#
-# GeniAPI authentication
-#
-### $Id$
-### $URL$
+# SfaAPI authentication
#
+import sys
-import time
+from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
+ BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
+from sfa.util.sfalogging import logger
+from sfa.util.config import Config
+from sfa.util.xrn import Xrn, get_authority
+from sfa.trust.gid import GID
+from sfa.trust.rights import Rights
+from sfa.trust.certificate import Keypair, Certificate
from sfa.trust.credential import Credential
-from sfa.trust.trustedroot import TrustedRootList
-from sfa.trust.rights import RightList
-from sfa.util.faults import *
+from sfa.trust.trustedroots import TrustedRoots
from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import GeniTable
-from sfa.util.config import *
-from sfa.util.misc import *
-from sfa.trust.gid import GID
+from sfa.trust.sfaticket import SfaTicket
+
class Auth:
"""
self.hierarchy = Hierarchy()
if not config:
self.config = Config()
- self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+ self.load_trusted_certs()
+ def load_trusted_certs(self):
+ self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+ self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
- def check(self, cred, operation):
+
+
+ def checkCredentials(self, creds, operation, xrns=[]):
+ if not isinstance(xrns, list):
+ xrns = [xrns]
+ hrns = [Xrn(xrn).hrn for xrn in xrns]
+ valid = []
+ if not isinstance(creds, list):
+ creds = [creds]
+ logger.debug("Auth.checkCredentials with %d creds"%len(creds))
+ error=[ "no credential","was given"]
+ for cred in creds:
+ for hrn in hrns:
+ try:
+ self.check(cred, operation, hrn)
+ valid.append(cred)
+ except:
+ cred_obj=Credential(string=cred)
+ logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ error = sys.exc_info()[:2]
+ continue
+
+ if not len(valid):
+ raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+
+ return valid
+
+
+ def check(self, cred, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
HTTPS connection, check if the credential was signed by a
- trusted cert and check if the credential is allowd to perform
+ trusted cert and check if the credential is allowed to perform
the specified operation.
"""
self.client_cred = Credential(string = cred)
raise InsufficientRights(operation)
if self.trusted_cert_list:
- self.client_cred.verify_chain(self.trusted_cert_list)
- if self.client_gid:
- self.client_gid.verify_chain(self.trusted_cert_list)
- if self.object_gid:
- self.object_gid.verify_chain(self.trusted_cert_list)
-
+ self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+ else:
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
+ trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
+ if hrn and self.client_gid.get_hrn() not in trusted_peers:
+ target_hrn = self.object_gid.get_hrn()
+ if not hrn == target_hrn:
+ raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
+ (target_hrn, hrn) )
return True
- def verifyPeerCert(self, cert, gid):
- # make sure the client_gid matches client's certificate
- if not cert:
- peer_cert = self.peer_cert
+ def check_ticket(self, ticket):
+ """
+ Check if the tickt was signed by a trusted cert
+ """
+ if self.trusted_cert_list:
+ client_ticket = SfaTicket(string=ticket)
+ client_ticket.verify_chain(self.trusted_cert_list)
else:
- peer_cert = cert
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
- if not gid:
- peer_gid = self.client_gid
- else:
- peer_gid = gid
- if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
+ return True
+
+ def verifyPeerCert(self, cert, gid):
+ # make sure the client_gid matches client's certificate
+ if not cert.is_pubkey(gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject())
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
def validateCred(self, cred):
if self.trusted_cert_list:
- cred.verify_chain(self.trusted_cert_list)
- caller_gid = cred.get_gid_caller()
- object_gid = cred.get_gid_object()
- if caller_gid:
- caller_gid.verify_chain(self.trusted_cert_list)
- if object_gid:
- object_gid.verify_chain(self.trusted_cert_list)
+ cred.verify(self.trusted_cert_file_list)
def authenticateGid(self, gidStr, argList, requestHash=None):
gid = GID(string = gidStr)
def authenticateCert(self, certStr, requestHash):
cert = Certificate(string=certStr)
- self.validateCert(self, cert)
+ # xxx should be validateCred ??
