Changeset 6918 for TI12-security/trunk/MyProxyClient/myproxy/client.py

Timestamp:

02/06/10 15:01:16 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 5: MyProxy? Logon HTTPS Interface

• Updated MyProxyClient with bootstrap capability for get trust roots and logon methods.

File:

• TI12-security/trunk/MyProxyClient/myproxy/client.py (modified) (30 diffs)

TI12-security/trunk/MyProxyClient/myproxy/client.py

@@ -243 +243 @@
     environment variable name
     
+    @type GLOBUS_LOCATION_ENVVARNAME: string
+    @param GLOBUS_LOCATION_ENVVARNAME: 'GLOBUS_LOCATION' environment variable
+    name
+    
     @type GET_CMD: string
     @cvar GET_CMD: get command string
@@ -261 +265 @@
     @cvar GET_TRUST_ROOTS_CMD: get trust roots command string
     
-    @type _hostCertSubDirPath: string
-    @cvar _hostCertSubDirPath: sub-directory path host certificate (as tuple)
-    
-    @type _hostKeySubDirPath: string
-    @cvar _hostKeySubDirPath: sub-directory path to host key (as tuple)
+    @type TRUSTED_CERTS_FIELDNAME: string
+    @param TRUSTED_CERTS_FIELDNAME: field name in get trust roots response for
+    trusted certificate file names
+    
+    @type TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX: string
+    @param TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX: field name prefix in get 
+    trust roots response for trusted certificate file contents
+    
+    @type HOSTCERT_SUBDIRPATH: string
+    @cvar HOSTCERT_SUBDIRPATH: sub-directory path host certificate (as tuple)
+    
+    @type HOSTKEY_SUBDIRPATH: string
+    @cvar HOSTKEY_SUBDIRPATH: sub-directory path to host key (as tuple)
     
     @type PRIKEY_NBITS: int
@@ -290 +302 @@
     @cvar PROPERTY_DEFAULTS: sets permissable element names for MyProxy config 
     file
+
+    @type ROOT_USERNAME: string
+    @cvar ROOT_USERNAME: root username - used to determine output directory
+    for trust roots
+
+    @type ROOT_TRUSTROOT_DIR: string
+    @param ROOT_TRUSTROOT_DIR: default trust root directory if running as root
+    user 
+
+    @type USER_TRUSTROOT_DIR: string
+    @param USER_TRUSTROOT_DIR: default trust root directory for users other
+    than root
+    
+    @type X509_CERT_DIR_ENVVARNAME: string
+    @param X509_CERT_DIR_ENVVARNAME: environment variable name 'X509_CERT_DIR',
+    which if set points to the location of the trust roots 
     """
     MYPROXY_SERVER_ENVVARNAME = 'MYPROXY_SERVER'
     MYPROXY_SERVER_PORT_ENVVARNAME = 'MYPROXY_SERVER_PORT'
     MYPROXY_SERVER_DN_ENVVARNAME = 'MYPROXY_SERVER_DN'
-      
+    
+    GLOBUS_LOCATION_ENVVARNAME = 'GLOBUS_LOCATION'
+    
     GET_CMD="""VERSION=MYPROXYv2
 COMMAND=0
@@ -339 +369 @@
 TRUSTED_CERTS=1"""
 
-    _hostCertSubDirPath = ('etc', 'hostcert.pem')
-    _hostKeySubDirPath = ('etc', 'hostkey.pem')
+    TRUSTED_CERTS_FIELDNAME = 'TRUSTED_CERTS'
+    TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX = 'FILEDATA_'
+    
+    HOSTCERT_SUBDIRPATH = ('etc', 'hostcert.pem')
+    HOSTKEY_SUBDIRPATH = ('etc', 'hostkey.pem')
     
     PROXY_FILE_PERMISSIONS = 0600
@@ -360 +393 @@
        'hostname':              'localhost',
        'port':                  7512,
+       'cnPrefix':          MyProxyServerSSLCertVerification.SERVER_CN_PREFIX,
        'serverDN':              None,
        'openSSLConfFilePath':   '',
        'proxyCertMaxLifetime':  43200,
        'proxyCertLifetime':     43200,
-       'caCertFilePath':        None,
        'caCertDir':             None
     }
+
+    ROOT_USERNAME = 'root'
+    ROOT_TRUSTROOT_DIR = '/etc/grid-security/certificates'
+    USER_TRUSTROOT_DIR = '~/.globus/certificates'    
+    X509_CERT_DIR_ENVVARNAME = 'X509_CERT_DIR'
     
