Changeset 6950

Timestamp:

08/06/10 16:33:29 (11 years ago)

Author:

pjkersha

Message:

Incomplete - task 5: MyProxy? Logon HTTPS Interface

• Finished epydoc ready for first release to PyPI.

Location:

TI12-security/trunk/MyProxyWebService

Files:

• documentation/Makefile (added)
• myproxy/server/test/myproxywsgi.ini (modified) (1 diff)
• myproxy/server/test/test_httpbasicauth.py (modified) (4 diffs)
• myproxy/server/test/test_myproxywsgi.cfg (modified) (2 diffs)
• myproxy/server/test/test_myproxywsgi_with_paster.py (modified) (3 diffs)
• myproxy/server/wsgi/httpbasicauth.py (modified) (9 diffs)
• myproxy/server/wsgi/middleware.py (modified) (12 diffs)
• setup.py (modified) (3 diffs)

TI12-security/trunk/MyProxyWebService/myproxy/server/test/myproxywsgi.ini

@@ -20 +20 @@
 paste.app_factory = myproxy.server.wsgi.app:MyProxyApp.app_factory
 prefix = myproxy.
+
+# HTTP Basic Auth authentication realm used with MyProxy logon requests.
 myproxy.httpbasicauth.realm = myproxy-realm
+
+# The key name in the WSGI environ dictionary which holds the MyProxy logon
+# function.  This is used by the HTTP Basic Auth middleware
 myproxy.logon.logonFuncEnvKeyName = MYPROXY_LOGON_FUNC
+
+# Path for logon requests
+#
+# The URI path or paths that will be matched to a logobn request.  Regular
+# expression may be entered but typically only a single path would be expected
+# for the logon request.  The format of this option is inherited from the more
+# generic HTTP Basic Auth middleware which the MyProxyApp uses.
 myproxy.logon.rePathMatchList = /logon
+
+# Path for get trust roots call.  This should be a single path.  Regular 
+# expressions are not supported.
 myproxy.getTrustRoots.path = /get-trustroots
+
+# MyProxy server which this MyProxy WSGI app is a client to.  Set here to the 
+# fully qualified domain name or else set the MYPROXY_SERVER environment
+# variable.  See the documentation for the MyProxyClient egg for details
 #myproxy.client.hostname = localhost
 myproxy.client.caCertDir = /etc/grid-security/certificates

TI12-security/trunk/MyProxyWebService/myproxy/server/test/test_httpbasicauth.py

@@ -22 +22 @@
 
 class TestApp(object):
+    """Test WSGI Application for use with the unit tests for the HTTP Basic
+    Auth middleware developed for the myproxy.server.app.MyProxyApp application
+    """
     def __init__(self, global_conf, **app_conf):
-        pass
+        """Follow standard Paste Deploy app factory function signature"""
     
     def __call__(self, environ, start_response):
+        """Make a simple response for unit test code to trap and validate 
+        against.  If this method is executed then the HTTP Basic Auth step in
+        the upstream middleware has succeeded.
+        """
         contentType = 'text/plain'
         response = 'Authenticated!'
@@ -45 +52 @@
     
     def __init__(self, app, global_conf, **app_conf):
+        """Follow standard Paste Deploy app factory function signature"""
         self.app = app
         
@@ -79 +87 @@
     
     def __init__(self, app, global_conf, **app_conf):
+        """Follow standard Paste Deploy app factory function signature"""
         self.app = app
         
     def __call__(self, environ, start_response):
+        """Create HTTP Basic Auth callback"""
         def authenticate(environ, start_response, username, password):
+            """HTTP Basic Auth callback function"""
             if (username != self.__class__.USERNAME or
                 password != self.__class__.PASSWORD):
@@ -93 +104 @@
 
 class HttpBasicAuthMiddlewareTestCase(unittest.TestCase):
+    """Unit tests for HTTP Basic Auth middleware used with the MyProxyWebService
+    package
+    """
     CONFIG_FILE = 'httpbasicauth.ini'
     
     def __init__(self, *args, **kwargs):
+        """Set-up Paste fixture from ini file settings"""
         here_dir = os.path.dirname(os.path.abspath(__file__))
         configFilePath = ('config:%s' % 

TI12-security/trunk/MyProxyWebService/myproxy/server/test/test_myproxywsgi.cfg

@@ -13 +13 @@
 #
 [MyProxyLogonAppTestCase.test01Logon]
+# Edit these setting for your own environment.  Password can be prompted for
+# from tty by commenting out or removing the password option here
 username: pjk
 password = mypassword
@@ -18 +20 @@
 
 [MyProxyLogonAppWithPasterTestCase.test02LogonScript]
+# Edit these setting for your own environment.  Password can be prompted for
+# from tty by commenting out or removing the password option here
 username: pjk
 password = mypassword

TI12-security/trunk/MyProxyWebService/myproxy/server/test/test_myproxywsgi_with_paster.py

@@ -28 +28 @@
 class MyProxyLogonAppWithPasterTestCase(unittest.TestCase):
     """Test MyProxy Logon App WSGI in Paster web application server container
+    with bash shell script clients.  For POSIX-like systems ONLY
     """
     THIS_DIR = path.dirname(__file__)
@@ -51 +52 @@
     
     def __init__(self, *arg, **kw):
+        """Read settings from a config file and create thread for paster 
+        based MyProxy Web Service app running over HTTPS
+        """
         super(MyProxyLogonAppWithPasterTestCase, self).__init__(*arg, **kw)
         self.services = []
@@ -123 +127 @@
         unit tests
         
-        @param cfgFilePath: ini file containing configuration for the service
-        @type cfgFilePath: basestring
-        @param port: port number to run the service from
-        @type port: int
+        @param arg: tuple contains ini file path setting for the service
+        @type arg: tuple
+        @param kw: keywords including "port" - port number to run the service 
+        from
+        @type kw: dict
         """
         if self.disableServiceStartup:

TI12-security/trunk/MyProxyWebService/myproxy/server/wsgi/httpbasicauth.py

@@ -45 +45 @@
 class HttpBasicAuthMiddleware(object):
     '''HTTP Basic Authentication Middleware 
+
+    @cvar AUTHN_FUNC_ENV_KEYNAME: key name for referencing Authentication
+    callback function in environ.  Upstream middleware must set this.
+    @type AUTHN_FUNC_ENV_KEYNAME: string
+    @cvar AUTHN_FUNC_ENV_KEYNAME_OPTNAME: in file option name for setting the
+    Authentication callback environ key
+    @type AUTHN_FUNC_ENV_KEYNAME_OPTNAME: string
+    @cvar REALM_OPTNAME: ini file option name for setting the HTTP Basic Auth
+    authentication realm
+    @type REALM_OPTNAME: string
+    @cvar PARAM_PREFIX: prefix for ini file options
+    @type PARAM_PREFIX: string
+    @cvar AUTHENTICATE_HDR_FIELDNAME: HTTP header field name 'WWW-Authenticate'
+    @type AUTHENTICATE_HDR_FIELDNAME: string
+    @cvar AUTHENTICATE_HDR_FIELDNAME_LOWER: lowercase version of 
+    AUTHENTICATE_HDR_FIELDNAME class variable included for convenience with
+    string matching 
+    @type AUTHENTICATE_HDR_FIELDNAME_LOWER: string
+    @cvar AUTHN_SCHEME_HDR_FIELDNAME: HTTP Authentication scheme identifier
+    @type AUTHN_SCHEME_HDR_FIELDNAME: string
+    @cvar FIELD_SEP: field separator for username/password header string
+    @type FIELD_SEP: string
+    @cvar AUTHZ_ENV_KEYNAME: WSGI environ key name for HTTP Basic Auth header
+    content
+    @type AUTHZ_ENV_KEYNAME: string
+    
+    @ivar __rePathMatchList: list of regular expression patterns used to match
+    incoming requests and enforce HTTP Basic Auth against
+    @type __rePathMatchList: list
+    @ivar __authnFuncEnvironKeyName: __authnFuncEnvironKeyName
+    @type __authnFuncEnvironKeyName: string
+    @ivar __realm: HTTP Basic Auth authentication realm
+    @type __realm: string
+    @ivar __app: next WSGI app/middleware in call chain
+    @type __app: function
     '''
     AUTHN_FUNC_ENV_KEYNAME = (
@@ -76 +111 @@
     
