Changeset 4584 for TI12-security/trunk/python

Timestamp:

09/12/08 17:01:44 (12 years ago)

Author:

pjkersha

Message:

Started integration work for common WSGI/SOAP client based interfaces (ndg.security.server.wsgi.utils.sessionmanagerclient and ndg.security.server.wsgi.utils.attributeauthorityclient) with Pylons Single Sign On package (ndg.security.server.sso)

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/attributeauthority.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/sessionmanager.py (modified) (1 diff)
• ndg.security.common/ndg/security/common/wssecurity/__init__.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso.cfg (modified) (1 diff)
• ndg.security.server/ndg/security/server/sso/sso/controllers/login.py (modified) (12 diffs)
• ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml (modified) (1 diff)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/attributeauthority.py

@@ -111 +111 @@
         
         if uri:
-            self.__setURI(uri)
+            self.uri = uri
 
         self.httpProxyHost = httpProxyHost
@@ -135 +135 @@
         
         # Instantiate Attribute Authority WS proxy
-        if self.__uri:
+        if self.uri:
             self.initService()
         

TI12-security/trunk/python/ndg.security.common/ndg/security/common/sessionmanager.py

@@ -77 +77 @@
                     ac = AttCertParse(ac)
                 elif not isinstance(ac, AttCert):
-                    raise SessionManagerClientError(
-                        "Input external Attribute Cert. must be AttCert type")
+                    raise SessionManagerClientError("Input external Attribute "
+                                                    "Certificate must be "
+                                                    "AttCert type")
                          
                 self.__extAttCertList += [ac]

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py

@@ -225 +225 @@
                 # Default to None if setting is an empty string.  Settings
                 # of '' causes problems for M2Crypto parsing
-                seqFilt[optName] = exVar(optVal) or None
+                if optVal is None:
+                    seqFilt[optName] = optVal
+                else:
+                    seqFilt[optName] = exVar(optVal) or None
                 
         if len(badKeys) > 0:

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg

@@ -16 +16 @@
 
 # Service addresses
-sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager
-attAuthorityURI: http://localhost:5000/AttributeAuthority
+#sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager
+sessionMgrURI: http://localhost:8000/SessionManager
+attAuthorityURI: http://localhost:8000/AttributeAuthority
 
 # WS-Security signature handler - set a config file with 'wssCfgFilePath'

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -6 +6 @@
 from ndg.security.common.pylons.security_util import setSecuritySession, \
     SecuritySession, SSOServiceQuery
-from ndg.security.common.attributeauthority import AttributeAuthorityClient
-from ndg.security.common.sessionmanager import SessionManagerClient, SessionExpired, \
-    AttributeRequestDenied
+from ndg.security.server.wsgi.utils.attributeauthorityclient import \
+    WSGIAttributeAuthorityClient
+from ndg.security.server.wsgi.utils.sessionmanagerclient import \
+    WSGISessionManagerClient, SessionExpired, AttributeRequestDenied
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
     HostCheck, InvalidCertSignature, InvalidCertDN
@@ -40 +41 @@
         # Session is set in this domain - check it 
         try:    
-            smClnt = SessionManagerClient(uri=session['ndgSec']['h'],
+            smClnt = WSGISessionManagerClient(uri=session['ndgSec']['h'],
                         tracefile=self.cfg.tracefile,
                         httpProxyHost=self.cfg.httpProxyHost,
                         noHttpProxyList=self.cfg.noHttpProxyList,
                         sslCACertFilePathList=self.cfg.sslCACertFilePathList,
-                        **self.cfg.wss)
-                                
-        except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Initialising SessionManagerClient for " + \
-                      "getSessionStatus call: %s" % e)
+                        **self.cfg.wss)                                
+        except Exception, e:
+            c.xml = ('Error establishing security context.  Please report '
+                     'the error to your site administrator')
+            log.error("Initialising SessionManagerClient for getSessionStatus "
+                      "call: %s" % e)
             SecuritySession.delete()
             response.status_code = 400
@@ -57 +57 @@
         
         # Check session status
-        log.debug('Calling Session Manager "%s" getSessionStatus ' % \
-                  session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\
-                  (session['ndgSec']['u'], session['ndgSec']['sid']))
+        log.debug('Calling Session Manager "%s" getSessionStatus %s for user '
+                  '"%s" with sid="%s" ...' %
+                  (session['ndgSec']['h'], 
+                   session['ndgSec']['u'], 
+                   session['ndgSec']['sid']))
 
         try:
@@ -71 +73 @@
    
         if bSessOK:
-            log.debug("Session found - redirect back to site requesting " + \
+            log.debug("Session found - redirect back to site requesting "
                       "credentials ...")
             # ... Return across http GET passing security parameters...
             return self._redirect()
         else:
-            log.debug("Session wasn't found - removing security details " + \
+            log.debug("Session wasn't found - removing security details "
                       "from cookie and re-displaying login...")
             SecuritySession.delete()
@@ -92 +94 @@
         
         try:    
-            smClnt = SessionManagerClient(uri=self.cfg.smURI,
+            smClnt = WSGISessionManagerClient(uri=self.cfg.smURI,
                          tracefile=self.cfg.tracefile,
                          httpProxyHost=self.cfg.httpProxyHost,
@@ -102 +104 @@
                                 
         except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Login: initialising SessionManagerClient: %s" % e)
+            c.xml = ('Error establishing security context.  Please report '
+                     'the error to your site administrator')
+            log.error("Login: initialising WSGISessionManagerClient: %s" % e)
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
         
         # Connect to Session Manager
-        log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \
+        log.debug('Calling Session Manager "%s" connect for user "%s" ...' %
                   (self.cfg.smURI, username))
         try:
             sessID = smClnt.connect(username, passphrase=passphrase)[-1]
         except Exception, e:
-            c.xml = "Error logging in.  Please check your username/" + \
-                    "pass-phrase and try again.  If the problem persists " + \
-                    "please contact your site administrator."
+            c.xml = ("Error logging in.  Please check your username/"
+                     "pass-phrase and try again.  If the problem persists "
+                     "please contact your site administrator.")
             log.error("Session Manager connect returned: %s" % e)
             response.status_code = 400
@@ -136 +138 @@
         except AttributeRequestDenied, e:
             log.error("Login: attribute Certificate request denied: %s" % e)
-            c.xml = "No authorisation roles are available for your " + \
-                    "account.  Please check with your site administrator."
+            c.xml = ("No authorisation roles are available for your "
+                    "account.  Please check with your site administrator.")
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
@@ -143 +145 @@
         except Exception, e:
             log.error("Login: attribute Certificate request: %s" % e)
-            c.xml = "An internal error occured.  Please report this to " + \
-                    "your site administrator."
+            c.xml = ("An internal error occurred.  Please report this to "
+                    "your site administrator.")
             response.status_code = 400
             return render('ndg.security.kid', 'ndg.security.login')
@@ -200 +202 @@
             
             # Look-up list of Cert DNs for trusted requestors
-            aaClnt = AttributeAuthorityClient(uri=self.cfg.aaURI,
+            aaClnt = WSGIAttributeAuthorityClient(uri=self.cfg.aaURI,
                                     tracefile=self.cfg.tracefile,
                                     httpProxyHost=self.cfg.httpProxyHost,
@@ -207 +209 @@
             
             HostInfo = aaClnt.getAllHostsInfo()
-            requestServerDN = [val['loginRequestServerDN'] \
+            requestServerDN = [val['loginRequestServerDN']
                                for val in HostInfo.values()]
-            log.debug(\
-            "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \
-                (self.cfg.aaURI, requestServerDN))
+            log.debug("Attribute Authority [%s] expecting DN for SSL peer "
+                      "one of: %s" % (self.cfg.aaURI, requestServerDN))
             
             hostCheck = HostCheck(acceptedDNs=requestServerDN,
@@ -226 +227 @@
                 except (InvalidCertSignature, InvalidCertDN), e:
                     log.error("Login: requestor SSL certificate: %s" % e)
-                    c.xml = """Request to redirect back to %s with your 
-credentials refused: there is a problem with the SSL certificate of this site.
-  Please report this to your site administrator.""" % returnToURLHostname
+                    c.xml = ("Request to redirect back to %s with your "
+                             "credentials refused: there is a problem with "
+                             "the SSL certificate of this site.  Please "
+                             "report this to your site administrator." % 
+                             returnToURLHostname)
                     response.status_code = 400
                     return render('ndg.security.kid', 'ndg.security.login')
@@ -234 +237 @@
                 testConnection.close()
 
-            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % \
+            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." %
                                                                 returnToURL)
             # redirect_to doesn't like unicode
             h.redirect_to(str(returnToURL))
         else:
-            log.debug(\
-        "LoginController._redirect: no redirect URL set - render login page")
+            log.debug("LoginController._redirect: no redirect URL set - "
+                      "render login page")
             c.xml='Logged in'
             return render('ndg.security.kid', 'ndg.security.login')

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py

@@ -102 +102 @@
 
 
-from ndg.security.common.attributeauthority import AttributeAuthorityClient
+from ndg.security.server.wsgi.utils.attributeauthorityclient import \
+    WSGIAttributeAuthorityClient
 
 def _getTrustedIdPs(g):
@@ -123 +124 @@
     
     try:
-        aaClnt = AttributeAuthorityClient(uri=cfg.aaURI,
-                                tracefile=cfg.tracefile,
-                                httpProxyHost=cfg.httpProxyHost,
-                                noHttpProxyList=cfg.noHttpProxyList,
-                                **cfg.wss)
+        aaClnt = WSGIAttributeAuthorityClient(uri=cfg.aaURI,
+                                        tracefile=cfg.tracefile,
+                                        httpProxyHost=cfg.httpProxyHost,
+                                        noHttpProxyList=cfg.noHttpProxyList,
+                                        **cfg.wss)
     except Exception, e:
         c.xml='Error establishing security context.  Please report ' + \

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py

@@ -15 +15 @@
 import logging
 log = logging.getLogger(__name__)
+
+from ndg.security.common.attributeauthority import AttributeAuthorityClient
 
 class WSGIAttributeAuthorityClient(object):
@@ -112 +114 @@
             # from other trusted hosts
             allHostsInfo = self.ref.hostInfo
-            allHostsInfo.update(self.ref.getTrustedHostInfo())
+            allHostsInfo.update(self.ref.getAllHostsInfo())
             return allHostsInfo
         else:
             # Make connection to remote service
-            return self._soapClient.getTrustedHostHostInfo()
+            return self._soapClient.getAllHostsInfo()
 
 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py

@@ -23 +23 @@
     WSGIAttributeAuthorityClient
 
-# Import exception types from Session Manager and Session Manager client to
-# give caller some capability to trap errors
 # Session Manager Authentication interface ...
 from ndg.security.server.sessionmanager import AuthNServiceError, \
@@ -30 +28 @@
     AuthNServiceInitError, AuthNServiceConfigError
 
-from ndg.security.common.sessionmanager import InvalidSessionManagerClientCtx
-
+# Session Manager SOAP client interface
+from ndg.security.common.sessionmanager import SessionManagerClient
+    
+# Import exception types from Session Manager and Session Manager client to
+# give caller some capability to trap errors
+# Session Manager server side exceptions ...
+from ndg.security.server.sessionmanager import SessionManagerError, \
+    UserSessionExpired, UserSessionX509CertNotBeforeTimeError, \
+    InvalidUserSession, CredentialWalletAttributeRequestDenied
+    
+from ndg.security.server.sessionmanager import SessionNotFound as \
+    _SrvSessionNotFound
+
+# ... and client side exceptions ...
+from ndg.security.common.sessionmanager import SessionNotFound as \
+    _ClntSessionNotFound
+
+from ndg.security.common.sessionmanager import SessionExpired as \
+    _ClntSessionExpired
+
+from ndg.security.common.sessionmanager import InvalidSession as \
+    _ClntInvalidSession
+  
+from ndg.security.common.sessionmanager import AttributeRequestDenied as \
+    _ClntAttributeRequestDenied
+     
+from ndg.security.common.sessionmanager import InvalidSessionManagerClientCtx,\
+    SessionManagerClientError, SessionCertTimeError
+
+# Combine Session not found exception classes as raised from server and
+# client side to enable convenient exception handling by a client to this
+# class.  e.g. a call to WSGISessionManager.connect without the need to know 
+# whether the wrapper is calling a remote service over the SOAP interface or
+# the service locally via a reference a Session Manager in environ:
+# 
+# try:
+#     wsgiClnt.connect(username, passphrase=p)
+# except SessionNotFound, e:
+#     #  do something
+#     raise
+#     
+# Rather than having to do:
+# 
+# try:
+#     wsgiClnt.connect(username, passphrase=p)
+# except (ndg.security.server.sessionmanager.SessionNotFound,
+#         ndg.security.common.sessionmanager.SessionNotFound), e:
+#     #  do something
+#     raise
+SessionNotFound = (_SrvSessionNotFound, _ClntSessionNotFound)
+
+# Combine client and server session not before time error exceptions to 
+# enable easier exception handling for a WSGISessionManagerClient caller.  
+# See SessionNotFound.__doc__ for more details of reasoning
+SessionNotBeforeTimeError = (UserSessionX509CertNotBeforeTimeError, 
+                             SessionCertTimeError)
+
+# Combine client and server session expired exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning
+SessionExpired = (UserSessionExpired, _ClntSessionExpired)
+
+# Combine client and server invalid session exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning""" 
+InvalidSession = (InvalidUserSession, _ClntInvalidSession)
+   
+# Combine client and server invalid session exceptions to enable easier
+# exception handling for a WSGISessionManagerClient caller.  See
+# SessionNotFound.__doc__ for more details of reasoning
+AttributeRequestDenied = (CredentialWalletAttributeRequestDenied, 
+                          _ClntAttributeRequestDenied)
+
+# End of server/client side exception combinations
+
+        
 class WSGISessionManagerClientError(Exception):
     """Base class exception for WSGI Session Manager client errors"""

TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml

@@ -2 +2 @@
 <AAmap>
     <thisHost name="Site A">
-        <aaURI>http://localhost:5000/AttributeAuthority</aaURI>
-        <loginURI>https://localhost/login</loginURI>
+        <aaURI>http://localhost:8000/AttributeAuthority</aaURI>
+        <loginURI>https://localhost/sso/login</loginURI>
             <aaDN>/O=NDG/OU=Site A/CN=AttributeAuthority</aaDN>
             <loginServerDN>/C=UK/ST=Oxfordshire/O=STFC/OU=BADC/CN=localhost</loginServerDN>