Changeset 6673

Timestamp:

04/03/10 12:07:21 (11 years ago)

Author:

pjkersha

Message:

Started pruning trunk of old security code. None of this code is used by the current system but it remains in the code base and is still unit tested:

• NDG Attribute Certificate (replaced by SAML assertions)
• SOAP/WSDL interfaces (replaced by SAML over SOAP)
• Attribute Authority get NDG Attribute Certificate interface (replaced with SAML AttributeQuery/Response)
• Session Manager (separate web service not needed for session management, new system uses Beaker to achieve much the same thing)
• NDG Credential Wallet (SAML replacement)
• WS-Security (replaced by SSL with client Authentication). WS-Security code is now in a separate WSSecurity branch to be released as a separate egg.
• ndg.security.common.XMLSec (no digital signature needed for SAML currently but may need to be revived later. This code uses PyXML which breaks with Python >= 2.5.5. If revived it should be implemented with 4Suite-XML or ElementTree or lxml

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• .pydevproject (modified) (1 diff)
• ndg_security_common/ndg/security/common/AttCert.py (deleted)
• ndg_security_common/ndg/security/common/XMLSec.py (deleted)
• ndg_security_common/ndg/security/common/attributeauthority.py (deleted)
• ndg_security_common/ndg/security/common/authz/msi.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/authz/xacml/__init__.py (modified) (3 diffs)
• ndg_security_common/ndg/security/common/credentialwallet.py (modified) (1 diff)
• ndg_security_common/ndg/security/common/sessionmanager.py (deleted)
• ndg_security_common/ndg/security/common/wssecurity (deleted)
• ndg_security_common/ndg/security/common/xmlsec (deleted)
• ndg_security_common/ndg/security/common/zsi/attributeauthority (deleted)
• ndg_security_common/ndg/security/common/zsi/sessionmanager (deleted)
• ndg_security_server/ndg/security/server/attributeauthority.py (modified) (26 diffs)
• ndg_security_server/ndg/security/server/wsgi/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/csv.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (1 diff)

TI12-security/trunk/NDGSecurity/python/.pydevproject

@@ -3 +3 @@
 
 <pydev_project>
-<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.5</pydev_property>
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
+<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.6</pydev_property>
 </pydev_project>

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/msi.py

@@ -16 +16 @@
 import traceback
 import warnings
-from elementtree import ElementTree
+from xml.etree import ElementTree
 
 from ndg.security.common.utils import TypedList

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/authz/xacml/__init__.py

@@ -3 +3 @@
     XACML_2_0_XMLNS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
 
-    __slots__ = ('__xmlns', )
+    __slots__ = ('__xmlns', '__reader', '__writer')
 
     ELEMENT_LOCAL_NAME = None
@@ -9 +9 @@
     def __init__(self):
         self.__xmlns = PolicyComponent.XACML_2_0_XMLNS
+        self.__reader = None
+        self.__writer = None
         
     def _getXmlns(self):
@@ -25 +27 @@
     def isValidXmlns(self):
         return self.xmlns in PolicyComponent.XMLNS
+
+    def read(self, obj):
+        """Read using callable assinged to reader property"""
+        if self.__reader is None:
+            raise AttributeError('No reader set for %r' % self.__class__)
+        
+        self.__reader(self, obj)
+
+    @classmethod
+    def Read(cls, obj):
+        """Construct a new Policy""" 
+        xacmlObj = cls()
+        xacmlObj.read(obj)
+        return xacmlObj
     
-    
+    def write(self, obj):
+        """Read using callable assinged to reader property"""
+        if self.__writer is None:
+            raise AttributeError('No writer set for %r' % self.__class__)
+        
+        self.__writer(self, obj)
+        
+            
 class RequestPropertyBase(PolicyComponent):
     """Base type for Subject, Resource, Action and Environment types"""

TI12-security/trunk/NDGSecurity/python/ndg_security_common/ndg/security/common/credentialwallet.py