     def __init__(self, app):
+        """Create instance variables
+        @param app: next middleware/app in WSGI stack
+        @type app: function
+        """
         self.__rePathMatchList = None
         self.__authnFuncEnvironKeyName = None
@@ -92 +131 @@
         @type prefix: basestring
         @param prefix: prefix for configuration items
-        @type app_conf: dict        
-        @param app_conf: PasteDeploy application specific configuration 
+        @type local_conf: dict        
+        @param local_conf: PasteDeploy application specific configuration 
         dictionary
+        @rtype: myproxy.server.wsgi.httpbasicauth.HttpBasicAuthMiddleware
+        @return: an instance of this middleware
         """
         httpBasicAuthFilter = cls(app)
@@ -125 +166 @@
 
     def _getAuthnFuncEnvironKeyName(self):
+        """Get authentication callback function environ key name
+        
+        @rtype: basestring
+        @return: callback function environ key name
+        """
         return self.__authnFuncEnvironKeyName
 
     def _setAuthnFuncEnvironKeyName(self, value):
+        """Set authentication callback environ key name
+        
+        @type value: basestring
+        @param value: callback function environ key name
+        """
         if not isinstance(value, basestring):
             raise TypeError('Expecting string type for '
                             '"authnFuncEnvironKeyName"; got %r type' % 
                             type(value))
+            
         self.__authnFuncEnvironKeyName = value
 
@@ -141 +193 @@
 
     def _getRePathMatchList(self):
+        """Get regular expression path match list
+        
+        @rtype: tuple or list
+        @return: list of regular expressions used to match incoming request 
+        paths and apply HTTP Basic Auth to
+        """
         return self.__rePathMatchList
 
     def _setRePathMatchList(self, value):
+        """Set regular expression path match list
+        
+        @type value: tuple or list
+        @param value: list of regular expressions used to match incoming request 
+        paths and apply HTTP Basic Auth to
+        """
         if not isinstance(value, (list, tuple)):
             raise TypeError('Expecting list or tuple type for '
@@ -156 +220 @@
 
     def _getRealm(self):
+        """Get realm
+        
+        @rtype: basestring
+        @return: HTTP Authentication realm to set in responses
+        """
         return self.__realm
 
     def _setRealm(self, value):
+        """Set realm
+        
+        @type value: basestring
+        @param value: HTTP Authentication realm to set in responses
+        """
         if not isinstance(value, basestring):
             raise TypeError('Expecting string type for '
@@ -188 +262 @@
     def _parseCredentials(self, environ):
         """Extract username and password from HTTP_AUTHORIZATION environ key
+        
+        @param environ: WSGI environ dict
+        @type environ: dict
         
         @rtype: tuple
@@ -222 +299 @@
         @return: response
         @rtype: iterable
+        @raise HttpBasicAuthMiddlewareConfigError: no authentication callback
+        found in environ
         """
         log.debug("HttpBasicAuthNMiddleware.__call__ ...")
@@ -296 +375 @@
         @param contentType: set 'Content-type' HTTP header field - defaults to
         'text/plain'
+        @rtype: list
+        @return: HTTP error response
         '''                        
         status = '%d %s' % (code, httplib.responses[code])

TI12-security/trunk/MyProxyWebService/myproxy/server/wsgi/middleware.py

@@ -33 +33 @@
 
 class MyProxyClientMiddlewareBase(object):
-    """Base class for common functionality"""
-    __slots__ = ('__app', '__clientEnvironKeyName',)
+    """Base class for common functionality
+    
+    @cvar CLIENT_ENV_KEYNAME_OPTNAME: ini file option which sets the key name
+    in the WSGI environ for referring to the MyProxy client instance shared
+    between MyProxy* middleware/apps
+    @type CLIENT_ENV_KEYNAME_OPTNAME: string
+    
+    @cvar DEFAULT_CLIENT_ENV_KEYNAME: default value for key name set in the
+    WSGI environ dict which refers to the MyProxy client instance shared
+    between MyProxy* middleware/apps
+    @type DEFAULT_CLIENT_ENV_KEYNAME: string
+    
+    @ivar __app: WSGI callable for next middleware or app in the WSGI stack
+    @type __app: function
+    
+    @ivar __clientEnvironKeyName: key name set in the WSGI environ dict which 
+    refers to the MyProxy client instance shared between MyProxy* middleware/
+    apps
+    @type __clientEnvironKeyName: string
+    """
+    __slots__ = (
+        '__app', 
+        '__clientEnvironKeyName',
+    )
     