     # Restrict attributes to the above properties, their equivalent 
@@ -395 +433 @@
         self.__proxyCertLifetime = MyProxyClient.PROPERTY_DEFAULTS[
                                                         'proxyCertLifetime']
-        self.__caCertFilePath = None
         self.__caCertDir = None
         
@@ -419 +456 @@
             self.serverDN = serverDN
         
+        # Set trust root - the directory containing the CA certificates for 
+        # verifying the MyProxy server's SSL certificate
+        self.setDefaultCACertDir()
+        
         # Any keyword settings override the defaults above
         for opt, val in prop.items():
@@ -427 +468 @@
         if cfgFilePath is not None:
             self.parseConfig(cfg=cfgFilePath)
-
-    def _getServerSSLCertVerify(self):
-        return self.__serverSSLCertVerify
-
-    serverSSLCertVerify = property(_getServerSSLCertVerify, 
-                                   doc="Server SSL Certificate Verification "
-                                       "callable")
-
+            
+    def setDefaultCACertDir(self):
+        '''Make default trust root setting - the directory containing the CA 
+        certificates for verifying the MyProxy server's SSL certificate.
+        
+        The setting is made by using standard Globus defined locations and
+        environment variable settings
+        '''
+        
+        # Check for X509_CERT_DIR environment variable
+        x509CertDir = os.environ.get(MyProxyClient.X509_CERT_DIR_ENVVARNAME)
+        if x509CertDir is not None:
+            self.caCertDir = x509CertDir
+            
+        # Check for running as root user
+        elif os.environ.get(MyProxyClient.ROOT_USERNAME) is not None:
+            self.caCertDir = MyProxyClient.ROOT_TRUSTROOT_DIR
+            
+        # Default to non-root standard location
+        else:
+            self.caCertDir = os.path.expanduser(
+                                            MyProxyClient.USER_TRUSTROOT_DIR)
 
     def _getServerSSLCertVerify(self):
@@ -582 +637 @@
                                  doc="Default proxy cert. lifetime used in "
                                      "logon request")
-    
-    def _getCACertFilePath(self):
-        return self.__caCertFilePath
-    
-    def _setCACertFilePath(self, val):
-        '''@type val: basestring
-        @param val: file path for CA certificate to be used to verify 
-        MyProxy server certificate'''
-        
-        if isinstance(val, basestring):
-            if val == '':
-                self.__caCertFilePath = None
-            else:
-                self.__caCertFilePath = os.path.expandvars(val)
-                
-        elif isinstance(val, None):
-            raise TypeError("Expecting string type for caCertFilePath "
-                                 "attribute")       
-        
-    caCertFilePath = property(fget=_getCACertFilePath,
-                              fset=_setCACertFilePath,
-                              doc="CA certificate file path - MyProxy server "
-                                  "certificate must validate against it and/"
-                                  "or any present in caCertDir")
 
     def _getCACertDir(self):
@@ -634 +665 @@
     caCertDir = property(fget=_getCACertDir,
                          fset=_setCACertDir,
-                         doc="directory containing PEM encoded CA "
-                             "certificates.  Use along with caCertFilePath "
-                             "setting to validate MyProxy server certificate")
+                         doc="trust roots directory containing PEM encoded CA "
+                             "certificates to validate MyProxy server "
+                             "certificate")
 
 
@@ -648 +679 @@
                         certFile=None, 
                         keyFile=None,
-                        keyFilePassphrase=None):
+                        keyFilePassphrase=None,
+                        verifyPeerWithTrustRoots=True):
         """Initialise connection setting up SSL context and client and
         server side identity checks
@@ -661 +693 @@
         @type keyFilePassphrase: basestring
         @param keyFilePassphrase: pass-phrase protecting private key if set
+        @type verifyPeerWithTrustRoots: bool
+        @param verifyPeerWithTrustRoots: verify MyProxy server's SSL certificate
+        against a list of trusted CA certificates in the CA certificate 
+        directory set by the "CaCertDir" attribute.  This should always be set 
+        to True for MyProxy client calls unless using the 'bootstrap' trust
+        roots mode available with logon and get trust roots calls
         """
         # Must be version 3 for MyProxy
         context = SSL.Context(SSL.SSLv3_METHOD)
         
