTTPProxyConnection
         
         if uri:
             self.__setURI(uri)
 
+        self.__setHTTPProxyHost(httpProxyHost)
+        self.__setIgnoreHttpProxyEnv(ignoreHttpProxyEnv)
+        
         if sslPeerCertCN:
             self.__setSSLPeerCertCN(sslPeerCertCN)
@@ -157 +165 @@
             self._transport = HTTPSConnection
         else:
-            self._transport = None
+            self._transport = ProxyHTTPConnection
 
 
@@ -168 +176 @@
             
     uri = property(fset=__setURI, fget=__getURI,doc="Attribute Authority URI")
+
+
+    #_________________________________________________________________________
+    def __setHTTPProxyHost(self, val):
+        """Set a HTTP Proxy host overriding any http_proxy environment variable
+        setting"""
+        if self._transport != ProxyHTTPConnection:
+            raise AttAuthorityClientError(\
+                "Setting HTTP Proxy Host but transport class is not " + \
+                "ProxyHTTPConnection type")
+        
+        self._transdict['httpProxyHost'] = val
+
+    httpProxyHost = property(fset=__setHTTPProxyHost, 
+        doc="HTTP Proxy hostname - overrides any http_proxy env var setting")
+
+
+    #_________________________________________________________________________
+    def __setIgnoreHttpProxyEnv(self, val):
+        """Set to True to ignore any http_proxy environment variable setting"""
+        if self._transport != ProxyHTTPConnection:
+            raise AttAuthorityClientError(\
+                "Setting ignore HTTP Proxy Host flag but transport class " + \
+                "is not ProxyHTTPConnection type")
+        
+        self._transdict['ignoreHttpProxyEnv'] = val
+
+    ignoreHttpProxyEnv = property(fset=__setIgnoreHttpProxyEnv, 
+    doc="Set to True to ignore any http_proxy environment variable setting")
 
 
@@ -362 +399 @@
         @return: dictionary of host information indexed by hostname derived 
         from the map configuration"""
-            
+
+        hosts = self.__srv.getAllHostsInfo()
         try:
             hosts = self.__srv.getAllHostsInfo()

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/Makefile

@@ -17 +17 @@
 OPTS=-be -f
 
-STUB_FILE=SessionMgr_services.py
-TMP_FILE=SessionMgr_services.tmp
-
-ORIG1=from ZSI import client
-REPL1=from ndg.security.common.zsi_utils import urllib2client as client
-
 generateStubs: ${WSDL_FILE}
         @echo Generate stub ...
         ${CMD} ${OPTS} ${WSDL_FILE}
-        @echo Make substitutions for HTTP Proxy custom Client Binding class fix ...
-        cat ${STUB_FILE}|sed  s/"${ORIG1}"/"${REPL1}"/g > ${TMP_FILE}
-        @mv ${TMP_FILE} ${STUB_FILE}
         @echo Done.
         

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py

@@ -8 +8 @@
 import urlparse, types
 from ZSI.TCcompound import ComplexType, Struct
-from ndg.security.common.zsi_utils import urllib2client as client
+from ZSI import client
 import ZSI
 from ZSI.generate.pyclass import pyclass_type
@@ -29 +29 @@
         # no ws-addressing
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a844c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84652ac>
     def getSessionStatus(self, userDN,sessID):
 
@@ -44 +44 @@
         return isAlive
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84a874c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84655ac>
     def connect(self, username,passphrase,createServerSess):
 
@@ -63 +63 @@
         return userCert,userPriKey,issuingCert,sessID
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84af46c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x846d2cc>
     def disconnect(self, userCert,sessID):
 
@@ -77 +77 @@
         return 
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84af60c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x846d46c>
     def getAttCert(self, userCert,sessID,attAuthorityURI,attAuthorityCert,reqRole,mapFromTrustedHosts,rtnExtAttCertList,extAttCert,extTrustedHost):
 
@@ -101 +101 @@
         return attCert,msg,extAttCertOut
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84af78c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x846d5ec>
     def getX509Cert(self):
 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -28 +28 @@
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
     HostCheck
+from ndg.security.common.zsi_utils.httpproxy import ProxyHTTPConnection
 from SessionMgr_services import SessionMgrServiceLocator
 
