Context Navigation

← Previous Change
Next Change →

Changeset 8196 for trunk/ndg_oauth/ndg_oauth_server

Timestamp:

19/10/12 22:18:42 (8 years ago)

Author:

pjkersha

Message:

Implemented resource server as separate middleware and started refactoring slcs e.g. to use + the python online ca

Location:

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server

Files:

: 4 added
: 6 edited

examples/bearer_tok/__init__.py (modified) (1 diff)
examples/bearer_tok/bearer_tok_server_app_serve.py (modified) (2 diffs)
examples/slcs/slcs_server_app.ini (modified) (9 diffs)
examples/slcs/slcs_server_app_serve.py (modified) (1 diff)
examples/slcs/test-ca.crt (added)
examples/slcs/test-ca.key (added)
examples/utils.py (added)
wsgi/authorization_filter.py (modified) (12 diffs)
wsgi/oauth2_server.py (modified) (5 diffs)
wsgi/resource_server.py (added)

Legend:

: Unmodified
: Added
: Removed

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/init.py

-                      r8080
+                      r8196
+"""NDG OAuth examples package
+"""
+__author__ = "P J Kershaw"
+__date__ = "20/11/08"
+__copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = "$Id:$"

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/bearer_tok_server_app_serve.py

-                      r8195
+                      r8196
-#from paste.script.serve import ServeCommand
+#
-#ServeCommand("serve").run(["bearer_tok_server_app.ini"])
 #!/usr/bin/env python
 """NDG Security test harness for security web services middleware stack
+"""NDG OAuth test harness for bearer token example
 """
 __author__ = "P J Kershaw"
 __date__ = "20/11/08"
 __copyright__ = "(C) 2009 Science and Technology Facilities Council"
+__copyright__ = "(C) 2012 Science and Technology Facilities Council"
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = "$Id:$"
+__revision__ = "$Id:$"
 from os import path
+import optparse
+from OpenSSL import SSL
+from OpenSSL import crypto
+from paste.deploy import loadapp
+from paste.script.util.logging_config import fileConfig
+THIS_DIR = path.dirname(__file__)
+SHARED_CONFIG_DIR  = path.join(THIS_DIR, '..', 'shared_config')
+PKI_DIR = path.join(SHARED_CONFIG_DIR, 'pki')
+CACERT_DIR = path.join(PKI_DIR, 'ca')
+import paste.httpserver
+from threading import Thread
+class PasteDeployAppServer(object):
+    """Wrapper to paste.httpserver to enable background threading"""
+    def __init__(self, app=None, cfgFilePath=None, port=7443, host='0.0.0.0',
+                 ssl_context=None):
+        """Load an application configuration from cfgFilePath ini file and
+        instantiate Paste server object
+        """
+        self.__thread = None
+        if cfgFilePath:
+            if app:
+                raise KeyError('Set either the "cfgFilePath" or "app" keyword '
+                               'but not both')
+            fileConfig(cfgFilePath, defaults={'here':path.dirname(cfgFilePath)})
+            app = loadapp('config:%s' % cfgFilePath)
+        elif app is None:
+            raise KeyError('Either the "cfgFilePath" or "app" keyword must be '
+                           'set')
+        self.__pasteServer = paste.httpserver.serve(app, host=host, port=port,
+                                                    start_loop=False,
+                                                    ssl_context=ssl_context)
+    @property
+    def pasteServer(self):
+        return self.__pasteServer
+    @property
+    def thread(self):
+        return self.__thread
+    def start(self):
+        """Start server"""
+        self.pasteServer.serve_forever()
+    def startThread(self):
+        """Start server in a separate thread"""
+        self.__thread = Thread(target=PasteDeployAppServer.start, args=(self,))
+        self.thread.start()
+    def terminateThread(self):
+        self.pasteServer.server_close()
+class OpenSSLVerifyCallbackMiddleware(object):
+    """Set peer certificate retrieved from PyOpenSSL SSL context callback in
+    environ dict SSL_CLIENT_CERT item
+    FOR TESTING PURPOSES ONLY - IT IS NOT THREAD SAFE
+    """
+    def __init__(self, app):
+        self._app = app
+        self.ssl_client_cert = None
+        self.ssl_client_cert_dn = None
+#        self.ignore_pat = 'localhost'
+        self.ignore_pat = None
+    def createSSLCallback(self):
+        """Make a SSL Context callback function and return it to the caller"""
+        def _callback(conn, x509, errnum, errdepth, ok):
+            if errdepth == 0:
+                subject = x509.get_subject()
+                components = subject.get_components()
+                if self.ignore_pat not in [i[-1] for i in components]:
+                    self.ssl_client_cert = crypto.dump_certificate(
+                                                    crypto.FILETYPE_PEM, x509)
+                    self.ssl_client_cert_dn = '/'+ '/'.join(
+                                        ['%s=%s' % i for i in components])
+            return ok
+        return _callback
+    def __call__(self, environ, start_response):
+        """Set the latest peer SSL client certificate from the SSL callback
+        into environ SSL_CLIENT_CERT key"""
+        if self.ssl_client_cert:
+            environ['SSL_CLIENT_CERT'] = self.ssl_client_cert
+            environ['SSL_CLIENT_S_DN'] = self.ssl_client_cert_dn
+            self.ssl_client_cert = None
+        return self._app(environ, start_response)
+class ApacheSSLVariablesMiddleware(object):
+    """Simulate Apache SSL environment setting relevant environ variables"""
+    def __init__(self, app):
+        self._app = app
+    def __call__(self, environ, start_response):
+        environ['HTTPS'] = '1'
+        return self._app(environ, start_response)
+from ndg.oauth.server.examples.utils import serve_app
 INI_FILENAME = 'bearer_tok_server_app.ini'
 …
 # $ ./securityservicesapp.py -h
 if __name__ == '__main__':
+    cfgFilePath = path.join(path.dirname(path.abspath(__file__)), INI_FILENAME)
+    defCertFilePath = path.join(PKI_DIR, 'host.pem')
+    defPriKeyFilePath = path.join(PKI_DIR, 'host.pem')
+    parser = optparse.OptionParser()
+    parser.add_option("-p",
+                      "--port",
+                      dest="port",
+                      default=5000,
+                      type='int',
+                      help="port number to run under")
+    parser.add_option("-s",
+                      "--with-ssl",
+                      dest="withSSL",
+                      default='True',
+                      help="Run with SSL")
+    parser.add_option("-c",
+                      "--cert-file",
+                      dest='certFilePath',
+                      default=defCertFilePath,
+                      help="SSL Certificate file")
+    parser.add_option("-k",
+                      "--private-key-file",
+                      default=defPriKeyFilePath,
+                      dest='priKeyFilePath',
+                      help="SSL private key file")
+    parser.add_option("-f",
+                      "--conf",
+                      dest="configFilePath",
+                      default=cfgFilePath,
+                      help="Configuration file path")
+    parser.add_option("-a",
+                      "--with-ssl-client-auth",
+                      dest="ssl_client_authn",
+                      action='store_true',
+                      default=True,
+                      help="Set client authentication with SSL (requires -s "
+                           "option")
+    opt = parser.parse_args()[0]
+    cfgFilePath = path.abspath(opt.configFilePath)
+    if opt.withSSL.lower() == 'true':
+        ssl_context = SSL.Context(SSL.SSLv23_METHOD)
+        ssl_context.set_session_id('oauthserver')
+        ssl_context.use_privatekey_file(opt.priKeyFilePath)
+        ssl_context.use_certificate_file(opt.certFilePath)
+        ssl_context.load_verify_locations(None, CACERT_DIR)
+        ssl_context.set_verify_depth(9)
+        # Load the application from the Paste ini file configuration
+        fileConfig(cfgFilePath, defaults={'here': path.dirname(cfgFilePath)})
+        app = loadapp('config:%s' % cfgFilePath)
+        if opt.ssl_client_authn:
+            # Wrap the application in middleware to set the SSL client certificate
+            # obtained from the SSL handshake in environ
+            app = OpenSSLVerifyCallbackMiddleware(app)
+            _callback = app.createSSLCallback()
+            # Wrap in middleware to simulate Apache environment
+            app = ApacheSSLVariablesMiddleware(app)
+            ssl_context.set_verify(SSL.VERIFY_PEER, _callback)
+        server = PasteDeployAppServer(app=app,
+                                      port=opt.port,
+                                      ssl_context=ssl_context)
+    else:
+        ssl_context = None
+        server = PasteDeployAppServer(cfgFilePath=cfgFilePath,
+                                      port=opt.port,
+                                      ssl_context=ssl_context)
+    server.start()
+    config_filepath = path.join(path.dirname(path.abspath(__file__)),
+                                INI_FILENAME)
+    serve_app(INI_FILENAME)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/slcs/slcs_server_app.ini

-                      r8123
+                      r8196
+#
+# NDG OAuth Server - Pylons development environment configuration
+# NDG OAuth Server - consisting of
+# * a generic OAuth Authorisation Server which authenticates users by
+#   username/password on a web form
+# * a resource server.  This is a specialised one which enables delegated
+#   clients to obtain short-lived X.509 certificate credentials.  It does this
+#   by using the Contrail Online CA package
+#
 # The %(here)s variable will be replaced with the parent directory of this file
 …
 pipeline = BeakerSessionFilter
            repoze_who
+           AuthnForm
+           MyProxyClient
+           OAuth2Authz
+           OAuth2ServerFilterApp
+           AuthenticationFormFilter
+           OAuth2AuthorisationFilter
+           OAuth2ServerFilter
+           OAuth2ResourceServerFilter
+           OnlineCaFilterApp
 # This filter sets up a server side session linked to a cookie.  The session
 …
 log_level = debug
 [filter:AuthnForm]
+[filter:AuthenticationFormFilter]
 paste.filter_app_factory = ndg.oauth.server.wsgi.authentication_filter:AuthenticationFormMiddleware.filter_app_factory
 authenticationForm.base_url_path = /authentication
 …
 authenticationForm.layout.helpIcon = /layout/help.png
+[filter:MyProxyClient]
+paste.filter_app_factory = myproxy.server.wsgi.middleware:MyProxyClientMiddleware.filter_app_factory
+# Default environ key for MyProxy client
+# myproxy.client.clientEnvKeyName=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient
+# MyProxy server which this MyProxy WSGI app is a client to.  Set here to the
+# fully qualified domain name or else set the MYPROXY_SERVER environment
+# variable.  Setting here overrides any environment variable setting.  See the
+# documentation for the MyProxyClient package for details
+#myproxy.client.hostname = localhost
+#myproxy.client.port = 7512
+# CA Certificate directory to enable this application to trust the MyProxy
+# server that it fronts e.g. set to /etc/grid-security/certificates.  For these
+# tests set to local ca directory
+myproxy.client.caCertDir = %(here)s/../shared_config/pki/ca
+[filter:OAuth2Authz]
+[filter:OAuth2AuthorisationFilter]
 # Authorization filter configuration options - defaults are commented out.
 paste.filter_app_factory = ndg.oauth.server.wsgi.authorization_filter:Oauth2AuthorizationMiddleware.filter_app_factory
 oauth2authorization.base_url_path=/client_authorization
 oauth2authorization.client_authorization_form=%(here)s/ndg/oauth/server/templates/auth_client_form.html
+oauth2authorization.client_authorization_form=%(here)s/templates/auth_client_form.html
 #oauth2authorization.client_authorizations_key=client_authorizations
 oauth2authorization.client_register=%(here)s/client_register.ini
 …
 oauth2authorization.layout.helpIcon = /layout/icons/help.png
 [app:OAuth2Server]
 paste.app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.app_factory
+[filter:OAuth2ServerFilter]
+paste.filter_app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.filter_app_factory
 # OAuth2 server configuration options - defaults are commented out.
 #oauth2server.access_token_lifetime=86400
+# Allowed values: slcs (default) or bearer (which returns a UUID)
+oauth2server.access_token_type=slcs
+# Allowed values: slcs (returns a cert as access token) or bearer (which
+# returns a UUID).  bearer is the default
+#oauth2server.access_token_type=slcs
 #oauth2server.access_token_type=bearer
 #oauth2server.authorization_grant_lifetime=600
 …
 #oauth2server.client_authorizations_key=client_authorizations
 oauth2server.client_register=%(here)s/client_register.ini
-#oauth2server.myproxy_client_key=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient
-oauth2server.myproxy_global_password=testpassword
 #oauth2server.session_key_name=beaker.session.oauth2server
 #oauth2server.user_identifier_key=REMOTE_USER
 …
 #oauth2server.cache.authorizationgrantregister.lock_dir
+[filter-app:OAuth2ServerFilterApp]
+[filter:OAuth2ResourceServerFilter]
+paste.filter_app_factory = ndg.oauth.server.wsgi.resource_server:Oauth2ResourceServerMiddleware.filter_app_factory
+oauth2.resource_server.resource_uripaths: /certificate/
+[app:OnlineCaApp]
+paste.app_factory = onlineca.server.wsgi.app:OnlineCaApp.app_factory
+# Set an alternative prefix for settings - default is 'onlineca.server.'
+#prefix: online-ca.
+# Path to CA Python class constructor or factory function
+onlineca.server.ca_class_factory_path: onlineca.server.impl:CertificateAuthorityImpl
+# onlineca.server.ca_class.* values correspond to settings for the CA class.
+# The CA class is embedded into the online CA via an interface.  It is used to
+# issue certificates. The settings below apply to the
+# ca.impl.CertificateAuthority class
+# CA certificate file location
+onlineca.server.ca_class.cert_filepath: %(here)s/test-ca.crt
+# CA certificate private key file location
+onlineca.server.ca_class.key_filepath: %(here)s/test-ca.key
+# Password for CA private key file.  Omit this option if no password is set
+#onlineca.server.ca_class.key_passwd:
+# Default number of bits for key pair.  Certificate signing requests submitted
+# with public keys with less than this minimum will be rejected.  The default is
+# 2048
+onlineca.server.min_key_nbits: 2048
+# Template to set the form for the certificate subject name for output
+# certificates.  This can reference any key name set in environ - in this case,
+# 'REMOTE_USER'
+onlineca.server.cert_subject_name_template: /O=NDG/OU=Security/CN=$REMOTE_USER
+# URI path for certificate issuing endpoint. e.g. if online ca app is mounted
+# at https://myonlineca.somewhere.ac.uk/onlineca and issue_cert_uripath is
+# /issue_cert/, then the full path would be,
+#
+# https://myonlineca.somewhere.ac.uk/onlineca/issue_cert/
+#
+# Default path is /certificate/
+#onlineca.server.issue_cert_uripath: /issue-cert/
+# URI path for trustroots retrieval endpoint.  The default path is
+# /trustroots/
+#onlineca.server.trustroots_uripath: /trusted-cas/
+# Directory where trustroots should be read from and returned via the
+# trustroots call.  It is vital that this is path is carefully selected and
+# checked.
+onlineca.server.trustroots_dir: %(here)s/ca/
+[filter-app:OnlineCaFilterApp]
 use = egg:Paste#httpexceptions
 next = cascade
 …
 [composit:cascade]
 use = egg:Paste#cascade
 app1 = OAuth2Server
+app1 = OnlineCaApp
 app2 = StaticContent
 catch = 404
 …
 use = egg:Paste#static
 document_root = %(here)s/static
-# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
-# Debug mode will enable the interactive debugging tool, allowing ANYONE to
-# execute malicious code after an exception is raised.
-#set debug = false

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/slcs/slcs_server_app_serve.py

-                      r8122
+                      r8196
+from paste.script.serve import ServeCommand
+#!/usr/bin/env python
+"""NDG OAuth test harness for Short-Lived Credential Service bearer token
+example
+ServeCommand("serve").run(["slcs_server_app.ini"])
+"""
+__author__ = "P J Kershaw"
+__date__ = "20/11/08"
+__copyright__ = "(C) 2012 Science and Technology Facilities Council"
+__contact__ = "Philip.Kershaw@stfc.ac.uk"
+__revision__ = "$Id:$"
+from os import path
+from ndg.oauth.server.examples.utils import serve_app
+INI_FILENAME = "slcs_server_app.ini"
+if __name__ == '__main__':
+    config_filepath = path.join(path.dirname(path.abspath(__file__)),
+                                INI_FILENAME)
+    serve_app(INI_FILENAME)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/authorization_filter.py

-                      r8057
+                      r8196
 log = logging.getLogger(__name__)
 class Oauth2AuthorizationMiddleware(object):
 …
     propertyDefaults = {
         BASE_URL_PATH_OPTION: 'client_authorization',
+        RENDERER_CLASS_OPTION: 'ndg.oauth.server.lib.render.genshi_renderer.GenshiRenderer',
+        RENDERER_CLASS_OPTION: \
+            'ndg.oauth.server.lib.render.genshi_renderer.GenshiRenderer',
         SESSION_KEY_OPTION: 'beaker.session.oauth2authorization',
         CLIENT_AUTHORIZATIONS_KEY_OPTION: 'client_authorizations',
 …
         if req.path_info.startswith(self.base_path):
             actionPath = req.path_info[len(self.base_path):]
         methodName = self.__class__.method.get(actionPath, '')
         if methodName:
 …
             action = getattr(self, methodName)
             return action(req, session, start_response)
         elif self._app is not None:
             log.debug("Delegating to lower filter/application.")
             self._set_client_authorizations_in_environ(session, environ)
             return self._app(environ, start_response)
         else:
             response = "OAuth 2.0 Authorization Filter - Invalid URL"
 …
         client_authorizations = session.get(self.CLIENT_AUTHORIZATIONS_SESSION_KEY)
         if client_authorizations:
+            log.debug("_set_client_authorizations_in_environ %s", client_authorizations.__repr__())
+            log.debug("_set_client_authorizations_in_environ %r",
+                      client_authorizations)
             environ[self.client_authorizations_env_key] = client_authorizations
         else:
+            log.debug("%s not found in session", self.CLIENT_AUTHORIZATIONS_SESSION_KEY)
+            log.debug("%s not found in session",
+                      self.CLIENT_AUTHORIZATIONS_SESSION_KEY)
     def authorize(self, req, session, start_response):
 …
         user = req.params.get('user')
         original_url = req.params.get('original_url')
+        log.debug("Client authorization request for client_id: %s  scope: %s  user: %s", client_id, scope, user)
+        client_authorizations = session.get(self.CLIENT_AUTHORIZATIONS_SESSION_KEY)
+        log.debug("Client authorization request for client_id: %s  scope: %s  "
+                  "user: %s", client_id, scope, user)
+        client_authorizations = session.get(
+                                        self.CLIENT_AUTHORIZATIONS_SESSION_KEY)
         client_authorized = None
         if client_authorizations:
+            client_authorized = client_authorizations.is_client_authorized_by_user(user, client_id, scope)
+            client_authorized = \
+                client_authorizations.is_client_authorized_by_user(user,
+                                                                   client_id,
+                                                                   scope)
         if client_authorized is None:
             # No existing decision - let user decide.
 …
+                }
             session.save()
+            log.debug("Client not authorized by user - returning authorization form.")
+            log.debug("Client not authorized by user - returning authorization "
+                      "form.")
             return self._client_auth_form(client_id, scope, req, start_response)
         else:
+            log.debug("Client already %s authorization by user.", ("granted" if client_authorized else "denied"))
+            log.debug("Client already %s authorization by user.",
+                      ("granted" if client_authorized else "denied"))
             log.debug("Redirecting to %s", original_url)
             return self._redirect(original_url, start_response)
 …
     def _client_auth_form(self, client_id, scope, req, start_response):
         """
         Returns a form for the user to enter an authorization desicion.
+        Returns a form for the user to enter an authorization decision.
         @type client_id: str
 …
             log.error("No session context.")
             response = 'Internal server error'
+            start_response(self._get_http_status_string(httplib.INTERNAL_SERVER_ERROR),
+               [('Content-type', 'text/html'),
+                ('Content-length', str(len(response)))
+                ])
+            status_str = self._get_http_status_string(
+                                                httplib.INTERNAL_SERVER_ERROR)
+            start_response(status_str,
+                           [('Content-type', 'text/html'),
+                            ('Content-length', str(len(response)))
+                            ])
             return [response]
         if ('submit' in req.params) and ('cancel' not in req.params):
+        if 'submit' in req.params and 'cancel' not in req.params:
             log.debug("User authorized client.")
             granted = True
 …
         # Add authorization to those for the user.
+        client_authorizations = session.setdefault(self.CLIENT_AUTHORIZATIONS_SESSION_KEY, ClientAuthorizationRegister())
+        client_authorizations = session.setdefault(
+                                        self.CLIENT_AUTHORIZATIONS_SESSION_KEY,
+                                        ClientAuthorizationRegister())
         client_id = call_context['client_id']
         scope = call_context['scope']
         user = call_context['user']
+        log.debug("Adding client authorization for client_id: %s  scope: %s  user: %s", client_id, scope, user)
+        client_authorizations.add_client_authorization(ClientAuthorization(user, client_id, scope, granted))
+        log.debug("Adding client authorization for client_id: %s  scope: %s  "
+                  "user: %s", client_id, scope, user)
+        client_authorization = ClientAuthorization(user, client_id, scope,
+                                                   granted)
+        client_authorizations.add_client_authorization(client_authorization)
         session[self.CLIENT_AUTHORIZATIONS_SESSION_KEY] = client_authorizations
         log.debug("### client_auth: %s", client_authorizations.__repr__())
+        log.debug("### client_auth: %r", client_authorizations)
         session.save()
 …
         """
         cls = self.__class__
+        self.base_path = cls._get_config_option(prefix, local_conf, cls.BASE_URL_PATH_OPTION)
+        self.client_register_file = cls._get_config_option(prefix, local_conf, cls.CLIENT_REGISTER_OPTION)
+        self.renderer_class = cls._get_config_option(prefix, local_conf, cls.RENDERER_CLASS_OPTION)
+        self.session_env_key = cls._get_config_option(prefix, local_conf, cls.SESSION_KEY_OPTION)
+        self.client_authorization_form = cls._get_config_option(prefix, local_conf, cls.CLIENT_AUTHORIZATION_FORM_OPTION)
+        self.client_authorizations_env_key = cls._get_config_option(prefix, local_conf, cls.CLIENT_AUTHORIZATIONS_KEY_OPTION)
+        self.user_identifier_env_key = cls._get_config_option(prefix, local_conf, cls.USER_IDENTIFIER_KEY_OPTION)
+        self.base_path = cls._get_config_option(
+                                            prefix,
+                                            local_conf,
+                                            cls.BASE_URL_PATH_OPTION)
+        self.client_register_file = cls._get_config_option(
+                                            prefix,
+                                            local_conf,
+                                            cls.CLIENT_REGISTER_OPTION)
+        self.renderer_class = cls._get_config_option(
+                                            prefix,
+                                            local_conf,
+                                            cls.RENDERER_CLASS_OPTION)
+        self.session_env_key = cls._get_config_option(
+                                            prefix, local_conf,
+                                            cls.SESSION_KEY_OPTION)
+        self.client_authorization_form = cls._get_config_option(
+                                            prefix,
+                                            local_conf,
+                                            cls.CLIENT_AUTHORIZATION_FORM_OPTION)
+        self.client_authorizations_env_key = cls._get_config_option(prefix,
+                                            local_conf,
+                                            cls.CLIENT_AUTHORIZATIONS_KEY_OPTION)
+        self.user_identifier_env_key = cls._get_config_option(
+                                                prefix,
+                                                local_conf,
+                                                cls.USER_IDENTIFIER_KEY_OPTION)
     @staticmethod
 …
         log.debug("Redirecting to %s", url)
         start_response(self._get_http_status_string(httplib.FOUND),
                [('Location', url.encode('ascii', 'ignore'))])
+                       [('Location', url.encode('ascii', 'ignore'))])
         return []

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py

-                      r8195
+                      r8196
     USER_IDENTIFIER_GRANT_DATA_KEY = 'user_identifier'
+    AUTHORISATION_SERVER_ENVIRON_KEYNAME = 'ndg.server.authorisation.server'
     # Configuration option defaults
     propertyDefaults = {
+    PROPERTY_DEFAULTS = {
         ACCESS_TOKEN_LIFETIME_OPTION: 86400,
         ACCESS_TOKEN_TYPE_OPTION: 'bearer',
 …
         CLIENT_AUTHORIZATION_URL_OPTION: '/client_authorization/authorize',
         CLIENT_AUTHORIZATIONS_KEY_OPTION: 'client_authorizations',
+        MYPROXY_CLIENT_KEY_OPTION: 'myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient',
+        MYPROXY_CLIENT_KEY_OPTION: \
+        'myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient',
         USER_IDENTIFIER_KEY_OPTION: 'REMOTE_USER'
+    }
 …
         log.debug("Request path_info: %s", req.path_info)
+        # Set Authorisation Server as key in environ for access by downstream
+        # middleware or app.  For example, a resource server can use it to
+        # check access tokens presented to it from clients against ones issued
+        # by the authorisation server
+        environ[self.__class__.AUTHORISATION_SERVER_ENVIRON_KEYNAME
+                ] = self._authorizationServer
         # Determine what operation the URL specifies.
         actionPath = None
 …
                 conf[k[plen:]] = v
         cls = self.__class__
         self.base_path = cls._get_config_option(conf, cls.BASE_URL_PATH_OPTION)
+        self.authorization_grant_lifetime_seconds = cls._get_config_option(conf, cls.AUTHORIZATION_GRANT_LIFETIME_OPTION)
+        self.access_token_lifetime_seconds = cls._get_config_option(conf, cls.ACCESS_TOKEN_LIFETIME_OPTION)
+        self.access_token_type = cls._get_config_option(conf, cls.ACCESS_TOKEN_TYPE_OPTION)
+        self.certificate_request_parameter = cls._get_config_option(conf, cls.CERTIFICATE_REQUEST_PARAMETER_OPTION)
+        self.client_authorization_url  = cls._get_config_option(conf, cls.CLIENT_AUTHORIZATION_URL_OPTION)
+        self.client_authentication_method  = cls._get_config_option(conf, cls.CLIENT_AUTHENTICATION_METHOD_OPTION)
+        self.client_authorizations_env_key = cls._get_config_option(conf, cls.CLIENT_AUTHORIZATIONS_KEY_OPTION)
+        self.client_register_file = cls._get_config_option(conf, cls.CLIENT_REGISTER_OPTION)
+        self.myproxy_client_env_key = cls._get_config_option(conf, cls.MYPROXY_CLIENT_KEY_OPTION)
+        self.myproxy_global_password = cls._get_config_option(conf, cls.MYPROXY_GLOBAL_PASSWORD_OPTION)
+        self.user_identifier_env_key = cls._get_config_option(conf, cls.USER_IDENTIFIER_KEY_OPTION)
+        self.authorization_grant_lifetime_seconds = cls._get_config_option(
+                                conf, cls.AUTHORIZATION_GRANT_LIFETIME_OPTION)
+        self.access_token_lifetime_seconds = cls._get_config_option(
+                                conf, cls.ACCESS_TOKEN_LIFETIME_OPTION)
+        self.access_token_type = cls._get_config_option(
+                                conf, cls.ACCESS_TOKEN_TYPE_OPTION)
+        self.certificate_request_parameter = cls._get_config_option(
+                                conf, cls.CERTIFICATE_REQUEST_PARAMETER_OPTION)
+        self.client_authorization_url  = cls._get_config_option(
+                                conf, cls.CLIENT_AUTHORIZATION_URL_OPTION)
+        self.client_authentication_method  = cls._get_config_option(
+                                conf, cls.CLIENT_AUTHENTICATION_METHOD_OPTION)
+        self.client_authorizations_env_key = cls._get_config_option(
+                                conf, cls.CLIENT_AUTHORIZATIONS_KEY_OPTION)
+        self.client_register_file = cls._get_config_option(
+                                conf, cls.CLIENT_REGISTER_OPTION)
+        self.myproxy_client_env_key = cls._get_config_option(
+                                conf, cls.MYPROXY_CLIENT_KEY_OPTION)
+        self.myproxy_global_password = cls._get_config_option(
+                                conf, cls.MYPROXY_GLOBAL_PASSWORD_OPTION)
+        self.user_identifier_env_key = cls._get_config_option(
+                                conf, cls.USER_IDENTIFIER_KEY_OPTION)
         # Return any options that start with the prefix but haven't been read
         # above.
 …
     @classmethod
     def _get_config_option(cls, conf, key):
         value = conf.pop(key, cls.propertyDefaults.get(key, None))
+        value = conf.pop(key, cls.PROPERTY_DEFAULTS.get(key, None))
         log.debug("Oauth2ServerMiddleware configuration %s=%s", key, value)
         return value

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: