def delegate_cred(self, object_cred, hrn, type='authority'): # the gid and hrn of the object we are delegating if isinstance(object_cred, str): # XXX Yes here we give a string... object_cred = Credential(string=object_cred) object_gid = object_cred.get_gid_object() object_hrn = object_gid.get_hrn() if not object_cred.get_privileges().get_all_delegate(): self.logger.error( "Object credential %s does not have delegate bit set" % object_hrn) return # the delegating user's gid # XXX done in bootstrap caller_gidfile = self.my_gid # already a string # XXX ERROR tell thierry # the gid of the user who will be delegated to delegee_gid = self.bootstrap.gid( hrn, 'user') # XXX bootstrap ERROR tell thierry delegee_hrn = GID(delegee_gid).get_hrn() # XXX pkey done in bootstrap dcred = object_cred.delegate(delegee_gid, self.private_key, caller_gidfile) return dcred.save_to_string(save_parents=True)
def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'): """ sign a delegation credential to someone else original_credential : typically one's user- or slice- credential to be delegated to s/b else to_hrn : the hrn of the person that will be allowed to do stuff on our behalf to_type : goes with to_hrn, usually 'user' or 'authority' returns a string with the delegated credential this internally uses self.my_gid() it also retrieves the gid for to_hrn/to_type and uses Credential.delegate()""" # the gid and hrn of the object we are delegating if isinstance (original_credential, str): original_credential = Credential (string=original_credential) original_gid = original_credential.get_gid_object() original_hrn = original_gid.get_hrn() if not original_credential.get_privileges().get_all_delegate(): self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn) return # the delegating user's gid my_gid = self.my_gid() # retrieve the GID for the entity that we're delegating to to_gidfile = self.gid (to_hrn,to_type) # to_gid = GID ( to_gidfile ) # to_hrn = delegee_gid.get_hrn() # print 'to_hrn',to_hrn delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid) return delegated_credential.save_to_string(save_parents=True)
def delegate_cred(self, object_cred, hrn): # the gid and hrn of the object we are delegating if isinstance(object_cred, str): object_cred = Credential(string=object_cred) object_gid = object_cred.get_gid_object() object_hrn = object_gid.get_hrn() if not object_cred.get_privileges().get_all_delegate(): self.logger.error("Object credential %s does not have delegate bit set"%object_hrn) return # the delegating user's gid caller_gid = self._get_gid(self.user) caller_gidfile = os.path.join(self.options.sfi_dir, self.user + ".gid") # the gid of the user who will be delegated to delegee_gid = self._get_gid(hrn) delegee_hrn = delegee_gid.get_hrn() delegee_gidfile = os.path.join(self.options.sfi_dir, delegee_hrn + ".gid") delegee_gid.save_to_file(filename=delegee_gidfile) dcred = object_cred.delegate(delegee_gidfile, self.get_key_file(), caller_gidfile) return dcred.save_to_string(save_parents=True)
def delegate_credential_string(self, original_credential, to_hrn, to_type='authority'): """ sign a delegation credential to someone else original_credential : typically one's user- or slice- credential to be delegated to s/b else to_hrn : the hrn of the person that will be allowed to do stuff on our behalf to_type : goes with to_hrn, usually 'user' or 'authority' returns a string with the delegated credential this internally uses self.my_gid() it also retrieves the gid for to_hrn/to_type and uses Credential.delegate()""" # the gid and hrn of the object we are delegating if isinstance(original_credential, str): original_credential = Credential(string=original_credential) original_gid = original_credential.get_gid_object() original_hrn = original_gid.get_hrn() if not original_credential.get_privileges().get_all_delegate(): #self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn) return # the delegating user's gid my_gid = self.my_gid() # retrieve the GID for the entity that we're delegating to to_gidfile = self.gid(to_hrn, to_type) # to_gid = GID ( to_gidfile ) # to_hrn = delegee_gid.get_hrn() # print 'to_hrn',to_hrn delegated_credential = original_credential.delegate( to_gidfile, self.private_key(), my_gid) return delegated_credential.save_to_string(save_parents=True)
def delegate(self, opts, args): delegee_hrn = args[0] if opts.delegate_user: user_cred = self.get_user_cred() cred = self.delegate_cred(user_cred, delegee_hrn) elif opts.delegate_slice: slice_cred = self.get_slice_cred(opts.delegate_slice) cred = self.delegate_cred(slice_cred, delegee_hrn) else: self.logger.warning("Must specify either --user or --slice <hrn>") return delegated_cred = Credential(string=cred) object_hrn = delegated_cred.get_gid_object().get_hrn() if opts.delegate_user: dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_" + get_leaf(object_hrn) + ".cred") elif opts.delegate_slice: dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_slice_" + get_leaf(object_hrn) + ".cred") delegated_cred.save_to_file(dest_fn, save_parents=True) self.logger.info("delegated credential for %s to %s and wrote to %s"%(object_hrn, delegee_hrn,dest_fn))
