Changeset 4480 for TI12-security


Timestamp:
21/11/08 12:47:38 (11 years ago)
Author:
pjkersha
Message:

Combined Services tests:

  • added capability for Session Manager to call a local Attribute Authority in the WSGI stack of the same Paste instance
  • SOAP client can specify that the Session Manager call a local Attribute Authority by setting AttAuthorityURI to nil in the web service call.
Location:
TI12-security/trunk/python
Files:
10 edited

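--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
@@ -1037,5 +1037,5 @@
         # Attribute Certificate based on the DN of the user certificate
         if self.userX509Cert:
-            userId = None
+            userId = str(self.userX509Cert.dn)
         else:
             userId = self.userId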
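--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/sessionmanager.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/sessionmanager.py
@@ -447,5 +447,4 @@
                    sessID=None,
                    attAuthorityURI=None,
-                   attAuthorityCert=None,
                    reqRole=None,
                    mapFromTrustedHosts=True,
@@ -479,8 +478,4 @@
         @param attAuthorityURI: URI for Attribute Authority WS.
 
-        @type attAuthorityCert: string
-        @param attAuthorityCert: The Session Manager uses the Public key of
-        the Attribute Authority to encrypt requests to it.
-
         @type reqRole: string
         @param reqRole: The required role for access to a data set.  This
@@ -518,5 +513,4 @@
                                                           sessID,
                                                           attAuthorityURI,
-                                                          attAuthorityCert,
                                                           reqRole,
                                                           mapFromTrustedHosts,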
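Review bot: Dropping `attAuthorityCert` from the middle of getAttCert's positional parameter list silently shifts the arguments of any caller that passed them positionally — a caller written against r4437 now has its `attAuthorityCert` value land in `reqRole`, its `reqRole` in `mapFromTrustedHosts`, and so on, with no error. If compatibility matters, keep `attAuthorityCert=None` as an ignored trailing keyword for a release and note the removal in the docstring. The `attAuthorityURI` documentation at 479 should also describe the behaviour the commit message introduces, e.g. `@param attAuthorityURI: URI for Attribute Authority WS.  Omit (None) to have the Session Manager use an Attribute Authority running in its own WSGI stack.` The removed parameter's documentation said the Attribute Authority's public key was used to encrypt requests to it; the commit does not say what, if anything, replaces that protection, which is worth stating in the message or docstring. getAttCert starts and ends outside these hunks.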
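--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/SessionManager_services.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/SessionManager_services.py
@@ -29,6 +29,6 @@
         # no ws-addressing
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84b8d6c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84b8b0c>
     def getSessionStatus(self, userDN,sessID):
 
@@ -44,6 +44,6 @@
         return isAlive
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84bf08c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84b8e0c>
     def connect(self, username,passphrase,createServerSess):
 
@@ -63,6 +63,6 @@
         return userX509Cert,userPriKey,issuingCert,sessID
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84bfc4c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84c09ac>
     def disconnect(self, userX509Cert,sessID):
 
@@ -77,6 +77,6 @@
         return
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84bfdec>
-    def getAttCert(self, userX509Cert,sessID,attAuthorityURI,attAuthorityCert,reqRole,mapFromTrustedHosts,rtnExtAttCertList,extAttCert,extTrustedHost):
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x84c0b4c>
+    def getAttCert(self, userX509Cert,sessID,attAuthorityURI,reqRole,mapFromTrustedHosts,rtnExtAttCertList,extAttCert,extTrustedHost):
 
         request = getAttCertInputMsg()
@@ -84,5 +84,4 @@
         request._sessID = sessID
         request._attAuthorityURI = attAuthorityURI
-        request._attAuthorityCert = attAuthorityCert
         request._reqRole = reqRole
         request._mapFromTrustedHosts = mapFromTrustedHosts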
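--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/SessionManager_services_types.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/SessionManager_services_types.py
@@ -149,6 +149,6 @@
         def __init__(self, **kw):
             ns = ns0.getAttCert_Dec.schema
-            TClist = [ZSI.TC.String(pname="userX509Cert", aname="_userX509Cert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="attAuthorityURI", aname="_attAuthorityURI", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="attAuthorityCert", aname="_attAuthorityCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="reqRole", aname="_reqRole", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.Boolean(pname="mapFromTrustedHosts", aname="_mapFromTrustedHosts", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.Boolean(pname="rtnExtAttCertList", aname="_rtnExtAttCertList", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="extAttCert", aname="_extAttCert", minOccurs=0, maxOccurs="unbounded", nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="extTrustedHost", aname="_extTrustedHost", minOccurs=0, maxOccurs="unbounded", nillable=False, typed=False, encoded=kw.get("encoded"))]
+            TClist = [ZSI.TC.String(pname="userX509Cert", aname="_userX509Cert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="attAuthorityURI", aname="_attAuthorityURI", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="reqRole", aname="_reqRole", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.Boolean(pname="mapFromTrustedHosts", aname="_mapFromTrustedHosts", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.Boolean(pname="rtnExtAttCertList", aname="_rtnExtAttCertList", minOccurs=1, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="extAttCert", aname="_extAttCert", minOccurs=0, maxOccurs="unbounded", nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="extTrustedHost", aname="_extTrustedHost", minOccurs=0, maxOccurs="unbounded", nillable=False, typed=False, encoded=kw.get("encoded"))]
             kw["pname"] = ("urn:ndg:security:SessionManager","getAttCert")
             kw["aname"] = "_getAttCert"
@@ -162,5 +162,4 @@
                     self._sessID = None
                     self._attAuthorityURI = None
-                    self._attAuthorityCert = None
                     self._reqRole = None
                     self._mapFromTrustedHosts = None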
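--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/sessionmanager.wsdl
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/zsi/sessionmanager/sessionmanager.wsdl
@@ -69,5 +69,4 @@
                     <xsd:element name="sessID" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="attAuthorityURI" type="xsd:string" minOccurs="0" maxOccurs="1"/>
-                    <xsd:element name="attAuthorityCert" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="reqRole" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="mapFromTrustedHosts" type="xsd:boolean" minOccurs="1" maxOccurs="1"/>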
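--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/soap.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/soap.py
@@ -79,4 +79,16 @@
 
     def _initCall(self, environ, start_response):
+        '''Sub-divided out from __call__ to enable derived classes to easily
+        include this functionality:
+         - Set a reference to this WSGI filter in environ if filterID was
+        set in the config and
+         - check the request to see if this filter should handle it
+        '''
+
+        # Add any filter references for this WSGI component regardless of the
+        # current request ID.  This ensures that other WSGI components called
+        # may reference it if they need to.
+        self.addFilter2Environ(environ)
+
         # Apply filter for calls
         if not self.isSOAPMessage(environ):
@@ -104,6 +116,4 @@
             self.setSOAPWriter(environ, sw)
             return self.writeResponse(environ, start_response)
-
-        self.addFilter2Environ(environ)
 
         # Return None to __call__ to indicate that it can proceed with
@@ -290,8 +300,11 @@
             # e.g. check output from signature verification filter
             if hasattr(self, 'referencedFilterKeys'):
-                self.serviceSOAPBinding.referencedWSGIFilters = \
-                                    dict([(i, environ[i]) \
+                try:
+                    self.serviceSOAPBinding.referencedWSGIFilters = \
+                                    dict([(i, environ[i])
                                           for i in self.referencedFilterKeys])
-
+                except KeyError:
+                    raise SOAPMiddlewareConfigError('No filter ID "%s" found '
+                                                    'in environ' % i)
             ps = self.parseRequest(environ)
 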
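Review bot: The new `except KeyError:` handler at 306-308 formats its message with `i`, which is only bound because a Python 2 list comprehension leaks its loop variable into the enclosing scope; it names the failing key by accident, and would be a NameError under Python 3 or if the comprehension were turned into a generator expression. Take the key from the exception instead: `except KeyError, e:` / `raise SOAPMiddlewareConfigError('No filter ID %s found in environ' % e)`, matching the `except AttributeError, e` form used elsewhere in this commit. The first hunk moves `self.addFilter2Environ(environ)` ahead of the `isSOAPMessage` test so the reference is set for every request, which the new docstring at 81-86 explains adequately. The method containing the third hunk starts and ends outside it.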
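--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/SessionManager_services_server.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/SessionManager_services_server.py
@@ -72,6 +72,5 @@
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userX509Cert\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"sessID\" type=\"xsd:string\"/>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"attAuthorityURI\" type=\"xsd:string\"/>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"attAuthorityCert\" type=\"xsd:string\"/>
+                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"attAuthorityURI\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"reqRole\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"mapFromTrustedHosts\" type=\"xsd:boolean\"/>
@@ -270,9 +269,9 @@
     def soap_getAttCert(self, ps):
         self.request = ps.Parse(getAttCertInputMsg.typecode)
-        parameters = (self.request._userX509Cert, self.request._sessID, self.request._attAuthorityURI, self.request._attAuthorityCert, self.request._reqRole, self.request._mapFromTrustedHosts, self.request._rtnExtAttCertList, self.request._extAttCert, self.request._extTrustedHost)
-
-        # If we have an implementation object use it
-        if hasattr(self,'impl'):
-            parameters = self.impl.getAttCert(parameters[0],parameters[1],parameters[2],parameters[3],parameters[4],parameters[5],parameters[6],parameters[7],parameters[8])
+        parameters = (self.request._userX509Cert, self.request._sessID, self.request._attAuthorityURI, self.request._reqRole, self.request._mapFromTrustedHosts, self.request._rtnExtAttCertList, self.request._extAttCert, self.request._extTrustedHost)
+
+        # If we have an implementation object use it
+        if hasattr(self,'impl'):
+            parameters = self.impl.getAttCert(parameters[0],parameters[1],parameters[2],parameters[3],parameters[4],parameters[5],parameters[6],parameters[7])
 
         result = getAttCertOutputMsg()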
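--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/__init__.py
@@ -28,5 +28,8 @@
 from ndg.security.common.X509 import X509Cert, X509CertRead
 
-
+class SessionManagerWSConfigError(Exception):
+    '''Raise for errors related to the Session Manager Web Service
+    configuration'''
+
 class SessionManagerWS(_SessionManagerService):
     '''Session Manager ZSI SOAP Service Binding class'''
@@ -40,5 +43,9 @@
             import pdb
             pdb.set_trace()
-
+
+        # Extract local Attribute Authority environ identifier
+        self.attributeAuthorityFilterID = kw.pop('attributeAuthorityFilterID',
+                                                None)
+
         # Initialise Attribute Authority class - property file will be
         # picked up from default location under $NDG_DIR directory
@@ -89,5 +96,61 @@
         sessID = request.SessID or None
 
-        # Derive designated holder cert differently according to whether
+        # Derive designated holder X.509 cert differently according to whether
+        # a signed message is expected from the client - NB, this is dependent
+        # on whether a reference to the signature filter was set in the
+        # environment
+        signatureFilter = \
+            self.referencedWSGIFilters.get('wsseSignatureVerificationFilter01')
+        if signatureFilter is not None:
+            # Get certificate corresponding to private key that signed the
+            # message - i.e. the user's certificate
+            userX509Cert = signatureFilter.signatureHandler.verifyingCert
+        else:
+            # No signature from client - they must instead provide the
+            # designated holder cert via the UserX509Cert input
+            userX509Cert = request.UserX509Cert
+
+        self.sm.deleteUserSession(sessID=sessID, userX509Cert=userX509Cert)
+        return response
+
+
+    def soap_getSessionStatus(self, ps, **kw):
+        '''Check for existence of a session with given session ID or user
+        Distinguished Name
+
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+
+        if self.__debug:
+            import pdb
+            pdb.set_trace()
+
+        request = ps.Parse(getSessionStatusInputMsg.typecode)
+        response = _SessionManagerService.soap_getSessionStatus(self, ps)
+
+        response.IsAlive = self.sm.getSessionStatus(userDN=request.UserDN,
+                                                    sessID=request.SessID)
+
+        return response
+
+
+    def soap_getAttCert(self, ps, **kw):
+        '''Get Attribute Certificate from a given Attribute Authority
+        and cache it in user's Credential Wallet
+
+        @type ps: ZSI ParsedSoap
+        @param ps: client SOAP message
+        @rtype: tuple
+        @return: request and response objects'''
+        if self.__debug:
+            import pdb
+            pdb.set_trace()
+
+        request = ps.Parse(getAttCertInputMsg.typecode)
+        response = _SessionManagerService.soap_getAttCert(self, ps)
+
+        # Derive designated holder X.509 cert. differently according to whether
         # a signed message is expected from the client - NB, this is dependent
         # on whether a reference to the signature filter was set in the
@@ -103,67 +166,28 @@
             # designated holder cert via the UserX509Cert input
             userX509Cert = request.UserX509Cert
-        self.sm.deleteUserSession(sessID=sessID, userX509Cert=userX509Cert)
-        return response
-
-
-    def soap_getSessionStatus(self, ps, **kw):
-        '''Check for existence of a session with given session ID or user
-        Distinguished Name
-
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: tuple
-        @return: request and response objects'''
-
-        if self.__debug:
-            import pdb
-            pdb.set_trace()
-
-        request = ps.Parse(getSessionStatusInputMsg.typecode)
-        response = _SessionManagerService.soap_getSessionStatus(self, ps)
-
-        response.IsAlive = self.sm.getSessionStatus(userDN=request.UserDN,
-                                                    sessID=request.SessID)
-
-        return response
-
-
-    def soap_getAttCert(self, ps, **kw):
-        '''Get Attribute Certificate from a given Attribute Authority
-        and cache it in user's Credential Wallet
-
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: tuple
-        @return: request and response objects'''
-        if self.__debug:
-            import pdb
-            pdb.set_trace()
-
-        request = ps.Parse(getAttCertInputMsg.typecode)
-        response = _SessionManagerService.soap_getAttCert(self, ps)
-
-        # Derive designated holder cert differently according to whether
-        # a signed message is expected from the client - NB, this is dependent
-        # on whether a reference to the signature filter was set in the
-        # environment
-        signatureFilter = \
-            self.referencedWSGIFilters.get('wsseSignatureVerificationFilter01')
-        if signatureFilter is not None:
-            # Get certificate corresponding to private key that signed the
-            # message - i.e. the user's proxy
-            userX509Cert = signatureFilter.signatureHandler.verifyingCert
+
+        # If no Attribute Authority URI is set pick up local Attribute
+        # instance Authority
+        if request.AttAuthorityURI is None:
+            attributeAuthorityFilter = \
+                self.referencedWSGIFilters.get(self.attributeAuthorityFilterID)
+
+            try:
+                attributeAuthority = \
+                    attributeAuthorityFilter.serviceSOAPBinding.aa
+            except AttributeError, e:
+                raise SessionManagerWSConfigError("No Attribute Authority URI "
+                        "was input and no Attribute Authority instance "
+                        "reference set in environ: %s" % e)
         else:
-            # No signature from client - they must instead provide the
-            # designated holder cert via the UserX509Cert input
-            userX509Cert = request.UserX509Cert
-
-
-        # Cert used in signature is prefered over userX509Cert input element -
-        # userX509Cert may have been omitted.
+            attributeAuthority = None
+
+        # X.509 Cert used in signature is preferred over userX509Cert input
+        # element - userX509Cert may have been omitted.
         result = self.sm.getAttCert(
                             userX509Cert=userX509Cert or request.UserX509Cert,
                             sessID=request.SessID,
                             attributeAuthorityURI=request.AttAuthorityURI,
+                            attributeAuthority=attributeAuthority,
                             reqRole=request.ReqRole,
                             mapFromTrustedHosts=request.MapFromTrustedHosts,
@@ -171,5 +195,4 @@
                             extAttCertList=request.ExtAttCert,
                             extTrustedHostList=request.ExtTrustedHost)
-
         if result[0]:
             response.AttCert = result[0].toString()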
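Review bot: The local Attribute Authority branch at 171 is taken only when `request.AttAuthorityURI is None`, which in practice means the element was omitted — the generated typecode initialises `_attAuthorityURI` to None and declares the element `nillable=False`, so a client that literally sends xsi:nil as the commit message suggests is likely to be rejected by the parser, and a client that sends an empty string gets `''` passed on to `self.sm.getAttCert` as a URI; `if not request.AttAuthorityURI:` would cover both, and the soap_getAttCert docstring should say "omit AttAuthorityURI" rather than "set it to nil". When the branch is taken, `attributeAuthorityFilter.serviceSOAPBinding.aa` is handed to `self.sm.getAttCert` as an in-process object, so that request never passes through the Attribute Authority's SOAP endpoint or the WSGI filters configured in front of it (services.ini places `wsseSignatureVerificationFilter` ahead of `AttributeAuthorityFilter`); it is worth confirming that `self.sm.getAttCert` applies the same holder and issuer validation on the in-process path as on the remote one, and documenting on soap_getAttCert that the local call bypasses those filters. The comment at 169-170 has its words transposed; `# If no Attribute Authority URI is set, use the Attribute Authority instance running in this WSGI stack` reads correctly. Most of the lines the diff shows as added in the third hunk are the existing soap_getSessionStatus and soap_getAttCert bodies re-emitted after the re-alignment, not new code.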
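--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
@@ -152,5 +152,5 @@
 # Chain of SOAP Middleware filters
 [pipeline:main]
-pipeline = wsseSignatureVerificationFilter SessionManagerFilter AttributeAuthorityFilter wsseSignatureFilter mainApp
+pipeline = wsseSignatureVerificationFilter AttributeAuthorityFilter SessionManagerFilter wsseSignatureFilter mainApp
 
 
@@ -165,4 +165,5 @@
 enableWSDLQuery = True
 charset = utf-8
+filterID = attributeAuthorityFilter
 
 [filter:SessionManagerFilter]
@@ -172,5 +173,6 @@
 SessionManager.propPrefix = sessionManager
 SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
-referencedFilters = wsseSignatureVerificationFilter01
+SessionManager.attributeAuthorityFilterID = attributeAuthorityFilter
+referencedFilters = wsseSignatureVerificationFilter01 attributeAuthorityFilter
 path = /SessionManager
 enableWSDLQuery = True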
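Review bot: The pipeline reorder at 154 and the new `filterID` / `referencedFilters` entries are coupled — the Session Manager resolves the Attribute Authority through its filter ID in environ, so AttributeAuthorityFilter has to run before SessionManagerFilter — but nothing in the file records that constraint, and a later edit that restores the old order would fail only at request time. Add a comment above the pipeline line, `# AttributeAuthorityFilter must precede SessionManagerFilter: the Session Manager looks the Attribute Authority up via its filterID reference in environ`. The `filterID = attributeAuthorityFilter` at 167 sits in a section whose header is outside the hunk — presumably the AttributeAuthorityFilter section — and its value has to match both `SessionManager.attributeAuthorityFilterID` and the entry in `referencedFilters` at 175-176; a one-line comment next to it saying so would save the next person a debugging session.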
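--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/test_combinedservices.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/test_combinedservices.py
@@ -253,5 +253,17 @@
 
         print("Attribute Certificate:\n%s" % attCert)
-
+
+
+    def test08GetAttCertFromLocalAttributeAuthority(self):
+        """test08GetAttCertFromLocalAttributeAuthority: query the Attribute
+        Authority running in the same server instance as the Session Manager"""
+
+        print "\n\t" + self.test08GetAttCertFromLocalAttributeAuthority.__doc__
+        self.test01Connect()
+
+        attCert = self.clnt.getAttCert(sessID=self.sessID)
+
+        print "Attribute Certificate:\n%s" % attCert
+
 
 class CombinedServicesTestSuite(unittest.TestSuite):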
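Review bot: test08GetAttCertFromLocalAttributeAuthority only prints the returned certificate, so it passes even when `getAttCert` returns None or an empty string; add `self.assert_(attCert, "No Attribute Certificate returned from local Attribute Authority")` after the call at 264. Nothing in the test says that omitting `attAuthorityURI` is what exercises the new local path; a comment above the call, `# No attAuthorityURI: the Session Manager must use the Attribute Authority in its own WSGI stack`, would make the intent visible. The new lines use the `print` statement while the surrounding test at 254 uses the `print()` form; pick one for the file.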