X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=8e86eb42ce67d48d2be6a6806d4349ab05a2b3b3;hb=b8596ce95578bf77158db2a5dacbaab36bdf6b16;hp=b596d8d4ca0c5d740035aa8cd9acae7b09f4ccf6;hpb=eababa96fb603cdd552bc03091813544b099befd;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index b596d8d4..8e86eb42 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -1,20 +1,22 @@ # # SfaAPI authentication # -### $Id$ -### $URL$ -# +import sys +from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \ + BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied +from sfa.util.sfalogging import logger +from sfa.util.config import Config +from sfa.util.xrn import get_authority +from sfa.trust.gid import GID +from sfa.trust.rights import Rights from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import Credential -from sfa.trust.trustedroot import TrustedRootList -from sfa.util.faults import * +from sfa.trust.trustedroots import TrustedRoots from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import * -from sfa.util.namespace import * -from sfa.util.sfaticket import * -import sys +from sfa.trust.sfaticket import SfaTicket + class Auth: """ @@ -29,8 +31,8 @@ class Auth: self.load_trusted_certs() def load_trusted_certs(self): - self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() - self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list() + self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() + self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() @@ -38,11 +40,15 @@ class Auth: valid = [] if not isinstance(creds, list): creds = [creds] + #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn) + logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue @@ -57,13 +63,13 @@ class Auth: Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a - trusted cert and check if the credential is allowd to perform + trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() - + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn()) # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) @@ -73,19 +79,25 @@ class Auth: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation - if operation: + if operation: + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list) if not self.client_cred.can_perform(operation): + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)" raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify(self.trusted_cert_file_list) + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_cert_file_list %s self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) + else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] + #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers if hrn and self.client_gid.get_hrn() not in trusted_peers: + target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ @@ -144,7 +156,8 @@ class Auth: def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) - self.validateCert(self, cert) + # xxx should be validateCred ?? + self.validateCred(cert) def gidNoop(self, gidStr, value, requestHash): self.authenticateGid(gidStr, [gidStr, value], requestHash) @@ -219,13 +232,15 @@ class Auth: @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() - if object_hrn == name: + strname = str(name).strip("['']") + + if object_hrn == strname: return - if name.startswith(object_hrn + "."): + if strname.startswith((object_hrn + ".")) is True: return #if name.startswith(get_authority(name)): #return - + #print>>sys.stderr, " \r\n \t AUTH.PY verify_object_permission GROSECHECDELENFER " raise PermissionError(name) def determine_user_rights(self, caller_hrn, record): @@ -302,7 +317,7 @@ class Auth: def get_authority(self, hrn): return get_authority(hrn) - def filter_creds_by_caller(self, creds, caller_hrn): + def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn @@ -310,10 +325,12 @@ class Auth: if not isinstance(creds, list): creds = [creds] creds = [] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) - if tmp_cred.get_gid_caller().get_hrn() == caller_hrn: + if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds