Changeset 6943

Timestamp:

07/06/10 15:11:20 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 5: MyProxy? Logon HTTPS Interface

• Working myproxy-ws-get-trustroots.sh http client shell script.

Location:

TI12-security/trunk/MyProxyWebService

Files:

• .project (added)
• .pydevproject (added)
• myproxy/server/test/myproxy-ws-get-trustroots.sh (added)
• myproxy/server/test/myproxy-ws-logon.sh (modified) (2 diffs)
• myproxy/server/test/myproxywsgi.ini (modified) (1 diff)
• myproxy/server/test/test_myproxywsgi.cfg (modified) (1 diff)
• myproxy/server/test/test_myproxywsgi.py (modified) (6 diffs)
• myproxy/server/wsgi/app.py (modified) (4 diffs)
• myproxy/server/wsgi/middleware.py (modified) (4 diffs)

TI12-security/trunk/MyProxyWebService/myproxy/server/test/myproxy-ws-logon.sh

@@ -44 +44 @@
 
 if [ -z $uri ]; then
-    echo -e Give the URI for the MyProxy Logon web service ;
+    echo -e Give the URI for the MyProxy web service logon request;
     echo -e $usage >&2 ;
     exit 1;
@@ -90 +90 @@
 # Post request to MyProxy web service passing username/password for HTTP Basic
 # auth based authentication.  
-# Nb. 
-# 1) -t 1 to ensure only one attempt is made
-# 2) --auth-no-challenge force sending of username/password to allow for servers that may not issue an authentication challenge
-#wget $uri --http-user=$username --http-password=$password --post-file=$certreqfilepath --ca-directory=$cadir -O $outfilepath -t 1 --auth-no-challenge
-#response=$(curl $uri -u $username:$password -d "$(cat $certreqfilepath)" --capath $cadir -w " %{http_code}" -s -S)
-#response=$(curl $uri -u $username:$password -F "certificate_request=@${certreqfilepath};get_trustroots=1" --capath $cadir -w " %{http_code}" -s -S)
 response=$(curl $uri -u $username:$password --data-urlencode "certificate_request=$(cat $certreqfilepath)" --capath $cadir -w " %{http_code}" -s -S)
 responsemsg=$(echo "$response"|sed '$s/ *\([^ ]* *\)$//')

TI12-security/trunk/MyProxyWebService/myproxy/server/test/myproxywsgi.ini

@@ -18 +18 @@
 
 [app:main]
-paste.app_factory = myproxy.server.wsgi.app:MyProxyLogonApp.app_factory
+paste.app_factory = myproxy.server.wsgi.app:MyProxyApp.app_factory
 prefix = myproxy.
 myproxy.httpbasicauth.realm = myproxy-realm
-myproxy.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC
-myproxy.rePathMatchList = /logon
+myproxy.logon.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC
+myproxy.logon.rePathMatchList = /logon
 myproxy.getTrustRoots.path = /get-trustroots
 #myproxy.client.hostname = localhost

TI12-security/trunk/MyProxyWebService/myproxy/server/test/test_myproxywsgi.cfg

@@ -12 +12 @@
 # The %(here)s variable will be replaced with the parent directory of this file
 #
-[test01Logon]
-username = https://ceda.ac.uk/openid/Philip.Kershaw
-#username: pjk
-#password = mypassword
+[MyProxyLogonAppTestCase.test01Logon]
+username: pjk
+password = mypassword
 uri = https://localhost:10443/logon

TI12-security/trunk/MyProxyWebService/myproxy/server/test/test_myproxywsgi.py

@@ -31 +31 @@
     def __call__(self, environ, start_response):
         
-        assert(environ[MyProxyClientMiddleware.CLIENT_ENV_KEYNAME])
-        assert(environ[MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME])
+        assert(environ[MyProxyClientMiddleware.DEFAULT_CLIENT_ENV_KEYNAME])
+        assert(environ[MyProxyClientMiddleware.DEFAULT_LOGON_FUNC_ENV_KEYNAME])
         status = "200 OK"
                 
@@ -97 +97 @@
     def test01Logon(self):
         # Test successful logon
-        username = self.cfg.get('test01Logon', 'username')
+        username = self.cfg.get('MyProxyLogonAppTestCase.test01Logon', 
+                                'username')
         try: 
-            password = self.cfg.get('test01Logon', 'password')
+            password = self.cfg.get('MyProxyLogonAppTestCase.test01Logon', 
+                                    'password')
         except NoOptionError:
-            password = getpass('test01Logon password: ')
+            password = getpass('MyProxyLogonAppTestCase.test01Logon password: ')
             
         base64String = base64.encodestring('%s:%s' % (username, password))[:-1]
@@ -109 +111 @@
         # Create key pair and certificate request
         keyPair, certReq = self._createRequestCreds()
-        response = self.app.post('/logon', certReq, headers=headers, status=200)
+        
+        postData = {
+            MyProxyClientMiddleware.CERT_REQ_POST_PARAM_KEYNAME: certReq
+        }
+        response = self.app.post('/logon', postData, headers=headers, 
+                                 status=200)
         print response 
         self.assert_(response)
@@ -126 +133 @@
         # Test with missing certificate request
         
