#
-# SfaAPI authentication
+# SfaAPI authentication
#
import sys
Credential based authentication
"""
- def __init__(self, peer_cert = None, config = None ):
+ def __init__(self, peer_cert=None, config=None):
self.peer_cert = peer_cert
self.hierarchy = Hierarchy()
if not config:
# this convenience methods extracts speaking_for_xrn
# from the passed options using 'geni_speaking_for'
- def checkCredentialsSpeaksFor (self, *args, **kwds):
+ def checkCredentialsSpeaksFor(self, *args, **kwds):
if 'options' not in kwds:
- logger.error ("checkCredentialsSpeaksFor was not passed options=options")
+ logger.error(
+ "checkCredentialsSpeaksFor was not passed options=options")
return
# remove the options arg
- options = kwds['options']; del kwds['options']
+ options = kwds['options']
+ del kwds['options']
# compute the speaking_for_xrn arg and pass it to checkCredentials
- if options is None: speaking_for_xrn = None
- else: speaking_for_xrn = options.get('geni_speaking_for', None)
+ if options is None:
+ speaking_for_xrn = None
+ else:
+ speaking_for_xrn = options.get('geni_speaking_for', None)
kwds['speaking_for_xrn'] = speaking_for_xrn
return self.checkCredentials(*args, **kwds)
- # do not use mutable as default argument
+ # do not use mutable as default argument
# http://docs.python-guide.org/en/latest/writing/gotchas/#mutable-default-arguments
- def checkCredentials(self, creds, operation, xrns=None,
- check_sliver_callback=None,
+ def checkCredentials(self, creds, operation, xrns=None,
+ check_sliver_callback=None,
speaking_for_xrn=None):
- if xrns is None: xrns = []
+ if xrns is None:
+ xrns = []
error = (None, None)
+
def log_invalid_cred(cred):
- if not isinstance (cred, StringType):
- logger.info("cannot validate credential %s - expecting a string"%cred)
+ if not isinstance(cred, StringType):
+ logger.info(
+ "cannot validate credential %s - expecting a string" % cred)
error = ('TypeMismatch',
"checkCredentials: expected a string, received {} -- {}"
.format(type(cred), cred))
else:
cred_obj = Credential(string=cred)
- logger.info("failed to validate credential - dump=%s"%\
+ logger.info("failed to validate credential - dump=%s" %
cred_obj.dump_string(dump_parents=True))
error = sys.exc_info()[:2]
return error
if not xrn:
raise BadArgs("Invalid urn or hrn")
-
if not isinstance(xrns, list):
xrns = [xrns]
- slice_xrns = Xrn.filter_type(xrns, 'slice')
+ slice_xrns = Xrn.filter_type(xrns, 'slice')
sliver_xrns = Xrn.filter_type(xrns, 'sliver')
- # we are not able to validate slivers in the traditional way so
- # we make sure not to include sliver urns/hrns in the core validation loop
- hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
+ # we are not able to validate slivers in the traditional way so
+ # we make sure not to include sliver urns/hrns in the core validation
+ # loop
+ hrns = [Xrn(xrn).hrn for xrn in xrns if xrn not in sliver_xrns]
valid = []
if not isinstance(creds, list):
creds = [creds]
- logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
- # won't work if either creds or hrns is empty - let's make it more explicit
- if not creds: raise Forbidden("no credential provided")
- if not hrns: hrns = [None]
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s" %
+ (len(creds), hrns))
+ # won't work if either creds or hrns is empty - let's make it more
+ # explicit
+ if not creds:
+ raise Forbidden("no credential provided")
+ if not hrns:
+ hrns = [None]
speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
speaking_for_xrn, self.trusted_cert_list)
valid.append(cred)
except:
error = log_invalid_cred(cred)
-
+
# make sure all sliver xrns are validated against the valid credentials
if sliver_xrns:
if not check_sliver_callback:
- msg = "sliver verification callback method not found."
+ msg = "sliver verification callback method not found."
msg += " Unable to validate sliver xrns: %s" % sliver_xrns
raise Forbidden(msg)
check_sliver_callback(valid, sliver_xrns)
-
+
if not len(valid):
- raise Forbidden("Invalid credential %s -- %s"%(error[0],error[1]))
-
+ raise Forbidden("Invalid credential %s -- %s" %
+ (error[0], error[1]))
+
return valid
-
- def check(self, credential, operation, hrn = None):
+
+ def check(self, credential, operation, hrn=None):
"""
Check the credential against the peer cert (callerGID) included
in the credential matches the caller that is connected to the
trusted cert and check if the credential is allowed to perform
the specified operation.
