def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OMemberAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
self._ma_cert_str = self._resource_manager_tools.read_file(cert_path + '/' +
OMemberAuthorityResourceManager.MA_CERT_FILE)
self._ma_cert_key_str = self._resource_manager_tools.read_file(cert_key_path + '/' +
OMemberAuthorityResourceManager.MA_KEY_FILE)
self._hostname = self._resource_manager_tools.get_hostname(self._ma_cert_str)
self._ma_crl_path = expand_eisoil_path(config.get("delegatetools.trusted_crl_path")) + '/' \
+ self._hostname + '.authority.ma'
self.gfed_ex = pm.getService('apiexceptionsv2')
self._urn = self.urn()
self._cert_revoke_reasons = crypto.Revoked().all_reasons()
self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
def verify_project_credentials_context(self, credentials, method, fields=None, target_urn=None):
"""
Verify project to slice relationship
:param credentials: credential string in SFA format
:param method: Name of the method e.g., CREATE, UPDATE, LOOKUP, DELETE, CHANGE_ROLE etc.
"""
geniutil = pm.getService('geniutil')
slice_authority_resource_manager = pm.getService('osliceauthorityrm')
_, target_urn_from_cred = geniutil.get_privileges_and_target_urn(credentials)
verification_passed = True
if method == 'CREATE':
if not fields['SLICE_PROJECT_URN'] == target_urn_from_cred:
verification_passed = False
elif method == 'UPDATE':
lookup_result = slice_authority_resource_manager.lookup_slice(credentials,
{'SLICE_URN': str(target_urn)}, [], {})
if not lookup_result or not lookup_result[0]['SLICE_PROJECT_URN'] == target_urn_from_cred:
verification_passed = False
elif method == 'LOOKUP':
pass
elif method == 'DELETE':
pass
if not verification_passed:
raise GFedv2AuthorizationError("Your project credentials do not provide enough privileges to execute "+ method + " call on slice object")
def check_if_ma_info_update_authorized(self, credentials, owner_cert, type_, target_urn):
"""
Performs authorization check on member/key info update
:param credentials:
:param options:
:param type_:
:return:
"""
if credentials is None or len(credentials) <= 0 or not isinstance(credentials[0], dict):
raise GFedv2ArgumentError("Passed invalid or no credentials")
geniutil = pm.getService('geniutil')
member_authority_resource_manager = pm.getService('omemberauthorityrm')
user_urn_from_cert, _, _ = geniutil.extract_certificate_info(owner_cert)
# Update is allowed for owner himself. Otherwise, proper credentials should be presented
if type_ == 'KEY':
lookup_values = member_authority_resource_manager.lookup_key(credentials, {'KEY_ID':target_urn}, [], None)
if lookup_values:
target_urn = lookup_values[0]['KEY_MEMBER']
else:
raise GFedv2ArgumentError("Could not find the specified key with KEY_ID: "+str(target_urn))
if user_urn_from_cert == target_urn:
geniutil.verify_credential_ex(credentials, owner_cert, target_urn, self.TRUSTED_CERT_PATH, crl_path=self.TRUSTED_CRL_PATH)
else:
self.check_if_authorized(credentials=credentials, owner_cert=owner_cert, method='UPDATE', type_=type_, target_urn=None)
def setup():
xmlrpc = pm.getService('xmlrpc')
api_tools = pm.getService('apitools')
greg_handler = GRegistryv2Handler()
pm.registerService('gregistryv2handler', greg_handler)
pm.registerService('gregistryv2delegatebase', GRegistryv2DelegateBase)
xmlrpc.registerXMLRPC('gregv2', greg_handler, '/reg/2') # name, handlerObj, endpoint
api_tools.register_endpoint(name='gregv2', type='reg', version='2', url='/reg/2')
gma_handler = GMAv2Handler()
pm.registerService('gmav2handler', gma_handler)
pm.registerService('gmav2delegatebase', GMAv2DelegateBase)
xmlrpc.registerXMLRPC('gmav2', gma_handler, '/ma/2') # name, handlerObj, endpoint
api_tools.register_endpoint(name='gmav2', type='ma', version='2', url='/ma/2')
gsa_handler = GSAv2Handler()
pm.registerService('gsav2handler', gsa_handler)
pm.registerService('gsav2delegatebase', GSAv2DelegateBase)
xmlrpc.registerXMLRPC('gsav2', gsa_handler, '/sa/2') # name, handlerObj, endpoint
api_tools.register_endpoint(name='gsav2', type='sa', version='2', url='/sa/2')
glog_handler = GLoggingHandler()
pm.registerService('glogginghandler', glog_handler)
pm.registerService('gloggingdelegatebase', GLoggingDelegateBase)
xmlrpc.registerXMLRPC('glogging', glog_handler, '/logging') # name, handlerObj, endpoint
api_tools.register_endpoint(name='glogging', type='logging', version='1', url='/logging')
def check_if_ma_info_update_authorized(self, credentials, owner_cert, type_, target_urn):
"""
Performs authorization check on member/key info update
:param credentials:
:param options:
:param type_:
:return:
"""
if credentials is None or len(credentials) <= 0 or not isinstance(credentials[0], dict):
raise GFedv2ArgumentError("Passed invalid or no credentials")
geniutil = pm.getService('geniutil')
member_authority_resource_manager = pm.getService('omemberauthorityrm')
user_urn_from_cert, _, _ = geniutil.extract_certificate_info(owner_cert)
# Update is allowed for owner himself. Otherwise, proper credentials should be presented
if type_ == 'KEY':
lookup_values = member_authority_resource_manager.lookup_key(credentials, {'KEY_ID':target_urn}, [], None)
if lookup_values:
target_urn = lookup_values[0]['KEY_MEMBER']
else:
raise GFedv2ArgumentError("Could not find the specified key with KEY_ID: "+str(target_urn))
if user_urn_from_cert == target_urn:
geniutil.verify_credential_ex(credentials, owner_cert, target_urn, self.TRUSTED_CERT_PATH, crl_path=self.TRUSTED_CRL_PATH)
else:
self.check_if_authorized(credentials=credentials, owner_cert=owner_cert, method='UPDATE', type_=type_, target_urn=None)
def lookup_services(self):
"""
Return all service types as defined in the registry config file (registry.json).