@@ -119 +120 @@
                  uri=None, 
                  tracefile=None,
+                 httpProxyHost=None,
+                 ignoreHttpProxyEnv=False,
                  sslCACertList=[],
                  sslCACertFilePathList=[],
@@ -159 +162 @@
         self.__uri = None
         self._transdict = {}
-        self._transport = None       
+        self._transport = ProxyHTTPConnection       
         
         if uri:
             self.__setURI(uri)
+
+        self.__setHTTPProxyHost(httpProxyHost)
+        self.__setIgnoreHttpProxyEnv(ignoreHttpProxyEnv)
 
         if sslPeerCertCN:
@@ -195 +201 @@
         
         if not isinstance(uri, basestring):
-            raise SessionMgrClientError, \
-                             "Session Manager WSDL URI must be a valid string"
+            raise SessionMgrClientError(
+                             "Session Manager WSDL URI must be a valid string")
         
         self.__uri = uri
@@ -202 +208 @@
             scheme = urlparse.urlparse(self.__uri)[0]
         except TypeError:
-            raise AttributeAuthorityClientError, \
-                "Error parsing transport type from URI"
+            raise AttributeAuthorityClientError(
+                                    "Error parsing transport type from URI")
                 
         if scheme == "https":
             self._transport = HTTPSConnection
         else:
-            self._transport = None
+            self._transport = ProxyHTTPConnection
             
             # Ensure SSL settings are cancelled
@@ -222 +228 @@
     uri = property(fset=__setURI, fget=__getURI, doc="Session Manager URI")
 
+
+    #_________________________________________________________________________
+    def __setHTTPProxyHost(self, val):
+        """Set a HTTP Proxy host overriding any http_proxy environment variable
+        setting"""
+        if self._transport != ProxyHTTPConnection:
+            raise SessionMgrClientError(\
+                "Setting HTTP Proxy Host - transport class is %s type, " % \
+                self._transport + \
+                "expecting ProxyHTTPConnection type")
+        
+        self._transdict['httpProxyHost']= val
+
+    httpProxyHost = property(fset=__setHTTPProxyHost, 
+        doc="HTTP Proxy hostname - overrides any http_proxy env var setting")
+
+
+    #_________________________________________________________________________
+    def __setIgnoreHttpProxyEnv(self, val):
+        """Set to True to ignore any http_proxy environment variable setting"""
+        if self._transport != ProxyHTTPConnection:
+            raise SessionMgrClientError(\
+                "Setting ignore HTTP Proxy Host flag but transport class " + \
+                "is not ProxyHTTPConnection type")
+        
+        self._transdict['ignoreHttpProxyEnv']= val
+
+    ignoreHttpProxyEnv = property(fset=__setIgnoreHttpProxyEnv, 
+    doc="Set to True to ignore any http_proxy environment variable setting")
+    
 
     #_________________________________________________________________________

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/development.ini

@@ -29 +29 @@
 #beaker.session.data_dir = %(here)s/data/sessions
 
+authkit.setup.method=openid, cookie
+authkit.cookie.secret=secret encryption string
+authkit.cookie.signoutpath = /openidsignout
+authkit.openid.path.signedin=/login
+authkit.openid.store.type=file
+authkit.openid.store.config=%(here)s/data/openid
+#authkit.openid.path.process=/login
+
+# Copied from http://wiki.pylonshq.com/display/authkitcookbook/OpenID+Passurl
+#authkit.openid.session.middleware = beaker.session
+authkit.openid.session.key = authkit_openid
+authkit.openid.session.secret = random string
+
+# This is optional - see:
+# http://wiki.pylonshq.com/display/authkitcookbook/OpenID+Passurl
+authkit.openid.baseurl = http://localhost/sso
+
+# Template for signin
+authkit.openid.template.obj = sso.lib.openid_util:make_template
+
+# Handler for parsing OpenID and creating a session from it
+authkit.openid.urltouser = sso.lib.openid_util:url2user
+
 # WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
 # Debug mode will enable the interactive debugging tool, allowing ANYONE to
@@ -56 +79 @@
 qualname = sso
 
+[logger_authkit]
+level = DEBUG
+handlers =
+qualname = authkit
 
 [logger_ndg]

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg

@@ -11 +11 @@
 disclaimer:
 
