def getCredential(self): """ Get our credential from a remote registry """ path = self.config.SFA_DATA_DIR config_dir = self.config.config_path cred_filename = path + os.sep + 'node.cred' try: credential = Credential(filename=cred_filename) return credential.save_to_string(save_parents=True) except IOError: node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" cert_filename = path + os.sep + 'server.cert' if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): self.get_node_key() # get node's hrn gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # get credential from registry cert_str = Certificate(filename=cert_filename).save_to_string( save_parents=True) registry = self.get_registry() cred = registry.GetSelfCredential(cert_str, hrn, 'node') # xxx credfile is undefined Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'): """ sign a delegation credential to someone else original_credential : typically one's user- or slice- credential to be delegated to s/b else to_hrn : the hrn of the person that will be allowed to do stuff on our behalf to_type : goes with to_hrn, usually 'user' or 'authority' returns a string with the delegated credential this internally uses self.my_gid() it also retrieves the gid for to_hrn/to_type and uses Credential.delegate()""" # the gid and hrn of the object we are delegating if isinstance (original_credential, str): original_credential = Credential (string=original_credential) original_gid = original_credential.get_gid_object() original_hrn = original_gid.get_hrn() if not original_credential.get_privileges().get_all_delegate(): self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn) return # the delegating user's gid my_gid = self.my_gid() # retrieve the GID for the entity that we're delegating to to_gidfile = self.gid (to_hrn,to_type) # to_gid = GID ( to_gidfile ) # to_hrn = delegee_gid.get_hrn() # print 'to_hrn',to_hrn delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid) return delegated_credential.save_to_string(save_parents=True)
def getCredential(self): """ Get our credential from a remote registry """ path = self.config.SFA_DATA_DIR config_dir = self.config.config_path cred_filename = path + os.sep + 'node.cred' try: credential = Credential(filename = cred_filename) return credential.save_to_string(save_parents=True) except IOError: node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" cert_filename = path + os.sep + 'server.cert' if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): self.get_node_key() # get node's hrn gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # get credential from registry cert_str = Certificate(filename=cert_filename).save_to_string(save_parents=True) registry = self.get_registry() cred = registry.GetSelfCredential(cert_str, hrn, 'node') Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def get_cred(self, file, type, hrn): # attempt to load a cached credential cred = self.get_cached_credential(file) if not cred: if type in ['user']: cert_string = self.cert.save_to_string(save_parents=True) user_name = self.user.replace(self.authority + ".", '') if user_name.count(".") > 0: user_name = user_name.replace(".", '_') self.user = self.authority + "." + user_name cred_str = self.registry.GetSelfCredential(cert_string, hrn, "user") else: # bootstrap slice credential from user credential user_cred = self.get_user_cred().save_to_string(save_parents=True) cred_str = self.registry.GetCredential(user_cred, hrn, type) if not cred_str: self.logger.critical("Failed to get %s credential" % type) sys.exit(-1) cred = Credential(string=cred_str) cred.save_to_file(file, save_parents=True) self.logger.info("Writing %s credential to %s" %(type, file)) return cred
def call(self, cred, record_dict, origin_hrn=None): user_cred = Credential(string=cred) #log the call if not origin_hrn: origin_hrn = user_cred.get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, None, self.name)) # validate the cred self.api.auth.check(cred, "register") # make sure this is a peer record if 'peer_authority' not in record_dict or \ not record_dict['peer_authority']: raise SfaInvalidArgument, "peer_authority must be specified" record = SfaRecord(dict = record_dict) type, hrn, peer_authority = record['type'], record['hrn'], record['peer_authority'] record['authority'] = get_authority(record['hrn']) # verify permissions self.api.auth.verify_cred_is_me(cred) # check if record already exists table = SfaTable() existing_records = table.find({'type': type, 'hrn': hrn, 'peer_authority': peer_authority}) if existing_records: for existing_record in existing_records: if existing_record['pointer'] != record['pointer']: record['record_id'] = existing_record['record_id'] table.update(record) else: record_id = table.insert(record) return 1
def delegate_cred(self, object_cred, hrn, type='authority'): # the gid and hrn of the object we are delegating if isinstance(object_cred, str): # XXX Yes here we give a string... object_cred = Credential(string=object_cred) object_gid = object_cred.get_gid_object() object_hrn = object_gid.get_hrn() if not object_cred.get_privileges().get_all_delegate(): self.logger.error( "Object credential %s does not have delegate bit set" % object_hrn) return # the delegating user's gid # XXX done in bootstrap caller_gidfile = self.my_gid # already a string # XXX ERROR tell thierry # the gid of the user who will be delegated to delegee_gid = self.bootstrap.gid( hrn, 'user') # XXX bootstrap ERROR tell thierry delegee_hrn = GID(delegee_gid).get_hrn() # XXX pkey done in bootstrap dcred = object_cred.delegate(delegee_gid, self.private_key, caller_gidfile) return dcred.save_to_string(save_parents=True)
def validate_credential(self, filename): valid = True cred = Credential(filename=filename) # check if credential is expires if cred.get_expiration() < datetime.now(): valid = False return valid
def validate_credential(self, filename): valid = True cred = Credential(filename=filename) # check if credential is expires if cred.get_expiration() < datetime.utcnow(): valid = False return valid
def __get_registry_objects(slice_xrn, creds, users): """ """ hrn, type = urn_to_hrn(slice_xrn) hrn_auth = get_authority(hrn) # Build up objects that an SFA registry would return if SFA # could contact the slice's registry directly reg_objects = None if users: # dont allow special characters in the site login base #only_alphanumeric = re.compile('[^a-zA-Z0-9]+') #login_base = only_alphanumeric.sub('', hrn_auth[:20]).lower() slicename = hrn_to_pl_slicename(hrn) login_base = slicename.split('_')[0] reg_objects = {} site = {} site['site_id'] = 0 site['name'] = 'geni.%s' % login_base site['enabled'] = True site['max_slices'] = 100 # Note: # Is it okay if this login base is the same as one already at this myplc site? # Do we need uniqueness? Should use hrn_auth instead of just the leaf perhaps? site['login_base'] = login_base site['abbreviated_name'] = login_base site['max_slivers'] = 1000 reg_objects['site'] = site slice = {} # get_expiration always returns a normalized datetime - no need to utcparse extime = Credential(string=creds[0]).get_expiration() # If the expiration time is > 60 days from now, set the expiration time to 60 days from now if extime > datetime.datetime.utcnow() + datetime.timedelta(days=60): extime = datetime.datetime.utcnow() + datetime.timedelta(days=60) slice['expires'] = int(time.mktime(extime.timetuple())) slice['hrn'] = hrn slice['name'] = hrn_to_pl_slicename(hrn) slice['url'] = hrn slice['description'] = hrn slice['pointer'] = 0 reg_objects['slice_record'] = slice reg_objects['users'] = {} for user in users: user['key_ids'] = [] hrn, _ = urn_to_hrn(user['urn']) user['email'] = hrn_to_pl_slicename(hrn) + "@geni.net" user['first_name'] = hrn user['last_name'] = hrn reg_objects['users'][user['email']] = user return reg_objects
def verify_cred_is_me(self, credential): is_me = False cred = Credential(string=credential) caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return
def log_invalid_cred(cred): if not isinstance (cred, StringTypes): logger.info("cannot validate credential %s - expecting a string"%cred) error="checkCredentials: expected a string, received %s"%(type(cred)) else: cred_obj=Credential(string=cred) logger.info("failed to validate credential - dump=%s"%\ cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] return error
def get_cached_credential(self, file): """ Return a cached credential only if it hasn't expired. """ if (os.path.isfile(file)): credential = Credential(filename=file) # make sure it isnt expired if not credential.get_expiration or \ datetime.datetime.today() < credential.get_expiration(): return credential return None
def Delete(self, api, xrn, creds, options): call_id = options.get('call_id') if Callids().already_handled(call_id): return "" def _Delete(server, xrn, creds, options): return server.Delete(xrn, creds, options) (hrn, type) = urn_to_hrn(xrn[0]) # get the callers hrn valid_cred = api.auth.checkCredentials(creds, 'deletesliver', hrn)[0] caller_hrn = Credential(cred=valid_cred).get_gid_caller().get_hrn() # attempt to use delegated credential first cred = api.getDelegatedCredential(creds) if not cred: cred = api.getCredential() multiclient = MultiClient() for aggregate in api.aggregates: # prevent infinite loop. Dont send request back to caller # unless the caller is the aggregate's SM if caller_hrn == aggregate and aggregate != api.hrn: continue interface = api.aggregates[aggregate] server = api.server_proxy(interface, cred) multiclient.run(_Delete, server, xrn, [cred], options) results = [] for result in multiclient.get_results(): results += ReturnValue.get_value(result) return results
def call(self, urns, creds, options): self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name)) # client must specify a version if not options.get('geni_rspec_version'): if options.get('rspec_version'): options['geni_rspec_version'] = options['rspec_version'] else: raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null') (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \ check_sliver_callback = self.api.driver.check_sliver_credentials, speaking_for_hrn=speaking_for) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None) if not origin_hrn: origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() desc = self.api.manager.Describe(self.api, creds, urns, options) # filter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'OUTGOING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-OUTGOING' self.api.logger.debug("ListResources: sfatables on chain %s"%chain_name) desc['geni_rspec'] = run_sfatables(chain_name, '', origin_hrn, desc['geni_rspec']) if options.has_key('geni_compressed') and options['geni_compressed'] == True: desc['geni_rspec'] = zlib.compress(desc['geni_rspec']).encode('base64') return desc
def determine_sfa_filekind(fn): if fn.endswith('.gid'): return 'gid' elif fn.endswith('.cert'): return 'certificate' elif fn.endswith('cred'): return 'credential' try: cred=Credential(filename=fn) return 'credential' except: pass try: gid=GID(filename=fn) if gid.uuid: return 'gid' except: pass try: cert = Certificate(filename = fn) return 'certificate' except: pass # to be completed # if "gidCaller" in dict: # return "credential" # # if "uuid" in dict: # return "gid" return "unknown"
def check_sliver_credentials(self, creds, urns): # build list of cred object hrns slice_cred_names = [] for cred in creds: slice_cred_hrn = Credential(cred=cred).get_gid_object().get_hrn() slice_cred_names.append( DummyXrn(xrn=slice_cred_hrn).dummy_slicename()) # look up slice name of slivers listed in urns arg slice_ids = [] for urn in urns: sliver_id_parts = Xrn(xrn=urn).get_sliver_id_parts() try: slice_ids.append(int(sliver_id_parts[0])) except ValueError: pass if not slice_ids: raise Forbidden("sliver urn not provided") slices = self.shell.GetSlices({'slice_ids': slice_ids}) sliver_names = [slice['slice_name'] for slice in slices] # make sure we have a credential for every specified sliver ierd for sliver_name in sliver_names: if sliver_name not in slice_cred_names: msg = "Valid credential not found for target: %s" % sliver_name raise Forbidden(msg)
