コード例 #1
ファイル: cred_util.py プロジェクト: HalasNet/felix
    def verify(self, gid, credentials, target_urn, privileges):
        """Screen a list of credentials against a target and a privilege set.

        Each entry of ``credentials`` is run through a fixed sequence of
        checks and is appended to ``result`` only when every check passes.
        An entry that fails any check is skipped and a human-readable reason
        is stored in ``failure`` (the variable is overwritten on every
        failure, so only the last reason survives).  Checks, in order: the
        entry is not None; it is an SFA credential (ABAC and unknown types
        are rejected); ``verify_target`` accepts it for ``target_urn``;
        ``verify_privileges`` accepts it for ``privileges``; and
        ``cred.verify(self.root_cert_files)`` returns true without raising.

        Args:
            gid: the caller's GID.  NOTE(review): the visible code never
                reads it -- the ``verify_source`` check that would compare it
                against the credential's caller is commented out below, so a
                credential issued to a different principal is not rejected on
                that basis in this listing.
            credentials: iterable of parsed credential objects; a None entry
                stands for one that could not be parsed.
            target_urn: URN of the object the caller wants to act on.
            privileges: privileges the caller must hold on that target.

        Returns / Raises:
            This listing ends at ``result.append(cred)``.  The return of
            ``result`` and the exception the original docstring promises
            (presumably built from ``failure`` and ``tried_creds``) are not
            shown here -- confirm against the full source.
        """

        # Note that here we treat a list of credentials as being options
        # Alternatively could accumulate privileges for example
        # The semantics of the list of credentials is under specified.

        result = list()
        failure = ""
        # Comma-separated summary of every credential examined; only built
        # here, not read anywhere in the visible part of the method.
        tried_creds = ""
        if len(credentials) == 0:
            failure = "No credentials found"
        for cred in credentials:
            if cred is None:
                failure = "Credential was unparseable"
                continue
            # cS is a printable label for this credential, used in messages.
            if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
                cS = cred.get_gid_caller().get_urn()
            elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
                cS = cred.get_summary_tostring()
            else:
                cS = "Unknown credential type %s" % cred.get_cred_type()

            if tried_creds != "":
                tried_creds = "%s, %s" % (tried_creds, cS)
            else:
                tried_creds = cS
            # Only SFA credentials are accepted; anything else (including the
            # ABAC type labelled above) is skipped.
            if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
                failure = "Not an SFA credential: " + cS
                continue

            # NOTE(review): the caller check is disabled.  With it commented
            # out, nothing below compares ``gid`` with the credential's caller
            # GID; whether that is intended should be confirmed with the
            # project.
            # if not self.verify_source(gid, cred):
            #    failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
            #    continue

            if not self.verify_target(target_urn, cred):
                failure = (
                    "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)"
                    % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
                )
                continue
            if not self.verify_privileges(privileges, cred):
                failure = "Cred for %s over %s doesn't provide sufficient privileges" % (
                    cred.get_gid_caller().get_urn(),
                    cred.get_gid_object().get_urn(),
                )
                continue
            # The signature / trust-chain check against the configured root
            # certs runs last: a credential's target and privileges are
            # inspected (and reported in ``failure``) before its signature is
            # validated.  A falsy result and a raised exception are both
            # treated as "not verified"; the exception text is folded into
            # the failure message.
            try:
                if not cred.verify(self.root_cert_files):
                    failure = (
                        "Couldn't validate credential for caller %s with target %s with any of %d known root certs"
                        % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                    )
                    continue
            except Exception, exc:  # Python 2 syntax; catches every error from cred.verify()
                failure = (
                    "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s"
                    % (
                        cred.get_gid_caller().get_urn(),
                        cred.get_gid_object().get_urn(),
                        len(self.root_cert_files),
                        exc.__class__.__name__,
                        exc,
                    )
                )
                continue
            # If got here it verified
            result.append(cred)
コード例 #2
    def verify(self, gid, credentials, target_urn, privileges):
        '''Screen a list of credentials against a caller, target and privileges.

