pvl/login/ssl.py
author Tero Marttila <terom@paivola.fi>
Sun, 07 Sep 2014 14:21:56 +0300
changeset 424 e77e967d59b0
parent 375 df3bf49634a1
permissions -rw-r--r--
hgignore: use glob; ignore snmp mibs
# encoding: utf-8
import base64
import datetime
import hashlib
import os
import os.path
import string
import pvl.invoke
import logging; log = logging.getLogger('pvl.login.ssl')
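class Error (Exception) :
    """
        Raised by UsersCA on invalid input (username, cert name) or a missing cert.
    """


class UsersCA (object) :
    """
        Sign browser-generated SPKAC requests for users with a local OpenSSL CA, and
        hand back the signed certs.

        Per-user files live under <users>/<user>/<name>, <name>.spkac and <name>.tmp,
        where <name> is the sha1 hex digest of user + spkac. Signing is delegated to
        `openssl ca -config <ca>/openssl.cnf` with $CA set to the CA directory.
    """

    OPENSSL = '/usr/bin/openssl'

    # default validity of signed certs, in days
    SIGN_DAYS = 1

    # Characters allowed in usernames. Usernames are used as a path component under
    # self.users, so a path separator must never be admitted here; string.ascii_letters
    # is used instead of the locale-dependent string.letters.
    VALID_USER = set(string.ascii_letters + string.digits + '-.')

    # Characters allowed in cert names; sign_user() returns sha1 hex digests.
    VALID_NAME = set(string.hexdigits)

    O = u"Päivölän Kansanopisto"
    OU = u"People"
    DC = ('paivola', 'fi')

    def __init__ (self, ca, users) :
        """
            ca      - path to the CA directory, containing openssl.cnf
            users   - path to the directory holding the per-user cert directories
        """

        self.ca = ca
        self.users = users

        self.ca_config = os.path.join(ca, 'openssl.cnf')

    def _check_component (self, value, valid, what) :
        """
            Check that value is safe to use as a single path component under self.users.

            Raises Error if it is empty, '.' or '..', or contains any character outside
            the given valid set (which never includes a path separator).
        """

        if not value or value in ('.', '..') or not set(value).issubset(valid) :
            raise Error("Invalid {what}: {value}".format(what=what, value=value))

    def sign_spkac (self, out, spkac, days=SIGN_DAYS) :
        """
            Sign given spkac request file (path) with the CA.

            Creates the given output file (path); it may be left empty on errors.
            Runs `openssl ca` with the CA config and the policy_user policy, with $CA
            pointing at the CA directory; error handling is left to pvl.invoke.invoke.
        """

        pvl.invoke.invoke(self.OPENSSL, ('ca',
                '-config', self.ca_config,
                '-spkac', spkac,
                '-out', out,
                '-policy', 'policy_user',
                '-days', str(days),
                '-utf8',
            ),
            setenv={
                'CA':   self.ca,
            },
        )

    def generate_dn (self, uid, cn=None) :
        """
            Generate OpenSSL (rdn, value) pairs for given user.

            Yields O (or the DC components, if no O is set), then OU, UID and
            optionally CN, in the order they are written to the spkac file.
        """

        if self.O :
            yield 'O', self.O

        elif self.DC :
            # numbered so that the repeated DC keys stay distinct in the spkac file
            for index, dc in enumerate(self.DC, 1) :
                yield '{index}.DC'.format(index=index), dc

        yield 'OU', self.OU

        yield 'UID', uid

        if cn :
            yield 'CN', cn

    def write_spkac (self, path, spkac, dn) :
        """
            Write out a spkac file to the given path, containing the given base64-encoded
            spkac and DN (iterable of (rdn, value) pairs).

            Raises the base64 module's decoding error if spkac is not valid base64.
        """

        # roundtrip the spkac for consistent formatting
        spkac = base64.b64encode(base64.b64decode(spkac))

        # binary mode: the spkac is raw base64 and the DN lines are utf-8 encoded;
        # the with-block closes the file even if the dn iterable raises
        with open(path, 'wb') as fh :
            fh.write(b'SPKAC=')
            fh.write(spkac)
            fh.write(b'\n')

            for rdn, value in dn :
                fh.write(u'{rdn}={value}\n'.format(rdn=rdn, value=value).encode('utf-8'))

    def sign_user (self, user, spkac, userinfo=None) :
        """
            Sign given spkac string (base64-encoded) for given user.

            userinfo, if given, becomes the cert CN.

            Returns a name for the signed cert, usable with open_cert(). The name is
            derived from (user, spkac), so re-submitting the same request maps back to
            the same files and an already signed cert is returned as-is.

            Raises Error on an invalid username.
        """

        self._check_component(user, self.VALID_USER, 'username')

        dir = os.path.join(self.users, user)

        if not os.path.exists(dir) :
            os.mkdir(dir)

        name = hashlib.sha1(user + spkac).hexdigest()
        base = os.path.join(dir, name)
        spkac_file = base + '.spkac'
        cert_file = base
        tmp_file = base + '.tmp'

        # the req to sign
        if os.path.exists(spkac_file) :
            log.warning("spkac already exists: %s", spkac_file)
        else :
            log.info("%s: write spkac: %s", user, spkac_file)
            self.write_spkac(spkac_file, spkac, self.generate_dn(user, userinfo))

        # sign it
        if os.path.exists(cert_file) :
            log.warning("cert already exists: %s", cert_file)
            return name

        if os.path.exists(tmp_file) :
            log.warning("cleaning out previous tmp file: %s", tmp_file)
            os.unlink(tmp_file)

        log.info("%s: sign cert: %s", user, cert_file)
        self.sign_spkac(tmp_file, spkac_file)

        # only publish the cert under its final name once openssl has finished
        log.debug("%s: rename %s -> %s", user, tmp_file, cert_file)
        os.rename(tmp_file, cert_file)

        return name

    def open_cert (self, user, name) :
        """
            Return an opened cert file by username / cert name (as returned by sign_user()).

            Raises Error on an invalid username or cert name, or if no such cert exists.
        """

        # both values become path components under self.users, so both are validated;
        # an unchecked name could otherwise refer outside the user's cert directory
        self._check_component(user, self.VALID_USER, 'username')
        self._check_component(name, self.VALID_NAME, 'cert name')

        path = os.path.join(self.users, user, name)

        if not os.path.exists(path) :
            raise Error("No cert found on server")

        return open(path)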