Exemplo n.º 1
0
    def test_gapi_duplicate_slice_name(self):
        """Check that a slice with different urn but same name raises DuplicateSliceNameException."""

        resv_rspec = self.test_gapi_CreateSliver()

        # get new credentials with new urn
        self.slice_cred = clearinghouse.CreateSlice(
            self.user_cert.save_to_string())
        self.slice_gid = credential.Credential(
            string=self.slice_cred).get_gid_object()

        # same slice different urn with same project name
        try:
            self.rpc.CreateSliver(
                self.slice_gid.get_urn(),
                [self.slice_cred],
                resv_rspec,
                {},
            )
        except xmlrpclib.Fault as e:
            self.assertEqual(e.faultCode, "Duplicate slice name.")
        else:
            self.fail("Did not generate expected fault.")

        # same slice different urn with different project name
        root = et.fromstring(resv_rspec)

        # change the project name
        elem = root.find(".//project")
        elem.set("name", "new proj name")
        resv_rspec = et.tostring(root)

        try:
            self.rpc.CreateSliver(
                self.slice_gid.get_urn(),
                [self.slice_cred],
                resv_rspec,
                {},
            )
        except xmlrpclib.Fault as e:
            self.assertEqual(e.faultCode, "Duplicate slice name.")
        else:
            self.fail("Did not generate expected fault.")
Exemplo n.º 2
0
def create_credential(caller_gid, object_gid, life_secs, typename,
                      issuer_keyfile, issuer_certfile, trusted_roots):
    '''Create and Return a Credential object issued by given key/cert for the given caller
    and object GID objects, given life in seconds, and given type.
    Privileges are determined by type per sfa/trust/rights.py'''
    # FIXME: Validate args: my gids, >0 life,
    # type of cred one I can issue
    # and readable key and cert files
    if caller_gid is None:
        raise ValueError("Missing Caller GID")
    if object_gid is None:
        raise ValueError("Missing Object GID")
    if life_secs is None or life_secs < 1:
        raise ValueError("Credential life in seconds was 0")
    if trusted_roots is None:
        raise ValueError("Missing list of trusted roots")

    if typename is None or typename.strip() == '':
        raise ValueError("Missing credential type")
    typename = typename.strip().lower()
    if typename not in ("user", "sa", "ma", "authority", "slice", "component"):
        raise ValueError("Unknown credential type %s" % typename)

    if not os.path.isfile(issuer_keyfile):
        raise ValueError("Cant read issuer key file %s" % issuer_keyfile)

    if not os.path.isfile(issuer_certfile):
        raise ValueError("Cant read issuer cert file %s" % issuer_certfile)

    issuer_gid = gid.GID(filename=issuer_certfile)

    if not (object_gid.get_urn() == issuer_gid.get_urn() or
            (issuer_gid.get_type() == 'authority'
             and object_gid.get_urn().split('+')[1].startswith(
                 issuer_gid.get_urn().split('+')[1]))):
        raise ValueError(
            "Issuer not authorized to issue credential: Issuer=%s  Target=%s" %
            (issuer_gid.get_urn(), object_gid.get_urn()))

    ucred = cred.Credential()
    # FIXME: Validate the caller_gid and object_gid
    # are my user and slice
    # Do get_issuer and compare to the issuer cert?
    # Or do gid.is_signed_by_cert(issuer_certfile)?
    ucred.set_gid_caller(caller_gid)
    ucred.set_gid_object(object_gid)
    ucred.set_lifetime(life_secs)
    # Use sfa/trust/rights.py to figure out what privileges
    # the credential should have.
    # user means refresh, resolve, info
    # per the privilege_table that lets users do
    # remove, update, resolve, list, getcredential,
    # listslices, listnodes, getpolicy
    # Note that it does not allow manipulating slivers
    privileges = rights.determine_rights(typename, None)
    ucred.set_privileges(privileges)
    ucred.encode()
    ucred.set_issuer_keys(issuer_keyfile, issuer_certfile)
    ucred.sign()

    try:
        ucred.verify(trusted_roots)
    except Exception, exc:
        raise Exception(
            "Create Credential failed to verify new credential from trusted roots: %s"
            % exc)
Exemplo n.º 3
0
 def make_cred(cred_string):
     return cred.Credential(string=cred_string)
Exemplo n.º 4
0
    def setUp(self):
        """
        Update settings, create DummyOMs and test models and login.
        """
        # add the test application
        self.settings_manager.set(
            OPENFLOW_OTHER_RESOURCES=(("expedient.clearinghouse.resources",
                                       "Resource"), ),
            DEBUG_PROPAGATE_EXCEPTIONS=True,
        )
        self.su = User.objects.create_superuser("superuser", "*****@*****.**",
                                                "password")
        self.test_user_password = "******"
        self.test_user = User.objects.create_user("test_user", "*****@*****.**",
                                                  self.test_user_password)
        give_permission_to("can_add_aggregate", Aggregate, self.test_user)
        give_permission_to("can_create_project", Project, self.test_user)

        for i in range(NUM_DUMMY_OMS):
            om = DummyOM.objects.create()
            om.populate_links(NUM_SWITCHES_PER_AGG, NUM_LINKS_PER_AGG / 2)
            username = "******" % i
            password = "******"
            u = User.objects.create_user(username, "*****@*****.**", password)

