Changeset 5057


Timestamp:
02/03/09 16:28:19 (11 years ago)
Author:
pjkersha
Message:

Tested the WS-Security SignatureHandler based on the 4Suite-XML Canonicalizer; also tested a client connecting to a server that uses the old DOM-based implementation of the SignatureHandler.

Location:
TI12-security/trunk/python
Files:
1 added
7 edited

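--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py	r4840
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/BaseSignatureHandler.py	r5057
@@ -347,6 +347,5 @@
 
         elif kw.get('inclusive_namespaces') and \
-             not isinstance(kw['inclusive_namespaces'], list) and \
-             not isinstance(kw['inclusive_namespaces'], tuple):
+             not isinstance(kw['inclusive_namespaces'], (list, tuple)):
             raise AttributeError('Expecting list or tuple of prefix names for '
                                  '"%s" keyword' % 'inclusive_namespaces')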
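--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py	r4907
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py	r5057
@@ -27,4 +27,6 @@
 from openid.consumer import discover
 
+from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+
 quoteattr = lambda s: '"%s"' % cgi.escape(s, 1)
 
@@ -176,5 +178,5 @@
     the AX interface but no AX Response handler has been set"""
 
-class OpenIDProviderMiddleware(object):
+class OpenIDProviderMiddleware(NDGSecurityMiddlewareBase):
     """WSGI Middleware to implement an OpenID Provider
 
@@ -242,4 +244,10 @@
         class variable
         '''
+        self._app = app
+        self._environ = {}
+        self._start_response = None
+        self._pathInfo = None
+        self._path = None
+        self.mountPath = '/'
 
         opt = OpenIDProviderMiddleware.defOpt.copy()
@@ -371,6 +379,4 @@
                                                 self.axResponseHandler)
 
-        self.app = app
-
         # Instantiate OpenID consumer store and OpenID consumer.  If you
         # were connecting to a database, you would create the database
@@ -380,30 +386,30 @@
         self.oidserver = server.Server(store, self.urls['url_openidserver'])
 
-    @classmethod
-    def main_app(cls, global_conf, **app_conf):
-        '''Provide Paste main_app function signature for inclusion in Paste ini
-        files
-        @type global_conf: dict
-        @param global_conf: PasteDeploy configuration dictionary
-        @type app_conf: dict
-        @param app_conf: keyword dictionary - must follow format of defOpt
-        class variable'''
-
-        openIDProviderApp = cls(None, global_conf, **app_conf)
-
-        # Make an application to handle invalid URLs making use of the
-        # rendering object created in the OpenID Provider initialisation
-        def app(environ, start_response):
-            msg = "Page not found"
-            response = openIDProviderApp.render.errorPage(environ,
-                                                          start_response,
-                                                          msg,
-                                                          code=404)
-            return response
-
-        # Update the OpenID Provider object with the new app
-        openIDProviderApp.app = app
-
-        return openIDProviderApp
+#    @classmethod
+#    def main_app(cls, global_conf, **app_conf):
+#        '''Provide Paste main_app function signature for inclusion in Paste ini
+#        files
+#        @type global_conf: dict
+#        @param global_conf: PasteDeploy configuration dictionary
+#        @type app_conf: dict
+#        @param app_conf: keyword dictionary - must follow format of defOpt
+#        class variable'''
+#
+#        openIDProviderApp = cls(None, global_conf, **app_conf)
+#
+#        # Make an application to handle invalid URLs making use of the
+#        # rendering object created in the OpenID Provider initialisation
+#        def app(environ, start_response):
+#            msg = "Page not found"
+#            response = openIDProviderApp.render.errorPage(environ,
+#                                                          start_response,
+#                                                          msg,
+#                                                          code=404)
+#            return response
+#
+#        # Update the OpenID Provider object with the new app
+#        openIDProviderApp.app = app
+#
+#        return openIDProviderApp
 
     @classmethod
@@ -462,5 +468,5 @@
                             (", ".join(badOptNames)))
 
-
+    @NDGSecurityMiddlewareBase.initCall
     def __call__(self, environ, start_response):
         """Standard WSGI interface.  Intercepts the path if it matches any of
@@ -490,5 +496,5 @@
 
             # Disallow identifier and yadis URIs where no ID was specified
-            return self.app(environ, start_response)
+            return self._app(environ, start_response)
 
         elif self.path.startswith(self.paths['path_id']) or \
@@ -517,5 +523,5 @@
         else:
             log.debug("No match for path %s" % self.path)
-            return self.app(environ, start_response)
+            return self._setResponse(environ, start_response)
 
 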
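Review bot: The new per-request attributes `self._environ`, `self._start_response`, `self._pathInfo` and `self._path` (and `self.path`, which `__call__` reads) are stored on the middleware instance, which WSGI shares across every request; under a threaded server — the accompanying services.ini runs `egg:Paste#http` — two concurrent requests race on them, and one user's environ or start_response can be used to answer another's, which for an OpenID provider means session and identity confusion. This assumes `NDGSecurityMiddlewareBase.initCall` populates those attributes from the call arguments, which is not visible here; if it does, keep environ, start_response and path as locals (or in a per-call object) and pass them to helpers such as `_setResponse` explicitly rather than reading them back from `self`. Separately, `main_app` is commented out rather than deleted; Subversion keeps the history, so drop the 26 commented lines. `__init__` and `__call__` both start and end outside the hunks.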
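--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py	r5042
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/relyingparty/__init__.py	r5057
@@ -138,4 +138,5 @@
         referrer = urllib.unquote(quotedReferrer)
         referrerPathInfo = urlsplit(referrer)[2]
+
         if referrer and \
            not referrerPathInfo.endswith(self._authKitVerifyPath) and \
@@ -181,29 +182,33 @@
                 environ['HTTP_REFERER']
             session.save()
-
-        def set401UnauthorizedReponse(status, header, exc_info=None):
-            '''Make OpenID Relying Party OpenID prompt page return a 401
-            status to signal to non-browser based clients that authentication
-            is required.  Requests are filtered on content type so that
-            static content such as graphics and style sheets associated with
-            the page are let through unaltered
-
-            @type status: str
-            @param status: HTTP status code and status message
-            @type header: list
-            @param header: list of field, value tuple HTTP header content
-            @type exc_info: Exception
-            @param exc_info: exception info
-            '''
-            _status = status
-            for name, val in header:
-                if name.lower() == 'content-type' and \
-                   val.startswith('text/html'):
-                    _status = self.getStatusMessage(401)
-                    break
-
-            return start_response(_status, header, exc_info)
-
-        return self._app(environ, set401UnauthorizedReponse)
+
+        # See _start_response doc for an explanation...
+        if environ['PATH_INFO'] == self._authKitVerifyPath:
+            def _start_response(status, header, exc_info=None):
+                '''Make OpenID Relying Party OpenID prompt page return a 401
+                status to signal to non-browser based clients that
+                authentication is required.  Requests are filtered on content
+                type so that static content such as graphics and style sheets
+                associated with the page are let through unaltered
+
+                @type status: str
+                @param status: HTTP status code and status message
+                @type header: list
+                @param header: list of field, value tuple HTTP header content
+                @type exc_info: Exception
+                @param exc_info: exception info
+                '''
+                _status = status
+                for name, val in header:
+                    if name.lower() == 'content-type' and \
+                       val.startswith('text/html'):
+                        _status = self.getStatusMessage(401)
+                        break
+
+                return start_response(_status, header, exc_info)
+        else:
+            _start_response = start_response
+
+        return self._app(environ, _start_response)
 
 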
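Review bot: The 401 rewrite inside `_start_response` replaces the downstream status unconditionally whenever the response is `text/html`, so a 3xx redirect or a 5xx error on the verify path would also leave as 401 with its original headers (including any `Location`) intact; test the incoming status before overriding, e.g. `if status.startswith('200') and name.lower() == 'content-type' and val.startswith('text/html'):` (the exact status string format the downstream app emits is not visible here). A 401 is also sent without a `WWW-Authenticate` header, which RFC 2616 §10.4.2 requires and which the non-browser clients this targets need in order to pick a scheme; add one to `header` alongside the status change. The wrapper is installed only when `environ['PATH_INFO']` equals `self._authKitVerifyPath` exactly, so a trailing-slash variant of the verify path falls through to the plain `start_response`. The enclosing method starts outside the hunk.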
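--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/services.ini	r4890
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/services.ini	r5057
@@ -16,4 +16,10 @@
 
 [DEFAULT]
+portNum = 9443
+hostname = localhost
+scheme = http
+baseURI = %(scheme)s://%(hostname)s:%(portNum)s
+testConfigDir = %(here)s/../../config
+
 #______________________________________________________________________________
 # Attribute Authority settings
@@ -30,5 +36,5 @@
 
 # All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/attributeCertificateLog
+attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
 
 # Files in attCertDir are stored using a rotating file handler
@@ -40,16 +46,16 @@
 
 # Location of role mapping file
-attributeAuthority.mapConfigFile: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteAMapConfig.xml
+attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
 
 # Settings for custom AttributeInterface derived class to get user roles for given
 # user ID
-attributeAuthority.attributeInterface.modFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea
+attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
 attributeAuthority.attributeInterface.modName: siteAUserRoles
 attributeAuthority.attributeInterface.className: TestUserRoles
 
 # Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.key
-attributeAuthority.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/attributeauthority/sitea/siteA-aa.crt
-attributeAuthority.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
+attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
+attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -61,9 +67,9 @@
 #
 # CA certificates for Attribute Certificate signature validation
-sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
 
 # CA certificates for SSL connection peer cert. validation - required if
 # connecting to an Attribute Authority over SSL
-sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
 
 # Allow Get Attribute Certificate calls to try to get a mapped certificate
@@ -94,5 +100,5 @@
 # The CA certificates of other NDG trusted sites should go here.  NB, multiple
 # values should be delimited by a space
-sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
 
 # Signature of an outbound message
@@ -104,8 +110,8 @@
 
 # PEM encoded cert
-sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.crt
+sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt
 
 # ... or provide file path to PEM encoded private key file
-sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/sessionmanager/sm.key
+sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -133,6 +139,6 @@
 # Specific settings for UserCertAuthN Session Manager authentication plugin
 # This sets up PKI credentials for a single test account
-sessionManager.authNService.userX509CertFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.crt
-sessionManager.authNService.userPriKeyFilePath: $NDGSEC_UNITTEST_CONFIG_DIR/pki/user.key
+sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt
+sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key
 sessionManager.authNService.userPriKeyPwd: testpassword
 
@@ -140,5 +146,5 @@
 use = egg:Paste#http
 host = 0.0.0.0
-port = 8000
+port = %(portNum)s
 
 [filter-app:mainApp]
@@ -208,5 +214,5 @@
 [filter:testHarnessFilter]
 paste.filter_app_factory =
-        ndg.security.test.combinedservices.serverapp:filter_app_factory
+        ndg.security.test.integration.combinedservices.serverapp:filter_app_factory
 sessionManagerFilterID = filter:SessionManagerFilter
 attributeAuthorityFilterID = filter:AttributeAuthorityFilter
@@ -250,5 +256,5 @@
 # if a request is being made to the local service or to another Attribute
 # Authority running elsewhere
-publishedURI = http://localhost:8000%(path)s
+publishedURI = %(baseURI)s%(path)s
 
 # Enable ?wsdl query argument to list the WSDL content
@@ -300,5 +306,5 @@
 # a request is being made to the local service or to another session manager
 # running elsewhere
-publishedURI = http://localhost:8000%(path)s
+publishedURI = %(baseURI)s%(path)s
 
 # Enable ?wsdl query argument to list the WSDL content
@@ -320,5 +326,5 @@
 
 # Verify against known CAs - Provide a space separated list of file paths
-wssecurity.caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
 
 #______________________________________________________________________________
@@ -340,8 +346,8 @@
 # Certificate associated with private key used to sign a message.  The sign
 # method will add this to the BinarySecurityToken element of the WSSE header.
-wssecurity.signingCertFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.crt
+wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt
 
 # PEM encoded private key file
-wssecurity.signingPriKeyFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.key
+wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key
 
 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a
@@ -369,5 +375,5 @@
 setup_method=basic
 basic_realm=NDG Security Combined Services Tests
-basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
+basic_authenticate_function=ndg.security.test.integration.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
 
 
@@ -391,5 +397,5 @@
 openid.provider.path.mainpage=/openid/
 openid.provider.session_middleware=beaker.session
-openid.provider.base_url=http://localhost:8000
+openid.provider.base_url=%(baseURI)s
 openid.provider.trace=False
 openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering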
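Review bot: `scheme = http` is paired with `portNum = 9443`, a port that conventionally signals TLS, and the `baseURI` built from them now feeds `openid.provider.base_url` and both `publishedURI` values, so the OpenID provider endpoint and the WS-Security service URIs are advertised as cleartext http while the server section still binds `host = 0.0.0.0`; pick one — `scheme = https` with a TLS-capable server section, or a non-TLS-looking port number — so the harness does not advertise 9443 as cleartext. Whether `egg:Paste#http` is given TLS settings elsewhere in the file is not visible in these hunks. A comment above the new `[DEFAULT]` keys would help, e.g. `# baseURI is embedded in the OpenID and WS-Security endpoint URIs; keep scheme/port consistent with the [server:main] section`.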
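--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/client/test_echoclient.py	r5053
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/client/test_echoclient.py	r5057
@@ -22,4 +22,5 @@
 from os.path import join as jnPath
 mkPath = lambda file: jnPath(os.environ['NDGSEC_WSSECLNT_UNITTEST_DIR'], file)
+from os.path import join, dirname, abspath
 from ConfigParser import SafeConfigParser
 
@@ -28,4 +29,6 @@
 from ndg.security.test import BaseTestCase
 from ndg.security.common.wssecurity.foursuite import SignatureHandler
+from ndg.security.common.wssecurity.utils import DomletteReader, \
+    DomletteElementProxy
 
 class EchoClientTestCase(BaseTestCase):
@@ -40,5 +43,10 @@
         if 'NDGSEC_WSSECLNT_UNITTEST_DIR' not in os.environ:
             os.environ['NDGSEC_WSSECLNT_UNITTEST_DIR'] = \
-                os.path.abspath(os.path.dirname(__file__))
+                abspath(dirname(__file__))
+
+        if 'NDGSEC_TEST_CONFIG_DIR' not in os.environ:
+            os.environ['NDGSEC_TEST_CONFIG_DIR'] = \
+                abspath(join(dirname(dirname(dirname(dirname(__file__)))),
+                             'config'))
 
         configFilePath = mkPath('echoClientTest.cfg')
@@ -65,5 +73,7 @@
 
         locator = EchoServiceLocator()
-        self.clnt = locator.getEcho(uri, 
+        self.clnt = locator.getEcho(uri,
+                                    readerclass=DomletteReader,
+                                    writerclass=DomletteElementProxy,
                                     sig_handler=sigHandler,
                                     tracefile=sys.stderr)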
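Review bot: The new `NDGSEC_TEST_CONFIG_DIR` default applies `abspath` only after four `dirname` calls on the raw `__file__`, so when `__file__` is a relative path (e.g. the bare `test_echoclient.py` when the test is started from its own directory) every `dirname` yields `''` and the result collapses to `<cwd>/config` rather than the package-level config directory; resolve first, `abspath(join(dirname(dirname(dirname(dirname(abspath(__file__))))), 'config'))`. The `NDGSEC_WSSECLNT_UNITTEST_DIR` default just above happens to work because `abspath('')` is the cwd, so the failure only shows on the second variable. The added `from os.path import join, dirname, abspath` duplicates the `jnPath` alias on the line above; keep one. `setUp` starts and ends outside the hunks.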
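--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/server/echoServer.py	r5053
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/server/echoServer.py	r5057
@@ -3,5 +3,6 @@
 # How to build an echo server using the extended code generation
 #
-import sys, os
+import sys
+import os
 from ConfigParser import SafeConfigParser
 
@@ -94,11 +95,16 @@
 
     if 'NDGSEC_WSSESRV_UNITTEST_DIR' not in os.environ:
-        os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'] = \
-            os.path.abspath(os.path.dirname(__file__))
-
+        os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'] = abspath(dirname(__file__))
+
+    if 'NDGSEC_TEST_CONFIG_DIR' not in os.environ:
+        os.environ['NDGSEC_TEST_CONFIG_DIR'] = \
+            abspath(join(dirname(dirname(dirname(dirname(__file__)))),
+                         'config'))
+
     configFilePath = mkPath('echoServer.cfg')
 
     cfg = SafeConfigParser()
-    cfg.read(configFilePath)
+    files = cfg.read(configFilePath)
+    assert len(files) == 1, "Error reading %s" % configFilePath
 
     hostname = cfg.get('setUp', 'hostname')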
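Review bot: `assert len(files) == 1, ...` is used to validate that the config file was actually read, but `assert` is compiled away under `python -O`, after which a missing `echoServer.cfg` proceeds to `cfg.get('setUp', 'hostname')` and fails with a less useful `NoSectionError`; replace it with `if len(files) != 1: raise IOError("Error reading %s" % configFilePath)`. The `dirname(dirname(dirname(dirname(__file__))))` default collapses to `<cwd>/config` when `__file__` is a relative path, because `dirname('')` is `''`, so apply `abspath(__file__)` before the chain. The first hunk adds only `import sys` and `import os`, and `abspath`, `dirname` and `join` are not imported in the visible lines; if they are not imported elsewhere in the module, the new defaults raise `NameError`. The enclosing block starts and ends outside the hunks.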
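--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/server/wssecurity.cfg	r5053
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/wssecurity/foursuite/server/wssecurity.cfg	r5057
@@ -28,6 +28,6 @@
 
 # ... or provide file path PEM encode cert here
-signingCertFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.crt
-#signingCertFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/java-ca-server.crt
+signingCertFilePath=$NDGSEC_TEST_CONFIG_DIR/pki/wsse-server.crt
+#signingCertFilePath=$NDGSEC_TEST_CONFIG_DIR/pki/java-ca-server.crt
 
 # Pass a list of certificates ',' separated PEM encoded certs constituting a
@@ -41,6 +41,6 @@
 
 # ... or provide file path to PEM encoded private key file
-signingPriKeyFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/wsse-server.key
-#signingPriKeyFilePath=$NDGSEC_UNITTEST_CONFIG_DIR/pki/java-ca-server.key
+signingPriKeyFilePath=$NDGSEC_TEST_CONFIG_DIR/pki/wsse-server.key
+#signingPriKeyFilePath=$NDGSEC_TEST_CONFIG_DIR/pki/java-ca-server.key
 
 # Password protecting private key.  Leave blank if there is no password.
@@ -95,3 +95,3 @@
 # Provide a space separated list of file paths
 # - NB, the two CA certificates are for the python and the java clients, respectively
-caCertFilePathList=$NDGSEC_UNITTEST_CONFIG_DIR/ca/java-ca.crt $NDGSEC_UNITTEST_CONFIG_DIR/ca/ndg-test-ca.crt
+caCertFilePathList=$NDGSEC_TEST_CONFIG_DIR/ca/java-ca.crt $NDGSEC_TEST_CONFIG_DIR/ca/ndg-test-ca.crt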