def test_authorisation(): key = PrivateKey() resource = uuid.uuid4() auth = Authorisation(resource=resource, testing_key=key) auth.verify(resource=resource, testing_key=key.public_key()) wrong_key = PrivateKey() with pytest.raises(PermissionError): auth.verify(resource=resource, testing_key=wrong_key.public_key()) wrong_resource = uuid.uuid4() with pytest.raises(PermissionError): auth.verify(resource=wrong_resource, testing_key=key.public_key()) data = auth.to_data() new_auth = Authorisation.from_data(data) new_auth.verify(resource=resource, testing_key=key.public_key()) with pytest.raises(PermissionError): new_auth.verify(resource=resource, testing_key=wrong_key.public_key()) with pytest.raises(PermissionError): new_auth.verify(resource=wrong_resource, testing_key=key.public_key())
def run(args): """This function is used to handle requests to access resources Args: args (dict): contains data for authorisation service Returns: dict: a dictionary containing the status of the authorisation and a status message """ status = 0 message = None request = None authorisation = None if "request" in args: request = Request.from_data(args["request"]) if "authorisation" in args: authorisation = Authorisation.from_data(args["authorisation"]) if request is None: status = 0 message = "No request" if authorisation is None: raise AuthorisationError( "You must provide a valid authorisation to make the request %s" % str(request)) authorisation.verify(request.signature())
def run(args): """Call this function to open and return a handle to the user's requested CloudDrive. This will create the drive (and the all intermediate drives) unless the user sets autocreate to false """ authorisation = Authorisation.from_data(args["authorisation"]) name = args["name"] try: autocreate = args["autocreate"] if autocreate is False: autocreate = False else: autocreate = True except: autocreate = True if autocreate and "aclrules" in args: aclrules = ACLRules.from_data(args["aclrules"]) else: aclrules = None drives = UserDrives(authorisation=authorisation) drive = drives.get_drive(name=name, aclrules=aclrules, autocreate=autocreate) return_value = {} return_value["drive"] = drive.to_data() return return_value
def from_data(data): """Return a DebitNote that has been extracted from the passed json-decoded dictionary Args: data (dict): Dictionary from which to create object Returns: DebitNote: Created from dictionary """ d = DebitNote() if (data and len(data) > 0): from Acquire.Accounting import Transaction as _Transaction from Acquire.Identity import Authorisation as _Authorisation from Acquire.ObjectStore import string_to_datetime \ as _string_to_datetime d._transaction = _Transaction.from_data(data["transaction"]) d._account_uid = data["account_uid"] d._authorisation = _Authorisation.from_data(data["authorisation"]) d._is_provisional = data["is_provisional"] d._datetime = _string_to_datetime(data["datetime"]) d._uid = data["uid"] if d._is_provisional: d._receipt_by = _string_to_datetime(data["receipt_by"]) return d
def run(args): """This function will allow the current user to authorise a logout from the current session - this will be authorised by signing the request to logout Args: args (dict): contains identifying information about the session Returns: dict: contains data on the success of the logout request """ session_uid = args["session_uid"] try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None try: signature = string_to_bytes(args["signature"]) except: signature = None login_session = LoginSession.load(uid=session_uid) login_session.set_logged_out(authorisation=authorisation, signature=signature)
def from_data(data): """ Create a request from a JSON object Args: data (str) : an object serialised as a JSON object Returns: FileWriteRequest: a FileWriteRequest object created from the JSON data """ if (data and len(data) > 0): from Acquire.Identity import Authorisation as _Authorisation f = FileWriteRequest() f._uid = data["uid"] f._destination_keys = data["destination_keys"] f._file_sizes = data["file_sizes"] f._checksums = data["checksums"] f._authorisation = _Authorisation.from_data(data["authorisation"]) f._account_uid = data["account_uid"] f._accounting_service_url = data["accounting_service_url"] f._from_data(data) return f else: return None
def from_data(data): """Return a Refund from the passed json-decoded dictionary""" r = Refund() if (data and len(data) > 0): r._credit_note = _CreditNote.from_data(data["credit_note"]) r._authorisation = _Authorisation.from_data(data["authorisation"]) return r
def from_data(data): """Return a Receipt from the passed json-decoded dictionary""" r = Receipt() if (data and len(data) > 0): r._credit_note = _CreditNote.from_data(data["credit_note"]) r._authorisation = _Authorisation.from_data(data["authorisation"]) r._receipted_value = _create_decimal(data["receipted_value"]) return r
def test_service(service_url, aaai_services): # get the public service from the default API frontend privkey = get_private_key("testing") response = call_function(service_url, response_key=privkey) service = Service.from_data(response["service_info"]) # also read the service from the object store directly push_testing_objstore(aaai_services["_services"][service_url]) push_is_running_service() private_service = get_this_service(need_private_access=True) pop_is_running_service() pop_testing_objstore() # create some test data that contain unicode characters for # testing encryption, signing and both encryption and signing data = {"hello": "'å∫ç∂ƒ©˙˚'", "key": privkey.public_key().to_data()} encrypted = service.encrypt_data(data) decrypted = private_service.decrypt_data(encrypted) assert(data == decrypted) signed = private_service.sign_data(data) verified = service.verify_data(signed) assert(data == verified) enc_sign = service.encrypt_data(private_service.sign_data(data)) dec_ver = service.verify_data(private_service.decrypt_data(enc_sign)) assert(data == dec_ver) service.call_function("admin/test") admin_user = aaai_services[service_url]["user"] auth = Authorisation(user=admin_user, resource="dump_keys %s" % service.uid()) service.call_function( function="dump_keys", args={"authorisation": auth.to_data()})
def run(args): """This function is called to handle requests for information about particular accounts Args: args (dict): data for account query Returns: dict: contains status, status message and details regarding the account including balance (if available), overdraft limit and a description of the account """ status = 0 message = None account = None balance_status = None try: account_name = str(args["account_name"]) except: account_name = None try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None if account_name is None: raise AccountError("You must supply the account_name") if authorisation is None: raise AccountError("You must supply a valid authorisation") # load the account bucket = get_service_account_bucket() accounts = Accounts(user_guid=authorisation.user_guid()) account = accounts.get_account(account_name, bucket=bucket) # validate the authorisation for this account authorisation.verify(resource="get_info %s" % account.uid()) balance = account.balance() return_value = {} return_value["description"] = account.description() return_value["overdraft_limit"] = str(account.get_overdraft_limit()) return_value["balance"] = balance.to_data() return return_value
def from_data(data): f = FileWriteRequest() if (data and len(data) > 0): f._uid = data["uid"] f._destination_keys = data["destination_keys"] f._file_sizes = data["file_sizes"] f._checksums = data["checksums"] f._authorisation = _Authorisation.from_data(data["authorisation"]) f._account_uid = data["account_uid"] f._accounting_service_url = data["accounting_service_url"] return f
def perform_transaction(key, result): delta1 = zero delta2 = zero # need to work with thread-local copies of the accounts my_account1 = Account(uid=account1.uid()) my_account2 = Account(uid=account2.uid()) for i in range(0, 10): transaction = Transaction(value=create_decimal(random.random()), description="Transaction %d" % i) if random.randint(0, 1): auth = Authorisation( resource=transaction.fingerprint(), testing_key=testing_key, testing_user_guid=my_account1.group_name()) Ledger.perform(transaction=transaction, debit_account=my_account1, credit_account=my_account2, authorisation=auth) delta1 -= transaction.value() delta2 += transaction.value() else: auth = Authorisation( resource=transaction.fingerprint(), testing_key=testing_key, testing_user_guid=my_account2.group_name()) Ledger.perform(transaction=transaction, debit_account=my_account2, credit_account=my_account1, authorisation=auth) delta1 += transaction.value() delta2 -= transaction.value() with rlock: result[key] = (delta1, delta2)
def run(args): """This function is called to handle requests for information about particular accounts """ status = 0 message = None account = None balance_status = None try: account_name = str(args["account_name"]) except: account_name = None try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None if account_name is None: raise AccountError("You must supply the account_name") if authorisation is None: raise AccountError("You must supply a valid authorisation") # load the account bucket = login_to_service_account() account = Accounts(authorisation.user_uid()).get_account(account_name, bucket=bucket) # validate the authorisation for this account authorisation.verify(resource=account.uid()) balance_status = account.balance_status(bucket=bucket) status = 0 message = "Success" return_value = create_return_value(status, message) if account: return_value["description"] = account.description() return_value["overdraft_limit"] = str(account.get_overdraft_limit()) if balance_status: for key in balance_status.keys(): return_value[key] = str(balance_status[key]) return return_value
