rename get_summary_tostring into pretty_cred

[sfa.git] / sfa / trust / auth.py

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 3952272..2c5a447 100644 (file)
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -2,17 +2,25 @@
 # SfaAPI authentication 
 #
 import sys
 # SfaAPI authentication 
 #
 import sys

-
+from types import StringTypes
+
+from sfa.util.faults import InsufficientRights, MissingCallerGID, \
+    MissingTrustedRoots, PermissionError, BadRequestHash, \
+    ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
+    Forbidden, BadArgs
+from sfa.util.sfalogging import logger
+from sfa.util.config import Config
+from sfa.util.xrn import Xrn, get_authority
+
+from sfa.trust.gid import GID
+from sfa.trust.rights import Rights

 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.credential import Credential
 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.credential import Credential

-from sfa.trust.trustedroot import TrustedRootList
-from sfa.util.faults import *
+from sfa.trust.trustedroots import TrustedRoots

 from sfa.trust.hierarchy import Hierarchy
 from sfa.trust.hierarchy import Hierarchy

-from sfa.util.config import *
-from sfa.util.namespace import get_authority
-from sfa.util.sfaticket import *
+from sfa.trust.sfaticket import SfaTicket
+from sfa.trust.speaksfor_util import determine_speaks_for

 
 

-from sfa.util.sfalogging import sfa_logger

 
 class Auth:
     """
 
 class Auth:
     """


@@ -27,41 +35,111 @@ class Auth:
         self.load_trusted_certs()
 
     def load_trusted_certs(self):
         self.load_trusted_certs()
 
     def load_trusted_certs(self):

-        self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
-        self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
+        self.trusted_cert_list = \
+            TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+        self.trusted_cert_file_list = \
+            TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+
+    # this convenience methods extracts speaking_for_xrn
+    # from the passed options using 'geni_speaking_for'
+    def checkCredentialsSpeaksFor (self, *args, **kwds):
+        if 'options' not in kwds:
+            logger.error ("checkCredentialsSpeaksFor was not passed options=options")
+            return
+        # remove the options arg
+        options=kwds['options']; del kwds['options']
+        # compute the speaking_for_xrn arg and pass it to checkCredentials
+        if options is None: speaking_for_xrn=None
+        else:               speaking_for_xrn=options.get('geni_speaking_for',None)
+        kwds['speaking_for_xrn']=speaking_for_xrn
+        return self.checkCredentials (*args, **kwds)
+
+    # do not use mutable as default argument 
+    # http://docs.python-guide.org/en/latest/writing/gotchas/#mutable-default-arguments
+    def checkCredentials(self, creds, operation, xrns=None, 
+                         check_sliver_callback=None, 
+                         speaking_for_xrn=None):
+        if xrns is None: xrns=[]
+        def log_invalid_cred(cred):
+            if not isinstance (cred, StringTypes):
+                logger.info("cannot validate credential %s - expecting a string"%cred)
+                error="checkCredentials: expected a string, received %s"%(type(cred))
+            else:
+                cred_obj=Credential(string=cred)
+                logger.info("failed to validate credential - dump=%s"%\
+                            cred_obj.dump_string(dump_parents=True))
+                error = sys.exc_info()[:2]
+            return error
+
+        # if xrns are specified they cannot be None or empty string
+        if xrns:
+            for xrn in xrns:
+                if not xrn:
+                    raise BadArgs("Invalid urn or hrn")

 
         
 
         

-        
-    def checkCredentials(self, creds, operation, hrn = None):
+        if not isinstance(xrns, list):
+            xrns = [xrns]
+
+        slice_xrns  = Xrn.filter_type(xrns, 'slice')
+        sliver_xrns = Xrn.filter_type(xrns, 'sliver')
+
+        # we are not able to validate slivers in the traditional way so 
+        # we make sure not to include sliver urns/hrns in the core validation loop
+        hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns] 

         valid = []
         if not isinstance(creds, list):
             creds = [creds]
         valid = []
         if not isinstance(creds, list):
             creds = [creds]

