Changeset 5770 for TI12-security

Timestamp:

25/09/09 17:02:25 (10 years ago)

Author:

pjkersha

Message:

Adding SSL Client authentication step into authz_lite integration test. Broken redirecting back from authn step to requested resource.

Location:

TI12-security/trunk/python

Files:

• ndg_security_server/ndg/security/server/wsgi/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authn.py (modified) (4 diffs)
• ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/__init__.py (modified) (3 diffs)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (9 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini (modified) (2 diffs)
• ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/authn/ssl-test.ini (modified) (1 diff)

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/__init__.py

@@ -31 +31 @@
         'mountPath': '/',
     }
-
-    USERNAME_ENVIRON_KEYNAME = 'REMOTE_USER'
     
     def __init__(self, app, app_conf, prefix='', **local_conf):

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/authn.py

@@ -55 +55 @@
     return to URI between initiator and consumer classes"""
     RETURN2URI_ARGNAME = 'ndg.security.r'
-#    
-#    _isAuthenticated = lambda self: \
-#            AuthnRedirectMiddleware.USERNAME_ENVIRON_KEYNAME in self.environ
-#            
-#    isAuthenticated = property(fget=_isAuthenticated,
-#                               doc='boolean for, "is user logged in?"')
+
 
 class AuthnRedirectInitiatorMiddleware(AuthnRedirectMiddleware):
@@ -192 +187 @@
             params = {}
         
+        # Store the return URI query argument in a beaker session
         quotedReferrer = params.get(self.__class__.RETURN2URI_ARGNAME, '')
         referrerURI = urllib.unquote(quotedReferrer)
@@ -198 +194 @@
             session.save()
             
+        # Check for a return URI setting in the beaker session and if the user
+        # is authenticated, redirect to this URL deleting the beaker session
+        # URL setting
         return2URI = session.get(self.__class__.RETURN2URI_ARGNAME)    
         if self.isAuthenticated and return2URI:
@@ -207 +206 @@
 
 
+class AuthKitRedirectResponseMiddleware(AuthnRedirectResponseMiddleware):
+    """Overload isAuthenticated method in parent class to set Authenticated 
+    state based on presence of AuthKit 'REMOTE_USER' environ variable
+    """
+    _isAuthenticated = lambda self: \
+        AuthnRedirectResponseMiddleware.USERNAME_ENVIRON_KEYNAME in self.environ
+        
+    isAuthenticated = property(fget=_isAuthenticated,
+                               doc="Boolean indicating if AuthKit "
+                                   "'REMOTE_USER' environment variable is set")
+    def __init__(self, app, app_conf, **local_conf):
+        super(AuthKitRedirectResponseMiddleware, self).__init__(app, app_conf,
+                                                                **local_conf)
+    @NDGSecurityMiddlewareBase.initCall
+    def __call__(self, environ, start_response):
+        return super(AuthKitRedirectResponseMiddleware, self).__call__(environ,
+                                                                start_response)
+       
+        
 class SessionHandlerMiddlewareConfigError(Exception):
     """Configuration errors from SessionHandlerMiddleware"""

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/__init__.py

@@ -21 +21 @@
 from paste.request import parse_querystring, parse_formvars
 import authkit.authenticate
+from authkit.authenticate.open_id import AuthOpenIDHandler
 from beaker.middleware import SessionMiddleware
 
@@ -125 +126 @@
         _app = app
         while True:
-            if isinstance(_app,authkit.authenticate.open_id.AuthOpenIDHandler):
+            if isinstance(_app, AuthOpenIDHandler):
                 authOpenIDHandler = _app
                 self._authKitVerifyPath = authOpenIDHandler.path_verify
@@ -170 +171 @@
         @return: response
         '''
+        # Skip Relying Party interface set-up if user has been authenticated
+        # by other middleware
+        if 'REMOTE_USER' in environ:
+            log.debug("Found REMOTE_USER=%s in environ, AuthKit "
+                      "based authentication has taken place in other "
+                      "middleware, skipping OpenID Relying Party interface" %
+                      environ['REMOTE_USER'])
+            return self._app(environ, start_response)
+        
         session = environ.get(self.sessionKey)
         if session is None:

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -17 +17 @@
 log = logging.getLogger(__name__)
 import os
-import re # Pattern matching to determine which URI paths to apply SSL AuthN to
+# Pattern matching to determine which URI paths to apply SSL AuthN to and to
+# parse SSL certificate environment variable
+import re 
+
+# Decode SSL certificate environment variable
+import base64        
 
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
 from ndg.security.common.X509 import X509Stack, X509Cert, X509CertError, X500DN
 from ndg.security.common.utils.classfactory import instantiateClass
-
-
-class ClientCertVerificationInterface(object):
-    """Interface to enable customised verification of the client certificate 
-    Distinguished Name"""
-    def __init__(self, **cfg):
-        """@type cfg: dict
-        @param cfg: configuration parameters, derived class may customise
-        """
-        raise NotImplementedError()
-    
-    def __call__(self, x509Cert):
-        """Derived class implementation should return True if the certificate
-        DN is valid, False otherwise
-        @type x509Cert: ndg.security.common.X509.X509Cert
-        @param x509Cert: client X.509 certificate received from Apache
-        environment"""
-        raise NotImplementedError()
-
-
-class NoClientCertVerification(ClientCertVerificationInterface):
-    """Implementation of ClientCertVerificationInterface ignoring the 
-    client certificate DN set"""
-    def __init__(self, **cfg):
-        pass
-    
-    def __call__(self, x509Cert):
-        return True
-    
-class ClientCertVerificationList(ClientCertVerificationInterface):
-    """Implementation of ClientCertVerificationInterface matching the input
-    client certificate DN against a configurable list"""
-    
-    def __init__(self, validDNList=[]):
-        self.validDNList = validDNList
-    
-    def __call__(self, x509Cert):
-        inputDN = x509Cert.dn
-        return inputDN in self._validDNList
-    
-    def _setValidDNList(self, dnList):
-        '''Read CA certificates from file and add them to an X.509 Cert.
-        stack
-        
-        @type dnList: list or tuple
-        @param dnList: list of DNs to match against the input certificate DN
-        '''
-        
-        if isinstance(dnList, basestring):
-            # Try parsing a space separated list of file paths
-            dnList = dnList.split()
-            
-        elif not isinstance(dnList, (list, tuple)):
-            raise TypeError('Expecting a list or tuple for "dnList"')
-
-        self._validDNList = [X500DN(dn) for dn in dnList]
-
-    
-    def _getValidDNList(self):
-        return self._validDNList
-    
-    validDNList = property(fset=_setValidDNList,
-                           fget=_getValidDNList,
-                           doc="list of permissible certificate Distinguished "
-                               "Names permissible")
     
 
@@ -101 +41 @@
     """
     SSL_KEYNAME = 'HTTPS'
-    SSL_KEYVALUE = '1'
-    
-    _isSSLRequest = lambda self: self.environ.get(
-                                    ApacheSSLAuthnMiddleware.SSL_KEYNAME) == \
-                                    ApacheSSLAuthnMiddleware.SSL_KEYVALUE
+    SSL_KEYVALUES = ('1', 'on')
+    
+    _isSSLRequest = lambda self: self.environ.get(self.sslKeyName) in \
+                                    ApacheSSLAuthnMiddleware.SSL_KEYVALUES
     isSSLRequest = property(fget=_isSSLRequest,
                             doc="Is an SSL request boolean - depends on "
@@ -111 +50 @@
     
     SSL_CLIENT_CERT_KEYNAME = 'SSL_CLIENT_CERT'
+    PEM_CERT_PREFIX = '-----BEGIN CERTIFICATE-----'
     
     # Options for ini file
@@ -116 +56 @@
     CACERT_FILEPATH_LIST_OPTNAME = 'caCertFilePathList'
     CLIENT_CERT_DN_MATCH_LIST_OPTNAME = 'clientCertDNMatchList'
+    SSL_KEYNAME_OPTNAME = 'sslKeyName'
+    SSL_CLIENT_CERT_KEYNAME_OPTNAME = 'sslClientCertKeyName'
     
     propertyDefaults = {
         RE_PATH_MATCH_LIST_OPTNAME: [],
         CACERT_FILEPATH_LIST_OPTNAME: [],
-        CLIENT_CERT_DN_MATCH_LIST_OPTNAME: []
+        CLIENT_CERT_DN_MATCH_LIST_OPTNAME: [],
+        SSL_KEYNAME_OPTNAME: SSL_KEYNAME,
+        SSL_CLIENT_CERT_KEYNAME_OPTNAME: SSL_CLIENT_CERT_KEYNAME
     }
     propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
-        
-    _isSSLClientCertSet = lambda self: bool(self.environ.get(
-                            ApacheSSLAuthnMiddleware.SSL_CLIENT_CERT_KEYNAME)) 
-    isSSLClientCertSet = property(fget=_isSSLClientCertSet,
-                                  doc="Check for client X.509 certificate "
-                                      "'SSL_CLIENT_CERT' setting in environ")
-    
-    def __init__(self, app, global_conf, prefix='sslAuthn.', **app_conf):
+    
+    PARAM_PREFIX = 'sslAuthn.'
+    
+    def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
         
         super(ApacheSSLAuthnMiddleware, self).__init__(app, 
@@ -136 +76 @@
                                                        prefix=prefix,
                                                        **app_conf)
-        
+
         self.__caCertFilePathList = None
         self.__caCertStack = None
         self.__clientCertDNMatchList = None
         self.__clientCert = None
-        
-        rePathMatchListVal = app_conf.get(
-                ApacheSSLAuthnMiddleware.RE_PATH_MATCH_LIST_OPTNAME, '')
+        self.__sslClientCertKeyName = None
+        self.__sslKeyName = None
+        
+        rePathMatchListParamName = prefix + \
+                    ApacheSSLAuthnMiddleware.RE_PATH_MATCH_LIST_OPTNAME
+        rePathMatchListVal = app_conf.get(rePathMatchListParamName, '')
+        
         self.rePathMatchList = [re.compile(r) 
                                 for r in rePathMatchListVal.split()]
-
-        self.caCertStack = app_conf.get(
-                ApacheSSLAuthnMiddleware.CACERT_FILEPATH_LIST_OPTNAME, [])
-        
+        
+        caCertFilePathListParamName = prefix + \
+                    ApacheSSLAuthnMiddleware.CACERT_FILEPATH_LIST_OPTNAME
+                        
+        self.caCertStack = app_conf.get(caCertFilePathListParamName, [])
+        
+        clientCertDNMatchListParamName = prefix + \
+                    ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME
+                    
         self.clientCertDNMatchList = app_conf.get(
-                ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME, [])
-                
+                                        clientCertDNMatchListParamName, [])
+        
+        sslClientCertParamName = prefix + \
+                    ApacheSSLAuthnMiddleware.SSL_CLIENT_CERT_KEYNAME_OPTNAME   
+        self.sslClientCertKeyName = app_conf.get(sslClientCertParamName, 
+                            ApacheSSLAuthnMiddleware.SSL_CLIENT_CERT_KEYNAME)
+        
+        sslKeyNameParamName = prefix + \
+                    ApacheSSLAuthnMiddleware.SSL_KEYNAME_OPTNAME   
+        self.sslKeyName = app_conf.get(sslKeyNameParamName, 
+                                       ApacheSSLAuthnMiddleware.SSL_KEYNAME)
+
+    def _getSslClientCertKeyName(self):
+        return self.__sslClientCertKeyName
+
+    def _setSslClientCertKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting %r type for "sslClientCertKeyName"; '
+                            'got %r' % (basestring, type(value)))
+        self.__sslClientCertKeyName = value
+
+    sslClientCertKeyName = property(_getSslClientCertKeyName, 
+                                    _setSslClientCertKeyName, 
+                                    doc="SslClientCertKeyName's Docstring")
+
+    def _getSslKeyName(self):
+        return self.__sslKeyName
+
+    def _setSslKeyName(self, value):       
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting %r type for "sslKeyName"; got %r' %
+                            (basestring, type(value)))
+        self.__sslKeyName = value
+
+    sslKeyName = property(_getSslKeyName, 
+                          _setSslKeyName, 
+                          doc="SslKeyName's Docstring")
+
+               
     def _setCACertStack(self, caCertList):
         '''Read CA certificates from file and add them to an X.509 Cert.
@@ -254 +240 @@
                           doc="Client certificate for verification set by "
                               "isValidClientCert()")
+
     
     @NDGSecurityMiddlewareBase.initCall         
@@ -311 +298 @@
             
         return False
+        
+    def _isSSLClientCertSet(self):
+        """Check for SSL Certificate set in environ"""
+        sslClientCert = self.environ.get(
+                        self.sslClientCertKeyName, '')
+        return sslClientCert.startswith(
+                                    ApacheSSLAuthnMiddleware.PEM_CERT_PREFIX) 
+        
+    isSSLClientCertSet = property(fget=_isSSLClientCertSet,
+                                  doc="Check for client X.509 certificate "
+                                      "%r setting in environ" %
+                                      SSL_CLIENT_CERT_KEYNAME)
     
     def isValidClientCert(self):
-        sslClientCert = self.environ[
-                            ApacheSSLAuthnMiddleware.SSL_CLIENT_CERT_KEYNAME]
-        self.__clientCert = X509Cert.Parse(sslClientCert)
+        sslClientCert = self.environ[self.sslClientCertKeyName]
+        
+        # Certificate string passed through a proxy has spaces in place of
+        # newline delimiters.  Fix by re-organising the string into a single 
+        # line and remove the BEGIN CERTIFICATE / END CERTIFICATE delimiters.
+        # Then, treat as a base64 encoded string decoding and passing as DER
+        # format to the X.509 parser
+        x509CertPat = re.compile('(\s?-----[A-Z]+\sCERTIFICATE-----\s?)|\s+')
+        cert = x509CertPat.sub('', sslClientCert)
+        derCert = base64.decodestring(cert)
+        self.__clientCert = X509Cert.Parse(derCert, format=X509Cert.formatDER)
         
         if len(self.caCertStack) == 0:
@@ -340 +347 @@
             
         return True
-#        
-#        # Check certificate Distinguished Name via 
-#        # ClientCertVerificationInterface object
-#        return self.verifyClientCert(x509Cert)
     
 
@@ -373 +376 @@
 
         elif not self.isSSLRequest:
-            log.warning("AuthKitSSLAuthnMiddleware: 'HTTPS' environment "
+            log.debug("AuthKitSSLAuthnMiddleware: 'HTTPS' environment "
                         "variable not found in environment; ignoring request")
                         

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securedapp.ini

@@ -55 +55 @@
 
 # Set redirect for OpenID Relying Party in the Security Services app instance
-authN.redirectURI = http://localhost:7443/verify
+#authN.redirectURI = http://localhost:7443/verify
+authN.redirectURI = https://localhost/verify
 
 # AuthKit Set-up
@@ -115 +116 @@
 # Add a timestamp element to an outbound message
 pip.wssecurity.addTimestamp=True
+
+# Logging configuration
+[loggers]
+keys = root, ndg
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_ndg]
+level = DEBUG
+handlers =
+qualname = ndg
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
+

TI12-security/trunk/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

@@ -50 +50 @@
 document_root = %(here)s/openidprovider
 
+# Ordering of filters and app is critical
 [pipeline:main]
 pipeline = wsseSignatureVerificationFilter 
@@ -57 +58 @@
            AttributeAuthoritySamlSoapBindingFilter
                    SessionMiddlewareFilter
+                   SSLClientAuthenticationFilter
+                   SSLCientAuthKitFilter
+                   SSLCientAuthenticationRedirectFilter
                    OpenIDRelyingPartyFilter
                    OpenIDProviderApp
@@ -76 +80 @@
 # Key name for keying into environ dictionary
 environ_key = %(beakerSessionKeyName)s
+
+[filter:SSLCientAuthKitFilter]
+paste.filter_app_factory = authkit.authenticate:middleware
+
+# AuthKit Set-up
+setup.method=cookie
+
+# This cookie name and secret MUST agree with the name used by the 
+# Authentication Filter used to secure a given app
+cookie.name=ndg.security.auth
+
+cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
+cookie.signoutpath = /logout
+
+# Disable inclusion of client IP address from cookie signature due to 
+# suspected problem with AuthKit setting it when a HTTP Proxy is in place
+cookie.includeip = False
+
+# SSL Client Certificate based authentication is invoked if the client passed
+# a certificate with request.  This bypasses OpenID based authn.
+[filter:SSLClientAuthenticationFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
+prefix = ssl.
+ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
+
+# HTTP_ prefix is set when passed through a proxy
+ssl.sslKeyName = HTTP_HTTPS
+ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT
+
+# Set the URI pattern match here to interrupt a redirect to the OpenID Relying 
+# Party from the service running over HTTP and see if a client certificate has 
+# been set
+ssl.rePathMatchList = ^/verify.*
 
 [filter:OpenIDRelyingPartyFilter]
@@ -134 +171 @@
 #authkit.openid.urltouser = 
 
+# Redirect to original requested URI following SSL Client Authentication.  This
+# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
+# case its configured in the OpenIDRelyingPartyMiddleware filter.  If the
+# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
+# would need to be made so that this redirect filter can still function
+[filter:SSLCientAuthenticationRedirectFilter]
+paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
+prefix = ssl.
+ssl.sessionKey = %(beakerSessionKeyName)s
+
 #______________________________________________________________________________
 # OpenID Provider WSGI Settings

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authn/ssl-test.ini

@@ -66 +66 @@
 paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
 prefix = ssl.
-caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
-clientCertVerificationClassName = 
-rePathMatchList = ^/ssl-client-authn.*
+ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
+ssl.rePathMatchList = ^/ssl-client-authn.*