     CLIENT_ENV_KEYNAME_OPTNAME = 'clientEnvKeyName'
@@ -41 +63 @@
         
     def __init__(self, app):
+        """Create WSGI app and MyProxy client attributes
+        @type app: function
+        @param app: WSGI callable for next middleware or app in the WSGI stack
+        """
         self.__app = app
         self.__clientEnvironKeyName = None
@@ -82 +108 @@
         @type statusCode: int
         @param statusCode: HTTP status code
-        @rtype: str
+        @rtype: string
         @return: status code with standard message
         @raise KeyError: for invalid status code
@@ -90 +116 @@
     
 class MyProxyClientMiddleware(MyProxyClientMiddlewareBase):
-    '''
-    Create a MyProxy client and make it available to other middleware in the 
+    '''Create a MyProxy client and make it available to other middleware in the 
     WSGI stack
+    
+    @cvar LOGON_FUNC_ENV_KEYNAME_OPTNAME: ini file option name to set the key 
+    name in WSGI environ dict to assign to the Logon function created by this
+    middleware
+    @type LOGON_FUNC_ENV_KEYNAME_OPTNAME: string
+    
+    @cvar DEFAULT_LOGON_FUNC_ENV_KEYNAME: default value for the key name in 
+    WSGI environ dict to assign to the Logon function created by this
+    middleware
+    @type DEFAULT_LOGON_FUNC_ENV_KEYNAME: string
+    
+    @cvar CERT_REQ_POST_PARAM_KEYNAME: HTTP POST field name for the 
+    certificate request posted in logon calls
+    @type CERT_REQ_POST_PARAM_KEYNAME: string
+    
+    @cvar PARAM_PREFIX: prefix for ini file option names 
+    @type PARAM_PREFIX: string
+    
+    @cvar MYPROXY_CLIENT_PARAM_PREFIX: default value for ini file sub-prefix 
+    used for MyProxyClient initialisation settings such as MyProxy server 
+    hostname, CA cert directory etc.  The prefix is such that option names 
+    will look like this e.g.
+    <PARAM_PREFIX><MYPROXY_CLIENT_PARAM_PREFIX>hostname
+    ...
+    @type MYPROXY_CLIENT_PARAM_PREFIX: string
+    
+    @ivar __myProxyClient: MyProxy client interface object to enable this
+    middleware to communicate with a backend MyProxy server using the MyProxy
+    protocol
+    @type __myProxyClient: myproxy.client.MyProxyClient
+    
+    @ivar __logonFuncEnvironKeyName: 
+    @type __logonFuncEnvironKeyName: string
     '''
     # Options for ini file
@@ -108 +166 @@
     
     __slots__ = (
-        '__app',
         '__myProxyClient', 
         '__logonFuncEnvironKeyName',
@@ -136 +193 @@
         @type prefix: basestring
         @param prefix: prefix for configuration items
+        @type myProxyClientPrefix: ini file sub-prefix used for MyProxyClient 
+        initialisation settings such as MyProxy server  hostname, CA cert. 
+        directory etc.  
+        @param myProxyClientPrefix: basestring
         @type app_conf: dict        
         @param app_conf: PasteDeploy application specific configuration 
         dictionary
+        
+        @rtype: myproxy.server.wsgi.middleware.MyProxyClientMiddleware
+        @return: an instance of this application
         """
         app = cls(app)
@@ -152 +216 @@
         @type prefix: basestring
         @param prefix: prefix for configuration items
-        @type prefix: basestring
-        @param prefix: explicit prefix for MyProxyClient class specific 
-        configuration items
+        @type myProxyClientPrefix: basestring
+        @param myProxyClientPrefix: explicit prefix for MyProxyClient class 
+        specific configuration items
         @type app_conf: dict        
         @param app_conf: PasteDeploy application specific configuration 
@@ -247 +311 @@
         """Return the MyProxy logon method wrapped as a HTTP Basic Auth 
         authenticate interface function
+        
+        @rtype: function
+        @return: MyProxy logon HTTP Basic Auth Callback
         """
         def _myProxylogon(environ, start_response, username, password):
             """Wrap MyProxy logon method as a WSGI app
+            @type environ: dict
+            @param environ: WSGI environment variables dictionary
+            @type start_response: function
+            @param start_response: standard WSGI start response function
+            @type username: basestring
+            @param username: username credential to MyProxy logon
+            @type password: basestring
+            @param password: pass-phrase for MyProxy logon call
+            @raise HttpBasicAuthResponseException: invalid client request
+            @raise MyProxyClientMiddlewareError: socket error for backend
+            MyProxy server
             """  
             requestMethod = environ.get('REQUEST_METHOD')             
@@ -323 +401 @@
     upstream in the WSGI stack to set up a MyProxyClient instance and make it 
     available in the environ to call its getTrustRoots method.
+    
+    @cvar PATH_OPTNAME: ini file option to set the URI path for this service
+    @type PATH_OPTNAME: string
+    
+    @cvar DEFAULT_PATH: default URI path setting
+    @type DEFAULT_PATH: string
+
+    @cvar PARAM_PREFIX: prefix for ini file option names 
+    @type PARAM_PREFIX: string
+    
+    @ivar __path: URI path setting for this service
+    @type __path: basestring
     """
-    
-    # Options for ini file
-    CLIENT_ENV_KEYNAME_OPTNAME = \
-        MyProxyClientMiddleware.CLIENT_ENV_KEYNAME_OPTNAME
         
