Changeset 4692 for TI12-security/trunk/python/ndg.security.server/ndg

Timestamp:

19/12/08 16:39:57 (12 years ago)

Author:

pjkersha

Message:

Refactoring of SSO service to enable use of local AA and SM instances via keys to environ.

Location:

TI12-security/trunk/python/ndg.security.server/ndg/security/server

Files:

• paster_templates/default_deployment/services.ini_tmpl (modified) (5 diffs)
• paster_templates/template.py (modified) (2 diffs)
• sso/certs/clnt.crt (modified) (3 diffs)
• sso/sso.cfg (modified) (1 diff)
• sso/sso/config/ssoServiceMiddleware.py (modified) (1 diff)
• sso/sso/controllers/login.py (modified) (3 diffs)
• sso/sso/lib/openid_util.py (modified) (1 diff)
• wsgi/openid/provider/__init__.py (modified) (1 diff)
• zsi/sessionmanager/SessionManager_services_server.py (modified) (2 diffs)
• zsi/sessionmanager/__init__.py (modified) (2 diffs)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl

@@ -20 +20 @@
 # Attribute Authority settings
 # 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: Site A
+attributeAuthority.name: ${attributeAuthorityID}
 
 # Lifetime is measured in seconds
@@ -41 +41 @@
 
 # Location of role mapping file
-attributeAuthority.mapConfigFile: %(here)s/attributeauthority/siteAMapConfig.xml
+attributeAuthority.mapConfigFile: %(here)s/attributeauthority/mapConfig.xml
 
 # Settings for custom AAUserRoles derived class to get user roles for given 
@@ -141 +141 @@
 use = egg:Paste#http
 host = 0.0.0.0
-port = 5000
+port = 8000
 
 [app:mainApp]
@@ -160 +160 @@
 set debug = false
 
-configfile = %(here)s/singleSignOnService/sso.cfg
-#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg
+configfile = %(here)s/sso/sso.cfg
 
 # AuthKit Set-up
@@ -301 +300 @@
 # Certificate associated with private key used to sign a message.  The sign 
 # method will add this to the BinarySecurityToken element of the WSSE header.  
-wssecurity.signingCertFilePath=%(here)s/server.crt
+wssecurity.signingCertFilePath=%(here)s/wssecurity/server.crt
 
 # PEM encoded private key file
-wssecurity.signingPriKeyFilePath=%(here)s/server.key
+wssecurity.signingPriKeyFilePath=%(here)s/wssecurity/server.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a

TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/template.py

@@ -2 +2 @@
 
 from paste.script.templates import Template, var, _skip_variables
+import os
 import socket
 _hostTuple = socket.gethostbyaddr(socket.gethostname())
@@ -22 +23 @@
     summary = 'NERC DataGrid Security services deployment template'
     vars = vars
-    
+
+    def write_files(self, command, output_dir, vars):
+        '''Extend to enable substitutions for Single Sign On Service config
+        file'''
+        if output_dir.startswith('./'):
+            outDir = output_dir.lstrip('./')
+        else:
+            outDir = output_dir
+            
+        vars['ssoConfigDir'] = os.path.join(os.getcwd(), outDir, 'sso')
+        super(DefaultDeploymentTemplate, self).write_files(command, 
+                                                           output_dir, 
+                                                           vars)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/certs/clnt.crt

