Changeset 5181 for TI12-security
- Timestamp:
- 07/04/09 16:40:44 (12 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 21 edited
TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py
r4840 r5181 36 36 37 37 38 #_____________________________________________________________________________39 38 class AttCertError(Exception): 40 39 """Exception handling for NDG Attribute Certificate class.""" 41 40 42 #_____________________________________________________________________________ 41 class AttCertNotBeforeTimeError(AttCertError): 42 """Current time is before the Attribute Certificate's not before time""" 43 44 class AttCertExpired(AttCertError): 45 """Current time is after the Attribute Certificate's not after time""" 46 43 47 class AttCertReadOnlyDict(dict): 44 48 def __init__(self, inputDict): … … 46 50 47 51 def __setitem__(self, key, item): 48 raise KeyError , "Items are read-only in this dictionary"52 raise KeyError("Items are read-only in this dictionary") 49 53 50 #_____________________________________________________________________________51 54 class _MetaAttCert(type): 52 55 """Enable AttCert to have read only class variables e.g. … … 58 61 ... raises - AttributeError: can't set attribute""" 59 62 60 #_________________________________________________________________________61 63 def __getVersion(cls): 62 64 '''Version of THIS format for the certificate''' … … 1041 1043 version (default is True) 1042 1044 1043 @param chkProvenance set to True to check provenance value is valid1045 @param chkProvenance: set to True to check provenance value is valid 1044 1046 (default is True) 1045 1047 -
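Review bot: `AttCertReadOnlyDict` still intercepts only `__setitem__` (the line this commit rewrites), so `update()`, `pop()`, `popitem()`, `setdefault()`, `clear()` and `del d[key]` all mutate the mapping the class exists to freeze; the other mutators should raise the same `KeyError`. If `__init__` (its body is outside this hunk) fills the dict via `self.update(inputDict)`, it must switch to `dict.update(self, inputDict)` once `update` is blocked. The new `AttCertNotBeforeTimeError` / `AttCertExpired` classes look fine, but the `isValid(raiseExcep=True)` code that should raise them is outside the hunk, so I could not confirm it distinguishes the two cases.
```python
class AttCertReadOnlyDict(dict):
    # … unchanged: __init__ (must populate via dict.update(self, inputDict)) …
    def __setitem__(self, key, item):
        raise KeyError("Items are read-only in this dictionary")

    def _readOnly(self, *args, **kw):
        raise KeyError("Items are read-only in this dictionary")

    __delitem__ = update = pop = popitem = setdefault = clear = _readOnly
```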
TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py
r5168 r5181 88 88 return resource 89 89 90 class Subject(object): 90 class _AttrDict(dict): 91 """Utility class for holding a constrained list of attributes governed 92 by a namespace list""" 93 namespaces = () 94 def __init__(self, **attributes): 95 invalidAttributes = [attr for attr in attributes \ 96 if attr not in self.__class__.namespaces] 97 if len(invalidAttributes) > 0: 98 raise TypeError("The following attribute namespace(s) are not " 99 "recognised: %s" % invalidAttributes) 100 101 self.update(attributes) 102 103 def __setitem__(self, key, val): 104 if key not in self.__class__.namespaces: 105 raise KeyError('Namespace "%s" not recognised. Valid namespaces ' 106 'are: %s' % self.__class__.namespaces) 107 108 dict.__setitem__(self, key, val) 109 110 111 def update(self, d, **kw): 112 for dictArg in (d, kw): 113 for k in dictArg: 114 if key not in self.__class__.namespaces: 115 raise KeyError('Namespace "%s" not recognised. Valid ' 116 'namespaces are: %s' % 117 self.__class__.namespaces) 118 119 dict.update(self, d, **kw) 120 121 class Subject(_AttrDict): 91 122 '''Subject designator''' 92 def __init__(self, attributes={}): 93 self.attributes = attributes 94 95 class Resource(object): 123 namespaces = ( 124 "urn:ndg:security:authz:1.0:attr:subject:userId", 125 "urn:ndg:security:authz:1.0:attr:subject:sessionId", 126 "urn:ndg:security:authz:1.0:attr:subject:sessionManagerURI", 127 "urn:ndg:security:authz:1.0:attr:subject:roles" 128 ) 129 (USERID_NS, SESSIONID_NS, SESSIONMANAGERURI_NS, ROLES_NS) = namespaces 130 131 class Resource(_AttrDict): 96 132 '''Resource designator''' 97 def __init__(self, uri=''): 98 self.uri = uri 99 100 def __str__(self): 101 return self.uri 102 103 def __eq__(self, uri): 104 return self.uri == uri 105 133 namespaces = ( 134 "urn:ndg:security:authz:1.0:attr:resource:uri", 135 ) 136 (URI_NS,) = namespaces 137 106 138 class Request(object): 107 139 '''Request to send to a PDP''' … … 129 161 130 162 163 from 
ndg.security.common.sessionmanager import SessionManagerClient, \ 164 SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession, \ 165 AttributeRequestDenied 166 167 from ndg.security.common.authz.pdp import PDPUserNotLoggedIn, \ 168 PDPUserAccessDenied 169 170 class SubjectRetrievalError(Exception): 171 """Generic exception class for errors related to information about the 172 subject""" 173 174 class InvalidAttributeCertificate(SubjectRetrievalError): 175 "The certificate containing authorisation roles is invalid" 176 def __init__(self, msg=None): 177 SubjectRetrievalError.__init__(self, msg or 178 InvalidAttributeCertificate.__doc__) 179 180 class AttributeCertificateNotBeforeTimeError(SubjectRetrievalError): 181 ("There is a time issuing error with certificate containing authorisation " 182 "roles") 183 def __init__(self, msg=None): 184 SubjectRetrievalError.__init__(self, msg or 185 AttributeCertificateNotBeforeTimeError.__doc__) 186 187 class AttributeCertificateExpired(SubjectRetrievalError): 188 "The certificate containing authorisation roles has expired" 189 def __init__(self, msg=None): 190 SubjectRetrievalError.__init__(self, msg or 191 AttributeCertificateExpired.__doc__) 192 193 class SessionExpiredMsg(SubjectRetrievalError): 194 'Session has expired. Please re-login at your home organisation' 195 def __init__(self, msg=None): 196 SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__) 197 198 class SessionNotFoundMsg(SubjectRetrievalError): 199 'No session was found. Please try re-login with your home organisation' 200 def __init__(self, msg=None): 201 SubjectRetrievalError.__init__(self, msg or 202 SessionNotFoundMsg.__doc__) 203 204 class InvalidSessionMsg(SubjectRetrievalError): 205 'Session is invalid. 
Please try re-login with your home organisation' 206 def __init__(self, msg=None): 207 SubjectRetrievalError.__init__(self, msg or 208 InvalidSessionMsg.__doc__) 209 210 class InitSessionCtxError(SubjectRetrievalError): 211 'A problem occurred initialising a session connection' 212 def __init__(self, msg=None): 213 SubjectRetrievalError.__init__(self, msg or 214 InitSessionCtxError.__doc__) 215 216 class AttributeCertificateRequestError(SubjectRetrievalError): 217 'A problem occurred requesting a certificate containing authorisation roles' 218 def __init__(self, msg=None): 219 SubjectRetrievalError.__init__(self,msg or 220 AttributeCertificateRequestError.__doc__) 221 222 class PIPAttributeQuery(_AttrDict): 223 namespaces = ( 224 "urn:ndg:security:authz:1.0:attr:subject", 225 "urn:ndg:security:authz:1.0:attr:attributeAuthorityURI", 226 ) 227 (SUBJECT_NS, ATTRIBUTEAUTHORITY_NS) = namespaces 228 229 class PIPAttributeResponse(_AttrDict): 230 namespaces = ( 231 "urn:ndg:security:authz:1.0:attr:attributeCertificate", 232 ) 233 (ATTRIBUTECERTIFICATE_NS,) = namespaces 234 235 236 from ndg.security.common.wssecurity import WSSecurityConfig 237 from ndg.security.common.credentialwallet import CredentialWallet 238 239 class PIP(object): 240 """Policy Information Point - this implementation enables the PDP to 241 retrieve attributes about the Subject""" 242 243 def __init__(self, prefix='', **cfg): 244 '''Set-up WS-Security and SSL settings for connection to an 245 Attribute Authority 246 247 @type **cfg: dict 248 @param **cfg: keywords including 'sslCACertFilePathList' used to set a 249 list of CA certificates for an SSL connection to the Attribute 250 Authority if used and also WS-Security settings as used by 251 ndg.security.common.wssecurity.WSSecurityConfig 252 ''' 253 self._subjectCache = {} 254 255 self.wssecurityCfg = WSSecurityConfig() 256 wssePrefix = prefix + 'wssecurity' 257 self.wssecurityCfg.update(cfg, prefix=wssePrefix) 258 259 self.sslCACertFilePathList = 
cfg.get(prefix+'sslCACertFilePathList',[]) 260 261 def attributeQuery(self, attributeQuery): 262 """Query the Attribute Authority specified in the request to retrieve 263 the attributes if any corresponding to the subject 264 265 @type attributeResponse: PIPAttributeQuery 266 @param attributeResponse: 267 @rtype: PIPAttributeResponse 268 @return: response containing the attributes retrieved from the 269 Attribute Authority""" 270 271 subject = attributeQuery[PIPAttributeQuery.SUBJECT_NS] 272 sessionId = subject[Subject.SESSIONID_NS] 273 attributeAuthorityURI = attributeQuery[ 274 PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] 275 276 # Check this subject's cache for an Attribute Certificate previously 277 # retrieved. 278 attributeCertificate = None 279 if self._subjectCache.get(sessionId) is not None: 280 subjectCred = subjectCache.credentialByURI.get( 281 attributeAuthorityURI) 282 283 if subjectCred is not None: 284 if subjectCred['attCert'].isValid(): 285 attributeCertificate = subjectCred['attCert'] 286 287 # If no Attribute Certificate is available, retrieve from the relevant 288 # Attribute Authority 289 if attributeCertificate is None: 290 sessionId = subject[Subject.SESSIONID_NS] 291 attributeCertificate = self._getAttributeCertificate( 292 sessionId, 293 subject[Subject.SESSIONMANAGERURI_NS], 294 attributeAuthorityURI) 295 296 # Make a new wallet for this subject 297 self._subjectCache[sessionId] = \ 298 CredentialWallet(userId=attributeCertificate.userId) 299 300 self._subjectCache[sessionId].addCredential( 301 attributeCertificate, 302 attributeAuthorityURI=attributeAuthorityURI) 303 304 attributeResponse = PIPAttributeResponse() 305 attributeResponse[PIPAttributeResponse.ATTRIBUTECERTIFICATE_NS] = \ 306 attributeCertificate 307 308 return attributeResponse 309 310 311 def _getAttributeCertificate(self, 312 sessionId, 313 sessionManagerURI, 314 attributeAuthorityURI): 315 '''Retrieve an Attribute Certificate using the subject's Session 316 Manager 317 318 
@type sessionId: basestring 319 @param sessionId: Session Manager session handle 320 @type sessionManagerURI: basestring 321 @param sessionManagerURI: URI to remote session manager service 322 @type attributeAuthorityURI: basestring 323 @param attributeAuthorityURI: URI to Attribute Authority service 324 ''' 325 326 try: 327 # Create Session Manager client - if a file path was set, setting 328 # are read from a separate config file section otherwise, from the 329 # PDP config object 330 smClnt = SessionManagerClient( 331 uri=sessionManagerURI, 332 sslCACertFilePathList=self.sslCACertFilePathList, 333 cfg=self.wssecurityCfg) 334 except Exception, e: 335 log.error("Creating Session Manager client: %s" % e) 336 raise InitSessionCtxError() 337 338 339 try: 340 # Make request for attribute certificate 341 attCert = smClnt.getAttCert( 342 attributeAuthorityURI=attributeAuthorityURI, 343 sessID=sessionId) 344 345 except AttributeRequestDenied, e: 346 log.error("Request for attribute certificate denied: %s" % e) 347 raise PDPUserAccessDenied() 348 349 except SessionNotFound, e: 350 log.error("No session found: %s" % e) 351 raise SessionNotFoundMsg() 352 353 except SessionExpired, e: 354 log.error("Session expired: %s" % e) 355 raise SessionExpiredMsg() 356 357 except SessionCertTimeError, e: 358 log.error("Session cert. 
time error: %s" % e) 359 raise InvalidSessionMsg() 360 361 except InvalidSession, e: 362 log.error("Invalid user session: %s" % e) 363 raise InvalidSessionMsg() 364 365 except Exception, e: 366 log.error("Request from Session Manager [%s] to Attribute " 367 "Authority [%s] for attribute certificate: %s: %s" % 368 (sessionManagerURI, 369 attributeAuthorityURI, 370 e.__class__, e)) 371 raise AttributeCertificateRequestError() 372 373 try: 374 attCert.isValid(raiseExcep=True) 375 376 except AttCertNotBeforeTimeError, e: 377 log.exception(e) 378 raise AttributeCertificateNotBeforeTimeError() 379 380 except AttCertExpired, e: 381 log.exception(e) 382 raise AttributeCertificateExpired() 383 384 except AttCertError, e: 385 log.exception(e) 386 raise InvalidAttributeCertificate() 387 388 return attCert 389 390 391 131 392 class PDP(object): 132 def __init__(self, policyFilePath): 393 """Policy Decision Point""" 394 395 def __init__(self, policyFilePath=Policy(), pip=None): 396 """Read in a file which determines access policy""" 133 397 self.policy = Policy.Parse(policyFilePath) 398 self.pip = pip 134 399 135 400 def evaluate(self, request): 136 401 '''Make access control decision''' 137 138 for attr in request.resource.attributes: 139 if attr in request.subject.attributes: 402 403 # Look for matching targets to the given resource 404 resourceURI = request.resource[Resource.URI_NS] 405 matchingTargets = [target for target in self.policy.targets 406 if target.regEx.match(resourceURI) is not None] 407 408 knownAttributeAuthorityURIs = [] 409 for matchingTarget in matchingTargets: 410 411 # Make call to the Policy Information Point to pull user 412 # attributes applicable to this resource 413 if matchingTarget.attributeAuthorityURI not in \ 414 knownAttributeAuthorityURIs: 415 416 attributeQuery = PIPAttributeQuery() 417 attributeQuery[PIPAttributeQuery.SUBJECT_NS]=request.subject 418 419 attributeQuery[PIPAttributeQuery.ATTRIBUTEAUTHORITY_NS] = \ 420 
matchingTarget.attributeAuthorityURI 421 422 attributeResponse = self.pip.attributeQuery(attributeQuery) 423 knownAttributeAuthorityURIs.append( 424 matchingTarget.attributeAuthorityURI) 425 426 attributeCertificate = attributeResponse[ 427 PIPAttributeResponse.ATTRIBUTECERTIFICATE_NS] 428 request.subject[Subject.ROLES_NS] = attributeCertificate.roles 429 430 # Match the subject's attributes against the target 431 for attr in matchingTarget.attributes: 432 if attr in request.subject[Subject.ROLES_NS]: 140 433 return Response(Response.DECISION_PERMIT) 141 434 -
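Review bot: `PIP.attributeQuery` crashes on every cache hit: line 280 references an undefined name `subjectCache` and an attribute `credentialByURI` that `CredentialWallet` does not expose (the wallet hunk in this changeset adds `credentialsKeyedByURI`), so the second request in a session raises `NameError` instead of reusing the cached certificate; it should read `subjectCred = self._subjectCache[sessionId].credentialsKeyedByURI.get(attributeAuthorityURI)`. `_AttrDict.update` has the same kind of bug — it loops over `k` but tests `key` — and both `__setitem__` and `update` format a two-`%s` message with only `self.__class__.namespaces`, so an invalid key raises `TypeError` from the `%` operator rather than the intended `KeyError`; use `% (key, self.__class__.namespaces)`. In `PDP.evaluate`, `request.subject[Subject.ROLES_NS]` holds whichever Attribute Authority was queried last, so a later target whose authority is already in `knownAttributeAuthorityURIs` is matched against another authority's roles — keep the roles per authority URI and test each target against its own authority's entry, as below. `PDP.__init__` also evaluates `Policy()` as a default argument and then hands it to `Policy.Parse`, which presumably expects a file path; `policyFilePath=None` plus an explicit check is safer. `evaluate`'s behaviour when no target matches is outside the hunk, so I could not confirm it denies by default.
```python
        rolesByAuthorityURI = {}
        for matchingTarget in matchingTargets:
            authorityURI = matchingTarget.attributeAuthorityURI
            if authorityURI not in rolesByAuthorityURI:
                # … unchanged: build attributeQuery and call self.pip.attributeQuery …
                rolesByAuthorityURI[authorityURI] = attributeCertificate.roles

            # Match the target only against roles issued by *its* authority
            subjectRoles = rolesByAuthorityURI[authorityURI]
            request.subject[Subject.ROLES_NS] = subjectRoles
            for attr in matchingTarget.attributes:
                if attr in subjectRoles:
                    return Response(Response.DECISION_PERMIT)
```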
TI12-security/trunk/python/ndg.security.common/ndg/security/common/credentialwallet.py
r5063 r5181 305 305 '_cfg', 306 306 '_credentials', 307 '_credentialsKeyedByURI', 307 308 '_dn', 308 309 '_attributeAuthorityURI' … … 413 414 self.audit() 414 415 416 def __getstate__(self): 417 '''Enable pickling for use with beaker.session''' 418 return dict([(attrName, getattr(self, attrName)) \ 419 for attrName in CredentialWallet._protectedAttrs]) 420 421 def __setstate__(self): 422 '''Enable pickling for use with beaker.session''' 423 pass 424 415 425 def parseConfig(self, cfg, prefix='', section='DEFAULT'): 416 426 '''Extract parameters from _cfg config object''' … … 631 641 632 642 def _getCredentials(self): 633 """Get Property method. Credentials are read-only 643 """Get Property method. Credentials doct is read-only but also see 644 addCredential method 634 645 635 646 @rtype: dict … … 642 653 "issuing authorities") 643 654 644 655 def _getCredentialsKeyedByURI(self): 656 """Get Property method for credentials keyed by Attribute Authority URI 657 Credentials dict is read-only but also see addCredential method 658 659 @rtype: dict 660 @return: cached ACs indexed by issuing Attribute Authority""" 661 return self._credentialsKeyedByURI 662 663 # Publish attribute 664 credentialsKeyedByURI = property(fget=_getCredentials, 665 doc="List of Attribute Certificates linked to " 666 "attribute authority URI") 667 645 668 def _getCACertFilePathList(self): 646 669 """Get CA cert or certs used to validate AC signatures and signatures … … 845 868 846 869 847 def addCredential(self, attCert, bUpdateCredentialRepository=True): 870 def addCredential(self, 871 attCert, 872 attributeAuthorityURI=None, 873 bUpdateCredentialRepository=True): 848 874 """Add a new attribute certificate to the list of credentials held. 849 875 850 876 @type attCert: 851 877 @param attCert: new attribute Certificate to be added 878 @type attributeAuthorityURI: basestring 879 @param attributeAuthorityURI: input the Attribute Authority URI from 880 which attCert was retrieved. 
This is added to a dict to enable access 881 to a given Attribute Certificate keyed by Attribute Authority URI. 882 See the getCredential method. 852 883 @type bUpdateCredentialRepository: bool 853 884 @param bUpdateCredentialRepository: if set to True, and a repository … … 857 888 @return: True if certificate was added otherwise False. - If an 858 889 existing certificate from the same issuer has a later expiry it will 859 take prece nce and the new input certificate is ignored."""890 take precedence and the new input certificate is ignored.""" 860 891 861 892 # Check input 862 893 if not isinstance(attCert, AttCert): 863 raise CredentialWalletError("Attribute Certificate must be an AttCert"864 "type object")894 raise CredentialWalletError("Attribute Certificate must be an " 895 "AttCert type object") 865 896 866 897 # Check certificate validity … … 897 928 # from the CredentialRepository during creation of the wallet will 898 929 # have +ve IDs previously allocated by the database 899 self._credentials[issuerName] = {'id': -1, 'attCert': attCert} 900 930 self._credentials[issuerName] = { 931 'id': -1, 932 'attCert': attCert, 933 'attributeAuthorityURI': attributeAuthorityURI 934 } 935 936 if attributeAuthorityURI: 937 self._credentialsKeyedByURI[attributeAuthorityURI] = \ 938 self._credentials[issuerName] 939 901 940 # Update the Credentials Repository - the permanent store of user 902 941 # authorisation credentials. This allows credentials for previous -
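Review bot: The new `credentialsKeyedByURI` property at line 664 is bound to `fget=_getCredentials` instead of `_getCredentialsKeyedByURI`, so it returns the issuer-name-keyed dict and any lookup by Attribute Authority URI silently yields `None`; it should be `credentialsKeyedByURI = property(fget=_getCredentialsKeyedByURI, doc=...)`. `__setstate__(self)` is also wrong for pickling: `pickle` calls it with the state dict, so unpickling from beaker.session raises `TypeError`, and even with the argument the body discards the state — use `def __setstate__(self, state): self.__dict__.update(state)`. `addCredential` writes to `self._credentialsKeyedByURI`, which must be initialised to `{}` in `__init__`; that method is outside the hunk so I could not confirm it is. Note too that pickling the wallet into the session store serialises the attribute certificates themselves, so the session backend becomes part of the credential trust boundary and deserves a comment saying so.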
TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/signaturehandler/__init__.py
r5168 r5181 238 238 self.cfg = cfg 239 239 else: 240 raise TypeError("cfg keyword set to %s type. cfg must be a " 241 "file path string, RawConfigParser derived " 242 "class instance or WSSecurityConfig type" % 243 cfg.__class__) 244 240 self.cfg = cfgClass() 241 245 242 # Also update config from keywords set 246 log.debug("BaseSignatureHandler.__init__: setting config from "243 log.debug("BaseSignatureHandler.__init__: updating config from " 247 244 "keywords...") 248 245 -
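Review bot: The replaced branch at line 240 turns a configuration error into a silent fallback: a `cfg` of an unexpected type no longer raises `TypeError` but yields a fresh `cfgClass()`, so a mis-wired WS-Security signature handler would start with default (presumably empty) signing and verification settings instead of failing fast. For a signature handler that is the wrong direction; keep the fallback for `cfg is None` only and re-raise for any other type, e.g. `elif cfg is None: self.cfg = cfgClass()` followed by `else: raise TypeError("cfg must be a file path, RawConfigParser or WSSecurityConfig, not %s" % cfg.__class__)`. `cfgClass` is assigned outside the hunk, so I could not check what type it resolves to. The enclosing `__init__` starts before this hunk.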
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py
r4821 r5181 118 118 self.smURI = None 119 119 120 if self.cfg.has_option(defSection, 'sessionManagerEnvironKey '):121 self.smEnvironKey = self.cfg.get(defSection,122 'sessionManagerEnvironKey ')123 else: 124 self.smEnvironKey = None120 if self.cfg.has_option(defSection, 'sessionManagerEnvironKeyName'): 121 self.smEnvironKeyName = self.cfg.get(defSection, 122 'sessionManagerEnvironKeyName') 123 else: 124 self.smEnvironKeyName = None 125 125 126 126 if self.cfg.has_option(defSection, 'attributeAuthorityURI'): … … 129 129 self.aaURI = None 130 130 131 if self.cfg.has_option(defSection, 'attributeAuthorityEnvironKey '):132 self.aaEnvironKey = self.cfg.get(defSection,133 'attributeAuthorityEnvironKey ')134 else: 135 self.aaEnvironKey = None131 if self.cfg.has_option(defSection, 'attributeAuthorityEnvironKeyName'): 132 self.aaEnvironKeyName = self.cfg.get(defSection, 133 'attributeAuthorityEnvironKeyName') 134 else: 135 self.aaEnvironKeyName = None 136 136 137 137 # ... for SSL connections to security web services -
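Review bot: Renaming the ini options to `sessionManagerEnvironKeyName` / `attributeAuthorityEnvironKeyName` silently breaks existing deployments: the `has_option` checks at lines 120 and 131 ignore the old `sessionManagerEnvironKey` / `attributeAuthorityEnvironKey` spellings and leave `smEnvironKeyName` / `aaEnvironKeyName` as `None`, so the SSO service quietly loses its environ-key wiring. Either accept the old spelling as a fallback for one release or fail loudly when it is present, e.g. `elif self.cfg.has_option(defSection, 'sessionManagerEnvironKey'): raise ValueError("'sessionManagerEnvironKey' was renamed to 'sessionManagerEnvironKeyName'")`. The enclosing method starts before this hunk.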
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py
r4898 r5181 52 52 try: 53 53 smClnt = WSGISessionManagerClient( 54 55 56 environKey=self.cfg.smEnvironKey,57 attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,58 59 60 61 62 54 environ=request.environ, 55 uri=session['ndgSec']['h'], 56 environKeyName=self.cfg.smEnvironKeyName, 57 attributeAuthorityEnvironKeyName=self.cfg.aaEnvironKeyName, 58 tracefile=self.cfg.tracefile, 59 httpProxyHost=self.cfg.httpProxyHost, 60 noHttpProxyList=self.cfg.noHttpProxyList, 61 sslCACertFilePathList=self.cfg.sslCACertFilePathList, 62 **self.cfg.wss) 63 63 except Exception, e: 64 64 c.xml = ('Error establishing security context. Please report ' … … 109 109 try: 110 110 smClnt = WSGISessionManagerClient( 111 112 113 environKey=self.cfg.smEnvironKey,114 attributeAuthorityEnvironKey=self.cfg.aaEnvironKey,115 116 117 118 111 environ=request.environ, 112 uri=self.cfg.smURI, 113 environKeyName=self.cfg.smEnvironKeyName, 114 attributeAuthorityEnvironKeyName=self.cfg.aaEnvironKeyName, 115 tracefile=self.cfg.tracefile, 116 httpProxyHost=self.cfg.httpProxyHost, 117 noHttpProxyList=self.cfg.noHttpProxyList, 118 **self.cfg.wss) 119 119 120 120 username = request.params['username'] … … 225 225 environ=request.environ, 226 226 uri=self.cfg.aaURI, 227 environKey =self.cfg.aaEnvironKey,227 environKeyName=self.cfg.aaEnvironKeyName, 228 228 tracefile=self.cfg.tracefile, 229 229 httpProxyHost=self.cfg.httpProxyHost, -
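Review bot: The second `WSGISessionManagerClient` construction (lines 110-118, the username/password login path to `self.cfg.smURI`) does not pass `sslCACertFilePathList=self.cfg.sslCACertFilePathList`, while the first (lines 53-62) does; if `smURI` is an https endpoint the client presumably falls back to its default CA handling, and a call carrying the user's password is exactly the one that should use the explicitly configured CA list. Add `sslCACertFilePathList=self.cfg.sslCACertFilePathList,` to the second call. Only the keyword lines are visible here, so if the omission predates this changeset it is still worth fixing while these arguments are being touched.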
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py
r4907 r5181 45 45 smClnt = WSGISessionManagerClient(uri=session['ndgSec']['h'], 46 46 environ=request.environ, 47 environKey =self.cfg.smEnvironKey,47 environKeyName=self.cfg.smEnvironKeyName, 48 48 tracefile=cfg.tracefile, 49 49 sslCACertFilePathList=cfg.sslCACertFilePathList, -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/openid_util.py
r4900 r5181 128 128 aaClnt = WSGIAttributeAuthorityClient(environ=pylons.request.environ, 129 129 uri=cfg.aaURI, 130 environKey =cfg.aaEnvironKey,130 environKeyName=cfg.aaEnvironKeyName, 131 131 tracefile=cfg.tracefile, 132 132 httpProxyHost=cfg.httpProxyHost, -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py
r5154 r5181 29 29 try: 30 30 client = WSGISessionManagerClient(environ=environ, 31 environKey=self.sessionManagerFilterID)31 environKeyName=self.sessionManagerFilterID) 32 32 res = client.connect(username, passphrase=password) 33 33 … … 76 76 self._redirectURI = None 77 77 super(AuthenticationRedirectMiddleware, self).__init__(app, 78 global_conf,79 **app_conf)78 global_conf, 79 **app_conf) 80 80 81 81 @NDGSecurityMiddlewareBase.initCall … … 196 196 session.pop('username', None) 197 197 session.pop('sessionManagerURI', None) 198 session.pop('sessionId', None) 198 199 session.save() 199 200 else: … … 204 205 # eval is safe here because AuthKit cookie is signed and 205 206 # AuthKit middleware checks for tampering 206 if 'sessionManagerURI' not in session: 207 if 'sessionManagerURI' not in session or \ 208 'sessionId' not in session: 207 209 axData = eval(environ['REMOTE_USER_DATA']) 208 210 sessionManagerURI=axData['ax']['value.sessionManagerURI.1'] 209 211 session['sessionManagerURI'] = sessionManagerURI 210 212 213 sessionId = axData['ax']['value.sessionId.1'] 214 session['sessionId'] = sessionId 215 211 216 # Reset cookie removing user data 212 217 environ['paste.auth_tkt.set_user'](session['username']) -
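Review bot: The new `sessionId` extraction at line 213 extends the `eval()` of `environ['REMOTE_USER_DATA']`, a value deserialised from the AuthKit cookie; the comment argues the cookie is signed, but `ast.literal_eval` parses the same literal without executing code and removes the dependency on that signature check being correct, so `axData = ast.literal_eval(environ['REMOTE_USER_DATA'])` (with `import ast` at the top of the file) is the safer line. The new lookup `axData['ax']['value.sessionId.1']` also has no fallback: a provider that returned `sessionManagerURI` but not `sessionId` now raises `KeyError` on an authenticated request instead of treating the user as not logged in. Consider `.get()` on both values and sending the user back to authenticate when either is missing. The enclosing method starts before this hunk.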
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz/__init__.py
r5168 r5181 15 15 from ndg.security.server.wsgi import NDGSecurityPathFilter 16 16 from ndg.security.common.X509 import X500DN 17 from ndg.security.common.authz.msi import Policy18 17 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \ 19 18 NDGSecurityMiddlewareConfigError … … 22 21 NDGSecurityMiddlewareConfigError 23 22 24 from ndg.security.common.authz.msi import PDP, Request, Resource 25 from ndg.security.common.wssecurity import WSSecurityConfig 26 from ndg.security.common.sessionmanager import SessionManagerClient, \ 27 SessionNotFound, SessionCertTimeError, SessionExpired, InvalidSession, \ 28 AttributeRequestDenied 29 30 class SubjectRetrievalError(Exception): 31 """Generic exception class for errors related to information about the 32 subject""" 33 34 class InvalidAttributeCertificate(SubjectRetrievalError): 35 "The certificate containing authorisation roles is invalid" 36 def __init__(self, msg=None): 37 SubjectRetrievalError.__init__(self, msg or 38 InvalidAttributeCertificate.__doc__) 39 40 class SessionExpiredMsg(SubjectRetrievalError): 41 'Session has expired. Please re-login' 42 def __init__(self, msg=None): 43 SubjectRetrievalError.__init__(self, msg or SessionExpiredMsg.__doc__) 44 45 class InvalidSessionMsg(SubjectRetrievalError): 46 'Session is invalid. 
Please try re-login' 47 def __init__(self, msg=None): 48 SubjectRetrievalError.__init__(self, msg or 49 InvalidSessionMsg.__doc__) 50 51 class InitSessionCtxError(SubjectRetrievalError): 52 'A problem occurred initialising a session connection' 53 def __init__(self, msg=None): 54 SubjectRetrievalError.__init__(self, msg or 55 InitSessionCtxError.__doc__) 56 57 class AttributeCertificateRequestError(SubjectRetrievalError): 58 'A problem occurred requesting a certificate containing authorisation roles' 59 def __init__(self, msg=None): 60 SubjectRetrievalError.__init__(self,msg or 61 AttributeCertificateRequestError.__doc__) 23 from ndg.security.common.authz.msi import PIP, PDP, Request, Response, \ 24 Resource, Subject 62 25 63 26 class PEPMiddleware(NDGSecurityPathFilter): … … 76 39 def __init__(self, app, global_conf, prefix='', **app_conf): 77 40 41 # Policy Enforcement Point 42 pipCfg = PEPMiddleware._filterKeywords(app_conf, 'pip.') 43 pip = PIP(**pipCfg) 44 45 # Policy Decision Point 78 46 pdpCfg = PEPMiddleware._filterKeywords(app_conf, 'pdp.') 79 self.pdp = PDP(**pdpCfg) 80 81 self.wssecurityCfg = WSSecurityConfig() 82 wssePrefix = 'sessionManagerClient.wssecurity' 83 self.wssecurityCfg.update(app_conf, prefix=wssePrefix) 84 85 PEPMiddleware._filterKeywords(app_conf, wssePrefix+'.') 86 87 self.sslCACertFilePathList = app_conf.pop( 88 'sessionManagerClient.sslCACertFilePathList', []) 47 self.pdp = PDP(pip=pip, **pdpCfg) 89 48 90 49 super(PEPMiddleware, self).__init__(app, … … 117 76 [('Content-type', 'text/plain') , 118 77 ('Content-length', str(len(response)))]) 119 return response 120 121 def _getAttributeCertificate(self, attributeAuthorityURI): 122 try: 123 # Create Session Manager client - if a file path was set, setting 124 # are read from a separate config file section otherwise, from the 125 # PDP config object 126 smClnt = SessionManagerClient( 127 uri=self.session['sessionManagerURI'], 128 sslCACertFilePathList=self.sslCACertFilePathList, 129 
cfg=self.wssecurityCfg) 130 except Exception, e: 131 log.error("Creating Session Manager client: %s" % e) 132 raise InitSessionCtxError() 133 134 135 try: 136 # Make request for attribute certificate 137 attCert = smClnt.getAttCert( 138 attributeAuthorityURI=attributeAuthorityURI, 139 sessID=self.session['sessionID']) 140 return attCert 141 142 except AttributeRequestDenied, e: 143 log.error("Request for attribute certificate denied: %s" % e) 144 raise PDPUserAccessDenied() 145 146 except SessionNotFound, e: 147 log.error("No session found: %s" % e) 148 raise PDPUserNotLoggedIn() 149 150 except SessionExpired, e: 151 log.error("Session expired: %s" % e) 152 raise InvalidSessionMsg() 153 154 except SessionCertTimeError, e: 155 log.error("Session cert. time error: %s" % e) 156 raise InvalidSessionMsg() 157 158 except InvalidSession, e: 159 log.error("Invalid user session: %s" % e) 160 raise InvalidSessionMsg() 161 162 except Exception, e: 163 log.error("Request from Session Manager [%s] to Attribute " 164 "Authority [%s] for attribute certificate: %s: %s" % 165 (self.session['sessionManagerURI'], 166 attributeAuthorityURI, 167 e.__class__, e)) 168 raise AttributeCertificateRequestError() 169 78 return response 170 79 171 80 def isAuthorized(self): … … 176 85 # Make a request object to pass to the PDP 177 86 request = Request() 178 request.subject.attributes['userId'] = self.session['username'] 179 request.resource = self.environ.get( 180 'ndg.security.server.wsgi.pep.resource') or Resource(self.pathInfo) 87 request.subject[Subject.USERID_NS] = self.session['username'] 88 request.subject[Subject.SESSIONID_NS] = self.session['sessionId'] 89 request.subject[Subject.SESSIONMANAGERURI_NS] = self.session[ 90 'sessionManagerURI'] 181 91 182 # Look for matching targets to the given resource 183 matchingTargets = [target for target in self.pdp.policy.targets 184 if target.regEx.match(request.resource.uri) \ 185 is not None] 186 187 attributeAuthorityURIs = [] 188 for 
matchingTarget in matchingTargets: 189 190 # Make call to relevant Attribute Authority if not already 191 # requested 192 if matchingTarget.attributeAuthorityURI not in \ 193 attributeAuthorityURIs: 194 attributeCertificate = self._getAttributeCertificate( 195 matchingTarget.attributeAuthorityURI) 196 attributeAuthorityURIs.append( 197 matchingTarget.attributeAuthorityURI) 198 199 request.subject.attributes.update( 200 {'roles': attributeCertificate.roles}) 92 resourceURI = self.environ.get('ndg.security.server.wsgi.pep.resource') 93 request.resource[Resource.URI_NS] = resourceURI or self.pathInfo 201 94 202 95 response = self.pdp.evaluate(request) 203 return status96 return response.status == Response.DECISION_PERMIT 204 97 205 98 def accessDeniedResponse(self): … … 208 101 response''' 209 102 response = "Access Denied" 210 s tart_response(PEPMiddleware.getStatusMessage(403),211 [('Content-type', 'text/plain') ,212 ('Content-length', str(len(response)))])103 self.start_response(PEPMiddleware.getStatusMessage(403), 104 [('Content-type', 'text/plain') , 105 ('Content-length', str(len(response)))]) 213 106 return response 214 107 -
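Review bot: `isAuthorized` now reads `self.session['sessionId']` and `self.session['sessionManagerURI']` with plain indexing (lines 88-90), so a session created before this deploy, or one whose OpenID AX response lacked `sessionId`, raises `KeyError` inside the PEP instead of producing a deny or login redirect; fetch them with `.get()` and return `False` (or raise the not-logged-in exception the surrounding middleware handles) when either is `None`. The comment `# Policy Enforcement Point` above `pipCfg` at line 41 should read `# Policy Information Point`. The removed inline `_getAttributeCertificate` mapped `SessionNotFound` to `PDPUserNotLoggedIn`, whereas the PIP it now delegates to raises `SessionNotFoundMsg`, so any handler in `__call__` (outside this hunk) keyed on `PDPUserNotLoggedIn` will presumably no longer see that case.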
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py
r5168 r5181 30 30 URI to logout method AXResponse instance 31 31 """ 32 def __init__(self, uri=None, environKeyName =None, sessionId=None):32 def __init__(self, uri=None, environKeyNameName=None, sessionId=None): 33 33 self.uri = uri 34 self.environKeyName = environKeyName34 self.environKeyNameName = environKeyNameName 35 35 self.sessionId = sessionId 36 36 … … 116 116 try: 117 117 authNCtx = SessionManagerAuthNCtx(uri=self._client.uri, 118 environKeyName=self._client._environKey)118 environKeyNameName=self._client.environKeyName) 119 119 self._client.environ = environ 120 120 authNCtx.sessionId = self._client.connect(username, … … 188 188 189 189 try: 190 self._client.environ = environ191 190 self._client.disconnect(sessID=authNCtx.sessionId) 192 191 -
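Review bot: `SessionManagerAuthNCtx` now stores the environ key as `environKeyNameName` (lines 32-34 and 118), which looks like the `environKey`→`environKeyName` search/replace applied to an identifier that had already been renamed; anything reading `authNCtx.environKeyName` gets `AttributeError`, and the lines should be `def __init__(self, uri=None, environKeyName=None, sessionId=None):`, `self.environKeyName = environKeyName` and, at line 118, `environKeyName=self._client.environKeyName`. Line 190 also drops `self._client.environ = environ` before `disconnect()`, while the `connect()` path at line 119 still sets it; if the client resolves the local Session Manager through the WSGI environ, logout now presumably runs against whatever environ was last stored on the shared client, so either restore the line or state in the commit why it is no longer needed. Both enclosing methods start outside this hunk.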
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py
r5168 r5181 20 20 from ndg.security.server.wsgi.openid.provider.axinterface import \ 21 21 AXInterface, AXInterfaceConfigError, MissingRequiredAttrs 22 22 from ndg.security.server.wsgi.openid.provider import AuthNInterfaceCtx 23 23 24 24 class SessionManagerAXInterface(AXInterface): … … 34 34 'sessionManagerURI', 35 35 'sessionManagerURITypeURI', 36 'sessionId ',37 'sessionIdTypeURI')36 'sessionIdTypeURI' 37 ) 38 38 39 39 def __init__(self, **cfg): … … 48 48 if val is None: 49 49 raise AXInterfaceConfigError("Missing configuration setting: " 50 "%s" % val)50 '"%s"' % name) 51 51 52 52 setattr(self, name, val) -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
r4891 r5181 33 33 """ 34 34 35 environKey= "ndg.security.server.wsgi.attributeAuthorityFilter"35 defaultEnvironKeyName = "ndg.security.server.wsgi.attributeAuthorityFilter" 36 36 37 _getRef = lambda self:self._environ[self._environKey].serviceSOAPBinding.aa 38 ref = property(fget=_getRef, doc="Attribute Authority local instance") 37 _getLocalClient = lambda self:self._environ[ 38 self.environKeyName].serviceSOAPBinding.aa 39 localClient = property(fget=_getLocalClient, 40 doc="Attribute Authority local instance") 39 41 40 def __init__(self, environKey=None, environ={}, **clientKw): 42 def __init__(self, environKeyName=None, environ={}, **clientKw): 43 """Initialise an interface to an Attribute Authority accessible either 44 via a keyword to a WSGI environ dictionary or via a web service call 45 46 @type environKeyName: basestring or None 47 @param environKeyName: dict key reference to service object to be 48 invoked. This may be set later using the environKeyName property 49 or may be omitted altogether if the service is to be invoked via a 50 web service call 51 @type environ: dict 52 @param environ: WSGI environment dictionary containing a reference to 53 the service object. This may not be known at instantiation of this 54 class. environ is not required if the service is to be invoked over 55 a web service interface 56 @type clientKw: dict 57 @param clientKw: custom keywords to instantiate a web service client 58 interface. Derived classes are responsible for instantiating this 59 from an extended version of this __init__ method. 60 """ 41 61 42 62 log.debug("WSGIAttributeAuthorityClient.__init__ ...") 43 63 44 self._environKey=environKey or WSGIAttributeAuthorityClient.environKey 64 self.environKeyName = environKeyName or \ 65 WSGIAttributeAuthorityClient.defaultEnvironKeyName 45 66 46 67 # Standard WSGI environment dict … … 48 69 49 70 if clientKw.get('uri'): 50 self. 
_client = AttributeAuthorityClient(**clientKw)71 self.wsClient = AttributeAuthorityClient(**clientKw) 51 72 else: 52 self. _client = None73 self.wsClient = None 53 74 54 75 def getHostInfo(self): … … 60 81 configuration held by the AA""" 61 82 62 if self. refInEnviron:83 if self.localClientInEnviron: 63 84 # Connect to local instance 64 return self. ref.hostInfo85 return self.localClient.hostInfo 65 86 66 elif self. _client is None:87 elif self.wsClient is None: 67 88 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 68 89 "local Attribute Authority is set and no SOAP client " … … 70 91 else: 71 92 # Make connection to remote service 72 return self. _client.getHostInfo()93 return self.wsClient.getHostInfo() 73 94 74 95 … … 86 107 from the map configuration""" 87 108 88 if self. refInEnviron:109 if self.localClientInEnviron: 89 110 # Connect to local instance 90 return self.ref.getTrustedHostInfo(**kw) 91 elif self._client is None: 111 return self.localClient.getTrustedHostInfo(**kw) 112 113 elif self.wsClient is None: 92 114 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 93 115 "local Attribute Authority is set and no SOAP client " … … 95 117 else: 96 118 # Make connection to remote service 97 return self. _client.getTrustedHostHostInfo(**kw)119 return self.wsClient.getTrustedHostHostInfo(**kw) 98 120 99 121 … … 106 128 from the map configuration""" 107 129 108 if self. refInEnviron:130 if self.localClientInEnviron: 109 131 # Connect to local instance - combine this host's info with info 110 132 # from other trusted hosts 111 allHostsInfo = self. ref.hostInfo112 allHostsInfo.update(self. ref.getTrustedHostInfo())133 allHostsInfo = self.localClient.hostInfo 134 allHostsInfo.update(self.localClient.getTrustedHostInfo()) 113 135 return allHostsInfo 114 elif self. 
_client is None:136 elif self.wsClient is None: 115 137 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 116 138 "local Attribute Authority is set and no SOAP client " … … 118 140 else: 119 141 # Make connection to remote service 120 return self. _client.getAllHostsInfo()142 return self.wsClient.getAllHostsInfo() 121 143 122 144 … … 136 158 service""" 137 159 138 if self. refInEnviron:160 if self.localClientInEnviron: 139 161 # Connect to local instance 140 162 if 'userX509Cert' in kw: 141 163 kw['holderX509Cert'] = kw.pop('userX509Cert') 142 164 143 return self. ref.getAttCert(**kw)144 elif self. _client is None:165 return self.localClient.getAttCert(**kw) 166 elif self.wsClient is None: 145 167 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 146 168 "local Attribute Authority is set and no SOAP client " … … 151 173 kw['userX509Cert'] = kw.pop('holderX509Cert') 152 174 153 return self. _client.getAttCert(**kw)175 return self.wsClient.getAttCert(**kw) -
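Review bot: The remote branch of getTrustedHostInfo still calls `self.wsClient.getTrustedHostHostInfo(**kw)` (new line 119), a doubled name that matches neither the `getTrustedHostInfo` used on the local path nor the `getHostInfo`/`getAllHostsInfo` pattern of the neighbouring methods, so the web-service fallback will raise AttributeError unless AttributeAuthorityClient really defines that spelling; this rename commit is the moment to make it `return self.wsClient.getTrustedHostInfo(**kw)`. The `environ={}` default in `__init__` (line 42) is a mutable default shared by every instance built without an environ, and that dict is exactly what `localClientInEnviron` consults to decide between an in-process service and a SOAP call, so prefer `environ=None` with `self._environ = {} if environ is None else environ`. In getAllHostsInfo, `allHostsInfo = self.localClient.hostInfo` followed by `.update(...)` mutates whatever `hostInfo` returns; if that is the Attribute Authority's own dict rather than a copy, trusted-host entries get written into the local host's record, so use `dict(self.localClient.hostInfo)` unless hostInfo is known to return a fresh object.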
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/clientbase.py
r4892 r5181 23 23 ''' 24 24 25 environKey= ''25 defaultEnvironKeyName = '' 26 26 27 def __init__(self, 28 environKey=None, 29 environ={}, 30 **clientKw): 31 32 self._environKey = environKey or WSGICLientBase.environKey 27 def __init__(self, environKeyName=None, environ={}, **clientKw): 28 """Initialise an interface to a service accessible either via a 29 keyword to a WSGI environ dictionary or via a web service call 30 31 @type environKeyName: basestring or None 32 @param environKeyName: dict key reference to service object to be 33 invoked. This may be set later using the environKeyName property 34 or may be omitted altogether if the service is to be invoked via a 35 web service call 36 @type environ: dict 37 @param environ: WSGI environment dictionary containing a reference to 38 the service object. This may not be known at instantiation of this 39 class. environ is not required if the service is to be invoked over 40 a web service interface 41 @type clientKw: dict 42 @param clientKw: custom keywords to instantiate a web service client 43 interface. Derived classes are responsible for instantiating this 44 from an extended version of this __init__ method. 
45 """ 46 47 self._environKeyName = environKeyName or \ 48 WSGICLientBase.defaultEnvironKeyName 33 49 34 50 # Standard WSGI environment dict … … 37 53 # Derived class could instantiate required client type if a 'uri' 38 54 # key is set in clientKw 39 self._ client = None55 self._wsClient = None 40 56 57 def _getWSClient(self): 58 return getattr(self, '_wsClient', None) 59 60 def _setWSClient(self, wsClient): 61 self._wsClient = wsClient 62 63 wsClient = property(fget=_getWSClient, 64 fset=_setWSClient, 65 doc="Web service client to service to be invoked") 66 67 def _getWSClientURI(self): 68 return getattr(self.wsClient, 'uri', None) 41 69 70 uri = property(fget=_getWSClientURI, 71 doc="URI for web service or None if no WS Client is set") 72 73 def _setEnvironKeyName(self, keyName): 74 if not isinstance(keyName, (None.__class__, basestring)): 75 raise TypeError("environKeyName must be string or None type; got " 76 "%s" % keyName) 77 78 self._environKeyName = keyName 79 80 def _getEnvironKeyName(self): 81 return self._environKeyName 82 83 environKeyName = property(fget=_getEnvironKeyName, 84 fset=_setEnvironKeyName, 85 doc="key in environ dict holding reference to " 86 "service to be invoked. 
This may be None " 87 "if the service is to be invoked via the " 88 "web service client") 89 42 90 def _setEnviron(self, environ): 43 91 if not isinstance(environ, dict): … … 45 93 self._environ = environ 46 94 47 def _getEnviron(self , environ):95 def _getEnviron(self): 48 96 return self._environ 49 97 … … 52 100 doc="WSGI environ dictionary") 53 101 54 def _get Ref(self):102 def _getLocalClient(self): 55 103 """Get reference to WSGI service instance in environ""" 56 104 raise NotImplementedError() 57 105 58 ref = property(fget=_getRef, doc="local instance")106 localClient = property(fget=_getLocalClient, doc="local instance") 59 107 60 def _ refInEnviron(self):108 def _localClientInEnviron(self): 61 109 '''Check whether a reference is present in the WSGI environ to the 62 110 service to be queried. Check also that if a URI was specified by the … … 71 119 referenced must have a published URI attribute 72 120 ''' 73 if self._environKey not in self._environ:121 if self._environKeyName not in self._environ: 74 122 log.debug("Checking for referenced WSGI service in environ: " 75 123 "the given key was not found in the environ dictionary") 76 124 return False 77 125 78 if self._ client:126 if self._wsClient: 79 127 # A SOAP client was initialised - check to see if its URI matches 80 128 # the URI for the service referenced in environ 81 requestedURI = getattr(self._ client, 'uri', None)129 requestedURI = getattr(self._wsClient, 'uri', None) 82 130 if requestedURI is None: 83 131 log.debug("Checking for referenced WSGI service in environ: " … … 86 134 return True 87 135 88 serviceURI = getattr(self._environ[self._environKey ],136 serviceURI = getattr(self._environ[self._environKeyName], 89 137 'publishedURI', 90 138 None) … … 104 152 105 153 # Define as property for convenient call syntax 106 refInEnviron = property(fget=_refInEnviron,107 doc="return True if referenced instance is"108 "available in WSGI environ")154 localClientInEnviron = 
property(fget=_localClientInEnviron, 155 doc="return True if referenced instance " 156 "is available in WSGI environ") -
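Review bot: `__init__` at line 47 writes `self._environKeyName` directly, bypassing the type check the new `environKeyName` setter performs at lines 73-78, so a non-string key passed to the constructor is accepted while the same value assigned through the property is rejected; route it through the property: `self.environKeyName = environKeyName or WSGICLientBase.defaultEnvironKeyName`. The same applies to `environ={}`: it is a mutable default shared across all instances and, judging by the subclasses (`self._environ = environ` in WSGISessionManagerClient), is stored without the `isinstance(environ, dict)` check `_setEnviron` enforces — `environ=None` plus `self.environ = {} if environ is None else environ` keeps the call interface and applies the check. In `_localClientInEnviron`, returning True when the web-service client has no `uri` (line 131-134) means a client that was given a remote client object silently uses whichever in-process object sits under the environ key; that looks intentional but deserves a comment such as `# No URI to compare against: prefer the registered local instance`. The class header and the tail of `_localClientInEnviron` lie outside this hunk.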
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
r4890 r5181 95 95 keyword 96 96 97 @type environKey: basestring98 @cvar environKey: default WSGI environ keyword name for reference to a99 local Session Manager instance. Override with the environKey keyword to100 __init__101 102 @type attributeAuthorityEnvironKey : basestring103 @cvar attributeAuthorityEnvironKey : default WSGI environ keyword name for104 reference to a local Attribute Authority instance used in calls to105 getAttCert(). Override with the attributeAuthorityEnvironKey keyword to106 __init__97 @type defaultEnvironKeyName: basestring 98 @cvar defaultEnvironKeyName: default WSGI environ keyword name for 99 reference to a local Session Manager instance. Override with the 100 environKeyName keyword to __init__ 101 102 @type attributeAuthorityEnvironKeyName: basestring 103 @cvar attributeAuthorityEnvironKeyName: default WSGI environ keyword name 104 for reference to a local Attribute Authority instance used in calls to 105 getAttCert(). Override with the attributeAuthorityEnvironKeyName keyword 106 to __init__ 107 107 """ 108 environKey = "ndg.security.server.wsgi.sessionManagerFilter" 109 attributeAuthorityEnvironKey = WSGIAttributeAuthorityClient.environKey 110 111 _getRef = lambda self:self._environ[self._environKey].serviceSOAPBinding.sm 112 ref = property(fget=_getRef, doc="local session manager instance") 108 defaultEnvironKeyName = "ndg.security.server.wsgi.sessionManagerFilter" 109 attributeAuthorityEnvironKeyName = \ 110 WSGIAttributeAuthorityClient.defaultEnvironKeyName 111 112 _getLocalClient = lambda self:self._environ[ 113 self.environKeyName].serviceSOAPBinding.sm 114 115 localClient = property(fget=_getLocalClient, 116 doc="local session manager instance") 113 117 114 118 115 119 def __init__(self, 116 environKey =None,117 attributeAuthorityEnvironKey =None,120 environKeyName=None, 121 attributeAuthorityEnvironKeyName=None, 118 122 environ={}, 119 **soapClientKw): 123 **clientKw): 124 """Initialise an interface to a Session Manager 
accessible either via a 125 keyword to a WSGI environ dictionary or via a web service call 126 127 @type environKeyName: basestring or None 128 @param environKeyName: dict key reference to service object to be 129 invoked. This may be set later using the environKeyName property 130 or may be omitted altogether if the service is to be invoked via a 131 web service call 132 @type environ: dict 133 @param environ: WSGI environment dictionary containing a reference to 134 the service object. This may not be known at instantiation of this 135 class. environ is not required if the service is to be invoked over 136 a web service interface 137 @type clientKw: dict 138 @param clientKw: custom keywords to instantiate a web service client 139 interface. Derived classes are responsible for instantiating this 140 from an extended version of this __init__ method. 141 """ 120 142 121 143 log.debug("WSGISessionManagerClient.__init__ ...") 122 144 123 self._environKey = environKey or WSGISessionManagerClient.environKey 124 self._attributeAuthorityEnvironKey = attributeAuthorityEnvironKey or \ 125 WSGISessionManagerClient.attributeAuthorityEnvironKey 145 self.environKeyName = environKeyName or \ 146 WSGISessionManagerClient.defaultEnvironKeyName 147 148 self._attributeAuthorityEnvironKeyName = \ 149 attributeAuthorityEnvironKeyName or \ 150 WSGISessionManagerClient.attributeAuthorityEnvironKeyName 126 151 127 152 # Standard WSGI environment dict 128 153 self._environ = environ 129 154 130 if soapClientKw.get('uri'):131 self. _client = SessionManagerClient(**soapClientKw)132 else: 133 self. _client = None155 if clientKw.get('uri'): 156 self.wsClient = SessionManagerClient(**clientKw) 157 else: 158 self.wsClient = None 134 159 135 160 … … 141 166 """ 142 167 143 if self. refInEnviron:168 if self.localClientInEnviron: 144 169 log.debug("Connecting to local Session Manager instance") 145 170 if 'username' in kw: … … 148 173 149 174 # Connect to local instance 150 res = self. 
ref.connect(username=username, **kw)151 152 elif self. _client is None:175 res = self.localClient.connect(username=username, **kw) 176 177 elif self.wsClient is None: 153 178 raise WSGISessionManagerClientConfigError("No reference to a " 154 179 "local Session Manager is set and no SOAP client " … … 162 187 163 188 # Make connection to remote service 164 res = self. _client.connect(username, **kw)189 res = self.wsClient.connect(username, **kw) 165 190 166 191 # Convert from unicode because unicode causes problems with … … 182 207 # Modify keywords according to correct interface for server side / 183 208 # SOAP client 184 if self. refInEnviron:209 if self.localClientInEnviron: 185 210 if 'userDN' in kw: 186 211 log.warning('Removing keyword "userDN": this is not supported ' … … 189 214 kw.pop('userX509Cert', None) 190 215 191 self. ref.deleteUserSession(**kw)192 193 elif self. _client is None:216 self.localClient.deleteUserSession(**kw) 217 218 elif self.wsClient is None: 194 219 raise WSGISessionManagerClientConfigError("No reference to a " 195 220 "local Session Manager is set and no SOAP client " … … 199 224 kw['userDN'] = kw.pop('userX509Cert').dn 200 225 201 self. _client.disconnect(**kw)226 self.wsClient.disconnect(**kw) 202 227 203 228 … … 212 237 the SOAP client""" 213 238 214 if self. refInEnviron:215 return self. ref.getSessionStatus(**kw)216 217 elif self. _client is None:239 if self.localClientInEnviron: 240 return self.localClient.getSessionStatus(**kw) 241 242 elif self.wsClient is None: 218 243 raise WSGISessionManagerClientConfigError("No reference to a " 219 244 "local Session Manager is set and no SOAP client " 220 245 "to a remote service has been initialized") 221 246 else: 222 return self. _client.getSessionStatus(**kw)247 return self.wsClient.getSessionStatus(**kw) 223 248 224 249 … … 236 261 """ 237 262 238 if self. 
refInEnviron:263 if self.localClientInEnviron: 239 264 # Connect to local instance of Session Manager - next check for 240 265 # an Attribute Authority URI or instance running locally … … 243 268 wsgiAttributeAuthorityClient = WSGIAttributeAuthorityClient( 244 269 environ=self._environ, 245 environKey =self._attributeAuthorityEnvironKey)246 247 if wsgiAttributeAuthorityClient. refInEnviron:270 environKeyName=self._attributeAuthorityEnvironKeyName) 271 272 if wsgiAttributeAuthorityClient.localClientInEnviron: 248 273 kw['attributeAuthority'] = wsgiAttributeAuthorityClient.ref 249 274 else: … … 252 277 "set and no reference is available in environ") 253 278 254 return self. ref.getAttCert(**kw)255 256 elif self. _client is None:279 return self.localClient.getAttCert(**kw) 280 281 elif self.wsClient is None: 257 282 raise WSGISessionManagerClientConfigError("No reference to a " 258 283 "local Session Manager is set and no SOAP client " … … 285 310 'this keyword') 286 311 287 return self. _client.getAttCert(**kw)312 return self.wsClient.getAttCert(**kw) -
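Review bot: getAttCert still reads `wsgiAttributeAuthorityClient.ref` at line 273 even though this same changeset removes the `ref` property from WSGIAttributeAuthorityClient in favour of `localClient`, so the local-instance path of getAttCert will raise AttributeError the first time it runs; change it to `kw['attributeAuthority'] = wsgiAttributeAuthorityClient.localClient`. At line 153 `self._environ = environ` stores the constructor argument directly, bypassing the `isinstance(environ, dict)` check the base class's `environ` setter performs, and `environ={}` in the signature is a mutable default shared by every instance created without one; `environ=None` with `self.environ = {} if environ is None else environ` fixes both without changing how callers invoke the constructor. The signature of `connect` and the source of its `username` value are outside the visible lines of this hunk.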
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini
r5168 r5181 5 5 # 6 6 [DEFAULT] 7 testConfigDir = %(here)s/../../config 7 8 8 9 [server:main] … … 44 45 pdp.policyFilePath = %(here)s/policy.xml 45 46 46 # Settings for connection to the user's Session Manager 47 sessionManagerClient.sslCACertFilePathList= 47 # Settings for Policy Information Point used by the Policy Decision Point to 48 # retrieve subject attributes from the Attribute Authority associated with the 49 # resource to be accessed 50 pip.sslCACertFilePathList= 51 48 52 # 49 53 # WS-Security Settings for call to Session Manager … … 57 61 58 62 # PEM encode cert 59 sessionManagerClient.wssecurity.signingCertFilePath= 63 pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt 60 64 61 65 # PEM encoded private key file 62 sessionManagerClient.wssecurity.signingPriKeyFilePath= 66 pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key 63 67 64 68 # Password protecting private key. Leave blank if there is no password. 65 sessionManagerClient.wssecurity.signingPriKeyPwd=69 pip.wssecurity.signingPriKeyPwd= 66 70 67 # Provide a space separated list of file paths68 sessionManagerClient.wssecurity.caCertFilePathList= 71 # For signature verification. Provide a space separated list of file paths 72 pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt 69 73 70 74 # ValueType for the BinarySecurityToken added to the WSSE header 71 sessionManagerClient.wssecurity.reqBinSecTokValType=X509v375 pip.wssecurity.reqBinSecTokValType=X509v3 72 76 73 77 # Add a timestamp element to an outbound message 74 sessionManagerClient.wssecurity.addTimestamp=True78 pip.wssecurity.addTimestamp=True -
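Review bot: `pip.sslCACertFilePathList=` is left empty while the WS-Security signing and verification settings just below it are populated from the test PKI, so the SSL channel the PIP uses to reach the Attribute Authority has no CA to verify the server against; whether the client then skips verification or fails is not visible here, but the test CA is already referenced in this file, so `pip.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt` keeps the authz test honest. The comment above it should also say what an empty value means, e.g. `# CA certs used to verify the Attribute Authority's SSL certificate; leave blank only if the AA is not accessed over https`.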
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini
r5168 r5181 300 300 openid.provider.axResponse.sessionManagerURI=%(sessionManagerURI)s 301 301 openid.provider.axResponse.sessionManagerURITypeURI=%(openid.ax.sessionManagerURI.typeURI)s 302 openid.provider.axResponse.sessionManagerURI=%(sessionId)s303 302 openid.provider.axResponse.sessionIdTypeURI=%(openid.ax.sessionId.typeURI)s 304 303 … … 319 318 # setting below is the default and can be omitted if it matches the filterID 320 319 # set for the Session Manager 321 openid.provider.authN.environKey =filter:SessionManagerFilter320 openid.provider.authN.environKeyName=filter:SessionManagerFilter 322 321 323 322 # Database connection to enable check between username and OpenID identifier -
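Review bot: The removed line `openid.provider.axResponse.sessionManagerURI=%(sessionId)s` (old line 302) looks like a mis-keyed `sessionId` entry that was silently overriding the correct `sessionManagerURI` value set one line above, but dropping it leaves `openid.provider.axResponse.sessionIdTypeURI` at line 303 with no matching `openid.provider.axResponse.sessionId` value in view. Confirm that `openid.provider.axResponse.sessionId=%(sessionId)s` exists elsewhere in the section; if it does not, restore the line under its intended key so the AX response actually carries the session ID it declares a type URI for.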
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/serverapp.py
r4863 r5181 31 31 try: 32 32 client = WSGISessionManagerClient(environ=environ, 33 environKey=self.sessionManagerFilterID)33 environKeyName=self.sessionManagerFilterID) 34 34 res = client.connect(username, passphrase=password) 35 35 … … 38 38 39 39 # Keep a reference to the session ID for test purposes 40 environ[client.environKey +'.user'] = res[-1]40 environ[client.environKeyName+'.user'] = res[-1] 41 41 42 42 except Exception, e: … … 92 92 def test_localSessionManagerGetSessionStatus(self, environ,start_response): 93 93 client = WSGISessionManagerClient(environ=environ, 94 environKey=self.sessionManagerFilterID) 95 stat=client.getSessionStatus(sessID=environ[client.environKey+'.user']) 94 environKeyName=self.sessionManagerFilterID) 95 stat=client.getSessionStatus( 96 sessID=environ[client.environKeyName+'.user']) 96 97 start_response('200 OK', [('Content-type', 'text/xml')]) 97 98 return ("test_localSessionManagerGetSessionStatus succeeded. Response " … … 101 102 def test_localSessionManagerDisconnect(self, environ, start_response): 102 103 client = WSGISessionManagerClient(environ=environ, 103 environKey=self.sessionManagerFilterID)104 client.disconnect(sessID=environ[client.environKey +'.user'])104 environKeyName=self.sessionManagerFilterID) 105 client.disconnect(sessID=environ[client.environKeyName+'.user']) 105 106 106 107 # Re-initialise user authentication … … 112 113 def test_localSessionManagerGetAttCert(self, environ, start_response): 113 114 client = WSGISessionManagerClient(environ=environ, 114 environKey=self.sessionManagerFilterID, 115 attributeAuthorityEnvironKey=self.attributeAuthorityFilterID) 116 117 attCert = client.getAttCert(sessID=environ[client.environKey+'.user']) 115 environKeyName=self.sessionManagerFilterID, 116 attributeAuthorityEnvironKeyName=self.attributeAuthorityFilterID) 117 118 attCert = client.getAttCert( 119 sessID=environ[client.environKeyName+'.user']) 118 120 start_response('200 OK', [('Content-type', 'text/xml')]) 119 121 
return str(attCert) … … 121 123 def test_localAttributeAuthorityGetHostInfo(self, environ, start_response): 122 124 client = WSGIAttributeAuthorityClient(environ=environ, 123 environKey=self.attributeAuthorityFilterID)125 environKeyName=self.attributeAuthorityFilterID) 124 126 hostInfo = client.getHostInfo() 125 127 start_response('200 OK', [('Content-type', 'text/html')]) … … 131 133 start_response): 132 134 client = WSGIAttributeAuthorityClient(environ=environ, 133 environKey=self.attributeAuthorityFilterID)135 environKeyName=self.attributeAuthorityFilterID) 134 136 role = environ.get('QUERY_STRING', '').split('=')[-1] or None 135 137 hostInfo = client.getTrustedHostInfo(role=role) … … 142 144 start_response): 143 145 client = WSGIAttributeAuthorityClient(environ=environ, 144 environKey=self.attributeAuthorityFilterID)146 environKeyName=self.attributeAuthorityFilterID) 145 147 hostInfo = client.getAllHostsInfo() 146 148 start_response('200 OK', [('Content-type', 'text/html')]) … … 152 154 153 155 client = WSGIAttributeAuthorityClient(environ=environ, 154 environKey=self.attributeAuthorityFilterID)156 environKeyName=self.attributeAuthorityFilterID) 155 157 username=CombinedServicesWSGI.httpBasicAuthentication._userIn.users[-1] 156 158 -
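Review bot: `role = environ.get('QUERY_STRING', '').split('=')[-1] or None` at line 136 takes the last `=`-delimited token of the whole query string regardless of parameter name, so `?role=staff&x=y` yields `y` and a bare `?role` yields `'role'`, which then drives the trusted-host lookup. Parse it by name instead, after `import cgi`: `role = cgi.parse_qs(environ.get('QUERY_STRING', '')).get('role', [None])[0]`. The constructor keyword renames themselves are consistent with the client classes; the handler bodies around lines 31-42 and 154-158 are partly elided in this hunk.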
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/combinedservices/services.ini
r5057 r5181 438 438 # setting below is the default and can be omitted if it matches the filterID 439 439 # set for the Session Manager 440 #openid.provider.authN.environKey =filter:SessionManagerFilter440 #openid.provider.authN.environKeyName=filter:SessionManagerFilter 441 441 442 442 # Database connection to enable check between username and OpenID identifier -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openid/securityservices.ini
r5084 r5181 295 295 # setting below is the default and can be omitted if it matches the filterID 296 296 # set for the Session Manager 297 openid.provider.authN.environKey =filter:SessionManagerFilter297 openid.provider.authN.environKeyName=filter:SessionManagerFilter 298 298 299 299 # Database connection to enable check between username and OpenID identifier -
TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidprovider/securityservices.ini
r5080 r5181 261 261 # setting below is the default and can be omitted if it matches the filterID 262 262 # set for the Session Manager 263 openid.provider.authN.environKey =filter:SessionManagerFilter263 openid.provider.authN.environKeyName=filter:SessionManagerFilter 264 264 265 265 # Database connection to enable check between username and OpenID identifier