Changeset 4587 for TI12-security


Timestamp:
10/12/08 15:37:16 (11 years ago)
Author:
pjkersha
Message:
  • Completed integration work for common WSGI/SOAP client based interfaces (ndg.security.server.wsgi.utils.sessionmanagerclient and ndg.security.server.wsgi.utils.attributeauthorityclient) with Pylons Single Sign On package (ndg.security.server.sso)
  • Integrated the Single Sign On service into the Combined Services Paste service as a Pylons app. This also includes the Session Manager, Attribute Authority and OpenID services. The SSO Service will eventually be removed and replaced with an OpenID-based SSO.
Location:
TI12-security/trunk/python
Files:
6 added
9 edited

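--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py
@@ -73,5 +73,4 @@
             self.caCertFilePathList = caCertFilePathList
 
-
     def __call__(self, peerCert, host=None):
         """Carry out checks on server ID
@@ -119,6 +118,5 @@
         # They match - drop the exception and return all OK instead
         return True
-
-
+
     def __setCACertList(self, caCertList):
         """Set list of CA certs - peer cert must validate against at least one
@@ -131,6 +129,4 @@
               doc="list of CA certs - peer cert must validate against one")
 
-
-    #_________________________________________________________________________
     def __setCACertsFromFileList(self, caCertFilePathList):
         '''Read CA certificates from file and add them to the X.509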
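--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py
@@ -111,6 +111,13 @@
             self.tracefile = None
 
-        self.smURI = self.cfg.get(defSection, 'sessionMgrURI')
-        self.aaURI = self.cfg.get(defSection, 'attAuthorityURI')
+        if self.cfg.has_option(defSection, 'sessionMgrURI'):
+            self.smURI = self.cfg.get(defSection, 'sessionMgrURI')
+        else:
+            self.smURI = None
+
+        if self.cfg.has_option(defSection, 'attAuthorityURI'):
+            self.aaURI = self.cfg.get(defSection, 'attAuthorityURI')
+        else:
+            self.aaURI = None
 
         # ... for SSL connections to security web services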
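Review bot: The new else branches at lines 116 and 121 set `smURI`/`aaURI` to None when the option is missing, and the client wrappers elsewhere in this changeset treat a false `uri` as "use the in-process instance from environ", so a typo in the config silently changes which Session Manager or Attribute Authority the SSO service trusts. Log the fallback in each else branch, e.g. `log.warning("No 'sessionMgrURI' in section %r - using local Session Manager instance", defSection)`, so a deliberate co-located deployment can be told apart from a misconfiguration. The enclosing method starts and ends outside the hunk, so I cannot see whether a module logger is bound in this file.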
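--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
@@ -1,2 +1,17 @@
+"""Single Sign On Service Login Controller
+
+NERC Data Grid Project
+"""
+__author__ = "P J Kershaw"
+__date__ = "10/12/08"
+__copyright__ = "(C) 2008 STFC & NERC"
+__license__ = \
+"""This software may be distributed under the terms of the Q Public
+License, version 1.0 or later."""
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = '$Id$'
+import logging
+log = logging.getLogger(__name__)
+
 # _redirect requires this to parse the server name
 from urlparse import urlsplit
@@ -14,7 +29,4 @@
 
 from base64 import urlsafe_b64decode, urlsafe_b64decode
-import logging
-
-log = logging.getLogger(__name__)
 
 class LoginController(BaseController):
@@ -41,5 +53,7 @@
         # Session is set in this domain - check it
         try:
-            smClnt = WSGISessionManagerClient(uri=session['ndgSec']['h'],
+            smClnt = WSGISessionManagerClient(
+                        environ=request.environ,
+                        uri=session['ndgSec']['h'],
                         tracefile=self.cfg.tracefile,
                         httpProxyHost=self.cfg.httpProxyHost,
@@ -57,5 +71,5 @@
 
         # Check session status
-        log.debug('Calling Session Manager "%s" getSessionStatus %s for user '
+        log.debug('Calling Session Manager "%s" getSessionStatus for user '
                   '"%s" with sid="%s" ...' %
                   (session['ndgSec']['h'],
@@ -94,9 +108,11 @@
 
         try:
-            smClnt = WSGISessionManagerClient(uri=self.cfg.smURI,
-                         tracefile=self.cfg.tracefile,
-                         httpProxyHost=self.cfg.httpProxyHost,
-                         noHttpProxyList=self.cfg.noHttpProxyList,
-                         **self.cfg.wss)
+            smClnt = WSGISessionManagerClient(
+                                     environ=request.environ,
+                                     uri=self.cfg.smURI,
+                                     tracefile=self.cfg.tracefile,
+                                     httpProxyHost=self.cfg.httpProxyHost,
+                                     noHttpProxyList=self.cfg.noHttpProxyList,
+                                     **self.cfg.wss)
 
             username = request.params['username']
@@ -129,5 +145,5 @@
             # Make request for attribute certificate
             attCert = smClnt.getAttCert(sessID=sessID,
-                                        attAuthorityURI=self.cfg.aaURI)
+                                        attributeAuthorityURI=self.cfg.aaURI)
         except SessionExpired, e:
             log.info("Session expired getting Attribute Certificate: %s" % e)
@@ -202,5 +218,7 @@
 
             # Look-up list of Cert DNs for trusted requestors
-            aaClnt = WSGIAttributeAuthorityClient(uri=self.cfg.aaURI,
+            aaClnt = WSGIAttributeAuthorityClient(
+                                    environ=request.environ,
+                                    uri=self.cfg.aaURI,
                                     tracefile=self.cfg.tracefile,
                                     httpProxyHost=self.cfg.httpProxyHost,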
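Review bot: The rewritten debug message at new lines 73-75 still formats the session ID (`sid="%s"`) into the log; that value is presumably the Session Manager session handle that drives getSessionStatus/getAttCert on the user's behalf, so anyone who can read the log file holds a replayable credential. Log a prefix only, e.g. `sid[:8] + '...'` in place of the full value (the remaining format arguments are outside the hunk, so use whatever name the code binds there). The context line `from base64 import urlsafe_b64decode, urlsafe_b64decode` imports the same name twice — the first was presumably meant to be `urlsafe_b64encode` — and is worth fixing while this module header is being reorganised.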
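--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py
@@ -124,5 +124,7 @@
 
     try:
-        aaClnt = WSGIAttributeAuthorityClient(uri=cfg.aaURI,
+        aaClnt = WSGIAttributeAuthorityClient(
+                                        environ=pylons.request.environ,
+                                        uri=cfg.aaURI,
                                         tracefile=cfg.tracefile,
                                         httpProxyHost=cfg.httpProxyHost,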
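Review bot: The added `environ=pylons.request.environ` at new line 127 makes this library function depend on Pylons' thread-local request being active, so it now fails when called outside a request (a unit test, a background job) with an error that does not name the real cause. Accept the environ explicitly instead, e.g. an `environ=None` parameter resolved with `environ = environ if environ is not None else pylons.request.environ` before the try, so callers can pass a plain dict. The enclosing function's signature is outside the hunk, so I cannot tell what it already takes besides `cfg`.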
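--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
@@ -48,5 +48,5 @@
         self._environ = environ
 
-        if 'uri' in soapClientKw:
+        if soapClientKw.get('uri'):
             self._soapClient = AttributeAuthorityClient(**soapClientKw)
         else:
@@ -114,5 +114,5 @@
             # from other trusted hosts
             allHostsInfo = self.ref.hostInfo
-            allHostsInfo.update(self.ref.getAllHostsInfo())
+            allHostsInfo.update(self.ref.getTrustedHostInfo())
             return allHostsInfo
         else: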
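Review bot: At lines 115-116 `allHostsInfo` is bound to `self.ref.hostInfo` and then `update()`d in place, so unless `hostInfo` is a property returning a fresh dict, every call merges the entries from the renamed `getTrustedHostInfo()` into the local Attribute Authority's own host record, and trusted-host data accumulates in what should be this host's description. Copy before merging: `allHostsInfo = dict(self.ref.hostInfo)`. Also, `soapClientKw.get('uri')` at line 50 now treats an empty string as "no URI"; the else branch at line 52 is outside the hunk, so please confirm it raises at construction when no local reference is in environ either, rather than failing on first use.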
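--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
@@ -139,5 +139,5 @@
         self._environ = environ
 
-        if 'uri' in soapClientKw:
+        if soapClientKw.get('uri'):
             self._soapClient = SessionManagerClient(**soapClientKw)
         else:
@@ -244,5 +244,6 @@
 
         if self.refInEnviron:
-            # Connect to local instance
+            # Connect to local instance of Session Manager - next check for
+            # an Attribute Authority URI or instance running locally
             if kw.get('attributeAuthorityURI') is None and \
                kw.get('attributeAuthority') is None: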
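Review bot: Changing line 141 to `soapClientKw.get('uri')` means a None or empty `uri` — which the SSO middleware in this changeset now supplies when `sessionMgrURI` is absent — silently selects the in-process Session Manager over a remote one, moving a trust boundary with no diagnostic. Record the choice in the else branch (outside the hunk), e.g. `log.debug("No Session Manager URI supplied - using local instance from environ")`, and raise a clear error there if `environ` holds no local reference either, so a misconfigured deployment fails at start-up rather than on the first login.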
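--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py
@@ -58,5 +58,8 @@
     }
     httpBasicAuthentication = HTTPBasicAuthentication()
-
+
+    def __init__(self, app, globalConfig, **localConfig):
+        self.app = app
+
     def __call__(self, environ, start_response):
 
@@ -65,4 +68,6 @@
             action = getattr(self, methodName)
             return action(environ, start_response)
+        elif self.app is not None:
+            return self.app(environ, start_response)
         else:
             start_response('404 Not Found', [('Content-type', 'text/plain')])
@@ -138,9 +143,10 @@
         start_response('200 OK', [('Content-type', 'text/xml')])
         return str(attCert)
-
-
-def app_factory(global_config, **local_conf):
-    return CombinedServicesWSGI()
 
+def app_factory(globalConfig, **localConfig):
+    return CombinedServicesWSGI(None, globalConfig, **localConfig)
+
+def filter_app_factory(app, globalConfig, **localConfig):
+    return CombinedServicesWSGI(app, globalConfig, **localConfig)
 
 # Initialize environment for unit tests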
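Review bot: The new `__init__` at lines 61-63 takes `globalConfig` and `**localConfig` but stores only `app`, so the configuration both factories pass at lines 146-150 is dropped silently; either keep it (`self.config = dict(globalConfig, **localConfig)`) or add a comment saying the parameters exist only to satisfy the Paste factory signatures. The pass-through at lines 70-71 hands every unmatched path to the wrapped app, which is reasonable for a test harness, but it follows a `getattr(self, methodName)` dispatch whose guard is outside the hunk: `methodName` must come from an explicit allow-list (presumably the dict closed at line 58), not from the request path, or a client could invoke any attribute of the instance, including `httpBasicAuthentication` or `app`.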
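--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
@@ -148,5 +148,40 @@
 
 [app:mainApp]
-paste.app_factory = ndg.security.test.combinedservices.serverapp:app_factory
+paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
+cache_dir = %(here)s/data
+beaker.session.key = sso
+beaker.session.secret = somesecret
+
+# If you'd like to fine-tune the individual locations of the cache data dirs
+# for the Cache data, or the Session saves, un-comment the desired settings
+# here:
+#beaker.cache.data_dir = %(here)s/data/cache
+#beaker.session.data_dir = %(here)s/data/sessions
+
+# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
+# Debug mode will enable the interactive debugging tool, allowing ANYONE to
+# execute malicious code after an exception is raised.
+set debug = false
+
+configfile = %(here)s/singleSignOnService/sso.cfg
+#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg
+
+# AuthKit Set-up
+authkit.setup.method=openid, cookie
+authkit.cookie.secret=secret encryption string
+authkit.cookie.signoutpath = /logout
+authkit.openid.path.signedin=/
+authkit.openid.store.type=file
+authkit.openid.store.config=%(here)s/data/openid
+authkit.openid.session.key = authkit_openid
+authkit.openid.session.secret = random string
+
+authkit.openid.baseurl = http://localhost
+
+# Template for signin
+authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template
+
+# Handler for parsing OpenID and creating a session from it
+authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
 
 # Chain of SOAP Middleware filters
@@ -159,5 +194,11 @@
            SessionMiddlewareFilter
            OpenIDProviderFilter
+           testHarnessFilter
            mainApp
+
+[filter:testHarnessFilter]
+paste.filter_app_factory =
+        ndg.security.test.combinedservices.serverapp:filter_app_factory
+
 
 #______________________________________________________________________________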
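Review bot: The new `[app:mainApp]` block commits literal placeholder secrets — `beaker.session.secret = somesecret`, `authkit.cookie.secret=secret encryption string`, `authkit.openid.session.secret = random string` — and these sign or encrypt the SSO session and AuthKit cookie state, so anyone who copies this file as a deployment template ships forgeable sessions; the commented-out home-directory `configfile` path suggests the file already doubles as one. Put a warning directly above them, e.g. `# TEST HARNESS VALUES ONLY - every deployment must generate its own beaker.session.secret, authkit.cookie.secret and authkit.openid.session.secret`. `authkit.openid.baseurl = http://localhost` deserves the same note, since the OpenID return URL is built from it and is plain HTTP here.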
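--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/siteAAttributeAuthority/siteAMapConfig.xml
@@ -5,7 +5,11 @@
         <loginURI>https://localhost/sso/login</loginURI>
             <aaDN>/O=NDG/OU=Site A/CN=AttributeAuthority</aaDN>
+<!--
             <loginServerDN>/C=UK/ST=Oxfordshire/O=STFC/OU=BADC/CN=localhost</loginServerDN>
             <loginRequestServerDN>/C=UK/ST=Oxfordshire/O=STFC/OU=BADC/CN=localhost</loginRequestServerDN>
-    </thisHost>
+-->
+                <loginServerDN>/C=UK/CN=gabriel.badc.rl.ac.uk/O=RAL/ST=Oxfordshire/OU=BADC</loginServerDN>
+                <loginRequestServerDN>/C=UK/CN=gabriel.badc.rl.ac.uk/O=RAL/ST=Oxfordshire/OU=BADC</loginRequestServerDN>
+                </thisHost>
     <trusted name="Site C">
         <aaURI>http://aa.sitec.blah</aaURI>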
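Review bot: The replacement `loginServerDN`/`loginRequestServerDN` values at lines 11-12 order the components `/C=UK/CN=.../O=RAL/ST=.../OU=BADC`, whereas the commented-out localhost pair used `/C=UK/ST=.../O=.../OU=.../CN=...`; if the consumer compares these against the peer certificate subject as a string, the order has to match the certificate exactly, so please confirm the new value was copied from the gabriel certificate verbatim rather than retyped. Hard-wiring a real host's DN into the unit-test fixture also makes the test depend on that certificate being installed; a comment such as `<!-- DN must match the subject of the login server's certificate byte-for-byte -->` above line 11 would save the next person a debugging session. The new lines are also indented four columns deeper than the sibling `<aaDN>` element.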