Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6440

Timestamp:

29/01/10 14:07:36 (11 years ago)

Author:

pjkersha

Message:

#1088 Important fix to AuthnRedirectResponseMiddleware? to set redirect ONLY when SSL client authentication has just succeeded in the upstream middleware AuthKitSSLAuthnMiddleware. This bug was causing the browser to redirect to the wrong place following OpenID sign in in the case where the user is already logged into their provider and selects a new relying party to sign into.
- Improvements to Provider decide page interface: leave out messages about attributes that the provider can't retrieve for the RP. Also included NDG style help icon.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

: 81 added
: 2 deleted
: 23 edited

Makefile (modified) (1 diff)
Tests/authtest/data (added)
Tests/authtest/data/openid (added)
Tests/authtest/data/openid/associations (added)
Tests/authtest/data/openid/nonces (added)
Tests/authtest/data/openid/temp (added)
Tests/m2Crypto/test_sslClntAuthN.py (modified) (1 diff)
Tests/m2Crypto/unicode.py (modified) (1 diff)
Tests/module.py (added)
Tests/oidresponse.xml (added)
Tests/openidaxtest (added)
Tests/openidaxtest/MANIFEST.in (added)
Tests/openidaxtest/README.txt (added)
Tests/openidaxtest/data (added)
Tests/openidaxtest/data/templates (added)
Tests/openidaxtest/data/templates/index.html.py (added)
Tests/openidaxtest/data/templates/signin.html.py (added)
Tests/openidaxtest/development.ini (added)
Tests/openidaxtest/docs (added)
Tests/openidaxtest/docs/index.txt (added)
Tests/openidaxtest/ez_setup.py (added)
Tests/openidaxtest/openidaxtest (added)
Tests/openidaxtest/openidaxtest.egg-info (added)
Tests/openidaxtest/openidaxtest.egg-info/PKG-INFO (added)
Tests/openidaxtest/openidaxtest.egg-info/SOURCES.txt (added)
Tests/openidaxtest/openidaxtest.egg-info/dependency_links.txt (added)
Tests/openidaxtest/openidaxtest.egg-info/entry_points.txt (added)
Tests/openidaxtest/openidaxtest.egg-info/not-zip-safe (added)
Tests/openidaxtest/openidaxtest.egg-info/paster_plugins.txt (added)
Tests/openidaxtest/openidaxtest.egg-info/requires.txt (added)
Tests/openidaxtest/openidaxtest.egg-info/top_level.txt (added)
Tests/openidaxtest/openidaxtest/__init__.py (added)
Tests/openidaxtest/openidaxtest/config (added)
Tests/openidaxtest/openidaxtest/config/__init__.py (added)
Tests/openidaxtest/openidaxtest/config/deployment.ini_tmpl (added)
Tests/openidaxtest/openidaxtest/config/environment.py (added)
Tests/openidaxtest/openidaxtest/config/middleware.py (added)
Tests/openidaxtest/openidaxtest/config/routing.py (added)
Tests/openidaxtest/openidaxtest/controllers (added)
Tests/openidaxtest/openidaxtest/controllers/__init__.py (added)
Tests/openidaxtest/openidaxtest/controllers/error.py (added)
Tests/openidaxtest/openidaxtest/controllers/hello.py (added)
Tests/openidaxtest/openidaxtest/lib (added)
Tests/openidaxtest/openidaxtest/lib/__init__.py (added)
Tests/openidaxtest/openidaxtest/lib/app_globals.py (added)
Tests/openidaxtest/openidaxtest/lib/auth.py (added)
Tests/openidaxtest/openidaxtest/lib/base.py (added)
Tests/openidaxtest/openidaxtest/lib/helpers.py (added)
Tests/openidaxtest/openidaxtest/model (added)
Tests/openidaxtest/openidaxtest/model/__init__.py (added)
Tests/openidaxtest/openidaxtest/public (added)
Tests/openidaxtest/openidaxtest/public/bg.png (added)
Tests/openidaxtest/openidaxtest/public/css (added)
Tests/openidaxtest/openidaxtest/public/css/main.css (added)
Tests/openidaxtest/openidaxtest/public/favicon.ico (added)
Tests/openidaxtest/openidaxtest/public/index.html (added)
Tests/openidaxtest/openidaxtest/public/pylons-logo.gif (added)
Tests/openidaxtest/openidaxtest/templates (added)
Tests/openidaxtest/openidaxtest/templates/index.html (added)
Tests/openidaxtest/openidaxtest/templates/signin.html (added)
Tests/openidaxtest/openidaxtest/templates/signout.html (added)
Tests/openidaxtest/openidaxtest/tests (added)
Tests/openidaxtest/openidaxtest/tests/__init__.py (added)
Tests/openidaxtest/openidaxtest/tests/functional (added)
Tests/openidaxtest/openidaxtest/tests/functional/__init__.py (added)
Tests/openidaxtest/openidaxtest/tests/functional/test_hello.py (added)
Tests/openidaxtest/openidaxtest/tests/test_models.py (added)
Tests/openidaxtest/openidaxtest/websetup.py (added)
Tests/openidaxtest/openidrelyingparty (added)
Tests/openidaxtest/openidrelyingparty/store (added)
Tests/openidaxtest/openidrelyingparty/store/associations (added)
Tests/openidaxtest/openidrelyingparty/store/nonces (added)
Tests/openidaxtest/openidrelyingparty/store/temp (added)
Tests/openidaxtest/setup.cfg (added)
Tests/openidaxtest/setup.py (added)
Tests/openidaxtest/test.ini (added)
ndg_security_common/ndg/security/common/X509.py (modified) (1 diff)
ndg_security_common/ndg/security/common/__init__.py (modified) (1 diff)
ndg_security_common/ndg/security/common/attributeauthority.py (modified) (1 diff)
ndg_security_common/ndg/security/common/m2CryptoSSLUtility.py (deleted)
ndg_security_common/ndg/security/common/sessionmanager.py (modified) (1 diff)
ndg_security_common/ndg/security/common/utils/classfactory.py (modified) (3 diffs)
ndg_security_server/ndg/security/server/initCredReposDb.py (deleted)
ndg_security_server/ndg/security/server/wsgi/authn.py (modified) (7 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (8 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/js (added)
ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/js/toggleDiv.js (added)
ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/base.html (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/decide.html (modified) (2 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/__init__.py (modified) (8 diffs)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/public/js (added)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/public/js/toggleDiv.js (added)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/public/layout/default.css (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/base.html (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/session.py (modified) (1 diff)
ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (3 diffs)
ndg_security_server/ndg/security/server/wsgi/zsi.py (modified) (2 diffs)
ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml (modified) (2 diffs)
ndg_security_test/ndg/security/test/integration/authz_lite/openidprovider/js (added)
ndg_security_test/ndg/security/test/integration/authz_lite/openidprovider/js/toggleDiv.js (added)
ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/public/js (added)
ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/public/js/toggleDiv.js (added)
ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/public/layout/default.css (modified) (5 diffs)
ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini (modified) (2 diffs)
ndg_security_test/ndg/security/test/unit/sslclientauthnmiddleware/test_sslclientauthn.py (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/NDGSecurity/python/Makefile

r6243	r6440
83	83	${EPYDOC} ./ndg_security_*/ndg -o ${EPYDOC_OUTDIR} \
84	84	--name ${EPYDOC_NAME} ${EPYDOC_FRAMES_OPT} --include-log --graph=all -v \
85		> ${EPYDOC_LOGFILE}
	85	--exclude=nosetests.* > ${EPYDOC_LOGFILE}
86	86
87	87	# Install epydoc on web server - set environment variables in a setup script