@@ -612 +612 @@
             
         return _dict
-
-   
-class NDGCredentialWallet(CredentialWalletBase):
-    """Volatile store of user credentials associated with a user session
-    
-    @type userX509Cert: string / M2Crypto.X509.X509 /
-    ndg.security.common.X509.X509Cert
-    @ivar userX509Cert: X.509 certificate for user (property attribute)
-    
-    @type userPriKey: string / M2Crypto.RSA.RSA 
-    @ivar userPriKey: private key for user cert (property attribute)
-    
-    @type issuingX509Cert: string / ndg.security.common.X509.X509Cert
-    @ivar issuingX509Cert: X.509 cert for issuer of user cert (property 
-    attribute)
-    
-    @type attributeAuthorityURI: string
-    @ivar attributeAuthorityURI: URI of Attribute Authority to make 
-    requests to.  Setting this ALSO creates an AttributeAuthorityClient 
-    instance _attributeAuthorityClnt.  - See attributeAuthorityURI property for
-    details. (property attribute)
-    
-    @type attributeAuthority: ndg.security.server.attributeauthority.AttributeAuthority
-    @ivar attributeAuthority: Attribute Authority to make requests to.  
-    attributeAuthorityURI takes precedence over this keyword i.e. if an
-    attributeAuthorityURI has been set, then calls are made to the AA web 
-    service at this location rather to any self.attributeAuthority running 
-    locally. (property attribute)
-    
-    @type caCertFilePathList: string (for single file), list or tuple
-    @ivar caCertFilePathList: Certificate Authority's certificates - used
-    in validation of signed Attribute Certificates and WS-Security 
-    signatures of incoming messages.  If not set here, it must
-    be input in call to getAttCert. (property attribute)
-            
-    @type credentialRepository: instance of CredentialRepository derived 
-    class
-    @ivar credentialRepository: Credential Repository instance.   (property 
-    attribute).  If not set, defaults to NullCredentialRepository type - see 
-    class below...
-
-    
-    @type mapFromTrustedHosts: bool
-    @ivar mapFromTrustedHosts sets behaviour for getAttCert().  If
-    set True and authorisation fails with the given Attribute Authority, 
-    attempt to get authorisation using Attribute Certificates issued by 
-    other trusted AAs. (property attribute)
-    
-    @type rtnExtAttCertList: bool
-    @ivar rtnExtAttCertList: behaviour for getAttCert().  If True, and 
-    authorisation fails with the given Attribute Authority, return a list 
-    of Attribute Certificates from other trusted AAs which could be used 
-    to obtain a mapped Attribute Certificate on a subsequent authorisation
-    attempt. (property attribute)
-    
-    @type attCertRefreshElapse: float / int
-    @ivar attCertRefreshElapse: used by getAttCert to determine 
-    whether to replace an existing AC in the cache with a fresh one.  If 
-    the existing one has less than attCertRefreshElapse time in seconds
-    left before expiry then replace it. (property attribute)
-    
-    @type wssCfgKw: dict
-    @ivar wssCfgKw: keywords to WS-Security SignatureHandler
-    used for Credential Wallet's SOAP interface to Attribute Authorities.
-    (property attribute)
-            
-    @type _credentialRepository: ndg.security.common.CredentialRepository or 
-    derivative
-    @ivar _credentialRepository: reference to Credential Repository object.  
-    An optional non-volatile cache for storage of wallet info which can be
-    later restored. (Don't reference directly - see equivalent property 
-    attribute)
-
-    @type _mapFromTrustedHosts: bool
-    @ivar _mapFromTrustedHosts: if true, allow a mapped attribute certificate
-    to obtained in a getAttCert call.  Set false to prevent mappings.
-    (Don't reference directly - see equivalent property attribute)
-
-    @type _rtnExtAttCertList: bool
-    @ivar _rtnExtAttCertList: if true, return a list of external attribute 
-    certificates from getAttCert call. (Don't reference directly - see 
-    equivalent property attribute)
-
-    @type __dn: ndg.security.common.X509.X500DN
-    @ivar __dn: distinguished name from user certificate.  (Don't reference 
-    directly - see equivalent property attribute)
-
-    @type _credentials: dict       
-    @ivar _credentials: Credentials are stored as a dictionary one element per
-    attribute certificate held and indexed by certificate issuer name.
-    (Don't reference directly - see equivalent property attribute)
-
-    @type _caCertFilePathList: basestring, list, tuple or None
-    @ivar _caCertFilePathList: file path(s) to CA certificates.  If None
-    then the input is quietly ignored.  See caCertFilePathList property.
-    (Don't reference directly - see equivalent property attribute)
-
-    @type _userX509Cert: ndg.security.common.X509.X509Cert
-    @ivar _userX509Cert: X.509 user certificate instance.
-    (Don't reference directly - see equivalent property attribute)
-
-    @type _issuingX509Cert: ndg.security.common.X509.X509Cert
-    @ivar _issuingX509Cert: X.509 user certificate instance.
-    (Don't reference directly - see equivalent property attribute)
- 
-    @type _userPriKey: M2Crypto.RSA.RSA
-    @ivar _userPriKey: Private key used to sign outbound message.
-    (Don't reference directly - see equivalent property attribute)
-    """
-
-    __metaclass__ = _MetaCredentialWallet
-
-    # Names that may be set in a properties file
-    propertyDefaults = dict(
-        userX509Cert=None,
-        userX509CertFilePath=None,
-        userPriKey=None,
-        userPriKeyFilePath=None,
-        issuingX509Cert=None,
-        issuingX509CertFilePath=None,
-        caCertFilePathList=[],
-        sslCACertFilePathList=[],
-        attributeAuthority=None,
-        credentialRepository=None,
-        mapFromTrustedHosts=False,
-        rtnExtAttCertList=True,
-        attCertRefreshElapse=7200
-    )
-    
-    __slots__ = dict(
-        _cfg=None,
-        _dn=None,
-        _userPriKeyPwd=None,
-        _attributeAuthorityClnt=None,
-        _attributeAuthorityURI=None,
-        sslCACertFilePathList=[],
-        wssCfgFilePath=None,
-        wssCfgSection='DEFAULT',
-        wssCfgPrefix='',
-        wssCfgKw={}
-    )
-    __slots__.update(dict([("_" + n, v) for n, v in propertyDefaults.items()]))
-    del n
-    
-    FUTURE_DEPRECATION_MSG = (
-        "This class will be deprecated in future releases.  Use "
-        "SAMLCredentialWallet and "
-        "ndg.security.common.saml_utils.binding.soap.attributequery."
-        "AttributeQuerySslSOAPbinding client interface instead for retrieving "
-        "and caching user attributes.")
-    
-    def __init__(self, 
-                 cfg=None, 
-                 cfgFileSection='DEFAULT', 
-                 cfgPrefix='', 
-                 wssCfgKw={},
-                 **kw):
-        """Create store of user credentials for their current session
-
-        @type cfg: string / ConfigParser object
-        @param cfg: if a string type, this is interpreted as the file path to
-        a configuration file, otherwise it will be treated as a ConfigParser 
-        object 
-        @type cfgSection: string
-        @param cfgSection: sets the section name to retrieve config params 
-        from
-        @type cfgPrefix: basestring
-        @param cfgPrefix: apply a prefix to all NDGCredentialWallet config 
-        params so that if placed in a file with other parameters they can be 
-        distinguished
-        @type cfgKw: dict
-        @param cfgKw: set parameters as key value pairs."""
-
-        warnings.warn(NDGCredentialWallet.FUTURE_DEPRECATION_MSG)
-        log.warning(NDGCredentialWallet.FUTURE_DEPRECATION_MSG)
-        log.debug("Calling NDGCredentialWallet.__init__ ...")
-
-        super(NDGCredentialWallet, self).__init__()
-        
-        # Initialise attributes
-        for k, v in NDGCredentialWallet.__slots__.items():
-            setattr(self, k, v)
-            
-        # Update attributes from a config file
-        if cfg:
-            self.parseConfig(cfg, section=cfgFileSection, prefix=cfgPrefix)
-
-        # Update attributes from keywords passed - set user private key
-        # password first if it's present.  This is to avoid an error setting
-        # the private key
-        self.userPriKeyPwd = kw.pop('userPriKeyPwd', None)
-        for k, v in kw.items():
-            setattr(self, k, v)
-
-        # Get the distinguished name from the user certificate
-        if self._userX509Cert:
-            self._dn = self._userX509Cert.dn.serialise()
-
-        # Make a connection to the Credentials Repository
-        if self._credentialRepository is None:
-            log.info('Applying default CredentialRepository %r for user '
-                     '"%s"' % (NullCredentialRepository, self.userId))
-            self._credentialRepository = NullCredentialRepository()
-        else:
-            log.info('Checking CredentialRepository for credentials for user '
-                     '"%s"' % self.userId)
-            
-            if not issubclass(self._credentialRepository, CredentialRepository):
-                raise CredentialWalletError("Input Credential Repository "
-                                            "instance must be of a class "
-                                            "derived from "
-                                            "\"CredentialRepository\"")
-    
-       
-            # Check for valid attribute certificates for the user
-            try:
-                self._credentialRepository.auditCredentials(self.userId)
-                userCred=self._credentialRepository.getCredentials(self.userId)
-    
-            except Exception, e:
-                log.error("Error updating wallet with credentials from "
-                          "repository: %s" % e)
-                raise
-    
-    
-            # Update wallet with attribute certificates stored in the 
-            # repository.  Store ID and certificate instantiated as an AttCert
-            # type
-            try:
-                for cred in userCred: 
-                    attCert = AttCert.Parse(cred.attCert)
-                    issuerName = attCert['issuerName']
-                    
-                    self.credentials[issuerName] = {'id':cred.id, 
-                                                     'attCert':attCert}    
-            except Exception, e:
-                try:
-                    raise CredentialWalletError("Error parsing Attribute "
-                        "Certificate ID '%s' retrieved from the " 
-                        "Credentials Repository: %s" % (cred.id, e))            
-                except:
-                    raise CredentialWalletError("Error parsing Attribute "
-                                          "Certificate retrieved from the "
-                                          "Credentials Repository: %s:" % e)
-            
-            # Filter out expired or otherwise invalid certificates
-            self.audit()
-    
-    def __getstate__(self):
-        '''Enable pickling for use with beaker.session'''
-        _dict = super(NDGCredentialWallet, self).__getstate__()
-        
-        for attrName in NDGCredentialWallet.__slots__:
-            # Ugly hack to allow for derived classes setting private member
-            # variables
-            if attrName.startswith('__'):
-                attrName = "_NDGCredentialWallet" + attrName
-                
-            _dict[attrName] = getattr(self, attrName)
-            
-        return _dict
-        
-    def parseConfig(self, cfg, prefix='', section='DEFAULT'):
-        '''Extract parameters from cfg config object'''
-        
-        if isinstance(cfg, basestring):
-            cfgFilePath = os.path.expandvars(cfg)
-            self._cfg = None
-        else:
-            cfgFilePath = None
-            self._cfg = cfg
-            
-        # Configuration file properties are held together in a dictionary
-        readAndValidate = INIPropertyFileWithValidation()
-        prop = readAndValidate(cfgFilePath,
-                               cfg=self._cfg,
-                               validKeys=NDGCredentialWallet.propertyDefaults,
-                               prefix=prefix,
-                               sections=(section,))
-        
-        # Keep a copy of config for use by WS-Security SignatureHandler parser
-        if self._cfg is None:
-            self._cfg = readAndValidate.cfg
-        
-        # Copy prop dict into object attributes - __slots__ definition and 
-        # property methods will ensure only the correct attributes are set
-        # Set user private key password first if it's present.  This is to 
-        # avoid an error setting the private key
-        self.userPriKeyPwd = prop.pop('userPriKeyPwd', None)
-        for key, val in prop.items():
-            setattr(self, key, val)
-
-
-    def _getAttCertRefreshElapse(self):
-        """Get property method for Attribute Certificate wallet refresh time
-        @rtype: float or int
-        @return: "elapse time in seconds"""
-        return self._attCertRefreshElapse
-    
-    def _setAttCertRefreshElapse(self, val):
-        """Set property method for Attribute Certificate wallet refresh time
-        @type val: float or int
-        @param val: "elapse time in seconds"""
-        if isinstance(val, (float, int)):
-            self._attCertRefreshElapse = val
-            
-        elif isinstance(val, basestring):
-            self._attCertRefreshElapse = float(val)
-        else:
-            raise AttributeError("Expecting int, float or string type input "
-                                 "for attCertRefreshElapse")
-            
-    attCertRefreshElapse = property(fget=_getAttCertRefreshElapse, 
-                                    fset=_setAttCertRefreshElapse,
-                                    doc="If an existing one has AC less than "
-                                        "attCertRefreshElapse time in seconds "
-                                        "left before expiry then replace it")
-    
-    def _setX509Cert(self, cert):
-        """filter and convert input cert to signing verifying cert set 
-        property methods.  For signingCert, set to None if it is not to be
-        included in the SOAP header.  For verifyingCert, set to None if this
-        cert can be expected to be retrieved from the SOAP header of the 
-        message to be verified
-        
-        @type: ndg.security.common.X509.X509Cert / M2Crypto.X509.X509 /
-        string or None
-        @param cert: X.509 certificate.  
-        
-        @rtype ndg.security.common.X509.X509Cert
-        @return X.509 certificate object"""
-        
-        if cert is None or isinstance(cert, X509Cert):
-            # ndg.security.common.X509.X509Cert type / None
-            return cert
-            
-        elif isinstance(cert, X509.X509):
-            # M2Crypto.X509.X509 type
-            return X509Cert(m2CryptoX509=cert)
-            
-        elif isinstance(cert, basestring):
-            return X509Cert.Parse(cert)
-        
-        else:
-            raise AttributeError("X.509 Cert. must be type: "
-                                 "ndg.security.common.X509.X509Cert, "
-                                 "M2Crypto.X509.X509 or a base64 encoded "
-                                 "string")
-
-    def _setUserX509Cert(self, userX509Cert):
-        "Set property method for X.509 user cert."
-        self._userX509Cert = self._setX509Cert(userX509Cert)       
-
-    def _getUserX509Cert(self):
-        """Get user cert X509Cert instance"""
-        return self._userX509Cert
-