"""
# return self._uppercase_keys_in_list([e for e in self._delegate_tools.get_registry()["SERVICES"] if (e['service_type'] in self.TYPES)])
# Current deployments assume single SA and MA authorities
services = []
for e in self._delegate_tools.get_registry()["SERVICES"]:
if e['service_type'] in [
self.SA_SERVICE_TYPE, self.MA_SERVICE_TYPE
]:
rm = pm.getService('osliceauthorityrm') if e[
'service_type'] == self.SA_SERVICE_TYPE else pm.getService(
'omemberauthorityrm')
endpoints = pm.getService('apitools').get_endpoints(
type=rm.AUTHORITY_NAME)
if endpoints:
e['service_url'] = "https://" + pm.getService(
'gregistryv2handler').bindAddress(
) + endpoints[0]['url']
e['service_urn'] = rm.urn()
e['service_cert'] = '<certificate>' + rm.authority_certificate(
) + '</certificate>'
services.append(e)
return self._uppercase_keys_in_list(services)
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OSliceAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_eisoil_path(
config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_eisoil_path(
config.get("delegatetools.trusted_cert_keys_path"))
self._sa_c = self._resource_manager_tools.read_file(
cert_path + '/' + OSliceAuthorityResourceManager.SA_CERT_FILE)
self._sa_pr = self._resource_manager_tools.read_file(
cert_key_path + '/' + OSliceAuthorityResourceManager.SA_KEY_FILE)
#<UT>
self._hostname = self._resource_manager_tools.get_hostname(self._sa_c)
self._delegate_tools = pm.getService('delegatetools')
self.gfed_ex = pm.getService('apiexceptionsv2')
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OMemberAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._delegate_tools = pm.getService('delegatetools')
self._set_unique_keys()
#<UT>
config = pm.getService("config")
cert_path = expand_eisoil_path(
config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_eisoil_path(
config.get("delegatetools.trusted_cert_keys_path"))
self._ma_cert_str = self._resource_manager_tools.read_file(
cert_path + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
self._ma_cert_key_str = self._resource_manager_tools.read_file(
cert_key_path + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)
self._hostname = self._resource_manager_tools.get_hostname(
self._ma_cert_str)
self._ma_crl_path = expand_eisoil_path(config.get("delegatetools.trusted_crl_path")) + '/' \
+ self._hostname + '.authority.ma'
self.gfed_ex = pm.getService('apiexceptionsv2')
self._urn = self.urn()
self._cert_revoke_reasons = crypto.Revoked().all_reasons()
self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
self._ma_cert_str)
self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
self._ma_cert_key_str)
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OSliceAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService("resourcemanagertools")
self._set_unique_keys()
# <UT>
config = pm.getService("config")
cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
self._sa_c = self._resource_manager_tools.read_file(
cert_path + "/" + OSliceAuthorityResourceManager.SA_CERT_FILE
)
self._sa_pr = self._resource_manager_tools.read_file(
cert_key_path + "/" + OSliceAuthorityResourceManager.SA_KEY_FILE
)
# <UT>
self._hostname = self._resource_manager_tools.get_hostname(self._sa_c)
self._delegate_tools = pm.getService("delegatetools")
self.gfed_ex = pm.getService("apiexceptionsv2")
def verify_project_credentials_context(self,
credentials,
method,
fields=None,
target_urn=None):
"""
Verify project to slice relationship
:param credentials: credential string in SFA format
:param method: Name of the method e.g., CREATE, UPDATE, LOOKUP, DELETE, CHANGE_ROLE etc.
"""
geniutil = pm.getService('geniutil')
slice_authority_resource_manager = pm.getService('osliceauthorityrm')
_, target_urn_from_cred = geniutil.get_privileges_and_target_urn(
credentials)
verification_passed = True
if method == 'CREATE':
if not fields['SLICE_PROJECT_URN'] == target_urn_from_cred:
verification_passed = False
elif method == 'UPDATE':
lookup_result = slice_authority_resource_manager.lookup_slice(
credentials, {'SLICE_URN': str(target_urn)}, [], {})
if not lookup_result or not lookup_result[0][
'SLICE_PROJECT_URN'] == target_urn_from_cred:
verification_passed = False
elif method == 'LOOKUP':
pass
elif method == 'DELETE':
pass
if not verification_passed:
raise GFedv2AuthorizationError(
"Your project credentials do not provide enough privileges to execute "
+ method + " call on slice object")
def __init__(self):
"""
Get plugins for use in other class methods.
"""
super(SynchRootCerts, self).__init__()
config = pm.getService("config")
self._trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
self._ch_cert_file = os.path.join(self._trusted_cert_path, SynchRootCerts.CH_CERT_FILE)
self._ch_cert_key_file = os.path.join(expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path")),
SynchRootCerts.CH_KEY_FILE)
self._delegate_tools = pm.getService('delegatetools')
self._trusted_peers = self._delegate_tools.get_registry()["TRUSTED_PEERS"]
# No need to run daemon thread if there are no federating islands
if len(self._trusted_peers) == 0 or (len(self._trusted_peers) == 1 and self._trusted_peers[0]['host_ip'] == '0.0.0.0'):
logger.info('No valid entries for trusted peers. Daemon thread for synchronizing trusted certs will not start.')
return
# To avoid running daemon thread before reloader
e = os.environ.get('RELOADED', '0')
if e is '0':
os.environ['RELOADED'] = '1'
return
# Create a daemon thread and start it
th = threading.Thread(target=self.synch_certs)
th.daemon = True
th.start()
logger.info('Daemon thread for synchronizing trusted certs started.')
def setup():
# setup config keys
# config = pm.getService("config")
xmlrpc = pm.getService('xmlrpc')
handler = pm.getService('geniv3handler')
xmlrpc.registerXMLRPC('tn_rm_geni_v3', handler, '/xmlrpc/geni/3/')
delegate = TNRMGENI3Delegate()
handler.setDelegate(delegate)
def setup():
# setup config keys
# config = pm.getService("config")
xmlrpc = pm.getService('xmlrpc')
handler = pm.getService('geniv3handler')
xmlrpc.registerXMLRPC('tn_rm_geni_v3', handler, '/xmlrpc/geni/3/')
delegate = TNRMGENI3Delegate()
handler.setDelegate(delegate)
def check_if_authorized(self, credentials, owner_cert, method, type_, target_urn=None, fields=None):
"""
Check if credentials have any of the given privileges
:param credentials: credential string in SFA format
:param method: Name of the method e.g., CREATE, UPDATE, LOOKUP, DELETE, CHANGE_ROLE etc.
:param type_: Type of Object e.g., SLICE, SLICE_MEMBER, PROJECT, PROJECT_MEMBER etc.
"""
if credentials is None or len(credentials) <= 0:
raise GFedv2AuthorizationError("Passed invalid or no credentials")
required_privileges = self.get_required_privilege_for(method, type_)
geniutil = pm.getService('geniutil')
slice_authority_resource_manager = pm.getService('osliceauthorityrm')
cred_accepted = False
for cred in credentials:
try:
priv_from_cred, target_urn_from_cred = geniutil.get_privileges_and_target_urn([cred])
user_urn_from_cert, _, _ = geniutil.extract_certificate_info(owner_cert)
_, cred_typ, _ = geniutil.decode_urn(target_urn_from_cred)
if cred_typ == 'slice':
target_urn_for_validation = target_urn
else:
target_urn_for_validation = user_urn_from_cert
geniutil.verify_credential_ex([cred], owner_cert, target_urn_for_validation, self.TRUSTED_CERT_PATH, crl_path=self.TRUSTED_CRL_PATH)
# Fetch privileges
privileges = []
if type_ == 'SLICE':
if method == 'CREATE':
privileges = slice_authority_resource_manager.lookup_privileges_for_project_membership(member_urn=user_urn_from_cert, project_urn=fields['SLICE_PROJECT_URN'])
else:
privileges = slice_authority_resource_manager.lookup_privileges_for_slice_membership(member_urn=user_urn_from_cert, slice_urn= target_urn)
elif type_ == 'SLICE_MEMBER':
privileges = slice_authority_resource_manager.lookup_privileges_for_slice_membership(member_urn=user_urn_from_cert, slice_urn= target_urn)
elif type_ == 'PROJECT' or type_ == 'PROJECT_MEMBER':
if not method == 'CREATE':
privileges = slice_authority_resource_manager.lookup_privileges_for_project_membership(member_urn=user_urn_from_cert, project_urn=target_urn)
elif type_ == 'PROJECT_MEMBER':
privileges = slice_authority_resource_manager.lookup_privileges_for_project_membership(member_urn=user_urn_from_cert, project_urn=target_urn)
elif type_ == 'KEY':
if fields and 'KEY_MEMBER' in fields.keys() and user_urn_from_cert == fields['KEY_MEMBER']: # A member is allowed to execute actions on his own key
required_privileges = []
if not required_privileges or set(privileges+priv_from_cred).intersection(required_privileges):
cred_accepted = True
break
except Exception as e:
import traceback
traceback.print_exc()
#print e
if not cred_accepted:
raise GFedv2AuthorizationError("Your credentials do not provide enough privileges to execute "+ method + " call on " + type_ + " object")
def __init__(self):
"""
Get plugins for use in other class methods.
"""
super(ORegistryResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
# TODO: this isn't a delegate!
self._delegate_tools = pm.getService('delegatetools')
# Initialize SynchRootCerts
synch = SynchRootCerts()
def setup():
config = pm.getService('config')
config.install("ofed.cert_root", "deploy/trusted", "Folder which includes trusted certificates (in .pem format). If relative path, the root is assumed to be git repo root.")
reg_delegate = ORegistryv1Delegate()
reg_handler = pm.getService('gregistryv1handler')
reg_handler.setDelegate(reg_delegate)
ma_delegate = OMAv1DelegateGuard()
ma_handler = pm.getService('gmav1handler')
ma_handler.setDelegate(ma_delegate)
def __init__(self):
"""
Get plugins for use in other class methods.
"""
super(ORegistryResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
# TODO: this isn't a delegate!
self._delegate_tools = pm.getService('delegatetools')
# Initialize SynchRootCerts
synch = SynchRootCerts()
def api_versions(self):
"""
Get the different endpoints (of type 'sa'), registered with eiSoil.
Form these endpoints into a dictionary suitable for the API call response.
"""
config = pm.getService("config")
hostname = config.get("flask.hostname")
port = str(config.get("flask.app_port"))
endpoints = pm.getService("apitools").get_endpoints(type=self.AUTHORITY_NAME)
return self._resource_manager_tools.form_api_versions(hostname, port, endpoints)
def __init__(self):
"""
Get plugins for use in other class methods.
Retrieve whitelists for use in validity checking.
"""
self._member_authority_resource_manager = pm.getService('omemberauthorityrm')
self._delegate_tools = pm.getService('delegatetools')
self._member_whitelist = self._delegate_tools.get_whitelist('MEMBER')
self._key_whitelist = self._delegate_tools.get_whitelist('KEY')
self._logging_authority_resource_manager = pm.getService('ologgingauthorityrm')
self._gmav2handler = pm.getService('gmav2handler')
def api_versions(self):
"""
Get the different endpoints (of type 'sa'), registered with eiSoil.
Form these endpoints into a dictionary suitable for the API call response.
"""
config = pm.getService('config')
hostname = config.get('flask.hostname')
port = str(config.get('flask.app_port'))
endpoints = pm.getService('apitools').get_endpoints(type=self.AUTHORITY_NAME)
return self._resource_manager_tools.form_api_versions(hostname, port, endpoints)
def setup():
# setup config keys
config = pm.getService("config")
config.install("geniv3rpc.cert_root", "deploy/trusted", "Folder which includes trusted clearinghouse certificates for GENI API v3 (in .pem format). If relative path, the root is assumed to be git repo root.")
config.install("geniv3rpc.rspec_validation", True, "Determines if RSpec shall be validated by the given xs:schemaLocations in the document (may cause downloads of the given schema from the given URL per request).")
# register xmlrpc endpoint
xmlrpc = pm.getService('xmlrpc')
geni_handler = GENIv3Handler()
pm.registerService('geniv3handler', geni_handler)
pm.registerService('geniv3delegatebase', GENIv3DelegateBase)
pm.registerService('geniv3exceptions', geni_exceptions)
xmlrpc.registerXMLRPC('geni3', geni_handler, '/RPC2') # name, handlerObj, endpoint
def __init__(self):
"""
Get plugins for use in other class methods.