def check_sliver_credentials(self, creds, urns): # build list of cred object hrns slice_cred_names = [] for cred in creds: slice_cred_hrn = Credential(cred=cred).get_gid_object().get_hrn() slice_cred_names.append(OSXrn(xrn=slice_cred_hrn).get_slicename()) # look up slice name of slivers listed in urns arg slice_ids = [] for urn in urns: sliver_id_parts = Xrn(xrn=urn).get_sliver_id_parts() slice_ids.append(sliver_id_parts[0]) if not slice_ids: raise Forbidden("sliver urn not provided") sliver_names = [] for slice_id in slice_ids: slice = self.shell.auth_manager.tenants.find(slice_id) sliver_names.append(slice['name']) # make sure we have a credential for every specified sliver ierd for sliver_name in sliver_names: if sliver_name not in slice_cred_names: msg = "Valid credential not found for target: %s" % sliver_name raise Forbidden(msg)
def authenticateCred(self, credStr, argList, requestHash=None): cred = Credential(string=credStr) self.validateCred(cred) # request hash is optional if requestHash: self.verifyCredRequestHash(cred, requestHash, argList) return cred
def check(self, credential, operation, hrn=None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ cred = Credential(cred=credential) self.client_cred = cred logger.debug("Auth.check: handling hrn=%s and credential=%s"%\ (hrn,cred.get_summary_tostring())) if cred.type not in ['geni_sfa']: raise CredentialNotVerifiable(cred.type, "%s not supported" % cred.type) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True
def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] creds = [] if not isinstance(caller_hrn_list, list): caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds
def check(self, credential, operation, hrn = None): """ Check the credential against the peer cert (callerGID) included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ cred = Credential(cred=credential) self.client_cred = cred logger.debug("Auth.check: handling hrn=%s and credential=%s"%\ (hrn,cred.pretty_cred())) if cred.type not in ['geni_sfa']: raise CredentialNotVerifiable(cred.type, "%s not supported" % cred.type) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.pretty_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True
def server_proxy(self, interface, cred, timeout=30): """ Returns a connection to the specified interface. Use the specified credential to determine the caller and look for the caller's key/cert in the registry hierarchy cache. """ from sfa.trust.hierarchy import Hierarchy if not isinstance(cred, Credential): cred_obj = Credential(string=cred) else: cred_obj = cred caller_gid = cred_obj.get_gid_caller() hierarchy = Hierarchy() auth_info = hierarchy.get_auth_info(caller_gid.get_hrn()) key_file = auth_info.get_privkey_filename() cert_file = auth_info.get_gid_filename() server = interface.server_proxy(key_file, cert_file, timeout) return server
def Provision(self, api, xrn, creds, options): call_id = options.get('call_id') if Callids().already_handled(call_id): return "" version_manager = VersionManager() def _Provision(aggregate, server, xrn, credential, options): tStart = time.time() try: # Need to call GetVersion at an aggregate to determine the supported # rspec type/format beofre calling CreateSliver at an Aggregate. server_version = api.get_cached_server_version(server) result = server.Provision(xrn, credential, options) return {"aggregate": aggregate, "result": result, "elapsed": time.time()-tStart, "status": "success"} except: logger.log_exc('Something wrong in _Allocate with URL %s'%server.url) return {"aggregate": aggregate, "elapsed": time.time()-tStart, "status": "exception", "exc_info": sys.exc_info()} # attempt to use delegated credential first cred = api.getDelegatedCredential(creds) if not cred: cred = api.getCredential() # get the callers hrn valid_cred = api.auth.checkCredentials(creds, 'createsliver', xrn)[0] caller_hrn = Credential(cred=valid_cred).get_gid_caller().get_hrn() multiclient = MultiClient() for aggregate in api.aggregates: # prevent infinite loop. Dont send request back to caller # unless the caller is the aggregate's SM if caller_hrn == aggregate and aggregate != api.hrn: continue interface = api.aggregates[aggregate] server = api.server_proxy(interface, cred) # Just send entire RSpec to each aggregate multiclient.run(_Provision, aggregate, server, xrn, [cred], options) results = multiclient.get_results() manifest_version = version_manager._get_version('GENI', '3', 'manifest') result_rspec = RSpec(version=manifest_version) geni_slivers = [] geni_urn = None for result in results: self.add_slicemgr_stat(result_rspec, "Provision", result["aggregate"], result["elapsed"], result["status"], result.get("exc_info",None)) if result["status"]=="success": try: res = result['result']['value'] geni_urn = res['geni_urn'] result_rspec.version.merge(ReturnValue.get_value(res['geni_rspec'])) geni_slivers.extend(res['geni_slivers']) except: api.logger.log_exc("SM.Provision: Failed to merge aggregate rspec") return { 'geni_urn': geni_urn, 'geni_rspec': result_rspec.toxml(), 'geni_slivers': geni_slivers }
def checkCredentials(self, creds, operation, hrn = None): valid = [] if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: cred_obj=Credential(string=cred) logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) return valid
def call(self, xrn, creds, rspec, options): xrn = Xrn(xrn, type='slice') self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, xrn.get_hrn(), self.name)) (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) # Find the valid credentials valid_creds = self.api.auth.checkCredentials( creds, 'createsliver', xrn.get_hrn(), speaking_for_hrn=speaking_for) # use the expiration from the first valid credential to determine when # the slivers should expire. expiration = datetime_to_string( Credential(cred=valid_creds[0]).expiration) # make sure request is not empty slivers = RSpec(rspec).version.get_nodes_with_slivers() if not slivers: raise InvalidRSpec( "Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers" ) # flter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'INCOMING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-INCOMING' self.api.logger.debug("Allocate: sfatables on chain %s" % chain_name) origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrn, self.name)) rspec = run_sfatables(chain_name, xrn.get_hrn(), origin_hrn, rspec) slivers = RSpec(rspec).version.get_nodes_with_slivers() if not slivers: raise SfatablesRejected(slice_xrn) result = self.api.manager.Allocate(self.api, xrn.get_urn(), creds, rspec, expiration, options) return result
