Merged from trunk 17645:17739
authorJosh Karlin <jkarlin@bbn.com>
Tue, 20 Apr 2010 15:32:51 +0000 (15:32 +0000)
committerJosh Karlin <jkarlin@bbn.com>
Tue, 20 Apr 2010 15:32:51 +0000 (15:32 +0000)
sfa/methods/create_slice.py
sfa/methods/delete_slice.py
sfa/methods/get_resources.py
sfa/methods/get_ticket.py
sfa/methods/reset_slice.py
sfa/methods/start_slice.py
sfa/methods/stop_slice.py
sfa/plc/network.py
sfa/trust/auth.py
sfa/util/table.py

index a85e8e5..a55b96e 100644 (file)
@@ -53,7 +53,7 @@ class create_slice(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
          
         # validate the credential
-        self.api.auth.check(cred, 'createslice')
+        self.api.auth.check(cred, 'createslice', hrn)
 
         manager_base = 'sfa.managers'
         if self.api.interface in ['aggregate']:
index 78baafa..3441998 100644 (file)
@@ -38,7 +38,7 @@ class delete_slice(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 
         # validate the credential
-        self.api.auth.check(cred, 'deleteslice')
+        self.api.auth.check(cred, 'deleteslice', hrn)
 
         # send the call to the right manager
         manager_base = 'sfa.managers'
index 3904598..4a08c26 100644 (file)
@@ -45,11 +45,7 @@ class get_resources(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 
         # validate the cred    
-        self.api.logger.info("Checking for %s" % self.api.interface)
-        #self.api.logger.info("Credential = %s" % cred)
-        self.api.auth.check(cred, 'listnodes')
-        self.api.logger.info("Checked out!")
-        
+        self.api.auth.check(cred, 'listnodes', hrn)
 
         # send the call to the right manager
         manager_base = 'sfa.managers'
index 489bbea..bbcfdf6 100644 (file)
@@ -53,7 +53,7 @@ class get_ticket(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 
         # validate the cred
-        self.api.auth.check(cred, "getticket")
+        self.api.auth.check(cred, "getticket", hrn)
        
         # set the right outgoing rules
         manager_base = 'sfa.managers'
index 9d0e0f0..cd9026c 100644 (file)
@@ -30,7 +30,7 @@ class reset_slice(Method):
     
     def call(self, cred, xrn, origin_hrn=None):
         hrn, type = urn_to_hrn(xrn)
-        self.api.auth.check(cred, 'resetslice')
+        self.api.auth.check(cred, 'resetslice', hrn)
         # send the call to the right manager
         manager_base = 'sfa.managers'
         if self.api.interface in ['component']:
index cbd7f4d..86f932f 100644 (file)
@@ -37,7 +37,7 @@ class start_slice(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 
         # validate the cred
-        self.api.auth.check(cred, 'startslice')
+        self.api.auth.check(cred, 'startslice', hrn)
        
         # send the call to the right manager
         manager_base = 'sfa.managers'
index e111098..184b27c 100644 (file)
@@ -38,7 +38,7 @@ class stop_slice(Method):
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
 
         # validate the cred
-        self.api.auth.check(cred, 'stopslice')
+        self.api.auth.check(cred, 'stopslice', hrn)
        
         # send the call to the right manager
         manager_base = 'sfa.managers'
index 01ed4f7..41c5f45 100644 (file)
@@ -116,6 +116,7 @@ class Slice:
         self.network = network
         self.id = slice['slice_id']
         self.name = slice['name']
+        self.peer_id = slice['peer_id']
         self.node_ids = set(slice['node_ids'])
         self.slice_tag_ids = slice['slice_tag_ids']
     
index 1358547..abe76fd 100644 (file)
@@ -26,12 +26,13 @@ class Auth:
         if not config:
             self.config = Config()
         self.load_trusted_certs()
-        self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
 
     def load_trusted_certs(self):
         self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+        self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
+
         
-    def check(self, cred, operation):
+    def check(self, cred, operation, hrn = None):
         """
         Check the credential against the peer cert (callerGID included 
         in the credential matches the caller that is connected to the 
@@ -61,6 +62,13 @@ class Auth:
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        
+        # Make sure the credential's target matches the specified hrn. 
+        # This check does not apply to trusted peers
+        trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
+        if hrn and client_gid.get_hrn() not in trusted_peers:
+            if not hrn == object_gid.get_hrn():
+                raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
+                                       (object_gid.get_hrn(), hrn) )       
         return True
 
     def check_ticket(self, ticket):
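Review bot: The new target check guarded by `if hrn and client_gid.get_hrn() not in trusted_peers:` is skipped for any falsy hrn, so a caller that passes an empty string (or omits the argument, since the default stays None) gets no binding between the credential's object and the requested target at all. Using `if hrn is not None and client_gid.get_hrn() not in trusted_peers:` keeps the None back-compat path while making an empty hrn fail closed, and the inner test is clearer as `if hrn != object_gid.get_hrn():`. trusted_peers is rebuilt from self.trusted_cert_list on every call; it could be computed once in load_trusted_certs next to the list it derives from. The comparison is exact, so a credential issued for a sub-object of hrn is rejected — if that is intended it deserves a comment, e.g. `# exact match only: a credential for a child of hrn is not accepted`. check's body starts outside the hunk, and client_gid and object_gid are presumably bound in the part not shown.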
index 40386ee..c77e114 100644 (file)
@@ -84,7 +84,9 @@ class SfaTable(list):
         self.db.do(querystr)
         for index in indexes:
             self.db.do(index)
-
+        
+        sefl.db.commit()
+    
     def remove(self, record):
         query_str = "DELETE FROM %s WHERE record_id = %s" % \
                     (self.tablename, record['record_id']) 
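Review bot: The added `sefl.db.commit()` misspells self and will raise NameError the first time this method runs, so the preceding do() calls for the table and its indexes are never committed; it should read `self.db.commit()`. The enclosing method starts outside the hunk, so I cannot see whether an earlier return path would also need the commit.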
@@ -92,10 +94,11 @@ class SfaTable(list):
         
         # if this is a site, remove all records where 'authority' == the 
         # site's hrn
-        if record['type'] == 'site':
+        if record['type'] == 'authority':
             sql = " DELETE FROM %s WHERE authority = %s" % \
                     (self.tablename, record['hrn'])
-            self.db.do(sql) 
+            self.db.do(sql)
+            self.db.commit() 
 
     def insert(self, record):
         db_fields = self.db_fields(record)
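Review bot: The DELETE just below the changed `if record['type'] == 'authority':` line still splices record['hrn'] into the statement with `%` and no quoting or parameter binding, which leaves the value unquoted (at best a syntax error for a dotted hrn) and makes the statement an injection point if the record originates from a caller; the query_str at the top of remove in the previous hunk has the same shape. If the db wrapper exposes parameter binding, pass the hrn as a bound value; otherwise route it through the wrapper's quoting before formatting. The added `self.db.commit()` runs only inside the authority branch, so the first DELETE (presumably executed in the line between the two hunks) appears to go uncommitted for every other record type unless the connection autocommits — a single commit after the if block would cover both.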