from sfa.trust.rights import RightList
from sfa.util.faults import *
from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import *
from sfa.util.config import *
from sfa.util.misc import *
+from sfa.trust.gid import GID
class Auth:
"""
def __init__(self, peer_cert = None, config = None ):
self.peer_cert = peer_cert
self.hierarchy = Hierarchy()
- self.trusted_cert_list = TrustedRootList().get_list()
if not config:
- self.config = Config()
-
+ self.config = Config()
+ self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+
def check(self, cred, operation):
"""
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
-
- # make sure the client_gid matches client's certificate
- peer_cert = self.peer_cert
- if not peer_cert.is_pubkey(self.client_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(self.client_gid.get_subject())
+
+ # validate the client cert if it exists
+ if self.peer_cert:
+ self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
if operation:
self.client_gid.verify_chain(self.trusted_cert_list)
if self.object_gid:
self.object_gid.verify_chain(self.trusted_cert_list)
+ else:
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
return True
+ def verifyPeerCert(self, cert, gid):
+ # make sure the client_gid matches client's certificate
+ if not cert:
+ peer_cert = self.peer_cert
+ else:
+ peer_cert = cert
+
+ if not gid:
+ peer_gid = self.client_gid
+ else:
+ peer_gid = gid
+ if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
+
+ def verifyGidRequestHash(self, gid, hash, arglist):
+ key = gid.get_pubkey()
+ if not key.verify_string(str(arglist), hash):
+ raise BadRequestHash(hash)
+
+ def verifyCredRequestHash(self, cred, hash, arglist):
+ gid = cred.get_gid_caller()
+ self.verifyGidRequestHash(gid, hash, arglist)
+
+ def validateGid(self, gid):
+ if self.trusted_cert_list:
+ gid.verify_chain(self.trusted_cert_list)
+
+ def validateCred(self, cred):
+ if self.trusted_cert_list:
+ cred.verify_chain(self.trusted_cert_list)
+ caller_gid = cred.get_gid_caller()
+ object_gid = cred.get_gid_object()
+ if caller_gid:
+ caller_gid.verify_chain(self.trusted_cert_list)
+ if object_gid:
+ object_gid.verify_chain(self.trusted_cert_list)
+
+ def authenticateGid(self, gidStr, argList, requestHash=None):
+ gid = GID(string = gidStr)
+ self.validateGid(gid)
+ # request_hash is optional
+ if requestHash:
+ self.verifyGidRequestHash(gid, requestHash, argList)
+ return gid
+
+ def authenticateCred(self, credStr, argList, requestHash=None):
+ cred = Credential(string = credStr)
+ self.validateCred(cred)
+ # request hash is optional
+ if requestHash:
+ self.verifyCredRequestHash(cred, requestHash, argList)
+ return cred
+
+ def authenticateCert(self, certStr, requestHash):
+ cert = Certificate(string=certStr)
+ self.validateCert(self, cert)
+
+ def gidNoop(self, gidStr, value, requestHash):
+ self.authenticateGid(gidStr, [gidStr, value], requestHash)
+ return value
+
+ def credNoop(self, credStr, value, requestHash):
+ self.authenticateCred(credStr, [credStr, value], requestHash)
+ return value
+
+ def verify_cred_is_me(self, credential):
+ is_me = False
+ cred = Credential(string=credential)
+ caller_gid = cred.get_gid_caller()
+ caller_hrn = caller_gid.get_hrn()
+ if caller_hrn != self.config.SFA_INTERFACE_HRN:
+ raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+
+ return
def get_auth_info(self, auth_hrn):
"""
return self.hierarchy.get_auth_info(auth_hrn)
- def get_auth_table(self, auth_name):
- """
- Given an authority name, return the database table for that authority.
- If the databse table does not exist, then one will be automatically
- created.
-
- @param auth_name human readable name of authority
- """
- auth_info = self.get_auth_info(auth_name)
- table = GeniTable(hrn=auth_name,
- cninfo=auth_info.get_dbinfo())
- # if the table doesn't exist, then it means we haven't put any records
- # into this authority yet.
-
- if not table.exists():
- print >> log, "Registry: creating table for authority", auth_name
- table.create()
-
- return table
-
def veriry_auth_belongs_to_me(self, name):
"""
Verify that an authority belongs to our hierarchy.
@param auth_name human readable name of authority
"""
+ # get auth info will throw an exception if the authority doesnt exist
self.get_auth_info(name)
"""
auth_name = self.get_authority(name)
if not auth_name:
- # the root authority belongs to the registry by default?
- # TODO: is this true?
+ auth_name = name
+ if name == self.config.SFA_INTERFACE_HRN:
return
self.verify_auth_belongs_to_me(auth_name)
return
if name.startswith(object_hrn + "."):
return
- if name.startswith(get_authority(name)):
- return
+ #if name.startswith(get_authority(name)):
+ #return
raise PermissionError(name)
- def determine_user_rights(self, src_cred, record):
+ def determine_user_rights(self, caller_hrn, record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
- Src_cred can be None when obtaining a user credential, but should be
- set to a valid user credential when obtaining a slice or authority
- credential.
-
+
This is intended to replace determine_rights() and
verify_cancreate_credential()
"""
- type = record.get_type()
- if src_cred:
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- else:
- # supplying src_cred==None is only valid when obtaining user
- # credentials.
- #assert(type == "user")
-
- cred_object_hrn = None
-
rl = RightList()
+ type = record['type']
if type=="slice":
researchers = record.get("researcher", [])
- if (cred_object_hrn in researchers):
+ if (caller_hrn in researchers):
rl.add("refresh")
rl.add("embed")
rl.add("bind")
rl.add("info")
elif type == "authority":
- pis = record.get("pi", [])
+ pis = record.get("PI", [])
operators = record.get("operator", [])
- rl.add("authority,sa,ma")
- if (cred_object_hrn in pis):
- rl.add("sa")
- if (cred_object_hrn in operators):
- rl.add("ma")
+ if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+ rl.add("authority,sa,ma",)
+ if (caller_hrn in pis):
+ rl.add("authority,sa")
+ if (caller_hrn in operators):
+ rl.add("authority,ma")
elif type == "user":
rl.add("refresh")
rl.add("resolve")
rl.add("info")
+ elif type == "node":
+ rl.add("operator")
+
return rl
def verify_cancreate_credential(self, src_cred, record):
type = record.get_type()
cred_object_hrn = src_cred.get_gid_object().get_hrn()
- if cred_object_hrn in [self.config.GENI_REGISTRY_ROOT_AUTH]:
+ if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]:
return
if type=="slice":
researchers = record.get("researcher", [])