Changeset 8236 for trunk/ndg_oauth/ndg_oauth_server

Timestamp:

26/10/12 22:44:00 (8 years ago)

Author:

pjkersha

Message:

Version now fully integrated with Python OnlineCA service. This is an alternative to using MyProxy? to create certificates made possible by using the ContrailOnlineCAService package, a Python CA implementation. The configuration is in the 'slcs' example. This configuration also uses the independent OAuthResourceServerMiddleware, middleware which applies the necessary checks on the access token before passing on the request to the underlying application. In this case, the OnlineCA.

Location:

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server

Files:

• examples/slcs/slcs_server_app.ini (modified) (6 diffs)
• lib/authorize/authorizer_storing_identifier.py (modified) (2 diffs)
• wsgi/oauth2_server.py (modified) (1 diff)
• wsgi/resource_server.py (modified) (5 diffs)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/slcs/slcs_server_app.ini

@@ -15 +15 @@
 smtp_server = localhost
 error_email_from = paste@localhost
+
+# These are common variables referenced by more than one section below.  They
+# set the paths for the OAuth services and the protected resources (just one in
+# this case - the OnlineCA's certificate issuing path)
+oauth_server_basepath = /oauth
+onlineca_issue_certpath = %(oauth_server_basepath)s/certificate/
+
+# The OAuth client to this service will request a resource on behalf of a user
+# based on an access token passed.  The resource server checks the token looking
+# it up in cached session information.  This session also holds the id of the 
+# user who granted the token.  This id can be made available from the resource 
+# server to the downstream application being protected.  In this case, this is 
+# the OnlineCA service.  The OnlineCA needs the id in order to create the 
+# correct certificate subject for the certificate to be issued.
+claimed_userid_environ_key = oauth_granting_userid
 
 beakerSessionKeyName = beaker.session.oauth2server
@@ -103 +118 @@
 #oauth2server.access_token_type=bearer
 #oauth2server.authorization_grant_lifetime=600
-oauth2server.base_url_path=/oauth
+oauth2server.base_url_path=%(oauth_server_basepath)s
 #oauth2server.certificate_request_parameter=certificate_request
 # Allowed values: certificate (default) or none.
@@ -130 +145 @@
 [filter:OAuth2ResourceServerFilter]
 paste.filter_app_factory = ndg.oauth.server.wsgi.resource_server:Oauth2ResourceServerMiddleware.filter_app_factory
-oauth2.resource_server.resource_uripaths: /certificate/
+
+# Sets which paths are protected by OAuth.  In this example, the OnlineCA's
+# certificate issuing service
+oauth2.resource_server.resource_uripaths: %(onlineca_issue_certpath)s
     
+# Scope required to access this resource.  More than one value can be set.  
+# Values should be space delimited.  In this case, the value has been set to the
+# path of the certificate issuing path for the OnlineCA but this is just a
+# convenient value.  Any arbitrary string could have been set.
+oauth2.resource_server.required_scope: https://localhost:5000/oauth/certificate/
+
+# Set the userid of the delegator as a key in environ.  This is useful for
+# access by the downstream app that the resource server middleware is 
+# protecting.  In this case, the OnlineCA service.
+oauth2.resource_server.claimed_userid_environ_key: %(claimed_userid_environ_key)s
+
 [app:OnlineCaApp]
-paste.app_factory = onlineca.server.wsgi.app:OnlineCaApp.app_factory
+paste.app_factory = contrail.security.onlineca.server.wsgi.app:OnlineCaApp.app_factory
 
 # Set an alternative prefix for settings - default is 'onlineca.server.'
@@ -139 +168 @@
 
 # Path to CA Python class constructor or factory function
-onlineca.server.ca_class_factory_path: onlineca.server.impl:CertificateAuthorityImpl
+onlineca.server.ca_class_factory_path: contrail.security.onlineca.server.impl:CertificateAuthorityImpl
 
 # onlineca.server.ca_class.* values correspond to settings for the CA class.
@@ -161 +190 @@
 
 # Template to set the form for the certificate subject name for output 
-# certificates.  This can reference any key name set in environ - in this case,
-# 'REMOTE_USER'
-onlineca.server.cert_subject_name_template: /O=NDG/OU=Security/CN=$REMOTE_USER
+# certificates.
+onlineca.server.cert_subject_name_template: /O=NDG/OU=Security/CN=$%(claimed_userid_environ_key)s
 
 # URI path for certificate issuing endpoint. e.g. if online ca app is mounted
@@ -172 +200 @@
 #
 # Default path is /certificate/
-#onlineca.server.issue_cert_uripath: /issue-cert/
+onlineca.server.issue_cert_uripath: %(onlineca_issue_certpath)s
 
 # URI path for trustroots retrieval endpoint.  The default path is

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/authorize/authorizer_storing_identifier.py

@@ -35 +35 @@
         self.lifetime = lifetime
         self.user_identifier_env_key = kw.get('user_identifier_env_key')
-        self.user_identifier_grant_data_key = kw.get('user_identifier_grant_data_key')
+        self.user_identifier_grant_data_key = kw.get(
+                                            'user_identifier_grant_data_key')
 
     def generate_authorization_grant(self, auth_request, request):
@@ -56 +57 @@
         user_identifier = request.environ.get(self.user_identifier_env_key)
         if not user_identifier:
-            log.error('Could not find user identifier key "%s" in environ', self.user_identifier_env_key)
-            raise OauthException('server_error', 'Authorization grant could not be created')
+            log.error('Could not find user identifier key "%s" in environ', 
+                      self.user_identifier_env_key)
+            raise OauthException('server_error', 
+                                 'Authorization grant could not be created')
 
         code = uuid.uuid4().hex
+        additional_data = {self.user_identifier_grant_data_key: user_identifier}
         grant = AuthorizationGrant(code, auth_request, self.lifetime,
-                                   additional_data={self.user_identifier_grant_data_key: user_identifier})
-        return (grant, code)
+                                   additional_data=additional_data)
+        return grant, code

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py

@@ -305 +305 @@
             return (None, url)
         
-        return (client_authorized, None)
+        return client_authorized, None
 
     def _make_client_authorization_url(self, req):

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/resource_server.py

@@ -15 +15 @@
 
 from ndg.oauth.server.wsgi.oauth2_server import Oauth2ServerMiddleware
+from ndg.oauth.server.lib.authorization_server import AuthorizationServer
 
 log = logging.getLogger(__name__)
@@ -40 +41 @@
     RESOURCE_URIPATHS_OPTNAME = 'resource_uripaths'
     
+    CLAIMED_USER_ID_ENVIRON_KEY_OPTNAME = 'claimed_userid_environ_key'
+    DEFAULT_CLAIMED_USER_ID_ENVIRON_KEYNAME = \
+        'oauth.resource_server.claimed_userid'
+    
     AUTHORISATION_SERVER_ENVIRON_KEYNAME = \
         Oauth2ServerMiddleware.AUTHORISATION_SERVER_ENVIRON_KEYNAME
         
+    __slots__ = (
+        '_app',
+        '__authorization_server',
+        'claimed_userid_environ_key',
+        '__resource_uripaths',
+        '__required_scope'
+    )
     def __init__(self, app):
         self._app = app
-        self._authorization_server = None
-        self.match_scope_to_client_dn = False
+        self.__authorization_server = None
+        self.claimed_userid_environ_key = \
+            self.__class__.DEFAULT_CLAIMED_USER_ID_ENVIRON_KEYNAME
         self.__resource_uripaths = []
+        
+        # Scope for this resource - multiple space delimited scope values may
+        # be set
+        self.__required_scope = None
         
     @classmethod
@@ -92 +109 @@
             raise TypeError('Expecting single string or space-separated URI '
                             'paths or an iterable; got %r instead' % type(val))
-            
+     
+    @property
+    def authorization_server(self):
+        return self.__authorization_server
+    
+    @authorization_server.setter
+    def authorization_server(self, val):
+        if not isinstance(val, AuthorizationServer):
+            raise TypeError('Expecting %r type for "authorization_server" '
+                            'attribute; got %r instead' % (AuthorizationServer, 
+                                                           type(val)))
+        self.__authorization_server = val
+     
+    @property
+    def required_scope(self):
+        return self.__required_scope
+    
+    @required_scope.setter
+    def required_scope(self, val):
+        if not isinstance(val, basestring):
+            raise TypeError('Expecting string type for "required_scope" '
+                            'attribute; got %r instead' % type(val))
+        self.__required_scope = val 
+                       
     def __call__(self, environ, start_response):
         '''Apply validation of access token for configured resource paths
@@ -103 +143 @@
         request = Request(environ)
         
-        self._authorization_server = environ.get(
+        self.authorization_server = environ.get(
                             self.__class__.AUTHORISATION_SERVER_ENVIRON_KEYNAME)
-        if self._authorization_server is None:
-            raise Oauth2ResourceServerMiddlewareConfigError(
-                'No %r key to authorisation server set in environ' %
-                    self.__class__.AUTHORISATION_SERVER_ENVIRON_KEYNAME)
         
         if self._match_uripath(request.path_info):
-            self.request_resource(request, start_response)
+            return self.request_resource(request, start_response)
         else:
             return self._app(environ, start_response)
@@ -133 +169 @@
                   "path %r", request.path_info)
 
-        status = httplib.OK
-        content_dict ={}
-        
-        if self.match_scope_to_client_dn:
-            provided_scope = request.environ.get(self.CERT_DN_ENVIRON_KEY)
-            if provided_scope:
-                log.debug("Found certificate DN: %s", provided_scope)
-            else:
-                # Client must be authenticated - no other error should be 
-                # included in this case.
-                status = httplib.UNAUTHORIZED
-                content_dict['error'] = (
-                    "Client certificate %r subject required to match with "
-                    "scope but none set") % provided_scope
-                    
-                log.error(content_dict['error'])
-        else:
-            provided_scope = None
-        
         # Check the token
-        if status == httplib.OK:    
-            status, error = self._authorization_server.get_registered_token(
+        token, status, error = self.authorization_server.get_registered_token(
                                                     request, 
-                                                    scope=provided_scope)[1:]
-            if error:
-                content_dict.setdefault('error', error)
-            else:
-                return None  # signal to caller that validation succeeded
-            
-        response = json.dumps(content_dict)
-        headers = [
-            ('Content-Type', 'application/json; charset=UTF-8'),
-            ('Cache-Control', 'no-store'),
-            ('Content-length', str(len(response))),
-            ('Pragma', 'no-store')
-        ]
-        status_str = "%d %s" % (status, httplib.responses[status])
-        start_response(status_str, headers)
-        return [response]
+                                                    scope=self.required_scope)
+        if not error:
+            request.environ[self.claimed_userid_environ_key
+                    ] = token.grant.additional_data.get('user_identifier')
+                            
+            return self._app(request.environ, start_response)
+        else:
+            status = httplib.OK
+            content_dict ={}
+            content_dict.setdefault('error', error)
+                        
+            response = json.dumps(content_dict)
+            headers = [
+                ('Content-Type', 'application/json; charset=UTF-8'),
+                ('Cache-Control', 'no-store'),
+                ('Content-length', str(len(response))),
+                ('Pragma', 'no-store')
+            ]
+            status_str = "%d %s" % (status, httplib.responses[status])
+            start_response(status_str, headers)
+            return [response]
     
     def _match_uripath(self, path):