Changeset 8057

Timestamp:

10/05/12 15:33:15 (9 years ago)

Author:

rwilkinson

Message:

Added processing of MyProxy? certifcate requests as OAuth resource requests.
Added login form with Genshi rendering of all forms.
Added checking of scope in OAuth requests.

Location:

trunk/ndg_oauth

Files:

• ndg_oauth_client/ndg/oauth/client/examples (added)
• ndg_oauth_client/ndg/oauth/client/examples/config (added)
• ndg_oauth_client/ndg/oauth/client/examples/config/cert_req_app.ini (added)
• ndg_oauth_client/ndg/oauth/client/examples/config/get_url_app_proxy.ini (moved) (moved from trunk/ndg_oauth/ndg_oauth_client/get_url_app_proxy.ini) (5 diffs)
• ndg_oauth_client/ndg/oauth/client/examples/config/get_url_app_proxy2.ini (added)
• ndg_oauth_client/ndg/oauth/client/examples/config/get_url_using_token_app.ini (added)
• ndg_oauth_client/ndg/oauth/client/examples/config/get_url_using_token_app2.ini (added)
• ndg_oauth_client/ndg/oauth/client/examples/config/test_app.ini (moved) (moved from trunk/ndg_oauth/ndg_oauth_client/test_app.ini) (2 diffs)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi (added)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi/cert_req_app.py (added)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi/get_url_app.py (moved) (moved from trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/wsgi/get_url_app.py) (2 diffs)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi/get_url_using_token_app.py (added)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi/get_url_using_token_app2.py (added)
• ndg_oauth_client/ndg/oauth/client/examples/wsgi/wsgi_test_app.py (moved) (moved from trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/wsgi/wsgi_test_app.py)
• ndg_oauth_client/ndg/oauth/client/lib/certificate_request.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/http_get_with_credential.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/oauth2client.py (modified) (2 diffs)
• ndg_oauth_client/ndg/oauth/client/lib/render (added)
• ndg_oauth_client/ndg/oauth/client/lib/render/__init__.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/render/configuration.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/render/factory.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/render/genshi_renderer.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/render/renderer_interface.py (added)
• ndg_oauth_client/ndg/oauth/client/lib/urlfetcher.py (deleted)
• ndg_oauth_client/ndg/oauth/client/templates (added)
• ndg_oauth_client/ndg/oauth/client/templates/base.html (added)
• ndg_oauth_client/ndg/oauth/client/templates/login_complete.html (added)
• ndg_oauth_client/ndg/oauth/client/templates/public (added)
• ndg_oauth_client/ndg/oauth/client/templates/public/layout (added)
• ndg_oauth_client/ndg/oauth/client/templates/public/layout/CEDA_RightButton60.png (added)
• ndg_oauth_client/ndg/oauth/client/templates/public/layout/default.css (added)
• ndg_oauth_client/ndg/oauth/client/templates/public/layout/icons (added)
• ndg_oauth_client/ndg/oauth/client/templates/public/layout/icons/help.png (added)
• ndg_oauth_client/ndg/oauth/client/wsgi/certificate_request.py (added)
• ndg_oauth_client/ndg/oauth/client/wsgi/oauth2_client.py (modified) (11 diffs)
• ndg_oauth_client/serve.py (modified) (1 diff)
• ndg_oauth_server/client_register.ini (modified) (1 diff)
• ndg_oauth_server/development.ini (modified) (9 diffs)
• ndg_oauth_server/ndg/oauth/server/lib/authorization_server.py (modified) (4 diffs)
• ndg_oauth_server/ndg/oauth/server/lib/register/access_token.py (modified) (5 diffs)
• ndg_oauth_server/ndg/oauth/server/lib/register/authorization_grant.py (modified) (1 diff)
• ndg_oauth_server/ndg/oauth/server/lib/register/client_authorization.py (modified) (3 diffs)
• ndg_oauth_server/ndg/oauth/server/lib/register/scopeutil.py (added)
• ndg_oauth_server/ndg/oauth/server/lib/render/configuration.py (added)
• ndg_oauth_server/ndg/oauth/server/lib/render/genshi_renderer.py (modified) (2 diffs)
• ndg_oauth_server/ndg/oauth/server/lib/resource_request (added)
• ndg_oauth_server/ndg/oauth/server/lib/resource_request/__init__.py (added)
• ndg_oauth_server/ndg/oauth/server/lib/resource_request/myproxy_cert_request.py (added)
• ndg_oauth_server/ndg/oauth/server/templates/auth_client_form.html (modified) (2 diffs)
• ndg_oauth_server/ndg/oauth/server/templates/base.html (added)
• ndg_oauth_server/ndg/oauth/server/templates/login_cancelled.html (added)
• ndg_oauth_server/ndg/oauth/server/templates/login_form.html (added)
• ndg_oauth_server/ndg/oauth/server/templates/public (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/js (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/js/toggleDiv.js (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/layout (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/layout/CEDA_RightButton60.png (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/layout/default.css (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/layout/icons (added)
• ndg_oauth_server/ndg/oauth/server/templates/public/layout/icons/help.png (added)
• ndg_oauth_server/ndg/oauth/server/wsgi/authentication_filter.py (added)
• ndg_oauth_server/ndg/oauth/server/wsgi/authorization_filter.py (modified) (6 diffs)
• ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py (modified) (12 diffs)
• ndg_oauth_server/repoze_who.ini (modified) (2 diffs)

trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/examples/config/get_url_app_proxy.ini

@@ -12 +12 @@
 error_email_from = paste@localhost
 
+# AuthKit Cookie secret used to secure it.  This secret must be the same as the
+# one used in the equivalent services application(s) ini file(s) that serve
+# the OpenID Relying Party and SSL authentication service.  This is
+# because the cookie is shared between this app and the services app(s)  so that
+# a user's OpenID can be communicated between them.
+authkitCookieSecret = 5dFZM97jBeWNsZUqee7TDnCrSicehfod
+baseURI = http://localhost:5002/
 beakerSessionKeyName = beaker.session.oauth2client
 #beakerSessionKeyName = ndg.security.session
@@ -22 +29 @@
 
 [pipeline:main]
-pipeline = BeakerSessionFilter OAuth2Client SSLCtxEnvironMiddleware NDGSecurityProxy App
+pipeline = BeakerSessionFilter
+           OAuth2Client
+           SSLCtxEnvironMiddleware
+           NDGSecurityProxy
+           CertificateSubjectEnvironMiddleware
+           SessionHandlerFilter
+           AuthorisationFilter
+           App
 
