    def __init__(self):
        """
        Get plugins for use in other class methods.

        Set unique keys.

        Also loads the member authority's certificate and private key from the
        configured trusted cert / key directories, derives the CRL file path
        from the hostname found in the certificate, and parses both PEM strings
        with ``crypto.load_certificate`` / ``crypto.load_privatekey``.  Note
        that the private key text stays in memory for the object's lifetime.
        """
        super(OMemberAuthorityResourceManager, self).__init__()
        tools = pm.getService('resourcemanagertools')
        self._resource_manager_tools = tools
        self._delegate_tools = pm.getService('delegatetools')
        self._set_unique_keys()
        #<UT>
        config = pm.getService("config")
        cert_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
        key_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
        # Raw file contents of the MA certificate and its private key.
        self._ma_cert_str = tools.read_file(
            cert_dir + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
        self._ma_cert_key_str = tools.read_file(
            key_dir + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)

        # The CRL for this authority lives in the CRL directory under
        # '<hostname>.authority.ma'.
        self._hostname = tools.get_hostname(self._ma_cert_str)
        crl_dir = expand_eisoil_path(config.get("delegatetools.trusted_crl_path"))
        self._ma_crl_path = crl_dir + '/' + self._hostname + '.authority.ma'

        self.gfed_ex = pm.getService('apiexceptionsv2')
        self._urn = self.urn()

        self._cert_revoke_reasons = crypto.Revoked().all_reasons()
        self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
        self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
    def __init__(self):
        """
        Get plugins for use in other class methods.

        Set unique keys.

        Also reads the slice authority's certificate (``_sa_c``) and private
        key (``_sa_pr``) from the configured trusted cert / key directories
        and derives ``_hostname`` from the certificate text.
        """
        super(OSliceAuthorityResourceManager, self).__init__()
        tools = pm.getService('resourcemanagertools')
        self._resource_manager_tools = tools
        self._set_unique_keys()

        #<UT>
        config = pm.getService("config")
        cert_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
                     + '/' + OSliceAuthorityResourceManager.SA_CERT_FILE)
        key_file = (expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))
                    + '/' + OSliceAuthorityResourceManager.SA_KEY_FILE)

        self._sa_c = tools.read_file(cert_file)
        self._sa_pr = tools.read_file(key_file)

        #<UT>
        self._hostname = tools.get_hostname(self._sa_c)
        self._delegate_tools = pm.getService('delegatetools')
        self.gfed_ex = pm.getService('apiexceptionsv2')
    def __init__(self):
        """
        Get plugins for use in other class methods.

        Set unique keys.

        The slice authority's certificate and private key are read from the
        directories named by ``delegatetools.trusted_cert_path`` and
        ``delegatetools.trusted_cert_keys_path`` into ``_sa_c`` / ``_sa_pr``;
        ``_hostname`` is taken from the certificate.
        """
        super(OSliceAuthorityResourceManager, self).__init__()
        self._resource_manager_tools = pm.getService("resourcemanagertools")
        self._set_unique_keys()

        # <UT>
        config = pm.getService("config")
        cert_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
        key_dir = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))

        def read_from(directory, file_name):
            # Files are addressed as '<directory>/<file_name>'.
            return self._resource_manager_tools.read_file(directory + "/" + file_name)

        self._sa_c = read_from(cert_dir, OSliceAuthorityResourceManager.SA_CERT_FILE)
        self._sa_pr = read_from(key_dir, OSliceAuthorityResourceManager.SA_KEY_FILE)

        # <UT>
        self._hostname = self._resource_manager_tools.get_hostname(self._sa_c)
        self._delegate_tools = pm.getService("delegatetools")
        self.gfed_ex = pm.getService("apiexceptionsv2")
    def __init__(self):
        """
        Get plugins for use in other class methods.

        Set unique keys.

        Loads the member authority's certificate and private key text, works
        out the hostname and the CRL path ('<hostname>.authority.ma' under the
        trusted CRL directory), and parses certificate and key with
        ``crypto.load_certificate`` / ``crypto.load_privatekey``.
        """
        super(OMemberAuthorityResourceManager, self).__init__()
        self._resource_manager_tools = pm.getService('resourcemanagertools')
        self._set_unique_keys()
        #<UT>
        config = pm.getService("config")

        def expanded(setting):
            # Resolve a configured directory through the eisoil path expansion.
            return expand_eisoil_path(config.get(setting))

        cert_dir = expanded("delegatetools.trusted_cert_path")
        key_dir = expanded("delegatetools.trusted_cert_keys_path")
        read_file = self._resource_manager_tools.read_file
        self._ma_cert_str = read_file(
            cert_dir + '/' + OMemberAuthorityResourceManager.MA_CERT_FILE)
        self._ma_cert_key_str = read_file(
            key_dir + '/' + OMemberAuthorityResourceManager.MA_KEY_FILE)

        self._hostname = self._resource_manager_tools.get_hostname(self._ma_cert_str)
        self._ma_crl_path = (expanded("delegatetools.trusted_crl_path")
                             + '/' + self._hostname + '.authority.ma')

        self.gfed_ex = pm.getService('apiexceptionsv2')
        self._urn = self.urn()

        self._cert_revoke_reasons = crypto.Revoked().all_reasons()
        self._ma_cert = crypto.load_certificate(crypto.FILETYPE_PEM, self._ma_cert_str)
        self._ma_cert_key = crypto.load_privatekey(crypto.FILETYPE_PEM, self._ma_cert_key_str)
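    def __init__(self):
        """
        Get plugins for use in other class methods.

        Resolves the CH_CERT_FILE / CH_KEY_FILE paths from the ``config``
        service, reads the ``TRUSTED_PEERS`` list from the registry and, unless
        there are no federating peers or this is the pre-reloader process,
        starts a daemon thread running ``synch_certs``.
        """
        super(SynchRootCerts, self).__init__()
        config = pm.getService("config")
        self._trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
        self._ch_cert_file = os.path.join(self._trusted_cert_path, SynchRootCerts.CH_CERT_FILE)
        self._ch_cert_key_file = os.path.join(
            expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path")),
            SynchRootCerts.CH_KEY_FILE)
        self._delegate_tools = pm.getService('delegatetools')
        self._trusted_peers = self._delegate_tools.get_registry()["TRUSTED_PEERS"]

        # No need to run daemon thread if there are no federating islands:
        # an empty list, or a single entry whose host_ip is the 0.0.0.0
        # placeholder, both count as "no peers".
        if not self._trusted_peers or (
                len(self._trusted_peers) == 1 and self._trusted_peers[0]['host_ip'] == '0.0.0.0'):
            logger.info('No valid entries for trusted peers. Daemon thread for synchronizing trusted certs will not start.')
            return

        # To avoid running daemon thread before reloader: the first process
        # only marks the environment and returns, the reloaded child starts
        # the thread.  Compared with `==`; the previous `is '0'` was an
        # identity test on a string and is not guaranteed to hold.
        if os.environ.get('RELOADED', '0') == '0':
            os.environ['RELOADED'] = '1'
            return

        # Create a daemon thread and start it (daemon so it does not keep the
        # process alive on shutdown).
        th = threading.Thread(target=self.synch_certs)
        th.daemon = True
        th.start()
        logger.info('Daemon thread for synchronizing trusted certs started.')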
    def runServer(self):
        """Starts up the server. It (will) support different config options via the config plugin.

        Reads the ``flask.*`` settings from the config service and either
        serves ``self._app`` over FastCGI (``flask.fcgi`` set) or runs
        Werkzeug's development server with an SSL context built from
        ``ch-cert.pem`` / ``ch-key.pem`` under the
        ``delegatetools.trusted_cert_path`` / ``delegatetools.trusted_cert_keys_path``
        directories.  Exits the process (``sys.exit``) if cert or key cannot
        be loaded.
        """
        config = pm.getService("config")
        debug = config.get("flask.debug")  # read but not used below (the flask run() call that took it is commented out)
        cFCGI = config.get("flask.fcgi")
        host = config.get("flask.bind")
        app_port = config.get("flask.app_port")
        fcgi_port = config.get("flask.fcgi_port")
        must_have_client_cert = config.get("flask.force_client_cert")

        if cFCGI:
            logger.info("registering fcgi server at %s:%i", host, fcgi_port)
            from flup.server.fcgi import WSGIServer
            WSGIServer(self._app, bindAddress=(host, fcgi_port)).run()
        else:
            logger.info("registering app server at %s:%i", host, app_port)
            # do the following line manually, so we can intervene and adjust the ssl context
            # self._app.run(host=host, port=app_port, ssl_context='adhoc', debug=debug, request_handler=ClientCertHTTPRequestHandler)
            
            # the code from flask's `run...`
            # see https://github.com/mitsuhiko/flask/blob/master/flask/app.py
            options = {}  # left over from flask's run(); never used here
            try:
                # now the code from werkzeug's `run_simple(host, app_port, self._app, **options)`
                # see https://github.com/mitsuhiko/werkzeug/blob/master/werkzeug/serving.py
                from werkzeug.debug import DebuggedApplication
                import socket
                # NOTE(review): `application` is never used; inner() serves
                # self._app directly, so the Werkzeug debugger (evalex=True)
                # is not actually exposed.  The line looks like dead code.
                application = DebuggedApplication(self._app, True)

                # Set up an SSL context
                cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
                cert_key_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path"))

                # NOTE(review): SSLv23_METHOD negotiates the highest protocol
                # both ends support; no set_options() disabling legacy
                # SSLv2/SSLv3 is visible here — confirm the OpenSSL defaults.
                context = SSL.Context(SSL.SSLv23_METHOD)
                context_crt = os.path.join(cert_path, "ch-cert.pem")
                context_key = os.path.join(cert_key_path, "ch-key.pem")
                try:
                    context.use_certificate_file(context_crt)
                    context.use_privatekey_file(context_key)
                except Exception as e:
                    # sys.exit with an exception object prints it and exits with status 1
                    logger.critical("error starting flask server. Cert or key is missing under %s", cert_path)
                    sys.exit(e)

                def inner():
                    # server = serving.make_server(host, app_port, self._app, False, 1, ClientCertHTTPRequestHandler, False, 'adhoc')
                    server = serving.make_server(host, app_port, self._app, False, 1, ClientCertHTTPRequestHandler, False, ssl_context=context)
                    # The following line is the reason why I copied all that code!
                    # The verify callback ignores its `ok` argument and always
                    # returns True, so VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT
                    # only enforces that the client *presents* a certificate;
                    # no chain validation happens at the TLS layer here.  The
                    # trust decision presumably lives in the application /
                    # request handler — confirm before relying on this flag.
                    if must_have_client_cert:
                        server.ssl_context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda a,b,c,d,e: True)
                    # That's it
                    server.serve_forever()
                # Bind a throw-away socket once so an unavailable port fails
                # here, before the reloader spawns the child process.
                address_family = serving.select_ip_version(host, app_port)
                test_socket = socket.socket(address_family, socket.SOCK_STREAM)
                test_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                test_socket.bind((host, app_port))
                test_socket.close()
                serving.run_with_reloader(inner, None, 1)
            finally:
                # mirrors the reset flask's run() performs in its own finally
                self._app._got_first_request = False
    def __init__(self):
        """
        Load configuration files. Combine the default field names with the supplementary fields to form a combined list.

        Also resolves the trusted certificate and CRL directories from the
        ``config`` service; both stored paths end with a trailing ``/``.
        """
        #: holds static configuration and settings loaded from JSON files (config.json and defaults.json)
        self.STATIC = {}
        self._load_files()
        self._combine_fields()

        config = pm.getService("config")
        cert_dir = config.get("delegatetools.trusted_cert_path")
        crl_dir = config.get("delegatetools.trusted_crl_path")
        self.TRUSTED_CERT_PATH = expand_eisoil_path(cert_dir) + '/'  #<UT>
        self.TRUSTED_CRL_PATH = expand_eisoil_path(crl_dir) + '/'  #<UT>
    def __init__(self):
        """
        Load configuration files. Combine the default field names with the supplementary fields to form a combined list.

        ``TRUSTED_CERT_PATH`` and ``TRUSTED_CRL_PATH`` are taken from the
        ``config`` service, expanded, and stored with a trailing ``/``.
        """
        self.STATIC = {}  #: holds static configuration and settings loaded from JSON files (config.json and defaults.json)
        self._load_files()
        self._combine_fields()

        config = pm.getService("config")

        def directory(setting):
            # Expanded directory path with a trailing slash, ready for concatenation.
            return expand_eisoil_path(config.get(setting)) + '/'

        self.TRUSTED_CERT_PATH = directory("delegatetools.trusted_cert_path")  #<UT>
        self.TRUSTED_CRL_PATH = directory("delegatetools.trusted_crl_path")  #<UT>
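    def all_trusted_certs(self):
        """
        Return all trusted certificates as defined in the registry config file (registry.json).

        The ``TRUST_ROOTS`` list from the registry is copied, the magic markers
        ``INFER_SAs`` / ``INFER_MAs`` are replaced by the ``SERVICE_CERT`` of
        every known slice / member authority, and the contents of every
        regular file under ``delegatetools.trusted_cert_path`` are appended.

        Returns:
            list of certificate strings
        """
        # Work on a copy: mutating the list returned by get_registry() in place
        # (as this method previously did) would, if the registry hands out a
        # shared object, strip the markers permanently and append the on-disk
        # certificates again on every call.
        certs = list(self._delegate_tools.get_registry()["TRUST_ROOTS"])
        # TODO: substitute magic markers
        if "INFER_SAs" in certs:
            certs.remove("INFER_SAs")
            certs.extend(s['SERVICE_CERT'] for s in self.all_slice_authorities())
        if "INFER_MAs" in certs:
            certs.remove("INFER_MAs")
            certs.extend(s['SERVICE_CERT'] for s in self.all_member_authorities())

        config = pm.getService('config')
        trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))

        # Go through the dir and fetch trusted certificates.  Every regular
        # file in this directory is returned as a trusted certificate, so the
        # directory's write permissions are security-relevant.
        for file_name in os.listdir(trusted_cert_path):
            full_file_name = os.path.join(trusted_cert_path, file_name)
            if os.path.isfile(full_file_name):
                with open(full_file_name, "r") as cert_file:
                    certs.append(cert_file.read())

        return certs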
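    def all_trusted_certs(self):
        """
        Return all trusted certificates as defined in the registry config file (registry.json).

        The ``TRUST_ROOTS`` list from the registry is copied, the magic markers
        ``INFER_SAs`` / ``INFER_MAs`` are replaced by the ``SERVICE_CERT`` of
        every known slice / member authority, and the contents of every
        regular file under ``delegatetools.trusted_cert_path`` are appended.

        Returns:
            list of certificate strings
        """
        # Work on a copy: mutating the list returned by get_registry() in place
        # (as this method previously did) would, if the registry hands out a
        # shared object, strip the markers permanently and append the on-disk
        # certificates again on every call.
        certs = list(self._delegate_tools.get_registry()["TRUST_ROOTS"])
        # TODO: substitute magic markers
        if "INFER_SAs" in certs:
            certs.remove("INFER_SAs")
            certs.extend(s['SERVICE_CERT'] for s in self.all_slice_authorities())
        if "INFER_MAs" in certs:
            certs.remove("INFER_MAs")
            certs.extend(s['SERVICE_CERT'] for s in self.all_member_authorities())

        config = pm.getService('config')
        trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))

        # Go through the dir and fetch trusted certificates.  Every regular
        # file in this directory is returned as a trusted certificate, so the
        # directory's write permissions are security-relevant.
        for file_name in os.listdir(trusted_cert_path):
            full_file_name = os.path.join(trusted_cert_path, file_name)
            if os.path.isfile(full_file_name):
                with open(full_file_name, "r") as cert_file:
                    certs.append(cert_file.read())

        return certs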
文件: genivthree.py 项目: EICT/C-BAS
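    def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
        """
        This method authenticates and authorizes.
        It returns the client's urn, uuid, email (extracted from the {client_cert}). Example call: "urn, uuid, email = self.auth(...)"
        Be aware, the email is not required in the certificate, hence it might be empty.
        If the validation fails, a GENIv3ForbiddenError is thrown.

        The credentials are checked so the user has all the required privileges (success if any credential fits all privileges).
        The client certificate is not checked: this is usually done via the webserver configuration.
        This method only treats credentials of type 'geni_sfa'.

        Args:
            client_cert: the client's certificate string, or None if the web server did not supply one
            credentials: iterable of dicts with 'geni_type' and 'geni_value' keys
            slice_urn: slice the credentials must apply to (optional)
            privileges: tuple of privilege names every accepted credential must grant

        Returns:
            (urn, uuid, email) of the client as read from the certificate

        Raises:
            TypeError: if ``privileges`` is not a tuple
            GENIv3ForbiddenError: if no client certificate is available or the credential verification fails

        Here a list of possible privileges (format: right_in_credential: [privilege1, privilege2, ...]):
            "authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
            "refresh"   : ["remove", "update"],
            "resolve"   : ["resolve", "list", "getcredential"],
            "sa"        : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
                           "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
                            "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
            "embed"     : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
                           "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
            "bind"      : ["getticket", "loanresources", "redeemticket"],
            "control"   : ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
                           "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
            "info"      : ["listslices", "listnodes", "getpolicy"],
            "ma"        : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
            "operator"  : ["gettrustedcerts", "getgids"],
            "*"         : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]

        When using the gcf clearinghouse implementation the credentials will have the rights:
        - user: "******", "resolve", "info" (which resolves to the privileges: "remove", "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
        - slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)
        """
        # check variables
        if not isinstance(privileges, tuple):
            raise TypeError("Privileges need to be a tuple.")
        # Fail fast before touching the config service; `is None` rather than
        # `== None` (identity test, not an overridable equality).
        if client_cert is None:
            raise GENIv3ForbiddenError("Could not determine the client SSL certificate")
        # collect credentials (only GENI certs, version ignored)
        geni_credentials = [c['geni_value'] for c in credentials if c['geni_type'] == 'geni_sfa']

        # get the cert_root
        config = pm.getService("config")
        cert_root = expand_eisoil_path(config.get("geniv3rpc.cert_root"))

        # test the credential; any verifier error is reported as forbidden
        try:
            cred_verifier = ext.geni.CredentialVerifier(cert_root)
            cred_verifier.verify_from_strings(client_cert, geni_credentials, slice_urn, privileges)
        except Exception as e:
            raise GENIv3ForbiddenError(str(e))

        user_gid = gid.GID(string=client_cert)
        user_urn = user_gid.get_urn()
        user_uuid = user_gid.get_uuid()
        user_email = user_gid.get_email()
        return user_urn, user_uuid, user_email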
    def _get_paths(self):
        """
        Get full file paths for JSON files to load (config.json, defaults.json, ...).

        Each ``delegatetools.*_path`` setting is read from the ``config``
        service and run through ``expand_eisoil_path``.

        Returns:
            dict mapping 'CONFIG', 'DEFAULTS', 'SUPPLEMENTARY_FIELDS',
            'REGISTRY', 'AUTHZ' and 'ROLES' to the expanded file paths
        """
        config = pm.getService("config")
        # (result key, config setting holding the unexpanded path)
        settings = (
            ('CONFIG', "delegatetools.config_path"),
            ('DEFAULTS', "delegatetools.defaults_path"),
            ('SUPPLEMENTARY_FIELDS', "delegatetools.supplemetary_fileds_path"),
            ('REGISTRY', "delegatetools.service_registry_path"),
            ('AUTHZ', "delegatetools.authz_path"),  #<UT>
            ('ROLES', "delegatetools.roles_path"),  #<UT>
        )
        return {key: expand_eisoil_path(config.get(setting)) for key, setting in settings}
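    def __init__(self):
        """
        Get plugins for use in other class methods.

        Resolves the CH_CERT_FILE / CH_KEY_FILE paths from the ``config``
        service, reads the ``TRUSTED_PEERS`` list from the registry and, unless
        there are no federating peers or this is the pre-reloader process,
        starts a daemon thread running ``synch_certs``.
        """
        super(SynchRootCerts, self).__init__()
        config = pm.getService("config")
        self._trusted_cert_path = expand_eisoil_path(config.get("delegatetools.trusted_cert_path"))
        self._ch_cert_file = os.path.join(self._trusted_cert_path, SynchRootCerts.CH_CERT_FILE)
        self._ch_cert_key_file = os.path.join(
            expand_eisoil_path(config.get("delegatetools.trusted_cert_keys_path")),
            SynchRootCerts.CH_KEY_FILE)
        self._delegate_tools = pm.getService('delegatetools')
        self._trusted_peers = self._delegate_tools.get_registry()["TRUSTED_PEERS"]

        # No need to run daemon thread if there are no federating islands:
        # an empty list, or a single entry whose host_ip is the 0.0.0.0
        # placeholder, both count as "no peers".
        if not self._trusted_peers or (
                len(self._trusted_peers) == 1 and self._trusted_peers[0]['host_ip'] == '0.0.0.0'):
            logger.info('No valid entries for trusted peers. Daemon thread for synchronizing trusted certs will not start.')
            return

        # To avoid running daemon thread before reloader: the first process
        # only marks the environment and returns, the reloaded child starts
        # the thread.  Compared with `==`; the previous `is '0'` was an
        # identity test on a string and is not guaranteed to hold.
        if os.environ.get('RELOADED', '0') == '0':
            os.environ['RELOADED'] = '1'
            return

        # Create a daemon thread and start it (daemon so it does not keep the
        # process alive on shutdown).
        th = threading.Thread(target=self.synch_certs)
        th.daemon = True
        th.start()
        logger.info('Daemon thread for synchronizing trusted certs started.')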
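 def _authorize_dict_list(self, client_cert, credentials, result, options):
     """
     Authorize a 'list' style call on every entry of ``result``.

     The client certificate (inferred from ``credentials`` when not given
     directly) is verified against the trust roots under ``ofed.cert_root``;
     then, for every URN key in ``result``, the credentials are checked for
     the 'list' privilege.  ``options`` is currently unused.

     Raises:
         gfed_ex.GFedv1AuthorizationError: wrapping any exception raised by
             the certificate or credential verification.
     """
     client_cert = geniutil.infer_client_cert(client_cert, credentials)
     try:
         trusted_cert_path = expand_eisoil_path(config.get("ofed.cert_root"))
         geniutil.verify_certificate(client_cert, trusted_cert_path)
         # TODO remove this (only for testing)
         # BEGIN REMOVE
         # NOTE(review): a client whose URN name decodes to "admin" skips the
         # per-URN credential check entirely (only the certificate above was
         # verified); the original author marked this block for removal.
         client_urn, _client_uuid, _client_email = geniutil.extract_certificate_info(client_cert)
         _client_auth, _client_type, client_name = geniutil.decode_urn(client_urn)
         if client_name != "admin":  # only test if the name is not admin
             # END REMOVE
             # iterating the dict yields its URN keys; the values were unused
             for urn in result:
                 geniutil.verify_credential(credentials, client_cert, urn, trusted_cert_path, ('list',))
     except Exception as e:
         raise gfed_ex.GFedv1AuthorizationError(str(e))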
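 def _authorize_dict_list(self, client_cert, credentials, result, options):
     """
     Authorize a 'list' style call on every entry of ``result``.

     The client certificate (inferred from ``credentials`` when not given
     directly) is verified against the trust roots under ``ofed.cert_root``;
     then, for every URN key in ``result``, the credentials are checked for
     the 'list' privilege.  ``options`` is currently unused.

     Raises:
         gfed_ex.GFedv1AuthorizationError: wrapping any exception raised by
             the certificate or credential verification.
     """
     client_cert = geniutil.infer_client_cert(client_cert, credentials)
     try:
         trusted_cert_path = expand_eisoil_path(config.get("ofed.cert_root"))
         geniutil.verify_certificate(client_cert, trusted_cert_path)
         # TODO remove this (only for testing)
         # BEGIN REMOVE
         # NOTE(review): a client whose URN name decodes to "admin" skips the
         # per-URN credential check entirely (only the certificate above was
         # verified); the original author marked this block for removal.
         client_urn, _client_uuid, _client_email = geniutil.extract_certificate_info(client_cert)
         _client_auth, _client_type, client_name = geniutil.decode_urn(client_urn)
         if client_name != "admin":  # only test if the name is not admin
             # END REMOVE
             # iterating the dict yields its URN keys; the values were unused
             for urn in result:
                 geniutil.verify_credential(credentials, client_cert, urn,
                                            trusted_cert_path, ('list', ))
     except Exception as e:
         raise gfed_ex.GFedv1AuthorizationError(str(e))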
文件: main.py 项目: wvdemeer/C-BAS
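def main():
    """
    Entry point: load the plugins and start either the worker or the RPC server.

    ``-h``/``--help`` prints the usage and exits, ``-w``/``--worker`` runs the
    worker server; without options the RPC server is started.  Unrecognized
    options print the usage and return (status 0, unchanged from before).
    """
    # set home environment variable to something (needed for apache deployment)
    os.environ['HOME'] = config.expand_eisoil_path('~')

    # load plugins
    pm.init(config.PLUGINS_PATH)
    try:
        opts, _args = getopt.getopt(sys.argv[1:], 'hw', ['help', 'worker'])
    except getopt.GetoptError as e:
        # single-argument print() form is valid on both Python 2 and 3;
        # the bare `print` statement only compiles on Python 2
        print("Wrong arguments: " + str(e))
        print("")
        print_usage()
        return
    for option, _opt_arg in opts:
        if option in ('-h', '--help'):
            print_usage()
            sys.exit(0)
        if option in ('-w', '--worker'):
            worker = pm.getService('worker')
            worker.WorkerServer().runServer()
            sys.exit(0)

    rpcserver = pm.getService('rpcserver')
    rpcserver.runServer()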
文件: main.py 项目: EICT/C-BAS
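def main():
    """
    Entry point: load the plugins and start either the worker or the RPC server.

    ``-h``/``--help`` prints the usage and exits, ``-w``/``--worker`` runs the
    worker server; without options the RPC server is started.  Unrecognized
    options print the usage and return (status 0, unchanged from before).
    """
    # set home environment variable to something (needed for apache deployment)
    os.environ['HOME'] = config.expand_eisoil_path('~')

    # load plugins
    pm.init(config.PLUGINS_PATH)
    try:
        opts, _args = getopt.getopt(sys.argv[1:], 'hw', ['help', 'worker'])
    except getopt.GetoptError as e:
        # single-argument print() form is valid on both Python 2 and 3;
        # the bare `print` statement only compiles on Python 2
        print("Wrong arguments: " + str(e))
        print("")
        print_usage()
        return
    for option, _opt_arg in opts:
        if option in ('-h', '--help'):
            print_usage()
            sys.exit(0)
        if option in ('-w', '--worker'):
            worker = pm.getService('worker')
            worker.WorkerServer().runServer()
            sys.exit(0)

    rpcserver = pm.getService('rpcserver')
    rpcserver.runServer()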
    def _get_paths(self):
        """
        Get full file paths for JSON files to load (config.json, defaults.json, ...).

        Every path is read from a ``delegatetools.*_path`` setting of the
        ``config`` service and expanded with ``expand_eisoil_path``.

        Returns:
            dict with the keys 'CONFIG', 'DEFAULTS', 'SUPPLEMENTARY_FIELDS',
            'REGISTRY', 'AUTHZ' and 'ROLES', each holding an expanded path
        """
        config = pm.getService("config")

        def expanded(setting):
            return expand_eisoil_path(config.get(setting))

        paths = {}
        paths['CONFIG'] = expanded("delegatetools.config_path")
        paths['DEFAULTS'] = expanded("delegatetools.defaults_path")
        paths['SUPPLEMENTARY_FIELDS'] = expanded("delegatetools.supplemetary_fileds_path")
        paths['REGISTRY'] = expanded("delegatetools.service_registry_path")
        paths['AUTHZ'] = expanded("delegatetools.authz_path")  #<UT>
        paths['ROLES'] = expanded("delegatetools.roles_path")  #<UT>
        return paths

# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, PickleType, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
from sqlalchemy.sql.expression import and_, or_, not_

from eisoil.config import expand_eisoil_path

# initialize sqlalchemy
# Runs at import time: the SQLite file path comes from the 'schedule.dbpath'
# setting (eisoil-style paths are expanded) and the engine is created here.
DB_PATH = expand_eisoil_path(pm.getService('config').get('schedule.dbpath'))
DB_ENGINE = create_engine("sqlite:///%s" %
                          (DB_PATH, ))  # please see the wiki for more info
# expire_on_commit=False keeps loaded attributes readable after commit
# without a refresh query.
DB_SESSION_FACTORY = sessionmaker(autoflush=True,
                                  bind=DB_ENGINE,
                                  expire_on_commit=False)
# scoped_session hands out one session per thread (thread-local registry).
db_session = scoped_session(DB_SESSION_FACTORY)
DB_Base = declarative_base(
)  # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# NOTE(review): PickleType columns (imported above) are unpickled when rows are
# loaded, so the database file must only be writable by this service.


class ReservationRecord(DB_Base):
    """Encapsulates a record in the database."""
    __tablename__ = 'reservations'

    reservation_id = Column(Integer, primary_key=True)
文件: schedulep.py 项目: EICT/C-BAS
        return AttributeDict(result_dict)

# ----------------------------------------------------
# ------------------ database stuff ------------------
# ----------------------------------------------------
from sqlalchemy import Column, Integer, String, DateTime, PickleType, create_engine
from sqlalchemy.orm import scoped_session, sessionmaker
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.sql import exists
from sqlalchemy.sql.expression import and_, or_, not_

from eisoil.config import expand_eisoil_path

# initialize sqlalchemy
# Runs at import time: the SQLite file path comes from the 'schedule.dbpath'
# setting (eisoil-style paths are expanded) and the engine is created here.
DB_PATH = expand_eisoil_path(pm.getService('config').get('schedule.dbpath'))
DB_ENGINE = create_engine("sqlite:///%s" % (DB_PATH,)) # please see the wiki for more info
# expire_on_commit=False keeps loaded attributes readable after commit without a refresh query
DB_SESSION_FACTORY = sessionmaker(autoflush=True, bind=DB_ENGINE, expire_on_commit=False)
db_session = scoped_session(DB_SESSION_FACTORY) # one session per thread (thread-local registry)
DB_Base = declarative_base() # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# NOTE(review): PickleType columns (imported above) are unpickled when rows are
# loaded, so the database file must only be writable by this service.

class ReservationRecord(DB_Base):
    """Encapsulates a record in the database."""
    __tablename__ = 'reservations'
    
    reservation_id = Column(Integer, primary_key=True)
    
    schedule_subject = Column(String(255))
    resource_id = Column(String(255))
    
    start_time = Column(DateTime)
import os.path
from datetime import datetime

from sqlalchemy import Table, Column, MetaData, ForeignKey, PickleType, DateTime, String, Integer, Text, create_engine, select, and_, or_, not_, event
from sqlalchemy.orm import scoped_session, sessionmaker, mapper
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base

import eisoil.core.pluginmanager as pm
import eisoil.core.log

logger = eisoil.core.log.getLogger('worker')

from eisoil.config import expand_eisoil_path

# Runs at import time: the worker's SQLite file path comes from the
# 'worker.dbpath' setting (eisoil-style paths are expanded).
WORKERDB_PATH = expand_eisoil_path(
    pm.getService('config').get('worker.dbpath'))
WORKERDB_ENGINE = "sqlite:///%s" % (WORKERDB_PATH, )

# initialize sqlalchemy
# pool_recycle: connections older than 6000 s are discarded and reopened.
db_engine = create_engine(
    WORKERDB_ENGINE, pool_recycle=6000)  # please see the wiki for more info
db_session_factory = sessionmaker(
    autoflush=True, bind=db_engine, expire_on_commit=False
)  # the class which can create sessions (factory pattern)
db_session = scoped_session(
    db_session_factory
)  # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
# we could limit the session's scope (lifetime) to one request, but for this plugin it is not necessary
Base = declarative_base(
)  # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# NOTE(review): PickleType columns (imported above) are unpickled when rows are
# loaded, so the worker database file must only be writable by this service.
文件: workerdb.py 项目: EICT/C-BAS
import os.path
from datetime import datetime

from sqlalchemy import Table, Column, MetaData, ForeignKey, PickleType, DateTime, String, Integer, Text, create_engine, select, and_, or_, not_, event
from sqlalchemy.orm import scoped_session, sessionmaker, mapper
from sqlalchemy.orm.exc import MultipleResultsFound, NoResultFound
from sqlalchemy.ext.declarative import declarative_base

import eisoil.core.pluginmanager as pm
import eisoil.core.log
logger=eisoil.core.log.getLogger('worker')

from eisoil.config import expand_eisoil_path

# Runs at import time: the worker's SQLite file path comes from the
# 'worker.dbpath' setting (eisoil-style paths are expanded).
WORKERDB_PATH = expand_eisoil_path(pm.getService('config').get('worker.dbpath'))
WORKERDB_ENGINE = "sqlite:///%s" % (WORKERDB_PATH,)

# initialize sqlalchemy
# pool_recycle: connections older than 6000 s are discarded and reopened.
db_engine = create_engine(WORKERDB_ENGINE, pool_recycle=6000) # please see the wiki for more info
db_session_factory = sessionmaker(autoflush=True, bind=db_engine, expire_on_commit=False) # the class which can create sessions (factory pattern)
db_session = scoped_session(db_session_factory) # still a session creator, but it will create _one_ session per thread and delegate all method calls to it
# we could limit the session's scope (lifetime) to one request, but for this plugin it is not necessary
Base = declarative_base() # get the base class for the ORM, which includes the metadata object (collection of table descriptions)
# NOTE(review): PickleType columns (imported above) are unpickled when rows are
# loaded, so the worker database file must only be writable by this service.

class JobDBEntry(Base):
    __tablename__ = 'worker_jobs'
    id = Column(Integer, primary_key=True)
    service_name = Column(String)
    callable_attr_str = Column(String)
    params = Column(PickleType)
    recurring_interval = Column(Integer)
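    def auth(self, client_cert, credentials, slice_urn=None, privileges=()):
        """
        This method authenticates and authorizes.
        It returns the client's urn, uuid, email (extracted from the {client_cert}). Example call: "urn, uuid, email = self.auth(...)"
        Be aware, the email is not required in the certificate, hence it might be empty.
        If the validation fails, a GENIv3ForbiddenError is thrown.

        The credentials are checked so the user has all the required privileges (success if any credential fits all privileges).
        The client certificate is not checked: this is usually done via the webserver configuration.
        This method only treats credentials of type 'geni_sfa'.

        Args:
            client_cert: the client's certificate string, or None if the web server did not supply one
            credentials: iterable of dicts with 'geni_type' and 'geni_value' keys
            slice_urn: slice the credentials must apply to (optional)
            privileges: tuple of privilege names every accepted credential must grant

        Returns:
            (urn, uuid, email) of the client as read from the certificate

        Raises:
            TypeError: if ``privileges`` is not a tuple
            GENIv3ForbiddenError: if no client certificate is available or the credential verification fails

        Here a list of possible privileges (format: right_in_credential: [privilege1, privilege2, ...]):
            "authority" : ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
            "refresh"   : ["remove", "update"],
            "resolve"   : ["resolve", "list", "getcredential"],
            "sa"        : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
                           "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
                            "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
            "embed"     : ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
                           "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
            "bind"      : ["getticket", "loanresources", "redeemticket"],
            "control"   : ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
                           "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
            "info"      : ["listslices", "listnodes", "getpolicy"],
            "ma"        : ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
            "operator"  : ["gettrustedcerts", "getgids"],
            "*"         : ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]

        When using the gcf clearinghouse implementation the credentials will have the rights:
        - user: "******", "resolve", "info" (which resolves to the privileges: "remove", "update", "resolve", "list", "getcredential", "listslices", "listnodes", "getpolicy").
        - slice: "refresh", "embed", "bind", "control", "info" (well, do the resolving yourself...)
        """
        # check variables
        if not isinstance(privileges, tuple):
            raise TypeError("Privileges need to be a tuple.")
        # Fail fast before touching the config service; `is None` rather than
        # `== None` (identity test, not an overridable equality).
        if client_cert is None:
            raise GENIv3ForbiddenError(
                "Could not determine the client SSL certificate")
        # collect credentials (only GENI certs, version ignored)
        geni_credentials = [c['geni_value'] for c in credentials if c['geni_type'] == 'geni_sfa']

        # get the cert_root
        config = pm.getService("config")
        cert_root = expand_eisoil_path(config.get("geniv3rpc.cert_root"))

        # test the credential; any verifier error is reported as forbidden
        try:
            cred_verifier = ext.geni.CredentialVerifier(cert_root)
            cred_verifier.verify_from_strings(client_cert, geni_credentials,
                                              slice_urn, privileges)
        except Exception as e:
            raise GENIv3ForbiddenError(str(e))

        user_gid = gid.GID(string=client_cert)
        user_urn = user_gid.get_urn()
        user_uuid = user_gid.get_uuid()
        user_email = user_gid.get_email()
        return user_urn, user_uuid, user_email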