Context Navigation

← Previous Change
Next Change →

NDGSecurity

Timestamp:

11/01/10 09:29:41 (10 years ago)

Author:

pjkersha

Message:

ndg.security.server.wsgi.NDGSecurityMiddlewareBase: change code to leave trailing space in path info attribute
ndg.security.server.wsgi.openid.provider.OpenIDProviderMiddleware:
- added properties with type checking
- added trustedRelyingParties attribute - a list of sites trusted by the Provider for which no decide page interface is invoked.
ndg.security.server.wsgi.openid.provider.axinterface.csv: fixed adding of AX attributes for CSV class. Required attributes were being set twice.
ndg.security.server.wsgi.openid.relyingparty.OpenIDRelyingParty:
- changed whitelisting to use ndg.security.server.wsgi.openid.relyingparty.validation.SSLIdPValidationDriver class. FIXME: Fix required in SSL verify callback needed to check only the server certificate in the verification chain and ignore CA certificates.
ndg.security.server.wsgi.openid.relyingparty.validation.SSLIdPValidationDriver: changed to init to include keyword option for installing default urllib2 opener and defaulting to OMIT it.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 2 added
: 15 edited

ndg_security (modified) (1 prop)
ndg_security_server/ndg/security/server/wsgi/__init__.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (24 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/__init__.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/csv.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/__init__.py (modified) (8 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py (modified) (6 diffs)
ndg_security_test/ndg/security/test/integration/__init__.py (modified) (1 diff)
ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/ssl-idp-validator.xml (added)
ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/ssl-valid-server-names.cfg (added)
ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (2 diffs)
ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py (modified) (1 diff)
ndg_security_test/ndg/security/test/integration/combinedservices/services.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/integration/openid/securityservices.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/integration/openidprovider/securityservices.ini (modified) (1 diff)
ndg_security_test/ndg/security/test/unit/__init__.py (modified) (1 diff)
ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/ndg_security
- Property svn:ignore set to
  *.egg-info

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/init.py

-                      r6069
+                      r6276
                 raise AttributeError("SCRIPT_URL key not set in environ: "
                                      "'mountPath' is set to None")
+        if self._mountPath != '/':
+            self._mountPath = self._mountPath.rstrip('/')
+        # Comment out as it breaks standard for URL trailing slash
+#        if self._mountPath != '/':
+#            self._mountPath = self._mountPath.rstrip('/')
     def _getMountPath(self):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/init.py

