Changeset 4775 for TI12-security


Timestamp:
09/01/09 13:25:52 (11 years ago)
Author:
pjkersha
Message:
  • Moved StaticURLParser app for serving OpenID Provider static content into a Paste ini file [composit:...] - for combined services unit tests and default and full paster templates
  • Added main_app factory class method to OpenIDProviderMiddleware to fit main_app function signature required for Paste ini file to run OpenID Provider as the main app rather than as a filter.
Location:
TI12-security/trunk/python
Files:
1 added
11 edited

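--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
@@ -574,5 +574,4 @@
 
         if userPriKey is None:
-            log.warning("Setting user private key to None")
             self._userPriKey = None
         elif isinstance(userPriKey, basestring):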
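--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl
@@ -5,4 +5,5 @@
 # * Session Manager
 # * Attribute Authority
+# * OpenID Provider
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -129,5 +130,5 @@
 # Authentication service properties
 sessionManager.authNService.moduleFilePath:
-sessionManager.authNService.moduleName: ndg.security.test.combinedservices.sessionmanager.userx509certauthn
+sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
 sessionManager.authNService.className: UserX509CertAuthN
 
@@ -143,197 +144,24 @@
 port = 8000
 
-[app:mainApp]
-paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
-cache_dir = %(here)s/data
-beaker.session.key = sso
-beaker.session.secret = somesecret
-
-# If you'd like to fine-tune the individual locations of the cache data dirs
-# for the Cache data, or the Session saves, un-comment the desired settings
-# here:
-#beaker.cache.data_dir = %(here)s/data/cache
-#beaker.session.data_dir = %(here)s/data/sessions
-
-# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
-# Debug mode will enable the interactive debugging tool, allowing ANYONE to
-# execute malicious code after an exception is raised.
-set debug = false
-
-configfile = %(here)s/sso/sso.cfg
-
-# AuthKit Set-up
-authkit.setup.method=openid, cookie
-authkit.cookie.secret=secret encryption string
-authkit.cookie.signoutpath = /logout
-authkit.openid.path.signedin=/
-authkit.openid.store.type=file
-authkit.openid.store.config=%(here)s/data/openid
-authkit.openid.session.key = authkit_openid
-authkit.openid.session.secret = random string
-
-authkit.openid.baseurl = http://localhost
-
-# Template for signin
-authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template
-
-# Handler for parsing OpenID and creating a session from it
-authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
-
-# Chain of SOAP Middleware filters
-[pipeline:main]
-pipeline = wsseSignatureVerificationFilter
-                   AttributeAuthorityFilter
-           SessionManagerFilter
-           wsseSignatureFilter
-           httpBasicAuthFilter
-           SessionMiddlewareFilter
-           OpenIDProviderFilter
-           mainApp
-
-
-#______________________________________________________________________________
-# Attribute Authority WSGI settings
-#
-[filter:AttributeAuthorityFilter]
-# This filter is a container for a binding to a SOAP based interface to the
-# Attribute Authority
-paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
-
-# Use this ZSI generated SOAP service interface class to handle i/o for this
-# filter
-ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
-
-# SOAP Binding Class specific keywords are in this section identified by this
-# prefix:
-ServiceSOAPBindingPropPrefix = AttributeAuthority
-
-# The AttributeAuthority class has settings in the default section above
-# identified by this prefix:
-AttributeAuthority.propPrefix = attributeAuthority
-AttributeAuthority.propFilePath = %(here)s/services.ini
-AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-# Provide an identifier for this filter so that main WSGI app
-# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
-# directly
-referencedFilters = filter:wsseSignatureVerificationFilter
-
-# Path from URL for Attribute Authority in this Paste deployment
-path = /AttributeAuthority
-
-# Enable ?wsdl query argument to list the WSDL content
-enableWSDLQuery = True
-charset = utf-8
-filterID = %(__name__)s
-
-#______________________________________________________________________________
-# Session Manager WSGI settings
-#
-[filter:SessionManagerFilter]
-# This filter is a container for a binding to a SOAP based interface to the
-# Session Manager
-paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
-
-# Use this ZSI generated SOAP service interface class to handle i/o for this
-# filter
-ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
-
-# SOAP Binding Class specific keywords are in this section identified by this
-# prefix:
-ServiceSOAPBindingPropPrefix = SessionManager
-
-# The SessionManager class has settings in the default section above identified
-# by this prefix:
-SessionManager.propPrefix = sessionManager
-SessionManager.propFilePath = %(here)s/services.ini
-
-# This filter references other filters - a local Attribute Authority (optional)
-# and a WS-Security signature verification filter (required if using signature
-# to authenticate user in requests
-SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
-SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-# The SessionManagerWS SOAP interface class needs to know about these other
-# filters
-referencedFilters = filter:wsseSignatureVerificationFilter
-                                        filter:AttributeAuthorityFilter
-
-# Path from URL for Session Manager in this Paste deployment
-path = /SessionManager
-
-# Enable ?wsdl query argument to list the WSDL content
-enableWSDLQuery = True
-charset = utf-8
-
-# Provide an identifier for this filter so that main WSGI app
-# CombinedServicesWSGI can call this Session Manager directly
-filterID = %(__name__)s
-
-#______________________________________________________________________________
-# WS-Security Signature Verification
-[filter:wsseSignatureVerificationFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
-filterID = %(__name__)s
-
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-
-# Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
-
-#______________________________________________________________________________
-# Apply WS-Security Signature
-[filter:wsseSignatureFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
-
-# Reference the verification filter in order to be able to apply signature
-# confirmation
-referencedFilters = filter:wsseSignatureVerificationFilter
-wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-# Last filter in chain of SOAP handlers writes the response
-writeResponse = True
-
-# Settings for WS-Security SignatureHandler class used by this filter
-wsseCfgFilePrefix = wssecurity
-
-# Certificate associated with private key used to sign a message.  The sign
-# method will add this to the BinarySecurityToken element of the WSSE header.
-wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt
-
-# PEM encoded private key file
-wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key
-
-# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
-# signed message.  See __setReqBinSecTokValType method and binSecTokValType
-# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
-# give full namespace to alternative - see
-# ZSI.wstools.Namespaces.OASIS.X509TOKEN
-#
-# binSecTokValType determines whether signingCert or signingCertChain
-# attributes will be used.
-wssecurity.reqBinSecTokValType=X509v3
-
-# Add a timestamp element to an outbound message
-wssecurity.addTimestamp=True
-
-# For WSSE 1.1 - service returns signature confirmation containing signature
-# value sent by client
-wssecurity.applySignatureConfirmation=True
-
-#______________________________________________________________________________
-# Apply HTTP Basic Authentication using AuthKit to enable a convenient no SOAP
-# based call to Session Manager connect method
-[filter:httpBasicAuthFilter]
-paste.filter_app_factory = authkit.authenticate:middleware
-setup_method=basic
-basic_realm=NDG Security Combined Services Tests
-basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
-
-
-#______________________________________________________________________________
-# OpenID Provider WSGI Settings
-[filter:OpenIDProviderFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
+[filter-app:mainApp]
+use = egg:Paste#httpexceptions
+next = cascade
+
+# Put OpenID Provider and Static URL parser together in a cascade
+[composit:cascade]
+use = egg:Paste#cascade
+app1 = StaticOpenIDProviderContent
+app2 = OpenIDProviderApp
+catch = 404
+
+[app:StaticOpenIDProviderContent]
+# Static URL Parser to serve OpenID Provider static page content such as CSS
+# and graphics
+use = egg:Paste#static
+document_root = %(here)s/openidprovider
+
+[app:OpenIDProviderApp]
+# OpenID Provider set as the main application
+paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.main_app
 openid.provider.path.openidserver=/openid/endpoint
 openid.provider.path.login=/openid/login
@@ -407,4 +235,144 @@
 [filter:SessionMiddlewareFilter]
 paste.filter_app_factory=beaker.middleware:SessionMiddleware
+# Chain of SOAP Middleware filters
+[pipeline:main]
+pipeline = wsseSignatureVerificationFilter
+                   AttributeAuthorityFilter
+           SessionManagerFilter
+           wsseSignatureFilter
+           SessionMiddlewareFilter
+           mainApp
+
+
+#______________________________________________________________________________
+# Attribute Authority WSGI settings
+#
+[filter:AttributeAuthorityFilter]
+# This filter is a container for a binding to a SOAP based interface to the
+# Attribute Authority
+paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
+
+# Use this ZSI generated SOAP service interface class to handle i/o for this
+# filter
+ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
+
+# SOAP Binding Class specific keywords are in this section identified by this
+# prefix:
+ServiceSOAPBindingPropPrefix = AttributeAuthority
+
+# The AttributeAuthority class has settings in the default section above
+# identified by this prefix:
+AttributeAuthority.propPrefix = attributeAuthority
+AttributeAuthority.propFilePath = %(here)s/services.ini
+AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# Provide an identifier for this filter so that main WSGI app
+# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
+# directly
+referencedFilters = filter:wsseSignatureVerificationFilter
+
+# Path from URL for Attribute Authority in this Paste deployment
+path = /AttributeAuthority
+
+# Enable ?wsdl query argument to list the WSDL content
+enableWSDLQuery = True
+charset = utf-8
+filterID = %(__name__)s
+
+#______________________________________________________________________________
+# Session Manager WSGI settings
+#
+[filter:SessionManagerFilter]
+# This filter is a container for a binding to a SOAP based interface to the
+# Session Manager
+paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
+
+# Use this ZSI generated SOAP service interface class to handle i/o for this
+# filter
+ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
+
+# SOAP Binding Class specific keywords are in this section identified by this
+# prefix:
+ServiceSOAPBindingPropPrefix = SessionManager
+
+# The SessionManager class has settings in the default section above identified
+# by this prefix:
+SessionManager.propPrefix = sessionManager
+SessionManager.propFilePath = %(here)s/services.ini
+
+# This filter references other filters - a local Attribute Authority (optional)
+# and a WS-Security signature verification filter (required if using signature
+# to authenticate user in requests
+SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
+SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# The SessionManagerWS SOAP interface class needs to know about these other
+# filters
+referencedFilters = filter:wsseSignatureVerificationFilter
+                                        filter:AttributeAuthorityFilter
+
+# Path from URL for Session Manager in this Paste deployment
+path = /SessionManager
+
+# Enable ?wsdl query argument to list the WSDL content
+enableWSDLQuery = True
+charset = utf-8
+
+# Provide an identifier for this filter so that main WSGI app
+# CombinedServicesWSGI can call this Session Manager directly
+filterID = %(__name__)s
+
+#______________________________________________________________________________
+# WS-Security Signature Verification
+[filter:wsseSignatureVerificationFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
+filterID = %(__name__)s
+
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+
+# Verify against known CAs - Provide a space separated list of file paths
+wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
+
+#______________________________________________________________________________
+# Apply WS-Security Signature
+[filter:wsseSignatureFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter
+
+# Reference the verification filter in order to be able to apply signature
+# confirmation
+referencedFilters = filter:wsseSignatureVerificationFilter
+wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+
+# Last filter in chain of SOAP handlers writes the response
+writeResponse = True
+
+# Settings for WS-Security SignatureHandler class used by this filter
+wsseCfgFilePrefix = wssecurity
+
+# Certificate associated with private key used to sign a message.  The sign
+# method will add this to the BinarySecurityToken element of the WSSE header.
+wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt
+
+# PEM encoded private key file
+wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  See __setReqBinSecTokValType method and binSecTokValType
+# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
+# give full namespace to alternative - see
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
+#
+# binSecTokValType determines whether signingCert or signingCertChain
+# attributes will be used.
+wssecurity.reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+wssecurity.addTimestamp=True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature
+# value sent by client
+wssecurity.applySignatureConfirmation=True
+
 
 # Logging configuration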
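Review bot: The new `[app:StaticOpenIDProviderContent]` puts `egg:Paste#static` with `document_root = %(here)s/openidprovider` first in the cascade, so every request path is resolved against that directory before the OpenID Provider runs, and `%(here)s` is also the parent of the `pki/` and `ca/` directories the WS-Security filters read from; the template should state that only public assets may live under `openidprovider`, e.g. `# Only public assets (CSS, graphics) belong here - everything under document_root is served as-is`. The combined-services test `services.ini` further down adds the same `[app:static]` block with the same root and needs the same comment. The rebuilt `[pipeline:main]` on the new side omits `httpBasicAuthFilter` and `OpenIDProviderFilter`, and the `[filter:httpBasicAuthFilter]` section is removed in this hunk without a replacement in view; new lines 166–234 are not shown, so if that filter still exists it is now unreferenced, and either way the commit message should say the HTTP Basic path was dropped from the default template.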
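--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py
@@ -384,4 +384,31 @@
         self.oidserver = server.Server(store, self.urls['url_openidserver'])
 
+    @classmethod
+    def main_app(cls, global_conf, **app_conf):
+        '''Provide Paste main_app function signature for inclusion in Paste ini
+        files
+        @type global_conf: dict
+        @param global_conf: PasteDeploy configuration dictionary
+        @type app_conf: dict
+        @param app_conf: keyword dictionary - must follow format of defOpt
+        class variable'''
+
+        openIDProviderApp = cls(None, global_conf, **app_conf)
+
+        # Make an application to handle invalid URLs making use of the
+        # rendering object created in the OpenID Provider initialisation
+        def app(environ, start_response):
+            msg = "Page not found"
+            response = openIDProviderApp.render.errorPage(environ,
+                                                          start_response,
+                                                          msg,
+                                                          code=404)
+            return response
+
+        # Update the OpenID Provider object with the new app
+        openIDProviderApp.app = app
+
+        return openIDProviderApp
+
     @classmethod
     def _filterOpts(cls, opt, newOpt, prefix=''):
@@ -781,5 +808,14 @@
         return response
 
-
+    def _getRender(self):
+        """Get method for rendering interface object
+        @rtype: RenderingInterface
+        @return: rendering interface object
+        """
+        return self._render
+
+    render = property(fget=_getRender, doc="Rendering interface instance")
+
+
     def do_decide(self, environ, start_response):
         """Display page prompting the user to decide whether to trust the site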
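Review bot: `main_app` is the Paste entry point but its docstring has no `@rtype`/`@return`; add `@rtype: OpenIDProviderMiddleware` and `@return: provider instance whose wrapped app renders a 404 page for any path the provider does not handle`. In the inner `app`, `response` is assigned only to be returned, so `return openIDProviderApp.render.errorPage(environ, start_response, msg, code=404)` says the same in one statement. The instance is constructed with `app=None` and `.app` is reassigned afterwards; if `__init__` inspects or wraps `self.app` (not visible here) the late assignment would not take effect, which is worth confirming. The closure also relies on `render.errorPage` calling `start_response` itself, and the comment above it should say so, since this is the only handler an unmatched path reaches.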
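--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/renderinginterface/buffet/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/renderinginterface/buffet/__init__.py
@@ -93,4 +93,5 @@
                        [('Content-type', 'text/html'+self.charset),
                         ('Content-length', str(len(response)))])
+        self.xml = ''
         return response
 
@@ -132,4 +133,5 @@
                        [('Content-type', 'text/html'+self.charset),
                         ('Content-length', str(len(response)))])
+        self.xml = ''
         return response
 
@@ -158,3 +160,4 @@
                        [('Content-type', 'text/html'+self.charset),
                         ('Content-length', str(len(response)))])
+        self.xml = ''
        return response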
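Review bot: The `self.xml = ''` reset added before each `return response` (here and in the two hunks below, at new lines 135 and 162) shows the rendered document is accumulated on the renderer instance rather than in a local; if one renderer instance is shared by a threaded server, two concurrent requests write and clear the same `self.xml`, and a page rendered for one user could be emitted to another. Keeping the document in a local variable that is passed into the response build would remove that hazard; failing that, a comment above each reset such as `# reset per-request buffer - this instance is shared across requests` should record the assumption. The enclosing methods begin outside the hunks, so where `self.xml` is populated is not visible here.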
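--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py
@@ -201,9 +201,3 @@
 
     app = loadapp('config:%s' % cfgFilePath)
-    rootPath = os.path.join(os.environ['NDGSEC_COMBINED_SRVS_UNITTEST_DIR'],
-                            'openidprovider')
-
-    # Include to enable stylesheet and graphics
-    staticURLParser = StaticURLParser(rootPath)
-    app2 = Cascade([staticURLParser, app])
-    serve(app2, host='0.0.0.0', port=port)
+    serve(app, host='0.0.0.0', port=port)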
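Review bot: The rewritten `serve(app, host='0.0.0.0', port=port)` keeps binding the combined-services unit-test server to all interfaces, so the test OpenID Provider and SOAP services are reachable from the network whenever the tests run; unless a remote client is part of the test, `host='127.0.0.1'` (or a host read from the same config as `port`) is the safer default. The value is carried over from the removed lines, so this is pre-existing rather than introduced here. The enclosing function starts outside the hunk.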
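--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
@@ -143,5 +143,19 @@
 port = 5000
 
-[app:mainApp]
+[filter-app:mainApp]
+use = egg:Paste#httpexceptions
+next = cascade
+
+[composit:cascade]
+use = egg:Paste#cascade
+app1 = static
+app2 = SingleSignOnService
+catch = 404
+
+[app:static]
+use = egg:Paste#static
+document_root = %(here)s/openidprovider
+
+[app:SingleSignOnService]
 paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
 cache_dir = %(here)s/data
@@ -316,5 +330,5 @@
 # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
 # give full namespace to alternative - see
-# ZSI.wstoo-+ ls.Namespaces.OASIS.X509TOKEN
+# ZSI.wstools.Namespaces.OASIS.X509TOKEN
 #
 # binSecTokValType determines whether signingCert or signingCertChain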