def GetCredential(registry=None, force=False, verbose=False): config = Config() hierarchy = Hierarchy() key_dir = hierarchy.basedir data_dir = config.data_path config_dir = config.config_path credfile = data_dir + os.sep + 'node.cred' # check for existing credential if not force and os.path.exists(credfile): if verbose: print "Loading Credential from %(credfile)s " % locals() cred = Credential(filename=credfile).save_to_string(save_parents=True) else: if verbose: print "Getting credential from registry" # make sure node private key exists node_pkey_file = config_dir + os.sep + "node.key" node_gid_file = config_dir + os.sep + "node.gid" if not os.path.exists(node_pkey_file) or \ not os.path.exists(node_gid_file): get_node_key(registry=registry, verbose=verbose) gid = GID(filename=node_gid_file) hrn = gid.get_hrn() # create server key and certificate keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" key = Keypair(filename=node_pkey_file) key.save_to_file(keyfile) create_server_keypair(keyfile, certfile, hrn, verbose) # get credential from registry registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) cert = Certificate(filename=certfile) cert_str = cert.save_to_string(save_parents=True) cred = registry.GetSelfCredential(cert_str, 'node', hrn) Credential(string=cred).save_to_file(credfile, save_parents=True) return cred
def handle_input_kind (filename, options, kind): # dump methods current do 'print' so let's go this road for now if kind=="certificate": cert=Certificate (filename=filename) print '--------------------',filename,'IS A',kind cert.dump(show_extensions=options.show_extensions) elif kind=="credential": cred = Credential(filename = filename) print '--------------------',filename,'IS A',kind cred.dump(dump_parents = options.dump_parents, show_xml=options.show_xml) if options.extract_gids: print '--------------------',filename,'embedded GIDS' extract_gids(cred, extract_parents = options.dump_parents) elif kind=="gid": gid = GID(filename = filename) print '--------------------',filename,'IS A',kind gid.dump(dump_parents = options.dump_parents) else: print "%s: unknown filekind '%s'"% (filename,kind)
def call(self, xrn, creds, options={}): hrn, type = urn_to_hrn(xrn) valid_creds = self.api.auth.checkCredentials(creds, 'list') #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.List(self.api, xrn, options=options)
def delegate_cred(self, object_cred, hrn): # the gid and hrn of the object we are delegating if isinstance(object_cred, str): object_cred = Credential(string=object_cred) object_gid = object_cred.get_gid_object() object_hrn = object_gid.get_hrn() if not object_cred.get_privileges().get_all_delegate(): self.logger.error("Object credential %s does not have delegate bit set"%object_hrn) return # the delegating user's gid caller_gid = self._get_gid(self.user) caller_gidfile = os.path.join(self.options.sfi_dir, self.user + ".gid") # the gid of the user who will be delegated to delegee_gid = self._get_gid(hrn) delegee_hrn = delegee_gid.get_hrn() delegee_gidfile = os.path.join(self.options.sfi_dir, delegee_hrn + ".gid") delegee_gid.save_to_file(filename=delegee_gidfile) dcred = object_cred.delegate(delegee_gidfile, self.get_key_file(), caller_gidfile) return dcred.save_to_string(save_parents=True)
def delegate_credential_string(self, original_credential, to_hrn, to_type='authority'): """ sign a delegation credential to someone else original_credential : typically one's user- or slice- credential to be delegated to s/b else to_hrn : the hrn of the person that will be allowed to do stuff on our behalf to_type : goes with to_hrn, usually 'user' or 'authority' returns a string with the delegated credential this internally uses self.my_gid() it also retrieves the gid for to_hrn/to_type and uses Credential.delegate()""" # the gid and hrn of the object we are delegating if isinstance(original_credential, str): original_credential = Credential(string=original_credential) original_gid = original_credential.get_gid_object() original_hrn = original_gid.get_hrn() if not original_credential.get_privileges().get_all_delegate(): #self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn) return # the delegating user's gid my_gid = self.my_gid() # retrieve the GID for the entity that we're delegating to to_gidfile = self.gid(to_hrn, to_type) # to_gid = GID ( to_gidfile ) # to_hrn = delegee_gid.get_hrn() # print 'to_hrn',to_hrn delegated_credential = original_credential.delegate( to_gidfile, self.private_key(), my_gid) return delegated_credential.save_to_string(save_parents=True)
def call(self, cred, record, origin_hrn=None): user_cred = Credential(string=cred) #log the call if not origin_hrn: origin_hrn = user_cred.get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, record['hrn'], self.name)) self.api.auth.check(cred, "remove") # Only allow the local interface or record owner to delete peer_records try: self.api.auth.verify_object_permission(record['hrn']) except: self.api.auth.verify_cred_is_me(cred) table = SfaTable() hrn, type = record['hrn'], record['type'] records = table.find({'hrn': hrn, 'type': type }) for record in records: if record['peer_authority']: self.remove_plc_record(record) table.remove(record) return 1
def call(self, xrn, creds): valid_creds = self.api.auth.checkCredentials( creds, 'stopslice', xrn, check_sliver_callback=self.api.driver.check_sliver_credentials) #log the call origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrn, self.name)) return self.api.manager.Shutdown(self.api, xrn, creds)