-    userX509Cert = property(fget=_getUserX509Cert,
-                            fset=_setUserX509Cert,
-                            doc="X.509 user certificate instance")
- 
-    def _setUserX509CertFilePath(self, filePath):
-        "Set user X.509 cert file path property method"
-        
-        if isinstance(filePath, basestring):
-            filePath = os.path.expandvars(filePath)
-            self._userX509Cert = X509Cert.Read(filePath)
-            
-        elif filePath is not None:
-            raise AttributeError("User X.509 cert. file path must be a valid "
-                                 "string")
-        
-        self._userX509CertFilePath = filePath
-                
-    userX509CertFilePath = property(fset=_setUserX509CertFilePath,
-                                    doc="File path to user X.509 cert.")
-    
-    def _setIssuingX509Cert(self, issuingX509Cert):
-        "Set property method for X.509 user cert."
-        self._issuingX509Cert = self._setX509Cert(issuingX509Cert)
-        
-    def _getIssuingX509Cert(self):
-        """Get user cert X509Cert instance"""
-        return self._issuingX509Cert
-
-    issuingX509Cert = property(fget=_getIssuingX509Cert,
-                               fset=_setIssuingX509Cert,
-                               doc="X.509 user certificate instance")
- 
-    def _setIssuerX509CertFilePath(self, filePath):
-        "Set user X.509 cert file path property method"
-        
-        if isinstance(filePath, basestring):
-            filePath = os.path.expandvars(filePath)
-            self._issuerX509Cert = X509Cert.Read(filePath)
-            
-        elif filePath is not None:
-            raise AttributeError("User X.509 cert. file path must be a valid "
-                                 "string")
-        
-        self._issuerX509CertFilePath = filePath
-                
-    issuerX509CertFilePath = property(fset=_setIssuerX509CertFilePath,
-                                      doc="File path to user X.509 cert. "
-                                          "issuing cert.")     
-
-    def _getUserPriKey(self):
-        "Get method for user private key"
-        return self._userPriKey
-    
-    def _setUserPriKey(self, userPriKey):
-        """Set method for user private key
-        
-        Nb. if input is a string, userPriKeyPwd will need to be set if
-        the key is password protected.
-        
-        @type userPriKey: M2Crypto.RSA.RSA / string
-        @param userPriKey: private key used to sign message"""
-        
-        if userPriKey is None:
-            self._userPriKey = None
-        elif isinstance(userPriKey, basestring):
-            pwdCallback = lambda *ar, **kw: self._userPriKeyPwd
-            self._userPriKey = RSA.load_key_string(userPriKey,
-                                                   callback=pwdCallback)
-        elif isinstance(userPriKey, RSA.RSA):
-            self._userPriKey = userPriKey          
-        else:
-            raise AttributeError("user private key must be a valid "
-                                 "M2Crypto.RSA.RSA type or a string")
-                
-    userPriKey = property(fget=_getUserPriKey,
-                          fset=_setUserPriKey,
-                          doc="User private key if set, used to sign outbound "
-                              "messages to Attribute authority")
-
-    def _setUserPriKeyFilePath(self, filePath):
-        "Set user private key file path property method"
-        
-        if isinstance(filePath, basestring):
-            filePath = os.path.expandvars(filePath)
-            try:
-                # Read Private key to sign with    
-                priKeyFile = BIO.File(open(filePath)) 
-                pwdCallback = lambda *ar, **kw: self._userPriKeyPwd
-                self._userPriKey = RSA.load_key_bio(priKeyFile, 
-                                                    callback=pwdCallback)    
-            except Exception, e:
-                raise AttributeError("Setting user private key: %s" % e)
-        
-        elif filePath is not None:
-            raise AttributeError("Private key file path must be a valid "
-                                 "string or None")
-        
-        self._userPriKeyFilePath = filePath
-        
-    userPriKeyFilePath = property(fset=_setUserPriKeyFilePath,
-                                  doc="File path to user private key")
- 
-    def _setUserPriKeyPwd(self, userPriKeyPwd):
-        "Set method for user private key file password"
-        if userPriKeyPwd is not None and not isinstance(userPriKeyPwd, 
-                                                        basestring):
-            raise AttributeError("Signing private key password must be None "
-                                 "or a valid string")
-        
-        # Explicitly convert to string as M2Crypto OpenSSL wrapper fails with
-        # unicode type
-        self._userPriKeyPwd = str(userPriKeyPwd)
-
-    def _getUserPriKeyPwd(self):
-        "Get property method for user private key"
-        return self._userPriKeyPwd
-        
-    userPriKeyPwd = property(fset=_setUserPriKeyPwd,
-                             fget=_getUserPriKeyPwd,
-                             doc="Password protecting user private key file")
-        
-    def _getCACertFilePathList(self):
-        """Get CA cert or certs used to validate AC signatures and signatures
-        of peer SOAP messages.
-        
-        @rtype caCertFilePathList: basestring, list or tuple
-        @return caCertFilePathList: file path(s) to CA certificates."""
-        return self._caCertFilePathList
-    
-    def _setCACertFilePathList(self, caCertFilePathList):
-        """Set CA cert or certs to validate AC signatures, signatures
-        of Attribute Authority SOAP responses and SSL connections where 
-        AA SOAP service is run over SSL.
-        
-        @type caCertFilePathList: basestring, list, tuple or None
-        @param caCertFilePathList: file path(s) to CA certificates.  If None
-        then the input is quietly ignored."""
-        
-        if isinstance(caCertFilePathList, basestring):
-           self._caCertFilePathList = [caCertFilePathList]
-           
-        elif isinstance(caCertFilePathList, list):
-           self._caCertFilePathList = caCertFilePathList
-           
-        elif isinstance(caCertFilePathList, tuple):
-           self._caCertFilePathList = list(caCertFilePathList)
-
-        elif caCertFilePathList is not None:
-            raise TypeError('Expecting string/list/tuple or None type for '
-                            '"caCertFilePathList"; got %r type' % 
-                            type(caCertFilePathList))      
-        
-    caCertFilePathList = property(fget=_getCACertFilePathList,
-                                  fset=_setCACertFilePathList,
-                                  doc="CA Certificates - used for "
-                                      "verification of AC and SOAP message "
-                                      "signatures")
-
-    def _getAttributeAuthorityURI(self):
-        return self._attributeAuthorityURI
-
-    def _setAttributeAuthorityURI(self, value):
-        """String or None type are allowed - The URI may be set to None to 
-        flag that a local Attribute Authority instance is being invoked rather
-        one hosted via a remote URI
-        """
-        if not isinstance(value, (basestring, type(None))):
-            raise TypeError('Expecting string or None type for '
-                            '"attributeAuthorityURI"; got %r instead' % 
-                            type(value))
-            
-        self._attributeAuthorityURI = value
-         
-        if value is not None:     
-            # Re-initialize local instance
-            self._attributeAuthority = NDGCredentialWallet.propertyDefaults[
-                                                        'attributeAuthority']
-
-    attributeAuthorityURI = property(fget=_getAttributeAuthorityURI,
-                                     fset=_setAttributeAuthorityURI,
-                                     doc="Attribute Authority address - "
-                                         "setting also sets up "
-                                         "AttributeAuthorityClient instance!")
-
-    def _getAttributeAuthority(self):
-        """Get property method for Attribute Authority Web Service client
-        instance.  Use attributeAuthorityURI propert to set up 
-        attributeAuthorityClnt
-        
-        @rtype attributeAuthority: ndg.security.server.attributeauthority.AttributeAuthority
-        @return attributeAuthority: Attribute Authority instance"""
-        return self._attributeAuthority
-
-    def _setAttributeAuthority(self, attributeAuthority):
-        """Set property method for Attribute Authority Web Service instance to
-        connect to.  This method ALSO RESETS attributeAuthorityURI - the 
-        address of a remote Attribute Authority - to None
-        
-        @type attributeAuthority: ndg.security.server.attributeauthority.AttributeAuthority
-        @param attributeAuthority: Attribute Authority instance.
-        """
-        if not isinstance(attributeAuthority, (AttributeAuthority, type(None))):
-            raise AttributeError("Expecting %r or None type for "
-                                 "\"attributeAuthority\" attribute; got %r" % 
-                                 (AttributeAuthority, type(attributeAuthority)))
-            
-        self._attributeAuthority = attributeAuthority
-        
-        # Re-initialize setting for remote service
-        self.attributeAuthorityURI = None
-            
-    attributeAuthority = property(fget=_getAttributeAuthority,
-                                  fset=_setAttributeAuthority, 
-                                  doc="Attribute Authority instance")
-
-
-    def _getMapFromTrustedHosts(self):
-        """Get property method for boolean flag - if set to True it allows
-        role mapping to be attempted when connecting to an Attribute Authority
-        
-        @type mapFromTrustedHosts: bool
-        @param mapFromTrustedHosts: set to True to try role mapping in AC 
-        requests to Attribute Authorities"""
-        return self._mapFromTrustedHosts
-
-    def _setMapFromTrustedHosts(self, mapFromTrustedHosts):
-        """Set property method for boolean flag - if set to True it allows
-        role mapping to be attempted when connecting to an Attribute Authority
-        
-        @type mapFromTrustedHosts: bool
-        @param mapFromTrustedHosts: Attribute Authority Web Service."""
-        if not isinstance(mapFromTrustedHosts, bool):
-            raise AttributeError("Expecting %r for mapFromTrustedHosts "
-                                 "attribute" % bool)
-            
-        self._mapFromTrustedHosts = mapFromTrustedHosts
-            
-    mapFromTrustedHosts = property(fget=_getMapFromTrustedHosts,
-                                   fset=_setMapFromTrustedHosts, 
-                                   doc="Set to True to enable mapped AC "
-                                       "requests")
-
-    def _getRtnExtAttCertList(self):
-        """Get property method for Attribute Authority Web Service client
-        instance.  Use rtnExtAttCertListURI propert to set up 
-        rtnExtAttCertListClnt
-        
-        @type rtnExtAttCertList: bool
-        @param rtnExtAttCertList: """
-        return self._rtnExtAttCertList
-
-    def _setRtnExtAttCertList(self, rtnExtAttCertList):
-        """Set property method for boolean flag - when a AC request fails,
-        return a list of candidate ACs that could be used to re-try with in
-        order to get mapped AC.
-        
-        @type rtnExtAttCertList: bool
-        @param rtnExtAttCertList: set to True to configure getAttCert to return
-        a list of ACs that could be used in a re-try to get a mapped AC from 
-        the target Attribute Authority."""
-        if not isinstance(rtnExtAttCertList, bool):
-            raise AttributeError("Expecting %r for rtnExtAttCertList "
-                                 "attribute" % bool)
-            
-        self._rtnExtAttCertList = rtnExtAttCertList
-            
-    rtnExtAttCertList = property(fget=_getRtnExtAttCertList,
-                                 fset=_setRtnExtAttCertList, 
-                                 doc="Set to True to enable mapped AC "
-                                     "requests")
-
-    def isValid(self, **x509CertKeys):
-        """Check wallet's user cert.  If expired return False
-        
-        @type **x509CertKeys: dict
-        @param **x509CertKeys: keywords applying to 
-        ndg.security.common.X509.X509Cert.isValidTime method"""
-        if self._userX509Cert is not None:
-            return self._userX509Cert.isValidTime(**x509CertKeys)
-        else:
-            log.warning("NDGCredentialWallet.isValid: no user certificate set in "
-                        "wallet")
-            return True
-
-    def addCredential(self, 
-                      attCert, 
-                      attributeAuthorityURI=None,
-                      bUpdateCredentialRepository=True):
-        """Add a new attribute certificate to the list of credentials held.
-
-        @type attCert:
-        @param attCert: new attribute Certificate to be added
-        @type attributeAuthorityURI: basestring
-        @param attributeAuthorityURI: input the Attribute Authority URI from
-        which attCert was retrieved.  This is added to a dict to enable access
-        to a given Attribute Certificate keyed by Attribute Authority URI. 
-        See the getCredential method.
-        @type bUpdateCredentialRepository: bool
-        @param bUpdateCredentialRepository: if set to True, and a repository 
-        exists it will be updated with the new credentials also
-        
-        @rtype: bool
-        @return: True if certificate was added otherwise False.  - If an
-        existing certificate from the same issuer has a later expiry it will
-        take precedence and the new input certificate is ignored."""
-
-        # Check input
-        if not isinstance(attCert, AttCert):
-            raise CredentialWalletError("Credential must be an %r type object" %
-                                        AttCert)
-            
-        # Check certificate validity
-        try:
-            attCert.isValid(raiseExcep=True)
-            
-        except AttCertError, e:
-            raise CredentialWalletError("Adding Credential: %s" % e)
-
-        # Check to see if there is an existing Attribute Certificate held
-        # that was issued by the same host.  If so, compare the expiry time.
-        # The one with the latest expiry will be retained and the other
-        # ingored
-        bUpdateCred = True
-        issuerName = attCert['issuerName']
-        
-        if issuerName in self.credentials:
-            # There is an existing certificate held with the same issuing
-            # host name as the new certificate
-            attCertOld = self.credentials[issuerName].credential
-
-            # Get expiry times in datetime format to allow comparison
-            dtAttCertOldNotAfter = attCertOld.getValidityNotAfter(\
-                                                            asDatetime=True)
-            dtAttCertNotAfter = attCert.getValidityNotAfter(asDatetime=True)
-
-            # If the new certificate has an earlier expiry time then ignore it
-            bUpdateCred = dtAttCertNotAfter > dtAttCertOldNotAfter
-
-                
-        if bUpdateCred:
-            thisCredential = CredentialContainer(AttCert)
-            thisCredential.credential = attCert
-            thisCredential.issuerName = issuerName
-            thisCredential.attributeAuthorityURI = attributeAuthorityURI
-            
-            self.credentials[issuerName] = thisCredential 
-            
-            if attributeAuthorityURI:
-                self.credentialsKeyedByURI[
-                    attributeAuthorityURI] = thisCredential
-            
-            # Update the Credentials Repository - the permanent store of user
-            # authorisation credentials.  This allows credentials for previous
-            # sessions to be re-instated
-            if self._credentialRepository and bUpdateCredentialRepository:
-                self.updateCredentialRepository()
-
-        # Flag to caller to indicate whether the input certificate was added
-        # to the credentials or an exsiting certificate from the same issuer
-        # took precedence
-        return bUpdateCred
-            
-
-    def audit(self):
-        """Check the credentials held in the wallet removing any that have
-        expired or are otherwise invalid."""
-
-        log.debug("NDGCredentialWallet.audit ...")
-        
-        # Nb. No signature check is carried out.  To do a check, access is
-        # needed to the cert of the CA that issued the Attribute Authority's
-        # cert
-        #
-        # P J Kershaw 12/09/05
-        for key, val in self.credentials.items():
-            if not val.credential.isValid(chkSig=False):
-                del self.credentials[key]
-
-    def updateCredentialRepository(self, auditCred=True):
-        """Copy over non-persistent credentials held by wallet into the
-        perminent repository.
-        
-        @type auditCred: bool
-        @param auditCred: filter existing credentials in the repository
-        removing invalid ones"""
-
-        log.debug("NDGCredentialWallet.updateCredentialRepository ...")
-        
-        if not self._credentialRepository:
-            raise CredentialWalletError("No Credential Repository has been "
-                                        "created for this wallet")
-                            
-        # Filter out invalid certs unless auditCred flag is explicitly set to
-        # false
-        if auditCred: self.audit()
-
-        # Update the database - only add new entries i.e. with an ID of -1
-        attCertList = [i.credential for i in self.credentials.values() 
-                       if i.id == -1]
-
-        self._credentialRepository.addCredentials(self.userId, attCertList)
-
-    def _createAttributeAuthorityClnt(self, attributeAuthorityURI):
-        """Set up a client to an Attribute Authority with the given URI
-        
-        @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: Attribute Authority Web Service URI.
-
-        @rtype: ndg.security.common.attributeauthority.AttributeAuthorityClient
-        @return: new Attribute Authority client instance"""
-
-        log.debug('NDGCredentialWallet._createAttributeAuthorityClnt for '
-                  'service: "%s"' % attributeAuthorityURI)
-
-        attributeAuthorityClnt = AttributeAuthorityClient(
-                            uri=attributeAuthorityURI,
-                            sslCACertFilePathList=self.sslCACertFilePathList,
-                            cfg=self.wssCfgFilePath or self._cfg,
-                            cfgFileSection=self.wssCfgSection,
-                            cfgFilePrefix=self.wssCfgPrefix,
-                            **(self.wssCfgKw or {}))
-        
-        # If a user certificate is set, use this to sign messages instead of
-        # the default settings in the WS-Security config.  
-        if attributeAuthorityClnt.signatureHandler is not None and \
-           self.userPriKey is not None:
-            if self.issuingX509Cert is not None:
-                # Pass a chain of certificates - 
-                # Initialise WS-Security signature handling to pass 
-                # BinarySecurityToken containing user cert and cert for user 
-                # cert issuer 
-                attributeAuthorityClnt.signatureHandler.reqBinSecTokValType = \
-                            SignatureHandler.binSecTokValType["X509PKIPathv1"]
-                attributeAuthorityClnt.signatureHandler.signingCertChain = (
-                                    self.issuingX509Cert, self.userX509Cert)                
-
-                attributeAuthorityClnt.signatureHandler.signingPriKey = \
-                                                            self.userPriKey
-            elif self.userX509Cert is not None:
-                # Pass user cert only - no need to pass a cert chain.  
-                # This type of token is more likely to be supported by the 
-                # various WS-Security toolkits
-                attributeAuthorityClnt.signatureHandler.reqBinSecTokValType = \
-                                    SignatureHandler.binSecTokValType["X509v3"]
-                attributeAuthorityClnt.signatureHandler.signingCert = \
-                                                            self.userX509Cert
-
-                attributeAuthorityClnt.signatureHandler.signingPriKey = \
-                                                            self.userPriKey
-
-        return attributeAuthorityClnt
-
-
-    def _getAttCert(self, 
-                    attributeAuthorityURI=None, 
-                    attributeAuthority=None,
-                    extAttCert=None):       
-        """Wrapper to Attribute Authority attribute certificate request.  See
-        getAttCert for the classes' public interface.
-        
-        If successful, a new attribute certificate is issued to the user
-        and added into the wallet
-        
-        @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: to call as a web service, specify the URI 
-        for the Attribute Authority.
-        
-        @type attributeAuthority: ndg.security.server.attributeauthority.AttributeAuthority
-        @param attributeAuthority: Alternative to attributeAuthorityURI - to 
-        run on the local machine, specify a local Attribute Authority 
-        instance.
-
-        @type extAttCert: ndg.security.common.AttCert.AttCert
-        @param extAttCert: an existing Attribute Certificate which can 
-        be used to making a mapping should the user not be registered with the
-        Attribute Authority"""
-      
-        log.debug("NDGCredentialWallet._getAttCert ...")
-        
-        
-        # If a user cert. is present, ignore the user ID setting.  The
-        # Attribute Authority will set the userId field of the 
-        # Attribute Certificate based on the DN of the user certificate
-        if self.userX509Cert:
-            userId = str(self.userX509Cert.dn)
-        else:
-            userId = self.userId
-            
-        if attributeAuthority is not None and \
-           attributeAuthorityURI is not None:
-            raise KeyError("Both attributeAuthorityURI and attributeAuthority "
-                           "keywords have been set")
-        
-        if attributeAuthority is None:
-            attributeAuthority = self.attributeAuthority
-            
-        if attributeAuthorityURI is None:
-            attributeAuthorityURI = self.attributeAuthorityURI
-            
-        # Set a client alias according to whether the Attribute Authority is
-        # being called locally or as a remote service
-        if attributeAuthorityURI is not None:
-            # Call Remote Service at given URI
-            aaInterface = self._createAttributeAuthorityClnt(
-                                                        attributeAuthorityURI)                            
-            log.debug('NDGCredentialWallet._getAttCert for remote Attribute '
-                      'Authority service: "%s" ...' % attributeAuthorityURI)
-                
-        elif attributeAuthority is not None:
-            # Call local based Attribute Authority with settings from the 
-            # configuration file attributeAuthority
-            aaInterface = attributeAuthority
-            log.debug('NDGCredentialWallet._getAttCert for local Attribute '
-                      'Authority: "%r" ...' % attributeAuthority)
-        else:
-            raise CredentialWalletError("Error requesting attribute: "
-                                        "certificate a URI or Attribute "
-                                        "Authority instance must be specified")
-        
-        try:
-            # Request a new attribute certificate from the Attribute
-            # Authority
-            attCert = aaInterface.getAttCert(userId=userId,
-                                             userAttCert=extAttCert)
-            
-            log.info('Granted Attribute Certificate from issuer DN = "%s"'%
-                     attCert.issuerDN)
-            
-        except (AttributeAuthorityAccessDenied, AttributeRequestDenied), e:
-            # AttributeAuthorityAccessDenied is raised if 
-            # aaInterface is a local AA instance and 
-            # AttributeRequestDenied is raised for a client to a remote AA
-            # service
-            raise CredentialWalletAttributeRequestDenied(str(e))
-                    
-        except Exception, e:
-            raise CredentialWalletError("Requesting attribute certificate: %s"%
-                                        e)
-
-        # Update attribute Certificate instance with CA's certificate ready 
-        # for signature check in addCredential()
-        if self._caCertFilePathList is None:
-            raise CredentialWalletError("No CA certificate has been set")
-        
-        attCert.certFilePathList = self._caCertFilePathList
-
-        
-        # Add credential into wallet
-        #
-        # Nb. if the certificates signature is invalid, it will be rejected
-        log.debug("Adding credentials into wallet...")
-        self.addCredential(attCert)
-        
-        return attCert
-
-    def _getAAHostInfo(self, 
-                       attributeAuthority=None,
-                       attributeAuthorityURI=None):
-        """Wrapper to Attribute Authority getHostInfo
-        
-        _getAAHostInfo([attributeAuthority=f|attributeAuthorityURI=u])
-                   
-        @type userRole: string
-        @param userRole: get hosts which have a mapping to this role
-        
-        @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: to call as a web service, specify the URI
-        for the Attribute Authority.
-        
-        @type attributeAuthority: string
-        @param attributeAuthority: Alternative to attributeAuthorityURI - to 
-        run on the local machine, specify the local Attribute Authority 
-        instance.
-        """
-
-        if attributeAuthority is None:
-            attributeAuthority = self.attributeAuthority
-            
-        if attributeAuthorityURI is None:
-            attributeAuthorityURI = self.attributeAuthorityURI
-        
-        log.debug('NDGCredentialWallet._getAAHostInfo for service: "%s" ...' % 
-                  attributeAuthorityURI or attributeAuthority)
-            
-        # Set a client alias according to whether the Attribute Authority is
-        # being called locally or asa remote service
-        if attributeAuthorityURI is not None:
-            # Call Remote Service at given URI
-            attributeAuthorityClnt = self._createAttributeAuthorityClnt(
-                                                    attributeAuthorityURI)
-
-        elif attributeAuthority is not None:
-            # Call local based Attribute Authority with settings from the 
-            # configuration file attributeAuthority
-            attributeAuthorityClnt = attributeAuthority
-            
-        else:
-            raise CredentialWalletError("Error requesting trusted hosts info: " 
-                                        "a URI or Attribute Authority " 
-                                        "configuration file must be specified")
-            
-        try:
-            # Request a new attribute certificate from the Attribute
-            # Authority
-            return attributeAuthorityClnt.getHostInfo()
-            
-        except Exception, e:
-            log.error("Requesting host info: %s" % e)
-            raise
-
-    def _getAATrustedHostInfo(self, 
-                              userRole=None,
-                              attributeAuthority=None,
-                              attributeAuthorityURI=None):
-        """Wrapper to Attribute Authority getTrustedHostInfo
-        
-        _getAATrustedHostInfo([userRole=r, ][attributeAuthority=f|
-                              attributeAuthorityURI=u])
-                   
-        @type userRole: string
-        @param userRole: get hosts which have a mapping to this role
-        
-        @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: to call as a web service, specify the URI 
-        for the Attribute Authority.
-        
-        @type attributeAuthority: string
-        @param attributeAuthority: Alternative to attributeAuthorityURI - to 
-        run on the local machine, specify the local Attribute Authority 
-        instance.
-        """
-
-        if attributeAuthority is None:
-            attributeAuthority = self.attributeAuthority
-            
-        if attributeAuthorityURI is None:
-            attributeAuthorityURI = self.attributeAuthorityURI
-        
-        log.debug('NDGCredentialWallet._getAATrustedHostInfo for role "%s" and '
-                  'service: "%s" ...' % (userRole, 
-                                attributeAuthorityURI or attributeAuthority))
-            
-        # Set a client alias according to whether the Attribute Authority is
-        # being called locally or asa remote service
-        if attributeAuthorityURI is not None:
-            # Call Remote Service at given URI
-            attributeAuthorityClnt = self._createAttributeAuthorityClnt(
-                                                    attributeAuthorityURI)
-
-        elif attributeAuthority is not None:
-            # Call local based Attribute Authority with settings from the 
-            # configuration file attributeAuthority
-            attributeAuthorityClnt = attributeAuthority
-            
-        else:
-            raise CredentialWalletError("Error requesting trusted hosts info: " 
-                                        "a URI or Attribute Authority " 
-                                        "configuration file must be specified")
-            
-        try:
-            # Request a new attribute certificate from the Attribute
-            # Authority
-            return attributeAuthorityClnt.getTrustedHostInfo(role=userRole)
-            
-        except Exception, e:
-            log.error("Requesting trusted host info: %s" % e)
-            raise
-
-    def getAttCert(self,
-                   reqRole=None,
-                   attributeAuthority=None,
-                   attributeAuthorityURI=None,
-                   mapFromTrustedHosts=None,
-                   rtnExtAttCertList=None,
-                   extAttCertList=None,
-                   extTrustedHostList=None,
-                   refreshAttCert=False,
-                   attCertRefreshElapse=None):
-        
-        """Get an Attribute Certificate from an Attribute Authority.  If this 
-        fails try to make a mapped Attribute Certificate by using a certificate 
-        from another host which has a trust relationship to the Attribute 
-        Authority in question.
-
-        getAttCert([reqRole=r, ][attributeAuthority=a|attributeAuthorityURI=u,]
-                   [mapFromTrustedHosts=m, ]
-                   [rtnExtAttCertList=e, ][extAttCertList=el, ]
-                   [extTrustedHostList=et, ][refreshAttCert=ra])
-                  
-        The procedure is:
-
-        1) Try attribute request using user certificate
-        2) If the Attribute Authority (AA) doesn't recognise the certificate,
-        find out any other hosts which have a trust relationship to the AA.
-        3) Look for Attribute Certificates held in the wallet corresponding
-        to these hosts.
-        4) If no Attribute Certificates are available, call the relevant
-        hosts' AAs to get certificates
-        5) Finally, use these new certificates to try to obtain a mapped
-        certificate from the original AA
-        6) If this fails access is denied      
-                    
-        @type reqRole: string
-        @param reqRole: the required role to get access for
-        
-        @type attributeAuthorityURI: string
-        @param attributeAuthorityURI: to call as a web service, specify the URI
-        for the Attribute Authority.
-        
-        @type attributeAuthority: string
-        @param attributeAuthority: Altenrative to attributeAuthorityURI - to 
-        run on the local machine, specify a local Attribute Authority 
-        instance.
-                                
-        @type mapFromTrustedHosts: bool / None     
-        @param mapFromTrustedHosts: if request fails via the user's cert
-        ID, then it is possible to get a mapped certificate by using 
-        certificates from other AA's.  Set this flag to True, to allow this 
-        second stage of generating a mapped certificate from the certificate 
-        stored in the wallet credentials.
-
-        If set to False, it is possible to return the list of certificates 
-        available for mapping and then choose which one or ones to use for
-        mapping by re-calling getAttCert with extAttCertList set to these 
-        certificates.
-        
-        Defaults to None in which case self._mapFromTrustedHosts is not 
-        altered
-
-        The list is returned via CredentialWalletAttributeRequestDenied 
-        exception.  If no value is set, the default value held in 
-        self.mapFromTrustedHosts is used
-
-        @type rtnExtAttCertList: bool / None
-        @param rtnExtAttCertList: If request fails, make a list of 
-        candidate certificates from other Attribute Authorities which the user
-        could use to retry and get a mapped certificate.
-                                
-        If mapFromTrustedHosts is set True this flags value is overriden and 
-        effectively set to True.
-
-        If no value is set, the default value held in self._rtnExtAttCertList
-        is used.
-                                
-        The list is returned via a CredentialWalletAttributeRequestDenied 
-        exception object.
-                                
-        @type extAttCertList: list
-        @param extAttCertList: Attribute Certificate or list of certificates
-        from other Attribute Authorities.  These can be used to get a mapped 
-        certificate if access fails based on the user's certificate
-        credentials.  They are tried out in turn until access is granted so 
-        the order of the list decides the order in which they will be tried
-
-        @type extTrustedHostList:
-        @param extTrustedHostList: same as extAttCertList keyword, but 
-        instead of providing Attribute Certificates, give a list of Attribute 
-        Authority hosts.  These will be matched up to Attribute Certificates 
-        held in the wallet.  Matching certificates will then be used to try to
-        get a mapped Attribute Certificate.
-        
-        @type refreshAttCert: bool
-        @param refreshAttCert: if set to True, the attribute request 
-        will go ahead even if the wallet already contains an Attribute 
-        Certificate from the target Attribute Authority.  The existing AC in 
-        the wallet will be replaced by the new one obtained from this call.
-                                
-        If set to False, this method will check to see if an AC issued by the 
-        target AA already exists in the wallet.  If so, it will return this AC
-        to the caller without proceeding to make a call to the AA.
-        
-        @type attCertRefreshElapse: float / int
-        @param attCertRefreshElapse: determine whether to replace an 
-        existing AC in the cache with a fresh one.  If the existing one has 
-        less than attCertRefreshElapse time in seconds left before expiry then
-        replace it.
-        
-        @rtype: ndg.security.common.AttCert.AttCert
-        @return: Attribute Certificate retrieved from Attribute Authority"""
-        
-        log.debug("NDGCredentialWallet.getAttCert ...")
-        
-        # Both these assignments are calling set property methods implicitly!
-        if attributeAuthorityURI:
-            self.attributeAuthorityURI = attributeAuthorityURI
-            
-        if attributeAuthority is not None:
-            self.attributeAuthority = attributeAuthority
-           
-        if not refreshAttCert and self.credentials:
-            # Refresh flag is not set so it's OK to check for any existing
-            # Attribute Certificate in the wallet whose issuerName match the 
-            # target AA's name
-            
-            # Find out the site ID for the target AA by calling AA's host
-            # info WS method
-            log.debug("NDGCredentialWallet.getAttCert - check AA site ID ...")
-            try:
-                hostInfo = self._getAAHostInfo()
-                aaName = hostInfo.keys()[0]
-            except Exception, e:
-                raise CredentialWalletError("Getting host info: %s" % e)
-            
-            # Look in the wallet for an AC with the same issuer name
-            if aaName in self.credentials:
-                # Existing Attribute Certificate found in wallet - Check that 
-                # it will be valid for at least the next 2 hours
-                if attCertRefreshElapse is not None:
-                    self.attCertRefreshElapse = attCertRefreshElapse
-                    
-                dtNow = datetime.utcnow() + \
-                        timedelta(seconds=self.attCertRefreshElapse)
-                
-                attCert = self.credentials[aaName]['attCert']
-                if attCert.isValidTime(dtNow=dtNow):
-                    log.info("Retrieved an existing %s AC from the wallet" % 
-                             aaName)
-                    return attCert
-                      
-        # Check for settings from input, if not set use previous settings
-        # made
-        if mapFromTrustedHosts is not None:
-            self.mapFromTrustedHosts = mapFromTrustedHosts
-
-        if rtnExtAttCertList is not None:
-            self.rtnExtAttCertList = rtnExtAttCertList
-
-        # Check for list of external trusted hosts (other trusted NDG data 
-        # centres)
-        if extTrustedHostList:
-            log.info("Checking for ACs in wallet matching list of trusted "
-                     "hosts set: %s" % extTrustedHostList)
-            
-            if not self.mapFromTrustedHosts:
-                raise CredentialWalletError("A list of trusted hosts has been " 
-                                      "input but mapping from trusted hosts "
-                                      "is set to disallowed")
-            
-            if isinstance(extTrustedHostList, basestring):
-                extTrustedHostList = [extTrustedHostList]
-
-            # Nb. Any extAttCertList is overriden by extTrustedHostList being
-            # set
-            extAttCertList = [self.credentials[hostName]['attCert'] 
-                              for hostName in extTrustedHostList 
-                              if hostName in self.credentials]
-
-        # Set an empty list to trigger an AttributeError by initialising it to
-        # None
-        if extAttCertList == []:
-            extAttCertList = None
-            
-        # Repeat authorisation attempts until succeed or means are exhausted
-        while True:
-            
-            # Check for candidate certificates for mapping
-            try:
-                # If list is set get the next cert
-                extAttCert = extAttCertList.pop()
-
-            except AttributeError:
-                log.debug("No external Attribute Certificates - trying "
-                          "request without mapping...")
-                # No List set - attempt request without
-                # using mapping from trusted hosts
-                extAttCert = None
-                            
-            except IndexError:
-                
-                # List has been emptied without attribute request succeeding -
-                # give up
-                errMsg = ("Attempting to obtained a mapped certificate: "
-                          "no external attribute certificates are available")
-                    
-                # Add the exception form the last call to the Attribute
-                # Authority if an error exists
-                try:
-                    errMsg += ": %s" % attributeRequestDenied
-                except NameError:
-                    pass
-
-                raise CredentialWalletAttributeRequestDenied(errMsg)
-                                                    
-                
-            # Request Attribute Certificate from Attribute Authority
-            try:
-                attCert = self._getAttCert(extAttCert=extAttCert)                
-                # Access granted
-                return attCert
-            
-            except CredentialWalletAttributeRequestDenied, \
-                   attributeRequestDenied:
-                if not self.mapFromTrustedHosts and not self.rtnExtAttCertList:
-                    log.debug("Creating a mapped certificate option is not "
-                              "set - raising "
-                              "CredentialWalletAttributeRequestDenied "
-                              "exception saved from earlier")
-                    raise attributeRequestDenied
-
-                if isinstance(extAttCertList, list):
-                    # An list of attribute certificates from trusted hosts
-                    # is present continue cycling through this until one of
-                    # them is accepted and a mapped certificate can be derived
-                    log.debug("AC request denied - but external ACs available "
-                              "to try mapped AC request ...")
-                    continue
-                             
-                #  Use the input required role and the AA's trusted host list
-                # to identify attribute certificates from other hosts which
-                # could be used to make a mapped certificate
-                log.debug("Getting a list of trusted hosts for mapped AC "
-                          "request ...")
-                try:
-                    trustedHostInfo = self._getAATrustedHostInfo(reqRole)
-                    
-                except NoMatchingRoleInTrustedHosts, e:
-                    raise CredentialWalletAttributeRequestDenied(
-                        'Can\'t get a mapped Attribute Certificate for '
-                        'the "%s" role' % reqRole)
-                
-                except Exception, e:
-                    raise CredentialWalletError("Getting trusted hosts: %s"%e)
-
-                if not trustedHostInfo:
-                    raise CredentialWalletAttributeRequestDenied(
-                        "Attribute Authority has no trusted hosts with "
-                        "which to make a mapping")
-
-                # Initialise external certificate list here - if none are
-                # found IndexError will be raised on the next iteration and
-                # an access denied error will be raised
-                extAttCertList = []
-
-                # Look for Attribute Certificates with matching issuer host
-                # names
-                log.debug("Checking wallet for ACs issued by one of the "
-                          "trusted hosts...")
-                for hostName in self.credentials:
-
-                    # Nb. Candidate certificates for mappings must have
-                    # original provenance and contain at least one of the
-                    # required roles
-                    attCert = self.credentials[hostName].credential
-                    
-                    if hostName in trustedHostInfo and attCert.isOriginal():                        
-                        for role in attCert.roles:
-                            if role in trustedHostInfo[hostName]['role']:                                
-                                extAttCertList.append(attCert)
-
-                if not extAttCertList:
-                    log.debug("No wallet ACs matched any of the trusted "
-                              "hosts.  - Try request for an AC from a "
-                              "trusted host ...")
-                    
-                    # No certificates in the wallet matched the trusted host
-                    # and required roles
-                    #
-                    # Try each host in turn in order to get a certificate with
-                    # the required credentials in order to do a mapping
-                    for host, info in trustedHostInfo.items():
-                        try:
-                            # Try request to trusted host
-                            extAttCert = self._getAttCert(
-                                        attributeAuthorityURI=info['aaURI'])
-
-                            # Check the certificate contains at least one of
-                            # the required roles
-                            if [True for r in extAttCert.roles 
-                                if r in info['role']]:
-                               extAttCertList.append(extAttCert)
-
-                               # For efficiency, stop once obtained a valid
-                               # cert - but may want complete list for user to
-                               # choose from
-                               #break
-                               
-                        except Exception, e:
-                            # ignore any errors and continue
-                            log.warning('AC request to trusted host "%s"' 
-                                        ' resulted in: %s' % (info['aaURI'],e))
-                            
-                if not extAttCertList:                        
-                    raise CredentialWalletAttributeRequestDenied(
-                        "No certificates are available with which to "
-                        "make a mapping to the Attribute Authority")
-
-
-                if not self.mapFromTrustedHosts:
-                    
-                    # Exit here returning the list of candidate certificates
-                    # that could be used to make a mapped certificate
-                    msg = ("User is not registered with Attribute "
-                           "Authority - retry using one of the returned "
-                           "Attribute Certificates obtained from other " 
-                           "trusted hosts")
-                          
-                    raise CredentialWalletAttributeRequestDenied(msg,
-                                            extAttCertList=extAttCertList,
-                                            trustedHostInfo=trustedHostInfo)
         
