Changeset 4838

Timestamp:

19/01/09 12:00:54 (12 years ago)

Author:

pjkersha

Message:

• Added LICENSE file to all egg top-level directories - contains the STFC copyirght statement and BSD license.
• ndg.security.server.wsgi.authn - WSGI authentication module contains HTTP Basic Authentication middleware class
• MyProxyClient package - modified license from LGPL to BSD
• ndg.security.server.wsgi.pep, ndg.security.server.wsgi.ssl: implementation for protection of pyDAP deployment with SSL Client AuthN.
• ndg.security.common.X509: added Parse class method to X500DN class.

Location:

TI12-security/trunk

Files:

• documentation/esgInteroperabilityForIPCCar5/esg-ipcc-ar5.eap (modified) (previous)
• python/MyProxyClient/LICENSE (added)
• python/MyProxyClient/myproxy/__init__.py (modified) (1 diff)
• python/MyProxyClient/myproxy/client.py (modified) (1 diff)
• python/MyProxyClient/myproxy/utils/__init__.py (modified) (1 diff)
• python/MyProxyClient/myproxy/utils/openssl.py (modified) (1 diff)
• python/MyProxyClient/setup.py (modified) (2 diffs)
• python/MyProxyClient/test/__init__.py (modified) (1 diff)
• python/MyProxyClient/test/test_myproxyclient.py (modified) (1 diff)
• python/ndg.security.client/LICENSE (added)
• python/ndg.security.common/LICENSE (added)
• python/ndg.security.common/ndg/security/common/X509.py (modified) (2 diffs)
• python/ndg.security.server/LICENSE (added)
• python/ndg.security.server/ndg/security/server/wsgi/__init__.py (modified) (4 diffs)
• python/ndg.security.server/ndg/security/server/wsgi/authn.py (added)
• python/ndg.security.server/ndg/security/server/wsgi/pep/__init__.py (modified) (2 diffs)
• python/ndg.security.server/ndg/security/server/wsgi/ssl.py (modified) (3 diffs)
• python/ndg.security.test/LICENSE (added)

TI12-security/trunk/python/MyProxyClient/myproxy/__init__.py

@@ -7 +7 @@
 __date__ = "15/12/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL"""
+__license__ = """BSD"""
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'

TI12-security/trunk/python/MyProxyClient/myproxy/client.py

@@ -11 +11 @@
 __date__ = "02/06/05"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL
+__license__ = """BSD
 
 For myproxy_logon see Access Grid Toolkit Public License (AGTPL)

TI12-security/trunk/python/MyProxyClient/myproxy/utils/__init__.py

@@ -7 +7 @@
 __date__ = "15/12/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL"""
+__license__ = """BSD"""
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'

TI12-security/trunk/python/MyProxyClient/myproxy/utils/openssl.py

@@ -7 +7 @@
 __date__ = "08/02/07"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL"""
+__license__ = """BSD"""
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id:openssl.py 4643 2008-12-15 14:53:53Z pjkersha $'

TI12-security/trunk/python/MyProxyClient/setup.py

@@ -7 +7 @@
 __date__ = "12/12/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL
+__license__ = """BSD
 
 Software adapted from myproxy_logon.  - For myproxy_logon see Access Grid 
@@ -52 +52 @@
         'Intended Audience :: System Administrators',
         'Intended Audience :: Science/Research',
-        'License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL)',
+        'License :: OSI Approved :: GNU Library or Lesser General Public License (BSD)',
         'Natural Language :: English',
         'Operating System :: Microsoft :: Windows',

TI12-security/trunk/python/MyProxyClient/test/__init__.py

@@ -6 +6 @@
 __date__ = "13/12/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL"""
+__license__ = """BSD"""
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'

TI12-security/trunk/python/MyProxyClient/test/test_myproxyclient.py

@@ -7 +7 @@
 __date__ = "02/07/07"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = """LGPL"""
+__license__ = """BSD"""
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'

TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

@@ -6 +6 @@
 __date__ = "05/04/05"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
-__license__ = \
-"""This software may be distributed under the terms of the Q Public 
-License, version 1.0 or later."""
+__license__ = "BSD - See LICENSE file in the top-level directory"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
@@ -980 +978 @@
         else:
             return None
+
+    @classmethod
+    def Parse(cls, dn):
+        """Convenience method to create an X500DN object from a DN string
+        @type dn: basestring
+        @param dn: Distinguished Name 
+        """
+        return cls(dn=dn)
+    
+    Deserialise = Deserialize = Parse

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/__init__.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
+import logging
+log = logging.getLogger(__name__)
+import httplib
 
 class NDGSecurityMiddlewareBase(object):
@@ -15 +18 @@
     propertyDefaults = {}
     
-    def __init__(self, app, app_conf, **local_conf):
-        pass
-    
+    def __init__(self, app, app_conf, prefix='', **local_conf):
+        '''Set object attributes directly from app_conf and local_conf inputs
+        @type prefix: basestring
+        @param prefix: prefix for app_conf parameters e.g. 'ndgsecurity.' -
+        enables other global configuration parameters to be filtered out
+        '''
+        self._app = app
+        opt = self.__class__.propertyDefaults.copy()
+        
+        # If no prefix is set, there is no way to distinguish options set for 
+        # this app and those applying to other applications
+        if app_conf is not None and prefix:
+            # Update from application config dictionary - filter using prefix
+            self.__class__._filterOpts(opt, app_conf, prefix=prefix)
+                        
+        # Similarly, filter keyword input                 
+        self.__class__._filterOpts(opt, local_conf, prefix=prefix)
+       
+        # Update options from keywords - matching app_conf ones will be 
+        # overwritten
+        opt.update(local_conf)
+        
+        # Set options as object attributes
+        for name, val in opt.items():
+            if not name.startswith('_'):
+                setattr(self, name, val)
+                        
+    def _setResponse(self, 
+                     environ, 
+                     start_response, 
+                     notFoundMsg=None,
+                     notFoundMsgContentType=None):
+        if self._app:
+            return self._app(environ, start_response)
+        else:
+            return self._setErrorResponse(environ, 
+                                          start_response, 
+                                          msg=notFoundMsg,
+                                          code=404,
+                                          contentType=notFoundMsgContentType)
+            
+    def _setErrorResponse(self, environ, start_response, msg=None, code=500,
+                          contentType=None):
+        '''Convenience method to set a simple error response
+        
+        @type environ: dict
+        @param environ: standard WSGI environ parameter
+        @type start_response: builtin_function_or_method
+        @param start_response: standard WSGI callable to set the HTTP header
+        @type msg: basestring
+        @param msg: optional error message
+        @type code: int
+        @param code: standard HTTP error response code
+        @type contentType: basestring
+        @param contentType: set 'Content-type' HTTP header field - defaults to
+        'text/plain'
+        '''
+        status = '%d %s' % (code, httplib.responses[code])
+        if msg is None:
+            response = status
+        else:
+            response = msg
+        
+        if contentType is None:
+            contentType = 'text/plain'
+                
+        start_response(status,
+                       [('Content-type', contentType),
+                        ('Content-Length', str(len(response)))])
+        return response
+        
     # Utility functions to support Paste Deploy application and filter function
     # signatures
@@ -45 +116 @@
         defOpt class variable
         '''
-        
         badOpt = []
         for k,v in newOpt.items():
@@ -62 +132 @@
             raise TypeError("Invalid input option(s) set: %s" % 
                             (", ".join(badOpt)))
+
+    def setPathInfo(self, pathInfo=None, environ=None):
+        if pathInfo:
+            self._pathInfo = pathInfo
+        else:
+            if environ is None:
+                environ = self._environ
+            
+            self._pathInfo = environ['PATH_INFO']
+        
+    def _getPathInfo(self):
+        return self._pathInfo
+    
+    pathInfo = property(fget=_getPathInfo,
+                        fset=setPathInfo,
+                        doc="URL path as assigned to PATH_INFO environ key")
+
+    def _setEnviron(self, environ):
+        self._environ = environ
+        
+    def _getEnviron(self):
+        return self._environ
+    
+    environ = property(fget=_getEnviron,
+                       fset=_setEnviron,
+                       doc="Copy of WSGI environ dict")
+    
+    
+class NDGSecurityPathFilter(NDGSecurityMiddlewareBase):
+    """Specialization of NDG Security Middleware to enable filtering based on
+    PATH_INFO"""
+    propertyDefaults = {
+        'errorResponseCode': 401,
+        'serverName': None,
+        'mountPath': '',
+        'pathMatchList': '/'
+    }
+    propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
+    
+    _pathMatch = lambda self: self._pathInfo in self.pathMatchList
+    pathMatch = property(fget=_pathMatch,
+                         doc="Check for input path match to list of paths"
+                             "to which this middleware is to be applied")
+    
+    def __init__(self, *arg, **kw):
+        super(NDGSecurityPathFilter, self).__init__(*arg, **kw)
+        self._pathMatchList = []
+        
+    def _getPathMatchList(self):
+        return self._pathMatchList
+    
+    def _setPathMatchList(self, pathList):
+        '''
+        @type pathList: list or tuple
+        @param pathList: list of URL paths to apply this middleware 
+        to. Paths are relative to the point at which this middleware is mounted
+        as set in environ['PATH_INFO']
+        '''
+        # TODO: refactor to:
+        # * enable reading of path list from a database or some other 
+        # configuration source.
+        # * enable some kind of pattern matching for paths
+        
+        if isinstance(pathList, basestring):
+            # Try parsing a space separated list of file paths
+             self._pathMatchList = pathList.split()
+            
+        elif not isinstance(pathList, (list, tuple)):
+            raise TypeError('Expecting a list or tuple for "pathMatchList"')
+        else:
+            self._pathMatchList = pathList
+            
+    pathMatchList = property(fget=_getPathMatchList,
+                             fset=_setPathMatchList,
+                             doc='List of URL paths to which to apply SSL '
+                                 'client authentication')
+        
+    def _getErrorResponseCode(self):
+        """Error response code getter
+        @rtype: int
+        @return: HTTP error code set by this middleware on client cert.
+        verification error
+        """
+        return self._errorResponseCode
+            
+    def _setErrorResponseCode(self, code):
+        """Error response code setter
+        @type code: int or basestring
+        @param code: error response code set if client cert. verification
+        fails"""
+        if isinstance(code, int):
+            self._errorResponseCode = code
+        elif isinstance(code, basestring):
+            self._errorResponseCode = int(code)
+        else:
+            raise TypeError('Expecting int or string type for '
+                            '"errorResponseCode" attribute')
+            
+        if self._errorResponseCode not in httplib.responses: 
+            raise ValueError("Error response code [%d] is not recognised "
+                             "standard HTTP response code" % 
+                             self._errorResponseCode)  
+            
+    errorResponseCode = property(fget=_getErrorResponseCode,
+                                 fset=_setErrorResponseCode,
+                                 doc="Response code raised if client "
+                                     "certificate verification fails")

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/pep/__init__.py

@@ -1 @@
-"""WSGI Policy Enforcement Package
+"""WSGI Policy Enforcement Point Package
 
 NERC DataGrid Project
@@ -11 +11 @@
 import logging
 log = logging.getLogger(__name__)
+import httplib
 
-from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi import NDGSecurityPathFilter
+from ndg.security.common.X509 import X500DN
 
 
-class PEP(NDGSecurityMiddlewareBase):
-    def __init__(self, app, app_conf, **local_conf):
-        self._app = app
+class PEPMiddleware(NDGSecurityPathFilter):
+   
+    def __init__(self, *arg, **kw):
+        log.debug("Initialising PEPMiddleware ...")
+        super(PEPMiddleware, self).__init__(*arg, **kw)
+        self.charset = '; charset=utf-8'
     
     def __call__(self, environ, start_response):
+        log.info("Calling PEP middleware ...")
+        self.environ = environ
+        self.setPathInfo()
+        log.error("environ=%s" % environ)
+        print >> environ['wsgi.errors'], "environ=%s" % environ
+        
+        # TODO: Is a security session set?
+        
+        # Is this requested URL secured?
+        if self.pathMatch:
+            return self._setErrorResponse(environ, 
+                                          start_response,
+                                          code=self.errorResponseCode)
+        else:
+            # User is logged in - Redirect to HTTP based URL and complete
+            # Policy enforcement
+            response = self._redirectFromHTTPS2HTTP(start_response)
+            if response is not None:
+                return response
+            
         return self._setResponse(environ, start_response)
+
+    def _redirectFromHTTPS2HTTP(self, start_response):
+        sslServerDN = self.environ.get('SSL_SERVER_S_DN')
+        if sslServerDN is not None:
+            if self.serverName:
+                serverName = self.serverName
+            else:
+                dn = X500DN.Parse(sslServerDN)
+                serverName = dn['CN']
+            
+            url = 'http://' + serverName + self.mountPath + self.pathInfo
+            print >> self.environ['wsgi.errors'], "redirecting to [%s]" % url
+            return self._redirect(start_response, url)
         
-    def _setResponse(self, 
-                     environ, 
-                     start_response, 
-                     notFoundMsg=None,
-                     notFoundMsgContentType=None):
-        if self._app:
-            return self._app(environ, start_response)
-        else:
-            return self._setErrorResponse(environ, 
-                                          start_response, 
-                                          msg=notFoundMsg,
-                                          code=404,
-                                          contentType=notFoundMsgContentType)
-            
-    def _setErrorResponse(self, environ, start_response, msg=None, code=500,
-                          contentType=None):
-        '''Convenience method to set a simple error response
         
-        @type environ: dict
-        @param environ: standard WSGI environ parameter
-        @type start_response: builtin_function_or_method
-        @param start_response: standard WSGI callable to set the HTTP header
-        @type msg: basestring
-        @param msg: optional error message
-        @type code: int
-        @param code: standard HTTP error response code
-        @type contentType: basestring
-        @param contentType: set 'Content-type' HTTP header field - defaults to
-        'text/plain'
-        '''
-        status = '%d %s' % (code, httplib.responses[code])
-        if msg is None:
-            response = status
-        else:
-            response = msg
+    def _redirect(self, start_response, url):
+        """Do a HTTP 302 redirect
         
-        if contentType is None:
-            contentType = 'text/plain'
-                
-        start_response(status,
-                       [('Content-type', contentType),
-                        ('Content-Length', str(len(response)))])
-        return response
+        @type start_response: callable following WSGI start_response convention
+        @param start_response: WSGI start response callable
+        @type url: basestring
+        @param url: URL to redirect to
+        @rtype: list
+        @return: empty HTML body
+        """
+        start_response('302 %s' % httplib.responses[302], 
+                       [('Content-type', 'text/html'+self.charset),
+                        ('Location', url)])
+        return []

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/ssl.py

@@ -22 +22 @@
 import httplib
 
-from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
+from ndg.security.server.wsgi import NDGSecurityPathFilter
 from ndg.security.common.X509 import X509Stack, X509Cert, X509CertError
 
-class SSLClientAuthNMiddleware(NDGSecurityMiddlewareBase):
+class SSLClientAuthNMiddleware(NDGSecurityPathFilter):
     '''Apply to SSL client authentication to configured URL paths.
 