def call(self, xrn, creds, rspec, options): xrn = Xrn(xrn, type='slice') # Find the valid credentials valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrn.get_hrn(), options=options) the_credential = Credential(cred=valid_creds[0]) # use the expiration from the first valid credential to determine when # the slivers should expire. expiration = datetime_to_string(the_credential.expiration) self.api.logger.debug("Allocate, received expiration from credential: %s"%expiration) # turned off, as passing an empty rspec is indeed useful for cleaning up the slice # # make sure request is not empty # slivers = RSpec(rspec).version.get_nodes_with_slivers() # if not slivers: # raise InvalidRSpec("Missing <sliver_type> or <sliver> element. Request rspec must explicitly allocate slivers") # flter rspec through sfatables if self.api.interface in ['aggregate']: chain_name = 'INCOMING' elif self.api.interface in ['slicemgr']: chain_name = 'FORWARD-INCOMING' self.api.logger.debug("Allocate: sfatables on chain %s"%chain_name) actual_caller_hrn = the_credential.actual_caller_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, actual_caller_hrn, xrn.get_hrn(), self.name)) rspec = run_sfatables(chain_name, xrn.get_hrn(), actual_caller_hrn, rspec) # turned off, as passing an empty rspec is indeed useful for cleaning up the slice # slivers = RSpec(rspec).version.get_nodes_with_slivers() # if not slivers: # raise SfatablesRejected(slice_xrn) # pass this to the driver code in case they need it options['actual_caller_hrn'] = actual_caller_hrn result = self.api.manager.Allocate(self.api, xrn.get_urn(), creds, rspec, expiration, options) return result
def call(self, urns, creds, expiration_time, options): # Find the valid credentials valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'renewsliver', urns, check_sliver_callback = self.api.driver.check_sliver_credentials, options=options) the_credential = Credential(cred=valid_creds[0]) actual_caller_hrn = the_credential.actual_caller_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-urns: %s\texpiration:%s\tmethod-name: %s"%\ (self.api.interface, actual_caller_hrn, urns, expiration_time,self.name)) # extend as long as possible : take the min of requested and now+SFA_MAX_SLICE_RENEW if options.get('geni_extend_alap'): # ignore requested time and set to max expiration_time = add_datetime(datetime.datetime.utcnow(), days=int(self.api.config.SFA_MAX_SLICE_RENEW)) # Validate that the time does not go beyond the credential's expiration time requested_expire = utcparse(expiration_time) self.api.logger.info("requested_expire = %s"%requested_expire) credential_expire = the_credential.get_expiration() self.api.logger.info("credential_expire = %s"%credential_expire) max_renew_days = int(self.api.config.SFA_MAX_SLICE_RENEW) max_expire = datetime.datetime.utcnow() + datetime.timedelta (days=max_renew_days) if requested_expire > credential_expire: # used to throw an InsufficientRights exception here, this was not right self.api.logger.warning("Requested expiration %s, after credential expiration (%s) -> trimming to the latter/sooner"%\ (requested_expire, credential_expire)) requested_expire = credential_expire if requested_expire > max_expire: # likewise self.api.logger.warning("Requested expiration %s, after maximal expiration %s days (%s) -> trimming to the latter/sooner"%\ (requested_expire, self.api.config.SFA_MAX_SLICE_RENEW,max_expire)) requested_expire = max_expire return self.api.manager.Renew(self.api, urns, creds, requested_expire, options)
def _getCredential(self): """ Get our credential from a remote registry """ from sfa.server.registry import Registries registries = Registries() registry = registries.server_proxy(self.hrn, self.key_file, self.cert_file) cert_string = self.cert.save_to_string(save_parents=True) # get self credential self_cred = registry.GetSelfCredential(cert_string, self.hrn, 'authority') # get credential cred = registry.GetCredential(self_cred, self.hrn, 'authority') return Credential(string=cred)
def call(self, xrn, creds, type): xrn = Xrn(xrn, type=type) # validate the cred valid_creds = self.api.auth.checkCredentials(creds, "remove") self.api.auth.verify_object_permission(xrn.get_hrn()) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tmethod-name: %s\tcaller-hrn: %s\ttarget-urn: %s" % (self.api.interface, self.name, origin_hrn, xrn.get_urn())) return self.api.manager.Remove(self.api, xrn)
def check_sliver_credentials(self, creds, urns): # build list of cred object hrns slice_cred_names = [] for cred in creds: slice_cred_hrn = Credential(cred=cred).get_gid_object().get_hrn() top_auth_hrn = top_auth(slice_cred_hrn) site_hrn = '.'.join(slice_cred_hrn.split('.')[:-1]) slice_part = slice_cred_hrn.split('.')[-1] if top_auth_hrn == self.hrn: login_base = slice_cred_hrn.split('.')[-2][:12] else: login_base = hash_loginbase(site_hrn) slicename = '_'.join([login_base, slice_part]) slice_cred_names.append(slicename) # look up slice name of slivers listed in urns arg slice_ids = [] for urn in urns: sliver_id_parts = Xrn(xrn=urn).get_sliver_id_parts() try: slice_ids.append(int(sliver_id_parts[0])) except ValueError: pass if not slice_ids: raise Forbidden("sliver urn not provided") slices = self.shell.GetSlices(slice_ids) sliver_names = [slice['name'] for slice in slices] # make sure we have a credential for every specified sliver ierd for sliver_name in sliver_names: if sliver_name not in slice_cred_names: msg = "Valid credential not found for target: %s" % sliver_name raise Forbidden(msg)
def loadCredential(self): """ Attempt to load credential from file if it exists. If it doesnt get credential from registry. """ # see if this file exists # XX This is really the aggregate's credential. Using this is easier than getting # the registry's credential from iteslf (ssl errors). filename = self.interface + self.hrn + ".ma.cred" ma_cred_path = os.path.join(self.config.SFA_DATA_DIR, filename) try: self.credential = Credential(filename=ma_cred_path) except IOError: self.credential = self.getCredentialFromRegistry()
def getCredential(self, minimumExpiration=0): """ Return a valid credential for this interface. """ type = 'authority' path = self.config.SFA_DATA_DIR filename = ".".join([self.interface, self.hrn, type, "cred"]) cred_filename = os.path.join(path,filename) cred = None if os.path.isfile(cred_filename): cred = Credential(filename = cred_filename) # make sure cred isnt expired if not cred.get_expiration or \ datetime.datetime.utcnow() + datetime.timedelta(seconds=minimumExpiration) < cred.get_expiration(): return cred.save_to_string(save_parents=True) # get a new credential if self.interface in ['registry']: cred = self._getCredentialRaw() else: cred = self._getCredential() cred.save_to_file(cred_filename, save_parents=True) return cred.save_to_string(save_parents=True)
