From bd88466c612d5da9d5b104a5b8788b0b788429cf Mon Sep 17 00:00:00 2001 From: Josh Karlin Date: Tue, 20 Apr 2010 20:19:33 +0000 Subject: [PATCH] Added 'checkCredentials' to auth.py. Made various other small fixes. --- sfa/managers/aggregate_manager_pl.py | 9 +++++++-- sfa/managers/registry_manager_pl.py | 17 ++++++++++------- sfa/methods/CreateSliver.py | 28 +++++++++------------------- sfa/methods/DeleteSliver.py | 19 ++++--------------- sfa/methods/ListResources.py | 27 ++++++++++----------------- sfa/methods/RenewSliver.py | 22 +++++----------------- sfa/methods/Resolve.py | 7 +++++-- sfa/methods/Shutdown.py | 18 ++++-------------- sfa/methods/SliverStatus.py | 17 +++-------------- sfa/plc/network.py | 8 ++++++-- sfa/trust/auth.py | 25 ++++++++++++++++++++++--- sfa/trust/gid.py | 6 ++++++ 12 files changed, 91 insertions(+), 112 deletions(-) diff --git a/sfa/managers/aggregate_manager_pl.py b/sfa/managers/aggregate_manager_pl.py index 12b170b9..9026f6a1 100644 --- a/sfa/managers/aggregate_manager_pl.py +++ b/sfa/managers/aggregate_manager_pl.py @@ -66,16 +66,21 @@ def create_slice(api, xrn, xml): slice = network.get_slice(api, hrn) current = __get_hostnames(slice.get_nodes()) - + api.logger.info("Current = %s" % " ".join(current)) + api.logger.info("before addrspec") network.addRSpec(xml, api.config.SFA_AGGREGATE_RSPEC_SCHEMA) - + api.logger.info("after addrspec") request = __get_hostnames(network.nodesWithSlivers()) # remove nodes not in rspec deleted_nodes = list(set(current).difference(request)) + api.logger.info("Deleted nodes = " + " ".join(deleted_nodes)) # add nodes from rspec added_nodes = list(set(request).difference(current)) + api.logger.info("Added nodes = " + " ".join(added_nodes)) + + if peer: api.plshell.UnBindObjectFromPeer(api.plauth, 'slice', slice.id, peer) diff --git a/sfa/managers/registry_manager_pl.py b/sfa/managers/registry_manager_pl.py index 6ed5da8d..423cb1cc 100644 --- a/sfa/managers/registry_manager_pl.py 
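Review bot: The four `api.logger.info` calls added in create_slice around `network.addRSpec` read as temporary tracing (`"before addrspec"`, `"after addrspec"`) rather than operational log lines, and at info level they fire on every slice creation. I would drop the two marker lines and emit the node sets once, at debug, after both are computed: `api.logger.debug("create_slice %s: current=%s added=%s deleted=%s" % (hrn, current, added_nodes, deleted_nodes))`. The `" ".join(...)` calls also assume `__get_hostnames` yields plain strings — presumably it does, but `%s` on the list avoids a TypeError if that ever changes. create_slice continues past the hunk.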
+++ b/sfa/managers/registry_manager_pl.py @@ -10,12 +10,6 @@ from sfa.trust.credential import * from sfa.trust.certificate import * from sfa.util.faults import * -def GetVersion(): - version = {} - version['geni_api'] = 1 - return version - - def get_credential(api, xrn, type, is_self=False): @@ -74,6 +68,15 @@ def get_credential(api, xrn, type, is_self=False): return new_cred.save_to_string(save_parents=True) + +# The GENI GetVersion call +def GetVersion(): + version = {} + version['geni_api'] = 1 + return version + + + # The GENI resolve call def Resolve(api, xrn, creds): records = resolve(api, xrn) @@ -83,7 +86,7 @@ def Resolve(api, xrn, creds): record = records[0] if record.type == 'slice': - return {'geni_urn': xrn, 'geni_creator': record.gid} + return {'geni_urn': xrn, 'geni_creator': " ".join(record.PI)} if record.type == 'user': return {'geni_urn': xrn, 'geni_certificate': record.gid} diff --git a/sfa/methods/CreateSliver.py b/sfa/methods/CreateSliver.py index e8738018..5961eb33 100644 --- a/sfa/methods/CreateSliver.py +++ b/sfa/methods/CreateSliver.py @@ -5,6 +5,7 @@ from sfa.util.parameter import Parameter from sfatables.runtime import SFATablesRules import sys from sfa.trust.credential import Credential +from sfa.util.sfalogging import logger class CreateSliver(Method): """ 
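Review bot: The new `geni_creator` value `" ".join(record.PI)` in Resolve changes the field from the slice's GID to a space-joined list of PI names, and it raises if `record.PI` is missing or `None` for a slice record (the old `record.gid` was presumably always set). If the new meaning is intended, guard it — `pis = record.PI or []` and `'geni_creator': " ".join(pis)` — and extend the `# The GENI resolve call` comment to say that `geni_creator` carries PI hrns rather than a certificate, since a client that parsed the old value as a GID will now get something else. Resolve's body starts before the hunk.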
@@ -40,24 +41,13 @@ class CreateSliver(Method): def call(self, slice_xrn, creds, rspec): hrn, type = urn_to_hrn(slice_xrn) - self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) + self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name)) + + # Find the valid credentials + ValidCreds = self.api.auth.checkCredentials(creds, 'createslice', hrn) + + origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn() - # Validate that at least one of the credentials is good enough - found = False - for cred in creds: - try: - self.api.auth.check(cred, 'createslice') - origin_hrn = Credential(string=cred).get_gid_caller().get_hrn() - found = True - break - except: - error = sys.exc_info()[:2] - continue - - if not found: - raise InsufficientRights('CreateSliver: Access denied: %s -- %s' % (error[0],error[1])) - - manager_base = 'sfa.managers' if self.api.interface in ['geni_am']: @@ -66,7 +56,7 @@ class CreateSliver(Method): manager = __import__(manager_module, fromlist=[manager_base]) rspec = self.__run_sfatables(manager, SFATablesRules('INCOMING'), hrn, origin_hrn, rspec) - return manager.CreateSliver(self.api, slice_xrn, creds, rspec) - + logger.info("Calling with rspec = %s"% rspec) + return manager.CreateSliver(self.api, slice_xrn, ValidCreds, rspec) return '' diff --git a/sfa/methods/DeleteSliver.py b/sfa/methods/DeleteSliver.py index d57568fa..94e9cfd7 100644 --- a/sfa/methods/DeleteSliver.py +++ b/sfa/methods/DeleteSliver.py 
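Review bot: `ValidCreds` is a local variable but carries a class-style name, and the same spelling is introduced in DeleteSliver, ListResources, RenewSliver, Shutdown and SliverStatus; PEP 8 would have `valid_creds` in all six. The new `logger.info("Calling with rspec = %s"% rspec)` also writes the entire RSpec to the log at info level through the module-level `logger`, while the rest of `call` logs through `self.api.logger` — I would make it `self.api.logger.debug(...)` or drop it. With the try/except loop removed, `import sys` (visible in the file's import hunk) looks unused in this file unless something outside the hunk still references it. `call` continues past the hunk.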
@@ -22,21 +22,10 @@ class DeleteSliver(Method): def call(self, slice_xrn, creds): hrn, type = urn_to_hrn(slice_xrn) - self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) + self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name)) - # Validate that at least one of the credentials is good enough - found = False - for cred in creds: - try: - self.api.auth.check(cred, 'deleteslice') - found = True - break - except: - continue - - if not found: - raise InsufficientRights('DeleteSliver: Credentials either did not verify, were no longer valid, or did not have appropriate privileges') - + # Find the valid credentials + ValidCreds = self.api.auth.checkCredentials(creds, 'deleteslice', hrn) manager_base = 'sfa.managers' @@ -44,7 +33,7 @@ class DeleteSliver(Method): mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE manager_module = manager_base + ".geni_am_%s" % mgr_type manager = __import__(manager_module, fromlist=[manager_base]) - return manager.DeleteSliver(self.api, slice_xrn, creds) + return manager.DeleteSliver(self.api, slice_xrn, ValidCreds) return '' diff --git a/sfa/methods/ListResources.py b/sfa/methods/ListResources.py index 0007c255..78581726 100644 --- a/sfa/methods/ListResources.py +++ b/sfa/methods/ListResources.py @@ -9,7 +9,7 @@ import sys class ListResources(Method): """ - Returns information about available resources or resources allocated to this slice + Returns information about available resources or resources allocated to this slice @param credential list @param options dictionary @return string 
@@ -24,22 +24,15 @@ class ListResources(Method): def call(self, creds, options): self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name)) - # Validate that at least one of the credentials is good enough - found = False - for cred in creds: - try: - self.api.auth.check(cred, 'listnodes') - found = True - user_cred = Credential(string=cred) - break - except: - error = sys.exc_info()[:2] - continue + # Find the valid credentials + hrn = None + if options.has_key('geni_slice_urn'): + xrn = options['geni_slice_urn'] + hrn, _ = urn_to_hrn(xrn) + + ValidCreds = self.api.auth.checkCredentials(creds, 'listnodes', hrn) + origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn() - if not found: - raise InsufficientRights('ListResources: Access denied: %s -- %s' % (error[0],error[1])) - - origin_hrn = user_cred.get_gid_caller().get_hrn() manager_base = 'sfa.managers' @@ -47,7 +40,7 @@ class ListResources(Method): mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE manager_module = manager_base + ".geni_am_%s" % mgr_type manager = __import__(manager_module, fromlist=[manager_base]) - rspec = manager.ListResources(self.api, creds, options) + rspec = manager.ListResources(self.api, ValidCreds, options) outgoing_rules = SFATablesRules('OUTGOING') diff --git a/sfa/methods/RenewSliver.py b/sfa/methods/RenewSliver.py index 554926df..bce8a495 100644 --- a/sfa/methods/RenewSliver.py +++ b/sfa/methods/RenewSliver.py 
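Review bot: When `options` has no `geni_slice_urn`, `hrn` stays `None` and `checkCredentials(creds, 'listnodes', None)` skips the target-hrn comparison in Auth.check (its `if hrn and ...` guard is visible in the auth.py hunk), so any credential carrying the listnodes right is accepted for the unscoped listing. That is presumably intended for advertising the aggregate's resources, but it deserves a comment, e.g. `# No slice urn: unscoped listing, only the listnodes right is checked, not the credential's target`. `options.has_key(...)` also raises AttributeError if a client passes `None` for options; `if options and 'geni_slice_urn' in options:` covers both cases. `call` continues past the hunk.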
@@ -26,24 +26,12 @@ class RenewSliver(Method): self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) - # Validate that at least one of the credentials is good enough - found = False - validCred = None - for cred in creds: - try: - self.api.auth.check(cred, 'renewsliver') - validCred = cred - found = True - break - except: - continue - - if not found: - raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges') - + # Find the valid credentials + ValidCreds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn) + # Validate that the time does not go beyond the credential's expiration time requested_time = parse(expiration_time) - if requested_time > Credential(string=validCred).get_lifetime(): + if requested_time > Credential(string=ValidCreds[0]).get_lifetime(): raise InsufficientRights('SliverStatus: Credential expires before requested expiration time') manager_base = 'sfa.managers' @@ -52,7 +40,7 @@ class RenewSliver(Method): mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE manager_module = manager_base + ".geni_am_%s" % mgr_type manager = __import__(manager_module, fromlist=[manager_base]) - return manager.RenewSliver(self.api, slice_xrn, creds, expiration_time) + return manager.RenewSliver(self.api, slice_xrn, ValidCreds, expiration_time) return '' diff --git a/sfa/methods/Resolve.py b/sfa/methods/Resolve.py index b694bc8a..0f7439ca 100644 --- a/sfa/methods/Resolve.py +++ b/sfa/methods/Resolve.py @@ -2,7 +2,7 @@ from sfa.util.faults import * from sfa.util.namespace import * from sfa.util.method import Method from sfa.util.parameter import Parameter - +from sfa.trust.credential import Credential class Resolve(Method): """ 
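Review bot: The context line at the top of this hunk still writes the full credential strings into the log (`caller-creds: %s` with `creds`), whereas this commit removes that field from CreateSliver and DeleteSliver; the same line remains in Shutdown and SliverStatus. The credential XML is authorization material and bulky, so I would apply the same change in all three: `self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))`. The expiration check consults only `ValidCreds[0]`, so a request is refused when the first valid credential expires early even if a later one would allow it — `max(Credential(string=c).get_lifetime() for c in ValidCreds)` honours every valid credential, assuming `get_lifetime` returns comparable values; and the `SliverStatus:` prefix in the InsufficientRights message here looks copied from SliverStatus.py. `call` starts before the hunk.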
@@ -22,11 +22,14 @@ class Resolve(Method): for cred in creds: try: self.api.auth.check(cred, 'resolve') + # Make sure it's an authority and not a user + if cred.get_gid_caller().get_type() != 'authority': + raise 'NotAuthority' found = True break except: continue - + if not found: raise InsufficientRights('Resolve: Credentials either did not verify, were no longer valid, or did not have appropriate privileges') diff --git a/sfa/methods/Shutdown.py b/sfa/methods/Shutdown.py index 4445ae2f..0cf52cbf 100644 --- a/sfa/methods/Shutdown.py +++ b/sfa/methods/Shutdown.py @@ -24,26 +24,16 @@ class Shutdown(Method): self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) - # Validate that at least one of the credentials is good enough - found = False - for cred in creds: - try: - self.api.auth.check(cred, 'shutdown') - found = True - break - except: - continue - - if not found: - raise InsufficientRights('Shutdown: Credentials either did not verify, were no longer valid, or did not have appropriate privileges') - + # Find the valid credentials + ValidCreds = self.api.auth.checkCredentials(creds, 'shutdown', hrn) + manager_base = 'sfa.managers' if self.api.interface in ['geni_am']: mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE manager_module = manager_base + ".geni_am_%s" % mgr_type manager = __import__(manager_module, fromlist=[manager_base]) - return manager.Shutdown(self.api, slice_xrn, creds) + return manager.Shutdown(self.api, slice_xrn, ValidCreds) return '' diff --git a/sfa/methods/SliverStatus.py b/sfa/methods/SliverStatus.py index e56793bf..2d4164ed 100644 --- a/sfa/methods/SliverStatus.py +++ b/sfa/methods/SliverStatus.py 
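Review bot: The new authority check in Resolve calls `cred.get_gid_caller()` on `cred`, but the loop iterates the credentials as passed by the client, which the sibling methods wrap with `Credential(string=cred)` — on a string this raises AttributeError, the bare `except:` swallows it, `found` never becomes True and every Resolve call ends in InsufficientRights. `raise 'NotAuthority'` is a string exception as well, which newer Python 2 rejects with TypeError, so it would be swallowed the same way. The `Credential` import added in the previous hunk is presumably meant for this: `if Credential(string=cred).get_gid_caller().get_type() != 'authority': raise InsufficientRights('Resolve: caller is not an authority')`. Narrowing the handler to `except Exception:` and keeping the last error for the final fault message would have surfaced the problem. `call` starts before the hunk.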
@@ -23,19 +23,8 @@ class SliverStatus(Method): self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) - # Validate that at least one of the credentials is good enough - found = False - for cred in creds: - try: - self.api.auth.check(cred, 'sliverstatus') - found = True - break - except: - continue - - if not found: - raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges') - + # Find the valid credentials + ValidCreds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn) manager_base = 'sfa.managers' @@ -43,7 +32,7 @@ class SliverStatus(Method): mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE manager_module = manager_base + ".geni_am_%s" % mgr_type manager = __import__(manager_module, fromlist=[manager_base]) - return manager.SliverStatus(self.api, slice_xrn, creds) + return manager.SliverStatus(self.api, slice_xrn, ValidCreds) return '' diff --git a/sfa/plc/network.py b/sfa/plc/network.py index 41c5f459..9a1bdb1c 100644 --- a/sfa/plc/network.py +++ b/sfa/plc/network.py @@ -7,7 +7,7 @@ from xmlbuilder import XMLBuilder from lxml import etree import sys from StringIO import StringIO - +from sfa.util.sfalogging import logger class Sliver: def __init__(self, node): @@ -16,6 +16,7 @@ class Sliver: self.slice = node.network.slice def toxml(self, xml): + logger.info("sliver to xml!") with xml.sliver: self.slice.tags_to_xml(xml, self.node) @@ -64,6 +65,7 @@ class Node: self.sliver = Sliver(self) def toxml(self, xml): + logger.info("node.toxml(I)") slice = self.network.slice if self.whitelist and not self.sliver: if not slice or slice.id not in self.whitelist: @@ -197,6 +199,8 @@ class Slice: xml << (tag.tagname, tag.value) def toxml(self, xml): + logger.info("slice to xml!") + with xml.sliver_defaults: self.tags_to_xml(xml) 
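Review bot: The three `logger.info(...)` lines added to `Sliver.toxml`, `Node.toxml` and `Slice.toxml` are trace markers (`"sliver to xml!"`, `"node.toxml(I)"`) that fire once per node and per sliver on every RSpec build, flooding the info log with no data. Either drop them or lower them to debug with an identifying value, e.g. `logger.debug("Node.toxml %s" % self.hostname)` if the node object carries a hostname (not visible in this hunk). The blank line the import hunk removes between the `StringIO` import and `class Sliver` should also stay; PEP 8 wants two there.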
@@ -442,10 +446,10 @@ class Network: raise InvalidRSpec(message) self.rspec = rspec - defaults = rspec.find(".//sliver_defaults") self.__process_attributes(defaults) + # Find slivers under node elements for sliver in rspec.iterfind("./network/site/node/sliver"): elem = sliver.getparent() diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index abe76fd0..73dae3d1 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -15,6 +15,8 @@ from sfa.util.namespace import * from sfa.util.sfaticket import * from sfa.util.sfalogging import logger +import sys + class Auth: """ Credential based authentication @@ -32,6 +34,23 @@ class Auth: self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list() + + def checkCredentials(self, creds, operation, hrn = None): + valid = [] + for cred in creds: + try: + self.check(cred, operation, hrn) + valid.append(cred) + except: + error = sys.exc_info()[:2] + continue + + if not len(valid): + raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) + + return valid + + def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included @@ -65,10 +84,10 @@ class Auth: # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] - if hrn and client_gid.get_hrn() not in trusted_peers: - if not hrn == object_gid.get_hrn(): + if hrn and self.client_gid.get_hrn() not in trusted_peers: + if not hrn == self.object_gid.get_hrn(): raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ - (object_gid.get_hrn(), hrn) ) + (self.object_gid.get_hrn(), hrn) ) return True def check_ticket(self, ticket): diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index 97c6d8cb..72d657c1 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py 
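Review bot: In the new `checkCredentials`, `error` is assigned only inside the `except` branch, so a call with an empty `creds` list reaches `raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))` with `error` unbound and the client receives an UnboundLocalError instead of a clean access-denied fault; every method in this commit now routes through this path. The bare `except:` also catches KeyboardInterrupt/SystemExit and keeps only the last credential's failure, hiding which credential was rejected for which reason. I would narrow it to `except Exception`, record one reason per failing credential, and build the fault from those (empty list included), plus a docstring in the style of `check` below stating that the return value is the subset of `creds` that passed `self.check` for `operation` on `hrn` and that InsufficientRights is raised when none did.
```python
    def checkCredentials(self, creds, operation, hrn = None):
        """
        Return the subset of creds that pass self.check() for the given
        operation (and target hrn, if one is given). Raises
        InsufficientRights when none of them do, including when creds
        is empty.
        """
        valid = []
        reasons = []
        for cred in creds:
            try:
                self.check(cred, operation, hrn)
                valid.append(cred)
            except Exception:
                exc_type, exc_value = sys.exc_info()[:2]
                reasons.append('%s -- %s' % (exc_type, exc_value))

        if not valid:
            if reasons:
                detail = '; '.join(reasons)
            else:
                detail = 'no credentials supplied'
            raise InsufficientRights('Access denied: %s' % detail)

        return valid
```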
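Review bot: The target-hrn comparison in `check` now reads `self.client_gid` and `self.object_gid`, i.e. per-call state parked on the Auth instance (set earlier in `check`, outside this hunk, as far as I can tell). If one Auth object serves concurrent requests, a second `check` can overwrite those attributes between the point they are set and this comparison, so the hrn test could be evaluated against another caller's GIDs — an authorization decision should not depend on shared mutable state. Binding them to locals where they are assigned, `client_gid = self.client_gid` and `object_gid = self.object_gid`, and comparing the locals here avoids that while leaving the attributes in place for any other reader. `check` starts before the hunk.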
@@ -98,6 +98,12 @@ class GID(Certificate): self.decode() return self.urn + def get_type(self): + if not self.urn: + self.decode() + _, t = urn_to_hrn(self.urn) + return t + ## # Encode the GID fields and package them into the subject-alt-name field # of the X509 certificate. This must be called prior to signing the -- 2.43.0
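Review bot: `get_type` has no comment block, while its neighbours in GID (`get_urn` above, the encode method below) each carry a `##` description; add one saying it returns the type component of the GID's URN via `urn_to_hrn`, decoding lazily like `get_urn`. `urn_to_hrn` must be in scope in gid.py — the import block is outside this hunk, so confirm that `sfa.util.namespace` is imported there; otherwise the first call (the new `get_type()` check in Resolve.py) fails with NameError, and in Resolve.py that NameError would be swallowed by the bare `except:` rather than reported.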