[Mpuls-commits] r3098 - in base/trunk: . mpulsweb/lib

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon Jun 28 12:50:02 CEST 2010


Author: bh
Date: 2010-06-28 12:50:01 +0200 (Mon, 28 Jun 2010)
New Revision: 3098

Modified:
   base/trunk/ChangeLog
   base/trunk/mpulsweb/lib/security.py
Log:
* mpulsweb/lib/security.py (getKAName): Refactor into several
functions.  Revert precedence to what it was before r2407,
analogous to the previous change to getDbName.  Values from the
SSL-certificates take precedence over the configuration again.
(get_kaname_from_http_header): New.  Contains the HTTP-Header
decoding part of getKAName().  The logic has changed a bit: the
value extracted from the DN is the value of the last OU field.
(get_kaname_from_config): New.  Contains the configuration based
part of getKAName().


Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog	2010-06-28 09:42:14 UTC (rev 3097)
+++ base/trunk/ChangeLog	2010-06-28 10:50:01 UTC (rev 3098)
@@ -1,5 +1,17 @@
 2010-06-28  Bernhard Herzog  <bh at intevation.de>
 
+	* mpulsweb/lib/security.py (getKAName): Refactor into several
+	functions.  Revert precedence to what it was before r2407,
+	analogous to the previous change to getDbName.  Values from the
+	SSL-certificates take precedence over the configuration again.
+	(get_kaname_from_http_header): New.  Contains the HTTP-Header
+	decoding part of getKAName().  The logic has changed a bit: the
+	value extracted from the DN is the value of the last OU field.
+	(get_kaname_from_config): New.  Contains the configuration based
+	part of getKAName().
+
+2010-06-28  Bernhard Herzog  <bh at intevation.de>
+
 	* mpulsweb/lib/security.py (getDbName): Refactor into several
 	functions.  Revert semantics back to the way they were before
 	r2407: The information from the SSL-client certificates takes

Modified: base/trunk/mpulsweb/lib/security.py
===================================================================
--- base/trunk/mpulsweb/lib/security.py	2010-06-28 09:42:14 UTC (rev 3097)
+++ base/trunk/mpulsweb/lib/security.py	2010-06-28 10:50:01 UTC (rev 3098)
@@ -282,47 +282,59 @@
     return NEW_DBS.get(dbname, dbname)
 
 
+def get_kaname_from_http_header():
+    """Return the KA-name given by HTTP-Header fields.
+
+    This function expects the Subject-DN from the SSL-client-certificate
+    in either the MPULS_APPNAME or the SSL_CLIENT_S_DN HTTP request
+    header field.  The return value is the value of the last OU
+    component of that DN.  Subject DNs used for MPuls installations
+    usually contain multuple OU fields with the last one describing the
+    institution the user works for.
+
+    If the value cannot be determined, which usually means that neither
+    of the header fields is set, the function returns None.
+    """
+
+    subject_dn = request.environ.get('MPULS_APPNAME')
+    if not subject_dn:
+        # MPULS_APPNAME not set or empty, fall back to older request
+        # header
+        log.info("HTTP-Header field MPULS_APPNAME not set or empty,"
+                 " falling back to SSL_CLIENT_S_DN")
+        subject_dn = request.environ.get('SSL_CLIENT_S_DN')
+    if not subject_dn:
+        return None
+
+    for f in slashSplit(subject_dn)[::-1]:
+        field = f.split('=')
+        if field[0] == "OU":
+            return field[1]
+
+    log.info("Subject DN found, but it did not contain an OU field")
+    return None
+
+
+def get_kaname_from_config():
+    """Return the KA-name from the configuration"""
+    return config.get('mpuls.app.name')
+
+
 def getKAName():
-    kaname = ""
-    # 1. Try to get app name from config.
-    try:
-        kaname = config.get('mpuls.app.name')
-        if kaname is not None: return kaname
-    except:
-        log.error("Could not fetch KA-name from client certificate")
+    kaname = get_kaname_from_http_header()
 
-    # 2. Try to get app name from http-header
-    try:
-        kaname = request.environ.get('MPULS_APPNAME')
-        if kaname is not None and len(kaname) > 0:
-            for f in slashSplit(kaname)[::-1]:
-                field = f.split('=')
-                # There are two OU. We want the one != WASKA
-                # TODO: Fetching kaname is application specific!
-                if field[0] == "OU" and field[1] != "WASKA":
-                    kaname = field[1]
-            return kaname
-        else: log.info("No appname defined in http-header file")
-    except:
-        log.exception("Could not get appbase name from http-headers")
+    if not kaname:
+        log.info("Could not determine KA-name from HTTP header,"
+                 " falling back to config file")
+        kaname = get_kaname_from_config()
 
-    # 3. Try to get the dbname from SSL_CLIENT_S_DN from client certificate 
-    # This code is obsolete and should not be executed. In current versions of
-    # mpuls the dbname is located in the MPULS_APPNAME http-header.
-    try:
-        log.warning('Trying obsolete method to fetch appname from client certificates')
-        for f in slashSplit(request.environ['SSL_CLIENT_S_DN'])[::-1]:
-            field = f.split('=')
-            # There are two OU. We want the one != WASKA
-            if field[0] == "OU" and field[1] != "WASKA":
-                kaname = field[1]
-    except Exception, e:
-        log.exception("Could not fetch KA-name from client certificate")
-        raise
+    if not kaname:
+        log.info("Could not determine KA-Name from configuration file")
+        raise RuntimeError("Could not determine KA-name name")
+
     return kaname
 
 
-
 def get_db_parameters(dbagency, login, password, host, port, dbtemplate,
                       usertemplate):
     """Determine database connection parameters from user-specific information.
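Review bot: In get_kaname_from_http_header, `field = f.split('=')` followed by `field[1]` silently truncates an OU value that itself contains `=` and raises IndexError on a DN component without one; `key, sep, value = f.partition('=')` with `if key == "OU" and sep: return value` handles both cases. The larger point is trust: the value chosen here selects the institution, and the new precedence takes whichever of MPULS_APPNAME or SSL_CLIENT_S_DN is present in request.environ ahead of the configuration, so this is only safe if the TLS-terminating front end sets those environ variables from the verified client certificate and never from a client-supplied request header — the docstring calls them "HTTP request header fields", which blurs that distinction. I would add `# NOTE: both variables must be populated by the front end from the verified client certificate, never copied from a client-supplied header.` above the first environ lookup. slashSplit is defined outside the hunk, so how it treats escaped separators in the DN cannot be checked here.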


