def get_auth_cred(self, xrn, kind="authority"): hrn, type = urn_to_hrn(xrn) auth_info = self.get_auth_info(hrn) gid = auth_info.get_gid_object() cred = Credential(subject=hrn) cred.set_gid_caller(gid) cred.set_gid_object(gid) cred.set_privileges(kind) cred.get_privileges().delegate_all_privileges(True) #cred.set_pubkey(auth_info.get_gid_object().get_pubkey()) parent_hrn = get_authority(hrn) if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion cred.set_issuer_keys(auth_info.get_privkey_filename(), auth_info.get_gid_filename()) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) cred.set_issuer_keys(parent_auth_info.get_privkey_filename(), parent_auth_info.get_gid_filename()) cred.set_parent(self.get_auth_cred(parent_hrn, kind)) cred.encode() cred.sign() return cred
def verify_cred_is_me(self, credential): cred = Credential(string=credential) caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return
def authenticateCred(self, credStr, argList, requestHash=None): cred = Credential(string=credStr) self.validateCred(cred) # request hash is optional if requestHash: self.verifyCredRequestHash(cred, requestHash, argList) return cred
def checkCredentials(self, creds, operation, hrn=None): valid = [] error = None if not isinstance(creds, list): creds = [creds] for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except Exception as e: cred_obj = Credential(string=cred) error = e #sys.exc_info()[:2] continue if not len(valid): if not error: error = "No valid credentials found" raise InsufficientRights('Access denied: %s' % (str(error))) return valid
def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] creds = [] if not isinstance(caller_hrn_list, list): caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds
def check(self, cred, operation, hrn=None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string=cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True