BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
from sfa.util.sfalogging import logger
from sfa.util.config import Config
-from sfa.util.xrn import get_authority
+from sfa.util.xrn import get_authority, Xrn
from sfa.trust.gid import GID
from sfa.trust.rights import Rights
from sfa.trust.trustedroots import TrustedRoots
from sfa.trust.hierarchy import Hierarchy
from sfa.trust.sfaticket import SfaTicket
+from sfa.trust.speaksfor_util import determine_speaks_for
class Auth:
self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
-
-
- def checkCredentials(self, creds, operation, hrn = None):
+
+ def checkCredentials(self, creds, operation, hrn = None, options = {}):
+
+ def log_invalid_cred(cred):
+ #cred_obj=Credential(string=cred)
+ #logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ error = sys.exc_info()[:2]
+ return error
+
valid = []
if not isinstance(creds, list):
creds = [creds]
- #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn)
- logger.debug("Auth.checkCredentials with %d creds"%len(creds))
- for cred in creds:
- try:
- self.check(cred, operation, hrn)
- valid.append(cred)
- except:
- cred_obj=Credential(string=cred)
- logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
- error = sys.exc_info()[:2]
- continue
+
+ # if speaks for gid matches caller cert then we've found a valid
+ # speaks for credential
+ speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
+ options, self.trusted_cert_list)
+ if self.peer_cert and \
+ self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
+ valid = creds
+ else:
+ for cred in creds:
+ try:
+ self.check(cred, operation, hrn)
+ valid.append(cred)
+ except:
+ error = log_invalid_cred(cred)
+
+ if not len(valid):
+ raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
- if not len(valid):
- raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
-
return valid
self.client_cred = Credential(string = cred)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn())
+
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
- if operation:
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list)
+ if operation:
if not self.client_cred.can_perform(operation):
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)"
raise InsufficientRights(operation)
if self.trusted_cert_list:
self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_cert_file_list %s self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
-
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
# Make sure the credential's target matches the specified hrn.
# This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers
if hrn and self.client_gid.get_hrn() not in trusted_peers:
-
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
@param name human readable name to test
"""
object_hrn = self.object_gid.get_hrn()
- #strname = str(name).strip("['']")
- if object_hrn == name:
- #if object_hrn == strname:
- return
- if name.startswith(object_hrn + ".") :
- #if strname.startswith((object_hrn + ".")) is True:
+ if object_hrn == name:
+ return
+ if name.startswith(object_hrn + "."):
return
#if name.startswith(get_authority(name)):
#return
-
+
raise PermissionError(name)
- def determine_user_rights(self, caller_hrn, record):
+ def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
- This is intended to replace determine_rights() and
+ This is intended to replace determine_user_rights() and
verify_cancreate_credential()
"""
rl = Rights()
- type = record['type']
-
-
- if type=="slice":
- researchers = record.get("researcher", [])
- pis = record.get("PI", [])
- if (caller_hrn in researchers + pis):
- rl.add("refresh")
- rl.add("embed")
- rl.add("bind")
- rl.add("control")
- rl.add("info")
-
- elif type == "authority":
- pis = record.get("PI", [])
- operators = record.get("operator", [])
+ type = reg_record.type
+
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
+
+ if type == 'slice':
+ # researchers in the slice are in the DB as-is
+ researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+ # locating PIs attached to that slice
+ slice_pis=reg_record.get_pis()
+ pi_hrns = [ user.hrn for user in slice_pis ]
+ if (caller_hrn in researcher_hrns + pi_hrns):
+ rl.add('refresh')
+ rl.add('embed')
+ rl.add('bind')
+ rl.add('control')
+ rl.add('info')
+
+ elif type == 'authority':
+ pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
if (caller_hrn == self.config.SFA_INTERFACE_HRN):
- rl.add("authority")
- rl.add("sa")
- rl.add("ma")
- if (caller_hrn in pis):
- rl.add("authority")
- rl.add("sa")
- if (caller_hrn in operators):
- rl.add("authority")
- rl.add("ma")
-
- elif type == "user":
- rl.add("refresh")
- rl.add("resolve")
- rl.add("info")
-
- elif type == "node":
- rl.add("operator")
+ rl.add('authority')
+ rl.add('sa')
+ rl.add('ma')
+ if (caller_hrn in pi_hrns):
+ rl.add('authority')
+ rl.add('sa')
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site
+ # it seems like this is not needed any longer, so for now I just drop that
+ # operator_hrns = reg_record.get('operator',[])
+ # if (caller_hrn in operator_hrns):
+ # rl.add('authority')
+ # rl.add('ma')
+
+ elif type == 'user':
+ rl.add('refresh')
+ rl.add('resolve')
+ rl.add('info')
+
+ elif type == 'node':
+ rl.add('operator')
return rl
- def verify_cancreate_credential(self, src_cred, record):
- """
- Verify that a user can retrive a particular type of credential.
- For slices, the user must be on the researcher list. For SA and
- MA the user must be on the pi and operator lists respectively
- """
-
- type = record.get_type()
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]:
- return
- if type=="slice":
- researchers = record.get("researcher", [])
- if not (cred_object_hrn in researchers):
- raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
- elif type == "sa":
- pis = record.get("pi", [])
- if not (cred_object_hrn in pis):
- raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
- elif type == "ma":
- operators = record.get("operator", [])
- if not (cred_object_hrn in operators):
- raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
-
def get_authority(self, hrn):
return get_authority(hrn)
git://git.onelab.eu / sfa.git / blobdiff