Changeset 4527 for TI12-security


Timestamp:
03/12/08 16:15:56 (11 years ago)
Author:
pjkersha
Message:

Updated BaseSignatureHandler and WSSecurityConfig classes to correctly handle config via keywords:

  • keywords can be prefixed to delimit them from other non-WS-Security related options
  • Changed services.ini in Combined Services tests to separate out inbound and message signature handler config into the WSGI verification and signature application filters respectively.
Location:
TI12-security/trunk/python
Files:
5 edited

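--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py
@@ -256,5 +256,13 @@
         log.debug("BaseSignatureHandler.__init__: setting config from "
                   "keywords...")
-        self.cfg.update(kw)
+
+        # Filter keywords if a prefix is set removing any that don't start with
+        # the prefix given
+#        if cfgFilePrefix:
+#            pfxWithDot = cfgFilePrefix+'.'
+#            kw = dict([(k.replace(pfxWithDot, ''), v) for k, v in kw.items()
+#                       if k.startswith(pfxWithDot)])
+#
+        self.cfg.update(kw, prefix=cfgFilePrefix)
 
         # set default value type, if none specified in config file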
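Review bot: The commented-out prefix filtering block added at new lines 261-265 is dead code now that `self.cfg.update(kw, prefix=cfgFilePrefix)` on line 266 delegates the filtering to WSSecurityConfig; drop the five `#` lines and reword the comment above them to `# Keywords are filtered by cfgFilePrefix inside WSSecurityConfig.update`. Keeping a second, disabled copy of the filter invites the two implementations to drift apart. The enclosing `__init__` starts and ends outside the hunk, so whether `cfgFilePrefix` is always bound at this point cannot be checked here.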
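--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py
@@ -12,4 +12,6 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
+import logging
+log = logging.getLogger(__name__)
 
 from ConfigParser import SafeConfigParser
@@ -18,5 +20,8 @@
 from ZSI.wstools.Namespaces import OASIS
 
-class WSSecurityConfigOpNotPermitted(Exception):
+class WSSecurityConfigError(Exception):
+    """Configuration error with WS-Security setting or settings"""
+
+class WSSecurityConfigOpNotPermitted(WSSecurityConfigError):
     "Raise for dict methods not allowed in WSSecurityConfig"
 
@@ -180,10 +185,51 @@
         return key in self._param
 
-    def update(self, seq, *arg):
-        badKeys=[i for i in seq if i not in WSSecurityConfig.propertyDefaults]
-        if badKeys:
-            raise KeyError("Parameter key(s) %s not recognised" % \
-                           ','.join(badKeys))
-        return self._param.update(seq, *arg)
+    def update(self, seq, *arg, **kw):
+
+        # Prefix for option names - optNames = name as they appear in the
+        # config file, self._param are the names used in the code.
+        prefix = kw.pop('prefix', None)
+        if prefix:
+            pfxWithDot = prefix+'.'
+            seqFilt = dict([(k.replace(pfxWithDot, ''), v)
+                            for k, v in seq.items()
+                            if k.startswith(pfxWithDot)])
+        else:
+            seqFilt = seq
+
+        badKeys = []
+        for optName, optVal in seqFilt.items():
+            if optName not in WSSecurityConfig.propertyDefaults:
+                badKeys += [optName]
+
+            elif isinstance(WSSecurityConfig.propertyDefaults[optName], list):
+                if isinstance(optVal, basestring):
+                    # Parse into a list
+                    seqFilt[optName] = exVar(optVal).split()
+                elif isinstance(optVal, list):
+                    seqFilt[optName] = exVar(optVal)
+                else:
+                    raise WSSecurityConfigError("Expecting list type for "
+                                                'option "%s"' % optName)
+            elif isinstance(WSSecurityConfig.propertyDefaults[optName], bool):
+                if isinstance(optVal, basestring):
+                    # Parse into a boolean
+                    seqFilt[optName] = bool(optVal)
+
+                elif isinstance(optVal, bool):
+                    seqFilt[optName] = optVal
+                else:
+                    raise WSSecurityConfigError("Expecting bool type for "
+                                                'option "%s"' % optName)
+            else:
+                # Default to None if setting is an empty string.  Settings
+                # of '' causes problems for M2Crypto parsing
+                seqFilt[optName] = exVar(optVal) or None
+
+        if len(badKeys) > 0:
+            log.warning("Ignoring unrecognised parameter key(s) for update: "
+                        "%s" % ', '.join(badKeys))
+
+        return self._param.update(seqFilt, *arg)
 
     def fromkeys(self, seq):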
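Review bot: `bool(optVal)` in the bool branch of `update` (new lines 215-217) makes every non-empty string True, so a config-file value of `False` for `addTimestamp` or `applySignatureConfirmation` is silently read as enabled; parse the text instead, e.g. `seqFilt[optName] = optVal.strip().lower() in ('true', 'yes', 'on', '1')`, and raise `WSSecurityConfigError` for any other string so a bad value is rejected rather than guessed. The no-prefix branch also aliases the caller's mapping (`seqFilt = seq` on line 198), so the parsed values are written back into the dict the caller passed in; `seqFilt = dict(seq)` keeps the method free of that side effect and still accepts the pair sequences the old `update(self, seq, *arg)` signature took. Unrecognised keys are now only logged at warning level rather than rejected (lines 229-231); with a prefix configured that is workable, but a misspelled security option such as a CA list name now presumably falls back to its default without error, which deserves a line in the method's docstring.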
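--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/soap.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/soap.py
@@ -66,5 +66,9 @@
             # keywords
             self.referencedFilterKeys = \
-                                    self.app_conf['referencedFilters'].split()
+                                self.app_conf.pop('referencedFilters').split()
+
+            # Remove equivalent keyword if present
+            kw.pop('referencedFilters', None)
+
 
     def __call__(self, environ, start_response):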
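Review bot: `self.app_conf.pop('referencedFilters')` on new line 68 removes the option from the application config as a side effect, and the comment on lines 70-71 only explains the companion `kw.pop`; a comment such as `# Consume the option so it is not forwarded to wrapped filters as a keyword` above line 67 would make the intent explicit for the next reader. As before the change, a missing `referencedFilters` key still raises a bare KeyError from this line; if the condition enclosing this block (outside the hunk) does not guard for it, `self.app_conf.pop('referencedFilters', '')` would yield an empty key list instead. The enclosing method starts outside the hunk.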
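--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/wssecurity.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/wssecurity.py
@@ -46,7 +46,13 @@
         wsseCfgFilePrefix = self.app_conf.get('wsseCfgFilePrefix')
 
+        # Where possible remove keywords not applicable to SignatureHandler
+        kw.pop('wsseCfgFilePath', None)
+        kw.pop('wsseCfgFileSection', None)
+        kw.pop('wsseCfgFilePrefix', None)
+
         self.signatureHandler = SignatureHandler(cfg=wsseCfgFilePath,
                                             cfgFileSection=wsseCfgFileSection,
-                                            cfgFilePrefix=wsseCfgFilePrefix)
+                                            cfgFilePrefix=wsseCfgFilePrefix,
+                                            **kw)
 
 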
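Review bot: The three `kw.pop(...)` calls on new lines 49-51 repeat the option names read through `self.app_conf.get(...)` just above (the `wsseCfgFilePrefix` read is on line 46; the other two are presumably directly before the hunk), so a wsseCfg option added to one list but not the other would be forwarded to `SignatureHandler` as if it were a WS-Security setting; a class-level tuple of the option names, iterated for both the reads and the pops, keeps them in step. Note that with `**kw` forwarded and no `wsseCfgFilePrefix` configured, every remaining filter keyword reaches the handler's config, where — per the `WSSecurityConfig.update` change in this changeset — unknown names are only logged rather than rejected; that is worth a sentence in the class docstring, e.g. `Set wsseCfgFilePrefix so that only prefixed keywords are treated as SignatureHandler settings`. The enclosing `__init__` starts outside the hunk.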
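--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
@@ -244,6 +244,11 @@
 
 # Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePath = %(here)s/services.ini
-wsseCfgFileSection = WS-Security
+#wsseCfgFilePath = %(here)s/services.ini
+#wsseCfgFileSection = WS-Security
+wsseCfgFilePrefix = wssecurity
+
+# Verify against known CAs - Provide a space separated list of file paths
+wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
+#wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt
 
 #______________________________________________________________________________
@@ -261,6 +266,31 @@
 
 # Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePath = %(here)s/services.ini
-wsseCfgFileSection = WS-Security
+wsseCfgFilePrefix = wssecurity
+
+# Certificate associated with private key used to sign a message.  The sign
+# method will add this to the BinarySecurityToken element of the WSSE header.
+wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
+#wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt
+
+# PEM encoded private key file
+wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
+#wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  See __setReqBinSecTokValType method and binSecTokValType
+# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
+# give full namespace to alternative - see
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
+# binSecTokValType determines whether signingCert or signingCertChain
+# attributes will be used.
+wssecurity.reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+wssecurity.addTimestamp=True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature
+# value sent by client
+wssecurity.applySignatureConfirmation=True
 
 #______________________________________________________________________________
@@ -305,47 +335,4 @@
 paste.filter_app_factory=beaker.middleware:SessionMiddleware
 
-#______________________________________________________________________________
-# Common WS-Security settings for wsseSignatureFilter and
-# wsseSignatureVerificationFilter
-[WS-Security]
-#
-# OUTBOUND MESSAGE CONFIG
-
-# Signature of an outbound message
-
-# Certificate associated with private key used to sign a message.  The sign
-# method will add this to the BinarySecurityToken element of the WSSE header.
-signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
-#signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt
-
-# PEM encoded private key file
-signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
-#signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key
-
-# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
-# signed message.  See __setReqBinSecTokValType method and binSecTokValType
-# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
-# give full namespace to alternative - see
-# ZSI.wstools.Namespaces.OASIS.X509TOKEN
-#
-# binSecTokValType determines whether signingCert or signingCertChain
-# attributes will be used.
-reqBinSecTokValType=X509v3
-
-# Add a timestamp element to an outbound message
-addTimestamp=True
-
-# For WSSE 1.1 - service returns signature confirmation containing signature
-# value sent by client
-applySignatureConfirmation=True
-
-#
-# INBOUND MESSAGE CONFIG
-
-# Provide a space separated list of file paths
-caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
-#caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt
-
-
 # Logging configuration
 [loggers]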
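Review bot: The verification-filter section (first hunk, new lines 246-247) keeps `wsseCfgFilePath` and `wsseCfgFileSection` as commented-out settings while the signature-filter section (second hunk) drops them outright; since the `[WS-Security]` section they pointed at is deleted in the third hunk, the two commented lines now name a section that no longer exists in this file and should go as well. A comment next to each `wsseCfgFilePrefix = wssecurity` line, e.g. `# Options carrying this prefix are passed to the SignatureHandler as its settings`, would also record how the prefixed keywords relate to the config-file route they replace here, which the file otherwise leaves implicit.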