-                      r6246
+                      r6276
 import paste.request
 from paste.util.import_string import eval_import
+import beaker.session
 from openid.extensions import sreg, ax
 from openid.server import server
 …
         trace=False,
         renderingClass=None,
+        sregResponseHandler=None,
+        axResponseHandler=None,
+        authNInterface=AbstractAuthNInterface)
+        sregResponse=None,
+        axResponse=None,
+        authNInterface=AbstractAuthNInterface,
+        trustedRelyingParties=())
     defPaths = dict([(k, v) for k, v in defOpt.items()
 …
     APPROVE_RP_SUBMIT = "ApproveRelyingParty"
     REJECT_RP_SUBMIT = "RejectRelyingParty"
+    TRUSTED_RELYINGPARTIES_SEP_PAT = re.compile(',\s*')
     def __init__(self, app, app_conf=None, prefix=PARAM_PREFIX, **kw):
 …
         class variable
         '''
+        self._app = app
+        self._environ = {}
+        self._start_response = None
+        self._pathInfo = None
+        self._path = None
+        self.mountPath = '/'
+        super(OpenIDProviderMiddleware, self).__init__(app, {})
+#        self._app = app
+#        self._environ = {}
+#        self._start_response = None
+#        self._pathInfo = None
+#        self._path = None
+#        self.mountPath = '/'
+        self.__charset = None
+        self.__paths = None
+        self.__base_url = None
+        self.__urls = None
+        self.__method = None
+        self.__sessionMiddlewareEnvironKeyName = None
+        self.__session = None
+        self.__oidserver = None
+        self.__query = {}
+        self.__sregResponse = None
+        self.__trustedRelyingParties = ()
+        self.__axResponse = None
         # See _createResponse method
         self.oidResponse = None
+        self.__oidResponse = None
         opt = OpenIDProviderMiddleware.defOpt.copy()
 …
         opt.update(kw)
+        # Convert from string type where required
+        opt['charset'] = opt.get('charset', '')
+        opt['trace'] = opt.get('trace', 'false').lower() == 'true'
+        self.charset = opt['charset']
+        # If True and debug log level is set display content of response
+        self._trace = opt.get('trace', 'false').lower() == 'true'
         renderingClassVal = opt.get('renderingClass', None)
 …
             opt['renderingClass'] = eval_import(renderingClassVal)
         sregResponseHandlerVal = opt.get('sregResponseHandler', None)
         if sregResponseHandlerVal:
             opt['sregResponseHandler'] = eval_import(sregResponseHandlerVal)
+        sregResponseVal = opt.get('sregResponse', None)
+        if sregResponseVal:
+            opt['sregResponse'] = eval_import(sregResponseVal)
         else:
+            opt['sregResponseHandler'] = None
+        axResponseHandlerVal = opt.get('axResponseHandler', None)
+        if axResponseHandlerVal:
+            opt['axResponseHandler'] = eval_import(axResponseHandlerVal)
+        else:
+            opt['axResponseHandler'] = None
+            opt['sregResponse'] = None
         # Authentication interface to OpenID Provider - interface to for
 …
                             for k, v in self.paths.items()])
+        self.session_middleware = opt['session_middleware']
+        if not opt['charset']:
+            self.charset = ''
+        else:
+            self.charset = '; charset=' + charset
+        # If True and debug log level is set display content of response
+        self._trace = opt['trace']
+        self.sessionMiddlewareEnvironKeyName = opt['session_middleware']
         log.debug("opt=%r", opt)
 …
         # Callable for setting of Simple Registration attributes in HTTP header
         # of response to Relying Party
         self.sregResponseHandler = opt.get('sregResponseHandler', None)
         if self.sregResponseHandler and not callable(self.sregResponseHandler):
+        self.sregResponse = opt.get('sregResponse', None)
+        if self.sregResponse and not callable(self.sregResponse):
             raise OpenIDProviderMiddlewareError("Expecting callable for "
                                                 "sregResponseHandler keyword, "
+                                                "sregResponse keyword, "
                                                 "got %r" %
                                                 self.sregResponseHandler)
+                                                self.sregResponse)
         # Class to handle OpenID Attribute Exchange (AX) requests from
         # the Relying Party
         axResponseClassName = opt.pop('axResponse_class', None)
+        if axResponseClassName is None:
+            # No AX Response handler set
+            self.axResponse = None
+        else:
+        if axResponseClassName is not None:
             axResponseModuleFilePath = opt.pop('axResponse_moduleFilePath',
                                                None)
 …
             try:
                 self.axResponse = instantiateClass(
                                     axResponseClassName,
                                     None,
                                     moduleFilePath=axResponseModuleFilePath,
                                     objectType=AXInterface,
                                     classProperties=axResponseProperties)
+                self.__axResponse = instantiateClass(
+                                        axResponseClassName,
+                                        None,
+                                        moduleFilePath=axResponseModuleFilePath,
+                                        objectType=AXInterface,
+                                        classProperties=axResponseProperties)
             except Exception, e:
                 log.error("Error instantiating AX interface: %s" % e)
                 raise
+        self.trustedRelyingParties = opt['trustedRelyingParties']
         # Instantiate OpenID consumer store and OpenID consumer.  If you
         # were connecting to a database, you would create the database
 …
                             os.path.expandvars(opt['consumer_store_dirpath']))
         self.oidserver = server.Server(store, self.urls['url_openidserver'])
+    def getCharset(self):
+        return self.__charset
+    def getPaths(self):
+        return self.__paths
+    def getBase_url(self):
+        return self.__base_url
+    def getUrls(self):
+        return self.__urls
+    def getMethod(self):
+        return self.__method
+    def getSessionMiddlewareEnvironKeyName(self):
+        return self.__sessionMiddlewareEnvironKeyName
+    def getSession(self):
+        return self.__session
+    def setCharset(self, value):
+        # Convert from string type where required
+        if not value:
+            self.__charset = ''
+        elif isinstance(value, basestring):
+            self.__charset = '; charset=' + value
+        else:
+            raise TypeError('Expecting string type for "charset" attribute; '
+                            'got %r' % type(value))
+    def setPaths(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"paths" attribute; got %r' %
+                            type(value))
+        self.__paths = value
+    def setBase_url(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"base_url" attribute; got %r' %
+                            type(value))
+        self.__base_url = value
+    def setUrls(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"urls" attribute; got %r' %
+                            type(value))
+        self.__urls = value
+    def setMethod(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"method" attribute; got %r' %
+                            type(value))
+        self.__method = value
+    def setSessionMiddlewareEnvironKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"sessionMiddlewareEnvironKeyName" attribute; '
+                            'got %r' %
+                            type(value))
+        self.__sessionMiddlewareEnvironKeyName = value
+    def setSession(self, value):
+        if not isinstance(value, beaker.session.SessionObject):
+            raise TypeError('Expecting beaker.session.SessionObject type for '
+                            '"session" attribute; got %r' %
+                            type(value))
+        self.__session = value
+    def getOidResponse(self):
+        return self.__oidResponse
+    def getSregResponse(self):
+        return self.__sregResponse
+    def getAxResponse(self):
+        return self.__axResponse
+    def getOidserver(self):
+        return self.__oidserver
+    def getQuery(self):
+        return self.__query
+    def getTrustedRelyingParties(self):
+        return self.__trustedRelyingParties
+    def setOidResponse(self, value):
+        if not isinstance(value, server.OpenIDResponse):
+            raise TypeError('Expecting OpenIDResponse type for '
+                            '"oidResponse" attribute; got %r' %
+                            type(value))
+        self.__oidResponse = value
+    def setSregResponse(self, value):
+        self.__sregResponse = value
+    def setAxResponse(self, value):
+        if not isinstance(value, AXInterface):
+            raise TypeError('Expecting AXInterface type for '
+                            '"axResponse" attribute; got %r' %
+                            type(value))
+        self.__axResponse = value
+    def setOidserver(self, value):
+        if not isinstance(value, server.Server):
+            raise TypeError('Expecting openid.server.server.Server type for '
+                            '"oidserver" attribute; got %r' %
+                            type(value))
+        self.__oidserver = value
+    def setQuery(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"query" attribute; got %r' %
+                            type(value))
+        self.__query = value
+    def setTrustedRelyingParties(self, value):
+        if isinstance(value, basestring):
+            pat = OpenIDProviderMiddleware.TRUSTED_RELYINGPARTIES_SEP_PAT
+            self.__trustedRelyingParties = tuple([i for i in pat.split(value)])
+        elif isinstance(value, (list, tuple)):
+            self.__trustedRelyingParties = tuple(value)
+        else:
+            raise TypeError('Expecting list or tuple type for '
+                            '"trustedRelyingParties" attribute; got %r' %
+                            type(value))
     @classmethod
 …
         @return: WSGI response
         """
         if not environ.has_key(self.session_middleware):
+        if not environ.has_key(self.sessionMiddlewareEnvironKeyName):
             raise OpenIDProviderConfigError('The session middleware %r is not '
                                             'present. Have you set up the '
                                             'session middleware?' %
                                             self.session_middleware)
+                                        self.sessionMiddlewareEnvironKeyName)
         # Beware path is a property and invokes the _setPath method
         self.session = environ[self.session_middleware]
+        self.session = environ[self.sessionMiddlewareEnvironKeyName]
         self._render.session = self.session
 …
         except (OpenIDProviderMissingRequiredAXAttrs,
                 OpenIDProviderMissingAXResponseHandler):
+            log.error("%s type exception raised setting response following ID "
+                      "Approval: %s", e.__class__.__name__,
+                      traceback.format_exc())
             response = self._render.errorPage(self.environ,
                                               self.start_response,
 …
         except OpenIDProviderReloginRequired, e:
+            log.error("%s type exception raised setting response following ID "
+                      "Approval: %s", e.__class__.__name__,
+                      traceback.format_exc())
             response = self._render.errorPage(self.environ,
                                               self.start_response,
 …
             return response
     def _identityIsAuthorized(self, oidRequest):
+    def _identityIsAuthenticated(self, oidRequest):
         '''Check that a user is authorized i.e. does a session exist for their
         username and if so does it correspond to the identity URL provided.
 …
         if oidRequest.idSelect():
             log.debug("OpenIDProviderMiddleware._identityIsAuthorized - "
