Context Navigation

← Previous Changeset
Next Changeset →

Changeset 6918

Timestamp:

02/06/10 15:01:16 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 5: MyProxy? Logon HTTPS Interface

Updated MyProxyClient with bootstrap capability for get trust roots and logon methods.

Location:

TI12-security/trunk/MyProxyClient

Files:

: 2 added
: 4 deleted
: 8 edited
: 1 moved

MyProxyClient.egg-info/SOURCES.txt (modified) (1 diff)
build (deleted)
dist (deleted)
documentation (modified) (1 prop)
documentation.zip (added)
documentation/Makefile (modified) (1 diff)
myproxy/__init__.py (modified) (1 diff)
myproxy/client.py (modified) (30 diffs)
myproxy/test/3d41aba9.0 (moved) (moved from TI12-security/trunk/MyProxyClient/myproxy/test/test-ca.crt)
myproxy/test/ca (added)
myproxy/test/myProxyClient.cfg (modified) (3 diffs)
myproxy/test/myProxyClientTest.cfg (modified) (5 diffs)
myproxy/test/proxy.crt (deleted)
myproxy/test/proxy.key (deleted)
myproxy/test/test_myproxyclient.py (modified) (8 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/MyProxyClient/MyProxyClient.egg-info/SOURCES.txt

-                      r6845
+                      r6918
 MyProxyClient.egg-info/requires.txt
 MyProxyClient.egg-info/top_level.txt
+dist/MyProxyClient-1.0.0-py2.5.egg
+dist/MyProxyClient-1.0.0-py2.6.egg
 documentation/Makefile
-documentation/api-objects.txt
-documentation/class-tree.html
-documentation/crarr.png
-documentation/epydoc-log.html
-documentation/epydoc.css
-documentation/epydoc.js
-documentation/epydoc.log
-documentation/help.html
-documentation/identifier-index.html
-documentation/index.html
-documentation/module-tree.html
-documentation/myproxy-module.html
-documentation/myproxy-pysrc.html
-documentation/myproxy.client-module.html
-documentation/myproxy.client-pysrc.html
-documentation/myproxy.client.CaseSensitiveConfigParser-class.html
-documentation/myproxy.client.MyProxyClient-class.html
-documentation/myproxy.client.MyProxyClientConfigError-class.html
-documentation/myproxy.client.MyProxyClientError-class.html
-documentation/myproxy.client.MyProxyClientGetError-class.html
-documentation/myproxy.client.MyProxyClientRetrieveError-class.html
-documentation/myproxy.client._HostCheck-class.html
-documentation/myproxy.utils-module.html
-documentation/myproxy.utils-pysrc.html
-documentation/myproxy.utils.openssl-module.html
-documentation/myproxy.utils.openssl-pysrc.html
-documentation/myproxy.utils.openssl.OpenSSLConfig-class.html
-documentation/myproxy.utils.openssl.OpenSSLConfigError-class.html
-documentation/redirect.html
-documentation/uml_class_diagram_for_myproxy_.gif
-documentation/uml_class_diagram_for_myproxy__2.gif
-documentation/uml_class_diagram_for_myproxy__3.gif
-documentation/uml_class_diagram_for_myproxy__4.gif
-documentation/uml_class_diagram_for_myproxy__5.gif
-documentation/uml_class_diagram_for_myproxy__6.gif
-documentation/uml_class_diagram_for_myproxy__7.gif
-documentation/uml_class_diagram_for_myproxy__8.gif
-documentation/uml_class_diagram_for_myproxy__9.gif
 myproxy/__init__.py
 myproxy/client.py
 myproxy/test/README
 myproxy/test/__init__.py
+myproxy/test/localhost.crt
 myproxy/test/myProxyClient.cfg
 myproxy/test/myProxyClientTest.cfg

TI12-security/trunk/MyProxyClient/documentation
- Property svn:ignore set to
  *.*

TI12-security/trunk/MyProxyClient/documentation/Makefile

r5357	r6918
9	9	# @copyright: (C) 2008 STFC
10	10	#
11		# @license: This software may be distributed under the terms of the Q Public
12		# License, version 1.0 or later.
	11	# @license: http://www.apache.org/licenses/LICENSE-2.0
13	12	#
14	13	# $Id$

TI12-security/trunk/MyProxyClient/myproxy/init.py

r6069	r6918
9	9	__license__ = """BSD - See LICENSE file in top-level directory"""
10	10	__contact__ = "Philip.Kershaw@stfc.ac.uk"
11		__revision__ = '$Id: $'
	11	__revision__ = '$Id$'
	12	__import__('pkg_resources').declare_namespace(__name__)

TI12-security/trunk/MyProxyClient/myproxy/client.py

-                      r6847
+                      r6918
     environment variable name
+    @type GLOBUS_LOCATION_ENVVARNAME: string
+    @param GLOBUS_LOCATION_ENVVARNAME: 'GLOBUS_LOCATION' environment variable
+    name
     @type GET_CMD: string
     @cvar GET_CMD: get command string
 …
     @cvar GET_TRUST_ROOTS_CMD: get trust roots command string
+    @type _hostCertSubDirPath: string
+    @cvar _hostCertSubDirPath: sub-directory path host certificate (as tuple)
+    @type _hostKeySubDirPath: string
+    @cvar _hostKeySubDirPath: sub-directory path to host key (as tuple)
+    @type TRUSTED_CERTS_FIELDNAME: string
+    @param TRUSTED_CERTS_FIELDNAME: field name in get trust roots response for
+    trusted certificate file names
+    @type TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX: string
+    @param TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX: field name prefix in get
+    trust roots response for trusted certificate file contents
+    @type HOSTCERT_SUBDIRPATH: string
+    @cvar HOSTCERT_SUBDIRPATH: sub-directory path host certificate (as tuple)
+    @type HOSTKEY_SUBDIRPATH: string
+    @cvar HOSTKEY_SUBDIRPATH: sub-directory path to host key (as tuple)
     @type PRIKEY_NBITS: int
 …
     @cvar PROPERTY_DEFAULTS: sets permissable element names for MyProxy config
     file
+    @type ROOT_USERNAME: string
+    @cvar ROOT_USERNAME: root username - used to determine output directory
+    for trust roots
+    @type ROOT_TRUSTROOT_DIR: string
+    @param ROOT_TRUSTROOT_DIR: default trust root directory if running as root
+    user
+    @type USER_TRUSTROOT_DIR: string
+    @param USER_TRUSTROOT_DIR: default trust root directory for users other
+    than root
+    @type X509_CERT_DIR_ENVVARNAME: string
+    @param X509_CERT_DIR_ENVVARNAME: environment variable name 'X509_CERT_DIR',
+    which if set points to the location of the trust roots
     """
     MYPROXY_SERVER_ENVVARNAME = 'MYPROXY_SERVER'
     MYPROXY_SERVER_PORT_ENVVARNAME = 'MYPROXY_SERVER_PORT'
     MYPROXY_SERVER_DN_ENVVARNAME = 'MYPROXY_SERVER_DN'
+    GLOBUS_LOCATION_ENVVARNAME = 'GLOBUS_LOCATION'
     GET_CMD="""VERSION=MYPROXYv2
 COMMAND=0
 …
 TRUSTED_CERTS=1"""
+    _hostCertSubDirPath = ('etc', 'hostcert.pem')
+    _hostKeySubDirPath = ('etc', 'hostkey.pem')
+    TRUSTED_CERTS_FIELDNAME = 'TRUSTED_CERTS'
+    TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX = 'FILEDATA_'
+    HOSTCERT_SUBDIRPATH = ('etc', 'hostcert.pem')
+    HOSTKEY_SUBDIRPATH = ('etc', 'hostkey.pem')
     PROXY_FILE_PERMISSIONS = 0600
 …
        'hostname':              'localhost',
        'port':                  7512,
+       'cnPrefix':          MyProxyServerSSLCertVerification.SERVER_CN_PREFIX,
        'serverDN':              None,
        'openSSLConfFilePath':   '',
        'proxyCertMaxLifetime':  43200,
        'proxyCertLifetime':     43200,
-       'caCertFilePath':        None,
        'caCertDir':             None
+    }
+    ROOT_USERNAME = 'root'
+    ROOT_TRUSTROOT_DIR = '/etc/grid-security/certificates'
+    USER_TRUSTROOT_DIR = '~/.globus/certificates'
+    X509_CERT_DIR_ENVVARNAME = 'X509_CERT_DIR'
     # Restrict attributes to the above properties, their equivalent
 …
         self.__proxyCertLifetime = MyProxyClient.PROPERTY_DEFAULTS[
                                                         'proxyCertLifetime']
-        self.__caCertFilePath = None
         self.__caCertDir = None
 …
             self.serverDN = serverDN
+        # Set trust root - the directory containing the CA certificates for
+        # verifying the MyProxy server's SSL certificate
+        self.setDefaultCACertDir()
         # Any keyword settings override the defaults above
         for opt, val in prop.items():
 …
         if cfgFilePath is not None:
             self.parseConfig(cfg=cfgFilePath)
+    def _getServerSSLCertVerify(self):
+        return self.__serverSSLCertVerify
+    serverSSLCertVerify = property(_getServerSSLCertVerify,
+                                   doc="Server SSL Certificate Verification "
+                                       "callable")
+    def setDefaultCACertDir(self):
+        '''Make default trust root setting - the directory containing the CA
+        certificates for verifying the MyProxy server's SSL certificate.
+        The setting is made by using standard Globus defined locations and
+        environment variable settings
+        '''
+        # Check for X509_CERT_DIR environment variable
+        x509CertDir = os.environ.get(MyProxyClient.X509_CERT_DIR_ENVVARNAME)
+        if x509CertDir is not None:
+            self.caCertDir = x509CertDir
+        # Check for running as root user
+        elif os.environ.get(MyProxyClient.ROOT_USERNAME) is not None:
+            self.caCertDir = MyProxyClient.ROOT_TRUSTROOT_DIR
+        # Default to non-root standard location
+        else:
+            self.caCertDir = os.path.expanduser(
+                                            MyProxyClient.USER_TRUSTROOT_DIR)
     def _getServerSSLCertVerify(self):
 …
                                  doc="Default proxy cert. lifetime used in "
                                      "logon request")
-    def _getCACertFilePath(self):
-        return self.__caCertFilePath
-    def _setCACertFilePath(self, val):
-        '''@type val: basestring
-        @param val: file path for CA certificate to be used to verify
-        MyProxy server certificate'''
-        if isinstance(val, basestring):
-            if val == '':
-                self.__caCertFilePath = None
-            else:
-                self.__caCertFilePath = os.path.expandvars(val)
-        elif isinstance(val, None):
-            raise TypeError("Expecting string type for caCertFilePath "
-                                 "attribute")
-    caCertFilePath = property(fget=_getCACertFilePath,
-                              fset=_setCACertFilePath,
-                              doc="CA certificate file path - MyProxy server "
-                                  "certificate must validate against it and/"
-                                  "or any present in caCertDir")
     def _getCACertDir(self):
 …
     caCertDir = property(fget=_getCACertDir,
                          fset=_setCACertDir,
                          doc="directory containing PEM encoded CA "
                              "certificates.  Use along with caCertFilePath "
                              "setting to validate MyProxy server certificate")
+                         doc="trust roots directory containing PEM encoded CA "
+                             "certificates to validate MyProxy server "
+                             "certificate")
 …
                         certFile=None,
                         keyFile=None,
+                        keyFilePassphrase=None):
+                        keyFilePassphrase=None,
+                        verifyPeerWithTrustRoots=True):
         """Initialise connection setting up SSL context and client and
         server side identity checks
 …
         @type keyFilePassphrase: basestring
         @param keyFilePassphrase: pass-phrase protecting private key if set
+        @type verifyPeerWithTrustRoots: bool
+        @param verifyPeerWithTrustRoots: verify MyProxy server's SSL certificate
+        against a list of trusted CA certificates in the CA certificate
+        directory set by the "CaCertDir" attribute.  This should always be set
+        to True for MyProxy client calls unless using the 'bootstrap' trust
+        roots mode available with logon and get trust roots calls
         """
         # Must be version 3 for MyProxy
         context = SSL.Context(SSL.SSLv3_METHOD)
+        if self.caCertFilePath or self.caCertDir:
+            context.load_verify_locations(self.caCertFilePath, self.caCertDir)
+        if verifyPeerWithTrustRoots:
+            context.load_verify_locations(None, self.caCertDir)
+            verifyMode = SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT
+        else:
+            log.warning("SSL Context verify mode set to SSL.VERIFY_NONE")
+            verifyMode = SSL.VERIFY_NONE
+        # Verify peer's (MyProxy server) certificate
+        context.set_verify(verifyMode, self.__serverSSLCertVerify)
         if certFile:
             try:
 …
                                 promptPassphraseTwice,
                                 passphrase):
+                    """Private key file password callback function"""
                     if len(passphrase) > passphraseMaxLen:
                         log.error('Passphrase length %d is greater than the '
 …
                                                "connection [also check CA "
                                                "certificate settings]: %s" %
+                                               traceback.format_exc())
+        # Verify peer's (MyProxy server) certificate
+        context.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
+                           self.__serverSSLCertVerify)
+                                               traceback.format_exc())
         # Disable for compatibility with myproxy server (er, globus)
 …
         @param nBitsForKey: number of bits for private key generation -
         default is 2048
         @rtype: string
+        @rtype: OpenSSL.crypto.PKey
         @return: public/private key pair
         """
 …
         @type messageDigest: basestring
         @param messageDigest: message digest type - default is MD5
         @rtype: tuple
+        @rtype: base string
         @return certificate request PEM text and private key PEM text
         """
 …
         private key is not password protected.
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc,
                                             *MyProxyClient._hostCertSubDirPath)
+                                            *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc,
                                             *MyProxyClient._hostKeySubDirPath)
+                                            *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
 …
         @return none
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
+                                           *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
+                                          *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
 …
         @return none
         """
         globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
+                                         *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
+                                         *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
 …
             passphrase = str(passphrase)
         globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostCertSubDirPath)
+                                           *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc,
                                          *MyProxyClient._hostKeySubDirPath)
+                                          *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 # Default so that the owner is the same as the ID of the
 …
     def logon(self, username, passphrase, lifetime=None, keyPair=None,
+              certReq=None, nBitsForKey=PRIKEY_NBITS):
+              certReq=None, nBitsForKey=PRIKEY_NBITS, bootstrap=False,
+              updateTrustRoots=False):
         """Retrieve a proxy credential from a MyProxy server
 …
         @type lifetime: int
         @param lifetime: lifetime for generated certificate
+        @type keyPair: OpenSSL.crypto.PKey
+        @param keyPair: Public/Private key pair.  This is ignored if a
+        certificate request is passed via the certReq keyword
+        @type certReq: string
+        @param certReq: ASN1 format certificate request, if none set, one is
+        created along with a key pair
+        @type nBitsForKey: int
+        @param nBitsForKey: number of bits to use when generating key pair,
+        defaults to the PRIKEY_NBITS class variable setting.  This keyword is
+        ignored if a key pair is passed in from an external source via the
+        keyPair keyword
         @rtype: tuple
 …
         user certificate, it's private key and the issuing certificate.  The
         issuing certificate is only set if the user certificate is a proxy
+        @type bootstrap: bool
+        @param bootstrap: If set to True, bootstrap trust roots i.e. connect to
+        MyProxy server without verification of the server's SSL certificate
+        against any CA certificates.  Set to False, for default behaviour:
+        verify server SSL certificate against CA certificates held in location
+        set by the "caCertDir" attribute.  If bootstrap is set, updateTrustRoots
+        will be forced to True also
+        @type updateTrustRoots: bool
+        @param updateTrustRoots: set to True to update the trust roots
         """
+        if bootstrap:
+            log.info('Bootstrapping MyProxy server root of trust.')
+            # Bootstrap implies update to trust roots
+            updateTrustRoots = True
+        if updateTrustRoots:
+            self.getTrustRoots(username,
+                               passphrase,
+                               writeToCACertDir=True,
+                               bootstrap=bootstrap)
         lifetime = lifetime or self.proxyCertLifetime
 …
         # send get command - ensure conversion from unicode before writing
         cmd = MyProxyClient.GET_CMD % (username, passphrase, lifetime)
         conn.write(str(cmd))
         # process server response
         dat = conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
         respCode, errorTxt = self._deserializeResponse(dat)
         if respCode:
 …
         respCode, errorTxt = self._deserializeResponse(resp)
         if respCode:
             raise MyProxyClientRetrieveError(errorTxt)
+            raise MyProxyClientRetrieveError(errorTxt)
         # deserialize certs from received cert data
 …
         return self.logon(*arg, **kw)
+    def getTrustRoots(self, username='', passphrase=''):
+    def getTrustRoots(self,
+                      username='',
+                      passphrase='',
+                      writeToCACertDir=False,
+                      bootstrap=False):
         """Get trust roots for the given MyProxy server
 …
         @param passphrase: pass-phrase (optional)
         server
+        @type writeToCACertDir: bool
+        @param writeToCACertDir: if set to True, write the retrieved trust roots
+        out to the directory specified by the "caCertDir" attribute
+        @type bootstrap: bool
+        @param bootstrap: If set to True, bootstrap trust roots i.e. connect to
+        MyProxy server without verification of the server's SSL certificate
+        against any CA certificates.  Set to False, for default behaviour:
+        verify server SSL certificate against CA certificates held in location
+        set by the "caCertDir" attribute.
         @return: trust root files as a dictionary keyed by file name with each
 …
         @rtype: dict
         """
+        if bootstrap:
+            log.info('Bootstrapping MyProxy server root of trust.')
         # Set-up SSL connection
         conn = self._initConnection()
+        conn = self._initConnection(verifyPeerWithTrustRoots=(not bootstrap))
         conn.connect((self.hostname, self.port))
 …
         # process server response chunks until all consumed
         dat = ''
+        tries = 0
         try:
             for tries in range(MyProxyClient.MAX_RECV_TRIES):
 …
                         MyProxyClient.MAX_RECV_TRIES,
                         MyProxyClient.SERVER_RESP_BLK_SIZE)
+        fieldName = MyProxyClient.TRUSTED_CERTS_FIELDNAME
+        prefix = MyProxyClient.TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX
         respCode, errorTxt, fileData = self._deserializeResponse(dat,
                                                                 'TRUSTED_CERTS',
                                                                 'FILEDATA_')
+                                                                 fieldName,
+                                                                 prefix)
         if respCode:
             raise MyProxyClientGetTrustRootsError(errorTxt)
+        filesDict = dict([(k, base64.b64decode(v))
+                          for k, v in fileData.items() if k != 'TRUSTED_CERTS'])
+        filesDict = dict([(k.split(prefix, 1)[1], base64.b64decode(v))
+                          for k, v in fileData.items() if k != fieldName])
+        if writeToCACertDir:
+            for fileName, fileContents in filesDict.items():
+                filePath = os.path.join(self.caCertDir, fileName)
+                open(filePath, 'wb').write(fileContents)
         return filesDict

TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClient.cfg

-                      r6840
+                      r6918
 # Delete this element and take setting from MYPROXY_SERVER environment
 # variable if required
 hostname=localhost
+#hostname=localhost
 # Delete this element to take default setting 7512 or read
 …
 # MYPROXY_SERVER_DN environment variable if preferred
 #serverDN=/O=NDG/OU=Raphael/CN=raphael
+# MyProxy Server CommonName prefix e.g. 'myproxy/' in order to match certificate
+# CN 'myproxy/<fqdn>'.  The default value is 'host/'
+serverCNPrefix=
 # This directory path is used to locate the OpenSSL configuration file
 …
 proxyCertLifetime=64800
+#caCertFilePath=$MYPROXYCLIENT_UNITTEST_DIR/ndg-test-ca.crt
+caCertFilePath=$MYPROXYCLIENT_UNITTEST_DIR/test-ca.crt
+# Trust roots directory defaults to X509_CERT_DIR environment variable setting
+# or ~/.globus/certificates if not set here
+caCertDir=$MYPROXYCLIENT_UNITTEST_DIR/ca

TI12-security/trunk/MyProxyClient/myproxy/test/myProxyClientTest.cfg

-                      r6844
+                      r6918
 # terminal.  To set a null password, leave the field in place but set to
 # blank
 [test01Store]
+[test02Store]
 username: testuser
 passphrase: testpassword
 …
 sslKeyFilePassphrase: testpassword
 [test02GetDelegation]
+[test03GetDelegation]
 username: testuser
 passphrase: testpassword
 …
 proxyKeyFileOut: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
 [test03Info]
+[test04Info]
 username: testuser
 sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
 …
 sslKeyFilePassphrase: testpassword
+[test04ChangePassphrase]
+[test05GetDelegationWithBootstrappedTrustRoots]
+username: testuser
+passphrase: testpassword
+[test06ChangePassphrase]
 username: testuser
 sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
 …
 sslKeyFilePassphrase: testpassword
+[test05Destroy]
+[test07Destroy]
 username: testuser
 sslCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt

TI12-security/trunk/MyProxyClient/myproxy/test/test_myproxyclient.py

-                      r6847
+                      r6918
 import os
 import sys
 import getpass
+from getpass import getpass
 import traceback
 from os import path
 …
 class MyProxyClientLiveTestCase(_MyProxyClientTestCase):
+    '''Tests require a connection to a real MyProxy service running on a host
+    '''Tests require a connection to a real MyProxy service running on a host.
+    The server must be set up as a credential repository - i.e. able to receive
+    and store credentials
     '''
     CONFIG_FILENAME = "myProxyClientTest.cfg"
 …
         configFilePath = path.expandvars(self.cfg['setUp']['cfgFilePath'])
         self.clnt = MyProxyClient(cfgFilePath=configFilePath)
+    def test01Store(self):
+        # upload X509 cert and private key to repository
+        thisSection = self.cfg['test01Store']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass.getpass(prompt="\ntest1Store credential "
+                                                "pass-phrase: ")
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(
+                        prompt="\ntest1Store credential owner pass-phrase: ")
+        certFile = path.expandvars(thisSection['ownerCertFile'])
+        keyFile = path.expandvars(thisSection['ownerKeyFile'])
+        sslCertFile = path.expandvars(thisSection['sslCertFile'])
+        sslKeyFile = path.expandvars(thisSection['sslKeyFile'])
+        self.clnt.store(thisSection['username'],
+                        passphrase,
+                        certFile,
+                        keyFile,
+                        sslCertFile=sslCertFile,
+                        sslKeyFile=sslKeyFile,
+                        sslKeyFilePassphrase=sslKeyFilePassphrase,
+                        force=False)
+        print("Store creds for user %s" % thisSection['username'])
+    def test02GetDelegation(self):
+        # retrieve proxy cert./private key
+        thisSection = self.cfg['test02GetDelegation']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass.getpass(prompt="\ntest2GetDelegation "
+                                                "passphrase: ")
+        proxyCertFile = path.expandvars(thisSection['proxyCertFileOut'])
+        proxyKeyFile = path.expandvars(thisSection['proxyKeyFileOut'])
+        creds = self.clnt.getDelegation(thisSection['username'], passphrase)
+        print "proxy credentials:"
+        print ''.join(creds)
+        open(proxyCertFile, 'w').write(creds[0]+''.join(creds[2:]))
+        open(proxyKeyFile, 'w').write(creds[1])
+    def test03Info(self):
+        # Retrieve information about a given credential
+        thisSection = self.cfg['test03Info']
+        # sslKeyFilePassphrase can be omitted from the congif file in which case
+        # the get call below would return None
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(prompt="\ntest3Info owner "
+                                              "credentials passphrase: ")
+        credExists, errorTxt, fields = self.clnt.info(
+                                 thisSection['username'],
+                                 path.expandvars(thisSection['sslCertFile']),
+                                 path.expandvars(thisSection['sslKeyFile']),
+                                 sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print "test3Info... "
+        print "credExists: %s" % credExists
+        print "errorTxt: " + errorTxt
+        print "fields: %s" % fields
+    def test04ChangePassphrase(self):
+        # change pass-phrase protecting a given credential
+        thisSection = self.cfg['test04ChangePassphrase']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass.getpass(prompt="test4ChangePassphrase - "
+                                                "passphrase: ")
+        newPassphrase = thisSection.get('newPassphrase')
+        if newPassphrase is None:
+            newPassphrase = getpass.getpass(prompt="test4ChangePassphrase "
+                                                   "- new passphrase: ")
+            confirmNewPassphrase = getpass.getpass(prompt=\
+                                                   "test4ChangePassphrase "
+                                                   "- confirm new "
+                                                   "passphrase: ")
+            if newPassphrase != confirmNewPassphrase:
+                self.fail("New and confirmed new password don't match")
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase') or passphrase
+        self.clnt.changePassphrase(thisSection['username'],
+                               passphrase,
+                               newPassphrase,
+                               path.expandvars(thisSection['sslCertFile']),
+                               path.expandvars(thisSection['sslKeyFile']),
+                               sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print("Changed pass-phrase")
+    def test05Destroy(self):
+        # destroy credentials for a given user
+        thisSection = self.cfg['test05Destroy']
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass.getpass(prompt="\ntest5Destroy "
+                                              "credential owner passphrase: ")
+        self.clnt.destroy(thisSection['username'],
+                      sslCertFile=path.expandvars(thisSection['sslCertFile']),
+                      sslKeyFile=path.expandvars(thisSection['sslKeyFile']),
+                      sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print("Destroy creds for user %s" % thisSection['username'])
+    def test06GetTrustRoots(self):
+        # Test get trust roots command
+        trustRoots = self.clnt.getTrustRoots()
+    def __del__(self):
+        """Clear up CA certs retrieved in test01GetTrustRoots call ready for
+        next run of these unit tests
+        """
+        self._deleteTrustRootFiles()
+    def _deleteTrustRootFiles(self):
+        """Helper method clears up CA certs in trust roots directory set from
+        previous call to test01GetTrustRoots()
+        """
+        if hasattr(self, 'trustRootFiles'):
+            for fileName in self.trustRootFiles:
+                os.remove(fileName)
+    def test01GetTrustRoots(self):
+        # Test get trust roots command bootstrapping trust
+        trustRoots = self.clnt.getTrustRoots(writeToCACertDir=True,
+                                             bootstrap=True)
         self.assert_(trustRoots)
         self.assert_(isinstance(trustRoots, dict))
 …
                 subj = cert.get_subject()
                 self.assert_(subj)
+                print("Trust root certificate retrieved with DN=%s" % subj)
+                print("Trust root certificate retrieved with DN=%s" % subj)
+        # Keep for __del__ tidy up
+        self.trustRootFiles = []
+        dirContents = os.listdir(self.clnt.caCertDir)
+        for fileName in trustRoots:
+            self.assert_(fileName in dirContents)
+            self.trustRootFiles.append(os.path.join(self.clnt.caCertDir,
+                                                    fileName))
+    def test02Store(self):
+        # upload X509 cert and private key to repository
+        thisSection = self.cfg['test02Store']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass("\ntest02Store credential pass-phrase: ")
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass("\ntest02Store credential owner "
+                                           "pass-phrase: ")
+        certFile = path.expandvars(thisSection['ownerCertFile'])
+        keyFile = path.expandvars(thisSection['ownerKeyFile'])
+        sslCertFile = path.expandvars(thisSection['sslCertFile'])
+        sslKeyFile = path.expandvars(thisSection['sslKeyFile'])
+        self.clnt.store(thisSection['username'],
+                        passphrase,
+                        certFile,
+                        keyFile,
+                        sslCertFile=sslCertFile,
+                        sslKeyFile=sslKeyFile,
+                        sslKeyFilePassphrase=sslKeyFilePassphrase,
+                        force=False)
+        print("Store creds for user %s" % thisSection['username'])
+    def test03GetDelegation(self):
+        # retrieve proxy cert./private key
+        thisSection = self.cfg['test03GetDelegation']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass("\ntest03GetDelegation passphrase: ")
+        proxyCertFile = path.expandvars(thisSection['proxyCertFileOut'])
+        proxyKeyFile = path.expandvars(thisSection['proxyKeyFileOut'])
+        creds = self.clnt.getDelegation(thisSection['username'], passphrase)
+        print "proxy credentials:"
+        print ''.join(creds)
+        open(proxyCertFile, 'w').write(creds[0]+''.join(creds[2:]))
+        open(proxyKeyFile, 'w').write(creds[1])
+    def test04Info(self):
+        # Retrieve information about a given credential
+        thisSection = self.cfg['test04Info']
+        # sslKeyFilePassphrase can be omitted from the congif file in which case
+        # the get call below would return None
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass("\ntest04Info owner credentials "
+                                           "passphrase: ")
+        credExists, errorTxt, fields = self.clnt.info(
+                                 thisSection['username'],
+                                 path.expandvars(thisSection['sslCertFile']),
+                                 path.expandvars(thisSection['sslKeyFile']),
+                                 sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print "test04Info... "
+        print "credExists: %s" % credExists
+        print "errorTxt: " + errorTxt
+        print "fields: %s" % fields
+    def test06ChangePassphrase(self):
+        # change pass-phrase protecting a given credential
+        thisSection = self.cfg['test06ChangePassphrase']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass("test06ChangePassphrase - passphrase: ")
+        newPassphrase = thisSection.get('newPassphrase')
+        if newPassphrase is None:
+            newPassphrase = getpass("test06ChangePassphrase - new passphrase: ")
+            confirmNewPassphrase = getpass("test06ChangePassphrase - confirm "
+                                           "new passphrase: ")
+            if newPassphrase != confirmNewPassphrase:
+                self.fail("New and confirmed new password don't match")
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase') or \
+                            passphrase
+        self.clnt.changePassphrase(thisSection['username'],
+                               passphrase,
+                               newPassphrase,
+                               path.expandvars(thisSection['sslCertFile']),
+                               path.expandvars(thisSection['sslKeyFile']),
+                               sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print("Changed pass-phrase")
+    def test05GetDelegationWithBootstrappedTrustRoots(self):
+        # Get delegation call whilst simulataneously bootstrapping trust roots
+        thisSection = self.cfg['test05GetDelegationWithBootstrappedTrustRoots']
+        passphrase = thisSection.get('passphrase')
+        if passphrase is None:
+            passphrase = getpass("\n"
+                                 "test05GetDelegationWithBootstrappedTrustRoots"
+                                 "passphrase: ")
+        # Ensure any previously set trust root files are removed
+        self._deleteTrustRootFiles()
+        creds = self.clnt.getDelegation(thisSection['username'], passphrase,
+                                        bootstrap=True)
+        print "proxy credentials:"
+        print ''.join(creds)
+    def test07Destroy(self):
+        # destroy credentials for a given user
+        thisSection = self.cfg['test07Destroy']
+        sslKeyFilePassphrase = thisSection.get('sslKeyFilePassphrase')
+        if sslKeyFilePassphrase is None:
+            sslKeyFilePassphrase = getpass("\ntest07Destroy credential owner "
+                                           "passphrase: ")
+        self.clnt.destroy(thisSection['username'],
+                      sslCertFile=path.expandvars(thisSection['sslCertFile']),
+                      sslKeyFile=path.expandvars(thisSection['sslKeyFile']),
+                      sslKeyFilePassphrase=sslKeyFilePassphrase)
+        print("Destroy creds for user %s" % thisSection['username'])
 …
                                    proxyCertMaxLifetime=60000,
                                    proxyCertLifetime=30000,
                                    caCertFilePath=mkPath('ndg-test-ca.crt'))
+                                   caCertDir=mkPath(''))
             self.assert_(client.port == 20000)
 …
             self.assert_(client.proxyCertLifetime == 30000)
             self.assert_(client.openSSLConfFilePath == mkPath('openssl.conf'))
             self.assert_(client.caCertFilePath == mkPath('ndg-test-ca.crt'))
+            self.assert_(client.caCertDir == mkPath(''))
         finally:
             os.environ = environBackup
 …
             pass
-        client.caCertFilePath = mkPath('ca.pem')
         client.caCertDir = mkPath('/etc/grid-security/certificates')
 …
         self.assert_(client.proxyCertLifetime == 70000)
         self.assert_(client.openSSLConfFilePath == mkPath('ssl.cnf'))
-        self.assert_(client.caCertFilePath == mkPath('ca.pem'))
         self.assert_(
                 client.caCertDir == mkPath('/etc/grid-security/certificates'))

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: