Changeset 3918 for TI12-security/trunk

Timestamp:

22/05/08 15:07:02 (12 years ago)

Author:

pjkersha

Message:

Initial Integration of Single Sign On Service with OpenID and Pylons AuthKit?:

• WAYF now contains an OpenID textbox for sign in
• No role integration carried out yet - OpenID has no better privileges than an anonymous user(!)
• Integrated into Authkit - requires lots of config settings in pylons ini file
• HTTP 401 error get redirected automatically to WAYF
• Need to create an AuthKit? egg from SVN 151 checkout - will put on NDG dist

Location:

TI12-security/trunk/python

Files:

• ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.py (modified) (1 diff)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.py (modified) (2 diffs)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.py (modified) (5 diffs)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.pyc (modified) (previous)
• ndg.security.client/ndg/security/client/ssoclient/ssoclient/templates/ndg/security/ndgPage.kid (modified) (7 diffs)
• ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (5 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/__init__.py (modified) (5 diffs)
• ndg.security.common/ndg/security/common/pylons/security_util.py (modified) (6 diffs)
• ndg.security.server/ndg/security/server/sso/development.ini (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/config/middleware.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py (modified) (3 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (16 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/base.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/error.kid (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/login.kid (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/ndgPage.kid (modified) (6 diffs)
• ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid (modified) (2 diffs)

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/config/ssoClientMiddleware.py

@@ -12 +12 @@
     '''
     class security:
-        class client:
-            class ssoclient:
+        class common:
+            class sso:
                 cfg = None
 

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/controllers/logout.py

@@ -9 +9 @@
 import sys # include in case tracefile is set to sys.stderr 
 import base64 # decode the return to address
-from urlparse import urlsplit, urlunsplit
 
 from ndg.security.common.SessionMgr import SessionMgrClient
@@ -32 +31 @@
         try:
             smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                    tracefile=g.ndg.security.client.ssoclient.cfg.tracefile,
-                    **g.ndg.security.client.ssoclient.cfg.wss)       
+                    tracefile=g.ndg.security.common.sso.cfg.tracefile,
+                    **g.ndg.security.common.sso.cfg.wss)       
         except Exception, e:
             log.error("logout - creating Session Manager client: %s" % e)

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/lib/base.py

@@ -51 +51 @@
             
             log.debug('Switching from https to http...')
-            returnToURL = g.ndg.security.client.ssoclient.cfg.server + \
+            returnToURL = g.ndg.security.common.sso.cfg.server + \
                 self.pathInfo
 
@@ -67 +67 @@
             log.debug("Removing security details following logout ...")
 
-            returnToURL = g.ndg.security.client.ssoclient.cfg.server + \
+            returnToURL = g.ndg.security.common.sso.cfg.server + \
                 self.pathInfo
                 
@@ -80 +80 @@
             # Redirect to cleaned up URL
             h.redirect_to(returnToURL)
+
+        self._OpenIDHandler()
                          
                          
@@ -97 +99 @@
         # construct URL picking up setting of server name from config to 
         # avoid exposing absolute URL hidden behind mod_proxy see #857 
-        c.requestURL = g.ndg.security.client.ssoclient.cfg.server + \
+        c.requestURL = g.ndg.security.common.sso.cfg.server + \
             self.pathInfo
         qs = '&'.join(["%s=%s" % item for item in request.params.items()])
@@ -106 +108 @@
         
         return WSGIController.__call__(self, environ, start_response)
-    
+
+        
+    def _OpenIDHandler(self):
+        '''OpenID handling - check for user set and if so that an existing
+        session doesn't already exist'''
+
+        if 'REMOTE_USER' in request.environ and \
+           SecuritySession()['u'] != request.environ['REMOTE_USER']:
+        
+            username = request.environ['REMOTE_USER']
+                            
+            # No session exists - set one.
+            # TODO: OpenID integration with Session Manager WS?
+            # TODO: OpenID user attribute allocation
+            setSecuritySession(h=None,
+                               u=username,
+                               org=username,
+                               roles=['OpenIDUser'],
+                               sid=None)
+            SecuritySession.save()
+   
 # Include the '_' function in the public names
 __all__ = [__name for __name in locals().keys() if not __name.startswith('_') \

TI12-security/trunk/python/ndg.security.client/ndg/security/client/ssoclient/ssoclient/templates/ndg/security/ndgPage.kid

@@ -9 +9 @@
         function is needed to avoid escaping the < character -->
         ${XML(h.javascript_include_tag(builtins=True))}
-        <script type="text/javascript" src="$g.ndg.security.client.ssoclient.cfg.server/js/toggleDiv.js"/>
+        <script type="text/javascript" src="$g.ndg.security.common.sso.cfg.server/js/toggleDiv.js"/>
 
-        <link media="all, screen" href="$g.ndg.security.client.ssoclient.cfg.server/layout/ndg2.css" type="text/css" rel="stylesheet"/>
-        <link rel="icon" type="image/ico" href="$g.ndg.security.client.ssoclient.cfg.server/layout/favicon.jpg" />
+        <link media="all, screen" href="$g.ndg.security.common.sso.cfg.server/layout/ndg2.css" type="text/css" rel="stylesheet"/>
+        <link rel="icon" type="image/ico" href="$g.ndg.security.common.sso.cfg.server/layout/favicon.jpg" />
 
     </head>
@@ -18 +18 @@
     <div py:def="header()">
         <div id="header"/>
-        <div id="logo"><img src="$g.ndg.security.client.ssoclient.cfg.LeftLogo" alt="$g.ndg.security.client.ssoclient.cfg.LeftAlt" /></div>
+        <div id="logo"><img src="$g.ndg.security.common.sso.cfg.LeftLogo" alt="$g.ndg.security.common.sso.cfg.LeftAlt" /></div>
     </div>
     
@@ -49 +49 @@
                 <td align="left" width="60%">
                     <table><tbody>
-                    <tr><td><span py:replace="linkimage(g.ndg.security.client.ssoclient.cfg.ndgLink,g.ndg.security.client.ssoclient.cfg.ndgImage,'NDG')"/></td>
+                    <tr><td><span py:replace="linkimage(g.ndg.security.common.sso.cfg.ndgLink,g.ndg.security.common.sso.cfg.ndgImage,'NDG')"/></td>
                     <td> This portal is a product of the <a href="http://ndg.nerc.ac.uk"> NERC DataGrid</a>
-                    ${g.ndg.security.client.ssoclient.cfg.disclaimer} </td>
+                    ${g.ndg.security.common.sso.cfg.disclaimer} </td>
                     </tr>
                     </tbody></table>
@@ -67 +67 @@
                     </div>
                 </td>
-                <td align="right"><span py:replace="linkimage(g.ndg.security.client.ssoclient.cfg.stfcLink,g.ndg.security.client.ssoclient.cfg.stfcImage,'Hosted by the STFC CEDA')"/></td>
+                <td align="right"><span py:replace="linkimage(g.ndg.security.common.sso.cfg.stfcLink,g.ndg.security.common.sso.cfg.stfcImage,'Hosted by the STFC CEDA')"/></td>
             </tr>
         </tbody></table></center>
@@ -83 +83 @@
         <span>
             <a href="javascript:;" title="Toggle help" onclick="toggleDiv(1,'$value','shown','hidden','div'); return false;">
-            <img src="$g.ndg.security.client.ssoclient.cfg.helpIcon" alt="Toggle help" class="helpicon"/></a>      
+            <img src="$g.ndg.security.common.sso.cfg.helpIcon" alt="Toggle help" class="helpicon"/></a>      
         </span>
     </span>
@@ -94 +94 @@
             # Base 64 encode to enable passing around in 'r' argument of query
             # string for use with login/logout
-            c.returnTo = c.requestURL
-            c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
+            g.ndg.security.common.sso.returnToURL = c.requestURL
+            g.ndg.security.common.sso.b64encReturnToURL = urlsafe_b64encode(c.requestURL)
             ?>
-        <form action="$g.ndg.security.client.ssoclient.cfg.logoutURI">
-            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
+        <form action="$g.ndg.security.common.sso.cfg.logoutURI">
+            <input type="hidden" name="r" value="${g.ndg.security.common.sso.b64encReturnToURL}"/>
             <input type="submit" value="Logout"/>
         </form>
@@ -109 +109 @@
             # Base 64 encode to enable passing around in 'r' argument of query
             # string for use with login/logout
-            c.returnTo = c.requestURL
-            c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
+            g.ndg.security.common.sso.returnToURL = c.requestURL
+            g.ndg.security.common.sso.b64encReturnToURL = urlsafe_b64encode(c.requestURL)
             ?>
-        <form action="$g.ndg.security.client.ssoclient.cfg.wayfuri">
-            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
+        <form action="$g.ndg.security.common.sso.cfg.wayfuri">
+            <input type="hidden" name="r" value="${g.ndg.security.common.sso.b64encReturnToURL}"/>
             <input type="submit" value="Login"/>
         </form>

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -115 +115 @@
         self.__uri = None
         self._transdict = {}        
-        self._transport = HTTPProxyConnection
+        self._transport = ProxyHTTPConnection
         
         if uri:
@@ -152 +152 @@
         @param uri: URI for service to connect to"""
         if not isinstance(uri, basestring):
-            raise AttAuthorityClientError, \
-                        "Attribute Authority WSDL URI must be a valid string"
+            raise AttAuthorityClientError(
+                        "Attribute Authority URI must be a valid string")
         
         self.__uri = uri
@@ -159 +159 @@
             scheme = urlparse.urlparse(self.__uri)[0]
         except TypeError:
-            raise AttributeAuthorityClientError, \
-                "Error parsing transport type from URI"
+            raise AttributeAuthorityClientError(
+                "Error parsing transport type from URI: %s" % self.__uri)
                 
         if scheme == "https":
@@ -183 +183 @@
         setting"""
         if self._transport != ProxyHTTPConnection:
-            raise AttAuthorityClientError(\
-                "Setting HTTP Proxy Host but transport class is not " + \
-                "ProxyHTTPConnection type")
+            log.info("Ignoring httpProxyHost setting: transport class is " +\
+                     " not ProxyHTTPConnection type")
+            return
         
         self._transdict['httpProxyHost'] = val
@@ -197 +197 @@
         """Set to True to ignore any http_proxy environment variable setting"""
         if self._transport != ProxyHTTPConnection:
-            raise AttAuthorityClientError(\
-                "Setting ignore HTTP Proxy Host flag but transport class " + \
-                "is not ProxyHTTPConnection type")
+            log.info("Ignore ignoreHttpProxyEnv setting: transport " + \
+                     "class is not ProxyHTTPConnection type")
+            return
         
         self._transdict['ignoreHttpProxyEnv'] = val

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -202 +202 @@
         if not isinstance(uri, basestring):
             raise SessionMgrClientError(
-                             "Session Manager WSDL URI must be a valid string")
+                             "Session Manager URI must be a valid string")
         
         self.__uri = uri
@@ -209 +209 @@
         except TypeError:
             raise AttributeAuthorityClientError(
-                                    "Error parsing transport type from URI")
+                    "Error parsing transport type from URI: %s" % self.__uri)
                 