def handle_input (filename, options): kind = determine_sfa_filekind(filename) # dump methods current do 'print' so let's go this road for now if kind=="certificate": cert=Certificate (filename=filename) print '--------------------',filename,'IS A',kind cert.dump(show_extensions=options.show_extensions) verify_input_object (cert, kind, options) elif kind=="credential": cred = Credential(filename = filename) print '--------------------',filename,'IS A',kind cred.dump(dump_parents = options.dump_parents, show_xml=options.show_xml) if options.extract_gids: print '--------------------',filename,'embedded GIDs' extract_gids(cred, extract_parents = options.dump_parents) verify_input_object (cred, kind, options) elif kind=="gid": gid = GID(filename = filename) print '--------------------',filename,'IS A',kind gid.dump(dump_parents = options.dump_parents) verify_input_object (gid, kind, options) else: print "%s: unknown filekind '%s'"% (filename,kind)
def delegate(self, opts, args): delegee_hrn = args[0] if opts.delegate_user: user_cred = self.get_user_cred() cred = self.delegate_cred(user_cred, delegee_hrn) elif opts.delegate_slice: slice_cred = self.get_slice_cred(opts.delegate_slice) cred = self.delegate_cred(slice_cred, delegee_hrn) else: self.logger.warning("Must specify either --user or --slice <hrn>") return delegated_cred = Credential(string=cred) object_hrn = delegated_cred.get_gid_object().get_hrn() if opts.delegate_user: dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_" + get_leaf(object_hrn) + ".cred") elif opts.delegate_slice: dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_slice_" + get_leaf(object_hrn) + ".cred") delegated_cred.save_to_file(dest_fn, save_parents=True) self.logger.info("delegated credential for %s to %s and wrote to %s"%(object_hrn, delegee_hrn,dest_fn))
def Renew(self, api, xrn, creds, expiration_time, options): call_id = options.get('call_id') if Callids().already_handled(call_id): return True def _Renew(aggregate, server, xrn, creds, expiration_time, options): try: result=server.Renew(xrn, creds, expiration_time, options) if type(result)!=dict: result = {'code': {'geni_code': 0}, 'value': result} result['aggregate'] = aggregate return result except: logger.log_exc('Something wrong in _Renew with URL %s'%server.url) return {'aggregate': aggregate, 'exc_info': traceback.format_exc(), 'code': {'geni_code': -1}, 'value': False, 'output': ""} # get the callers hrn valid_cred = api.auth.checkCredentials(creds, 'renewsliver', xrn)[0] caller_hrn = Credential(cred=valid_cred).get_gid_caller().get_hrn() # attempt to use delegated credential first cred = api.getDelegatedCredential(creds) if not cred: cred = api.getCredential(minimumExpiration=31*86400) multiclient = MultiClient() for aggregate in api.aggregates: # prevent infinite loop. Dont send request back to caller # unless the caller is the aggregate's SM if caller_hrn == aggregate and aggregate != api.hrn: continue interface = api.aggregates[aggregate] server = api.server_proxy(interface, cred) multiclient.run(_Renew, aggregate, server, xrn, [cred], expiration_time, options) results = multiclient.get_results() geni_code = 0 geni_output = ",".join([x.get('output',"") for x in results]) geni_value = reduce (lambda x,y: x and y, [result.get('value',False) for result in results], True) for agg_result in results: agg_geni_code = agg_result['code'].get('geni_code',0) if agg_geni_code: geni_code = agg_geni_code results = {'aggregates': results, 'code': {'geni_code': geni_code}, 'value': geni_value, 'output': geni_output} return results
def call(self, record, creds): # validate cred valid_creds = self.api.auth.checkCredentials(creds, 'register') # verify permissions hrn = record.get('hrn', '') self.api.auth.verify_object_permission(hrn) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.Register(self.api, record)
def call(self, creds, xrn, cert=None): # TODO: is there a better right to check for or is 'update good enough? valid_creds = self.api.auth.checkCredentials(creds, 'update') # verify permissions hrn, type = urn_to_hrn(xrn) self.api.auth.verify_object_permission(hrn) #log the call origin_hrn = Credential( string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrn, self.name)) return self.api.manager.CreateGid(self.api, xrn, cert)
def call(self, creds, xrn, type): if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # check creds valid_creds = self.api.auth.checkCredentials(creds, 'getcredential') self.api.auth.verify_object_belongs_to_me(hrn) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) return self.api.manager.GetCredential(self.api, xrn, type, self.api.auth.client_gid.get_urn())
def call(self, xrns, creds, options): (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) valid_creds = self.api.auth.checkCredentials( creds, 'deletesliver', xrns, check_sliver_callback=self.api.driver.check_sliver_credentials, speaking_for_hrn=speaking_for) #log the call origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn() self.api.logger.info( "interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, xrns, self.name)) return self.api.manager.Delete(self.api, xrns, creds, options)
def getDelegatedCredential(self, creds): """ Attempt to find a credential delegated to us in the specified list of creds. """ from sfa.trust.hierarchy import Hierarchy if creds and not isinstance(creds, list): creds = [creds] hierarchy = Hierarchy() delegated_cred = None for cred in creds: if hierarchy.auth_exists( Credential(cred=cred).get_gid_caller().get_hrn()): delegated_cred = cred break return delegated_cred
def __getCredentialRaw(self): """ Get our current credential directly from the local registry. """ hrn = self.hrn auth_hrn = self.auth.get_authority(hrn) # is this a root or sub authority if not auth_hrn or hrn == self.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = self.auth.get_auth_info(auth_hrn) table = self.SfaTable() records = table.findObjects({'hrn': hrn, 'type': 'authority+sa'}) if not records: raise RecordNotFound record = records[0] type = record['type'] object_gid = record.get_gid_object() new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(object_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) r1 = determine_rights(type, hrn) new_cred.set_privileges(r1) new_cred.encode() new_cred.sign() return new_cred
