Changeset 8251 for trunk/ndg_oauth/ndg_oauth_server

Timestamp:

30/10/12 16:34:39 (8 years ago)

Author:

pjkersha

Message:

• Preparing revised simple bearer token example
• fixed resource server middleware to take token from Authorization header.

Location:

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server

Files:

• examples/bearer_tok/bearer_tok_server_app.ini (modified) (11 diffs)
• examples/bearer_tok/static/resource1.html (added)
• lib/authorization_server.py (modified) (2 diffs)
• wsgi/oauth2_server.py (modified) (2 diffs)

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/bearer_tok_server_app.ini

@@ -5 +5 @@
 # * a resource server.  This is a specialised one which enables delegated 
 #   clients to obtain short-lived X.509 certificate credentials.  It does this
-#   by using MyProxyCA as a backend certificate issuing service.  A MyProxyCA
-#   instance is required to demonstrate this but not to demonstrate the 
-#   authorisation service.
+#   by using the Contrail Online CA package
 #
 # The %(here)s variable will be replaced with the parent directory of this file
@@ -18 +16 @@
 error_email_from = paste@localhost
 
+# These are common variables referenced by more than one section below.  They
+# set the paths for the OAuth services and the protected resources (just one in
+# this case - the OnlineCA's certificate issuing path)
+oauth_server_basepath = /oauth
+secured_resource_path = /resource1.html
+
+# The OAuth client to this service will request a resource on behalf of a user
+# based on an access token passed.  The resource server checks the token looking
+# it up in cached session information.  This session also holds the id of the 
+# user who granted the token.  This id can be made available from the resource 
+# server to the downstream application being protected.  In this case, this is 
+# the OnlineCA service.  The OnlineCA needs the id in order to create the 
+# correct certificate subject for the certificate to be issued.
+claimed_userid_environ_key = oauth_granting_userid
+
 beakerSessionKeyName = beaker.session.oauth2server
 
@@ -30 +43 @@
 pipeline = BeakerSessionFilter
            repoze_who
-           AuthnForm
-           MyProxyClient
-           OAuth2Authz
-           OAuth2ServerFilterApp
+           AuthenticationFormFilter
+           OAuth2AuthorisationFilter
+           OAuth2ServerFilter
+           OAuth2ResourceServerFilter
+           FilterApp
 
 # This filter sets up a server side session linked to a cookie.  The session
@@ -56 +70 @@
 log_level = debug
 
-[filter:AuthnForm]
+[filter:AuthenticationFormFilter]
 paste.filter_app_factory = ndg.oauth.server.wsgi.authentication_filter:AuthenticationFormMiddleware.filter_app_factory
 authenticationForm.base_url_path = /authentication
@@ -76 +90 @@
 authenticationForm.layout.helpIcon = /layout/help.png
 
-[filter:OAuth2Authz]
+[filter:OAuth2AuthorisationFilter]
 # Authorization filter configuration options - defaults are commented out.
 paste.filter_app_factory = ndg.oauth.server.wsgi.authorization_filter:Oauth2AuthorizationMiddleware.filter_app_factory
@@ -94 +108 @@
 oauth2authorization.layout.helpIcon = /layout/icons/help.png
 
-# Add a MyProxy Client into WSGI environ so that OAuth resource server can
-# request certificates
-[filter:MyProxyClient]
-paste.filter_app_factory = myproxy.server.wsgi.middleware:MyProxyClientMiddleware.filter_app_factory
-# Default environ key for MyProxy client
-# myproxy.client.clientEnvKeyName=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient
-
-# MyProxy server which this MyProxy WSGI app is a client to.  Set here to the
-# fully qualified domain name or else set the MYPROXY_SERVER environment
-# variable.  See the documentation for the MyProxyClient egg for details
-myproxy.client.hostname = pampero.badc.rl.ac.uk
-#myproxy.client.port = 7512
-
-# CA Certificate directory to enable this application to trust the MyProxy
-# server that it fronts e.g. set to /etc/grid-security/certificates.  For these
-# tests set to local ca directory
-MyProxy.client.caCertDir = %(here)s/pki/ca
-
-[app:OAuth2Server]
-paste.app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.app_factory
+[filter:OAuth2ServerFilter]
+paste.filter_app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.filter_app_factory
 
 # OAuth2 server configuration options - defaults are commented out.
@@ -122 +118 @@
 #oauth2server.access_token_type=bearer
 #oauth2server.authorization_grant_lifetime=600
-oauth2server.base_url_path=/oauth
+oauth2server.base_url_path=%(oauth_server_basepath)s
 #oauth2server.certificate_request_parameter=certificate_request
 # Allowed values: certificate (default) or none.
@@ -133 +129 @@
 #oauth2server.user_identifier_key=REMOTE_USER
 
-# This is specific to the special configuration of a resource server protecting
-# a MyProxyCA short-lived credential service (SLCS).  The resource server will 
-# accept a bearer token and SLCS specific input: a certificate signing request  
-# (CSR).  Provided that the token is accepted, the CSR is passed on to the 
-# underlying MyProxy server along with the special password below.  On success,
-# the MyProxyCA server returns a signed certificate.  A MyProxyCA instance
-# is required to support this resource request.  The OAuth app can be extended
-# as needed to support access to other more generic resource types.  This is 
-# just an example
-oauth2server.myproxy_global_password=testpassword
-
 # Configuration of access token cache
 oauth2server.cache.accesstokenregister.expire=86400
@@ -158 +143 @@
 #oauth2server.cache.authorizationgrantregister.lock_dir
 
-[filter-app:OAuth2ServerFilterApp]
+[filter:OAuth2ResourceServerFilter]
+paste.filter_app_factory = ndg.oauth.server.wsgi.resource_server:Oauth2ResourceServerMiddleware.filter_app_factory
+
+# Sets which paths are protected by OAuth.  In this example, the OnlineCA's
+# certificate issuing service
+oauth2.resource_server.resource_uripaths: %(secured_resource_path)s
+    
+# Scope required to access this resource.  More than one value can be set.  
+# Values should be space delimited.  In this case, the value has been set to the
+# path of the certificate issuing path for the OnlineCA but this is just a
+# convenient value.  Any arbitrary string could have been set.
+oauth2.resource_server.required_scope: https://localhost:5000/resource1.html
+
+# Set the userid of the delegator as a key in environ.  This is useful for
+# access by the downstream app that the resource server middleware is 
+# protecting.  In this case, the OnlineCA service.
+oauth2.resource_server.claimed_userid_environ_key: %(claimed_userid_environ_key)s
+
+[filter-app:FilterApp]
 use = egg:Paste#httpexceptions
 next = cascade
@@ -164 +167 @@
 [composit:cascade]
 use = egg:Paste#cascade
-app1 = OAuth2Server
-app2 = StaticContent
+app1 = StaticContent
 catch = 404
 
@@ -171 +173 @@
 use = egg:Paste#static
 document_root = %(here)s/static
-
-# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
-# Debug mode will enable the interactive debugging tool, allowing ANYONE to
-# execute malicious code after an exception is raised.
-#set debug = false
 
 

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/authorization_server.py

@@ -34 +34 @@
     Provides the core OAuth 2.0 server functions.
     """
+    AUTHZ_HDR_ENV_KEYNAME = 'HTTP_AUTHORIZATION'
+     
     def __init__(self, client_register_file, authorizer, client_authenticator,
                  access_token_generator, config):
@@ -509 +511 @@
                  )
         """
-        params = request.params
-        token = None
-        if 'access_token' not in params:
+        authorization_hdr = request.environ.get(
+                                        self.__class__.AUTHZ_HDR_ENV_KEYNAME)
+        try:
+            token_type, access_token = authorization_hdr.split()
+            
+        except AttributeError:
+            log.error('No Authorization header present for request to %r', 
+                      request.path_url)
             error = 'invalid_request'
+            
+        except ValueError:
+            log.error('Unexpected Authorization header values %r for request '
+                      'to %r', authorization_hdr, request.path_url)
+            error = 'invalid_request'
+            
         else:
-            access_token = params['access_token']
-            if scope:
-                required_scope = scope
-            else:
-                required_scope = params.get('scope', None)
-                
-            token, error = self.access_token_register.get_token(access_token,
-                                                                required_scope)
+            if token_type != 'Bearer':
+                log.error('Token type retrieved is %r, expecting "Bearer" type',
+                          token_type)
+                error = 'invalid_request'
+            else:   
+                token, error = self.access_token_register.get_token(
+                                                                access_token, 
+                                                                None)
 
         status = {'invalid_request': httplib.BAD_REQUEST,

trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py

@@ -67 +67 @@
     USER_IDENTIFIER_GRANT_DATA_KEY = 'user_identifier'
 
-    AUTHORISATION_SERVER_ENVIRON_KEYNAME = 'ndg.server.authorisation.server'
+    AUTHORISATION_SERVER_ENVIRON_KEYNAME = \
+                                        'ndg.oauth.server.authorisation.server'
     
     # Configuration option defaults
@@ -238 +239 @@
 
         # User authorization for the client is also required.
-        (client_authorized, authz_uri) = self._check_client_authorization(user, 
-                                                                          req)
+        client_authorized, authz_uri = self._check_client_authorization(user, 
+                                                                        req)
         if authz_uri:
             log.debug("Redirecting to %s", authz_uri)