##########
all: keyconvert python wsdl
-install: keyconvert-install python-install wsdl-install xmlbuilder-install
+install: keyconvert-install python-install wsdl-install xmlbuilder-install
clean: keyconvert-clean python-clean wsdl-clean
+uninstall: python-uninstall
+
.PHONY: all install clean
##########
xmlbuilder-install:
cd xmlbuilder-0.9 && python setup.py install --root=$(DESTDIR) && cd -
-
+
python-install:
- python setup.py install --root=$(DESTDIR)
+ python setup.py install --root=$(DESTDIR)
chmod 444 $(DESTDIR)/etc/sfa/default_config.xml
python-clean:
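Review bot: `.PHONY: all install clean` should also list the new `uninstall` target (and `xmlbuilder-install`, which likewise names no real file), otherwise a stray file named `uninstall` in the tree would turn `make uninstall` into a no-op. In the `xmlbuilder-install` recipe the trailing `&& cd -` is redundant: each recipe line runs in its own shell, so the `cd xmlbuilder-0.9` never outlives the line.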
-- test rpms: build/install
+- Tag
+* test rpm build/install
+
+- Trunk
+* use PLC shell instead of xmlrpc when communicating with local plc aggregate
+
+- Client
+ * update getNodes to use lxml.etree for parsing the rspec
- Stop invalid users
* a recently disabled/deleted user may still have a valid cred. Keep a list of valid/invalid users on the aggregate and check callers against this list
- Component manager
+ * GetGids - make this work for peer slices
* GetTicket - must verify_{site,slice,person,keys} on remote aggregate
* Redeem ticket - RedeemTicket/AdminTicket not working. Why?
* install the slice and node gid when the slice is created (create NM plugin to execute sfa_component_setup.py ?)
-- Protogeni
-* agree on standard set of functon calls
-* agree on standard set of privs
-* on permission error, return priv needed to make call
-* cache slice resource states (if aggregate goes down, how do we know what
- slices were on it and recreate them? do we make some sort of transaction log)
-
- Registry
-* sign peer gids
-* update call should attempt to push updates to federated peers if
- the peer has a record for an object that is updated locally
-* api.update_membership() shoudl behave more like resolve when looking up records (attempt to resolve records at federated registeries) instead of only looking in the local registry
* move db tables into db with less overhead (tokyocabinet?)
-* make resolve, fill_record_info more fault tolerent. Skip records with failures
-- Auth Service
+- GUI/Auth Service
* develop a simple service where users auth using username/passord and
receive their cred
* service manages users key/cert,creds
-
-- GUI
- * requires user's cred (depends on Auth Service above)
+ * gui requires user's cred (depends on Auth Service above)
- SM call routing
* sfi -a option should send request to sm with an extra argument to
specify which am to contact instead of connecting directly to the am
(am may not trust client directly)
+- Protogeni
+* merger josh's branch with trunk
+* agree on standard set of functon calls
+* agree on standard set of privs
+* on permission error, return priv needed to make call
+* cache slice resource states (if aggregate goes down, how do we know what
+ slices were on it and recreate them? do we make some sort of transaction log)
+
+
+Questions
+=========
+- SM/Aggregate
+* should the rspec contain only the resources a slice is using or all resources availa and mark what the slice is using.
+
- Initscripts on sfa / geniwrapper
* should sfa have native initscript support or should we piggyback off of myplc?
* should this be in the rspec
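Review bot: The "Stop invalid users" item (keep a list of valid/invalid users on the aggregate and check callers against it) is a revocation list, and it only closes the gap if the aggregate consults it on every call and refreshes it at least as often as the longest credential lifetime it accepts; it is worth recording that dependency next to the item so whoever picks it up also bounds credential lifetimes rather than relying on the list alone. The Protogeni block is moved verbatim, typos included ("functon"); "passord" and "shoudl" in the Auth Service and Registry items could be fixed in the same pass.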
</variable>
</variablelist>
+ </category>
+ <!-- ======================================== -->
+ <category id="sfa_geni_aggregate">
+ <name>GENI Aggregate</name>
+ <description>The settings that affect the geni aggregate manager that will run
+ as part of this SFA instance.</description>
+
+ <variablelist>
+ <variable id="enabled" type="boolean">
+ <name>Enable GENI Aggregate</name>
+ <value>true</value>
+ <description>Allows this local SFA instance to run as an
+ GENI aggregate manager.</description>
+ </variable>
+
+ <variable id="type" type="string">
+ <name>GENI Aggregate type</name>
+ <value>pl</value>
+ <description>The type of backend server for this
+ aggregate. Some aggregates may not be myplc.</description>
+ </variable>
+
+ <variable id="host" type="hostname">
+ <name>Hostname</name>
+ <value>localhost</value>
+ <description>The hostname where the aggregate is expected to
+ be found.</description>
+ </variable>
+
+ <variable id="port" type="int">
+ <name>Port number</name>
+ <value>12348</value>
+ <description>The port where the aggregate is to be found.</description>
+ </variable>
+ </variablelist>
+
</category>
<!-- ======================================== -->
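Review bot: `<variable id="enabled" type="boolean">` defaults to `<value>true</value>`, so every SFA install starts a GENI aggregate manager listening on port 12348 unless the operator turns it off; unless that is intended for all deployments, default it to `false` so the extra listener is opt-in and document the port in the description. The `enabled` description should also read "run as a GENI aggregate manager" rather than "an GENI".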
--- /dev/null
+<aggregates>
+ <aggregate addr="" hrn="" port=""/>
+</aggregates>
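Review bot: The new `aggregates.xml` ships with `<aggregate addr="" hrn="" port=""/>`, an entry whose attributes are all empty; since the changelog says the server fetches and installs peer certificates from the aggregates listed here at startup, the loader must skip entries with an empty `addr` (or the file should ship as an empty `<aggregates/>`) so startup does not attempt a connection to "" or register a peer with a blank hrn.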
%post cm
chkconfig --add sfa-cm
%changelog
-* Thu Apr 08 2010 Tony Mack <tmack@cs.princeton.edu> - sfa-0.9-11
+* Thu May 11 2010 Tony Mack <tmack@cs.princeton.edu> - sfa-0.9-11
- SfaServer now uses a pool of threads to handle requests concurrently
- sfa.util.rspec no longer used to process/manage rspecs (deprecated). This is now handled by sfa.plc.network and is not backwards compatible
- PIs can now get a slice credential for any slice at their site without having to be a member of the slice
- Registry records for federated peers (defined in registries.xml, aggregates.xml) updated when sfa service is started
- Interfaces will try to fetch and install gids from peers listed in registries.xml/aggregates.xml if gid is not found in /etc/sfa/trusted_roots dir
- Component manager does not install gid files if slice already has them
-
+- Server automatically fetches and installs peer certificats (defined in registries/aggregates.xml) when service is restarted.
+- fix credential verification exploit (verify that the trusted signer is a parent of the object it it signed)
+- made it easier for root authorities to sign their sub's certifiacate using the sfa-ca.py (sfa/server/sfa-ca.py) tool
+
* Thu Jan 21 2010 anil vengalil <avengali@sophia.inria.fr> - sfa-0.9-10
- This tag is quite same as the previous one (sfa-0.9-9) except that the vini and max aggregate managers are also updated for urn support. Other features are:
- - sfa-config-tty now has the same features like plc-config-tty
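Review bot: The changelog entry that adds the credential verification fix ("verify that the trusted signer is a parent of the object it it signed") keeps the release tag `sfa-0.9-11` from the entry it replaces and only moves the date from Apr 08 to May 11; since this is a security fix, bump the release so packages with and without the fix can be told apart by version. Also "it it", "certificats" and "certifiacate" are typos in the new lines.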
from sfa.trust.credential import *
from sfa.trust.rights import *
from sfa.trust.gid import *
+from sfa.trust.certificate import *
class TestCred(unittest.TestCase):
def setUp(self):
gidObject = GID(subject="object", uuid=create_uuid(), hrn="foo.object")
lifeTime = 12345
delegate = True
- rights = "embed,bind"
+ rights = "embed:1,bind:1"
cred.set_gid_caller(gidCaller)
self.assertEqual(cred.get_gid_caller().get_subject(), gidCaller.get_subject())
self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject())
cred.set_lifetime(lifeTime)
- self.assertEqual(cred.get_lifetime(), lifeTime)
-
- cred.set_delegate(delegate)
- self.assertEqual(cred.get_delegate(), delegate)
-
+
cred.set_privileges(rights)
self.assertEqual(cred.get_privileges().save_to_string(), rights)
+ cred.get_privileges().delegate_all_privileges(delegate)
+
cred.encode()
cred_str = cred.save_to_string()
- # re-load the credential from a string and make sure it's fields are
+ # re-load the credential from a string and make sure its fields are
# intact
cred2 = Credential(string = cred_str)
self.assertEqual(cred2.get_gid_caller().get_subject(), gidCaller.get_subject())
self.assertEqual(cred2.get_gid_object().get_subject(), gidObject.get_subject())
- self.assertEqual(cred2.get_lifetime(), lifeTime)
- self.assertEqual(cred2.get_delegate(), delegate)
+ self.assertEqual(cred2.get_privileges().get_all_delegate(), delegate)
self.assertEqual(cred2.get_privileges().save_to_string(), rights)
+
+
+ def createSignedGID(self, subject, urn, issuer_pkey = None, issuer_gid = None):
+ gid = GID(subject=subject, uuid=1, urn=urn)
+ keys = Keypair(create=True)
+ gid.set_pubkey(keys)
+ if issuer_pkey:
+ gid.set_issuer(issuer_pkey, str(issuer_gid.get_issuer()))
+ else:
+ gid.set_issuer(keys, subject)
+
+ gid.encode()
+ gid.sign()
+ return gid, keys
+
+
+
+
+ def testDelegationAndVerification(self):
+ gidAuthority, keys = self.createSignedGID("site", "urn:publicid:IDN+plc+authority+site")
+ gidCaller, ckeys = self.createSignedGID("site.foo", "urn:publicid:IDN+plc:site+user+foo",
+ keys, gidAuthority)
+ gidObject, _ = self.createSignedGID("site.slice", "urn:publicid:IDN+plc:site+slice+bar_slice",
+ keys, gidAuthority)
+ gidDelegatee, _ = self.createSignedGID("site.delegatee", "urn:publicid:IDN+plc:site+user+delegatee",
+ keys, gidAuthority)
+
+ cred = Credential()
+ cred.set_gid_caller(gidCaller)
+ cred.set_gid_object(gidObject)
+ cred.set_lifetime(3600)
+ cred.set_privileges("embed:1, bind:1")
+ cred.encode()
+
+ gidAuthority.save_to_file("/tmp/auth_gid")
+ keys.save_to_file("/tmp/auth_key")
+ cred.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
+ cred.sign()
+
+
+ cred.verify(['/tmp/auth_gid'])
+
+ # Test copying
+ cred2 = Credential(string=cred.save_to_string())
+ cred2.verify(['/tmp/auth_gid'])
+
+
+ # Test delegation
+ delegated = Credential()
+ delegated.set_gid_caller(gidDelegatee)
+ delegated.set_gid_object(gidObject)
+ delegated.set_parent(cred)
+ delegated.set_lifetime(600)
+ delegated.set_privileges("embed:1, bind:1")
+ gidCaller.save_to_file("/tmp/caller_gid")
+ ckeys.save_to_file("/tmp/caller_pkey")
+
+ delegated.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
+
+ delegated.encode()
+
+ delegated.sign()
+
+ # This should verify
+ delegated.verify(['/tmp/auth_gid'])
+
+ backup = Credential(string=delegated.get_xml())
+
+ # Test that verify catches an incorrect lifetime
+ delegated.set_lifetime(6000)
+ delegated.encode()
+ delegated.sign()
+ try:
+ delegated.verify(['/tmp/auth_gid'])
+ assert(1==0)
+ except CredentialNotVerifiable:
+ pass
+
+ # Test that verify catches an incorrect signer
+ delegated = Credential(string=backup.get_xml())
+ delegated.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
+ delegated.encode()
+ delegated.sign()
+
+ try:
+ delegated.verify(['/tmp/auth_gid'])
+ assert(1==0)
+ except CredentialNotVerifiable:
+ pass
+
+
+ # Test that verify catches a changed gid
+ delegated = Credential(string=backup.get_xml())
+ delegated.set_gid_object(delegated.get_gid_caller())
+ delegated.encode()
+ delegated.sign()
+
+ try:
+ delegated.verify(['/tmp/auth_gid'])
+ assert(1==0)
+ except CredentialNotVerifiable:
+ pass
+
+
+ # Test that verify catches a credential with the wrong authority for the object
+ test = Credential(string=cred.get_xml())
+ test.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
+ test.encode()
+ test.sign()
+
+ try:
+ test.verify(['/tmp/auth_gid'])
+ assert(1==0)
+ except CredentialNotVerifiable:
+ pass
+
+ # Test that * gets translated properly
+
if __name__ == "__main__":
unittest.main()
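Review bot: `testDelegationAndVerification` writes private keys to fixed paths in the shared temp directory (`keys.save_to_file("/tmp/auth_key")`, `ckeys.save_to_file("/tmp/caller_pkey")`), which collide between concurrent test runs and leave key material at predictable names; create a per-run directory with `tempfile.mkdtemp()` and remove it in `tearDown`. The negative cases use `assert(1==0)` inside `try`/`except CredentialNotVerifiable`, which works but hides intent; `self.assertRaises(CredentialNotVerifiable, delegated.verify, ['/tmp/auth_gid'])` says what is expected and still surfaces any other exception type. The privilege string differs between `setUp` (`"embed:1,bind:1"`) and this test (`"embed:1, bind:1"`), so the rights parser must tolerate the space or the second form will not round-trip, and the closing `# Test that * gets translated properly` has no test body.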
def testSetGetUuid(self):
gid = GID(subject="test")
- u = create_uuid()
+ u = uuid.uuid4().int
gid.set_uuid(u)
self.assertEqual(gid.get_uuid(), u)
def testEncodeDecode(self):
gid = GID(subject="test")
- u = str(uuid.uuid4().int)
+ u = uuid.uuid4().int
hrn = "test.hrn"
gid.set_uuid(u)
def testSaveAndLoadString(self):
gid = GID(subject="test")
- u = str(uuid.uuid4().int)
+ u = uuid.uuid4().int
hrn = "test.hrn"
gid.set_uuid(u)
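Review bot: Switching from `str(uuid.uuid4().int)` to the bare `uuid.uuid4().int` in all three tests means `set_uuid`/`get_uuid` now round-trip a 128-bit integer instead of a string, and `testSetGetUuid` also drops `create_uuid()`, so that helper no longer has coverage; keep one assertion that `create_uuid()` returns the same type the GID code now expects, otherwise the two paths can silently diverge.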
-Metadata-Version: 1.0\r
-Name: xmlbuilder\r
-Version: 0.9\r
-Summary: Pythonic way to create xml files\r
-Home-page: http://pypi.python.org/pypi/xmlbuilder\r
-Author: koder\r
-Author-email: koder_dot_mail@gmail_dot_com\r
-License: MIT\r
-Download-URL: http://pypi.python.org/pypi/xmlbuilder\r
-Description: Example of usage:\r
- -----------------\r
- \r
- \r
- from __future__ import with_statement\r
- from xmlbuilder import XMLBuilder\r
- x = XMLBuilder(format=True)\r
- with x.root(a = 1):\r
- with x.data:\r
- [x << ('node',{'val':i}) for i in range(10)]\r
- \r
- print str(x)\r
- \r
- will print\r
- \r
- <root a="1">\r
- <data>\r
- <node val="0" />\r
- <node val="1" />\r
- <node val="2" />\r
- <node val="3" />\r
- <node val="4" />\r
- <node val="5" />\r
- <node val="6" />\r
- <node val="7" />\r
- <node val="8" />\r
- <node val="9" />\r
- </data>\r
- </root>\r
- \r
- Mercurial repo:http://hg.assembla.com/MyPackages/\r
- \r
- Documentations\r
- --------------\r
- `XMLBuilder` is simple library build on top of `ElementTree.TreeBuilder` to\r
- simplify xml files creation as much as possible. Althow it can produce\r
- structured result with identated child tags. `XMLBuilder` use python `with`\r
- statement to define xml tag levels and `<<` operator for simple cases -\r
- text and tag without childs.\r
- \r
- First we need to create xmlbuilder\r
- \r
- from xmlbuilder import XMLBuilder\r
- # params - encoding = 'utf8',\r
- # builder = None, - ElementTree.TreeBuilder\r
- # tab_level = None, - current tab l;evel - for formatted output only\r
- # format = False, - create formatted output\r
- # tab_step = " " * 4 - indentation step\r
- xml = XMLBuilder()\r
- \r
- \r
- Use `with` statement to make document structure\r
- #create and open tag 'root_tag' with text 'text' and attributes\r
- with xml.root_tag(text,attr1=val1,attr2=val2):\r
- #create and open tag 'sub_tag'\r
- with xml.sub_tag(text,attr3=val3):\r
- #create tag which are not valid python identificator\r
- with xml('one-more-sub-tag',attr7=val37):\r
- xml << "Some textual data"\r
- #here tag 'one-more-sub-tag' are closed\r
- #Tags without children can be created using `<<` operator\r
- for val in range(15):\r
- xml << ('message',"python rocks!"[:i])\r
- #create 15 child tag like <message> python r</message>\r
- #all tags closed\r
- node = ~x # get etree.ElementTree object\r
- xml_data = str(x)\r
- unicode_xml_data = unicode(x)\r
- \r
-Keywords: xml\r
-Platform: UNKNOWN\r
+Metadata-Version: 1.0
+Name: xmlbuilder
+Version: 0.9
+Summary: Pythonic way to create xml files
+Home-page: http://pypi.python.org/pypi/xmlbuilder
+Author: koder
+Author-email: koder_dot_mail@gmail_dot_com
+License: MIT
+Download-URL: http://pypi.python.org/pypi/xmlbuilder
+Description: Example of usage:
+ -----------------
+
+
+ from __future__ import with_statement
+ from xmlbuilder import XMLBuilder
+ x = XMLBuilder(format=True)
+ with x.root(a = 1):
+ with x.data:
+ [x << ('node',{'val':i}) for i in range(10)]
+
+ print str(x)
+
+ will print
+
+ <root a="1">
+ <data>
+ <node val="0" />
+ <node val="1" />
+ <node val="2" />
+ <node val="3" />
+ <node val="4" />
+ <node val="5" />
+ <node val="6" />
+ <node val="7" />
+ <node val="8" />
+ <node val="9" />
+ </data>
+ </root>
+
+ Mercurial repo:http://hg.assembla.com/MyPackages/
+
+ Documentations
+ --------------
+ `XMLBuilder` is simple library build on top of `ElementTree.TreeBuilder` to
+ simplify xml files creation as much as possible. Althow it can produce
+ structured result with identated child tags. `XMLBuilder` use python `with`
+ statement to define xml tag levels and `<<` operator for simple cases -
+ text and tag without childs.
+
+ First we need to create xmlbuilder
+
+ from xmlbuilder import XMLBuilder
+ # params - encoding = 'utf8',
+ # builder = None, - ElementTree.TreeBuilder
+ # tab_level = None, - current tab l;evel - for formatted output only
+ # format = False, - create formatted output
+ # tab_step = " " * 4 - indentation step
+ xml = XMLBuilder()
+
+
+ Use `with` statement to make document structure
+ #create and open tag 'root_tag' with text 'text' and attributes
+ with xml.root_tag(text,attr1=val1,attr2=val2):
+ #create and open tag 'sub_tag'
+ with xml.sub_tag(text,attr3=val3):
+ #create tag which are not valid python identificator
+ with xml('one-more-sub-tag',attr7=val37):
+ xml << "Some textual data"
+ #here tag 'one-more-sub-tag' are closed
+ #Tags without children can be created using `<<` operator
+ for val in range(15):
+ xml << ('message',"python rocks!"[:i])
+ #create 15 child tag like <message> python r</message>
+ #all tags closed
+ node = ~x # get etree.ElementTree object
+ xml_data = str(x)
+ unicode_xml_data = unicode(x)
+
+Keywords: xml
+Platform: UNKNOWN
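Review bot: This PKG-INFO hunk is a pure CRLF-to-LF conversion of vendored xmlbuilder-0.9 metadata with no content change, which makes the diff hard to review and will be undone if `python setup.py install` in `xmlbuilder-0.9` regenerates the egg-info; either leave upstream files untouched or say in the commit message that line endings were normalised. For anyone reading the upstream example, note that `for val in range(15): xml << ('message',"python rocks!"[:i])` slices with `i` rather than the loop variable `val`.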
LICENSE
MANIFEST.in
+PKG-INFO
README.txt
+setup.cfg
setup.py
xmlbuilder/__init__.py
xmlbuilder.egg-info/PKG-INFO
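Review bot: This file list has the shape of a setuptools-generated egg-info `SOURCES.txt`; hand-adding `PKG-INFO` and `setup.cfg` here will drift from whatever the next `setup.py` run writes, so the egg-info directory is better left out of version control than edited by hand.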