adding support for geni_speaking_for option
authorTony Mack <tmack@paris.CS.Princeton.EDU>
Wed, 22 Jan 2014 02:50:11 +0000 (21:50 -0500)
committerTony Mack <tmack@paris.CS.Princeton.EDU>
Wed, 22 Jan 2014 02:50:11 +0000 (21:50 -0500)
sfa/managers/aggregate_manager.py
sfa/methods/CreateSliver.py
sfa/methods/DeleteSliver.py
sfa/methods/ListResources.py
sfa/methods/RenewSliver.py
sfa/methods/SliverStatus.py
sfa/methods/Start.py
sfa/methods/Stop.py
sfa/trust/auth.py

index 2ad3f9c..36126c2 100644 (file)
@@ -24,6 +24,7 @@ class AggregateManager:
             'geni_api_versions': geni_api_versions, 
             'hrn':xrn.get_hrn(),
             'urn':xrn.get_urn(),
+            'geni_handles_speaksfor': True,     # supports 'speaks for' credentials  
             }
         version.update(version_generic)
         testbed_version = self.driver.aggregate_version()
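Review bot: Advertising `'geni_handles_speaksfor': True` tells clients this aggregate accepts speaks-for requests, yet in this same commit Start.py and Stop.py read `options` inside a `call(self, xrn, creds)` that has no such parameter, so a speaks-for call to those methods would fail before reaching checkCredentials; the capability flag should land together with working handlers. The inline comment also carries trailing whitespace; `'geni_handles_speaksfor': True,  # supports 'speaks for' credentials` is enough. The enclosing method starts before this hunk and continues past it.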
index 2797489..bc9bf96 100644 (file)
@@ -34,8 +34,10 @@ class CreateSliver(Method):
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
 
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+    
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn)
+        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn, speaking_for)
         origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
 
         # make sure users info is specified
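Review bot: `urn_to_hrn(options.get('geni_speaking_for'))` is evaluated even when the option is absent, so `None` is passed to urn_to_hrn; unless that helper is known to return a `(None, None)`-style pair for `None`, guard the lookup, e.g. `speaking_for_urn = options.get('geni_speaking_for')` followed by `speaking_for = urn_to_hrn(speaking_for_urn)[0] if speaking_for_urn else None`. The same two lines are pasted into DeleteSliver, ListResources, RenewSliver and SliverStatus; a small helper on Method, or letting checkCredentials accept the URN itself, would keep the conversion in one place. The line added right after the assignment is whitespace-only (RenewSliver has the same). The call body continues outside this hunk.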
index c9e40a4..caa3694 100644 (file)
@@ -26,7 +26,8 @@ class DeleteSliver(Method):
     
     def call(self, xrn, creds, options):
         (hrn, type) = urn_to_hrn(xrn)
-        valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn)
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+        valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn, speaking_for)
 
         #log the call
         origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
index 04359a0..4fb0faf 100644 (file)
@@ -36,9 +36,10 @@ class ListResources(Method):
         # get slice's hrn from options    
         xrn = options.get('geni_slice_urn', '')
         (hrn, _) = urn_to_hrn(xrn)
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
 
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn, speaking_for)
 
         # get hrn of the original caller 
         origin_hrn = options.get('origin_hrn', None)
index c64b884..735a566 100644 (file)
@@ -32,8 +32,10 @@ class RenewSliver(Method):
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
 
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+        
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn)
+        valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn, speaking_for)
 
         # Validate that the time does not go beyond the credential's expiration time
         requested_time = utcparse(expiration_time)
index deb7998..a3cff50 100644 (file)
@@ -21,7 +21,8 @@ class SliverStatus(Method):
 
     def call(self, slice_xrn, creds, options):
         hrn, type = urn_to_hrn(slice_xrn)
-        valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+        valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn, speaking_for)
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
     
index 1412222..b4d88ee 100644 (file)
@@ -26,7 +26,8 @@ class Start(Method):
     
     def call(self, xrn, creds):
         hrn, type = urn_to_hrn(xrn)
-        valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn)
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+        valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn, speaking_for)
 
         #log the call
         origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
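Review bot: `options` is not a parameter of `call(self, xrn, creds)` shown two lines above the change, so `options.get('geni_speaking_for')` raises NameError at runtime unless a module-level `options` happens to exist, and every Start call — with or without the option — would fail; Stop.py has the identical defect. The signature needs the argument, e.g. `def call(self, xrn, creds, options=None):` with `(speaking_for, _) = urn_to_hrn((options or {}).get('geni_speaking_for'))`, and the method's declared accepted-parameter list, which lies outside this hunk, presumably needs a matching entry. The call body continues past the hunk.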
index 0d80282..654ac40 100644 (file)
@@ -26,7 +26,8 @@ class Stop(Method):
     
     def call(self, xrn, creds):
         hrn, type = urn_to_hrn(xrn)
-        valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn)
+        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+        valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn, speaking_for)
 
         #log the call
         origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
index 0c03279..48ad5b2 100644 (file)
@@ -34,10 +34,18 @@ class Auth:
         self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
         self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
-        
-        
-    def checkCredentials(self, creds, operation, hrn = None):
+       
+    def checkCredentials(self, creds, operation, hrn = None, speaking_for_hrn = None):
+
+        def log_invalid_cred(cred):
+            cred_obj=Credential(string=cred)
+            logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+            error = sys.exc_info()[:2]
+            return error
+
         valid = []
+        speaks_for_cred = None
+
         if not isinstance(creds, list):
             creds = [creds]
         logger.debug("Auth.checkCredentials with %d creds"%len(creds))
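Review bot: The new `speaking_for_hrn` parameter changes what checkCredentials accepts, but the method still has no docstring stating the rule; the body continues in a second hunk that runs past the end of this page, where a credential that fails against `hrn` but passes `self.check(cred, operation, speaking_for_hrn)` is appended to `valid`, after which `if not len(valid)` is satisfied without any credential having validated against `hrn` itself. Whether `check` with the spoken-for HRN as target also covers authorization on `hrn` is not visible here; if it does not, a speaks-for credential alone would authorize `operation` on the slice, so either the docstring should rule that out or the loop should require at least one credential valid for `hrn` alongside the speaks-for one. Separately, `error` is bound only when a credential fails, so the added `speaking_for_hrn and not speaks_for_cred` raise formats `error[0]` after a run in which every credential passed the first check and `error` was never assigned. A docstring such as `"""Validate creds for operation on hrn; when speaking_for_hrn is given, a credential valid for that HRN is accepted as the speaks-for credential and one must be present."""` would pin the intended contract.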
@@ -46,14 +54,25 @@ class Auth:
                 self.check(cred, operation, hrn)
                 valid.append(cred)
             except:
-                cred_obj=Credential(string=cred)
-                logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
-                error = sys.exc_info()[:2]
+                # check if credential is a 'speaks for  credential'
+                if speaking_for_hrn:
+                    try:
+                        self.check(cred, operation, speaking_for_hrn)
+                        speaks_for_cred = cred
+                        valid.append(cred)    
+                    except:
+                        error = log_invalid_cred(cred)
+                else:
+                    error = log_invalid_cred(cred)
                 continue
             
         if not len(valid):
             raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
         
+        if speaking_for_hrn and not speaks_for_cred:
+            raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+            
+        
         return valid