From 924093f298e27bcf888d3bcccb90e2cb6e6fce37 Mon Sep 17 00:00:00 2001 From: Tony Mack Date: Thu, 3 Jun 2010 20:12:08 +0000 Subject: [PATCH] merge with geni_api branch --- Makefile | 8 +- TODO | 42 +++-- config/default_config.xml | 36 ++++ config/geni_aggregates.xml | 3 + sfa.spec | 7 +- tests/testCred.py | 134 ++++++++++++++- tests/testGid.py | 6 +- xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO | 160 +++++++++--------- .../xmlbuilder.egg-info/SOURCES.txt | 2 + 9 files changed, 284 insertions(+), 114 deletions(-) create mode 100644 config/geni_aggregates.xml diff --git a/Makefile b/Makefile index 3d3fc9a0..79321726 100644 --- a/Makefile +++ b/Makefile @@ -7,10 +7,12 @@ DESTDIR="/" ########## all: keyconvert python wsdl -install: keyconvert-install python-install wsdl-install xmlbuilder-install +install: keyconvert-install python-install wsdl-install xmlbuilder-install clean: keyconvert-clean python-clean wsdl-clean +uninstall: python-uninstall + .PHONY: all install clean ########## @@ -30,9 +32,9 @@ python: xmlbuilder-install: cd xmlbuilder-0.9 && python setup.py install --root=$(DESTDIR) && cd - - + python-install: - python setup.py install --root=$(DESTDIR) + python setup.py install --root=$(DESTDIR) chmod 444 $(DESTDIR)/etc/sfa/default_config.xml python-clean: diff --git a/TODO b/TODO index 7f442ee6..96b2c727 100644 --- a/TODO +++ b/TODO 
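Review bot: The new `uninstall` target is not added to the `.PHONY` line that follows it, so a file or directory named `uninstall` in the source tree would make `make uninstall` report nothing to do; change it to `.PHONY: all install clean uninstall`. Its prerequisite `python-uninstall` is not defined in this hunk, so it is presumably defined elsewhere in the Makefile. The `chmod 444` added to `python-install` hard-codes `$(DESTDIR)/etc/sfa/default_config.xml`, so if setup.py does not place the file at that path the install target fails after the Python install has already completed; if that layout is not guaranteed, a `test -f ... && chmod 444 ...` form would keep the target from aborting half-way.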
@@ -1,41 +1,49 @@ -- test rpms: build/install +- Tag +* test rpm build/install + +- Trunk +* use PLC shell instead of xmlrpc when communicating with local plc aggregate + +- Client + * update getNodes to use lxml.etree for parsing the rspec - Stop invalid users * a recently disabled/deleted user may still have a valid cred. Keep a list of valid/invalid users on the aggregate and check callers against this list - Component manager + * GetGids - make this work for peer slices * GetTicket - must verify_{site,slice,person,keys} on remote aggregate * Redeem ticket - RedeemTicket/AdminTicket not working. Why? * install the slice and node gid when the slice is created (create NM plugin to execute sfa_component_setup.py ?) -- Protogeni -* agree on standard set of functon calls -* agree on standard set of privs -* on permission error, return priv needed to make call -* cache slice resource states (if aggregate goes down, how do we know what - slices were on it and recreate them? do we make some sort of transaction log) - - Registry -* sign peer gids -* update call should attempt to push updates to federated peers if - the peer has a record for an object that is updated locally -* api.update_membership() shoudl behave more like resolve when looking up records (attempt to resolve records at federated registeries) instead of only looking in the local registry * move db tables into db with less overhead (tokyocabinet?) -* make resolve, fill_record_info more fault tolerent. 
Skip records with failures -- Auth Service +- GUI/Auth Service * develop a simple service where users auth using username/passord and receive their cred * service manages users key/cert,creds - -- GUI - * requires user's cred (depends on Auth Service above) + * gui requires user's cred (depends on Auth Service above) - SM call routing * sfi -a option should send request to sm with an extra argument to specify which am to contact instead of connecting directly to the am (am may not trust client directly) +- Protogeni +* merger josh's branch with trunk +* agree on standard set of functon calls +* agree on standard set of privs +* on permission error, return priv needed to make call +* cache slice resource states (if aggregate goes down, how do we know what + slices were on it and recreate them? do we make some sort of transaction log) + + +Questions +========= +- SM/Aggregate +* should the rspec contain only the resources a slice is using or all resources availa and mark what the slice is using. + - Initscripts on sfa / geniwrapper * should sfa have native initscript support or should we piggyback off of myplc? * should this be in the rspec diff --git a/config/default_config.xml b/config/default_config.xml index d40fd6d1..37cd6cce 100644 --- a/config/default_config.xml +++ b/config/default_config.xml @@ -120,6 +120,42 @@ $URL$ + + + + GENI Aggregate + The settings that affect the geni aggregate manager that will run + as part of this SFA instance. + + + + Enable GENI Aggregate + true + Allows this local SFA instance to run as an + GENI aggregate manager. + + + + GENI Aggregate type + pl + The type of backend server for this + aggregate. Some aggregates may not be myplc. + + + + Hostname + localhost + The hostname where the aggregate is expected to + be found. + + + + Port number + 12348 + The port where the aggregate is to be found. + + + diff --git a/config/geni_aggregates.xml b/config/geni_aggregates.xml new file mode 100644 index 00000000..4630736c --- /dev/null 
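Review bot: The new GENI Aggregate section ships with its enable flag set to `true`, so every instance installed with this default configuration runs as a GENI aggregate manager on port 12348 unless the operator explicitly turns it off; an opt-in default of `false` would keep a fresh install from exposing an additional network service by accident. The XML element names have been stripped in this rendering, so the exact line cannot be quoted here, but the value to change is the `true` under "Enable GENI Aggregate". Whether the other service enable flags in this file default to true is outside the hunk, so if they do, matching them may be the intended behaviour and is worth stating in the setting's description.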
+++ b/config/geni_aggregates.xml @@ -0,0 +1,3 @@ + + + diff --git a/sfa.spec b/sfa.spec index 88e7883c..00cf3ec3 100644 --- a/sfa.spec +++ b/sfa.spec @@ -155,14 +155,17 @@ chkconfig --add sfa %post cm chkconfig --add sfa-cm %changelog -* Thu Apr 08 2010 Tony Mack - sfa-0.9-11 +* Thu May 11 2010 Tony Mack - sfa-0.9-11 - SfaServer now uses a pool of threads to handle requests concurrently - sfa.util.rspec no longer used to process/manage rspecs (deprecated). This is now handled by sfa.plc.network and is not backwards compatible - PIs can now get a slice credential for any slice at their site without having to be a member of the slice - Registry records for federated peers (defined in registries.xml, aggregates.xml) updated when sfa service is started - Interfaces will try to fetch and install gids from peers listed in registries.xml/aggregates.xml if gid is not found in /etc/sfa/trusted_roots dir - Component manager does not install gid files if slice already has them - +- Server automatically fetches and installs peer certificats (defined in registries/aggregates.xml) when service is restarted. +- fix credential verification exploit (verify that the trusted signer is a parent of the object it it signed) +- made it easier for root authorities to sign their sub's certifiacate using the sfa-ca.py (sfa/server/sfa-ca.py) tool + * Thu Jan 21 2010 anil vengalil - sfa-0.9-10 - This tag is quite same as the previous one (sfa-0.9-9) except that the vini and max aggregate managers are also updated for urn support. Other features are: - - sfa-config-tty now has the same features like plc-config-tty diff --git a/tests/testCred.py b/tests/testCred.py index 68c9b743..32fac4af 100755 --- a/tests/testCred.py +++ b/tests/testCred.py @@ -2,6 +2,7 @@ import unittest from sfa.trust.credential import * from sfa.trust.rights import * from sfa.trust.gid import * +from sfa.trust.certificate import * class TestCred(unittest.TestCase): def setUp(self): 
@@ -23,7 +24,7 @@ class TestCred(unittest.TestCase):
 gidObject = GID(subject="object", uuid=create_uuid(), hrn="foo.object")
 lifeTime = 12345
 delegate = True
- rights = "embed,bind"
+ rights = "embed:1,bind:1"
 cred.set_gid_caller(gidCaller)
 self.assertEqual(cred.get_gid_caller().get_subject(), gidCaller.get_subject())
@@ -32,26 +33,141 @@ class TestCred(unittest.TestCase): self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject()) cred.set_lifetime(lifeTime) - self.assertEqual(cred.get_lifetime(), lifeTime) - - cred.set_delegate(delegate) - self.assertEqual(cred.get_delegate(), delegate) - + cred.set_privileges(rights) self.assertEqual(cred.get_privileges().save_to_string(), rights) + cred.get_privileges().delegate_all_privileges(delegate) + cred.encode() cred_str = cred.save_to_string() - # re-load the credential from a string and make sure it's fields are + # re-load the credential from a string and make sure its fields are # intact cred2 = Credential(string = cred_str) self.assertEqual(cred2.get_gid_caller().get_subject(), gidCaller.get_subject()) self.assertEqual(cred2.get_gid_object().get_subject(), gidObject.get_subject()) - self.assertEqual(cred2.get_lifetime(), lifeTime) - self.assertEqual(cred2.get_delegate(), delegate) + self.assertEqual(cred2.get_privileges().get_all_delegate(), delegate) self.assertEqual(cred2.get_privileges().save_to_string(), rights) + + + def createSignedGID(self, subject, urn, issuer_pkey = None, issuer_gid = None): + gid = GID(subject=subject, uuid=1, urn=urn) + keys = Keypair(create=True) + gid.set_pubkey(keys) + if issuer_pkey: + gid.set_issuer(issuer_pkey, str(issuer_gid.get_issuer())) + else: + gid.set_issuer(keys, subject) + + gid.encode() + gid.sign() + return gid, keys + + + + + def testDelegationAndVerification(self): + gidAuthority, keys = self.createSignedGID("site", "urn:publicid:IDN+plc+authority+site") + gidCaller, ckeys = self.createSignedGID("site.foo", "urn:publicid:IDN+plc:site+user+foo", + keys, gidAuthority) + gidObject, _ = self.createSignedGID("site.slice", "urn:publicid:IDN+plc:site+slice+bar_slice", + keys, gidAuthority) + gidDelegatee, _ = self.createSignedGID("site.delegatee", "urn:publicid:IDN+plc:site+user+delegatee", + keys, gidAuthority) + + cred = Credential() + cred.set_gid_caller(gidCaller) + 
cred.set_gid_object(gidObject) + cred.set_lifetime(3600) + cred.set_privileges("embed:1, bind:1") + cred.encode() + + gidAuthority.save_to_file("/tmp/auth_gid") + keys.save_to_file("/tmp/auth_key") + cred.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid") + cred.sign() + + + cred.verify(['/tmp/auth_gid']) + + # Test copying + cred2 = Credential(string=cred.save_to_string()) + cred2.verify(['/tmp/auth_gid']) + + + # Test delegation + delegated = Credential() + delegated.set_gid_caller(gidDelegatee) + delegated.set_gid_object(gidObject) + delegated.set_parent(cred) + delegated.set_lifetime(600) + delegated.set_privileges("embed:1, bind:1") + gidCaller.save_to_file("/tmp/caller_gid") + ckeys.save_to_file("/tmp/caller_pkey") + + delegated.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid") + + delegated.encode() + + delegated.sign() + + # This should verify + delegated.verify(['/tmp/auth_gid']) + + backup = Credential(string=delegated.get_xml()) + + # Test that verify catches an incorrect lifetime + delegated.set_lifetime(6000) + delegated.encode() + delegated.sign() + try: + delegated.verify(['/tmp/auth_gid']) + assert(1==0) + except CredentialNotVerifiable: + pass + + # Test that verify catches an incorrect signer + delegated = Credential(string=backup.get_xml()) + delegated.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid") + delegated.encode() + delegated.sign() + + try: + delegated.verify(['/tmp/auth_gid']) + assert(1==0) + except CredentialNotVerifiable: + pass + + + # Test that verify catches a changed gid + delegated = Credential(string=backup.get_xml()) + delegated.set_gid_object(delegated.get_gid_caller()) + delegated.encode() + delegated.sign() + + try: + delegated.verify(['/tmp/auth_gid']) + assert(1==0) + except CredentialNotVerifiable: + pass + + + # Test that verify catches a credential with the wrong authority for the object + test = Credential(string=cred.get_xml()) + test.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid") + test.encode() + 
test.sign() + + try: + test.verify(['/tmp/auth_gid']) + assert(1==0) + except CredentialNotVerifiable: + pass + + # Test that * gets translated properly + if __name__ == "__main__": unittest.main() diff --git a/tests/testGid.py b/tests/testGid.py index 33406f51..85f92407 100755 --- a/tests/testGid.py +++ b/tests/testGid.py @@ -16,14 +16,14 @@ class TestGid(unittest.TestCase): def testSetGetUuid(self): gid = GID(subject="test") - u = create_uuid() + u = uuid.uuid4().int gid.set_uuid(u) self.assertEqual(gid.get_uuid(), u) def testEncodeDecode(self): gid = GID(subject="test") - u = str(uuid.uuid4().int) + u = uuid.uuid4().int hrn = "test.hrn" gid.set_uuid(u) @@ -38,7 +38,7 @@ class TestGid(unittest.TestCase): def testSaveAndLoadString(self): gid = GID(subject="test") - u = str(uuid.uuid4().int) + u = uuid.uuid4().int hrn = "test.hrn" gid.set_uuid(u) diff --git a/xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO b/xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO index d931c15a..bb65a9de 100644 --- a/xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO +++ b/xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO 
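Review bot: testDelegationAndVerification writes the authority's private key and the GIDs to fixed, predictable paths in the shared temp directory (`/tmp/auth_key`, `/tmp/auth_gid`, `/tmp/caller_pkey`, `/tmp/caller_gid`) and never removes them, so on a multi-user host another local account can pre-create or replace those files before the test runs and the test will sign and verify with material it did not generate, and the private key remains on disk afterwards. Create a private directory with `tempfile.mkdtemp()`, build every path from it, and remove it in a cleanup step (`addCleanup` on 2.7+, otherwise `tearDown`), which needs `tempfile`, `shutil` and `os` imported at the top of the file. The negative cases use `try: ... assert(1==0) except CredentialNotVerifiable: pass`, which relies on a bare `assert` that is stripped under `python -O`; `self.assertRaises(CredentialNotVerifiable, delegated.verify, [auth_gid])` is the unittest idiom and reports a clearer failure. The trailing `# Test that * gets translated properly` has no test body behind it, so either implement it or drop the comment. The rights string here, `"embed:1, bind:1"`, differs from the `"embed:1,bind:1"` used in the earlier hunk by a space; whether the rights parser tolerates that is not visible here, and the enclosing TestCred class starts outside this hunk.
```python
    def testDelegationAndVerification(self):
        # … unchanged: GID and keypair creation …
        tmpdir = tempfile.mkdtemp()
        self.addCleanup(shutil.rmtree, tmpdir)   # tearDown on Python < 2.7
        auth_gid = os.path.join(tmpdir, "auth_gid")
        auth_key = os.path.join(tmpdir, "auth_key")
        caller_gid = os.path.join(tmpdir, "caller_gid")
        caller_pkey = os.path.join(tmpdir, "caller_pkey")
        # … unchanged: credential setup …
        gidAuthority.save_to_file(auth_gid)
        keys.save_to_file(auth_key)
        cred.set_issuer_keys(auth_key, auth_gid)
        cred.sign()
        cred.verify([auth_gid])
        # … unchanged: delegation setup, using caller_gid / caller_pkey …
        # Test that verify catches an incorrect lifetime
        delegated.set_lifetime(6000)
        delegated.encode()
        delegated.sign()
        self.assertRaises(CredentialNotVerifiable, delegated.verify, [auth_gid])
        # … unchanged: remaining negative cases, each rewritten as assertRaises …
```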
@@ -1,80 +1,80 @@ -Metadata-Version: 1.0 -Name: xmlbuilder -Version: 0.9 -Summary: Pythonic way to create xml files -Home-page: http://pypi.python.org/pypi/xmlbuilder -Author: koder -Author-email: koder_dot_mail@gmail_dot_com -License: MIT -Download-URL: http://pypi.python.org/pypi/xmlbuilder -Description: Example of usage: - ----------------- - - - from __future__ import with_statement - from xmlbuilder import XMLBuilder - x = XMLBuilder(format=True) - with x.root(a = 1): - with x.data: - [x << ('node',{'val':i}) for i in range(10)] - - print str(x) - - will print - - <root a="1"> - <data> - <node val="0" /> - <node val="1" /> - <node val="2" /> - <node val="3" /> - <node val="4" /> - <node val="5" /> - <node val="6" /> - <node val="7" /> - <node val="8" /> - <node val="9" /> - </data> - </root> - - Mercurial repo:http://hg.assembla.com/MyPackages/ - - Documentations - -------------- - `XMLBuilder` is simple library build on top of `ElementTree.TreeBuilder` to - simplify xml files creation as much as possible. Althow it can produce - structured result with identated child tags. `XMLBuilder` use python `with` - statement to define xml tag levels and `<<` operator for simple cases - - text and tag without childs. 
- - First we need to create xmlbuilder - - from xmlbuilder import XMLBuilder - # params - encoding = 'utf8', - # builder = None, - ElementTree.TreeBuilder - # tab_level = None, - current tab l;evel - for formatted output only - # format = False, - create formatted output - # tab_step = " " * 4 - indentation step - xml = XMLBuilder() - - - Use `with` statement to make document structure - #create and open tag 'root_tag' with text 'text' and attributes - with xml.root_tag(text,attr1=val1,attr2=val2): - #create and open tag 'sub_tag' - with xml.sub_tag(text,attr3=val3): - #create tag which are not valid python identificator - with xml('one-more-sub-tag',attr7=val37): - xml << "Some textual data" - #here tag 'one-more-sub-tag' are closed - #Tags without children can be created using `<<` operator - for val in range(15): - xml << ('message',"python rocks!"[:i]) - #create 15 child tag like <message> python r</message> - #all tags closed - node = ~x # get etree.ElementTree object - xml_data = str(x) - unicode_xml_data = unicode(x) - -Keywords: xml -Platform: UNKNOWN +Metadata-Version: 1.0 +Name: xmlbuilder +Version: 0.9 +Summary: Pythonic way to create xml files +Home-page: http://pypi.python.org/pypi/xmlbuilder +Author: koder +Author-email: koder_dot_mail@gmail_dot_com +License: MIT +Download-URL: http://pypi.python.org/pypi/xmlbuilder +Description: Example of usage: + ----------------- + + + from __future__ import with_statement + from xmlbuilder import XMLBuilder + x = XMLBuilder(format=True) + with x.root(a = 1): + with x.data: + [x << ('node',{'val':i}) for i in range(10)] + + print str(x) + + will print + + <root a="1"> + <data> + <node val="0" /> + <node val="1" /> + <node val="2" /> + <node val="3" /> + <node val="4" /> + <node val="5" /> + <node val="6" /> + <node val="7" /> + <node val="8" /> + <node val="9" /> + </data> + </root> + + Mercurial repo:http://hg.assembla.com/MyPackages/ + + Documentations + -------------- + `XMLBuilder` is simple library build on 
top of `ElementTree.TreeBuilder` to + simplify xml files creation as much as possible. Althow it can produce + structured result with identated child tags. `XMLBuilder` use python `with` + statement to define xml tag levels and `<<` operator for simple cases - + text and tag without childs. + + First we need to create xmlbuilder + + from xmlbuilder import XMLBuilder + # params - encoding = 'utf8', + # builder = None, - ElementTree.TreeBuilder + # tab_level = None, - current tab l;evel - for formatted output only + # format = False, - create formatted output + # tab_step = " " * 4 - indentation step + xml = XMLBuilder() + + + Use `with` statement to make document structure + #create and open tag 'root_tag' with text 'text' and attributes + with xml.root_tag(text,attr1=val1,attr2=val2): + #create and open tag 'sub_tag' + with xml.sub_tag(text,attr3=val3): + #create tag which are not valid python identificator + with xml('one-more-sub-tag',attr7=val37): + xml << "Some textual data" + #here tag 'one-more-sub-tag' are closed + #Tags without children can be created using `<<` operator + for val in range(15): + xml << ('message',"python rocks!"[:i]) + #create 15 child tag like <message> python r</message> + #all tags closed + node = ~x # get etree.ElementTree object + xml_data = str(x) + unicode_xml_data = unicode(x) + +Keywords: xml +Platform: UNKNOWN diff --git a/xmlbuilder-0.9/xmlbuilder.egg-info/SOURCES.txt b/xmlbuilder-0.9/xmlbuilder.egg-info/SOURCES.txt index 57272a81..4cc27de9 100644 --- a/xmlbuilder-0.9/xmlbuilder.egg-info/SOURCES.txt +++ b/xmlbuilder-0.9/xmlbuilder.egg-info/SOURCES.txt @@ -1,6 +1,8 @@ LICENSE MANIFEST.in +PKG-INFO README.txt +setup.cfg setup.py xmlbuilder/__init__.py xmlbuilder.egg-info/PKG-INFO -- 2.43.0