[Mpuls-commits] r3098 - in base/trunk: . mpulsweb/lib
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Mon Jun 28 12:50:02 CEST 2010
Author: bh
Date: 2010-06-28 12:50:01 +0200 (Mon, 28 Jun 2010)
New Revision: 3098
Modified:
base/trunk/ChangeLog
base/trunk/mpulsweb/lib/security.py
Log:
* mpulsweb/lib/security.py (getKAName): Refactor into several
functions. Revert precedence to what it was before r2407,
analogous to the previous change to getDbName. Values from the
SSL-certificates take precedence over the configuration again.
(get_kaname_from_http_header): New. Contains the HTTP-Header
decoding part of getKAName(). The logic has changed a bit: the
value extracted from the DN is the value of the last OU field.
(get_kaname_from_config): New. Contains the configuration based
part of getKAName().
Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog 2010-06-28 09:42:14 UTC (rev 3097)
+++ base/trunk/ChangeLog 2010-06-28 10:50:01 UTC (rev 3098)
@@ -1,5 +1,17 @@
2010-06-28 Bernhard Herzog <bh at intevation.de>
+ * mpulsweb/lib/security.py (getKAName): Refactor into several
+ functions. Revert precedence to what it was before r2407,
+ analogous to the previous change to getDbName. Values from the
+ SSL-certificates take precedence over the configuration again.
+ (get_kaname_from_http_header): New. Contains the HTTP-Header
+ decoding part of getKAName(). The logic has changed a bit: the
+ value extracted from the DN is the value of the last OU field.
+ (get_kaname_from_config): New. Contains the configuration based
+ part of getKAName().
+
+2010-06-28 Bernhard Herzog <bh at intevation.de>
+
* mpulsweb/lib/security.py (getDbName): Refactor into several
functions. Revert semantics back to the way they were before
r2407: The information from the SSL-client certificates takes
Modified: base/trunk/mpulsweb/lib/security.py
===================================================================
--- base/trunk/mpulsweb/lib/security.py 2010-06-28 09:42:14 UTC (rev 3097)
+++ base/trunk/mpulsweb/lib/security.py 2010-06-28 10:50:01 UTC (rev 3098)
@@ -282,47 +282,59 @@
return NEW_DBS.get(dbname, dbname)
+def get_kaname_from_http_header():
+ """Return the KA-name given by HTTP-Header fields.
+
+ This function expects the Subject-DN from the SSL-client-certificate
+ in either the MPULS_APPNAME or the SSL_CLIENT_S_DN HTTP request
+ header field. The return value is the value of the last OU
+ component of that DN. Subject DNs used for MPuls installations
+ usually contain multuple OU fields with the last one describing the
+ institution the user works for.
+
+ If the value cannot be determined, which usually means that neither
+ of the header fields is set, the function returns None.
+ """
+
+ subject_dn = request.environ.get('MPULS_APPNAME')
+ if not subject_dn:
+ # MPULS_APPNAME not set or empty, fall back to older request
+ # header
+ log.info("HTTP-Header field MPULS_APPNAME not set or empty,"
+ " falling back to SSL_CLIENT_S_DN")
+ subject_dn = request.environ.get('SSL_CLIENT_S_DN')
+ if not subject_dn:
+ return None
+
+ for f in slashSplit(subject_dn)[::-1]:
+ field = f.split('=')
+ if field[0] == "OU":
+ return field[1]
+
+ log.info("Subject DN found, but it did not contain an OU field")
+ return None
+
+
+def get_kaname_from_config():
+ """Return the KA-name from the configuration"""
+ return config.get('mpuls.app.name')
+
+
def getKAName():
- kaname = ""
- # 1. Try to get app name from config.
- try:
- kaname = config.get('mpuls.app.name')
- if kaname is not None: return kaname
- except:
- log.error("Could not fetch KA-name from client certificate")
+ kaname = get_kaname_from_http_header()
- # 2. Try to get app name from http-header
- try:
- kaname = request.environ.get('MPULS_APPNAME')
- if kaname is not None and len(kaname) > 0:
- for f in slashSplit(kaname)[::-1]:
- field = f.split('=')
- # There are two OU. We want the one != WASKA
- # TODO: Fetching kaname is application specific!
- if field[0] == "OU" and field[1] != "WASKA":
- kaname = field[1]
- return kaname
- else: log.info("No appname defined in http-header file")
- except:
- log.exception("Could not get appbase name from http-headers")
+ if not kaname:
+ log.info("Could not determine KA-name from HTTP header,"
+ " falling back to config file")
+ kaname = get_kaname_from_config()
- # 3. Try to get the dbname from SSL_CLIENT_S_DN from client certificate
- # This code is obsolete and should not be executed. In current versions of
- # mpuls the dbname is located in the MPULS_APPNAME http-header.
- try:
- log.warning('Trying obsolete method to fetch appname from client certificates')
- for f in slashSplit(request.environ['SSL_CLIENT_S_DN'])[::-1]:
- field = f.split('=')
- # There are two OU. We want the one != WASKA
- if field[0] == "OU" and field[1] != "WASKA":
- kaname = field[1]
- except Exception, e:
- log.exception("Could not fetch KA-name from client certificate")
- raise
+ if not kaname:
+ log.info("Could not determine KA-Name from configuration file")
+ raise RuntimeError("Could not determine KA-name name")
+
return kaname
-
def get_db_parameters(dbagency, login, password, host, port, dbtemplate,
usertemplate):
"""Determine database connection parameters from user-specific information.