         if scheme == "https":
@@ -234 +234 @@
         setting"""
         if self._transport != ProxyHTTPConnection:
-            raise SessionMgrClientError(\
-                "Setting HTTP Proxy Host - transport class is %s type, " % \
-                self._transport + \
-                "expecting ProxyHTTPConnection type")
-        
-        self._transdict['httpProxyHost']= val
+            log.info("Ignoring httpProxyHost setting: transport class is " +\
+                     " not ProxyHTTPConnection type")
+            return
+        
+        self._transdict['httpProxyHost'] = val
 
     httpProxyHost = property(fset=__setHTTPProxyHost, 
@@ -249 +248 @@
         """Set to True to ignore any http_proxy environment variable setting"""
         if self._transport != ProxyHTTPConnection:
-            raise SessionMgrClientError(\
-                "Setting ignore HTTP Proxy Host flag but transport class " + \
-                "is not ProxyHTTPConnection type")
+            log.info("Ignore ignoreHttpProxyEnv setting: transport " + \
+                     "class is not ProxyHTTPConnection type")
+            return
         
         self._transdict['ignoreHttpProxyEnv']= val
@@ -438 +437 @@
         
         if sessID and userDN:
-            raise SessionMgrClientError, \
-                            'Only "SessID" or "userDN" keywords may be set'
-
+            raise SessionMgrClientError(
+                            'Only "SessID" or "userDN" keywords may be set')
+            
+        if not sessID and not userDN:
+            raise SessionMgrClientError(
+                            'A "SessID" or "userDN" keyword must be set')          
+            
         # Make connection
         return self.__srv.getSessionStatus(userDN, sessID)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/pylons/security_util.py

@@ -17 +17 @@
 
 
-class SecuritySession(object):
+class SecuritySession(dict):
     """Utility for Pylons security session keys enables correct
     keys to be set
@@ -32 +32 @@
     subKeys = ('h', 'sid', 'u', 'org', 'roles')
 
-    def __init__(self, **subKeys):
+    def __init__(self):
+        '''Initialize security dict key in session object'''
+        if SecuritySession.key not in session:
+            session[SecuritySession.key] = {}.fromkeys(SecuritySession.subKeys)
+            
+        session[SecuritySession.key]['roles'] = []
+           
+    def set(self, **subKeys):
         """Update the security key of session object with the
         input sub keys
@@ -43 +50 @@
         # were input
         if subKeys == {}:
-            subKeys = LoginServiceQuery.decodeRequestParams()
+            subKeys = SSOServiceQuery.decodeRequestParams()
             
         # Ensure security key is present
@@ -52 +59 @@
         for k in subKeys:
             if k not in SecuritySession.subKeys:
-                raise KeyError, 'Invalid key Security session dict: "%s"' % k
+                raise KeyError('Invalid key Security session dict: "%s"' % k)
         
         # Update security values
@@ -59 +66 @@
         log.debug("Set security session: %s" % session[SecuritySession.key])
 
+    def __delitem__(self, key):
+        "Keys cannot be removed"        
+        raise KeyError('Keys cannot be deleted from security session')
+
+    def __getitem__(self, key):
+        '''data dictionary overload'''
+        if key not in session[SecuritySession.key]:
+            raise KeyError("Invalid key '%s'" % key)
+        
+        return session[SecuritySession.key][key]
+        
+    def __setitem__(self, key, item):
+        '''data dictionary overload'''
+        if key not in SecuritySession.subKeys:
+            raise KeyError("Invalid security key %s" % key)
+        
+        session[SecuritySession.key][key] = item
+           
+    def get(self, kw):
+        '''data dictionary overload'''
+        return session[SecuritySession.key][kw]
+
+    def clear(self):
+        '''data dictionary overload'''
+        raise KeyError("Data cannot be cleared from security session")
+   
+    def keys(self):
+        '''data dictionary overload'''
+        return session[SecuritySession.key].keys()
+
+    def items(self):
+        '''data dictionary overload'''
+        return session[SecuritySession.key].items()
+
+    def values(self):
+        return session[SecuritySession.key].values()
+
+    def has_key(self, key):
+        return session[SecuritySession.key].has_key(key)
+
+    # 'in' operator
+    def __contains__(self, key):
+        return key in session[SecuritySession.key]
+
+    
+    @classmethod
+    def save(self):
+        session.save()
+        
     @classmethod
     def delete(self):
@@ -66 +122 @@
             session.save()
         log.debug("Deleted security key to session object: %s" % session)
-            
-setSecuritySession = SecuritySession
-           
+
+            
+def setSecuritySession(**kw):
+    '''Convenience wrapper to SecuritySession and it's set method'''
+    SecuritySession().set(**kw)
+   
            
 class LoginServiceQueryError(Exception):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/development.ini

@@ -32 +32 @@
 authkit.cookie.secret=secret encryption string
 authkit.cookie.signoutpath = /openidsignout
-authkit.openid.path.signedin=/login
+authkit.openid.path.signedin=/
 authkit.openid.store.type=file
 authkit.openid.store.config=%(here)s/data/openid
@@ -62 +62 @@
 # Logging configuration
 [loggers]
-keys = root, sso, ndg
+keys = root, sso, ndg, authkit
 
 [handlers]

