Changeset 964

Timestamp:

19/05/06 14:33:28 (15 years ago)

Author:

pjkersha

Message:

Tests/SecurityClientTest?.py: get proxy cert from call to Session Manager WS connect call rather
than from a local file.

conf/myProxyProperties.xml: config file just for MyProxy? - contains settings copied from
sessionMgrProperties.xml. Isolate for use by new MyProxyAdmin?.py tool. Eventually MyProxy?
config settings may be removed and kept spearate from sessionMgrProperties.xml.

conf/gatekeeperProperties.xml: properties file for NDG Gatekeeper

bin/MyProxyAdmin.py: new command line tool for MyProxy? administration. It enables new users
to be added from the command line of the host running MyProxy?. This may replace the current
Session Manager WS addUser method.

NDG/AttAuthority.py: Make sure sys.path is copied by content rather than reference in init

NDG/log_services_server.py: added reposID var for recording of version from SVN.

NDG/Gatekeeper.py: added readAccess, writeAccess and executeAccess methods.

Location:

TI12-security/trunk/python

Files:

• NDG/AttAuthority.py (modified) (2 diffs)
• NDG/Gatekeeper.py (modified) (9 diffs)
• NDG/log_services_server.py (modified) (1 diff)
• Tests/SecurityClientTest.py (modified) (3 diffs)
• bin/MyProxyAdmin.py (added)
• conf/gatekeeperProperties.xml (modified) (1 diff)
• conf/myProxyProperties.xml (added)
• conf/sessionMgrProperties.xml (modified) (1 diff)

TI12-security/trunk/python/NDG/AttAuthority.py

@@ -157 +157 @@
             try:
                 # Temporarily extend system path ready for import
-                sysPathBak = sys.path
+                sysPathBak = sys.path[:]
                 sys.path.append(self.__prop['usrRolesModFilePath'])
                 
@@ -169 +169 @@
                                      self.__prop['usrRolesClassName'])
             finally:
-                sys.path = sysPathBak
+                sys.path[:] = sysPathBak
                                 
         except Exception, e:

TI12-security/trunk/python/NDG/Gatekeeper.py

@@ -16 +16 @@
 import cElementTree as ElementTree
 
-# Alter system path for dynamic import of user roles class
+# Alter system path for dynamic import of resource interface class
 import sys
 
@@ -39 +39 @@
     
     __validKeys = ( 'resrcURI',
-                    'resrcURImodFilePath',
-                    'resrcURImodName',
-                    'resrcURIclassName',
-                    'resrcURIpropFile')
+                    'resrcModFilePath',
+                    'resrcModName',
+                    'resrcClassName',
+                    'resrcPropFile',
+                    'caCertFilePath')
     
     #_________________________________________________________________________
@@ -48 +49 @@
          
         self.__propFilePath = propFilePath               
-        self.__resrcURIobj = None
+        self.__resrcObj = None
         self.__prop = {}.fromkeys(self.__validKeys)
         
@@ -65 +66 @@
         if max(self.__prop.values()) is not None:
             # Initialize if all required resource URI class properties are set
-            self.initResrcURIinterface()
+            self.initResrcinterface()
        
         
     #_________________________________________________________________________
-    def initResrcURIinterface(self):
+    def initResrcinterface(self):
         """Set-up Resource URI interface to Gatekeeper"""
         
@@ -75 +76 @@
             try:
                 # Temporarily extend system path ready for import
-                sysPathBak = sys.path
-                sys.path.append(self.__prop['resrcURImodFilePath'])
+                sysPathBak = sys.path[:]
+                sys.path.append(self.__prop['resrcModFilePath'])
                 
                 # Import module name specified in properties file
-                resrcURImod = __import__(self.__prop['resrcURImodName'],
-                                         globals(),
-                                         locals(),
-                                         [self.__prop['resrcURIclassName']])
-    
-                resrcURIclass = eval('resrcURImod.' + \
-                                        self.__prop['resrcURIclassName'])
+                resrcMod = __import__(self.__prop['resrcModName'],
+                                      globals(),
+                                      locals(),
+                                      [self.__prop['resrcClassName']])
+    
+                resrcClass = eval('resrcMod.' + self.__prop['resrcClassName'])
+                
             finally:
-                sys.path = sysPathBak
+                sys.path[:] = sysPathBak
                                 
         except KeyError, e:
@@ -97 +98 @@
 
 
-        # Check class inherits from GatekeeperResrcURI abstract base class
-        if not issubclass(resrcURIclass, GatekeeperResrcURI):
+        # Check class inherits from GatekeeperResrc abstract base class
+        if not issubclass(resrcClass, GatekeeperResrc):
             raise GatekeeperError(\
                 "Resource URI interface class %s must be derived from " + \
-                "GatekeeperResrcURI" % self.__prop['resrcURIclassName'])
+                "GatekeeperResrc" % self.__prop['resrcClassName'])
 
 
         # Instantiate custom class
         try:
-            self.__resrcURIobj = resrcURIclass(\
-                                    filePath=self.__prop['resrcURIpropFile'])            
+            self.__resrcObj = resrcClass(\
+                                    resrcID=self.__prop['resrcID'],
+                                    filePath=self.__prop['resrcPropFile'])            
         except Exception, e:
             raise GatekeeperError(\
@@ -123 +125 @@
         if propFilePath is not None:
             if not isinstance(propFilePath, basestring):
-                raise AttAuthorityError("Input Properties file path " + \
+                raise GatekeeperError("Input Properties file path " + \
                                         "must be a valid string.")
             
@@ -130 +132 @@
 
         try:
-            tree = ElementTree.parse(self.__propFilePath)
+            elems = ElementTree.parse(self.__propFilePath).getroot()
             
         except IOError, ioErr:
-            raise AttAuthorityError(\
+            raise GatekeeperError(\
                                 "Error parsing properties file \"%s\": %s" % \
                                 (ioErr.filename, ioErr.strerror))
-
-    
-    #_________________________________________________________________________
-    def __call__(self, input):
-        
-        if isinstance(input, basestring):
+                                
+        # Copy properties from file as dictionary
+        self.__prop = dict([(elem.tag, elem.text) for elem in elems])
+
+
+        # Check for missing properties
+        propKeys = self.__prop.keys()
+        missingKeys = [key for key in Gatekeeper.__validKeys \
+                       if key not in propKeys]
+        if missingKeys != []:
+            raise GatekeeperError("The following properties are " + \
+                                  "missing from the properties file: " + \
+                                  ', '.join(missingKeys))
+
+
+    def __formatInput(self, input):
+        """Convert generic input into a list of roles - use with access
+        routines"""
+        
+        if isinstance(input, list):
+            # Input is list of roles
+            return input
+              
+        elif isinstance(input, basestring):
             # Input is a role
-            roleList = [input]
-            
-        elif isinstance(input, list):
-            # Input is list of roles
-            roleList = input
+            return [input]
             
         elif isinstance(input, AttCert):
             # Input is an Attribute Certificate
-            roleList = input.getRoles()
+            # Check signature of AttCert
+            try:
+                attCert.isValid(raiseExcep=True, 
+                            certFilePathList=self.__prop['caCertFilePath'])                            
+            except Exception, e:
+                raise GateKeeperError, "Access denied for input: %s" % str(e)
+            
+            return input.getRoles()
         else:
             raise GatekeeperError("Input must be a role, role list or " + \
                                   "Attribute Certificate type")
-                                  
+
+   
+    #_________________________________________________________________________
+    def __call__(self, input):
+        """Get the permissions for the input rile, list of roles or 
+        Attribute Certificate containing roles.  A Dictionary of permissions
+        are returned indexed by role name.  Permissions are expressed as a 
+        tuple containing the relevant permissions flags e.g. ('r', 'w', 'x')
+        for read/write/execute permission or e.g. ('x') for exceute only
+        permission"""
+        
+        roleList = self.__formatInput(input)
                                       