def process_params(params, filters, user): # PARAMS # added by Loic, based on the process_filters functions user_params = params.get('user') if user_params: del params['user'] #print "user_params=",user_params ret = db.query(User.user_id) ret = ret.filter(User.email == user_params) ret = ret.one() params['user_id'] = ret[0] platform_params = params.get('platform') if platform_params: del params['platform'] #print "platform_params=", platform_params ret = db.query(Platform.platform_id) ret = ret.filter(Platform.platform == platform_params) ret = ret.one() params['platform_id'] = ret[0] # JSON ENCODED FIELDS are constructed into the json_fields variable given = set(params.keys()) accepted = set([c.name for c in Account.__table__.columns]) given_json_fields = given - accepted if given_json_fields: if 'config' in given_json_fields: raise Exception, "Cannot mix full JSON specification & JSON encoded fields" r = db.query(Account.config) for filter in filters: r = r.filter(filter) if user: r = r.filter(Account.user_id == user['user_id']) #r = r.filter(filters) #Account.platform_id == platform_id) r = r.one() try: json_fields = json.loads(r.config) except Exception, e: json_fields = {} # We First look at convenience fields for field in given_json_fields: if field == 'credential': # We'll determine the type of credential # XXX NOTE This is SFA specific... it should be hooked by gateways # @loic modified according to the SFA Gateway, to handle delegation # XXX TODO need to be improved... c = Credential(string=params[field]) c_type = c.get_gid_object().get_type() if c_type == 'user': new_field = 'delegated_%s_credential' % c_type json_fields[new_field] = params[field] else: cred_name = 'delegated_%s_credentials' % c_type if not cred_name in json_fields: json_fields[cred_name] = {} c_target = c.get_gid_object().get_hrn() json_fields[cred_name][c_target] = params[field] else: json_fields[field] = params[field] del params[field] params['config'] = json.dumps(json_fields)
class Auth: """ Credential based authentication """ def __init__(self, peer_cert = None, config = None ): self.peer_cert = peer_cert self.hierarchy = Hierarchy() if not config: self.config = Config() self.load_trusted_certs() def load_trusted_certs(self): self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() def checkCredentials(self, creds, operation, hrn = None): valid = [] if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: cred_obj=Credential(string=cred) logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) return valid def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) # validate the client cert if it exists if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (target_hrn, hrn) ) return True def check_ticket(self, ticket): """ Check if the tickt was signed by a trusted cert """ if self.trusted_cert_list: client_ticket = SfaTicket(string=ticket) client_ticket.verify_chain(self.trusted_cert_list) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) return True def verifyPeerCert(self, cert, gid): # make sure the client_gid matches client's certificate if not cert.is_pubkey(gid.get_pubkey()): raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject()) def verifyGidRequestHash(self, gid, hash, arglist): key = gid.get_pubkey() if not key.verify_string(str(arglist), hash): raise BadRequestHash(hash) def verifyCredRequestHash(self, cred, hash, arglist): gid = cred.get_gid_caller() self.verifyGidRequestHash(gid, hash, arglist) def validateGid(self, gid): if self.trusted_cert_list: gid.verify_chain(self.trusted_cert_list) def validateCred(self, cred): if self.trusted_cert_list: cred.verify(self.trusted_cert_file_list) def authenticateGid(self, gidStr, argList, requestHash=None): gid = GID(string = gidStr) self.validateGid(gid) # request_hash is optional if requestHash: self.verifyGidRequestHash(gid, requestHash, argList) return gid def authenticateCred(self, credStr, argList, requestHash=None): cred = Credential(string = credStr) self.validateCred(cred) # request hash is optional if requestHash: self.verifyCredRequestHash(cred, requestHash, argList) return cred def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) # xxx should be validateCred ?? self.validateCred(cert) def gidNoop(self, gidStr, value, requestHash): self.authenticateGid(gidStr, [gidStr, value], requestHash) return value def credNoop(self, credStr, value, requestHash): self.authenticateCred(credStr, [credStr, value], requestHash) return