Changeset 6419

Timestamp:

26/01/10 17:09:55 (11 years ago)

Author:

pjkersha

Message:

 

Location:

TI12-security/trunk/NDGSoap/ndg/soap/wssecurity

Files:

• server/wsgi/signaturehandler.py (modified) (4 diffs)
• test/unit/signaturehandler/foursuite/server/echoserver.py (modified) (1 diff)
• test/unit/signaturehandler/foursuite/server/echoservice.ini (modified) (6 diffs)
• test/unit/signaturehandler/foursuite/server/htdocs (added)
• test/unit/signaturehandler/foursuite/server/htdocs/index.html (added)

TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/server/wsgi/signaturehandler.py

@@ -1 @@
-"""WSGI Middleware for WS-Security
+"""WSGI Middleware for WS-Security Signature handler
 
 Implements Digital Signature handling based around ZSI
 
-NERC Data Grid Project"""
+NERC DataGrid Project"""
 __author__ = "P J Kershaw"
 __date__ = "11/06/08"
@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id: $'
-
 import logging
 log = logging.getLogger(__name__)
 
 from ZSI.parse import ParsedSoap
-
 from ZSI.writer import SoapWriter
-from ndg.security.common.wssecurity.signaturehandler.foursuite import \
-    SignatureHandler
-from ndg.security.server.wsgi.zsi import ZSIMiddleware, ZSIMiddlewareError
+
+from ndg.soap.wssecurity.signaturehandler import SignatureHandlerFactory
+from ndg.soap.server.wsgi.zsi import ZSIMiddleware, ZSIMiddlewareError
+
 
 class WSSecurityFilterError(ZSIMiddlewareError):
@@ -25 +24 @@
     _log = log
     
+    
 class WSSecurityFilterConfigError(WSSecurityFilterError):
     """WS-Security Filter Config Error"""
+ 
  
 class WSSecurityFilter(ZSIMiddleware):
@@ -72 +73 @@
                         None)
         
-        self.signatureHandler = SignatureHandler(cfg=wsseCfgFilePath,
-                                            cfgFileSection=wsseCfgFileSection,
-                                            cfgFilePrefix=wsseCfgFilePrefix,
+        self.signatureHandler = SignatureHandlerFactory.fromKeywords(
+                                            sectionName=wsseCfgFileSection,
+                                            prefix=wsseCfgFilePrefix,
                                             **app_conf)
 

TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/test/unit/signaturehandler/foursuite/server/echoserver.py

@@ -1 +1 @@
 #!/usr/bin/env python
+"""NDG SOAP WS-Security test service
+
+NERC DataGrid Project
+
+"""
+__author__ = "P J Kershaw"
+__date__ = "26/01/2010"
+__copyright__ = "(C) 2010 Science and Technology Facilities Council"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = "$Id: $"
+import os
+from os.path import dirname, abspath, join
+
+    
+# To start run 
+# $ paster serve echoservice.ini or run this file as a script
+# $ ./echoservice.py [port #]
+if __name__ == '__main__':
+    import sys
+    import logging
+    logging.basicConfig(level=logging.DEBUG)
+
+    if len(sys.argv) > 1:
+        port = int(sys.argv[1])
+    else:
+        port = 9080
+        
+    cfgFilePath = os.path.join(dirname(abspath(__file__)), 'echoservice.ini')
+        
+    from paste.httpserver import serve
+    from paste.deploy import loadapp
+    from paste.script.util.logging_config import fileConfig
+    
+    fileConfig(cfgFilePath)
+    app = loadapp('config:%s' % cfgFilePath)
+    serve(app, host='0.0.0.0', port=port)
+    
+##!/usr/bin/env python
+##
+## How to build an echo server using the extended code generation
+##
+#import sys
+#import os
+#from ConfigParser import SafeConfigParser
 #
-# How to build an echo server using the extended code generation
+## Import the ZSI stuff you'd need no matter what
+#from ZSI.ServiceContainer import ServiceContainer
 #
-import sys
-import os
-from ConfigParser import SafeConfigParser
-
-# Import the ZSI stuff you'd need no matter what
-from ZSI.ServiceContainer import ServiceContainer
-
-# This is a new method imported to show it's value
-from ZSI.ServiceContainer import GetSOAPContext
-
-from EchoService_services_server import EchoService as _EchoService
-
-from ndg.wssecurity.common.signaturehandler import SignatureHandlerFactory
-
-from os.path import expandvars as xpdVars
-from os.path import join, dirname, abspath
-mkPath = lambda file: join(os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'], file)
-
-import logging
-log = logging.getLogger(__name__)
-logging.basicConfig(level=logging.DEBUG,
-                    format='%(asctime)s %(filename)s:%(lineno)d '
-                    '%(levelname)s %(message)s')
-
-
-from ndg.security.test.unit import BaseTestCase, _getParentDir
-
-# Initialize environment for unit tests
-if BaseTestCase.configDirEnvVarName not in os.environ:
-    os.environ[BaseTestCase.configDirEnvVarName] = \
-                            join(abspath(_getParentDir(depth=1)), 'config')
-
-class EchoService(_EchoService):
-
-    def __init__(self, **kw):
-        
-        # Stop in debugger at beginning of SOAP stub if environment variable 
-        # is set
-        self.__debug = bool(os.environ.get('NDGSEC_INT_DEBUG'))
-        if self.__debug:
-            import pdb
-            pdb.set_trace()
-            
-        _EchoService.__init__(self, **kw)
-        
-    def sign(self, sw):
-        '''\
-        Overrides ServiceInterface class method to allow digital signature'''
-        self.signatureHandler.sign(sw)
-        
-    def verify(self, ps):
-        '''\
-        Overrides ServiceInterface class method to allow signature 
-        verification'''      
-        self.signatureHandler.verify(ps)
-        
-    def soap_Echo(self, ps, **kw):
-        '''Simple echo method to test WS-Security DSIG
-        
-        @type ps: ZSI ParsedSoap
-        @param ps: client SOAP message
-        @rtype: tuple
-        @return: response objects'''
-        log.info("Server received an Echo service request...")
-        if self.__debug:
-            import pdb
-            pdb.set_trace()
-        
-        response = _EchoService.soap_Echo(self, ps)    
-        response.EchoResult = "Received message from client: " + \
-                            self.request.EchoIn
-        return response
-    
-    
-    def authorize(self, auth_info, post, action):
-        '''Override default simply to display client request info'''
-        ctx = GetSOAPContext()
-        print "-"*80
-        print dir(ctx)
-        print "Container: ", ctx.connection
-        print "Parsed SOAP: ", ctx.parsedsoap
-        print "Container: ", ctx.container
-        print "HTTP Headers:\n", ctx.httpheaders
-        print "-"*80
-        print "Client Request:\n", ctx.xmldata
-        return 1
-
-   
-if __name__ == "__main__":
-    # Here we set up the server
-        
-    if 'NDGSEC_WSSESRV_UNITTEST_DIR' not in os.environ:
-        os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'] = abspath(dirname(__file__))
-
-    if 'NDGSEC_TEST_CONFIG_DIR' not in os.environ:
-        os.environ['NDGSEC_TEST_CONFIG_DIR'] = \
-            abspath(join(dirname(dirname(dirname(dirname(__file__)))),
-                         'config'))
-            
-    configFilePath = mkPath('echoServer.cfg')
-
-    cfg = SafeConfigParser()
-    files = cfg.read(configFilePath)
-    assert len(files) == 1, "Error reading %s" % configFilePath
-    
-    hostname = cfg.get('setUp', 'hostname')
-    port = cfg.getint('setUp', 'port')
-    path = cfg.get('setUp', 'path')
-    
-    wsseCfgFilePath = xpdVars(cfg.get('setUp', 'wsseCfgFilePath'))
-
-    serviceContainer = ServiceContainer((hostname, port))   
-    
-    # Create the Inherited version of the server
-    echo = EchoService()
-    echo.signatureHandler = SignatureHandlerFactory.fromConfigFile(
-                                                                wsseCfgFilePath)
-
-    serviceContainer.setNode(echo, url=path)
-    
-    try:
-        # Run the service container
-        print "listening at http://%s:%s%s" % (hostname, port, path)
-        serviceContainer.serve_forever()
-    except KeyboardInterrupt:
-        sys.exit(0)
+## This is a new method imported to show it's value
+#from ZSI.ServiceContainer import GetSOAPContext
+#
+#from EchoService_services_server import EchoService as _EchoService
+#
+#from ndg.wssecurity.common.signaturehandler import SignatureHandlerFactory
+#
+#from os.path import expandvars as xpdVars
+#from os.path import join, dirname, abspath
+#mkPath = lambda file: join(os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'], file)
+#
+#import logging
+#log = logging.getLogger(__name__)
+#logging.basicConfig(level=logging.DEBUG,
+#                    format='%(asctime)s %(filename)s:%(lineno)d '
+#                    '%(levelname)s %(message)s')
+#
+#
+#from ndg.security.test.unit import BaseTestCase, _getParentDir
+#
+## Initialize environment for unit tests
+#if BaseTestCase.configDirEnvVarName not in os.environ:
+#    os.environ[BaseTestCase.configDirEnvVarName] = \
+#                            join(abspath(_getParentDir(depth=1)), 'config')
+#
+#class EchoService(_EchoService):
+#
+#    def __init__(self, **kw):
+#        
+#        # Stop in debugger at beginning of SOAP stub if environment variable 
+#        # is set
+#        self.__debug = bool(os.environ.get('NDGSEC_INT_DEBUG'))
+#        if self.__debug:
+#            import pdb
+#            pdb.set_trace()
+#            
+#        _EchoService.__init__(self, **kw)
+#        
+#    def sign(self, sw):
+#        '''\
+#        Overrides ServiceInterface class method to allow digital signature'''
+#        self.signatureHandler.sign(sw)
+#        
+#    def verify(self, ps):
+#        '''\
+#        Overrides ServiceInterface class method to allow signature 
+#        verification'''      
+#        self.signatureHandler.verify(ps)
+#        
+#    def soap_Echo(self, ps, **kw):
+#        '''Simple echo method to test WS-Security DSIG
+#        
+#        @type ps: ZSI ParsedSoap
+#        @param ps: client SOAP message
+#        @rtype: tuple
+#        @return: response objects'''
+#        log.info("Server received an Echo service request...")
+#        if self.__debug:
+#            import pdb
+#            pdb.set_trace()
+#        
+#        response = _EchoService.soap_Echo(self, ps)    
+#        response.EchoResult = "Received message from client: " + \
+#                            self.request.EchoIn
+#        return response
+#    
+#    
+#    def authorize(self, auth_info, post, action):
+#        '''Override default simply to display client request info'''
+#        ctx = GetSOAPContext()
+#        print "-"*80
+#        print dir(ctx)
+#        print "Container: ", ctx.connection
+#        print "Parsed SOAP: ", ctx.parsedsoap
+#        print "Container: ", ctx.container
+#        print "HTTP Headers:\n", ctx.httpheaders
+#        print "-"*80
+#        print "Client Request:\n", ctx.xmldata
+#        return 1
+#
+#   
+#if __name__ == "__main__":
+#    # Here we set up the server
+#        
+#    if 'NDGSEC_WSSESRV_UNITTEST_DIR' not in os.environ:
+#        os.environ['NDGSEC_WSSESRV_UNITTEST_DIR'] = abspath(dirname(__file__))
+#
+#    if 'NDGSEC_TEST_CONFIG_DIR' not in os.environ:
+#        os.environ['NDGSEC_TEST_CONFIG_DIR'] = \
+#            abspath(join(dirname(dirname(dirname(dirname(__file__)))),
+#                         'config'))
+#            
+#    configFilePath = mkPath('echoServer.cfg')
+#
+#    cfg = SafeConfigParser()
+#    files = cfg.read(configFilePath)
+#    assert len(files) == 1, "Error reading %s" % configFilePath
+#    
+#    hostname = cfg.get('setUp', 'hostname')
+#    port = cfg.getint('setUp', 'port')
+#    path = cfg.get('setUp', 'path')
+#    
+#    wsseCfgFilePath = xpdVars(cfg.get('setUp', 'wsseCfgFilePath'))
+#
+#    serviceContainer = ServiceContainer((hostname, port))   
+#    
+#    # Create the Inherited version of the server
+#    echo = EchoService()
+#    echo.signatureHandler = SignatureHandlerFactory.fromConfigFile(
+#                                                                wsseCfgFilePath)
+#
+#    serviceContainer.setNode(echo, url=path)
+#    
+#    try:
+#        # Run the service container
+#        print "listening at http://%s:%s%s" % (hostname, port, path)
+#        serviceContainer.serve_forever()
+#    except KeyboardInterrupt:
+#        sys.exit(0)

TI12-security/trunk/NDGSoap/ndg/soap/wssecurity/test/unit/signaturehandler/foursuite/server/echoservice.ini

@@ -1 +1 @@
 #
-# NERC DataGrid Security
+# NERC DataGrid SOAP WS-Security tests
 #
-# Paste configuration for combined Session Manager, Attribute Authority,
-# OpenID Relying Party and Provider services
+# Paste configuration for test application secured with WS-Security signature
+# handler
 #
 # The %(here)s variable will be replaced with the parent directory of this file
 #
 # Author: P J Kershaw
-# date: 26/02/09
-# Copyright: (C) 2009 Science and Technology Facilities Council
+# date: 26/01/2010
+# Copyright: (C) 2010 Science and Technology Facilities Council
 # license: BSD - see LICENSE file in top-level directory
 # Contact: Philip.Kershaw@stfc.ac.uk
-# Revision: $Id$
+# Revision: $Id: $
 
 [DEFAULT]
-portNum = 7443
+portNum = 9080
 hostname = localhost
 scheme = http
 baseURI = %(scheme)s://%(hostname)s:%(portNum)s
-openIDProviderIDBase = /openid
-openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
-testConfigDir = %(here)s/../../config
-sessionManagerPath = /SessionManager
-sessionManagerURI = %(baseURI)s%(sessionManagerPath)s
-openid.ax.sessionManagerURI.typeURI=urn:ndg:security:openid:sessionManagerURI
-openid.ax.sessionId.typeURI=urn:ndg:security:openid:sessionId
+testConfigDir = %(here)s/../../../../config
+echoServicePath = /echoService
+echoServiceURI = %(baseURI)s%(echoServicePath)s
 
-#______________________________________________________________________________
-# Attribute Authority settings
-# 'name' setting MUST agree with map config file 'thisHost' name attribute
-attributeAuthority.name: Site A
-
-# Lifetime is measured in seconds
-attributeAuthority.attCertLifetime: 28800 
-
-# Allow an offset for clock skew between servers running 
-# security services. NB, measured in seconds - use a minus sign for time in the
-# past
-attributeAuthority.attCertNotBeforeOff: 0
-
-# All Attribute Certificates issued are recorded in this dir
-attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog
-
-# Files in attCertDir are stored using a rotating file handler
-# attCertFileLogCnt sets the max number of files created before the first is 
-# overwritten
-attributeAuthority.attCertFileName: ac.xml
-attributeAuthority.attCertFileLogCnt: 16
-attributeAuthority.dnSeparator:/
-
-# Location of role mapping file
-attributeAuthority.mapConfigFilePath: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml
-
-# Settings for custom AttributeInterface derived class to get user roles for given 
-# user ID
-#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeAuthority.attributeInterface.modName: ndg.soap.test.integration.authz.attributeinterface
-attributeAuthority.attributeInterface.className: TestUserRoles
-
-# Config for XML signature of Attribute Certificate
-attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
-attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
-attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
-
-#______________________________________________________________________________
-# Session Manager specific settings - commented out settings will take their
-# default settings.  To override the defaults uncomment and set as required.
-# See ndg.soap.server.sessionmanager module for details
-
-# Credential Wallet Settings - global to all user sessions
-#
-# CA certificates for Attribute Certificate signature validation
-sessionManager.credentialWallet.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
-
-# CA certificates for SSL connection peer cert. validation - required if
-# connecting to an Attribute Authority over SSL
-sessionManager.credentialWallet.sslCACertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
-
-# Allow Get Attribute Certificate calls to try to get a mapped certificate
-# from another organisation trusted by the target Attribute Authority
-sessionManager.credentialWallet.mapFromTrustedHosts=True
-sessionManager.credentialWallet.rtnExtAttCertList=True
-
-# Refresh an Attribute Certificate, if an existing one in the wallet has only
-# this length of time left before it expires
-credentialWallet.attCertRefreshElapse=7200
-
-# Pointer to WS-Security settings.  These WS-Security settings are for use
-# by user credential wallets held in user sessions hosted by the Session
-# Manager.  They enable individual wallets to query Attribute Authorities for
-# user Attribute Certificates.  Nb. the difference between these settings and
-# the WS-Security section for handling requests to the Session Manager.
-#
-# Settings are identified by a prefix.  
-sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity
-
-# ...A section name could also be used.
-#sessionManager.credentialWallet.wssCfgSection=
-
-# SOAP Signature Handler settings for the Credential Wallet's Attribute 
-# Authority interface
-#
-# CA Certificates used to verify X.509 certs used in Attribute Certificates.
-# The CA certificates of other NDG trusted sites should go here.  NB, multiple
-# values should be delimited by a space
-sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
-
-# Signature of an outbound message
-#
-# Certificate associated with private key used to sign a message.  The sign 
-# method will add this to the BinarySecurityToken element of the WSSE header.  
-# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
-# As an alternative, use signingCertChain - see below...
-
-# PEM encoded cert
-sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(testConfigDir)s/sessionmanager/sm.crt
-
-# ... or provide file path to PEM encoded private key file
-sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(testConfigDir)s/sessionmanager/sm.key
-
-# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
-# signed message.  See __setReqBinSecTokValType method and binSecTokValType 
-# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or 
-# give full namespace to alternative - see 
-# ZSI.wstools.Namespaces.OASIS.X509TOKEN
-#
-# binSecTokValType determines whether signingCert or signingCertChain 
-# attributes will be used.
-sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3
-
-# Add a timestamp element to an outbound message
-sessionManager.credentialWallet.wssecurity.addTimestamp: True
-
-# For WSSE 1.1 - service returns signature confirmation containing signature 
-# value sent by client
-sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True
-
-# Authentication service properties 
-sessionManager.authNService.moduleFilePath: 
-sessionManager.authNService.moduleName: ndg.soap.test.config.sessionmanager.userx509certauthn
-sessionManager.authNService.className: UserX509CertAuthN
-
-# Specific settings for UserCertAuthN Session Manager authentication plugin
-# This sets up PKI credentials for a single test account
-sessionManager.authNService.userX509CertFilePath: %(testConfigDir)s/pki/user.crt
-sessionManager.authNService.userPriKeyFilePath: %(testConfigDir)s/pki/user.key
-sessionManager.authNService.userPriKeyPwd: testpassword
 
 [server:main]
@@ -173 +49 @@
 # Use this ZSI generated SOAP service interface class to handle i/o for this
 # filter
-ServiceSOAPBindingClass = ndg.soap.server.zsi.sessionmanager.SessionManagerWS
+ServiceSOAPBindingClass = ndg.soap.wssecurity.test.unit.signatureHandler.foursuite.server.echoService.echoServiceWS
 
 # SOAP Binding Class specific keywords are in this section identified by this
 # prefix:
-ServiceSOAPBindingPropPrefix = SessionManager
+ServiceSOAPBindingPropPrefix = echoService
 
-# The SessionManager class has settings in the default section above identified
+# The echoService class has settings in the default section above identified
 # by this prefix:
-SessionManager.propPrefix = sessionManager
-SessionManager.propFilePath = %(here)s/securityservices.ini
+echoService.propPrefix = echoService
+echoService.propFilePath = %(here)s/securityservices.ini
 
-# This filter references other filters - a local Attribute Authority (optional)
-# and a WS-Security signature verification filter (required if using signature
-# to authenticate user in requests
-SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
-SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
+# This filter may references the WS-Security signature verification 
+# filter to access content e.g. client certificate used
+echoService.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
 
-# The SessionManagerWS SOAP interface class needs to know about these other 
+# The echoServiceWS SOAP interface class needs to know about these other 
 # filters
 referencedFilters = filter:wsseSignatureVerificationFilter 
@@ -196 +70 @@
 
 # Path from URI for Session Manager in this Paste deployment
-path = %(sessionManagerPath)s
+path = %(echoServicePath)s
 
-# External endpoint for this Session Manager - must agree with setting used to
-# invoke this service set in:
-# * securityservicesapp.py 
-# * or port in [server:main] if calling with paster serve securityservices.ini
-# * or something else e.g. proxied through Apache?
-# This setting is used by Session Manager clients in this WSGI stack to see if
-# a request is being made to the local service or to another session manager
-# running elsewhere
-publishedURI = %(sessionManagerURI)s
+# External endpoint for this service 
+publishedURI = %(echoServiceURI)s
 
 # Enable ?wsdl query argument to list the WSDL content
@@ -219 +86 @@
 # WS-Security Signature Verification
 [filter:wsseSignatureVerificationFilter]
-paste.filter_app_factory = ndg.soap.wssecurity.server.wsgi.signaturehandler:SignatureVerificationFilter
+paste.filter_app_factory = ndg.soap.wssecurity.server.wsgi.signaturehandler:SignatureVerificationFilter.filter_app_factory
 filterID = %(__name__)s
 
@@ -231 +98 @@
 # Apply WS-Security Signature 
 [filter:wsseSignatureFilter]
-paste.filter_app_factory = ndg.soap.wssecurity.server.wsgi.signaturehandler:ApplySignatureFilter
+paste.filter_app_factory = ndg.soap.wssecurity.server.wsgi.signaturehandler:ApplySignatureFilter.filter_app_factory
 
 # Reference the verification filter in order to be able to apply signature
@@ -294 +161 @@
 
 [formatter_generic]
-format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
-datefmt = %H:%M:%S
+format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
+datefmt = %Y-%m-%d %H:%M:%S