Changeset 5843 for TI12-security/trunk/python

Timestamp:

14/10/09 16:41:01 (11 years ago)

Author:

pjkersha

Message:

Completed unit tests for MyProxy? logon web service interface.

Location:

TI12-security/trunk/python

Files:

• ndg_security_server/ndg/security/server/wsgi/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authn.py (modified) (5 diffs)
• ndg_security_server/ndg/security/server/wsgi/myproxy (added)
• ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py (moved) (moved from TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/myproxy.py) (4 diffs)
• ndg_security_server/setup.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/authn/test_httpbasicauth.py (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy (added)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy/__init__.py (added)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test.ini (added)
• ndg_security_test/ndg/security/test/unit/wsgi/myproxy/test_myproxy.py (added)

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/__init__.py

@@ -236 +236 @@
                     
             if propertyDefaults is not None and filtK not in propertyDefaults:
-                badOpt += [k]                
+                badOpt += [k]
             else:
                 opt[filtK] = v

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/authn.py

@@ -16 +16 @@
 log = logging.getLogger(__name__)
 
+import re
 import base64
 import httplib
 import urllib
-from urlparse import urlsplit
-from paste.request import construct_url
-from paste.request import parse_querystring
-from beaker.middleware import SessionMiddleware
+from paste.request import construct_url, parse_querystring
 import authkit.authenticate
 
@@ -52 +50 @@
     AUTHN_FUNC_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
                               'HTTPBasicAuthMiddleware.authenticate')
-    AUTHN_FUNC_ENV_KEYNAME_PARAMNAME = 'authnFunc'       
-    PARAM_PREFIX = 'http.auth.basic'
+    AUTHN_FUNC_ENV_KEYNAME_OPTNAME = 'authnFuncEnvKeyName'       
+    PARAM_PREFIX = 'http.auth.basic.'
     HTTP_HDR_FIELDNAME = 'basic'
     FIELD_SEP = ':'
     AUTHZ_ENV_KEYNAME = 'HTTP_AUTHORIZATION'
     
+    RE_PATH_MATCH_LIST_OPTNAME = 'rePathMatchList'
+    
     def __init__(self, app, app_conf, prefix=PARAM_PREFIX, **local_conf):
+        self.__rePathMatchList = None
         self.__authnFuncEnvironKeyName = None
         
         super(HTTPBasicAuthMiddleware, self).__init__(app, app_conf, 
                                                       **local_conf)
+
+        rePathMatchListOptName = prefix + \
+                            HTTPBasicAuthMiddleware.RE_PATH_MATCH_LIST_OPTNAME
+        rePathMatchListVal = app_conf.pop(rePathMatchListOptName, '')
+        
+        self.rePathMatchList = [re.compile(i) 
+                                for i in rePathMatchListVal.split()]
+
         paramName = prefix + \
-                    HTTPBasicAuthMiddleware.AUTHN_FUNC_ENV_KEYNAME_PARAMNAME
+                    HTTPBasicAuthMiddleware.AUTHN_FUNC_ENV_KEYNAME_OPTNAME
                     
         self.authnFuncEnvironKeyName = local_conf.get(paramName,
@@ -84 +93 @@
                                            "custom authentication function "
                                            "used by this class")
+
+    def _getRePathMatchList(self):
+        return self.__rePathMatchList
+
+    def _setRePathMatchList(self, value):
+        if not isinstance(value, (list, tuple)):
+            raise TypeError('Expecting list or tuple type for '
+                            '"rePathMatchList"; got %r' % type(value))
+        
+        self.__rePathMatchList = value
+
+    rePathMatchList = property(fget=_getRePathMatchList, 
+                               fset=_setRePathMatchList, 
+                               doc="List of regular expressions determine the "
+                                   "URI paths intercepted by this middleware")
+
+    def _pathMatch(self):
+        """Apply a list of regular expression matching patterns to the contents
+        of environ['PATH_INFO'], if any match, return True.  This method is
+        used to determine whether to apply SSL client authentication
+        """
+        path = self.pathInfo
+        for regEx in self.rePathMatchList:
+            if regEx.match(path):
+                return True
+            
+        return False   
 
     def _parseCredentials(self):
@@ -116 +152 @@
         log.debug("HTTPBasicAuthNMiddleware.__call__ ...")
         