def GetCredential(self, api, xrn, type, caller_xrn=None): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = api.auth.get_auth_info(auth_hrn) # get record info filter = {"hrn": hrn} if type: filter["type"] = type record = dbsession.query(RegRecord).filter_by(**filter).first() if not record: raise RecordNotFound("hrn=%s, type=%s" % (hrn, type)) # verify_cancreate_credential requires that the member lists # (researchers, pis, etc) be filled in logger.debug("get credential before augment dict, keys=%s" % record.__dict__.keys()) api.driver.augment_records_with_testbed_info(record.__dict__) logger.debug("get credential after augment dict, keys=%s" % record.__dict__.keys()) if not api.driver.is_enabled(record.__dict__): raise AccountNotEnabled( ": PlanetLab account %s is not enabled. Please contact your site PI" % (record.email) ) # get the callers gid # if caller_xrn is not specified assume the caller is the record # object itself. if not caller_xrn: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_hrn, caller_type = urn_to_hrn(caller_xrn) caller_filter = {"hrn": caller_hrn} if caller_type: caller_filter["type"] = caller_type caller_record = dbsession.query(RegRecord).filter_by(**caller_filter).first() if not caller_record: raise RecordNotFound( "Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)" % (caller_hrn, caller_type, hrn, type) ) caller_gid = GID(string=caller_record.gid) object_hrn = record.get_gid_object().get_hrn() rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError(caller_hrn + " has no rights to " + record.hrn) object_gid = GID(string=record.gid) new_cred = Credential(subject=object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) # new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if hasattr(record, "expires"): date = utcparse(record.expires) expires = datetime_to_epoch(date) new_cred.set_expiration(int(expires)) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs # new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
def _getCredentialRaw(self): """ Get our current credential directly from the local registry. """ hrn = self.hrn auth_hrn = self.auth.get_authority(hrn) # is this a root or sub authority if not auth_hrn or hrn == self.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = self.auth.get_auth_info(auth_hrn) # xxx although unlikely we might want to check for a potential leak dbsession=self.dbsession() from sfa.storage.model import RegRecord record = dbsession.query(RegRecord).filter_by(type='authority+sa', hrn=hrn).first() if not record: raise RecordNotFound(hrn) type = record.type object_gid = record.get_gid_object() new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(object_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) r1 = determine_rights(type, hrn) new_cred.set_privileges(r1) new_cred.encode() new_cred.sign() return new_cred
def get_auth_cred(self, xrn, kind="authority"): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() cred = Credential(subject=hrn) cred.set_gid_caller(gid) cred.set_gid_object(gid) cred.set_privileges(kind) cred.get_privileges().delegate_all_privileges(True) #cred.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename()) cred.set_parent(self.get_auth_cred(parent_hrn, kind)) cred.encode() cred.sign() return cred
def GetCredential(self, api, xrn, type, caller_xrn=None): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = api.auth.get_auth_info(auth_hrn) # get record info record=dbsession.query(RegRecord).filter_by(type=type,hrn=hrn).first() if not record: raise RecordNotFound("hrn=%s, type=%s"%(hrn,type)) # get the callers gid # if caller_xrn is not specified assume the caller is the record # object itself. if not caller_xrn: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_hrn, caller_type = urn_to_hrn(caller_xrn) if caller_type: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn,type=caller_type).first() else: caller_record = dbsession.query(RegRecord).filter_by(hrn=caller_hrn).first() if not caller_record: raise RecordNotFound("Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"%(caller_hrn, caller_type, hrn, type)) caller_gid = GID(string=caller_record.gid)i object_hrn = record.get_gid_object().get_hrn() # call the builtin authorization/credential generation engine rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError("%s has no rights to %s (%s)" % \ (caller_hrn, object_hrn, xrn)) object_gid = GID(string=record.gid) new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) #new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if hasattr(record,'expires'): date = utcparse(record.expires) expires = datetime_to_epoch(date) new_cred.set_expiration(int(expires)) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
def get_credential(api, xrn, type, is_self=False): # convert xrn to hrn if type: hrn = urn_to_hrn(xrn)[0] else: hrn, type = urn_to_hrn(xrn) # Is this a root or sub authority auth_hrn = api.auth.get_authority(hrn) if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN: auth_hrn = hrn # get record info auth_info = api.auth.get_auth_info(auth_hrn) table = SfaTable() records = table.findObjects({'type': type, 'hrn': hrn}) if not records: raise RecordNotFound(hrn) record = records[0] # verify_cancreate_credential requires that the member lists # (researchers, pis, etc) be filled in api.fill_record_info(record) if record['type']=='user': if not record['enabled']: raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" %(record['email'])) # get the callers gid # if this is a self cred the record's gid is the caller's gid if is_self: caller_hrn = hrn caller_gid = record.get_gid_object() else: caller_gid = api.auth.client_cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() object_hrn = record.get_gid_object().get_hrn() rights = api.auth.determine_user_rights(caller_hrn, record) # make sure caller has rights to this object if rights.is_empty(): raise PermissionError(caller_hrn + " has no rights to " + record['name']) object_gid = GID(string=record['gid']) new_cred = Credential(subject = object_gid.get_subject()) new_cred.set_gid_caller(caller_gid) new_cred.set_gid_object(object_gid) new_cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) #new_cred.set_pubkey(object_gid.get_pubkey()) new_cred.set_privileges(rights) new_cred.get_privileges().delegate_all_privileges(True) if 'expires' in record: new_cred.set_expiration(int(record['expires'])) auth_kind = "authority,ma,sa" # Parent not necessary, verify with certs #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) new_cred.encode() new_cred.sign() return new_cred.save_to_string(save_parents=True)