def from_data(data): """Return a LineItem constructed from the json-decoded dictionary""" l = LineItem() if (data and len(data) > 0): l._uid = data["uid"] if "authorisation" in data: l._authorisation = _Authorisation.from_data( data["authorisation"]) else: l._authorisation = None return l
def run(args): """This function is called to handle creating accounts for users""" status = 0 message = None account_uid = None try: account_name = args["account_name"] except: account_name = None try: description = args["description"] except: description = None try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None if account_name is None or description is None \ or authorisation is None: raise CreateAccountError("You must supply both an account name " "and a description to create an account") if not isinstance(authorisation, Authorisation): raise TypeError("The passed authorisation must be of type " "Authorisation") authorisation.verify() # try to create a 'main' account for this user accounts = Accounts(authorisation.user_uid()) account = accounts.create_account(name=account_name, description=description) account_uid = account.uid() status = 0 message = "Success" return_value = create_return_value(status, message) if account_uid: return_value["account_uid"] = account_uid return return_value
def from_data(data): """Return a DebitNote that has been extracted from the passed json-decoded dictionary """ d = DebitNote() if (data and len(data) > 0): d._transaction = _Transaction.from_data(data["transaction"]) d._account_uid = data["account_uid"] d._authorisation = _Authorisation.from_data(data["authorisation"]) d._is_provisional = data["is_provisional"] d._timestamp = data["timestamp"] d._uid = data["uid"] return d
def run(args): """This function is used to handle requests to run compute jobs using the system. This will be passed in the RunRequest with a valid authorisation and also a Cheque to pay for the calculation. This will return the UID of the running job plus the location to which the output will be written """ request = None authorisation = None cheque = None if "request" in args: request = RunRequest.from_data(args["request"]) if "authorisation" in args: authorisation = Authorisation.from_data(args["authorisation"]) if "cheque" in args: cheque = Cheque.from_data(args["cheque"]) if request is None: return if authorisation is None: raise AuthorisationError( "You must provide a valid authorisation to make the request %s" % str(request)) if cheque is None: raise AuthorisationError( "You must provide a valid cheque to pay for the request %s" % str(request)) # create a job sheet to record all stages of the job worksheet = WorkSheet(request=request, authorisation=authorisation) # submit the job, recording everything necessary to the JobSheet worksheet.execute(cheque=cheque) # Return to the user the UID of the job and also the location # to which all output from the job is being written return {"uid": worksheet.uid(), "output": worksheet.output_location().to_string()}
def from_data(data): """Return a Refund from the passed JSON-decoded dictionary Args: dict: JSON-decoded dictionary Returns: Refund: Refund object created from JSON """ r = Refund() if (data and len(data) > 0): from Acquire.Accounting import CreditNote as _CreditNote from Acquire.Identity import Authorisation as _Authorisation r._credit_note = _CreditNote.from_data(data["credit_note"]) r._authorisation = _Authorisation.from_data(data["authorisation"]) return r
def from_data(data): """Return a Receipt from the passed JSON-decoded dictionary Args: data (dict): JSON dictionary to create object Returns: Receipt: Receipt created from JSON """ r = Receipt() if (data and len(data) > 0): from Acquire.Accounting import CreditNote as _CreditNote from Acquire.Accounting import create_decimal as _create_decimal from Acquire.Identity import Authorisation as _Authorisation r._credit_note = _CreditNote.from_data(data["credit_note"]) r._authorisation = _Authorisation.from_data(data["authorisation"]) r._receipted_value = _create_decimal(data["receipted_value"]) return r
def from_data(data): """Return a WorkSheet constructed from the passed JSON-deserialised dictionary """ if data is None or len(data) == 0: return j = WorkSheet() from Acquire.Access import RunRequest as _RunRequest from Acquire.Client import Authorisation as _Authorisation from Acquire.Client import Location as _Location from Acquire.Client import Cheque as _Cheque from Acquire.Accounting import CreditNote as _CreditNote from Acquire.ObjectStore import string_to_list \ as _string_to_list j._uid = str(data["uid"]) if "request" in data: j._request = _RunRequest.from_data(data["request"]) if "authorisation" in data: j._authorisation = _Authorisation.from_data(data["authorisation"]) if "credit_notes" in data: j._credit_notes = _string_to_list(data["credit_notes"], _CreditNote) j._status = data["status"] if "output_location" in data: j._output_loc = _Location.from_string(data["output_location"]) if "compute_cheque" in data: j._compute_cheque = _Cheque.from_data(data["compute_cheque"]) if "storage_cheque" in data: j._storage_cheque = _Cheque.from_data(data["storage_cheque"]) return j
def run(args): """Call this function to return a list of DriveMetas for the top-level drives accessible to the authorising user, or the list of DriveMetas contained in the drive with passed UID """ authorisation = Authorisation.from_data(args["authorisation"]) drives = UserDrives(authorisation=authorisation) try: drive_uid = args["drive_uid"] except: drive_uid = None return_value = {} return_value["drives"] = list_to_string( drives.list_drives(drive_uid=drive_uid)) return return_value
def test_accounts(bucket): for user_guid in [None, "chris@something", "ƒ˚®ø©∆∂µ@¨^ø¨^ø"]: if user_guid is None: accounts = Accounts(group=user_guid, aclrules=ACLRules.owner(user_guid=None)) else: accounts = Accounts(user_guid=user_guid) account_names = [ "new account", "chris's checking account", "å∫ç∂´® account" ] created_accounts = {} testing_key = get_private_key("testing") for name in account_names: authorisation = Authorisation(resource="create_account %s" % name, testing_key=testing_key, testing_user_guid=user_guid) account = accounts.create_account(name, description="Account: %s" % name, bucket=bucket, authorisation=authorisation) assert (name == account.name()) created_accounts[name] = account names = accounts.list_accounts() for name in account_names: assert (name in names) for name in account_names: account = accounts.get_account(name, bucket=bucket) assert (name == account.name()) assert (account == created_accounts[name])
def run(args): """Call this function to force the service to regenerate its keys Args: args (dict): contains authorisaton details for key refresh """ try: authorisation = Authorisation.from_data(args["authorisation"]) except: raise PermissionError("Only an authorised admin can dump the keys") service = get_this_service(need_private_access=True) service.assert_admin_authorised(authorisation, "refresh_keys %s" % service.uid()) service = refresh_service_keys_and_certs(service=service, force_refresh=True) return_value = {} return_value["service_info"] = service.to_data() return return_value
def run(args): """This function return the status and service info Args: args (dict): containing data on the service we want to trust Returns: dict: containing status, status message and passed in args """ try: service_url = args["service_url"] except: service_url = None try: public_cert = PublicKey.from_data(args["public_certificate"]) except: public_cert = None try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None if service_url is not None: service = get_checked_remote_service(service_url, public_cert) else: service = None if service is not None: trust_service(service, authorisation) return_value = {} return_value["args"] = args return return_value
def run(args): """Call this function to trust the passed accounting service, specifically to trust that we can move money using that service. Args: args(dict): containing data on the service we want to trust Returns: dict: containing status, status message and passed in args """ service_url = args["service_url"] authorisation = Authorisation.from_data(args["authorisation"]) accounting_service = get_trusted_service(service_url=service_url) if not accounting_service.is_accounting_service(): raise ServiceAccountError( "%s is not an accounting service, so should not be " "trusted as one" % str(accounting_service)) service = get_this_service(need_private_access=True) service.assert_admin_authorised( authorisation, "trust_accounting_service %s" % accounting_service.uid()) url = accounting_service.canonical_url() create_service_user_account(service=service, accounting_service_url=url) return_value = {} return_value["args"] = args return return_value
def perform_transaction(key, result): delta1 = zero delta2 = zero auth = Authorisation() # need to work with thread-local copies of the accounts my_account1 = Account(uid=account1.uid()) my_account2 = Account(uid=account2.uid()) for i in range(0, 5): transaction = Transaction(value=create_decimal(random.random()), description="Transaction %d" % i) if random.randint(0, 1): Ledger.perform(transaction, my_account1, my_account2, auth) delta1 -= transaction.value() delta2 += transaction.value() else: Ledger.perform(transaction, my_account2, my_account1, auth) delta1 += transaction.value() delta2 -= transaction.value() with rlock: result[key] = (delta1, delta2)
def test_login(username, password, aaai_services, tmpdir): # register the new user result = User.register(username=username, password=password, identity_url="identity") assert(type(result) is dict) otpsecret = result["otpsecret"] otp = OTP(otpsecret) user = User(username=username, identity_url="identity", auto_logout=False) result = user.request_login() assert(type(result) is dict) login_url = result["login_url"] print(login_url) wallet = Wallet() wallet.send_password(url=login_url, username=username, password=password, otpcode=otp.generate(), remember_password=True) user.wait_for_login() assert(user.is_logged_in()) auth = Authorisation(user=user, resource="test") auth.verify("test") user.logout() # now try to log in, using the remembered password user = User(username=username, identity_url="identity", auto_logout=False) result = user.request_login() login_url = result["login_url"] # the test has to specify the username as we can't choose... wallet.send_password(url=login_url, username=username, otpcode=otp.generate(), remember_device=True) user.wait_for_login() assert(user.is_logged_in()) auth = Authorisation(user=user, resource="test") auth.verify("test") user.logout() # now see if the wallet can send all login info # now try to log in, using the remembered password user = User(username=username, identity_url="identity", auto_logout=False) result = user.request_login() login_url = result["login_url"] # the test has to specify the username as we can't choose... wallet.send_password(url=login_url, username=username) user.wait_for_login() assert(user.is_logged_in()) auth = Authorisation(user=user, resource="test") auth.verify("test") user.logout()
def run(args): """Call this function to initiate the two-step file-upload process. Step 1: upload - tells the service that a file of specific size and checksum will be uploaded. This gives the service the chance to decide whether this will be allowed. If the file is small, and was thus included in the FileHandle, then it is uploaded immediately and the operation completes. If the file is large, then we now returns a OSPar that can be used for this upload (Step 2) Step 2: after the user has used the OSPar to upload the file, they should call OSPar.close() to notify the service that the file has been successfully uploaded. This will verify that the file has been uploaded correctly, will receipt the storage cost and will delete the OSPar """ filehandle = FileHandle.from_data(args["filehandle"]) try: authorisation = Authorisation.from_data(args["authorisation"]) except: authorisation = None try: par_uid = args["par_uid"] except: par_uid = None try: secret = args["secret"] except: secret = None try: public_key = PublicKey.from_data(args["encryption_key"]) except: public_key = None if par_uid is not None: registry = PARRegistry() (par, identifiers) = registry.load(par_uid=par_uid, secret=secret) else: par = None identifiers = None drive_uid = filehandle.drive_uid() drive = DriveInfo(drive_uid=drive_uid) return_value = {} (filemeta, par) = drive.upload(filehandle=filehandle, authorisation=authorisation, encrypt_key=public_key, par=par, identifiers=identifiers) if filemeta is not None: return_value["filemeta"] = filemeta.to_data() if par is not None: return_value["upload_par"] = par.to_data() return return_value
def aaai_services(tmpdir_factory): """This function creates mocked versions of all of the main services of the system, returning the json describing each service as a dictionary (which is passed to the test functions as the fixture) """ from Acquire.Identity import Authorisation from Acquire.Crypto import PrivateKey, OTP from Acquire.Service import call_function, Service _services = {} _services["registry"] = tmpdir_factory.mktemp("registry") _services["identity"] = tmpdir_factory.mktemp("identity") _services["accounting"] = tmpdir_factory.mktemp("accounting") _services["access"] = tmpdir_factory.mktemp("access") _services["storage"] = tmpdir_factory.mktemp("storage") _services["userdata"] = tmpdir_factory.mktemp("userdata") _services["compute"] = tmpdir_factory.mktemp("compute") _services["hugs"] = tmpdir_factory.mktemp("hugs") wallet_dir = tmpdir_factory.mktemp("wallet") wallet_password = PrivateKey.random_passphrase() _set_services(_services, wallet_dir, wallet_password) password = PrivateKey.random_passphrase() args = {"password": password} responses = {} os.environ["SERVICE_PASSWORD"] = "******" os.environ["STORAGE_COMPARTMENT"] = str(_services["userdata"]) args["canonical_url"] = "registry" args["service_type"] = "registry" args["registry_uid"] = "Z9-Z9" # UID of testing registry response = call_function("registry", function="admin/setup", args=args) registry_service = Service.from_data(response["service"]) registry_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) registry_user = _login_admin("registry", "admin", password, registry_otp) responses["registry"] = { "service": registry_service, "user": registry_user, "response": response, } assert registry_service.registry_uid() == registry_service.uid() service_uids = [registry_service.uid()] args["canonical_url"] = "identity" args["service_type"] = "identity" response = call_function("identity", function="admin/setup", args=args) identity_service = Service.from_data(response["service"]) identity_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) identity_user = _login_admin("identity", "admin", password, identity_otp) responses["identity"] = { "service": identity_service, "user": identity_user, "response": response, } assert identity_service.registry_uid() == registry_service.uid() assert identity_service.uid() not in service_uids service_uids.append(identity_service.uid()) args["canonical_url"] = "accounting" args["service_type"] = "accounting" response = call_function("accounting", function="admin/setup", args=args) accounting_service = Service.from_data(response["service"]) accounting_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) accounting_user = _login_admin("accounting", "admin", password, accounting_otp) responses["accounting"] = { "service": accounting_service, "user": accounting_user, "response": response, } assert accounting_service.registry_uid() == registry_service.uid() assert accounting_service.uid() not in service_uids service_uids.append(accounting_service.uid()) args["canonical_url"] = "access" args["service_type"] = "access" response = call_function("access", function="admin/setup", args=args) responses["access"] = response access_service = Service.from_data(response["service"]) access_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) access_user = _login_admin("access", "admin", password, access_otp) responses["access"] = { "service": access_service, "user": access_user, "response": response, } assert access_service.registry_uid() == registry_service.uid() assert access_service.uid() not in service_uids service_uids.append(access_service.uid()) args["canonical_url"] = "compute" args["service_type"] = "compute" response = call_function("compute", function="admin/setup", args=args) responses["compute"] = response compute_service = Service.from_data(response["service"]) compute_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) compute_user = _login_admin("compute", "admin", password, compute_otp) responses["compute"] = { "service": compute_service, "user": compute_user, "response": response, } assert compute_service.registry_uid() == registry_service.uid() assert compute_service.uid() not in service_uids service_uids.append(compute_service.uid()) args["canonical_url"] = "storage" args["service_type"] = "storage" response = call_function("storage", function="admin/setup", args=args) storage_service = Service.from_data(response["service"]) storage_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) storage_user = _login_admin("storage", "admin", password, storage_otp) responses["storage"] = { "service": storage_service, "user": storage_user, "response": response, } assert storage_service.registry_uid() == registry_service.uid() assert storage_service.uid() not in service_uids service_uids.append(storage_service.uid()) args["canonical_url"] = "hugs" args["service_type"] = "hugs" response = call_function("hugs", function="admin/setup", args=args) responses["hugs"] = response hugs_service = Service.from_data(response["service"]) hugs_otp = OTP(OTP.extract_secret(response["provisioning_uri"])) hugs_user = _login_admin("hugs", "admin", password, hugs_otp) responses["hugs"] = { "service": hugs_service, "user": hugs_user, "response": response, } resource = "trust_accounting_service %s" % accounting_service.uid() args = { "service_url": accounting_service.canonical_url(), "authorisation": Authorisation(user=access_user, resource=resource).to_data(), } access_service.call_function(function="admin/trust_accounting_service", args=args) responses["_services"] = _services return responses
def read(self, spend, resource, receipt_by): """Read the cheque - this will read the cheque to return the decrypted contents. This will only work if this function is called on the accounting service that will cash the cheque, if the signature on the cheque matches the service that is authorised to cash the cheque, and if the passed resource matches the resource encoded in the cheque. If this is all correct, then the returned dictionary will contain; {"recipient_url": The URL of the service which was sent the cheque, "recipient_key_fingerprint": Verified fingerprint of the service key that signed this cheque "spend": The amount authorised by this cheque, "uid": The unique ID for this cheque, "resource": String that identifies the resource this cheque will be used to pay for, "account_uid": UID of the account from which funds will be drawn "authorisation" : Verified authorisation from the user who says they own the account for the spend "receipt_by" : Time when we must receipt the cheque, or we will lose the money } You must pass in the spend you want to draw from the cheque, a string representing the resource this cheque will be used to pay for, and the time by which you promise to receipt the cheque after cashing Args: spend (Decimal): Amount authorised by cheque resource (str): Resource to pay for receipt_by (datetime): Time cheque must be receipted by Returns: dict: Dictionary described above """ if self._cheque is None: raise PaymentError("You cannot read a null cheque") from Acquire.ObjectStore import string_to_decimal \ as _string_to_decimal from Acquire.ObjectStore import string_to_datetime \ as _string_to_datetime from Acquire.ObjectStore import datetime_to_string \ as _datetime_to_string from Acquire.Service import get_this_service as _get_this_service spend = _string_to_decimal(spend) resource = str(resource) receipt_by = _string_to_datetime(receipt_by) service = _get_this_service(need_private_access=True) # get the cheque data - this may have been signed try: cheque_data = _json.loads(self._cheque["signed_data"]) except: cheque_data = self._cheque # decrypt the cheque's data - only possible on the accounting service cheque_data = service.decrypt_data(cheque_data) # the date comprises the user-authorisation that acts as a # signature that the user wrote this cheque, and the info # for the cheque to say how it is valid from Acquire.Identity import Authorisation as _Authorisation auth = _Authorisation.from_data(cheque_data["authorisation"]) info = cheque_data["info"] # the json.dumps version is the resource used to verify # the above authorisation auth_resource = info # validate that the user authorised this cheque try: auth.verify(resource=info) except Exception as e: raise PaymentError( "The user's signature/authorisation for this cheque " "is not valid! ERROR: %s" % str(e)) info = _json.loads(info) # the user signed this cheque :-) info["authorisation"] = auth # check the signature if one was needed try: recipient_url = info["recipient_url"] except: recipient_url = None if recipient_url: # the recipient was specified - verify that we trust # the recipient, and that they have signed the cheque recipient_service = service.get_trusted_service( service_url=recipient_url) recipient_service.verify_data(self._cheque) info["recipient_key_fingerprint"] = self._cheque["fingerprint"] # validate that the item signature is correct try: cheque_resource = info["resource"] except: cheque_resource = None if cheque_resource is not None: if resource != resource: raise PaymentError( "Disagreement over the resource for which " "this cheque has been signed") info["resource"] = resource info["auth_resource"] = auth_resource try: max_spend = info["max_spend"] del info["max_spend"] except: max_spend = None if max_spend is not None: max_spend = _string_to_decimal(max_spend) if max_spend < spend: raise PaymentError( "The requested spend (%s) exceeds the authorised " "maximum value of the cheque" % (spend)) info["spend"] = spend try: expiry_date = info["expiry_date"] del expiry_date["expiry_date"] except: expiry_date = None if expiry_date is not None: expiry_date = _string_to_datetime(expiry_date) # validate that the cheque will not have expired # when we receipt it from Acquire.ObjectStore import get_datetime_now \ as _get_datetime_now now = _get_datetime_now() if now > receipt_by: raise PaymentError( "The time when you promised to receipt the cheque " "has already passed!") if receipt_by > expiry_date: raise PaymentError( "The cheque will have expired after you plan to " "receipt it!: %s versus %s" % (_datetime_to_string(receipt_by), _datetime_to_string(expiry_date))) info["receipt_by"] = receipt_by return info