Changeset 4447 for TI12-security/trunk/python

Timestamp:

19/11/08 13:10:48 (12 years ago)

Author:

pjkersha

Message:

• Updated Session Manager unit tests to include a call to a locally instantiated Attribute Authority
• fixed bug in CredentialWallet?.getAttCert - ensure attributeAuthority keyword input correctly picked up.

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/credentialwallet.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/zsi/attributeauthority/__init__.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/credentialwallet/siteAAttributeAuthority/__init__.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/credentialwallet/test_credentialwallet.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/sessionmanager/sessionMgrTest.cfg (modified) (2 diffs)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/__init__.py (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/attCertLog (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/attCertLog/__init__.py (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/siteA-aa.cfg (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/siteA-aa.crt (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/siteA-aa.key (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/siteAMapConfig.xml (added)
• ndg.security.test/ndg/security/test/sessionmanager/siteAAttributeAuthority/siteAUserRoles.py (added)
• ndg.security.test/ndg/security/test/sessionmanager/test_sessionmanager.py (modified) (14 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py

@@ -1070 +1070 @@
             raise CredentialWalletError("Error requesting attribute: "
                                         "certificate a URI or Attribute "
-                                        "Authority configuration file must be "
-                                        "specified")
+                                        "Authority instance must be specified")
         
         try:
@@ -1343 +1342 @@
             self.attributeAuthorityURI = attributeAuthorityURI
             
-        if attributeAuthority:
+        if attributeAuthority is not None:
             self.attributeAuthority = attributeAuthority
            

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/attributeauthority/__init__.py

@@ -73 +73 @@
             # Get certificate corresponding to private key that signed the
             # message - i.e. the user's proxy
-            holderCert = signatureFilter.signatureHandler.verifyingCert
+            holderX509Cert = signatureFilter.signatureHandler.verifyingCert
         else:
             # No signature from client - they must instead provide the
             # designated holder cert via the UserCert input
-            holderCert = request.UserCert
+            holderX509Cert = request.UserCert
 
         try:
             attCert = self.aa.getAttCert(userId=request.UserId,
-                                         holderCert=holderCert,
+                                         holderX509Cert=holderX509Cert,
                                          userAttCert=request.UserAttCert)  
             response.AttCert = attCert.toString()

TI12-security/trunk/python/ndg.security.test/ndg/security/test/credentialwallet/siteAAttributeAuthority/__init__.py

@@ -1 @@
-"""NDG Security Session Manager unit test package - ca directory
-for storing CA cert.s used in SSL connections
+"""NDG Security Credential Wallet unit test package - directory
+for test Attribute Authority used in these tests
 
 NERC Data Grid Project
 """
 __author__ = "P J Kershaw"
-__date__ = "12/12/07"
-__copyright__ = "(C) 2007 STFC & NERC"
+__date__ = "19/11/08"
+__copyright__ = "(C) 2008 STFC & NERC"
 __license__ = \
 """This software may be distributed under the terms of the Q Public 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/credentialwallet/test_credentialwallet.py