        Each entry of ``credentials`` is run through a fixed sequence of
        checks and is appended to ``result`` only when every check passes.
        An entry that fails any check is skipped and a human-readable reason
        is stored in ``failure`` (overwritten on every failure, so only the
        last reason survives).  Checks, in order: ``verify_source`` accepts
        it for ``gid``; ``verify_target`` accepts it for ``target_urn``;
        ``verify_privileges`` accepts it for ``privileges``; and
        ``cred.verify(self.root_cert_files)`` returns true without raising.

        Args:
            gid: the caller's GID, compared with the credential's caller by
                ``verify_source``.
            credentials: iterable of parsed credential objects.  Unlike other
                variants of this method there is no None guard: a None entry
                raises AttributeError at the first ``get_gid_caller()`` call.
            target_urn: URN of the object the caller wants to act on.
            privileges: privileges the caller must hold on that target.

        Returns / Raises:
            This listing ends at ``result.append(cred)``.  The return of
            ``result`` and the exception the original docstring promises
            (presumably built from ``failure`` and ``tried_creds``) are not
            shown here -- confirm against the full source.
        '''

        # Note that here we treat a list of credentials as being options
        # Alternatively could accumulate privileges for example
        # The semantics of the list of credentials is under specified.

        self.logger.debug('Verifying privileges')
        result = list()
        failure = ""
        # Comma-separated list of caller URNs examined; only built here, not
        # read anywhere in the visible part of the method.
        tried_creds = ""
        for cred in credentials:
            if tried_creds != "":
                tried_creds = "%s, %s" % (tried_creds, cred.get_gid_caller().get_urn())
            else:
                tried_creds = cred.get_gid_caller().get_urn()

            # Caller, target and privilege checks are cheap structural checks
            # and run before the signature is validated below.
            if not self.verify_source(gid, cred):
                failure = "Cred %s fails: Source URNs dont match" % cred.get_gid_caller().get_urn()
                continue
            if not self.verify_target(target_urn, cred):
                failure = "Cred %s on %s fails: Target URNs dont match" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
                continue
            if not self.verify_privileges(privileges, cred):
                failure = "Cert %s doesn't have sufficient privileges" % cred.get_gid_caller().get_urn()
                continue


            # Stray Python 2 print statement with no arguments: emits an empty
            # line to stdout on every credential that reaches this point.
            print 
            # The signature / trust-chain check against the configured root
            # certs runs last.  A falsy result and a raised exception are both
            # treated as "not verified"; only the exception path is logged.
            try:
                if not cred.verify(self.root_cert_files):
                    failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                    continue
            except Exception, exc:  # Python 2 syntax; catches every error from cred.verify()
                failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
                self.logger.info(failure)
                continue
            # If got here it verified
            result.append(cred)
コード例 #3
    def verify(self, gid, credentials, target_urn, privileges):
        '''Verify that the given Source GID supplied at least one credential
        in the given list of credentials that has all the privileges required 
        in the privileges list on the given target.
        IE if any of the supplied credentials has a caller that matches gid 
        and a target that matches target_urn, and has all the privileges in 
        the given list, then return the list of credentials that were ok.
        Throw an Exception if we fail to verify any credential.'''

        # Note that here we treat a list of credentials as being options
        # Alternatively could accumulate privileges for example
        # The semantics of the list of credentials is under specified.

        result = list()
        failure = ""
        tried_creds = ""
        if len(credentials) == 0:
            failure = "No credentials found"
        for cred in credentials:
            if cred is None:
                failure = "Credential was unparseable"
                continue
            if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
                cS = cred.get_gid_caller().get_urn()
            elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
                cS = cred.get_summary_tostring()
            else:
                cS = "Unknown credential type %s" % cred.get_cred_type()
            
            if tried_creds != "":
                tried_creds = "%s, %s" % (tried_creds, cS)
            else:
                tried_creds = cS
            if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
                failure = "Not an SFA credential: " + cS
                continue
         
            #if not self.verify_source(gid, cred):
            #    failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
            #    continue
         
            if not self.verify_target(target_urn, cred):
                failure = "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
                continue
            if not self.verify_privileges(privileges, cred):
                failure = "Cred for %s over %s doesn't provide sufficient privileges" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
                continue
            try:
                if not cred.verify(self.root_cert_files):
                    failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                    continue
            except Exception, exc:
                failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
                continue
            # If got here it verified
            result.append(cred)