X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=8e86eb42ce67d48d2be6a6806d4349ab05a2b3b3;hb=b8596ce95578bf77158db2a5dacbaab36bdf6b16;hp=b1db32aae571bb03c8a558c5ef2f1c5bdc4def61;hpb=2d55f658dce789be7a310f397d4096a8491955f5;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index b1db32aa..8e86eb42 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -1,20 +1,22 @@ # -# GeniAPI authentication -# -### $Id$ -### $URL$ +# SfaAPI authentication # +import sys -import time +from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \ + BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied +from sfa.util.sfalogging import logger +from sfa.util.config import Config +from sfa.util.xrn import get_authority +from sfa.trust.gid import GID +from sfa.trust.rights import Rights +from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import Credential -from sfa.trust.trustedroot import TrustedRootList -from sfa.trust.rights import RightList -from sfa.util.faults import * +from sfa.trust.trustedroots import TrustedRoots from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import * -from sfa.util.misc import * -from sfa.trust.gid import GID +from sfa.trust.sfaticket import SfaTicket + class Auth: """ @@ -26,21 +28,48 @@ class Auth: self.hierarchy = Hierarchy() if not config: self.config = Config() - self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() + self.load_trusted_certs() + def load_trusted_certs(self): + self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() + self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() - def check(self, cred, operation): + + + def checkCredentials(self, creds, operation, hrn = None): + valid = [] + if not isinstance(creds, list): + creds = [creds] + #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn) + logger.debug("Auth.checkCredentials with %d creds"%len(creds)) + for cred in creds: + try: + self.check(cred, operation, hrn) + valid.append(cred) + except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) + error = sys.exc_info()[:2] + continue + + if not len(valid): + raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) + + return valid + + + def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a - trusted cert and check if the credential is allowd to perform + trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() - + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn()) # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) @@ -50,32 +79,47 @@ class Auth: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation - if operation: + if operation: + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list) if not self.client_cred.can_perform(operation): + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)" raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify_chain(self.trusted_cert_list) - if self.client_gid: - self.client_gid.verify_chain(self.trusted_cert_list) - if self.object_gid: - self.object_gid.verify_chain(self.trusted_cert_list) - + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_cert_file_list %s self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) + + else: + raise MissingTrustedRoots(self.config.get_trustedroots_dir()) + + # Make sure the credential's target matches the specified hrn. + # This check does not apply to trusted peers + trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers + if hrn and self.client_gid.get_hrn() not in trusted_peers: + + target_hrn = self.object_gid.get_hrn() + if not hrn == target_hrn: + raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ + (target_hrn, hrn) ) return True - def verifyPeerCert(self, cert, gid): - # make sure the client_gid matches client's certificate - if not cert: - peer_cert = self.peer_cert + def check_ticket(self, ticket): + """ + Check if the tickt was signed by a trusted cert + """ + if self.trusted_cert_list: + client_ticket = SfaTicket(string=ticket) + client_ticket.verify_chain(self.trusted_cert_list) else: - peer_cert = cert + raise MissingTrustedRoots(self.config.get_trustedroots_dir()) - if not gid: - peer_gid = self.client_gid - else: - peer_gid = gid - if not peer_cert.is_pubkey(peer_gid.get_pubkey()): - raise ConnectionKeyGIDMismatch(peer_gid.get_subject()) + return True + + def verifyPeerCert(self, cert, gid): + # make sure the client_gid matches client's certificate + if not cert.is_pubkey(gid.get_pubkey()): + raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject()) def verifyGidRequestHash(self, gid, hash, arglist): key = gid.get_pubkey() @@ -92,13 +136,7 @@ class Auth: def validateCred(self, cred): if self.trusted_cert_list: - cred.verify_chain(self.trusted_cert_list) - caller_gid = cred.get_gid_caller() - object_gid = cred.get_gid_object() - if caller_gid: - caller_gid.verify_chain(self.trusted_cert_list) - if object_gid: - object_gid.verify_chain(self.trusted_cert_list) + cred.verify(self.trusted_cert_file_list) def authenticateGid(self, gidStr, argList, requestHash=None): gid = GID(string = gidStr) @@ -118,7 +156,8 @@ class Auth: def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) - self.validateCert(self, cert) + # xxx should be validateCred ?? + self.validateCred(cert) def gidNoop(self, gidStr, value, requestHash): self.authenticateGid(gidStr, [gidStr, value], requestHash) @@ -134,7 +173,7 @@ class Auth: caller_gid = cred.get_gid_caller() caller_hrn = caller_gid.get_hrn() if caller_hrn != self.config.SFA_INTERFACE_HRN: - raise GeniPermissionError(self.config.SFA_INTEFACE_HRN) + raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN) return @@ -193,13 +232,15 @@ class Auth: @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() - if object_hrn == name: + strname = str(name).strip("['']") + + if object_hrn == strname: return - if name.startswith(object_hrn + "."): + if strname.startswith((object_hrn + ".")) is True: return #if name.startswith(get_authority(name)): #return - + #print>>sys.stderr, " \r\n \t AUTH.PY verify_object_permission GROSECHECDELENFER " raise PermissionError(name) def determine_user_rights(self, caller_hrn, record): @@ -211,12 +252,14 @@ class Auth: verify_cancreate_credential() """ - rl = RightList() + rl = Rights() type = record['type'] + if type=="slice": researchers = record.get("researcher", []) - if (caller_hrn in researchers): + pis = record.get("PI", []) + if (caller_hrn in researchers + pis): rl.add("refresh") rl.add("embed") rl.add("bind") @@ -227,19 +270,23 @@ class Auth: pis = record.get("PI", []) operators = record.get("operator", []) if (caller_hrn == self.config.SFA_INTERFACE_HRN): - rl.add("authority,sa,ma",) + rl.add("authority") + rl.add("sa") + rl.add("ma") if (caller_hrn in pis): - rl.add("authority,sa") + rl.add("authority") + rl.add("sa") if (caller_hrn in operators): - rl.add("authority,ma") + rl.add("authority") + rl.add("ma") elif type == "user": rl.add("refresh") rl.add("resolve") rl.add("info") - elif type == "component": - r1.add("operator") + elif type == "node": + rl.add("operator") return rl @@ -269,3 +316,22 @@ class Auth: def get_authority(self, hrn): return get_authority(hrn) + + def filter_creds_by_caller(self, creds, caller_hrn_list): + """ + Returns a list of creds who's gid caller matches the + specified caller hrn + """ + if not isinstance(creds, list): + creds = [creds] + creds = [] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] + for cred in creds: + try: + tmp_cred = Credential(string=cred) + if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: + creds.append(cred) + except: pass + return creds +