@@ -53 +53 @@
         
 
-#    def test01ReadOnlyClassVariables(self):
-#        
-#        try:
-#            CredentialWallet.accessDenied = 'yes'
-#            self.fail("accessDenied class variable should be read-only")
-#        except Exception, e:
-#            print("PASS - accessDenied class variable is read-only")
-#
-#        try:
-#            CredentialWallet.accessGranted = False
-#            self.fail("accessGranted class variable should be read-only")
-#        except Exception, e:
-#            print("PASS - accessGranted class variable is read-only")
-#            
-#        assert(not CredentialWallet.accessDenied)
-#        assert(CredentialWallet.accessGranted)
-#        
-#        
-#    def test02SetAttributes(self):
-#        
-#        credWallet = CredentialWallet()
-#        credWallet.userX509Cert = \
-#'''-----BEGIN CERTIFICATE-----
-#MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
-#MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
-#N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
-#MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-#rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
-#ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
-#JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
-#oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
-#B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
-#B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
-#KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
-#aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
-#9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
-#-----END CERTIFICATE-----
-#'''
-#        print("userCert=%s" % credWallet.userX509Cert)
-#        credWallet.userId = 'ndg-user'
-#        print("userId=%s" % credWallet.userId)
-#        
-#        try:
-#            credWallet.blah = 'blah blah'
-#            self.fail("Attempting to set attribute not in __slots__ class "
-#                      "variable should fail")
-#        except AttributeError:
-#            print("PASS - expected AttributeError when setting attribute "
-#                  "not in __slots__ class variable")
-#            
-#        credWallet.caCertFilePathList=None
-#        credWallet.attributeAuthorityURI='http://localhost/AttributeAuthority'
-#            
-#        credWallet.attributeAuthority = None
-#        credWallet.credentialRepository = None
-#        credWallet.mapFromTrustedHosts = False
-#        credWallet.rtnExtAttCertList = True
-#        credWallet.attCertRefreshElapse = 7200
-#            
-#    def test03GetAttCertWithUserId(self):
-#                    
-#        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
-#        attCert = credWallet.getAttCert()
-#        
-#        # No user X.509 cert is set so the resulting Attribute Certificate
-#        # user ID should be the same as that set for the wallet
-#        assert(attCert.userId == credWallet.userId)
-#        print "Attribute Certificate:\n%s" % attCert
-#        
-#    def test04GetAttCertWithUserX509Cert(self):
-#                    
-#        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
-#        
-#        # Set a test individual user certificate to override the client 
-#        # cert. and private key in WS-Security settings in the config file
-#        credWallet.userX509Cert = """
-#-----BEGIN CERTIFICATE-----
-#MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
-#MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
-#N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
-#MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-#rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
-#ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
-#JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
-#oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
-#B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
-#B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
-#KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
-#aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
-#9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
