Changeset 4606 for TI12-security/trunk/python

Timestamp:

11/12/08 17:08:31 (11 years ago)

Author:

pjkersha

Message:

#1004 Security Filter:

• SSLClientAuthNMiddleware initial version near completion

Location:

TI12-security/trunk/python

Files:

• ndg.security.common/ndg/security/common/X509.py (modified) (8 diffs)
• ndg.security.server/ndg/security/server/wsgi/sslclientauthn.py (modified) (4 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

@@ -347 +347 @@
         return x509Cert
         
-#_____________________________________________________________________________
 # Alternative AttCert constructors
-#
 def X509CertRead(filePath):
     """Create a new X509 certificate read in from a file"""
@@ -358 +356 @@
     return x509Cert
 
-
-#_____________________________________________________________________________
 def X509CertParse(x509CertTxt):
     """Create a new X509 certificate from string of file content"""
@@ -369 +365 @@
 
 
-#_____________________________________________________________________________
-class X509StackError(Exception):
+class X509StackError(X509CertError):
     """Error from X509Stack type"""
 
-#_____________________________________________________________________________
-class CertIssuerNotFound(X509StackError):
+class X509StackEmptyError(X509CertError):
+    """Expecting non-zero length X509Stack"""
+
+class X509CertIssuerNotFound(X509CertError):
     """Raise from verifyCertChain if no certificate can be found to verify the
     input"""
 
-class SelfSignedCert(X509StackError):
+class SelfSignedCert(X509CertError):
     """Raise from verifyCertChain if cert. is self-signed and 
     rejectSelfSignedCert=True"""
+
+class X509CertInvalidSignature(X509CertError):
+    """X.509 Certificate has an invalid signature"""
        
-#_____________________________________________________________________________
 class X509Stack(object):
     """Wrapper for M2Crypto X509_Stack"""
@@ -479 +478 @@
             # populated
             if n2Validate == 0:
-                raise X509StackError, \
-                "Empty stack and no x509Cert2Verify set: no cert.s to verify"
+                raise X509StackEmptyError("Empty stack and no x509Cert2Verify "
+                                          "set: no cert.s to verify")
 
             x509Cert2Verify = self[-1]
@@ -505 +504 @@
                 # signature of the cert. to be verified
                 if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
-                    X509CertError, 'Signature is invalid for cert. "%s"' % \
-                                    x509Cert2Verify.dn
+                    X509CertInvalidSignature('Signature is invalid for cert. '
+                                             '"%s"' % x509Cert2Verify.dn)
                 
                 # In the next iteration the issuer cert. will be checked:
@@ -525 +524 @@
                 # If only one iteration occured then it must be a self
                 # signed certificate
-                raise SelfSignedCert, "Certificate is self signed"
+                raise SelfSignedCert("Certificate is self signed: [DN=%s]" %
+                                     issuerX509Cert.dn)
            
             if not caX509Stack:
@@ -531 +531 @@
                          
         elif not caX509Stack:
-            raise CertIssuerNotFound, \
-                    'No issuer cert. found for cert. "%s"'%x509Cert2Verify.dn
+            raise X509CertIssuerNotFound('No issuer cert. found for cert. '
+                                         '"%s"' % x509Cert2Verify.dn)
             
         for caCert in caX509Stack:
@@ -542 +542 @@
         if issuerX509Cert:   
             if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
-                X509CertError, 'Signature is invalid for cert. "%s"' % \
-                                x509Cert2Verify.dn
+                X509CertInvalidSignature('Signature is invalid for cert. "%s"'%
+                                         x509Cert2Verify.dn)
             
             # Chain is validated through to CA cert
             return
         else:
-            raise CertIssuerNotFound, 'No issuer cert. found for cert. "%s"'%\
-                                x509Cert2Verify.dn
+            raise X509CertIssuerNotFound('No issuer cert. found for '
+                                         'certificate "%s"'%x509Cert2Verify.dn)
         
         # If this point is reached then an issuing cert is missing from the
         # chain        
-        raise X509CertError, 'Can\'t find issuer cert "%s" for cert "%s"' % \
-                          (x509Cert2Verify.issuer, x509Cert2Verify.dn)  
+        raise X509CertIssuerNotFound('Can\'t find issuer cert "%s" for '
+                                     'certificate "%s"' %
+                                     (x509Cert2Verify.issuer, 
+                                      x509Cert2Verify.dn))
 
 

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/sslclientauthn.py

@@ +1 @@
+"""SSL Client Authentication Middleware
+
+Apply to SSL client authentication to configured URL paths.
+
+SSL Client certificate is expected to be present in environ as SSL_CLIENT_CERT
+key as set by standard Apache SSL.
+
+NERC Data Grid Project
+
+This software may be distributed under the terms of the Q Public License,
+version 1.0 or later.
+"""
+__author__ = "P J Kershaw"
+__date__ = "11/12/08"
+__copyright__ = "(C) 2008 STFC & NERC"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = "$Id$"
 import logging
 log = logging.getLogger(__name__)
-from ndg.security.common.X509 import X509Cert
+import httplib
+from ndg.security.common.X509 import X509Cert, X509CertError
 
 class SSLClientAuthNMiddleware(object):
@@ -17 +35 @@
     isSSLClientCertSet = property(fget=_isSSLClientCertSet,
                                   doc="Check for client cert. set in environ")
+    
+    _pathMatch = lambda self: self._path in self.pathMatchList
+    pathMatch = property(fget=_pathMatch,
+                         doc="Check for input path match to list of paths"
+                             "to which SSL client AuthN is to be applied")
     
     def __init__(self, app, app_conf, prefix='', **local_conf):
@@ -58 +81 @@
             raise TypeError('Expecting int or string type for '
                             '"errorResponseCode" attribute')
+            
+        if self._errorResponseCode not in httplib.responses: 
+            raise ValueError("Error response code [%d] is not recognised "
+                             "standard HTTP response code" % 
+                             self._errorResponseCode)  
             
     errorResponseCode = property(fget=_getErrorResponseCode,
@@ -145 +173 @@
                
     def __call__(self, environ, start_response):
+        
+        self._path = environ.get('PATH_INFO').rstrip('/')
+        
+        if not self.pathMatch:
+            return self._setResponse()
+        
         self._environ = environ
-        self._path = environ.get('PATH_INFO').rstrip('/')
-        
-        if self.sslClientCertSet:
-            self.verifyClientCert()
-            
+        
+        if not self.sslClientCertSet:
+            return self._setErrorResponse()
+            
+        if self.isValidClientCert():            
+            return self._setResponse()
+        else:
+            return self._setErrorResponse()
+            
+    def _setResponse(self):
         if self._app:
             return self._app(environ, start_response)
         else:
-            response = 'No app set for SSLClientAuthNMiddleware'
-            start_response('200 OK',
+            response = 'No application set for SSLClientAuthNMiddleware'
+            status = '%d %s' % (404, httplib.responses[404])
+            start_response(status,
                            [('Content-type', 'text/plain'),
                             ('Content-Length', str(len(response)))])
             return response
-                  
-    def verifyClientCert(self):
+
+    def _setErrorResponse(self, msg='Invalid SSL client certificate'):
+        response = msg
+        status = '%d %s' % (self.errorResponseCode, 
+                            httplib.responses[self.errorResponseCode])
+        
+        start_response(status,
+                       [('Content-type', 'text/plain'),
+                        ('Content-Length', str(len(response)))])
+        return response
+
+    def isValidClientCert(self):
         x509Cert = X509Cert.Parse(filePath)
         
-        
+        if len(self._caCertStack) == 0:
+            log.warning("No CA certificates set for Client certificate "
+                        "signature verification")
+        else:
+            try:
+                self._caCertStack.verifyCertChain(x509Cert2Verify=x509Cert)
+
+            except X509CertError, e:
+                log.info("Client certificate verification failed: %s" % e)
+                return False
+            
+            except Exception, e:
+                log.error("Client certificate verification failed with "
+                          "unexpected error: %s" % e)
+                return False
+            
+        return True
+        
+
+# Utility functions to support Paste Deploy application and filter function
+# signatures        
 def filter_app_factory(app, app_conf, **local_conf):
+    '''Wrapper to SSLClientAuthNMiddleware for Paste Deploy filter'''
     return SSLClientAuthNMiddleware(app, app_conf, **local_conf)
    
 def app_factory(app_conf, **local_conf):
+    '''Wrapper to SSLClientAuthNMiddleware for Paste Deploy app'''
     return SSLClientAuthNMiddleware(None, app_conf, **local_conf)