Changeset 6895

Timestamp:

27/05/10 14:30:08 (11 years ago)

Author:

pjkersha

Message:

• Working myproxy-ws-logon.sh MyProxy? logon web service client script.
• Also integrated with unit test which launches the WSGI app by starting it running over HTTPS with paster in a separate thread and then queries it with the client script.

Location:

TI12-security/trunk/MyProxyServerUtils/myproxy/server

Files:

• test/myproxy-ws-logon.sh (modified) (5 diffs)
• test/myproxy_ws.py (modified) (2 diffs)
• test/myproxywsgi.ini (modified) (1 diff)
• test/test_myproxywsgi.cfg (modified) (1 diff)
• test/test_myproxywsgi_with_paster.py (modified) (3 diffs)
• wsgi/httpbasicauth.py (modified) (2 diffs)

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/myproxy-ws-logon.sh

@@ -1 +1 @@
 #!/bin/bash
 #
-# Client script for web service interface to MyProxy logon
+# Client script for web service interface to MyProxy logon based on openssl and
+# curl
 #
 # @author P J Kershaw 25/05/2010
@@ -10 +11 @@
 #
 # $Id$
-cmdline_opt=`getopt -o hU:l:So: --long help,uri:,username:,stdin_pass,out:: -n "$0" -- "$@"`
+cmdname=$(basename $0)
+cmdline_opt=`getopt -o hU:l:So: --long help,uri:,username:,stdin_pass,out:: -n "$cmdname" -- "$@"`
 
-usage="Usage: myproxy-logon [-U MyProxy Web Service URI][-l username] ...\n
+usage="Usage: $cmdname [-U MyProxy Web Service URI][-l username] ...\n
 \n
    Options\n
-       -h | --help                       Displays usage\n
-       -U | --uri                        MyProxy web service URI\n
-       -l | --username        <username> Username for the delegated proxy\n
-       -S | --stdin_pass                 pass password from stdin rather prompt from tty\n
-       -o | --out             <path>     Location of delegated proxy\n
-                                         (use '-' for stdout)\n
+       -h | --help\t\t\t\tDisplays usage\n
+       -U | --uri\t\t<uri>\t\tMyProxy web service URI\n
+       -l | --username\t<username>\tUsername for the delegated proxy (defaults to \$LOGNAME)\n
+       -S | --stdin_pass\t\t\tpass password from stdin rather prompt from tty\n
+       -o | --out\t\t<filepath>\tLocation of delegated proxy (default to stdout)\n
 "
 
 if [ $? != 0 ] ; then
-    echo $usage >&2 ;
+    echo -e $usage >&2 ;
     exit 1 ;
 fi
@@ -32 +33 @@
 while true ; do
     case "$1" in
-        -h|--help) echo $usage ; exit 0 ;;
+        -h|--help) echo -e $usage ; exit 0 ;;
         -U|--uri) uri=$2 ; shift 2 ;;
         -l|--username) username=$2 ; shift 2 ;;
@@ -43 +44 @@
 
 if [ -z $uri ]; then
-    echo Give the URI for the MyProxy Logon web service ;
-    echo $usage >&2 ;
+    echo -e Give the URI for the MyProxy Logon web service ;
+    echo -e $usage >&2 ;
     exit 1;
 fi
@@ -92 +93 @@
 # 1) -t 1 to ensure only one attempt is made
 # 2) --auth-no-challenge force sending of username/password to allow for servers that may not issue an authentication challenge
-wget $uri --http-user=$username --http-password=$password --post-file=$certreqfilepath --ca-directory=$cadir -O $outfilepath -t 1 --auth-no-challenge
-if [ "$?" != "0" ]; then
-    cat $outfilepath
+#wget $uri --http-user=$username --http-password=$password --post-file=$certreqfilepath --ca-directory=$cadir -O $outfilepath -t 1 --auth-no-challenge
+response=$(curl $uri -u $username:$password -d "$(cat $certreqfilepath)" --capath $cadir -w " %{http_code}" -s -S)
+responsemsg=$(echo "$response"|sed '$s/ *\([^ ]* *\)$//')
+responsecode=$(echo $response|awk '{print $NF}')
+if [ "$responsecode" != "200" ]; then
+    echo "$responsemsg" >&2
     exit 1
 fi
 
-# Add key to output file
+# Output certificate
+echo "$responsemsg" > $outfilepath
+
+# Add key 
 echo "$key" >> $outfilepath