-        return dict([(role, self.__resrcURIobj.getPermissions(role)) \
+        return dict([(role, self.__resrcObj.getPermissions(role)) \
                      for role in roleList])
         
     
     getPermissions = __call__
-
-
+    
+    
+    #_________________________________________________________________________
+    def readAccess(self, input):
+        """Determine read access permitted against the given
+        input role/role list or Attribute Certificate roles
+        
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        
+        roleList = self.__formatInput(input)
+        
+        return dict([(role, self.__resrcObj.readAccess(role)) \
+                     for role in roleList])
+    
+    
+    #_________________________________________________________________________
+    def writeAccess(self, input):
+        """Determine write access permitted against the given
+        input role/role list or Attribute Certificate roles
+        
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        
+        roleList = self.__formatInput(input)
+        
+        return dict([(role, self.__resrcObj.writeAccess(role)) \
+                     for role in roleList])
+    
+    
+    #_________________________________________________________________________
+    def executeAccess(self, input):
+        """Determine execute access permitted against the given
+        input role/role list or Attribute Certificate roles
+        
+        Return a dictionary of booleans for access granted/denied keyed
+        by role name"""
+        
+        roleList = self.__formatInput(input)
+        
+        return dict([(role, self.__resrcObj.executeAccess(role)) \
+                     for role in roleList])
+                     
 
 #_____________________________________________________________________________
-class GatekeeperResrcURIError(Exception):
-    """Exception handling for NDG Attribute Authority User Roles interface
+class GatekeeperResrcError(GateKeeperError):
+    """Exception handling for NDG Gatekeeper Resource interface class
     class."""
-    
-    def __init__(self, msg):
-        self.__msg = msg
-         
-    def __str__(self):
-        return self.__msg
-
+    pass
 
 
 #_____________________________________________________________________________
-class GatekeeperResrcURI:
-    """An abstract base class to define the resource URI -> role interface 
+class GatekeeperResrc:
+    """An abstract base class to define the resource -> role interface 
     for the Gatekeeper.
 
     Each NDG resource should implement a derived class which implements
-    the way a resource roles is served from the given resource URI."""
+    the way a resource roles is served from the given resource."""
 
     # User defined class may wish to specify a URI or path for a configuration
     # file
-    def __init__(self, uri=None, filePath=None):
-        """Roles abstract base class - derive from this class to define
+    def __init__(self, resrcID=None, filePath=None):
+        """Abstract base class - derive from this class to define
         resource role interface to Gatekeeper"""
         raise NotImplementedError(\
             self.__init__.__doc__.replace('\n       ',''))
-
-
-    def __getRole(self):
-        """Derived method should return the role for the resource
-        This method is not essential to interface with GateKeeper class"""
-        raise NotImplementedError(
-            self.__getRole.__doc__.replace('\n       ',''))
-    
-    role = property(fget=__getRole, doc="Access resource access role")
     
 
@@ -217 +277 @@
         raise NotImplementedError(
             self.__getPermissions.__doc__.replace('\n       ',''))
+
+
+    def readAccess(self, role):
+        """Derived method should return the role for read access to the 
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.readAccess.__doc__.replace('\n       ',''))
+
+
+    def writeAccess(self, role):
+        """Derived method should return the role for write access to the 
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.writeAccess.__doc__.replace('\n       ',''))
+
+
+    def executeAccess(self, role):
+        """Derived method should return the role for execute access to the 
+        resource - should return boolean for access granted/denied"""
+        raise NotImplementedError(
+            self.executeAccess.__doc__.replace('\n       ',''))
+    
+            

TI12-security/trunk/python/NDG/log_services_server.py

@@ -13 +13 @@
 version 1.0 or later.
 """
+reposID = '$Id$'
+
 import os
 

TI12-security/trunk/python/Tests/SecurityClientTest.py

@@ -105 +105 @@
         try:
             # Connect as a command line client - a proxyCert is returned        
-            proxyCert = self.sessClnt.connect(userName, 
+            self.proxyCert = self.sessClnt.connect(userName, 
                                           pPhraseFilePath="./tmp",
                                           createServerSess=True,
@@ -111 +111 @@
                                           clntPriKeyPwd=self.__clntPriKeyPwd)
             print "User '%s' connected to Session Manager:\n%s" % \
-                (userName, proxyCert)
+                (userName, self.proxyCert)
 
         except Exception, e:
@@ -196 +196 @@
         pdb.set_trace()
         try:
-            proxyCert = open("./proxy.pem").read().strip()
+            # Alternative means of getting proxy cert - from file
+            #self.proxyCert = open("./proxy.pem").read().strip()
+            self.proxyCertConnectTest()
             userAttCert = None
             
             ac = self.aaClnt.reqAuthorisation(
-                                       proxyCert=proxyCert,
+                                       proxyCert=self.proxyCert,
                                        userAttCert=userAttCert,
                                        clntPriKeyPwd=self.__clntPriKeyPwd)

TI12-security/trunk/python/conf/gatekeeperProperties.xml

@@ -1 +1 @@
 <?xml version="1.0" encoding="utf-8"?>
 <gatekeeperProp>
-    <resrcURI></resrcURI>
-    <resrcURImodFilePath></resrcURImodFilePath>
-    <resrcURImodName></resrcURImodName>
-    <resrcURIclassName></resrcURIclassName>
-    <resrcURIpropFile></resrcURIpropFile>
+        <!-- Resource identifier e.g. a URI -->
+    <resrcID></resrcID>
+        <!-- Resource interface class -->
+    <resrcModFilePath></resrcModFilePath>
+    <resrcModName></resrcModName>
+    <resrcClassName></resrcClassName>
+    <resrcPropFile></resrcPropFile>
+        <!-- CA Certificate used in validation of Attribute Certificate XML 
+        singature -->
+        <caCertFilePath></caCertFilePath>
 </gatekeeperProp>

TI12-security/trunk/python/conf/sessionMgrProperties.xml

@@ -9 +9 @@
     <cookieDomain></cookieDomain>
     <myProxyProp>
-        <myProxyServer></myProxyServer>
-        <gridSecurityDir></gridSecurityDir>
-        <credStorageDir></credStorageDir>
-        <openSSLConfFileName></openSSLConfFileName>
+        <myProxyServer></myProxyServer>
+        <gridSecurityDir></gridSecurityDir>
+        <credStorageDir></credStorageDir>
+        <openSSLConfFileName></openSSLConfFileName>
         <tmpDir></tmpDir>
-        <path></path>
-        <proxyCertMaxLifetime></proxyCertMaxLifetime>
-        <proxyCertLifetime></proxyCertLifetime> <!-- in hours -->
-        <simpleCACltProp>
-            <wsdl></wsdl>
-            <xmlSigKeyFile></xmlSigKeyFile>
+        <path></path>
+        <proxyCertMaxLifetime></proxyCertMaxLifetime>
+        <proxyCertLifetime></proxyCertLifetime> <!-- in hours -->
+        <simpleCACltProp>
+            <wsdl></wsdl>
+            <xmlSigKeyFile></xmlSigKeyFile>
             <xmlSigCertFile></xmlSigCertFile>
             <xmlSigCertPPhrase></xmlSigCertPPhrase>
-        </simpleCACltProp>
-        <!--
-        <simpleCASrvProp>
-            <certExpiryDate></certExpiryDate>
-            <certLifetimeDays></certLifetimeDays>
-            <certTmpDir></certTmpDir>
-            <caCertFile></caCertFile>
-            <signExe></signExe>
-            <path></path>
-        </simpleCASrvProp>
-        -->
+        </simpleCACltProp
+        <!--
+        <simpleCASrvProp>
+            <certExpiryDate></certExpiryDate>
+            <certLifetimeDays></certLifetimeDays>
+            <certTmpDir></certTmpDir>
+            <caCertFile></caCertFile>
+            <signExe></signExe>
+            <path></path>
+        </simpleCASrvProp>
+        -->
     </myProxyProp>
     <credReposProp>
-        <dbURI></dbURI>
+        <dbURI></dbURI>
     </credReposProp>
 </sessMgrProp>