'geni_api_versions': geni_api_versions,
'hrn':xrn.get_hrn(),
'urn':xrn.get_urn(),
+ 'geni_handles_speaksfor': True, # supports 'speaks for' credentials
}
version.update(version_generic)
testbed_version = self.driver.aggregate_version()
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
# Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn, speaking_for)
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
# make sure users info is specified
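Review bot: The added `urn_to_hrn(options.get('geni_speaking_for'))` passes `None` to `urn_to_hrn` whenever the caller omits the option, and how `urn_to_hrn` handles `None` is not visible here. If it raises, or returns a non-empty string, every ordinary call without the option is affected, so I would only parse the value when it is present: `sf_urn = options.get('geni_speaking_for')` then `speaking_for = urn_to_hrn(sf_urn)[0] if sf_urn else None`. The same line is added in the 'deletesliver', 'listnodes', 'renewsliver', 'sliverstatus', 'startslice' and 'stopslice' hunks. The enclosing method starts and ends outside this hunk.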
def call(self, xrn, creds, options):
(hrn, type) = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn, speaking_for)
#log the call
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
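Review bot: `origin_hrn` is still taken from `valid_creds[0]`, but with the new `checkCredentials` the returned list can mix credentials that validated against the slice with ones accepted only through the speaks-for fallback, in the order the caller supplied them. Which identity gets recorded as the origin then depends on caller-chosen ordering. I would decide explicitly whether the origin is the calling tool or the user being spoken for, and document it on this line, e.g. `# origin_hrn: caller of the first valid credential; may be the speaks-for credential when geni_speaking_for is set`. The same pattern appears in the 'createsliver', 'startslice' and 'stopslice' hunks.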
# get slice's hrn from options
xrn = options.get('geni_slice_urn', '')
(hrn, _) = urn_to_hrn(xrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
# Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn, speaking_for)
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+
# Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn)
+ valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn, speaking_for)
# Validate that the time does not go beyond the credential's expiration time
requested_time = utcparse(expiration_time)
def call(self, slice_xrn, creds, options):
hrn, type = urn_to_hrn(slice_xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn, speaking_for)
self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
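Review bot: The `logger.info` line after the new check still records only interface, target hrn and method name, so a call made on someone else's behalf looks the same in the log as a direct call. For an audit trail I would add the delegated identity, e.g. `"...\tspeaking-for: %s\tmethod-name: %s" % (..., speaking_for, self.name)`, if nothing downstream parses the current format. In the 'createsliver' and 'renewsliver' hunks the log line comes before `speaking_for` is computed, so it would have to move below it.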
def call(self, xrn, creds):
hrn, type = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn, speaking_for)
#log the call
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
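Review bot: `options` is not defined in this method: the signature shown in the hunk is `def call(self, xrn, creds):`, so the added `options.get('geni_speaking_for')` raises NameError on every call unless a module-level `options` exists outside the hunk. The 'stopslice' hunk has the same signature and the same added line. Either accept the argument, e.g. `def call(self, xrn, creds, options=None):` with `options = options or {}`, and update the method's declared parameters if it has any, or drop the speaks-for lookup from these two methods. The rest of the method is outside the hunk.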
def call(self, xrn, creds):
hrn, type = urn_to_hrn(xrn)
- valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn)
+ (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
+ valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn, speaking_for)
#log the call
origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
-
-
- def checkCredentials(self, creds, operation, hrn = None):
+
+ def checkCredentials(self, creds, operation, hrn = None, speaking_for_hrn = None):
+
+ def log_invalid_cred(cred):
+ cred_obj=Credential(string=cred)
+ logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+ error = sys.exc_info()[:2]
+ return error
+
valid = []
+ speaks_for_cred = None
+
if not isinstance(creds, list):
creds = [creds]
logger.debug("Auth.checkCredentials with %d creds"%len(creds))
self.check(cred, operation, hrn)
valid.append(cred)
except:
- cred_obj=Credential(string=cred)
- logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
- error = sys.exc_info()[:2]
+ # check if credential is a 'speaks for credential'
+ if speaking_for_hrn:
+ try:
+ self.check(cred, operation, speaking_for_hrn)
+ speaks_for_cred = cred
+ valid.append(cred)
+ except:
+ error = log_invalid_cred(cred)
+ else:
+ error = log_invalid_cred(cred)
continue
if not len(valid):
raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+ if speaking_for_hrn and not speaks_for_cred:
+ raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+
+
return valid
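Review bot: The fallback `self.check(cred, operation, speaking_for_hrn)` validates a credential against an hrn derived from the caller-supplied `geni_speaking_for` option instead of the target `hrn`, and then appends it to `valid`. As written, `valid` can consist solely of such credentials, so nothing in this hunk requires any credential to have passed the check against the target. Whether that is safe depends on what `self.check` verifies, which is not shown; I would confirm it and add a docstring stating which credential authorizes the target and how the speaks-for credential is bound to the caller. Separately, `error` is unbound at the new `raise` when every credential passed the first check but none was a speaks-for credential, giving UnboundLocalError instead of InsufficientRights; initialising `error = (None, None)` next to `valid = []` avoids that. The `for` and `try` lines of the loop are outside the hunk.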