"""
- cred = Credential(cred=credential)
+ cred = Credential(cred=credential)
self.client_cred = cred
- logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
- (hrn,cred.pretty_cred()))
+ logger.debug("Auth.check: handling hrn=%s and credential=%s" %
+ (hrn, cred.pretty_cred()))
if cred.type not in ['geni_sfa']:
- raise CredentialNotVerifiable(cred.type, "%s not supported" % cred.type)
+ raise CredentialNotVerifiable(
+ cred.type, "%s not supported" % cred.type)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
-
+
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.pretty_subject())
-
+
# validate the client cert if it exists
if self.peer_cert:
- self.verifyPeerCert(self.peer_cert, self.client_gid)
+ self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
if operation:
self.client_cred.verify(self.trusted_cert_file_list,
self.config.SFA_CREDENTIAL_SCHEMA)
else:
- raise MissingTrustedRoots(self.config.get_trustedroots_dir())
-
- # Make sure the credential's target matches the specified hrn.
- # This check does not apply to trusted peers
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
- raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
- (target_hrn, hrn) )
+ raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " %
+ (target_hrn, hrn))
return True
def check_ticket(self, ticket):
client_ticket = SfaTicket(string=ticket)
client_ticket.verify_chain(self.trusted_cert_list)
else:
- raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
- return True
+ return True
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject())
+ raise ConnectionKeyGIDMismatch(
+ gid.get_subject() + ":" + cert.get_subject())
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
- gid = GID(string = gidStr)
+ gid = GID(string=gidStr)
self.validateGid(gid)
# request_hash is optional
if requestHash:
return gid
def authenticateCred(self, credStr, argList, requestHash=None):
- cred = Credential(string = credStr)
+ cred = Credential(string=credStr)
self.validateCred(cred)
# request hash is optional
if requestHash:
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
# xxx should be validateCred ??
- self.validateCred(cert)
+ self.validateCred(cert)
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
return value
def verify_cred_is_me(self, credential):
- is_me = False
+ is_me = False
cred = Credential(string=credential)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
- return
-
+ return
+
def get_auth_info(self, auth_hrn):
"""
Given an authority name, return the information for that authority.
This is basically a stub that calls the hierarchy module.
-
+
@param auth_hrn human readable name of authority
"""
return self.hierarchy.get_auth_info(auth_hrn)
-
def veriry_auth_belongs_to_me(self, name):
"""
Verify that an authority belongs to our hierarchy.
# get auth info will throw an exception if the authority doesnt exist
self.get_auth_info(name)
-
def verify_object_belongs_to_me(self, name):
"""
Verify that an object belongs to our hierarchy. By extension,
this implies that the authority that owns the object belongs
to our hierarchy. If it does not an exception is thrown.
-
+
@param name human readable name of object
"""
auth_name = self.get_authority(name)
if not auth_name:
- auth_name = name
+ auth_name = name
if name == self.config.SFA_INTERFACE_HRN:
return
- self.verify_auth_belongs_to_me(auth_name)
-
+ self.verify_auth_belongs_to_me(auth_name)
+
def verify_auth_belongs_to_me(self, name):
# get auth info will throw an exception if the authority doesnt exist
- self.get_auth_info(name)
-
+ self.get_auth_info(name)
def verify_object_permission(self, name):
"""
allows permission to the object 'name'. This is done by a simple
prefix test. For example, an object_gid for plc.arizona would
match the objects plc.arizona.slice1 and plc.arizona.
-
+
@param name human readable name to test
"""
object_hrn = self.object_gid.get_hrn()
return
if name.startswith(object_hrn + "."):
return
- #if name.startswith(get_authority(name)):
- #return
-
+ # if name.startswith(get_authority(name)):
+ # return
+
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
+
This is intended to replace determine_user_rights() and
verify_cancreate_credential()
"""
rl = Rights()
type = reg_record.type
- logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%\
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s" %
(reg_record, caller_hrn))
if type == 'slice':
# researchers in the slice are in the DB as-is
- researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+ researcher_hrns = [user.hrn for user in reg_record.reg_researchers]
# locating PIs attached to that slice
slice_pis = reg_record.get_pis()
- pi_hrns = [ user.hrn for user in slice_pis ]
+ pi_hrns = [user.hrn for user in slice_pis]
if (caller_hrn in researcher_hrns + pi_hrns):
rl.add('refresh')
rl.add('embed')
rl.add('info')
elif type == 'authority':
- pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
+ pi_hrns = [user.hrn for user in reg_record.reg_pis]
if (caller_hrn == self.config.SFA_INTERFACE_HRN):
rl.add('authority')
rl.add('sa')
if (caller_hrn in pi_hrns):
rl.add('authority')
rl.add('sa')
- # NOTE: for the PL implementation, this 'operators' list
- # amounted to users with 'tech' role in that site
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site
# it seems like this is not needed any longer, so for now I just drop that
- # operator_hrns = reg_record.get('operator',[])
+ # operator_hrns = reg_record.get('operator', [])
# if (caller_hrn in operator_hrns):
# rl.add('authority')
# rl.add('ma')
tmp_cred = Credential(string=cred)
if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]:
creds.append(cred)
- except: pass
+ except:
+ pass
return creds
-
git://git.onelab.eu / sfa.git / blobdiff