Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1035

Timestamp:

26/05/06 14:53:19 (15 years ago)

Author:

pjkersha

Message:

Tests/SecurityClientTest?.py: minor change to re-test glue AA getTrustedHostInfo

Tests/security.py: WORKING VERSION -

fixed showLogin
fixed showCredsReceived

dist/NDG-Security-0.66.tar.gz: new version of distribution

NDG/SecurityCGI.py: WORKING VERSION -

cookie expiry for new cookie transfered from another domain can be set with cookieLifetimeHrs keyword to init

This is only applies if the 'expires' argument is not set when passed back from trusted host login URL. Only
'NDG-ID1' and 'NDG-ID2' args are needed to pass credential info back to the requestor.

receiveCredsResponse broken up into method createCookie() to create a new cookie from the credentials received

in the URL and showCredsReceived method to display a page on completion of the transaction and set the new cookie
in the users browser.

authenticate method modified so that if authentication fails, the login page is re-displayed.

NDG/Session.py:

UserSession? class reduced sessID length to 64 chars from 128 to keep URL lenght to a minimum when transfering

credentials between domains. ID should be as long as possible to make it difficult to guess.

Quoted cookie expiry: sessCookieExpiryFmt = "\"%a, %d-%b-%Y %H:%M:%S GMT\"" as official format reuqires. If not

quoted, SimpleCookie? won't parse it correctly.

Location:

TI12-security/trunk/python

Files:

: 5 edited

NDG/SecurityCGI.py (modified) (19 diffs)
NDG/Session.py (modified) (4 diffs)
Tests/SecurityClientTest.py (modified) (2 diffs)
Tests/security.py (modified) (6 diffs)
dist/NDG-Security-0.66.tar.gz (modified) (previous)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/NDG/SecurityCGI.py

-                      r1022
+                      r1035
                  returnURI=None,
                  trustedHostInfo=None,
                  cookieLifetimeHrs=12,
+                 cookieLifetimeHrs=8,
                  wsDebug=False,
                  **cgiFieldStorageKwArgs):
 …
                               list of login URI for trusted hosts
         returnURI:            the address to redirect back to following a
                               redirect
+                              redirect
                               to the user's home site to obtain their
                               credentials
 …
         # Work out expiry time offset from the time this script is run
         self.dtCookieExpiry = datetime.utcnow()
         self.dtCookieExpiry += timedelta(seconds=self.cookieLifetimeHrs*60*60)
+        self.dtCookieExpiry = datetime.utcnow() + \
+                                timedelta(seconds=self.cookieLifetimeHrs*60*60)
         self.__wsDebug = False
         self.__authorisationMethod = None
+        self._authorisationMethod = None
         cgi.FieldStorage.__init__(self, **cgiFieldStorageKwArgs)
 …
             # Receive credentials back from home site and set a new cookie at
             # remote site
+            if 'expires' in self:
+                encodedExpiry = self['expires'].value
+            else:
+                encodedExpiry = None
             self.receiveCredsResponse(self['NDG-ID1'].value,
                                       self['NDG-ID2'].value,
+                                      encodedExpiry=encodedExpiry,
                                       **kwargs)
         elif 'authenticate' in self:
             # User has logged on at home site and a cookie is now set -
+            # User has logged on at home site and a cookie is now set -
             # next step is processCredsRequest() below
             sessCookie = self.authenticate()
             if 'returnURI' in self:
                 # Authentication is required following a redirect from
+                # Authentication is required following a redirect from
                 # another site - redirect back to the remote site returning
                 # the cookie information
 …
                      pageTitle='',
                      headTags='',
                      delayTime=3,
                      redirectMsg='Redirecting'):
+                     delayTime=0,
+                     redirectMsg=''):
         """Request credentials from a user's home site
 …
             requestURI = self['requestURI'].value
         output = """Content-type: text/html
+        print """Content-type: text/html
 <html>
 …
 </html>""" % \
     (pageTitle, delayTime, requestURI, self.returnURI, headTags, redirectMsg)
+        sys.stderr.write(output)
+        print output
     #_________________________________________________________________________
     def receiveCredsResponse(self,
                              sessID,
                              sessMgrURI,
+                             pageTitle='',
+                             hdrTxt='',
+                             bodyTxt=''):
+        """Remote site receives returned credentials and creates a new cookie
+                             encodedExpiry=None,
+                             **showCredsReceivedKwArgs):
+        """Remote site receives returned credentials and creates a new cookie
         for its domain"""
+        sessCookie = UserSession.createSecurityCookie(sessID,
+                                                sessMgrURI,
+                                                dtExpiry=self.dtCookieExpiry)
+        sessCookie = self.createCookie(sessID, sessMgrURI, encodedExpiry)
+        self.showCredsReceived(sessCookie)
+    #_________________________________________________________________________
+    def showCredsReceived(sessCookie, pageTitle='', hdrTxt='', bodyTxt=''):
+        """Called from receiveCredsResponse() once a cookie has been created.
+        Makes a page to set the cookie and display to the user that they have
+        been authenticated.  Derived class should override this method as
+        required"""
         print """Content-type: text/html"
 %s
 …
 </body>
 </html>""" % (sessCookie.output(), pageTitle, hdrTxt, bodyTxt)
+    #_________________________________________________________________________
+    def processCredsRequest(self,
+    #_________________________________________________________________________
+    def createCookie(self, sessID, sessMgrURI, encodedExpiry=None):
+        """Convert credentials passed over URI from users home site into a new
+        cookie"""
+        if encodedExpiry:
+            # Expiry is taken from encoded value passed over URI
+            dtExpiry = None
+            expiryStr = base64.b64decode(encodedExpiry)
+        else:
+            # Expiry is set from life time in hours input in __init__
+            dtExpiry = self.dtCookieExpiry
+            expiryStr = None
+        return UserSession.createSecurityCookie(sessID,
+                                                sessMgrURI,
+                                                dtExpiry=dtExpiry,
+                                                expiryStr=expiryStr)
+        #_________________________________________________________________________
+    def processCredsRequest(self,
                             returnURI=None,
                             sessCookie=None,
 …
             sessCookie = SimpleCookie(os.environ['HTTP_COOKIE'])
         if sessCookie:
             # Cookie is set - check for NDG cookie
 …
             # Return cookie to requestor
             self.returnCreds(sessCookie, returnURI, **returnCredsKwArgs)
         else:
             # No cookie present - display login.  Submit must redirect back to
 …