-        if self.caCertFilePath or self.caCertDir:
-            context.load_verify_locations(self.caCertFilePath, self.caCertDir)
-            
+        if verifyPeerWithTrustRoots:
+            context.load_verify_locations(None, self.caCertDir)
+            verifyMode = SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT
+        else:
+            log.warning("SSL Context verify mode set to SSL.VERIFY_NONE")
+            verifyMode = SSL.VERIFY_NONE
+            
+        # Verify peer's (MyProxy server) certificate
+        context.set_verify(verifyMode, self.__serverSSLCertVerify)
+             
         if certFile:
             try:
@@ -674 +719 @@
                                 promptPassphraseTwice,
                                 passphrase):
+                    """Private key file password callback function"""
                     if len(passphrase) > passphraseMaxLen:
                         log.error('Passphrase length %d is greater than the '
@@ -691 +737 @@
                                                "connection [also check CA "
                                                "certificate settings]: %s" % 
-                                               traceback.format_exc()) 
-            
-        # Verify peer's (MyProxy server) certificate
-        context.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, 
-                           self.__serverSSLCertVerify) 
-        
+                                               traceback.format_exc())
            
         # Disable for compatibility with myproxy server (er, globus)
@@ -713 +754 @@
         @param nBitsForKey: number of bits for private key generation - 
         default is 2048
-        @rtype: string
+        @rtype: OpenSSL.crypto.PKey
         @return: public/private key pair
         """
@@ -731 +772 @@
         @type messageDigest: basestring
         @param messageDigest: message digest type - default is MD5
-        @rtype: tuple
+        @rtype: base string
         @return certificate request PEM text and private key PEM text
         """
@@ -949 +990 @@
         private key is not password protected.
         """
-        globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc, 
-                                            *MyProxyClient._hostCertSubDirPath)
+                                            *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc, 
-                                            *MyProxyClient._hostKeySubDirPath)
+                                            *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
@@ -1011 +1052 @@
         @return none
         """
-        globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostCertSubDirPath)
+                                           *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostKeySubDirPath)
+                                          *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
@@ -1067 +1108 @@
         @return none
         """
-        globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostCertSubDirPath)
+                                         *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostKeySubDirPath)
+                                         *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 raise MyProxyClientError(
@@ -1153 +1194 @@
             passphrase = str(passphrase)
         
-        globusLoc = os.environ.get('GLOBUS_LOCATION')
+        globusLoc = os.environ.get(MyProxyClient.GLOBUS_LOCATION_ENVVARNAME)
         if not sslCertFile or not sslKeyFile:
             if globusLoc:
                 sslCertFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostCertSubDirPath)
+                                           *MyProxyClient.HOSTCERT_SUBDIRPATH)
                 sslKeyFile = os.path.join(globusLoc, 
-                                         *MyProxyClient._hostKeySubDirPath)
+                                          *MyProxyClient.HOSTKEY_SUBDIRPATH)
             else:
                 # Default so that the owner is the same as the ID of the 
@@ -1211 +1252 @@
         
     def logon(self, username, passphrase, lifetime=None, keyPair=None, 
-              certReq=None, nBitsForKey=PRIKEY_NBITS):
+              certReq=None, nBitsForKey=PRIKEY_NBITS, bootstrap=False,
+              updateTrustRoots=False):
         """Retrieve a proxy credential from a MyProxy server
         
@@ -1225 +1267 @@
         @type lifetime: int
         @param lifetime: lifetime for generated certificate
+        
+        @type keyPair: OpenSSL.crypto.PKey
+        @param keyPair: Public/Private key pair.  This is ignored if a 
+        certificate request is passed via the certReq keyword
+        
+        @type certReq: string
+        @param certReq: ASN1 format certificate request, if none set, one is 
+        created along with a key pair
+        
+        @type nBitsForKey: int
+        @param nBitsForKey: number of bits to use when generating key pair,
+        defaults to the PRIKEY_NBITS class variable setting.  This keyword is
+        ignored if a key pair is passed in from an external source via the
+        keyPair keyword
         
         @rtype: tuple
@@ -1230 +1286 @@
         user certificate, it's private key and the issuing certificate.  The
         issuing certificate is only set if the user certificate is a proxy
+        
+        @type bootstrap: bool
+        @param bootstrap: If set to True, bootstrap trust roots i.e. connect to
+        MyProxy server without verification of the server's SSL certificate
+        against any CA certificates.  Set to False, for default behaviour:
+        verify server SSL certificate against CA certificates held in location
+        set by the "caCertDir" attribute.  If bootstrap is set, updateTrustRoots
+        will be forced to True also
+        
+        @type updateTrustRoots: bool
+        @param updateTrustRoots: set to True to update the trust roots
         """
-        
+        if bootstrap:
+            log.info('Bootstrapping MyProxy server root of trust.')
+            
+            # Bootstrap implies update to trust roots
+            updateTrustRoots = True
+        
+        if updateTrustRoots:
+            self.getTrustRoots(username, 
+                               passphrase, 
+                               writeToCACertDir=True, 
+                               bootstrap=bootstrap)
+            
         lifetime = lifetime or self.proxyCertLifetime
 
@@ -1255 +1333 @@
         # send get command - ensure conversion from unicode before writing
         cmd = MyProxyClient.GET_CMD % (username, passphrase, lifetime)
+            
         conn.write(str(cmd))
-    
+        
         # process server response
         dat = conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
+                   
         respCode, errorTxt = self._deserializeResponse(dat)
         if respCode:
@@ -1278 +1358 @@
         respCode, errorTxt = self._deserializeResponse(resp)
         if respCode:
-            raise MyProxyClientRetrieveError(errorTxt)
+            raise MyProxyClientRetrieveError(errorTxt)     
     
         # deserialize certs from received cert data
@@ -1304 +1384 @@
         return self.logon(*arg, **kw)
     
-    def getTrustRoots(self, username='', passphrase=''):
+    def getTrustRoots(self, 
+                      username='', 
+                      passphrase='', 
+                      writeToCACertDir=False,
+                      bootstrap=False):
         """Get trust roots for the given MyProxy server
         
@@ -1313 +1397 @@
         @param passphrase: pass-phrase (optional)
         server
+        
+        @type writeToCACertDir: bool
+        @param writeToCACertDir: if set to True, write the retrieved trust roots
+        out to the directory specified by the "caCertDir" attribute
+        
+        @type bootstrap: bool
+        @param bootstrap: If set to True, bootstrap trust roots i.e. connect to
+        MyProxy server without verification of the server's SSL certificate
+        against any CA certificates.  Set to False, for default behaviour:
+        verify server SSL certificate against CA certificates held in location
+        set by the "caCertDir" attribute.
         
         @return: trust root files as a dictionary keyed by file name with each 
@@ -1318 +1413 @@
         @rtype: dict
         """
+        if bootstrap:
+            log.info('Bootstrapping MyProxy server root of trust.')
+            
         # Set-up SSL connection
-        conn = self._initConnection()
+        conn = self._initConnection(verifyPeerWithTrustRoots=(not bootstrap))
         conn.connect((self.hostname, self.port))
         
@@ -1331 +1429 @@
         # process server response chunks until all consumed
         dat = ''
+        tries = 0
         try:
             for tries in range(MyProxyClient.MAX_RECV_TRIES):
@@ -1344 +1443 @@
                         MyProxyClient.MAX_RECV_TRIES,
                         MyProxyClient.SERVER_RESP_BLK_SIZE)
-            
+         
+        fieldName = MyProxyClient.TRUSTED_CERTS_FIELDNAME
+        prefix = MyProxyClient.TRUSTED_CERTS_FILEDATA_FIELDNAME_PREFIX  
         respCode, errorTxt, fileData = self._deserializeResponse(dat, 
-                                                                'TRUSTED_CERTS',
-                                                                'FILEDATA_')
+                                                                 fieldName,
+                                                                 prefix)
         if respCode:
             raise MyProxyClientGetTrustRootsError(errorTxt)
         
-        filesDict = dict([(k, base64.b64decode(v)) 
-                          for k, v in fileData.items() if k != 'TRUSTED_CERTS'])
-        
+        filesDict = dict([(k.split(prefix, 1)[1], base64.b64decode(v)) 
+                          for k, v in fileData.items() if k != fieldName])
+        
+        if writeToCACertDir:
+            for fileName, fileContents in filesDict.items():
+                filePath = os.path.join(self.caCertDir, fileName)
+                open(filePath, 'wb').write(fileContents)
+                
         return filesDict