X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=f3609b3f7f41d8999774ebd74ec846b7a4dc6f78;hb=9e6709319b71780b561046d5162271fdaa940cd6;hp=3b0af02ad1468ef0f06449ebb679864b3afdc01e;hpb=53cfd89c9fa5735ffd22b265d18e0dcf1d2cf106;p=sfa.git
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 3b0af02a..f3609b3f 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -15,6 +15,7 @@ from sfa.trust.hierarchy import Hierarchy from sfa.util.genitable import GeniTable from sfa.util.config import * from sfa.util.misc import * +from sfa.trust.gid import GID class Auth: """
@@ -24,10 +25,10 @@ class Auth: def __init__(self, peer_cert = None, config = None ): self.peer_cert = peer_cert self.hierarchy = Hierarchy() - self.trusted_cert_list = TrustedRootList().get_list() if not config: - self.config = Config() - + self.config = Config() + self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() + def check(self, cred, operation): """
@@ -44,11 +45,10 @@ class Auth: # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) - - # make sure the client_gid matches client's certificate - peer_cert = self.peer_cert - if not peer_cert.is_pubkey(self.client_gid.get_pubkey()): - raise ConnectionKeyGIDMismatch(self.client_gid.get_subject()) + + # validate the client cert if it exists + if self.peer_cert: + self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation if operation: 
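Review bot: In `__init__`, `self.config` is only assigned inside the `if not config:` branch, so a caller that passes its own `config` ends up with no `self.config` at all (the hunk shows no `else`), and — if the new `self.trusted_cert_list` line sits inside that same branch, as its position in the hunk suggests — with no trusted-root list either; `verify_cred_is_me` and `validateCred` later read both. Make both assignments unconditional: `self.config = config if config else Config()` followed by `self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()` at method level. The indentation is not recoverable from the collapsed diff, so confirm the nesting in the file before changing it.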
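Review bot: The new `if self.peer_cert:` guard in `check` turns a missing peer certificate from a hard failure (the old code dereferenced `self.peer_cert` unconditionally) into a silent skip, so a request that arrives without a client certificate is no longer tied to the GID named in the credential. If that is intended for some transports, say so next to the branch, e.g. `# no client cert on this connection: the cred is accepted on its signature chain alone`; otherwise keep the binding mandatory with `if not self.peer_cert: raise ConnectionKeyGIDMismatch(self.client_gid.get_subject())` ahead of the existing call. `check` begins and ends outside this hunk, and where `self.client_gid` is populated is not visible here.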
@@ -64,6 +64,80 @@ class Auth: return True + def verifyPeerCert(self, cert, gid): + # make sure the client_gid matches client's certificate + if not cert: + peer_cert = self.peer_cert + else: + peer_cert = cert + + if not gid: + peer_gid = self.client_gid + else: + peer_gid = gid + if not peer_cert.is_pubkey(peer_gid.get_pubkey()): + raise ConnectionKeyGIDMismatch(peer_gid.get_subject()) + + def verifyGidRequestHash(self, gid, hash, arglist): + key = gid.get_pubkey() + if not key.verify_string(str(arglist), hash): + raise BadRequestHash(hash) + + def verifyCredRequestHash(self, cred, hash, arglist): + gid = cred.get_gid_caller() + self.verifyGidRequestHash(gid, hash, arglist) + + def validateGid(self, gid): + if self.trusted_cert_list: + gid.verify_chain(self.trusted_cert_list) + + def validateCred(self, cred): + if self.trusted_cert_list: + cred.verify_chain(self.trusted_cert_list) + caller_gid = cred.get_gid_caller() + object_gid = cred.get_gid_object() + if caller_gid: + caller_gid.verify_chain(self.trusted_cert_list) + if object_gid: + object_gid.verify_chain(self.trusted_cert_list) + + def authenticateGid(self, gidStr, argList, requestHash=None): + gid = GID(string = gidStr) + self.validateGid(gid) + # request_hash is optional + if requestHash: + self.verifyGidRequestHash(gid, requestHash, argList) + return gid + + def authenticateCred(self, credStr, argList, requestHash=None): + cred = Credential(string = credStr) + self.validateCred(cred) + # request hash is optional + if requestHash: + self.verifyCredRequestHash(cred, requestHash, argList) + return cred + + def authenticateCert(self, certStr, requestHash): + cert = Certificate(string=certStr) + self.validateCert(self, cert) + + def gidNoop(self, gidStr, value, requestHash): + self.authenticateGid(gidStr, [gidStr, value], requestHash) + return value + + def credNoop(self, credStr, value, requestHash): + self.authenticateCred(credStr, [credStr, value], requestHash) + return value + + def 
verify_cred_is_me(self, credential): + is_me = False + cred = Credential(string=credential) + caller_gid = cred.get_gid_caller() + caller_hrn = caller_gid.get_hrn() + if caller_hrn != self.config.SFA_INTERFACE_HRN: + raise GeniPermissionError(self.config.SFA_INTEFACE_HRN) + + return def get_auth_info(self, auth_hrn): """
@@ -76,26 +150,6 @@ class Auth: return self.hierarchy.get_auth_info(auth_hrn) - def get_auth_table(self, auth_name): - """ - Given an authority name, return the database table for that authority. - If the databse table does not exist, then one will be automatically - created. - - @param auth_name human readable name of authority - """ - auth_info = self.get_auth_info(auth_name) - table = GeniTable(hrn=auth_name, - cninfo=auth_info.get_dbinfo()) - # if the table doesn't exist, then it means we haven't put any records - # into this authority yet. - - if not table.exists(): - print >> log, "Registry: creating table for authority", auth_name - table.create() - - return table - def veriry_auth_belongs_to_me(self, name): """ Verify that an authority belongs to our hierarchy.
@@ -106,6 +160,7 @@ class Auth: @param auth_name human readable name of authority """ + # get auth info will throw an exception if the authority doesnt exist self.get_auth_info(name)
@@ -119,8 +174,8 @@ class Auth: """ auth_name = self.get_authority(name) if not auth_name: - # the root authority belongs to the registry by default? - # TODO: is this true? + auth_name = name + if name == self.config.SFA_INTERFACE_HRN: return self.verify_auth_belongs_to_me(auth_name)
@@ -143,8 +198,8 @@ class Auth: return if name.startswith(object_hrn + "."): return - if name.startswith(get_authority(name)): - return + #if name.startswith(get_authority(name)): + #return raise PermissionError(name)
@@ -161,7 +216,7 @@ class Auth: verify_cancreate_credential() """ - type = record.get_type() + type = record['type'] if src_cred: cred_object_hrn = src_cred.get_gid_object().get_hrn() else:
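Review bot: `validateGid` and `validateCred` skip `verify_chain` entirely whenever `self.trusted_cert_list` is falsy, so an empty or unreadable trusted-roots directory makes every GID and credential pass unverified; drop the `if self.trusted_cert_list:` guards so `verify_chain` always runs (or fail explicitly when no roots were loaded) rather than failing open. Two further defects in the same hunk: `authenticateCert` calls `self.validateCert(self, cert)`, passing `self` twice (and no `validateCert` is defined in this hunk), so it should read `self.validateCert(cert)` and return the certificate like its Gid/Cred siblings; and `verify_cred_is_me` raises with `self.config.SFA_INTEFACE_HRN` (typo for `SFA_INTERFACE_HRN`), which turns the intended `GeniPermissionError` into an `AttributeError` — reporting the offending `caller_hrn` there would also be more useful than the interface's own name. `verifyGidRequestHash` verifies the signature over `str(arglist)`, a Python repr of the argument list, which is fragile across argument types and interpreter versions; a comment stating the exact canonical form the client must sign belongs above that line, and its `hash` parameter shadows the builtin. The split at `def verify_cred_is_me` is an artifact of the page chunking, not of the patch.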
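Review bot: The `#if name.startswith(get_authority(name)):` / `#return` lines in the `@@ -143,8 +198,8 @@` hunk are commented-out code rather than a removal; since the deletion is the point (presumably `get_authority(name)` is a prefix of `name`, so that test returned before `raise PermissionError(name)` could ever be reached), delete the two lines and, if a trace is wanted, leave one comment such as `# no authority-prefix shortcut: a name must equal the object HRN or be one of its children`. The enclosing function begins outside this hunk, so what `object_hrn` is compared against above is not visible.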
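Review bot: `type = record['type']` in the last hunk shadows the `type` builtin for the rest of the method (the replaced `record.get_type()` line did too); rename it, e.g. `record_type = record['type']`, and update its later uses, which lie outside the hunk. The method whose docstring ends with `verify_cancreate_credential()` starts and ends outside this hunk.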