Changeset 7554 for TI12-security/trunk


Timestamp:
29/09/10 15:05:23 (9 years ago)
Author:
pjkersha
Message:

Preparing new release:

  • Important fix for PyOpenSSL based client authentication.
  • Including a new command line script 'myproxyclient' added by Stephen Pascoe
Location:
TI12-security/trunk/MyProxyClient
Files:
21 edited

  • TI12-security/trunk/MyProxyClient/.project

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/.pydevproject

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/LICENSE

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/README

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/documentation/Makefile

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/ez_setup.py

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/__init__.py

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/client.py

    • Property svn:keywords set to Id
    r7056 r7554  
    1919certain rights.""" 
    2020__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    21 __revision__ = '$Id: $' 
     21__revision__ = '$Id$' 
    2222import logging 
    2323log = logging.getLogger(__name__) 
     
    8484         
    8585    def __call__(self, connection, peerCert, errorStatus, errorDepth,  
    86                  successStatus): 
     86                 preverifyOK): 
    8787        """Verify MyProxy server certificate 
    8888         
     
    9393        instance 
    9494        @type errorStatus: int 
    95         @param errorStatus: error code to return if verification fails 
     95        @param errorStatus: error status passed from caller.  This is the value 
     96        returned by the OpenSSL C function X509_STORE_CTX_get_error().  Look-up 
     97        x509_vfy.h in the OpenSSL source to get the meanings of the different 
     98        codes.  PyOpenSSL doesn't help you! 
    9699        @type errorDepth: int 
    97         @param errorDepth:  
    98         @type successStatus: int 
    99         @param successStatus:  
     100        @param errorDepth: a non-negative integer representing where in the  
     101        certificate chain the error occurred. If it is zero it occured in the  
     102        end entity certificate, one if it is the certificate which signed the  
     103        end entity certificate and so on. 
     104 
     105        @type preverifyOK: int 
     106        @param preverifyOK: the error status - 0 = Error, 1 = OK of the current 
     107        SSL context irrespective of any verification checks done here.  If this 
     108        function yields an OK status, it should enforce the preverifyOK value 
     109        so that any error set upstream overrides and is honoured. 
    100110        @rtype: int 
    101         @return: status code 
     111        @return: status code - 0/False = Error, 1/True = OK 
    102112        """ 
    103113        if peerCert.has_expired(): 
     
    124134                cn = self.cnPrefix + self.hostname 
    125135                if peerCertSubj.commonName == cn: 
    126                     return True 
     136                    return preverifyOK 
    127137                else: 
    128138                    log.error('Peer certificate CN %r doesn\'t match the ' 
     
    131141            else: 
    132142                if peerCertDN == self.certDN: 
    133                     return True 
     143                    return preverifyOK 
    134144                else: 
    135145                    log.error('Peer certificate DN %r doesn\'t match the ' 
     
    137147                    return False 
    138148        else: 
    139             return True 
     149            return preverifyOK 
    140150              
    141151    def _getCertDN(self): 
     
    319329    @param X509_CERT_DIR_ENVVARNAME: environment variable name 'X509_CERT_DIR', 
    320330    which if set points to the location of the trust roots  
     331     
     332    @type X509_USER_PROXY_ENVVARNAME: string 
     333    @param X509_USER_PROXY_ENVVARNAME: environment variable name  
     334    'X509_USER_PROXY' if set points to the output location of the output EEC / 
     335    Proxy certificate.  Not currently used by this class, included for 
     336    reference only 
    321337    """ 
    322338    MYPROXY_SERVER_ENVVARNAME = 'MYPROXY_SERVER' 
     
    406422    USER_TRUSTROOT_DIR = '~/.globus/certificates'     
    407423    X509_CERT_DIR_ENVVARNAME = 'X509_CERT_DIR' 
     424    X509_USER_PROXY_ENVVARNAME = 'X509_USER_PROXY' 
    408425     
    409426    # Restrict attributes to the above properties, their equivalent  
     
    707724        if verifyPeerWithTrustRoots: 
    708725            context.load_verify_locations(None, self.caCertDir) 
    709              
    710         # Verify peer's (MyProxy server) certificate 
    711         context.set_verify(SSL.VERIFY_PEER, self.__serverSSLCertVerify) 
     726                 
     727            # Verify peer's (MyProxy server) certificate 
     728            context.set_verify(SSL.VERIFY_PEER, self.__serverSSLCertVerify) 
    712729              
    713730        if certFile: 
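Review bot: Moving `context.set_verify(SSL.VERIFY_PEER, self.__serverSSLCertVerify)` inside the `if verifyPeerWithTrustRoots:` branch (last hunk of this section) means a connection made with verifyPeerWithTrustRoots=False installs no verify callback at all, so the hostname/DN match performed by __serverSSLCertVerify is skipped along with the chain check. That may be deliberate, since the callback now returns preverifyOK and that is presumably 0 whenever the chain cannot be built against loaded trust roots, but the unverified mode is then silent. It deserves a comment and a log line on the else path, e.g. `else:` / `# No trust roots loaded: the MyProxy server certificate is not checked at all` / `log.warning('verifyPeerWithTrustRoots is False: MyProxy server certificate will not be verified')`. The enclosing method starts before and ends after this hunk, so the else branch would be added outside the shown lines.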
  • TI12-security/trunk/MyProxyClient/myproxy/script.py

    • Property svn:keywords set to Id
    r7125 r7554  
    1  
    21""" 
    32Lightweight command-line interface to MyProxyClient. 
     
    65------------ 
    76 
    8 ``myproxyclient logon`` a replacement for myproxy-logon.  It understands most of the same options and tries to behave the same with a few exceptions: 
     7``myproxyclient logon`` a replacement for myproxy-logon.  It understands most of 
     8the same options and tries to behave the same with a few exceptions: 
    99 
    1010  1. -C/--cadir allows you to override the CA directory 
     
    2525certain rights.""" 
    2626 
    27 __revision__ = '$Id: $' 
    28  
     27__revision__ = '$Id$' 
    2928 
    3029import sys 
    3130import optparse 
    3231import getpass 
    33 import urlparse 
    3432import os 
    3533 
    36  
    3734from myproxy.client import MyProxyClient 
    3835 
    3936def make_optparser(): 
     37    """Make command line option parser 
     38     
     39    @rtype: optparse.OptionParser 
     40    @return: option parser instance 
     41    """ 
    4042    usage = """\ 
    4143usage: %prog [command] [options] 
     
    5456variable.  To write the credential tostdout use -o -. 
    5557''') 
     58     
    5659    op.add_option('-C', '--cadir', dest='cadir',  
    5760                  action='store', type='string', 
     
    6063environment variable or ~/.globus/certificates or /etc/grid-security. 
    6164''') 
     65     
    6266    op.add_option('-s', '--pshost', dest='hostname', 
    6367                  action='store', type='string', 
    6468                  help='Set hostname of myproxy server') 
     69     
    6570    op.add_option('-p', '--psport', dest='port',  
    6671                  action='store', type='int', 
    6772                  help='Set port of myproxy server') 
    68     #!NOTE: convert hours to minutes 
     73     
    6974    def set_lifetime(opt, opt_str, val, op): 
    70         op.values.lifetime = val * 60 
    71     op.add_option('-t', '--proxy_lifetime', type='int',  
     75        """Callback to convert input requested proxy lifetime from hours to  
     76        seconds 
     77         
     78        @type opt: optparse.Option 
     79        @param opt: Option instance that’s calling the callback 
     80        @type opt_str: string 
     81        @param opt_str: option string seen on the command-line that’s triggering  
     82        this callback 
     83        @type val: float 
     84        @param val: argument to this option seen on the command-line 
     85        @type op: optparse.OptionParser 
     86        @param op: OptionParser instance 
     87        """ 
     88        op.values.lifetime = val * 60 * 60 
     89         
     90    op.add_option('-t', '--proxy_lifetime', type='float',  
    7291                  action='callback', callback=set_lifetime, 
    73                   help='Set proxy certificate Lifetime') 
     92                  help='Set proxy certificate Lifetime (hours)') 
     93     
    7494    op.add_option('-S', '--stdin_pass', dest='stdin_pass', 
    7595                  action='store_true', 
    7696                  help='Read the password directly from stdin') 
     97     
    7798    #!TODO: What is the myproxy-logon equivilent of this option? 
    7899    #op.add_option('-m', '--maxlifetime', dest='maxlifetime', 
     
    82103                  action='store_true', 
    83104                  help='Download trusted CA certificates') 
     105     
    84106    op.add_option('-T', '--trustroots', dest='trustroots', 
    85107                  action='store_true', 
    86108                  help='Update trustroots') 
     109     
    87110    op.add_option('-l', '--username', dest='username', 
    88111                  action='store', type='string', 
    89112                  help='Set username') 
    90  
    91  
    92      
    93113 
    94114    op.set_defaults( 
     
    98118        port=MyProxyClient.PROPERTY_DEFAULTS['port'], 
    99119        lifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertLifetime'], 
    100         #maxlifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertMaxLifetime'], 
    101120        bootstrap=False, 
    102121        trustroots=False, 
     
    115134 
    116135    command = argv[1] 
     136     
    117137    # Catch example of just specifying --help or '-h' 
    118138    if command in ['--help', '-h']: 
     
    124144 
    125145    if options.outfile is None: 
    126         if 'X509_USER_PROXY' in os.environ: 
    127             options.outfile = os.environ['X509_USER_PROXY'] 
     146        if MyProxyClient.X509_USER_PROXY_ENVVARNAME in os.environ: 
     147            options.outfile = os.environ[ 
     148                                    MyProxyClient.X509_USER_PROXY_ENVVARNAME] 
    128149        else: 
    129             op.error("Credential output file must be specified or X509_USER_PROXY set") 
     150            op.error("Credential output file must be specified or %r set" % 
     151                     MyProxyClient.X509_USER_PROXY_ENVVARNAME) 
    130152             
    131153    if options.username is None: 
     
    134156    if options.cadir: 
    135157        cadir = options.cadir 
    136     elif 'X509_CERT_DIR' in os.environ: 
    137         cadir = os.environ['X509_CERT_DIR'] 
     158         
     159    elif MyProxyClient.X509_CERT_DIR_ENVVARNAME in os.environ: 
     160        cadir = os.environ[MyProxyClient.X509_CERT_DIR_ENVVARNAME] 
     161         
    138162    elif logname == 'root': 
    139         cadir = '/etc/grid-security' 
    140     else: 
    141         cadir = os.path.join(os.path.expanduser('~'),'.globus/certificates') 
    142  
     163        cadir = MyProxyClient.ROOT_TRUSTROOT_DIR 
     164    else: 
     165        cadir = os.path.join( 
     166                        os.path.expanduser(MyProxyClient.USER_TRUSTROOT_DIR)) 
    143167 
    144168    client_props = dict(caCertDir=cadir, 
     
    146170                        port=options.port, 
    147171                        proxyCertLifetime=options.lifetime, 
    148                         #proxyCertMaxLifetime=options.maxlifetime, 
    149172                        ) 
    150173 
     
    157180 
    158181 
    159  
    160182def do_logon(myproxy, options): 
     183    """Execute MyProxy logon command 
     184     
     185    @type myproxy: myproxy.client.MyProxyClient 
     186    @param myproxy: MyProxy client object 
     187    @type options:  
     188    @param options: command line options 
     189    """ 
    161190    if options.stdin_pass: 
    162191        #!TODO: Is this right to read just the first line of stdin? 
    163192        password = sys.stdin.readline().rstrip() 
    164193    else: 
    165         password = getpass.getpass('Enter password for user %s on myproxy %s:' 
     194        password = getpass.getpass('Enter password for user %r on MyProxy ' 
     195                                   'server %r:' 
    166196                                   % (options.username, options.hostname)) 
    167197 
     
    178208        fout.write(cred) 
    179209     
    180     #!TODO: Would we want to close stdout? 
    181     fout.close() 
     210    if fout != sys.stdout: 
     211        fout.close() 
    182212 
    183213 
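Review bot: `password = sys.stdin.readline().rstrip()` in do_logon, the line just above the reworked getpass prompt, strips every trailing whitespace character, so a password that legitimately ends in a space or tab is silently altered before it is sent; the #!TODO above it suggests this path was never settled. Limiting the strip to the line terminator keeps the value intact: `password = sys.stdin.readline().rstrip('\r\n')`. do_logon's body continues outside the hunk and the creation of fout is not shown, so the new `if fout != sys.stdout:` guard could not be checked against how fout is opened; `is not` would be the idiomatic identity comparison there.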
  • TI12-security/trunk/MyProxyClient/myproxy/test/README

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/ca

    • Property svn:ignore set to
      d573507a.0
  • TI12-security/trunk/MyProxyClient/myproxy/test/localhost.crt

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClient.cfg

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClientTest.cfg

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/openssl.conf

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/test_myproxyclient.py

    r6981 r7554  
    310310                 
    311311            client = MyProxyClient() 
    312               
     312             
    313313            connection = None 
    314314            errorStatus = False 
  • TI12-security/trunk/MyProxyClient/myproxy/test/testuser.crt

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/test/testuser.key

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/myproxy/utils/__init__.py

    • Property svn:keywords set to Id
    r6840 r7554  
    99__license__ = """BSD - See LICENSE file in top-level directory""" 
    1010__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    11 __revision__ = '$Id: $' 
     11__revision__ = '$Id$' 
    1212from ConfigParser import SafeConfigParser 
    1313 
  • TI12-security/trunk/MyProxyClient/setup.cfg

    • Property svn:keywords set to Id
  • TI12-security/trunk/MyProxyClient/setup.py

    • Property svn:keywords set to Id
    r7035 r7554  
    1616certain rights.""" 
    1717__contact__ = "Philip.Kershaw@stfc.ac.uk" 
    18 __revision__ = '$Id: $' 
     18__revision__ = '$Id$' 
    1919 
    2020# Bootstrap setuptools if necessary. 
     
    2828setup( 
    2929    name =              'MyProxyClient', 
    30     version =           '1.1.2', 
     30    version =           '1.2.0', 
    3131    description =       'MyProxy Client', 
    3232    long_description =  '''\ 