def verify(self, gid, credentials, target_urn, privileges):
    '''Verify that the given Source GID supplied at least one credential
    in the given list of credentials that has all the privileges required
    in the privileges list on the given target.
    IE if any of the supplied credentials has a caller that matches gid
    and a target that matches target_urn, and has all the privileges in
    the given list, then return the list of credentials that were ok.
    Throw an Exception if we fail to verify any credential.

    Args:
        gid: GID of the caller presenting the credentials; compared
            against each credential's caller by self.verify_source.
        credentials: list of credential objects to try, treated as
            alternatives (any one that passes is enough).
        target_urn: URN the caller wants to act on; compared against
            each credential's object by self.verify_target.
        privileges: list of privileges that a credential must all carry
            (checked by self.verify_privileges).

    Each credential must pass four checks in order -- source, target,
    privileges, then signature/chain validation against
    self.root_cert_files -- before it is added to result. The failure
    string always describes the first check the most recent credential
    failed.
    '''
    # Note that here we treat a list of credentials as being options
    # Alternatively could accumulate privileges for example
    # The semantics of the list of credentials is under specified.
    self.logger.debug('Verifying privileges')
    result = list()
    # Last failure reason seen; only the latest credential's reason survives.
    failure = ""
    # Comma-separated caller URNs of every credential tried, for diagnostics.
    tried_creds = ""
    for cred in credentials:
        if tried_creds != "":
            tried_creds = "%s, %s" % (tried_creds, cred.get_gid_caller().get_urn())
        else:
            tried_creds = cred.get_gid_caller().get_urn()
        # Bind the credential to the presenting principal before anything else.
        if not self.verify_source(gid, cred):
            failure = "Cred %s fails: Source URNs dont match" % cred.get_gid_caller().get_urn()
            continue
        if not self.verify_target(target_urn, cred):
            failure = "Cred %s on %s fails: Target URNs dont match" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
            continue
        if not self.verify_privileges(privileges, cred):
            failure = "Cert %s doesn't have sufficient privileges" % cred.get_gid_caller().get_urn()
            continue
        # NOTE(review): bare Python 2 print emits an empty line on stdout for every
        # credential that reaches the signature check -- looks like a debugging leftover.
        print
        # Cryptographic validation is done last, so the cheap URN/privilege
        # mismatches above are reported before any signature work.
        try:
            if not cred.verify(self.root_cert_files):
                failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                continue
        except Exception, exc:
            # Any error raised during chain validation is treated as a failed
            # check (fail closed): the credential is logged and not accepted.
            failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
            self.logger.info(failure)
            continue
        # If got here it verified
        result.append(cred)
    # NOTE(review): the docstring promises to raise when no credential verified
    # and to return result; neither is visible in this excerpt, and failure /
    # tried_creds are only accumulated here -- confirm the method's tail.
def verify(self, gid, credentials, target_urn, privileges):
    '''Verify that the given Source GID supplied at least one credential
    in the given list of credentials that has all the privileges required
    in the privileges list on the given target.
    IE if any of the supplied credentials has a caller that matches gid
    and a target that matches target_urn, and has all the privileges in
    the given list, then return the list of credentials that were ok.
    Throw an Exception if we fail to verify any credential.

    Args:
        gid: GID of the caller presenting the credentials.
            NOTE(review): not consulted anywhere in this body because the
            verify_source check is commented out below.
        credentials: list of credential objects (or None for ones that
            failed to parse), treated as alternatives.
        target_urn: URN the caller wants to act on; compared against each
            credential's object by self.verify_target.
        privileges: list of privileges a credential must all carry
            (checked by self.verify_privileges).

