Changeset 7472

Timestamp:

10/09/10 10:40:02 (10 years ago)

Author:

pjkersha

Message:

Incomplete - task 13: OpenID Provider doesn't validate OpenID against username

• Prepared 1.5.7 release fixing this loophole. The logon submit callback now verifies the previously set OpenID URL against the username entered to ensure they tie together in the database

Location:

TI12-security/branches/ndg-security-1.5.x

Files:

• . (modified) (1 prop)
• .project (added)
• .pydevproject (added)
• ndg_security/setup.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/authz/__init__.py (modified) (1 diff)
• ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (1 diff)
• ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml (modified) (2 diffs)
• ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg (modified) (1 diff)
• ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini (modified) (1 diff)

TI12-security/branches/ndg-security-1.5.x

@@ -3 +3 @@
 ndg_security.egg-info
 .metadata
+1_5_x-env.sh

@@ -3 +3 @@
 ndg_security.egg-info
 .metadata
+1_5_x-env.sh

TI12-security/branches/ndg-security-1.5.x/ndg_security/setup.py

@@ -42 +42 @@
 setup(
     name =                      'ndg_security',
-    version =                   '1.5.6',
+    version =                   '1.5.7',
     description =               'NERC DataGrid Security Utilities',
     long_description =          _longDescription,

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/authz/__init__.py

@@ -636 +636 @@
     ndg.security.server.wsgi.authn.AuthenticationMiddleware
     '''
-    PEP_PARAM_PREFIX = 'pep.filter.'
-    PIP_PARAM_PREFIX = 'pip.'
+    PEP_PARAM_PREFIX = 'pep.'
     PEP_RESULT_HANDLER_PARAMNAME = "pepResultHandler"
     PEP_RESULT_HANDLER_PARAM_PREFIX = PEP_RESULT_HANDLER_PARAMNAME + '.'
     PEP_RESULT_HANDLER_STATIC_CONTENT_DIR_PARAMNAME = 'staticContentDir'
+    PIP_PARAM_PREFIX = 'pip.'
     
     class PIP_MIDDLEWARE_CLASS(object):

TI12-security/branches/ndg-security-1.5.x/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -871 +871 @@
             identityURI = oidRequest.identity
             
+            # Check the username used to login with matches the identity URI 
+            # given.  This check is essential otherwise a user could impersonate
+            # someone else with an account with this provider
+            try:
+                userIdentifiers = self._authN.username2UserIdentifiers(
+                                                environ,
+                                                self.query['username'])
+                
+            except AuthNInterfaceInvalidCredentials:
+                log.error("No username %r matching an OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("No match was found for your account name.  Please "
+                       "check that your details are correct or contact the "
+                       "site administrator.")
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+            
+            except Exception:
+                log.error("Checking username %r association with OpenID URL: "
+                          "%s", self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("An error occured matching an OpenID to your account.  "
+                       "If the problem persists contact the site "
+                       "administrator.") 
+                
+            expectedIdentityURI = self.createIdentityURI(self.identityUriTmpl,
+                                                         userIdentifiers[0])
+            if identityURI != expectedIdentityURI:
+                log.error("OpenID given %r, doesn't match the expected "
+                          "OpenID %r for this account name %r" % 
+                          (identityURI, expectedIdentityURI, 
+                           self.query.get('username')))
+                
+                msg = ("The OpenID you provided earlier %r doesn't match the "
+                       "username %r you entered above.  Please check that your "
+                       "OpenID and username are correct or contact the site "
+                       "administrator." % 
+                       (identityURI, self.query.get('username', '')))
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+                           
         # Invoke custom authentication interface plugin
         try:

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/config/attributeauthority/sitea/attributeCertificateLog/ac.xml

@@ -9 +9 @@
         <userId>testuser</userId>
         <validity>
-            <notBefore>2010 06 29 11 52 40</notBefore> 
-            <notAfter>2010 06 29 19 52 40</notAfter> 
+            <notBefore>2010 09 10 09 33 05</notBefore> 
+            <notAfter>2010 09 10 17 33 05</notAfter> 
         </validity>
         <attributes>
@@ -33 +33 @@
         <provenance>original</provenance> 
     </acInfo>
-<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>g3i1NdV0/JdFgRZwMxgwcHLkp14=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>eDhUSCRfq7LcaadE8W01nQG6Cs9UjySmFB3UUhbgxpF2KOcwTajk6GidZp5ewE6Zle2iDNxzkXge
-XVT5UfORkHTSWG0Z+D6WlVLK3V7NnnKwYn58TxHOJAPGYNwgbcmd0zh3W1OAc+U2scvrGWfZSL41
-w+P+Gxr8wDjrwaee4nk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB+jCCAWOgAwIBAgIBFDANBgkqhkiG9w0BAQQFADAzMQwwCgYDVQQKEwNOREcx
+<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="ds"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xmlns"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>y3/SZ5I9Qc01pE1Vw+iUk7qMwjk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>gT9QCgi2HfJZfwxODDt4egD+2K7jjoW4jP50ZDwJrF7nOOxQEllz1fvkqLVkUj8CDZhRuCnPdWzi
+2QOF/YhU7sniqS8tdR9QIgx/GT6qRNsTwhBWTNsmE01zH7SVAoMuOASf19SYfoklEQ6ocC1Jmrg/
+eXqVgspjZ6nTriYXd/A=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB+jCCAWOgAwIBAgIBFDANBgkqhkiG9w0BAQQFADAzMQwwCgYDVQQKEwNOREcx
 ETAPBgNVBAsTCFNlY3VyaXR5MRAwDgYDVQQDEwdUZXN0IENBMB4XDTEwMDYyOTEw
 NTQxOFoXDTExMDYyOTEwNTQxOFowPDEMMAoGA1UEChMDTkRHMQ8wDQYDVQQLEwZT

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/attributeauthority/test_attributeauthority.cfg

@@ -1 @@
-# NERC Data Grid Project
+# NERC DataGrid Project
 #
 # P J Kershaw 16/01/07

TI12-security/branches/ndg-security-1.5.x/ndg_security_test/ndg/security/test/unit/wsgi/attributeauthority/test.ini

@@ -52 +52 @@
 # user ID
 #attributeauthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
-attributeauthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
+attributeauthority.attributeInterface.modName: ndg.security.test.integration.authz_lite.attributeinterface
 attributeauthority.attributeInterface.className: TestUserRoles
 

@@ -3 +3 @@
 ndg_security.egg-info
 .metadata
+1_5_x-env.sh