         if setCookie:
             cookieTxt = sessCookie.output() + os.line_sep()
+            cookieTxt = sessCookie.output() + os.linesep
         else:
             cookieTxt = ''
         print """Content-type: text/html
 %s
+        output = """Content-type: text/html
+%s
 <html>
 <head>
 <title>%s</title>
 <meta http-equiv="REFRESH"
 content="%d; url=%s?NDG-ID1=%s&NDG-ID2=%s">
+content="%d; url=%s?NDG-ID1=%s&NDG-ID2=%s&expires=%s">
 %s
 </head>
 …
                sessCookie['NDG-ID1'].value,
                sessCookie['NDG-ID2'].value,
+               base64.b64encode(sessCookie['NDG-ID1']['expires']),
                hdrTxt,
                redirectMsg)
+        print output
     #_________________________________________________________________________
     def authenticate(self, bAuthorise=False):
 …
         if self.userName is None:
+            self.showLogin(returnURI=self['returnURI'].value,
+                           setCookie=True,
+                           contentTypeHdr=True,
+                           pageTitle="NDG Login",
+                           htmlTag=True,
+                           bodyTag=True)
             raise SecurityCGIError("no username set for authentication")
         if self.passPhrase is None:
+            self.showLogin(returnURI=self['returnURI'].value,
+                           setCookie=True,
+                           contentTypeHdr=True,
+                           pageTitle="NDG Login",
+                           htmlTag=True,
+                           bodyTag=True)
             raise SecurityCGIError("no pass-phrase set for authentication")
 …
                                    traceFile=traceFile)
+            return smClnt.connect(userName=self.userName,
+                                  pPhrase=self.passPhrase,
+                                  clntPriKeyPwd=self.clntPriKeyPwd)
+            sSessCookie = smClnt.connect(userName=self.userName,
+                                         pPhrase=self.passPhrase,
+                                         clntPriKeyPwd=self.clntPriKeyPwd)
+            sessCookie = SimpleCookie(sSessCookie)
+            return sessCookie
         except Exception, e:
+            self.showLogin(returnURI=self['returnURI'].value,
+                           setCookie=True,
+                           contentTypeHdr=True,
+                           pageTitle="NDG Login",
+                           htmlTag=True,
+                           bodyTag=True)
             raise SecurityCGIError("Session client: " + str(e))
 …
                                     "noMapping":                 ''}
         if self.__authorisationMethod is None:
+        if self._authorisationMethod is None:
             # Default to safest option for user
             authorisationMethodChk["allowMappingWithPrompt"] = ' checked'
         else:
             authorisationMethodChk[self.__authorisationMethod] = ' checked'
+            authorisationMethodChk[self._authorisationMethod] = ' checked'
         print \
 …
                 var style = document.layers[whichLayer].style;
+            }
             style.visibility = style.visibility == "visible" ? "hidden":"visible";
+        }
+            style.visibility = style.visibility == "visible" ?
+"hidden":"visible";        }
     //-->
     </script>
 …
     <tr>
         <td colspan="2" align="right">
             <a href="javascript:toggleLayer('advSettings');">Advanced Settings</a>
             <input type=submit value="Login">
+            <a href="javascript:toggleLayer('advSettings');">Advanced
+Settings</a>            <input type=submit value="Login">
         </td>
     </tr>
 …
     <div id="advSettings" style="position: relative; visibility: hidden;">
         <h4>Role Mapping for access to other trusted sites</h4>
         <p>Your account has roles or <i>privileges</i> which determine what data you have access to.  If you access data at another NDG trusted site, these roles can be mapped to local roles at that site to help you gain access:
+        </p>
+        <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5>
         <tbody>
+        <p>Your account has roles or <i>privileges</i> which determine what data
+you have access to.  If you access data at another NDG trusted site, these roles
+can be mapped to local roles at that site to help you gain access:        </p>
+     <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5>        <tbody>
         <tr>
         <td>
             <input type="radio" name="authorisationMethod" value="allowMapping"%s>
         </td>
+            <input type="radio" name="authorisationMethod"
+value="allowMapping"%s>        </td>
             <td>
                 Allow my roles to be mapped to local roles at other NDG trusted sites.
             </td>
+                Allow my roles to be mapped to local roles at other NDG trusted
+sites.            </td>
         </tr>
         <tr>
             <td>
                 <input type="radio" name="authorisationMethod" value="allowMappingWithPrompt"%s>
             </td>
+                <input type="radio" name="authorisationMethod"
+value="allowMappingWithPrompt"%s>            </td>
         <td>
             Allow my roles to be mapped, but prompt me so that I may choose which roles to map before gaining access.
         </td>
+            Allow my roles to be mapped, but prompt me so that I may choose
+which roles to map before gaining access.        </td>
         <tr>
         <td>
 …
                                 clntPubKeyFilePath=self.clntPubKeyFilePath,
                                 clntPriKeyFilePath=self.clntPriKeyFilePath,
                                 traceFile=traceFile)
+                                traceFile=traceFile)
             self.trustedHostInfo = aaClnt.getTrustedHostInfo(

TI12-security/trunk/python/NDG/Session.py

-                      r1022
+                      r1035
 #_____________________________________________________________________________
 # Inheriting from 'object' allows Python 'new-style' class with Get/Set
 …
     # Session ID
     __sessIDlen = 128
+    __sessIDlen = 64
     __cookieTags = ("NDG-ID1", "NDG-ID2")
 …
     __cookieDomainTag = 'domain'
     __cookieExpiryTag = "expires"
+    __sessCookieExpiryFmt = "%a, %d-%b-%Y %H:%M:%S GMT"
+    # Quotes are vital (and part of the official cookei format) - otherwise it
+    # will not be parsed correctly
+    __sessCookieExpiryFmt = "\"%a, %d-%b-%Y %H:%M:%S GMT\""
 …
             if not isinstance(dtExpiry, datetime):
                 UserSessionError, \
                     "Expecting vaild datetime object with dtExpiry keyword"
+                    "Expecting valid datetime object with dtExpiry keyword"
             expiryStr = dtExpiry.strftime(cls.__sessCookieExpiryFmt)

TI12-security/trunk/python/Tests/SecurityClientTest.py

-                      r1022
+                      r1035
             # Attribute Authority client tests
             aaWSDL = 'http://gabriel.bnsc.rl.ac.uk/attAuthority.wsdl'
+            aaWSDL = 'http://glue.badc.rl.ac.uk/attAuthority.wsdl'
             aaPubKeyFilePath = None
 …
         import pdb
         pdb.set_trace()
         role = 'staff'
+        role = 'acsoe'
         try:
             trustedHosts = self.aaClnt.getTrustedHostInfo(

TI12-security/trunk/python/Tests/security.py

-                      r1022
+                      r1035
     #_________________________________________________________________________
     def showLogin(self, returnURI=None, **kwargs):
+    def showLogin(self, returnURI=None, bAuthorise=False, **kwargs):
         """Display initial NDG login form"""
         if returnURI:
             returnURIfield = \
                 "<input type=hidden name=returnURI value=\"%s\">" % returnURI
+             "<input type=hidden name=\"returnURI\" value=\"%s\">" % returnURI
         else:
             returnURIfield = ''
 …
         if bAuthorise:
+            authoriseArg = "<input type=hidden name=authorise value=\"1\">"
+            authoriseField = \
+                "<input type=hidden name=\"authorise\" value=\"1\">"
         else:
             authoriseArg = ""
+            authoriseField = ""
 …
                                     "allowMappingWithPrompt" :   '',
                                     "noMapping":                 ''}
         if self.__authorisationMethod is None:
+        if self._authorisationMethod is None:
             # Default to safest option for user
             authorisationMethodChk["allowMappingWithPrompt"] = ' checked'
         else:
             authorisationMethodChk[self.__authorisationMethod] = ' checked'
+            authorisationMethodChk[self._authorisationMethod] = ' checked'
         print """Content-type: text/html
 <html>"
+<html>
 <head>
 <title>%s</title>
+<title>NDG Login</title>
 <style type=\"text/css\">
 <!--
 …
                     var style = document.layers[whichLayer].style;
+                }
                 style.visibility = style.visibility == "visible" ? "hidden":"visible";
+            }
+                style.visibility = style.visibility == "visible" ?
+"hidden":"visible";            }
         //-->
     </script>
     <h3>NERC Data Grid Site Login (Test)<BR clear=all></h3>
     <hr>
     <form action="%s" method="POST">
     <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5>
     <tbody>
+    <tr><td>User Name:</td> <td><input type=text name=userName value="">
+    </td></tr>
+    <tr>
+        <td>Password:</td>
+        <td><input type=password name=passPhrase></td>
+    </tr>
+    <tr>
+        <td colspan="2" align="right">
+            <a href="javascript:toggleLayer('advSettings');">Advanced Settings</a>
+            <input type=submit value="Login">
+        </td>
+    </tr>
+    <input type=hidden name=authenticate value="1">
+    %s"""  % (self.scriptName, returnURIfield)
+    <tr>
+      <td>User Name:</td>
+      <td><input type=text name="userName" value=""></td>
+    </tr>
+    <tr>
+      <td>Password:</td>
+      <td><input type=password name="passPhrase"></td>
+    </tr>
+    <tr>
+      <td colspan="2" align="right">
+        <a href="javascript:toggleLayer('advSettings');">
+        Advanced Settings
+        </a>
+        <input type=submit value="Login">
+      </td>
+    </tr>
+    <input type=hidden name="authenticate" value="1">
+    </tbody>
+    </table>
+    %s
+    %s
+    </form>
+</body>
+</html>"""  % (self.scriptName, returnURIfield, authoriseField)
         print \
+    """</tbody></table>
+"""    </tbody>
+    </table>
     <br>
     <div id="advSettings" style="position: relative; visibility: hidden;">
+        <h4>Role Mapping for access to other trusted sites</h4>
+        <p>Your account has roles or <i>privileges</i> which determine what data you have access to.  If you access data at another NDG trusted site, these roles can be mapped to local roles at that site to help you gain access:
+        </p>
+        <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5>
+        <tbody>
+      <h4>Role Mapping for access to other trusted sites</h4>
+      <p>Your account has roles or <i>privileges</i> which determine what data
+you have access to.  If you access data at another NDG trusted site, these
+roles can be mapped to local roles at that site to help you gain access:
+      </p>
+    <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5>
+    <tbody>
+      <tr>
+        <td><input type="radio" name="authorisationMethod"
+value="allowMapping"%s>
+        </td>
+        <td>
+        Allow my roles to be mapped to local roles at other NDG trusted sites.
+        </td>
+      </tr>
+      <tr>
+        <td>
+          <input type="radio" name="authorisationMethod"
+value="allowMappingWithPrompt"%s>
+        </td>
+        <td>
+            Allow my roles to be mapped, but prompt me so that I may choose
+which roles to map before gaining access.
+        </td>
         <tr>
         <td>
             <input type="radio" name="authorisationMethod" value="allowMapping"%s>
         </td>
             <td>
                 Allow my roles to be mapped to local roles at other NDG trusted sites.
             </td>
+          <input type="radio" name="authorisationMethod" value="noMapping"%s>
+        </td>
+        <td>
+          Don't allow mapping of my roles.
+        </td>
         </tr>
+        <tr>
+            <td>
+                <input type="radio" name="authorisationMethod" value="allowMappingWithPrompt"%s>
+            </td>
+        <td>
+            Allow my roles to be mapped, but prompt me so that I may choose which roles to map before gaining access.
+        </td>
+        <tr>
+        <td>
+            <input type="radio" name="authorisationMethod" value="noMapping"%s>
+        </td>
+        <td>
+            Don't allow mapping of my roles.
+        </td>
+        </tr>
+        </tbody>
+        </table>
+      </tbody>
+      </table>
     </div>
     </form>
 …
+    #_________________________________________________________________________
+    def showCredsReceived(self,
+                              sessCookie,
+                                                  pageTitle='',
+                                                  hdrTxt='',
+                                                  bodyTxt=''):
+        """Called from receiveCredsResponse() once a cookie has been created.
+        Makes a page to set the cookie and display to the user that they have
+        been authenticated.  Derived class should override this method as
+        required"""
+        print """Content-type: text/html
+%s
+<html>
+<head>
+<title>NDG Authentication</title>
+    <style type=\"text/css\">
+    <!--
+    .al {
+    text-align: justify
+    }
+    a{
+    text-decoration:none;
+    }
+    a:hover{
+    color:#0000FF;
+    }
+        body { font-family: Verdana, sans-serif; font-size: 11}
+        table { font-family: Verdana, sans-serif; font-size: 11}
+    -->
+    </style>
+</head>
+<body>
+    New cookie set from credentials transfered from other domain
+</body>
+</html>""" % sessCookie.output()
+#_____________________________________________________________________________
 if __name__ == "__main__":
     smWSDL = "http://gabriel.bnsc.rl.ac.uk/sessionMgr.wsdl"
     aaWSDL = 'http://gabriel.bnsc.rl.ac.uk/attAuthority.wsdl'
 …
     smPubKeyFilePath = "/usr/local/NDG/conf/certs/gabriel-sm-cert.pem"
     aaPubKeyFilePath = "/usr/local/NDG/conf/certs/gabriel-aa-cert.pem"
     clntPubKeyFilePath = "../certs/GabrielCGI-cert.pem"
     clntPriKeyFilePath = "../certs/GabrielCGI-key.pem"

Note: See TracChangeset for help on using the changeset viewer.