Changeset 6888

Timestamp:

24/05/10 15:01:36 (10 years ago)

Author:

pjkersha

Message:

Working unit tests with HTTP based MyProxy? logon tested using past.deploy fronting a real MyProxy? server

Location:

TI12-security/trunk/MyProxyServerUtils

Files:

• .pydevproject (modified) (1 diff)
• myproxy/__init__.py (modified) (1 diff)
• myproxy/server/test/myproxywsgi.ini (modified) (2 diffs)
• myproxy/server/test/test_myproxywsgi.cfg (added)
• myproxy/server/test/test_myproxywsgi.py (modified) (1 diff)
• myproxy/server/wsgi/app.py (modified) (3 diffs)
• myproxy/server/wsgi/httpbasicauth.py (modified) (1 diff)
• myproxy/server/wsgi/middleware.py (modified) (5 diffs)

TI12-security/trunk/MyProxyServerUtils/.pydevproject

@@ -8 +8 @@
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.6</pydev_property>
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Python2.6</pydev_property>
+<pydev_pathproperty name="org.python.pydev.PROJECT_EXTERNAL_SOURCE_PATH">
+<path>/home/pjkersha/workspace/MyProxyClient</path>
+</pydev_pathproperty>
 </pydev_project>

TI12-security/trunk/MyProxyServerUtils/myproxy/__init__.py

@@ +1 @@
+"""MyProxy Server Utilities myproxy namespace package
+
+This is a setuptools namespace_package.  DO NOT place any other
+code in this file!  There is no guarantee that it will be installed
+with easy_install.  See:
+
+http://peak.telecommunity.com/DevCenter/setuptools#namespace-packages
+
+... for details.
+"""
+__author__ = "P J Kershaw"
+__date__ = "21/05/10"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
+__license__ = "BSD - see LICENSE file in top-level directory"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = '$Id$'
+
+__import__('pkg_resources').declare_namespace(__name__)

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/myproxywsgi.ini

@@ -1 +1 @@
 #
-# SSL Client Authn WSGI Testing environment configuration
+# MyProxy Logon Application in file for unit tests.
+#
+# Author: P J Kershaw
+#
+# Date: 21/05/10
+#
+# Copyright: STFC 2010
+#
+# Licence: BSD - See top-level LICENCE file for licence details
 #
 # The %(here)s variable will be replaced with the parent directory of this file
 #
-[DEFAULT]
-testConfigDir = %(here)s/../../../config
-
 [server:main]
 use = egg:Paste#http
@@ -12 +17 @@
 port = 5000
 
-[pipeline:main]
-pipeline = SSLClientAuthnFilter TestApp
-
-[app:TestApp]
-paste.app_factory = ndg.security.test.unit.wsgi.ssl.test_ssl:TestSSLClientAuthnApp
-
-[filter:SSLClientAuthnFilter]
-paste.filter_app_factory = ndg.security.server.wsgi.ssl:ApacheSSLAuthnMiddleware
-prefix = ssl.
-ssl.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
-ssl.rePathMatchList = ^/secured/.*$ ^/restrict.*
-ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=test, /O=localhost/OU=local client/CN=test 2
+[app:main]
+paste.app_factory = myproxy.server.wsgi.app:MyProxyLogonApp.app_factory
+prefix = myproxy.
+myproxy.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC
+myproxy.rePathMatchList = /logon
+myproxy.client.hostname = localhost
+myproxy.client.caCertDir = /etc/grid-security/certificates

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/test_myproxywsgi.py

@@ -9 +9 @@
 __revision__ = '$Id: $'
 import logging
+logging.basicConfig(level=logging.DEBUG)
 
 import unittest
 import os
-import re
+import base64
+from getpass import getpass
+from ConfigParser import SafeConfigParser, NoOptionError
 
+from OpenSSL import crypto
 import paste.fixture
 from paste.deploy import loadapp
 
+from myproxy.server.wsgi.middleware import MyProxyClientMiddleware
 
-class TestSSLClientAuthnApp(BaseTestCase):
-    '''Test Application for the Authentication handler to protect'''
-    response = "Test Authentication redirect application"
-       
-    def __init__(self, app_conf, **local_conf):
-        pass
+
+class TestMyProxyClientMiddlewareApp(object):
+    '''Test Application for MyClientProxyMiddleware'''
+    RESPONSE = "Test MyProxyClientMiddleware"
     
     def __call__(self, environ, start_response):
         
-        if environ['PATH_INFO'] == '/secured/uri':
-            status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/unsecured':
-            status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/test_200WithNotLoggedIn':
-            status = "200 OK"
-            
-        elif environ['PATH_INFO'] == '/test_200WithLoggedIn':
-            environ['REMOTE_USER'] = 'testuser'
-            status = "200 OK"
-        else:
-            status = "404 Not found"
+        assert(environ[MyProxyClientMiddleware.CLIENT_ENV_KEYNAME])
+        assert(environ[MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME])
+        status = "200 OK"
                 
         start_response(status,
                        [('Content-length', 
-                         str(len(TestSSLClientAuthnApp.response))),
+                         str(len(self.__class__.RESPONSE))),
                         ('Content-type', 'text/plain')])
-        return [TestSSLClientAuthnApp.response]
+        return [self.__class__.RESPONSE]
 
 
-class MyProxyWSGITestCase(BaseTestCase):
+class MyProxyClientMiddlewareTestCase(unittest.TestCase):
+    def __init__(self, *args, **kwargs):
+        app = TestMyProxyClientMiddlewareApp()
+        app = MyProxyClientMiddleware.filter_app_factory(app, {}, prefix='')
+        self.app = paste.fixture.TestApp(app)
+         
+        unittest.TestCase.__init__(self, *args, **kwargs)
 
+    def test01AssertMyProxyClientInEnviron(self):
+        # Check the middleware has set the MyProxy client object in environ
+        response = self.app.get('/', status=200)
+        self.assert_(response)
+        
+        
+class MyProxyLogonAppTestCase(unittest.TestCase):
+    INI_FILENAME = 'myproxywsgi.ini'
+    THIS_DIR = os.path.dirname(__file__)
+    CONFIG_FILENAME = 'test_myproxywsgi.cfg'
+    CONFIG_FILEPATH = os.path.join(THIS_DIR, CONFIG_FILENAME)
+    
     def __init__(self, *args, **kwargs):
         here_dir = os.path.dirname(os.path.abspath(__file__))
-        wsgiapp = loadapp('config:test.ini', relative_to=here_dir)
+        wsgiapp = loadapp('config:' + MyProxyLogonAppTestCase.INI_FILENAME, 
+                          relative_to=here_dir)
         self.app = paste.fixture.TestApp(wsgiapp)
-         
-        BaseTestCase.__init__(self, *args, **kwargs)
         
-
-    def test01NotAnSSLRequest(self):
-        # This request should be ignored because the SSL environment settings
-        # are not present
-        response = self.app.get('/unsecured')
-    
-    def test02NoClientCertSet(self):
-        extra_environ = {'HTTPS':'1'}
-        response = self.app.get('/secured/uri',
-                                extra_environ=extra_environ,
-                                status=401)
-    
-    def test03ClientCertSet(self):
-        thisDir = os.path.dirname(__file__)
-        sslClientCertFilePath = os.path.join(
-                                os.environ[BaseTestCase.configDirEnvVarName],
-                                'pki',
-                                'test.crt')
-        sslClientCert = X509Cert.Read(sslClientCertFilePath).toString()
-        extra_environ = {'HTTPS':'1', 'SSL_CLIENT_CERT': sslClientCert}
-        response = self.app.get('/secured/uri',
-                                extra_environ=extra_environ,
-                                status=200)
-
+        self.cfg = SafeConfigParser({'here': MyProxyLogonAppTestCase.THIS_DIR})
+        self.cfg.optionxform = str
+        self.cfg.read(MyProxyLogonAppTestCase.CONFIG_FILEPATH)
+        
+        unittest.TestCase.__init__(self, *args, **kwargs)
+        
+    def _createRequestCreds(self):
+        keyPair = crypto.PKey()
+        keyPair.generate_key(crypto.TYPE_RSA, 1024)
+        
+        certReq = crypto.X509Req()
+        
+        # Create public key object
+        certReq.set_pubkey(keyPair)
+        
+        # Add the public key to the request
+        certReq.sign(keyPair, "md5")
+        
+        pemCertReq = crypto.dump_certificate_request(crypto.FILETYPE_PEM, 
+                                                     certReq)
+        return keyPair, pemCertReq
+        
+    def test01Logon(self):
+        username = self.cfg.get('test01Logon', 'username')
+        try: 
+            password = self.cfg.get('test01Logon', 'password')
+        except NoOptionError:
+            password = getpass('test01Logon password: ')
+            
+        base64String = base64.encodestring('%s:%s' % (username, password))[:-1]
+        authHeader =  "Basic %s" % base64String
+        headers = {'Authorization': authHeader}
+        
+        # Create key pair and certificate request
+        keyPair, certReq = self._createRequestCreds()
+        response = self.app.post('/logon', certReq, headers=headers, status=200)
+        print response 
+        self.assert_(response)
+          
 
 if __name__ == "__main__":

TI12-security/trunk/MyProxyServerUtils/myproxy/server/wsgi/app.py

@@ -9 +9 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: $"
-import logging
-log = logging.getLogger(__name__)
-import traceback
-import re
-import httplib
-import socket
-
 from myproxy.server.wsgi.httpbasicauth import HttpBasicAuthMiddleware
 from myproxy.server.wsgi.middleware import MyProxyClientMiddleware
@@ -25 +18 @@
     
 class MyProxyLogonApp(object):
-    """HTTP Basic Auth interface to MyProxy logon.  This interfaces creates a
-    MyProxy client instance and HTTP Basic Auth based web service interface
-    for MyProxy logon calls.  This WSGI must be run over HTTPS to ensure
-    confidentiality of username/passphrase credentials
+    """HTTP interface to MyProxy logon.  This interfaces creates a MyProxy 
+    client instance with a HTTP Basic Auth based web service interface
+    to pass username/passphrase for MyProxy logon calls.  
+    
+    This WSGI must be run over HTTPS to ensure confidentiality of 
+    username/passphrase credentials.  PKI based verification of requests
+    should be done out of band of this app e.g. in other filter middleware or
+    Apache SSL configuration.
     """
     PARAM_PREFIX = 'myproxy.logon.'
@@ -44 +41 @@
         dictionary
         """
-        authnFuncEnvKeyNameOptName = HttpBasicAuthMiddleware.PARAM_PREFIX + \
-                        HttpBasicAuthMiddleware.AUTHN_FUNC_ENV_KEYNAME_OPTNAME
-                        
-        if authnFuncEnvKeyNameOptName in app_conf:
-            raise MyProxyLogonMiddlewareConfigError("Found %r option name in "
-                "application configuration settings.  Use %r instead" %
-                (authnFuncEnvKeyNameOptName, 
-                 MyProxyLogonApp.PARAM_PREFIX + \
-                 MyProxyLogonApp.LOGON_FUNC_ENV_KEYNAME_OPTNAME))
+        logonFuncEnvKeyNameOptName = prefix + \
+                        MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME_OPTNAME
+        
+        logonFuncEnvironKeyName = app_conf.get(logonFuncEnvKeyNameOptName,
+                                MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME)
             
+        # Mirror callback function setting in HTTP Basic Auth middleware so
+        # that it correctly picks up the authentication function
+        app_conf[prefix + HttpBasicAuthMiddleware.AUTHN_FUNC_ENV_KEYNAME_OPTNAME
+                 ] = logonFuncEnvironKeyName
+                 
         app = MyProxyLogonApp()
         httpBasicAuthMWare = HttpBasicAuthMiddleware.filter_app_factory(app, 
-                                                                    global_conf, 
-                                                                    prefix, 
-                                                                    **app_conf)
+                                                                global_conf, 
+                                                                prefix=prefix, 
+                                                                **app_conf)
         
         app = MyProxyClientMiddleware.filter_app_factory(httpBasicAuthMWare, 
                                                          global_conf, 
-                                                         prefix, 
-                                                         myProxyClientPrefix)
+                                                         prefix=prefix,
+                                                         **app_conf)
         
         # Set HTTP Basic Auth to use the MyProxy client logon for its
         # authentication method
-        httpBasicAuthApp.authnFuncEnvironKeyName = app.logonFuncEnvironKeyName
+        httpBasicAuthMWare.authnFuncEnvironKeyName = app.logonFuncEnvironKeyName
         
         return app
+    
+    def __call__(self, environ, start_response):
+        """Catch case where request path doesn't match mount point for app"""
+        status = response = '404 Not Found'
+        start_response(status,
+                       [('Content-type', 'text/plain'),
+                        ('Content-length', str(len(response)))])
+        return [response]
+        
 
 

TI12-security/trunk/MyProxyServerUtils/myproxy/server/wsgi/httpbasicauth.py

@@ -161 +161 @@
             
         creds = base64.decodestring(encodedCreds)
-        username, password = creds.split(HttpBasicAuthMiddleware.FIELD_SEP, 1)
+        username, password = creds.rsplit(HttpBasicAuthMiddleware.FIELD_SEP, 1)
         return username, password
 

TI12-security/trunk/MyProxyServerUtils/myproxy/server/wsgi/middleware.py

@@ -13 +13 @@
 log = logging.getLogger(__name__)
 import traceback
-
+import socket
+import httplib
+from cStringIO import StringIO
+
+from OpenSSL import crypto
 from myproxy.client import MyProxyClient, MyProxyClientError
        
@@ -31 +35 @@
     
     # Default environ key names
-    CLIENT_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
-                          'MyProxyClientMiddleware')
-    LOGON_FUNC_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
+    CLIENT_ENV_KEYNAME = ('myproxy.server.wsgi.middleware.'
+                          'MyProxyClientMiddleware.myProxyClient')
+    LOGON_FUNC_ENV_KEYNAME = ('myproxy.server.wsgi.middleware.'
                               'MyProxyClientMiddleware.logon')
     
@@ -179 +183 @@
             """               
             if environ.get('REQUEST_METHOD') == 'POST':
-                pemCertReq = environ[
-                        MyProxyClientMiddleware.WSGI_INPUT_ENV_KEYNAME].read()
-                
-                # TODO: restore WSGI file object
+                wsgiInput = environ[
+                                MyProxyClientMiddleware.WSGI_INPUT_ENV_KEYNAME]
+                pemCertReq = wsgiInput.read()
+                
+                # Restore WSGI file object with duck typing(!)
+                wsgiInput = StringIO()
+                wsgiInput.write(pemCertReq)
+                wsgiInput.seek(0)
                 
                 # Expecting PEM encoded request
-                certReq = X509.load_request_string(pemCertReq)  
+                certReq = crypto.load_certificate_request(
+                                                        crypto.FILETYPE_PEM,
+                                                        pemCertReq)
+                
+                # Convert to ASN1 format expect by logon client call
+                asn1CertReq = crypto.dump_certificate_request(
+                                                        crypto.FILETYPE_ASN1, 
+                                                        certReq)
             else:
                 status = self.getStatusMessage(httplib.UNAUTHORIZED)
@@ -195 +210 @@
                 credentials = self.myProxyClient.logon(username, 
                                                        password,
-                                                       certReq=certReq)
+                                                       certReq=asn1CertReq)
                 status = self.getStatusMessage(httplib.OK)
                 response = '\n'.join(credentials)
                 
-            except MyProxyClientError:
+            except MyProxyClientError, e:
                 status = self.getStatusMessage(httplib.UNAUTHORIZED)
                 response = str(e)
@@ -220 +235 @@
         
         return _myProxylogon
+
+    @staticmethod
+    def getStatusMessage(statusCode):
+        '''Make a standard status message for use with start_response
+        @type statusCode: int
+        @param statusCode: HTTP status code
+        @rtype: str
+        @return: status code with standard message
+        @raise KeyError: for invalid status code
+        '''
+        return '%d %s' % (statusCode, httplib.responses[statusCode])
+