         

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py

@@ -29 +29 @@
 
 from ndg.saml.utils import SAMLDateTime
-from ndg.saml.saml2.core import (Response, Assertion, Attribute, AttributeStatement,
-                             SAMLVersion, Subject, NameID, Issuer, Conditions,
-                             AttributeQuery, XSStringAttributeValue, Status, 
-                             StatusCode, StatusMessage)
+from ndg.saml.saml2.core import (Response, Assertion, Attribute, 
+                                 AttributeStatement, SAMLVersion, Subject, 
+                                 NameID, Issuer, Conditions, AttributeQuery, 
+                                 XSStringAttributeValue, Status, 
+                                 StatusCode, StatusMessage)
 
 from ndg.security.common.saml_utils.esg import EsgSamlNamespaces
@@ -39 +40 @@
 from ndg.security.common.utils.configfileparsers import (
     CaseSensitiveConfigParser)
-    
-# X.509 Certificate handling
-from ndg.security.common.X509 import X509Cert, X500DN
-
-# NDG Attribute Certificate
-from ndg.security.common.AttCert import AttCert
 
 
@@ -91 +86 @@
     keywords for the Attribute Interface plugin
     
-    @type mapConfigHostDefaults: dict
-    @cvar mapConfigHostDefaults: valid configuration property 
-    keywords for the Map Configuration XML Host element
-    
     @type DEFAULT_CONFIG_DIRNAME: string
     @cvar DEFAULT_CONFIG_DIRNAME: configuration directory under $NDGSEC_DIR - 
@@ -117 +108 @@
     DEFAULT_PROPERTY_FILENAME = "attributeAuthority.cfg"
     ATTRIBUTE_INTERFACE_KEYNAME = 'attributeInterface'
-    CONFIG_LIST_SEP_PAT = re.compile(',\W*')
+    CONFIG_LIST_SEP_PAT = re.compile(',\s*')
     
     attributeInterfacePropertyDefaults = {
@@ -130 +121 @@
     propertyDefaults = { 
         'name':                         '',
-        'signingCertFilePath':          '',
-        'signingPriKeyFilePath':        '',
-        'signingPriKeyPwd':             None,
-        'caCertFilePathList':           [],
         'attCertLifetime':              -1,
         'attCertNotBeforeOff':          0.,
         'clockSkew':                    timedelta(seconds=0.),
-        'attCertFileName':              '',
-        'attCertFileLogCnt':            0,
-        'mapConfigFilePath':            '',
-        'attCertDir':                   '',
         'dnSeparator':                  '/',
         ATTRIBUTE_INTERFACE_KEYNAME:    attributeInterfacePropertyDefaults
@@ -167 +150 @@
         self.__propFileSection = 'DEFAULT'
         self.__propPrefix = ''
-        
-        # Initialise role mapping look-ups - These are set in readMapConfig()
-        self.__mapConfig = None
-        self.__localRole2RemoteRole = None
-        self.__remoteRole2LocalRole = None
-        
+                
         self.__cert = None
         
@@ -184 +162 @@
         self.__attributeInterfaceCfg = {}
 
-    def _getMapConfig(self):
-        return self.__mapConfig
-
     def _getCert(self):
         return self.__cert
@@ -196 +171 @@
         return self.__issuerSerialNumber
 
-    def _getAttCertLog(self):
-        return self.__attCertLog
-
     def _getName(self):
         return self.__name
@@ -211 +183 @@
         return self.__clockSkew
 
-    def _getAttCertDir(self):
-        return self.__attCertDir
-
     def _getAttributeInterface(self):
         return self.__attributeInterface
-
-    def _getTrustedHostInfo(self):
-        return self.__trustedHostInfo
 
     def _setCert(self, value):
@@ -236 +202 @@
         self.__issuerSerialNumber = value
 
-    def _setAttCertLog(self, value):
-        if not isinstance(value, AttCertLog):
-            raise TypeError('Expecting %r type for "attCertLog"; got %r' %
-                            (AttCertLog, type(value)))
-        self.__attCertLog = value
-
     def _setName(self, value):
         if not isinstance(value, basestring):
@@ -278 +238 @@
                             '"clockSkew"; got %r' % type(value))
 
-    def _setAttCertDir(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "attCertDir"; got %r' % 
-                            type(value))
-
-        # Check directory path
-        try:
-            dirList = os.listdir(value)
-
-        except OSError, osError:
-            raise AttributeAuthorityConfigError('Invalid directory path for '
-                                                'Attribute Certificates store '
-                                                '"%s": %s' % 
-                                                (value, osError.strerror))
-        self.__attCertDir = value
-
     def _setAttributeInterface(self, value):
         if not isinstance(value, AttributeInterface):
@@ -301 +245 @@
             
         self.__attributeInterface = value
-
-    def _setTrustedHostInfo(self, value):
-        self.__trustedHostInfo = value
 
     def _get_caCertFilePathList(self):
@@ -324 +265 @@
                                       "used to validate an Attribute "
                                       "Certificate")
-    
-    def _get_signingCertFilePath(self):
-        return self.__signingCertFilePath
-    
-    def _set_signingCertFilePath(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "signingCertFilePath"; '
-                            'got %r' % type(value))
-        self.__signingCertFilePath = value
-         
-    signingCertFilePath = property(fget=_get_signingCertFilePath, 
-                                   fset=_set_signingCertFilePath,
-                                   doc="X.509 certificate used for Attribute "
-                                       "certificate signature")
-    
-    def _get_signingPriKeyFilePath(self):
-        return self.__signingPriKeyFilePath
-    
-    def _set_signingPriKeyFilePath(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for '
-                            '"signingPriKeyFilePath"; got %r' % type(value))
-        self.__signingPriKeyFilePath = value
-         
-    signingPriKeyFilePath = property(fget=_get_signingPriKeyFilePath, 
-                                     fset=_set_signingPriKeyFilePath,
-                                     doc="File Path for private key used to "
-                                         "sign Attribute certificate")
-    
-    def _get_signingPriKeyPwd(self):
-        return self.__signingPriKeyPwd
-    
-    def _set_signingPriKeyPwd(self, value):
-        if not isinstance(value, (type(None), basestring)):
-            raise TypeError('Expecting string or None type for '
-                            '"signingPriKeyPwd"; got %r' % type(value))
-        self.__signingPriKeyPwd = value
-         
-    signingPriKeyPwd = property(fget=_get_signingPriKeyPwd, 
-                                fset=_set_signingPriKeyPwd,
-                                doc="Password for private key file used to "
-                                    "for Attribute certificate signature")
 
     def _get_attributeInterfaceCfg(self):
@@ -373 +272 @@
                                      doc="Settings for Attribute Interface "
                                          "initialisation")
-    
-    def _get_attCertFileName(self):
-        return self.__attCertFileName
-    
-    def _set_attCertFileName(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for "attCertFileName"; got '
-                            '%r' % type(value))
-            
-        self.__attCertFileName = value
-         
-    attCertFileName = property(fget=_get_attCertFileName, 
-                                fset=_set_attCertFileName,
-                                doc="Attribute certificate file name for log "
-                                    "initialisation")
-    
-    def _get_attCertFileLogCnt(self):
-        return self.__attCertFileLogCnt
-    
-    def _set_attCertFileLogCnt(self, value):
-        if isinstance(value, int):
-            self.__attCertFileLogCnt = value
-        elif isinstance(value, basestring):
-            self.__attCertFileLogCnt = int(value)
-        else:
-            raise TypeError('Expecting int or string type for '
-                            '"attCertFileLogCnt"; got %r' % type(value))
-         
-    attCertFileLogCnt = property(fget=_get_attCertFileLogCnt, 
-                                 fset=_set_attCertFileLogCnt,
-                                 doc="Counter for Attribute Certificate log "
-                                     "rotating file handler")
     
     def _get_dnSeparator(self):
@@ -419 +286 @@
                            doc="Distinguished Name separator character used "
                                "with X.509 Certificate issuer certificate")
-            
-    def _getMapConfigFilePath(self):
-        return self.__mapConfigFilePath
-    
-    def _setMapConfigFilePath(self, val):
-        if not isinstance(val, basestring):
-            raise AttributeAuthorityConfigError("Input Map Configuration "
-                                                "file path must be a "
-                                                "valid string.")
-        self.__mapConfigFilePath = val
-          
-    mapConfigFilePath = property(fget=_getMapConfigFilePath,
-                                 fset=_setMapConfigFilePath,
-                                 doc="File path for Role Mapping "
-                                     "configuration") 
 
     def setPropFilePath(self, val=None):
@@ -542 +394 @@
                           fget=getPropPrefix,
                           doc="Set a prefix for ini file properties")   
-    
-    mapConfig = property(fget=_getMapConfig, 
-                         doc="MapConfig object")
 
     cert = property(fget=_getCert, 
@@ -557 +406 @@
                                   fset=_setIssuerSerialNumber, 
                                   doc="Issuer Serial Number")
-
-    attCertLog = property(fget=_getAttCertLog,
-                          fset=_setAttCertLog, 
-                          doc="Attribute certificate logging object")
 
     name = property(fget=_getName, 
@@ -580 +425 @@
                              " Query issueInstant parameter check")
 
-    attCertDir = property(fget=_getAttCertDir, 
-                          fset=_setAttCertDir, 
-                          doc="Attribute certificate log directory")
-
     attributeInterface = property(fget=_getAttributeInterface, 
                                   fset=_setAttributeInterface,
@@ -589 +430 @@
 
     name = property(fget=_getName, fset=_setName, doc="Organisation Name")
-
-    trustedHostInfo = property(fget=_getTrustedHostInfo, 
-                               fset=_setTrustedHostInfo, 
-                               doc="Dictionary of trusted organisations")
         
     @classmethod
@@ -630 +467 @@
         return attributeAuthority
 
-        
     @classmethod
     def fromProperties(cls, propPrefix='attributeauthority.', 
@@ -697 +533 @@
         
         attCertFilePath = os.path.join(self.attCertDir, self.attCertFileName)
-                
-        # Rotating file handler used for logging attribute certificates 
-        # issued.
-        self.attCertLog = AttCertLog(attCertFilePath,
-                                     backUpCnt=self.attCertFileLogCnt)
 
     def setProperties(self, **prop):
@@ -774 +605 @@
                                              objectType=AttributeInterface,
                                              classProperties=classProperties)
-
-    def getAttCert(self,
-                   userId=None,
-                   holderX509Cert=None,
-                   holderX509CertFilePath=None,
-                   userAttCert=None,
-                   userAttCertFilePath=None):
-
-        """Request a new Attribute Certificate for use in authorisation
-
-        getAttCert([userId=uid][holderX509Cert=x509Cert|
-                    holderX509CertFilePath=x509CertFile, ]
-                   [userAttCert=cert|userAttCertFilePath=certFile])
-         
-        @type userId: string
-        @param userId: identifier for the user who is entitled to the roles
-        in the certificate that is issued.  If this keyword is omitted, then
-        the userId will be set to the DN of the holder.
-        
-        holder = the holder of the certificate - an inidividual user or an
-        organisation to which the user belongs who vouches for that user's ID
-        
-        userId = the identifier for the user who is entitled to the roles
-        specified in the Attribute Certificate that is issued.
-                  
-        @type holderX509Cert: string / ndg.security.common.X509.X509Cert type
-        @param holderX509Cert: base64 encoded string containing proxy cert./
-        X.509 cert object corresponding to the ID who will be the HOLDER of
-        the Attribute Certificate that will be issued.  - Normally, using
-        proxy certificates, the holder and user ID are the same but there
-        may be cases where the holder will be an organisation ID.  This is the
-        case for NDG security with the DEWS project
-        
-        @param holderX509CertFilePath: string
-        @param holderX509CertFilePath: file path to proxy/X.509 certificate of 
-        candidate holder
-      
-        @type userAttCert: string or AttCert type
-        @param userAttCert: externally provided attribute certificate from 
-        another data centre.  This is only necessary if the user is not 
-        registered with this attribute authority. 
-                       
-        @type userAttCertFilePath: string 
-        @param userAttCertFilePath: alternative to userAttCert except pass 
-        in as a file path to an attribute certificate instead.
-        
-        @rtype: AttCert
-        @return: new attribute certificate"""
-
-        log.debug("Calling getAttCert ...")
-        
-        # Read candidate Attribute Certificate holder's X.509 certificate
-        try:
-            if holderX509CertFilePath is not None:
-                                    
-                # Certificate input as a file 
-                holderX509Cert = X509Cert()
-                holderX509Cert.read(holderX509CertFilePath)
-                
-            elif isinstance(holderX509Cert, basestring):
-
-                # Certificate input as string text
-                holderX509Cert = X509Cert.Parse(holderX509Cert)
-                
-            elif not isinstance(holderX509Cert, (X509Cert, None.__class__)):
-                raise AttributeAuthorityError("Holder X.509 Certificate must "
-                                              "be set to valid type: a file "
-                                              "path, string, X509 object or "
-                                              "None")            
-        except Exception, e:
-            log.error("Holder X.509 certificate: %s" % e)
-            raise
-
-
-        # Check certificate hasn't expired
-        if holderX509Cert:
-            log.debug("Checking candidate holder X.509 certificate ...")
-            try:
-                holderX509Cert.isValidTime(raiseExcep=True)
-                
-            except Exception, e:
-                log.error("User X.509 certificate is invalid: " + e)
-                raise
-
-            
-        # If no user ID is input, set id from holder X.509 certificate DN
-        # instead
-        if not userId:
-            if not holderX509Cert:
-                raise AttributeAuthorityError("If no user ID is set a holder "
-                                              "X.509 certificate must be "
-                                              "present")
-            try:
-                userId = holderX509Cert.dn.serialise(\
-                                         separator=self.dnSeparator) 
-            except Exception, e:
-                log.error("Setting user Id from holder certificate DN: %s" % e)
-                raise
-       
-        # Make a new Attribute Certificate instance passing in certificate
-        # details for later signing
-        attCert = AttCert()
-
-        # First certificate in list contains the public key corresponding to 
-        # the private key
-        attCert.certFilePathList = [self.signingCertFilePath] + \
-                                                                self.caCertFilePathList
-             
-        # Check for expiry of each certificate                   
-        for x509Cert in attCert.certFilePathList:
-            X509Cert.Read(x509Cert).isValidTime(raiseExcep=True)
-                                                                
-        attCert.signingKeyFilePath = self.signingPriKeyFilePath
-        attCert.signingKeyPwd = self.signingPriKeyPwd
-        
-        
-        # Set holder's Distinguished Name if a holder X.509 certificate was 
-        # input 
-        if holderX509Cert:
-            try:
-                attCert['holder'] = holderX509Cert.dn.serialise(
-                                        separator=self.dnSeparator)            
-            except Exception, e:
-                 log.error("Holder X.509 Certificate DN: %s" % e)
-                 raise
-            
-        # Set Issuer details from Attribute Authority
-        issuerDN = self.cert.dn
-        try:
-            attCert['issuer'] = \
-                    issuerDN.serialise(separator=self.dnSeparator)            
-        except Exception, e:
-            log.error("Issuer X.509 Certificate DN: %s" % e)
-            raise 
-           
-        attCert['issuerName'] = self.name
-        attCert['issuerSerialNumber'] = self.issuerSerialNumber
-
-        attCert['userId'] = userId
-        
-        # Set validity time
-        try:
-            attCert.setValidityTime(
-                        lifetime=self.attCertLifetime,
-                        notBeforeOffset=self.attCertNotBeforeOff)
-
-            # Check against the holder X.509 certificate's expiry if set
-            if holderX509Cert:
-                dtHolderCertNotAfter = holderX509Cert.notAfter
-                
-                if attCert.getValidityNotAfter(asDatetime=True) > \
-                   dtHolderCertNotAfter:
-    
-                    # Adjust the attribute certificate's expiry date time
-                    # so that it agrees with that of the certificate
-                    # ... but also make ensure that the not before skew is 
-                    # still applied
-                    attCert.setValidityTime(dtNotAfter=dtHolderCertNotAfter,
-                            notBeforeOffset=self.attCertNotBeforeOff)
-            
-        except Exception, e:
-            log.error("Error setting attribute certificate validity time: %s" %
-                      e)
-            raise 
-
-        # Check name is registered with this Attribute Authority - if no
-        # user roles are found, the user is not registered
-        userRoles = self.getRoles(userId)
-        if userRoles:
-            # Set as an Original Certificate
-            #
-            # User roles found - user is registered with this data centre
-            # Add roles for this user for this data centre
-            attCert.addRoles(userRoles)
-
-            # Mark new Attribute Certificate as an original
-            attCert['provenance'] = AttCert.origProvenance
-
-        else:            
-            # Set as a Mapped Certificate
-            #
-            # No roles found - user is not registered with this data centre
-            # Check for an externally provided certificate from another
-            # trusted data centre
-            if userAttCertFilePath:
-                
-                # Read externally provided certificate
-                try:
-                    userAttCert = AttCert.Read(userAttCertFilePath)
-                    
-                except Exception, e:
-                    raise AttributeAuthorityError("Reading external Attribute "
-                                                  "Certificate: %s" % e)                           
-            elif userAttCert:
-                # Allow input as a string but convert to 
-                if isinstance(userAttCert, basestring):
-                    userAttCert = AttCert.Parse(userAttCert)
-                    
-                elif not isinstance(userAttCert, AttCert):
-                    raise AttributeAuthorityError(
-                        "Expecting userAttCert as a string or AttCert type")        
-            else:
-                raise AttributeAuthorityAccessDenied('User "%s" is not '
-                    'registered and no external attribute certificate is '
-                    'available to make a mapping.' % userId)
-
-
-            # Check it's an original certificate - mapped certificates can't
-            # be used to make further mappings
-            if userAttCert.isMapped():
-                raise AttributeAuthorityError("External Attribute Certificate "
-                                              "must have an original "
-                                              "provenance in order "
-                                              "to make further mappings.")
-
-
-            # Check it's valid and signed
-            try:
-                # Give path to CA cert to allow check
-                userAttCert.certFilePathList = self.caCertFilePathList
-                userAttCert.isValid(raiseExcep=True)
-                
-            except Exception, e:
-                raise AttributeAuthorityError("Invalid Remote Attribute "
-                                        "Certificate: " + str(e))       
-
-
-            # Check that's it's holder matches the candidate holder 
-            # certificate DN
-            if holderX509Cert and userAttCert.holderDN != holderX509Cert.dn:
-                raise AttributeAuthorityError("User certificate and Attribute "
-                                        'Certificate DNs don\'t match: "%s"'
-                                        ' and "%s"' % (holderX509Cert.dn, 
-                                                       userAttCert.holderDN))
-            
-  
-            # Get roles from external Attribute Certificate
-            trustedHostRoles = userAttCert.roles
-
-
-            # Map external roles to local ones
-            localRoles = self.mapRemoteRoles2LocalRoles(
-                                                    userAttCert['issuerName'],
-                                                    trustedHostRoles)
-            if not localRoles:
-                raise AttributeAuthorityAccessDenied("No local roles mapped "
-                                               "to the %s roles: %s" % 
-                                               (userAttCert['issuerName'], 
-                                                ', '.join(trustedHostRoles)))
-
-            attCert.addRoles(localRoles)
-            
-            
-            # Mark new Attribute Certificate as mapped
-            attCert.provenance = AttCert.mappedProvenance
-
-            # Copy the user Id from the external AC
-            attCert.userId = userAttCert.userId
-            
-            # End set mapped certificate block
-
-        try:
-            # Digitally sign certificate using Attribute Authority's
-            # certificate and private key
-            attCert.applyEnvelopedSignature()
-            
-            # Check the certificate is valid
-            attCert.isValid(raiseExcep=True)
-            
-            # Write out certificate to keep a record of it for auditing
-            #attCert.write()
-            self.__attCertLog.info(attCert)
-            
-            log.info('Issued an Attribute Certificate to "%s" with roles: '
-                     '"%s"' % (userId, '", "'.join(attCert.roles)))
-
-            # Return the cert to caller
-            return attCert
-        
-        except Exception, e:
-            raise AttributeAuthorityError('New Attribute Certificate "%s": %s'%
-                                          (attCert.filePath, e))
 
     def samlAttributeQuery(self, attributeQuery):
@@ -1175 +724 @@
 
         return samlResponse
-    
-    def readMapConfig(self):
-        """Parse Map Configuration file.
-        """
-        log.debug("Reading map configuration file ...")
-        
-        try:
-            tree = ElementTree.parse(self.mapConfigFilePath)
-            rootElem = tree.getroot()
-            
-        except IOError, e:
-            raise AttributeAuthorityConfigError('Error parsing Map '
-                                                'Configuration file "%s": %s' % 
-                                                (e.filename, e.strerror))          
-        except Exception, e:
-            raise AttributeAuthorityConfigError('Error parsing Map '
-                                                'Configuration file: "%s": %s'% 
-                                                (self.mapConfigFilePath, e))
-       
-        trustedElem = rootElem.findall('trusted')
-        if not trustedElem: 
-            # Make an empty list so that for loop block below is skipped 
-            # without an error  
-            trustedElem = ()
-
-        # Dictionaries:
-        # 1) to hold all the data
-        self.__mapConfig = {'thisHost': {}, 'trustedHosts': {}}
-
-        # ... look-up
-        # 2) hosts corresponding to a given role and
-        # 3) roles of external data centre to this data centre
-        self.__localRole2TrustedHost = {}
-        self.__localRole2RemoteRole = {}
-        self.__remoteRole2LocalRole = {}
-
-        # Information about this host
-        try:
-            thisHostElem = rootElem.findall('thisHost')[0]
-            
-        except Exception, e:
-            raise AttributeAuthorityConfigError('"thisHost" tag not found in '
-                                                'Map Configuration file "%s"' % 
-                                                self.mapConfigFilePath)
-
-        try:
-            hostName = thisHostElem.attrib.values()[0]
-            
-        except Exception, e:
-            raise AttributeAuthorityConfigError('"name" attribute of '
-                                                '"thisHost" element not found '
-                                                'in Map Configuration file '
-                                                '"%s"' % 
-                                                self.mapConfigFilePath)
-
-        # hostname is also stored in the AA's config file in the 'name' tag.  
-        # Check the two match as the latter is copied into Attribute 
-        # Certificates issued by this AA
-        #
-        # TODO: would be better to rationalise this so that the hostname is 
-        # stored in one place only.
-        #
-        # P J Kershaw 14/06/06
-        if hostName != self.name:
-            raise AttributeAuthorityError('"name" attribute of "thisHost" '
-                                          'element in Map Configuration file '
-                                          'doesn\'t match "name" element in '
-                                          'properties file.')
-        
-        # Information for THIS Attribute Authority
-        self.__mapConfig['thisHost'][hostName] = {}
-
-        for k, v in AttributeAuthority.mapConfigHostDefaults.items():
-            val = thisHostElem.findtext(k)
-            if val is None and v == NotImplemented:
-                raise AttributeAuthorityConfigError('<thisHost> option <%s> '
-                                                    'must be set.' % k)
-            self.__mapConfig['thisHost'][hostName][k] = val     
-        
-        # Information about trusted hosts
-        for elem in trustedElem:
-            try:
-                trustedHost = elem.attrib.values()[0]
-                
-            except Exception, e:
-                raise AttributeAuthorityConfigError('Error reading trusted '
-                                                    'host name: %s' % e)
- 
-            # Add signatureFile and list of roles
-            #
-            # (Currently Optional) additional tag allows query of the URI
-            # where a user would normally login at the trusted host.  Added
-            # this feature to allow users to be forwarded to their home site
-            # if they are accessing a secure resource and are not 
-            # authenticated
-            #
-            # P J Kershaw 25/05/06
-            self.__mapConfig['trustedHosts'][trustedHost] = {}
-            for k, v in AttributeAuthority.mapConfigHostDefaults.items():
-                val = thisHostElem.findtext(k)
-                if val is None and v == NotImplemented:
-                    raise AttributeAuthorityConfigError('<trustedHost> option '
-                                                        '<%s> must be set.'%k)
-                    
-                self.__mapConfig['trustedHosts'][trustedHost][k] = \
-                                                        elem.findtext(k)   
-
-            roleElem = elem.findall('role')
-            if roleElem:
-                # Role keyword value requires special parsing before 
-                # assignment
-                self.__mapConfig['trustedHosts'][trustedHost]['role'] = \
-                                        [dict(i.items()) for i in roleElem]
-            else:
-                # It's possible for trust relationships to not contain any 
-                # role mapping.  e.g. a site's login service trusting other
-                # sites login requests
-                self.__mapConfig['trustedHosts'][trustedHost]['role'] = []
-                       
-            self.__localRole2RemoteRole[trustedHost] = {}
-            self.__remoteRole2LocalRole[trustedHost] = {}
-            
-            for role in self.__mapConfig['trustedHosts'][trustedHost]['role']:
-                try:
-                    localRole = role['local']
-                    remoteRole = role['remote']
-                except KeyError, e:
-                    raise AttributeAuthorityError('Reading map configuration '
-                                                  ' file "%s": no element '
-                                                  '"%s" for host "%s"' % 
-                                                (self.mapConfigFilePath, 
-                                                 e, 
-                                                 trustedHost))
-                    
-                # Role to host look-up
-                if localRole in self.__localRole2TrustedHost:
-                    
-                    if trustedHost not in \
-                       self.__localRole2TrustedHost[localRole]:
-                        self.__localRole2TrustedHost[localRole].\
-                                                        append(trustedHost)                        
-                else:
-                    self.__localRole2TrustedHost[localRole] = [trustedHost]
-
-
-                # Trusted Host to local role and trusted host to trusted role
-                # map look-ups
-                try:
-                    self.__remoteRole2LocalRole[trustedHost][remoteRole].\
-                                                            append(localRole)                  
-                except KeyError:
-                    self.__remoteRole2LocalRole[trustedHost][remoteRole] = \
-                                                                [localRole]
-                    
-                try:
-                    self.__localRole2RemoteRole[trustedHost][localRole].\
-                                                            append(remoteRole)                  
-                except KeyError:
-                    self.__localRole2RemoteRole[trustedHost][localRole] = \
-                                                                [remoteRole]
-        
-        # Store trusted host info look-up for retrieval by getTrustedHostInfo
-        # method                                                                         
-        #
-        # Nb. {}.fromkeys([...]).keys() is a fudge to get unique elements
-        # from a list i.e. convert the list elements to a dict eliminating
-        # duplicated elements and convert the keys back into a list.
-        self._trustedHostInfo = dict(
-        [
-            (
-                k, 
-                {
-                    'siteName':             v['siteName'],
-                    'aaURI':                v['aaURI'], 
-                    'aaDN':                 v['aaDN'], 
-                    'loginURI':             v['loginURI'], 
-                    'loginServerDN':        v['loginServerDN'], 
-                    'loginRequestServerDN': v['loginRequestServerDN'], 
-                    'role':                 {}.fromkeys([role['remote'] 
-                                                         for role in v['role']]
-                                                       ).keys()
-                }
-            ) for k, v in self.__mapConfig['trustedHosts'].items()
-        ])
-
-        log.info('Loaded map configuration file "%s"' % self.mapConfigFilePath)
-       
         
     def getRoles(self, userId):
@@ -1381 +743 @@
             raise AttributeAuthorityError("Getting user roles: %s" % e)
        
-        
-    def _getHostInfo(self):
-        """Return the host that this Attribute Authority represents: its ID,
-        the user login URI and WSDL address.  Call this method via the
-        'hostInfo' property
-        
-        @rtype: dict
-        @return: dictionary of host information derived from the map 
-        configuration"""
-        
-        return self.__mapConfig['thisHost']
-        
-    hostInfo = property(fget=_getHostInfo, 
-                        doc="Return information about this host")
-       
-        
-    def getTrustedHostInfo(self, role=None):
-        """Return a dictionary of the hosts that have trust relationships
-        with this AA.  The dictionary is indexed by the trusted host name
-        and contains AA service, login URIs and the roles that map to the
-        given input local role.
-
-        @type role: string
-        @param role: if set, return trusted hosts that having a mapping set 
-        for this role.  If no role is input, return all the AA's trusted hosts 
-        with all their possible roles
-
-        @rtype: dict
-        @return: dictionary of the hosts that have trust relationships
-        with this AA.  It returns an empty dictionary if role isn't 
-        recognised"""
-               
-        log.debug('Calling getTrustedHostInfo with role = "%s" ...' % role) 
-                                 
-        if not self.__mapConfig or not self.__localRole2RemoteRole:
-            # This Attribute Authority has no trusted hosts
-            raise AttributeAuthorityNoTrustedHosts("The %s Attribute "
-                                                   "Authority has no trusted "
-                                                   "hosts" % 
-                                                   self.name)
-
-
-        if role is None:
-            # No role input - return all trusted hosts with their service URIs
-            # and the remote roles they map to
-            return self._trustedHostInfo
-
-        else:           
-            # Get trusted hosts for given input local role        
-            try:
-                trustedHosts = self.__localRole2TrustedHost[role]
-            except:
-                raise AttributeAuthorityNoMatchingRoleInTrustedHosts(
-                    'None of the trusted hosts have a mapping to the '
-                    'input role "%s"' % role)
-    
-    
-            # Get associated Web service URI and roles for the trusted hosts 
-            # identified and return as a dictionary indexed by host name
-            trustedHostInfo = dict(
-       [(
-            host, 
-            {
-                'siteName': self.__mapConfig['trustedHosts'][host]['siteName'],
-                'aaURI':    self.__mapConfig['trustedHosts'][host]['aaURI'],
-                'aaDN':     self.__mapConfig['trustedHosts'][host]['aaDN'],
-                'loginURI': self.__mapConfig['trustedHosts'][host]['loginURI'],
-                'loginServerDN': 
-                        self.__mapConfig['trustedHosts'][host]['loginServerDN'],
-                'loginRequestServerDN': 
-                self.__mapConfig['trustedHosts'][host]['loginRequestServerDN'],
-                'role':     self.__localRole2RemoteRole[host][role]
-            }
-        ) for host in trustedHosts])
-                         
-            return trustedHostInfo
-       
-        
-    def mapRemoteRoles2LocalRoles(self, trustedHost, trustedHostRoles):
-        """Map roles of trusted hosts to roles for this data centre
-
-        @type trustedHost: string
-        @param trustedHost: name of external trusted data centre
-        @type trustedHostRoles: list
-        @param trustedHostRoles:   list of external roles to map
-        @return: list of mapped roles"""
-
-        if not self.__remoteRole2LocalRole:
-            raise AttributeAuthorityError("Roles map is not set - ensure " 
-                                    "readMapConfig() has been called.")
-
-
-        # Check the host name is a trusted one recorded in the map
-        # configuration
-        if not self.__remoteRole2LocalRole.has_key(trustedHost):
-            return []
-
-        # Add local roles, skipping if no mapping is found
-        localRoles = []
-        for trustedRole in trustedHostRoles:
-            if trustedRole in self.__remoteRole2LocalRole[trustedHost]:
-                localRoles.extend(
-                        self.__remoteRole2LocalRole[trustedHost][trustedRole])
-                
-        return localRoles
-
     def getAttCertFactory(self):
-        """Factory method to create SAML Attribute Qeury wrapper function
+        """Factory method to create SAML Attribute Query wrapper function
         @rtype: function
         @return getAttCert method function wrapper
@@ -1521 +777 @@
         return samlAttributeQueryWrapper
     
-
-from logging.handlers import RotatingFileHandler
-
-# Inherit directly from Logger
-_loggerClass = logging.getLoggerClass()
-class AttCertLog(_loggerClass, object):
-    """Log each Attribute Certificate issued using a rotating file handler
-    so that the number of files held can be managed"""
-    
-    def __init__(self, attCertFilePath, backUpCnt=1024):
-        """Set up a rotating file handler to log ACs issued.
-        @type attCertFilePath: string
-        @param attCertFilePath: set where to store ACs.  Set from 
-        AttributeAuthority properties file.
-        
-        @type backUpCnt: int
-        @param backUpCnt: set the number of files to store before rotating
-        and overwriting old files."""
-        
-        if not isinstance(backUpCnt, int):
-            raise TypeError('Expecting int type for "backUpCnt" keyword')
-        
-        # Inherit from Logger class
-        super(AttCertLog, self).__init__(name='', level=logging.INFO)
-                            
-        # Set a format for messages so that only the content of the AC is
-        # logged, nothing else.
-        formatter = logging.Formatter(fmt="", datefmt="")
-
-        # maxBytes is set to one so that only one AC will be written before 
-        # rotation to the next file
-        fileLog = RotatingFileHandler(attCertFilePath, 
-                                      maxBytes=1, 
-                                      backupCount=backUpCnt)
-        fileLog.setFormatter(formatter)            
-        self.addHandler(fileLog)
- 
-                      
+               
 class AttributeInterfaceError(Exception):
     """Exception handling for NDG Attribute Authority User Roles interface
@@ -1677 +896 @@
         self.attributeMap = {}
         for line in lines:
-            fields = re.split(',\W*', line.strip())
+            fields = re.split(',\s*', line.strip())
             self.attributeMap[fields[0]] = fields[1:]
     

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/__init__.py

@@ -373 +373 @@
     propertyDefaults.update(NDGSecurityMiddlewareBase.propertyDefaults)
     
-    CSV_PAT = re.compile(',\W*')
+    CSV_PAT = re.compile(',\s*')
     
     # TODO: refactor to:

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -1315 +1315 @@
         @rtype: basestring
         @return: WSGI response'''
-        """      
+        """
+        if not isinstance(oidResponse, server.OpenIDResponse):
+            log.error("OpenID Response is %r type, expecting %r",
+                      type(oidResponse), server.OpenIDResponse)
+            return self._render.errorPage(environ, start_response,
+                                          "Error setting a response.  Please "
+                                          "report this fault to your site "
+                                          "administrator.",
+                                          code=500)
+        
         try:
             webresponse = self.oidserver.encodeResponse(oidResponse)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/axinterface/csv.py

@@ -91 +91 @@
         nAttributes = len(self.attributeNames)
         for line in lines:
-            fields = re.split(',\W*', line.strip())
+            fields = re.split(',\s*', line.strip())
             
             # Dictionary keyed by user ID with each val itself a dict keyed

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -368 +368 @@
                         ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME
                     ] = True
+                    log.debug("Client Certificate DN %s matches DN in "
+                              "permitted DNs list %r", dn, 
+                              self.clientCertDNMatchList)
                     return True
+        else:
+            log.debug("No match found for Client Certificate DN %s in "
+                      "permitted DNs list %r", dn, self.clientCertDNMatchList)
                 
             return False