-        sfa_logger().debug("Auth.checkCredentials with %d creds"%len(creds))
-        for cred in creds:
-            try:
-                self.check(cred, operation, hrn)
-                valid.append(cred)
-            except:
-                cred_obj=Credential(string=cred)
-                sfa_logger().debug("failed to validate credential - dump="+cred_obj.dump_string(dump_parents=True))
-                error = sys.exc_info()[:2]
-                continue
-            
+        logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
+        # won't work if either creds or hrns is empty - let's make it more explicit
+        if not creds: raise Forbidden("no credential provided")
+        if not hrns: hrns = [None]
+        error=[None,None]
+
+        speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
+                                              speaking_for_xrn, self.trusted_cert_list)
+
+        if self.peer_cert and \
+           not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
+            valid = creds
+        else:
+            for cred in creds:
+                for hrn in hrns:
+                    try:
+                        self.check(cred, operation, hrn)
+                        valid.append(cred)
+                    except:
+                        error = log_invalid_cred(cred)
+        
+        # make sure all sliver xrns are validated against the valid credentials
+        if sliver_xrns:
+            if not check_sliver_callback:
+                msg = "sliver verification callback method not found." 
+                msg += " Unable to validate sliver xrns: %s" % sliver_xrns
+                raise Forbidden(msg)
+            check_sliver_callback(valid, sliver_xrns)
+                

         if not len(valid):
         if not len(valid):

-            raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+            raise Forbidden("Invalid credential %s -- %s"%(error[0],error[1]))

         
         return valid
         
         
         
         return valid
         
         

-    def check(self, cred, operation, hrn = None):
+    def check(self, credential, operation, hrn = None):

         """
         """

-        Check the credential against the peer cert (callerGID included 
+        Check the credential against the peer cert (callerGID) included 

         in the credential matches the caller that is connected to the 
         HTTPS connection, check if the credential was signed by a 
         trusted cert and check if the credential is allowed to perform 
         the specified operation.    
         """
         in the credential matches the caller that is connected to the 
         HTTPS connection, check if the credential was signed by a 
         trusted cert and check if the credential is allowed to perform 
         the specified operation.    
         """

-        self.client_cred = Credential(string = cred)
+        cred = Credential(cred=credential)    
+        self.client_cred = cred
+        logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
+                         (hrn,cred.pretty_cred()))
+
+        if cred.type not in ['geni_sfa']:
+            raise CredentialNotVerifiable(cred.type, "%s not supported" % cred.type)

         self.client_gid = self.client_cred.get_gid_caller()
         self.object_gid = self.client_cred.get_gid_object()
         
         self.client_gid = self.client_cred.get_gid_caller()
         self.object_gid = self.client_cred.get_gid_object()
         


@@ -79,7 +157,8 @@ class Auth:
                 raise InsufficientRights(operation)
 
         if self.trusted_cert_list:
                 raise InsufficientRights(operation)
 
         if self.trusted_cert_list:

-            self.client_cred.verify(self.trusted_cert_file_list)
+            self.client_cred.verify(self.trusted_cert_file_list,
+                                    self.config.SFA_CREDENTIAL_SCHEMA)

         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        


@@ -95,7 +174,7 @@ class Auth:
 
     def check_ticket(self, ticket):
         """
 
     def check_ticket(self, ticket):
         """

-        Check if the tickt was signed by a trusted cert
+        Check if the ticket was signed by a trusted cert

         """
         if self.trusted_cert_list:
             client_ticket = SfaTicket(string=ticket)
         """
         if self.trusted_cert_list:
             client_ticket = SfaTicket(string=ticket)


@@ -145,7 +224,8 @@ class Auth:
 
     def authenticateCert(self, certStr, requestHash):
         cert = Certificate(string=certStr)
 
     def authenticateCert(self, certStr, requestHash):
         cert = Certificate(string=certStr)

-        self.validateCert(self, cert)   
+        # xxx should be validateCred ??
+        self.validateCred(cert)   

 
     def gidNoop(self, gidStr, value, requestHash):
         self.authenticateGid(gidStr, [gidStr, value], requestHash)
 
     def gidNoop(self, gidStr, value, requestHash):
         self.authenticateGid(gidStr, [gidStr, value], requestHash)


@@ -229,81 +309,65 @@ class Auth:
     
         raise PermissionError(name)
 
     
         raise PermissionError(name)
 

-    def determine_user_rights(self, caller_hrn, record):
+    def determine_user_rights(self, caller_hrn, reg_record):

         """
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
         
         """
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
         

-        This is intended to replace determine_rights() and
+        This is intended to replace determine_user_rights() and

         verify_cancreate_credential()
         """
 
         rl = Rights()
         verify_cancreate_credential()
         """
 
         rl = Rights()

-        type = record['type']
-
-
-        if type=="slice":
-            researchers = record.get("researcher", [])
-            pis = record.get("PI", [])
-            if (caller_hrn in researchers + pis):
-                rl.add("refresh")
-                rl.add("embed")
-                rl.add("bind")
-                rl.add("control")
-                rl.add("info")
-
-        elif type == "authority":
-            pis = record.get("PI", [])
-            operators = record.get("operator", [])
+        type = reg_record.type
+
+        logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%\
+                     (reg_record, caller_hrn))
+
+        if type == 'slice':
+            # researchers in the slice are in the DB as-is
+            researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+            # locating PIs attached to that slice
+            slice_pis=reg_record.get_pis()
+            pi_hrns = [ user.hrn for user in slice_pis ]
+            if (caller_hrn in researcher_hrns + pi_hrns):
+                rl.add('refresh')
+                rl.add('embed')
+                rl.add('bind')
+                rl.add('control')
+                rl.add('info')
+
+        elif type == 'authority':
+            pi_hrns = [ user.hrn for user in reg_record.reg_pis ]

             if (caller_hrn == self.config.SFA_INTERFACE_HRN):
             if (caller_hrn == self.config.SFA_INTERFACE_HRN):

-                rl.add("authority")
-                rl.add("sa")
-                rl.add("ma")
-            if (caller_hrn in pis):
-                rl.add("authority")
-                rl.add("sa")
-            if (caller_hrn in operators):
-                rl.add("authority")
-                rl.add("ma")
-
-        elif type == "user":
-            rl.add("refresh")
-            rl.add("resolve")
-            rl.add("info")
-
-        elif type == "node":
-            rl.add("operator")
+                rl.add('authority')
+                rl.add('sa')
+                rl.add('ma')
+            if (caller_hrn in pi_hrns):
+                rl.add('authority')
+                rl.add('sa')
+            # NOTE: for the PL implementation, this 'operators' list 
+            # amounted to users with 'tech' role in that site 
+            # it seems like this is not needed any longer, so for now I just drop that
+            # operator_hrns = reg_record.get('operator',[])
+            # if (caller_hrn in operator_hrns):
+            #    rl.add('authority')
+            #    rl.add('ma')
+
+        elif type == 'user':
+            rl.add('refresh')
+            rl.add('resolve')
+            rl.add('info')
+
+        elif type == 'node':
+            rl.add('operator')

 
         return rl
 
 
         return rl
 

-    def verify_cancreate_credential(self, src_cred, record):
-        """
-        Verify that a user can retrive a particular type of credential.
-        For slices, the user must be on the researcher list. For SA and
-        MA the user must be on the pi and operator lists respectively
-        """
-
-        type = record.get_type()
-        cred_object_hrn = src_cred.get_gid_object().get_hrn()
-        if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]:
-            return
-        if type=="slice":
-            researchers = record.get("researcher", [])
-            if not (cred_object_hrn in researchers):
-                raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
-        elif type == "sa":
-            pis = record.get("pi", [])
-            if not (cred_object_hrn in pis):
-                raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
-        elif type == "ma":
-            operators = record.get("operator", [])
-            if not (cred_object_hrn in operators):
-                raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
-

     def get_authority(self, hrn):
         return get_authority(hrn)
 
     def get_authority(self, hrn):
         return get_authority(hrn)
 

-    def filter_creds_by_caller(self, creds, caller_hrn):
+    def filter_creds_by_caller(self, creds, caller_hrn_list):

         """
         Returns a list of creds who's gid caller matches the 
         specified caller hrn
         """
         Returns a list of creds who's gid caller matches the 
         specified caller hrn


@@ -311,10 +375,12 @@ class Auth:
         if not isinstance(creds, list):
             creds = [creds]
         creds = []
         if not isinstance(creds, list):
             creds = [creds]
         creds = []

+        if not isinstance(caller_hrn_list, list):
+            caller_hrn_list = [caller_hrn_list]

         for cred in creds:
             try:
                 tmp_cred = Credential(string=cred)
         for cred in creds:
             try:
                 tmp_cred = Credential(string=cred)

-                if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+                if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]:

                     creds.append(cred)
             except: pass
         return creds
                     creds.append(cred)
             except: pass
         return creds