Changeset 6988 for TI12-security


Timestamp:
11/06/10 13:25:00 (9 years ago)
Author:
pjkersha
Message:

Fix to WSGI SSL authn module for proxy cert support with Apache.

Location:
TI12-security/trunk/NDGSecurity/python
Files:
1 added
2 edited

  • TI12-security/trunk/NDGSecurity/python/Tests

    • Property svn:ignore set to
      apache-mod-proxy
      curl
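--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
@@ -81,5 +81,7 @@
 
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
-        
+        """Read configuration settings from the global and application specific
+        ini file settings
+        """
         super(ApacheSSLAuthnMiddleware, self).__init__(app,
                                                        global_conf,
@@ -104,4 +106,11 @@
                     ApacheSSLAuthnMiddleware.CACERT_FILEPATH_LIST_OPTNAME
                         
+        # Verify against trust root if set.  Alternatively, the verification
+        # step can be configured in the Apache config file.  The latter will
+        # correctly verify proxy certificates if the environment variable
+        # OPENSSL_ALLOW_PROXY_CERTS is set in the start up.  The verification
+        # code in isValidClientCert can't correctly verify proxy certificates
+        # because only a single certificate is passed in the SSL_CLIENT_CERT
+        # environ variable and not the complete certificate chain
         self.caCertStack = app_conf.get(caCertFilePathListParamName, [])
         
@@ -109,4 +118,6 @@
                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME
                     
+        # Specify a restricted list of DNs of which the input client certificate
+        # DN must match at least one
         self.clientCertDNMatchList = app_conf.get(
                                         clientCertDNMatchListParamName, [])
@@ -341,5 +352,11 @@
             return False
         
-        # Verify against trust root if set
+        # Verify against trust root if set.  Alternatively, the verification
+        # step can be configured in the Apache config file.  The latter will
+        # correctly verify proxy certificates if the environment variable
+        # OPENSSL_ALLOW_PROXY_CERTS is set in the start up.  The verification
+        # code HERE can't correctly verify proxy certificates because only a
+        # single certificate is passed in the SSL_CLIENT_CERT environ variable
+        # and not the complete certificate chain
         if len(self.caCertStack) == 0:
             log.warning("No CA certificates set for Client certificate "
@@ -361,5 +378,4 @@
            
         # Verify against list of acceptable DNs if set
-         
         if len(self.clientCertDNMatchList) > 0:
             dn = self.__clientCert.dn
@@ -440,5 +456,10 @@
         """Set user ID in AuthKit cookie from client certificate submitted
         """
-        userId = self.clientCert.dn['CN']
+        commonName = self.clientCert.dn['CN']
+        if len(commonName) > 0:
+            # Proxy certificate will have multiple CNs
+            userId = commonName[0]
+        else:
+            userId = commonName
         
         self.environ[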
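Review bot: In the last hunk, `userId = commonName[0]` (new line 461) picks the first character rather than the first CN if `dn['CN']` comes back as a plain string for an ordinary single-CN subject, and the `else` branch (new line 463) goes on to store an empty CN as the authenticated user ID instead of refusing; whether `dn['CN']` is always a sequence cannot be confirmed from this hunk, and the enclosing method starts outside it. Normalising first, `if isinstance(commonName, basestring): commonName = [commonName]`, and then treating an empty result as an authentication failure (log and deny rather than set `userId`) would make the branch safe in both cases. Selecting index 0 also assumes the DN parser lists the end-entity CN before the CN the proxy appends to its subject; that ordering is worth confirming against the parser and noting in the comment, e.g. `# Proxy certificate will have multiple CNs; dn lists the end-entity CN first`. Separately, the comment added at new lines 354-360 delegates proxy-chain verification to Apache, but the visible code at `if len(self.caCertStack) == 0:` only warns; the branch body continues outside the hunk, so it is worth checking that an empty trust root results in denial unless Apache's `SSL_CLIENT_VERIFY` environ variable reports `SUCCESS`, so that a deployment that omits both checks does not silently accept unverified certificates.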