value def verify_cred_is_me(self, credential): is_me = False cred = Credential(string=credential) caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return def get_auth_info(self, auth_hrn): """ Given an authority name, return the information for that authority. This is basically a stub that calls the hierarchy module. @param auth_hrn human readable name of authority """ return self.hierarchy.get_auth_info(auth_hrn) def veriry_auth_belongs_to_me(self, name): """ Verify that an authority belongs to our hierarchy. This is basically left up to the implementation of the hierarchy module. If the specified name does not belong, ane exception is thrown indicating the caller should contact someone else. @param auth_name human readable name of authority """ # get auth info will throw an exception if the authority doesnt exist self.get_auth_info(name) def verify_object_belongs_to_me(self, name): """ Verify that an object belongs to our hierarchy. By extension, this implies that the authority that owns the object belongs to our hierarchy. If it does not an exception is thrown. @param name human readable name of object """ auth_name = self.get_authority(name) if not auth_name: auth_name = name if name == self.config.SFA_INTERFACE_HRN: return self.verify_auth_belongs_to_me(auth_name) def verify_auth_belongs_to_me(self, name): # get auth info will throw an exception if the authority doesnt exist self.get_auth_info(name) def verify_object_permission(self, name): """ Verify that the object gid that was specified in the credential allows permission to the object 'name'. This is done by a simple prefix test. For example, an object_gid for plc.arizona would match the objects plc.arizona.slice1 and plc.arizona. @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() if object_hrn == name: return if name.startswith(object_hrn + "."): return #if name.startswith(get_authority(name)): #return raise PermissionError(name) def determine_user_rights(self, caller_hrn, reg_record): """ Given a user credential and a record, determine what set of rights the user should have to that record. This is intended to replace determine_user_rights() and verify_cancreate_credential() """ rl = Rights() type = reg_record.type logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) if type == 'slice': # researchers in the slice are in the DB as-is researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] # locating PIs attached to that slice slice_pis=reg_record.get_pis() pi_hrns = [ user.hrn for user in slice_pis ] if (caller_hrn in researcher_hrns + pi_hrns): rl.add('refresh') rl.add('embed') rl.add('bind') rl.add('control') rl.add('info') elif type == 'authority': pi_hrns = [ user.hrn for user in reg_record.reg_pis ] if (caller_hrn == self.config.SFA_INTERFACE_HRN): rl.add('authority') rl.add('sa') rl.add('ma') if (caller_hrn in pi_hrns): rl.add('authority') rl.add('sa') # NOTE: for the PL implementation, this 'operators' list # amounted to users with 'tech' role in that site # it seems like this is not needed any longer, so for now I just drop that # operator_hrns = reg_record.get('operator',[]) # if (caller_hrn in operator_hrns): # rl.add('authority') # rl.add('ma') elif type == 'user': rl.add('refresh') rl.add('resolve') rl.add('info') elif type == 'node': rl.add('operator') return rl def get_authority(self, hrn): return get_authority(hrn) def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] creds = [] if not isinstance(caller_hrn_list, list): caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds
def account_process(request): from sfa.trust.credential import Credential from sfa.trust.certificate import Keypair user_query = Query().get('local:user').select('user_id','email','password','config') user_details = execute_query(request, user_query) account_query = Query().get('local:account').select('user_id','platform_id','auth_type','config') account_details = execute_query(request, account_query) platform_query = Query().get('local:platform').select('platform_id','platform') platform_details = execute_query(request, platform_query) # getting the user_id from the session for user_detail in user_details: user_id = user_detail['user_id'] user_email = user_detail['email'] try: if user_email == request.user.email: authorize_query = True else: logger.error("SECURITY: {} tried to update {}".format(user_email, request.user.email)) messages.error(request, 'You are not authorized to modify another user.') return HttpResponseRedirect("/portal/account/") except Exception as e: logger.error("exception in account_process {}".format(e)) for account_detail in account_details: for platform_detail in platform_details: # Add reference account to the platforms if 'add_'+platform_detail['platform'] in request.POST\ or