-[NDG_SECURITY]
 # Redirect SOAP output to a file e.g. open(<somefile>, 'w')
 tracefile: None
@@ -20 +19 @@
 attAuthorityURI: http://localhost:5000/AttributeAuthority
 
-# WS-Security signature handler
-wssCfgFilePath: ./wssecurity.cfg
+# WS-Security signature handler - set a config file with 'wssCfgFilePath'
+# or omit and put the relevant content directly in here under 
+# 'NDG_SECURITY.wssecurity' section
+#wssCfgFilePath: wssecurity.cfg
 
 # SSL Connections
@@ -30 +31 @@
 sslCACertFilePathList: certs/ndg-test-ca.crt
 
-# Set an alternate CommonName to match with peer cert for SSL
-# Connections.  If the CN=hostname of the peer then this option 
-# can be commented out
-sslPeerCertCN: 
+# Web Services HTTP Proxy fine tuning 
+#
+# For most situations, these settings can be ignored and instead make use of 
+# the http_proxy environment variable.  They allow for the case where specific 
+# settings are needed just for the security web services calls
 
-# Gatekeeper Attribute Certificate check
-# Issuer - should match with the issuer element of the users Attribute
-# Certificate submitted in order to gain access
-acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
-#acIssuer: /CN=Junk/O=NDG/OU=Gabriel
+# Overrides the http_proxy environment variable setting - may be omitted
+#httpProxyHost: wwwcache.rl.ac.uk:8080
 
-# verification of X.509 cert back to CA
-acCACertFilePathList: certs/ndg-test-ca.crt
+# Web service clients pick up the http_proxy environment variable setting by
+# default.  Set this flag to True to ignore http_proxy for web service 
+# connections.  To use the http_proxy setting, set this parameter to False or 
+# remove it completely from this file.
+ignoreHttpProxyEnv: True
+
+
+# Flag to enable OpenID login
+enableOpenID: True
+
+[WSSecurity]
+
+# Settings for signature of an outbound message ...
+
+# Certificate associated with private key used to sign a message.  The sign 
+# method will add this to the BinarySecurityToken element of the WSSE header.  
+# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
+# As an alternative, use 'signingCertChain' parameter
+
+# file path PEM encoded cert 
+signingCertFilePath=certs/clnt.crt
+
+# file path to PEM encoded private key file
+signingPriKeyFilePath=certs/clnt.key
+
+# Password protecting private key.  Leave blank if there is no password.
+signingPriKeyPwd=
+
+# Provide a space separated list of file paths.  CA Certs should be included 
+# for all the sites this installation trusts
+caCertFilePathList=certs/ndg-test-ca.crt
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  
+reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+addTimestamp=True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature 
+# value sent by client
+applySignatureConfirmation=False
+
+tracefile=sys.stderr
 
 [layout]

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/environment.py

@@ -32 +32 @@
     # CONFIGURATION OPTIONS HERE (note: all config options will override
     # any Pylons config options)
+    
+    # Make a dedicated alias for SSO Service templates to avoid possible
+    # conflicts when importing SSO Service code into another pylons project
+    kidopts = {'kid.assume_encoding':'utf-8', 'kid.encoding':'utf-8'}
+    config.add_template_engine('kid', 
+                               'ndg.security.server.sso.sso.templates', 
+                               kidopts,
+                               alias='ndg.security.kid')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/middleware.py

@@ -12 +12 @@
 
 from sso.config.environment import load_environment
-
 from sso.config.ssoServiceMiddleware import SSOMiddleware
+import logging
+log = logging.getLogger(__name__)
 
 def make_app(global_conf, full_stack=True, **app_conf):
@@ -41 +42 @@
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
     app = SSOMiddleware(app, app_conf['configfile'], app.globals)
-
+    
+    # OpenID Middleware
+    if app.globals.ndg.security.server.ssoservice.cfg.enableOpenID:
+        import authkit.authenticate
+        from beaker.middleware import SessionMiddleware
+        
+        app = authkit.authenticate.middleware(app, app_conf)
+        app = SessionMiddleware(app)#,key='authkit.open_id',secret='some secret')
+        log.info('OpenID is enabled')
 
     if asbool(full_stack):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

@@ -39 +39 @@
             
         appGlobals.ndg = ndg
-          
+        self.globals = appGlobals
+        
     def __call__(self, environ, start_response):
         
@@ -85 +86 @@
               defSection='DEFAULT', 
               layoutSection='layout',
-              wssSection='NDG_SECURITY.wssecurity'):
+              wssSection='WSSecurity'):
         '''Extract content of config file object into self'''
               
@@ -105 +106 @@
                         'No "sslCACertFilePathList" security setting'
 
+
+        # HTTP Proxy setting for web service connections...
+        
+        # Override an http_proxy env setting  
+        if self.cfg.has_option(defSection, 'httpProxyHost'):
+            self.httpProxyHost = self.cfg.get(defSection, 'httpProxyHost')
+        else:
+            self.httpProxyHost = None
+        
+        # Set this to True if the http_proxy environment variable should be
+        # ignored in this case
+        if self.cfg.has_option(defSection, 'ignoreHttpProxyEnv'):
+            self.ignoreHttpProxyEnv = self.cfg.getboolean(defSection, 
+                                                          'ignoreHttpProxyEnv')
+        else:
+            self.ignoreHttpProxyEnv = False
+            
+            
         # If no separate WS-Security config file is set then read these params
         # from the current config file
@@ -136 +155 @@
         self.wayfuri='%s/wayf' % self.server
 
+        # Flag to enable OpenID interface
+        try:
+            self.enableOpenID = self.cfg.getboolean(defSection, 'enableOpenID')
+        except ConfigParser.NoOptionError:
+            self.enableOpenID = False
+            
         self.localLink=self.cfg.get(layoutSection, 'localLink', None)
         self.localImage=self.cfg.get(layoutSection, 'localImage', None)
-        self.localAlt=self.cfg.get(layoutSection, 'localAlt', 'Visit Local Site')
-        self.ndgLink=self.cfg.get(layoutSection, 'ndgLink', 'http://ndg.nerc.ac.uk')
+        self.localAlt=self.cfg.get(layoutSection, 'localAlt', 
+                                   'Visit Local Site')
+        self.ndgLink=self.cfg.get(layoutSection, 'ndgLink', 
+                                  'http://ndg.nerc.ac.uk')
         self.ndgImage=self.cfg.get(layoutSection, 'ndgImage', None)
         self.ndgAlt=self.cfg.get(layoutSection, 'ndgAlt','Visit NDG')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -21 +21 @@
         present login'''
         log.debug("LoginController.index ...")   
+        
+        # Convenience alias
+        cfg = g.ndg.security.server.ssoservice.cfg
 
         # Check the return to URL
@@ -32 +35 @@
         try:    
             smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                    tracefile=g.ndg.security.server.ssoservice.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)
+                                    tracefile=cfg.tracefile,
+                                    httpProxyHost=cfg.httpProxyHost,
+                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
+                                    **cfg.wss)
                                 
         except Exception, e:
@@ -73 +78 @@
         Session Manager following user login"""
         log.debug("LoginController.getCredentials ...")   
+        
+        # Convenience alias
+        cfg = g.ndg.security.server.ssoservice.cfg
 
         # Check the return to URL
@@ -82 +90 @@
         
         try:    
-            smClnt = SessionMgrClient(\
-                    uri=g.ndg.security.server.ssoservice.cfg.smURI,
-                    tracefile=g.ndg.security.server.ssoservice.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)
+            smClnt = SessionMgrClient(uri=cfg.smURI,
+                                     tracefile=cfg.tracefile,
+                                     httpProxyHost=cfg.httpProxyHost,
+                                     ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
+                                     **cfg.wss)
                                 
             username = request.params['username']
@@ -99 +108 @@
         # Connect to Session Manager
         log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \
-                  (g.ndg.security.server.ssoservice.cfg.smURI, username))
+                  (cfg.smURI, username))
         try:
             sessID = smClnt.connect(username, passphrase=passphrase)[-1]
@@ -115 +124 @@
             # Make request for attribute certificate
             attCert = smClnt.getAttCert(sessID=sessID, 
-                    attAuthorityURI=g.ndg.security.server.ssoservice.cfg.aaURI)
+                                        attAuthorityURI=cfg.aaURI)
         except SessionExpired, e:
             log.info("Session expired getting Attribute Certificate: %s" % e)
@@ -139 +148 @@
         
