Esempio n. 1
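    def checkCredentials(self,
                         creds,
                         operation,
                         xrns=[],
                         check_sliver_callback=None,
                         speaking_for_hrn=None):
        """Return the credentials from *creds* that pass self.check().

        Each credential is checked against every non-sliver hrn derived from
        *xrns* (or against ``None`` once when there is none). A credential is
        appended to the result once per hrn it passes for, so the returned
        list may contain duplicates.

        Args:
            creds: one credential or a list of credentials.
            operation: operation name handed to self.check().
            xrns: one xrn or a list of urns/hrns the call targets.
            check_sliver_callback: callable invoked as
                ``check_sliver_callback(valid, sliver_xrns)`` when *xrns*
                contains sliver xrns.
            speaking_for_hrn: when set, a credential that fails for the
                target hrn is re-checked against this hrn.

        Raises:
            BadArgs: an entry of *xrns* is empty, or no credential was given.
            Forbidden: sliver xrns were given without a callback, or no
                credential passed.
            InsufficientRights: *speaking_for_hrn* was given but no credential
                was accepted through the speaking-for fallback.
        """
        # NOTE: the ``xrns=[]`` default is shared between calls; this body only
        # rebinds it. NOTE(review): confirm Xrn.filter_type does not mutate
        # its argument.

        def log_invalid_cred(cred):
            # Must run inside an ``except`` block: it returns the (type, value)
            # of the exception currently being handled.
            # NOTE(review): the full credential, parents included, is written
            # to the debug log; confirm who can read that log.
            cred_obj = Credential(string=cred)
            logger.debug("failed to validate credential - dump=%s" %
                         cred_obj.dump_string(dump_parents=True))
            return sys.exc_info()[:2]

        # if xrns are specified they cannot be None or empty string
        if xrns:
            for xrn in xrns:
                if not xrn:
                    raise BadArgs("Invalid urn or hrn")

        if not isinstance(xrns, list):
            xrns = [xrns]

        sliver_xrns = Xrn.filter_type(xrns, 'sliver')

        # we are not able to validate slivers in the traditional way so
        # we make sure not to include sliver urns/hrns in the core validation loop
        hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
        valid = []
        speaks_for_cred = None
        # Fix: `error` used to be bound only inside the except handlers, so the
        # InsufficientRights message below failed with an unbound-variable
        # error whenever every credential passed on the first check.
        error = (None, None)
        if not isinstance(creds, list):
            creds = [creds]
        logger.debug("Auth.checkCredentials with %d creds on hrns=%s" %
                     (len(creds), hrns))
        # won't work if either creds or hrns is empty - let's make it more explicit
        if not creds:
            raise BadArgs(
                "no credential provided")  #Forbidden("no credential provided")
        if not hrns:
            # no target hrn: self.check() is still called once per credential
            hrns = [None]

        # NOTE(review): a credential lands in `valid` as soon as it passes for
        # ONE hrn; nothing here requires a credential to cover every requested
        # hrn. Confirm callers do not read a non-empty result as authorization
        # for all of `xrns`.
        for cred in creds:
            for hrn in hrns:
                try:
                    self.check(cred, operation, hrn)
                    valid.append(cred)
                # `Exception` rather than a bare except, so that
                # KeyboardInterrupt / SystemExit are not recorded as a
                # failed credential and silently dropped.
                except Exception:
                    if not speaking_for_hrn:
                        error = log_invalid_cred(cred)
                        continue
                    # NOTE(review): the fallback only runs after the direct
                    # check failed, and any credential that passes self.check()
                    # for speaking_for_hrn is taken as the speaks-for
                    # credential; verify that is the intended test.
                    try:
                        self.check(cred, operation, speaking_for_hrn)
                        speaks_for_cred = cred
                        valid.append(cred)
                    except Exception:
                        error = log_invalid_cred(cred)

        # make sure all sliver xrns are validated against the valid credentials
        if sliver_xrns:
            if not check_sliver_callback:
                msg = "sliver verification callback method not found."
                msg += " Unable to validate sliver xrns: %s" % sliver_xrns
                raise Forbidden(msg)
            check_sliver_callback(valid, sliver_xrns)

        if not valid:
            raise Forbidden("Invalid credential")

        if speaking_for_hrn and not speaks_for_cred:
            raise InsufficientRights(
                'Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s'
                % (error[0], error[1]))

        return valid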
Esempio n. 2
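    def checkCredentials(self, creds, operation, xrns=None,
                         check_sliver_callback=None,
                         speaking_for_xrn=None):
        """Return the credentials from *creds* accepted for *operation*.

        Args:
            creds: one credential or a list of credentials.
            operation: operation name handed to self.check().
            xrns: one xrn or a list of urns/hrns the call targets.
            check_sliver_callback: callable invoked as
                ``check_sliver_callback(valid, sliver_xrns)`` when *xrns*
                contains sliver xrns.
            speaking_for_xrn: passed through to determine_speaks_for().

        Raises:
            BadArgs: an entry of *xrns* is empty.
            Forbidden: no credential was given, sliver xrns were given without
                a callback, or no credential was accepted.
        """
        if xrns is None:
            xrns = []

        def log_invalid_cred(cred):
            # Always returns a 2-item (kind, detail) pair, because the caller
            # indexes error[0] / error[1] when it builds the Forbidden message.
            # Fix: the non-string branch used to return a plain str, so the
            # message showed only its first two characters.
            if not isinstance(cred, StringTypes):
                # (cred,) keeps the %-format valid when cred is itself a tuple
                logger.info("cannot validate credential %s - expecting a string" % (cred,))
                return (TypeError,
                        "checkCredentials: expected a string, received %s" % (type(cred)))
            # NOTE(review): the full credential, parents included, is written
            # to the log at info level; confirm who can read that log.
            cred_obj = Credential(string=cred)
            logger.info("failed to validate credential - dump=%s" %
                        cred_obj.dump_string(dump_parents=True))
            return sys.exc_info()[:2]

        # if xrns are specified they cannot be None or empty string
        if xrns:
            for xrn in xrns:
                if not xrn:
                    raise BadArgs("Invalid urn or hrn")

        if not isinstance(xrns, list):
            xrns = [xrns]

        sliver_xrns = Xrn.filter_type(xrns, 'sliver')

        # we are not able to validate slivers in the traditional way so
        # we make sure not to include sliver urns/hrns in the core validation loop
        hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
        valid = []
        if not isinstance(creds, list):
            creds = [creds]
        logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
        # won't work if either creds or hrns is empty - let's make it more explicit
        if not creds:
            raise Forbidden("no credential provided")
        if not hrns:
            # no target hrn: self.check() is still called once per credential
            hrns = [None]
        error = [None, None]

        speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
                                              speaking_for_xrn, self.trusted_cert_list)

        # NOTE(review): when the peer certificate's key differs from the key of
        # the GID returned by determine_speaks_for, every supplied credential
        # is accepted as-is and self.check() is never called, so neither
        # `operation` nor the target hrns are enforced by this method on that
        # path. Presumably determine_speaks_for has validated a speaks-for
        # credential by then; confirm that rights and targets are checked
        # there or by the caller.
        if self.peer_cert and \
           not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
            valid = creds
        else:
            # NOTE(review): a credential lands in `valid` as soon as it passes
            # for ONE hrn (once per hrn it passes for); nothing here requires
            # it to cover every requested hrn.
            for cred in creds:
                for hrn in hrns:
                    try:
                        self.check(cred, operation, hrn)
                        valid.append(cred)
                    # `Exception` rather than a bare except, so that
                    # KeyboardInterrupt / SystemExit are not recorded as a
                    # failed credential and silently dropped.
                    except Exception:
                        error = log_invalid_cred(cred)

        # make sure all sliver xrns are validated against the valid credentials
        if sliver_xrns:
            if not check_sliver_callback:
                msg = "sliver verification callback method not found."
                msg += " Unable to validate sliver xrns: %s" % sliver_xrns
                raise Forbidden(msg)
            check_sliver_callback(valid, sliver_xrns)

        if not valid:
            raise Forbidden("Invalid credential %s -- %s"%(error[0],error[1]))

        return valid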
Esempio n. 3
File: auth.py Progetto: aquila/sfa
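    def checkCredentials(self, creds, operation, xrns=[], check_sliver_callback=None, speaking_for_hrn=None):
        """Return the credentials from *creds* that pass self.check().

        Each credential is checked against every non-sliver hrn derived from
        *xrns* (or against ``None`` once when there is none). A credential is
        appended to the result once per hrn it passes for, so the returned
        list may contain duplicates.

        Args:
            creds: one credential or a list of credentials.
            operation: operation name handed to self.check().
            xrns: one xrn or a list of urns/hrns the call targets.
            check_sliver_callback: callable invoked as
                ``check_sliver_callback(valid, sliver_xrns)`` when *xrns*
                contains sliver xrns.
            speaking_for_hrn: when set, a credential that fails for the
                target hrn is re-checked against this hrn.

        Raises:
            BadArgs: an entry of *xrns* is empty.
            Forbidden: no credential was given, sliver xrns were given without
                a callback, or no credential passed.
            InsufficientRights: *speaking_for_hrn* was given but no credential
                was accepted through the speaking-for fallback.
        """
        # NOTE: the ``xrns=[]`` default is shared between calls; this body only
        # rebinds it. NOTE(review): confirm Xrn.filter_type does not mutate
        # its argument.

        def log_invalid_cred(cred):
            # Must run inside an ``except`` block: it returns the (type, value)
            # of the exception currently being handled.
            # NOTE(review): the full credential, parents included, is written
            # to the debug log; confirm who can read that log.
            cred_obj = Credential(string=cred)
            logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
            return sys.exc_info()[:2]

        # if xrns are specified they cannot be None or empty string
        if xrns:
            for xrn in xrns:
                if not xrn:
                    raise BadArgs("Invalid urn or hrn")

        if not isinstance(xrns, list):
            xrns = [xrns]

        sliver_xrns = Xrn.filter_type(xrns, 'sliver')

        # we are not able to validate slivers in the traditional way so
        # we make sure not to include sliver urns/hrns in the core validation loop
        hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
        valid = []
        speaks_for_cred = None
        # Fix: `error` used to be bound only inside the except handlers, so the
        # InsufficientRights message below failed with an unbound-variable
        # error whenever every credential passed on the first check.
        error = (None, None)
        if not isinstance(creds, list):
            creds = [creds]
        logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
        # won't work if either creds or hrns is empty - let's make it more explicit
        if not creds:
            raise Forbidden("no credential provided")
        if not hrns:
            # no target hrn: self.check() is still called once per credential
            hrns = [None]

        # NOTE(review): a credential lands in `valid` as soon as it passes for
        # ONE hrn; nothing here requires a credential to cover every requested
        # hrn. Confirm callers do not read a non-empty result as authorization
        # for all of `xrns`.
        for cred in creds:
            for hrn in hrns:
                try:
                    self.check(cred, operation, hrn)
                    valid.append(cred)
                # `Exception` rather than a bare except, so that
                # KeyboardInterrupt / SystemExit are not recorded as a
                # failed credential and silently dropped.
                except Exception:
                    if not speaking_for_hrn:
                        error = log_invalid_cred(cred)
                        continue
                    # NOTE(review): the fallback only runs after the direct
                    # check failed, and any credential that passes self.check()
                    # for speaking_for_hrn is taken as the speaks-for
                    # credential; verify that is the intended test.
                    try:
                        self.check(cred, operation, speaking_for_hrn)
                        speaks_for_cred = cred
                        valid.append(cred)
                    except Exception:
                        error = log_invalid_cred(cred)

        # make sure all sliver xrns are validated against the valid credentials
        if sliver_xrns:
            if not check_sliver_callback:
                msg = "sliver verification callback method not found."
                msg += " Unable to validate sliver xrns: %s" % sliver_xrns
                raise Forbidden(msg)
            check_sliver_callback(valid, sliver_xrns)

        if not valid:
            raise Forbidden("Invalid credential")

        if speaking_for_hrn and not speaks_for_cred:
            raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))

        return valid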