     PATH_OPTNAME = 'path'     
-    
-    DEFAULT_CLIENT_ENV_KEYNAME = \
-        MyProxyClientMiddleware.DEFAULT_CLIENT_ENV_KEYNAME
-    
     DEFAULT_PATH = '/myproxy/get-trustroots'
     
@@ -366 +448 @@
         @param app_conf: PasteDeploy application specific configuration 
         dictionary
+        
+        @rtype: myproxy.server.wsgi.middleware.MyProxyGetTrustRootsMiddleware
+        @return: an instance of this middleware
         """
         app = cls(app)
@@ -421 +506 @@
         @type start_response: function
         @param start_response: standard WSGI start response function
+        
+        @rtype: list
+        @return: get trust roots response
         '''
         # Skip if path doesn't match
@@ -463 +551 @@
         
         @rtype: basestring
-        @return: trust roots formatted as a HTTP response
+        @return: trust roots base64 encoded and concatenated together
+        @raise MyProxyGetTrustRootsMiddlewareError: socket error with backend
+        MyProxy server
+        @raise MyProxyClientError: error response received by MyProxyClient
+        instance
         """
         try:

TI12-security/trunk/MyProxyWebService/setup.py

@@ -20 +20 @@
 
 setup(
-    name =              'MyProxyServerUtils',
+    name =              'MyProxyWebService',
     version =           '0.1.0',
-    description =       'MyProxy Server Utilities',
-    long_description =  '''Provides a HTTPS interface to myproxy-logon 
-implemented as a WSGI application fronting calls to a MyProxy server.
-    
-MyProxy is an application available from the Globus Toolkit which enables the
-management of PKI based credentials.
+    description =       'MyProxy Web Service',
+    long_description =  '''\
+Provides a simple web service interface to MyProxy.  MyProxy is a Service for 
+managing PKI based credentials which is part of the Globus Toolkit.  Providing
+a HTTP based interface enables HTTP based clients to connect to a MyProxy server
+and retrieve credentials.
+
+The interface is implemented as a WSGI application which fronts a normal 
+MyProxy server.  myproxy-logon and myproxy-get-trustroots are expressed as web 
+service calls.  The WSGI application forwards the requests on to the MyProxy 
+server over the usual MyProxy protocol.  The web service interface is RESTful 
+using GET and POST operations and the logon interface makes uses of HTTP Basic 
+Auth to pass username and pass-phrase credentials.  The service is hosted over 
+HTTPS.
+
+The unit tests include a test application served using paster.  Client scripts
+are also available which need no specialised installation or applications, only
+openssl and curl which are typically available on Linux/UNIX based systems.
     ''',
     author =            'Philip Kershaw',
@@ -33 +45 @@
     maintainer =        'Philip Kershaw',
     maintainer_email =  'Philip.Kershaw@stfc.ac.uk',
-    url =               'http://proj.badc.rl.ac.uk/ndg/wiki/Security/MyProxyClient',
+    url =               'http://proj.badc.rl.ac.uk/ndg/wiki/Security/MyProxyWebService',
     platforms =         ['POSIX', 'Linux', 'Windows'],
     install_requires =  ['PasteDeploy', 
@@ -46 +58 @@
     },
     classifiers = [
-        'Development Status :: 5 - Production/Stable',
+        'Development Status :: 3 - Alpha',
         'Environment :: Console',
         'Environment :: Web Environment',