Changeset 7847 for TI12-security


Timestamp:
26/01/11 16:40:54 (8 years ago)
Author:
pjkersha
Message:

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • fixes to the ndgsecurity_services template
Location:
TI12-security/trunk/NDGSecurity/python
Files:
9 edited

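--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/Makefile
@@ -83,6 +83,6 @@
         sed -e s/'portNum = .*'/'portNum = %%\{portNumber}'/ \
         -e s/'baseURI =.*'/'baseURI = %%\{baseURI}'/ \
-        -e s/'saml\.soapbinding\.mountPath.*'/'saml.soapbinding.mountPath = %%\{attributeServiceMountPoint\}'/ \
-        -e s/'saml\.mountPath.*'/'saml.mountPath = %%\{authorisationServiceMountPoint\}'/ \
+        -e s/'saml\.soapbinding\.mountPath.*'/'saml.soapbinding.mountPath = %%\{attributeServiceMountPath\}'/ \
+        -e s/'saml\.mountPath.*'/'saml.mountPath = %%\{authorisationServiceMountPath\}'/ \
         -e s/'saml\.soapbinding\.issuerName =.*'/'saml.soapbinding.issuerName = %%\{attributeServiceIssuerName}'/ \
         -e s/'saml\.issuerName =.*'/'samlIssuerName = %%\{authorisationServiceIssuerName}'/ \
@@ -94,4 +94,5 @@
         -e s/'testConfigDir = .*'// \
         -e s/testConfigDir/here/g \
+        -e s/\(os\.path\.join\(\'%\(here\)s\'/\(os.path.join\(\'%%\{outputDir}\'/ \
         -e s/'# Revision:.*'//g \
                 ${SERVICE_INI_FILEPATH_TMP} > ${SERVICE_INI_TMPL_FILEPATH}
@@ -179,5 +180,5 @@
         rm -f ${SECUREDAPP_INI_FILEPATH_TMP}
         @-echo "Make template for ${SECUREDAPP_REQUEST_FILTER_FILENAME} ..."
-        sed -r -e s/'http:\/\/localhost:7080'/'%%\{baseURI}'/ \
+        sed -r -e s/'http:\/\/localhost:7080\/'/'%%\{baseURI}'/ \
                 ${SECUREDAPP_REQUEST_FILTER_FILEPATH} > ${SECUREDAPP_REQUEST_FILTER_TMPL_FILEPATH}
         @-echo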
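--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/request-filter.xml_tmpl
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/request-filter.xml_tmpl
@@ -21,5 +21,5 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^%%{baseURI}/(?!layout).*$</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^%%{baseURI}(?!layout).*$</AttributeValue>
                 </ResourceMatch>
             </Resource>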
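Review bot: The new pattern `^%%{baseURI}(?!layout).*$` is anchored as intended only when the substituted baseURI ends in `/`, and nothing in this file says so; the slash is appended elsewhere in this changeset, in the secured-app template's pre() in template.py. A copy of this policy filled in by hand with a base URI that lacks the slash would reduce the rule to a bare prefix match on the host part. The value is also inserted into a regular expression unescaped, so the dots of a host name match any character. I would add a comment above the `<AttributeValue>`, for example `<!-- baseURI must end with '/' and is used as a regular expression: escape '.' in host names -->`. The enclosing `<Resource>` element starts outside the hunk.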
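--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/service.ini_tmpl
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/service.ini_tmpl
@@ -1,8 +1,9 @@
 #
 # Description: NDG Security configuration to secure a given WSGI application.
-# Security filters placed in front of the application in the WSGI pipeline act
-# as client to security services running on a separate application stack.  - See
-# ndg.security.test.integration.full_system or the ndgsecurity_services
-# template.
+#              Security filters placed in front of the application in the WSGI
+#              pipeline act as client to security services running on a separate
+#              application stack.  - See
+#              ndg.security.test.integration.full_system or the
+#              ndgsecurity_services template.
 #
 # NERC DataGrid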
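--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/securityservicesapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/securityservicesapp.py
@@ -10,6 +10,5 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id: securityservicesapp.py 7843 2011-01-25 10:22:43Z pjkersha $"
-import os
-from os.path import dirname, abspath
+from os import path, environ
 import optparse
 
@@ -20,9 +19,8 @@
 
 INI_FILENAME = 'securityservices.ini'
-
-os.environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
-                                                                    __file__))
-os.environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
-
+#
+#environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
+#                                                                    __file__))
+#environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
 
 
@@ -31,6 +29,12 @@
 # $ ./securityservicesapp.py -h
 if __name__ == '__main__':
-    cfgFileName = INI_FILENAME
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)
+    cfgFilePath = path.join(path.dirname(path.abspath(__file__)), INI_FILENAME)
+
+    defCertFilePath = path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
+                                'pki',
+                                'localhost.crt')
+    defPriKeyFilePath = path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
+                                  'pki',
+                                  'localhost.key')
 
     parser = optparse.OptionParser()
@@ -49,4 +53,16 @@
 
     parser.add_option("-c",
+                      "--cert-file",
+                      dest='certFilePath',
+                      default=defCertFilePath,
+                      help="SSL Certificate file")
+
+    parser.add_option("-k",
+                      "--private-key-file",
+                      default=defPriKeyFilePath,
+                      dest='priKeyFilePath',
+                      help="SSL private key file")
+
+    parser.add_option("-f",
                       "--conf",
                       dest="configFilePath",
@@ -54,23 +70,13 @@
                       help="Configuration file path")
 
-    # Initialise test user database
-    from ndg.security.test.unit import BaseTestCase
-    BaseTestCase.initDb()
-
     opt = parser.parse_args()[0]
 
     if opt.withSSL.lower() == 'true':
-        certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
-                                    'pki',
-                                    'localhost.crt')
-        priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
-                                      'pki',
-                                      'localhost.key')
 
         ssl_context = SSL.Context(SSL.SSLv23_METHOD)
         ssl_context.set_options(SSL.OP_NO_SSLv2)
 
-        ssl_context.use_privatekey_file(priKeyFilePath)
-        ssl_context.use_certificate_file(certFilePath)
+        ssl_context.use_privatekey_file(opt.priKeyFilePath)
+        ssl_context.use_certificate_file(opt.certFilePath)
     else:
         ssl_context = None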
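Review bot: The `--cert-file` and `--private-key-file` options added at new lines 55-64 default to `localhost.crt` and `localhost.key` under `BaseTestCase.NDGSEC_TEST_CONFIG_DIR`, so a service generated from this paster template and started with SSL but without those options serves the test suite's key pair, which is presumably distributed with the test package and therefore not secret. For the template I would drop the defaults and stop when SSL is requested without both paths, e.g. `if not (opt.certFilePath and opt.priKeyFilePath): parser.error('--cert-file and --private-key-file are required with SSL')`, then call `ssl_context.check_privatekey()` once both files are loaded. The identical change in full_system/securityservicesapp.py is a test harness, where the test defaults are reasonable. In the same hunk `set_options(SSL.OP_NO_SSLv2)` still leaves SSLv3 negotiable under `SSLv23_METHOD`; `SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3` would close that. The new defaults read `BaseTestCase` although the local `from ndg.security.test.unit import BaseTestCase` at old line 57 was removed, so the name has to come from an import in the elided lines, which is worth confirming.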
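--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/service.ini_tmpl
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/services/service.ini_tmpl
@@ -459,5 +459,5 @@
 
 # Path following the FQDN from which this service will be mounted
-saml.soapbinding.mountPath = %%{attributeServiceMountPoint}
+saml.soapbinding.mountPath = %%{attributeServiceMountPath}
 
 # The key name for the environ dict item holding the Attribute Authority's
@@ -481,5 +481,5 @@
 
 # The URI path for this service
-saml.mountPath = %%{authorisationServiceMountPoint}
+saml.mountPath = %%{authorisationServiceMountPath}
 
 # The key name in environ which the upstream authorisation service must assign
@@ -615,3 +615,3 @@
 level=NOTSET
 formatter=generic
-args=(os.path.join('%(here)s', 'log', 'service.log'), 'a', 50000, 2)
+args=(os.path.join('%%{outputDir}', 'log', 'service.log'), 'a', 50000, 2)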
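Review bot: At new line 617 the output directory is pasted between single quotes inside `args=(...)`, and this looks like a logging handler section whose `args` value is evaluated as a Python expression when the file is loaded, so a directory name containing a quote or a backslash would break the expression or change what is evaluated. It also fixes the log location to the directory used at generation time, where `%(here)s` followed the file. I would add a comment above the line such as `# outputDir is substituted when the template is rendered; it must not contain quotes or backslashes`, or have the template code pass the value through `repr()` before substitution.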
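--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/template.py
@@ -70,5 +70,6 @@
 @type _MYPROXY_SERVER_LOCALID_XRD_ENTRY_TMPL: ndg.security.server.paster_templates.template.DoublePercentTemplate
 """
-_MYPROXY_SERVER_LOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate("""<Service priority="10">
+_MYPROXY_SERVER_LOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate(
+"""        <Service priority="10">
             <Type>urn:esg:security:myproxy-service</Type>
             <URI>%%{myproxyServerURI}</URI>
@@ -82,5 +83,6 @@
 @type _ATTRIBUTE_SERVICE_LOCALID_XRD_ENTRY_TMPL: ndg.security.server.paster_templates.template.DoublePercentTemplate
 """
-_ATTRIBUTE_SERVICE_LOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate("""<Service priority="20">
+_ATTRIBUTE_SERVICE_LOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate(
+"""<Service priority="20">
             <Type>urn:esg:security:attribute-service</Type>
             <Type>urn:esg:security:attribute-service</Type>
@@ -96,5 +98,6 @@
 @type _MYPROXY_SERVER_NONLOCALID_XRD_ENTRY_TMPL: ndg.security.server.paster_templates.template.DoublePercentTemplate
 """
-_MYPROXY_SERVER_NONLOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate("""<Service priority="10">
+_MYPROXY_SERVER_NONLOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate(
+"""        <Service priority="10">
             <Type>urn:esg:security:myproxy-service</Type>
             <URI>%%{myproxyServerURI}</URI>
@@ -108,5 +111,6 @@
 @type _ATTRIBUTE_SERVICE_NONLOCALID_XRD_ENTRY_TMPL: ndg.security.server.paster_templates.template.DoublePercentTemplate
 """
-_ATTRIBUTE_SERVICE_NONLOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate("""<Service priority="20">
+_ATTRIBUTE_SERVICE_NONLOCALID_XRD_ENTRY_TMPL = DoublePercentTemplate(
+"""<Service priority="20">
             <Type>urn:esg:security:attribute-service</Type>
             <URI>%%{attributeServiceURI}</URI>
@@ -142,10 +146,10 @@
             default=DEFAULT_URI),
 
-        var('attributeServiceMountPoint',
-            'Mount point for Attribute Service',
+        var('attributeServiceMountPath',
+            'Mount path for Attribute Service',
             ATTRIBUTE_SERVICE_DEFAULT_MOUNT_PATH),
 
-        var('authorisationServiceMountPoint',
-            'Mount point for Authorisation Service',
+        var('authorisationServiceMountPath',
+            'Mount path for Authorisation Service',
             AUTHORISATION_SERVICE_DEFAULT_MOUNT_PATH),
 
@@ -168,6 +172,6 @@
         var('authkitCookieSecret',
             ('Cookie secret for AuthKit authentication middleware.  This value '
-             'MUST agree with the one used for the ini file of the application '
-             'to be secured'),
+             '*MUST* agree with the one used for the ini file of the '
+             'application to be secured - see ndgsecurity_securedapp template'),
             default=base64.b64encode(os.urandom(32))[:32]),
 
@@ -203,5 +207,19 @@
         @type vars: dict
         '''
-
+
+        # Fix for baseURI in case trailing slash was included.  In THIS template
+        # it should not be there
+        if vars['baseURI'].endswith('/'):
+            vars['baseURI'] = vars['baseURI'].rstrip('/')
+
+        # Fix for mount paths in case leading slash was omitted.
+        if not vars['attributeServiceMountPath'].startswith('/'):
+            vars['attributeServiceMountPath'] = '/' + vars[
+                                                'attributeServiceMountPath']
+
+        if not vars['authorisationServiceMountPath'].startswith('/'):
+            vars['authorisationServiceMountPath'] = '/' + vars[
+                                            'authorisationServiceMountPath']
+
         # Cut out port number from base URI
         uriParts = urlparse(vars['baseURI'])
@@ -216,5 +234,5 @@
 
         attributeServiceURI = vars['baseURI'] + vars[
-                                'attributeServiceMountPoint'].lstrip('/')
+                                'attributeServiceMountPath']
 
         # Attribute Service entry added if flag was set
@@ -256,5 +274,5 @@
     DEFAULT_ISSUER_NAME = 'O=NDG, OU=Security, CN=localhost'
     DEFAULT_ISSUER_FORMAT = Issuer.X509_SUBJECT
-    DEFAULT_ACCESS_DENIED_HEADING = 'Access is denied for this resource'
+    DEFAULT_ACCESS_DENIED_HEADING = 'Access Denied'
 
     _template_dir = 'securedapp'
@@ -322,5 +340,9 @@
         else:
             vars['portNumber'] = ''
-
+
+        # Fix for baseURI in case trailing slash was omitted.
+        if not vars['baseURI'].endswith('/'):
+            vars['baseURI'] += '/'
+
         # This sets the log file path
         super(SecuredAppTemplate, self).pre(command, output_dir, vars)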
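Review bot: The normalisation added at new lines 210-222 and 343-345 only adjusts slashes, so a `baseURI` entered with surrounding whitespace, without a scheme, or containing `&` or `<` still reaches `urlparse` and, through `attributeServiceURI`, the `<URI>` elements of the XRD templates as typed; nothing in the visible hunks escapes or validates it. I would strip and check it before the slash handling, e.g. `baseURI = vars['baseURI'].strip()` followed by `if urlparse(baseURI).scheme not in ('http', 'https'): raise ValueError('baseURI must be an absolute http(s) URI')`. The `endswith('/')` test in front of `rstrip('/')` is redundant, since `rstrip` leaves a string without trailing slashes unchanged. The two templates normalise in opposite directions (the services template removes the trailing slash, the secured-app template adds it), which deserves a sentence in each docstring because the request-filter pattern depends on the secured-app form. Both methods start and end outside the hunks shown.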
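--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
@@ -161,4 +161,15 @@
         """To be secured, the Authorization middleware must have this URI in
         its policy"""
+        username = environ[self.beakerSessionKeyName].get('username')
+        if username is None:
+            response = ("Error: User is not logged in!  Check that the "
+                        "that this URI is set as secured in the authorisation "
+                        "policy - request-filter.xml and policy.xml (set with "
+                        "the security services configuration)")
+            start_response('200 OK',
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))])
+            return response
+
         response = """<html>
     <head/>
@@ -172,5 +183,5 @@
        '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)
                  for link,name in self.method.items() if name != 'default']),
-       environ[self.beakerSessionKeyName]['username'])
+       username)
 
 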
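Review bot: The branch added at new lines 163-172 reports a missing login with `'200 OK'`, so a client or test that checks only the status code sees a successful fetch of a resource that was supposed to be protected. I would answer with a non-success status there, for example `start_response('403 Forbidden', ...)`, and return the body as a list, `return [response]`, because a bare string is iterated one character at a time by the WSGI server. `environ[self.beakerSessionKeyName]` still raises KeyError when the session middleware is absent, which `environ.get(self.beakerSessionKeyName, {}).get('username')` would avoid. The message reads "Check that the that this URI", so one "that the" should go. The method begins before the hunk, so its signature is not visible here.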
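--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
@@ -1,8 +1,9 @@
 #
 # Description: NDG Security configuration to secure a given WSGI application.
-# Security filters placed in front of the application in the WSGI pipeline act
-# as client to security services running on a separate application stack.  - See
-# ndg.security.test.integration.full_system or the ndgsecurity_services
-# template.
+#              Security filters placed in front of the application in the WSGI
+#              pipeline act as client to security services running on a separate
+#              application stack.  - See
+#              ndg.security.test.integration.full_system or the
+#              ndgsecurity_services template.
 #
 # NERC DataGrid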
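--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservicesapp.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservicesapp.py
@@ -10,6 +10,5 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id$"
-import os
-from os.path import dirname, abspath
+from os import path, environ
 import optparse
 
@@ -20,9 +19,8 @@
 
 INI_FILENAME = 'securityservices.ini'
-
-os.environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
-                                                                    __file__))
-os.environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
-
+#
+#environ['NDGSEC_INTEGRATION_TEST_DIR'] = os.path.dirname(os.path.dirname(
+#                                                                    __file__))
+#environ[BaseTestCase.configDirEnvVarName] = TEST_CONFIG_DIR
 
 
@@ -31,6 +29,12 @@
 # $ ./securityservicesapp.py -h
 if __name__ == '__main__':
-    cfgFileName = INI_FILENAME
-    cfgFilePath = os.path.join(dirname(abspath(__file__)), cfgFileName)
+    cfgFilePath = path.join(path.dirname(path.abspath(__file__)), INI_FILENAME)
+
+    defCertFilePath = path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
+                                'pki',
+                                'localhost.crt')
+    defPriKeyFilePath = path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
+                                  'pki',
+                                  'localhost.key')
 
     parser = optparse.OptionParser()
@@ -49,4 +53,16 @@
 
     parser.add_option("-c",
+                      "--cert-file",
+                      dest='certFilePath',
+                      default=defCertFilePath,
+                      help="SSL Certificate file")
+
+    parser.add_option("-k",
+                      "--private-key-file",
+                      default=defPriKeyFilePath,
+                      dest='priKeyFilePath',
+                      help="SSL private key file")
+
+    parser.add_option("-f",
                       "--conf",
                       dest="configFilePath",
@@ -54,23 +70,13 @@
                       help="Configuration file path")
 
-    # Initialise test user database
-    from ndg.security.test.unit import BaseTestCase
-    BaseTestCase.initDb()
-
     opt = parser.parse_args()[0]
 
     if opt.withSSL.lower() == 'true':
-        certFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
-                                    'pki',
-                                    'localhost.crt')
-        priKeyFilePath = os.path.join(BaseTestCase.NDGSEC_TEST_CONFIG_DIR,
-                                      'pki',
-                                      'localhost.key')
 
         ssl_context = SSL.Context(SSL.SSLv23_METHOD)
         ssl_context.set_options(SSL.OP_NO_SSLv2)
 
-        ssl_context.use_privatekey_file(priKeyFilePath)
-        ssl_context.use_certificate_file(certFilePath)
+        ssl_context.use_privatekey_file(opt.priKeyFilePath)
+        ssl_context.use_certificate_file(opt.certFilePath)
     else:
         ssl_context = None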