-#-----END CERTIFICATE-----
-#"""
-#        credWallet.userPriKey = """
-#-----BEGIN RSA PRIVATE KEY-----
-#MIIEowIBAAKCAQEArpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xM
-#ieMZy9XQft2dFBDYZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk
-#2dZxaAt97zXEruEHJoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5
-#Je8QREThIE5hRd9FoUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLC
-#cLvs3THQ3kO5qYYbB0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhM
-#ZvSJ/tVGJY4HfWG7B4PZzYwo5vn/tYH1mk7w5QIDAQABAoIBAQCQdxly/iBxWo60
-#Jh1zukxOj4QCzwLnps1P8z27FMeK/eJ33scCjeWpkios4An7MZktSW0UqXt135E1
-#wxjwdaBzABDZm/Q0xkGLyLfTXI5EgnIWQO+mRVifxGqXhsFSB6gYCUPEFfZnOE6x
-#XZ9sPluKvtTRUR79eb1glzGHRfEF31eBQdPkATA011twBNL3ApULxjlnFBch1LXD
-#lldbYb9wWV9Bcl9ftJ7Sr4kJ7gqiETWRgKuyMMwGfhIrr8PXB/oq9VOAGg+XSQQY
-#+0sm1URfh/N5Q7ES+dgOR4MTCn8LUFW859OqY5QZidqDxg/fTNNt6znx0FZcGfbd
-#oDJV6Oc9AoGBAOgjNePWgxiDYJohNWATs7fUXvT4cGrR6TdJKXd3T8bVp+AO94au
-#vM9iOZiCfQNRxGYHA25EfwflaF3yKLOvlsK7k1ewRvQ4Hqi/MRyRxIhPmLYCkavl
-#FOKHV3UeLItpRJMzjU4OBq2k1g3uC22ZYWWXFaYmP+KSW5ICq0v8M4SfAoGBAMCJ
-#UqbPP8MPht36P43dZJDX+GlPlhWcXrWCD0ePX0wExEBeg+M0GqHTWrz4OwSzHTY0
-#XPwPqm2kEICIhHyK/BSZ09CMOdHwUc3gRZULCrSnTkEcJY+XY9IftYcVXIL2xFfx
-#qXqiLe7Le7p2mscSKXUM4uE4Vz16JHDE3Kh3Gnf7AoGAdi2WvcrzKoOXpl/JoIPn
-#NmrzfJsOABOlOvQQHDWtc3hJ4pM8CGDk1l8XG0EzC4GRDq/7WyOb2BU+MLWbav61
-#LaX4uOeQ97uqQBY1lmnPN+XtxJtCNdSF8V0ddQ5Ldx28P4Q7J8WUOMp1/tl1D/LJ
-#1sI3z0Ihu+Luo0Kgmipmv9kCgYB+eTZL0RQHZCmpovsgi2/GHbhWJStnosIr5PV4
-#gluNKgxoZC2qj812w8l1HHJYUfg8ZQU3pmrDfuRAKm0tCncwaSPUeGh62axC2rGa
-#iBhONyCWcJDT1BSEMMQjqgqNFOBBDMPRhLs7g3sRL1vYrLuC4iYe382e2p8ZXJe+
-#Kg6/BQKBgDlFDM9m/9A11PIlh/ir0KXUqtPA1q+Hn629BRsbbsH2HW+kj018RLT+
-#SgRwhrqFtF5HCMXEh0ez/RyHHoMiVnan9jpLtGEdE8ojJnISjvkIyLUCCJdq8HYC
-#25UDHqKuoqHBiXWazfZ6MOlcIm6vp1FpVDygu59JHPROMxW+BAg/
-#-----END RSA PRIVATE KEY-----
-#"""
-#        attCert = credWallet.getAttCert()
-#        
-#        # A user X.509 cert. was set so this cert's DN should be set in the
-#        # userId field of the resulting Attribute Certificate
-#        assert(attCert.userId == str(credWallet.userX509Cert.dn))
-#        print "Attribute Certificate:\n%s" % attCert
-#         
-#
-#
-#    def test05GetAttCertRefusedWithUserCert(self):
-#        
-#        # Keyword mapFromTrustedHosts overrides any setting in the config file
-#        # This flag prevents role mapping from a trusted AA and so in this case
-#        # forces refusal of the request
-#        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'),
-#                                      mapFromTrustedHosts=False)    
-#        credWallet.userX509CertFilePath = self.cfg.get('setUp',
-#                                                       'userX509CertFilePath')
-#        credWallet.userPriKeyFilePath = self.cfg.get('setUp',
-#                                                     'userPriKeyFilePath')
-#        
-#        # Set AA URI AFTER user PKI settings so that these are picked in the
-#        # implicit call to create a new AA Client when the URI is set
-#        credWallet.attributeAuthorityURI = self.cfg.get('setUp', 
-#                                                    'attributeAuthorityURI')
-#        try:
-#            attCert = credWallet.getAttCert()
-#        except CredentialWalletAttributeRequestDenied, e:
-#            print "SUCCESS - obtained expected result: %s" % e
-#            return
-#        
-#        self.fail("Request allowed from Attribute Authority where user is NOT "
-#                  "registered!")
-#
-#    def test06GetMappedAttCertWithUserId(self):
-#        
-#        # Call Site A Attribute Authority where user is registered
-#        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
-#        attCert = credWallet.getAttCert()
-#
-#        # Use Attribute Certificate cached in wallet to get a mapped 
-#        # Attribute Certificate from Site B's Attribute Authority
-#        siteBURI = self.cfg.get('setUp', 'attributeAuthorityURI')        
-#        attCert = credWallet.getAttCert(attributeAuthorityURI=siteBURI)
-#            
-#        print("Mapped Attribute Certificate from Site B Attribute "
-#              "Authority:\n%s" % attCert)
+    def test01ReadOnlyClassVariables(self):
+        
+        try:
+            CredentialWallet.accessDenied = 'yes'
+            self.fail("accessDenied class variable should be read-only")
+        except Exception, e:
+            print("PASS - accessDenied class variable is read-only")
+
+        try:
+            CredentialWallet.accessGranted = False
+            self.fail("accessGranted class variable should be read-only")
+        except Exception, e:
+            print("PASS - accessGranted class variable is read-only")
+            
+        assert(not CredentialWallet.accessDenied)
+        assert(CredentialWallet.accessGranted)
+        
+        
+    def test02SetAttributes(self):
+        
+        credWallet = CredentialWallet()
+        credWallet.userX509Cert = \
+'''-----BEGIN CERTIFICATE-----
+MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
+N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
+MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
+ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
+JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
+oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
+B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
+B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
+KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
+aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
+9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
+-----END CERTIFICATE-----
+'''
+        print("userCert=%s" % credWallet.userX509Cert)
+        credWallet.userId = 'ndg-user'
+        print("userId=%s" % credWallet.userId)
+        
+        try:
+            credWallet.blah = 'blah blah'
+            self.fail("Attempting to set attribute not in __slots__ class "
+                      "variable should fail")
+        except AttributeError:
+            print("PASS - expected AttributeError when setting attribute "
+                  "not in __slots__ class variable")
+            
+        credWallet.caCertFilePathList=None
+        credWallet.attributeAuthorityURI='http://localhost/AttributeAuthority'
+            
+        credWallet.attributeAuthority = None
+        credWallet.credentialRepository = None
+        credWallet.mapFromTrustedHosts = False
+        credWallet.rtnExtAttCertList = True
+        credWallet.attCertRefreshElapse = 7200
+            
+    def test03GetAttCertWithUserId(self):
+                    
+        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
+        attCert = credWallet.getAttCert()
+        
+        # No user X.509 cert is set so the resulting Attribute Certificate
+        # user ID should be the same as that set for the wallet
+        assert(attCert.userId == credWallet.userId)
+        print "Attribute Certificate:\n%s" % attCert
+        
+    def test04GetAttCertWithUserX509Cert(self):
+                    
+        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
+        
+        # Set a test individual user certificate to override the client 
+        # cert. and private key in WS-Security settings in the config file
+        credWallet.userX509Cert = """
+-----BEGIN CERTIFICATE-----
+MIICazCCAdSgAwIBAgICAPcwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MDEwNDEwMTk0
+N1oXDTA5MDEwMzEwMTk0N1owLDEMMAoGA1UEChMDTkRHMQ0wCwYDVQQLEwRCQURD
+MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+rpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xMieMZy9XQft2dFBDY
+ZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk2dZxaAt97zXEruEH
+JoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5Je8QREThIE5hRd9F
+oUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLCcLvs3THQ3kO5qYYb
+B0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhMZvSJ/tVGJY4HfWG7
+B4PZzYwo5vn/tYH1mk7w5QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBPAwDQYJ
+KoZIhvcNAQEEBQADgYEAFKEdr2FwlposAGRDHBMX9d48TKm1gXzOMEvReTYIaq46
+aMpDDuApsbjpRqohvKIrngGa2e1p81tOTL5kbuusNjcNsagXkNgeO6qcGZCly/Bl
+9Kxfynaned5jmgWgoxJP7VtOynvlLqJfrS/cEwOWDYpyPjJDRx2cZgEd3P4WfYI=
+-----END CERTIFICATE-----
+"""
+        credWallet.userPriKey = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArpbuNUHWVRwhjHzhTOdym+fcZdmD7HbaeoFdef2V//Wj41xM
+ieMZy9XQft2dFBDYZIHLElojVhZTHoowMkwXxsmLt7hZF8fL7j3ssU/lflM9E0Uk
+2dZxaAt97zXEruEHJoNqHTEQlH0qMALfuUrAaZEIXHDdTQDNRJl4oXvjJWaqS8Y5
+Je8QREThIE5hRd9FoUlgfMNNnwzLyIH7s0KBci2yryeubAG/Qig5LkulbpnhxYLC
+cLvs3THQ3kO5qYYbB0g11YOBgshZ0SpNwEEyhDzHUt3Ii2XmAh25/II08BR61fhM
+ZvSJ/tVGJY4HfWG7B4PZzYwo5vn/tYH1mk7w5QIDAQABAoIBAQCQdxly/iBxWo60
+Jh1zukxOj4QCzwLnps1P8z27FMeK/eJ33scCjeWpkios4An7MZktSW0UqXt135E1
+wxjwdaBzABDZm/Q0xkGLyLfTXI5EgnIWQO+mRVifxGqXhsFSB6gYCUPEFfZnOE6x
+XZ9sPluKvtTRUR79eb1glzGHRfEF31eBQdPkATA011twBNL3ApULxjlnFBch1LXD
+lldbYb9wWV9Bcl9ftJ7Sr4kJ7gqiETWRgKuyMMwGfhIrr8PXB/oq9VOAGg+XSQQY
++0sm1URfh/N5Q7ES+dgOR4MTCn8LUFW859OqY5QZidqDxg/fTNNt6znx0FZcGfbd
+oDJV6Oc9AoGBAOgjNePWgxiDYJohNWATs7fUXvT4cGrR6TdJKXd3T8bVp+AO94au
+vM9iOZiCfQNRxGYHA25EfwflaF3yKLOvlsK7k1ewRvQ4Hqi/MRyRxIhPmLYCkavl
+FOKHV3UeLItpRJMzjU4OBq2k1g3uC22ZYWWXFaYmP+KSW5ICq0v8M4SfAoGBAMCJ
+UqbPP8MPht36P43dZJDX+GlPlhWcXrWCD0ePX0wExEBeg+M0GqHTWrz4OwSzHTY0
+XPwPqm2kEICIhHyK/BSZ09CMOdHwUc3gRZULCrSnTkEcJY+XY9IftYcVXIL2xFfx
+qXqiLe7Le7p2mscSKXUM4uE4Vz16JHDE3Kh3Gnf7AoGAdi2WvcrzKoOXpl/JoIPn
+NmrzfJsOABOlOvQQHDWtc3hJ4pM8CGDk1l8XG0EzC4GRDq/7WyOb2BU+MLWbav61
+LaX4uOeQ97uqQBY1lmnPN+XtxJtCNdSF8V0ddQ5Ldx28P4Q7J8WUOMp1/tl1D/LJ
+1sI3z0Ihu+Luo0Kgmipmv9kCgYB+eTZL0RQHZCmpovsgi2/GHbhWJStnosIr5PV4
+gluNKgxoZC2qj812w8l1HHJYUfg8ZQU3pmrDfuRAKm0tCncwaSPUeGh62axC2rGa
+iBhONyCWcJDT1BSEMMQjqgqNFOBBDMPRhLs7g3sRL1vYrLuC4iYe382e2p8ZXJe+
+Kg6/BQKBgDlFDM9m/9A11PIlh/ir0KXUqtPA1q+Hn629BRsbbsH2HW+kj018RLT+
+SgRwhrqFtF5HCMXEh0ez/RyHHoMiVnan9jpLtGEdE8ojJnISjvkIyLUCCJdq8HYC
+25UDHqKuoqHBiXWazfZ6MOlcIm6vp1FpVDygu59JHPROMxW+BAg/
+-----END RSA PRIVATE KEY-----
+"""
+        attCert = credWallet.getAttCert()
+        
+        # A user X.509 cert. was set so this cert's DN should be set in the
+        # userId field of the resulting Attribute Certificate
+        assert(attCert.userId == str(credWallet.userX509Cert.dn))
+        print "Attribute Certificate:\n%s" % attCert
+         
+
+
+    def test05GetAttCertRefusedWithUserCert(self):
+        
+        # Keyword mapFromTrustedHosts overrides any setting in the config file
+        # This flag prevents role mapping from a trusted AA and so in this case
+        # forces refusal of the request
+        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'),
+                                      mapFromTrustedHosts=False)    
+        credWallet.userX509CertFilePath = self.cfg.get('setUp',
+                                                       'userX509CertFilePath')
+        credWallet.userPriKeyFilePath = self.cfg.get('setUp',
+                                                     'userPriKeyFilePath')
+        
+        # Set AA URI AFTER user PKI settings so that these are picked in the
+        # implicit call to create a new AA Client when the URI is set
+        credWallet.attributeAuthorityURI = self.cfg.get('setUp', 
+                                                    'attributeAuthorityURI')
+        try:
+            attCert = credWallet.getAttCert()
+        except CredentialWalletAttributeRequestDenied, e:
+            print "SUCCESS - obtained expected result: %s" % e
+            return
+        
+        self.fail("Request allowed from Attribute Authority where user is NOT "
+                  "registered!")
+
+    def test06GetMappedAttCertWithUserId(self):
+        
+        # Call Site A Attribute Authority where user is registered
+        credWallet = CredentialWallet(cfg=self.cfg.get('setUp', 'cfgFilePath'))
+        attCert = credWallet.getAttCert()
+
+        # Use Attribute Certificate cached in wallet to get a mapped 
+        # Attribute Certificate from Site B's Attribute Authority
+        siteBURI = self.cfg.get('setUp', 'attributeAuthorityURI')        
+        attCert = credWallet.getAttCert(attributeAuthorityURI=siteBURI)
+            
+        print("Mapped Attribute Certificate from Site B Attribute "
+              "Authority:\n%s" % attCert)
                         
     def test07GetAttCertFromLocalAAInstance(self):

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionmanager/sessionMgrTest.cfg

@@ -22 +22 @@
 propFilePath = $NDGSEC_SM_UNITTEST_DIR/sessionMgr.cfg
 
-[test1Connect]
+[test01Connect2AuthNServiceWithNoUserCertReturned]
 # Alter username according to the MyProxy credentials you wish to test.  If
 # passphrase is commented out you will be prompted for it on the command line.
@@ -29 +29 @@
 passphrase = testpassword
 
-[test2Connect2AuthNServiceReturningAUserCert]
+[test02Connect2AuthNServiceReturningAUserCert]
 outputCredsFilePath = user.creds
 
-[test4ConnectNoCreateServerSess]         
+[test04ConnectNoCreateServerSess]         
 username = testuser
 passphrase = testpassword
 
-[test7GetAttCertWithSessID]
+[test07GetAttCertWithSessID]
 aaURI = http://localhost:5000/AttributeAuthority
 acOutputFilePath = $NDGSEC_SM_UNITTEST_DIR/ac-out.xml
 
-[test8GetAttCertRefusedWithSessID]
+[test08GetAttCertRefusedWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
 
-[test9GetMappedAttCertWithSessID]
+[test09GetMappedAttCertWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
 
 [test10GetAttCertWithExtAttCertListWithSessID]
 aaURI = http://localhost:5100/AttributeAuthority
-# Use output from test7GetAttCertWithSessID!
+# Use output from test07GetAttCertWithSessID!
 extACFilePath = $NDGSEC_SM_UNITTEST_DIR/ac-out.xml
 
 [test11GetAttCertWithUserCert]
 aaURI = http://localhost:5000/AttributeAuthority
+
+[test12GetAttCertFromLocalAAInstance]
+aaPropFilePath = $NDGSEC_SM_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.cfg
+acOutputFilePath = $NDGSEC_SM_UNITTEST_DIR/test12-ac-out.xml

TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionmanager/test_sessionmanager.py

@@ -23 +23 @@
                                                     CaseSensitiveConfigParser
 from ndg.security.common.X509 import X509CertParse
-from ndg.security.server.sessionmanager import *
+from ndg.security.server.sessionmanager import SessionManager
+from ndg.security.server.attributeauthority import AttributeAuthority
 
 from os.path import expandvars as xpdVars
@@ -130 +131 @@
         print("Finished setting up connection")
    
-    def test1Connect2AuthNServiceWithNoUserCertReturned(self):
-        
-        username = self.cfg.get('test1Connect', 'username')
+    def test01Connect2AuthNServiceWithNoUserCertReturned(self):
+        
+        thisSection = 'test01Connect2AuthNServiceWithNoUserCertReturned'
+        username = self.cfg.get(thisSection, 'username')
         if SessionManagerTestCase.passphrase is None and \
-           self.cfg.has_option('test1Connect', 'passphrase'):
-            SessionManagerTestCase.passphrase=self.cfg.get('test1Connect', 
-                                                                'passphrase')
+           self.cfg.has_option(thisSection, 'passphrase'):
+            SessionManagerTestCase.passphrase=self.cfg.get(thisSection, 
+                                                           'passphrase')
         
         if not SessionManagerTestCase.passphrase:
@@ -150 +152 @@
         assert(issuingCert is None)
         
-        print "User '%s' connected to Session Manager:\n%s" % \
-                                                        (username, sessID)       
+        print("User '%s' connected to Session Manager:\n%s"%(username, sessID))     
                                   
-    def test2Connect2AuthNServiceReturningAUserCert(self):
-        
-        section = 'test2Connect2AuthNServiceReturningAUserCert'
+    def test02Connect2AuthNServiceReturningAUserCert(self):
+        
+        section = 'test02Connect2AuthNServiceReturningAUserCert'
         
         # Change to alternative authentication service
@@ -185 +186 @@
     
             
-    def test3GetSessionStatus(self):
-        """test3GetSessionStatus: check a session is alive"""
+    def test03GetSessionStatus(self):
+        """test03GetSessionStatus: check a session is alive"""
         
         self._connect()
@@ -197 +198 @@
         print "CORRECT: sessID=abc doesn't exist"
         
-    def test4ConnectNoCreateServerSess(self):
-        """test4ConnectNoCreateServerSess: Connect to retrieve credentials
+    def test04ConnectNoCreateServerSess(self):
+        """test04ConnectNoCreateServerSess: Connect to retrieve credentials
         only - no session is created.  This makes sense only for an AuthN
         Service that returns user credentials"""
-        section = 'test4ConnectNoCreateServerSess'
+        section = 'test04ConnectNoCreateServerSess'
         
         # Change to alternative authentication service
@@ -243 +244 @@
             
 
-    def test5DisconnectWithSessID(self):
-        """test5DisconnectWithSessID: disconnect as if acting as a browser 
+    def test05DisconnectWithSessID(self):
+        """test05DisconnectWithSessID: disconnect as if acting as a browser 
         client 
         """
@@ -254 +255 @@
             
 
-    def test6DisconnectWithUserCert(self):
+    def test06DisconnectWithUserCert(self):
         """test5DisconnectWithUserCert: Disconnect based on a user X.509
         cert. credential from an earlier call to connect 
@@ -266 +267 @@
 
 
-    def test7GetAttCertWithSessID(self):
-        """test7GetAttCertWithSessID: make an attribute request using
+    def test07GetAttCertWithSessID(self):
+        """test07GetAttCertWithSessID: make an attribute request using
         a session ID as authentication credential"""
 
         self._connect()
         
-        section = 'test7GetAttCertWithSessID'
+        section = 'test07GetAttCertWithSessID'
         aaURI = self.cfg.get(section, 'aaURI')
         attCert, errMsg, extAttCertList=self.sm.getAttCert(sessID=self.sessID, 
@@ -282 +283 @@
         attCert.filePath = xpdVars(self.cfg.get(section, 'acOutputFilePath')) 
         attCert.write()
-        
-        return self.sm
-
-
-    def test8GetAttCertRefusedWithSessID(self):
-        """test8GetAttCertRefusedWithSessID: make an attribute request using
+
+
+    def test08GetAttCertRefusedWithSessID(self):
+        """test08GetAttCertRefusedWithSessID: make an attribute request using
         a sessID as authentication credential requesting an AC from an
         Attribute Authority where the user is NOT registered"""
@@ -293 +292 @@
         self._connect()
         
-        aaURI = self.cfg.get('test8GetAttCertRefusedWithSessID', 'aaURI')
+        aaURI = self.cfg.get('test08GetAttCertRefusedWithSessID', 'aaURI')
         
         attCert, errMsg, extAttCertList=self.sm.getAttCert(sessID=self.sessID, 
@@ -305 +304 @@
 
 
-    def test9GetMappedAttCertWithSessID(self):
-        """test9GetMappedAttCertWithSessID: make an attribute request using
+    def test09GetMappedAttCertWithSessID(self):
+        """test09GetMappedAttCertWithSessID: make an attribute request using
         a session ID as authentication credential"""
 
@@ -313 +312 @@
         # Attribute Certificate cached in test 6 can be used to get a mapped
         # AC for this test ...
-        self.sm = self.test7GetAttCertWithSessID()
-
-        aaURI = self.cfg.get('test9GetMappedAttCertWithSessID', 'aaURI')
+        self.test07GetAttCertWithSessID()
+
+        aaURI = self.cfg.get('test09GetMappedAttCertWithSessID', 'aaURI')
         
         attCert, errMsg, extAttCertList=self.sm.getAttCert(sessID=self.sessID,
@@ -364 +363 @@
           
         print("Attribute Certificate:\n%s" % attCert)  
+
+
+    def test12GetAttCertFromLocalAAInstance(self):
+        """test12GetAttCertFromLocalAAInstance: make an attribute request to a
+        locally instantiated Attribute Authority"""
+
+        self._connect()
+        
+        section = 'test12GetAttCertFromLocalAAInstance'
+        aaPropFilePath = self.cfg.get(section, 'aaPropFilePath')
+        attributeAuthority=AttributeAuthority(propFilePath=aaPropFilePath,
+                                              propPrefix='attributeAuthority')
+        
+        attCert, errMsg, extAttCertList=self.sm.getAttCert(sessID=self.sessID, 
+                                        attributeAuthority=attributeAuthority)
+        if errMsg:
+            self.fail(errMsg)
+            
+        print("Attribute Certificate:\n%s" % attCert) 
+        attCert.filePath = xpdVars(self.cfg.get(section, 'acOutputFilePath')) 
+        attCert.write()
 
 
@@ -372 +392 @@
         smTestCaseMap = map(SessionManagerTestCase,
                           (
-                            "test1Connect2AuthNServiceWithNoUserCertReturned",
-                            "test2Connect2AuthNServiceReturningAUserCert",
-                            "test3GetSessionStatus",
-                            "test4ConnectNoCreateServerSess",
-                            "test5DisconnectWithSessID",
-                            "test6DisconnectWithUserCert",
-                            "test7GetAttCertWithSessID",
-                            "test8GetAttCertRefusedWithSessID",
-                            "test9GetMappedAttCertWithSessID",
+                            "test01Connect2AuthNServiceWithNoUserCertReturned",
+                            "test02Connect2AuthNServiceReturningAUserCert",
+                            "test03GetSessionStatus",
+                            "test04ConnectNoCreateServerSess",
+                            "test05DisconnectWithSessID",
+                            "test06DisconnectWithUserCert",
+                            "test07GetAttCertWithSessID",
+                            "test08GetAttCertRefusedWithSessID",
+                            "test09GetMappedAttCertWithSessID",
                             "test10GetAttCertWithExtAttCertListWithSessID",
                             "test11GetAttCertWithUserCert",
+                            "test12GetAttCertFromLocalAAInstance",
                           ))
         unittest.TestSuite.__init__(self, smTestCaseMap)