def determine_speaks_for_ex(logger, credentials, caller_gid, options, trusted_roots, schema=None): abac_cred_list = [] speaking_for_gid = None if not logger: logger = core.log.getLogger("speaks-for") for cred in credentials: # Skip things that aren't ABAC credentials if type(cred) == dict: if cred['geni_type'] != ABACCredential.ABAC_CREDENTIAL_TYPE: cred_ = CredentialFactory.createCred(credString=cred['geni_value']) speaking_for_gid = cred_.get_gid_caller() if cred_ else None continue cred_value = cred['geni_value'] elif isinstance(cred, Credential): if not isinstance(cred, ABACCredential): speaking_for_gid = cred.get_gid_caller() continue else: cred_value = cred else: if CredentialFactory.getType(cred) != ABACCredential.ABAC_CREDENTIAL_TYPE: cred_ = CredentialFactory.createCred(credString=cred) speaking_for_gid = cred_.get_gid_caller() if cred_ else None continue cred_value = cred # If the cred_value is xml, create the object if not isinstance(cred_value, ABACCredential): cred = CredentialFactory.createCred(cred_value) abac_cred_list.append(cred) # If speaking_for_gid is None or ABAC creds are absent then there is no point to proceed if not speaking_for_gid or len(abac_cred_list) == 0: if logger: logger.info("No point in checking speaks-for") else: print "No point in checking speaks-for" return caller_gid # See if this is a valid speaks_for is_valid_speaks_for, user_gid, msg = verify_speaks_for_ex(abac_cred_list, caller_gid, speaking_for_gid) if is_valid_speaks_for: logger.info("Speaks-for successfully validated ! ") return user_gid # speaks-for else: if logger: logger.info("Got speaks-for option but not a valid speaks_for with this credential: %s" % msg) else: print "Got a speaks-for option but not a valid speaks_for with this credential: " + msg return caller_gid # Not speaks-for
def determine_speaks_for(logger, credentials, caller_gid, options, \ trusted_roots, schema=None): if options and 'geni_speaking_for' in options: speaking_for_urn = options['geni_speaking_for'].strip() for cred in credentials: # Skip things that aren't ABAC credentials if type(cred) == dict: if cred['geni_type'] != ABACCredential.ABAC_CREDENTIAL_TYPE: continue cred_value = cred['geni_value'] elif isinstance(cred, Credential): if not isinstance(cred, ABACCredential): continue else: cred_value = cred else: if CredentialFactory.getType( cred) != ABACCredential.ABAC_CREDENTIAL_TYPE: continue cred_value = cred # If the cred_value is xml, create the object if not isinstance(cred_value, ABACCredential): cred = CredentialFactory.createCred(cred_value) # print "Got a cred to check speaksfor for: %s" % cred.get_summary_tostring() # #cred.dump(True, True) # print "Caller: %s" % caller_gid.dump_string(2, True) # See if this is a valid speaks_for is_valid_speaks_for, user_gid, msg = \ verify_speaks_for(cred, caller_gid, speaking_for_urn, \ trusted_roots, schema, logger) if is_valid_speaks_for: return user_gid # speaks-for else: if logger: logger.info( "Got speaks-for option but not a valid speaks_for with this credential: %s" % msg) else: print "Got a speaks-for option but not a valid speaks_for with this credential: " + msg return caller_gid # Not speaks-for
def determine_speaks_for(logger, credentials, caller_gid, options, trusted_roots, schema=None): if options and "geni_speaking_for" in options: speaking_for_urn = options["geni_speaking_for"].strip() for cred in credentials: # Skip things that aren't ABAC credentials if type(cred) == dict: if cred["geni_type"] != ABACCredential.ABAC_CREDENTIAL_TYPE: continue cred_value = cred["geni_value"] elif isinstance(cred, Credential): if not isinstance(cred, ABACCredential): continue else: cred_value = cred else: if CredentialFactory.getType(cred) != ABACCredential.ABAC_CREDENTIAL_TYPE: continue cred_value = cred # If the cred_value is xml, create the object if not isinstance(cred_value, ABACCredential): cred = CredentialFactory.createCred(cred_value) # print "Got a cred to check speaksfor for: %s" % cred.get_summary_tostring() # #cred.dump(True, True) # print "Caller: %s" % caller_gid.dump_string(2, True) # See if this is a valid speaks_for is_valid_speaks_for, user_gid, msg = verify_speaks_for( cred, caller_gid, speaking_for_urn, trusted_roots, schema, logger ) if is_valid_speaks_for: return user_gid # speaks-for else: if logger: logger.info("Got speaks-for option but not a valid speaks_for with this credential: %s" % msg) else: print "Got a speaks-for option but not a valid speaks_for with this credential: " + msg return caller_gid # Not speaks-for
def make_cred(cred_string): credO = None try: credO = CredentialFactory.createCred(credString=cred_string) except Exception, e: print(e)
class CredentialVerifier(object): """Utilities to verify signed credentials from a given set of root certificates. Will compare target and source URNs, and privileges. See verify and verify_from_strings methods in particular.""" CATEDCERTSFNAME = 'CATedCACerts.pem' # root_cert_fileordir is a trusted root cert file or directory of # trusted roots for verifying credentials def __init__(self, root_cert_fileordir): if root_cert_fileordir is None: raise Exception("Missing Root certs argument") elif os.path.isdir(root_cert_fileordir): files = os.listdir(root_cert_fileordir) self.root_cert_files = [] for file in files: # FIXME: exclude files that aren't cert files? #print file == CredentialVerifier.CATEDCERTSFNAME if file == CredentialVerifier.CATEDCERTSFNAME: continue self.root_cert_files.append(os.path.expanduser(os.path.join(root_cert_fileordir, file))) #self.root_cert_files = [root_cert_fileordir] else: raise Exception("Couldn't find Root certs in %s" % root_cert_fileordir) @classmethod def getCAsFileFromDir(cls, caCerts): '''Take a directory of CA certificates and concatenate them into a single file suitable for use by the Python SSL library to validate client credentials. Existing file is replaced.''' if caCerts is None: raise Exception ('Missing caCerts argument') if os.path.isfile(os.path.expanduser(caCerts)): return caCerts if not os.path.isdir(os.path.expanduser(caCerts)): raise Exception ('caCerts arg Not a file or a dir: %s' % caCerts) # Now we have a dir of caCerts files # For each file in the dir (isfile), concatenate them into a new file comboFullPath = os.path.join(caCerts, CredentialVerifier.CATEDCERTSFNAME) caFiles = os.listdir(caCerts) #logger.debug('Got %d potential caCert files in the dir', len(caFiles)) outfile = open(comboFullPath, "w") okFileCount = 0 for filename in caFiles: filepath = os.path.join(caCerts, filename) # Confirm it's a CA file? # if not file.endswith('.pem'): # continue if not os.path.isfile(os.path.expanduser(filepath)): continue if filename == CredentialVerifier.CATEDCERTSFNAME: # logger.debug('Skipping previous cated certs file') continue okFileCount += 1 certfile = open(filepath) for line in certfile: outfile.write(line) certfile.close() outfile.close() if okFileCount == 0: sys.exit('Found NO trusted certs in %s!' % caCerts) return comboFullPath def verify_from_strings(self, gid_string, cred_strings, target_urn, privileges, options=None): '''Create Credential and GID objects from the given strings, and then verify the GID has the right privileges according to the given credentials on the given target.''' def make_cred(cred_string): credO = None try: credO = CredentialFactory.createCred(credString=cred_string) except Exception, e: print(e) return credO root_certs = \ [Certificate(filename=root_cert_file) \ for root_cert_file in self.root_cert_files] caller_gid = gid.GID(string=gid_string) # Potentially, change gid_string to be the cert of the actual user # if this is a 'speaks-for' invocation speaksfor_gid = \ determine_speaks_for(None, \ cred_strings, # May include ABAC speaks_for credential caller_gid, # Caller cert (may be the tool 'speaking for' user) options, # May include 'geni_speaking_for' option with user URN root_certs ) if caller_gid.get_subject() != speaksfor_gid.get_subject(): speaksfor_urn = speaksfor_gid.get_urn() caller_gid = speaksfor_gid # Remove the abac credentials cred_strings = [cred_string for cred_string in cred_strings \ if CredentialFactory.getType(cred_string) == cred.Credential.SFA_CREDENTIAL_TYPE] return self.verify(caller_gid, map(make_cred, cred_strings), target_urn, privileges)