@@ -34 +34 @@
     
     propertyDefaults = {
-        'errorResponseCode': 401,
-        'pathMatchList': '/',
         'caCertFilePathList': []
     }
-
+    propertyDefaults.update(NDGSecurityPathFilter.propertyDefaults)
+    
     _isSSLClientCertSet = lambda self: bool(self._environ.get(
                                 SSLClientAuthNMiddleware.sslClientCertKeyName)) 
     isSSLClientCertSet = property(fget=_isSSLClientCertSet,
                                   doc="Check for client cert. set in environ")
-    
-    _pathMatch = lambda self: self._path in self.pathMatchList
-    pathMatch = property(fget=_pathMatch,
-                         doc="Check for input path match to list of paths"
-                             "to which SSL client AuthN is to be applied")
-    
-    def __init__(self, app, app_conf, prefix='', **local_conf):
-        self._app = app
-
-        opt = SSLClientAuthNMiddleware.propertyDefaults.copy()
-        
-        # If no prefix is set, there is no way to distinguish options set for 
-        # this app and those applying to other applications
-        if app_conf is not None and prefix:
-            # Update from application config dictionary - filter using prefix
-            SSLClientAuthNMiddleware._filterOpts(opt, app_conf, prefix=prefix)
-                        
-        # Similarly, filter keyword input                 
-        SSLClientAuthNMiddleware._filterOpts(opt, local_conf, prefix=prefix)
-       
-        # Update options from keywords - matching app_conf ones will be 
-        # overwritten
-        opt.update(local_conf)
-        
-        # Set options as object attributes
-        for name, val in opt.items():
-            setattr(self, name, val)
-    
-    def _getErrorResponseCode(self):
-        """
-        @rtype: int
-        @return: HTTP error code set by this middleware on client cert.
-        verification error
-        """
-        return self._errorResponseCode
-            
-    def _setErrorResponseCode(self, code):
-        """
-        @type code: int or basestring
-        @param code: error response code set if client cert. verification
-        fails"""
-        if isinstance(code, int):
-            self._errorResponseCode = code
-        elif isinstance(code, basestring):
-            self._errorResponseCode = int(code)
-        else:
-            raise TypeError('Expecting int or string type for '
-                            '"errorResponseCode" attribute')
-            
-        if self._errorResponseCode not in httplib.responses: 
-            raise ValueError("Error response code [%d] is not recognised "
-                             "standard HTTP response code" % 
-                             self._errorResponseCode)  
-            
-    errorResponseCode = property(fget=_getErrorResponseCode,
-                                 fset=_setErrorResponseCode,
-                                 doc="Response code raised if client "
-                                     "certificate verification fails")
         
     def _setCACertsFromFileList(self, caCertFilePathList):
@@ -156 +97 @@
                              doc='List of URL paths to which to apply SSL '
                                  'client authentication')
-    
-    @classmethod
-    def _filterOpts(cls, opt, newOpt, prefix=''):
-        '''Convenience utility to filter input options set in __init__ via
-        app_conf or keywords
-        
-        @type opt: dict
-        @param opt: existing options set.  These will be updated by this
-        method based on the content of newOpt
-        @type newOpt: dict
-        @param newOpt: new options to update opt with
-        @type prefix: basestring 
-        @param prefix: if set, remove the given prefix from the input options
-        @raise KeyError: if an option is set that is not in the classes
-        defOpt class variable
-        '''
-        
-        badOpt = []
-        for k,v in newOpt.items():
-            if prefix and k.startswith(prefix):
-                subK = k.replace(prefix, '')                    
-                filtK = '_'.join(subK.split('.'))  
-            else:
-                filtK = k
-                    
-            if filtK not in cls.propertyDefaults:
-                badOpt += [k]                
-            else:
-                opt[filtK] = v
-                
-        if len(badOpt) > 0:
-            raise TypeError("Invalid input option(s) set: %s" % 
-                            (", ".join(badOpt)))
                
     def __call__(self, environ, start_response):