         # Make security session details
-        setSecuritySession(h=g.ndg.security.server.ssoservice.cfg.smURI,
+        setSecuritySession(h=cfg.smURI,
                            u=username,
                            org=attCert.issuerName,
@@ -157 +166 @@
         this is not necessary."""
         log.debug("LoginController._redirect...")
+        
+        # Convenience alias
+        cfg = g.ndg.security.server.ssoservice.cfg
         
         # This is set in index and getCredentials
@@ -188 +200 @@
             
             # Look-up list of Cert DNs for trusted requestors
-            aaClnt = AttAuthorityClient(\
-                    uri=g.ndg.security.server.ssoservice.cfg.aaURI,
-                    tracefile=g.ndg.security.server.ssoservice.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)
+            aaClnt = AttAuthorityClient(uri=cfg.aaURI,
+                                    tracefile=cfg.tracefile,
+                                    httpProxyHost=cfg.httpProxyHost,
+                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
+                                    **cfg.wss)
             
             HostInfo = aaClnt.getAllHostsInfo()
@@ -198 +211 @@
             log.debug(\
             "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \
-                (g.ndg.security.server.ssoservice.cfg.aaURI, requestServerDN))
+                (cfg.aaURI, requestServerDN))
             
             hostCheck = HostCheck(acceptedDNs=requestServerDN,
-                                  caCertFilePathList=\
-                    g.ndg.security.server.ssoservice.cfg.sslCACertFilePathList)
+                                  caCertFilePathList=cfg.sslCACertFilePathList)
             
             testConnection = HTTPSConnection(returnToURLHostname, 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py

@@ -29 +29 @@
         # preserve confidentiality of credentials
         if g.ndg.security.server.ssoservice.cfg.server in c.returnTo:
-            c.returnTo = c.returnTo.replace(g.ndg.security.server.ssoservice.cfg.server, 
-                                            g.ndg.security.server.ssoservice.cfg.sslServer)
+            c.returnTo = c.returnTo.replace(\
+                                g.ndg.security.server.ssoservice.cfg.server, 
+                                g.ndg.security.server.ssoservice.cfg.sslServer)
             c.b64encReturnTo = urlsafe_b64encode(c.returnTo)        
             log.debug(\
@@ -39 +40 @@
     def index(self):
         ''' NDG equivalent to Shibboleth WAYF '''
+        
+        # Convenience alias
+        cfg = g.ndg.security.server.ssoservice.cfg
+        
         log.debug("WayfController.index ...")
+        log.debug("Initialising connection to Attribute Authority [%s]" % \
+                  cfg.aaURI)
+        
+        try:
+            aaClnt = AttAuthorityClient(uri=cfg.aaURI,
+                                    tracefile=cfg.tracefile,
+                                    httpProxyHost=cfg.httpProxyHost,
+                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
+                                    **cfg.wss)
+        except Exception, e:
+            c.xml='Error establishing security context.  Please report ' + \
+                  'the error to your site administrator'
+            log.error("Initialising AttAuthorityClient for " + \
+                      "getAllHostsInfo call: %s" % e)
+            return render('ndg.security.kid', 'ndg.security.error')
+            
+        # Get list of login uris for trusted sites including THIS one
+        log.debug("Calling Attribute Authority getAllHostsInfo for wayf ...")
 
-        aaClnt = AttAuthorityClient(\
-                    uri=g.ndg.security.server.ssoservice.cfg.aaURI,
-                    tracefile=g.ndg.security.server.ssoservice.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)
-
-        # Get list of login uris for trusted sites including THIS one
-        log.debug("Calling Attribute Authority getTrustedHostInfo and " + \
-                  "getHostInfo for wayf")
-
-        hosts = aaClnt.getAllHostsInfo()    
-        c.providers=dict([(k, v['loginURI']) for k, v in hosts.items()])
+        hosts = aaClnt.getAllHostsInfo() 
+        try:
+            hosts = aaClnt.getAllHostsInfo() 
+        except Exception, e:
+            c.xml='Error getting a list of trusted sites for login.  ' + \
+                'Please report the error to your site administrator.'
+            log.error("AttAuthorityClient getAllHostsInfo call: %s" % e)  
+            return render('ndg.security.kid', 'ndg.security.error')
+            
+        c.providers = dict([(k, v['loginURI']) for k, v in hosts.items()])
         
         session.save()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/base.py

@@ -13 +13 @@
 import ndg.security.server.sso.sso.lib.helpers as h
 import ndg.security.server.sso.sso.model as model
+from ndg.security.common.pylons.security_util import setSecuritySession, \
+    session
 
 import urllib
-from urlparse import urlsplit, urlunsplit
-from base64 import urlsafe_b64encode
-
-from ndg.security.common.pylons.security_util import setSecuritySession, \
-    SSOServiceQuery
-
 import logging
 log = logging.getLogger(__name__)
@@ -32 +28 @@
         # is under environ['pylons.routes_dict'] should you want to check
         # the action or route vars here
-        log.debug("BaseController.__call__ ...")
+        #log.debug("BaseController.__call__ ...")
 
         # construct URL picking up setting of server name from config to 
@@ -48 +44 @@
                 c.requestURL += '?' + query
 
-        log.debug("BaseController.__call__: c.requestURL = %s" % c.requestURL)
-
+        #log.debug("BaseController.__call__: c.requestURL = %s" % c.requestURL)
+        self._openidHandler(environ)
         
         return WSGIController.__call__(self, environ, start_response)
     
+    def _openidHandler(self, environ):
+        if 'REMOTE_USER' not in environ:
+            return
+        
+        if 'ndgSec' in session and \
+           environ['REMOTE_USER'] == session['ndgSec']['u']:
+            return
+        
+        setSecuritySession(h=None,
+                           u=environ['REMOTE_USER'],
+                           org=environ['REMOTE_USER'],
+                           roles=[],
+                           sid=None)
+        session.save()
+      
 # Include the '_' function in the public names
 __all__ = [__name for __name in locals().keys() if not __name.startswith('_') \

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid

@@ -1 +1 @@
 <html py:extends="'ndgPage.kid'" xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#">
-    <head>
-    <replace py:replace="pagehead()"/>
-    </head>
-    <body>
-        <div py:replace="header()"/>
-        <div class="wayfContent" style="text-indent:5px">        
+    <div py:def="trustedSitesList()" class="trustedSitesList" style="text-indent:5px">        
         <h4> Where are you from? </h4>
-        <p> You can login in at:
-        <?python
-        # Sort alphabetically
-        providerNames = c.providers.keys()
-        providerNames.sort()
-        ?>
-        <ul py:for="h in providerNames">
-            <li> <a href="${c.providers[h]}?r=${c.b64encReturnTo}">${h}</a></li>
-        </ul></p>
+        <p> You can login in at a trusted partner site:
+                <?python
+                # Sort alphabetically
+                providerNames = c.providers.keys()
+                providerNames.sort()
+                ?>
+                <ul py:for="h in providerNames">
+                    <li> <a href="${c.providers[h]}?r=${c.b64encReturnTo}">${h}</a></li>
+                </ul>
+            </p>
+        <!--
         <p>Before clicking on these links, please check that the links redirect to a site
         you trust with your security credentials.</p>
         <p> How can I tell?  For any of the above, following login you will be 
         redirected back to the URL: <a href="${c.returnTo}">${c.returnTo}</a></p>
-                </div>
+        -->
+        </div>
+        
+    <div py:def="openIDSignin()" class="openIDSignin" style="text-indent:5px">
+                <p>Alternatively, sign in with OpenID:</p>
+                <form action="$g.ndg.security.server.ssoservice.cfg.server/verify" method="post">
+                  <table cellspacing="0" border="0" cellpadding="5">
+                    <tr>
+                        <td>OpenID:</td> 
+                        <td><input type="text" name="openid" value="" class='openid-identifier'/></td>
+                        <td align="right">
+                        <input type="submit" name="authform" value="Go"/></td>
+                    </tr>
+                  </table>
+                </form>
+        </div>
+
+    <head>
+                <style>
+                        input.openid-identifier {
+                           background: url($g.ndg.security.server.ssoservice.cfg.server/layout/openid-inputicon.gif) no-repeat;
+                           background-color: #fff;
+                           background-position: 0 50%;
+                           padding-left: 18px;
+                        }
+                </style>
+        <replace py:replace="pagehead()"/>
+    </head>
+    <body>
+        <div py:replace="header()"/>
+        <replace py:replace="trustedSitesList()"/>
+        <replace py:replace="openIDSignin()"/>
         <div py:replace="footer(showLoginStatus=False)"/>
     </body>