Checks consistency of 'SERVICES' fields defined in configuration
(config.json).
"""
self._federation_registry_resource_manager = pm.getService('oregistryrm')
self._delegate_tools = pm.getService('delegatetools')
for service in self._delegate_tools.get_registry()['SERVICES']:
self._delegate_tools.object_consistency_check('SERVICE', service)
self._gregv2handler = pm.getService('gregistryv2handler')
self._service_whitelist = self._delegate_tools.get_whitelist('SERVICE')
def __init__(self):
"""
Get plugins for use in other class methods.
Retrieve whitelists for use in validity checking.
"""
self._slice_authority_resource_manager = pm.getService('osliceauthorityrm')
self._delegate_tools = pm.getService('delegatetools')
self._api_tools = pm.getService('apitools')
self._logging_authority_resource_manager = pm.getService('ologgingauthorityrm')
self._slice_whitelist = self._delegate_tools.get_whitelist('SLICE')
self._sliver_info_whitelist = self._delegate_tools.get_whitelist('SLIVER_INFO')
self._project_whitelist = self._delegate_tools.get_whitelist('PROJECT')
self._gsav2handler = pm.getService('gsav2handler')
def __init__(self):
"""
Get plugins for use in other class methods.
Checks consistency of 'SERVICES' fields defined in configuration
(config.json).
"""
self._federation_registry_resource_manager = pm.getService(
'oregistryrm')
self._delegate_tools = pm.getService('delegatetools')
for service in self._delegate_tools.get_registry()['SERVICES']:
self._delegate_tools.object_consistency_check('SERVICE', service)
self._gregv2handler = pm.getService('gregistryv2handler')
self._service_whitelist = self._delegate_tools.get_whitelist('SERVICE')
def __init__(self):
"""
Get plugins for use in other class methods.
Retrieve whitelists for use in validity checking.
"""
self._member_authority_resource_manager = pm.getService(
'omemberauthorityrm')
self._delegate_tools = pm.getService('delegatetools')
self._member_whitelist = self._delegate_tools.get_whitelist('MEMBER')
self._key_whitelist = self._delegate_tools.get_whitelist('KEY')
self._logging_authority_resource_manager = pm.getService(
'ologgingauthorityrm')
self._gmav2handler = pm.getService('gmav2handler')
def lxml_parse_rspec(self, rspec_string):
"""Returns a the root element of the given {rspec_string} as lxml.Element.
If the config key is set, the rspec is validated with the schemas found at the URLs specified in schemaLocation of the the given RSpec."""
# parse
rspec_root = etree.fromstring(rspec_string)
# validate RSpec against specified schemaLocations
config = pm.getService("config")
should_validate = config.get("geniv3rpc.rspec_validation")
if should_validate:
schema_locations = rspec_root.get(
"{http://www.w3.org/2001/XMLSchema-instance}schemaLocation")
if schema_locations:
schema_location_list = schema_locations.split(" ")
schema_location_list = map(
lambda x: x.strip(),
schema_location_list) # strip whitespaces
for sl in schema_location_list:
try:
xmlschema_contents = urllib2.urlopen(
sl) # try to download the schema
xmlschema_doc = etree.parse(xmlschema_contents)
xmlschema = etree.XMLSchema(xmlschema_doc)
xmlschema.validate(rspec_root)
except Exception as e:
logger.warning(
"RSpec validation failed failed (%s: %s)" % (
sl,
str(e),
))
else:
logger.warning("RSpec does not specify any schema locations")
return rspec_root
def update_slice_credentials_for_member(self, member_urn, credentials, options):
"""
updates slice credentials after member certificate update due to membership renewal or revocation
"""
member_cert = options["MEMBER_CERTIFICATE"]
slice_memberships = self.lookup_slice_membership_for_member(member_urn, credentials, None)
geniutil = pm.getService("geniutil")
for membership in slice_memberships:
slice_cert = membership["SLICE_CERTIFICATE"]
slice_creds_old = membership["SLICE_CREDENTIALS"]
slice_prvlg, slice_urn = geniutil.get_privileges_and_target_urn(slice_creds_old)
slice_exp = geniutil.get_expiration(slice_creds_old)
slice_creds_new = geniutil.create_credential_ex(
owner_cert=member_cert,
target_cert=slice_cert,
issuer_key=self._sa_pr,
issuer_cert=self._sa_c,
privileges_list=slice_prvlg,
expiration=slice_exp,
)
update_data = {"members_to_change": [{"SLICE_CREDENTIALS": slice_creds_new}]}
self._resource_manager_tools.member_modify(
self.AUTHORITY_NAME, "slice_member", slice_urn, update_data, "SLICE_MEMBER", "SLICE_URN"
)
def setup():
# setup config keys
# config = pm.getService("config")
delegate = DHCPGENI3Delegate()
handler = pm.getService('geniv3handler')
handler.setDelegate(delegate)
def all_trusted_certs(self):
"""
Return all trusted certificates as defined in the registry config file (registry.json).
"""
certs = self._delegate_tools.get_registry()["TRUST_ROOTS"]
#TODO: Subsitute magic markers
if "INFER_SAs" in certs:
certs.remove("INFER_SAs")
for s in self.all_slice_authorities():
certs.append(s['SERVICE_CERT'])
if "INFER_MAs" in certs:
certs.remove("INFER_MAs")
for s in self.all_member_authorities():
certs.append(s['SERVICE_CERT'])
config = pm.getService('config')
trusted_cert_path = expand_eisoil_path(
config.get("delegatetools.trusted_cert_path"))
# Go through the dir and fetch trusted certificates
src_files = os.listdir(trusted_cert_path)
for file_name in src_files:
full_file_name = os.path.join(trusted_cert_path, file_name)
if os.path.isfile(full_file_name):
with open(full_file_name, "r") as cert_file:
cert_str = cert_file.read()
certs.append(cert_str)
return certs
def assign_privileges(self, member_urn, credentials, privileges):
"""
Assigns given privileges to a system member
:param member_urn: URN of member
:param credentials: Actor's credentials usually root
:param privileges_list: list of privileges to be assigned
:return: Updated member credential
"""
geniutil = pm.getService('geniutil')
member_lookup_result = self._resource_manager_tools.object_lookup(
self.AUTHORITY_NAME, 'member', {'MEMBER_URN': member_urn}, [])
if member_lookup_result:
member_details = member_lookup_result[0]
u_c = member_details['MEMBER_CERTIFICATE']
cred_expiry = dt.datetime.utcnow() + dt.timedelta(
days=self.CERT_VALIDITY_PERIOD)
u_cred = geniutil.create_credential_ex(
owner_cert=u_c,
target_cert=u_c,
issuer_key=self._ma_cert_key_str,
issuer_cert=self._ma_cert_str,
privileges_list=privileges,
expiration=cred_expiry)
member_details['MEMBER_CREDENTIALS'] = u_cred
self._resource_manager_tools.object_update(
self.AUTHORITY_NAME, member_details, 'member',
{'MEMBER_URN': member_urn})
return u_cred
def append_event_log(self, authority, method, fields, options, target_type, actor_urn=None, target_urn=None,
certificate=None, credentials=None):
"""
Append an event to log
"""
geniutil = pm.getService('geniutil')
# Regarding URNs following sequence is enforced: 1) actor_urn, target_urn from argument,
# 2) actor_urn from certificate, 3a) actor_urn from credential 3b) target_urn from credentials
if not actor_urn and certificate:
actor_urn, _, _ = geniutil.extract_certificate_info(certificate)
if credentials:
_actor_urn, _target_urn = geniutil.get_owner_and_target_urn(credentials)
if not actor_urn:
actor_urn = _actor_urn
if not target_urn:
target_urn = _target_urn
# timestamp = dt.datetime.utcnow().strftime('%Y%m%d%H%M%SZ') # GMT time in UTC format
timestamp = time.time() # GMT time in UTC format
entry = dict(TIMESTAMP=timestamp,
ACTOR=actor_urn,
TARGET=target_urn,
AUTHORITY=authority,
METHOD=method,
OPTIONS=options,
FIELDS=fields)
return self._resource_manager_tools.object_create(self.AUTHORITY_NAME, entry, target_type)
def setup():
pm.registerService('apiexceptionsv1', apiexceptionsv1)
pm.registerService('apiexceptionsv2', apiexceptionsv2)
api_tools = APITools()
pm.registerService('apitools', api_tools)
resource_manager_tools = ResourceManagerTools()
pm.registerService('resourcemanagertools', resource_manager_tools)
config = pm.getService("config")
config.install("delegatetools.config_path", "deploy/config.json", "JSON file with configuration data for CH, SA, MA")
config.install("delegatetools.supplemetary_fileds_path", "deploy/supplementary_fields.json", "JSON file with Supplementary Fields for CH, SA, MA",True)
config.install("delegatetools.service_registry_path","deploy/registry.json", "JSON file with Services supported by the registry",True)
config.install("delegatetools.defaults_path", "src/plugins/fedtools/defaults.json", "JSON file with default data for CH, SA, MA", True)
#<UT>
config.install("delegatetools.authz_path", "src/plugins/fedtools/authz.json", "JSON file with mapping between privileges and methods", True)
config.install("delegatetools.roles_path", "src/plugins/fedtools/roles.json", "JSON file with default privileges for CH roles", True)
config.install("delegatetools.trusted_cert_path", "deploy/trusted/certs/", "Path to trusted certificates", True)
config.install("delegatetools.trusted_cert_keys_path", "deploy/trusted/cert_keys", "Path to trusted certificate keys", True)
config.install("delegatetools.trusted_crl_path", "deploy/trusted/crl", "Path to CRLs", True)
delegate_tools = DelegateTools()
pm.registerService('delegatetools', delegate_tools)
def delegate_credentials(self, delegetee_cert, issuer_cert, issuer_key,
privileges_list, expiration, delegatable,
credentials):
"""
Creates delegated credentials
"""
if credentials is None or len(credentials) <= 0 or not isinstance(
credentials[0], dict):
raise GFedv2ArgumentError("Passed invalid or no credentials")
geniutil = pm.getService('geniutil')
priv_from_cred, target_urn_from_cred = geniutil.get_privileges_and_target_urn(
credentials)
certificate = geniutil.extract_owner_certificate(credentials)
self.verify_credentials(credentials, issuer_cert, target_urn_from_cred)
if not set(priv_from_cred).issuperset(privileges_list):
raise GFedv2AuthorizationError(
"You cannot delegate privileges that you don't own")
object_cert = geniutil.extract_object_certificate(credentials)
return geniutil.create_credential_ex(delegetee_cert, object_cert,
issuer_key, certificate,
privileges_list, expiration,
delegatable, credentials)
def lxml_parse_rspec(self, rspec_string):
"""Returns a the root element of the given {rspec_string} as lxml.Element.
If the config key is set, the rspec is validated with the schemas found at the URLs specified in schemaLocation of the the given RSpec."""
# parse
rspec_root = etree.fromstring(rspec_string)
# validate RSpec against specified schemaLocations
config = pm.getService("config")
should_validate = config.get("geniv3rpc.rspec_validation")
if should_validate:
schema_locations = rspec_root.get("{http://www.w3.org/2001/XMLSchema-instance}schemaLocation")
if schema_locations:
schema_location_list = schema_locations.split(" ")
schema_location_list = map(lambda x: x.strip(), schema_location_list) # strip whitespaces
for sl in schema_location_list:
try:
xmlschema_contents = urllib2.urlopen(sl) # try to download the schema
xmlschema_doc = etree.parse(xmlschema_contents)
xmlschema = etree.XMLSchema(xmlschema_doc)
xmlschema.validate(rspec_root)
except Exception as e:
logger.warning("RSpec validation failed failed (%s: %s)" % (sl, str(e),))
else:
logger.warning("RSpec does not specify any schema locations")
return rspec_root
def lookup_authorities_for_urns(self, client_cert, urns):
regrm = pm.getService('oregistryrm')
try:
result = regrm.get_authory_mappings(urns)
except ValueError as e:
raise gfed_ex.GFedv1ArgumentError(str(e))
return result
def lookup_authorities_for_urns(self, client_cert, urns):
regrm = pm.getService("oregistryrm")
try:
result = regrm.get_authory_mappings(urns)
except ValueError as e:
raise gfed_ex.GFedv1ArgumentError(str(e))
return result
def __init__(self):
"""
Initialise logger and clear delegate.
"""
super(GMAv2Handler, self).__init__(logger)
self._api_tools = pm.getService('apitools')
self._delegate = None
def _get_paths(self):
"""
Get full file paths for JSON files to load (config.json and defaults.json).
Returns:
dictionary containing the loaded JSON content
"""
config = pm.getService("config")
config_path = config.get("delegatetools.config_path")
supplemetary_fields_path = config.get(
"delegatetools.supplemetary_fileds_path")
service_registry_path = config.get(
"delegatetools.service_registry_path")
defaults_path = config.get("delegatetools.defaults_path")
authz_path = config.get("delegatetools.authz_path") #<UT>
roles_path = config.get("delegatetools.roles_path") #<UT>
return {
'CONFIG': expand_eisoil_path(config_path),
'DEFAULTS': expand_eisoil_path(defaults_path),
'SUPPLEMENTARY_FIELDS':
expand_eisoil_path(supplemetary_fields_path),
'REGISTRY': expand_eisoil_path(service_registry_path),
'AUTHZ': expand_eisoil_path(authz_path), #<UT>
'ROLES': expand_eisoil_path(roles_path), #<UT>
}
def update_slice_credentials_for_member(self, member_urn, credentials,
options):
"""
updates slice credentials after member certificate update due to membership renewal or revocation
"""
member_cert = options['MEMBER_CERTIFICATE']
slice_memberships = self.lookup_slice_membership_for_member(
member_urn, credentials, None)
geniutil = pm.getService('geniutil')
for membership in slice_memberships:
slice_cert = membership['SLICE_CERTIFICATE']
slice_creds_old = membership['SLICE_CREDENTIALS']
slice_prvlg, slice_urn = geniutil.get_privileges_and_target_urn(
slice_creds_old)
slice_exp = geniutil.get_expiration(slice_creds_old)
slice_creds_new = geniutil.create_credential_ex(
owner_cert=member_cert,
target_cert=slice_cert,
issuer_key=self._sa_pr,
issuer_cert=self._sa_c,
privileges_list=slice_prvlg,
expiration=slice_exp)
update_data = {
'members_to_change': [{
'SLICE_CREDENTIALS': slice_creds_new
}]
}
self._resource_manager_tools.member_modify(self.AUTHORITY_NAME,
'slice_member',
slice_urn, update_data,
'SLICE_MEMBER',
'SLICE_URN')
def verify_credentials(self, credentials, owner_cert, target_urn=None):
"""
Verifies if credentials are valid and trusted. If yes, then returns a list of associated privileges
:param credentials: credentials to verify
:param target_urn: Target object's urn of these credentials
:return: If verification passed, the a list of privileges associated with the passed credentials
"""
if credentials is None or len(credentials) <= 0 or not isinstance(
credentials[0], dict):
raise GFedv2ArgumentError("Passed invalid or no credentials")
geniutil = pm.getService('geniutil')
priv_from_cred, target_urn_from_cred = geniutil.get_privileges_and_target_urn(
credentials)
user_urn_from_cert, _, _ = geniutil.extract_certificate_info(
owner_cert)
#If given are system member credentials then target_urn cannot be used in verification
if user_urn_from_cert == target_urn_from_cred:
geniutil.verify_credential_ex(credentials,
owner_cert,
user_urn_from_cert,
self.TRUSTED_CERT_PATH,
crl_path=self.TRUSTED_CRL_PATH)
else:
geniutil.verify_credential_ex(credentials,
owner_cert,
target_urn,
self.TRUSTED_CERT_PATH,
crl_path=self.TRUSTED_CRL_PATH)
return priv_from_cred
def synch_certs(self):
"""
Runs forever in order to synchronize root certs with trusted peer
"""
time.sleep(SynchRootCerts.SELF_WARMUP_TIME_SEC)
self_authority = self.get_self_authority()
geniutil = pm.getService('geniutil')
while True:
for peer in self._trusted_peers:
cert_list = self.pull_certs(peer['host_endpoint'], peer['host_ip'], peer['host_port'])
if cert_list:
for cert in cert_list:
info = geniutil.extract_certificate_info(cert)
if info:
auth, typ, name = geniutil.decode_urn(info[0])
if (not auth == self_authority) and name in ['ca', 'sa', 'ma']:
file_name = "+".join([auth, typ, name])+'-cert.pem'
file_path = os.path.join(self._trusted_cert_path, file_name)
if not os.path.isfile(file_path):
with open(file_path,"w") as f:
f.write(cert)
logger.info("Wrote pulled cert file %s from %s", file_name, peer['host_ip'])
time.sleep(SynchRootCerts.PULL_REQUEST_INTERVAL_SEC)
def setup():
# setup config keys
# config = pm.getService("config")
delegate = DHCPGENI3Delegate()
handler = pm.getService('geniv3handler')
handler.setDelegate(delegate)
def setup():
config = pm.getService("config")
#print "*** "+ str(config.get('flask.app_port'))
# create default configurations (if they are not already in the database)
config.install("flask.bind", "0.0.0.0", "IP to bind the Flask RPC to.")
config.install("flask.hostname", _get_hostname(config.get('flask.bind')),
"Hostname of Flask RPC server.")
config.install("flask.cbas_hostname", "cbas.eict.de",
"Hostname of Flask RPC server.")
config.install("flask.fcgi_port", 9009,
"Port to bind the Flask RPC to (FCGI server).")
config.install("flask.app_port", 8008,
"Port to bind the Flask RPC to (standalone server).")
config.install("flask.debug", True,
"Write logging messages for the Flask RPC server.")
config.install("flask.fcgi", False,
"Use FCGI server instead of the development server.")
config.install(
"flask.force_client_cert", True,
"Only applies if flask.debug is set: Determines if the client _must_ present a certificate. No validation is performed."
)
# create and register the RPC server
flaskserver = FlaskServer()
pm.registerService('rpcserver', flaskserver)
# create and register the XML-RPC server
xmlrpc = FlaskXMLRPC(flaskserver)
pm.registerService('xmlrpc', xmlrpc)
def __init__(self):
"""
Initialise logger and clear delegate.
"""
super(GRegistryv2Handler, self).__init__(logger)
self._api_tools = pm.getService('apitools')
self._delegate = None
def all_trusted_certs(self):
"""
Return all trusted certificates as defined in the registry config file (registry.json).
"""
certs = self._delegate_tools.get_registry()["TRUST_ROOTS"]
#TODO: Subsitute magic markers
if "INFER_SAs" in certs:
certs.remove("INFER_SAs")
for s in self.all_slice_authorities():
certs.append(s['SERVICE_CERT'])
if "INFER_MAs" in certs:
certs.remove("INFER_MAs")
for s in self.all_member_authorities():
certs.append(s['SERVICE_CERT'])
config = pm.getService('config')
trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
# Go through the dir and fetch trusted certificates
src_files = os.listdir(trusted_cert_path)
for file_name in src_files:
full_file_name = os.path.join(trusted_cert_path, file_name)
if os.path.isfile(full_file_name):
with open (full_file_name, "r") as cert_file:
cert_str =cert_file.read()
certs.append(cert_str)
return certs
def synch_certs(self):
"""
Runs forever in order to synchronize root certs with trusted peer
"""
time.sleep(SynchRootCerts.SELF_WARMUP_TIME_SEC)
self_authority = self.get_self_authority()
geniutil = pm.getService('geniutil')
while True:
for peer in self._trusted_peers:
cert_list = self.pull_certs(peer['host_endpoint'],
peer['host_ip'], peer['host_port'])
if cert_list:
for cert in cert_list:
info = geniutil.extract_certificate_info(cert)
if info:
auth, typ, name = geniutil.decode_urn(info[0])
if (not auth == self_authority) and name in [
'ca', 'sa', 'ma'
]:
file_name = "+".join([auth, typ, name
]) + '-cert.pem'
file_path = os.path.join(
self._trusted_cert_path, file_name)
if not os.path.isfile(file_path):
with open(file_path, "w") as f:
f.write(cert)
logger.info(
"Wrote pulled cert file %s from %s",
file_name, peer['host_ip'])
time.sleep(SynchRootCerts.PULL_REQUEST_INTERVAL_SEC)
def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
"""
This method authenticates and authorizes.
It returns the client's urn, uuid, email (extracted from the {client_cert}). Example call: "urn, uuid, email = self.auth(...)"
Be aware, the email is not required in the certificate, hence it might be empty.
If the validation fails, an GENIv3ForbiddenError is thrown.
The credentials are checked so the user has all the required privileges (success if any credential fits all privileges).
The client certificate is not checked: this is usually done via the webserver configuration.
This method only treats certificates of type 'geni_sfa'.
Here a list of possible privileges (format: right_in_credential: [privilege1, privilege2, ...]):
"authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
"refresh" : ["remove", "update"],
"resolve" : ["resolve", "list", "getcredential"],
"sa" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
"getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
"deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
"embed" : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
"deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
"bind" : ["getticket", "loanresources", "redeemticket"],
"control" : ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
"deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
"info" : ["listslices", "listnodes", "getpolicy"],
"ma" : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
"operator" : ["gettrustedcerts", "getgids"],
"*" : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]
When using the gcf clearinghouse implementation the credentials will have the rights:
- user: "******", "resolve", "info" (which resolves to the privileges: "remove", "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
- slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)
"""
# check variables
if not isinstance(privileges, tuple):
raise TypeError("Privileges need to be a tuple.")
# collect credentials (only GENI certs, version ignored)
geni_credentials = []
for c in credentials:
if c['geni_type'] == 'geni_sfa':
geni_credentials.append(c['geni_value'])
# get the cert_root
config = pm.getService("config")
cert_root = expand_eisoil_path(config.get("geniv3rpc.cert_root"))
if client_cert == None:
raise GENIv3ForbiddenError("Could not determine the client SSL certificate")
# test the credential
try:
cred_verifier = ext.geni.CredentialVerifier(cert_root)
cred_verifier.verify_from_strings(client_cert, geni_credentials, slice_urn, privileges)
except Exception as e:
raise GENIv3ForbiddenError(str(e))
user_gid = gid.GID(string=client_cert)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email # TODO document return
class DHCPResourceManager(object):
"""
This class provides the necessary functions to manage DHCP leases.
Please see the wiki for more information on Resource Managers.
In this resource manager, we are using simple python dicts to pass the data to the delegate.
In a more sophisticated AM, one should probably define a decent class for passing the data.
"""
config = pm.getService("config")
RESERVATION_TIMEOUT = config.get(
"dhcprm.max_reservation_duration") # sec in the allocated state
MAX_LEASE_DURATION = config.get(
"dhcprm.max_lease_duration"
) # sec in the provisioned state (you can always call renew)
EXPIRY_CHECK_INTERVAL = 10 # sec
ip_schedule = Schedule("DHCPLease", MAX_LEASE_DURATION)
def __init__(self):
super(DHCPResourceManager, self).__init__()
# register callback for regular updates
worker.addAsReccurring("dhcpresourcemanager", "expire_leases", None,
self.EXPIRY_CHECK_INTERVAL)
def get_all_leases(self):
valuedicts = []
for ip in IP([192, 168, 1, 1]).upto(
IP([192, 168, 1, 20])
): # for the sake of simplicity, we set the ip range statically (should be a config option)
ip_str = str(ip)
# is there any current reservation for that lease?
records = self.ip_schedule.find(resource_id=ip_str,
start_time=datetime.utcnow())
if not records: # empty list
valuedicts.append(self._convert_reservation_to_dict(ip_str))
else: # there should only be one record
valuedicts.append(
self._convert_reservation_to_dict(ip_str, records[0]))
return valuedicts
def reserve_lease(self,
ip_str,
slice_name,
owner_uuid,
owner_email=None,
end_time=None):
end_time = self._revise_end_time(end_time, ip_str)
reservation = None
try:
reservation = self.ip_schedule.reserve(
resource_id=ip_str,
resource_spec={"additional_information": "unused"},
slice_id=slice_name,
user_id=owner_email,
end_time=end_time)
except sex.ScheduleOverbookingError, e:
raise DHCPLeaseAlreadyTaken(ip_str)
return self._convert_reservation_to_dict(ip_str, reservation)
def runServer(self):
"""Starts up the server. It (will) support different config options via the config plugin."""
config = pm.getService("config")
debug = config.get("flask.debug")
cFCGI = config.get("flask.fcgi")
host = config.get("flask.bind")
app_port = config.get("flask.app_port")
fcgi_port = config.get("flask.fcgi_port")
must_have_client_cert = config.get("flask.force_client_cert")
if cFCGI:
logger.info("registering fcgi server at %s:%i", host, fcgi_port)
from flup.server.fcgi import WSGIServer
WSGIServer(self._app, bindAddress=(host, fcgi_port)).run()
else:
logger.info("registering app server at %s:%i", host, app_port)
# do the following line manually, so we can intervene and adjust the ssl context
# self._app.run(host=host, port=app_port, ssl_context='adhoc', debug=debug, request_handler=ClientCertHTTPRequestHandler)
# the code from flask's `run...`
# see https://github.com/mitsuhiko/flask/blob/master/flask/app.py
options = {}
try:
# now the code from werkzeug's `run_simple(host, app_port, self._app, **options)`
# see https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/serving.py
from werkzeug.debug import DebuggedApplication
import socket
application = DebuggedApplication(self._app, True)
# Set up an SSL context
cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
cert_key_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
context = SSL.Context(SSL.SSLv23_METHOD)
context_crt = os.path.join(cert_path, "ch-cert.pem")
context_key = os.path.join(cert_key_path, "ch-key.pem")
try:
context.use_certificate_file(context_crt)
context.use_privatekey_file(context_key)
except Exception as e:
logger.critical("error starting flask server. Cert or key is missing under %s", cert_path)
sys.exit(e)
def inner():
# server = serving.make_server(host, app_port, self._app, False, 1, ClientCertHTTPRequestHandler, False, 'adhoc')
server = serving.make_server(host, app_port, self._app, False, 1, ClientCertHTTPRequestHandler, False, ssl_context=context)
# The following line is the reason why I copied all that code!
if must_have_client_cert:
server.ssl_context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda a,b,c,d,e: True)
# That's it
server.serve_forever()
address_family = serving.select_ip_version(host, app_port)
test_socket = socket.socket(address_family, socket.SOCK_STREAM)
test_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
test_socket.bind((host, app_port))
test_socket.close()
serving.run_with_reloader(inner, None, 1)
finally:
self._app._got_first_request = False
def setup():
config = pm.getService("config")
config.install("schedule.dbpath", "deploy/schedule.db", "Path to the schedule database (if relative, eiSoil's root will be assumed as base).")
from schedulep import Schedule
pm.registerService('schedule', Schedule)
import scheduleexceptions as exceptions_package
pm.registerService('scheduleexceptions', exceptions_package)
def __init__(self):
"""
Get plugins for use in other class methods.
Retrieve whitelists for use in validity checking.
"""
self._slice_authority_resource_manager = pm.getService(
'osliceauthorityrm')
self._delegate_tools = pm.getService('delegatetools')
self._api_tools = pm.getService('apitools')
self._logging_authority_resource_manager = pm.getService(
'ologgingauthorityrm')
self._slice_whitelist = self._delegate_tools.get_whitelist('SLICE')
self._sliver_info_whitelist = self._delegate_tools.get_whitelist(
'SLIVER_INFO')
self._project_whitelist = self._delegate_tools.get_whitelist('PROJECT')
self._gsav2handler = pm.getService('gsav2handler')
def __init__(self):
"""
Get plugins for use in other class methods.
Set unique keys.
"""
super(OLoggingAuthorityResourceManager, self).__init__()
self._resource_manager_tools = pm.getService('resourcemanagertools')
self._set_unique_keys()
def __init__(self):
"""
Get plugins for use in other class methods.
Checks consistency of 'SERVICES' fields defined in configuration
(config.json).
"""
self._logging_authority_resource_manager = pm.getService(
'ologgingauthorityrm')
def renew_membership(self, urn):
"""
Renew membership through certificate and credential renewal
:param urn: user urn
:return:
"""
lookup_result = self._resource_manager_tools.object_lookup(
self.AUTHORITY_NAME, 'member', {'MEMBER_URN': urn}, [])
if not lookup_result:
raise self.gfed_ex.GFedv2ArgumentError(
"Specified user does not exist")
member_details = lookup_result[0]
user_email = member_details['MEMBER_EMAIL']
user_uuid = member_details['MEMBER_UID']
geniutil = pm.getService('geniutil')
cred_expiry = dt.datetime.utcnow() + dt.timedelta(
days=self.CERT_VALIDITY_PERIOD)
u_c, u_pu, u_pr = geniutil.create_certificate(
urn=urn,
issuer_key=self._ma_cert_key_str,
issuer_cert=self._ma_cert_str,
email=str(user_email),
uuidarg=str(user_uuid),
serial_number=self._issue_cert_serial_num(),
life_days=self.CERT_VALIDITY_PERIOD)
logger.warning("renew_membership certificate = {}".format())
privileges, _ = geniutil.get_privileges_and_target_urn([{
'geni_type':
'geni_sfa',
'geni_version':
'3',
'geni_value':
member_details['MEMBER_CREDENTIALS']
}])
u_cred = geniutil.create_credential_ex(
owner_cert=u_c,
target_cert=u_c,
issuer_key=self._ma_cert_key_str,
issuer_cert=self._ma_cert_str,
privileges_list=privileges,
expiration=cred_expiry)
self.revoke_certificate(urn, 'superseded')
member_details['MEMBER_CERTIFICATE'] = u_c
member_details['MEMBER_CREDENTIALS'] = u_cred
self._resource_manager_tools.object_update(self.AUTHORITY_NAME,
member_details, 'member',
{'MEMBER_URN': urn})
# Add certificate key to return values
member_details['MEMBER_CERTIFICATE_KEY'] = u_pr
return member_details
def urn(self):
"""
Get the URN for this Federation Registry.
Retrieve the hostname from the Flask eiSoil plugin and use this to build
the URN.
"""
oma = pm.getService('omemberauthorityrm')
return 'urn:publicid:IDN+' + oma._hostname + '+authority+fr'
def _find_service(self, typ, authority):
"""
Returns the first service dictionary matching the {typ}e and {urn}. None if none is found.
"""
geniutil = pm.getService('geniutil')
for service in self._delegate_tools.get_registry()['SERVICES']:
sauth, styp, sname = geniutil.decode_urn(service['service_urn'])
if (service['service_type'] == typ) and (sauth == authority):
return service
return None
