Changeset 6557 for TI12-security/trunk/NDGSecurity

Timestamp:

11/02/10 17:09:02 (10 years ago)

Author:

pjkersha

Message:

Fix for ApacheSSLAuthnMiddleware - use comma separated list for accepted DNs. This enables DNs with fields containing spaces to be correctly parsed.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• Tests/property.py (added)
• ndg_security_common/ndg/security/common/X509.py (modified) (10 diffs)
• ndg_security_common/ndg/security/common/authz/xacml/cond/__init__.py (modified) (2 diffs)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (4 diffs)
• ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py

@@ -422 +422 @@
     def Read(cls, filePath, warningStackLevel=4, **isValidTimeKw):
         """Create a new X509 certificate read in from a file"""
-    
-        x509Cert = cls(filePath=filePath)
-        
+        x509Cert = cls(filePath=filePath)  
         x509Cert.read(warningStackLevel=warningStackLevel, **isValidTimeKw)
         
@@ -432 +430 @@
     def Parse(cls, x509CertTxt, warningStackLevel=4, **isValidTimeKw):
         """Create a new X509 certificate from string of file content"""
-    
-        x509Cert = cls()
-        
+        x509Cert = cls()      
         x509Cert.parse(x509CertTxt, 
                        warningStackLevel=warningStackLevel,
@@ -471 +467 @@
     """Error from X509Stack type"""
 
+
 class X509StackEmptyError(X509CertError):
     """Expecting non-zero length X509Stack"""
+
 
 class X509CertIssuerNotFound(X509CertError):
@@ -478 +476 @@
     input"""
 
+
 class SelfSignedCert(X509CertError):
     """Raise from verifyCertChain if cert. is self-signed and 
     rejectSelfSignedCert=True"""
 
+
 class X509CertInvalidSignature(X509CertError):
     """X.509 Certificate has an invalid signature"""
+       
        
 class X509Stack(object):
@@ -545 +546 @@
         return X509Cert(m2CryptoX509=self.__m2X509Stack.pop())
 
-
     def asDER(self):
         """Return the stack as a DER encoded string
@@ -551 +551 @@
         @rtype: string"""
         return self.__m2X509Stack.as_der()
-
 
     def verifyCertChain(self, 
@@ -585 +584 @@
 
             x509Cert2Verify = self[-1]
-             
-                
+              
         # Exit loop if all certs have been validated or if find a self 
         # signed cert.
@@ -622 +620 @@
         if issuerX509Cert:            
             # Check for self-signed certificate
-            if nValidated == 1 and rejectSelfSignedCert and \
-               issuerX509Cert.dn == issuerX509Cert.issuer:
+            if (nValidated == 1 and rejectSelfSignedCert and 
+                issuerX509Cert.dn == issuerX509Cert.issuer):
 
                 # If only one iteration occurred then it must be a self
@@ -634 +632 @@
                          
         elif not caX509Stack:
-            raise X509CertIssuerNotFound('No issuer cert. found for cert. '
-                                         '"%s"' % x509Cert2Verify.dn)
+            raise X509CertIssuerNotFound('No issuer certificate found for '
+                                         'certificate "%s"' % 
+                                         x509Cert2Verify.dn)
             
         for caCert in caX509Stack:
@@ -645 +644 @@
         if issuerX509Cert:   
             if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
-                X509CertInvalidSignature('Signature is invalid for cert. "%s"'%
+                X509CertInvalidSignature('Signature is invalid for cert. "%s"' %
                                          x509Cert2Verify.dn)
             

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/cond/__init__.py

@@ -89 +89 @@
         self.isCondition = isCondition
     
-    
     @classmethod
     def getConditionInstance(cls, root):
@@ -104 +103 @@
             FunctionFactory
         cls.__getInstance(root, FunctionFactory.getConditionInstance(), True)
-    
     
     @classmethod

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -56 +56 @@
     CACERT_FILEPATH_LIST_OPTNAME = 'caCertFilePathList'
     CLIENT_CERT_DN_MATCH_LIST_OPTNAME = 'clientCertDNMatchList'
+    CLIENT_CERT_DN_MATCH_LIST_SEP_PAT = re.compile(',\s*')
     SSL_KEYNAME_OPTNAME = 'sslKeyName'
     SSL_CLIENT_CERT_KEYNAME_OPTNAME = 'sslClientCertKeyName'
@@ -78 +79 @@
     AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
                                        'ApacheSSLAuthnMiddleware.authenticated')
-    
+
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
         
@@ -212 +213 @@
         if isinstance(value, basestring):
             # Try parsing a space separated list of file paths
-            self.__clientCertDNMatchList = [X500DN(dn=dn) 
-                                            for dn in value.split()]
+            pat = ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_SEP_PAT
+            dnList = pat.split(value)
+            self.__clientCertDNMatchList = [X500DN(dn=dn) for dn in dnList]
             
         elif isinstance(value, (list, tuple)):
@@ -225 +227 @@
                     raise TypeError('Expecting a string, or %r type for "%s" '
                                     'list item; got %r' % 
-                (X500DN,
-                 ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
-                 type(dn)))
+                    (X500DN,
+                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME,
+                     type(dn)))
                     
         else:

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/ssl/test.ini

@@ -23 +23 @@
 ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
 ssl.rePathMatchList = ^/secured/.*$ ^/restrict.*
-ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test /O=localhost/OU=local/CN=test2
+ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test, /O=localhost/OU=local client/CN=test 2