from sfa.util.faults import InsufficientRights, MissingCallerGID, \
MissingTrustedRoots, PermissionError, BadRequestHash, \
ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
Forbidden, BadArgs
from sfa.util.sfalogging import logger
from sfa.util.faults import InsufficientRights, MissingCallerGID, \
MissingTrustedRoots, PermissionError, BadRequestHash, \
ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
Forbidden, BadArgs
from sfa.util.sfalogging import logger
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
# this convenience methods extracts speaking_for_xrn
# from the passed options using 'geni_speaking_for'
# this convenience methods extracts speaking_for_xrn
# from the passed options using 'geni_speaking_for'
- if options is None: speaking_for_xrn = None
- else: speaking_for_xrn = options.get('geni_speaking_for', None)
+ if options is None:
+ speaking_for_xrn = None
+ else:
+ speaking_for_xrn = options.get('geni_speaking_for', None)
kwds['speaking_for_xrn'] = speaking_for_xrn
return self.checkCredentials(*args, **kwds)
kwds['speaking_for_xrn'] = speaking_for_xrn
return self.checkCredentials(*args, **kwds)
- def checkCredentials(self, creds, operation, xrns=None,
- check_sliver_callback=None,
+ def checkCredentials(self, creds, operation, xrns=None,
+ check_sliver_callback=None,
- if not isinstance (cred, StringTypes):
- logger.info("cannot validate credential %s - expecting a string"%cred)
+ if not isinstance(cred, StringType):
+ logger.info(
+ "cannot validate credential %s - expecting a string" % cred)
error = ('TypeMismatch',
"checkCredentials: expected a string, received {} -- {}"
.format(type(cred), cred))
else:
cred_obj = Credential(string=cred)
error = ('TypeMismatch',
"checkCredentials: expected a string, received {} -- {}"
.format(type(cred), cred))
else:
cred_obj = Credential(string=cred)
- # we are not able to validate slivers in the traditional way so
- # we make sure not to include sliver urns/hrns in the core validation loop
- hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
+ # we are not able to validate slivers in the traditional way so
+ # we make sure not to include sliver urns/hrns in the core validation
+ # loop
+ hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
- logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
- # won't work if either creds or hrns is empty - let's make it more explicit
- if not creds: raise Forbidden("no credential provided")
- if not hrns: hrns = [None]
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s" %
+ (len(creds), hrns))
+ # won't work if either creds or hrns is empty - let's make it more
+ # explicit
+ if not creds:
+ raise Forbidden("no credential provided")
+ if not hrns:
+ hrns = [None]
speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
speaking_for_xrn, self.trusted_cert_list)
speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
speaking_for_xrn, self.trusted_cert_list)
# make sure all sliver xrns are validated against the valid credentials
if sliver_xrns:
if not check_sliver_callback:
# make sure all sliver xrns are validated against the valid credentials
if sliver_xrns:
if not check_sliver_callback:
msg += " Unable to validate sliver xrns: %s" % sliver_xrns
raise Forbidden(msg)
check_sliver_callback(valid, sliver_xrns)
msg += " Unable to validate sliver xrns: %s" % sliver_xrns
raise Forbidden(msg)
check_sliver_callback(valid, sliver_xrns)
-
- def check(self, credential, operation, hrn = None):
+
+ def check(self, credential, operation, hrn=None):
"""
Check the credential against the peer cert (callerGID) included
in the credential matches the caller that is connected to the
"""
Check the credential against the peer cert (callerGID) included
in the credential matches the caller that is connected to the
- logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
- (hrn,cred.pretty_cred()))
+ logger.debug("Auth.check: handling hrn=%s and credential=%s" %
+ (hrn, cred.pretty_cred()))
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
self.client_cred.verify(self.trusted_cert_file_list,
self.config.SFA_CREDENTIAL_SCHEMA)
else:
self.client_cred.verify(self.trusted_cert_file_list,
self.config.SFA_CREDENTIAL_SCHEMA)
else:
- raise MissingTrustedRoots(self.config.get_trustedroots_dir())
-
- # Make sure the credential's target matches the specified hrn.
- # This check does not apply to trusted peers
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
return gid
def authenticateCred(self, credStr, argList, requestHash=None):
return gid
def authenticateCred(self, credStr, argList, requestHash=None):
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
# xxx should be validateCred ??
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
# xxx should be validateCred ??
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
cred = Credential(string=credential)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
cred = Credential(string=credential)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
def get_auth_info(self, auth_hrn):
"""
Given an authority name, return the information for that authority.
This is basically a stub that calls the hierarchy module.
def get_auth_info(self, auth_hrn):
"""
Given an authority name, return the information for that authority.
This is basically a stub that calls the hierarchy module.
def veriry_auth_belongs_to_me(self, name):
"""
Verify that an authority belongs to our hierarchy.
def veriry_auth_belongs_to_me(self, name):
"""
Verify that an authority belongs to our hierarchy.
def verify_object_belongs_to_me(self, name):
"""
Verify that an object belongs to our hierarchy. By extension,
this implies that the authority that owns the object belongs
to our hierarchy. If it does not an exception is thrown.
def verify_object_belongs_to_me(self, name):
"""
Verify that an object belongs to our hierarchy. By extension,
this implies that the authority that owns the object belongs
to our hierarchy. If it does not an exception is thrown.
def verify_auth_belongs_to_me(self, name):
# get auth info will throw an exception if the authority doesnt exist
def verify_auth_belongs_to_me(self, name):
# get auth info will throw an exception if the authority doesnt exist
allows permission to the object 'name'. This is done by a simple
prefix test. For example, an object_gid for plc.arizona would
match the objects plc.arizona.slice1 and plc.arizona.
allows permission to the object 'name'. This is done by a simple
prefix test. For example, an object_gid for plc.arizona would
match the objects plc.arizona.slice1 and plc.arizona.
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
(reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
(reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
- # NOTE: for the PL implementation, this 'operators' list
- # amounted to users with 'tech' role in that site
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site