X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=54fd9d23b92f15c07a4f798ec70fc631cb3040e2;hb=f2282434e40e06365e0fdd3f9bc273a793f41235;hp=66887670b55d941c2981c245773a572da9960995;hpb=3d7237fa0b5f2b4a60cb97c7fb3b6aecfd94558a;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 66887670..54fd9d23 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -1,21 +1,22 @@ # # SfaAPI authentication # -### $Id$ -### $URL$ -# +import sys -import time +from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \ + BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied +from sfa.util.sfalogging import logger +from sfa.util.config import Config +from sfa.util.xrn import get_authority +from sfa.trust.gid import GID +from sfa.trust.rights import Rights +from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import Credential -from sfa.trust.trustedroot import TrustedRootList -from sfa.trust.rights import RightList -from sfa.util.faults import * +from sfa.trust.trustedroots import TrustedRoots from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import * -from sfa.util.namespace import * -from sfa.trust.gid import GID -from sfa.util.sfaticket import * +from sfa.trust.sfaticket import SfaTicket + class Auth: """ @@ -27,15 +28,41 @@ class Auth: self.hierarchy = Hierarchy() if not config: self.config = Config() - self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() + self.load_trusted_certs() + def load_trusted_certs(self): + self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() + self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() - def check(self, cred, operation): + + + def checkCredentials(self, creds, operation, hrn = None): + valid = [] + if not isinstance(creds, list): + creds = [creds] + logger.debug("Auth.checkCredentials with %d creds"%len(creds)) + for cred in creds: + try: + self.check(cred, operation, hrn) + valid.append(cred) + except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) + error = sys.exc_info()[:2] + continue + + if not len(valid): + raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) + + return valid + + + def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a - trusted cert and check if the credential is allowd to perform + trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) @@ -56,14 +83,18 @@ class Auth: raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify_chain(self.trusted_cert_list) - if self.client_gid: - self.client_gid.verify_chain(self.trusted_cert_list) - if self.object_gid: - self.object_gid.verify_chain(self.trusted_cert_list) + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) - + + # Make sure the credential's target matches the specified hrn. + # This check does not apply to trusted peers + trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] + if hrn and self.client_gid.get_hrn() not in trusted_peers: + target_hrn = self.object_gid.get_hrn() + if not hrn == target_hrn: + raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ + (target_hrn, hrn) ) return True def check_ticket(self, ticket): @@ -80,17 +111,8 @@ class Auth: def verifyPeerCert(self, cert, gid): # make sure the client_gid matches client's certificate - if not cert: - peer_cert = self.peer_cert - else: - peer_cert = cert - - if not gid: - peer_gid = self.client_gid - else: - peer_gid = gid - if not peer_cert.is_pubkey(peer_gid.get_pubkey()): - raise ConnectionKeyGIDMismatch(peer_gid.get_subject()) + if not cert.is_pubkey(gid.get_pubkey()): + raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject()) def verifyGidRequestHash(self, gid, hash, arglist): key = gid.get_pubkey() @@ -107,13 +129,7 @@ class Auth: def validateCred(self, cred): if self.trusted_cert_list: - cred.verify_chain(self.trusted_cert_list) - caller_gid = cred.get_gid_caller() - object_gid = cred.get_gid_object() - if caller_gid: - caller_gid.verify_chain(self.trusted_cert_list) - if object_gid: - object_gid.verify_chain(self.trusted_cert_list) + cred.verify(self.trusted_cert_file_list) def authenticateGid(self, gidStr, argList, requestHash=None): gid = GID(string = gidStr) @@ -133,7 +149,8 @@ class Auth: def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) - self.validateCert(self, cert) + # xxx should be validateCred ?? + self.validateCred(cert) def gidNoop(self, gidStr, value, requestHash): self.authenticateGid(gidStr, [gidStr, value], requestHash) @@ -208,80 +225,90 @@ class Auth: @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() - if object_hrn == name: - return - if name.startswith(object_hrn + "."): + #strname = str(name).strip("['']") + if object_hrn == name: + #if object_hrn == strname: + return + if name.startswith(object_hrn + ".") : + #if strname.startswith((object_hrn + ".")) is True: return #if name.startswith(get_authority(name)): #return raise PermissionError(name) - def determine_user_rights(self, caller_hrn, record): + def determine_user_rights(self, caller_hrn, reg_record): """ Given a user credential and a record, determine what set of rights the user should have to that record. - This is intended to replace determine_rights() and + This is intended to replace determine_user_rights() and verify_cancreate_credential() """ - rl = RightList() - type = record['type'] - - if type=="slice": - researchers = record.get("researcher", []) - pis = record.get("PI", []) - if (caller_hrn in researchers + pis): - rl.add("refresh") - rl.add("embed") - rl.add("bind") - rl.add("control") - rl.add("info") - - elif type == "authority": - pis = record.get("PI", []) - operators = record.get("operator", []) + rl = Rights() + type = reg_record.type + + logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) + + if type == 'slice': + # researchers in the slice are in the DB as-is + researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] + # locating PIs attached to that slice + slice_pis=reg_record.get_pis() + pi_hrns = [ user.hrn for user in slice_pis ] + if (caller_hrn in researcher_hrns + pi_hrns): + rl.add('refresh') + rl.add('embed') + rl.add('bind') + rl.add('control') + rl.add('info') + + elif type == 'authority': + pi_hrns = [ user.hrn for user in reg_record.reg_pis ] if (caller_hrn == self.config.SFA_INTERFACE_HRN): - rl.add("authority,sa,ma",) - if (caller_hrn in pis): - rl.add("authority,sa") - if (caller_hrn in operators): - rl.add("authority,ma") - - elif type == "user": - rl.add("refresh") - rl.add("resolve") - rl.add("info") - - elif type == "node": - rl.add("operator") + rl.add('authority') + rl.add('sa') + rl.add('ma') + if (caller_hrn in pi_hrns): + rl.add('authority') + rl.add('sa') + # NOTE: for the PL implementation, this 'operators' list + # amounted to users with 'tech' role in that site + # it seems like this is not needed any longer, so for now I just drop that + # operator_hrns = reg_record.get('operator',[]) + # if (caller_hrn in operator_hrns): + # rl.add('authority') + # rl.add('ma') + + elif type == 'user': + rl.add('refresh') + rl.add('resolve') + rl.add('info') + + elif type == 'node': + rl.add('operator') return rl - def verify_cancreate_credential(self, src_cred, record): + def get_authority(self, hrn): + return get_authority(hrn) + + def filter_creds_by_caller(self, creds, caller_hrn_list): """ - Verify that a user can retrive a particular type of credential. - For slices, the user must be on the researcher list. For SA and - MA the user must be on the pi and operator lists respectively + Returns a list of creds who's gid caller matches the + specified caller hrn """ + if not isinstance(creds, list): + creds = [creds] + creds = [] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] + for cred in creds: + try: + tmp_cred = Credential(string=cred) + if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: + creds.append(cred) + except: pass + return creds - type = record.get_type() - cred_object_hrn = src_cred.get_gid_object().get_hrn() - if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]: - return - if type=="slice": - researchers = record.get("researcher", []) - if not (cred_object_hrn in researchers): - raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name()) - elif type == "sa": - pis = record.get("pi", []) - if not (cred_object_hrn in pis): - raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name()) - elif type == "ma": - operators = record.get("operator", []) - if not (cred_object_hrn in operators): - raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name()) - - def get_authority(self, hrn): - return get_authority(hrn)