    Only SFA-type credentials are accepted; ABAC credentials are summarised
    in the diagnostic string and then rejected. An accepted credential must
    pass target, privilege and signature/chain checks (against
    self.root_cert_files) in that order.
    '''
    # Note that here we treat a list of credentials as being options
    # Alternatively could accumulate privileges for example
    # The semantics of the list of credentials is under specified.
    result = list()
    # Last failure reason seen; only the latest credential's reason survives.
    failure = ""
    # Human-readable summary of every credential tried, for diagnostics.
    tried_creds = ""
    if len(credentials) == 0:
        failure = "No credentials found"
    for cred in credentials:
        if cred is None:
            failure = "Credential was unparseable"
            continue
        # Build a short description of this credential for tried_creds;
        # the ABAC branch only exists so the summary is readable -- ABAC
        # credentials are rejected a few lines below.
        if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
            cS = cred.get_gid_caller().get_urn()
        elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
            cS = cred.get_summary_tostring()
        else:
            cS = "Unknown credential type %s" % cred.get_cred_type()
        if tried_creds != "":
            tried_creds = "%s, %s" % (tried_creds, cS)
        else:
            tried_creds = cS
        if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
            failure = "Not an SFA credential: " + cS
            continue
        # NOTE(review): with verify_source disabled, nothing in this body binds the
        # credential's caller to the requester (gid). A valid credential issued to a
        # different principal for the same target and privileges passes here --
        # confirm the caller/credential binding is enforced elsewhere (e.g. at the
        # transport or authentication layer) before relying on this method.
        #if not self.verify_source(gid, cred):
        #    failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
        #    continue
        if not self.verify_target(target_urn, cred):
            failure = "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
            continue
        if not self.verify_privileges(privileges, cred):
            failure = "Cred for %s over %s doesn't provide sufficient privileges" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
            continue
        # Cryptographic validation is done last, after the cheap URN and
        # privilege checks.
        try:
            if not cred.verify(self.root_cert_files):
                failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                continue
        except Exception, exc:
            # Any error during chain validation counts as a failed check
            # (fail closed); unlike the earlier revision nothing is logged here.
            failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
            continue
        # If got here it verified
        result.append(cred)
    # NOTE(review): the docstring promises to raise when no credential verified
    # and to return result; neither is visible in this excerpt, and failure /
    # tried_creds are only accumulated here -- confirm the method's tail.
def verify(self, gid, credentials, target_urn, privileges):
    '''Verify that the given Source GID supplied at least one credential
    in the given list of credentials that has all the privileges required
    in the privileges list on the given target.
    IE if any of the supplied credentials has a caller that matches gid
    and a target that matches target_urn, and has all the privileges in
    the given list, then return the list of credentials that were ok.
    Throw an Exception if we fail to verify any credential.

    Args:
        gid: GID of the caller presenting the credentials.
            NOTE(review): not consulted anywhere in this body because the
            verify_source check is commented out below.
        credentials: list of credential objects (or None for ones that
            failed to parse), treated as alternatives.
        target_urn: URN the caller wants to act on; compared against each
            credential's object by self.verify_target.
        privileges: list of privileges a credential must all carry
            (checked by self.verify_privileges).

    Only SFA-type credentials are accepted; ABAC credentials are summarised
    in the diagnostic string and then rejected. An accepted credential must
    pass target, privilege and signature/chain checks (against
    self.root_cert_files) in that order.
    '''
    # Note that here we treat a list of credentials as being options
    # Alternatively could accumulate privileges for example
    # The semantics of the list of credentials is under specified.
    result = list()
    # Last failure reason seen; only the latest credential's reason survives.
    failure = ""
    # Human-readable summary of every credential tried, for diagnostics.
    tried_creds = ""
    if len(credentials) == 0:
        failure = "No credentials found"
    for cred in credentials:
        if cred is None:
            failure = "Credential was unparseable"
            continue
        # Build a short description of this credential for tried_creds;
        # the ABAC branch only exists so the summary is readable -- ABAC
        # credentials are rejected a few lines below.
        if cred.get_cred_type() == cred.SFA_CREDENTIAL_TYPE:
            cS = cred.get_gid_caller().get_urn()
        elif cred.get_cred_type() == ABACCredential.ABAC_CREDENTIAL_TYPE:
            cS = cred.get_summary_tostring()
        else:
            cS = "Unknown credential type %s" % cred.get_cred_type()
        if tried_creds != "":
            tried_creds = "%s, %s" % (tried_creds, cS)
        else:
            tried_creds = cS
        if cred.get_cred_type() != cred.SFA_CREDENTIAL_TYPE:
            failure = "Not an SFA credential: " + cS
            continue
        # NOTE(review): with verify_source disabled, nothing in this body binds the
        # credential's caller to the requester (gid). A valid credential issued to a
        # different principal for the same target and privileges passes here --
        # confirm the caller/credential binding is enforced elsewhere (e.g. at the
        # transport or authentication layer) before relying on this method.
        # if not self.verify_source(gid, cred):
        #     failure = "Cred %s fails: Credential doesn't grant rights to you (%s), but to %s (over object %s)" % (cred.get_gid_caller().get_urn(), gid.get_urn(), cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
        #     continue
        if not self.verify_target(target_urn, cred):
            failure = "Cred granting rights to %s on %s fails: It grants permissions over a different target, not %s (URNs dont match)" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), target_urn)
            continue
        if not self.verify_privileges(privileges, cred):
            failure = "Cred for %s over %s doesn't provide sufficient privileges" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn())
            continue
        # Cryptographic validation is done last, after the cheap URN and
        # privilege checks.
        try:
            if not cred.verify(self.root_cert_files):
                failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files))
                continue
        except Exception, exc:
            # Any error during chain validation counts as a failed check
            # (fail closed); the reason is kept in failure but not logged here.
            failure = "Couldn't validate credential for caller %s with target %s with any of %d known root certs: %s: %s" % (cred.get_gid_caller().get_urn(), cred.get_gid_object().get_urn(), len(self.root_cert_files), exc.__class__.__name__, exc)
            continue
        # If got here it verified
        result.append(cred)
    # NOTE(review): the docstring promises to raise when no credential verified
    # and to return result; neither is visible in this excerpt, and failure /
    # tried_creds are only accumulated here -- confirm the method's tail.