def GetSelfCredential(certificate, xnr, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
origin_hrn = Certificate(string=cert).get_subject()
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
if hasattr (obj,'filename'):
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def GetSelfCredential(certificate, xnr, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
origin_hrn = Certificate(string=cert).get_subject()
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
if hasattr (obj,'filename'):
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def call(self, cert, xrn, type):
"""
GetSelfCredential a degenerate version of GetCredential used by a client
to get his initial credential when de doesnt have one. This is the same as
GetCredential(..., cred = None, ...)
The registry ensures that the client is the principal that is named by
(type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
it is impossible for one principal to retrieve another principal's
credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
@return string representation of a credential object
"""
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_belongs_to_me(hrn)
origin_hrn = Certificate(string=cert).get_subject()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
if hasattr (obj,'filename'):
self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def update_cert_records(gids):
"""
Make sure there is a record in the registry for the specified gids.
Removes old records from the db.
"""
# import db stuff here here so this module can be loaded by PlcComponentApi
from sfa.storage.alchemy import global_dbsession
from sfa.storage.model import RegRecord
dbsession = global_dbsession
if not gids:
return
# get records that actually exist in the db
gid_urns = [gid.get_urn() for gid in gids]
hrns_expected = [gid.get_hrn() for gid in gids]
records_found = dbsession.query(RegRecord).\
filter_by(pointer=-1).filter(RegRecord.hrn.in_(hrns_expected)).all()
# remove old records
for record in records_found:
if record.hrn not in hrns_expected and \
record.hrn != self.api.config.SFA_INTERFACE_HRN:
dbsession.delete(record)
# TODO: store urn in the db so we do this in 1 query
for gid in gids:
hrn, type = gid.get_hrn(), gid.get_type()
record = dbsession.query(RegRecord).filter_by(hrn=hrn,
type=type,
pointer=-1).first()
if not record:
record = RegRecord(
dict={
'type': type,
'hrn': hrn,
'authority': get_authority(hrn),
'gid': gid.save_to_string(save_parents=True),
})
dbsession.add(record)
dbsession.commit()
def call(self, cert, xrn, type):
"""
GetSelfCredential a degenerate version of GetCredential used by a client
to get his initial credential when de doesnt have one. This is the same as
GetCredential(..., cred = None, ...)
The registry ensures that the client is the principal that is named by
(type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
it is impossible for one principal to retrieve another principal's
credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
@return string representation of a credential object
"""
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_belongs_to_me(hrn)
origin_hrn = Certificate(string=cert).get_subject()
self.api.logger.info(
"interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" %
(self.api.interface, origin_hrn, hrn, self.name))
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord(dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj, name) in [
(certificate, "CERT"),
(gid, "GID"),
]:
self.api.logger.debug(
"ConnectionKeyGIDMismatch, %s pubkey: %s" %
(name, obj.get_pubkey().get_pubkey_string()))
self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s" %
(name, obj.dump_string()))
if hasattr(obj, 'filename'):
self.api.logger.debug(
"ConnectionKeyGIDMismatch, %s filename: %s" %
(name, obj.filename))
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)
def testCreate(self):
r = RegRecord(type='authority', hrn='foo.bar')
