def test_gapi_duplicate_slice_name(self):
"""Check that a slice with different urn but same name raises DuplicateSliceNameException."""
resv_rspec = self.test_gapi_CreateSliver()
# get new credentials with new urn
self.slice_cred = clearinghouse.CreateSlice(
self.user_cert.save_to_string())
self.slice_gid = credential.Credential(
string=self.slice_cred).get_gid_object()
# same slice different urn with same project name
try:
self.rpc.CreateSliver(
self.slice_gid.get_urn(),
[self.slice_cred],
resv_rspec,
{},
)
except xmlrpclib.Fault as e:
self.assertEqual(e.faultCode, "Duplicate slice name.")
else:
self.fail("Did not generate expected fault.")
# same slice different urn with different project name
root = et.fromstring(resv_rspec)
# change the project name
elem = root.find(".//project")
elem.set("name", "new proj name")
resv_rspec = et.tostring(root)
try:
self.rpc.CreateSliver(
self.slice_gid.get_urn(),
[self.slice_cred],
resv_rspec,
{},
)
except xmlrpclib.Fault as e:
self.assertEqual(e.faultCode, "Duplicate slice name.")
else:
self.fail("Did not generate expected fault.")
def create_credential(caller_gid, object_gid, life_secs, typename,
issuer_keyfile, issuer_certfile, trusted_roots):
'''Create and Return a Credential object issued by given key/cert for the given caller
and object GID objects, given life in seconds, and given type.
Privileges are determined by type per sfa/trust/rights.py'''
# FIXME: Validate args: my gids, >0 life,
# type of cred one I can issue
# and readable key and cert files
if caller_gid is None:
raise ValueError("Missing Caller GID")
if object_gid is None:
raise ValueError("Missing Object GID")
if life_secs is None or life_secs < 1:
raise ValueError("Credential life in seconds was 0")
if trusted_roots is None:
raise ValueError("Missing list of trusted roots")
if typename is None or typename.strip() == '':
raise ValueError("Missing credential type")
typename = typename.strip().lower()
if typename not in ("user", "sa", "ma", "authority", "slice", "component"):
raise ValueError("Unknown credential type %s" % typename)
if not os.path.isfile(issuer_keyfile):
raise ValueError("Cant read issuer key file %s" % issuer_keyfile)
if not os.path.isfile(issuer_certfile):
raise ValueError("Cant read issuer cert file %s" % issuer_certfile)
issuer_gid = gid.GID(filename=issuer_certfile)
if not (object_gid.get_urn() == issuer_gid.get_urn() or
(issuer_gid.get_type() == 'authority'
and object_gid.get_urn().split('+')[1].startswith(
issuer_gid.get_urn().split('+')[1]))):
raise ValueError(
"Issuer not authorized to issue credential: Issuer=%s Target=%s" %
(issuer_gid.get_urn(), object_gid.get_urn()))
ucred = cred.Credential()
# FIXME: Validate the caller_gid and object_gid
# are my user and slice
# Do get_issuer and compare to the issuer cert?
# Or do gid.is_signed_by_cert(issuer_certfile)?
ucred.set_gid_caller(caller_gid)
ucred.set_gid_object(object_gid)
ucred.set_lifetime(life_secs)
# Use sfa/trust/rights.py to figure out what privileges
# the credential should have.
# user means refresh, resolve, info
# per the privilege_table that lets users do
# remove, update, resolve, list, getcredential,
# listslices, listnodes, getpolicy
# Note that it does not allow manipulating slivers
privileges = rights.determine_rights(typename, None)
ucred.set_privileges(privileges)
ucred.encode()
ucred.set_issuer_keys(issuer_keyfile, issuer_certfile)
ucred.sign()
try:
ucred.verify(trusted_roots)
except Exception, exc:
raise Exception(
"Create Credential failed to verify new credential from trusted roots: %s"
% exc)
def make_cred(cred_string):
return cred.Credential(string=cred_string)
def setUp(self):
"""
Update settings, create DummyOMs and test models and login.
"""
# add the test application
self.settings_manager.set(
OPENFLOW_OTHER_RESOURCES=(("expedient.clearinghouse.resources",
"Resource"), ),
DEBUG_PROPAGATE_EXCEPTIONS=True,
)
self.su = User.objects.create_superuser("superuser", "*****@*****.**",
"password")
self.test_user_password = "******"
self.test_user = User.objects.create_user("test_user", "*****@*****.**",
self.test_user_password)
give_permission_to("can_add_aggregate", Aggregate, self.test_user)
give_permission_to("can_create_project", Project, self.test_user)
for i in range(NUM_DUMMY_OMS):
om = DummyOM.objects.create()
om.populate_links(NUM_SWITCHES_PER_AGG, NUM_LINKS_PER_AGG / 2)
username = "******" % i
password = "******"
u = User.objects.create_user(username, "*****@*****.**", password)
# Add the aggregate to the CH
url = SCHEME + "://%s/dummyom/%s/xmlrpc/" % (HOST, om.id)
proxy = PasswordXMLRPCServerProxy.objects.create(
username=username,
password=password,
url=url,
verify_certs=False,
)
# test availability
if not proxy.is_available():
raise Exception("Problem: Proxy not available")
proxy.delete()
# create user cert/keys
self.user_urn = get_user_urn(self.test_user.username)
self.user_cert, self.user_key = create_x509_cert(self.user_urn)
# get slice creds
self.slice_cred = clearinghouse.CreateSlice(
self.user_cert.save_to_string())
self.slice_gid = credential.Credential(
string=self.slice_cred).get_gid_object()
# xmlrpc client
self.rpc = xmlrpclib.ServerProxy(
"http://testserver" + reverse("openflow_gapi"),
transport=TestClientTransport(defaults={
"REMOTE_USER":
self.user_cert.save_to_string(),
"SSL_CLIENT_CERT":
self.user_cert.save_to_string(),
}, ),
)
def create_credential(caller_gid,
object_gid,
expiration,
typename,
issuer_keyfile,
issuer_certfile,
trusted_roots,
delegatable=False):
'''Create and Return a Credential object issued by given key/cert for the given caller
and object GID objects, given life in seconds, and given type.
Privileges are determined by type per sfa/trust/rights.py
Privileges are delegatable if requested.'''
# FIXME: Validate args: my gids, >0 life,
# type of cred one I can issue
# and readable key and cert files
if caller_gid is None:
raise ValueError("Missing Caller GID")
if object_gid is None:
raise ValueError("Missing Object GID")
if expiration is None:
raise ValueError("Missing expiration")
naive_expiration = naiveUTC(expiration)
duration = naive_expiration - datetime.datetime.utcnow()
life_secs = duration.seconds + duration.days * 24 * 3600
if life_secs < 1:
raise ValueError("Credential expiration is in the past")
if trusted_roots is None:
raise ValueError("Missing list of trusted roots")
if typename is None or typename.strip() == '':
raise ValueError("Missing credential type")
typename = typename.strip().lower()
if typename not in ("user", "sa", "ma", "authority", "slice", "component"):
raise ValueError("Unknown credential type %s" % typename)
if not os.path.isfile(issuer_keyfile):
raise ValueError("Cant read issuer key file %s" % issuer_keyfile)
if not os.path.isfile(issuer_certfile):
raise ValueError("Cant read issuer cert file %s" % issuer_certfile)
issuer_gid = gid.GID(filename=issuer_certfile)
if not (object_gid.get_urn() == issuer_gid.get_urn() or
(issuer_gid.get_type().find('authority') == 0
and hrn_authfor_hrn(issuer_gid.get_hrn(), object_gid.get_hrn()))):
raise ValueError(
"Issuer not authorized to issue credential: Issuer=%s Target=%s" %
(issuer_gid.get_urn(), object_gid.get_urn()))
ucred = cred.Credential()
# FIXME: Validate the caller_gid and object_gid
# are my user and slice
# Do get_issuer and compare to the issuer cert?
# Or do gid.is_signed_by_cert(issuer_certfile)?
ucred.set_gid_caller(caller_gid)
ucred.set_gid_object(object_gid)
ucred.set_expiration(expiration)
# Use sfa/trust/rights.py to figure out what privileges
# the credential should have.
# user means refresh, resolve, info
# per the privilege_table that lets users do
# remove, update, resolve, list, getcredential,
# listslices, listnodes, getpolicy
# Note that it does not allow manipulating slivers
# And every right is delegatable if any are delegatable (default False)
privileges = rights.determine_rights(typename, None)
privileges.delegate_all_privileges(delegatable)
ucred.set_privileges(privileges)
ucred.encode()
ucred.set_issuer_keys(issuer_keyfile, issuer_certfile)
ucred.sign()
try:
ucred.verify(trusted_roots)
except Exception, exc:
raise Exception(
"Create Credential failed to verify new credential from trusted roots: %s"
% exc)