Changeset 1300
- Timestamp:
- 14/07/06 11:34:15 (15 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 9 edited
TI12-security/trunk/python/NDG/SecurityCGI.py
r1203 r1300 171 171 172 172 #_________________________________________________________________________ 173 def requestCreds(self,174 requestURI=None,175 returnURI=None,176 pageTitle='',177 headTags='',178 delayTime=0,179 redirectMsg=''):173 def _requestCreds(self, 174 requestURI=None, 175 returnURI=None, 176 pageTitle='', 177 headTags='', 178 delayTime=0, 179 redirectMsg=''): 180 180 """Request credentials from a user's home site 181 181 … … 211 211 212 212 #_________________________________________________________________________ 213 def receiveCredsResponse(self,214 sessID,215 sessMgrURI,216 encodedExpiry=None,217 **showCredsReceivedKwArgs):213 def _receiveCredsResponse(self, 214 sessID, 215 sessMgrURI, 216 encodedExpiry=None, 217 **showCredsReceivedKwArgs): 218 218 """Remote site receives returned credentials and creates a new cookie 219 219 for its domain""" … … 222 222 223 223 #_________________________________________________________________________ 224 def showCredsReceived(sessCookie, pageTitle='', hdrTxt='', bodyTxt=''): 224 def showCredsReceived(self, 225 sessCookie, 226 pageTitle='', 227 hdrTxt='', 228 bodyTxt=''): 225 229 """Called from receiveCredsResponse() once a cookie has been created. 
226 230 Makes a page to set the cookie and display to the user that they have … … 242 246 243 247 #_________________________________________________________________________ 244 def createCookie(self, sessID, sessMgrURI, encodedExpiry=None):248 def _createCookie(self, sessID, sessMgrURI, encodedExpiry=None): 245 249 """Convert credentials passed over URI from users home site into a new 246 250 cookie""" … … 262 266 263 267 #_________________________________________________________________________ 264 def processCredsRequest(self,265 returnURI=None,266 bAuthorise=False,267 sessCookie=None,268 **returnCredsResponseKwArgs):268 def _processCredsRequest(self, 269 returnURI=None, 270 bAuthorise=False, 271 sessCookie=None, 272 **returnCredsResponseKwArgs): 269 273 """Receive request from remote site for credentials. Process and 270 274 return via a redirect""" … … 296 300 297 301 #_________________________________________________________________________ 298 def returnCredsResponse(self,302 def _returnCredsResponse(self, 299 303 sessCookie, 300 304 returnURI=None, … … 381 385 382 386 #_________________________________________________________________________ 383 def authenticate(self, bAuthorise=False):387 def _authenticate(self, bAuthorise=False): 384 388 """Authenticate username and passphrase input from preceeding login 385 389 form … … 442 446 443 447 #_________________________________________________________________________ 444 def getAttCert(self, sessCookie=None, reqRole=None):448 def _getAttCert(self, sessCookie=None, reqRole=None): 445 449 """Contact Attribute Authority to get Attribute Certificate for data 446 450 access -
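Review bot: The docstring of `showCredsReceived` (new line 229) still says `Called from receiveCredsResponse() once a cookie has been created.`, but this same section renames that method to `_receiveCredsResponse`, so the reference is stale the moment the change lands; it should read `Called from _receiveCredsResponse() once a cookie has been created.` Renaming `requestCreds`, `receiveCredsResponse`, `createCookie`, `processCredsRequest`, `returnCredsResponse`, `authenticate` and `getAttCert` to single-underscore names is a public-interface change for any subclass or caller that used the old names, which cannot be checked from here, so the class docstring would benefit from one sentence naming the intended override points (`showCredsReceived` keeps its public name and now gains the `self` parameter the old signature lacked). The bodies of all these methods continue outside the displayed hunks.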
TI12-security/trunk/python/NDG/SecurityClient.py
r1176 r1300 17 17 18 18 from ZSI import ServiceProxy 19 from ZSI.wstools.Utility import HTTPResponse 20 19 21 import sys 20 22 import os … … 198 200 def serviceProxy(self, smWSDL=None): 199 201 """Set the WS proxy for the Session Manager""" 202 200 203 if smWSDL: 201 204 self.__setSMwsdl(smWSDL) … … 205 208 use_wsdl=True, 206 209 tracefile=self.__traceFile) 207 except Exception, e: 208 raise SessionClientError("Initialising WSDL Service Proxy: " + \ 209 str(e)) 210 except HTTPResponse, e: 211 raise SessionClientError, \ 212 "Error initialising WSDL Service Proxy for \"%s\": %s %s" % \ 213 (self.__smWSDL, e.status, e.reason) 214 215 except Exception, e: 216 raise SessionClientError, \ 217 "Initialising WSDL Service Proxy for \"%s\": %s" % \ 218 (self.__smWSDL, str(e)) 210 219 211 220 … … 616 625 617 626 except IOError, (errNo, errMsg): 618 raise AttAuthorityClientError (\627 raise AttAuthorityClientError, \ 619 628 "Writing public key to temp \"%s\": %s" % \ 620 (self.__aaPubKeyTempFile.name, errMsg) )621 except Exception, e: 622 raise AttAuthorityClientError, "Retrieving Attribute Authority " 629 (self.__aaPubKeyTempFile.name, errMsg) 630 except Exception, e: 631 raise AttAuthorityClientError, "Retrieving Attribute Authority "+\ 623 632 "public key: %s" % str(e) 624 633 … … 634 643 use_wsdl=True, 635 644 tracefile=self.__traceFile) 636 except Exception, e:645 except HTTPResponse, e: 637 646 raise AttAuthorityClientError, \ 638 "Initialising WSDL Service Proxy: " + str(e) 647 "Error initialising WSDL Service Proxy for \"%s\": %s %s" % \ 648 (self.__aaWSDL, e.status, e.reason) 649 650 except Exception, e: 651 raise AttAuthorityClientError, \ 652 "Initialising WSDL Service Proxy for \"%s\": %s" % \ 653 (self.__aaWSDL, str(e)) 639 654 640 655 -
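Review bot: The new `HTTPResponse` handlers in `serviceProxy` (new lines 210-218) and in the Attribute Authority proxy set-up (new lines 645-653) replace the call form `raise SessionClientError(...)` that the removed code used with the two-expression statement form `raise SessionClientError, "..." % (...)`; the call form is the one to keep, since it is an ordinary expression and valid in every Python version, e.g. `raise SessionClientError("Error initialising WSDL Service Proxy for \"%s\": %s %s" % (self.__smWSDL, e.status, e.reason))`. The same switch appears in the IOError handler at new line 627. The `e.status` and `e.reason` attributes are presumably those of ZSI's `HTTPResponse` exception — worth confirming against the installed ZSI version, since an AttributeError inside the handler would mask the original HTTP failure. Both `try` blocks start outside the displayed hunks.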
TI12-security/trunk/python/Tests/SecurityClientTest.py
r1231 r1300 29 29 # Session Manager WSDL 30 30 # self.smWSDL = './sessionMgr.wsdl' 31 # self.smWSDL = 'http://glue.badc.rl.ac.uk/sessionMgr.wsdl' 32 self.smWSDL = 'http://gabriel.bnsc.rl.ac.uk/sessionMgr.wsdl' 31 self.smWSDL = 'http://glue.badc.rl.ac.uk/sessionMgr.wsdl' 32 # self.smWSDL = 'http://gabriel.bnsc.rl.ac.uk/sessionMgr.wsdl' 33 34 # self.aaWSDL = '/home/pjkersha/Development/security/python/Tests/attAuthority.wsdl' 35 self.aaWSDL = 'http://glue.badc.rl.ac.uk/attAuthority.wsdl' 36 # self.aaWSDL = 'http://gabriel.bnsc.rl.ac.uk/attAuthority.wsdl' 37 38 aaPubKeyFilePath = None 33 39 34 40 # Public key of session manager used to encrypt requests … … 36 42 # getPubKey WS method 37 43 smPubKeyFilePath = None 44 45 self.newUserName = 'lawrence' 46 # self.newUserName = 'YosemiteSam' 47 48 # self.userName = 'gabriel' 49 self.userName = 'lawrence' 50 51 # self.trustedHostRequiredRole = 'acsoe' 52 self.trustedHostRequiredRole = 'coapec' 53 # self.trustedHostRequiredRole = 'academic' 38 54 39 55 self.__clntPriKeyPwd = open("./tmp2").read().strip() … … 51 67 traceFile=traceFile) 52 68 53 # Attribute Authority client tests 54 # self.aaWSDL = '/home/pjkersha/Development/security/python/Tests/attAuthority.wsdl' 55 # self.aaWSDL = 'http://glue.badc.rl.ac.uk/attAuthority.wsdl' 56 self.aaWSDL = 'http://gabriel.bnsc.rl.ac.uk/attAuthority.wsdl' 57 aaPubKeyFilePath = None 58 69 # Attribute Authority client tests 59 70 self.aaClnt = AttAuthorityClient(aaWSDL=self.aaWSDL, 60 71 aaPubKeyFilePath=aaPubKeyFilePath, … … 64 75 self.sessCookie = None 65 76 self.proxyCert = None 66 67 # self.newUserName = 'lawrence'68 self.newUserName = 'YosemiteSam'69 70 self.userName = 'gabriel'71 # self.userName = 'lawrence'72 73 # self.trustedHostRequiredRole = 'acsoe'74 # self.trustedHostRequiredRole = 'coapec'75 self.trustedHostRequiredRole = 'academic'76 77 77 78 except Exception, e: -
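Review bot: The setUp changes at new lines 31-53 pick the Session Manager and Attribute Authority endpoints, the user names and the required role by commenting one alternative in and another out, so every switch between the glue and gabriel deployments is a source edit that lands in history, as this changeset shows. Reading each value from the environment with the current default, e.g. `self.smWSDL = os.environ.get('NDG_SM_WSDL', 'http://glue.badc.rl.ac.uk/sessionMgr.wsdl')` (the variable name is only a suggestion), would let the test target either deployment without touching the file. Moving `aaPubKeyFilePath = None` up to new line 38 is fine, since the `AttAuthorityClient` construction at new line 70 still sees it. The enclosing setUp method begins before the hunk, so whether `os` is already imported is not visible here.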
TI12-security/trunk/python/share/ndg-aa
r1229 r1300 35 35 start() 36 36 { 37 38 39 40 41 42 43 44 45 46 47 48 37 echo -n "Starting ${serviceName}: " 38 39 # Source NDG Environment 40 if [ -f ${ndgSetupFilePath} ]; then 41 . ${ndgSetupFilePath} 42 else 43 failure $"Set-up of NDG environment" 44 return 45 fi 46 47 cmd="${NDG_DIR}/bin/${prog} ${args}" 48 49 49 # See if it's already running. Look *only* at the pid file. 50 50 local pid= 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 51 if [ -f /var/run/${serviceName}.pid ]; then 52 local line p 53 read line < /var/run/${serviceName}.pid 54 for p in $line ; do 55 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 56 done 57 fi 58 59 [ -n "${pid:-}" ] && return 60 61 # Make sure it doesn't core dump anywhere; while this could mask 62 # problems with the daemon, it also closes some security problems 63 ulimit -S -c 0 >/dev/null 2>&1 64 65 # Echo daemon 66 66 [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " ${serviceName}" 67 67 68 69 68 # And start it up. 69 initlog $INITLOG_ARGS -c "su - ${user} -c \"${cmd}\"" 70 70 RETVAL=$? 71 71 72 72 if [ $RETVAL = 0 ]; then 73 74 75 76 touch /var/lock/subsys/${serviceName}77 78 79 80 81 73 # Get the process ID 74 pid=(`ps --no-headers -u ${user} -o pid,cmd --sort=-pid|grep "$prog"`) 75 echo ${pid} > /var/run/${serviceName}.pid 76 touch /var/lock/subsys/${serviceName} 77 success $"${serviceName} startup" 78 else 79 failure $"${serviceName} startup" 80 fi 81 82 82 echo 83 83 } … … 86 86 stop() 87 87 { 88 89 88 echo -n "Shutting down ${serviceName}: " 89 90 90 # Find pid 91 92 93 94 95 96 97 98 99 100 101 102 103 91 pid= 92 if [ -f /var/run/${serviceName}.pid ]; then 93 local line p 94 read line < /var/run/${serviceName}.pid 95 for p in $line ; do 96 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 97 done 98 fi 99 100 if [ -z "$pid" ]; then 101 failure $"${serviceName} stop - no process found from PID file" 102 return 103 fi 104 104 105 105 # Kill it. 
… … 107 107 [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "${serviceName} " 108 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 fi 125 126 127 128 109 if checkpid $pid 2>&1; then 110 # TERM first, then KILL if not dead 111 kill -TERM $pid 112 usleep 100000 113 if checkpid $pid && sleep 1 && 114 checkpid $pid && sleep 3 && 115 checkpid $pid ; then 116 kill -KILL $pid 117 usleep 100000 118 fi 119 checkpid $pid 120 RC=$? 121 [ "$RC" -eq 0 ] && failure $"${serviceName} shutdown" || \ 122 success $"${serviceName} shutdown" 123 RC=$((! $RC)) 124 fi 125 else 126 failure $"${serviceName} shutdown" 127 RC=1 128 fi 129 129 130 130 # Remove pid file if any. 131 132 133 131 rm -f /var/run/${serviceName}.pid 132 133 echo 134 134 } 135 135 … … 137 137 restart() 138 138 { 139 140 139 stop 140 start 141 141 } 142 142 … … 144 144 status() 145 145 { 146 147 148 149 150 146 local pid= 147 local pidFilePath=/var/run/${serviceName}.pid 148 149 # Get pid from "/var/run/*.pid" file 150 if [ -f $pidFilePath ] ; then 151 151 read pid < $pidFilePath 152 152 if [ -z "$pid" ]; then … … 155 155 fi 156 156 else 157 158 159 160 161 162 163 164 165 166 167 157 echo $"No pid file $pidFilePath found" 158 return 159 fi 160 161 # look for pid in listing 162 local pidFound= 163 for i in `pidof -o $$ -o $PPID -o %PPID -x "python"`; do 164 [[ $i = $pid ]] && pidFound=Yes && break; 165 done 166 167 if [ -n "$pidFound" ]; then 168 168 echo $"$prog (pid $pid) is running..." 
169 169 return 170 170 171 171 elif [ -f /var/lock/subsys/${serviceName} ]; then 172 173 172 echo $"$prog dead but subsys locked and pid file $pidFilePath exists" 173 return 174 174 else 175 175 echo $"$prog dead but pid file $pidFilePath exists" 176 176 fi 177 177 } 178 178 179 179 180 180 case "$1" in 181 182 183 184 185 186 187 188 189 190 191 192 193 181 start) 182 start 183 ;; 184 stop) 185 stop 186 ;; 187 status) 188 # Use status defined in functions file 189 status 190 ;; 191 restart) 192 restart ${serviceName} 193 ;; 194 194 condrestart) 195 196 197 198 199 200 201 202 203 204 195 if [ -f /var/run/${serviceName}.pid ] ; then 196 stop 197 start 198 fi 199 ;; 200 *) 201 echo \ 202 "Usage: ${serviceName} {start|stop|restart|condrestart|status}" 203 exit 1 204 ;; 205 205 esac -
TI12-security/trunk/python/share/ndg-ca
r1236 r1300 36 36 start() 37 37 { 38 39 40 41 42 43 44 45 46 47 48 49 50 38 echo -n "Starting ${serviceName}: " 39 40 # Source NDG Environment 41 if [ -f ${ndgSetupFilePath} ]; then 42 . ${ndgSetupFilePath} 43 else 44 failure $"Set-up of NDG environment" 45 return 46 fi 47 48 cmd="cat ${configFilePath} | ${NDG_DIR}/bin/${prog} ${args}" 49 50 51 51 # See if it's already running. Look *only* at the pid file. 52 52 local pid= 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 53 if [ -f /var/run/${serviceName}.pid ]; then 54 local line p 55 read line < /var/run/${serviceName}.pid 56 for p in $line ; do 57 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 58 done 59 fi 60 61 [ -n "${pid:-}" ] && return 62 63 # Make sure it doesn't core dump anywhere; while this could mask 64 # problems with the daemon, it also closes some security problems 65 ulimit -S -c 0 >/dev/null 2>&1 66 67 # Echo daemon 68 68 [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " ${serviceName}" 69 69 70 71 70 # And start it up. 71 initlog $INITLOG_ARGS -c "su -s /bin/bash - ${user} -c \"${cmd}\"" 72 72 RETVAL=$? 73 73 74 74 if [ $RETVAL = 0 ]; then 75 76 77 78 touch /var/lock/subsys/${serviceName}79 80 81 82 83 75 # Get the process ID 76 pid=(`ps --no-headers -u ${user} -o pid,cmd --sort=-pid|grep "$prog"`) 77 echo ${pid} > /var/run/${serviceName}.pid 78 touch /var/lock/subsys/${serviceName} 79 success $"${serviceName} startup" 80 else 81 failure $"${serviceName} startup" 82 fi 83 84 84 echo 85 85 } … … 88 88 stop() 89 89 { 90 91 90 echo -n "Shutting down ${serviceName}: " 91 92 92 # Find pid 93 94 95 96 97 98 99 100 101 102 103 104 105 93 pid= 94 if [ -f /var/run/${serviceName}.pid ]; then 95 local line p 96 read line < /var/run/${serviceName}.pid 97 for p in $line ; do 98 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 99 done 100 fi 101 102 if [ -z "$pid" ]; then 103 failure $"${serviceName} stop - no process found from PID file" 104 return 105 fi 106 106 107 107 # Kill it. 
… … 109 109 [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "${serviceName} " 110 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 fi 127 128 129 130 111 if checkpid $pid 2>&1; then 112 # TERM first, then KILL if not dead 113 kill -TERM $pid 114 usleep 100000 115 if checkpid $pid && sleep 1 && 116 checkpid $pid && sleep 3 && 117 checkpid $pid ; then 118 kill -KILL $pid 119 usleep 100000 120 fi 121 checkpid $pid 122 RC=$? 123 [ "$RC" -eq 0 ] && failure $"${serviceName} shutdown" || \ 124 success $"${serviceName} shutdown" 125 RC=$((! $RC)) 126 fi 127 else 128 failure $"${serviceName} shutdown" 129 RC=1 130 fi 131 131 132 132 # Remove pid file if any. 133 134 135 133 rm -f /var/run/${serviceName}.pid 134 135 echo 136 136 } 137 137 … … 139 139 restart() 140 140 { 141 142 141 stop 142 start 143 143 } 144 144 … … 146 146 status() 147 147 { 148 149 150 151 152 148 local pid= 149 local pidFilePath=/var/run/${serviceName}.pid 150 151 # Get pid from "/var/run/*.pid" file 152 if [ -f $pidFilePath ] ; then 153 153 read pid < $pidFilePath 154 154 if [ -z "$pid" ]; then … … 157 157 fi 158 158 else 159 160 161 162 163 164 165 166 167 168 169 159 echo $"No pid file $pidFilePath found" 160 return 161 fi 162 163 # look for pid in listing 164 local pidFound= 165 for i in `pidof -o $$ -o $PPID -o %PPID -x "python"`; do 166 [[ $i = $pid ]] && pidFound=Yes && break; 167 done 168 169 if [ -n "$pidFound" ]; then 170 170 echo $"$prog (pid $pid) is running..." 
171 171 return 172 172 173 173 elif [ -f /var/lock/subsys/${serviceName} ]; then 174 175 174 echo $"$prog dead but subsys locked and pid file $pidFilePath exists" 175 return 176 176 else 177 177 echo $"$prog dead but pid file $pidFilePath exists" 178 178 fi 179 179 } 180 180 181 181 182 182 case "$1" in 183 184 185 186 187 188 189 190 191 192 193 194 195 183 start) 184 start 185 ;; 186 stop) 187 stop 188 ;; 189 status) 190 # Use status defined in functions file 191 status 192 ;; 193 restart) 194 restart ${serviceName} 195 ;; 196 196 condrestart) 197 198 199 200 201 202 203 204 205 206 197 if [ -f /var/run/${serviceName}.pid ] ; then 198 stop 199 start 200 fi 201 ;; 202 *) 203 echo \ 204 "Usage: ${serviceName} {start|stop|restart|condrestart|status}" 205 exit 1 206 ;; 207 207 esac -
TI12-security/trunk/python/share/ndg-gk
r1236 r1300 35 35 start() 36 36 { 37 38 39 40 41 42 43 44 45 46 47 48 37 echo -n "Starting ${serviceName}: " 38 39 # Source NDG Environment 40 if [ -f ${ndgSetupFilePath} ]; then 41 . ${ndgSetupFilePath} 42 else 43 failure $"Set-up of NDG environment" 44 return 45 fi 46 47 cmd="${NDG_DIR}/bin/${prog} ${args}" 48 49 49 # See if it's already running. Look *only* at the pid file. 50 50 local pid= 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 51 if [ -f /var/run/${serviceName}.pid ]; then 52 local line p 53 read line < /var/run/${serviceName}.pid 54 for p in $line ; do 55 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 56 done 57 fi 58 59 [ -n "${pid:-}" ] && return 60 61 # Make sure it doesn't core dump anywhere; while this could mask 62 # problems with the daemon, it also closes some security problems 63 ulimit -S -c 0 >/dev/null 2>&1 64 65 # Echo daemon 66 66 [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " ${serviceName}" 67 67 68 69 68 # And start it up. 69 initlog $INITLOG_ARGS -c "su - ${user} -c \"${cmd}\"" 70 70 RETVAL=$? 71 71 72 72 if [ $RETVAL = 0 ]; then 73 74 75 76 touch /var/lock/subsys/${serviceName}77 78 79 80 81 73 # Get the process ID 74 pid=(`ps --no-headers -u ${user} -o pid,cmd --sort=-pid|grep "$prog"`) 75 echo ${pid} > /var/run/${serviceName}.pid 76 touch /var/lock/subsys/${serviceName} 77 success $"${serviceName} startup" 78 else 79 failure $"${serviceName} startup" 80 fi 81 82 82 echo 83 83 } … … 86 86 stop() 87 87 { 88 89 88 echo -n "Shutting down ${serviceName}: " 89 90 90 # Find pid 91 92 93 94 95 96 97 98 99 100 101 102 103 91 pid= 92 if [ -f /var/run/${serviceName}.pid ]; then 93 local line p 94 read line < /var/run/${serviceName}.pid 95 for p in $line ; do 96 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 97 done 98 fi 99 100 if [ -z "$pid" ]; then 101 failure $"${serviceName} stop - no process found from PID file" 102 return 103 fi 104 104 105 105 # Kill it. 
… … 107 107 [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "${serviceName} " 108 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 fi 125 126 127 128 109 if checkpid $pid 2>&1; then 110 # TERM first, then KILL if not dead 111 kill -TERM $pid 112 usleep 100000 113 if checkpid $pid && sleep 1 && 114 checkpid $pid && sleep 3 && 115 checkpid $pid ; then 116 kill -KILL $pid 117 usleep 100000 118 fi 119 checkpid $pid 120 RC=$? 121 [ "$RC" -eq 0 ] && failure $"${serviceName} shutdown" || \ 122 success $"${serviceName} shutdown" 123 RC=$((! $RC)) 124 fi 125 else 126 failure $"${serviceName} shutdown" 127 RC=1 128 fi 129 129 130 130 # Remove pid file if any. 131 132 133 131 rm -f /var/run/${serviceName}.pid 132 133 echo 134 134 } 135 135 … … 137 137 restart() 138 138 { 139 140 139 stop 140 start 141 141 } 142 142 … … 144 144 status() 145 145 { 146 147 148 149 150 146 local pid= 147 local pidFilePath=/var/run/${serviceName}.pid 148 149 # Get pid from "/var/run/*.pid" file 150 if [ -f $pidFilePath ] ; then 151 151 read pid < $pidFilePath 152 152 if [ -z "$pid" ]; then … … 155 155 fi 156 156 else 157 158 159 160 161 162 163 164 165 166 167 157 echo $"No pid file $pidFilePath found" 158 return 159 fi 160 161 # look for pid in listing 162 local pidFound= 163 for i in `pidof -o $$ -o $PPID -o %PPID -x "python"`; do 164 [[ $i = $pid ]] && pidFound=Yes && break; 165 done 166 167 if [ -n "$pidFound" ]; then 168 168 echo $"$prog (pid $pid) is running..." 
169 169 return 170 170 171 171 elif [ -f /var/lock/subsys/${serviceName} ]; then 172 173 172 echo $"$prog dead but subsys locked and pid file $pidFilePath exists" 173 return 174 174 else 175 175 echo $"$prog dead but pid file $pidFilePath exists" 176 176 fi 177 177 } 178 178 179 179 180 180 case "$1" in 181 182 183 184 185 186 187 188 189 190 191 192 193 181 start) 182 start 183 ;; 184 stop) 185 stop 186 ;; 187 status) 188 # Use status defined in functions file 189 status 190 ;; 191 restart) 192 restart ${serviceName} 193 ;; 194 194 condrestart) 195 196 197 198 199 200 201 202 203 204 195 if [ -f /var/run/${serviceName}.pid ] ; then 196 stop 197 start 198 fi 199 ;; 200 *) 201 echo \ 202 "Usage: ${serviceName} {start|stop|restart|condrestart|status}" 203 exit 1 204 ;; 205 205 esac -
TI12-security/trunk/python/share/ndg-log
r1236 r1300 35 35 start() 36 36 { 37 38 39 40 41 42 43 44 45 46 47 48 37 echo -n "Starting ${serviceName}: " 38 39 # Source NDG Environment 40 if [ -f ${ndgSetupFilePath} ]; then 41 . ${ndgSetupFilePath} 42 else 43 failure $"Set-up of NDG environment" 44 return 45 fi 46 47 cmd="${NDG_DIR}/bin/${prog} ${args}" 48 49 49 # See if it's already running. Look *only* at the pid file. 50 50 local pid= 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 51 if [ -f /var/run/${serviceName}.pid ]; then 52 local line p 53 read line < /var/run/${serviceName}.pid 54 for p in $line ; do 55 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 56 done 57 fi 58 59 [ -n "${pid:-}" ] && return 60 61 # Make sure it doesn't core dump anywhere; while this could mask 62 # problems with the daemon, it also closes some security problems 63 ulimit -S -c 0 >/dev/null 2>&1 64 65 # Echo daemon 66 66 [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " ${serviceName}" 67 67 68 69 68 # And start it up. 69 initlog $INITLOG_ARGS -c "su - ${user} -c \"${cmd}\"" 70 70 RETVAL=$? 71 71 72 72 if [ $RETVAL = 0 ]; then 73 74 75 76 touch /var/lock/subsys/${serviceName}77 78 79 80 81 73 # Get the process ID 74 pid=(`ps --no-headers -u ${user} -o pid,cmd --sort=-pid|grep "$prog"`) 75 echo ${pid} > /var/run/${serviceName}.pid 76 touch /var/lock/subsys/${serviceName} 77 success $"${serviceName} startup" 78 else 79 failure $"${serviceName} startup" 80 fi 81 82 82 echo 83 83 } … … 86 86 stop() 87 87 { 88 89 88 echo -n "Shutting down ${serviceName}: " 89 90 90 # Find pid 91 92 93 94 95 96 97 98 99 100 101 102 103 91 pid= 92 if [ -f /var/run/${serviceName}.pid ]; then 93 local line p 94 read line < /var/run/${serviceName}.pid 95 for p in $line ; do 96 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 97 done 98 fi 99 100 if [ -z "$pid" ]; then 101 failure $"${serviceName} stop - no process found from PID file" 102 return 103 fi 104 104 105 105 # Kill it. 
… … 107 107 [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "${serviceName} " 108 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 fi 125 126 127 128 109 if checkpid $pid 2>&1; then 110 # TERM first, then KILL if not dead 111 kill -TERM $pid 112 usleep 100000 113 if checkpid $pid && sleep 1 && 114 checkpid $pid && sleep 3 && 115 checkpid $pid ; then 116 kill -KILL $pid 117 usleep 100000 118 fi 119 checkpid $pid 120 RC=$? 121 [ "$RC" -eq 0 ] && failure $"${serviceName} shutdown" || \ 122 success $"${serviceName} shutdown" 123 RC=$((! $RC)) 124 fi 125 else 126 failure $"${serviceName} shutdown" 127 RC=1 128 fi 129 129 130 130 # Remove pid file if any. 131 132 133 131 rm -f /var/run/${serviceName}.pid 132 133 echo 134 134 } 135 135 … … 137 137 restart() 138 138 { 139 140 139 stop 140 start 141 141 } 142 142 … … 144 144 status() 145 145 { 146 147 148 149 150 146 local pid= 147 local pidFilePath=/var/run/${serviceName}.pid 148 149 # Get pid from "/var/run/*.pid" file 150 if [ -f $pidFilePath ] ; then 151 151 read pid < $pidFilePath 152 152 if [ -z "$pid" ]; then … … 155 155 fi 156 156 else 157 158 159 160 161 162 163 164 165 166 167 157 echo $"No pid file $pidFilePath found" 158 return 159 fi 160 161 # look for pid in listing 162 local pidFound= 163 for i in `pidof -o $$ -o $PPID -o %PPID -x "python"`; do 164 [[ $i = $pid ]] && pidFound=Yes && break; 165 done 166 167 if [ -n "$pidFound" ]; then 168 168 echo $"$prog (pid $pid) is running..." 
169 169 return 170 170 171 171 elif [ -f /var/lock/subsys/${serviceName} ]; then 172 173 172 echo $"$prog dead but subsys locked and pid file $pidFilePath exists" 173 return 174 174 else 175 175 echo $"$prog dead but pid file $pidFilePath exists" 176 176 fi 177 177 } 178 178 179 179 180 180 case "$1" in 181 182 183 184 185 186 187 188 189 190 191 192 193 181 start) 182 start 183 ;; 184 stop) 185 stop 186 ;; 187 status) 188 # Use status defined in functions file 189 status 190 ;; 191 restart) 192 restart ${serviceName} 193 ;; 194 194 condrestart) 195 196 197 198 199 200 201 202 203 204 195 if [ -f /var/run/${serviceName}.pid ] ; then 196 stop 197 start 198 fi 199 ;; 200 *) 201 echo \ 202 "Usage: ${serviceName} {start|stop|restart|condrestart|status}" 203 exit 1 204 ;; 205 205 esac -
TI12-security/trunk/python/share/ndg-sm
r1236 r1300 35 35 start() 36 36 { 37 38 39 40 41 42 43 44 45 46 47 48 37 echo -n "Starting ${serviceName}: " 38 39 # Source NDG Environment 40 if [ -f ${ndgSetupFilePath} ]; then 41 . ${ndgSetupFilePath} 42 else 43 failure $"Set-up of NDG environment" 44 return 45 fi 46 47 cmd="${NDG_DIR}/bin/${prog} ${args}" 48 49 49 # See if it's already running. Look *only* at the pid file. 50 50 local pid= 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 51 if [ -f /var/run/${serviceName}.pid ]; then 52 local line p 53 read line < /var/run/${serviceName}.pid 54 for p in $line ; do 55 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 56 done 57 fi 58 59 [ -n "${pid:-}" ] && return 60 61 # Make sure it doesn't core dump anywhere; while this could mask 62 # problems with the daemon, it also closes some security problems 63 ulimit -S -c 0 >/dev/null 2>&1 64 65 # Echo daemon 66 66 [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " ${serviceName}" 67 67 68 69 68 # And start it up. 69 initlog $INITLOG_ARGS -c "su - ${user} -c \"${cmd}\"" 70 70 RETVAL=$? 71 71 72 72 if [ $RETVAL = 0 ]; then 73 74 75 76 touch /var/lock/subsys/${serviceName}77 78 79 80 81 73 # Get the process ID 74 pid=(`ps --no-headers -u ${user} -o pid,cmd --sort=-pid|grep "$prog"`) 75 echo ${pid} > /var/run/${serviceName}.pid 76 touch /var/lock/subsys/${serviceName} 77 success $"${serviceName} startup" 78 else 79 failure $"${serviceName} startup" 80 fi 81 82 82 echo 83 83 } … … 86 86 stop() 87 87 { 88 89 88 echo -n "Shutting down ${serviceName}: " 89 90 90 # Find pid 91 92 93 94 95 96 97 98 99 100 101 102 103 91 pid= 92 if [ -f /var/run/${serviceName}.pid ]; then 93 local line p 94 read line < /var/run/${serviceName}.pid 95 for p in $line ; do 96 [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" 97 done 98 fi 99 100 if [ -z "$pid" ]; then 101 failure $"${serviceName} stop - no process found from PID file" 102 return 103 fi 104 104 105 105 # Kill it. 
… … 107 107 [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "${serviceName} " 108 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 fi 125 126 127 128 109 if checkpid $pid 2>&1; then 110 # TERM first, then KILL if not dead 111 kill -TERM $pid 112 usleep 100000 113 if checkpid $pid && sleep 1 && 114 checkpid $pid && sleep 3 && 115 checkpid $pid ; then 116 kill -KILL $pid 117 usleep 100000 118 fi 119 checkpid $pid 120 RC=$? 121 [ "$RC" -eq 0 ] && failure $"${serviceName} shutdown" || \ 122 success $"${serviceName} shutdown" 123 RC=$((! $RC)) 124 fi 125 else 126 failure $"${serviceName} shutdown" 127 RC=1 128 fi 129 129 130 130 # Remove pid file if any. 131 132 133 131 rm -f /var/run/${serviceName}.pid 132 133 echo 134 134 } 135 135 … … 137 137 restart() 138 138 { 139 140 139 stop 140 start 141 141 } 142 142 … … 144 144 status() 145 145 { 146 147 148 149 150 146 local pid= 147 local pidFilePath=/var/run/${serviceName}.pid 148 149 # Get pid from "/var/run/*.pid" file 150 if [ -f $pidFilePath ] ; then 151 151 read pid < $pidFilePath 152 152 if [ -z "$pid" ]; then … … 155 155 fi 156 156 else 157 158 159 160 161 162 163 164 165 166 167 157 echo $"No pid file $pidFilePath found" 158 return 159 fi 160 161 # look for pid in listing 162 local pidFound= 163 for i in `pidof -o $$ -o $PPID -o %PPID -x "python"`; do 164 [[ $i = $pid ]] && pidFound=Yes && break; 165 done 166 167 if [ -n "$pidFound" ]; then 168 168 echo $"$prog (pid $pid) is running..." 
169 169 return 170 170 171 171 elif [ -f /var/lock/subsys/${serviceName} ]; then 172 173 172 echo $"$prog dead but subsys locked and pid file $pidFilePath exists" 173 return 174 174 else 175 175 echo $"$prog dead but pid file $pidFilePath exists" 176 176 fi 177 177 } 178 178 179 179 180 180 case "$1" in 181 182 183 184 185 186 187 188 189 190 191 192 193 181 start) 182 start 183 ;; 184 stop) 185 stop 186 ;; 187 status) 188 # Use status defined in functions file 189 status 190 ;; 191 restart) 192 restart ${serviceName} 193 ;; 194 194 condrestart) 195 196 197 198 199 200 201 202 203 204 195 if [ -f /var/run/${serviceName}.pid ] ; then 196 stop 197 start 198 fi 199 ;; 200 *) 201 echo \ 202 "Usage: ${serviceName} {start|stop|restart|condrestart|status}" 203 exit 1 204 ;; 205 205 esac -
TI12-security/trunk/python/www/cgi-bin/security.py
r751 r1300 1 1 #!/usr/local/NDG/ActivePython-2.4/bin/python 2 """NDG CGI security script 3 2 3 """Example NDG Security CGI service based on SecurityCGI base class 4 4 5 NERC Data Grid Project 5 6 P J Kershaw 14/09/057 8 Copyright (C) 200 5CCLRC & NERC9 6 7 P J Kershaw 25/05/06 8 9 Copyright (C) 2006 CCLRC & NERC 10 10 11 This software may be distributed under the terms of the Q Public License, 11 12 version 1.0 or later. 12 13 """ 13 14 import os 14 import sys 15 import cgi 16 import re 17 18 # Catch socket errors 19 import socket 20 21 from Cookie import SimpleCookie 22 from ZSI import ServiceProxy 23 24 25 from NDG.AttCert import * 26 from NDG.SessionClient import * 27 28 29 #_____________________________________________________________________________ 30 class SecurityCGIError(Exception): 31 32 def __init__(self, msg): 33 34 self.__msg = msg 35 36 def __str__(self): 37 return self.__msg 38 39 40 #_____________________________________________________________________________ 41 class SecurityCGI: 42 """CGI for NDG authentication and authorisation""" 43 44 def __init__(self, 45 smWSDL, 46 aaWSDL, 47 userName=None, 48 passPhrase=None, 49 smPubKeyFilePath=None, 50 clntPubKeyFilePath=None, 51 clntPriKeyFilePath=None, 52 clntPriKeyPwd=None, 53 aaPubKey=None, 54 org=None, 55 bDebug=False): 56 """Omit username, passphrase and org if running from CGI""" 57 58 self.__aaWSDL = aaWSDL 59 self.__smWSDL = smWSDL 60 self.__userName = userName 61 self.__passPhrase = passPhrase 62 self.__smPubKeyFilePath = smPubKeyFilePath 63 self.__clntPubKeyFilePath = clntPubKeyFilePath 64 self.__clntPriKeyFilePath = clntPriKeyFilePath 65 self.__clntPriKeyPwd = clntPriKeyPwd 66 self.__aaPubKey = aaPubKey 67 68 self.__bDebug = bDebug 69 70 # Authenticating organisation 71 self.__org = org 72 73 # Flag taken from form radio button decides whether mapping is 74 # allowed or not and if so, should the user be prompted for which 75 # attribute certificate to submit 76 self.__authorisationMethod = 
None 77 78 self.__attCert = None 79 80 15 from NDG.SecurityCGI import * 16 17 18 class TestSecurityCGI(SecurityCGI): 19 """CGI interface test class for NDG Security""" 20 21 81 22 #_________________________________________________________________________ 82 def cgi(self): 83 """Two stage process - login followed by authentication. If 84 authentication fails re-call login.""" 85 86 # Use userName field to flag authentication call 87 form = cgi.FieldStorage() 88 bAuthorise = form.has_key("authorise") 89 90 91 #sys.stderr.write("Form keys: %s\n" % ', '.join(form.keys())) 92 93 # if form.has_key("extTrustedHost"): 94 # extTrustedHost = form["extTrustedHost"].value 95 # else: 96 # extTrustedHost = '' 97 98 if form.has_key("authorisationMethod"): 99 self.__authorisationMethod = form["authorisationMethod"].value 100 101 102 if form.has_key("addUser"): 103 104 # Register new account 105 if not form.has_key("userName") or not form["userName"].value: 106 raise SecurityCGIError("No username set") 107 108 if not form.has_key("passPhrase") or not form["passPhrase"].value: 109 raise SecurityCGIError("No pass-phrase set") 110 111 if not form.has_key("confirmPassPhrase") or \ 112 not form["confirmPassPhrase"].value: 113 raise SecurityCGIError("No confirmation pass-phrase set") 114 115 if form["passPhrase"].value != form["confirmPassPhrase"].value: 116 raise SecurityCGIError(\ 117 "Pass-phrase and confirmation pass-phrase don't agree") 118 119 self.__userName = form["userName"].value 120 self.__passPhrase = form["passPhrase"].value 121 122 self.addUser() 123 124 elif form.has_key("login") or not form.keys(): 125 126 # Login 127 print "Content-type: text/html" + os.linesep 128 self.showLogin(bAuthorise=bAuthorise, bodyTag=True) 129 130 elif form.has_key("authenticate"): 131 132 # Authentication 133 if form.has_key("userName") and form["userName"].value: 134 self.__userName = form["userName"].value 135 136 if form.has_key("passPhrase") and form["passPhrase"].value: 137 
self.__passPhrase = form["passPhrase"].value 138 139 if form.has_key("org") and form["org"].value: 140 self.__org = form["org"].value 141 142 if bAuthorise: 143 144 # Authorisation and authentication arguments were set 145 # - Call authentication first 146 cookie = self.authenticate(setCookie=False) 147 148 # Call authorisation passing the session ID for authorise to 149 # set the cookie 150 self.authorise(cookie) 151 152 else: 153 # Only the authentication flag was set - Call authentication 154 # and set cookie 155 self.authenticate() 156 157 elif bAuthorise: 158 self.authorise() 159 160 elif form.has_key("cookie"): 161 self.setCookie(form['cookie'].value) 162 163 elif form.has_key("attCert"): 164 self.showAttCert(attCert=form['attCert'].value) 165 23 def showLogin(self, returnURI=None, bAuthorise=False, **kwargs): 24 """Display initial NDG login form""" 25 26 if returnURI: 27 returnURIfield = \ 28 "<input type=hidden name=\"returnURI\" value=\"%s\">" % returnURI 166 29 else: 167 raise SecurityCGIError(\ 168 "None of the Form keys were recognised: %s" % \ 169 ', '.join(form.keys())) 170 171 172 #_________________________________________________________________________ 173 def showLogin(self, 174 bAuthorise=False, 175 htmlTag=False, 176 heading=None, 177 bodyTag=False): 178 """Display initial NDG login form""" 179 if htmlTag: print "<html>" 180 181 if isinstance(heading, basestring): 182 print """<head> 183 <title>%s</title> 184 <style type=\"text/css\"> 185 <!-- 186 .al { 187 text-align: justify 188 } 189 a{ 190 text-decoration:none; 191 } 192 a:hover{ 193 color:#0000FF; 194 } 195 body { font-family: Verdana, sans-serif; font-size: 11} 196 table { font-family: Verdana, sans-serif; font-size: 11} 197 --> 198 </style> 199 </head>""" % heading 200 201 202 if bodyTag: print "<body>" 30 returnURIfield = '' 31 203 32 204 33 if bAuthorise: 205 authoriseArg = "<input type=hidden name=authorise value=\"1\">" 34 authoriseField = \ 35 "<input type=hidden name=\"authorise\" 
value=\"1\">" 206 36 else: 207 authorise Arg= ""37 authoriseField = "" 208 38 209 39 210 40 # Set authorisation method default 211 authorisationMethodChk = { "allowMapping": '',212 "allowMappingWithPrompt" : '',213 "noMapping": ''}214 215 if self._ _authorisationMethod is None:41 authorisationMethodChk = { "allowMapping": '', 42 "allowMappingWithPrompt" : '', 43 "noMapping": ''} 44 45 if self._authorisationMethod is None: 216 46 # Default to safest option for user 217 47 authorisationMethodChk["allowMappingWithPrompt"] = ' checked' 218 48 else: 219 authorisationMethodChk[self.__authorisationMethod] = ' checked' 220 221 print \ 222 """<script language="javascript"> 49 authorisationMethodChk[self._authorisationMethod] = ' checked' 50 51 52 print """Content-type: text/html 53 54 <html> 55 <head> 56 <title>Gabriel Login (NDG Test)</title> 57 <style type=\"text/css\"> 223 58 <!-- 224 function toggleLayer(layerId) 225 { 226 if (document.getElementById) 227 { 228 // Standard 229 var style = document.getElementById(layerId).style; 230 } 231 else if (document.all) 232 { 233 // Old msie versions 234 var style = document.all[whichLayer].style; 235 } 236 else if (document.layers) 237 { 238 // nn4 239 var style = document.layers[whichLayer].style; 240 } 241 style.visibility = style.visibility == "visible" ? 
"hidden":"visible"; 242 } 243 //--> 244 </script> 245 <h3>NERC Data Grid Site Login (Test)<BR clear=all></h3> 246 <hr> 247 248 <form action="./security.cgi" method="POST"> 249 250 <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5> 251 <tbody> 252 <tr><td>User Name:</td> <td><input type=text name=userName value=""> 253 </td></tr> 254 <tr> 255 <td>Password:</td> 256 <td><input type=password name=passPhrase></td> 257 </tr> 258 <tr> 259 <td colspan="2" align="right"> 260 <a href="javascript:toggleLayer('advSettings');">Advanced Settings</a> 261 <input type=submit value="Login"> 262 </td> 263 </tr> 264 <input type=hidden name=authenticate value="1"> 265 %s""" % authoriseArg 266 267 print \ 268 """</tbody></table> 269 <br> 270 <div id="advSettings" style="position: relative; visibility: hidden;"> 271 <h4>Role Mapping for access to other trusted sites</h4> 272 <p>Your account has roles or <i>privileges</i> which determine what data you have access to. If you access data at another NDG trusted site, these roles can be mapped to local roles at that site to help you gain access: 273 </p> 59 .al { 60 text-align: justify 61 } 62 a{ 63 text-decoration:none; 64 } 65 a:hover{ 66 color:#0000FF; 67 } 68 body { font-family: Verdana, sans-serif; font-size: 11} 69 table { font-family: Verdana, sans-serif; font-size: 11} 70 --> 71 </style> 72 </head> 73 <body> 74 <script language="javascript"> 75 <!-- 76 function toggleLayer(layerId) 77 { 78 if (document.getElementById) 79 { 80 // Standard 81 var style = document.getElementById(layerId).style; 82 } 83 else if (document.all) 84 { 85 // Old msie versions 86 var style = document.all[whichLayer].style; 87 } 88 else if (document.layers) 89 { 90 // nn4 91 var style = document.layers[whichLayer].style; 92 } 93 style.visibility = style.visibility == "visible" ? 
94 "hidden":"visible"; } 95 //--> 96 </script> 97 <h3>Gabriel Login (NDG Test)<BR clear=all></h3> 98 <hr> 99 100 <form action="%s" method="POST"> 101 274 102 <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5> 275 103 <tbody> 276 104 <tr> 277 <td> 278 <input type="radio" name="authorisationMethod" value="allowMapping"%s> 279 </td> 280 <td> 281 Allow my roles to be mapped to local roles at other NDG trusted sites. 282 </td> 283 </tr> 284 <tr> 285 <td> 286 <input type="radio" name="authorisationMethod" value="allowMappingWithPrompt"%s> 287 </td> 288 <td> 289 Allow my roles to be mapped, but prompt me so that I may choose which roles to map before gaining access. 290 </td> 291 <tr> 292 <td> 293 <input type="radio" name="authorisationMethod" value="noMapping"%s> 294 </td> 295 <td> 296 Don't allow mapping of my roles. 297 </td> 298 </tr> 105 <td>User Name:</td> 106 <td><input type=text name="userName" value=""></td> 107 </tr> 108 <tr> 109 <td>Password:</td> 110 <td><input type=password name="passPhrase"></td> 111 </tr> 112 <tr> 113 <td colspan="2" align="right"> 114 <a href="javascript:toggleLayer('advSettings');"> 115 Advanced Settings 116 </a> 117 <input type=submit value="Login"> 118 </td> 119 </tr> 120 <input type=hidden name="authenticate" value="1"> 299 121 </tbody> 300 122 </table> 301 </div> 302 </form> 303 """ % (authorisationMethodChk['allowMapping'], \ 304 authorisationMethodChk['allowMappingWithPrompt'], \ 305 authorisationMethodChk['noMapping']) 306 307 if bodyTag: print "</body>" 308 if htmlTag: print "</html>" 309 310 # end of showLogin() 311 312 313 #_________________________________________________________________________ 314 def addUser(self): 315 """Add a new NDG User account""" 316 317 if self.__userName is None: 318 raise SecurityCGIError("No username set") 319 320 if self.__passPhrase is None: 321 raise SecurityCGIError("No passphrase set") 322 323 if self.__bDebug: 324 traceFile = sys.stderr 325 else: 326 traceFile = None 327 328 try: 329 
# Instantiate WS proxy and request connection 330 try: 331 smClient = SessionClient( 332 smWSDL=self.__smWSDL, 333 smPubKeyFilePath=self.__smPubKeyFilePath, 334 clntPubKeyFilePath=self.__clntPubKeyFilePath, 335 clntPriKeyFilePath=self.__clntPriKeyFilePath, 336 traceFile=traceFile) 337 338 339 smClient.addUser(userName=self.__userName, 340 pPhrase=self.__passPhrase, 341 clntPriKeyPwd=self.__clntPriKeyPwd) 342 except Exception, e: 343 raise SecurityCGIError("Session Client: " + str(e)) 344 345 print \ 346 """Content-type: text/html 347 123 %s 124 %s 125 </form> 126 </body> 127 </html>""" % (self.scriptName, returnURIfield, authoriseField) 128 129 print \ 130 """ </tbody> 131 </table> 132 <br> 133 <div id="advSettings" style="position: relative; visibility: hidden;"> 134 <h4>Role Mapping for access to other trusted sites</h4> 135 <p>Your account has roles or <i>privileges</i> which determine what data 136 you have access to. If you access data at another NDG trusted site, these 137 roles can be mapped to local roles at that site to help you gain access: 138 </p> 139 <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5> 140 <tbody> 141 <tr> 142 <td><input type="radio" name="authorisationMethod" 143 value="allowMapping"%s> 144 </td> 145 <td> 146 Allow my roles to be mapped to local roles at other NDG trusted sites. 147 </td> 148 </tr> 149 <tr> 150 <td> 151 <input type="radio" name="authorisationMethod" 152 value="allowMappingWithPrompt"%s> 153 </td> 154 <td> 155 Allow my roles to be mapped, but prompt me so that I may choose 156 which roles to map before gaining access. 157 </td> 158 <tr> 159 <td> 160 <input type="radio" name="authorisationMethod" value="noMapping"%s> 161 </td> 162 <td> 163 Don't allow mapping of my roles. 
164 </td> 165 </tr> 166 </tbody> 167 </table> 168 </div> 169 </form> 170 </body> 171 </html>""" % (authorisationMethodChk['allowMapping'], \ 172 authorisationMethodChk['allowMappingWithPrompt'], \ 173 authorisationMethodChk['noMapping']) 174 175 # end of showLogin() 176 177 178 def showHomeSiteSelect(self, **kwargs): 179 180 if not self.trustedHostInfo: 181 self.getTrustedHostInfo() 182 183 print """Content-type: text/html 184 185 <html> 348 186 <head> 349 <title> NDG User Registration (Test)</title>350 <style type= "text/css">187 <title>Select site to retrieve credentials</title> 188 <style type=\"text/css\"> 351 189 <!-- 352 353 354 355 356 357 358 359 360 190 .al { 191 text-align: justify 192 } 193 a{ 194 text-decoration:none; 195 } 196 a:hover{ 197 color:#0000FF; 198 } 361 199 body { font-family: Verdana, sans-serif; font-size: 11} 362 200 table { font-family: Verdana, sans-serif; font-size: 11} … … 365 203 </head> 366 204 <body> 367 <p>New user %s registered</p> 368 </body>""" % self.__userName 369 370 except Exception, e: 371 # Re-display login screen 372 print \ 373 """Content-type: text/html 374 205 <form action="%s" method="POST"> 206 <table bgcolor=#ADD8E6 cellspacing=0 border=0 cellpadding=5> 207 <tbody> 208 <tr> 209 <td> 210 <select name="requestURI"> 211 <option value="">Select your home site...""" % self.scriptName 212 213 for hostname, info in self.trustedHostInfo.items(): 214 print "<option value=\"%s\">%s" % (info['loginURI'], hostname) 215 216 print \ 217 """ </select> 218 </td> 219 <td align="right"> 220 <input type=submit value="Go"> 221 </td> 222 </tr> 223 </tbody> 224 </table> 225 </form> 226 </body> 227 </html>""" 228 229 # end of showHomeSiteSelect() 230 231 232 #_________________________________________________________________________ 233 def showCredsReceived(self, 234 sessCookie, 235 pageTitle='', 236 hdrTxt='', 237 bodyTxt=''): 238 """Called from receiveCredsResponse() once a cookie has been created. 
239 Makes a page to set the cookie and display to the user that they have 240 been authenticated. Derived class should override this method as 241 required""" 242 print """Content-type: text/html 243 %s 244 245 <html> 375 246 <head> 376 <title>NDG User Registration (Test)</title>377 <style type= "text/css">247 <title>NDG Authentication</title> 248 <style type=\"text/css\"> 378 249 <!-- 379 380 381 382 383 384 385 386 387 250 .al { 251 text-align: justify 252 } 253 a{ 254 text-decoration:none; 255 } 256 a:hover{ 257 color:#0000FF; 258 } 388 259 body { font-family: Verdana, sans-serif; font-size: 11} 389 260 table { font-family: Verdana, sans-serif; font-size: 11} … … 391 262 </style> 392 263 </head> 393 394 264 <body> 395 <p>Registration failed for new user account %s: %s</p>""" % \ 396 (self.__userName, e) 397 398 raise SecurityCGIError("User registration failed: %s" % e) 399 400 401 #_________________________________________________________________________ 402 def authenticate(self, setCookie=True, bAuthorise=False): 403 """Authenticate username and passphrase input from preceeding login 404 form 405 406 bAuthorise: set to True so that if an error occurs, login will be 407 recalled followed by authorisation""" 408 409 if self.__bDebug: 410 traceFile = sys.stderr 411 else: 412 traceFile = None 413 414 415 try: 416 if self.__userName is None: 417 raise SecurityCGIError("no username set") 418 419 if self.__passPhrase is None: 420 raise SecurityCGIError("no pass-phrase input") 421 422 # Instantiate WS proxy and request connection 423 try: 424 smClient = SessionClient( 425 smWSDL=self.__smWSDL, 426 smPubKeyFilePath=self.__smPubKeyFilePath, 427 clntPubKeyFilePath=self.__clntPubKeyFilePath, 428 clntPriKeyFilePath=self.__clntPriKeyFilePath, 429 traceFile=traceFile) 430 431 sessCookie = smClient.connect(userName=self.__userName, 432 pPhrase=self.__passPhrase, 433 clntPriKeyPwd=self.__clntPriKeyPwd) 434 except Exception, e: 435 # Socket error returns tuple - reformat to 
just give msg 436 raise SecurityCGIError("Session client: " + str(e)) 437 438 439 if setCookie: 440 print \ 441 """Content-type: text/html 442 %s 443 444 <head> 445 <title>NDG User Authentication (Test)</title> 446 <style type="text/css"> 447 <!-- 448 .al { 449 text-align: justify 450 } 451 a{ 452 text-decoration:none; 453 } 454 a:hover{ 455 color:#0000FF; 456 } 457 body { font-family: Verdana, sans-serif; font-size: 11} 458 table { font-family: Verdana, sans-serif; font-size: 11} 459 --> 460 </style> 461 </head> 462 463 <body> 464 <p>User %s authenticated</p> 465 <p>Cookie is: %s</p> 466 </body>""" % (sessCookie, self.__userName, sessCookie) 467 return sessCookie 468 469 except Exception, e: 470 # Re-display login screen 471 if self.__userName is None: 472 msgFmt = '' 473 else: 474 msgFmt = " for user '%s'" % self.__userName 475 476 print \ 477 """Content-type: text/html 478 479 <head> 480 <title>NDG User Authentication (Test)</title> 481 <style type="text/css"> 482 <!-- 483 .al { 484 text-align: justify 485 } 486 a{ 487 text-decoration:none; 488 } 489 a:hover{ 490 color:#0000FF; 491 } 492 body { font-family: Verdana, sans-serif; font-size: 11} 493 table { font-family: Verdana, sans-serif; font-size: 11} 494 --> 495 </style> 496 </head> 497 498 <body>""" 499 self.showLogin(bAuthorise=bAuthorise) 500 print \ 501 """<script>alert("Login error%s: %s")</script> 502 </body>""" % (msgFmt, e) 503 504 raise SecurityCGIError("Login failed: %s" % e) 505 506 507 #_________________________________________________________________________ 508 def authorise(self, cookie=None, reqRole=None): 509 """Contact Attribute Authority to get Attribute Certificate for data 510 access 511 512 cookie: cookie containing session ID 513 reqRole: required role to get authorisation - default to NERC for 514 testing""" 515 516 if self.__bDebug: 517 traceFile = sys.stderr 518 else: 519 traceFile = None 520 521 522 extAttCertList = None 523 bSetCookie = False 524 525 526 try: 527 # Check for session 
ID input 528 if isinstance(cookie, basestring): 529 bSetCookie = True 530 531 elif 'HTTP_COOKIE' not in os.environ: 532 # Check for session ID set in existing cookie 533 534 # Re-display login screen 535 print "Content-type: text/html" + os.linesep 536 self.showLogin(bAuthorise=True, 537 bodyTag=True, 538 heading="NDG User Authorisation (Test)") 539 540 return 541 else: 542 cookie = os.environ['HTTP_COOKIE'] 543 544 545 # Get session ID from existing cookie 546 cookieObj = SimpleCookie(cookie) 547 if "NDG-ID1" not in cookieObj: 548 raise SecurityCGIError(\ 549 'Expecting "NDG-ID1" ID for session cookie') 550 551 if "NDG-ID2" not in cookieObj: 552 raise SecurityCGIError(\ 553 'Expecting "NDG-ID2" ID for session cookie') 554 555 556 if self.__authorisationMethod == 'allowMapping': 557 bMapFromTrustedHosts = True 558 bRtnExtAttCertList = True 559 560 elif self.__authorisationMethod == 'allowMappingWithPrompt': 561 bMapFromTrustedHosts = False 562 bRtnExtAttCertList = True 563 else: 564 bMapFromTrustedHosts = False 565 bRtnExtAttCertList = False 566 567 568 # Instantiate WS proxy and request authorisation 569 try: 570 smClient = SessionClient( 571 smWSDL=self.__smWSDL, 572 smPubKeyFilePath=self.__smPubKeyFilePath, 573 clntPubKeyFilePath=self.__clntPubKeyFilePath, 574 clntPriKeyFilePath=self.__clntPriKeyFilePath, 575 traceFile=traceFile) 576 577 resp = smClient.reqAuthorisation(sessCookie=cookieObj, 578 aaWSDL=self.__aaWSDL, 579 aaPubKey=self.__aaPubKey, 580 reqRole=reqRole, 581 rtnExtAttCertList=bRtnExtAttCertList, 582 clntPriKeyPwd=self.__clntPriKeyPwd) 583 except Exception, e: 584 # Socket error returns tuple - reformat to just give msg 585 raise SecurityCGIError("Session client: " + str(e)) 586 587 if resp['statCode'] == 'AccessGranted': 588 # Convert from unicode 589 self.__attCert = str(resp['attCert']) 590 591 elif resp['statCode'] == 'AccessDenied': 592 593 if 'extAttCertList' not in resp or not resp['extAttCertList']: 594 raise 
SecurityCGIError(str(resp['errMsg'])) 595 596 elif resp['statCode'] == 'AccessError': 597 raise SecurityCGIError(str(resp['errMsg'])) 598 599 600 # Handle access denied/granted 601 if bSetCookie: 602 cookieTxt = cookie + os.linesep 603 else: 604 cookieTxt = '' 605 606 print \ 607 """Content-type: text/html 608 %s 609 610 <head> 611 <Title>NDG User Authorisation (Test)</Title> 612 <script language="JavaScript"> 613 <!-- 614 function ndgDataOpenWindow(theURL, winName, features) 615 { //v2.0 616 window.open(theURL, winName, features); 617 } 618 //--> 619 </script> 620 <style type="text/css"> 621 <!-- 622 .al { 623 text-align: justify 624 } 625 a{ 626 text-decoration:none; 627 } 628 a:hover{ 629 color:#0000FF; 630 } 631 body { font-family: Verdana, sans-serif; font-size: 11} 632 table { font-family: Verdana, sans-serif; font-size: 11} 633 --> 634 </style> 635 </head> 636 637 <body>""" % cookieTxt 638 639 if self.__attCert: 640 641 # Get data using certificate obtained 642 print "<p>User authorised</p>" 643 644 print "<p>Attribute Certificate: <br>%s</p>" % \ 645 re.sub("<", "<", re.sub(">", ">", self.__attCert)) 646 647 elif 'extAttCertList' in resp: 648 # Display available certificates from other AAs in a table 649 self.showExtAttCertSelect(resp['extAttCertList']) 650 651 print "</body>" 652 653 except Exception, e: 654 655 # Re-display login screen 656 print \ 657 """Content-type: text/html 658 659 <head> 660 <title>NDG User Authorisation (Test)</title> 661 <style type="text/css"> 662 <!-- 663 .al { 664 text-align: justify 665 } 666 a{ 667 text-decoration:none; 668 } 669 a:hover{ 670 color:#0000FF; 671 } 672 body { font-family: Verdana, sans-serif; font-size: 11} 673 table { font-family: Verdana, sans-serif; font-size: 11} 674 --> 675 </style> 676 </head> 677 678 <body>""" 679 680 self.showLogin(bAuthorise=True) 681 print \ 682 """<script>alert("Authorisation failed: %s")</script> 683 </body>""" % e 684 685 raise SecurityCGIError("Authorisation failed: %s" % e) 686 
687 688 def showAttCert(self, attCert=None): 689 """Make a page to display Attribute Certificate""" 690 if attCert is not None: 691 self.__attCert = attCert 692 693 if self.__attCert is None: 694 print \ 695 """Content-type: text/html 696 697 <head> 698 <title>NDG User Authorisation (Test)</title> 699 <style type="text/css"> 700 <!-- 701 .al { 702 text-align: justify 703 } 704 a{ 705 text-decoration:none; 706 } 707 a:hover{ 708 color:#0000FF; 709 } 710 body { font-family: Verdana, sans-serif; font-size: 11} 711 table { font-family: Verdana, sans-serif; font-size: 11} 712 --> 713 </style> 714 </head> 715 716 <body> 717 <p>No Attribute Certificate set</p> 718 </body>""" 719 return 720 721 print \ 722 """Content-type: text/xml 723 724 %s""" % self.__attCert 725 726 727 #_________________________________________________________________________ 728 def showExtAttCertSelect(self, 729 extAttCertList, 730 htmlTag=False, 731 heading=None, 732 bodyTag=False): 733 """Display table for selection of external attribute certificates for 734 mapping""" 735 if htmlTag: print "<html>" 736 737 if isinstance(heading, basestring): 738 print """<head> 739 <title>%s</title> 740 <style type="text/css"> 741 <!-- 742 .al { 743 text-align: justify 744 } 745 a{ 746 text-decoration:none; 747 } 748 a:hover{ 749 color:#0000FF; 750 } 751 body { font-family: Verdana, sans-serif; font-size: 11} 752 table { font-family: Verdana, sans-serif; font-size: 11} 753 --> 754 </style> 755 </head>""" % heading 756 757 sys.stderr.write("extAttCertList: \n\n%s\n" % extAttCertList) 758 759 # Display title and table first row 760 # 761 # Form contains hidden fields so that on submit, authorisation is 762 # called to get authorisation via a mapped certificate 763 print \ 764 """<h2>NDG Data Access</h2> 765 <hr style="width: 100%; height: 2px;"><br> 766 <p>Select a certificate to allow access to data:</p> 767 <form action="./security.cgi" method="post"> 768 <input type=hidden name=authorise value="1"> 769 <input 
type=hidden name=authorisationMethod value="allowMapping"> 770 <table style="width: 100%;" border="0" cellpadding="10" 771 cellspacing="1"> 772 <tbody> 773 <tr bgcolor="#d5d5de"> 774 <td style="text-align: left; vertical-align: top;"> 775 <br> 776 </td> 777 <td style="width: 10px; text-align: left; vertical-align: top;"> 778 <span style="font-weight: bold;">Issuer</span> 779 </td> 780 <td style="text-align: left; vertical-align: top;"> 781 <span style="font-weight: bold;">Available Roles</span> 782 </td> 783 </tr>""" 784 785 # Display available certificates - one in each row 786 chkTxt = ['' for i in range(len(extAttCertList))] 787 chkTxt[0] = ' checked' 788 789 for sCert in extAttCertList: 790 791 cert = AttCertParse(sCert) 792 793 # Nb. hidden field authorisationMethod set to allowMapping so that 794 # authorisation request can be made again but this time with the 795 # s 796 print """ 797 <tr bgcolor="#e2e2e2"> 798 <td style="vertical-align: top;"> 799 <input type="radio" name="extTrustedHost" 800 value="%s"%s><br> 801 </td> 802 <td style="width: 20px;" valign="top"> 803 %s<br> 804 </td> 805 <td valign="top" width="80%%"> 806 %s<br> 807 </td> 808 </tr> 809 """ % (cert['issuerName'], 810 chkTxt.pop(), 811 cert['issuerName'], 812 ', '.join(cert.getRoles())) 813 814 print \ 815 """ <tr bgcolor="#d5d5de"> 816 <td colspan="3" align="right"> 817 <input type=submit value=" OK "> 818 <input type=button value="Cancel" 819 onClick="javascript:window.close();"> 820 </td> 821 </tr> 822 </tbody> 823 </table> 824 </form> 825 """ 826 827 if bodyTag: print "</body>" 828 if htmlTag: print "</html>" 829 830 # end of showExtAttCertSelect() 831 832 833 834 #_________________________________________________________________________ 835 def setCookie(self, cookie): 836 """Set a page with input cookie""" 837 print "Content-type: text/html" 838 print cookie 839 840 841 842 265 New cookie set from credentials transfered from other domain 266 </body> 267 </html>""" % sessCookie.output() 
268 269 843 270 #_____________________________________________________________________________ 844 271 if __name__ == "__main__": 845 272 846 smWSDL = "http://.../sessionMgr.wsdl" 847 aaWSDL = "http://.../attAuthority.wsdl" 848 try: 849 aaPubKey=open("...cert.pem").read() 850 851 except IOError, (errNo, errMsg): 852 raise Exception("Making temporary file for Attribute " + \ 853 "Authority public key: %s" % errMsg) 854 except Exception, e: 855 raise Exception("Making temporary file for Attribute " + \ 856 "Authority public key: %s" % str(e)) 857 858 859 smPubKeyFilePath = "...cert.pem" 860 clntPubKeyFilePath = "...-cert.pem" 861 clntPriKeyFilePath = "...-key.pem" 862 863 864 865 # Instantiate and call CGI 866 security = SecurityCGI(smWSDL, 867 aaWSDL, 868 smPubKeyFilePath=smPubKeyFilePath, 869 clntPubKeyFilePath=clntPubKeyFilePath, 870 clntPriKeyFilePath=clntPriKeyFilePath, 871 aaPubKey=aaPubKey, 872 bDebug=False) 873 security.cgi() 273 smWSDL = "http://gabriel.bnsc.rl.ac.uk/sessionMgr.wsdl" 274 aaWSDL = 'http://gabriel.bnsc.rl.ac.uk/attAuthority.wsdl' 275 276 smPubKeyFilePath = "/usr/local/NDG/conf/certs/gabriel-sm-cert.pem" 277 aaPubKeyFilePath = "/usr/local/NDG/conf/certs/gabriel-aa-cert.pem" 278 279 clntPubKeyFilePath = "../certs/GabrielCGI-cert.pem" 280 clntPriKeyFilePath = "../certs/GabrielCGI-key.pem" 281 282 securityCGI = TestSecurityCGI(smWSDL, 283 aaWSDL, 284 scriptName=os.path.basename(__file__), 285 smPubKeyFilePath=smPubKeyFilePath, 286 aaPubKeyFilePath=aaPubKeyFilePath, 287 clntPubKeyFilePath=clntPubKeyFilePath, 288 clntPriKeyFilePath=clntPriKeyFilePath) 289 securityCGI()
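Review bot: In `TestSecurityCGI.showLogin` (new lines 26-28) `returnURI` is interpolated unescaped into the `value` attribute of a hidden input, so a value containing `"` or `>` breaks out of the attribute and becomes markup in the response; if, as the `requestURI`/`_requestCreds` flow suggests, this value arrives with the request, that is a reflected script-injection path. Escape it before formatting, `returnURIfield = "<input type=hidden name=\"returnURI\" value=\"%s\">" % cgi.escape(returnURI, True)`, which needs an explicit `import cgi` in this file (the new module only star-imports `NDG.SecurityCGI`). Separately, the first `print` in the same method already emits `</form></body></html>` (new lines 125-127), so the role-mapping radio buttons in the second `print` land outside the form and after the document end, and `authorisationMethod` will never be submitted; the closing `</form></body></html>` belongs only at the end of the second block. The `os.path.basename(__file__)` call in the `__main__` block likewise depends on `os` leaking through the star import rather than an explicit `import os`.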