from sfa.util.faults import InsufficientRights, MissingCallerGID, \
MissingTrustedRoots, PermissionError, BadRequestHash, \
ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
Forbidden, BadArgs
from sfa.util.sfalogging import logger
from sfa.util.faults import InsufficientRights, MissingCallerGID, \
MissingTrustedRoots, PermissionError, BadRequestHash, \
ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, \
Forbidden, BadArgs
from sfa.util.sfalogging import logger
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
from sfa.util.config import Config
from sfa.util.xrn import Xrn, get_authority
# this convenience methods extracts speaking_for_xrn
# from the passed options using 'geni_speaking_for'
# this convenience methods extracts speaking_for_xrn
# from the passed options using 'geni_speaking_for'
- if options is None: speaking_for_xrn = None
- else: speaking_for_xrn = options.get('geni_speaking_for', None)
+ if options is None:
+ speaking_for_xrn = None
+ else:
+ speaking_for_xrn = options.get('geni_speaking_for', None)
kwds['speaking_for_xrn'] = speaking_for_xrn
return self.checkCredentials(*args, **kwds)
kwds['speaking_for_xrn'] = speaking_for_xrn
return self.checkCredentials(*args, **kwds)
- def checkCredentials(self, creds, operation, xrns=None,
- check_sliver_callback=None,
+ def checkCredentials(self, creds, operation, xrns=None,
+ check_sliver_callback=None,
- def log_invalid_cred(cred):
- if not isinstance (cred, StringTypes):
- logger.info("cannot validate credential %s - expecting a string"%cred)
+
+ def log_invalid_cred(cred, exception):
+ if not isinstance(cred, StringType):
+ logger.info(
+ "{}: cannot validate credential {}"
+ .format(exception, cred))
.format(type(cred), cred))
else:
cred_obj = Credential(string=cred)
.format(type(cred), cred))
else:
cred_obj = Credential(string=cred)
- # we are not able to validate slivers in the traditional way so
- # we make sure not to include sliver urns/hrns in the core validation loop
- hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
+ # we are not able to validate slivers in the traditional way so
+ # we make sure not to include sliver urns/hrns in the core validation
+ # loop
+ hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
- logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
- # won't work if either creds or hrns is empty - let's make it more explicit
- if not creds: raise Forbidden("no credential provided")
- if not hrns: hrns = [None]
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s" %
+ (len(creds), hrns))
+ # won't work if either creds or hrns is empty - let's make it more
+ # explicit
+ if not creds:
+ raise Forbidden("no credential provided")
+ if not hrns:
+ hrns = [None]
speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
speaking_for_xrn, self.trusted_cert_list)
speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
speaking_for_xrn, self.trusted_cert_list)
# make sure all sliver xrns are validated against the valid credentials
if sliver_xrns:
if not check_sliver_callback:
# make sure all sliver xrns are validated against the valid credentials
if sliver_xrns:
if not check_sliver_callback:
msg += " Unable to validate sliver xrns: %s" % sliver_xrns
raise Forbidden(msg)
check_sliver_callback(valid, sliver_xrns)
msg += " Unable to validate sliver xrns: %s" % sliver_xrns
raise Forbidden(msg)
check_sliver_callback(valid, sliver_xrns)
-
- def check(self, credential, operation, hrn = None):
+
+ def check(self, credential, operation, hrn=None):
- Check the credential against the peer cert (callerGID) included
- in the credential matches the caller that is connected to the
- HTTPS connection, check if the credential was signed by a
- trusted cert and check if the credential is allowed to perform
- the specified operation.
+ Check the credential against the peer cert (callerGID) included
+ in the credential matches the caller that is connected to the
+ HTTPS connection, check if the credential was signed by a
+ trusted cert and check if the credential is allowed to perform
+ the specified operation.
- logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
- (hrn,cred.pretty_cred()))
+ logger.debug("Auth.check: handling hrn=%s and credential=%s" %
+ (hrn, cred.pretty_cred()))
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
self.client_cred.verify(self.trusted_cert_file_list,
self.config.SFA_CREDENTIAL_SCHEMA)
else:
self.client_cred.verify(self.trusted_cert_file_list,
self.config.SFA_CREDENTIAL_SCHEMA)
else:
- raise MissingTrustedRoots(self.config.get_trustedroots_dir())
-
- # Make sure the credential's target matches the specified hrn.
- # This check does not apply to trusted peers
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
return gid
def authenticateCred(self, credStr, argList, requestHash=None):
return gid
def authenticateCred(self, credStr, argList, requestHash=None):
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
# xxx should be validateCred ??
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
# xxx should be validateCred ??
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
cred = Credential(string=credential)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
cred = Credential(string=credential)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
def get_auth_info(self, auth_hrn):
"""
Given an authority name, return the information for that authority.
This is basically a stub that calls the hierarchy module.
def get_auth_info(self, auth_hrn):
"""
Given an authority name, return the information for that authority.
This is basically a stub that calls the hierarchy module.
thrown indicating the caller should contact someone else.
@param auth_name human readable name of authority
thrown indicating the caller should contact someone else.
@param auth_name human readable name of authority
def verify_object_belongs_to_me(self, name):
"""
Verify that an object belongs to our hierarchy. By extension,
this implies that the authority that owns the object belongs
to our hierarchy. If it does not an exception is thrown.
def verify_object_belongs_to_me(self, name):
"""
Verify that an object belongs to our hierarchy. By extension,
this implies that the authority that owns the object belongs
to our hierarchy. If it does not an exception is thrown.
def verify_auth_belongs_to_me(self, name):
# get auth info will throw an exception if the authority doesnt exist
def verify_auth_belongs_to_me(self, name):
# get auth info will throw an exception if the authority doesnt exist
def verify_object_permission(self, name):
"""
Verify that the object gid that was specified in the credential
allows permission to the object 'name'. This is done by a simple
def verify_object_permission(self, name):
"""
Verify that the object gid that was specified in the credential
allows permission to the object 'name'. This is done by a simple
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
(reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
(reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
- # NOTE: for the PL implementation, this 'operators' list
- # amounted to users with 'tech' role in that site
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site