Changeset 4609 for TI12-security/trunk/python

Timestamp:

12/12/08 10:36:33 (12 years ago)

Author:

pjkersha

Message:

#1004 Security Filter:

• added unit tests for SSLClientAuthNMiddleware. The middleware must <currently> be run under mod_wsgi to enable it to pick up SSL_CLIENT_CERT from environ.
• TODO: extend to enable client authN with paste running over SSL? - Unit test dir contains an e.g. paste app running over SSL using pyOpenSSL but it's not clear how to pass SSL client cert to the middleware.
• TODO: current version supports a simple scheme of matching a list of URLs from config to see which ones to secure - will need to change to something more sophisticated as proposed in the NDG3 work plan,

Location:

TI12-security/trunk/python

Files:

• ndg.security.server/ndg/security/server/wsgi/sslclientauthn.py (modified) (9 diffs)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/README (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/__init__.py (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/localhost.crt (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/localhost.key (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/localhost.pem (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/ndg-test-ca.crt (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/ndgsecurity.wsgi (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/sslClientAuthN.cfg (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/sslclientauthnapp.py (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/test.crt (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/test.ini (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/test.key (added)
• ndg.security.test/ndg/security/test/sslclientauthnmiddleware/test_sslclientauthn.py (added)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/sslclientauthn.py

@@ -18 +18 @@
 import logging
 log = logging.getLogger(__name__)
+import os
 import httplib
-from ndg.security.common.X509 import X509Cert, X509CertError
+from ndg.security.common.X509 import X509Stack, X509Cert, X509CertError
 
 class SSLClientAuthNMiddleware(object):
@@ -31 +32 @@
     }
 
-    _isSSLClientCertSet = lambda self: \
-        SSLClientAuthNMiddleware.sslClientCertKeyName in self._environ
+    _isSSLClientCertSet = lambda self: bool(self._environ.get(
+                                SSLClientAuthNMiddleware.sslClientCertKeyName)) 
     isSSLClientCertSet = property(fget=_isSSLClientCertSet,
                                   doc="Check for client cert. set in environ")
@@ -45 +46 @@
 
         opt = SSLClientAuthNMiddleware.propertyDefaults.copy()
-        if app_conf is not None:
-            # Update from application config dictionary - filter from using
-            # prefix
+        
+        # If no prefix is set, there is no way to distinguish options set for 
+        # this app and those applying to other applications
+        if app_conf is not None and prefix:
+            # Update from application config dictionary - filter using prefix
             SSLClientAuthNMiddleware._filterOpts(opt, app_conf, prefix=prefix)
                         
         # Similarly, filter keyword input                 
-        SSLClientAuthNMiddleware._filterOpts(opt, kw, prefix=prefix)
+        SSLClientAuthNMiddleware._filterOpts(opt, local_conf, prefix=prefix)
        
         # Update options from keywords - matching app_conf ones will be 
@@ -111 +114 @@
 
         for caCertFilePath in caCertFilePathList:
-            self._caCertStack.push(X509.load_cert(caCertFilePath))
+            x509Cert = X509Cert.Read(os.path.expandvars(caCertFilePath))
+            self._caCertStack.push(x509Cert)
         
     caCertFilePathList = property(fset=_setCACertsFromFileList,
@@ -117 +121 @@
                                       "peer certificate must validate against "
                                       "one")
+    def _getPathMatchList(self):
+        return self._pathMatchList
     
     def _setPathMatchList(self, pathList):
-        '''Read CA certificates from file and add them to an X.509 Cert.
-        stack
-        
+        '''
         @type pathList: list or tuple
         @param pathList: list of URL paths to apply SSL client authentication 
@@ -134 +138 @@
         if isinstance(pathList, basestring):
             # Try parsing a space separated list of file paths
-            pathList = pathList.split()
+             self._pathMatchList = pathList.split()
             
         elif not isinstance(pathList, (list, tuple)):
             raise TypeError('Expecting a list or tuple for "pathMatchList"')
+        else:
+            self._pathMatchList = pathList
+            
+    pathMatchList = property(fget=_getPathMatchList,
+                             fset=_setPathMatchList,
+                             doc='List of URL paths to which to apply SSL '
+                                 'client authentication')
     
     @classmethod
@@ -174 +185 @@
     def __call__(self, environ, start_response):
         
-        self._path = environ.get('PATH_INFO').rstrip('/')
+        self._path = environ.get('PATH_INFO')
+        if self._path != '/':
+            self._path.rstrip('/')
+        
+        self._environ = environ
         
         if not self.pathMatch:
-            return self._setResponse()
-        
-        self._environ = environ
-        
-        if not self.sslClientCertSet:
-            return self._setErrorResponse()
-            
-        if self.isValidClientCert():            
-            return self._setResponse()
-        else:
-            return self._setErrorResponse()
-            
-    def _setResponse(self):
+            log.debug("ignoring path [%s]" % self._path)
+            return self._setResponse(environ, start_response)
+                    
+        if not self.isSSLClientCertSet:
+            log.error("No SSL Client path set for request to [%s]"%self._path)
+            return self._setErrorResponse(environ, start_response,
+                                          msg='No client SSL Certificate set')
+            
+        if self.isValidClientCert(environ):            
+            return self._setResponse(environ, start_response)
+        else:
+            return self._setErrorResponse(environ, start_response)
+            
+    def _setResponse(self, environ, start_response):
         if self._app:
             return self._app(environ, start_response)
@@ -200 +216 @@
             return response
 
-    def _setErrorResponse(self, msg='Invalid SSL client certificate'):
+    def _setErrorResponse(self, environ, start_response,
+                          msg='Invalid SSL client certificate'):
         response = msg
         status = '%d %s' % (self.errorResponseCode, 
@@ -210 +227 @@
         return response
 
-    def isValidClientCert(self):
-        x509Cert = X509Cert.Parse(filePath)
+    def isValidClientCert(self, environ):
+        sslClientCert = environ[SSLClientAuthNMiddleware.sslClientCertKeyName]
+        x509Cert = X509Cert.Parse(sslClientCert)
         
         if len(self._caCertStack) == 0: