From 8fafde90c2adc18c9057767c16f6a571e3b170b8 Mon Sep 17 00:00:00 2001
From: Josh Karlin
Date: Tue, 20 Apr 2010 15:32:51 +0000
Subject: [PATCH] Merged from trunk 17645:17739
---
 sfa/methods/create_slice.py | 2 +-
 sfa/methods/delete_slice.py | 2 +-
 sfa/methods/get_resources.py | 6 +-----
 sfa/methods/get_ticket.py | 2 +-
 sfa/methods/reset_slice.py | 2 +-
 sfa/methods/start_slice.py | 2 +-
 sfa/methods/stop_slice.py | 2 +-
 sfa/plc/network.py | 1 +
 sfa/trust/auth.py | 12 ++++++++++--
 sfa/util/table.py | 9 ++++++---
 10 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/sfa/methods/create_slice.py b/sfa/methods/create_slice.py
index a85e8e50..a55b96e2 100644
--- a/sfa/methods/create_slice.py
+++ b/sfa/methods/create_slice.py
@@ -53,7 +53,7 @@ class create_slice(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the credential
- self.api.auth.check(cred, 'createslice')
+ self.api.auth.check(cred, 'createslice', hrn)
 manager_base = 'sfa.managers'
 if self.api.interface in ['aggregate']:
diff --git a/sfa/methods/delete_slice.py b/sfa/methods/delete_slice.py
index 78baafac..3441998a 100644
--- a/sfa/methods/delete_slice.py
+++ b/sfa/methods/delete_slice.py
@@ -38,7 +38,7 @@ class delete_slice(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the credential
- self.api.auth.check(cred, 'deleteslice')
+ self.api.auth.check(cred, 'deleteslice', hrn)
 # send the call to the right manager
 manager_base = 'sfa.managers'
diff --git a/sfa/methods/get_resources.py b/sfa/methods/get_resources.py
index 39045988..4a08c264 100644
--- a/sfa/methods/get_resources.py
+++ b/sfa/methods/get_resources.py
@@ -45,11 +45,7 @@ class get_resources(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the cred
- self.api.logger.info("Checking for %s" % self.api.interface)
- #self.api.logger.info("Credential = %s" % cred)
- self.api.auth.check(cred, 'listnodes')
- self.api.logger.info("Checked out!")
-
+ self.api.auth.check(cred, 'listnodes', hrn)
 # send the call to the right manager
 manager_base = 'sfa.managers'
diff --git a/sfa/methods/get_ticket.py b/sfa/methods/get_ticket.py
index 489bbea4..bbcfdf64 100644
--- a/sfa/methods/get_ticket.py
+++ b/sfa/methods/get_ticket.py
@@ -53,7 +53,7 @@ class get_ticket(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the cred
- self.api.auth.check(cred, "getticket")
+ self.api.auth.check(cred, "getticket", hrn)
 # set the right outgoing rules
 manager_base = 'sfa.managers'
diff --git a/sfa/methods/reset_slice.py b/sfa/methods/reset_slice.py
index 9d0e0f09..cd9026c4 100644
--- a/sfa/methods/reset_slice.py
+++ b/sfa/methods/reset_slice.py
@@ -30,7 +30,7 @@ class reset_slice(Method):
 def call(self, cred, xrn, origin_hrn=None):
 hrn, type = urn_to_hrn(xrn)
- self.api.auth.check(cred, 'resetslice')
+ self.api.auth.check(cred, 'resetslice', hrn)
 # send the call to the right manager
 manager_base = 'sfa.managers'
 if self.api.interface in ['component']:
diff --git a/sfa/methods/start_slice.py b/sfa/methods/start_slice.py
index cbd7f4d5..86f932fc 100644
--- a/sfa/methods/start_slice.py
+++ b/sfa/methods/start_slice.py
@@ -37,7 +37,7 @@ class start_slice(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the cred
- self.api.auth.check(cred, 'startslice')
+ self.api.auth.check(cred, 'startslice', hrn)
 # send the call to the right manager
 manager_base = 'sfa.managers'
diff --git a/sfa/methods/stop_slice.py b/sfa/methods/stop_slice.py
index e1110983..184b27c4 100644
--- a/sfa/methods/stop_slice.py
+++ b/sfa/methods/stop_slice.py
@@ -38,7 +38,7 @@ class stop_slice(Method):
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 # validate the cred
- self.api.auth.check(cred, 'stopslice')
+ self.api.auth.check(cred, 'stopslice', hrn)
 # send the call to the right manager
 manager_base = 'sfa.managers'
diff --git a/sfa/plc/network.py b/sfa/plc/network.py
index 01ed4f77..41c5f459 100644
--- a/sfa/plc/network.py
+++ b/sfa/plc/network.py
@@ -116,6 +116,7 @@ class Slice:
 self.network = network
 self.id = slice['slice_id']
 self.name = slice['name']
+ self.peer_id = slice['peer_id']
 self.node_ids = set(slice['node_ids'])
 self.slice_tag_ids = slice['slice_tag_ids']
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 1358547c..abe76fd0 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -26,12 +26,13 @@ class Auth:
 if not config:
 self.config = Config()
 self.load_trusted_certs()
- self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
 def load_trusted_certs(self):
 self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+ self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
+
- def check(self, cred, operation):
+ def check(self, cred, operation, hrn = None):
 """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the
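Review bot: The new `hrn` parameter on `check` is not described in the docstring that starts on the hunk's last line and continues outside the hunk, yet its semantics decide whether a credential is bound to its target at all: any caller that keeps passing two arguments gets the default `None` and the pre-existing behaviour. A one-line addition to the docstring would make this explicit, e.g. `hrn: if given, the credential's object GID must carry this hrn unless the caller is a trusted peer; None skips the target check.` The signature also departs from PEP 8 spacing and should read `def check(self, cred, operation, hrn=None):`. The body of `check` continues outside this hunk.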
@@ -61,6 +62,13 @@ class Auth:
 else:
 raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
+ trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
+ if hrn and client_gid.get_hrn() not in trusted_peers:
+ if not hrn == object_gid.get_hrn():
+ raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ (object_gid.get_hrn(), hrn) )
 return True
 def check_ticket(self, ticket):
diff --git a/sfa/util/table.py b/sfa/util/table.py
index 40386ee4..c77e114f 100644
--- a/sfa/util/table.py
+++ b/sfa/util/table.py
@@ -84,7 +84,9 @@ class SfaTable(list):
 self.db.do(querystr)
 for index in indexes:
 self.db.do(index)
-
+
+ sefl.db.commit()
+
 def remove(self, record):
 query_str = "DELETE FROM %s WHERE record_id = %s" % \
 (self.tablename, record['record_id'])
@@ -92,10 +94,11 @@ class SfaTable(list):
 # if this is a site, remove all records where 'authority' == the
 # site's hrn
- if record['type'] == 'site':
+ if record['type'] == 'authority':
 sql = " DELETE FROM %s WHERE authority = %s" % \
 (self.tablename, record['hrn'])
- self.db.do(sql)
+ self.db.do(sql)
+ self.db.commit()
 def insert(self, record):
 db_fields = self.db_fields(record)
--
2.47.0
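Review bot: The target check on the added `if hrn and client_gid.get_hrn() not in trusted_peers:` line is gated on the truthiness of `hrn`, so an empty-string target skips the binding exactly as `None` does; because the callers derive `hrn` from a caller-supplied xrn via `urn_to_hrn` (visible in the reset_slice hunk), test for presence instead, `if hrn is not None and client_gid.get_hrn() not in trusted_peers:`, and write the inner test idiomatically as `if hrn != object_gid.get_hrn():`. Whether `urn_to_hrn` can yield an empty hrn for a malformed xrn is not visible here, so the calling methods may additionally want to reject a falsy hrn before invoking `check`. The trusted-peer exemption compares the caller GID's hrn against a list of names, which is only sound if `client_gid` has already been verified against the trusted roots earlier in `check`; a comment on the `trusted_peers` line should state that assumption, e.g. `# client_gid is assumed to be verified against trusted roots above`. `client_gid` and `object_gid` are bound outside this hunk, and `check` begins outside it.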
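Review bot: `sefl.db.commit()` on the added line in the `@@ -84,7 +84,9 @@` hunk misspells `self`, so the table-creation path raises `NameError` the first time it runs and the preceding `self.db.do(...)` statements are never committed; it should read `self.db.commit()`. The enclosing method starts outside this hunk, so it is not visible whether the statements above run inside a transaction that this commit is meant to close.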
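Review bot: The cascade under the new `if record['type'] == 'authority':` branch in the `@@ -92,10 +94,11 @@` hunk builds its statement as `" DELETE FROM %s WHERE authority = %s" % (self.tablename, record['hrn'])`, so the record's hrn is spliced into the SQL text with no quoting or escaping by this code; if `self.db.do` accepts bound parameters (not visible here), the hrn should be passed as one, and otherwise it should go through the DB layer's quoting rather than `%` formatting. The added `self.db.commit()` makes the authority-wide deletion permanent within the same call, which deserves a comment on that line since the branch removes every record under the authority, not only the record passed in, e.g. `# commits the cascade: all records whose authority is this hrn are gone`. The `remove` method begins outside this hunk.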