+            log.debug("OpenIDProviderMiddleware._identityIsAuthenticated - "
                       "ID Select mode set but user is already logged in")
             return True
 …
         if oidRequest.identity != identityURI:
             log.debug("OpenIDProviderMiddleware._identityIsAuthorized - user "
+            log.debug("OpenIDProviderMiddleware._identityIsAuthenticated - user "
                       "is already logged in with a different ID=%s and "
                       "identityURI=%s" %
 …
             return False
         log.debug("OpenIDProviderMiddleware._identityIsAuthorized - "
+        log.debug("OpenIDProviderMiddleware._identityIsAuthenticated - "
                   "user is logged in with ID matching ID URI")
         return True
 …
         return approvedRoots.get(trust_root) is not None
+    def _isConfiguredTrustedRoot(self, trust_root):
+        """the Relying Party is one of a
+        list of RPs set in the start up configuration as not needing
+        approval.  This could be for example sites within the same
+        organisation as this Provider
+        @type trust_root: dict
+        @param trust_root: keyed by trusted root (Relying Party) URL and
+        containing string item 'always' if approved
+        @rtype: bool
+        @return: True - trust has already been approved, False - trust root is
+        not approved
+        """
+        return trust_root in self.trustedRelyingParties
     def _addSRegResponse(self, oidRequest):
         '''Add Simple Registration attributes to response to Relying Party
 …
         @param oidRequest: OpenID Check ID Request object'''
         if self.sregResponseHandler is None:
+        if self.sregResponse is None:
             # No Simple Registration response object was set
             return
 …
         # Callout to external callable sets additional user attributes to be
         # returned in response to Relying Party
         sreg_data = self.sregResponseHandler(self.session.get(
+        sreg_data = self.sregResponse(self.session.get(
                             OpenIDProviderMiddleware.USERNAME_SESSION_KEYNAME))
         sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
 …
             if len(requiredAttr) > 0:
                 msg = ("Relying party requires these attributes: %s; but No"
                        "Attribute exchange handler 'axResponseHandler' has "
+                       "Attribute exchange handler 'axResponse' has "
                        "been set" % requiredAttr)
                 log.error(msg)
 …
         self.session.save()
         if self._identityIsAuthorized(oidRequest):
+        if self._identityIsAuthenticated(oidRequest):
             # User is logged in - check for ID Select type request i.e. the
 …
             # full OpenID URL.  In this case, the identity they wish to use must
             # be confirmed.
+            if oidRequest.idSelect():
+            isConfiguredTrustedRoot = self._isConfiguredTrustedRoot(
+                                                        oidRequest.trust_root)
+            if oidRequest.idSelect() and not isConfiguredTrustedRoot:
                 # OpenID identifier must be confirmed
                 return self.do_decide(self.environ, self.start_response)
+            elif self._trustRootIsAuthorized(oidRequest.trust_root):
+            elif (self._trustRootIsAuthorized(oidRequest.trust_root) or
+                  isConfiguredTrustedRoot):
                 # User entered their full OpenID URL and they have previously
+                # approved this Relying Party
+                # approved this Relying Party OR the Relying Party is one of a
+                # list of RPs set in the start up configuration as not needing
+                # approval.  This could be for example sites within the same
+                # organisation as this Provider
                 try:
+                    self._createResponse(oidRequest)
+                    identityURI = self.session[
+                        OpenIDProviderMiddleware.IDENTITY_URI_SESSION_KEYNAME
+                    ]
+                    self._createResponse(oidRequest, identifier=identityURI)
                 except (OpenIDProviderMissingRequiredAXAttrs,
 …
         return []
+    charset = property(getCharset, setCharset, None, "Charset's Docstring")
+    paths = property(getPaths, setPaths, None, "Dictionary of Paths for the app")
+    base_url = property(getBase_url, setBase_url, None, "Base URL for the app")
+    urls = property(getUrls, setUrls, None, "dictionary of URLs for app")
+    method = property(getMethod, setMethod, None,
+                      "Method name keyed from requested URL")
+    sessionMiddlewareEnvironKeyName = property(
+                                  getSessionMiddlewareEnvironKeyName,
+                                  setSessionMiddlewareEnvironKeyName,
+                                  None,
+                                  "environ key name for Beaker Session "
+                                  "middleware")
+    session = property(getSession, setSession, None, "Session's Docstring")
+    oidResponse = property(getOidResponse,
+                           setOidResponse,
+                           None,
+                           "OpenID response object")
+    sregResponse = property(getSregResponse,
+                            setSregResponse,
+                            None,
+                            "SReg response handler class")
+    axResponse = property(getAxResponse, setAxResponse, None,
+                          "Attribute Exchange response object")
+    oidserver = property(getOidserver, setOidserver, None,
+                         "OpenID server instance")
+    query = property(getQuery, setQuery, None,
+                     "dictionary of HTML query parameters")
+    trustedRelyingParties = property(getTrustedRelyingParties,
+                                     setTrustedRelyingParties,
+                                     None,
+                                     "Relying Parties trusted by this Provider")
 class RenderingInterfaceError(Exception):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/init.py

r6069	r6276
38	38	def __init__(self, **cfg):
39	39	"""Add custom settings from the OpenID Provider's
40		openid.provider.axResponse~~Handler~~.* settings contained in the host
	40	openid.provider.axResponse.* settings contained in the host
41	41	Paste ini file
42	42

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/csv.py

-                      r6069
+                      r6276
                                        ', '.join(missingAttributeURIs))
+        # Add the required attributes
+        for requiredAttributeURI in requiredAttributeURIs:
+            log.info("Adding required AX parameter %s=%s ...",
+                     requiredAttributeURI,
+                     userAttributeMap[requiredAttributeURI])
+            ax_resp.addValue(requiredAttributeURI,
+                             userAttributeMap[requiredAttributeURI])
+        # Append requested attribute if available
+        # Add the requested attributes
         for requestedAttributeURI in ax_req.requested_attributes.keys():
             if requestedAttributeURI in self.attributeNames:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/init.py

-                      r6069
+                      r6276
 import httplib # to get official status code messages
 import urllib # decode quoted URI in query arg
+import urllib2 # SSL based whitelisting
 from urlparse import urlsplit, urlunsplit
 from paste.request import parse_querystring, parse_formvars
 …
 from beaker.middleware import SessionMiddleware
+# SSL based whitelisting
+from M2Crypto import SSL
+from M2Crypto.m2urllib2 import build_opener, HTTPSHandler
+from openid.fetchers import setDefaultFetcher, Urllib2Fetcher
+from ndg.security.common.utils.classfactory import instantiateClass
 from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
 from ndg.security.server.wsgi.authn import AuthnRedirectMiddleware
+from ndg.security.common.utils.classfactory import instantiateClass
+from ndg.security.server.wsgi.openid.relyingparty.validation import (
+                                                        SSLIdPValidationDriver)
 …
     '''
     sslPropertyDefaults = {
+        'certFilePath': '',
+        'priKeyFilePath': None,
+        'priKeyPwd': None,
+        'caCertDirPath': None,
+        'providerWhitelistFilePath': None
+        'idpWhitelistConfigFilePath': None
+    }
     propertyDefaults = {
-        'sslPeerCertAuthN': True,
         'signinInterfaceMiddlewareClass': None,
         'baseURL': ''
 …
         format of propertyDefaults class variable"""
+        # Default to set SSL peer cert authN where no flag is set in the config
+        # To override, it must explicitly be set to False in the config
+        if app_conf.get('sslPeerCertAuthN', 'true').lower() != 'false':
+            # Set parameters for SSL client connection to OpenID Provider Yadis
+            # retrieval URI
+            for paramName in self.__class__.sslPropertyDefaults:
+                paramDefault = self.__class__.sslPropertyDefaults[paramName]
+                setattr(self,
+                        paramName,
+                        app_conf.get(prefix+paramName, paramDefault))
+            self._initSSLPeerAuthN()
+        # Whitelisting of IDPs.  If no config file is set, no validation is
+        # executed
+        idpWhitelistConfigFilePath = app_conf.get(
+                                        prefix + 'idpWhitelistConfigFilePath')
+        if idpWhitelistConfigFilePath is not None:
+            self._initIdPValidation(idpWhitelistConfigFilePath)
         # Check for sign in template settings
 …
         referrerPathInfo = urlsplit(referrer)[2]
         if referrer and \
            not referrerPathInfo.endswith(self._authKitVerifyPath) and \
            not referrerPathInfo.endswith(self._authKitProcessPath):
+        if (referrer and
+            not referrerPathInfo.endswith(self._authKitVerifyPath) and
+            not referrerPathInfo.endswith(self._authKitProcessPath)):
             # Subvert authkit.authenticate.open_id.AuthOpenIDHandler.process
             # reassigning it's session 'referer' key to the URI specified in
 …
         return self._app(environ, _start_response)
     def _initSSLPeerAuthN(self):
+    def _initIdPValidation(self, idpWhitelistConfigFilePath):
         """Initialise M2Crypto based urllib2 HTTPS handler to enable SSL
         authentication of OpenID Providers"""
 …
                  "Provider ...")
+        def verifySSLPeerCertCallback(preVerifyOK, x509StoreCtx):
+            '''SSL verify callback function used to control the behaviour when
+            the SSL_VERIFY_PEER flag is set
+            http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
+            @type preVerifyOK: int
+            @param preVerifyOK: If a verification error is found, this
+            parameter will be set to 0
+            @type x509StoreCtx: M2Crypto.X509_Store_Context
+            @param x509StoreCtx: locate the certificate to be verified and
+            perform additional verification steps as needed
+            @rtype: int
+            @return: controls the strategy of the further verification process.
+            - If verify_callback returns 0, the verification process is
+            immediately stopped with "verification failed" state. If
+            SSL_VERIFY_PEER is set, a verification failure alert is sent to the
+            peer and the TLS/SSL handshake is terminated.
+            - If verify_callback returns 1, the verification process is
+            continued.
+            If verify_callback always returns 1, the TLS/SSL handshake will not
+            be terminated with respect to verification failures and the
+            connection
+            will be established. The calling process can however retrieve the
+            error code of the last verification error using
+            SSL_get_verify_result or by maintaining its own error storage
+            managed by verify_callback.
+            '''
+            if preVerifyOK == 0:
+                # Something is wrong with the certificate don't bother
+                # proceeding any further
+                log.error("verifyCallback: pre-verify OK flagged an error "
+                          "with the peer certificate, returning error state "
+                          "to caller ...")
+                return preVerifyOK
+            x509Cert = x509StoreCtx.get_current_cert()
+            x509Cert.get_subject()
+            x509CertChain = x509StoreCtx.get1_chain()
+            for cert in x509CertChain:
+                subject = cert.get_subject()
+                dn = subject.as_text()
+                log.debug("verifyCallback: dn = %r", dn)
+            # If all is OK preVerifyOK will be 1.  Return this to the caller to
+            # that it's OK to proceed
+            return preVerifyOK
+        # Imports here so that if SSL Auth is not set the app will not need
+        # these packages
+        import urllib2
+        from M2Crypto import SSL
+        from M2Crypto.m2urllib2 import build_opener
+        from openid.fetchers import setDefaultFetcher, Urllib2Fetcher
+        # Create a context specifying verification of the peer but with an
+        # additional callback function
+        ctx = SSL.Context()
+        ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,
+,
+                       callback=verifySSLPeerCertCallback)
+        # Point to a directory containing CA certificates.  These must be named
+        # in their hashed form as expected by the OpenSSL API.  Use c_rehash
+        # utility to generate names or in the CA directory:
+        #
+        # $ for i in *.crt *.pem; do ln -s $i $(openssl x509 -hash -noout -in $i).0; done
+        ctx.load_verify_locations(capath=self.caCertDirPath)
+        # Load this client's certificate and private key to enable the peer
+        # OpenID Provider to authenticate it
+        ctx.load_cert(self.certFilePath,
+                      keyfile=self.priKeyFilePath,
+                      callback=lambda *arg, **kw: self.priKeyPwd)
+        idPValidationDriver = SSLIdPValidationDriver(
+                                idpConfigFilePath=idpWhitelistConfigFilePath)
+#        def verifySSLPeerCertCallback(preVerifyOK, x509StoreCtx):
+#            '''SSL verify callback function used to control the behaviour when
+#            the SSL_VERIFY_PEER flag is set
+#
+#            http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
+#
+#            @type preVerifyOK: int
+#            @param preVerifyOK: If a verification error is found, this
+#            parameter will be set to 0
+#            @type x509StoreCtx: M2Crypto.X509_Store_Context
+#            @param x509StoreCtx: locate the certificate to be verified and
+#            perform additional verification steps as needed
+#            @rtype: int
+#            @return: controls the strategy of the further verification process.
+#            - If verify_callback returns 0, the verification process is
+#            immediately stopped with "verification failed" state. If
+#            SSL_VERIFY_PEER is set, a verification failure alert is sent to the
+#            peer and the TLS/SSL handshake is terminated.
+#            - If verify_callback returns 1, the verification process is
+#            continued.
+#            If verify_callback always returns 1, the TLS/SSL handshake will not
+#            be terminated with respect to verification failures and the
+#            connection
+#            will be established. The calling process can however retrieve the
+#            error code of the last verification error using
+#            SSL_get_verify_result or by maintaining its own error storage
+#            managed by verify_callback.
+#            '''
+#            if preVerifyOK == 0:
+#                # Something is wrong with the certificate don't bother
+#                # proceeding any further
+#                log.error("verifyCallback: pre-verify OK flagged an error "
+#                          "with the peer certificate, returning error state "
+#                          "to caller ...")
+#                return preVerifyOK
+#
+#            x509Cert = x509StoreCtx.get_current_cert()
+#            x509Cert.get_subject()
+#            x509CertChain = x509StoreCtx.get1_chain()
+#            for cert in x509CertChain:
+#                subject = cert.get_subject()
+#                dn = subject.as_text()
+#                log.debug("verifyCallback: dn = %r", dn)
+#
+#            # If all is OK preVerifyOK will be 1.  Return this to the caller to
+#            # that it's OK to proceed
+#            return preVerifyOK
+#
+#
+#        # Create a context specifying verification of the peer but with an
+#        # additional callback function
+#        ctx = SSL.Context()
+#        ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,
+#                       9,
+#                       callback=verifySSLPeerCertCallback)
+#
+#        # Point to a directory containing CA certificates.  These must be named
+#        # in their hashed form as expected by the OpenSSL API.  Use c_rehash
+#        # utility to generate names or in the CA directory:
+#        #
+#        # $ for i in *.crt *.pem; do ln -s $i $(openssl x509 -hash -noout -in $i).0; done
+#        ctx.load_verify_locations(capath=self.caCertDirPath)
+#
+#        # Load this client's certificate and private key to enable the peer
+#        # OpenID Provider to authenticate it
+#        ctx.load_cert(self.certFilePath,
+#                      keyfile=self.priKeyFilePath,
+#                      callback=lambda *arg, **kw: self.priKeyPwd)
         # Force Python OpenID library to use Urllib2 fetcher instead of the
 …
         setDefaultFetcher(Urllib2Fetcher())
+        log.debug("Adding the M2Crypto SSL handler to urllib2's list of "
+                  "handlers...")
+        urllib2.install_opener(build_opener(ssl_context=ctx))
+#        log.debug("Adding the M2Crypto SSL handler to urllib2's list of "
+#                  "handlers...")
+#        urllib2.install_opener(build_opener(ssl_context=ctx))
+        log.debug("Setting the M2Crypto SSL handler ...")
+        opener = urllib2.OpenerDirector()
+        opener.add_handler(FlagHttpsOnlyHandler())
+        opener.add_handler(HTTPSHandler(idPValidationDriver.ctx))
+        urllib2.install_opener(opener)
+class FlagHttpsOnlyHandler(urllib2.AbstractHTTPHandler):
+    '''Raise an exception for any other protocol than https'''
+    def unknown_open(self, req):
+        """Signal to caller that default handler is not supported"""
+        raise urllib2.URLError("Only HTTPS based OpenID Providers "
+                               "are supported")
 class SigninInterfaceError(Exception):
     """Base class for SigninInterface exceptions

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/validation.py

-                      r6069
+                      r6276
     '''Interface class for implementing OpenID Provider validators for a
     Relying Party to call'''
+    __slots__ = ()
     def __init__(self):
 …
 class SSLClientAuthNValidator(SSLIdPValidator):
+    """HTTPS based validation with the addition that this client can provide
+    a certificate to the peer enabling mutual authentication
+    """
     PARAMETERS = {
         'configFilePath': basestring,
 …
         'priKeyPwd': basestring
+    }
+    __slots__ = {}
+    __slots__.update(PARAMETERS)
+    __slots__.update({'validIdPNames': []})
     def __init__(self):
         """Set-up default SSL context for HTTPS requests"""
+        self.validIdPNames = []
         for p in SSLClientAuthNValidator.PARAMETERS:
+            setattr(self, p, None)
+            setattr(self, p, '')
+    def __setattr__(self, name, value):
+        if (name in SSLClientAuthNValidator.PARAMETERS and
+            not isinstance(value, SSLClientAuthNValidator.PARAMETERS[name])):
+            raise TypeError('Invalid type %r for parameter "%s" expecting '
+                            '%r ' %
+                            (type(value),
+                             name,
+                             SSLClientAuthNValidator.PARAMETERS[name]))
+        super(SSLClientAuthNValidator, self).__setattr__(name, value)
     def initialize(self, ctx, **parameters):
         '''@raise ConfigException:'''
         for name, val in parameters.items():
-            if name not in SSLClientAuthNValidator.PARAMETERS:
-                raise AttributeError('Invalid parameter name "%s".  Valid '
-                                     'names are %r' % (name,
-                                    SSLClientAuthNValidator.PARAMETERS.keys()))
-            if not isinstance(val, SSLClientAuthNValidator.PARAMETERS[name]):
-                raise TypeError('Invalid type %r for parameter "%s" expecting '
-                                '%r ' %
-                                (type(val),
-                                 name,
-                                 SSLClientAuthNValidator.PARAMETERS[name]))
             setattr(self, name, os.path.expandvars(val))
 …
         x509Cert = X509Cert.fromM2Crypto(x509StoreCtx.get_current_cert())
         commonName = x509Cert.dn['CN']
+        x509CertChain = x509StoreCtx.get1_chain()
+        for cert in x509CertChain:
+            subject = cert.get_subject()
+            dn = subject.as_text()
+            log.debug("verifyCallback: dn = %r", dn)
         # If all is OK preVerifyOK will be 1.  Return this to the caller to
 …
     IDP_VALIDATOR_BASE_CLASS = SSLIdPValidator
     def __init__(self, idpConfigFilePath=None):
+    def __init__(self, idpConfigFilePath=None, installOpener=False):
         super(SSLIdPValidationDriver, self).__init__()
 …
                             callback=self)
+        urllib2.install_opener(build_opener(ssl_context=self.ctx))
+        if installOpener:
+            urllib2.install_opener(build_opener(ssl_context=self.ctx))
         if idpConfigFilePath is not None:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/init.py

r6069	r6276
9	9	__contact__ = "Philip.Kershaw@stfc.ac.uk"
10	10	__revision__ = "$Id: $"
	11
11	12
12	13	class AuthZTestApp(object):

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

-                      r6271
+                      r6276
 openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
+openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
+openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
+openid.relyingparty.priKeyPwd =
+openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
+openid.relyingparty.providerWhitelistFilePath =
+openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml
 openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate
 #openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
 …
     http://openid.net/schema/namePerson/last
     http://openid.net/schema/contact/internet/email
+openid.provider.trustedRelyingParties=https://localhost:7443, https://ndg.somewhere.ac.uk,
+        https://badc.somewhere.ac.uk
 #______________________________________________________________________________

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservicesapp.py

-                      r6069
+                      r6276
 from OpenSSL import SSL
 from ndg.security.test.unit import BaseTestCase
+from ndg.security.test.unit import BaseTestCase, TEST_CONFIG_DIR
 from ndg.security.test.unit.wsgi import PasteDeployAppServer
 INI_FILEPATH = 'securityservices.ini'
+os.environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
+                                                                    __file__))
+os.environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
 # To start run

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/combinedservices/services.ini

r5656	r6276
419	419
420	420
421		#openid.provider.sregResponse~~Handler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler~~
	421	#openid.provider.sregResponse=ndg.security.server.pylons.container.lib.openid_provider_util:esgSregResponse
422	422	#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
423	423

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openid/securityservices.ini

r5648	r6276
276	276
277	277
278		#openid.provider.sregResponse~~Handler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler~~
	278	#openid.provider.sregResponse=ndg.security.server.pylons.container.lib.openid_provider_util:esgSregResponse
279	279	#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
280	280

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openidprovider/securityservices.ini

r5648	r6276
242	242
243	243
244		#openid.provider.sregResponse~~Handler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler~~
	244	#openid.provider.sregResponse=ndg.security.server.pylons.container.lib.openid_provider_util:esgSregResponse
245	245	#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
246	246

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/init.py

r6067	r6276
1	1	"""NDG Security unit test package
2	2
3		NERC Data Grid Project
	3	NERC DataGrid Project
4	4	"""
5	5	__author__ = "P J Kershaw"

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/openid/relyingparty/validation/test_validation.py

-                      r6069
+                      r6276
 import unittest
 from ndg.security.test.unit import BaseTestCase, mkDataDirPath
 from ndg.security.server.wsgi.openid.relyingparty.validation import \
     IdPValidator, IdPValidationDriver, IdPInvalidException, \
     SSLIdPValidationDriver, SSLClientAuthNValidator
+from ndg.security.server.wsgi.openid.relyingparty.validation import (
+    IdPValidator, IdPValidationDriver, IdPInvalidException,
+    SSLIdPValidationDriver, SSLClientAuthNValidator)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 6276 for TI12-security/trunk/NDGSecurity

Legend:

Download in other formats: