def __init__(self):
    """
    Resolve the plugins this manager needs, register its unique keys and load
    the member-authority (MA) certificate and private key from disk.

    Directories come from the ``delegatetools.trusted_cert_path``,
    ``delegatetools.trusted_cert_keys_path`` and ``delegatetools.trusted_crl_path``
    config entries.  The PEM strings are parsed into pyOpenSSL objects and kept
    on the instance; the CRL path is derived from the hostname found in the MA
    certificate.
    """
    super(OMemberAuthorityResourceManager, self).__init__()
    self._resource_manager_tools = pm.getService('resourcemanagertools')
    self._delegate_tools = pm.getService('delegatetools')
    self._set_unique_keys()

    config = pm.getService("config")
    cert_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    key_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
    crl_dir = expand_eisoil_path(config.get("delegatetools.trusted_crl_path"))

    read = self._resource_manager_tools.read_file
    self._ma_cert_str = read(cert_dir + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
    # The private key stays in memory for the lifetime of this manager.
    self._ma_cert_key_str = read(key_dir + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)

    self._hostname = self._resource_manager_tools.get_hostname(self._ma_cert_str)
    self._ma_crl_path = crl_dir + '/' + self._hostname + '.authority.ma'

    self.gfed_ex = pm.getService('apiexceptionsv2')
    self._urn = self.urn()
    self._cert_revoke_reasons = crypto.Revoked().all_reasons()
    self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
    self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
def __init__(self):
    """
    Resolve the plugins this manager needs, register its unique keys and read
    the slice-authority (SA) certificate and private key from disk.

    The certificate and key directories come from the
    ``delegatetools.trusted_cert_path`` / ``delegatetools.trusted_cert_keys_path``
    config entries; the SA hostname is extracted from the loaded certificate.
    """
    super(OSliceAuthorityResourceManager, self).__init__()
    self._resource_manager_tools = pm.getService('resourcemanagertools')
    self._set_unique_keys()

    config = pm.getService("config")
    cert_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    key_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))

    read = self._resource_manager_tools.read_file
    self._sa_c = read(cert_dir + '/' + OSliceAuthorityResourceManager.SA_CERT_FILE)
    # Private key material, kept as a PEM string on the instance.
    self._sa_pr = read(key_dir + '/' + OSliceAuthorityResourceManager.SA_KEY_FILE)

    self._hostname = self._resource_manager_tools.get_hostname(self._sa_c)
    self._delegate_tools = pm.getService('delegatetools')
    self.gfed_ex = pm.getService('apiexceptionsv2')
def __init__(self):
    """
    Set up the slice-authority (SA) resource manager.

    Fetches the plugins used by the other methods, sets the unique keys and
    loads the SA certificate and private key from the directories named by
    ``delegatetools.trusted_cert_path`` and ``delegatetools.trusted_cert_keys_path``.
    """
    super(OSliceAuthorityResourceManager, self).__init__()
    self._resource_manager_tools = pm.getService("resourcemanagertools")
    self._set_unique_keys()

    config = pm.getService("config")
    cert_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
                 + "/" + OSliceAuthorityResourceManager.SA_CERT_FILE)
    key_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
                + "/" + OSliceAuthorityResourceManager.SA_KEY_FILE)

    self._sa_c = self._resource_manager_tools.read_file(cert_file)
    # Private key material, kept as a PEM string on the instance.
    self._sa_pr = self._resource_manager_tools.read_file(key_file)

    self._hostname = self._resource_manager_tools.get_hostname(self._sa_c)
    self._delegate_tools = pm.getService("delegatetools")
    self.gfed_ex = pm.getService("apiexceptionsv2")
def __init__(self):
    """
    Set up the member-authority (MA) resource manager.

    Fetches the plugins used by the other methods, sets the unique keys, loads
    the MA certificate and private key (parsed into pyOpenSSL objects) and
    derives the CRL file path from the hostname in the MA certificate.
    """
    super(OMemberAuthorityResourceManager, self).__init__()
    self._resource_manager_tools = pm.getService('resourcemanagertools')
    self._set_unique_keys()

    config = pm.getService("config")
    cert_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
                 + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
    key_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
                + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)

    self._ma_cert_str = self._resource_manager_tools.read_file(cert_file)
    # Private key material, kept both as PEM text and as a parsed key object.
    self._ma_cert_key_str = self._resource_manager_tools.read_file(key_file)
    self._hostname = self._resource_manager_tools.get_hostname(self._ma_cert_str)

    crl_dir = expand_eisoil_path(config.get("delegatetools.trusted_crl_path"))
    self._ma_crl_path = crl_dir + '/' + self._hostname + '.authority.ma'

    self.gfed_ex = pm.getService('apiexceptionsv2')
    self._urn = self.urn()
    self._cert_revoke_reasons = crypto.Revoked().all_reasons()
    self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
    self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
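def __init__(self):
    """
    Resolve config/plugins and, when federation peers are configured, start
    the daemon thread that synchronizes trusted root certificates.

    Side effects:
        * sets ``os.environ['RELOADED']`` on the first (pre-reloader) pass so
          the thread is only started once, in the reloaded process;
        * starts a daemon ``threading.Thread`` running ``self.synch_certs``.
    """
    super(SynchRootCerts, self).__init__()
    config = pm.getService("config")
    self._trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    self._ch_cert_file = os.path.join(self._trusted_cert_path, SynchRootCerts.CH_CERT_FILE)
    self._ch_cert_key_file = os.path.join(
        expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path")),
        SynchRootCerts.CH_KEY_FILE)
    self._delegate_tools = pm.getService('delegatetools')
    self._trusted_peers = self._delegate_tools.get_registry()["TRUSTED_PEERS"]

    # No need to run the daemon thread if there are no federating islands.
    # A single entry whose host_ip is 0.0.0.0 is treated as the "unset" placeholder.
    if not self._trusted_peers or (
            len(self._trusted_peers) == 1 and self._trusted_peers[0]['host_ip'] == '0.0.0.0'):
        logger.info('No valid entries for trusted peers. Daemon thread for synchronizing trusted certs will not start.')
        return

    # Avoid running the daemon thread in the parent process before the reloader.
    # (Was ``e is '0'``: identity comparison against a str literal only works
    # through CPython interning; compare by value.)
    if os.environ.get('RELOADED', '0') == '0':
        os.environ['RELOADED'] = '1'
        return

    # NOTE(review): synch_certs writes into the trusted-cert store; what it
    # accepts from peers is decided outside this block and should be reviewed there.
    th = threading.Thread(target=self.synch_certs)
    th.daemon = True
    th.start()
    logger.info('Daemon thread for synchronizing trusted certs started.')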
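def runServer(self):
    """
    Start the HTTP(S) server.

    Reads the ``flask.*`` settings from the config plugin.  With ``flask.fcgi``
    set, the app is served through flup's FastCGI ``WSGIServer``.  Otherwise
    werkzeug's development server is started by hand (a copy of flask's
    ``app.run`` / werkzeug's ``run_simple`` path) so that the TLS context can
    be adjusted: the CH certificate and key are loaded from
    ``delegatetools.trusted_cert_path`` / ``delegatetools.trusted_cert_keys_path``
    and, when ``flask.force_client_cert`` is set, a client certificate is
    demanded on every connection.

    Exits the process if the certificate or key cannot be loaded.
    """
    config = pm.getService("config")
    cFCGI = config.get("flask.fcgi")
    host = config.get("flask.bind")
    app_port = config.get("flask.app_port")
    fcgi_port = config.get("flask.fcgi_port")
    must_have_client_cert = config.get("flask.force_client_cert")

    if cFCGI:
        logger.info("registering fcgi server at %s:%i", host, fcgi_port)
        from flup.server.fcgi import WSGIServer
        WSGIServer(self._app, bindAddress=(host, fcgi_port)).run()
        return

    logger.info("registering app server at %s:%i", host, app_port)
    # Done by hand instead of ``self._app.run(..., ssl_context='adhoc', ...)`` so
    # the SSL context can be tuned; see flask's app.run and werkzeug's run_simple.
    # The werkzeug DebuggedApplication is deliberately not wrapped around the app:
    # with evalex it exposes an interactive Python console to anyone who can
    # trigger an exception.
    try:
        import socket

        cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
        cert_key_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
        context = SSL.Context(SSL.SSLv23_METHOD)
        # SSLv23_METHOD negotiates any protocol version; refuse the broken SSLv2/SSLv3.
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context_crt = os.path.join(cert_path, "ch-cert.pem")
        context_key = os.path.join(cert_key_path, "ch-key.pem")
        try:
            context.use_certificate_file(context_crt)
            context.use_privatekey_file(context_key)
        except Exception as e:
            logger.critical("error starting flask server. Cert or key is missing under %s", cert_path)
            sys.exit(e)

        def inner():
            server = serving.make_server(host, app_port, self._app, False, 1,
                                         ClientCertHTTPRequestHandler, False,
                                         ssl_context=context)
            if must_have_client_cert:
                # The verify callback accepts every presented certificate: this
                # only forces the client to *present* one so the request handler
                # can read it.  Chain validation against the trusted roots does
                # NOT happen here and must be done in the application layer.
                server.ssl_context.set_verify(
                    SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                    lambda conn, cert, errnum, depth, ok: True)
            server.serve_forever()

        # Fail early, before the reloader forks, if the port cannot be bound.
        address_family = serving.select_ip_version(host, app_port)
        test_socket = socket.socket(address_family, socket.SOCK_STREAM)
        test_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        test_socket.bind((host, app_port))
        test_socket.close()
        serving.run_with_reloader(inner, None, 1)
    finally:
        self._app._got_first_request = False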
def __init__(self):
    """
    Load the JSON configuration files and merge the default field names with
    the supplementary fields into one combined list.

    Also caches the expanded trusted-certificate and CRL directories (each
    with a trailing '/') taken from the ``delegatetools.*`` config entries.
    """
    # Static configuration and settings loaded from JSON (config.json, defaults.json).
    self.STATIC = {}
    self._load_files()
    self._combine_fields()

    config = pm.getService("config")
    cert_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    crl_dir = expand_eisoil_path(config.get("delegatetools.trusted_crl_path"))
    self.TRUSTED_CERT_PATH = cert_dir + '/'
    self.TRUSTED_CRL_PATH = crl_dir + '/'
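def all_trusted_certs(self):
    """
    Return all trusted certificates as PEM strings.

    The result is the registry's ``TRUST_ROOTS`` (registry.json) with the
    magic markers ``INFER_SAs`` / ``INFER_MAs`` replaced by the
    ``SERVICE_CERT`` of every known slice / member authority, followed by the
    contents of every regular file under ``delegatetools.trusted_cert_path``.

    Returns:
        list of str: certificates, registry entries first, then directory files.
    """
    # Work on a copy: if get_registry() hands out its own list, removing the
    # markers and appending file contents must not alter it for later callers.
    certs = list(self._delegate_tools.get_registry()["TRUST_ROOTS"])

    # TODO: substitute magic markers in a more general way
    if "INFER_SAs" in certs:
        certs.remove("INFER_SAs")
        certs.extend(s['SERVICE_CERT'] for s in self.all_slice_authorities())
    if "INFER_MAs" in certs:
        certs.remove("INFER_MAs")
        certs.extend(s['SERVICE_CERT'] for s in self.all_member_authorities())

    config = pm.getService('config')
    trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    # Every regular file in the directory is taken as a trusted cert, unparsed,
    # so the directory must contain nothing but PEM certificates.
    for file_name in os.listdir(trusted_cert_path):
        full_file_name = os.path.join(trusted_cert_path, file_name)
        if os.path.isfile(full_file_name):
            with open(full_file_name, "r") as cert_file:
                certs.append(cert_file.read())
    return certs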
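def all_trusted_certs(self):
    """
    Return all trusted certificates as PEM strings.

    Starts from the registry's ``TRUST_ROOTS`` (registry.json), replaces the
    magic markers ``INFER_SAs`` / ``INFER_MAs`` by the ``SERVICE_CERT`` of
    every known slice / member authority and appends the contents of every
    regular file under ``delegatetools.trusted_cert_path``.

    Returns:
        list of str: certificates, registry entries first, then directory files.
    """
    # Copy the registry list: removing markers and appending file contents
    # must not mutate the registry if get_registry() returns a shared object.
    certs = list(self._delegate_tools.get_registry()["TRUST_ROOTS"])

    # TODO: substitute magic markers in a more general way
    if "INFER_SAs" in certs:
        certs.remove("INFER_SAs")
        certs.extend(s['SERVICE_CERT'] for s in self.all_slice_authorities())
    if "INFER_MAs" in certs:
        certs.remove("INFER_MAs")
        certs.extend(s['SERVICE_CERT'] for s in self.all_member_authorities())

    config = pm.getService('config')
    trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
    # Files are read verbatim and not parsed; anything placed in this directory
    # becomes a trust anchor, so keep it limited to PEM certificates.
    for file_name in os.listdir(trusted_cert_path):
        full_file_name = os.path.join(trusted_cert_path, file_name)
        if os.path.isfile(full_file_name):
            with open(full_file_name, "r") as cert_file:
                certs.append(cert_file.read())
    return certs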
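def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
    """
    Authenticate and authorize a caller.

    Returns the client's urn, uuid and email extracted from ``client_cert``
    (``urn, uuid, email = self.auth(...)``).  The email is not required in the
    certificate, hence it might be empty.

    The credentials are checked so the user has all the required privileges
    (success if any credential fits all privileges).  Only credentials of
    type 'geni_sfa' are considered; credential entries without a
    ``geni_type`` key are ignored.

    The client certificate itself is not validated here: this is usually done
    via the webserver configuration.  Whether ``ext.geni.CredentialVerifier``
    also validates the certificate chain against ``geniv3rpc.cert_root``
    depends on that implementation -- confirm before relying on it.

    Possible privileges (format: right_in_credential: [privilege1, ...]):
      "authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
      "refresh"   : ["remove", "update"],
      "resolve"   : ["resolve", "list", "getcredential"],
      "sa"        : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver",
                     "deleteslice", "deletesliver", "updateslice", "getsliceresources",
                     "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
                     "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes",
                     "getpolicy", "sliverstatus"],
      "embed"     : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver",
                     "renewsliver", "deleteslice", "deletesliver", "updateslice",
                     "sliverstatus", "getsliceresources", "shutdown"],
      "bind"      : ["getticket", "loanresources", "redeemticket"],
      "control"   : ["updateslice", "createslice", "createsliver", "renewsliver",
                     "sliverstatus", "stopslice", "startslice", "deleteslice",
                     "deletesliver", "resetslice", "getsliceresources", "getgids"],
      "info"      : ["listslices", "listnodes", "getpolicy"],
      "ma"        : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
      "operator"  : ["gettrustedcerts", "getgids"],
      "*"         : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]

    When using the gcf clearinghouse implementation the credentials will have the rights:
      - user: "******", "resolve", "info" (which resolves to the privileges: "remove",
        "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
      - slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)

    Args:
        client_cert: PEM string of the client's SSL certificate, or None if unknown.
        credentials: iterable of dicts with ``geni_type`` / ``geni_value`` keys.
        slice_urn: slice the credentials must apply to (optional).
        privileges: tuple of privilege names that must all be granted.

    Returns:
        tuple (user_urn, user_uuid, user_email).

    Raises:
        TypeError: if ``privileges`` is not a tuple.
        GENIv3ForbiddenError: if no client certificate is available or
            credential verification fails.
    """
    if not isinstance(privileges, tuple):
        raise TypeError("Privileges need to be a tuple.")
    # Was ``client_cert == None``; None must be compared by identity.
    if client_cert is None:
        raise GENIv3ForbiddenError("Could not determine the client SSL certificate")

    # collect credentials (only GENI SFA credentials, version ignored)
    geni_credentials = [c['geni_value'] for c in credentials
                        if c.get('geni_type') == 'geni_sfa']

    # get the cert_root
    config = pm.getService("config")
    cert_root = expand_eisoil_path(config.get("geniv3rpc.cert_root"))

    # test the credentials; any verifier error becomes a Forbidden error
    try:
        cred_verifier = ext.geni.CredentialVerifier(cert_root)
        cred_verifier.verify_from_strings(client_cert, geni_credentials, slice_urn, privileges)
    except Exception as e:
        raise GENIv3ForbiddenError(str(e))

    user_gid = gid.GID(string=client_cert)
    return user_gid.get_urn(), user_gid.get_uuid(), user_gid.get_email()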
def _get_paths(self):
    """
    Build the absolute paths of the JSON files this class loads.

    Each path is read from a ``delegatetools.*`` config key and expanded with
    ``expand_eisoil_path``.

    Returns:
        dict: CONFIG, DEFAULTS, SUPPLEMENTARY_FIELDS, REGISTRY, AUTHZ and ROLES
        mapped to expanded file paths.
    """
    config = pm.getService("config")
    # (name, config key) in the order the keys are read.
    sources = [
        ('CONFIG', "delegatetools.config_path"),
        # "supplemetary_fileds" is the key's spelling in the config; keep it.
        ('SUPPLEMENTARY_FIELDS', "delegatetools.supplemetary_fileds_path"),
        ('REGISTRY', "delegatetools.service_registry_path"),
        ('DEFAULTS', "delegatetools.defaults_path"),
        ('AUTHZ', "delegatetools.authz_path"),
        ('ROLES', "delegatetools.roles_path"),
    ]
    raw = [(name, config.get(key)) for name, key in sources]
    return dict((name, expand_eisoil_path(value)) for name, value in raw)
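def __init__(self):
    """
    Resolve config/plugins and, if federation peers are configured, start the
    daemon thread that synchronizes trusted root certificates.

    Side effects:
        * sets ``os.environ['RELOADED']`` on the first (pre-reloader) pass so
          the thread is only started once, in the reloaded process;
        * starts a daemon ``threading.Thread`` running ``self.synch_certs``.
    """
    super(SynchRootCerts, self).__init__()
    config = pm.getService("config")
    self._trusted_cert_path = expand_eisoil_path(
        config.get("delegatetools.trusted_cert_path"))
    self._ch_cert_file = os.path.join(self._trusted_cert_path, SynchRootCerts.CH_CERT_FILE)
    self._ch_cert_key_file = os.path.join(
        expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path")),
        SynchRootCerts.CH_KEY_FILE)
    self._delegate_tools = pm.getService('delegatetools')
    self._trusted_peers = self._delegate_tools.get_registry()["TRUSTED_PEERS"]

    # No federating islands -> nothing to synchronize.  A single entry with
    # host_ip 0.0.0.0 is treated as the "unset" placeholder.
    no_peers = not self._trusted_peers or (
        len(self._trusted_peers) == 1 and self._trusted_peers[0]['host_ip'] == '0.0.0.0')
    if no_peers:
        logger.info(
            'No valid entries for trusted peers. Daemon thread for synchronizing trusted certs will not start.'
        )
        return

    # Skip the parent process of the reloader.  (Was ``e is '0'``: identity
    # comparison against a str literal relies on CPython interning; use ==.)
    if os.environ.get('RELOADED', '0') == '0':
        os.environ['RELOADED'] = '1'
        return

    # NOTE(review): synch_certs updates the trusted-cert store; the rules for
    # what it accepts from peers live outside this block.
    th = threading.Thread(target=self.synch_certs)
    th.daemon = True
    th.start()
    logger.info('Daemon thread for synchronizing trusted certs started.')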
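def _authorize_dict_list(self, client_cert, credentials, result, options):
    """
    Authorize a list-style call over every object in ``result``.

    The client certificate (inferred from ``credentials`` when not given) is
    verified against the trust roots under ``ofed.cert_root``; then, for
    every URN in ``result``, the credentials must grant the ``list``
    privilege.  The former "admin" shortcut, which skipped credential
    verification for any trusted certificate whose name was ``admin``, has
    been removed: it was marked "only for testing / REMOVE" and amounted to an
    authorization bypass keyed on a certificate name.

    Args:
        client_cert: PEM client certificate or None.
        credentials: credential list as received from the caller.
        result: dict keyed by object URN.
        options: call options (unused here).

    Raises:
        gfed_ex.GFedv1AuthorizationError: if certificate or credential
            verification fails for any URN.
    """
    client_cert = geniutil.infer_client_cert(client_cert, credentials)
    try:
        trusted_cert_path = expand_eisoil_path(config.get("ofed.cert_root"))
        geniutil.verify_certificate(client_cert, trusted_cert_path)
        for urn in result:
            geniutil.verify_credential(credentials, client_cert, urn, trusted_cert_path, ('list',))
    except Exception as e:
        # Any verification failure is reported as an authorization error.
        raise gfed_ex.GFedv1AuthorizationError(str(e))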
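def _authorize_dict_list(self, client_cert, credentials, result, options):
    """
    Authorize a list-style call over every object in ``result``.

    Verifies the (possibly inferred) client certificate against the trust
    roots under ``ofed.cert_root`` and then requires the ``list`` privilege
    for each URN in ``result``.  The "admin" shortcut that skipped credential
    verification for a trusted certificate named ``admin`` was removed: the
    code marked it "only for testing / REMOVE", and it bypassed authorization
    based purely on a certificate name.

    Args:
        client_cert: PEM client certificate or None.
        credentials: credential list as received from the caller.
        result: dict keyed by object URN.
        options: call options (unused here).

    Raises:
        gfed_ex.GFedv1AuthorizationError: on any verification failure.
    """
    client_cert = geniutil.infer_client_cert(client_cert, credentials)
    try:
        trusted_cert_path = expand_eisoil_path(config.get("ofed.cert_root"))
        geniutil.verify_certificate(client_cert, trusted_cert_path)
        for urn in result:
            geniutil.verify_credential(credentials, client_cert, urn,
                                       trusted_cert_path, ('list', ))
    except Exception as e:
        # Collapse every verification failure into one authorization error.
        raise gfed_ex.GFedv1AuthorizationError(str(e))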
def main():
    """
    Entry point: set HOME (needed for apache deployment), load the plugins,
    then start either the worker server (``-w`` / ``--worker``) or the RPC
    server.  ``-h`` / ``--help`` prints usage and exits.
    """
    # Apache may start us without HOME; the path expansion relies on it.
    os.environ['HOME'] = config.expand_eisoil_path('~')
    pm.init(config.PLUGINS_PATH)

    try:
        opts, _args = getopt.getopt(sys.argv[1:], 'hw', ['help', 'worker'])
    except getopt.GetoptError as e:
        print "Wrong arguments: " + str(e)
        print
        # NOTE(review): this prints print_usage()'s return value, whereas the
        # --help branch below discards it; one of the two is probably unintended.
        print print_usage()
        return

    for option, _ in opts:
        if option in ('-h', '--help'):
            print_usage()
            sys.exit(0)
        if option in ('-w', '--worker'):
            pm.getService('worker').WorkerServer().runServer()
            sys.exit(0)

    pm.getService('rpcserver').runServer()
def _get_paths(self):
    """
    Return the absolute paths of the JSON files this class loads.

    Every path is taken from a ``delegatetools.*`` config key and passed
    through ``expand_eisoil_path``.

    Returns:
        dict with keys CONFIG, DEFAULTS, SUPPLEMENTARY_FIELDS, REGISTRY,
        AUTHZ and ROLES.
    """
    config = pm.getService("config")

    def path_for(key):
        return expand_eisoil_path(config.get(key))

    # Config keys are read in this order; "supplemetary_fileds" is the
    # key's actual spelling in the config and is kept as is.
    config_path = path_for("delegatetools.config_path")
    supplementary_path = path_for("delegatetools.supplemetary_fileds_path")
    registry_path = path_for("delegatetools.service_registry_path")
    defaults_path = path_for("delegatetools.defaults_path")
    authz_path = path_for("delegatetools.authz_path")
    roles_path = path_for("delegatetools.roles_path")

    return {
        'CONFIG': config_path,
        'DEFAULTS': defaults_path,
        'SUPPLEMENTARY_FIELDS': supplementary_path,
        'REGISTRY': registry_path,
        'AUTHZ': authz_path,
        'ROLES': roles_path,
    }
# ---------------------------------------------------- # ------------------ database stuff ------------------ # ---------------------------------------------------- from sqlalchemy import Column, Integer, String, DateTime, PickleType, create_engine from sqlalchemy.orm import scoped_session, sessionmaker from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound from sqlalchemy.ext.declarative import declarative_base from sqlalchemy.sql import exists from sqlalchemy.sql.expression import and_, or_, not_ from eisoil.config import expand_eisoil_path # initialize sqlalchemy DB_PATH = expand_eisoil_path(pm.getService('config').get('schedule.dbpath')) DB_ENGINE = create_engine("sqlite:///%s" % (DB_PATH, )) # please see the wiki for more info DB_SESSION_FACTORY = sessionmaker(autoflush=True, bind=DB_ENGINE, expire_on_commit=False) db_session = scoped_session(DB_SESSION_FACTORY) DB_Base = declarative_base( ) # get the base class for the ORM, which includes the metadata object (collection of table descriptions) class ReservationRecord(DB_Base): """Encapsulates a record in the database.""" __tablename__ = 'reservations' reservation_id = Column(Integer, primary_key=True)
return AttributeDict(result_dict)  # tail of a function whose start is outside this view

# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, PickleType, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
from sqlalchemy.sql.expression import and_, or_, not_
from eisoil.config import expand_eisoil_path

# initialize sqlalchemy
# SQLite file from the ``schedule.dbpath`` config entry; the engine is created
# at import time, so a bad path fails when the module is loaded.
DB_PATH = expand_eisoil_path(pm.getService('config').get('schedule.dbpath'))
DB_ENGINE = create_engine("sqlite:///%s" % (DB_PATH,))  # please see the wiki for more info
DB_SESSION_FACTORY = sessionmaker(autoflush=True, bind=DB_ENGINE, expire_on_commit=False)
# scoped_session: one session per thread, method calls delegated to it
db_session = scoped_session(DB_SESSION_FACTORY)
DB_Base = declarative_base()  # get the base class for the ORM, which includes the metadata object (collection of table descriptions)


class ReservationRecord(DB_Base):
    """Encapsulates a record in the database."""
    # NOTE(review): the class body continues beyond this view.
    __tablename__ = 'reservations'
    reservation_id = Column(Integer, primary_key=True)
    schedule_subject = Column(String(255))
    resource_id = Column(String(255))
    start_time = Column(DateTime)
import os.path
from datetime import datetime
from sqlalchemy import Table, Column, MetaData, ForeignKey, PickleType, DateTime, String, Integer, Text, create_engine, select, and_, or_, not_, event
from sqlalchemy.orm import scoped_session, sessionmaker, mapper
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
import eisoil.core.pluginmanager as pm
import eisoil.core.log
logger = eisoil.core.log.getLogger('worker')
from eisoil.config import expand_eisoil_path

# Worker job database: a SQLite file at the ``worker.dbpath`` config entry.
WORKERDB_PATH = expand_eisoil_path(
    pm.getService('config').get('worker.dbpath'))
WORKERDB_ENGINE = "sqlite:///%s" % (WORKERDB_PATH, )

# initialize sqlalchemy (engine is created at import time)
db_engine = create_engine(
    WORKERDB_ENGINE, pool_recycle=6000)  # please see the wiki for more info
db_session_factory = sessionmaker(
    autoflush=True, bind=db_engine, expire_on_commit=False
)  # the class which can create sessions (factory pattern)
db_session = scoped_session(
    db_session_factory
)  # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
# we could limit the session's scope (lifetime) to one request, but for this plugin it is not necessary
Base = declarative_base(
)  # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
import os.path
from datetime import datetime
from sqlalchemy import Table, Column, MetaData, ForeignKey, PickleType, DateTime, String, Integer, Text, create_engine, select, and_, or_, not_, event
from sqlalchemy.orm import scoped_session, sessionmaker, mapper
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
import eisoil.core.pluginmanager as pm
import eisoil.core.log
logger=eisoil.core.log.getLogger('worker')
from eisoil.config import expand_eisoil_path

# Worker job database: a SQLite file at the ``worker.dbpath`` config entry.
WORKERDB_PATH = expand_eisoil_path(pm.getService('config').get('worker.dbpath'))
WORKERDB_ENGINE = "sqlite:///%s" % (WORKERDB_PATH,)

# initialize sqlalchemy (engine is created at import time)
db_engine = create_engine(WORKERDB_ENGINE, pool_recycle=6000)  # please see the wiki for more info
db_session_factory = sessionmaker(autoflush=True, bind=db_engine, expire_on_commit=False)  # the class which can create sessions (factory pattern)
db_session = scoped_session(db_session_factory)  # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
# we could limit the session's scope (lifetime) to one request, but for this plugin it is not necessary
Base = declarative_base()  # get the base class for the ORM, which includes the metadata object (collection of table descriptions)


class JobDBEntry(Base):
    # Persisted worker job.  NOTE(review): the class body continues beyond this view.
    __tablename__ = 'worker_jobs'
    id = Column(Integer, primary_key=True)
    service_name = Column(String)
    callable_attr_str = Column(String)
    # PickleType stores the job parameters with pickle; loading a row unpickles
    # whatever is in the DB file, so the file must be writable only by trusted users.
    params = Column(PickleType)
    recurring_interval = Column(Integer)
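def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
    """
    Authenticate and authorize a caller.

    Returns the client's urn, uuid and email extracted from ``client_cert``
    (``urn, uuid, email = self.auth(...)``).  The email is not required in the
    certificate, hence it might be empty.

    The credentials are checked so the user has all the required privileges
    (success if any credential fits all privileges).  Only credentials of
    type 'geni_sfa' are considered; credential entries without a
    ``geni_type`` key are ignored.

    The client certificate itself is not validated here: this is usually done
    via the webserver configuration.  Whether ``ext.geni.CredentialVerifier``
    also validates the certificate chain against ``geniv3rpc.cert_root``
    depends on that implementation -- confirm before relying on it.

    Possible privileges (format: right_in_credential: [privilege1, ...]):
      "authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
      "refresh"   : ["remove", "update"],
      "resolve"   : ["resolve", "list", "getcredential"],
      "sa"        : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver",
                     "deleteslice", "deletesliver", "updateslice", "getsliceresources",
                     "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
                     "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes",
                     "getpolicy", "sliverstatus"],
      "embed"     : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver",
                     "renewsliver", "deleteslice", "deletesliver", "updateslice",
                     "sliverstatus", "getsliceresources", "shutdown"],
      "bind"      : ["getticket", "loanresources", "redeemticket"],
      "control"   : ["updateslice", "createslice", "createsliver", "renewsliver",
                     "sliverstatus", "stopslice", "startslice", "deleteslice",
                     "deletesliver", "resetslice", "getsliceresources", "getgids"],
      "info"      : ["listslices", "listnodes", "getpolicy"],
      "ma"        : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
      "operator"  : ["gettrustedcerts", "getgids"],
      "*"         : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]

    When using the gcf clearinghouse implementation the credentials will have the rights:
      - user: "******", "resolve", "info" (which resolves to the privileges: "remove",
        "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
      - slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)

    Args:
        client_cert: PEM string of the client's SSL certificate, or None if unknown.
        credentials: iterable of dicts with ``geni_type`` / ``geni_value`` keys.
        slice_urn: slice the credentials must apply to (optional).
        privileges: tuple of privilege names that must all be granted.

    Returns:
        tuple (user_urn, user_uuid, user_email).

    Raises:
        TypeError: if ``privileges`` is not a tuple.
        GENIv3ForbiddenError: if no client certificate is available or
            credential verification fails.
    """
    if not isinstance(privileges, tuple):
        raise TypeError("Privileges need to be a tuple.")
    # Was ``client_cert == None``; None is compared by identity.
    if client_cert is None:
        raise GENIv3ForbiddenError(
            "Could not determine the client SSL certificate")

    # collect credentials (only GENI SFA credentials, version ignored)
    geni_credentials = [c['geni_value'] for c in credentials
                        if c.get('geni_type') == 'geni_sfa']

    # get the cert_root
    config = pm.getService("config")
    cert_root = expand_eisoil_path(config.get("geniv3rpc.cert_root"))

    # test the credentials; any verifier error is reported as Forbidden
    try:
        cred_verifier = ext.geni.CredentialVerifier(cert_root)
        cred_verifier.verify_from_strings(client_cert, geni_credentials,
                                          slice_urn, privileges)
    except Exception as e:
        raise GENIv3ForbiddenError(str(e))

    user_gid = gid.GID(string=client_cert)
    return user_gid.get_urn(), user_gid.get_uuid(), user_gid.get_email()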