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/myproxy_ws.py

@@ -17 +17 @@
 THIS_DIR = path.dirname(__file__)
 INI_FILENAME = 'myproxywsgi.ini'
-INI_FILEPATH = path.join(THIS_DIR, INI_FILENAME)  
-SSLCERT_FILEPATH = 'localhost.crt'
-SSLKEY_FILEPATH = 'localhost.key'
+INI_FILEPATH = path.join(THIS_DIR, INI_FILENAME) 
+SSLCERT_FILEPATH = path.join(THIS_DIR, 'localhost.crt')
+SSLKEY_FILEPATH = path.join(THIS_DIR, 'localhost.key')
 PORTNUM = 7443
-WITH_SSL = True
+WITH_SSL = True # Set to False to run over HTTP
 
 if __name__ == "__main__":
+    # Provide a port number as command line argument or accept the default
+    # PORTNUM
     if len(sys.argv) > 1:
         port = sys.argv[1]
@@ -29 +31 @@
         port = PORTNUM
         
-    certFilePath = path.join(THIS_DIR, SSLCERT_FILEPATH)
-    priKeyFilePath = path.join(THIS_DIR, SSLKEY_FILEPATH)
-    
     if WITH_SSL:
         ssl_context = SSL.Context(SSL.SSLv23_METHOD)
         ssl_context.set_options(SSL.OP_NO_SSLv2)
     
-        ssl_context.use_privatekey_file(priKeyFilePath)
-        ssl_context.use_certificate_file(certFilePath)
+        ssl_context.use_privatekey_file(SSLKEY_FILEPATH)
+        ssl_context.use_certificate_file(SSLCERT_FILEPATH)
     else:
         ssl_context = None

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/myproxywsgi.ini

@@ -22 +22 @@
 myproxy.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC
 myproxy.rePathMatchList = /logon
-myproxy.client.hostname = localhost
+#myproxy.client.hostname = localhost
+myproxy.client.hostname = myproxy.ceda.ac.uk
 myproxy.client.caCertDir = /etc/grid-security/certificates

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/test_myproxywsgi.cfg

@@ -14 +14 @@
 [test01Logon]
 username: pjk
-password = mypassword
+#password = mypassword
 uri = https://localhost:10443/logon

TI12-security/trunk/MyProxyServerUtils/myproxy/server/test/test_myproxywsgi_with_paster.py

@@ -19 +19 @@
 logging.basicConfig(level=logging.DEBUG)
 
-from OpenSSL import SSL
+from OpenSSL import SSL, crypto
 
 from myproxy.server.test import PasteDeployAppServer
@@ -39 +39 @@
     SCRIPT_URI_OPTNAME = '--uri'
     SCRIPT_USER_OPTNAME = '--username'
-    SCRIPT_PASSWD_OPTNAME = '--stdin_pass'
-    SCRIPT_OUTPUT_OPTNAME = '--out'
     SCRIPT_STDIN_PASS = '--stdin_pass'
     
@@ -80 +78 @@
                               env={'X509_CERT_DIR':self.__class__.THIS_DIR})
         stdoutdata, stderrdata = p2.communicate()
-#        self.failIf(status[-1] != 0, "Expecting 0 exit status for %r" % cmd)
-        print stdoutdata
- 
+        self.failIf(len(stderrdata) > 0, "An error message was returned: %s" % 
+                    stderrdata)
+        print("stdout = %s" % stdoutdata)
+        
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, stdoutdata)
+        subj = cert.get_subject()
+        self.assert_(subj)
+        self.assert_(subj.CN)
+        print("Returned certificate subject CN=%r" % subj.CN)
+        
     def addService(self, *arg, **kw):
         """Utility for setting up threads to run Paste HTTP based services with

TI12-security/trunk/MyProxyServerUtils/myproxy/server/wsgi/httpbasicauth.py

@@ -174 +174 @@
         username, password = self._parseCredentials(environ)
         if username is None:
-            log.info('No username set in HTTP Authorization header')
-            return self.setErrorResponse(start_response)
+            log.error('No username set in HTTP Authorization header')
+            return self.setErrorResponse(start_response, 
+                                         msg="No username set\n")
         
         authenticateFunc = environ.get(self.authnFuncEnvironKeyName)
@@ -215 +216 @@
         status = '%d %s' % (code, httplib.responses[code])
         if msg is None:
-            response = status
+            response = "%s\n" % status
         else:
             response = msg