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/middleware.py

@@ -41 +41 @@
 
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
-    app = SSOMiddleware(app, app_conf['configfile'], app.globals)
-    
-    # OpenID Middleware
-    if app.globals.ndg.security.server.ssoservice.cfg.enableOpenID:
-        import authkit.authenticate
-        from beaker.middleware import SessionMiddleware
-        
-        app = authkit.authenticate.middleware(app, app_conf)
-        app = SessionMiddleware(app)#,key='authkit.open_id',secret='some secret')
-        log.info('OpenID is enabled')
+    app = SSOMiddleware(app, app.globals, app_conf)
 
     if asbool(full_stack):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

@@ -4 +4 @@
 P J Kershaw 18/03/08
 '''
+import authkit.authenticate
+from beaker.middleware import SessionMiddleware
+        
 from os.path import expandvars as xpdvars
 import logging
@@ -14 +17 @@
     class security:
         class server:
-            class ssoservice:
+            class sso:
                 cfg = None
-        class client:
+                class state:
+                    '''State information specific to server side'''
+                    trustedIdPs = {}
+                
+        class common:
             '''Client class is also needed for BaseController handler to handle
             responses from Single Sign On IdP'''
-            class ssoclient:
+            class sso:
                 class cfg:
                     '''Placeholder for server and sslServer attributes'''
-
-class SSOMiddleware:
-            
-    def __init__(self, app, cfg, appGlobals, **kw):
+                class state:
+                    '''State information - return to URL should be set each 
+                    time a new page is loaded.  In ows_server this is handled
+                    by setting it in ndgPage.kid a template that is extended by
+                    all Browse pages.'''
+                    returnToURL = None
+                    b64encReturnToURL = None
+                
+class SSOMiddleware(object):
+            
+    def __init__(self, app, g, app_conf, **kw):
         log.debug("SSOMiddleware.__init__ ...")
-        self.app = app
-        ndg.security.server.ssoservice.cfg = SSOServiceConfig(cfg, **kw)
+        ndg.security.server.sso.cfg = SSOServiceConfig(app_conf['configfile'], **kw)
         
         # Copy into client for the benefit of
         # ndg.security.client.ssoclient.ssoclient.lib.base.BaseController
         # used to process responses back from SSO IdP
-        ndg.security.client.ssoclient.cfg.server = \
-            ndg.security.server.ssoservice.cfg.server
-        ndg.security.client.ssoclient.cfg.sslServer = \
-            ndg.security.server.ssoservice.cfg.sslServer
-            
-        appGlobals.ndg = ndg
-        self.globals = appGlobals
-        
+        ndg.security.common.sso.cfg.server = ndg.security.server.sso.cfg.server
+        ndg.security.common.sso.cfg.sslServer = \
+                                        ndg.security.server.sso.cfg.sslServer
+            
+        g.ndg = ndg
+        self.globals = g
+    
+        # OpenID Middleware
+        app = authkit.authenticate.middleware(app, app_conf)
+        app = SessionMiddleware(app)
+
+        self.app = app
+                
     def __call__(self, environ, start_response):
-        
         return self.app(environ, start_response)
 
@@ -156 +173 @@
 
         # Flag to enable OpenID interface
-        try:
+        if self.cfg.has_option(defSection, 'enableOpenID'):
             self.enableOpenID = self.cfg.getboolean(defSection, 'enableOpenID')
-        except ConfigParser.NoOptionError:
+        else:
             self.enableOpenID = False
             

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -1 @@
-import logging
+# _redirect requires this to parse the server name
+from urlparse import urlsplit
+
 
 from ndg.security.server.sso.sso.lib.base import *
@@ -11 +13 @@
 
 from base64 import urlsafe_b64decode, urlsafe_b64decode
+import logging
 
 log = logging.getLogger(__name__)
 
-class LoginController(BaseController):        
+class LoginController(BaseController):  
+    '''Handle NDG Login and redirect backing to requesting URL if set'''
+          
+    def __before__(self):
+        '''Set-up alias to SSO settings global'''
+        self.cfg = g.ndg.security.server.sso.cfg
+        self.state = g.ndg.security.common.sso.state
         
     def index(self):
@@ -21 +30 @@
         present login'''
         log.debug("LoginController.index ...")   
-        
-        # Convenience alias
-        cfg = g.ndg.security.server.ssoservice.cfg
-
-        # Check the return to URL
-        c.b64encReturnTo = str(request.params.get('r', ''))
+
+        # Check the return to URL from the 'r' argument in the request
+        self.state.b64encReturnToURL = str(request.params.get('r', ''))
         
         if 'ndgSec' not in session: 
@@ -35 +41 @@
         try:    
             smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                                    tracefile=cfg.tracefile,
-                                    httpProxyHost=cfg.httpProxyHost,
-                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
-                                    **cfg.wss)
+                            tracefile=self.cfg.tracefile,
+                            httpProxyHost=self.cfg.httpProxyHost,
+                            ignoreHttpProxyEnv=self.cfg.ignoreHttpProxyEnv,
+                            **self.cfg.wss)
                                 
         except Exception, e:
@@ -53 +59 @@
                   session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\
                   (session['ndgSec']['u'], session['ndgSec']['sid']))
+
         try:
             bSessOK = smClnt.getSessionStatus(sessID=session['ndgSec']['sid'])
         except Exception, e:
             c.xml = "Error checking your session details.  Please re-login"
-            log.error("Session Manager getSessionStatus returned: %s" % e)
+            log.error("Session Manager getSessionStatus: %s" % e)
             SecuritySession.delete()
             response.status_code = 400
@@ -75 +82 @@
 
     def getCredentials(self):
-        """Authenticate user and cache user credentials in
-        Session Manager following user login"""
+        """Authenticate user and cache user credentials in Session Manager 
+        following user login"""
         log.debug("LoginController.getCredentials ...")   
-        
-        # Convenience alias
-        cfg = g.ndg.security.server.ssoservice.cfg
-
-        # Check the return to URL
-        c.b64encReturnTo = str(request.params.get('r', ''))
 
