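def __set_domain_component_id(self, resource_cid):
    """
    Retrieve the domain URN from a component ID and store it in
    ``self.domain_urn``.

    The component ID goes URN -> HRN -> authority URN through ``xrn``.
    If any step fails, a clearly marked fallback URN built from the
    original component ID is stored instead of propagating the error.

    @param resource_cid component ID (URN) of the resource
    """
    try:
        self.debug("Getting Domain info from resource-id: %s" % (resource_cid, ))
        # urn_to_hrn() returns a tuple; the HRN is its first element
        resource_hrn = xrn.urn_to_hrn(resource_cid)[0]
        # The HRN->URN conversion sometimes escapes "." as "\."; undo that.
        # Raw string: the literal two characters backslash + dot.
        resource_hrn = resource_hrn.replace(r"\.", ".")
        # The authority part is already contained in the HRN, so it is
        # used as-is rather than going through xrn.get_authority().
        resource_auth = resource_hrn
        # Kept in its own local so the fallback below always sees the
        # original component ID, not a half-converted value.
        domain_urn = xrn.hrn_to_urn(resource_auth, "authority")
        self.domain_urn = domain_urn
        self.info("The URN is well-formed, update domain-urn: %s" % (self.domain_urn, ))
    except Exception as e:
        self.error("Malformed URN on resource_detector. Exception: %s" % str(e))
        # XXX_FIXME_XXX: this is just a workaround.
        # The component-id is reused as prefix of the "authority" string,
        # and "malformed" is inserted to make this case visible to callers.
        self.domain_urn = resource_cid + "+malformed+" + "authority+sa"
        self.warning("Malformed Domain URN: %s" % (self.domain_urn, ))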
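def get_auth_ticket(self, xrn):
    """
    Build and sign an SfaTicket for the authority named by ``xrn``.

    Caller and object GID are both the authority's own GID. The ticket is
    signed by the parent authority's private key when a parent HRN exists;
    a top-level authority self-signs, which terminates the recursion that
    get_auth_cred() drives for the parent chain.

    @param xrn URN (or HRN) of the authority
    @return signed SfaTicket
    """
    hrn, _xrn_type = urn_to_hrn(xrn)  # don't shadow builtin type()
    auth_info = self.get_auth_info(hrn)
    gid = auth_info.get_gid_object()

    ticket = SfaTicket(subject=hrn)
    ticket.set_gid_caller(gid)
    ticket.set_gid_object(gid)
    ticket.set_delegate(True)
    # Reuse the GID loaded above instead of fetching it a second time
    ticket.set_pubkey(gid.get_pubkey())

    parent_hrn = get_authority(hrn)
    if not parent_hrn:
        # No parent hrn: must be self-signed. This terminates the recursion.
        ticket.set_issuer(auth_info.get_pkey_object(), hrn)
    else:
        # The parent's private key is needed to sign this ticket
        parent_auth_info = self.get_auth_info(parent_hrn)
        ticket.set_issuer(parent_auth_info.get_pkey_object(),
                          parent_auth_info.hrn)
        ticket.set_parent(self.get_auth_cred(parent_hrn))

    ticket.encode()
    ticket.sign()
    return ticket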
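def auth_exists(self, xrn):
    """
    Return True when both the GID file and the private key file of the
    authority named by ``xrn`` exist on disk.

    @param xrn URN (or HRN) of the authority
    @return bool
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    _directory, gid_filename, privkey_filename = self.get_auth_filenames(hrn)
    # Pure existence check; the leftover debug print of the key paths to
    # stdout is gone, so this can be called freely from request handling.
    return os.path.exists(gid_filename) and os.path.exists(privkey_filename)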
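def __init__(self, create=False, subject=None, string=None, filename=None,
             uuid=None, hrn=None, urn=None, lifeDays=1825, email=None):
    """
    Construct a GID: a Certificate carrying SFA identity fields.

    @param create    forwarded to Certificate.__init__ (create a new cert)
    @param subject   certificate subject
    @param string    certificate text to load from
    @param filename  file to load the certificate from
    @param uuid      UUID of the object; stored as an int
    @param hrn       HRN of the object; the URN is derived with type 'unknown'
    @param urn       URN of the object; takes precedence over hrn and the
                     HRN is derived from it
    @param lifeDays  validity period in days, forwarded to Certificate.__init__
    @param email     email address stored in the SubjectAltName
    """
    self.uuid = None
    self.hrn = None
    self.urn = None
    self.email = None  # for adding to the SubjectAltName
    Certificate.__init__(self, lifeDays, create, subject, string, filename)
    if subject:
        # print() with a single argument behaves the same on Python 2 and 3
        print("Creating GID for subject: %s" % subject)
    if uuid:
        self.uuid = int(uuid)
    if hrn:
        self.hrn = hrn
        self.urn = hrn_to_urn(hrn, 'unknown')
    if urn:
        # urn wins over hrn: both fields are recomputed from it
        self.urn = urn
        self.hrn, _xrn_type = urn_to_hrn(urn)
    if email:
        self.set_email(email)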
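def __set_domain_component_id(self, resource_cid):
    """
    Retrieve the domain URN from a component ID and store it in
    ``self.domain_urn``.

    Conversion chain: URN -> HRN -> authority URN via ``xrn``. When any
    step raises, a fallback URN derived from the original component ID
    and marked "malformed" is stored instead.

    @param resource_cid component ID (URN) of the resource
    """
    try:
        self.debug("Getting Domain info from resource-id: %s" % (resource_cid,))
        # First element of the (hrn, type) tuple
        resource_hrn = xrn.urn_to_hrn(resource_cid)[0]
        # HRN->URN conversion sometimes escapes "." as "\."; undo that.
        # Raw string so the pattern is unambiguously backslash + dot.
        resource_hrn = resource_hrn.replace(r"\.", ".")
        # Auth URN is already there, no xrn.get_authority() needed
        resource_auth = resource_hrn
        # Separate local: the except branch must see the untouched
        # component ID, never a partially converted value.
        domain_urn = xrn.hrn_to_urn(resource_auth, "authority")
        self.domain_urn = domain_urn
        self.info("The URN is well-formed, update domain-urn: %s" % (self.domain_urn,))
    except Exception as e:
        self.error("Malformed URN on resource_detector. Exception: %s" % str(e))
        # XXX_FIXME_XXX: this is just a workaround.
        # The component-id is reused as prefix of the "authority" string;
        # "malformed" is inserted so the case stays visible downstream.
        self.domain_urn = resource_cid + "+malformed+" + "authority+sa"
        self.warning("Malformed Domain URN: %s" % (self.domain_urn,))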
def get_auth_cred(self, xrn, kind="authority"):
    """
    Build and sign a Credential for the authority named by ``xrn``.

    Caller and object GIDs are the authority's own GID; the privilege set
    is ``kind`` with delegation enabled on every right. The credential is
    signed with the parent's keys and chained to the parent's credential,
    unless the authority has no parent or is the configured
    SFA_INTERFACE_HRN, in which case it signs itself (end of recursion).

    @param xrn  URN (or HRN) of the authority
    @param kind privilege set name (default "authority")
    @return signed Credential
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    auth_info = self.get_auth_info(hrn)
    gid = auth_info.get_gid_object()

    cred = Credential(subject=hrn)
    cred.set_gid_caller(gid)
    cred.set_gid_object(gid)
    cred.set_privileges(kind)
    cred.get_privileges().delegate_all_privileges(True)
    #cred.set_pubkey(auth_info.get_gid_object().get_pubkey())

    parent_hrn = get_authority(hrn)
    self_signed = (not parent_hrn) or hrn == self.config.SFA_INTERFACE_HRN
    if self_signed:
        # no parent (or the root interface itself): sign with own keys,
        # which terminates the recursion
        cred.set_issuer_keys(auth_info.get_privkey_filename(),
                             auth_info.get_gid_filename())
    else:
        # the parent's private key signs this credential, and the
        # parent's own credential becomes the chain parent
        parent_auth_info = self.get_auth_info(parent_hrn)
        cred.set_issuer_keys(parent_auth_info.get_privkey_filename(),
                             parent_auth_info.get_gid_filename())
        cred.set_parent(self.get_auth_cred(parent_hrn, kind))

    cred.encode()
    cred.sign()
    return cred
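def auth_exists(self, xrn):
    """
    Return True when both the GID file and the private key file of the
    authority named by ``xrn`` are present on disk.

    @param xrn URN (or HRN) of the authority
    @return bool
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    _directory, gid_filename, privkey_filename = self.get_auth_filenames(hrn)
    # Only the existence check remains; the stray debug print that wrote
    # the key paths to stdout on every call is dropped.
    return os.path.exists(gid_filename) and os.path.exists(privkey_filename)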
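def get_auth_filenames(self, xrn):
    """
    Compute where the files of the authority named by ``xrn`` live.

    The HRN is mapped onto a directory below ``self.basedir`` by turning
    each "." into a path separator; the GID and private key files inside
    it are named after the HRN's leaf.

    @param xrn URN (or HRN) of the authority
    @return (directory, gid_filename, privkey_filename)
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    leaf = get_leaf(hrn)
    # NOTE(review): the HRN becomes a filesystem path; this relies on
    # urn_to_hrn() never yielding path separators or ".." components --
    # confirm, since xrn may originate from the request side.
    directory = os.path.join(self.basedir, hrn.replace(".", "/"))
    gid_filename = os.path.join(directory, leaf + ".gid")
    privkey_filename = os.path.join(directory, leaf + ".pkey")
    return (directory, gid_filename, privkey_filename)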
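def get_auth_filenames(self, xrn):
    """
    Return the directory, GID file and private key file of the authority
    named by ``xrn``.

    The directory is ``self.basedir`` plus the HRN with "." replaced by
    "/"; the two files are ``<leaf>.gid`` and ``<leaf>.pkey`` inside it.

    @param xrn URN (or HRN) of the authority
    @return (directory, gid_filename, privkey_filename)
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    leaf = get_leaf(hrn)
    # NOTE(review): the HRN is interpolated into a filesystem path, so
    # urn_to_hrn() is assumed to reject "/" and ".." -- confirm for inputs
    # that arrive from the request side.
    directory = os.path.join(self.basedir, hrn.replace(".", "/"))
    gid_filename = os.path.join(directory, leaf + ".gid")
    privkey_filename = os.path.join(directory, leaf + ".pkey")
    return (directory, gid_filename, privkey_filename)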
def __init__(self, create=False, subject=None, string=None, filename=None,
             uuid=None, hrn=None, urn=None, lifeDays=1825):
    """
    Construct a GID: a Certificate carrying SFA identity fields.

    @param create    forwarded to Certificate.__init__ (create a new cert)
    @param subject   certificate subject; logged at debug level when given
    @param string    certificate text to load from
    @param filename  file to load the certificate from
    @param uuid      UUID of the object; stored as an int
    @param hrn       HRN of the object; the URN is derived with type 'unknown'
    @param urn       URN of the object; applied after hrn, so it wins and
                     the HRN is derived from it
    @param lifeDays  validity period in days, forwarded to Certificate.__init__
    """
    Certificate.__init__(self, lifeDays, create, subject, string, filename)
    if subject:
        logger.debug("Creating GID for subject: %s" % subject)
    if uuid:
        self.uuid = int(uuid)
    if hrn:
        self.hrn = hrn
        self.urn = hrn_to_urn(hrn, 'unknown')
    if urn:
        self.urn = urn
        derived_hrn, _xrn_type = urn_to_hrn(urn)
        self.hrn = derived_hrn
def nodes(self): nodes = [] # Retrieve interfaces from links and postprocess # the data before returning the links links = self.links() for n in self.rspec.iterchildren("{%s}node" % (self.xmlns)): # sliver = None available = n.find("{%s}available" % (self.xmlns)) if available is not None: available = available.attrib.get("now") node = Node(n.attrib.get("component_id"), n.attrib.get("component_manager_id"), n.attrib.get("component_name"), n.attrib.get("exclusive"), available) self.__update_protogeni_cm_uuid(n, node) # node_id = xrn.urn_to_hrn(n.get("component_id"))[0] for link in links: if len(link["links"]) <= 0: continue # Retrieve source_id of link to find the # interfaces of the current node node_interface = xrn.urn_to_hrn(link["links"][0]["source_id"]) # Otherwise, retrieve dest_id of link to find the interfaces # of the current node node_interface = node_interface or\ xrn.urn_to_hrn(link["links"][0]["dest_id"]) if node_interface: # Get last part of the interface resource node_interface =\ xrn.urn_to_hrn(node_interface[0])[0].split(".")[-1] node.add_interface(node_interface) nodes.append(node.serialize()) return nodes
def fetch_user_name_from_geni_users(geni_users):
    """
    Given the GENI 'geni_users' structure, retrieves the proper client
    or user identifier (may be a name, hrn or urn).

    Only the first entry is consulted: its 'urn' is converted to an HRN
    and any backslashes (escaped dots) are stripped. None is returned
    when the structure is empty.

    @param geni_users geni_users structure, passed from handler
    @return user identifier
    """
    if len(geni_users) < 1:
        return None
    # Any entry could be used; the first one is taken
    #client_urn = geni_users[0]["urn"]
    #client_urn = xrn.get_leaf(xrn.urn_to_hrn(geni_users[0]["urn"])[0])
    first_urn = geni_users[0]["urn"]
    user_hrn = xrn.urn_to_hrn(first_urn)[0]
    return user_hrn.replace("\\", "")
def fetch_user_name_from_geni_users(geni_users):
    """
    Given the GENI 'geni_users' structure, retrieves the proper client
    or user identifier (may be a name, hrn or urn).

    The first entry's 'urn' is turned into an HRN with backslashes
    (escaped dots) removed; an empty structure yields None.

    @param geni_users geni_users structure, passed from handler
    @return user identifier
    """
    if len(geni_users) < 1:
        return None
    # Any entry could be used; take the first
    #client_urn = geni_users[0]["urn"]
    #client_urn = xrn.get_leaf(xrn.urn_to_hrn(geni_users[0]["urn"])[0])
    hrn_of_first = xrn.urn_to_hrn(geni_users[0]["urn"])[0]
    return hrn_of_first.replace("\\", "")
def get_auth_info(self, xrn):
    """
    Load the AuthInfo (GID + private key paths) of the authority ``xrn``.

    The GID is passed through refresh_gid(); when that returns a different
    object the AuthInfo is updated with it.

    @param xrn URN (or HRN) of the authority
    @return AuthInfo
    @raise MissingAuthority when the authority's files do not exist
    """
    hrn, _xrn_type = urn_to_hrn(xrn)
    if not self.auth_exists(hrn):
        raise MissingAuthority(hrn)
    _directory, gid_filename, privkey_filename = self.get_auth_filenames(hrn)
    auth_info = AuthInfo(hrn, gid_filename, privkey_filename)

    # check the GID and see if it needs to be refreshed
    current_gid = auth_info.get_gid_object()
    refreshed_gid = self.refresh_gid(current_gid)
    if current_gid != refreshed_gid:
        auth_info.update_gid_object(refreshed_gid)
    return auth_info
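def get_felix_authority_from_urn(urn):
    """
    Return the FELIX organisation (authority) encoded in ``urn``.

    The URN is converted to an HRN whose dot-separated elements are
    scanned for a member of URNUtils.FELIX_ORGS; the first match wins.
    When none matches, URNUtils.get_authority_from_urn() is tried as a
    best-effort fallback for URNs that do not follow the standard format;
    any failure there is ignored and "" is returned.

    @param urn URN to inspect
    @return authority name, or "" when it cannot be determined
    """
    authority = ""
    hrn, _hrn_type = urn_to_hrn(urn)
    hrn_list = hrn.split(".")
    # NOTE(review): the leaf (component_manager part) is scanned as well;
    # confirm that is intended.
    for hrn_element in hrn_list:
        if hrn_element in URNUtils.FELIX_ORGS:
            authority = hrn_element
            break
    # URN may not follow the standard format...
    if len(authority) == 0:
        try:
            # The fallback result is actually used now (it used to be
            # discarded); "" rather than None keeps len(authority) valid
            # for callers.
            authority = URNUtils.get_authority_from_urn(urn) or ""
        except Exception:
            # best-effort: an unparsable URN simply yields ""
            pass
    return authority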
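def create_auth(self, xrn, create_parents=False):
    """
    Create the on-disk directory for the authority named by ``xrn``.

    When ``create_parents`` is set and the parent authority does not
    exist yet, it is created first (recursively).

    @param xrn            URN (or HRN) of the authority
    @param create_parents also create missing parent authorities
    @raise OSError for any directory creation failure other than the
           directory already existing
    """
    import errno

    hrn, _xrn_type = urn_to_hrn(str(xrn))

    # create the parent authority if necessary; the existence check is
    # only worth doing when we are allowed to create the parent
    parent_hrn = get_authority(hrn)
    parent_urn = hrn_to_urn(parent_hrn, 'authority')
    if parent_hrn and create_parents and not self.auth_exists(parent_urn):
        self.create_auth(parent_urn, create_parents)

    directory, _gid_filename, _privkey_filename = self.get_auth_filenames(hrn)

    # create the directory to hold the files. An already existing
    # directory is fine; every other failure (permissions, read-only
    # filesystem, ...) is re-raised instead of being silently swallowed.
    # NOTE(review): this directory will hold the authority's private key
    # (.pkey) and its mode is left to the umask -- confirm the key file
    # itself is written with restrictive permissions.
    try:
        os.makedirs(directory)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise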
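def create_auth(self, xrn, create_parents=False):
    """
    Create the on-disk directory for the authority named by ``xrn``,
    optionally creating missing parent authorities first.

    @param xrn            URN (or HRN) of the authority
    @param create_parents recurse into missing parent authorities
    @raise OSError when the directory cannot be created for a reason
           other than already existing
    """
    import errno

    hrn, _xrn_type = urn_to_hrn(str(xrn))

    # create the parent authority if necessary (only look it up on disk
    # when creating it is permitted)
    parent_hrn = get_authority(hrn)
    parent_urn = hrn_to_urn(parent_hrn, 'authority')
    if parent_hrn and create_parents and not self.auth_exists(parent_urn):
        self.create_auth(parent_urn, create_parents)

    directory, _gid_filename, _privkey_filename = self.get_auth_filenames(hrn)

    # create the directory to hold the files; "already exists" is the only
    # error that is ignored, anything else surfaces to the caller.
    # NOTE(review): the authority's private key (.pkey) ends up in this
    # directory and the mode here follows the umask -- confirm the key
    # file is written with restrictive permissions.
    try:
        os.makedirs(directory)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise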
def create_gid(self, xrn, uuid, pkey, CA=False, email=None):
    """
    Create and sign a GID for ``xrn``.

    The GID's URN is rebuilt with hrn_to_urn() so it has the right format
    even when ``xrn`` was an HRN (the type then defaults to 'authority').
    Root / sub authorities are marked intermediate CA, other
    'authority'-typed objects are not, and anything else follows ``CA``.
    The GID is self-signed for the root interface or when there is no
    parent; otherwise the parent authority signs it and becomes its
    chain parent.

    @param xrn   URN or HRN of the object
    @param uuid  UUID of the object
    @param pkey  key whose public part goes into the GID (and signs it
                 when self-signed)
    @param CA    request an intermediate-CA GID for non-authority objects
    @param email email to embed, if any
    @return signed GID
    """
    hrn, xrn_type = urn_to_hrn(xrn)
    xrn_type = xrn_type or 'authority'
    parent_hrn = get_authority(hrn)
    # hrn_to_urn() guarantees the right format; if xrn was an hrn the
    # gid's urn would otherwise end up with type None
    urn = hrn_to_urn(hrn, xrn_type)
    subject = self.get_subject(hrn) or hrn
    gid = GID(subject=subject, uuid=uuid, hrn=hrn, urn=urn, email=email)

    self_signed = hrn == self.config.SFA_INTERFACE_HRN or not parent_hrn

    # is this a CA cert?
    if self_signed:
        # root or sub authority
        intermediate_ca = True
    elif 'authority' in xrn_type:
        # authority type
        intermediate_ca = False
    else:
        intermediate_ca = bool(CA)
    gid.set_intermediate_ca(intermediate_ca)

    # set issuer
    if self_signed:
        # no parent hrn (or the root interface): self-signed, which
        # terminates the recursion
        gid.set_issuer(pkey, subject)
    else:
        # the parent's private key signs this GID
        parent_auth_info = self.get_auth_info(parent_hrn)
        parent_gid = parent_auth_info.get_gid_object()
        gid.set_issuer(parent_auth_info.get_pkey_object(),
                       parent_gid.get_extended_subject())
        gid.set_parent(parent_auth_info.get_gid_object())

    gid.set_pubkey(pkey)
    gid.encode()
    gid.sign()
    return gid
def decode(self):
    """
    Populate uuid / urn / hrn / email from the certificate's subjectAltName.

    Two encodings are understood: a legacy 'URI:http://<params>' value
    carrying an XML-RPC params payload whose first parameter is a dict of
    fields, and a comma-separated list of 'URI:urn:uuid:...',
    'URI:urn:publicid:IDN+...' and 'email:...' entries. When a URN is
    present the HRN is always derived from it.
    """
    data = self.get_data('subjectAltName')
    fields = {}
    if data:
        if data.lower().startswith('uri:http://<params>'):
            # legacy encoding: everything after 'uri:http://' is XML-RPC.
            # NOTE(review): this parses XML embedded in the certificate;
            # whether the certificate has been verified before decode()
            # is called is not visible here -- confirm.
            fields = xmlrpclib.loads(data[11:])[0][0]
        else:
            for val in data.split(', '):
                lowered = val.lower()
                if lowered.startswith('uri:urn:uuid:'):
                    # uuid.UUID() accepts the 'urn:uuid:' prefix
                    fields['uuid'] = uuid.UUID(val[4:]).int
                elif lowered.startswith('uri:urn:publicid:idn+'):
                    fields['urn'] = val[4:]
                elif lowered.startswith('email:'):
                    # FIXME: Ensure there isn't cruft in that address...
                    # EG look for email:copy,....
                    fields['email'] = val[6:]
    self.uuid = fields.get("uuid", None)
    self.urn = fields.get("urn", None)
    self.hrn = fields.get("hrn", None)
    self.email = fields.get("email", None)
    if self.urn:
        self.hrn = urn_to_hrn(self.urn)[0]
def decode(self):
    """
    Parse ``self.xml`` into this Credential's fields.

    Accepts either a bare <credential> document or a <signed-credential>
    wrapping <credential> elements plus <signatures>. Only the first
    <credential> is used. Fills refid, expiration, caller/object GIDs,
    the privilege list ('*' is expanded via determine_rights() for the
    object's type), an optional parent Credential, and attaches every
    <Signature> to the credential in the chain whose refid matches.

    Does nothing when ``self.xml`` is empty. Raises
    CredentialNotVerifiable when no <credential> tag is found, and
    IndexError when the <privileges> element is missing.
    """
    if not self.xml:
        return
    doc = parseString(self.xml)
    sigs = []
    signed_cred = doc.getElementsByTagName("signed-credential")

    # Is this a signed-cred or just a cred?
    if len(signed_cred) > 0:
        creds = signed_cred[0].getElementsByTagName("credential")
        signatures = signed_cred[0].getElementsByTagName("signatures")
        if len(signatures) > 0:
            sigs = signatures[0].getElementsByTagName("Signature")
    else:
        creds = doc.getElementsByTagName("credential")

    if creds is None or len(creds) == 0:
        # malformed cred file
        raise CredentialNotVerifiable("Malformed XML: No credential tag found")

    # Just take the first cred if there are more than one
    cred = creds[0]

    self.set_refid(cred.getAttribute("xml:id"))
    self.set_expiration(utcparse(getTextNode(cred, "expires")))
    self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
    self.gidObject = GID(string=getTextNode(cred, "target_gid"))

    # Process privileges
    privs = cred.getElementsByTagName("privileges")[0]
    rlist = Rights()
    for priv in privs.getElementsByTagName("privilege"):
        kind = getTextNode(priv, "name")
        deleg = str2bool(getTextNode(priv, "can_delegate"))
        if kind == '*':
            # Convert * into the default privileges for the credential's type
            # Each inherits the delegatability from the * above
            _ , type = urn_to_hrn(self.gidObject.get_urn())
            rl = determine_rights(type, self.gidObject.get_urn())
            for r in rl.rights:
                r.delegate = deleg
                rlist.add(r)
        else:
            rlist.add(Right(kind.strip(), deleg))
    self.set_privileges(rlist)

    # Is there a parent?
    parent = cred.getElementsByTagName("parent")
    if len(parent) > 0:
        parent_doc = parent[0].getElementsByTagName("credential")[0]
        parent_xml = parent_doc.toxml()
        self.parent = Credential(string=parent_xml)
        self.updateRefID()

    # Assign the signatures to the credentials
    # NOTE(review): a signature is bound to a credential solely by refid /
    # xml:id match here; the check that the signed element is the one whose
    # fields were read above is not visible in this method -- confirm it
    # happens in the verification path.
    for sig in sigs:
        Sig = Signature(string=sig.toxml())
        for cur_cred in self.get_credential_list():
            if cur_cred.get_refid() == Sig.get_refid():
                cur_cred.set_signature(Sig)
def set_urn(self, urn):
    """
    Store ``urn`` and derive the matching HRN from it.

    @param urn URN of the object
    """
    self.urn = urn
    derived_hrn, _urn_type = urn_to_hrn(urn)
    self.hrn = derived_hrn
def get_type(self):
    """
    Return the object type encoded in this GID's URN.

    decode() is run first when the URN has not been extracted yet.

    @return type component of the URN
    """
    if not self.urn:
        self.decode()
    _hrn, urn_type = urn_to_hrn(self.urn)
    return urn_type
def decode(self):
    """
    Parse ``self.xml`` into this Credential's fields.

    Accepts either a bare <credential> document or a <signed-credential>
    wrapping <credential> elements plus <signatures>. Only the first
    <credential> is used. Fills refid, expiration, caller/object GIDs,
    the privilege list ('*' is expanded via determine_rights() for the
    object's type; a missing <privileges> element yields an empty Rights),
    an optional parent Credential, and attaches every <Signature> to the
    credential in the chain whose refid matches.

    Does nothing when ``self.xml`` is empty. Raises
    CredentialNotVerifiable when no <credential> tag is found or when a
    <parent> tag carries an empty credential.
    """
    if not self.xml:
        return
    doc = parseString(self.xml)
    sigs = []
    signed_cred = doc.getElementsByTagName("signed-credential")

    # Is this a signed-cred or just a cred?
    if len(signed_cred) > 0:
        creds = signed_cred[0].getElementsByTagName("credential")
        signatures = signed_cred[0].getElementsByTagName("signatures")
        if len(signatures) > 0:
            sigs = signatures[0].getElementsByTagName("Signature")
    else:
        creds = doc.getElementsByTagName("credential")

    if creds is None or len(creds) == 0:
        # malformed cred file
        raise CredentialNotVerifiable("Malformed XML: No credential tag found")

    # Just take the first cred if there are more than one
    cred = creds[0]

    self.set_refid(cred.getAttribute("xml:id"))
    self.set_expiration(utcparse(getTextNode(cred, "expires")))

    # import traceback
    # stack = traceback.extract_stack()
    og = getTextNode(cred, "owner_gid")
    # ABAC creds will have this be None and use this method
    # if og is None:
    #     found = False
    #     for frame in stack:
    #         if 'super(ABACCredential, self).decode()' in frame:
    #             found = True
    #             break
    #     if not found:
    #         raise CredentialNotVerifiable("Malformed XML: No owner_gid found")
    self.gidCaller = GID(string=og)
    tg = getTextNode(cred, "target_gid")
    # if tg is None:
    #     found = False
    #     for frame in stack:
    #         if 'super(ABACCredential, self).decode()' in frame:
    #             found = True
    #             break
    #     if not found:
    #         raise CredentialNotVerifiable("Malformed XML: No target_gid found")
    self.gidObject = GID(string=tg)

    # Process privileges
    rlist = Rights()
    priv_nodes = cred.getElementsByTagName("privileges")
    if len(priv_nodes) > 0:
        privs = priv_nodes[0]
        for priv in privs.getElementsByTagName("privilege"):
            kind = getTextNode(priv, "name")
            deleg = str2bool(getTextNode(priv, "can_delegate"))
            if kind == '*':
                # Convert * into the default privileges for the credential's type
                # Each inherits the delegatability from the * above
                _ , type = urn_to_hrn(self.gidObject.get_urn())
                rl = determine_rights(type, self.gidObject.get_urn())
                for r in rl.rights:
                    r.delegate = deleg
                    rlist.add(r)
            else:
                rlist.add(Right(kind.strip(), deleg))
    self.set_privileges(rlist)

    # Is there a parent?
    parent = cred.getElementsByTagName("parent")
    if len(parent) > 0:
        parent_doc = parent[0].getElementsByTagName("credential")[0]
        parent_xml = parent_doc.toxml("utf-8")
        # NOTE(review): on Python 3 toxml(encoding) returns bytes, so the
        # comparison with "" below would never match; fine on Python 2.
        if parent_xml is None or parent_xml.strip() == "":
            raise CredentialNotVerifiable("Malformed XML: Had parent tag but it is empty")
        self.parent = Credential(string=parent_xml)
        self.updateRefID()

    # Assign the signatures to the credentials
    # NOTE(review): a signature is bound to a credential solely by refid /
    # xml:id match here; the check that the signed element is the one whose
    # fields were read above is not visible in this method -- confirm it
    # happens in the verification path.
    for sig in sigs:
        Sig = Signature(string=sig.toxml("utf-8"))
        for cur_cred in self.get_credential_list():
            if cur_cred.get_refid() == Sig.get_refid():
                cur_cred.set_signature(Sig)
def __init__(self, xrn, gid_filename, privkey_filename):
    """
    Hold the on-disk locations of an authority's GID and private key.

    @param xrn              URN (or HRN) of the authority; stored as HRN
    @param gid_filename     path of the GID file (set via set_gid_filename)
    @param privkey_filename path of the private key file
    """
    self.hrn, _xrn_type = urn_to_hrn(xrn)
    self.set_gid_filename(gid_filename)
    self.privkey_filename = privkey_filename