def get_auth_cred(self, xrn, kind="authority"):
    """Build and sign the credential of the authority named by *xrn*.

    Both the caller and the object GID of the credential are the
    authority's own GID, and the privilege set named by *kind* is
    granted with the delegate bit set on every right.  The credential
    is signed by the parent authority's private key; an authority with
    no parent, or whose hrn is the configured SFA_INTERFACE_HRN, signs
    itself, which is where the recursion through the hierarchy stops.
    Sub-authority credentials carry their parent's credential as the
    next link of the chain.

    Args:
        xrn: hrn or urn of the authority.
        kind: privilege set handed to Credential.set_privileges.

    Returns:
        The signed Credential object (not serialised).
    """
    hrn, _ = urn_to_hrn(xrn)
    auth_info = self.get_auth_info(hrn)
    auth_gid = auth_info.get_gid_object()

    cred = Credential(subject=hrn)
    cred.set_gid_caller(auth_gid)
    cred.set_gid_object(auth_gid)
    cred.set_privileges(kind)
    # Every right granted here is delegatable further down the chain.
    cred.get_privileges().delegate_all_privileges(True)
    #cred.set_pubkey(auth_info.get_gid_object().get_pubkey())

    parent_hrn = get_authority(hrn)
    self_signed = not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN
    if self_signed:
        # Root of the hierarchy: our own key signs, recursion ends here.
        signer = auth_info
    else:
        # The parent's private key is required to sign a sub-authority.
        signer = self.get_auth_info(parent_hrn)
    cred.set_issuer_keys(signer.get_privkey_filename(),
                         signer.get_gid_filename())
    if not self_signed:
        cred.set_parent(self.get_auth_cred(parent_hrn, kind))

    cred.encode()
    cred.sign()
    return cred
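def GetCredential(self, api, xrn, type, caller_xrn=None):
    """Issue and sign a credential for the registry record named by *xrn*.

    The record is looked up by hrn (and type), the caller is resolved,
    the caller's rights over the record are computed by
    api.auth.determine_user_rights, and a Credential signed with the
    issuing authority's private key is returned as a string.

    Args:
        api: registry api; api.auth and api.config are used.
        xrn: hrn or urn of the credential's object.
        type: record type; when falsy the type is taken from the urn.
        caller_xrn: xrn of the entity the credential is issued to.  When
            omitted the record is its own caller (a "self" credential).
            NOTE(review): the caller identity is taken from this argument
            as given; nothing in this method ties it to an authenticated
            requester, so the invoking layer must have done that.

    Returns:
        The signed credential serialised by save_to_string(save_parents=True).

    Raises:
        RecordNotFound: the object record, or the caller record, is missing.
        PermissionError: the caller has no rights over the object.
    """
    # Resolve xrn -> hrn, taking the type from the urn when none was given.
    if type:
        hrn = urn_to_hrn(xrn)[0]
    else:
        hrn, type = urn_to_hrn(xrn)

    # Issuing authority: the object's parent authority, or the object
    # itself for a root authority / the interface's own hrn.
    auth_hrn = api.auth.get_authority(hrn)
    if not auth_hrn or hrn == api.config.SFA_INTERFACE_HRN:
        auth_hrn = hrn
    auth_info = api.auth.get_auth_info(auth_hrn)

    record = dbsession.query(RegRecord).filter_by(type=type, hrn=hrn).first()
    if not record:
        raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))

    # Caller GID: the record's own GID for a self credential, otherwise
    # the GID stored on the caller's registry record.
    if not caller_xrn:
        caller_hrn = hrn
        caller_gid = record.get_gid_object()
    else:
        caller_hrn, caller_type = urn_to_hrn(caller_xrn)
        caller_filter = {'hrn': caller_hrn}
        if caller_type:
            caller_filter['type'] = caller_type
        caller_record = dbsession.query(RegRecord).filter_by(**caller_filter).first()
        if not caller_record:
            raise RecordNotFound(
                "Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
                % (caller_hrn, caller_type, hrn, type))
        caller_gid = GID(string=caller_record.gid)

    object_hrn = record.get_gid_object().get_hrn()

    # Authorisation: an empty rights set means no credential is issued.
    rights = api.auth.determine_user_rights(caller_hrn, record)
    if rights.is_empty():
        raise PermissionError("%s has no rights to %s (%s)" % (caller_hrn, object_hrn, xrn))

    object_gid = GID(string=record.gid)
    new_cred = Credential(subject=object_gid.get_subject())
    new_cred.set_gid_caller(caller_gid)
    new_cred.set_gid_object(object_gid)
    # Signed by the authority resolved above, never by the object itself.
    new_cred.set_issuer_keys(auth_info.get_privkey_filename(),
                             auth_info.get_gid_filename())
    #new_cred.set_pubkey(object_gid.get_pubkey())
    new_cred.set_privileges(rights)
    # Every granted right is marked delegatable.
    new_cred.get_privileges().delegate_all_privileges(True)
    # Credential lifetime follows the record's expiry when it carries one.
    if hasattr(record, 'expires'):
        date = utcparse(record.expires)
        expires = datetime_to_epoch(date)
        new_cred.set_expiration(int(expires))
    auth_kind = "authority,ma,sa"
    # Parent not necessary, verify with certs
    #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
    new_cred.encode()
    new_cred.sign()
    return new_cred.save_to_string(save_parents=True)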
def GetCredential(self, api, xrn, type, caller_xrn=None):
    """Issue a signed credential for the registry record named by *xrn*.

    Args:
        api: registry api; api.auth and api.config are used.
        xrn: hrn or urn of the credential's object.
        type: record type; when falsy it is taken from the urn.
        caller_xrn: xrn of the entity receiving the credential; omitted
            for a "self" credential, where the record is its own caller.
            NOTE(review): this value is trusted as given; the method
            does not check it against an authenticated requester.

    Returns:
        The signed credential as a string, parent chain included.

    Raises:
        RecordNotFound: object or caller record not found.
        PermissionError: the caller has no rights over the object.
    """
    hrn, urn_type = urn_to_hrn(xrn)
    if not type:
        type = urn_type

    # Who signs: the parent authority, or the object itself at the root.
    issuer_hrn = api.auth.get_authority(hrn)
    if not issuer_hrn or hrn == api.config.SFA_INTERFACE_HRN:
        issuer_hrn = hrn
    issuer = api.auth.get_auth_info(issuer_hrn)

    record = dbsession.query(RegRecord).filter_by(type=type, hrn=hrn).first()
    if not record:
        raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))

    if caller_xrn:
        caller_hrn, caller_type = urn_to_hrn(caller_xrn)
        lookup = {'hrn': caller_hrn}
        if caller_type:
            lookup['type'] = caller_type
        caller_record = dbsession.query(RegRecord).filter_by(**lookup).first()
        if not caller_record:
            raise RecordNotFound(
                "Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
                % (caller_hrn, caller_type, hrn, type))
        caller_gid = GID(string=caller_record.gid)
    else:
        # Self credential: the record's own GID is the caller GID.
        caller_hrn = hrn
        caller_gid = record.get_gid_object()

    object_hrn = record.get_gid_object().get_hrn()

    rights = api.auth.determine_user_rights(caller_hrn, record)
    if rights.is_empty():
        raise PermissionError("%s has no rights to %s (%s)" % (caller_hrn, object_hrn, xrn))

    object_gid = GID(string=record.gid)
    cred = Credential(subject=object_gid.get_subject())
    cred.set_gid_caller(caller_gid)
    cred.set_gid_object(object_gid)
    cred.set_issuer_keys(issuer.get_privkey_filename(), issuer.get_gid_filename())
    #new_cred.set_pubkey(object_gid.get_pubkey())
    cred.set_privileges(rights)
    # All granted rights are delegatable.
    cred.get_privileges().delegate_all_privileges(True)
    if hasattr(record, 'expires'):
        # Lifetime bounded by the record's expiry.
        cred.set_expiration(int(datetime_to_epoch(utcparse(record.expires))))
    auth_kind = "authority,ma,sa"
    # Parent not necessary, verify with certs
    #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
    cred.encode()
    cred.sign()
    return cred.save_to_string(save_parents=True)
def get_credential(api, xrn, type, is_self=False):
    """Issue a signed credential for the SfaTable record named by *xrn*.

    The caller is the record itself when *is_self* is set; otherwise it
    is the caller GID of the authenticated client credential
    (api.auth.client_cred).  Rights are computed by
    api.auth.determine_user_rights and the credential is signed with the
    issuing authority's private key.

    Args:
        api: registry api; api.auth, api.config and api.fill_record_info
            are used.
        xrn: hrn or urn of the credential's object.
        type: record type; when falsy it is taken from the urn.
        is_self: issue a self credential (record is its own caller).

    Returns:
        The signed credential as a string, parent chain included.

    Raises:
        RecordNotFound: no record matches hrn/type.
        AccountNotEnabled: a user record that is not enabled.
        PermissionError: the caller has no rights over the object.
    """
    hrn, urn_type = urn_to_hrn(xrn)
    if not type:
        type = urn_type

    # Issuing authority: the parent, or the object itself at the root.
    issuer_hrn = api.auth.get_authority(hrn)
    if not issuer_hrn or hrn == api.config.SFA_INTERFACE_HRN:
        issuer_hrn = hrn
    issuer = api.auth.get_auth_info(issuer_hrn)

    matches = SfaTable().findObjects({'type': type, 'hrn': hrn})
    if not matches:
        raise RecordNotFound(hrn)
    record = matches[0]

    # Member lists (researchers, pis, ...) must be populated before the
    # rights computation below.
    api.fill_record_info(record)
    if record['type'] == 'user' and not record['enabled']:
        raise AccountNotEnabled(": PlanetLab account %s is not enabled. Please contact your site PI" % (record['email']))

    if is_self:
        caller_hrn = hrn
        caller_gid = record.get_gid_object()
    else:
        # Caller identity comes from the authenticated client credential.
        caller_gid = api.auth.client_cred.get_gid_caller()
        caller_hrn = caller_gid.get_hrn()
    object_hrn = record.get_gid_object().get_hrn()

    rights = api.auth.determine_user_rights(caller_hrn, record)
    if rights.is_empty():
        raise PermissionError(caller_hrn + " has no rights to " + record['name'])

    object_gid = GID(string=record['gid'])
    cred = Credential(subject=object_gid.get_subject())
    cred.set_gid_caller(caller_gid)
    cred.set_gid_object(object_gid)
    cred.set_issuer_keys(issuer.get_privkey_filename(), issuer.get_gid_filename())
    #new_cred.set_pubkey(object_gid.get_pubkey())
    cred.set_privileges(rights)
    # All granted rights are delegatable.
    cred.get_privileges().delegate_all_privileges(True)
    if 'expires' in record:
        cred.set_expiration(int(record['expires']))
    auth_kind = "authority,ma,sa"
    # Parent not necessary, verify with certs
    #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
    cred.encode()
    cred.sign()
    return cred.save_to_string(save_parents=True)
def delegate_cred(self, object_cred, hrn, type='authority'):
    """Delegate *object_cred* to the user named by *hrn*; return it as a string.

    Refuses — logging an error and returning None — when the
    credential's delegate bit is not set.  *type* is accepted for
    interface compatibility but not used: the delegatee GID is always
    fetched through bootstrap as a 'user'.

    Args:
        object_cred: Credential, or its string form, to delegate.
        hrn: hrn of the user that will receive the delegation.
        type: unused.

    Returns:
        The delegated credential as a string (parents included), or None
        when the delegate bit is missing.
    """
    if isinstance(object_cred, str):
        # XXX Yes here we give a string...
        object_cred = Credential(string=object_cred)
    delegated_hrn = object_cred.get_gid_object().get_hrn()

    if not object_cred.get_privileges().get_all_delegate():
        self.logger.error(
            "Object credential %s does not have delegate bit set" % delegated_hrn)
        return

    # Delegating user's GID: already a string (done in bootstrap).
    my_gidfile = self.my_gid
    # GID of the delegatee, fetched via bootstrap (XXX tell thierry).
    delegee_gid = self.bootstrap.gid(hrn, 'user')
    # Kept from the original: the parsed hrn is never used, so this call
    # presumably only parses/validates the fetched GID — TODO confirm.
    GID(delegee_gid).get_hrn()
    # Private key already loaded in bootstrap.
    delegated = object_cred.delegate(delegee_gid, self.private_key, my_gidfile)
    return delegated.save_to_string(save_parents=True)
def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'):
    """Sign a delegation of *original_credential* to *to_hrn* and return it as a string.

    original_credential : a Credential or its string form, typically
        one's own user or slice credential
    to_hrn : hrn of the entity allowed to act on our behalf
    to_type : record type that goes with to_hrn, usually 'user' or 'authority'

    Uses self.my_gid() as the delegating GID, self.gid(to_hrn, to_type)
    for the delegatee's GID file, and Credential.delegate() to sign.
    Returns None (after logging an error) when the original credential
    does not carry the delegate bit.
    """
    if isinstance (original_credential, str):
        original_credential = Credential (string=original_credential)
    subject_hrn = original_credential.get_gid_object().get_hrn()

    # Only a credential whose rights are delegatable may be delegated.
    if not original_credential.get_privileges().get_all_delegate():
        self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%subject_hrn)
        return

    delegator_gid = self.my_gid()
    # GID file of the entity we are delegating to.
    delegatee_gidfile = self.gid (to_hrn,to_type)
    delegated = original_credential.delegate(delegatee_gidfile,
                                             self.private_key(),
                                             delegator_gid)
    return delegated.save_to_string(save_parents=True)
def delegate_cred(self, object_cred, hrn):
    """Delegate *object_cred* to the entity named by *hrn*; return it as a string.

    The delegatee's GID is fetched with self._get_gid and written to a
    file under self.options.sfi_dir named after the GID's own hrn; that
    file, the local key file and the user's GID file are then handed to
    Credential.delegate.  Returns None (after logging an error) when the
    credential's delegate bit is not set.

    NOTE(review): the on-disk name is built from the hrn inside the
    fetched GID; nothing here rejects path separators in it before the
    os.path.join, so that value should be trusted only as far as its
    source (the registry) is.
    """
    if isinstance(object_cred, str):
        object_cred = Credential(string=object_cred)
    subject_hrn = object_cred.get_gid_object().get_hrn()

    if not object_cred.get_privileges().get_all_delegate():
        self.logger.error("Object credential %s does not have delegate bit set" % subject_hrn)
        return

    # Delegating user's GID (fetched as in the original; result unused)
    # and the file it is expected to live in.
    self._get_gid(self.user)
    my_gidfile = os.path.join(self.options.sfi_dir, self.user + ".gid")

    # Delegatee's GID, saved to disk so delegate() can read it by path.
    delegatee_gid = self._get_gid(hrn)
    delegatee_gidfile = os.path.join(self.options.sfi_dir,
                                     delegatee_gid.get_hrn() + ".gid")
    delegatee_gid.save_to_file(filename=delegatee_gidfile)

    delegated = object_cred.delegate(delegatee_gidfile, self.get_key_file(), my_gidfile)
    return delegated.save_to_string(save_parents=True)
def delegate_credential_string(self, original_credential, to_hrn, to_type='authority'):
    """Sign a delegation of *original_credential* to *to_hrn* and return it as a string.

    original_credential : a Credential or its string form, typically
        one's own user or slice credential
    to_hrn : hrn of the entity allowed to act on our behalf
    to_type : record type that goes with to_hrn, usually 'user' or 'authority'

    Uses self.my_gid() as the delegating GID, self.gid(to_hrn, to_type)
    for the delegatee's GID file, and Credential.delegate() to sign.
    Returns None, without logging, when the original credential does
    not carry the delegate bit.
    """
    if isinstance(original_credential, str):
        original_credential = Credential(string=original_credential)
    subject_hrn = original_credential.get_gid_object().get_hrn()

    # Refuse silently: the error log for this case is disabled.
    if not original_credential.get_privileges().get_all_delegate():
        #self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn)
        return

    delegator_gid = self.my_gid()
    delegatee_gidfile = self.gid(to_hrn, to_type)
    delegated = original_credential.delegate(delegatee_gidfile,
                                             self.private_key(),
                                             delegator_gid)
    return delegated.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None):
    """Issue a signed credential for the registry record named by *xrn*.

    The record is augmented with testbed information by self.driver
    and refused when the driver reports it as not enabled.  Rights are
    computed by api.auth.determine_user_rights over the record's dict.

    Args:
        api: registry api; api.auth and api.config are used.
        xrn: hrn or urn of the credential's object.
        type: record type; when falsy it is taken from the urn and the
            lookup matches on hrn alone.
        caller_xrn: xrn of the entity receiving the credential; omitted
            for a "self" credential.  NOTE(review): used as given, not
            checked against an authenticated requester here.

    Returns:
        The signed credential as a string, parent chain included.

    Raises:
        RecordNotFound: object or caller record not found.
        AccountNotEnabled: the driver reports the account disabled.
        PermissionError: the caller has no rights over the object.
    """
    hrn, urn_type = urn_to_hrn(xrn)
    if not type:
        type = urn_type

    # Issuing authority: the parent, or the object itself at the root.
    issuer_hrn = api.auth.get_authority(hrn)
    if not issuer_hrn or hrn == api.config.SFA_INTERFACE_HRN:
        issuer_hrn = hrn
    issuer = api.auth.get_auth_info(issuer_hrn)

    lookup = {'hrn': hrn}
    if type:
        lookup['type'] = type
    record = dbsession.query(RegRecord).filter_by(**lookup).first()
    if not record:
        raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))

    # Member lists (researchers, pis, ...) must be filled in before the
    # rights computation below.
    logger.debug("get credential before augment dict, keys=%s" % record.__dict__.keys())
    self.driver.augment_records_with_testbed_info(record.__dict__)
    logger.debug("get credential after augment dict, keys=%s" % record.__dict__.keys())
    if not self.driver.is_enabled(record.__dict__):
        raise AccountNotEnabled(
            ": PlanetLab account %s is not enabled. Please contact your site PI" % (record.email))

    if caller_xrn:
        caller_hrn, caller_type = urn_to_hrn(caller_xrn)
        caller_lookup = {'hrn': caller_hrn}
        if caller_type:
            caller_lookup['type'] = caller_type
        caller_record = dbsession.query(RegRecord).filter_by(**caller_lookup).first()
        if not caller_record:
            raise RecordNotFound(
                "Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
                % (caller_hrn, caller_type, hrn, type))
        caller_gid = GID(string=caller_record.gid)
    else:
        # Self credential: the record is its own caller.
        caller_hrn = hrn
        caller_gid = record.get_gid_object()

    object_hrn = record.get_gid_object().get_hrn()

    rights = api.auth.determine_user_rights(caller_hrn, record.todict())
    if rights.is_empty():
        raise PermissionError(caller_hrn + " has no rights to " + record.hrn)

    object_gid = GID(string=record.gid)
    cred = Credential(subject=object_gid.get_subject())
    cred.set_gid_caller(caller_gid)
    cred.set_gid_object(object_gid)
    cred.set_issuer_keys(issuer.get_privkey_filename(), issuer.get_gid_filename())
    #new_cred.set_pubkey(object_gid.get_pubkey())
    cred.set_privileges(rights)
    # All granted rights are delegatable.
    cred.get_privileges().delegate_all_privileges(True)
    if hasattr(record, 'expires'):
        # Lifetime bounded by the record's expiry.
        cred.set_expiration(int(datetime_to_epoch(utcparse(record.expires))))
    auth_kind = "authority,ma,sa"
    # Parent not necessary, verify with certs
    #new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
    cred.encode()
    cred.sign()
    return cred.save_to_string(save_parents=True)
def GetCredential(self, api, xrn, type, caller_xrn=None):
    """Issue a signed credential for the registry record named by *xrn*.

    The record is augmented with testbed information by api.driver and
    refused when the driver reports it as not enabled.  Rights are
    computed by api.auth.determine_user_rights over the record object.

    Args:
        api: registry api; api.auth, api.config and api.driver are used.
        xrn: hrn or urn of the credential's object.
        type: record type; when falsy it is taken from the urn and the
            lookup matches on hrn alone.
        caller_xrn: xrn of the entity receiving the credential; omitted
            for a "self" credential.  NOTE(review): used as given, not
            checked against an authenticated requester here.

    Returns:
        The signed credential as a string, parent chain included.

    Raises:
        RecordNotFound: object or caller record not found.
        AccountNotEnabled: the driver reports the account disabled.
        PermissionError: the caller has no rights over the object.
    """
    hrn, urn_type = urn_to_hrn(xrn)
    if not type:
        type = urn_type

    # Issuing authority: the parent, or the object itself at the root.
    issuer_hrn = api.auth.get_authority(hrn)
    if not issuer_hrn or hrn == api.config.SFA_INTERFACE_HRN:
        issuer_hrn = hrn
    issuer = api.auth.get_auth_info(issuer_hrn)

    lookup = {"hrn": hrn}
    if type:
        lookup["type"] = type
    record = dbsession.query(RegRecord).filter_by(**lookup).first()
    if not record:
        raise RecordNotFound("hrn=%s, type=%s" % (hrn, type))

    # Member lists (researchers, pis, ...) must be filled in before the
    # rights computation below.
    logger.debug("get credential before augment dict, keys=%s" % record.__dict__.keys())
    api.driver.augment_records_with_testbed_info(record.__dict__)
    logger.debug("get credential after augment dict, keys=%s" % record.__dict__.keys())
    if not api.driver.is_enabled(record.__dict__):
        raise AccountNotEnabled(
            ": PlanetLab account %s is not enabled. Please contact your site PI" % (record.email)
        )

    if caller_xrn:
        caller_hrn, caller_type = urn_to_hrn(caller_xrn)
        caller_lookup = {"hrn": caller_hrn}
        if caller_type:
            caller_lookup["type"] = caller_type
        caller_record = dbsession.query(RegRecord).filter_by(**caller_lookup).first()
        if not caller_record:
            raise RecordNotFound(
                "Unable to associated caller (hrn=%s, type=%s) with credential for (hrn: %s, type: %s)"
                % (caller_hrn, caller_type, hrn, type)
            )
        caller_gid = GID(string=caller_record.gid)
    else:
        # Self credential: the record is its own caller.
        caller_hrn = hrn
        caller_gid = record.get_gid_object()

    object_hrn = record.get_gid_object().get_hrn()

    rights = api.auth.determine_user_rights(caller_hrn, record)
    if rights.is_empty():
        raise PermissionError(caller_hrn + " has no rights to " + record.hrn)

    object_gid = GID(string=record.gid)
    cred = Credential(subject=object_gid.get_subject())
    cred.set_gid_caller(caller_gid)
    cred.set_gid_object(object_gid)
    cred.set_issuer_keys(issuer.get_privkey_filename(), issuer.get_gid_filename())
    # new_cred.set_pubkey(object_gid.get_pubkey())
    cred.set_privileges(rights)
    # All granted rights are delegatable.
    cred.get_privileges().delegate_all_privileges(True)
    if hasattr(record, "expires"):
        # Lifetime bounded by the record's expiry.
        cred.set_expiration(int(datetime_to_epoch(utcparse(record.expires))))
    auth_kind = "authority,ma,sa"
    # Parent not necessary, verify with certs
    # new_cred.set_parent(api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
    cred.encode()
    cred.sign()
    return cred.save_to_string(save_parents=True)