Changeset 5254

Timestamp:

06/05/09 09:05:09 (12 years ago)

Author:

pjkersha

Message:

Added additional debug logging and improved error handling

Location:

TI12-security/trunk/python

Files:

• ndg.security.server/ndg/security/server/wsgi/authz/__init__.py (modified) (2 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (8 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/basic.py (modified) (4 diffs)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py (modified) (1 diff)
• ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py (modified) (2 diffs)
• ndg.security.test/ndg/security/test/integration/authz/policy.xml (modified) (2 diffs)
• ndg.security.test/ndg/security/test/integration/authz/securedapp.ini (modified) (1 diff)
• ndg.security.test/ndg/security/test/integration/authz/securedapp.py (modified) (4 diffs)
• ndg.security.test/ndg/security/test/integration/authz/securityservices.ini (modified) (1 diff)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz/__init__.py

@@ -80 +80 @@
 
     _isAuthenticated = lambda self: \
-                            'username' in self.environ.get(self.sessionKey, ())
+                            'username' in self.environ.get(self.sessionKey,())
     isAuthenticated = property(fget=_isAuthenticated,
                                doc='boolean to indicate is user logged in')
@@ -164 +164 @@
                 return False
         else:
-            log.debug("AuthorizationHandler access denied for policy")
+            log.debug("AuthorizationHandler policy [%s] denied access for "
+                      "uri [%s]", self.policyFilePath, resourceURI)
             # True invokes the access forbidden middleware
             return True

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -746 +746 @@
                     
             except Exception, e:
-                log.error("Setting response following ID Approval: %s" % e)
+                log.error("%s type exception raised setting response "
+                          "following ID Approval: %s", e.__class__.__name__,e)
                 return self._render.errorPage(environ, start_response,
                         'An error occurred setting additional parameters '
@@ -859 +860 @@
                 self.session['approved'] = {}
                 self.session.save()
+                
+                log.info("user [%s] logged in", self.session['username'])
             else:
                 # logout
                 if 'username' not in self.session:
                     log.error("No user is logged in")
-                    return self._redirect(start_response,self.query['fail_to'])
+                    return self._redirect(start_response,
+                                          self.query['fail_to'])
                 
+                log.info("user [%s] logging out ...",self.session['username'])
+
                 del self.session['username']
                 self.session.pop('approved', None)
@@ -954 +960 @@
                     
             except Exception, e:
-                log.error("Setting response following ID Approval: %s" % e)
+                log.error("%s type exception raised setting response "
+                          "following ID Approval: %s", e.__class__.__name__,e)
                 response = self._render.errorPage(environ, start_response,
                         'An error occurred setting additional parameters '
@@ -963 +970 @@
             return self.oidResponse(response)
         else:
-            return self._render.decidePage(environ, start_response, oidRequest)
+            try:
+                return self._render.decidePage(environ, 
+                                               start_response, 
+                                               oidRequest)
+            except AuthNInterfaceError, e:
+                log.error("%s type exception raised calling decide page "
+                          "rendering - an OpenID identifier look-up error? "
+                          "message is: %s", e.__class__.__name__,e)
+                response = self._render.errorPage(environ, start_response,
+                        'An error has occurred displaying an options page '
+                        'which checks whether you want to return to the site '
+                        'requesting your ID.  Please report this fault to '
+                        'your site administrator.')
+                return response
+                
         
         
@@ -1070 +1091 @@
             return
         
+        log.debug("Calling AX plugin: %s ...",
+                  self.axResponse.__class__.__name__)
+        
         # Set requested values - need user intervention here to confirm 
         # release of attributes + assignment based on required attributes - 
@@ -1083 +1107 @@
         except Exception, e:
             log.error("%s exception raised setting requested Attribute "
-                      "Exchange values: %s" % (e.__class__, e))
+                      "Exchange values: %s", e.__class__.__name__, e)
             raise
         
+        log.debug("Adding AX parameters to response: %s ...", ax_resp)
         oidResponse.addExtension(ax_resp)
+        log.debug("Added AX parameters to response")
         
         
@@ -1138 +1164 @@
                 try:
                     oidResponse = self._identityApprovedPostProcessing(
-                                                                    oidRequest)
+                                                                oidRequest)
                 except (OpenIDProviderMissingRequiredAXAttrs,
                         OpenIDProviderMissingAXResponseHandler):
@@ -1149 +1175 @@
                     
                 except Exception, e:
-                    log.error("Setting response following ID Approval: %s" % e)
+                    log.error("%s type exception raised setting response "
+                          "following ID Approval: %s", e.__class__.__name__,e)
+                    log.exception(e)
                     response = self._render.errorPage(environ, start_response,
                         'An error occurred setting additional parameters '

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/basic.py

@@ -17 +17 @@
 log = logging.getLogger(__name__)
 
-from ndg.security.server.wsgi.openid.provider import AbstractAuthNInterface
+from ndg.security.server.wsgi.openid.provider import AbstractAuthNInterface, \
+    AuthNInterfaceInvalidCredentials, AuthNInterfaceRetrieveError, \
+    AuthNInterfaceConfigError, AuthNInterfaceUsername2IdentifierMismatch
  
     
@@ -82 +84 @@
         
         @raise AuthNInterfaceInvalidCredentials: invalid username/password
+        @raise AuthNInterfaceUsername2IdentifierMismatch: no OpenID matching
+        the given username
         """
         if self._userCreds.get(username) != password:
@@ -152 +156 @@
         self._client = WSGISessionManagerClient(**prop)
         
+        # This is set at login
+        self.sessionId = None
         
     def logon(self, environ, userIdentifier, username, password):
@@ -175 +181 @@
         try:
             self._client.environ = environ
-            self.sessionId = self._client.connect(username, 
-                                                  passphrase=password)[-1]
+            connectResp = self._client.connect(username, passphrase=password)
+            log.debug("Connected to Session Manager with: %s", connectResp)
+            
+            self.sessionId = connectResp[-1]
             
         except AuthNServiceInvalidCredentials, e:

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/authninterface/sessionmanager.py

@@ -62 +62 @@
         self._client = WSGISessionManagerClient(**prop)
         
+        # Set at login
+        self.sessionId = None
         
     def logon(self, environ, userIdentifier, username, password):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid/provider/axinterface/sessionmanager.py

@@ -72 +72 @@
         reqAttrURIs = ax_req.getRequiredAttrs()
         if self.sessionManagerURITypeURI in reqAttrURIs:
+            log.debug("Adding AX parameter %s=%s ...", 
+                      self.sessionManagerURITypeURI,
+                      self.sessionManagerURI)
+            
             ax_resp.addValue(self.sessionManagerURITypeURI,
                              self.sessionManagerURI)
@@ -81 +85 @@
                                              "type for authNInterface arg; "
                                              "got: %s" % 
-                                             authNInterface.__class__.__name__)
+                                            authNInterface.__class__.__name__)
                 
+            log.debug("Adding AX parameter %s=%s ...", self.sessionIdTypeURI,
+                                                    authNInterface.sessionId)
+            
             ax_resp.addValue(self.sessionIdTypeURI, authNInterface.sessionId)

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/policy.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Policy PolicyId="AuthZTest" xmlns="urn:ndg:security:authz:1.0:policy">
+<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.0:policy">
     <Description>Restrict access for Authorization integration tests</Description>
     
     <Target>
-        <URIPattern>/test_securedURI</URIPattern>
+        <URIPattern>^/test_securedURI*$</URIPattern>
         <Attributes>
             <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
@@ -13 +13 @@
     </Target>
     <Target>
-        <URIPattern>^/test_accessDenied.*$</URIPattern>
+        <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
         <Attributes>
             <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini

@@ -1 +1 @@
 #
-# AuthN WSGI Testing environment configuration
+# NDG Security AuthZ WSGI Testing environment configuration
+#
+# NERC DataGrid
+#
+# Author: P J Kershaw
+#
+# Copyright: STFC 2009
+#
+# Licence: BSD
 #
 # The %(here)s variable will be replaced with the parent directory of this file

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.py

@@ -56 +56 @@
         <h1>Authorisation integration tests:</h1>
         <ul>%s</ul>
-        <p>You are logged in.  <a href="/logout">Logout</a></p>
-    </body>
-</html>
-""" % '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default'])
+        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
+    </body>
+</html>
+""" % ('\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
+                 for link,name in self.method.items() if name != 'default']),
+       environ['REMOTE_USER'])
         
             start_response('200 OK', 
@@ -114 +115 @@
         <h1>Authorised!</h1>
         <ul>%s</ul>
-        <p>You are logged in.  <a href="/logout">Logout</a></p>
-    </body>
-</html>
-""" % '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default'])
+        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
+    </body>
+</html>
+""" % ('\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
+                 for link,name in self.method.items() if name != 'default']),
+       environ['REMOTE_USER'])
 
             start_response('200 OK', 
@@ -140 +142 @@
         <h1>Authorised for path [%s]!</h1>
         <ul>%s</ul>
-        <p>You are logged in.  <a href="/logout">Logout</a></p>
+        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
     </body>
 </html>
 """ % (environ['PATH_INFO'],
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default']))
+                 for link,name in self.method.items() if name != 'default']),
+       environ['REMOTE_USER'])
 
 
@@ -171 +174 @@
         <h1>Authorised for path [%s]!</h1>
         <ul>%s</ul>
-        <p>You are logged in.  <a href="/logout">Logout</a></p>
+        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
     </body>
 </html>
 """ % (environ['PATH_INFO'],
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
-                 for link,name in self.method.items() if name != 'default']))
+                 for link,name in self.method.items() if name != 'default']),
+       environ['REMOTE_USER'])
 
 

TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securityservices.ini

@@ -325 +325 @@
 openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'
 
+## Basic Authentication but linking to a Session Manager
+#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicSessionManagerOpenIDAuthNInterface
+#
+## Connect to a Session Manager at a given URI or see next...
+##openid.provider.authN.sessionManagerURI=
+#
+## environ dictionary key to Session Manager WSGI instance held locally.  
+## The setting below is the default and can be omitted if it matches the 
+## filterID set for the Session Manager
+#openid.provider.authN.environKeyName=filter:SessionManagerFilter
+#
+## Link usernames for login to the OpenID identifiers they correspond to.
+## See openid.provider.path.id with $userIdentifier setting
+#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw
+
 # Basic authentication for testing/admin - comma delimited list of 
 # <username>:<password> pairs