return filtered_records
-def credential_printable (credential_string):
- credential=Credential(string=credential_string)
+def credential_printable (cred):
+ credential=Credential(cred=cred)
result=""
result += credential.get_summary_tostring()
result += "\n"
rights = credential.get_privileges()
- result += "rights=%s"%rights
- result += "\n"
+ result += "type=%s\n" % credential.type
+ result += "version=%s\n" % credential.version
+ result += "rights=%s\n"%rights
return result
def show_credentials (cred_s):
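Review bot: `credential.type` and `credential.version` are only filled in when the constructor receives the dict form; for a plain string they stay `None`, so the new lines print `type=None` and `version=None` for every legacy credential. Guarding them, e.g. `if credential.type: result += "type=%s\n" % credential.type` (and the same for `version`), keeps the summary honest about what was actually supplied. The parameter rename from `credential_string` to `cred` also breaks any caller that passes it by keyword. A one-line docstring saying that `cred` may be either the XML string or the `geni_type`/`geni_version`/`geni_value` struct would help.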
# extract what's needed
self.private_key = client_bootstrap.private_key()
self.my_credential_string = client_bootstrap.my_credential_string ()
+ self.my_credential = {'geni_type': 'geni_sfa',
+ 'geni_version': '3.0',
+ 'geni_value': self.my_credential_string}
self.my_gid = client_bootstrap.my_gid ()
self.client_bootstrap = client_bootstrap
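Review bot: The literals `'geni_type': 'geni_sfa'` and `'geni_version': '3.0'` are spelled out here and again in the new `slice_credential` method in the next hunk, so the two wrappers can drift apart. One private helper used by both, e.g. `def _wrap_credential(self, value): return {'geni_type': 'geni_sfa', 'geni_version': '3.0', 'geni_value': value}`, would keep the wire format in a single place. `self.my_credential` is also a snapshot of `my_credential_string` taken at this point; if the string is ever refreshed later (not visible here), the struct would keep the stale value. The enclosing method starts and ends outside the hunk.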
def slice_credential_string(self, name):
return self.client_bootstrap.slice_credential_string (name)
+ def slice_credential(self, name):
+ return {'geni_type': 'geni_sfa',
+ 'geni_version': '3.0',
+ 'geni_value': self.slice_credential_string(name)}
+
# xxx should be supported by sfaclientbootstrap as well
def delegate_cred(self, object_cred, hrn, type='authority'):
# the gid and hrn of the object we are delegating
creds.append(delegated_cred)
# options and call_id when supported
api_options = {}
- api_options['call_id']=unique_call_id()
+ api_options['call_id']=unique_call_id()
if options.show_credential:
show_credentials(creds)
result = server.ListSlices(creds, *self.ois(server,api_options))
server = self.sliceapi()
# set creds
- creds = [self.my_credential_string]
+ creds = [self.my_credential]
if options.delegate:
creds.append(self.delegate_cred(cred, get_authority(self.authority)))
if options.show_credential:
server = self.sliceapi()
# set creds
- creds = [self.slice_credential_string(args[0])]
+ creds = [self.slice_credential(args[0])]
if options.delegate:
creds.append(self.delegate_cred(cred, get_authority(self.authority)))
if options.show_credential:
slice_urn = hrn_to_urn(slice_hrn, 'slice')
# creds
- slice_cred = self.slice_credential_string(slice_hrn)
+ slice_cred = self.slice_credential(slice_hrn)
creds = [slice_cred]
if options.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
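Review bot: `slice_cred` is now the `geni_sfa` struct, yet it is still handed unchanged to `self.delegate_cred(slice_cred, ...)`, whose body is not part of the visible change. If `delegate_cred` still loads its first argument as a credential string, the `--delegate` path will fail, and if it returns a bare string then `creds` ends up mixing structs and strings in one call. The same call shape recurs in the later hunks that set `slice_cred = self.slice_credential(...)`, and the hunks building `creds = [self.my_credential]` and `creds = [self.slice_credential(args[0])]` pass a name `cred` that is not defined in the visible lines. I would either pass `slice_cred['geni_value']` to `delegate_cred` and wrap its result in the struct, or make `delegate_cred` accept and return the struct. The enclosing method starts and ends outside the hunk.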
slice_urn = Xrn(slice_hrn, type='slice').get_urn()
# credentials
- creds = [self.slice_credential_string(slice_hrn)]
+ creds = [self.slice_credential(slice_hrn)]
delegated_cred = None
if server_version.get('interface') == 'slicemgr':
slice_urn = Xrn(slice_hrn, type='slice').get_urn()
# credentials
- creds = [self.slice_credential_string(slice_hrn)]
+ creds = [self.slice_credential(slice_hrn)]
delegated_cred = None
if server_version.get('interface') == 'slicemgr':
# delegate our cred to the slice manager
slice_urn = hrn_to_urn(slice_hrn, 'slice')
# creds
- slice_cred = self.slice_credential_string(slice_hrn)
+ slice_cred = self.slice_credential(slice_hrn)
creds = [slice_cred]
if options.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
action = args[1]
slice_urn = Xrn(slice_hrn, type='slice').get_urn()
# cred
- slice_cred = self.slice_credential_string(args[0])
+ slice_cred = self.slice_credential(args[0])
creds = [slice_cred]
if options.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
slice_urn = hrn_to_urn(slice_hrn, 'slice')
# time: don't try to be smart on the time format, server-side will
# creds
- slice_cred = self.slice_credential_string(args[0])
+ slice_cred = self.slice_credential(args[0])
creds = [slice_cred]
if options.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
slice_hrn = args[0]
slice_urn = hrn_to_urn(slice_hrn, 'slice')
# creds
- slice_cred = self.slice_credential_string(slice_hrn)
+ slice_cred = self.slice_credential(slice_hrn)
creds = [slice_cred]
if options.delegate:
delegated_cred = self.delegate_cred(slice_cred, get_authority(self.authority))
elif self.api.interface in ['slicemgr']:
chain_name = 'FORWARD-INCOMING'
self.api.logger.debug("Allocate: sfatables on chain %s"%chain_name)
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
+ self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
rspec = run_sfatables(chain_name, xrn.get_hrn(), origin_hrn, rspec)
slivers = RSpec(rspec).version.get_nodes_with_slivers()
if not slivers:
valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', xrns)
#log the call
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
return self.api.manager.Delete(self.api, xrns, creds, options)
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
if not origin_hrn:
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
desc = self.api.manager.Describe(self.api, creds, urns, options)
# filter rspec through sfatables
# get hrn of the original caller
origin_hrn = options.get('origin_hrn', None)
if not origin_hrn:
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
rspec = self.api.manager.ListResources(self.api, creds, options)
# filter rspec through sfatables
# Find the valid credentials
valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns)
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
+ self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
result = self.api.manager.Provision(self.api, xrns, creds, options)
return result
# Validate that the time does not go beyond the credential's expiration time
requested_time = utcparse(expiration_time)
max_renew_days = int(self.api.config.SFA_MAX_SLICE_RENEW)
- if requested_time > Credential(string=valid_creds[0]).get_expiration():
+ if requested_time > Credential(cred=valid_creds[0]).get_expiration():
raise InsufficientRights('Renewsliver: Credential expires before requested expiration time')
if requested_time > datetime.datetime.utcnow() + datetime.timedelta(days=max_renew_days):
raise Exception('Cannot renew > %s days from now' % max_renew_days)
valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', xrn)
#log the call
- origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
+ origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name))
return self.api.manager.Shutdown(self.api, xrn, creds)
self.check(cred, operation, hrn)
valid.append(cred)
except:
- cred_obj=Credential(string=cred)
+ cred_obj=Credential(cred=cred)
logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
error = sys.exc_info()[:2]
continue
return valid
- def check(self, cred_string, operation, hrn = None):
+ def check(self, credential, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
trusted cert and check if the credential is allowed to perform
the specified operation.
"""
- cred = Credential(string = cred_string)
+ cred = Credential(cred=credential)
self.client_cred = cred
logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
(hrn,cred.get_summary_tostring()))
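Review bot: The bare `except:` handler at `cred_obj=Credential(cred=cred)` re-parses the very credential that just failed validation, so any exception raised there escapes the loop instead of reaching `continue`. With the dict form now accepted, a struct lacking `geni_value` raises `KeyError` in the constructor (`string = cred['geni_value']`), first inside `check` and then again inside the handler, so one malformed entry supplied by the caller aborts the whole call rather than being skipped. I would capture `error = sys.exc_info()[:2]` before anything else and build the debug dump under its own `try`/`except Exception`, logging a fixed marker when the credential cannot be parsed. Narrowing the outer `except:` to `except Exception:` would also stop it swallowing `KeyboardInterrupt` and `SystemExit`. The enclosing loop and the rest of `check` lie outside this hunk.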
# @param string If string!=None, load the credential from the string
# @param filename If filename!=None, load the credential from the file
# FIXME: create and subject are ignored!
- def __init__(self, create=False, subject=None, string=None, filename=None):
+ def __init__(self, create=False, subject=None, string=None, filename=None, cred=None):
self.gidCaller = None
self.gidObject = None
self.expiration = None
self.xml = None
self.refid = None
self.legacy = None
+ self.type = None
+ self.version = None
+
+ if cred:
+ if isinstance(cred, StringTypes):
+ string = cred
+ elif isinstance(cred, dict):
+ string = cred['geni_value']
+ self.type = cred['geni_type']
+ self.version = cred['geni_version']
+
# Check if this is a legacy credential, translate it if so
if string or filename: