Changeset 6988

Timestamp:

11/06/10 13:25:00 (11 years ago)

Author:

pjkersha

Message:

Fix to WSGI SSL authn module for proxy cert support with Apache.

Location:

TI12-security/trunk/NDGSecurity/python

Files:

• Tests (modified) (1 prop)
• Tests/saml_eg.py (added)
• ndg_security_server/ndg/security/server/wsgi/ssl.py (modified) (6 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py

@@ -81 +81 @@
 
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
-        
+        """Read configuration settings from the global and application specific
+        ini file settings
+        """
         super(ApacheSSLAuthnMiddleware, self).__init__(app, 
                                                        global_conf, 
@@ -104 +106 @@
                     ApacheSSLAuthnMiddleware.CACERT_FILEPATH_LIST_OPTNAME
                         
+        # Verify against trust root if set.  Alternatively, the verification
+        # step can be configured in the Apache config file.  The latter will
+        # correctly verify proxy certificates if the environment variable
+        # OPENSSL_ALLOW_PROXY_CERTS is set in the start up.  The verification
+        # code in isValidClientCert can't correctly verify proxy certificates 
+        # because only a single certificate is passed in the SSL_CLIENT_CERT 
+        # environ variable and not the complete certificate chain
         self.caCertStack = app_conf.get(caCertFilePathListParamName, [])
         
@@ -109 +118 @@
                     ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME
                     
+        # Specify a restricted list of DNs of which the input client certificate
+        # DN must match at least one
         self.clientCertDNMatchList = app_conf.get(
                                         clientCertDNMatchListParamName, [])
@@ -341 +352 @@
             return False
         
-        # Verify against trust root if set
+        # Verify against trust root if set.  Alternatively, the verification
+        # step can be configured in the Apache config file.  The latter will
+        # correctly verify proxy certificates if the environment variable
+        # OPENSSL_ALLOW_PROXY_CERTS is set in the start up.  The verification
+        # code HERE can't correctly verify proxy certificates because only a
+        # single certificate is passed in the SSL_CLIENT_CERT environ variable 
+        # and not the complete certificate chain
         if len(self.caCertStack) == 0:
             log.warning("No CA certificates set for Client certificate "
@@ -361 +378 @@
            
         # Verify against list of acceptable DNs if set
-        
         if len(self.clientCertDNMatchList) > 0:
             dn = self.__clientCert.dn
@@ -440 +456 @@
         """Set user ID in AuthKit cookie from client certificate submitted
         """
-        userId = self.clientCert.dn['CN']
+        commonName = self.clientCert.dn['CN']
+        if len(commonName) > 0:
+            # Proxy certificate will have multiple CNs
+            userId = commonName[0]
+        else:
+            userId = commonName
         
         self.environ[