-        username = self.cfg.get('test01Logon', 'username')
-        try: 
-            password = self.cfg.get('test01Logon', 'password')
-        except NoOptionError:
-            password = getpass('test01Logon password: ')
-            
+        # Username and password don't matter - exception is raised in server
+        # middleware prior to authentication
+        username = ''
+        password = ''
+                    
         base64String = base64.encodestring('%s:%s' % (username, password))[:-1]
         authHeader =  "Basic %s" % base64String
@@ -144 +150 @@
         # Test HTTP GET request - should be rejected - POST is expected
         
-        username = self.cfg.get('test01Logon', 'username')
-        try: 
-            password = self.cfg.get('test01Logon', 'password')
-        except NoOptionError:
-            password = getpass('test01Logon password: ')
-            
+        # Username and password don't matter - exception is raised in server
+        # middleware prior to authentication
+        username = ''
+        password = ''
         base64String = base64.encodestring('%s:%s' % (username, password))[:-1]
         authHeader =  "Basic %s" % base64String
@@ -166 +170 @@
         self.assert_(response)         
         print response 
+        
+        # Test deserialisation
+        for line in response.body.split('\n'):
+            fieldName, val = line.split('=', 1)
+            print("%s: %s\n" % (fieldName, base64.b64decode(val)))
 
 if __name__ == "__main__":

TI12-security/trunk/MyProxyWebService/myproxy/server/wsgi/app.py

@@ -25 +25 @@
     """
     PARAM_PREFIX = 'myproxy.'
+    LOGON_PARAM_PREFIX = 'logon.'
     GET_TRUSTROOTS_PARAM_PREFIX = 'getTrustRoots.'
     HTTPBASICAUTH_REALM_OPTNAME = 'httpbasicauth.realm'
@@ -44 +45 @@
         
         # HTTP Basic auth middleware - a container for MyProxy logon
+        logonPrefix = prefix + cls.LOGON_PARAM_PREFIX
         httpBasicAuthMWare = HttpBasicAuthMiddleware.filter_app_factory(app, 
-                                                                global_conf, 
-                                                                prefix=prefix, 
-                                                                **app_conf)
+                                                            global_conf, 
+                                                            prefix=logonPrefix, 
+                                                            **app_conf)
         
         # MyProxy get trust roots middleware
@@ -54 +56 @@
                                                     httpBasicAuthMWare, 
                                                     global_conf, 
-                                                    prefix=getTrustRootsPrefix)
+                                                    prefix=getTrustRootsPrefix,
+                                                    **app_conf)
         
         # Middleware to hold a MyProxy client and expose interface in environ
@@ -66 +69 @@
         httpBasicAuthMWare.authnFuncEnvironKeyName = app.logonFuncEnvironKeyName
         
-        # Mirror callback function setting in HTTP Basic Auth middleware so
-        # that it correctly picks up the authentication function
+        # Set Get trust roots middleware to use the MyProxyClient environ key
+        # name set by MyProxyClientMiddleware
+        getTrustRootsMWare.clientEnvironKeyName = app.clientEnvironKeyName
+        
+        # Pick up HTTP Basic Auth realm setting
         realmOptName = prefix + cls.HTTPBASICAUTH_REALM_OPTNAME
         httpBasicAuthMWare.realm = app_conf[realmOptName]

TI12-security/trunk/MyProxyWebService/myproxy/server/wsgi/middleware.py

@@ -15 +15 @@
 import socket
 import httplib
-from cStringIO import StringIO
+import base64
 
 from webob import Request
@@ -98 +98 @@
     
     # Default environ key names
-    LOGON_FUNC_ENV_KEYNAME = ('myproxy.server.wsgi.middleware.'
-                              'MyProxyClientMiddleware.logon')
+    DEFAULT_LOGON_FUNC_ENV_KEYNAME = ('myproxy.server.wsgi.middleware.'
+                                      'MyProxyClientMiddleware.logon')
     
     CERT_REQ_POST_PARAM_KEYNAME = 'certificate_request'
@@ -175 +175 @@
                     
         logonFuncEnvKeyOptName = prefix + \
-                    MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME_OPTNAME
+                        MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME_OPTNAME
 
         self.logonFuncEnvironKeyName = app_conf.get(logonFuncEnvKeyOptName,
-                                MyProxyClientMiddleware.LOGON_FUNC_ENV_KEYNAME)
+                        MyProxyClientMiddleware.DEFAULT_LOGON_FUNC_ENV_KEYNAME)
 
     def _getLogonFuncEnvironKeyName(self):
@@ -469 +469 @@
             
             # Serialise dict response
-            response = "\n".join(["%s=%s" % i for i in trustRoots.items()])
+            response = "\n".join(["%s=%s" % (k, base64.b64encode(v))
+                                  for k,v in trustRoots.items()])
             
             return response