From: Tony Mack
Date: Wed, 22 Jan 2014 03:03:23 +0000 (-0500)
Subject: adding support for geni_speaking_for option
X-Git-Tag: sfa-3.1-2~8
X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=0fe918467c52fd7b06abe8a92082c50ac282f470;p=sfa.git

adding support for geni_speaking_for option
---
diff --git a/sfa/managers/aggregate_manager.py b/sfa/managers/aggregate_manager.py
index 5108c4ff..b10e441c 100644
--- a/sfa/managers/aggregate_manager.py
+++ b/sfa/managers/aggregate_manager.py
@@ -63,6 +63,7 @@ class AggregateManager:
             'geni_single_allocation': 0, # Accept operations that act on as subset of slivers in a given state.
             'geni_allocate': 'geni_many',# Multiple slivers can exist and be incrementally added, including those which connect or overlap in some way.
             'geni_credential_types': cred_types,
+            'geni_handles_speaksfor': True, # supports 'speaks for' credentials
         }
         version.update(version_generic)
         version.update(self.rspec_versions())
diff --git a/sfa/methods/Allocate.py b/sfa/methods/Allocate.py
index 4105f31f..a9dac0db 100644
--- a/sfa/methods/Allocate.py
+++ b/sfa/methods/Allocate.py
@@ -37,9 +37,10 @@ class Allocate(Method):
     def call(self, xrn, creds, rspec, options):
         xrn = Xrn(xrn, type='slice')
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrn.get_hrn(), self.name))
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn())
+        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn(), speaking_for_hrn=speaking_for)
         # use the expiration from the first valid credential to determine when
         # the slivers should expire.
         expiration = datetime_to_string(Credential(cred=valid_creds[0]).expiration)
diff --git a/sfa/methods/Delete.py b/sfa/methods/Delete.py
index 94684b97..eed8a398 100644
--- a/sfa/methods/Delete.py
+++ b/sfa/methods/Delete.py
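Review bot: After this change `valid_creds[0]`, which the last hunk line uses to bound sliver expiration, may be the credential that only satisfied the `speaking_for_hrn` fallback rather than a slice credential for `xrn`, so the slivers' lifetime becomes a function of credential order in the request. If the speaks-for credential carries a longer lifetime than the slice credential, the allocation outlives the slice authority's grant. I'd select the bound explicitly, e.g. `slice_creds = [c for c in valid_creds if Credential(cred=c).get_gid_object().get_hrn() == xrn.get_hrn()]` and take the expiration from `slice_creds[0]` (falling back to the existing behaviour only when that list is empty, if that can happen). The body of `call()` continues past the end of the hunk.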
@@ -24,8 +24,10 @@ class Delete(Method):
     returns = Parameter(int, "1 if successful")
     def call(self, xrns, creds, options):
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', xrns,
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         #log the call
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/Describe.py b/sfa/methods/Describe.py
index 8485f796..ec604895 100644
--- a/sfa/methods/Describe.py
+++ b/sfa/methods/Describe.py
@@ -36,9 +36,10 @@ class Describe(Method):
             options['geni_rspec_version'] = options['rspec_version']
         else:
             raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
-
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         # get hrn of the original caller
         origin_hrn = options.get('origin_hrn', None)
diff --git a/sfa/methods/ListResources.py b/sfa/methods/ListResources.py
index b7ac0b72..a9ffe760 100644
--- a/sfa/methods/ListResources.py
+++ b/sfa/methods/ListResources.py
@@ -32,9 +32,11 @@ class ListResources(Method):
             options['geni_rspec_version'] = options['rspec_version']
         else:
             raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
+
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes')
+        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', speaking_for_hrn=speaking_for)
         # get hrn of the original caller
         origin_hrn = options.get('origin_hrn', None)
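Review bot: The audit identity `origin_hrn` on the last line of the Delete hunk is still taken from `valid_creds[0]`'s caller GID, so when the speaks-for fallback is what authorized the deletion, the log records only that credential's caller and never the principal named in `geni_speaking_for`; the two are exactly what an incident responder needs to distinguish tool from user. I'd carry `speaking_for` into the log record, e.g. `self.api.logger.info("interface: %s\tcaller-hrn: %s\tspeaking-for: %s\tmethod-name: %s" % (self.api.interface, origin_hrn, speaking_for, self.name))`. The `#log the call` statement itself lies past the end of the hunk, so where exactly that line goes cannot be seen here.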
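Review bot: In the ListResources hunk the option value is passed to `urn_to_hrn` unchecked, and this is the one call site with no target xrns, so `speaking_for` is the only HRN the authorization check will ever see. Whether `urn_to_hrn(None)` returns `(None, ...)` when the option is absent, and what it returns for a non-URN string, is not visible here; if the first element is ever a truthy placeholder, every plain ListResources call would take the speaks-for branch and be refused by the new `InsufficientRights` check. A guard keeps the behaviour explicit: `raw = options.get('geni_speaking_for')` / `speaking_for = urn_to_hrn(raw)[0] if raw else None`, optionally rejecting a value that does not parse as a user URN with `SfaInvalidArgument`. The body of `call()` continues past the end of the hunk.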
diff --git a/sfa/methods/PerformOperationalAction.py b/sfa/methods/PerformOperationalAction.py
index 01d853d4..a2635142 100644
--- a/sfa/methods/PerformOperationalAction.py
+++ b/sfa/methods/PerformOperationalAction.py
@@ -31,9 +31,12 @@ class PerformOperationalAction(Method):
     def call(self, xrns, creds, action, options):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
         # Find the valid credentials
         valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
         result = self.api.manager.PerformOperationalAction(self.api, xrns, creds, action, options)
diff --git a/sfa/methods/Provision.py b/sfa/methods/Provision.py
index a94c1bc3..a3fd0feb 100644
--- a/sfa/methods/Provision.py
+++ b/sfa/methods/Provision.py
@@ -31,9 +31,12 @@ class Provision(Method):
     def call(self, xrns, creds, options):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
         # Find the valid credentials
         valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
         result = self.api.manager.Provision(self.api, xrns, creds, options)
diff --git a/sfa/methods/Renew.py b/sfa/methods/Renew.py
index 8f31786b..7b470f10 100644
--- a/sfa/methods/Renew.py
+++ b/sfa/methods/Renew.py
@@ -32,9 +32,12 @@ class Renew(Method):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, urns, creds, self.name))
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
         # Find the valid credentials
         valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', urns,
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         # Validate that the time does not go beyond the credential's expiration time
         requested_time = utcparse(expiration_time)
diff --git a/sfa/methods/Status.py b/sfa/methods/Status.py
index 164093e7..36da58e1 100644
--- a/sfa/methods/Status.py
+++ b/sfa/methods/Status.py
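Review bot: In the Renew hunk the comment right after the changed call says the requested time is bounded by "the credential's expiration time", but `valid_creds` can now contain the credential that passed only the `speaking_for_hrn` fallback, and which element that bound is read from lies past the end of the hunk. If it is read positionally (as Allocate does with `valid_creds[0]`), a long-lived speaks-for credential would let a renewal extend past the slice credential's expiry, which is the boundary `renewsliver` exists to enforce. I'd derive the bound only from credentials whose object HRN is one of the target slices, e.g. `slice_exp = [Credential(cred=c).expiration for c in valid_creds if Credential(cred=c).get_gid_object().get_hrn() in slice_hrns]`, and use `min(slice_exp)`. The body of `call()` starts before and ends after this hunk, so the comparison itself is not visible.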
@@ -19,8 +19,10 @@ class Status(Method):
     returns = Parameter(dict, "Status details")
     def call(self, xrns, creds, options):
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', xrns,
-                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                     speaking_for_hrn=speaking_for)
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
         return self.api.manager.Status(self.api, xrns, creds, options)
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index d217b1c8..35c76b78 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -35,7 +35,14 @@ class Auth:
         self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
         self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
-    def checkCredentials(self, creds, operation, xrns=[], check_sliver_callback=None):
+    def checkCredentials(self, creds, operation, xrns=[], check_sliver_callback=None, speaking_for_hrn=None):
+
+        def log_invalid_cred(cred):
+            cred_obj=Credential(string=cred)
+            logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+            error = sys.exc_info()[:2]
+            return error
+
         # if xrns are specified they cannot be None or empty string
         if xrns:
             for xrn in xrns:
@@ -53,6 +60,7 @@ class Auth:
         # we make sure not to include sliver urns/hrns in the core validation loop
         hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
         valid = []
+        speaks_for_cred = None
         if not isinstance(creds, list):
             creds = [creds]
         logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
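Review bot: `log_invalid_cred` in the first auth.py hunk quietly changes the constructor call from the removed `Credential(cred=cred)` to `Credential(string=cred)`, and it captures `sys.exc_info()` only after constructing and dumping the credential; if either of those raises inside the `except` handler, the new exception replaces the validation failure and the caller gets neither the debug dump nor the `error` tuple it returns. I'd take the snapshot first, `error = sys.exc_info()[:2]`, then do the dump inside its own `try`/`except Exception` that logs and falls through, and keep the original `cred=` keyword unless the rename is intentional (the two keywords are not shown to be equivalent here). The helper also only works when called from within an `except` block; a one-line docstring saying so, `"""Dump the failing credential at debug level; must be called from an except block so sys.exc_info() is set."""`, would stop it being reused elsewhere. The `checkCredentials` body continues past both hunks.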
@@ -65,10 +73,16 @@ class Auth:
                 self.check(cred, operation, hrn)
                 valid.append(cred)
             except:
-                cred_obj=Credential(cred=cred)
-                logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
-                error = sys.exc_info()[:2]
-                continue
+                if speaking_for_hrn:
+                    try:
+                        self.check(cred, operation, speaking_for_hrn)
+                        speaks_for_cred = cred
+                        valid.append(cred)
+                    except:
+                        error = log_invalid_cred(cred)
+                else:
+                    error = log_invalid_cred(cred)
+                continue
         # make sure all sliver xrns are validated against the valid credentials
         if sliver_xrns:
@@ -81,6 +95,9 @@ class Auth:
         if not len(valid):
             raise Forbidden("Invalid credential")
+        if speaking_for_hrn and not speaks_for_cred:
+            raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+
         return valid
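Review bot: The fallback in the `except` branch accepts a credential for `operation` on the caller-supplied `speaking_for_hrn` in place of the slice `hrn`, and nothing in this hunk verifies that the credential is a speaks-for credential issued by that user to the connecting client, nor that the spoken-for user in turn holds rights on `hrn`; whether `self.check` performs either binding is not visible here. If it does not, a client holding any credential that passes `check` with the user as target can name that user in `geni_speaking_for` and act on a slice it was never delegated, since the credential is then appended to `valid` exactly like a slice credential. At minimum the accepted credential should be checked to carry `speaking_for_hrn` as its object and the peer's GID as its caller, and a separate credential in `creds` should still authorize `operation` on `hrn` before `speaks_for_cred` is set. The bare `except:` on both levels also swallows `KeyboardInterrupt`/`SystemExit`; `except Exception:` keeps the same behaviour for validation failures. The enclosing loop begins before the hunk, so the iteration variable and loop structure are not visible.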
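Review bot: In the last auth.py hunk `error` may be unbound when the new `InsufficientRights` is raised: it is only assigned in the `except` branches of the validation loop, so when `speaking_for_hrn` is set and every credential passed the direct `self.check(cred, operation, hrn)` (leaving `valid` non-empty and `speaks_for_cred` None), the `% (error[0],error[1])` formatting raises `NameError` instead, and when some earlier credential did fail, the message reports that unrelated credential's error. Initialising `error = (None, None)` next to `speaks_for_cred = None` fixes the crash; better still, build the message from what is known: `detail = 'no credential validated for %s' % speaking_for_hrn if error is None else '%s -- %s' % error`. Note that `speaking_for_hrn` truthiness is also what decides whether the option was "specified", so an option that parses to an empty HRN is silently treated as absent.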