            # Add the aggregate to the CH
            url = SCHEME + "://%s/dummyom/%s/xmlrpc/" % (HOST, om.id)

            proxy = PasswordXMLRPCServerProxy.objects.create(
                username=username,
                password=password,
                url=url,
                verify_certs=False,
            )

            # test availability
            if not proxy.is_available():
                raise Exception("Problem: Proxy not available")

            proxy.delete()

        # create user cert/keys
        self.user_urn = get_user_urn(self.test_user.username)
        self.user_cert, self.user_key = create_x509_cert(self.user_urn)

        # get slice creds
        self.slice_cred = clearinghouse.CreateSlice(
            self.user_cert.save_to_string())
        self.slice_gid = credential.Credential(
            string=self.slice_cred).get_gid_object()

        # xmlrpc client
        self.rpc = xmlrpclib.ServerProxy(
            "http://testserver" + reverse("openflow_gapi"),
            transport=TestClientTransport(defaults={
                "REMOTE_USER":
                self.user_cert.save_to_string(),
                "SSL_CLIENT_CERT":
                self.user_cert.save_to_string(),
            }, ),
        )
Exemplo n.º 5
0
def create_credential(caller_gid,
                      object_gid,
                      expiration,
                      typename,
                      issuer_keyfile,
                      issuer_certfile,
                      trusted_roots,
                      delegatable=False):
    '''Create and Return a Credential object issued by given key/cert for the given caller
    and object GID objects, given life in seconds, and given type.
    Privileges are determined by type per sfa/trust/rights.py
    Privileges are delegatable if requested.'''
    # FIXME: Validate args: my gids, >0 life,
    # type of cred one I can issue
    # and readable key and cert files
    if caller_gid is None:
        raise ValueError("Missing Caller GID")
    if object_gid is None:
        raise ValueError("Missing Object GID")
    if expiration is None:
        raise ValueError("Missing expiration")
    naive_expiration = naiveUTC(expiration)
    duration = naive_expiration - datetime.datetime.utcnow()
    life_secs = duration.seconds + duration.days * 24 * 3600
    if life_secs < 1:
        raise ValueError("Credential expiration is in the past")
    if trusted_roots is None:
        raise ValueError("Missing list of trusted roots")

    if typename is None or typename.strip() == '':
        raise ValueError("Missing credential type")
    typename = typename.strip().lower()
    if typename not in ("user", "sa", "ma", "authority", "slice", "component"):
        raise ValueError("Unknown credential type %s" % typename)

    if not os.path.isfile(issuer_keyfile):
        raise ValueError("Cant read issuer key file %s" % issuer_keyfile)

    if not os.path.isfile(issuer_certfile):
        raise ValueError("Cant read issuer cert file %s" % issuer_certfile)

    issuer_gid = gid.GID(filename=issuer_certfile)

    if not (object_gid.get_urn() == issuer_gid.get_urn() or
            (issuer_gid.get_type().find('authority') == 0
             and hrn_authfor_hrn(issuer_gid.get_hrn(), object_gid.get_hrn()))):
        raise ValueError(
            "Issuer not authorized to issue credential: Issuer=%s  Target=%s" %
            (issuer_gid.get_urn(), object_gid.get_urn()))

    ucred = cred.Credential()
    # FIXME: Validate the caller_gid and object_gid
    # are my user and slice
    # Do get_issuer and compare to the issuer cert?
    # Or do gid.is_signed_by_cert(issuer_certfile)?
    ucred.set_gid_caller(caller_gid)
    ucred.set_gid_object(object_gid)
    ucred.set_expiration(expiration)
    # Use sfa/trust/rights.py to figure out what privileges
    # the credential should have.
    # user means refresh, resolve, info
    # per the privilege_table that lets users do
    # remove, update, resolve, list, getcredential,
    # listslices, listnodes, getpolicy
    # Note that it does not allow manipulating slivers

    # And every right is delegatable if any are delegatable (default False)
    privileges = rights.determine_rights(typename, None)
    privileges.delegate_all_privileges(delegatable)
    ucred.set_privileges(privileges)
    ucred.encode()
    ucred.set_issuer_keys(issuer_keyfile, issuer_certfile)
    ucred.sign()

    try:
        ucred.verify(trusted_roots)
    except Exception, exc:
        raise Exception(
            "Create Credential failed to verify new credential from trusted roots: %s"
            % exc)