Changeset 4290


Timestamp:
06/10/08 17:27:43 (11 years ago)
Author:
pjkersha
Message:

Refactoring of CredWallet - added unit tests for the AA getAttCert call with a userId (as in DEWS) and with a personal X.509 cert.

Location:
TI12-security/trunk/python
Files:
4 edited

  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

    r4285 r4290  
    427427        user ID to associate with the AC.  This is useful in the case where, 
    428428        as in the DEWS project, the holder will be a server cert. rather than 
    429         a user proxy cert. 
     429        a user cert. 
    430430         
    431431        If this keword is omitted, userId in the AC will default to the same 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

    r4285 r4290  
    296296        '_cfg', 
    297297        '_credentials', 
    298         '_dn' 
     298        '_dn', 
     299        '_attributeAuthorityURI' 
    299300    ] 
    300301     
     
    670671        return attributeAuthorityClnt 
    671672 
    672  
     673    def createAttributeAuthorityClnt(self, attributeAuthorityURI=None): 
     674        '''Convenience method to create an Attribute Authority Client based 
     675        on WS-Security config and user X.509 certificate settings if present 
     676         
     677        Nb. a client is created implicitly when the attributeAuthorityURI 
     678        attribute property is set''' 
     679         
     680        if attributeAuthorityURI is None: 
     681            attributeAuthorityURI = self.attributeAuthorityURI 
     682             
     683        self._attributeAuthorityClnt = self._createAttributeAuthorityClnt( 
     684                                                        attributeAuthorityURI) 
     685         
     686    def _getAttributeAuthorityURI(self): 
     687        """Get property method for Attribute Authority Web Service URI to 
     688        connect to.""" 
     689        return self._attributeAuthorityURI 
     690             
    673691    def _setAttributeAuthorityURI(self, attributeAuthorityURI): 
    674692        """Set property method for Attribute Authority Web Service URI to 
     
    676694         
    677695        @type attributeAuthorityURI: string 
    678         @param attributeAuthorityURI: Attribute Authority Web Service URI.  Set to None to 
    679         initialise.  Set to a URI to instantiate a new AA client""" 
     696        @param attributeAuthorityURI: Attribute Authority Web Service URI.  Set 
     697        to None to initialise.  Set to a URI to instantiate a new Attribute  
     698        Authority client""" 
    680699        if attributeAuthorityURI is None: 
    681             self._attributeAuthorityClnt = None 
     700            self._attributeAuthorityURI = self._attributeAuthorityClnt = None 
    682701            return 
    683702        else: 
     703            self._attributeAuthorityURI = attributeAuthorityURI 
    684704            self._attributeAuthorityClnt = self._createAttributeAuthorityClnt( 
    685705                                                        attributeAuthorityURI) 
    686706             
    687     attributeAuthorityURI = property(fset=_setAttributeAuthorityURI, 
    688              doc="AA URI - setting also sets up AttAuthorityClient instance!") 
     707    attributeAuthorityURI = property(fget=_getAttributeAuthorityURI, 
     708                                     fset=_setAttributeAuthorityURI, 
     709                                     doc="Attribute Authority address - " 
     710                                         "setting also sets up " 
     711                                         "AttAuthorityClient instance!") 
    689712 
    690713 
     
    873896        if attributeAuthorityClnt is None: 
    874897            attributeAuthorityClnt = self._attributeAuthorityClnt 
     898         
     899        # If a user cert. is present, ignore the user ID setting.  The 
     900        # Attribute Authority will set the userId field of the  
     901        # Attribute Certificate based on the DN of the user certificate 
     902        if self.userX509Cert: 
     903            userId = None 
     904        else: 
     905            userId = self.userId 
    875906             
    876907        if attributeAuthorityClnt is not None: 
    877908            try: 
    878909                log.debug("Calling attribute authority using supplied client") 
    879                 attCert = attributeAuthorityClnt.getAttCert( 
     910                attCert = attributeAuthorityClnt.getAttCert(userId=userId, 
    880911                                                        userAttCert=extAttCert) 
    881912                                
     
    896927                log.debug("Calling Attribute Authority using info from " 
    897928                          "properties file: %s" % self.attributeAuthority) 
    898                 attCert = self.attributeAuthority.getAttCert( 
     929                     
     930                attCert = self.attributeAuthority.getAttCert(userId=userId, 
    899931                                                        userAttCert=extAttCert) 
    900932                 
     
    9981030                   attCertRefreshElapse=None): 
    9991031         
    1000         """For a given role, get an Attribute Certificate from an Attribute  
    1001         Authority using a user's X.509 certificate.  If this fails try to make 
    1002         a mapped Attribute Certificate by using a certificate from another  
     1032        """Get an Attribute Certificate from an Attribute Authority.  If this  
     1033        fails try to make a mapped Attribute Certificate by using a certificate from another  
    10031034        host which has a trust relationship to the Attribute Authority in  
    10041035        question. 
    10051036 
    1006         getAttCert([reqRole=r, ][attributeAuthority=f|attributeAuthorityURI=u,] 
     1037        getAttCert([reqRole=r, ][attributeAuthority=a|attributeAuthorityURI=u,] 
    10071038                   [mapFromTrustedHosts=m, ] 
    10081039                   [rtnExtAttCertList=e, ][extAttCertList=el, ] 
     
    10941125        existing AC in the cache with a fresh one.  If the existing one has  
    10951126        less than attCertRefreshElapse time in seconds left before expiry then 
    1096         replace it.""" 
     1127        replace it. 
     1128         
     1129        @rtype: ndg.security.common.AttCert.AttCert 
     1130        @return: Attribute Certificate retrieved from Attribute Authority""" 
    10971131         
    10981132        log.debug("CredWallet.getAttCert ...") 
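Review bot: The new `createAttributeAuthorityClnt` falls back to `self.attributeAuthorityURI` when its argument is None, but nothing stops both from being None, so `self._createAttributeAuthorityClnt(None)` is reached — whereas `_setAttributeAuthorityURI` in the same hunk treats None as "reset the client" and never calls the factory. I would mirror the setter, `if attributeAuthorityURI is None: self._attributeAuthorityClnt = None; return`, or fail with a clear error, rather than hand None to `_createAttributeAuthorityClnt`, whose behaviour on None is outside this hunk. Its docstring also lacks the `@type`/`@param attributeAuthorityURI` entries the setter carries. In the `getAttCert` hunk the wallet now suppresses `userId` when a user X.509 cert is present so the Attribute Authority derives identity from the authenticated certificate, which is the right direction; in the no-cert path `self.userId` is a client-asserted value, so a comment there that the Attribute Authority is expected to restrict which callers may assert a userId would help the next reader (the AA side is not on this page). The enclosing `getAttCert` method starts and ends outside the hunk.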
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/soap.py

    r4285 r4290  
    158158            soapIn = environ['wsgi.input'].read(contentLength) 
    159159            if len(soapIn) < contentLength: 
    160                 raise SOAPMiddlewareReadError("Expecting %s content length; " 
    161                                               "received %d instead." % \ 
    162                                               (environ['CONTENT_LENGTH'], 
    163                                                len(soapIn))) 
     160                raise SOAPMiddlewareReadError("Expecting %d content length; " 
     161                                              "received %d instead." %  
     162                                              (contentLength, len(soapIn))) 
    164163             
    165164            log.debug("SOAP Request for handler %r" % cls) 
     
    224223            if filterID in environ: 
    225224                raise SOAPMiddlewareConfigError("An filterID key '%s' is " 
    226                                                 "already set in environ" % \ 
     225                                                "already set in environ" % 
    227226                                                filterID) 
    228227            environ[filterID] = self 
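Review bot: The short-read check in the first hunk still reads exactly the `contentLength` the client declared, with no upper bound, so a large declared Content-Length becomes an equally large allocation in `environ['wsgi.input'].read(contentLength)` before anything is verified. I would bound it before the read, e.g. `if contentLength > maxContentLength: raise SOAPMiddlewareReadError("Content length %d exceeds limit %d" % (contentLength, maxContentLength))`, with `maxContentLength` a configurable attribute (placeholder name; nothing of that name is on the page). The parsing of `contentLength` and the start of the enclosing method are outside the hunk, so such a bound may already exist there — worth confirming. The `%s`→`%d` change assumes `contentLength` is already an int, which the `read(contentLength)` call on the line above supports.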
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/credwallet/test_credwallet.py

    r4285 r4290  
    114114        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath')) 
    115115        attCert = credWallet.getAttCert() 
    116      
    117 #    def test6GetAttCertWithSessID(self): 
    118 #        """test6GetAttCertWithSessID: make an attribute request using 
    119 #        a session ID as authentication credential""" 
    120 # 
    121 #        self.sessionMgrConnect() 
    122 #         
    123 #        attCert, errMsg, extAttCertList = self.credWallet.getAttCert(\ 
    124 #            sessID=self.sessID,  
    125 #            aaURI=self.cfg.get('test6GetAttCertWithSessID', 'aauri')) 
    126 #        if errMsg: 
    127 #            self.fail(errMsg) 
    128 #             
    129 #        print "Attribute Certificate:\n%s" % attCert  
    130 #        attCert.filePath = \ 
    131 #            xpdVars(self.cfg.get('test6GetAttCertWithSessID', 'acoutfilepath'))  
    132 #        attCert.write() 
    133 #         
    134 #        return self.credWallet 
     116         
     117        # No user X.509 cert is set so the resulting Attribute Certificate 
     118        # user ID should be the same as that set for the wallet 
     119        assert(attCert.userId == credWallet.userId) 
     120        print "Attribute Certificate:\n%s" % attCert 
     121         
     122    def test4GetAttCertWithUserX509Cert(self): 
     123                     
     124        credWallet = CredWallet(cfg=self.cfg.get('setUp', 'cfgFilePath')) 
     125         
     126        # Set a test individual user certificate to override the client  
     127        # cert. and private key in WS-Security settings in the config file 
     128        credWallet.userX509Cert = """ 
     129-----BEGIN CERTIFICATE----- 
     130MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH 
     131MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0 
     132N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD 
     133MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA 
     134rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY 
     135ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH 
     136JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F 
     137oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb 
     138B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7 
     139B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ 
     140KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46 
     141aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl 
     1429Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI= 
     143-----END CERTIFICATE----- 
     144""" 
     145        credWallet.userPriKey = """ 
     146-----BEGIN RSA PRIVATE KEY----- 
     147MIIEowIBAAKCAQEArpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xM 
     148ieMZy9XQft2dFBDYZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk 
     1492dZxaAt97zXEruEHJoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5 
     150Je8QREThIE5hRd9FoUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLC 
     151cLvs3THQ3kO5qYYbB0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhM 
     152ZvSJ/tVGJY4HfWG7B4PZzYwo5vn/tYH1mk7w5QIDAQABAoIBAQCQdxly/iBxWo60 
     153Jh1zukxOj4QCzwLnps1P8z27FMeK/eJ33scCjeWpkios4An7MZktSW0UqXt135E1 
     154wxjwdaBzABDZm/Q0xkGLyLfTXI5EgnIWQO+mRVifxGqXhsFSB6gYCUPEFfZnOE6x 
     155XZ9sPluKvtTRUR79eb1glzGHRfEF31eBQdPkATA011twBNL3ApULxjlnFBch1LXD 
     156lldbYb9wWV9Bcl9ftJ7Sr4kJ7gqiETWRgKuyMMwGfhIrr8PXB/oq9VOAGg+XSQQY 
     157+0sm1URfh/N5Q7ES+dgOR4MTCn8LUFW859OqY5QZidqDxg/fTNNt6znx0FZcGfbd 
     158oDJV6Oc9AoGBAOgjNePWgxiDYJohNWATs7fUXvT4cGrR6TdJKXd3T8bVp+AO94au 
     159vM9iOZiCfQNRxGYHA25EfwflaF3yKLOvlsK7k1ewRvQ4Hqi/MRyRxIhPmLYCkavl 
     160FOKHV3UeLItpRJMzjU4OBq2k1g3uC22ZYWWXFaYmP+KSW5ICq0v8M4SfAoGBAMCJ 
     161UqbPP8MPht36P43dZJDX+GlPlhWcXrWCD0ePX0wExEBeg+M0GqHTWrz4OwSzHTY0 
     162XPwPqm2kEICIhHyK/BSZ09CMOdHwUc3gRZULCrSnTkEcJY+XY9IftYcVXIL2xFfx 
     163qXqiLe7Le7p2mscSKXUM4uE4Vz16JHDE3Kh3Gnf7AoGAdi2WvcrzKoOXpl/JoIPn 
     164NmrzfJsOABOlOvQQHDWtc3hJ4pM8CGDk1l8XG0EzC4GRDq/7WyOb2BU+MLWbav61 
     165LaX4uOeQ97uqQBY1lmnPN+XtxJtCNdSF8V0ddQ5Ldx28P4Q7J8WUOMp1/tl1D/LJ 
     1661sI3z0Ihu+Luo0Kgmipmv9kCgYB+eTZL0RQHZCmpovsgi2/GHbhWJStnosIr5PV4 
     167gluNKgxoZC2qj812w8l1HHJYUfg8ZQU3pmrDfuRAKm0tCncwaSPUeGh62axC2rGa 
     168iBhONyCWcJDT1BSEMMQjqgqNFOBBDMPRhLs7g3sRL1vYrLuC4iYe382e2p8ZXJe+ 
     169Kg6/BQKBgDlFDM9m/9A11PIlh/ir0KXUqtPA1q+Hn629BRsbbsH2HW+kj018RLT+ 
     170SgRwhrqFtF5HCMXEh0ez/RyHHoMiVnan9jpLtGEdE8ojJnISjvkIyLUCCJdq8HYC 
     17125UDHqKuoqHBiXWazfZ6MOlcIm6vp1FpVDygu59JHPROMxW+BAg/ 
     172-----END RSA PRIVATE KEY----- 
     173""" 
     174        credWallet.createAttributeAuthorityClnt() 
     175        attCert = credWallet.getAttCert() 
     176         
     177        # A user X.509 cert. was set so this cert's DN should be set in the 
     178        # userId field of the resulting Attribute Certificate 
     179        assert(attCert.userId == str(credWallet.userX509Cert.dn)) 
     180        print "Attribute Certificate:\n%s" % attCert 
     181          
    135182# 
    136183# 
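Review bot: `test4GetAttCertWithUserX509Cert` inlines an RSA private key and certificate in the test module; keeping them as fixture files referenced from the config, as `cfgFilePath` already is, keeps key material out of the source and makes the fixture easy to regenerate. That matters because the certificate carries a fixed validity window — its UTCTime fields appear to decode to a notAfter in early January 2009 — so the test will start failing on its own; at minimum note the expiry in a comment beside the fixture, `# NOTE: test cert expires early 2009 — regenerate before then`. Both new assertions use the bare `assert(...)` statement; if this is a `unittest.TestCase` (the `self.cfg` usage suggests so), `self.assertEqual(attCert.userId, str(credWallet.userX509Cert.dn))` reports the mismatch on failure and is not stripped under `-O`. The `print "Attribute Certificate:\n%s" % attCert` lines are debugging output and could be dropped from the tests.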