 # This filter sets up a server side session linked to a cookie.  The session
@@ -43 +57 @@
 paste.filter_app_factory = ndg.oauth.client.wsgi.oauth2_client:Oauth2ClientMiddleware.filter_app_factory
 oauth2.session_key = %(beakerSessionKeyName)s
+oauth2.authentication_trigger = unauthorized
 # Default:
 #oauth2.oauth2_token_key = oauth2client.token
 # OAuth client configuration
-oauth2.client_cert = /home/rwilkinson_local/dev/ndg_oauth/certificate/usercert.pem
-oauth2.client_key = /home/rwilkinson_local/dev/ndg_oauth/certificate/userkey.pem
-oauth2.ca_dir = /home/rwilkinson_local/dev/ndg_oauth/ca
-# ca_cert_file = /home/rwilkinson_local/dev/oauthclient/ca.pem
+oauth2.client_cert = %(here)s/certificate/usercert.pem
+oauth2.client_key = %(here)s/certificate/userkey.pem
+oauth2.ca_dir = %(here)s/ca
+# ca_cert_file =
 oauth2.client_id=22
 # OAuth authorization server URLs
@@ -62 +77 @@
 #ssl_ctx.ctxEnvKeyName = ssl_ctx
 #ssl_ctx.caCertFilePath = 
-ssl_ctx.caCertDir = /home/rwilkinson_local/dev/ndg_oauth/ca
+ssl_ctx.caCertDir = %(here)s/ca
 #ssl_ctx.verifyPeer = True
 
@@ -76 +91 @@
 # These can be specified here to override values set in environment variables
 # needed to direct requests through the proxy.
-ndg_security_proxy.proxy.http_proxy = http://cache.inst.ac.uk:8888
-ndg_security_proxy.proxy.https_proxy = http://cache.inst.ac.uk:8888
+ndg_security_proxy.proxy.http_proxy = http://wwwcache.rl.ac.uk:8080
+ndg_security_proxy.proxy.https_proxy = http://wwwcache.rl.ac.uk:8080
 ndg_security_proxy.proxy.no_proxy = localhost
 
+################################################################################
+
+[filter:CertificateSubjectEnvironMiddleware]
+paste.filter_app_factory = ndg.security.server.wsgi.client_proxy.environ_certificate:CertificateSubjectEnvironMiddleware.filter_app_factory
+cert_subject.certEnvKeyName = oauth2client.token
+#cert_subject.remoteUserKeyName = REMOTE_USER
+
+########################################
+
+[filter:SessionHandlerFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.session:SessionHandlerMiddleware.filter_app_factory
+
+# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
+# passed return to query argument
+sessionHandler.defaultLogoutReturnToURI = %(baseURI)s
+sessionHandler.sessionKey = %(beakerSessionKeyName)s
+sessionHandler.signoutPath = /logout
+
+########################################
+
+#
+# Authorisation filter contains a Policy Enforcement Point which enforces access
+# control decisions made by a separate Authorisation Service 
+[filter:AuthorisationFilter]
+# XACML-SAML Profile:
+paste.filter_app_factory=ndg.security.server.wsgi.authz:XACMLAuthorisationFilter.filter_app_factory
+# SAML requests and responses:
+#paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory
+
+# Result handler handles the response for HTTP 403 responses set by the 
+# application or the PEP.
+resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
+#resultHandler.staticContentDir = %(here)s/ndg-security/pep_result_handler
+resultHandler.baseURL = %(baseURI)s
+resultHandler.staticContentDir = %(here)s/pep_result_handler
+resultHandler.heading = Access Denied
+resultHandler.templateRootDir = %(here)s/pep_result_handler/templates
+resultHandler.footerText = CEDA WPS Service
+
+# Settings for the PEP (Policy Enforcement Point)
+pep.sessionKey = %(beakerSessionKeyName)s
+# Test authorisation service
+pep.authzServiceURI = https://localhost/authz/AuthorisationService/
+# This cannot be enabled currently for XACMLAuthorisationFilter:
+pep.cacheDecisions = False
+pep.subjectIdFormat = urn:esg:openid
+
+# Including this setting activates a simple PDP local to this PEP which filters 
+# requests to cut down on calls to the authorisation service.  This is useful
+# for example to avoid calling the authorisation service for non-secure content
+# such as HTML CSS or graphics.  Note that filters based on resource URI 
+# requested alone.  Subject, action and environment settings are not passed in 
+# the request context to the local PDP.
+#
+# The policy content should be set carefully to avoid unintended override of the
+# authorisation service's policy
+pep.localPolicyFilePath = %(here)s/ndg-security/request-filter.xml
+
+# Settings for Policy Information Point used by the Policy Decision Point to
+# retrieve subject attributes from the Attribute Authority associated with the
+# resource to be accessed
+
+# If omitted, DN of SSL Cert is used
+pep.authzDecisionQuery.issuerName = /C=GB/O=Science and Technology Facilities Council/OU=RAL-SPBU/CN=localhost.badc.rl.ac.uk
+pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+# This is a pep parameter when using XACML profile:
+#pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
+pep.authzDecisionQuery.clockSkewTolerance = 2.
+pep.authzDecisionQuery.sslCACertDir=%(here)s/certificates
+pep.authzDecisionQuery.sslCertFilePath=%(here)s/certificates/localhost.crt
+pep.authzDecisionQuery.sslPriKeyFilePath=%(here)s/certificates/localhost.key
+
+#############################################################################
+
 [app:App]
-paste.app_factory = ndg.oauth.client.wsgi.get_url_app:GetUrlApp.app_factory
+paste.app_factory = ndg.oauth.client.examples.wsgi.get_url_app:GetUrlApp.app_factory
 url = http://localhost:8080/thredds/dodsC/test/testData.nc.ascii
 

trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/examples/config/test_app.ini

@@ -44 +44 @@
 #oauth2.oauth2_token_key = oauth2client.token
 # OAuth client configuration
-oauth2.client_cert = /home/rwilkinson_local/dev/ndg_oauth/certificate/usercert.pem
-oauth2.client_key = /home/rwilkinson_local/dev/ndg_oauth/certificate/userkey.pem
-oauth2.ca_dir = /home/rwilkinson_local/dev/ndg_oauth/ca
-# ca_cert_file = /home/rwilkinson_local/dev/oauthclient/ca.pem
+oauth2.client_cert = %(here)s/certificate/usercert.pem
+oauth2.client_key = %(here)s/certificate/userkey.pem
+oauth2.ca_dir = %(here)s/ca
+# ca_cert_file =
 oauth2.client_id=22
 # OAuth authorization server URLs
@@ -56 +56 @@
 
 [app:App]
-paste.app_factory = ndg.oauth.client.wsgi.wsgi_test_app:WsgiTestApp.app_factory
+paste.app_factory = ndg.oauth.client.examples.wsgi.wsgi_test_app:WsgiTestApp.app_factory
 
 # WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*

trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/examples/wsgi/get_url_app.py

@@ -26 +26 @@
         "/get": 'get'
     }
-    TOKEN_ENV_KEYNAME = 'oauth2client.token'
     def __init__(self, app, globalConfig, **localConfig):
         self.beakerSessionKeyName = globalConfig['beakerSessionKeyName']
@@ -54 +53 @@
         response = ["<h2>WSGI Test Application - Get URL</h2>"]
 
-        # Unprotected:
+        # Access to proxy doesn't require certificate.
         ssl_context = ssl_context_util.make_ssl_context()
 

trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/lib/oauth2client.py

@@ -13 +13 @@
 import uuid
 
-import ndg.oauth.client.lib.urlfetcher as urlfetcher
+import ndg.httpsclient.utils as httpsclient_utils
+import ndg.httpsclient.ssl_context_util as ssl_context_util
 
 log = logging.getLogger(__name__)
@@ -228 +229 @@
         log.debug("Requesting access token - parameters: %s", parameters)
         data = urllib.urlencode(parameters)
-        response_json = urlfetcher.fetch_stream_from_url(
-            self.client_config.access_token_endpoint, data, ssl_config)
+        response_json = httpsclient_utils.fetch_stream_from_url(
+            self.client_config.access_token_endpoint,
+            httpsclient_utils.Configuration(
+                    ssl_context_util.make_ssl_context_from_config(ssl_config)),
+            data)
         response = json.load(response_json)
         access_token = response.get('access_token', None)

trunk/ndg_oauth/ndg_oauth_client/ndg/oauth/client/wsgi/oauth2_client.py

@@ -13 +13 @@
 from webob import Request
 
+from ndg.httpsclient.ssl_context_util import SSlContextConfig
+from ndg.oauth.client.lib.oauth2client import Oauth2Client
 from ndg.oauth.client.lib.oauth2client import Oauth2ClientConfig
 from ndg.oauth.client.lib.oauth2_myproxy_client import Oauth2MyProxyClient
-from ndg.httpsclient.ssl_context_util import SSlContextConfig
+from ndg.oauth.client.lib.render.configuration import RenderingConfiguration
+from ndg.oauth.client.lib.render.factory import callModuleObject
+from ndg.oauth.client.lib.render.renderer_interface import RendererInterface
 
 log = logging.getLogger(__name__)
@@ -24 +28 @@
     """
     PARAM_PREFIX = 'oauth2.'
+    LAYOUT_PREFIX = 'layout.'
+    ACCESS_TOKEN_TYPE_OPTION = 'access_token_type'
+    AUTHENTICATION_TRIGGER_OPTION = 'authentication_trigger'
+    AUTHENTICATION_TRIGGER_ALWAYS = 'always'
+    AUTHENTICATION_TRIGGER_UNAUTHORIZED = 'unauthorized'
+    AUTHENTICATION_TRIGGER_URL = 'url'
+    AUTHENTICATION_TRIGGER_OPTIONS = [AUTHENTICATION_TRIGGER_ALWAYS,
+                                      AUTHENTICATION_TRIGGER_UNAUTHORIZED,
+                                      AUTHENTICATION_TRIGGER_URL]
+    AUTHENTICATION_URL_OPTION = 'authentication_url'
+    AUTHENTICATION_COMPLETE_OPTION = 'login_complete'
     BASE_URL_PATH_OPTION = 'base_url_path'
     CERTIFICATE_REQUEST_PARAMETER_OPTION = 'certificate_request_parameter'
+    REDIRECT_URI = 'oauth_redirect'
+    RENDERER_CLASS_OPTION = 'renderer_class'
+    SCOPE_OPTION = 'scope'
     SESSION_KEY_OPTION = 'session_key'
     SESSION_CALL_CONTEXT_KEY = 'oauth2_call_context'
     TOKEN_KEY_OPTION = 'oauth2_token_key'
     propertyDefaults = {
+        ACCESS_TOKEN_TYPE_OPTION: 'myproxy',
+        AUTHENTICATION_COMPLETE_OPTION: '',
+        AUTHENTICATION_TRIGGER_OPTION: AUTHENTICATION_TRIGGER_ALWAYS,
+        AUTHENTICATION_URL_OPTION: 'oauth_authenticate',
         BASE_URL_PATH_OPTION: '',
         CERTIFICATE_REQUEST_PARAMETER_OPTION: 'certificate_request',
+        RENDERER_CLASS_OPTION: 'ndg.oauth.client.lib.render.genshi_renderer.GenshiRenderer',
+        SCOPE_OPTION: '',
         SESSION_KEY_OPTION: 'beaker.session.oauth2client',
         TOKEN_KEY_OPTION: 'oauth2client.token',
     }
+    LAYOUT_PARAMETERS = ['heading',
+                         'title',
+                         'message',
+                         'leftLogo',
+                         'leftAlt',
+                         'leftImage',
+                         'leftLink',
+                         'rightAlt',
+                         'rightImage',
+                         'rightLink',
+                         'footerText',
+                         'helpIcon',
+                         'client_id',
+                         'client_name',
+                         'scope']
+
     client_instances = {}
 
@@ -53 +93 @@
         self._app = app
         self._set_configuration(prefix, local_conf)
-        self._oauth_client_class = Oauth2MyProxyClient
+        if self.access_token_type == 'myproxy':
+            log.debug("Setting client as Oauth2MyProxyClient")
+            self._oauth_client_class = Oauth2MyProxyClient
+            self._token_retriever_class = MyProxyTokenRetriever
+        else:
+            log.debug("Setting client as Oauth2Client")
+            self._oauth_client_class = Oauth2Client
+            self._token_retriever_class = TokenRetriever
+
+        self._renderingConfiguration = RenderingConfiguration(
+                                                    self.LAYOUT_PARAMETERS,
+                                                    prefix + self.LAYOUT_PREFIX,
+                                                    local_conf)
+        self.renderer = callModuleObject(self.renderer_class,
+                                         objectName=None, moduleFilePath=None, 
+                                         objectType=RendererInterface,
+                                         objectArgs=None, objectProperties=None)
 
     def __call__(self, environ, start_response):
@@ -70 +126 @@
         log.debug("Request host_url: %s", req.host_url)
         log.debug("Request application_url: %s", req.application_url)
+        is_redirect_back = False
         original_environ = {'PATH_INFO': environ['PATH_INFO'],
                             'QUERY_STRING': environ['QUERY_STRING'],
-                            'SCRIPT_NAME': environ['SCRIPT_NAME']}
-        log.debug("Request environ: %s", environ)
+                            'SCRIPT_NAME': environ['SCRIPT_NAME'],
+                            'url': req.url}
+        #log.debug("Request environ: %s", environ)
 
         # Get session.
@@ -82 +140 @@
                 '"%s" found in environ' % self.session_env_key)
 
+        # Determine trigger for starting authentication process.
+        authenticate_before_delegating = False
+        authenticate_on_unauthorized = False
+        is_authentication_url = (environ['PATH_INFO'].strip('/') ==
+                                                        self.authentication_url)
+        if (self.authentication_trigger ==
+            self.__class__.AUTHENTICATION_TRIGGER_ALWAYS):
+            authenticate_before_delegating = True
+        elif (self.authentication_trigger ==
+              self.__class__.AUTHENTICATION_TRIGGER_URL):
+            if is_authentication_url:
+                authenticate_before_delegating = True
+        elif (self.authentication_trigger ==
+              self.__class__.AUTHENTICATION_TRIGGER_UNAUTHORIZED):
+            authenticate_on_unauthorized = True
+
         # Check whether redirecting back after requesting authorization.
+        redirect_url = None
         if self.client_config.is_redirect_uri(req.application_url, req.url):
             log.debug("Redirected back after requesting authorization.")
+            is_redirect_back = True
             token = self._get_token_after_redirect(session, req)
             original_environ = session[self.__class__.SESSION_CALL_CONTEXT_KEY]
         else:
-            # Start the OAuth2 transaction to get a certificate.
+            # Start the OAuth2 transaction to get a token.
             log.debug("Starting OAuth2 protocol")
-            (token, redirect_url) = self._get_token(session, req.application_url)
-            if redirect_url:
-                session[self.__class__.SESSION_CALL_CONTEXT_KEY] = original_environ
+            (token, redirect_url) = self._get_token(session,
+                                                    req.application_url)
+            if authenticate_before_delegating and redirect_url:
+                session[self.__class__.SESSION_CALL_CONTEXT_KEY
+                                                            ] = original_environ
                 session.save()
+                log.debug("Redirecting to %s", redirect_url)
                 start_response(self._get_http_status_string(httplib.FOUND),
                                [('Location', redirect_url)])
                 return []
 
+        local_start_response = start_response
         if token:
+            log.debug("Setting token in environ[%s]=%s", self.token_env_key,
+                      token)
             environ[self.token_env_key] = token
+        elif authenticate_on_unauthorized and redirect_url:
+            def local_start_response(status, response_headers, exc_info=None):
+                status_code = status.split(' ')[0]
+                log.debug("Response HTTP status %s", status_code)
+                if status_code == str(httplib.UNAUTHORIZED):
+                    session[self.__class__.SESSION_CALL_CONTEXT_KEY
+                                                            ] = original_environ
+                    session.save()
+                    log.debug("Redirecting to %s", redirect_url)
+                    start_response(self._get_http_status_string(httplib.FOUND),
+                                   [('Location', redirect_url)])
+                    return []
+                else:
+                    return start_response(status, response_headers, exc_info)
+
+        if is_authentication_url:
+            c = {'baseURL': req.application_url}
+            response = self.renderer.render(self.authentication_complete,
+                            self._renderingConfiguration.merged_parameters(c))
+            start_response(self._get_http_status_string(httplib.OK),
+               [('Content-type', 'text/html'),
+                ('Content-length', str(len(response)))
+                ])
+            return [response]
+#            response = "OAuth authentication complete"
+#            start_response(("%d %s" %
+#                                (httplib.OK, httplib.responses[httplib.OK])),
+#                           [('Content-type', 'text/plain'),
+#                            ('Content-length', str(len(response)))
+#                            ])
+#            return [response]
 
         # Ensure that the URL is that prior to authentication redirection.
-        environ['PATH_INFO'] = original_environ['PATH_INFO']
-        environ['QUERY_STRING'] = original_environ['QUERY_STRING']
-
-        app_iter = self._app(environ, start_response)
+        if is_redirect_back:
+            original_url = original_environ['url']
+            log.debug("Redirecting to %s", original_url)
+            start_response(self._get_http_status_string(httplib.FOUND),
+                           [('Location', original_url)])
+            return []
+#            environ['PATH_INFO'] = original_environ['PATH_INFO']
+#            environ['QUERY_STRING'] = original_environ['QUERY_STRING']
+#            environ['SCRIPT_NAME'] = original_environ['SCRIPT_NAME']
+
+        app_iter = self._app(environ, local_start_response)
         return app_iter
 
@@ -119 +239 @@
         """
         cls = self.__class__
+        self.access_token_type = cls._get_config_option(prefix, local_conf,
+                                                cls.ACCESS_TOKEN_TYPE_OPTION)
+        self.authentication_complete = cls._get_config_option(prefix,
+                                local_conf, cls.AUTHENTICATION_COMPLETE_OPTION)
+        self.authentication_trigger = cls._get_config_option(
+                prefix, local_conf, cls.AUTHENTICATION_TRIGGER_OPTION).lower()
+        if self.authentication_trigger not in cls.AUTHENTICATION_TRIGGER_OPTIONS:
+            raise Exception("Illegal value for %s option; expected one of %s" %
+                            self.authentication_trigger_str,
+                            cls.AUTHENTICATION_TRIGGER_OPTIONS)
+        self.authentication_url = cls._get_config_option(
+                prefix, local_conf, cls.AUTHENTICATION_URL_OPTION).strip('/')
+        self.renderer_class = cls._get_config_option(prefix, local_conf, cls.RENDERER_CLASS_OPTION)
+        self.scope = cls._get_config_option(prefix, local_conf, cls.SCOPE_OPTION)
         self.session_env_key = cls._get_config_option(prefix, local_conf, cls.SESSION_KEY_OPTION)
         self.token_env_key = self._get_config_option(prefix, local_conf, cls.TOKEN_KEY_OPTION)
@@ -136 +270 @@
         access_token_endpoint = cls._get_config_option(prefix, local_conf, 'access_token_endpoint')
         base_url_path = cls._get_config_option(prefix, local_conf, cls.BASE_URL_PATH_OPTION)
-        redirect_uri = 'oauth_redirect'
+        redirect_uri = cls.REDIRECT_URI
         self.client_config = Oauth2ClientConfig(
             client_id, authorization_endpoint, access_token_endpoint,
@@ -173 +307 @@
                                                 self.client_config, create=True)
 
-        callback = TokenRetriever(client)
+        callback = self._token_retriever_class(client)
 
         (result, redirect_url) = client.call_with_access_token(
-            scope='', application_url=application_url, callback=callback)
+            self.scope, application_url, callback)
         session.save()
 
@@ -193 +327 @@
         if client:
             # Return callback result.
-            callback = TokenRetriever(client)
+            callback = self._token_retriever_class(client)
             result = client.call_with_access_token_redirected_back(req,
                                                                    callback,
@@ -210 +344 @@
 
 class TokenRetriever(object):
+    def __init__(self, client):
+        self.client = client
+
+    def __call__(self, access_token, error, error_description):
+        """
+        Returns authorization token.
+        @type access_token: type of access token
+        @param access_token: access token
+        @type error: str
+        @param error: OAuth error string
+        @type error_description: str
+        @param error_description: error description
+        @rtype: type of access token
+        @return: access token
+        """
+        if error:
+            return None
+        return self.client.access_token
+
+class MyProxyTokenRetriever(object):
     def __init__(self, client):
         self.client = client
@@ -231 +385 @@
         """
         if error:
-            return ("", ("Token not available because of error: %s - %s" % (error, error_description)))
+            return None
+#            return ("", ("Token not available because of error: %s - %s" % (error, error_description)))
         return (self.client.private_key, self.client.access_token)

trunk/ndg_oauth/ndg_oauth_client/serve.py

@@ -1 +1 @@
 from paste.script.serve import ServeCommand
 
-ServeCommand("serve").run(["get_url_app_proxy.ini"])
+ServeCommand("serve").run(["get_url_using_token_app2.ini"])
+#ServeCommand("serve").run(["req_cert_app.ini"])
+#ServeCommand("serve").run(["get_url_app_proxy2.ini"])
+#ServeCommand("serve").run(["get_url_app_proxy.ini"])
 #ServeCommand("serve").run(["test_app.ini"])
 #ServeCommand("serve").run(["development.ini"])

trunk/ndg_oauth/ndg_oauth_server/client_register.ini

@@ -10 +10 @@
 #id=477bfc8c-a739-45b3-a63b-5b1662cc12d7
 type=confidential
-redirect_uris=http://localhost:5001/client/redirect_target
-authentication_data=/O=STFC/OU=BADC/OU=simpleCA-localhost/OU=badc.rl.ac.uk/CN=test1.client
+redirect_uris=http://ice.badc.rl.ac.uk:5001/client/redirect_target
+authentication_data=/O=STFC/OU=BADC/OU=simpleCA-ice.badc.rl.ac.uk/OU=badc.rl.ac.uk/CN=test1.client
 
 [client:test2]
-name=test2
+name=WPS on Ice
 id=22
 #id=691ad8cc-293c-4fbe-b8eb-980fcd621157
 type=confidential
-redirect_uris=http://localhost:5002/oauth2/oauth_redirect
-authentication_data=/O=STFC/OU=BADC/OU=simpleCA-localhost/OU=badc.rl.ac.uk/CN=test.client
+redirect_uris=http://ice.badc.rl.ac.uk:5002/oauth2/oauth_redirect,http://ice.badc.rl.ac.uk:5005/oauth2/oauth_redirect
+authentication_data=/O=STFC/OU=BADC/OU=simpleCA-ice.badc.rl.ac.uk/OU=badc.rl.ac.uk/CN=test.client

trunk/ndg_oauth/ndg_oauth_server/development.ini

@@ -18 +18 @@
 host = 0.0.0.0
 port = 5000
-ssl_pem = /home/rwilkinson_local/dev/MyProxyWebService/host0.pem
+ssl_pem = %(here)s/host.pem
 
 [pipeline:main]
-pipeline = BeakerSessionFilter repoze_who MyProxyClient OAuth2Authz OAuth2Server
+pipeline = BeakerSessionFilter
+           repoze_who
+           AuthnForm
+           MyProxyClient
+           OAuth2Authz
+           OAuth2ServerFilterApp
+#           OAuth2Server
 
 # This filter sets up a server side session linked to a cookie.  The session
@@ -34 +40 @@
 environ_key = %(beakerSessionKeyName)s
 beaker.session.secret = somesecret
-beaker.cache.data_dir = %(here)s/authn/beaker/cache
+#beaker.cache.data_dir = %(here)s/authn/beaker/cache
+beaker.session.type = file
 beaker.session.data_dir = %(here)s/authn/beaker/sessions
 
@@ -42 +49 @@
 log_file = stdout
 log_level = debug
+
+[filter:AuthnForm]
+paste.filter_app_factory = ndg.oauth.server.wsgi.authentication_filter:AuthenticationFormMiddleware.filter_app_factory
+authenticationForm.base_url_path = /authentication
+authenticationForm.client_register=%(here)s/client_register.ini
+# If true, client authorization included on login form, otherwise the separate
+# client authorization form is always used.
+authenticationForm.combined_authorization = True
+authenticationForm.login_cancelled = %(here)s/ndg/oauth/server/templates/login_cancelled.html
+authenticationForm.login_form = %(here)s/ndg/oauth/server/templates/login_form.html
+authenticationForm.return_url_param = returnurl
+authenticationForm.session_key_name = %(beakerSessionKeyName)s
+# Authentication form configuration
+authenticationForm.layout.heading = OAuth Login
+authenticationForm.layout.title = OAuth Login
+authenticationForm.layout.rightLink = http://ceda.ac.uk/
+authenticationForm.layout.rightImage = /oas/layout/CEDA_RightButton60.png
+#authenticationForm.layout.rightImage = /layout/CEDA_RightButton60.png
+authenticationForm.layout.rightAlt = Centre for Environmental Data Archival
+authenticationForm.layout.footerText = This site is for test purposes only.
+authenticationForm.layout.helpIcon = /oas/layout/icons/help.png
+#authenticationForm.layout.helpIcon = /layout/icons/help.png
 
 [filter:MyProxyClient]
@@ -51 +80 @@
 # fully qualified domain name or else set the MYPROXY_SERVER environment
 # variable.  See the documentation for the MyProxyClient egg for details
-myproxy.client.hostname = localhost
+myproxy.client.hostname = myproxy.ac.uk
 #myproxy.client.port = 7512
 
@@ -57 +86 @@
 # server that it fronts e.g. set to /etc/grid-security/certificates.  For these
 # tests set to local ca directory
-#MyProxy.client.caCertDir = %(here)s/ca
-myproxy.client.caCertDir = /home/users/rwilkinson/.esg/certificates_ice
+myproxy.client.caCertDir = %(here)s/ca
 
 [filter:OAuth2Authz]
@@ -69 +97 @@
 oauth2authorization.session_key_name = %(beakerSessionKeyName)s
 #oauth2authorization.user_identifier_key=REMOTE_USER
+# Authorization form configuration
+oauth2authorization.layout.heading = OAuth Authorisation
+oauth2authorization.layout.title = OAuth Authorisation
+oauth2authorization.layout.rightLink = http://ceda.ac.uk/
+oauth2authorization.layout.rightImage = /layout/CEDA_RightButton60.png
+oauth2authorization.layout.rightAlt = Centre for Environmental Data Archival
+oauth2authorization.layout.footerText = This site is for test purposes only.
+oauth2authorization.layout.helpIcon = /layout/icons/help.png
 
 [app:OAuth2Server]
@@ -75 +111 @@
 # OAuth2 server configuration options - defaults are commented out.
 #oauth2server.access_token_lifetime=86400
-# Allowed values: myproxy (default) or bearer (which returns a UUID for testing purposes only)
+# Allowed values: myproxy (default) or bearer (which returns a UUID)
 #oauth2server.access_token_type=myproxy
+oauth2server.access_token_type=bearer
 #oauth2server.authorization_grant_lifetime=600
 oauth2server.base_url_path=/oauth
@@ -82 +119 @@
 # Allowed values: certificate (default) or none.
 #oauth2server.client_authentication_method=certificate
+oauth2server.client_authentication_method=none
 #oauth2server.client_authorization_url=client_authorization/authorize
 #oauth2server.client_authorizations_key=client_authorizations
 oauth2server.client_register=%(here)s/client_register.ini
 #oauth2server.myproxy_client_key=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient
-oauth2server.myproxy_global_password=changeme
+oauth2server.myproxy_global_password=i93rRugz
 #oauth2server.session_key_name=beaker.session.oauth2server
 #oauth2server.user_identifier_key=REMOTE_USER
@@ -103 +141 @@
 # data_dir is used if lock_dir not set:
 #oauth2server.cache.authorizationgrantregister.lock_dir
+
+[filter-app:OAuth2ServerFilterApp]
+use = egg:Paste#httpexceptions
+next = cascade
+
+[composit:cascade]
+use = egg:Paste#cascade
+app1 = OAuth2Server
+app2 = StaticContent
+catch = 404
+
+[app:StaticContent]
+use = egg:Paste#static
+document_root = %(here)s/static
 
 # WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/authorization_server.py

@@ -364 +364 @@
         return
 
-    def check_token(self, request):
+    def check_token(self, request, scope=None):
         """
         Simple service that could be used to validate bearer tokens. It would
@@ -388 +388 @@
         @param request: HTTP request object
 
+        @type scope: str
+        @param scope: required scope
+
         @rtype: tuple: (str, int, str)
         @return: tuple (
                      OAuth JSON response
-                     HTTP status if error
+                     HTTP status
                      error description
                  )
@@ -399 +402 @@
             error = 'invalid_request'
         else:
-            access_token = request.params['access_token']
-            scope = request.params.get('scope', None)
-            (token, error) = self.access_token_register.get_token(access_token, scope)
-        
+            access_token = params['access_token']
+            if scope:
+                required_scope = scope
+            else:
+                required_scope = params.get('scope', None)
+            (token, error) = self.access_token_register.get_token(access_token,
+                                                                required_scope)
+
         status = {'invalid_request': httplib.BAD_REQUEST,
-                  'invalid_token': httplib.UNAUTHORIZED,
+                  'invalid_token': httplib.FORBIDDEN,
                   None: httplib.OK}.get(error, httplib.BAD_REQUEST)
 
@@ -411 +418 @@
             content_dict['error'] = error
         content = json.dumps(content_dict)
-        return (content, None, None)
+        return (content, status, error)
+
+    def get_registered_token(self, request, scope=None):
+        """
+        Checks that a token in the request is valid. It would
+        be called from a resource service that trusts this authorization
+        service. This is not part of the OAuth specification.
+
+        Request parameters
+
+        access_token
+              REQUIRED.  Bearer token
+        scope
+              OPTIONAL.  Scope 
+
+        Response:
+              application/json format:
+        status
+              HTTP status indicating the access control decision
+        error
+              error as described in
+              http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.2
+
+        @type request: webob.Request
+        @param request: HTTP request object
+
+        @type scope: str
+        @param scope: required scope
+
+        @rtype: tuple: (str, int, str)
+        @return: tuple (
+                     access token
+                     HTTP status
+                     error description
+                 )
+        """
+        params = request.params
+        token = None
+        if 'access_token' not in params:
+            error = 'invalid_request'
+        else:
+            access_token = params['access_token']
+            if scope:
+                required_scope = scope
+            else:
+                required_scope = params.get('scope', None)
+            (token, error) = self.access_token_register.get_token(access_token,
+                                                                required_scope)
+
+        status = {'invalid_request': httplib.BAD_REQUEST,
+                  'invalid_token': httplib.FORBIDDEN,
+                  'insufficient_scope': httplib.FORBIDDEN,
+                  None: httplib.OK}.get(error, httplib.BAD_REQUEST)
+
+        return (token, status, error)
 
     def is_registered_client(self, request):

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/register/access_token.py

@@ -12 +12 @@
 
 from ndg.oauth.server.lib.register.register_base import RegisterBase
+import ndg.oauth.server.lib.register.scopeutil as scopeutil
 
 log = logging.getLogger(__name__)
@@ -23 +24 @@
         self.token_type = token_type
         self.grant = grant
-        self.scope = grant.scope.split() if grant.scope else []
+        self.scope = scopeutil.scopeStringToList(grant.scope_str)
         self.timestamp = datetime.now()
         self.lifetime = lifetime
@@ -41 +42 @@
 
     def add_token(self, token):
+        """Adds a token to the register.
+        @type token: AccessToken
+        @param token: access token
+        """
         if self.has_key(token.token_id):
             # Internal error
@@ -47 +52 @@
 
         self.set_value(token.token_id, token)
+        log.debug("Added token of ID: %s", token.token_id)
         return True
 
     def get_token(self, token_id, scope):
+        """Retrieves a registered token by token ID and required scope.
+        @type token_id: basestring
+        @param token_id: token ID
+        @type scope: basestring
+        @param scope: required scopes as space separated string
+        """
         try:
             token = self.get_value(token_id)
         except KeyError:
+            log.debug("Request for token of ID that is not registered: %s",
+                      token_id)
             return (None, 'invalid_token')
 
@@ -62 +76 @@
             return (None, 'invalid_token')
         # Check scope
-        if scope and (scope not in token.scope):
+        if not scopeutil.isScopeGranted(token.scope,
+                                        scopeutil.scopeStringToList(scope)):
             log.debug("Request for token of ID: %s - token was not granted scope %s",
                       token_id, scope)
-            return (None, 'invalid_token')
+            return (None, 'insufficient_scope')
         return (token, None)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/register/authorization_grant.py

@@ -24 +24 @@
         self.redirect_uri = request.redirect_uri
         # Allow for authorized scope to be different from requested scope.
-        self.scope = (scope if scope is not None else request.scope)
+        self.scope_str = (scope if scope is not None else request.scope)
         self.additional_data = additional_data
         self.timestamp = datetime.utcnow()

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/register/client_authorization.py

@@ -8 +8 @@
 __revision__ = "$Id$"
 
+import ndg.oauth.server.lib.register.scopeutil as scopeutil
+
 class ClientAuthorization(object):
     """
@@ -15 +17 @@
         self.user = user
         self.client_id = client_id
-        self.scope = scope
+        self.scope = scopeutil.scopeStringToList(scope)
         self.is_authorized = is_authorized
 
     def eq_authz_basis(self, other):
+        """Determines whether a requested client authorization is equivalent to
+        a granted one.
+        @type other: ClientAuthorization
+        @param other: requested authorization
+        @rtype: bool
+        @return: True if the user and client ID are the same and if there are no
+        requested scopes that are not granted, otherwise False
+        """
         return ((self.user == other.user)
                 and (self.client_id == other.client_id)
-                and (self.scope == other.scope))
+                and scopeutil.isScopeGranted(self.scope, other.scope))
 
     def __repr__(self):
@@ -56 +66 @@
     def __repr__(self):
         s = []
-        for u, uv in self.register.iteritems():
-            for c, cv in uv.iteritems():
+        for uv in self.register.itervalues():
+            for cv in uv.itervalues():
                 s.append(cv.__repr__())
         return ' '.join(s)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/render/genshi_renderer.py

@@ -8 +8 @@
 __revision__ = "$Id$"
 
-from genshi.template import MarkupTemplate
+import os
+
+#from genshi.template import MarkupTemplate
+from genshi.template import TemplateLoader
 
 from ndg.oauth.server.lib.render.renderer_interface import RendererInterface
@@ -24 +27 @@
         @return: rendered template
         """
-        tmpl_file = open(filename)
-        tmpl = MarkupTemplate(tmpl_file)
-        tmpl_file.close()
+        fname = os.path.basename(filename)
+        dirname = os.path.dirname(filename)
+        loader = TemplateLoader(dirname, auto_reload=True)
+        tmpl = loader.load(fname)
         response = tmpl.generate(c=parameters).render('html')
         return response
+
+#    def render(self, filename, parameters):
+#        """Render a page from a template.
+#        @type filename: basestring
+#        @param filename: filename of template
+#        @type parameters: dict
+#        @param parameters: parameters to substitute into template
+#        @rtype: basestring
+#        @return: rendered template
+#        """
+#        tmpl_file = open(filename)
+#        tmpl = MarkupTemplate(tmpl_file)
+#        tmpl_file.close()
+#        response = tmpl.generate(c=parameters).render('html')
+#        return response

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/templates/auth_client_form.html

@@ -1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xmlns:py="http://genshi.edgewall.org/"
-      xmlns:xi="http://www.w3.org/2001/XInclude"
-      lang="en">
-  <head>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
-    <title>Login</title>
-  </head>
-  <body>
-    <form method="post" action="${c.submit_url}">
-      <table border="0" style="margin-left: auto; margin-right: auto;">
-        <tr>
-          <td align="center" colspan="2">
-            Do you grant permission to client "${c.client_name}"?
-          </td>
-        </tr>
-        <tr>
-          <td align="center" colspan="2">
-            &nbsp;
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html xmlns:xi="http://www.w3.org/2001/XInclude"
+      xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:py="http://genshi.edgewall.org/">
+  <div py:def="oauthAuthClient()" id="oauthAuthClient">
+    <form action="$c.submit_url" method="post">
+      <table cellspacing="0" border="0" cellpadding="5" style="align: left">
+        <tr align="left">
+          <td colspan="2">
+            <p>If you press the OK button you are granting permission to client "${c.client_name}" to use your credentials.
+            Press the cancel button if you do not want to do that.</p>
+            <p>Client details:</p>
           </td>
         </tr>
@@ -29 +21 @@
           </td>
         </tr>
-        <tr>
-          <td align="center" colspan="2">
-            &nbsp;
+        <tr py:if="c.scope">
+          <td>
+            Scope in which credentials are to be used:
+          </td>
+          <td>
+            ${c.scope}
           </td>
         </tr>
         <tr>
-          <td colspan="2">
-            <table border="0" width="100%">
-              <tr>
-                <td align="center"><input type="submit" value="Yes" name="yes-button"/></td>
-                <td align="center"><input type="submit" value="No" name="no-button"/></td>
-              </tr>
-            </table>
+          <td colspan="2" align="right">
+            <input type="submit" name="submit" value="OK"/>
+            <input type="submit" name="cancel" value="Cancel"/>
+            <span>
+              <a href="javascript:;" title="Toggle help" onclick="toggleDiv(1,'aboutOpenID','shown','hidden','div'); return false;">
+              <img src="$c.helpIcon" alt="Toggle help" class="helpicon"/></a>
+            </span>
           </td>
         </tr>
       </table>
-    </form>         
+      <div id="aboutOpenID" class="hidden">
+        <div class="helptxt">
+          <p>You are being asked to log in to an OAuth server. OAuth is a protocol that allows you
+          to grant access to services to act on your behalf while only logging in to the OAuth
+          server. You will be asked to confirm that you wish to delegate authority to the service.
+          </p>
+          <p>
+          This server uses OAuth version 2.0. The latest specification at the time of writing is
+          <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-24">The OAuth 2.0 Authorization Protocol</a>
+          </p>
+        </div>
+      </div>
+    </form>
+  </div>
+
+  <xi:include href="base.html" />
+  <head>
+    <replace py:replace="pagehead()"/>
+  </head>
+  <body>
+    <div id="main">
+      <div py:replace="header()"/>
+      <replace py:replace="oauthAuthClient()"/>
+      <div py:replace="footer(showLoginStatus=False)"/>
+    </div>
   </body>
 </html>

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/authorization_filter.py

@@ -16 +16 @@
 from ndg.oauth.server.lib.register.client_authorization import (
                             ClientAuthorization, ClientAuthorizationRegister)
+from ndg.oauth.server.lib.render.configuration import RenderingConfiguration
 from ndg.oauth.server.lib.render.factory import callModuleObject
 from ndg.oauth.server.lib.render.renderer_interface import RendererInterface
@@ -31 +32 @@
     SESSION_CALL_CONTEXT_KEY = 'oauth2_client_authorizations_context'
     PARAM_PREFIX = 'oauth2authorization.'
+    LAYOUT_PREFIX = 'layout.'
     # Configuration options
     BASE_URL_PATH_OPTION = 'base_url_path'
@@ -51 +53 @@
         USER_IDENTIFIER_KEY_OPTION: 'REMOTE_USER'
     }
+    LAYOUT_PARAMETERS = ['heading',
+                         'title',
+                         'message',
+                         'leftLogo',
+                         'leftAlt',
+                         'leftImage',
+                         'leftLink',
+                         'rightAlt',
+                         'rightImage',
+                         'rightLink',
+                         'footerText',
+                         'helpIcon']
 
     def __init__(self, app, app_conf, prefix=PARAM_PREFIX, **local_conf):
@@ -73 +87 @@
         """
         self._app = app
+        self._renderingConfiguration = RenderingConfiguration(
+                                                    self.LAYOUT_PARAMETERS,
+                                                    prefix + self.LAYOUT_PREFIX,
+                                                    local_conf)
         self._set_configuration(prefix, local_conf)
         self.client_register = ClientRegister(self.client_register_file)
@@ -217 +235 @@
                  'client_id': client_id,
                  'scope': scope,
-                 'submit_url': submit_url}
-            response = self.renderer.render(self.client_authorization_form, c)
+                 'submit_url': submit_url,
+                 'baseURL': req.application_url}
+            response = self.renderer.render(self.client_authorization_form,
+                            self._renderingConfiguration.merged_parameters(c))
         start_response(self._get_http_status_string(httplib.OK),
            [('Content-type', 'text/html'),
@@ -249 +269 @@
             return [response]
 
-        if ('yes-button' in req.params) and ('no-button' not in req.params):
+        if ('submit' in req.params) and ('cancel' not in req.params):
             log.debug("User authorized client.")
             granted = True

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py

@@ -9 +9 @@
 
 import httplib
+import json
 import logging
 import urllib
@@ -20 +21 @@
 from ndg.oauth.server.lib.authenticate.noop_client_authenticator import NoopClientAuthenticator
 from ndg.oauth.server.lib.authorization_server import AuthorizationServer
-from ndg.oauth.server.lib.authorize.authorizer import Authorizer
 from ndg.oauth.server.lib.authorize.authorizer_storing_identifier import AuthorizerStoringIdentifier
+from ndg.oauth.server.lib.resource_request.myproxy_cert_request import MyproxyCertRequest
 
 log = logging.getLogger(__name__)
@@ -37 +38 @@
     """
     PARAM_PREFIX = 'oauth2server.'
+    CERT_DN_ENVIRON_KEY = 'SSL_CLIENT_S_DN'
     # Configuration options
     ACCESS_TOKEN_LIFETIME_OPTION = 'access_token_lifetime'
@@ -68 +70 @@
         '/access_token': 'access_token',
         '/authorize': 'authorize',
-        '/check_token': 'check_token'
+        '/check_token': 'check_token',
+        '/request_certificate': 'request_certificate'
     }
 
@@ -96 +99 @@
         if self.access_token_type == 'bearer':
             # Simple bearer token configuration.
-            authorizer = Authorizer(self.authorization_grant_lifetime_seconds)
             access_token_generator = BearerTokenGenerator(self.access_token_lifetime_seconds, self.access_token_type)
         elif self.access_token_type == 'myproxy':
             # Configure authorization server to use MyProxy certificates as access tokens.
-            authorizer = AuthorizerStoringIdentifier(
-                self.authorization_grant_lifetime_seconds,
-                user_identifier_env_key=self.user_identifier_env_key,
-                user_identifier_grant_data_key=self.USER_IDENTIFIER_GRANT_DATA_KEY)
-
             access_token_generator = MyProxyCertTokenGenerator(
                 self.access_token_lifetime_seconds, self.access_token_type,
@@ -115 +112 @@
                              (self.access_token_type,
                               self.ACCESS_TOKEN_TYPE_OPTION))
+        # Store user identifier with grant - this isn't needed for the OAuth
+        # protocol but is needed to return certificates using MyProxy.
+        authorizer = AuthorizerStoringIdentifier(
+            self.authorization_grant_lifetime_seconds,
+            user_identifier_env_key=self.user_identifier_env_key,
+            user_identifier_grant_data_key=self.USER_IDENTIFIER_GRANT_DATA_KEY)
 
         # Determine client authentication type. A 'none' options is allowed so
@@ -130 +133 @@
             self.client_register_file, authorizer, client_authenticator,
             access_token_generator, conf)
+
+        self._myproxy_cert_request = MyproxyCertRequest(
+            certificate_request_parameter=self.certificate_request_parameter,
+            myproxy_client_env_key=self.myproxy_client_env_key,
+            myproxy_global_password=self.myproxy_global_password,
+            user_identifier_grant_data_key=self.USER_IDENTIFIER_GRANT_DATA_KEY)
 
     def __call__(self, environ, start_response):
@@ -177 +186 @@
         @return: WSGI response
         """
+        log.debug("authorize called")
+        # Stop immediately if the client is not registered.
+        (error, error_description
+                        ) = self._authorizationServer.is_registered_client(req)
+        if error:
+            log.debug("Error checking if client registered: %s - %s", error,
+                      error_description)
+            return self._error_response(error, error_description,
+                                        start_response)
+
         # User authentication is required before authorization can proceed.
         user = req.environ.get(self.user_identifier_env_key)
@@ -183 +202 @@
             start_response(self._get_http_status_string(httplib.UNAUTHORIZED), [])
             return []
-
-        # Stop immediately if the client is not registered.
-        (error, error_description
-                        ) = self._authorizationServer.is_registered_client(req)
-        if error:
-            return self._error_response(error, error_description,
-                                        start_response)
 
         # User authorization for the client is also required.
@@ -270 +282 @@
         @return: WSGI response
         """
+        log.debug("access_token called")
         (response, error_status, error_description) = self._authorizationServer.access_token(req)
-        log.debug("Access token response is of type %s", type(response))
         if response is None:
             response = ''
@@ -281 +293 @@
         ]
         status_str = self._get_http_status_string(error_status if error_status else httplib.OK)
-            
+        if error_status:
+            log.debug("Error obtaining access token: %s - %s", status_str,
+                      error_description)
+
         start_response(status_str, headers)
         return [response]
@@ -304 +319 @@
             ('Content-Type', 'application/json; charset=UTF-8'),
             ('Cache-Control', 'no-store'),
-            ('Content-length', str(len(response)))
+            ('Content-length', str(len(response))),
             ('Pragma', 'no-store')
         ]
         status_str = self._get_http_status_string(error_status if error_status else httplib.OK)
-            
+
+        start_response(status_str, headers)
+        return [response]
+
+    def request_certificate(self, req, start_response):
+        """
+        Resource service to issue a certificate based on a certificate request
+        contained in the request and the identity of the client for whom the
+        access token was issued.
+        @type req: webob.Request
+        @param req: HTTP request object
+
+        @type start_response: 
+        @param start_response: WSGI start response function
+
+        @rtype: iterable
+        @return: WSGI response
+        """
+        log.debug("request_certificate called")
+        cert = None
+        error = None
+        status = httplib.OK
+        dn = req.environ.get(self.CERT_DN_ENVIRON_KEY)
+        if dn:
+            log.debug("Found certificate DN: %s", dn)
+        else:
+            # Client must be authenticated - no other error should be included
+            # in this case.
+            status = httplib.FORBIDDEN
+
+        if status == httplib.OK:
+            (token, status,
+                error) = self._authorizationServer.get_registered_token(req, dn)
+
+        if status == httplib.OK:
+            # Token is valid so get a certificate.
+            cert = self._myproxy_cert_request.get_resource(token, req)
+            if not cert:
+                status = httplib.INTERNAL_SERVER_ERROR
+
+        content_dict = {'status': status}
+        if error:
+            content_dict['error'] = error
+        if cert:
+            content_dict['certificate'] = cert
+        response = json.dumps(content_dict)
+
+        headers = [
+            ('Content-Type', 'application/json; charset=UTF-8'),
+            ('Cache-Control', 'no-store'),
+            ('Content-length', str(len(response))),
+            ('Pragma', 'no-store')
+        ]
+        status_str = self._get_http_status_string(status if status
+                                                  else httplib.OK)
+        if error:
+            log.debug("Error obtaining certificate: %s - %s", status_str, error)
+
         start_response(status_str, headers)
         return [response]

trunk/ndg_oauth/ndg_oauth_server/repoze_who.ini

@@ -2 +2 @@
 # identificaion and challenge
 use = repoze.who.plugins.redirector:make_plugin
-login_url = /login.html
+login_url = /authentication/login_form
+came_from_param = returnurl
 
 [plugin:auth_tkt]
@@ -58 +59 @@
 # plugin_name;classifier_name:.. or just plugin_name (good for any)
 plugins =
-#      redirector;browser
+      redirector;browser
       basicauth