Changeset 4584


Timestamp:
09/12/08 17:01:44 (11 years ago)
Author:
pjkersha
Message:

Started integration work for common WSGI/SOAP client based interfaces (ndg.security.server.wsgi.utils.sessionmanagerclient and ndg.security.server.wsgi.utils.attributeauthorityclient) with Pylons Single Sign On package (ndg.security.server.sso)

Location:
TI12-security/trunk/python
Files:
9 edited

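--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/attributeauthority.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/attributeauthority.py
@@ -111,5 +111,5 @@
 
         if uri:
-            self.__setURI(uri)
+            self.uri = uri
 
         self.httpProxyHost = httpProxyHost
@@ -135,5 +135,5 @@
 
         # Instantiate Attribute Authority WS proxy
-        if self.__uri:
+        if self.uri:
             self.initService()
 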
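Review bot: `self.uri = uri` at new line 113 only keeps whatever validation `self.__setURI(uri)` performed if `uri` is now a property whose setter wraps that method; the property definition is outside this hunk, so that is worth confirming before the name-mangled setter call is dropped. If `uri` is a plain attribute, the `if self.uri:` guard at new line 137 passes an unchecked value straight into `initService()`. The enclosing `__init__` starts and ends outside the hunk.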
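--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/sessionmanager.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/sessionmanager.py
@@ -77,6 +77,7 @@
                     ac = AttCertParse(ac)
                 elif not isinstance(ac, AttCert):
-                    raise SessionManagerClientError(
-                        "Input external Attribute Cert. must be AttCert type")
+                    raise SessionManagerClientError("Input external Attribute "
+                                                    "Certificate must be "
+                                                    "AttCert type")
 
                 self.__extAttCertList += [ac]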
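--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py
@@ -225,5 +225,8 @@
                 # Default to None if setting is an empty string.  Settings
                 # of '' causes problems for M2Crypto parsing
-                seqFilt[optName] = exVar(optVal) or None
+                if optVal is None:
+                    seqFilt[optName] = optVal
+                else:
+                    seqFilt[optName] = exVar(optVal) or None
 
         if len(badKeys) > 0: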
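Review bot: The new `None` branch at new lines 227-228 is only needed because `exVar` presumably cannot take `None` (if it is `os.path.expandvars`, a non-string raises `TypeError`), yet the comment above it still describes only the empty-string case, so the reason for the branch is not recorded. I'd add `# exVar() needs a string - leave an unset (None) option as it is` above line 227. If the target Python is 2.5 or later, the four lines can also collapse to `seqFilt[optName] = None if optVal is None else (exVar(optVal) or None)`, keeping a single assignment to the key. The enclosing loop starts outside the hunk.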
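--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg
@@ -16,6 +16,7 @@
 
 # Service addresses
-sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager
-attAuthorityURI: http://localhost:5000/AttributeAuthority
+#sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager
+sessionMgrURI: http://localhost:8000/SessionManager
+attAuthorityURI: http://localhost:8000/AttributeAuthority
 
 # WS-Security signature handler - set a config file with 'wssCfgFilePath'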
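Review bot: New line 19 replaces the `https://gabriel.badc.rl.ac.uk/SessionManager` endpoint with plain `http://localhost:8000/SessionManager`, and the https entry survives only as a comment. The Session Manager client in this changeset sends the username and passphrase to this URI (`smClnt.connect(username, passphrase=passphrase)` in login.py), so if this file is deployed as-is those credentials travel in clear text; the same applies to `attAuthorityURI` on line 20 once WS-Security signing is involved. If the localhost entries are for a development setup, I'd say so where they are set, e.g. `# Service addresses - localhost entries are for development only; restore the https endpoints for deployment`, or keep them in a separate development config.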
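--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
@@ -6,7 +6,8 @@
 from ndg.security.common.pylons.security_util import setSecuritySession, \
     SecuritySession, SSOServiceQuery
-from ndg.security.common.attributeauthority import AttributeAuthorityClient
-from ndg.security.common.sessionmanager import SessionManagerClient, SessionExpired, \
-    AttributeRequestDenied
+from ndg.security.server.wsgi.utils.attributeauthorityclient import \
+    WSGIAttributeAuthorityClient
+from ndg.security.server.wsgi.utils.sessionmanagerclient import \
+    WSGISessionManagerClient, SessionExpired, AttributeRequestDenied
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
     HostCheck, InvalidCertSignature, InvalidCertDN
@@ -40,16 +41,15 @@
         # Session is set in this domain - check it
         try:
-            smClnt = SessionManagerClient(uri=session['ndgSec']['h'],
+            smClnt = WSGISessionManagerClient(uri=session['ndgSec']['h'],
                         tracefile=self.cfg.tracefile,
                         httpProxyHost=self.cfg.httpProxyHost,
                         noHttpProxyList=self.cfg.noHttpProxyList,
                         sslCACertFilePathList=self.cfg.sslCACertFilePathList,
-                        **self.cfg.wss)
-
-        except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Initialising SessionManagerClient for " + \
-                      "getSessionStatus call: %s" % e)
+                        **self.cfg.wss)
+        except Exception, e:
+            c.xml = ('Error establishing security context.  Please report '
+                     'the error to your site administrator')
+            log.error("Initialising SessionManagerClient for getSessionStatus "
+                      "call: %s" % e)
             SecuritySession.delete()
             response.status_code = 400
@@ -57,7 +57,9 @@
 
         # Check session status
-        log.debug('Calling Session Manager "%s" getSessionStatus ' % \
-                  session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\
-                  (session['ndgSec']['u'], session['ndgSec']['sid']))
+        log.debug('Calling Session Manager "%s" getSessionStatus %s for user '
+                  '"%s" with sid="%s" ...' %
+                  (session['ndgSec']['h'],
+                   session['ndgSec']['u'],
+                   session['ndgSec']['sid']))
 
         try:
@@ -71,10 +73,10 @@
 
         if bSessOK:
-            log.debug("Session found - redirect back to site requesting " + \
+            log.debug("Session found - redirect back to site requesting "
                       "credentials ...")
             # ... Return across http GET passing security parameters...
             return self._redirect()
         else:
-            log.debug("Session wasn't found - removing security details " + \
+            log.debug("Session wasn't found - removing security details "
                       "from cookie and re-displaying login...")
             SecuritySession.delete()
@@ -92,5 +94,5 @@
 
         try:
-            smClnt = SessionManagerClient(uri=self.cfg.smURI,
+            smClnt = WSGISessionManagerClient(uri=self.cfg.smURI,
                          tracefile=self.cfg.tracefile,
                          httpProxyHost=self.cfg.httpProxyHost,
@@ -102,19 +104,19 @@
 
         except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Login: initialising SessionManagerClient: %s" % e)
+            c.xml = ('Error establishing security context.  Please report '
+                     'the error to your site administrator')
+            log.error("Login: initialising WSGISessionManagerClient: %s" % e)
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
 
         # Connect to Session Manager
-        log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \
+        log.debug('Calling Session Manager "%s" connect for user "%s" ...' %
                   (self.cfg.smURI, username))
         try:
             sessID = smClnt.connect(username, passphrase=passphrase)[-1]
         except Exception, e:
-            c.xml = "Error logging in.  Please check your username/" + \
-                    "pass-phrase and try again.  If the problem persists " + \
-                    "please contact your site administrator."
+            c.xml = ("Error logging in.  Please check your username/"
+                     "pass-phrase and try again.  If the problem persists "
+                     "please contact your site administrator.")
             log.error("Session Manager connect returned: %s" % e)
             response.status_code = 400
@@ -136,6 +138,6 @@
         except AttributeRequestDenied, e:
             log.error("Login: attribute Certificate request denied: %s" % e)
-            c.xml = "No authorisation roles are available for your " + \
-                    "account.  Please check with your site administrator."
+            c.xml = ("No authorisation roles are available for your "
+                    "account.  Please check with your site administrator.")
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
@@ -143,6 +145,6 @@
         except Exception, e:
             log.error("Login: attribute Certificate request: %s" % e)
-            c.xml = "An internal error occured.  Please report this to " + \
-                    "your site administrator."
+            c.xml = ("An internal error occurred.  Please report this to "
+                    "your site administrator.")
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
@@ -200,5 +202,5 @@
 
             # Look-up list of Cert DNs for trusted requestors
-            aaClnt = AttributeAuthorityClient(uri=self.cfg.aaURI,
+            aaClnt = WSGIAttributeAuthorityClient(uri=self.cfg.aaURI,
                                     tracefile=self.cfg.tracefile,
                                     httpProxyHost=self.cfg.httpProxyHost,
@@ -207,9 +209,8 @@
 
             HostInfo = aaClnt.getAllHostsInfo()
-            requestServerDN = [val['loginRequestServerDN'] \
+            requestServerDN = [val['loginRequestServerDN']
                                for val in HostInfo.values()]
-            log.debug(\
-            "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \
-                (self.cfg.aaURI, requestServerDN))
+            log.debug("Attribute Authority [%s] expecting DN for SSL peer "
+                      "one of: %s" % (self.cfg.aaURI, requestServerDN))
 
             hostCheck = HostCheck(acceptedDNs=requestServerDN,
@@ -226,7 +227,9 @@
                 except (InvalidCertSignature, InvalidCertDN), e:
                     log.error("Login: requestor SSL certificate: %s" % e)
-                    c.xml = """Request to redirect back to %s with your 
-credentials refused: there is a problem with the SSL certificate of this site.
-  Please report this to your site administrator.""" % returnToURLHostname
+                    c.xml = ("Request to redirect back to %s with your "
+                             "credentials refused: there is a problem with "
+                             "the SSL certificate of this site.  Please "
+                             "report this to your site administrator." %
+                             returnToURLHostname)
                     response.status_code = 400
                     return render('ndg.security.kid', 'ndg.security.login')
@@ -234,11 +237,11 @@
                 testConnection.close()
 
-            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % \
+            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." %
                                                                 returnToURL)
             # redirect_to doesn't like unicode
             h.redirect_to(str(returnToURL))
         else:
-            log.debug(\
-        "LoginController._redirect: no redirect URL set - render login page")
+            log.debug("LoginController._redirect: no redirect URL set - "
+                      "render login page")
             c.xml='Logged in'
             return render('ndg.security.kid', 'ndg.security.login')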
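Review bot: The `log.debug` format string at new lines 59-60 has four `%s` placeholders (`"%s" getSessionStatus %s for user "%s" with sid="%s"`) but the tuple at lines 61-63 supplies three values, so the `%` operator raises `TypeError: not enough arguments for format string` before `log.debug` is even entered — and because the call sits outside the `try:` at line 65, every session-status check would fail with that error whatever the log level. The stray `%s` after `getSessionStatus` should go: `log.debug('Calling Session Manager "%s" getSessionStatus for user '`. The session id is also written to the debug log on that line, as it was before this change; logging only a prefix of it would limit what a leaked log file exposes. The enclosing method starts and ends outside the hunk.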
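--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py
@@ -102,5 +102,6 @@
 
 
-from ndg.security.common.attributeauthority import AttributeAuthorityClient
+from ndg.security.server.wsgi.utils.attributeauthorityclient import \
+    WSGIAttributeAuthorityClient
 
 def _getTrustedIdPs(g):
@@ -123,9 +124,9 @@
 
     try:
-        aaClnt = AttributeAuthorityClient(uri=cfg.aaURI,
-                                tracefile=cfg.tracefile,
-                                httpProxyHost=cfg.httpProxyHost,
-                                noHttpProxyList=cfg.noHttpProxyList,
-                                **cfg.wss)
+        aaClnt = WSGIAttributeAuthorityClient(uri=cfg.aaURI,
+                                        tracefile=cfg.tracefile,
+                                        httpProxyHost=cfg.httpProxyHost,
+                                        noHttpProxyList=cfg.noHttpProxyList,
+                                        **cfg.wss)
     except Exception, e:
         c.xml='Error establishing security context.  Please report ' + \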
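--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
@@ -15,4 +15,6 @@
 import logging
 log = logging.getLogger(__name__)
+
+from ndg.security.common.attributeauthority import AttributeAuthorityClient
 
 class WSGIAttributeAuthorityClient(object):
@@ -112,9 +114,9 @@
             # from other trusted hosts
             allHostsInfo = self.ref.hostInfo
-            allHostsInfo.update(self.ref.getTrustedHostInfo())
+            allHostsInfo.update(self.ref.getAllHostsInfo())
             return allHostsInfo
         else:
             # Make connection to remote service
-            return self._soapClient.getTrustedHostHostInfo()
+            return self._soapClient.getAllHostsInfo()
 
 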
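Review bot: At new line 116, `allHostsInfo.update(self.ref.getAllHostsInfo())` merges into `self.ref.hostInfo` itself, because the context line above binds `allHostsInfo` to that object rather than to a copy; unless `hostInfo` is a property that returns a fresh dict (its definition is outside this hunk), every call grows the referenced service's own host table. `allHostsInfo = dict(self.ref.hostInfo)` would keep the merge local. It is also worth checking that `getAllHostsInfo()` does not already include this host's entry: the local branch merges `hostInfo` in, while the SOAP branch at new line 120 returns the remote result unchanged, and the two paths should yield the same shape. The enclosing method starts outside the hunk.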
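--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
@@ -23,6 +23,4 @@
     WSGIAttributeAuthorityClient
 
-# Import exception types from Session Manager and Session Manager client to
-# give caller some capability to trap errors
 # Session Manager Authentication interface ...
 from ndg.security.server.sessionmanager import AuthNServiceError, \
@@ -30,6 +28,80 @@
     AuthNServiceInitError, AuthNServiceConfigError
 
-from ndg.security.common.sessionmanager import InvalidSessionManagerClientCtx
-
+# Session Manager SOAP client interface
+from ndg.security.common.sessionmanager import SessionManagerClient
+
+# Import exception types from Session Manager and Session Manager client to
+# give caller some capability to trap errors
+# Session Manager server side exceptions ...
+from ndg.security.server.sessionmanager import SessionManagerError, \
+    UserSessionExpired, UserSessionX509CertNotBeforeTimeError, \
+    InvalidUserSession, CredentialWalletAttributeRequestDenied
+
+from ndg.security.server.sessionmanager import SessionNotFound as \
+    _SrvSessionNotFound
+
+# ... and client side exceptions ...
+from ndg.security.common.sessionmanager import SessionNotFound as \
+    _ClntSessionNotFound
+
+from ndg.security.common.sessionmanager import SessionExpired as \
+    _ClntSessionExpired
+
+from ndg.security.common.sessionmanager import InvalidSession as \
+    _ClntInvalidSession
+
+from ndg.security.common.sessionmanager import AttributeRequestDenied as \
+    _ClntAttributeRequestDenied
+
+from ndg.security.common.sessionmanager import InvalidSessionManagerClientCtx,\
+    SessionManagerClientError, SessionCertTimeError
+
+# Combine Session not found exception classes as raised from server and
+# client side to enable convenient exception handling by a client to this
+# class.  e.g. a call to WSGISessionManager.connect without the need to know
+# whether the wrapper is calling a remote service over the SOAP interface or
+# the service locally via a reference a Session Manager in environ:
+#
+# try:
+#     wsgiClnt.connect(username, passphrase=p)
+# except SessionNotFound, e:
+#     #  do something
+#     raise
+#
+# Rather than having to do:
+#
+# try:
+#     wsgiClnt.connect(username, passphrase=p)
+# except (ndg.security.server.sessionmanager.SessionNotFound,
+#         ndg.security.common.sessionmanager.SessionNotFound), e:
+#     #  do something
+#     raise
+SessionNotFound = (_SrvSessionNotFound, _ClntSessionNotFound)
+
+# Combine client and server session not before time error exceptions to
+# enable easier exception handling for a WSGISessionManagerClient caller.
+# See SessionNotFound.__doc__ for more details of reasoning
+SessionNotBeforeTimeError = (UserSessionX509CertNotBeforeTimeError,
+                             SessionCertTimeError)
+
+# Combine client and server session expired exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning
+SessionExpired = (UserSessionExpired, _ClntSessionExpired)
+
+# Combine client and server invalid session exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning"""
+InvalidSession = (InvalidUserSession, _ClntInvalidSession)
+
+# Combine client and server invalid session exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning
+AttributeRequestDenied = (CredentialWalletAttributeRequestDenied,
+                          _ClntAttributeRequestDenied)
+
+# End of server/client side exception combinations
+
+
 class WSGISessionManagerClientError(Exception):
     """Base class exception for WSGI Session Manager client errors"""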
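Review bot: The comments on the new exception-tuple aliases carry two copy errors: new line 94 ends in a stray `"""`, and the comment at new lines 97-99 for `AttributeRequestDenied` still says "invalid session exceptions", copied from the `InvalidSession` block above it; it should read `# Combine client and server attribute request denied exceptions to enable easier`. The pointers to `SessionNotFound.__doc__` at lines 83, 89, 94 and 99 also lead nowhere useful, since `SessionNotFound` is a plain tuple and its `__doc__` is `tuple.__doc__`; "See the comment above SessionNotFound" says what is meant. It would help callers to add at line 103 that these aliases are tuples, usable in `except` and `isinstance` but not with `raise`, since the names read like classes.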
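--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml
@@ -2,6 +2,6 @@
 <AAmap>
     <thisHost name="Site A">
-        <aaURI>http://localhost:5000/AttributeAuthority</aaURI>
-        <loginURI>https://localhost/login</loginURI>
+        <aaURI>http://localhost:8000/AttributeAuthority</aaURI>
+        <loginURI>https://localhost/sso/login</loginURI>
             <aaDN>/O=NDG/OU=Site A/CN=AttributeAuthority</aaDN>
             <loginServerDN>/C=UK/ST=Oxfordshire/O=STFC/OU=BADC/CN=localhost</loginServerDN>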