def __init__(self, creds, options, **kwargs): # client must specify a version if not options.get('geni_rspec_version'): if options.get('rspec_version'): options['geni_rspec_version'] = options['rspec_version'] else: raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null') # get slice's hrn from options xrn = options.get('geni_slice_urn', '') (hrn, _) = urn_to_hrn(xrn) # Find the valid credentials #valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn) valid_creds = Auth().checkCredentials(creds, 'listnodes', hrn) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None) if not origin_hrn: origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() origin_gid = Credential(string=valid_creds[0]).get_gid_caller() #rspec = AggregateManager(None).ListResources(self.api, creds, options) #chain_name = 'OUTGOING' #if options.has_key('geni_compressed') and options['geni_compressed'] == True: # rspec = zlib.compress(rspec).encode('base64') #return rspec #return True return
def get_auth_cred(self, xrn, kind="authority"): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() cred = Credential(subject=hrn) cred.set_gid_caller(gid) cred.set_gid_object(gid) cred.set_privileges(kind) cred.get_privileges().delegate_all_privileges(True) #cred.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename()) cred.set_parent(self.get_auth_cred(parent_hrn, kind)) cred.encode() cred.sign() return cred
def authenticateCred(self, credStr, argList, requestHash=None): cred = Credential(string = credStr) self.validateCred(cred) # request hash is optional if requestHash: self.verifyCredRequestHash(cred, requestHash, argList) return cred
def __init__(self, xrn, creds, **kwargs): hrn, type = urn_to_hrn(xrn) valid_creds = Auth().checkCredentials(creds, 'startslice', hrn) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() return
def __init__(self, xrn, creds, options, **kwargs): (hrn, type) = urn_to_hrn(xrn) valid_creds = Auth().checkCredentials(creds, 'deletesliver', hrn) origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() return #self.api.manager.DeleteSliver(self.api, xrn, creds, options)
def call(self, creds, xrn, cert=None): # TODO: is there a better right to check for or is 'update good enough? valid_creds = self.api.auth.checkCredentials(creds, 'update') # verify permissions hrn, type = urn_to_hrn(xrn) self.api.auth.verify_object_permission(hrn) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # log origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name)) return self.api.manager.CreateGid(self.api, xrn, cert)
def verify_cred_is_me(self, credential): is_me = False cred = Credential(string=credential) caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return
def call(self, creds, options): valid_creds = self.api.auth.checkCredentials(creds, 'listslices') #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, self.name)) return self.api.manager.ListSlices(self.api, creds, options)
def call(self, xrn, creds, options={}): hrn, type = urn_to_hrn(xrn) valid_creds = self.api.auth.checkCredentials(creds, 'list') #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.List(self.api, xrn, options=options)
def __init__(self, slice_xrn, creds, users, options, **kwargs): hrn, type = urn_to_hrn(slice_xrn) # Find the valid credentials valid_creds = Auth().checkCredentials(creds, 'createsliver', hrn) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # make sure users info is specified if not users: msg = "'users' must be specified and cannot be null. You may need to update your client." raise SfaInvalidArgument(name='users', extra=msg) return
def call(self, xrn, creds, type): xrn = Xrn(xrn, type=type) # validate the cred valid_creds = self.api.auth.checkCredentials(creds, "remove") self.api.auth.verify_object_permission(xrn.get_hrn()) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tmethod-name: %s\tcaller-hrn: %s\ttarget-urn: %s" % (self.api.interface, self.name, origin_hrn, xrn.get_urn())) return self.api.manager.Remove(self.api, xrn)
def call(self, record, creds): # validate cred valid_creds = self.api.auth.checkCredentials(creds, 'register') # verify permissions hrn = record.get('hrn', '') self.api.auth.verify_object_permission(hrn) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.Register(self.api, record)
def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] creds = [] if not isinstance(caller_hrn_list, list): caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds
def call(self, xrns, creds): # validate the credential valid_creds = self.api.auth.checkCredentials(creds, 'getgids') # xxxpylintxxx origin_hrn is unused.. origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # resolve the record records = self.api.manager.Resolve(self.api, xrns, details = False) if not records: raise RecordNotFound(xrns) allowed_fields = ['hrn', 'type', 'gid'] for record in records: for key in record.keys(): if key not in allowed_fields: del(record[key]) return records
def call(self, xrn, creds, rspec, users, options): hrn, type = urn_to_hrn(xrn) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'getticket', hrn) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() #log the call self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) # filter rspec through foam.sfa.ables if self.api.interface in ['aggregate']: chain_name = 'OUTGOING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-OUTGOING' rspec = run_foam.sfa.ables(chain_name, hrn, origin_hrn, rspec) # remove nodes that are not available at this interface from the rspec return self.api.manager.GetTicket(self.api, xrn, creds, rspec, users, options)
def checkCredentials(self, creds, operation, hrn = None): valid = [] error = None if not isinstance(creds, list): creds = [creds] for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except Exception as e: cred_obj=Credential(string=cred) error = e#sys.exc_info()[:2] continue if not len(valid): if not error: error = "No valid credentials found" raise InsufficientRights('Access denied: %s' % (str(error))) return valid
def call(self, creds, xrn, type): if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # check creds valid_creds = self.api.auth.checkCredentials(creds, 'getcredential') self.api.auth.verify_object_belongs_to_me(hrn) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.GetCredential( self.api, xrn, type, self.api.auth.client_gid.get_urn())
def call(self, xrns, creds, options={}): # use details=False by default, only when explicitly specified do we want # to mess with the testbed details if 'details' in options: details = options['details'] else: details = False type = None if not isinstance(xrns, types.ListType): type = Xrn(xrns).get_type() xrns = [xrns] hrns = [urn_to_hrn(xrn)[0] for xrn in xrns] #find valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'resolve') #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrns, self.name)) # send the call to the right manager return self.api.manager.Resolve(self.api, xrns, type, details=details)
def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True
def call(self, slice_xrn, creds, expiration_time, options): (hrn, type) = urn_to_hrn(slice_xrn) self.api.logger.info( "interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s" % (self.api.interface, hrn, creds, self.name)) # Find the valid credentials valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn) # Validate that the time does not go beyond the credential's expiration time requested_time = utcparse(expiration_time) max_renew_days = int(self.api.config.SFA_MAX_SLICE_RENEW) if requested_time > Credential(string=valid_creds[0]).get_expiration(): raise InsufficientRights( 'Renewsliver: Credential expires before requested expiration time' ) if requested_time > datetime.datetime.utcnow() + datetime.timedelta( days=max_renew_days): raise Exception('Cannot renew > %s days from now' % max_renew_days) return self.api.manager.RenewSliver(self.api, slice_xrn, valid_creds, expiration_time, options)