TI12-security/trunk/NDGSecurity/python/Tests/m2Crypto/test_sslClntAuthN.py

r4603	r6440
56	56	# self.socket.connect(self.server_address)
57	57	# self.connected = True
58		from ndg.security.common.~~m2CryptoSSLUtility~~ import HTTPSConnection
	58	from ndg.security.common.utils.m2crypto import HTTPSConnection
59	59
60	60	if __name__ == "__main__":

TI12-security/trunk/NDGSecurity/python/Tests/m2Crypto/unicode.py

r4082	r6440
1	1	#!/use/bin/env python
2	2	#from M2Crypto.httpslib import HTTPSConnection
3		from ndg.security.common.~~m2CryptoSSLUtility~~ import HTTPSConnection
	3	from ndg.security.common.utils.m2crypto import HTTPSConnection
4	4
5	5	#hostname = u'ndgbeta.badc.rl.ac.uk'

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/X509.py

r6040	r6440
368	368	dtNow,
369	369	self.__dtNotAfter))
	370	log.error(msg)
370	371	if raiseExcep:
371	372	raise X509CertExpired(msg)

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/init.py

-                      r4840
+                      r6440
     'attributeauthority',
     'AttCert',
+    'saml_utils',
+    'soap',
     'credentialwallet',
-    'm2CryptoSSLUtility',
     'openssl',
     'sessionmanager',

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/attributeauthority.py

r6062	r6440
36	36	DomletteElementProxy
37	37	from ndg.security.common.AttCert import AttCert, AttCertParse
38		from ndg.security.common.~~m2CryptoSSLUtility~~ import HTTPSConnection, HostCheck
	38	from ndg.security.common.utils.m2crypto import HTTPSConnection, HostCheck
39	39	from ndg.security.common.zsi.httpproxy import ProxyHTTPConnection
40	40

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/sessionmanager.py

r5441	r6440
27	27
28	28	from ndg.security.common.AttCert import AttCert, AttCertParse
29		from ndg.security.common.~~m2CryptoSSLUtility~~ import HTTPSConnection, \
	29	from ndg.security.common.utils.m2crypto import HTTPSConnection, \
30	30	HostCheck
31	31	from ndg.security.common.zsi.httpproxy import ProxyHTTPConnection

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/utils/classfactory.py

-                      r6069
+                      r6440
 log = logging.getLogger(__name__)
 class ClassFactoryError(Exception):
     """Exception handling for NDG classfactory module."""
 …
         log.error(msg)
         Exception.__init__(self, msg)
 def importClass(moduleName, className=None, objectType=None):
 …
 def instantiateClass(moduleName, className, moduleFilePath=None,
+def instantiateClass(moduleName, className=None, moduleFilePath=None,
                      objectType=None, classArgs=(), classProperties={}):
     '''

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py

-                      r6264
+                      r6440
                                               SessionHandlerMiddleware)
+from ndg.security.server.wsgi.ssl import AuthKitSSLAuthnMiddleware
 class AuthnException(NDGSecurityMiddlewareError):
 …
     '''HTTP Basic Authentication Middleware
     '''
     AUTHN_FUNC_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
                               'HTTPBasicAuthMiddleware.authenticate')
 …
         quotedReturn2URI = urllib.quote(return2URI, safe='')
         return2URIQueryArg = urllib.urlencode(
                     {AuthnRedirectInitiatorMiddleware.RETURN2URI_ARGNAME:
                      quotedReturn2URI})
+            {AuthnRedirectInitiatorMiddleware.RETURN2URI_ARGNAME:
+             quotedReturn2URI})
         redirectURI = self.redirectURI
 …
         """
         if status.startswith(cls.TRIGGER_HTTP_STATUS_CODE):
             log.debug("%s.checker caught status [%s]: invoking authentication"
                       " handler", cls.__name__, cls.TRIGGER_HTTP_STATUS_CODE)
+            log.debug("%s.checker caught status [%s]: invoking authentication "
+                      "handler", cls.__name__, cls.TRIGGER_HTTP_STATUS_CODE)
             return True
         else:
 …
     which performs a similar function.
     """
     @NDGSecurityMiddlewareBase.initCall
     def __call__(self, environ, start_response):
 …
         # Check for a return URI setting in the beaker session and if the user
+        # is authenticated, redirect to this URL deleting the beaker session
+        # has just been authenticated by the AuthKit SSL Client authentication
+        # middleware.  If so, redirect to this URL deleting the beaker session
         # URL setting
         return2URI = session.get(self.__class__.RETURN2URI_ARGNAME)
         if self.isAuthenticated and return2URI:
+        if self.sslAuthnSucceeded and return2URI:
             del session[self.__class__.RETURN2URI_ARGNAME]
             session.save()
 …
                                doc="Boolean indicating if AuthKit "
                                    "'REMOTE_USER' environment variable is set")
+    _sslAuthnSucceeded = lambda self: self.environ.get(
+                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
+                    False)
+    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
+                                 doc="Boolean indicating SSL authentication "
+                                     "has succeeded in "
+                                     "AuthKitSSLAuthnMiddleware upstream of "
+                                     "this middleware")
     def __init__(self, app, app_conf, **local_conf):
         super(AuthKitRedirectResponseMiddleware, self).__init__(app, app_conf,

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/init.py

-                      r6354
+                      r6440
 # Place here to avoid circular import error with IdentityMapping class
 from ndg.security.server.wsgi.openid.provider.authninterface import (
+    AbstractAuthNInterface, AuthNInterfaceError)
+    AbstractAuthNInterface, AuthNInterfaceError,
+    AuthNInterfaceInvalidCredentials)
 from ndg.security.server.wsgi.openid.provider.axinterface import (AXInterface,
     MissingRequiredAttrs, AXInterfaceReloginRequired)
 …
     @type: defPaths: dict
     @cvar formRespWrapperTmpl: If the response to the Relying Party is too long
     it's rendered as form with the POST method instead of query arguments in a
     GET 302 redirect.  Wrap the form in this document to make the form submit
     automatically without user intervention.  See _displayResponse method
+    @cvar FORM_RESP_WRAPPER_TMPL: If the response to the Relying Party is too
+    long it's rendered as form with the POST method instead of query arguments
+    in a GET 302 redirect.  Wrap the form in this document to make the form
+    submit automatically without user intervention.  See _displayResponse method
     below...
     @type formRespWrapperTmpl: basestring"""
     formRespWrapperTmpl = """<html>
+    @type FORM_RESP_WRAPPER_TMPL: basestring"""
+    FORM_RESP_WRAPPER_TMPL = """<html>
     <head>
         <script type="text/javascript">
             function doRedirect()
+            {
+                document.forms[0].style.visibility = "hidden";
                 document.forms[0].submit();
+            }
 …
                             os.path.expandvars(opt['consumer_store_dirpath']))
         self.oidserver = server.Server(store, self.urls['url_openidserver'])
-    def getCharset(self):
-        return self.__charset
-    def getPaths(self):
-        return self.__paths
-    def getBase_url(self):
-        return self.__base_url
-    def getUrls(self):
-        return self.__urls
-    def getMethod(self):
-        return self.__method
-    def getSessionMiddlewareEnvironKeyName(self):
-        return self.__sessionMiddlewareEnvironKeyName
-    def getSession(self):
-        return self.__session
-    def setCharset(self, value):
-        # Convert from string type where required
-        if not value:
-            self.__charset = ''
-        elif isinstance(value, basestring):
-            self.__charset = '; charset=' + value
-        else:
-            raise TypeError('Expecting string type for "charset" attribute; '
-                            'got %r' % type(value))
-    def setPaths(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"paths" attribute; got %r' %
-                            type(value))
-        self.__paths = value
-    def setBase_url(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for '
-                            '"base_url" attribute; got %r' %
-                            type(value))
-        self.__base_url = value
-    def setUrls(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"urls" attribute; got %r' %
-                            type(value))
-        self.__urls = value
-    def setMethod(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"method" attribute; got %r' %
-                            type(value))
-        self.__method = value
-    def setSessionMiddlewareEnvironKeyName(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for '
-                            '"sessionMiddlewareEnvironKeyName" attribute; '
-                            'got %r' %
-                            type(value))
-        self.__sessionMiddlewareEnvironKeyName = value
-    def setSession(self, value):
-        if not isinstance(value, beaker.session.SessionObject):
-            raise TypeError('Expecting beaker.session.SessionObject type for '
-                            '"session" attribute; got %r' %
-                            type(value))
-        self.__session = value
-    def getOidResponse(self):
-        return self.__oidResponse
-    def getSregResponse(self):
-        return self.__sregResponse
-    def getAxResponse(self):
-        return self.__axResponse
-    def getOidserver(self):
-        return self.__oidserver
-    def getQuery(self):
-        return self.__query
-    def getTrustedRelyingParties(self):
-        return self.__trustedRelyingParties
-    def setOidResponse(self, value):
-        if not isinstance(value, server.OpenIDResponse):
-            raise TypeError('Expecting OpenIDResponse type for '
-                            '"oidResponse" attribute; got %r' %
-                            type(value))
-        self.__oidResponse = value
-    def setSregResponse(self, value):
-        self.__sregResponse = value
-    def setAxResponse(self, value):
-        if not isinstance(value, AXInterface):
-            raise TypeError('Expecting AXInterface type for '
-                            '"axResponse" attribute; got %r' %
-                            type(value))
-        self.__axResponse = value
-    def setOidserver(self, value):
-        if not isinstance(value, server.Server):
-            raise TypeError('Expecting openid.server.server.Server type for '
-                            '"oidserver" attribute; got %r' %
-                            type(value))
-        self.__oidserver = value
-    def setQuery(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"query" attribute; got %r' %
-                            type(value))
-        self.__query = value
-    def setTrustedRelyingParties(self, value):
-        if isinstance(value, basestring):
-            pat = OpenIDProviderMiddleware.TRUSTED_RELYINGPARTIES_SEP_PAT
-            self.__trustedRelyingParties = tuple([i for i in pat.split(value)])
-        elif isinstance(value, (list, tuple)):
-            self.__trustedRelyingParties = tuple(value)
-        else:
-            raise TypeError('Expecting list or tuple type for '
-                            '"trustedRelyingParties" attribute; got %r' %
-                            type(value))
     @classmethod
 …
                 identity = oidRequest.identity
+            trust_root = oidRequest.trust_root
+            if self.query.get('remember', 'no').lower() == 'yes':
+                self.session[
+                    OpenIDProviderMiddleware.APPROVED_FLAG_SESSION_KEYNAME] = {
+                        trust_root: 'always'
+                    }
+                self.session.save()
+            # Check for user selected to trust this RP for future logins.
+            self._applyTrustRoot(oidRequest)
             # Check for POST'ed user explicit setting of AX parameters
             self._applyUserAXSelections()
 …
                                           code=400)
+    def _applyTrustRoot(self, oidRequest):
+        """Check to see if user wants to trust the current Relying Party and if
+        so set record this decision in the session
+        """
+        if self.query.get('remember', 'no').lower() == 'yes':
+            self.session[
+                OpenIDProviderMiddleware.APPROVED_FLAG_SESSION_KEYNAME] = {
+                    oidRequest.trust_root: 'always'
+                }
+            self.session.save()
     def _applyUserAXSelections(self):
         """Helper for do_allow method - process the query response checking
 …
                                                 environ,
                                                 self.query['username'])
+            except AuthNInterfaceInvalidCredentials:
+                log.error("No username %r matching an OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("No match was found for your account name.  Please "
+                       "check that your details are correct or contact the "
+                       "site administrator.")
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
             except Exception:
                 log.error("Associating username %r with OpenID URL: %s"%
                           (self.query.get('username'),
                            traceback.format_exc()))
                 msg = ("An internal error occured matching an OpenID "
                        "to your account.  If the problem persists "
                        "contact your system administrator.")
                 response = self._render.errorPage(environ,
                                                   start_response,
                                                   msg)
+                log.error("Associating username %r with OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("An error occured matching an OpenID to your account.  "
+                       "If the problem persists contact the site "
+                       "administrator.")
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
                 return response
 …
             # Wrap in HTML with Javascript OnLoad to submit the form
             # automatically without user intervention
             response = OpenIDProviderMiddleware.formRespWrapperTmpl % \
+            response = OpenIDProviderMiddleware.FORM_RESP_WRAPPER_TMPL % \
                                                         webresponse.body
         else:
 …
                         ('Location', url)])
         return []
+    def getCharset(self):
+        return self.__charset
+    def getPaths(self):
+        return self.__paths
+    def getBase_url(self):
+        return self.__base_url
+    def getUrls(self):
+        return self.__urls
+    def getMethod(self):
+        return self.__method
+    def getSessionMiddlewareEnvironKeyName(self):
+        return self.__sessionMiddlewareEnvironKeyName
+    def getSession(self):
+        return self.__session
+    def setCharset(self, value):
+        # Convert from string type where required
+        if not value:
+            self.__charset = ''
+        elif isinstance(value, basestring):
+            self.__charset = '; charset=' + value
+        else:
+            raise TypeError('Expecting string type for "charset" attribute; '
+                            'got %r' % type(value))
+    def setPaths(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"paths" attribute; got %r' %
+                            type(value))
+        self.__paths = value
+    def setBase_url(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"base_url" attribute; got %r' %
+                            type(value))
+        self.__base_url = value
+    def setUrls(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"urls" attribute; got %r' %
+                            type(value))
+        self.__urls = value
+    def setMethod(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"method" attribute; got %r' %
+                            type(value))
+        self.__method = value
+    def setSessionMiddlewareEnvironKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"sessionMiddlewareEnvironKeyName" attribute; '
+                            'got %r' %
+                            type(value))
+        self.__sessionMiddlewareEnvironKeyName = value
+    def setSession(self, value):
+        if not isinstance(value, beaker.session.SessionObject):
+            raise TypeError('Expecting beaker.session.SessionObject type for '
+                            '"session" attribute; got %r' %
+                            type(value))
+        self.__session = value
+    def getOidResponse(self):
+        return self.__oidResponse
+    def getSregResponse(self):
+        return self.__sregResponse
+    def getAxResponse(self):
+        return self.__axResponse
+    def getOidserver(self):
+        return self.__oidserver
+    def getQuery(self):
+        return self.__query
+    def getTrustedRelyingParties(self):
+        return self.__trustedRelyingParties
+    def setOidResponse(self, value):
+        if not isinstance(value, server.OpenIDResponse):
+            raise TypeError('Expecting OpenIDResponse type for '
+                            '"oidResponse" attribute; got %r' %
+                            type(value))
+        self.__oidResponse = value
+    def setSregResponse(self, value):
+        self.__sregResponse = value
+    def setAxResponse(self, value):
+        if not isinstance(value, AXInterface):
+            raise TypeError('Expecting AXInterface type for '
+                            '"axResponse" attribute; got %r' %
+                            type(value))
+        self.__axResponse = value
+    def setOidserver(self, value):
+        if not isinstance(value, server.Server):
+            raise TypeError('Expecting openid.server.server.Server type for '
+                            '"oidserver" attribute; got %r' %
+                            type(value))
+        self.__oidserver = value
+    def setQuery(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"query" attribute; got %r' %
+                            type(value))
+        self.__query = value
+    def setTrustedRelyingParties(self, value):
+        if isinstance(value, basestring):
+            pat = OpenIDProviderMiddleware.TRUSTED_RELYINGPARTIES_SEP_PAT
+            self.__trustedRelyingParties = tuple([i for i in pat.split(value)])
+        elif isinstance(value, (list, tuple)):
+            self.__trustedRelyingParties = tuple(value)
+        else:
+            raise TypeError('Expecting list or tuple type for '
+                            '"trustedRelyingParties" attribute; got %r' %
+                            type(value))
     charset = property(getCharset, setCharset, None, "Charset's Docstring")

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/base.html

r6127	r6440
10	10	<link rel="icon" type="image/ico"
11	11	href="${c.baseURL}/layout/favicon.jpg"/>
	12	<script type="text/javascript" src="${c.baseURL}/js/toggleDiv.js"></script>
12	13	</head>
13	14

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/decide.html

-                      r6272
+                      r6440
                                     <td>
                                                 This site has also requested some additional information:
+                                         <table id="opAXRequestedAttributes">
+                                        <span>
+                                                <a href="javascript:;" title="Toggle help" onclick="toggleDiv(1,'axHelp','shown','hidden','div'); return false;">
+                                                        <img src="/layout/icons/help.png" alt="Toggle help" class="helpicon"/></a>
+                                        </span>
+                                        <div id="axHelp" class="hidden">
+                                                <div class="helptxt">
+                                                        <p>The site where you want to sign in has requested some additional
+                                                                information as well as your OpenID.  Review the list of items below.
+                                                                The righthand column, "Return Item to Requesting Site?" has a tick box
+                                                                assigned to each item.  By unticking a given box you can prevent the
+                                                                related item from being returned to the requested site.  However, for
+                                                                some items, the tick box may be disabled.  This indicates that the
+                                                                requesting site has marked this item as mandatory.  In this case,
+                                                                you can still choose the "No" button at the bottom off this form and
+                                                                cancel sign in to the given site.</p>
+                                                        <p>If you are otherwise happy to return the requested information,
+                                                                select the "Yes" button</p>
+                                                </div>
+                                        </div>
+                                        <table id="opAXRequestedAttributes">
                                                 <tr>
                                                     <th>Item</th>
 …
                                                     <th>Return Item to Requesting Site?</th>
                                                 </tr>
+                                                                        <tr py:for="i in axRequestedAttr.values()">
+                                                                            <td>${i.alias or i.type_uri}</td>
+                                                <?python
+                                                        # Only get those attributes that it was possible to retrieve
+                                                        # values for
+                                                        requestedVals = [i for i in axRequestedAttr.values()
+                                                                         if axFetchResponse.getSingle(i.type_uri)]
+                                                ?>
+                                                <tr py:for="i in requestedVals">
                                                                             <?python
-                                                                               defaultVal = "<information not available from this site>"
-                                                                               attrVal = axFetchResponse.getSingle(i.type_uri, default=defaultVal)
                                                                                # Disable checkbox if attribute is required and not optional
                                                                                nameAttr = 'ax.%s' % i.alias
                                                                                if i.required:
                                                                                    inputAttr = {'disabled': 'disabled'}
+                                                                                   inputAttr = {'disabled': 'disabled', 'checked': "checked"}
                                                                                else:
                                                                                    inputAttr = {'id': i.alias, 'name': nameAttr, 'value': i.type_uri}
-                                                                               if attrVal == defaultVal:
-                                                                                   inputAttr.update({'disabled': 'disabled'})
-                                                                               else:
-                                                                                   inputAttr.update({'checked': "checked"})
                                                                             ?>
+                                                                                <td>${attrVal}</td>
+                                                                            <td>${i.alias or i.type_uri}</td>
+                                                        <td>${axFetchResponse.getSingle(i.type_uri)}</td>
                                                                                 <!-- hidden input is required to force the setting of disabled checkbox values -->
                                                                             <td><input type="checkbox"  py:attrs="inputAttr"/>
+                                                                                <td><input type="checkbox"  py:attrs="inputAttr"/>
                                                                                 <input py:if="i.required" type="hidden" value="${i.type_uri}" name="$nameAttr"/></td>
                                                                         </tr>

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/init.py

-                      r6354
+                      r6440
     middleware to return to following OpenID sign in.
     '''
+    OPENID_RP_PREFIX = 'openid.relyingparty.'
+    IDP_WHITELIST_CONFIG_FILEPATH_OPTNAME = 'idpWhitelistConfigFilePath'
+    SIGNIN_INTERFACE_MIDDLEWARE_CLASS_OPTNAME = 'signinInterfaceMiddlewareClass'
+    SIGNIN_INTERFACE_PREFIX = 'signinInterface.'
+    AUTHKIT_COOKIE_SIGNOUTPATH_OPTNAME = 'authkit.cookie.signoutpath'
+    AUTHKIT_OPENID_TMPL_OPTNAME_PREFIX = 'authkit.openid.template.'
+    AUTHKIT_OPENID_TMPL_OBJ_OPTNAME = AUTHKIT_OPENID_TMPL_OPTNAME_PREFIX + 'obj'
+    AUTHKIT_OPENID_TMPL_STRING_OPTNAME = AUTHKIT_OPENID_TMPL_OPTNAME_PREFIX + \
+        'string'
+    AUTHKIT_OPENID_TMPL_FILE_OPTNAME = AUTHKIT_OPENID_TMPL_OPTNAME_PREFIX + \
+        'file'
     sslPropertyDefaults = {
         'idpWhitelistConfigFilePath': None
+        IDP_WHITELIST_CONFIG_FILEPATH_OPTNAME: None
+    }
     propertyDefaults = {
         'signinInterfaceMiddlewareClass': None,
+        SIGNIN_INTERFACE_MIDDLEWARE_CLASS_OPTNAME: None,
         'baseURL': ''
+    }
 …
     propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
     def __init__(self, app, global_conf, prefix='openid.relyingparty.',
+    def __init__(self, app, global_conf, prefix=OPENID_RP_PREFIX,
                  **app_conf):
         """Add AuthKit and Beaker middleware dependencies to WSGI stack and
 …
         # Whitelisting of IDPs.  If no config file is set, no validation is
         # executed
+        cls = OpenIDRelyingPartyMiddleware
         idpWhitelistConfigFilePath = app_conf.get(
                                         prefix + 'idpWhitelistConfigFilePath')
+                            prefix + cls.IDP_WHITELIST_CONFIG_FILEPATH_OPTNAME)
         if idpWhitelistConfigFilePath is not None:
             self._initIdPValidation(idpWhitelistConfigFilePath)
         # Check for sign in template settings
+        if prefix+'signinInterfaceMiddlewareClass' in app_conf:
+            if 'authkit.openid.template.obj' in app_conf or \
+               'authkit.openid.template.string' in app_conf or \
+               'authkit.openid.template.file' in app_conf:
+                log.warning("OpenID Relying Party "
+                            "'signinInterfaceMiddlewareClass' "
+                            "setting overrides 'authkit.openid.template.*' "
+                            "AuthKit settings")
+        if prefix+cls.SIGNIN_INTERFACE_MIDDLEWARE_CLASS_OPTNAME in app_conf:
+            if (cls.AUTHKIT_OPENID_TMPL_OBJ_OPTNAME in app_conf or
+                cls.AUTHKIT_OPENID_TMPL_STRING_OPTNAME in app_conf or
+                cls.AUTHKIT_OPENID_TMPL_FILE_OPTNAME in app_conf):
+            signinInterfacePrefix = prefix+'signinInterface.'
+                log.warning("OpenID Relying Party %r setting overrides "
+                            "'%s*' AuthKit settings",
+                            cls.AUTHKIT_OPENID_TMPL_OPTNAME_PREFIX,
+                            cls.SIGNIN_INTERFACE_MIDDLEWARE_CLASS_OPTNAME)
+            signinInterfacePrefix = prefix+cls.SIGNIN_INTERFACE_PREFIX
+            className = app_conf[
+                        prefix + cls.SIGNIN_INTERFACE_MIDDLEWARE_CLASS_OPTNAME]
             classProperties = {'prefix': signinInterfacePrefix}
             classProperties.update(app_conf)
             app = instantiateClass(
                            app_conf[prefix+'signinInterfaceMiddlewareClass'],
                            None,
                            objectType=SigninInterface,
                            classArgs=(app, global_conf),
                            classProperties=classProperties)
+            app = instantiateClass(className,
+                                   None,
+                                   objectType=SigninInterface,
+                                   classArgs=(app, global_conf),
+                                   classProperties=classProperties)
             # Delete sign in interface middleware settings
 …
                         del conf[k]
+            app_conf['authkit.openid.template.string'] = app.makeTemplate()
+            app_conf[
+                    cls.AUTHKIT_OPENID_TMPL_STRING_OPTNAME] = app.makeTemplate()
         self.signoutPath = app_conf.get('authkit.cookie.signoutpath')
+        self.signoutPath = app_conf.get(cls.AUTHKIT_COOKIE_SIGNOUTPATH_OPTNAME)
         app = authkit.authenticate.middleware(app, app_conf)
 …
         interface
         - Manage AuthKit verify and process actions setting the referrer URI
         to manage redirects
+        to manage redirects correctly
         @type environ: dict
 …
             not referrerPathInfo.endswith(self._authKitVerifyPath) and
             not referrerPathInfo.endswith(self._authKitProcessPath)):
+            # Subvert authkit.authenticate.open_id.AuthOpenIDHandler.process
+            # An app has redirected to the Relying Party interface setting the
+            # special ndg.security.r query argument.  Subvert
+            # authkit.authenticate.open_id.AuthOpenIDHandler.process
             # reassigning it's session 'referer' key to the URI specified in
             # the referrer query argument set in the request URI
+            # ndg.security.r in the request URI
             session['referer'] = referrer
             session.save()
 …
                 _status = status
                 for name, val in header:
                     if name.lower() == 'content-type' and \
                        val.startswith('text/html'):
+                    if (name.lower() == 'content-type' and
+                        val.startswith('text/html')):
                         _status = self.getStatusMessage(401)
                         break
 …
         Exception.__init__(self, msg, **kw)
 class SigninInterfaceInitError(SigninInterfaceError):
     """Error with initialisation of SigninInterface.  Raise from __init__"""
     errorMsg = "SigninInterface initialisation error"
 class SigninInterfaceConfigError(SigninInterfaceError):
     """Error with configuration settings.  Raise from __init__"""
     errorMsg = "SigninInterface configuration error"
 class SigninInterface(NDGSecurityMiddlewareBase):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/public/layout/default.css

