From 6b0890481fe49ef7368ed8a8991a42fbba0248da Mon Sep 17 00:00:00 2001
From: Josh Karlin
Date: Mon, 26 Apr 2010 18:23:34 +0000
Subject: [PATCH] Updated rights so that each GENI AM call has a specific right associated with it.
---
 sfa/client/sfi.py | 1 +
 sfa/managers/geni_am_pl.py | 2 +-
 sfa/methods/CreateSliver.py | 2 +-
 sfa/methods/DeleteSliver.py | 2 +-
 sfa/methods/ListResources.py | 2 +-
 sfa/methods/SliverStatus.py | 8 ++------
 sfa/trust/rights.py | 14 +++++++-------
 7 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/sfa/client/sfi.py b/sfa/client/sfi.py
index 550edcfb..98abafa4 100755
--- a/sfa/client/sfi.py
+++ b/sfa/client/sfi.py
@@ -947,6 +947,7 @@ class Sfi:
 if args:
 xrn = args[0]
 cred = self.get_slice_cred(xrn).save_to_string(save_parents=True)
+ if xrn:
 call_options['geni_slice_urn'] = xrn
diff --git a/sfa/managers/geni_am_pl.py b/sfa/managers/geni_am_pl.py
index 26e73f4a..01abcef4 100644
--- a/sfa/managers/geni_am_pl.py
+++ b/sfa/managers/geni_am_pl.py
@@ -70,7 +70,7 @@ def DeleteSliver(api, slice_xrn, creds):
 allocated = manager.delete_slice(api, slice_xrn)
 return allocated
-def SliverStatus(api, slice_xrn):
+def SliverStatus(api, slice_xrn, creds):
 result = {}
 result['geni_urn'] = slice_xrn
 result['geni_status'] = 'unknown'
diff --git a/sfa/methods/CreateSliver.py b/sfa/methods/CreateSliver.py
index 7415a736..920ecfbf 100644
--- a/sfa/methods/CreateSliver.py
+++ b/sfa/methods/CreateSliver.py
@@ -44,7 +44,7 @@ class CreateSliver(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
 # Find the valid credentials
- ValidCreds = self.api.auth.checkCredentials(creds, 'createslice', hrn)
+ ValidCreds = self.api.auth.checkCredentials(creds, 'createsliver', hrn)
 origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/DeleteSliver.py b/sfa/methods/DeleteSliver.py
index 94e9cfd7..ed09a95e 100644
--- a/sfa/methods/DeleteSliver.py
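Review bot: In sfa/managers/geni_am_pl.py, `SliverStatus` now takes `creds`, but none of the visible lines read it and the function has no docstring saying what it receives. The caller in sfa/methods/SliverStatus.py passes the list returned by `checkCredentials`, so a docstring such as `"""Return status for slice_xrn; creds is the list of credentials already validated by the caller."""` would record that the manager is not expected to re-check them. Only the `pl` manager is updated in this commit; any other `geni_am_<type>` module selected through `SFA_GENI_AGGREGATE_TYPE` would need the same third parameter, and whether such modules exist cannot be confirmed from this page. The function body continues outside the hunk.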
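Review bot: In sfa/methods/CreateSliver.py the right name passed to `checkCredentials` is a bare string that has to match an entry in `privilege_table` in sfa/trust/rights.py, and nothing in the code ties the two together; the same applies to the DeleteSliver, ListResources and SliverStatus hunks. A misspelled name would only surface when the method is called, and how an unknown right is treated is not visible here (the `authority` entry carries `"*"`). A short comment on the call, e.g. `# right name must match an entry in privilege_table (sfa/trust/rights.py)`, would make the dependency explicit. `call` starts and ends outside the hunk.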
+++ b/sfa/methods/DeleteSliver.py
@@ -25,7 +25,7 @@ class DeleteSliver(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
 # Find the valid credentials
- ValidCreds = self.api.auth.checkCredentials(creds, 'deleteslice', hrn)
+ ValidCreds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn)
 manager_base = 'sfa.managers'
diff --git a/sfa/methods/ListResources.py b/sfa/methods/ListResources.py
index ffc57cf7..6f8611d5 100644
--- a/sfa/methods/ListResources.py
+++ b/sfa/methods/ListResources.py
@@ -30,7 +30,7 @@ class ListResources(Method):
 xrn = options['geni_slice_urn']
 hrn, _ = urn_to_hrn(xrn)
- ValidCreds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+ ValidCreds = self.api.auth.checkCredentials(creds, 'listresources', hrn)
 origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/SliverStatus.py b/sfa/methods/SliverStatus.py
index 6b900964..24d6ff2a 100644
--- a/sfa/methods/SliverStatus.py
+++ b/sfa/methods/SliverStatus.py
@@ -2,7 +2,6 @@ from sfa.util.faults import *
 from sfa.util.namespace import *
 from sfa.util.method import Method
 from sfa.util.parameter import Parameter
-from sfa.server.aggregate import Aggregates
 class SliverStatus(Method):
 """
@@ -20,10 +19,7 @@ class SliverStatus(Method):
 def call(self, slice_xrn, creds):
 hrn, type = urn_to_hrn(slice_xrn)
- # Make sure that this is a geni_aggregate talking to us
- geni_aggs = Aggregates(self.api, '/etc/sfa/geni_aggregates.xml')
- if not hrn in [agg['hrn'] for agg in geni_aggs]:
- raise SfaPermissionDenied("Only GENI Aggregates may make this call")
+ ValidCreds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
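Review bot: In sfa/methods/SliverStatus.py the new `checkCredentials(creds, 'sliverstatus', hrn)` call sits before the `self.api.logger.info(...)` line, whereas CreateSliver and DeleteSliver log first and check afterwards. If `checkCredentials` raises on failure, a rejected SliverStatus call leaves no entry from this method, unless the auth layer logs it itself, which is not visible here. Moving the check below the log line keeps the three methods consistent and keeps denied attempts in the log: `self.api.logger.info(...)` followed by `ValidCreds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)`. The rest of `call` is outside the hunk.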
@@ -33,7 +29,7 @@ class SliverStatus(Method):
 mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
 manager_module = manager_base + ".geni_am_%s" % mgr_type
 manager = __import__(manager_module, fromlist=[manager_base])
- return manager.SliverStatus(self.api, slice_xrn)
+ return manager.SliverStatus(self.api, slice_xrn, ValidCreds)
 return ''
diff --git a/sfa/trust/rights.py b/sfa/trust/rights.py
index ee840143..3c12df40 100644
--- a/sfa/trust/rights.py
+++ b/sfa/trust/rights.py
@@ -16,16 +16,16 @@
 # privilege_table is a list of priviliges and what operations are allowed
 # per privilege.
-privilege_table = {"authority": ["register", "remove", "update", "resolve", "list", "getcredential", "*"],
+privilege_table = {"authority": ["register", "remove", "update", "resolve", "list", "listresources", "getcredential", "*"],
 "refresh": ["remove", "update"],
- "resolve": ["resolve", "list", "getcredential", "getversion"],
- "sa": ["getticket", "redeemslice", "redeemticket", "createslice", "deleteslice", "updateslice",
+ "resolve": ["resolve", "list", "listresources", "getcredential", "getversion"],
+ "sa": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
 "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
- "deleteslice", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
- "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "deleteslice", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
+ "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
+ "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
 "bind": ["getticket", "loanresources", "redeemticket"],
- "control": ["updateslice", "createslice", "sliverstatus", "stopslice", "startslice", "deleteslice", "resetslice", "getsliceresources", "getgids"],
- "info": ["listslices", "listnodes", "getpolicy"],
+ "control": ["updateslice", "createslice", "createsliver", "sliverstatus", "stopslice", "startslice", "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
+ "info": ["listslices", "listnodes", "getpolicy","listresources"],
 "ma": ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
 "operator": ["gettrustedcerts",
"getgids"]}
--
2.47.0