import sys
from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
- BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
+ BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied, CredentialNotVerifiable, Forbidden, \
+ BadArgs
from sfa.util.sfalogging import logger
from sfa.util.config import Config
-from sfa.util.xrn import get_authority
+from sfa.util.xrn import Xrn, get_authority
from sfa.trust.gid import GID
from sfa.trust.rights import Rights
from sfa.trust.trustedroots import TrustedRoots
from sfa.trust.hierarchy import Hierarchy
from sfa.trust.sfaticket import SfaTicket
+from sfa.trust.speaksfor_util import determine_speaks_for
class Auth:
self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+ def checkCredentials(self, creds, operation, xrns=[], check_sliver_callback=None, speaking_for_hrn=None):
+
+ def log_invalid_cred(cred):
+ cred_obj=Credential(string=cred)
+ logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ error = sys.exc_info()[:2]
+ return error
+
+ # if xrns are specified they cannot be None or empty string
+ if xrns:
+ for xrn in xrns:
+ if not xrn:
+ raise BadArgs("Invalid urn or hrn")
+
-
- def checkCredentials(self, creds, operation, hrn = None):
+ if not isinstance(xrns, list):
+ xrns = [xrns]
+
+ slice_xrns = Xrn.filter_type(xrns, 'slice')
+ sliver_xrns = Xrn.filter_type(xrns, 'sliver')
+
+ # we are not able to validate slivers in the traditional way so
+ # we make sure not to include sliver urns/hrns in the core validation loop
+ hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
valid = []
if not isinstance(creds, list):
creds = [creds]
- logger.debug("Auth.checkCredentials with %d creds"%len(creds))
- for cred in creds:
- try:
- self.check(cred, operation, hrn)
- valid.append(cred)
- except:
- cred_obj=Credential(string=cred)
- logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
- error = sys.exc_info()[:2]
- continue
-
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
+ # won't work if either creds or hrns is empty - let's make it more explicit
+ if not creds: raise Forbidden("no credential provided")
+ if not hrns: hrns = [None]
+ error=[None,None]
+
+ # if speaks for gid matches caller cert then we've found a valid
+ # speaks for credential
+ ### Thierry : we have no options to pass determine_speaks_for in this context
+ # so only as a workaround here:
+ options={}
+ speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
+ options, self.trusted_cert_list)
+
+ if self.peer_cert and \
+ not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
+ valid = creds
+ else:
+ for cred in creds:
+ for hrn in hrns:
+ try:
+ self.check(cred, operation, hrn)
+ valid.append(cred)
+ except:
+ error = log_invalid_cred(cred)
+
+ # make sure all sliver xrns are validated against the valid credentials
+ if sliver_xrns:
+ if not check_sliver_callback:
+ msg = "sliver verification callback method not found."
+ msg += " Unable to validate sliver xrns: %s" % sliver_xrns
+ raise Forbidden(msg)
+ check_sliver_callback(valid, sliver_xrns)
+
if not len(valid):
- raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+ raise Forbidden("Invalid credential %s -- %s"%(error[0],error[1]))
+
+ if speaking_for_hrn and not speaks_for_cred:
+ raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
return valid
- def check(self, cred, operation, hrn = None):
+ def check(self, credential, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
trusted cert and check if the credential is allowed to perform
the specified operation.
"""
- self.client_cred = Credential(string = cred)
+ cred = Credential(cred=credential)
+ self.client_cred = cred
+ logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
+ (hrn,cred.get_summary_tostring()))
+
+ if cred.type not in ['geni_sfa']:
+ raise CredentialNotVerifiable(cred.type, "%s not supported" % cred.type)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
Given a user credential and a record, determine what set of rights the
user should have to that record.
- This is intended to replace determine_rights() and
+ This is intended to replace determine_user_rights() and
verify_cancreate_credential()
"""
rl = Rights()
type = reg_record.type
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
- if type=='slice':
- researchers = reg_record.get('researcher',[])
- pis = reg_record.get('PI',[])
- if (caller_hrn in researchers + pis):
+ if type == 'slice':
+ # researchers in the slice are in the DB as-is
+ researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+ # locating PIs attached to that slice
+ slice_pis=reg_record.get_pis()
+ pi_hrns = [ user.hrn for user in slice_pis ]
+ if (caller_hrn in researcher_hrns + pi_hrns):
rl.add('refresh')
rl.add('embed')
rl.add('bind')
rl.add('info')
elif type == 'authority':
- pis = reg_record.get('PI',[])
- operators = reg_record.get('operator',[])
+ pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
if (caller_hrn == self.config.SFA_INTERFACE_HRN):
rl.add('authority')
rl.add('sa')
rl.add('ma')
- if (caller_hrn in pis):
+ if (caller_hrn in pi_hrns):
rl.add('authority')
rl.add('sa')
- if (caller_hrn in operators):
- rl.add('authority')
- rl.add('ma')
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site
+ # it seems like this is not needed any longer, so for now I just drop that
+ # operator_hrns = reg_record.get('operator',[])
+ # if (caller_hrn in operator_hrns):
+ # rl.add('authority')
+ # rl.add('ma')
elif type == 'user':
rl.add('refresh')
git://git.onelab.eu / sfa.git / blobdiff