+ self.validateCred(cert)
def gidNoop(self, gidStr, value, requestHash):
self.authenticateGid(gidStr, [gidStr, value], requestHash)
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
- raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+ raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
return
raise PermissionError(name)
- def determine_user_rights(self, src_cred, record):
+ def determine_user_rights(self, caller_hrn, reg_record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
- Src_cred can be None when obtaining a user credential, but should be
- set to a valid user credential when obtaining a slice or authority
- credential.
-
- This is intended to replace determine_rights() and
+
+ This is intended to replace determine_user_rights() and
verify_cancreate_credential()
"""
- type = record['type']
- if src_cred:
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- else:
- # supplying src_cred==None is only valid when obtaining user
- # credentials.
- #assert(type == "user")
-
- cred_object_hrn = None
-
- rl = RightList()
-
- if type=="slice":
- researchers = record.get("researcher", [])
- if (cred_object_hrn in researchers):
- rl.add("refresh")
- rl.add("embed")
- rl.add("bind")
- rl.add("control")
- rl.add("info")
-
- elif type == "authority":
- pis = record.get("pi", [])
- operators = record.get("operator", [])
- if (cred_object_hrn in pis):
- rl.add("authority,sa")
- if (cred_object_hrn in operators):
- rl.add("authority,ma")
-
- elif type == "user":
- rl.add("refresh")
- rl.add("resolve")
- rl.add("info")
+ rl = Rights()
+ type = reg_record.type
+
+ logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
+
+ if type == 'slice':
+ # researchers in the slice are in the DB as-is
+ researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+ # locating PIs attached to that slice
+ slice_pis=reg_record.get_pis()
+ pi_hrns = [ user.hrn for user in slice_pis ]
+ if (caller_hrn in researcher_hrns + pi_hrns):
+ rl.add('refresh')
+ rl.add('embed')
+ rl.add('bind')
+ rl.add('control')
+ rl.add('info')
+
+ elif type == 'authority':
+ pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
+ if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+ rl.add('authority')
+ rl.add('sa')
+ rl.add('ma')
+ if (caller_hrn in pi_hrns):
+ rl.add('authority')
+ rl.add('sa')
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site
+ # it seems like this is not needed any longer, so for now I just drop that
+ # operator_hrns = reg_record.get('operator',[])
+ # if (caller_hrn in operator_hrns):
+ # rl.add('authority')
+ # rl.add('ma')
+
+ elif type == 'user':
+ rl.add('refresh')
+ rl.add('resolve')
+ rl.add('info')
+
+ elif type == 'node':
+ rl.add('operator')
return rl
- def verify_cancreate_credential(self, src_cred, record):
+ def get_authority(self, hrn):
+ return get_authority(hrn)
+
+ def filter_creds_by_caller(self, creds, caller_hrn_list):
"""
- Verify that a user can retrive a particular type of credential.
- For slices, the user must be on the researcher list. For SA and
- MA the user must be on the pi and operator lists respectively
+ Returns a list of creds who's gid caller matches the
+ specified caller hrn
"""
+ if not isinstance(creds, list):
+ creds = [creds]
+ creds = []
+ if not isinstance(caller_hrn_list, list):
+ caller_hrn_list = [caller_hrn_list]
+ for cred in creds:
+ try:
+ tmp_cred = Credential(string=cred)
+ if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]:
+ creds.append(cred)
+ except: pass
+ return creds
- type = record.get_type()
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]:
- return
- if type=="slice":
- researchers = record.get("researcher", [])
- if not (cred_object_hrn in researchers):
- raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
- elif type == "sa":
- pis = record.get("pi", [])
- if not (cred_object_hrn in pis):
- raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
- elif type == "ma":
- operators = record.get("operator", [])
- if not (cred_object_hrn in operators):
- raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
-
- def get_authority(self, hrn):
- return get_authority(hrn)
git://git.onelab.eu / sfa.git / blobdiff