def verify(self, gid, credentials, target_urn, privileges):
'''Verify that the given Source GID supplied at least one credential
in the given list of credentials that has all the privileges required
in the privileges list on the given target.
IE if any of the supplied credentials has a caller that matches gid
and a target that matches target_urn, and has all the privileges in
the given list, then return the list of credentials that were ok.
Throw an Exception if we fail to verify any credential.'''
# Note that here we treat a list of credentials as being options
# Alternatively could accumulate privileges for example
# The semantics of the list of credentials is under specified.
self.logger.debug('Verifying privileges')
result = list()
failure = ""
tried_creds = ""
for cred in credentials:
if tried_creds != "":
tried_creds = "%s, %s" % (tried_creds, cred.get_gid_caller().get_urn())
else:
tried_creds = cred.get_gid_caller().get_urn()
if not self.verify_source(gid, cred):
failure = "Cred %s fails: Source URNs dont match" % cred.get_gid_caller().get_urn()
continue
if not self.verify_target(target_urn, cred):
failure = "Cred %s on %s fails: Target URNs dont match" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
continue
if not self.verify_privileges(privileges, cred):
failure = "Cert %s doesn't have sufficient privileges" % cred.get_gid_caller().get_urn()
continue
print
try:
if not cred.verify(self.root_cert_files):
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
continue
except Exception, exc:
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
self.logger.info(failure)
continue
# If got here it verified
result.append(cred)
def verify(self, gid, credentials, target_urn, privileges):
'''Verify that the given Source GID supplied at least one credential
in the given list of credentials that has all the privileges required
in the privileges list on the given target.
IE if any of the supplied credentials has a caller that matches gid
and a target that matches target_urn, and has all the privileges in
the given list, then return the list of credentials that were ok.
Throw an Exception if we fail to verify any credential.'''
# Note that here we treat a list of credentials as being options
# Alternatively could accumulate privileges for example
# The semantics of the list of credentials is under specified.
result = list()
failure = ""
tried_creds = ""
if len(credentials) == 0:
failure = "No credentials found"
for cred in credentials:
if cred is None:
failure = "Credential was unparseable"
continue
if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
cS = cred.get_gid_caller().get_urn()
elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
cS = cred.get_summary_tostring()
else:
cS = "Unknown credential type %s" % cred.get_cred_type()
if tried_creds != "":
tried_creds = "%s, %s" % (tried_creds, cS)
else:
tried_creds = cS
if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
failure = "Not an SFA credential: " + cS
continue
#if not self.verify_source(gid, cred):
# failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
# continue
if not self.verify_target(target_urn, cred):
failure = "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
continue
if not self.verify_privileges(privileges, cred):
failure = "Cred for %s over %s doesn't provide sufficient privileges" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
continue
try:
if not cred.verify(self.root_cert_files):
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
continue
except Exception, exc:
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
continue
# If got here it verified
result.append(cred)
def verify(self, gid, credentials, target_urn, privileges):
'''Verify that the given Source GID supplied at least one credential
in the given list of credentials that has all the privileges required
in the privileges list on the given target.
IE if any of the supplied credentials has a caller that matches gid
and a target that matches target_urn, and has all the privileges in
the given list, then return the list of credentials that were ok.
Throw an Exception if we fail to verify any credential.'''
# Note that here we treat a list of credentials as being options
# Alternatively could accumulate privileges for example
# The semantics of the list of credentials is under specified.
result = list()
failure = ""
tried_creds = ""
if len(credentials) == 0:
failure = "No credentials found"
for cred in credentials:
if cred is None:
failure = "Credential was unparseable"
continue
if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
cS = cred.get_gid_caller().get_urn()
elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
cS = cred.get_summary_tostring()
else:
cS = "Unknown credential type %s" % cred.get_cred_type()
if tried_creds != "":
tried_creds = "%s, %s" % (tried_creds, cS)
else:
tried_creds = cS
if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
failure = "Not an SFA credential: " + cS
continue
# if not self.verify_source(gid, cred):
# failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
# continue
if not self.verify_target(target_urn, cred):
failure = "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
continue
if not self.verify_privileges(privileges, cred):
failure = "Cred for %s over %s doesn't provide sufficient privileges" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
continue
try:
if not cred.verify(self.root_cert_files):
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
continue
except Exception, exc:
failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
continue
# If got here it verified
result.append(cred)