+        if not self._pathMatch():
+            return self._app(environ, start_response)
+        
         authenticate = environ.get(self.authnFuncEnvironKeyName)
         if authenticate is None:
@@ -126 +165 @@
             return self._setErrorResponse(code=httplib.UNAUTHORIZED)
         
+        # Call authentication application
         try:
-            authenticate(environ, username, password)
-                
+            return authenticate(environ, start_response, username, password)
+        
         except HTTPBasicAuthUnauthorized, e:
             log.error(e)

TI12-security/trunk/python/ndg_security_server/ndg/security/server/wsgi/myproxy/__init__.py

@@ -13 +13 @@
 import re
 import httplib
+import socket
 
-from myproxy.client import MyProxyClient
+from myproxy.client import MyProxyClient, MyProxyClientError
+from ndg.security.server.wsgi import NDGSecurityMiddlewareBase, \
+    NDGSecurityMiddlewareConfigError
+    
 from ndg.security.server.wsgi.authn import HTTPBasicAuthMiddleware
+        
+        
+class MyProxyClientMiddlewareConfigError(NDGSecurityMiddlewareConfigError):
+    """Configuration error with MyProxyClientMiddleware"""
 
-class MyProxyClientMiddleware(object):
+
+class MyProxyClientMiddleware(NDGSecurityMiddlewareBase):
     '''
-    HTTPS proxy to a MyProxy server to enable HTTPS type calls to MyProxy
+    Create a MyProxy client and make it available to other middleware in the 
+    WSGI stack
     '''
     # Options for ini file
-    RE_PATH_MATCH_LIST_OPTNAME = 'rePathMatchList'
+    CLIENT_ENV_KEYNAME_OPTNAME = 'clientEnvKeyName'
+    LOGON_FUNC_ENV_KEYNAME_OPTNAME = 'logonFuncEnvKeyName'     
     
+    # Default environ key names
+    CLIENT_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
+                          'MyProxyClientMiddleware')
     LOGON_FUNC_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
                               'MyProxyClientMiddleware.logon')
-    LOGON_FUNC_ENV_KEYNAME_OPTNAME = 'logonFunc'     
+    
+    # Option prefixes
     PARAM_PREFIX = 'myproxy.'
     MYPROXY_CLIENT_PARAM_PREFIX = 'client.'
     
-    def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
+    def __init__(self, app, global_conf, prefix=PARAM_PREFIX, 
+                 myProxyClientPrefix=MYPROXY_CLIENT_PARAM_PREFIX, **app_conf):
         ''''''
-        super(MyProxyClientMiddleware, self).__init__(app, 
-                                                      global_conf, 
-                                                      prefix=prefix,
-                                                      *app_conf)
+        super(MyProxyClientMiddleware, self).__init__(app, global_conf)
         self.__myProxyClient = None
 
-        rePathMatchListParamName = prefix + \
-                            MyProxyClientMiddleware.RE_PATH_MATCH_LIST_OPTNAME
-        rePathMatchListVal = app_conf.get(rePathMatchListParamName, '')
-        
-        self.rePathMatchList = [re.compile(r) 
-                                for r in rePathMatchListVal.split()]
-
         # Get MyProxyClient initialisation parameters
-        myProxyClientPrefix = prefix + \
-                            MyProxyClientMiddleware.MYPROXY_CLIENT_PARAM_PREFIX
+        myProxyClientFullPrefix = prefix + myProxyClientPrefix
                             
-        myProxyClientKw = dict([(k.replace(myProxyClientPrefix, ''), v) 
+        myProxyClientKw = dict([(k.replace(myProxyClientFullPrefix, ''), v) 
                                  for k,v in app_conf.items() 
-                                 if k.startswith(myProxyClientPrefix)])
+                                 if k.startswith(myProxyClientFullPrefix)])
         
         self.myProxyClient = MyProxyClient(**myProxyClientKw)
-        paramName = prefix + \
+        clientEnvKeyOptName = prefix + \
+                            MyProxyClientMiddleware.CLIENT_ENV_KEYNAME_OPTNAME
+                    
+        self.clientEnvironKeyName = app_conf.get(clientEnvKeyOptName,
+                                MyProxyClientMiddleware.CLIENT_ENV_KEYNAME)
+                    
+        logonFuncEnvKeyOptName = prefix + \
                     MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME_OPTNAME
-                    
-        self.logonFuncEnvironKeyName = local_conf.get(paramName,
+
+        self.logonFuncEnvironKeyName = app_conf.get(logonFuncEnvKeyOptName,
                                 MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME)
+
+    def _getClientEnvironKeyName(self):
+        return self.__clientEnvironKeyName
+
+    def _setClientEnvironKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for "clientEnvironKeyName"; '
+                            'got %r type' % type(value))
+        self.__clientEnvironKeyName = value
+
+    clientEnvironKeyName = property(fget=_getClientEnvironKeyName, 
+                                    fset=_setClientEnvironKeyName, 
+                                    doc="key name in environ for the "
+                                        "MyProxyClient instance")    
 
     def _getLogonFuncEnvironKeyName(self):
@@ -73 +98 @@
                                        fset=_setLogonFuncEnvironKeyName, 
                                        doc="key name in environ for the "
-                                           "custom authentication function "
-                                           "used by this class")
+                                           "MyProxy logon function")
+    
     def _getMyProxyClient(self):
         return self.__myProxyClient
@@ -91 +116 @@
     @NDGSecurityMiddlewareBase.initCall
     def __call__(self, environ, start_response):
-        '''Intercept MyProxy call and relay to MyProxy server
+        '''Set MyProxyClient instance and MyProxy logon method in environ
         
         @type environ: dict
@@ -99 +124 @@
         '''
         log.debug("MyProxyClientMiddleware.__call__ ...")
-        environ[self.logonFuncEnvironKeyName] = self.myProxyLogonFunc
+        environ[self.clientEnvironKeyName] = self.myProxyClient
+        environ[self.logonFuncEnvironKeyName] = self.myProxyLogon
         
-#        if not self._pathMatch():
-#            return self._app(environ, start_response)
-#        else:
-#            try:
-#                # TODO: get username/passphrase from upstream HTTP Basic Auth
-#                # middleware
-#                credentials = self.myProxyClient.logon(username, passphrase)
-#            except Exception, e:
-#                log.error(e)
-#                
-#                # TODO: fit to appropriate HTTP error code
-#                raise
-#            
-#            response = '\n'.join(credentials)
-#            start_response(MyProxyClientMiddleware.getStatusMessage(httplib.OK),
-#                           [('Content-length', str(len(response))),
-#                            ('Content-type', 'plain/text')])
-#            return [response]
-        
-    def _pathMatch(self):
-        """Apply a list of regular expression matching patterns to the contents
-        of environ['PATH_INFO'], if any match, return True.  This method is
-        used to determine whether to apply SSL client authentication
-        """
-        path = self.pathInfo
-        for regEx in self.rePathMatchList:
-            if regEx.match(path):
-                return True
-            
-        return False   
+        return self._app(environ, start_response)
     
     @property
-    def myProxyLogonFunc(self):
+    def myProxyLogon(self):
         """Return the MyProxy logon method wrapped as a HTTP Basic Auth 
         authenticate interface function
         """
-        def HTTPBasicAuthFunc(environ, username, password):
-            """Wrap MyProxy logon method as HTTPBasicAuthMiddleware 
-            authenticate function"""
-            return self.myProxyClient.logon(environ, username, password)
+        def _myProxylogon(environ, start_response, username, password):
+            """Wrap MyProxy logon method as a WSGI app
+            """
+            try:
+                credentials = self.myProxyClient.logon(username, password)
+                status = self.getStatusMessage(httplib.OK)
+                response = '\n'.join(credentials)
+                
+            except MyProxyClientError, e:
+                status = self.getStatusMessage(httplib.UNAUTHORIZED)
+                response = str(e)
+            
+            except socket.error, e:
+                raise MyProxyClientMiddlewareConfigError("Socket error "
+                                        "with MyProxy server %r: %s" % 
+                                        (self.myProxyClient.hostname, e))
+            
+            start_response(status,
+                           [('Content-length', str(len(response))),
+                            ('Content-type', 'text/plain')])
+            return [response]
         
-        return HTTPBasicAuthFunc
+        return _myProxylogon
         
         
+class MyProxyLogonMiddlewareConfigError(NDGSecurityMiddlewareConfigError):
+    """Configuration error with MyProxyLogonMiddleware"""
+    
+    
 class MyProxyLogonMiddleware(NDGSecurityMiddlewareBase):
-    """HTTP Basic Auth interface to MyProxy logon"""
+    """HTTP Basic Auth interface to MyProxy logon.  This interfaces creates a
+    MyProxy client instance and HTTP Basic Auth based web service interface
+    for MyProxy logon calls.  This WSGI must be run over HTTPS to ensure
+    confidentiality of username/passphrase credentials
+    """
     PARAM_PREFIX = 'myproxy.logon.'
     
-    def __init__(self, app, app_conf, prefix=PARAM_PREFIX, **local_conf):
-        app = HTTPBasicAuthMiddleware(app, app_conf, **local_conf)
-        app = MyProxyClientMiddleware(app, app_conf, **local_conf)
+    def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):        
+        
+        authnFuncEnvKeyNameOptName = HTTPBasicAuthMiddleware.PARAM_PREFIX + \
+                        HTTPBasicAuthMiddleware.AUTHN_FUNC_ENV_KEYNAME_OPTNAME
+                        
+        if authnFuncEnvKeyNameOptName in app_conf:
+            raise MyProxyLogonMiddlewareConfigError("Found %r option name in "
+                "application configuration settings.  Use %r instead" %
+                (authnFuncEnvKeyNameOptName, 
+                 MyProxyClientMiddleware.PARAM_PREFIX + \
+                 MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME_OPTNAME))
+        
+        httpBasicAuthApp = HTTPBasicAuthMiddleware(app, app_conf, **app_conf)
+        app = MyProxyClientMiddleware(httpBasicAuthApp, app_conf, **app_conf)
+        
+        # Set HTTP Basic Auth to use the MyProxy client logon for its
+        # authentication method
+        httpBasicAuthApp.authnFuncEnvironKeyName = app.logonFuncEnvironKeyName
+        
+        super(MyProxyLogonMiddleware, self).__init__(app, global_conf, 
+                                                     prefix=prefix, **app_conf)

TI12-security/trunk/python/ndg_security_server/setup.py

@@ -23 +23 @@
     'ndg_security_common',
     'Pylons <= 0.9.6.2', # TODO: drop Pylons dependency in future release
-    'AuthKit'
+    'AuthKit',
+    'MyProxyClient'
 ]
 

TI12-security/trunk/python/ndg_security_test/ndg/security/test/unit/wsgi/authn/test_httpbasicauth.py

@@ -25 +25 @@
     response = "Test HTTP Basic Authentication application"
     
-    loggedIn = lambda self, environ: 'username' in environ.get(
-                                                self.beakerSessionKeyName, {})
-    
     def __init__(self, app_conf, **local_conf):
-        self.beakerSessionKeyName = app_conf.get('beakerSessionKeyName')
+        pass
         
     def __call__(self, environ, start_response):
         
-        if environ['PATH_INFO'] == '/test_401WithNotLoggedIn':
-            status = "401 Unauthorized"
-            
-        elif environ['PATH_INFO'] == '/test_401WithLoggedIn':
-            status = "401 Unauthorized"
-            
-        elif environ['PATH_INFO'] == '/test_200WithNotLoggedIn':
+        if environ['PATH_INFO'] == '/test_200':
             status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/test_200':
-            status = "200 OK"
-        
-        elif environ['PATH_INFO'] == '/test_sslClientAuthn':
-            if self.loggedIn(environ):
-                status = "200 OK"
-            else:
-                status = "401 Unauthorized"
         else:
             status = "404 Not found"
@@ -124 +106 @@
         authHeader =  "Basic %s" % base64String
         req.add_header("Authorization", authHeader)
-        try:
-            handle = urllib2.urlopen(req)
-        except IOError, e:
-            print("It looks like the username or password is wrong: %s" % e)
-            return
+        
+        handle = urllib2.urlopen(req)
         
         response = handle.read()