@@ -2 +2 @@
     Data:
         Version: 3 (0x2)
-        Serial Number: 243 (0xf3)
+        Serial Number: 259 (0x103)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=NDG, OU=BADC, CN=Test CA
         Validity
-            Not Before: Dec 18 11:42:41 2007 GMT
-            Not After : Dec 17 11:42:41 2008 GMT
+            Not Before: Dec 16 15:19:45 2008 GMT
+            Not After : Dec 15 15:19:45 2013 GMT
         Subject: O=NDG Security Test, OU=WS-Security Unittest, CN=client
         Subject Public Key Info:
@@ -33 +33 @@
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            Netscape Cert Type:
+            Netscape Cert Type: 
                 SSL Client, SSL Server, S/MIME, Object Signing
     Signature Algorithm: md5WithRSAEncryption
-        c1:2b:11:0e:c3:fe:3e:f2:87:ee:48:e5:f1:29:9c:1f:a3:d8:
-        eb:f9:3a:d4:af:75:c7:b4:39:e0:b2:83:5e:ee:71:7c:fc:28:
-        73:fb:e4:62:7e:96:7b:f1:c3:b7:a4:94:b5:f7:41:a4:32:6a:
-        16:4b:8c:60:36:0c:c1:79:62:51:aa:79:fa:1e:8c:a0:82:58:
-        28:c6:cf:da:9b:79:eb:3a:f3:bf:e2:4a:8e:c2:f3:55:3f:b9:
-        c6:0e:55:ea:a9:79:9e:3c:d2:d1:07:6c:81:90:2f:a9:54:ba:
-        4a:7e:3c:f0:7c:86:c5:e0:b3:71:a5:48:a8:77:e3:83:b6:48:
-        6d:78
+        63:11:bf:8c:fe:88:3a:7d:12:1e:c1:ea:90:f6:11:33:f2:7d:
+        1d:2b:f3:22:3d:72:fb:1b:35:ed:cc:55:79:0e:98:13:41:cf:
+        44:5e:c7:88:75:08:b4:b2:2b:ad:11:0e:0b:2e:49:21:41:18:
+        6b:e9:2f:77:6d:27:4b:17:85:c8:fa:7b:91:45:97:a4:2d:f3:
+        24:4e:1e:be:c5:e5:bc:ca:fd:dc:b2:e9:e1:b1:8a:f0:c1:4f:
+        f9:c9:14:f8:c3:c2:98:66:fa:04:82:f1:8d:68:59:17:1f:f2:
+        bf:34:f7:c6:3c:85:9b:80:c6:bc:2f:66:2e:0e:f4:24:7c:d8:
+        9e:5f
 -----BEGIN CERTIFICATE-----
-MIICizCCAfSgAwIBAgICAPMwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
-MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA3MTIxODExNDI0
-MVoXDTA4MTIxNzExNDI0MVowTDEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
+MIICizCCAfSgAwIBAgICAQMwDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNjE1MTk0
+NVoXDTEzMTIxNTE1MTk0NVowTDEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx
 HTAbBgNVBAsTFFdTLVNlY3VyaXR5IFVuaXR0ZXN0MQ8wDQYDVQQDEwZjbGllbnQw
 ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY7CFf5GAGGJEY38Vukj0U
@@ -55 +55 @@
 mtvitXt9HJwdCZbPmPyxs6STvFHMZru1mY5dj1YWT8PBT5Svmpo/EEiL+TZctcXE
 SRRSVxu99yRBJ0f9Nd8IPxtuyyIVX4+xfgOLrNoVQuIV5vKTCZh5RrWjpbk/0eqN
-AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIE8DANBgkqhkiG9w0BAQQFAAOBgQDB
-KxEOw/4+8ofuSOXxKZwfo9jr+TrUr3XHtDngsoNe7nF8/Chz++RifpZ78cO3pJS1
-90GkMmoWS4xgNgzBeWJRqnn6Hoygglgoxs/am3nrOvO/4kqOwvNVP7nGDlXqqXme
-PNLRB2yBkC+pVLpKfjzwfIbF4LNxpUiod+ODtkhteA==
+AgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIE8DANBgkqhkiG9w0BAQQFAAOBgQBj
+Eb+M/og6fRIeweqQ9hEz8n0dK/MiPXL7GzXtzFV5DpgTQc9EXseIdQi0siutEQ4L
+LkkhQRhr6S93bSdLF4XI+nuRRZekLfMkTh6+xeW8yv3csunhsYrwwU/5yRT4w8KY
+ZvoEgvGNaFkXH/K/NPfGPIWbgMa8L2YuDvQkfNieXw==
 -----END CERTIFICATE-----

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg

@@ -18 +18 @@
 #sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager
 sessionMgrURI: http://localhost:8000/SessionManager
-attAuthorityURI: http://localhost:8000/AttributeAuthority
+attributeAuthorityURI: http://localhost:8000/AttributeAuthority
 
 # WS-Security signature handler - set a config file with 'wssCfgFilePath'

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

@@ -116 +116 @@
             self.smURI = None
             
-        if self.cfg.has_option(defSection, 'attAuthorityURI'):        
-            self.aaURI = self.cfg.get(defSection, 'attAuthorityURI')
+        if self.cfg.has_option(defSection, 'sessionManagerEnvironKey'):        
+            self.smEnvironKey = self.cfg.get(defSection, 
+                                             'sessionManagerEnvironKey')
+        else:
+            self.smEnvironKey = None
+            
+        if self.cfg.has_option(defSection, 'attributeAuthorityURI'):        
+            self.aaURI = self.cfg.get(defSection, 'attributeAuthorityURI')
         else:
             self.aaURI = None
+            
+        if self.cfg.has_option(defSection, 'attributeAuthorityEnvironKey'):        
+            self.aaEnvironKey = self.cfg.get(defSection, 
+                                             'attributeAuthorityEnvironKey')
+        else:
+            self.aaEnvironKey = None
         
         # ... for SSL connections to security web services

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

@@ -56 +56 @@
                         environ=request.environ,
                         uri=session['ndgSec']['h'],
+                        environKey=self.cfg.smEnvironKey,
+                        attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,
                         tracefile=self.cfg.tracefile,
                         httpProxyHost=self.cfg.httpProxyHost,
@@ -109 +111 @@
         try:    
             smClnt = WSGISessionManagerClient(
-                                     environ=request.environ,
-                                     uri=self.cfg.smURI,
-                                     tracefile=self.cfg.tracefile,
-                                     httpProxyHost=self.cfg.httpProxyHost,
-                                     noHttpProxyList=self.cfg.noHttpProxyList,
-                                     **self.cfg.wss)
+                        environ=request.environ,
+                        uri=self.cfg.smURI,
+                        environKey=self.cfg.smEnvironKey,
+                        attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,
+                        tracefile=self.cfg.tracefile,
+                        httpProxyHost=self.cfg.httpProxyHost,
+                        noHttpProxyList=self.cfg.noHttpProxyList,
+                        **self.cfg.wss)
                                 
             username = request.params['username']
@@ -221 +225 @@
                                     environ=request.environ,
                                     uri=self.cfg.aaURI,
+                                    environKey=self.cfg.aaEnvironKey,
                                     tracefile=self.cfg.tracefile,
                                     httpProxyHost=self.cfg.httpProxyHost,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py

@@ -127 +127 @@
                                         environ=pylons.request.environ,
                                         uri=cfg.aaURI,
+                                        environKey=self.cfg.aaEnvironKey,
                                         tracefile=cfg.tracefile,
                                         httpProxyHost=cfg.httpProxyHost,

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -421 +421 @@
                     else:
                         opt[filtOptName] = optVal
-                else:
-                    # Options not starting with prefix are ignored
-                    log.debug("Skipping option \"%s\": it doesn't start with "
-                              "the prefix \"%s\"", optName, prefix)
+#                else:
+                    # Options not starting with prefix are ignored - omit debug
+                    # it's too verbose even for debug setting :)
+#                    log.debug("Skipping option \"%s\": it doesn't start with "
+#                              "the prefix \"%s\"", optName, prefix)
             else:
                 filtOptName = '_'.join(optName.split('.'))

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/SessionManager_services_server.py

@@ -72 +72 @@
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userX509Cert\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"sessID\" type=\"xsd:string\"/>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"attAuthorityURI\" type=\"xsd:string\"/>
+                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"attributeAuthorityURI\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"reqRole\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"1\" name=\"mapFromTrustedHosts\" type=\"xsd:boolean\"/>
@@ -269 +269 @@
     def soap_getAttCert(self, ps):
         self.request = ps.Parse(getAttCertInputMsg.typecode)
-        parameters = (self.request._userX509Cert, self.request._sessID, self.request._attAuthorityURI, self.request._reqRole, self.request._mapFromTrustedHosts, self.request._rtnExtAttCertList, self.request._extAttCert, self.request._extTrustedHost)
+        parameters = (self.request._userX509Cert, self.request._sessID, self.request._attributeAuthorityURI, self.request._reqRole, self.request._mapFromTrustedHosts, self.request._rtnExtAttCertList, self.request._extAttCert, self.request._extTrustedHost)
 
         # If we have an implementation object use it

TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/sessionmanager/__init__.py

@@ -190 +190 @@
         # If no Attribute Authority URI is set pick up local Attribute 
         # instance Authority
-        if request.AttAuthorityURI is None:
+        if request.AttributeAuthorityURI is None:
             attributeAuthorityFilter = \
                 self.referencedWSGIFilters.get(self.attributeAuthorityFilterID)
                 
             try:
-                attributeAuthority = \
-                    attributeAuthorityFilter.serviceSOAPBinding.aa
+                attributeAuthority= \
+                                attributeAuthorityFilter.serviceSOAPBinding.aa
             except AttributeError, e:
                 raise SessionManagerWSConfigError("No Attribute Authority URI "
@@ -210 +210 @@
                             userX509Cert=userX509Cert or request.UserX509Cert,
                             sessID=request.SessID,
-                            attributeAuthorityURI=request.AttAuthorityURI,
+                            attributeAuthorityURI=request.AttributeAuthorityURI,
                             attributeAuthority=attributeAuthority,
                             reqRole=request.ReqRole,