         if 'username' not in request.params:
@@ -90 +91 @@
         
         try:    
-            smClnt = SessionMgrClient(uri=cfg.smURI,
-                                     tracefile=cfg.tracefile,
-                                     httpProxyHost=cfg.httpProxyHost,
-                                     ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
-                                     **cfg.wss)
+            smClnt = SessionMgrClient(uri=self.cfg.smURI,
+                         tracefile=self.cfg.tracefile,
+                         httpProxyHost=self.cfg.httpProxyHost,
+                         ignoreHttpProxyEnv=self.cfg.ignoreHttpProxyEnv,
+                         **self.cfg.wss)
                                 
             username = request.params['username']
@@ -108 +109 @@
         # Connect to Session Manager
         log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \
-                  (cfg.smURI, username))
+                  (self.cfg.smURI, username))
         try:
             sessID = smClnt.connect(username, passphrase=passphrase)[-1]
@@ -116 +117 @@
                     "please contact your site administrator."
             log.error("Session Manager connect returned: %s" % e)
-            response.status_code = 401
+            response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
         
@@ -124 +125 @@
             # Make request for attribute certificate
             attCert = smClnt.getAttCert(sessID=sessID, 
-                                        attAuthorityURI=cfg.aaURI)
+                                        attAuthorityURI=self.cfg.aaURI)
         except SessionExpired, e:
             log.info("Session expired getting Attribute Certificate: %s" % e)
             c.xml = "Session has expired, please re-login"
-            response.status_code = 401
+            response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
             
@@ -135 +136 @@
             c.xml = "No authorisation roles are available for your " + \
                     "account.  Please check with your site administrator."
-            response.status_code = 401
+            response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
             
@@ -148 +149 @@
         
         # Make security session details
-        setSecuritySession(h=cfg.smURI,
+        setSecuritySession(h=self.cfg.smURI,
                            u=username,
                            org=attCert.issuerName,
@@ -167 +168 @@
         log.debug("LoginController._redirect...")
         
-        # Convenience alias
-        cfg = g.ndg.security.server.ssoservice.cfg
-        
         # This is set in index and getCredentials
-        if c.b64encReturnTo:
+        if self.state.b64encReturnToURL:
         
             # Only add token if return URI is in a different domain
@@ -177 +175 @@
             
             # Decode return to address
-            returnToURL = urlsafe_b64decode(c.b64encReturnTo)
+            returnToURL = urlsafe_b64decode(self.state.b64encReturnToURL)
             log.debug('Login redirect to [%s]' % returnToURL)
 
@@ -200 +198 @@
             
             # Look-up list of Cert DNs for trusted requestors
-            aaClnt = AttAuthorityClient(uri=cfg.aaURI,
-                                    tracefile=cfg.tracefile,
-                                    httpProxyHost=cfg.httpProxyHost,
-                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
-                                    **cfg.wss)
+            aaClnt = AttAuthorityClient(uri=self.cfg.aaURI,
+                            tracefile=self.cfg.tracefile,
+                            httpProxyHost=self.cfg.httpProxyHost,
+                            ignoreHttpProxyEnv=self.cfg.ignoreHttpProxyEnv,
+                            **self.cfg.wss)
             
             HostInfo = aaClnt.getAllHostsInfo()
@@ -211 +209 @@
             log.debug(\
             "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \
-                (cfg.aaURI, requestServerDN))
+                (self.cfg.aaURI, requestServerDN))
             
             hostCheck = HostCheck(acceptedDNs=requestServerDN,
-                                  caCertFilePathList=cfg.sslCACertFilePathList)
+                        caCertFilePathList=self.cfg.sslCACertFilePathList)
             
             testConnection = HTTPSConnection(returnToURLHostname, 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py

@@ -21 +21 @@
         log.info("LogoutController.index ...")
         
+        # Convenience alias
+        cfg = g.ndg.security.server.sso.cfg
+        
 
         if 'ndgSec' not in session:
@@ -29 +32 @@
         try:
             smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                    tracefile=g.ndg.security.server.ssoservice.cfg.tracefile,
-                    **g.ndg.security.server.ssoservice.cfg.wss)       
+                                      tracefile=cfg.tracefile,
+                                      **cfg.wss)       
         except Exception, e:
             log.error("logout - creating Session Manager client: %s" % e)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py

@@ -3 +3 @@
 from ndg.security.server.sso.sso.lib.base import *
 from ndg.security.common.AttAuthority import AttAuthorityClient
-import base64
+from base64 import urlsafe_b64decode
 
 log = logging.getLogger(__name__)
@@ -11 +11 @@
     """Where Are You From Controller - display a list of trusted sites for 
     login"""
-    
-    def __before__(self, action): 
-        """For each action, get 'r' return to URL argument from current URL 
-        query string.  c.b64encReturnTo is used in some of the .kid files"""
-        c.b64encReturnTo = str(request.params.get('r', ''))
-        log.debug("WayfController.__before__: c.b64encReturnTo = %s" % \
-                                                              c.b64encReturnTo)
-        
-        # Decode the return URL so that it can be displayed to the user by 
-        # wayf.kid
-        # The URL has previously been encoded from the BaseController and set 
-        # in ndgPage.kid  
-        # Use str() - urlsafe_b64decode() doesn't like unicode
-        c.returnTo = base64.urlsafe_b64decode(str(c.b64encReturnTo))
-        
-        # Ensure login can return to an address over https to 
-        # preserve confidentiality of credentials
-        if g.ndg.security.server.ssoservice.cfg.server in c.returnTo:
-            c.returnTo = c.returnTo.replace(\
-                                g.ndg.security.server.ssoservice.cfg.server, 
-                                g.ndg.security.server.ssoservice.cfg.sslServer)
-            c.b64encReturnTo = urlsafe_b64encode(c.returnTo)        
-            log.debug(\
-    "WayfController.__before__: switched return to address to https = %s" % \
-                                                              c.returnTo) 
-
 
     def index(self):
         ''' NDG equivalent to Shibboleth WAYF '''
         
-        # Convenience alias
-        cfg = g.ndg.security.server.ssoservice.cfg
+        # Check for return to arg in query.  This is necessary only if the 
+        # WAYF query originates from a different service to this one
+        if 'r' in request.params:
+            # Convenience alias
+            state = g.ndg.security.common.sso.state
         
-        log.debug("WayfController.index ...")
-        log.debug("Initialising connection to Attribute Authority [%s]" % \
-                  cfg.aaURI)
-        
-        try:
-            aaClnt = AttAuthorityClient(uri=cfg.aaURI,
-                                    tracefile=cfg.tracefile,
-                                    httpProxyHost=cfg.httpProxyHost,
-                                    ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
-                                    **cfg.wss)
-        except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Initialising AttAuthorityClient for " + \
-                      "getAllHostsInfo call: %s" % e)
-            return render('ndg.security.kid', 'ndg.security.error')
-            
-        # Get list of login uris for trusted sites including THIS one
-        log.debug("Calling Attribute Authority getAllHostsInfo for wayf ...")
+            state.b64encReturnToURL = str(request.params['r'])
+            state.returnToURL = urlsafe_b64decode(str(state.b64encReturnToURL)) 
+            log.debug("Set return to URL from 'r' query arg: r = %s"% \
+                                                        state.returnToURL)
 
-        hosts = aaClnt.getAllHostsInfo() 
-        try:
-            hosts = aaClnt.getAllHostsInfo() 
-        except Exception, e:
-            c.xml='Error getting a list of trusted sites for login.  ' + \
-                'Please report the error to your site administrator.'
-            log.error("AttAuthorityClient getAllHostsInfo call: %s" % e)  
-            return render('ndg.security.kid', 'ndg.security.error')
-            
-        c.providers = dict([(k, v['loginURI']) for k, v in hosts.items()])
-        
-        session.save()
-        
-        # Use an alias 'ndg.security.kid' to integration with another pylons
-        # code stack.  The alias tells render to pick up the template from a
-        # separate SSO templates directory to whatever is the default
-        return render('ndg.security.kid', 'ndg.security.wayf')
+        # Trigger AuthKit handler:
+        abort(401)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/base.py

@@ -37 +37 @@
         if 'getCredentials' in pathInfo:
             log.debug("Reverting request URL from getCredentials to login...")
-            c.requestURL = g.ndg.security.server.ssoservice.cfg.server+'/login'       
+            c.requestURL = g.ndg.security.server.sso.cfg.server+'/login'       
         else:
-            c.requestURL = g.ndg.security.server.ssoservice.cfg.server+pathInfo
+            c.requestURL = g.ndg.security.server.sso.cfg.server+pathInfo
             query='&'.join(["%s=%s" % item for item in request.params.items()])
             if query:
                 c.requestURL += '?' + query
 
-        #log.debug("BaseController.__call__: c.requestURL = %s" % c.requestURL)
         self._openidHandler(environ)
         
@@ -60 +59 @@
                            u=environ['REMOTE_USER'],
                            org=environ['REMOTE_USER'],
-                           roles=[],
+                           roles=['OpenIDUser'],
                            sid=None)
         session.save()

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py

@@ -1 +1 @@
 import pylons
 from pylons.templating import Buffet
-from pylons import config
-import sso.lib.helpers as h
-from sso.lib.app_globals import Globals
+from pylons import config, request, session
+import ndg.security.server.sso.sso.lib.helpers as h
+from ndg.security.server.sso.sso.lib.app_globals import Globals
 
 import logging
@@ -33 +33 @@
     pass
 
+
+# State variable for WAYF kid file set-up
 c = State()
 c.openid = 'None'
-c.title = "OpenID Login"
+c.title = "Where are You From?"
 c.xml = ''
+c.doc = 'logged in'
 c.providers = {}
 
-log.debug("config=%s" % config)
+import base64
+
 def make_template():
-    '''Make kid template for OpenID login - this piggy backs the NDG WAYF'''
-    return buffet.render(
-        template_name="ndg.security.wayf",
-        namespace=dict(h=h, g=config['pylons.g'], c=c)
-    ).replace("%", "%%").replace("SERVER", "%s")
+    '''Make kid template for OpenID login - the NDG WAYF piggy backs this.
+    
+    It's triggered by a HTTP 401 authorisation error and called explicitly
+    via the WAYF controller'''
+    
+    g = config['pylons.g']
+    
+    # Check for return from OpenID login
+    if 'REMOTE_USER' in request.environ:
+        if not g.ndg.security.common.sso.state.returnToURL:
+            log.error("No returnToURL set for redirect following OpenID " + \
+                      "login")
+        else:
+            log.info("Redirecting to [%s] following OpenID login ..." % \
+                     g.ndg.security.common.sso.state.returnToURL)
+            h.redirect_to(g.ndg.security.common.sso.state.returnToURL)
 
+    
+    state = g.ndg.security.common.sso.state
+    cfg =  g.ndg.security.common.sso.cfg
+    
+    # Set encoded return to address - ensure login can return to an address 
+    # over https to preserve confidentiality of credentials
+    if state.returnToURL and cfg.server in state.returnToURL:
+        state.returnToURL = state.returnToURL.replace(cfg.server, 
+                                                      cfg.sslServer)
+        log.debug("make_template: switched return to address to https = %s" % \
+                                                            state.returnToURL)
+
+    state.b64encReturnToURL = base64.urlsafe_b64encode(str(state.returnToURL))        
+    
+    # Retrieve IdP details 
+    _getTrustedIdPs(g)
+    
+    return buffet.render('ndg.security.kid', 
+                         template_name="ndg.security.wayf",
+                         namespace=dict(h=h, g=g, c=c))
+
+from ndg.security.common.AttAuthority import AttAuthorityClient
+
+def _getTrustedIdPs(g):
+    '''Retrieve list of trusted login sites for user to select - calls
+    Attribute Authority WS'''
+
+    # Get references to globals
+    state = g.ndg.security.common.sso.state
+    cfg =  g.ndg.security.server.sso.cfg
+                                
+    # Check for cached copy and return if set to avoid recalling
+    # Attribute Authority - This has the consequence that if the list
+    # of trusted hosts in the Map Configuration changes, the Attribute
+    # Authority and THIS service must be restarted.
+    if len(g.ndg.security.server.sso.state.trustedIdPs) > 0:
+        return buffet.render('ndg.security.kid', 
+                             template_name='ndg.security.wayf',
+                             namespace=dict(h=h, g=g, c=c))
+    
+    log.debug("Initialising connection to Attribute Authority [%s]" % \
+              cfg.aaURI)
+    
+    try:
+        aaClnt = AttAuthorityClient(uri=cfg.aaURI,
+                                tracefile=cfg.tracefile,
+                                httpProxyHost=cfg.httpProxyHost,
+                                ignoreHttpProxyEnv=cfg.ignoreHttpProxyEnv,
+                                **cfg.wss)
+    except Exception, e:
+        c.xml='Error establishing security context.  Please report ' + \
+              'the error to your site administrator'
+        log.error("Initialising AttAuthorityClient for " + \
+                  "getAllHostsInfo call: %s" % e)
+        return buffet.render('ndg.security.kid', 
+                             template_name='ndg.security.error',
+                             namespace=dict(h=h, g=config['pylons.g'], c=c))
+        
+    # Get list of login uris for trusted sites including THIS one
+    log.debug("Calling Attribute Authority getAllHostsInfo for wayf ...")
+
+    try:
+        hosts = aaClnt.getAllHostsInfo() 
+    except Exception, e:
+        c.xml='Error getting a list of trusted sites for login.  ' + \
+            'Please report the error to your site administrator.'
+        log.error("AttAuthorityClient getAllHostsInfo call: %s" % e)  
+        return render('ndg.security.kid', template_name='ndg.security.error')
+        
+    g.ndg.security.server.sso.state.trustedIdPs = \
+                        dict([(k, v['loginURI']) for k, v in hosts.items()])
+
+
+from ndg.security.common.pylons.security_util import setSecuritySession
+from urlparse import urlsplit
 
 def url2user(environ, url):
     '''Function picked up by authkit.openid.urltouser config setting.  It
-    sets a session from the users OpenID URL following login'''
-
-    username = url.replace('http://', '').replace('https://', '').strip('/').split('/')[-1]
+    sets a username from the users OpenID URL following login'''
+    log.info("OpenID sign in with [%s]" % url)
+    
+    # Remove protocol prefix and strip /'s
+    username = ''.join(urlsplit(url)[1:]).strip('/').replace('/', '-')
     return username

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/error.kid

@@ -6 +6 @@
     <div id="entirepage">
         <div py:replace="header()"/>
-        <?python
-        id="contents"
-        if "ndgSec" in session: id="contentsRight"
-        ?> 
         <div id="${id}">
             <div class="error" py:if="c.xml">

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/login.kid

@@ -2 +2 @@
     
     <div py:def="loginForm()" class="loginForm">
-        <form action="$g.ndg.security.server.ssoservice.cfg.getCredentials" method="POST">
-            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
+        <form action="$g.ndg.security.server.sso.cfg.getCredentials" method="POST">
+            <!--
+            <input type="hidden" name="r" value="${g.ndg.security.common.sso.b64encReturnToURL}"/>
+            -->
             <table cellspacing="0" border="0" cellpadding="5">
                 <tr>

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/ndgPage.kid

@@ -9 +9 @@
         function is needed to avoid escaping the < character -->
         ${XML(h.javascript_include_tag(builtins=True))}
-        <script type="text/javascript" src="$g.ndg.security.server.ssoservice.cfg.server/js/toggleDiv.js"/>
+        <script type="text/javascript" src="$g.ndg.security.server.sso.cfg.server/js/toggleDiv.js"/>
 
-        <link media="all, screen" href="$g.ndg.security.server.ssoservice.cfg.server/layout/ndg2.css" type="text/css" rel="stylesheet"/>
-        <link rel="icon" type="image/ico" href="$g.ndg.security.server.ssoservice.cfg.server/layout/favicon.jpg" />
+        <link media="all, screen" href="$g.ndg.security.server.sso.cfg.server/layout/ndg2.css" type="text/css" rel="stylesheet"/>
+        <link rel="icon" type="image/ico" href="$g.ndg.security.server.sso.cfg.server/layout/favicon.jpg" />
 
     </head>
@@ -18 +18 @@
     <div py:def="header()">
         <div id="header"/>
-        <div id="logo"><img src="$g.ndg.security.server.ssoservice.cfg.LeftLogo" alt="$g.ndg.security.server.ssoservice.cfg.LeftAlt" /></div>
+        <div id="logo"><img src="$g.ndg.security.server.sso.cfg.LeftLogo" alt="$g.ndg.security.server.sso.cfg.LeftAlt" /></div>
     </div>
     
@@ -44 +44 @@
 
     <!-- Page Footer follows -->
-    <div py:def="footer(showLoginStatus=True)" id="Footer">
+    <div py:def="footer(showLoginStatus=False)" id="Footer">
         <center><table><tbody>
             <tr>
                 <td align="left" width="60%">
                     <table><tbody>
-                    <tr><td><span py:replace="linkimage(g.ndg.security.server.ssoservice.cfg.ndgLink,g.ndg.security.server.ssoservice.cfg.ndgImage,'NDG')"/></td>
+                    <tr><td><span py:replace="linkimage(g.ndg.security.server.sso.cfg.ndgLink,g.ndg.security.server.sso.cfg.ndgImage,'NDG')"/></td>
                     <td> This portal is a product of the <a href="http://ndg.nerc.ac.uk"> NERC DataGrid</a>
-                    ${g.ndg.security.server.ssoservice.cfg.disclaimer} </td>
+                    ${g.ndg.security.server.sso.cfg.disclaimer} </td>
                     </tr>
                     </tbody></table>
                 </td>
                 <td width="40%" align="center">
-                    <div id="loginStatus" py:if="showLoginStatus==True">
-                        <!--! now we choose one of the next two (logged in or not) -->
-                        <div py:if="'ndgSec' in session"><table><tbody><tr><td> 
-                        User [${session['ndgSec']['u']}] logged in at 
-                        ${session['ndgSec']['org']} with roles 
-                        [${len(session['ndgSec']['roles'])==1 and session['ndgSec']['roles'][0] or ', '.join(session['ndgSec']['roles'])}]</td><td>
-                        &nbsp;<span py:replace="logOut()"/></td></tr></tbody></table></div>
-                        <div py:if="'ndgSec' not in session">Further services maybe available if you can
-                            <span py:replace="logIn()"/></div>
-                    </div>
                 </td>
-                <td align="right"><span py:replace="linkimage(g.ndg.security.server.ssoservice.cfg.stfcLink,g.ndg.security.server.ssoservice.cfg.stfcImage,'Hosted by the STFC CEDA')"/></td>
+                <td align="right"><span py:replace="linkimage(g.ndg.security.server.sso.cfg.stfcLink,g.ndg.security.server.sso.cfg.stfcImage,'Hosted by the STFC CEDA')"/></td>
             </tr>
         </tbody></table></center>
@@ -83 +73 @@
         <span>
             <a href="javascript:;" title="Toggle help" onclick="toggleDiv(1,'$value','shown','hidden','div'); return false;">
-            <img src="$g.ndg.security.server.ssoservice.cfg.helpIcon" alt="Toggle help" class="helpicon"/></a>
+            <img src="$g.ndg.security.server.sso.cfg.helpIcon" alt="Toggle help" class="helpicon"/></a>
       
         </span>
@@ -90 +80 @@
     <!-- Login and out buttons -->    
     <span py:def="logOut()" class="logOut">
-        <form action="$g.ndg.security.server.ssoservice.cfg.logout">
-            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
+        <form action="$g.ndg.security.server.sso.cfg.logoutURI">
+            <input type="hidden" name="r" value="${g.ndg.security.common.sso.b64encReturnToURL}"/>
             <input type="submit" value="Logout"/>
         </form>
@@ -102 +92 @@
         # Base 64 encode to enable passing around in 'r' argument of query
         # string for use with login/logout
-        c.returnTo = c.requestURL
-        c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
+        g.ndg.security.common.sso.returnToURL = c.requestURL
+        g.ndg.security.common.sso.b64encReturnToURL = urlsafe_b64encode(c.requestURL)
         ?>
-        <form action="$g.ndg.security.server.ssoservice.cfg.wayfuri">
-            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
+        <form action="$g.ndg.security.server.sso.cfg.wayfuri">
+            <input type="hidden" name="r" value="${g.ndg.security.common.sso.b64encReturnToURL}"/>
             <input type="submit" value="Login"/>
         </form>

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid

@@ -5 +5 @@
                 <?python
                 # Sort alphabetically
-                providerNames = c.providers.keys()
+                providerNames = g.ndg.security.server.sso.state.trustedIdPs.keys()
                 providerNames.sort()
                 ?>
                 <ul py:for="h in providerNames">
-                    <li> <a href="${c.providers[h]}?r=${c.b64encReturnTo}">${h}</a></li>
+                    <li> <a href="${g.ndg.security.server.sso.state.trustedIdPs[h]}?r=${g.ndg.security.common.sso.state.b64encReturnToURL}">${h}</a></li>
                 </ul>
             </p>
-        <!--
-        <p>Before clicking on these links, please check that the links redirect to a site
-        you trust with your security credentials.</p>
-        <p> How can I tell?  For any of the above, following login you will be 
-        redirected back to the URL: <a href="${c.returnTo}">${c.returnTo}</a></p>
-        -->
         </div>
         
     <div py:def="openIDSignin()" class="openIDSignin" style="text-indent:5px">
                 <p>Alternatively, sign in with OpenID:</p>
-                <form action="$g.ndg.security.server.ssoservice.cfg.server/verify" method="post">
+                <form action="$g.ndg.security.server.sso.cfg.server/verify" method="post">
                   <table cellspacing="0" border="0" cellpadding="5">
                     <tr>
@@ -37 +31 @@
                 <style>
                         input.openid-identifier {
-                           background: url($g.ndg.security.server.ssoservice.cfg.server/layout/openid-inputicon.gif) no-repeat;
+                           background: url($g.ndg.security.server.sso.cfg.server/layout/openid-inputicon.gif) no-repeat;
                            background-color: #fff;
                            background-position: 0 50%;