class Auth: """ Credential based authentication """ def __init__(self, peer_cert = None, config = None ): self.peer_cert = peer_cert self.hierarchy = Hierarchy() if not config: self.config = Config() self.load_trusted_certs() def load_trusted_certs(self): self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() def checkCredentials(self, creds, operation, hrn = None): valid = [] if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: cred_obj=Credential(string=cred) logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) return valid def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True def check_ticket(self, ticket): """ Check if the tickt was signed by a trusted cert """ if self.trusted_cert_list: client_ticket = SfaTicket(string=ticket) client_ticket.verify_chain(self.trusted_cert_list) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) return True def verifyPeerCert(self, cert, gid): # make sure the client_gid matches client's certificate if not cert.is_pubkey(gid.get_pubkey()): raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject()) def verifyGidRequestHash(self, gid, hash, arglist): key = gid.get_pubkey() if not key.verify_string(str(arglist), hash): raise BadRequestHash(hash) def verifyCredRequestHash(self, cred, hash, arglist): gid = cred.get_gid_caller() self.verifyGidRequestHash(gid, hash, arglist) def validateGid(self, gid): if self.trusted_cert_list: gid.verify_chain(self.trusted_cert_list) def validateCred(self, cred): if self.trusted_cert_list: cred.verify(self.trusted_cert_file_list) def authenticateGid(self, gidStr, argList, requestHash=None): gid = GID(string = gidStr) self.validateGid(gid) # request_hash is optional if requestHash: self.verifyGidRequestHash(gid, requestHash, argList) return gid def authenticateCred(self, credStr, argList, requestHash=None): cred = Credential(string = credStr) self.validateCred(cred) # request hash is optional if requestHash: self.verifyCredRequestHash(cred, requestHash, argList) return cred def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) # xxx should be validateCred ?? self.validateCred(cert) def gidNoop(self, gidStr, value, requestHash): self.authenticateGid(gidStr, [gidStr, value], requestHash) return value def credNoop(self, credStr, value, requestHash): self.authenticateCred(credStr, [credStr, value], requestHash) return value def verify_cred_is_me(self, credential): is_me = False cred = Credential(string=credential) caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return def get_auth_info(self, auth_hrn): """ Given an authority name, return the information for that authority. This is basically a stub that calls the hierarchy module. @param auth_hrn human readable name of authority """ return self.hierarchy.get_auth_info(auth_hrn) def veriry_auth_belongs_to_me(self, name): """ Verify that an authority belongs to our hierarchy. This is basically left up to the implementation of the hierarchy module. If the specified name does not belong, ane exception is thrown indicating the caller should contact someone else. @param auth_name human readable name of authority """ # get auth info will throw an exception if the authority doesnt exist self.get_auth_info(name) def verify_object_belongs_to_me(self, name): """ Verify that an object belongs to our hierarchy. By extension, this implies that the authority that owns the object belongs to our hierarchy. If it does not an exception is thrown. @param name human readable name of object """ auth_name = self.get_authority(name) if not auth_name: auth_name = name if name == self.config.SFA_INTERFACE_HRN: return self.verify_auth_belongs_to_me(auth_name) def verify_auth_belongs_to_me(self, name): # get auth info will throw an exception if the authority doesnt exist self.get_auth_info(name) def verify_object_permission(self, name): """ Verify that the object gid that was specified in the credential allows permission to the object 'name'. This is done by a simple prefix test. For example, an object_gid for plc.arizona would match the objects plc.arizona.slice1 and plc.arizona. @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() if object_hrn == name: return if name.startswith(object_hrn + "."): return #if name.startswith(get_authority(name)): #return raise PermissionError(name) def determine_user_rights(self, caller_hrn, reg_record): """ Given a user credential and a record, determine what set of rights the user should have to that record. This is intended to replace determine_user_rights() and verify_cancreate_credential() """ rl = Rights() type = reg_record.type logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) if type == 'slice': # researchers in the slice are in the DB as-is researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] # locating PIs attached to that slice slice_pis=reg_record.get_pis() pi_hrns = [ user.hrn for user in slice_pis ] if (caller_hrn in researcher_hrns + pi_hrns): rl.add('refresh') rl.add('embed') rl.add('bind') rl.add('control') rl.add('info') elif type == 'authority': pi_hrns = [ user.hrn for user in reg_record.reg_pis ] if (caller_hrn == self.config.SFA_INTERFACE_HRN): rl.add('authority') rl.add('sa') rl.add('ma') if (caller_hrn in pi_hrns): rl.add('authority') rl.add('sa') # NOTE: for the PL implementation, this 'operators' list # amounted to users with 'tech' role in that site # it seems like this is not needed any longer, so for now I just drop that # operator_hrns = reg_record.get('operator',[]) # if (caller_hrn in operator_hrns): # rl.add('authority') # rl.add('ma') elif type == 'user': rl.add('refresh') rl.add('resolve') rl.add('info') elif type == 'node': rl.add('operator') return rl def get_authority(self, hrn): return get_authority(hrn) def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] creds = [] if not isinstance(caller_hrn_list, list): caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds
def log_invalid_cred(cred): cred_obj=Credential(string=cred) logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] return error