Changeset 7877

Timestamp:

07/02/11 14:26:05 (10 years ago)

Author:

pjkersha

Message:

• ndg.security.common.utils.pyopenssl: PyOpenSSL based implementations of SSL Socket and HTTPSConnection compatible with httplib/urllib2
• ndg.security.server.attributeauthority: tidying and refactoring, incls fix for SAML assertion issuer format - now reflects Response.Issuer format set be query interface caller
• test attribute and authorisation services - fixed logging format

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• ndg_security_common/ndg/security/common/utils/pyopenssl.py (added)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (7 diffs)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attribute-service.ini (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -1 +1 @@
 """NDG Attribute Authority server side code
 
-handles security user attribute (role) allocation
-
-NERC Data Grid Project
+handles security user attribute (role) queries
+
+NERC DataGrid Project
 """
 __author__ = "P J Kershaw"
@@ -27 +27 @@
 # SAML 2.0 Attribute Query Support - added 20/08/2009
 from uuid import uuid4
-from datetime import datetime, timedelta
+from datetime import timedelta
 
 from ndg.saml.utils import SAMLDateTime
@@ -38 +38 @@
 from ndg.security.common.saml_utils.esgf import ESGFSamlNamespaces
 from ndg.security.common.X509 import X500DN
-from ndg.security.common.utils import TypedList
 from ndg.security.common.utils.classfactory import instantiateClass
 from ndg.security.common.utils.factory import importModuleObject
@@ -696 +695 @@
 except ImportError:
     pass
-
-class PostgresAttributeInterface(AttributeInterface):
-    """User Roles interface to Postgres database
-    
-    The SAML getAttributes method is NOT implemented
-    
-    The configuration file follows the form,
-    
-    [Connection]
-    # name of database
-    dbName: user.db
-    
-    # database host machine
-    host: mydbhost.ac.uk
-    
-    # database account username
-    username: mydbaccount
-    
-    # Password - comment out to prompt from stdin instead
-    pwd: mydbpassword
-    
-    [getRoles]
-    query0: select distinct grp from users_table, where user = '%%s'
-    defaultRoles = publicRole
-    """
-
-    CONNECTION_SECTION_NAME = "Connection"
-    GETROLES_SECTION_NAME = "getRoles"
-    HOST_OPTION_NAME = "host"
-    DBNAME_OPTION_NAME = "dbName"
-    USERNAME_OPTION_NAME = "username"
-    PWD_OPTION_NAME = "pwd"
-    QUERYN_OPTION_NAME = "query%d"
-    DEFAULT_ROLES_OPTION_NAME = "defaultRoles"
-    
-    def __init__(self, propertiesFilePath=None):
-        """Connect to Postgres database"""
-        self.__con = None
-        self.__host = None
-        self.__dbName = None
-        self.__username = None
-        self.__pwd = None
-
-        if propertiesFilePath is None:
-            raise AttributeError("No Configuration file was set")
-
-        self.readConfigFile(propertiesFilePath)
-
-    def __del__(self):
-        """Close database connection"""
-        self.close()
-
-    def readConfigFile(self, propertiesFilePath):
-        """Read the configuration for the database connection
-
-        @type propertiesFilePath: string
-        @param propertiesFilePath: file path to config file"""
-
-        if not isinstance(propertiesFilePath, basestring):
-            raise TypeError("Input Properties file path must be a valid "
-                            "string; got %r" % type(propertiesFilePath))
-
-        cfg = SafeConfigParser()
-        cfg.read(propertiesFilePath)
-
-        self.__host = cfg.get(
-                        PostgresAttributeInterface.CONNECTION_SECTION_NAME, 
-                        PostgresAttributeInterface.HOST_OPTION_NAME)
-        self.__dbName = cfg.get(
-                        PostgresAttributeInterface.CONNECTION_SECTION_NAME, 
-                        PostgresAttributeInterface.DBNAME_OPTION_NAME)
-        self.__username = cfg.get(
-                        PostgresAttributeInterface.CONNECTION_SECTION_NAME, 
-                        PostgresAttributeInterface.USERNAME_OPTION_NAME)
-        self.__pwd = cfg.get(
-                        PostgresAttributeInterface.CONNECTION_SECTION_NAME, 
-                        PostgresAttributeInterface.PWD_OPTION_NAME)
-
-        try:
-            self.__getRolesQuery = []
-            for i in range(10):
-                queryStr = cfg.get(
-                        PostgresAttributeInterface.GETROLES_SECTION_NAME, 
-                        PostgresAttributeInterface.QUERYN_OPTION_NAME % i)
-                self.__getRolesQuery += [queryStr]
-        except NoOptionError:
-             # Continue until no more query<n> items left
-             pass
-
-        # This option may be omitted in the config file
-        try:
-            self.__defaultRoles = cfg.get(
-                PostgresAttributeInterface.GETROLES_SECTION_NAME, 
-                PostgresAttributeInterface.DEFAULT_ROLES_OPTION_NAME).split()
-        except NoOptionError:
-            self.__defaultRoles = []
-
-    def connect(self,
-                username=None,
-                dbName=None,
-                host=None,
-                pwd=None,
-                prompt="Database password: "):
-        """Connect to database
-
-        Values for keywords omitted are derived from the config file.  If pwd
-        is not in the config file it will be prompted for from stdin
-
-        @type username: string
-        @keyword username: database account username
-        @type dbName: string
-        @keyword dbName: name of database
-        @type host: string
-        @keyword host: database host machine
-        @type pwd: string
-        @keyword pwd: password for database account.  If omitted and not in
-        the config file it will be prompted for from stdin
-        @type prompt: string
-        @keyword prompt: override default password prompt"""
-
-        if not host:
-            host = self.__host
-
-        if not dbName:
-            dbName = self.__dbName
-
-        if not username:
-            username = self.__username
-
-        if not pwd:
-            pwd = self.__pwd
-
-            if not pwd:
-                import getpass
-                pwd = getpass.getpass(prompt=prompt)
-
-        try:
-            self.__db = connect("host=%s dbname=%s user=%s password=%s" % \
-                                (host, dbName, username, pwd))
-            self.__cursor = self.__db.cursor()
-
-        except NameError, e:
-            raise AttributeInterfaceError("psycopg2 Postgres package not "
-                                          "installed? %s" % e)
-        except Exception, e:
-            raise AttributeInterfaceError("Error connecting to database "
-                                          "\"%s\": %s" % (dbName, e))
-
-    def close(self):
-        """Close database connection"""
-        if self.__con:
-            self.__con.close()
-
-    def getRoles(self, userId):
-        """Return valid roles for the given userId
-
-        @type userId: basestring
-        @param userId: user identity"""
-
-        try:
-            self.connect()
-
-            # Process each query in turn appending role names
-            roles = self.__defaultRoles[:]
-            for query in self.__getRolesQuery:
-                try:
-                    self.__cursor.execute(query % userId)
-                    queryRes = self.__cursor.fetchall()
-
-                except Exception, e:
-                    raise AttributeInterfaceError("Query for %s: %s" %
-                                                  (userId, e))
-
-                roles += [res[0] for res in queryRes if res[0]]
-        finally:
-            self.close()
-
-        return roles
-
-    def __getCursor(self):
-        """Return a database cursor instance"""
-        return self.__cursor
-
-    cursor = property(fget=__getCursor, doc="database cursor")
 
 
@@ -1250 +1065 @@
         assertion.issueInstant = response.issueInstant
     
-        # Assumes SAML response issuer name set independently - 
+        # Assumes SAML response issuer details as set by - 
         # ndg.security.server.wsgi.saml.SOAPQueryInterfaceMiddleware
         assertion.issuer = Issuer()
         assertion.issuer.value = response.issuer.value
-        assertion.issuer.format = Issuer.X509_SUBJECT
+        
+        if response.issuer.format:
+            assertion.issuer.format = response.issuer.format
 
         assertion.conditions = Conditions()
@@ -1338 +1155 @@
 
         log.debug('Checking for SAML subject with SQL Query = "%s"', query)
+
+        connection = dbEngine.connect()
+            
         try:
-            connection = dbEngine.connect()
             result = connection.execute(query)
 
@@ -1399 +1218 @@
             
         log.debug('Checking for SAML attributes with SQL Query = "%s"', query)
+        
+        connection = dbEngine.connect()
                 
         try:
-            connection = dbEngine.connect()
             result = connection.execute(query)
             

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attribute-service.ini

@@ -131 +131 @@
 
 [logger_root]
-level = INFO
-handlers = console
+level = DEBUG
+handlers = console, logfile
 
 [logger_ndg]

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini

@@ -159 +159 @@
 
 [logger_root]
-level = INFO
-handlers = console
+level = DEBUG
+handlers = console, logfile
 
 [logger_ndg]