request.POST['button_value'] == 'add_'+platform_detail['platform']: platform_id = platform_detail['platform_id'] user_params = {'platform_id': platform_id, 'user_id': user_id, 'auth_type': "reference", 'config': '{"reference_platform": "myslice"}'} manifold_add_account(request,user_params) messages.info(request, 'Reference Account is added to the selected platform successfully!') return HttpResponseRedirect("/portal/account/") # Delete reference account from the platforms if 'delete_'+platform_detail['platform'] in request.POST\ or request.POST['button_value'] == 'delete_'+platform_detail['platform']: platform_id = platform_detail['platform_id'] user_params = {'user_id':user_id} manifold_delete_account(request,platform_id, user_id, user_params) messages.info(request, 'Reference Account is removed from the selected platform') return HttpResponseRedirect("/portal/account/") if platform_detail['platform_id'] == account_detail['platform_id']: if 'myslice' in platform_detail['platform']: account_config = json.loads(account_detail['config']) acc_slice_cred = account_config.get('delegated_slice_credentials','N/A') acc_auth_cred = account_config.get('delegated_authority_credentials','N/A') # adding the slices and corresponding credentials to list if 'N/A' not in acc_slice_cred: slice_list = [] slice_cred = [] for key, value in acc_slice_cred.iteritems(): slice_list.append(key) slice_cred.append(value) # special case: download each slice credentials separately for i in range(0, len(slice_list)): if 'dl_'+slice_list[i] in request.POST or request.POST['button_value'] == 'dl_'+slice_list[i]: slice_detail = "Slice name: " + slice_list[i] +"\nSlice Credentials: \n"+ slice_cred[i] response = HttpResponse(slice_detail, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="slice_credential.txt"' return response # adding the authority and corresponding credentials to list if 'N/A' not in acc_auth_cred: auth_list = [] auth_cred = [] for key, value in acc_auth_cred.iteritems(): auth_list.append(key) auth_cred.append(value) # special case: download each slice credentials separately for i in range(0, len(auth_list)): if 'dl_'+auth_list[i] in request.POST or request.POST['button_value'] == 'dl_'+auth_list[i]: auth_detail = "Authority: " + auth_list[i] +"\nAuthority Credentials: \n"+ auth_cred[i] response = HttpResponse(auth_detail, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="auth_credential.txt"' return response account_detail = get_myslice_account(request) if 'submit_name' in request.POST: edited_first_name = request.POST['fname'] edited_last_name = request.POST['lname'] config={} for user_config in user_details: if user_config['config']: config = json.loads(user_config['config']) config['firstname'] = edited_first_name config['lastname'] = edited_last_name config['authority'] = config.get('authority','Unknown Authority') updated_config = json.dumps(config) user_params = {'config': updated_config} else: # it's needed if the config is empty user_config['config'] = '{{"firstname":"{}", "lastname":"{}", "authority": "Unknown Authority"}}'\ .format(edited_first_name, edited_last_name) user_params = {'config': user_config['config']} # updating config local:user in manifold manifold_update_user(request, request.user.email,user_params) # this will be depricated, we will show the success msg in same page # Redirect to same page with success message messages.success(request, 'Sucess: First Name and Last Name Updated.') return HttpResponseRedirect("/portal/account/") elif 'submit_pass' in request.POST: edited_password = request.POST['password'] for user_pass in user_details: user_pass['password'] = edited_password #updating password in local:user user_params = { 'password' : user_pass['password']} manifold_update_user(request, request.user.email, user_params) # return HttpResponse('Success: Password Changed!!') messages.success(request, 'Success: Password Updated.') return HttpResponseRedirect("/portal/account/") # XXX TODO: Factorize with portal/registrationview.py # XXX TODO: Factorize with portal/registrationview.py # XXX TODO: Factorize with portal/joinview.py elif 'generate' in request.POST: try: private = RSA.generate(1024) private_key = json.dumps(private.exportKey()) public = private.publickey() public_key = json.dumps(public.exportKey(format='OpenSSH')) # updating manifold local:account table account_config = json.loads(account_detail['config']) # preserving user_hrn user_hrn = account_config.get('user_hrn','N/A') keypair = '{"user_public_key":'+ public_key + ', "user_private_key":'+ private_key + ', "user_hrn":"'+ user_hrn + '"}' #updated_config = json.dumps(account_config) # updating manifold #user_params = { 'config': keypair, 'auth_type':'managed'} #manifold_update_account(request, user_id, user_params) # updating sfa public_key = public_key.replace('"', ''); user_pub_key = {'keys': public_key} sfa_update_user(request, user_hrn, user_pub_key) result_sfa_user = sfa_get_user(request, user_hrn, public_key) try: if 'keys' in result_sfa_user and result_sfa_user['keys'][0] == public_key: # updating manifold updated_config = json.dumps(account_config) user_params = { 'config': keypair, 'auth_type':'managed'} manifold_update_account(request, user_id, user_params) messages.success(request, 'Sucess: New Keypair Generated! Delegation of your credentials will be automatic.') else: raise Exception,"Keys are not matching" except Exception as e: messages.error(request, 'Error: An error occured during the update of your public key at the Registry, or your public key is not matching the one stored.') logger.error("Exception in accountview {}".format(e)) return HttpResponseRedirect("/portal/account/") except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") elif 'upload_key' in request.POST: try: up_file = request.FILES['pubkey'] file_content = up_file.read() file_name = up_file.name file_extension = os.path.splitext(file_name)[1] allowed_extension = ['.pub','.txt'] if file_extension in allowed_extension and re.search(r'ssh-rsa',file_content): account_config = json.loads(account_detail['config']) # preserving user_hrn user_hrn = account_config.get('user_hrn','N/A') file_content = '{"user_public_key":"'+ file_content + '", "user_hrn":"'+ user_hrn +'"}' #file_content = re.sub("\r", "", file_content) #file_content = re.sub("\n", "\\n",file_content) file_content = ''.join(file_content.split()) #update manifold local:account table user_params = { 'config': file_content, 'auth_type':'user'} manifold_update_account(request, user_id, user_params) # updating sfa user_pub_key = {'keys': file_content} sfa_update_user(request, user_hrn, user_pub_key) messages.success(request, 'Publickey uploaded! Please delegate your credentials using SFA: http://trac.myslice.info/wiki/DelegatingCredentials') return HttpResponseRedirect("/portal/account/") else: messages.error(request, 'RSA key error: Please upload a valid RSA public key [.txt or .pub].') return HttpResponseRedirect("/portal/account/") except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") elif 'dl_pubkey' in request.POST or request.POST['button_value'] == 'dl_pubkey': try: account_config = json.loads(account_detail['config']) public_key = account_config['user_public_key'] response = HttpResponse(public_key, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="pubkey.txt"' return response except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") elif 'dl_pkey' in request.POST or request.POST['button_value'] == 'dl_pkey': try: account_config = json.loads(account_detail['config']) if 'user_private_key' in account_config: private_key = account_config['user_private_key'] response = HttpResponse(private_key, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="privkey.txt"' return response else: messages.error(request, 'Download error: Private key is not stored in the server') return HttpResponseRedirect("/portal/account/") except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") elif 'delete' in request.POST or request.POST['button_value'] == 'delete': try: account_config = json.loads(account_detail['config']) if 'user_private_key' in account_config: for key in account_config.keys(): if key == 'user_private_key': del account_config[key] updated_config = json.dumps(account_config) user_params = { 'config': updated_config, 'auth_type':'user'} manifold_update_account(request, user_id, user_params) messages.success(request, 'Private Key deleted. You need to delegate credentials manually once it expires.') messages.success(request, 'Once your credentials expire, Please delegate manually using SFA: http://trac.myslice.info/wiki/DelegatingCredentials') return HttpResponseRedirect("/portal/account/") else: messages.error(request, 'Delete error: Private key is not stored in the server') return HttpResponseRedirect("/portal/account/") except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") # download identity for jfed elif 'dl_identity' in request.POST or request.POST['button_value'] == 'dl_identity': try: jfed_identity = get_jfed_identity(request) if jfed_identity is not None: response = HttpResponse(jfed_identity, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="jfed_identity.txt"' return response else: messages.error(request, 'Download error: Private key is not stored in the server') return HttpResponseRedirect("/portal/account/") except Exception as e: messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") # Download sfi_config elif 'dl_sfi_config' in request.POST or request.POST['button_value'] == 'dl_sfi_config': platform_detail = get_myslice_platform(request) platform_config = json.loads(platform_detail['config']) account_detail = get_myslice_account(request) account_config = json.loads(account_detail['config']) user_hrn = account_config.get('user_hrn','N/A') t_user_hrn = user_hrn.split('.') authority_hrn = t_user_hrn[0] + '.' + t_user_hrn[1] registry = get_registry_url(request) import socket hostname = socket.gethostbyaddr(socket.gethostname())[0] admin_user = platform_config.get('user','N/A') manifold_host = ConfigEngine().manifold_url() if 'localhost' in manifold_host: manifold_host = manifold_host.replace('localhost',hostname) sfi_config = '[sfi]\n' sfi_config += 'auth = '+ authority_hrn +'\n' sfi_config += 'user = '******'\n' sfi_config += 'registry = '+ registry +'\n' sfi_config += 'sm = http://sfa3.planet-lab.eu:12346/\n\n' sfi_config += '[myslice]\n' sfi_config += 'backend = '+ manifold_host +'\n' sfi_config += 'delegate = '+ admin_user +'\n' sfi_config += 'platform = myslice\n' sfi_config += 'username = '******'\n' response = HttpResponse(sfi_config, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="sfi_config"' return response #clear all creds elif 'clear_cred' in request.POST or request.POST['button_value'] == 'clear_cred': try: result = clear_user_creds(request, user_email) if result is not None: messages.success(request, 'All Credentials cleared') else: messages.error(request, 'Delete error: Credentials are not stored in the server') except Exception as e: logger.error("Exception in accountview.py in clear_user_creds {}".format(e)) messages.error(request, 'Account error: You need an account in myslice platform to perform this action') return HttpResponseRedirect("/portal/account/") # Download delegated_user_cred elif 'dl_user_cred' in request.POST or request.POST['button_value'] == 'dl_user_cred': if 'delegated_user_credential' in account_config: user_cred = account_config['delegated_user_credential'] response = HttpResponse(user_cred, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="user_cred.txt"' return response else: messages.error(request, 'Download error: User credential is not stored in the server') return HttpResponseRedirect("/portal/account/") # Download user_cert elif 'dl_user_cert' in request.POST or request.POST['button_value'] == 'dl_user_cert': if 'user_credential' in account_config: user_cred = account_config['user_credential'] obj_cred = Credential(string=user_cred) obj_gid = obj_cred.get_gid_object() str_cert = obj_gid.save_to_string() response = HttpResponse(str_cert, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="user_certificate.pem"' return response elif 'delegated_user_credential' in account_config: user_cred = account_config['delegated_user_credential'] obj_cred = Credential(string=user_cred) obj_gid = obj_cred.get_gid_object() str_cert = obj_gid.save_to_string() response = HttpResponse(str_cert, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="user_certificate.pem"' return response else: messages.error(request, 'Download error: User credential is not stored in the server') return HttpResponseRedirect("/portal/account/") # Download user p12 = private_key + Certificate elif 'dl_user_p12' in request.POST or request.POST['button_value'] == 'dl_user_p12': if 'user_credential' in account_config and 'user_private_key' in account_config: user_cred = account_config['user_credential'] obj_cred = Credential(string=user_cred) obj_gid = obj_cred.get_gid_object() str_cert = obj_gid.save_to_string() cert = crypto.load_certificate(crypto.FILETYPE_PEM, str_cert) user_private_key = account_config['user_private_key'].encode('ascii') pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, user_private_key) p12 = crypto.PKCS12() p12.set_privatekey(pkey) p12.set_certificate(cert) pkcs12 = p12.export() response = HttpResponse(pkcs12, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="user_pkcs.p12"' return response elif 'delegated_user_credential' in account_config and 'user_private_key' in account_config: user_cred = account_config['delegated_user_credential'] obj_cred = Credential(string=user_cred) obj_gid = obj_cred.get_gid_object() str_cert = obj_gid.save_to_string() cert = crypto.load_certificate(crypto.FILETYPE_PEM, str_cert) user_private_key = account_config['user_private_key'].encode('ascii') pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, user_private_key) p12 = crypto.PKCS12() p12.set_privatekey(pkey) p12.set_certificate(cert) pkcs12 = p12.export() response = HttpResponse(pkcs12, content_type='text/plain') response['Content-Disposition'] = 'attachment; filename="user_pkcs.p12"' return response else: messages.error(request, 'Download error: User private key or credential is not stored in the server') return HttpResponseRedirect("/portal/account/") else: messages.info(request, 'Under Construction. Please try again later!') return HttpResponseRedirect("/portal/account/")