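def checkCredentials(self, creds, operation, xrns=None, check_sliver_callback=None, speaking_for_hrn=None):
    """
    Return the credentials in `creds` that pass self.check for `operation`.

    Every credential is checked against each non-sliver target derived from
    `xrns` (or once with hrn=None when there is no such target).  A credential
    that fails is retried against `speaking_for_hrn` when that is given.
    Sliver xrns are not checked here; they are handed, together with the
    accepted credentials, to `check_sliver_callback(valid, sliver_xrns)`.

    creds                  -- one credential or a list of credentials
    operation              -- passed through to self.check
    xrns                   -- one urn/hrn or a list of them; entries must be non-empty
    check_sliver_callback  -- required as soon as `xrns` holds sliver xrns
    speaking_for_hrn       -- hrn used for the speaks-for retry

    Returns the list of accepted credentials.  A credential is appended once
    per successful check, so it can appear more than once.

    Raises BadArgs for an empty xrn or an empty `creds`, Forbidden when sliver
    xrns come without a callback or when nothing validated, and
    InsufficientRights when `speaking_for_hrn` is given but no credential
    validated against it.
    """
    def log_invalid_cred(cred):
        # Grab the exception being handled first, so that nothing done while
        # logging can replace it.
        error = sys.exc_info()[:2]
        try:
            cred_obj = Credential(string=cred)
            # NOTE(review): this writes a credential dump to the debug log -
            # confirm who can read that log.
            logger.debug("failed to validate credential - dump=%s" % cred_obj.dump_string(dump_parents=True))
        except Exception:
            # Presumably a credential that failed validation can also fail to
            # parse or dump; logging is best-effort and must not replace the
            # Forbidden / InsufficientRights raised below.
            logger.debug("failed to validate credential - could not dump it")
        return error

    if xrns is None:
        xrns = []

    # if xrns are specified they cannot be None or empty string
    if xrns:
        for xrn in xrns:
            if not xrn:
                raise BadArgs("Invalid urn or hrn")
    if not isinstance(xrns, list):
        xrns = [xrns]

    # slice_xrns is not used below; the call is kept because the behavior of
    # Xrn.filter_type is not visible from this method
    slice_xrns = Xrn.filter_type(xrns, 'slice')
    sliver_xrns = Xrn.filter_type(xrns, 'sliver')

    # we are not able to validate slivers in the traditional way so
    # we make sure not to include sliver urns/hrns in the core validation loop
    hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
    valid = []
    speaks_for_cred = None
    # Always bound, so the InsufficientRights message below can be built even
    # when no check failed (it used to die on an unbound local instead).
    error = (None, None)
    if not isinstance(creds, list):
        creds = [creds]
    logger.debug("Auth.checkCredentials with %d creds on hrns=%s" % (len(creds), hrns))
    # won't work if either creds or hrns is empty - let's make it more explicit
    if not creds:
        raise BadArgs("no credential provided")
    if not hrns:
        hrns = [None]

    # NOTE(review): a credential is accepted as soon as it passes for one hrn,
    # so with several targets the returned list does not show that every
    # target is covered - confirm callers do not assume per-target coverage.
    for cred in creds:
        for hrn in hrns:
            try:
                self.check(cred, operation, hrn)
            except Exception:
                # Exception rather than a bare except: KeyboardInterrupt and
                # SystemExit must not be read as "credential rejected".
                if speaking_for_hrn:
                    # NOTE(review): this accepts a credential that failed for
                    # the requested hrn but passes for speaking_for_hrn, a
                    # value taken from the "geni_speaking_for" option - confirm
                    # self.check ties the credential to the authenticated caller.
                    try:
                        self.check(cred, operation, speaking_for_hrn)
                    except Exception:
                        error = log_invalid_cred(cred)
                    else:
                        speaks_for_cred = cred
                        valid.append(cred)
                else:
                    error = log_invalid_cred(cred)
            else:
                valid.append(cred)

    # make sure all sliver xrns are validated against the valid credentials
    if sliver_xrns:
        if not check_sliver_callback:
            msg = "sliver verification callback method not found."
            msg += " Unable to validate sliver xrns: %s" % sliver_xrns
            raise Forbidden(msg)
        check_sliver_callback(valid, sliver_xrns)

    if not valid:
        raise Forbidden("Invalid credential")

    if speaking_for_hrn and not speaks_for_cred:
        raise InsufficientRights(
            'Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s'
            % (error[0], error[1]))

    return valid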
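def checkCredentials(self, creds, operation, xrns=None, check_sliver_callback=None, speaking_for_xrn=None):
    """
    Return the credentials in `creds` that are accepted for `operation`.

    determine_speaks_for() is asked for the gid being spoken for.  When the
    peer certificate's public key differs from that gid's, every credential
    is accepted as is; otherwise each credential is checked with self.check
    against each non-sliver target derived from `xrns` (or once with hrn=None
    when there is no such target).  Sliver xrns are not checked here; they are
    handed, together with the accepted credentials, to
    `check_sliver_callback(valid, sliver_xrns)`.

    creds                  -- one credential or a list of credentials
    operation              -- passed through to self.check
    xrns                   -- one urn/hrn or a list of them; entries must be non-empty
    check_sliver_callback  -- required as soon as `xrns` holds sliver xrns
    speaking_for_xrn       -- passed through to determine_speaks_for

    Returns the list of accepted credentials.  In the self.check path a
    credential is appended once per successful check, so it can appear more
    than once.

    Raises BadArgs for an empty xrn, and Forbidden when `creds` is empty, when
    sliver xrns come without a callback, or when nothing validated.
    """
    if xrns is None:
        xrns = []

    def log_invalid_cred(cred):
        if not isinstance(cred, StringTypes):
            # (cred,) keeps a tuple credential from being unpacked as the
            # format arguments, which would raise TypeError here.
            logger.info("cannot validate credential %s - expecting a string" % (cred,))
            # Same (type, value) shape as sys.exc_info()[:2]; a bare string
            # would be indexed character by character in the final message.
            return (TypeError, "checkCredentials: expected a string, received %s" % (type(cred)))
        # Grab the exception being handled first, so that nothing done while
        # logging can replace it.
        error = sys.exc_info()[:2]
        try:
            cred_obj = Credential(string=cred)
            # NOTE(review): this writes a credential dump to the info log -
            # confirm who can read that log.
            logger.info("failed to validate credential - dump=%s" %
                        cred_obj.dump_string(dump_parents=True))
        except Exception:
            # Presumably a credential that failed validation can also fail to
            # parse or dump; logging is best-effort and must not replace the
            # Forbidden raised below.
            logger.info("failed to validate credential - could not dump it")
        return error

    # if xrns are specified they cannot be None or empty string
    if xrns:
        for xrn in xrns:
            if not xrn:
                raise BadArgs("Invalid urn or hrn")
    if not isinstance(xrns, list):
        xrns = [xrns]

    # slice_xrns is not used below; the call is kept because the behavior of
    # Xrn.filter_type is not visible from this method
    slice_xrns = Xrn.filter_type(xrns, 'slice')
    sliver_xrns = Xrn.filter_type(xrns, 'sliver')

    # we are not able to validate slivers in the traditional way so
    # we make sure not to include sliver urns/hrns in the core validation loop
    hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
    valid = []
    if not isinstance(creds, list):
        creds = [creds]
    logger.debug("Auth.checkCredentials with %d creds on hrns=%s" % (len(creds), hrns))
    # won't work if either creds or hrns is empty - let's make it more explicit
    if not creds:
        raise Forbidden("no credential provided")
    if not hrns:
        hrns = [None]
    error = [None, None]

    speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
                                          speaking_for_xrn, self.trusted_cert_list)

    if self.peer_cert and \
       not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
        # NOTE(review): in this branch no credential goes through self.check,
        # so `operation` and the target hrns are not evaluated here at all;
        # authorization rests on determine_speaks_for (not visible from this
        # method) - confirm it covers rights and targets.
        valid = creds
    else:
        # NOTE(review): a credential is accepted as soon as it passes for one
        # hrn, so with several targets the returned list does not show that
        # every target is covered - confirm callers do not assume that.
        for cred in creds:
            for hrn in hrns:
                try:
                    self.check(cred, operation, hrn)
                except Exception:
                    # Exception rather than a bare except: KeyboardInterrupt
                    # and SystemExit must not be read as "credential rejected".
                    error = log_invalid_cred(cred)
                else:
                    valid.append(cred)

    # make sure all sliver xrns are validated against the valid credentials
    if sliver_xrns:
        if not check_sliver_callback:
            msg = "sliver verification callback method not found."
            msg += " Unable to validate sliver xrns: %s" % sliver_xrns
            raise Forbidden(msg)
        check_sliver_callback(valid, sliver_xrns)

    if not valid:
        raise Forbidden("Invalid credential %s -- %s" % (error[0], error[1]))

    return valid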
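def checkCredentials(self, creds, operation, xrns=None, check_sliver_callback=None, speaking_for_hrn=None):
    """
    Return the credentials in `creds` that pass self.check for `operation`.

    Every credential is checked against each non-sliver target derived from
    `xrns` (or once with hrn=None when there is no such target).  A credential
    that fails is retried against `speaking_for_hrn` when that is given.
    Sliver xrns are not checked here; they are handed, together with the
    accepted credentials, to `check_sliver_callback(valid, sliver_xrns)`.

    creds                  -- one credential or a list of credentials
    operation              -- passed through to self.check
    xrns                   -- one urn/hrn or a list of them; entries must be non-empty
    check_sliver_callback  -- required as soon as `xrns` holds sliver xrns
    speaking_for_hrn       -- hrn used for the speaks-for retry

    Returns the list of accepted credentials.  A credential is appended once
    per successful check, so it can appear more than once.

    Raises BadArgs for an empty xrn, Forbidden when `creds` is empty, when
    sliver xrns come without a callback or when nothing validated, and
    InsufficientRights when `speaking_for_hrn` is given but no credential
    validated against it.
    """
    def log_invalid_cred(cred):
        # Take the exception being handled before anything else, so that the
        # logging code cannot replace it.
        error = sys.exc_info()[:2]
        try:
            cred_obj = Credential(string=cred)
            # NOTE(review): this writes a credential dump to the debug log -
            # confirm who can read that log.
            logger.debug("failed to validate credential - dump=%s" % cred_obj.dump_string(dump_parents=True))
        except Exception:
            # Presumably a credential that failed validation can also fail to
            # parse or dump; logging is best-effort and must not replace the
            # Forbidden / InsufficientRights raised below.
            logger.debug("failed to validate credential - could not dump it")
        return error

    if xrns is None:
        xrns = []

    # if xrns are specified they cannot be None or empty string
    if xrns:
        for xrn in xrns:
            if not xrn:
                raise BadArgs("Invalid urn or hrn")
    if not isinstance(xrns, list):
        xrns = [xrns]

    # slice_xrns is not used below; the call is kept because the behavior of
    # Xrn.filter_type is not visible from this method
    slice_xrns = Xrn.filter_type(xrns, 'slice')
    sliver_xrns = Xrn.filter_type(xrns, 'sliver')

    # we are not able to validate slivers in the traditional way so
    # we make sure not to include sliver urns/hrns in the core validation loop
    hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
    valid = []
    speaks_for_cred = None
    # Always bound, so the InsufficientRights message below can be built even
    # when no check failed (it used to die on an unbound local instead).
    error = (None, None)
    if not isinstance(creds, list):
        creds = [creds]
    logger.debug("Auth.checkCredentials with %d creds on hrns=%s" % (len(creds), hrns))
    # won't work if either creds or hrns is empty - let's make it more explicit
    if not creds:
        raise Forbidden("no credential provided")
    if not hrns:
        hrns = [None]

    # NOTE(review): a credential is accepted as soon as it passes for one hrn,
    # so with several targets the returned list does not show that every
    # target is covered - confirm callers do not assume per-target coverage.
    for cred in creds:
        for hrn in hrns:
            try:
                self.check(cred, operation, hrn)
            except Exception:
                # Exception rather than a bare except: KeyboardInterrupt and
                # SystemExit must not be read as "credential rejected".
                if speaking_for_hrn:
                    # NOTE(review): this accepts a credential that failed for
                    # the requested hrn but passes for speaking_for_hrn, a
                    # value taken from the "geni_speaking_for" option - confirm
                    # self.check ties the credential to the authenticated caller.
                    try:
                        self.check(cred, operation, speaking_for_hrn)
                    except Exception:
                        error = log_invalid_cred(cred)
                    else:
                        speaks_for_cred = cred
                        valid.append(cred)
                else:
                    error = log_invalid_cred(cred)
            else:
                valid.append(cred)

    # make sure all sliver xrns are validated against the valid credentials
    if sliver_xrns:
        if not check_sliver_callback:
            msg = "sliver verification callback method not found."
            msg += " Unable to validate sliver xrns: %s" % sliver_xrns
            raise Forbidden(msg)
        check_sliver_callback(valid, sliver_xrns)

    if not valid:
        raise Forbidden("Invalid credential")

    if speaking_for_hrn and not speaks_for_cred:
        raise InsufficientRights(
            'Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s'
            % (error[0], error[1]))

    return valid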