-                      r6245
+                      r6440
         line-height:1.4;
         font-size: small;
+}
+.helptxt {
+    font-size: smaller;
+    background-color: #e6f0f8;
+}
+div.hidden {
+    display: none;
+}
+.helpicon
+{
+    cursor:help;
+}

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/base.html

r6202	r6440
10	10	<link rel="icon" type="image/ico"
11	11	href="${c.baseURL}/layout/favicon.jpg"/>
	12	<script type="text/javascript" src="${c.baseURL}/js/toggleDiv.js"></script>
12	13	</head>
13	14

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html

r6113	r6440
35	35	input.openid-identifier {
36	36	background: url($c.baseURL/layout/openid-inputicon.gif) no-repeat;
37		~~background-color: #fff;~~
38	37	background-position: 0 50%;
39	38	padding-left: 18px;

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py

-                      r6271
+                      r6440
                       "path [%s]", self.signoutPath)
+            referrer = environ.get('HTTP_REFERER')
+            if referrer is not None:
+                def _start_response(status, header, exc_info=None):
+                    """Alter the header to send a redirect to the logout
+                    referrer address"""
+                    filteredHeader = [(field, val) for field, val in header
+                                      if field.lower() != 'location']
+                    filteredHeader.extend([('Location', referrer)])
+                    return start_response(self.getStatusMessage(302),
+                                          filteredHeader,
+                                          exc_info)
+            else:
+                log.error('No referrer set for redirect following logout')
+                _start_response = start_response
+            # Clear user details from beaker session
+            for keyName in self.__class__.SESSION_KEYNAMES:
+                session.pop(keyName, None)
+            session.save()
+            _start_response = self._doLogout(environ, start_response, session)
         else:
             log.debug("SessionHandlerMiddleware.__call__: checking for "
                       "REMOTE_* environment variable settings set by OpenID "
                       "Relying Party signin...")
+            if SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME not in session\
+               and SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME in environ:
+                log.debug("SessionHandlerMiddleware.__call__: updating session "
+                          "username=%s", environ[
+                            SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME])
+            self._setSession(environ, session)
+            _start_response = start_response
+        return self._app(environ, _start_response)
+    def _doLogout(self, environ, start_response, session):
+        """Execute logout action,
+         - clear the beaker session
+         - set the referrer URI to redirect back to by setting a custom
+        start_response function which modifies the HTTP header setting the
+        location field for a redirect
+        @param environ: environment dictionary
+        @type environ: dict like object
+        @type start_response: function
+        @param start_response: standard WSGI start response function
+        @param session: beaker session
+        @type session: beaker.session.SessionObject
+        """
+        # Clear user details from beaker session
+        for keyName in self.__class__.SESSION_KEYNAMES:
+            session.pop(keyName, None)
+        session.save()
+        referrer = environ.get('HTTP_REFERER')
+        if referrer is not None:
+            def _start_response(status, header, exc_info=None):
+                """Alter the header to send a redirect to the logout
+                referrer address"""
+                filteredHeader = [(field, val) for field, val in header
+                                  if field.lower() != 'location']
+                filteredHeader.extend([('Location', referrer)])
+                return start_response(self.getStatusMessage(302),
+                                      filteredHeader,
+                                      exc_info)
+                session[SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME
+                        ] = environ[
+                            SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME]
+                session.save()
+            remoteUserData = environ.get(
+            return _start_response
+        else:
+            log.error('No referrer set for redirect following logout')
+            return start_response
+    def _setSession(self, environ, session):
+        """Check for REMOTE_USER and REMOTE_USER_DATA set by authentication
+        handlers and set a new session from them if present
+        @type environ: dict like object
+        @param environ: WSGI environment variables dictionary
+        @param session: beaker session
+        @type session: beaker.session.SessionObject
+        """
+        # Set user id
+        if (SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME not in session
+            and SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME in environ):
+            log.debug("SessionHandlerMiddleware.__call__: updating session "
+                      "username=%s", environ[
+                        SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME])
+            session[SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME
+                    ] = environ[
+                        SessionHandlerMiddleware.USERNAME_ENVIRON_KEYNAME]
+            session.save()
+        # Check for auxiliary user data
+        remoteUserData = environ.get(
                         SessionHandlerMiddleware.USERDATA_ENVIRON_KEYNAME, '')
+            if remoteUserData:
+                log.debug("SessionHandlerMiddleware.__call__: found "
+                          "REMOTE_USER_DATA=%s, set from OpenID Relying Party "
+                          "signin",
+                          environ[
+                              SessionHandlerMiddleware.USERDATA_ENVIRON_KEYNAME
+                          ])
+        if remoteUserData:
+            log.debug("SessionHandlerMiddleware.__call__: found "
+                      "REMOTE_USER_DATA=%s, set from OpenID Relying Party "
+                      "signin",
+                      environ[
+                          SessionHandlerMiddleware.USERDATA_ENVIRON_KEYNAME
+                      ])
+            if (SessionHandlerMiddleware.SM_URI_SESSION_KEYNAME not in
+                session or
+                SessionHandlerMiddleware.ID_SESSION_KEYNAME not in session):
                 # eval is safe here because AuthKit cookie is signed and
+                # AuthKit middleware checks for tampering
+                if (SessionHandlerMiddleware.SM_URI_SESSION_KEYNAME not in
+                    session or
+                    SessionHandlerMiddleware.ID_SESSION_KEYNAME not in session):
+                    axData = eval(remoteUserData)
+                    if (isinstance(axData, dict) and
+                        SessionHandlerMiddleware.AX_KEYNAME in axData):
+                # AuthKit middleware checks for tampering
+                axData = eval(remoteUserData)
+                if (isinstance(axData, dict) and
+                    SessionHandlerMiddleware.AX_KEYNAME in axData):
+                    ax = axData[SessionHandlerMiddleware.AX_KEYNAME]
+                    # Save attributes keyed by attribute name
+                    session[SessionHandlerMiddleware.AX_SESSION_KEYNAME
+                            ] = SessionHandlerMiddleware._parseOpenIdAX(ax)
+                    log.debug("SessionHandlerMiddleware.__call__: updated "
+                              "session with OpenID AX values: %r",
+                              session[
+                                SessionHandlerMiddleware.AX_SESSION_KEYNAME
+                              ])
+                        ax = axData[SessionHandlerMiddleware.AX_KEYNAME]
+                    # Save Session Manager specific attributes
+                    sessionManagerURI = ax.get(
+                            SessionHandlerMiddleware.SM_URI_AX_KEYNAME)
+                        # Save attributes keyed by attribute name
+                        session[
+                            SessionHandlerMiddleware.AX_SESSION_KEYNAME
+                        ] = SessionHandlerMiddleware._parseOpenIdAX(ax)
+                        log.debug("SessionHandlerMiddleware.__call__: updated "
+                                  "session with OpenID AX values: %r" %
+                                  session[
+                                    SessionHandlerMiddleware.AX_SESSION_KEYNAME
+                                  ])
+                    session[SessionHandlerMiddleware.SM_URI_SESSION_KEYNAME
+                            ] = sessionManagerURI
+                    sessionId = ax.get(
+                            SessionHandlerMiddleware.SESSION_ID_AX_KEYNAME)
+                    session[SessionHandlerMiddleware.ID_SESSION_KEYNAME
+                            ] = sessionId
+                        # Save Session Manager specific attributes
+                        sessionManagerURI = ax.get(
+                                SessionHandlerMiddleware.SM_URI_AX_KEYNAME)
+                        session[SessionHandlerMiddleware.SM_URI_SESSION_KEYNAME
+                                ] = sessionManagerURI
+                        sessionId = ax.get(
+                                SessionHandlerMiddleware.SESSION_ID_AX_KEYNAME)
+                        session[SessionHandlerMiddleware.ID_SESSION_KEYNAME
+                                ] = sessionId
+                        session.save()
+                        log.debug("SessionHandlerMiddleware.__call__: updated "
+                                  "session "
+                                  "with sessionManagerURI=%s and "
+                                  "sessionId=%s",
+                                  sessionManagerURI,
+                                  sessionId)
+                # Reset cookie removing user data
+                setUser = environ[
+                    session.save()
+                    log.debug("SessionHandlerMiddleware.__call__: updated "
+                              "session "
+                              "with sessionManagerURI=%s and "
+                              "sessionId=%s",
+                              sessionManagerURI,
+                              sessionId)
+            # Reset cookie removing user data by accessing the Auth ticket
+            # function available from environ
+            setUser = environ[
                     SessionHandlerMiddleware.AUTH_TKT_SET_USER_ENVIRON_KEYNAME]
+                setUser(
+                    session[SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME])
+            else:
+                log.debug("SessionHandlerMiddleware.__call__: REMOTE_USER_DATA "
+                          "is not set")
+            _start_response = start_response
+        return self._app(environ, _start_response)
+            setUser(session[SessionHandlerMiddleware.USERNAME_SESSION_KEYNAME])
+        else:
+            log.debug("SessionHandlerMiddleware.__call__: REMOTE_USER_DATA "
+                      "is not set")
     @staticmethod
     def _parseOpenIdAX(ax):

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

-                      r6069
+                      r6440
     PARAM_PREFIX = 'sslAuthn.'
+    # isValidCert requires special parsing of certificate when passed via a
+    # proxy
+    X509_CERT_PAT = re.compile('(\s?-----[A-Z]+\sCERTIFICATE-----\s?)|\s+')
+    # Flag to other middleware that authentication succeeded by setting this key
+    # in the environ to True.  This is done in the isValidCert method
+    AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
+                                       'ApacheSSLAuthnMiddleware.authenticated')
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
 …
         # Then, treat as a base64 encoded string decoding and passing as DER
         # format to the X.509 parser
         x509CertPat = re.compile('(\s?-----[A-Z]+\sCERTIFICATE-----\s?)|\s+')
         cert = x509CertPat.sub('', sslClientCert)
+        cert = self.__class__.X509_CERT_PAT.sub('', sslClientCert)
         derCert = base64.decodestring(cert)
         self.__clientCert = X509Cert.Parse(derCert, format=X509Cert.formatDER)
+        # Check validity time
+        if not self.__clientCert.isValidTime():
+            return False
+        # Verify against trust root if set
         if len(self.caCertStack) == 0:
             log.warning("No CA certificates set for Client certificate "
 …
                           "unexpected exception type %s: %s" % (type(e), e))
                 return False
+        # Verify against list of acceptable DNs if set
         if len(self.clientCertDNMatchList) > 0:
             dn = self.__clientCert.dn
             for expectedDN in self.clientCertDNMatchList:
                 if dn == expectedDN:
+                    self.environ[
+                        ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME
+                    ] = True
                     return True
             return False
+        self.environ[
+            ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME] = True
         return True

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/zsi.py

-                      r6069
+                      r6440
 from ndg.security.common.utils.classfactory import instantiateClass, \
     importClass
 class ZSIMiddlewareError(SOAPMiddlewareError):
     """Base class for ZSI Middleware type exceptions"""
 class ZSIMiddlewareReadError(SOAPMiddlewareReadError):
     """ZSI Middleware read error"""
 class ZSIMiddlewareConfigError(SOAPMiddlewareConfigError):
     """ZSI middleware configuration error"""
 class ZSIMiddleware(SOAPMiddleware):
 …
     SERVICE_SOAP_BINDING_PROPPREFIX_OPTNAME = 'serviceSOAPBindingPropPrefix'
     DEFAULT_SERVICE_SOAP_BINDING_PROPPREFIX_OPTNAME = \
                             'ndg.security.servier.wsgi.zsi.serviceSOAPBinding.'
+                            'ndg.security.server.wsgi.zsi.serviceSOAPBinding.'
     SERVICE_SOAP_BINDING_ENVIRON_KEYNAME_OPTNAME = \

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml

-                      r6290
+                      r6440
         <userId>ndg-user</userId>
         <validity>
             <notBefore>2010 01 11 15 49 07</notBefore>
             <notAfter>2010 01 11 23 49 07</notAfter>
+            <notBefore>2010 01 20 08 54 54</notBefore>
+            <notAfter>2010 01 20 16 54 54</notAfter>
         </validity>
         <attributes>
 …
         <provenance>original</provenance>
     </acInfo>
 <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>cs742SaTEW8PS3CCXsxLO6MicaE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Z2CdNfHi6XVUdUMKWZMvEzd2vBLJebd4NEfnetyfEAHjhZosiZ6ladn4p+tgnUXZ2ZdtnpYE3j44
+F1ceowUA5DWxaS2Gs1jhWXTZYAkgohwH9ZUUEwiN7Rtj/C8aMB0aAjxHI/X5U/J/Lrriw0MrIQ1r
 oA0AIRrGA9YByOVP1jY=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICBTCCAW6gAwIBAgICAP0wDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
+<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>s1dB/p8Cl1SmY0/Jcq+2z2biXHs=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Sw36kLKRjSro9409KGZ5YPsQrU9FcvkzwO5n3WJ1WQkgDTS2IhGHCW5OB64bL8e3Ub3gdM1WlHC4
+ybGYfPOuuVfQ4ZHHfLqQMWA9p5ALRmUTAglSt9/uTPYzc8yk7wCWHNYqMDVPHbHwy5MWyAToCHGx
+rqJRs9WgozMJMugslJk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICBTCCAW6gAwIBAgICAP0wDQYJKoZIhvcNAQEEBQAwLzEMMAoGA1UEChMDTkRH
 MQ0wCwYDVQQLEwRCQURDMRAwDgYDVQQDEwdUZXN0IENBMB4XDTA4MTIxNTE2MzUy
 NFoXDTEzMTIxNDE2MzUyNFowSjEaMBgGA1UEChMRTkRHIFNlY3VyaXR5IFRlc3Qx

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/openidrelyingparty/public/layout/default.css

-                      r6127
+                      r6440
+/* Following information on http://css.maxdesign.com.au/floatutorial/tutorial0816.htm */
+/* Entire Page Contents */
+/*
+* NDG Security OpenID Provider and Relying Party Stylesheet
+*/
 body, html {
         margin: 0;
         padding: 0;
         border: 0;
         background-color: #eee;
         color:#333333;
         font-family:Verdana, Arial, Helvetica, sans-serif;
         line-height:1.4;
         font-size:small;
+    margin: 0;
+    padding: 0;
+    border: 0;
+    background-color: #eee;
+    color:#333333;
+    font-family:Verdana, Arial, Helvetica, sans-serif;
+    line-height:1.4;
+    font-size: small;
+}
+body {
+.helptxt {
+    font-size: smaller;
+    background-color: #e6f0f8;
+}
+div.hidden {
+    display: none;
+}
+.helpicon
+{
+    cursor:help;
+}
+/*
+* Provider Attribute Exchange Request parameters
+*/
+#opAXRequestedAttributes {
+    width: 100%;
+    border-collapse: collapse;
+    background-color: #e6f0f8;
+    table-layout: auto;
+    margin-top:10px;
+    margin-bottom: 20px;
+}
+#opAXRequestedAttributes td, #opAXRequestedAttributes th
+{
+    font-size:0.9em;
+    border:1px solid #ffffff;
+    padding:3px 7px 2px 7px;
+}
+#opAXRequestedAttributes th
+{
+    font-size:1.0em;
+    text-align:left;
+    padding-top:5px;
+    padding-bottom:4px;
+    background-color: #cedbe5;
+    color: #333;
+}
 /* Top Banner Div */
 #header {
     color: #8c8c8c;
 …
     clear: both;
     margin-top:10px;
-/*    border: solid #555555;*/
     border: solid #8c8c8c;
     border-width: 0 0 2px 0;
 …
+}
-.searchBar {margin-top: 2px; background-color:  #f0f0f0; } /* Change this color and you need to change the color in the pagetab current */
-.searchBar table {padding-left:10px; padding-bottom:0px; margin:0px;font-weight:bold;}
-.searchBar .hidden {display:none}
-/* .searchOneLine {margin-top: 2px; margin-bottom: 2px; background-color: #f0f0f0; text-align:right; font-size:100%;} */
-#Header {color: black; background-color: white; text-align: center; margin-bottom: 10px; padding-top: 3px; padding-right: 0px; padding-left: 0px; padding-bottom: 0px; font-size: medium; font-weight:bold; color:white}
-#Header table {margin:0px; padding:20px;}
-/* Main Tabs First Cut */
-/* Reminder: top, right, bottom, left */
-#PageTabs {margin: 5px 0px 0px 0px; line-height:normal;border: solid black; border-width: 0px 0px 0px 0px;}
-#PageTabRow {width:100%; }
-#PageTabRow ul {margin:0 0 0 10px; padding:0; list-style:none; }
-#PageTabRow li {float:left; margin-right:10px; padding: 2px 10px; border: solid black; border-width:1px 1px 0px 1px; }
-#PageTabRow li.current {position:relative; top:1px; background-color: #f0f0f0; } /* color should be same as searchBar! */
-#PageTabRow li.hidden {}
-#PageTabRow a {display:block; text-decoration:none;}
-.line {border-top: 1px solid black; clear:both;}
-/* In page tabs */
-/* Reminder: top, right, bottom, left */
-.InPageTabs {margin: 5px 20px 0px 20px; line-height:normal; border: solid black; border-width: 0px 0px 0px 0px;}
-.InPageHdr ul {margin:0 0 0 10px; padding:0; list-style:none; }
-.InPageHdr li {float:left; margin-right:10px; padding: 2px 10px; border: solid black; border-width:1px 1px 0px 1px; }
-.InPageHdr li.current {position:relative; top:1px; background-color: #f0f0f0; } /* color should be same as searchBar! */
-.InPageHdr li.hidden {}
-.InPageHdr a {display:block; text-decoration:none;}
-.InPageContent {border:1px solid black; clear: both;}
-.InPageContent ul {list-style:none;}
-.InPageContent .hidden {display:none;}
-/* Left Column if Necessary */
-#Left{ WIDTH: 220px; FLOAT: left; margin-bottom: 10px; margin-right:10px;margin-left:5px;}
-.tabhdr { margin-top:5px; float:left; line-height:normal;}
-.tabhdr ul {margin:0; padding:0; list-style:none;}
-.tabhdr a:link {display:block; text-decoration:none; color:black; float:left; width:5em;}
-.tabhdr li {margin:0;}
-.tabhdr li.current {float:left; margin-right:3px; padding:2px 10px; background-color:#f0f0f0;
-                    border-top: 1px solid #3c78b5; border-right: 1px solid #3c78b5; border-left: 1px solid #3c78b5; position:relative;top:1px;}
-.tabhdr li.hidden {float:left; margin-right:3px; padding:2px 10px;
-    border-left:1px solid #3c78b5; border-right:1px solid #3c78b5; border-top:1px solid #3c78b5; }
-.tabcontent {padding:2px 10px; background: #f0f0f0; clear:both; border:1px solid #3c78b5;}
-.tabcontent ul {list-style:none; font-size:50%; margin-left:0; padding-left:0; }
-/* Main Content */
-#contents  {border-left: 1px solid #3c78b5;}
-#contentsRight  {border-left: 1px solid #3c78b5; margin-left:250px;}
-.error {display:block;text-align:center;font-size:150%;background-color:red; padding:10px;}
-/* The following is the css associated with pretty printing xml */
-.xmlDoc {font-size:80%}
-.xmlElem {PADDING-LEFT: 20px;}
-.xmlAttrVal {COLOR:Red; }
-.xmlAttrTyp {COLOR:Green; }
-.xmlElemTag {COLOR:Blue; }
-.highlight {BACKGROUND-COLOR:Yellow; }
-.ndgem {FONT-WEIGHT: bold}
-/* This is the "metadata" css */
-.metadata {PADDING-LEFT: 20px; font-size:80%; padding-right:20px;}
-#Corrections {PADDING-LEFT:20px; font-size:80%; padding-right:20px;}
-.metadata #keywords {COLOR: Blue; FONT-SIZE:120%; FONT-WEIGHT:bold;}
-.metaentry {COLOR: Black}
-.metadata .hidden {display:none}
 /* We don't want borders on linked images */
 a img {border: none;}
-/* StubB */
-.headingblock{background-color: #f0f0f0;border: 1px solid #3c78b5; margin:10px 60px 20px 50px; padding-top:5px;}
-/* .bottomblock{border: 1px solid #3c78b5; margin-left:5px;margin-right:5px;padding:5px;}*/
-.heading {
-    font-size: 140%;
-    font-weight: bold;
-    color: #003366;
-    padding: 4px;
-    text-align:center;
+    }
-/* top right bottom left */
-.metadata #abstract {MARGIN: 5px 20px 10px 20px; font-size:100%;  padding: 8px 8px 8px 8px; text-align:justify;}
-.metadata h4 {font-size: 120%;
-    line-height: normal;
-    font-weight: bold;
-    color: #003366;
-    padding: 2px 2px 2px 2px;
-    margin: 0px 0px 4px 0px;
+}
-.metadata table {padding-top:10px;}
-.linehead {
-    font-size: 120%;
-    line-height: normal;
-    font-weight: bold;
-    background-color: #f0f0f0;
-    color: #003366;
-    border-bottom: 1px solid #3c78b5;
-    padding: 2px 2px 2px 2px;
-    margin: 0px 0px 4px 0px;
+}
-.emphatic {font-size: 120%;
-    line-height: normal;
-    font-weight: bold;
-    background-color: #f0f0f0;
-    color: #003366;
-    border-bottom: 1px solid #3c78b5;
-    padding: 2px 2px 2px 2px;
-    margin: 0px 0px 4px 0px;
+    }
-.rowhead {
-    font-size: 100%;
-    font-weight: bold;
-    border-bottom: 1px solid #3c78b5;
+    }
-.cellhead { font-size: 100%; font-weight: bold;}
-.ndgem {font-weight:bold}
-tr.rowlo {background: #eeeeee;
-border-top:1px;
-border-bottom:1px;
-border-bottom-color:#FFFFFF;
-border-top-color:#000000;
+}
-tr.rowhi {
-border-top:1px;
-border-bottom:1px;
-border-bottom-color:#FFFFFF;
-border-top-color:#000000;
+}
-/* Selection page */
-.gsummary .hidden {display: none}
 /* And now the footer */
 #Footer  {
+#footer {
     color: #ffffff;
     background-color: #003153;
 …
+}
+/*
+* Provider Login
+*/
+#loginForm {
+    margin-bottom: 50px;
+    padding-top: 0px;
+    padding-right: 10px;
+    padding-left: 10px;
+    clear: both;
+    margin-top:25px;
+}
+/*
+* Provider Decide Page form Content
+*/
+#decideFormContent {
+    margin-top:25px;
+    margin-bottom: 50px;
+    padding-top: 0px;
+    padding-right: 10px;
+    padding-left: 10px;
+    border-width: 0 0 2px 0;
+    clear: both;
+}
+/*
+* Provider - display user OpenID in decide page interface
+*/
+#identityUriBox {
+    font-size:0.9em;
+    color: black;
+    background-color: #e6f0f8;
+    margin-top:10px;
+    margin-bottom: 20px;
+    padding-top: 10px;
+    padding-right: 10px;
+    padding-left: 7px;
+    padding-bottom: 10px;
+}
+/*
+* Provider Main page
+*/
+#mainPageContent {
+    margin-top:25px;
+    margin-bottom: 50px;
+    padding-top: 0px;
+    padding-right: 10px;
+    padding-left: 10px;
+    border-width: 0 0 2px 0;
+    clear: both;
+}
+/*
+* Provider - error page
+*/
+#errorContent {
+    margin-top:25px;
+    margin-bottom: 50px;
+    padding-top: 0px;
+    padding-right: 10px;
+    padding-left: 10px;
+    border-width: 0 0 2px 0;
+    clear: both;
+}
 #message {
     color: #8c8c8c;
 …
     border-radius: 10px 10px;
     margin: 20px;
-    /*padding: 10px 20px;*/
+}

