Changeset 7472


Timestamp:
10/09/10 10:40:02 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 13: OpenID Provider doesn't validate OpenID against username

  • Prepared 1.5.7 release fixing this loophole. The logon submit callback now verifies the previously set OpenID URL against the username entered to ensure they tie together in the database
Location:
TI12-security/branches/ndg-security-1.5.x
Files:
2 added
7 edited

  • TI12-security/branches/ndg-security-1.5.x

    • Property svn:ignore
      •  

        old new  
        33ndg_security.egg-info 
        44.metadata 
         51_5_x-env.sh 
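--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security/setup.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security/setup.py
@@ -42,5 +42,5 @@
 setup(
     name =                      'ndg_security',
-    version =                   '1.5.6',
+    version =                   '1.5.7',
     description =               'NERC DataGrid Security Utilities',
     long_description =          _longDescription,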
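--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py
@@ -636,9 +636,9 @@
     ndg.security.server.wsgi.authn.AuthenticationMiddleware
     '''
-    PEP_PARAM_PREFIX = 'pep.filter.'
-    PIP_PARAM_PREFIX = 'pip.'
+    PEP_PARAM_PREFIX = 'pep.'
     PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler"
     PEP_RESULT_HANDLER_PARAM_PREFIX = PEP_RESULT_HANDLER_PARAMNAME + '.'
     PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir'
+    PIP_PARAM_PREFIX = 'pip.'
 
     class PIP_MIDDLEWARE_CLASS(object):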
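Review bot: PEP_PARAM_PREFIX changes from 'pep.filter.' to 'pep.' on the new line 638, and the commit message says nothing about it; presumably these prefixes select which keys are read from the middleware's ini section, so a deployment still configured with `pep.filter.*` keys would silently lose those settings on upgrade rather than fail loudly. A comment beside the constant recording the rename, e.g. `# Renamed from 'pep.filter.' in 1.5.7 - existing ini keys must be updated`, plus a line in the release notes would make the break visible to operators. The class body continues outside the hunk on both sides.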
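--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
@@ -871,4 +871,52 @@
             identityURI = oidRequest.identity
 
+            # Check the username used to login with matches the identity URI
+            # given.  This check is essential otherwise a user could impersonate
+            # someone else with an account with this provider
+            try:
+                userIdentifiers = self._authN.username2UserIdentifiers(
+                                                environ,
+                                                self.query['username'])
+
+            except AuthNInterfaceInvalidCredentials:
+                log.error("No username %r matching an OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("No match was found for your account name.  Please "
+                       "check that your details are correct or contact the "
+                       "site administrator.")
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+
+            except Exception:
+                log.error("Checking username %r association with OpenID URL: "
+                          "%s", self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("An error occured matching an OpenID to your account.  "
+                       "If the problem persists contact the site "
+                       "administrator.")
+
+            expectedIdentityURI = self.createIdentityURI(self.identityUriTmpl,
+                                                         userIdentifiers[0])
+            if identityURI != expectedIdentityURI:
+                log.error("OpenID given %r, doesn't match the expected "
+                          "OpenID %r for this account name %r" %
+                          (identityURI, expectedIdentityURI,
+                           self.query.get('username')))
+
+                msg = ("The OpenID you provided earlier %r doesn't match the "
+                       "username %r you entered above.  Please check that your "
+                       "OpenID and username are correct or contact the site "
+                       "administrator." %
+                       (identityURI, self.query.get('username', '')))
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+
         # Invoke custom authentication interface plugin
         try: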
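Review bot: The `except Exception:` branch of the new username-to-OpenID check (new lines 894-900) builds `msg` but neither renders the login page nor returns, so control falls through to `expectedIdentityURI = self.createIdentityURI(self.identityUriTmpl, userIdentifiers[0])` where `userIdentifiers` was never bound — any failure other than AuthNInterfaceInvalidCredentials (including a missing `username` field, since `self.query['username']` raises KeyError) ends in an UnboundLocalError rather than the intended error page. The branch should finish the same way the invalid-credentials branch does, rendering the login page with `msg` and returning it. Separately, `userIdentifiers[0]` presumably assumes `username2UserIdentifiers` never returns an empty sequence; if it can, that is an IndexError on the success path, so either guard it or confirm the interface contract. The enclosing method starts and ends outside the hunk.
```python
            except Exception:
                log.error("Checking username %r association with OpenID URL: "
                          "%s", self.query.get('username'),
                          traceback.format_exc())
                msg = ("An error occured matching an OpenID to your account.  "
                       "If the problem persists contact the site "
                       "administrator.")
                # Must return here: userIdentifiers is unbound on this path
                response = self._render.login(environ, start_response,
                                          msg=msg,
                                          success_to=self.urls['url_decide'])
                return response

            # … unchanged: expected identity URI comparison …
```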
  • TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml

    r7121 r7472  
    99        <userId>testuser</userId> 
    1010        <validity> 
    11             <notBefore>2010 06 29 11 52 40</notBefore>  
    12             <notAfter>2010 06 29 19 52 40</notAfter>  
     11            <notBefore>2010 09 10 09 33 05</notBefore>  
     12            <notAfter>2010 09 10 17 33 05</notAfter>  
    1313        </validity> 
    1414        <attributes> 
     
    3333        <provenance>original</provenance>  
    3434    </acInfo> 
    35 <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>g3i1NdV0/JdFgRZwMxgwcHLkp14=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>eDhUSCRfq7LcaadE8W01nQG6Cs9UjySmFB3UUhbgxpF2KOcwTajk6GidZp5ewE6Zle2iDNxzkXge 
    36 XVT5UfORkHTSWG0Z+D6WlVLK3V7NnnKwYn58TxHOJAPGYNwgbcmd0zh3W1OAc+U2scvrGWfZSL41 
    37 w+P+Gxr8wDjrwaee4nk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB+jCCAWOgAwIBAgIBFDANBgkqhkiG9w0BAQQFADAzMQwwCgYDVQQKEwNOREcx 
     35<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>y3/SZ5I9Qc01pE1Vw+iUk7qMwjk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>gT9QCgi2HfJZfwxODDt4egD+2K7jjoW4jP50ZDwJrF7nOOxQEllz1fvkqLVkUj8CDZhRuCnPdWzi 
     362QOF/YhU7sniqS8tdR9QIgx/GT6qRNsTwhBWTNsmE01zH7SVAoMuOASf19SYfoklEQ6ocC1Jmrg/ 
     37eXqVgspjZ6nTriYXd/A=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB+jCCAWOgAwIBAgIBFDANBgkqhkiG9w0BAQQFADAzMQwwCgYDVQQKEwNOREcx 
    3838ETAPBgNVBAsTCFNlY3VyaXR5MRAwDgYDVQQDEwdUZXN0IENBMB4XDTEwMDYyOTEw 
    3939NTQxOFoXDTExMDYyOTEwNTQxOFowPDEMMAoGA1UEChMDTkRHMQ8wDQYDVQQLEwZT 
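--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg
@@ -1,3 +1,3 @@
-# NERC Data Grid Project
+# NERC DataGrid Project
 #
 # P J Kershaw 16/01/07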
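--- a/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini
+++ b/TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini
@@ -52,5 +52,5 @@
 # user ID
 #attributeauthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeauthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
+attributeauthority.attributeInterface.modName: ndg.security.test.integration.authz_lite.attributeinterface
 attributeauthority.attributeInterface.className: TestUserRoles
 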