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/authz_lite/securityservices.ini

-                      r6276
+                      r6440
 openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
 openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml
+#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml
 openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate
 #openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
+openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
 openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
 openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
 …
 # specified - see commented out entry for firstName below.  The number of
 # attributes for each attribute name defaults to 1 unless otherwise set
 authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
 authkit.openid.ax.alias.firstName=firstName
 #authkit.openid.ax.count.firstName=1
+#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
+#authkit.openid.ax.alias.firstName=firstName
+##authkit.openid.ax.count.firstName=1
 #authkit.openid.ax.required.firstName=True
+authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
+authkit.openid.ax.alias.lastName=lastName
+authkit.openid.ax.required.lastName=True
+authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
+authkit.openid.ax.alias.emailAddress=emailAddress
+authkit.openid.ax.required.emailAddress=True
+#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
+#authkit.openid.ax.alias.lastName=lastName
+#authkit.openid.ax.required.lastName=True
+#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
+#authkit.openid.ax.alias.emailAddress=emailAddress
+#authkit.openid.ax.required.emailAddress=True
+# ESG Gateway requested parameters
+authkit.openid.ax.typeuri.uuid:http://openid.net/schema/person/guid
+authkit.openid.ax.alias.uuid=uuid
+authkit.openid.ax.typeuri.username:http://openid.net/schema/namePerson/friendly
+authkit.openid.ax.alias.username=username
+authkit.openid.ax.typeuri.firstname:http://openid.net/schema/namePerson/first
+authkit.openid.ax.alias.firstname=firstname
+authkit.openid.ax.required.firstname:True
+authkit.openid.ax.typeuri.middlename:http://openid.net/schema/namePerson/middle
+authkit.openid.ax.alias.middlename=middlename
+authkit.openid.ax.typeuri.lastname:http://openid.net/schema/namePerson/last
+authkit.openid.ax.required.lastname:True
+authkit.openid.ax.alias.lastname=lastname
+authkit.openid.ax.typeuri.email:http://openid.net/schema/contact/internet/email
+authkit.openid.ax.required.email:True
+authkit.openid.ax.alias.email=email
+authkit.openid.ax.typeuri.gateway:http://www.earthsystemgrid.org/gateway
+authkit.openid.ax.alias.gateway=gateway
+authkit.openid.ax.typeuri.organization:http://openid.net/schema/company/name
+authkit.openid.ax.alias.organization=organization
+authkit.openid.ax.typeuri.city:http://openid.net/schema/contact/city/home
+authkit.openid.ax.alias.city=city
+authkit.openid.ax.typeuri.state:http://openid.net/schema/contact/state/home
+authkit.openid.ax.alias.state=state
+authkit.openid.ax.typeuri.country:http://openid.net/schema/contact/country/home
+authkit.openid.ax.alias.country=country
 [filter:SSLCientAuthnRedirectResponseFilter]

TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/sslclientauthnmiddleware/test_sslclientauthn.py

r6069	r6440
25	25	from ndg.security.common.utils.configfileparsers import \
26	26	CaseSensitiveConfigParser
27		from ndg.security.common.~~m2CryptoSSLUtility~~ import HTTPSConnection
	27	from ndg.security.common.utils.m2crypto import HTTPSConnection
28	28
29	29

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 6440

Legend:

Download in other formats: