LDAP modifications to add entries in LDAP. REmoved fill_record_sfa_info (unused).
# slice belongs to out local plc or a myplc peer. We will assume it
# is a local site, unless we find out otherwise
peer = None
- print>>sys.stderr, " \r\n \r\n \tplslices.py get_peer slice_authority "
# get this slice's authority (site)
slice_authority = get_authority(hrn)
# get this site's authority (sfa root authority or sub authority)
site_authority = get_authority(slice_authority).lower()
- print>>sys.stderr, " \r\n \r\n \tplslices.py get_peer slice_authority %s site_authority %s" %(slice_authority,site_authority)
# check if we are already peered with this site_authority, if so
peers = self.driver.shell.GetPeers({}, ['peer_id', 'peername', 'shortname', 'hrn_root'])
for peer_record in peers:
-
+import string
from sfa.util.xrn import Xrn,get_authority
import ldap
from sfa.util.config import *
from sfa.trust.hierarchy import *
from sfa.trust.auth import *
from sfa.trust.certificate import *
+import ldap.modlist as modlist
+
+class ldap_co:
+ def __init__(self):
+ #def __init__(self, param, level):
+ """
+ Constructeur permettant l'initialisation des attributs de la classe
+ :param param: Parametres de connexion au serveur LDAP
+ :type param: dictionnary.
+ :param level: Niveau de criticite de l'execution de l'objet ('critical, warning')
+ :type level: string.
+ """
+ self.__level = 'warning'
+ #self.__param = param
+ #self.__level = level
+ self.login = 'cn=admin,dc=senslab,dc=info'
+
+ self.passwd='sfa'
+ print "\r\n INIT OK !"
+
+ def connect(self, bind = True):
+ """
+ Methode permettant la connexion a un serveur LDAP
+ @param bool bind : Force ou non l'authentification au serveur
+ @return array : Retour d'un tableau
+ """
+ try:
+ self.ldapserv = ldap.open("192.168.0.251")
+ except ldap.LDAPError, e:
+ return {'bool' : False, 'message' : e }
+
+ # Bind non anonyme avec authentification
+ if(bind):
+ return self.bind()
+
+ else:
+ return {'bool': True}
+
+
+ def bind(self):
+ """
+ Methode permettant l'authentification a un serveur LDAP
+ @return array : Retour d'un tableau
+ """
+ try:
+ print "\r\n BIND ??!"
+ # Open a connection
+ self.ldapserv = ldap.initialize("ldap://192.168.0.251")
+ ## Bind/authenticate with a user with apropriate rights to add objects
+ self.ldapserv.simple_bind_s(self.login, self.passwd)
+ print "\r\n BIND ???"
+ except ldap.LDAPError, e:
+ return {'bool' : False, 'message' : e }
+
+ print "\r\n BIND OK !"
+ return {'bool': True}
+
+ def close(self):
+ """
+ Methode permettant la deconnexion a un serveur LDAP
+ """
+ # Fermeture de la connexion
+ try:
+ self.ldapserv.unbind_s()
+ except ldap.LDAPError, e:
+ pass
+
+
class LDAPapi :
def __init__(self, record_filter = None):
self.senslabauth=Hierarchy()
'pointer' ,
'hrn']
self.baseDN = "ou=people,dc=senslab,dc=info"
-
- def connect (self):
- self.ldapserv=ldap.open("192.168.0.251")
+ self.conn = ldap_co()
+
+ #def connect (self):
+ #self.ldapserv=ldap.open("192.168.0.251")
- def authenticate(self):
- self.l = ldap.initialize("ldaps://192.168.0.251:636/")
-
- # Bind/authenticate with a user with apropriate rights to add objects
- self.l = simple_bind_s(" ","")
+ #def authenticate(self):
+ #self.l = ldap.initialize("ldaps://192.168.0.251:636/")
+ #login = 'cn=admin,dc=senslab,dc=info'
+
+ #passwd='sfa-ldap'
+ ## Bind/authenticate with a user with apropriate rights to add objects
+ #self.l = simple_bind_s(login,passwd)
- def ldapAdd(self, record) :
- self.authenticate()
+ def ldapAdd(self, recordix = None) :
+ attrs = {'cn': ['Bruce Wayne'], 'objectClass': ['top', 'inetOrgPerson', 'posixAccount', 'systemQuotas', 'ldapPublicKey'], 'loginShell': '/senslab/users/.ssh/welcome.sh', 'sshPublicKey': '', 'quota': '/dev/sda3:2000000:2500000:0:0', 'gidNumber': '2000', 'sn': 'Wayne', 'homeDirectory': '/senslab/users/batman', 'mail': 'bw@gotham.com', 'givenName': 'Bruce', 'uid': 'batman','description' :'SFA USER FROM OUTSIDE SENSLAB'}
+ result = self.conn.connect()
+ if(result['bool']):
+ # The dn of our new entry/object
+ dn = self.baseDN
+ print >>sys.stderr, "\r\n \r\n \t LDAP.PY \t\t ldapAdd attrs %s " %(attrs)
+ # A dict to help build the "body" of the object
+ #attrs = {}
+ #attrs['objectclass'] = ['top','inetOrgPerson','posixAccount', 'systemQuotas','ldapPuclicKey']
+ #attrs['cn'] = str(record['first_name'])+' ' + str(record['last_name'])
+ #attrs['sn'] = str(record['last_name'])
+ #attrs['givenName'] = str(record['first_name'])
+ #attrs['gidNumber'] = '2000'
+ #loginslab =str(record['first_name'])+ str(record['last_name'])
+ #loginslab= loginslab.lower()
+ ##loginslab = loginslab[0:12]
+ #attrs['uid']= loginslab
+ #attrs['mail'] = record['mail']
+ #attrs['quota'] = '/dev/sda3:2000000:2500000:0:0'
+ #attrs['homeDirectory'] = '/senslab/users/' + loginslab
+ #attrs['loginShell'] = '/senslab/users/.ssh/welcome.sh'
+ #attrs['sshPublicKey'] = ''
+ #attrs['description'] = 'SFA USER FROM OUTSIDE SENSLAB'
+ category ="ou=people, dc=senslab, dc=info"
+ try:
+ ldif = modlist.addModlist(attrs)
+ print " \r\n \r\n LDAPTEST.PY add attrs %s \r\n ldif %s " %(attrs,ldif)
+ self.conn.ldapserv.add_s('%s,%s' %(dn, category),ldif)
+ except ldap.LDAPError, e:
+ return {'bool' : False, 'message' : e }
- return
+ self.close()
+ return {'bool': True}
+ else:
+ return result
+ return
def parse_record(self, record):
req_ldapdict = {}
req_ldapdict['cn'] = str(record['first_name'])+" "+str(record['last_name'])
if 'email' in record :
req_ldapdict['mail'] = record['email']
+ if 'hrn' in record :
+ splited_hrn = record['hrn'].split(".")
+ if splited_hrn[0] != self.authname :
+ print >>sys.stderr,"i know nothing about",record['hrn'], " my authname is ", self.authname, " not ", splited_hrn[0]
+ login=splited_hrn[1]
+ req_ldapdict['uid'] = login
req_ldap=''
print >>sys.stderr, "\r\n \r\n \t LDAP.PY \t\t parse_record record %s req_ldapdict %s" %(record,req_ldapdict)
def ldapSearch (self, record ):
-
- self.connect()
+ self.conn.connect(bind = False)
+ #self.connect()
req_ldap = self.parse_record(record)
print >>sys.stderr, "\r\n \r\n \t LDAP.PY \t\t ldapSearch req_ldap %s" %(req_ldap)
try:
- msg_id=self.ldapserv.search(self.baseDN,ldap.SCOPE_SUBTREE,req_ldap, ['mail','givenName', 'sn', 'uid','sshPublicKey'])
+ msg_id=self.conn.ldapserv.search(self.baseDN,ldap.SCOPE_SUBTREE,req_ldap, ['mail','givenName', 'sn', 'uid','sshPublicKey'])
#Get all the results matching the search from ldap in one shot (1 value)
- result_type, result_data=self.ldapserv.result(msg_id,1)
+ result_type, result_data=self.conn.ldapserv.result(msg_id,1)
results = []
print >>sys.stderr, "\r\n \r\n \t LDAP.PY \t\t ldapSearch result_data %s" %(result_data)
- #Dafuq is this result_data shit ??
+
ldapentry = result_data[0][1]
- #print>>sys.stderr, " \r\n \t LDAP : ! mail ldapentry[1]['mail'][0] %s " %(ldapentry[1]['mail'][0])
print >>sys.stderr, "\r\n \r\n \t LDAP.PY \t\t ldapSearch ldapentry %s" %(ldapentry)
tmpname = ldapentry['uid'][0]
def ldapFindHrn(self, record_filter = None):
#def ldapFindHrn(self, record_filter = None, columns=None):
- results = []
- self.connect()
+ results = []
+ self.conn.connect(bind = False)
+ #self.connect()
if 'authority' in record_filter:
# ask for authority
if record_filter['authority']==self.authname:
ldapfilter+=")"
ldapfilter+=")"
-
- rindex=self.ldapserv.search(self.baseDN,ldap.SCOPE_SUBTREE,ldapfilter, ['mail','givenName', 'sn', 'uid','sshPublicKey'])
- ldapresponse=self.ldapserv.result(rindex,1)
- #print>>sys.stderr, " \r\n \t LDAP : ldapresponse %s " %(ldapresponse)
+ rindex=self.conn.ldapserv.search(self.baseDN,ldap.SCOPE_SUBTREE,ldapfilter, ['mail','givenName', 'sn', 'uid','sshPublicKey'])
+ #rindex=self.ldapserv.search(self.baseDN,ldap.SCOPE_SUBTREE,ldapfilter, ['mail','givenName', 'sn', 'uid','sshPublicKey'])
+ ldapresponse=self.conn.ldapserv.result(rindex,1)
for ldapentry in ldapresponse[1]:
- #print>>sys.stderr, " \r\n \t LDAP : ! mail ldapentry[1]['mail'][0] %s " %(ldapentry[1]['mail'][0])
tmpname = ldapentry[1]['uid'][0]
print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI username",username
try:
self.oarserver['uri'] = OARrequest_post_uri_dict[request]['uri']
- #print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI rq %s datadict %s " % ( self.oarserver['uri'] ,datadict)
except:
print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI request not in OARrequest_post_uri_dict"
return
try:
- #print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI %s " %( 'strval' in datadict)
if datadict and 'strval' in datadict:
self.oarserver['uri'] = self.oarserver['uri'].replace("id",str(datadict['strval']))
- #print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI REPLACE OK %s"%(self.oarserver['uri'])
del datadict['strval']
- #print>>sys.stderr, " \r\n \r\n \t POSTRequestToOARRestAPI datadict %s rq %s" %(datadict, self.oarserver['uri'] )
except:
print>>sys.stderr, " \r\n \r\n POSTRequestToOARRestAPI ERRRRRORRRRRR "
return
try :
#self.oarserver['postformat'] = POSTformat[format]
- #print>>sys.stderr, "\r\n POSTRequestToOARRestAPI headers %s uri %s" %(headers,self.oarserver['uri'])
conn = httplib.HTTPConnection(self.oarserver['ip'],self.oarserver['port'])
conn.request("POST",self.oarserver['uri'],data,headers )
resp = ( conn.getresponse()).read()
#node['hrn'] = self.hostname_to_hrn(self.interface_hrn, node['site_login_base'],node['hostname'])
self.node_dictlist.update({node_id:node})
#if node_id is 1:
- #print>>sys.stderr, " \r\n \r\n \t \t\t\t OARESTAPI Parse Sites self.node_dictlist %s " %(self.node_dictlist)
if node['site'] not in self.site_dict:
self.site_dict[node['site']] = {'site':node['site'],
'node_ids':nodes_per_site[node['site']],
def SendRequest(self,request, strval = None , username = None):
if request in OARrequests_get_uri_dict:
self.raw_json = self.server.GETRequestToOARRestAPI(request,strval,username)
- #print>>sys.stderr, "\r\n OARGetParse __init__ : request %s result %s "%(request,self.raw_json)
return self.OARrequests_uri_dict[request]['parse_func'](self)
else:
print>>sys.stderr, "\r\n OARGetParse __init__ : ERROR_REQUEST " ,request
def filter_return_fields( dict_to_filter, return_fields):
filtered_dict = {}
- #print>>sys.stderr, " \r\n \t \tfilter_return_fields return fields %s " %(return_fields)
for field in return_fields:
- #print>>sys.stderr, " \r\n \t \tfield %s " %(field)
if field in dict_to_filter:
filtered_dict[field] = dict_to_filter[field]
- #print>>sys.stderr, " \r\n \t\t filter_return_fields filtered_dict %s " %(filtered_dict)
return filtered_dict
'slice':{'str':'slice_hrn','int':'record_id_slice'},\
'peers':{'str':'hrn'}}
- #print>>sys.stderr, " \r\n ___ parse_filter param_filter %s type %s return fields %s " %(param_filter,type_of_list, return_fields)
if param_filter is None and return_fields is None:
return list_to_filter
if type_of_list not in list_type:
- #print>>sys.stderr, " \r\n type_of_list Error parse_filter %s " %(type_of_list)
return []
return_filtered_list= []
tmp_item = {}
if type(param_filter) is list :
- #print>>sys.stderr, " \r\n p_filter LIST %s " %(param_filter)
for p_filter in param_filter:
- #print>>sys.stderr, " \r\n p_filter %s \t item %s " %(p_filter,item)
if type(p_filter) is int:
if item[list_type[type_of_list]['int']] == p_filter :
if return_fields:
else:
tmp_item = item
return_filtered_list.append(tmp_item)
- #print>>sys.stderr, " \r\n 1tmp_item",tmp_item
if type(p_filter) is str:
if item[list_type[type_of_list]['str']] == str(p_filter) :
- #print>>sys.stderr, " \r\n p_filter %s \t item %s "%(p_filter,item[list_type[type_of_list]['str']])
if return_fields:
tmp_item = filter_return_fields(item,return_fields)
else:
tmp_item = item
return_filtered_list.append(tmp_item)
- #print>>sys.stderr, " \r\n 2tmp_item",tmp_item
elif type(param_filter) is dict:
#stripped_filterdict = strip_dictionnary(param_filter)
#tmp_copy = {}
#tmp_copy = item.copy()
- #print>>sys.stderr, " \r\n \t\t ________tmp_copy %s " %(tmp_copy)
#key_list = tmp_copy.keys()
#for key in key_list:
- #print>>sys.stderr, " \r\n \t\t key %s " %(key)
#if key not in stripped_filterdict:
#del tmp_copy[key]
if founditem:
if return_fields:
- #print>>sys.stderr, " \r\n \r\n parsing.py param_filter dflt %s founditem %s " %(dflt, founditem)
tmp_item = filter_return_fields(founditem[0],return_fields)
else:
tmp_item = founditem[0]
return_filtered_list.append(tmp_item)
- #print>>sys.stderr, " \r\n tmp_copy %s param_filter %s cmp = %s " %(tmp_copy, param_filter,cmp(tmp_copy, stripped_filterdict))
#if cmp(tmp_copy, stripped_filterdict) == 0:
#if return_fields:
#filter.update({'peer_id': None})
#nodes = self.driver.GetNodes(filter['hostname'])
- #print>>sys.stderr, "\r\n \r\n \t get_nodes nodes %s" %(nodes)
#site_ids = []
#interface_ids = []
aggregate = SlabAggregate(self)
origin_hrn = Credential(string=creds[0]).get_gid_caller().get_hrn()
- #print>>sys.stderr, " \r\n \r\n \t SLABDRIVER list_resources origin_hrn %s" %(origin_hrn)
options.update({'origin_hrn':origin_hrn})
- #print>>sys.stderr, " \r\n \r\n \t SLABDRIVER list_resources options %s" %(options)
rspec = aggregate.get_rspec(slice_xrn=slice_urn, version=rspec_version,
options=options)
print>>sys.stderr, " \r\n \r\n \t SLABDRIVER list_resources rspec "
def GetPersons(self, person_filter=None, return_fields=None):
+ #if isinstance(person_filter,list):
+ #for f in person_filter:
+ #person = self.ldap.ldapSearch(f)
+ #if isinstance(person_filter,dict):
person_list = self.ldap.ldapFindHrn({'authority': self.root_auth })
#check = False
node_dict = dict(zip(node_hostname_list,node_list))
try :
liste =job_info[node_list_k]
- #print>>sys.stderr, "\r\n \r\n \t\t GetJobs resources job_info liste%s" %(liste)
for k in range(len(liste)):
job_info[node_list_k][k] = node_dict[job_info[node_list_k][k]]['hostname']
- #print>>sys.stderr, "\r\n \r\n \t\t YYYYYYYYYYYYGetJobs resources job_info %s" %(job_info)
#Replaces the previous entry "assigned_network_address" / "reserved_resources"
#with "node_ids"
job_info.update({'node_ids':job_info[node_list_k]})
- def fill_record_sfa_info(self, records):
-
- def startswith(prefix, values):
- return [value for value in values if value.startswith(prefix)]
-
- # get person ids
- person_ids = []
- site_ids = []
- for record in records:
- person_ids.extend(record.get("person_ids", []))
- site_ids.extend(record.get("site_ids", []))
- if 'site_id' in record:
- site_ids.append(record['site_id'])
-
- #print>>sys.stderr, "\r\n \r\n _fill_record_sfa_info ___person_ids %s \r\n \t\t site_ids %s " %(person_ids, site_ids)
-
- # get all pis from the sites we've encountered
- # and store them in a dictionary keyed on site_id
- site_pis = {}
- if site_ids:
- pi_filter = {'|roles': ['pi'], '|site_ids': site_ids}
- pi_list = self.GetPersons( pi_filter, ['person_id', 'site_ids'])
- #print>>sys.stderr, "\r\n \r\n _fill_record_sfa_info ___ GetPersons ['person_id', 'site_ids'] pi_ilist %s" %(pi_list)
-
- for pi in pi_list:
- # we will need the pi's hrns also
- person_ids.append(pi['person_id'])
-
- # we also need to keep track of the sites these pis
- # belong to
- for site_id in pi['site_ids']:
- if site_id in site_pis:
- site_pis[site_id].append(pi)
- else:
- site_pis[site_id] = [pi]
-
- # get sfa records for all records associated with these records.
- # we'll replace pl ids (person_ids) with hrns from the sfa records
- # we obtain
-
- # get the sfa records
- #table = SfaTable()
- existing_records = {}
- all_records = dbsession.query(RegRecord).all()
- for record in all_records:
- existing_records[(record.type,record.pointer)] = record
-
- print >>sys.stderr, " \r\r\n SLABDRIVER fill_record_sfa_info existing_records %s " %(existing_records)
- person_list, persons = [], {}
- #person_list = table.find({'type': 'user', 'pointer': person_ids})
- try:
- for p_id in person_ids:
- person_list.append( existing_records.get(('user',p_id)))
- except KeyError:
- print >>sys.stderr, " \r\r\n SLABDRIVER fill_record_sfa_info ERRRRRRRRRROR"
-
- # create a hrns keyed on the sfa record's pointer.
- # Its possible for multiple records to have the same pointer so
- # the dict's value will be a list of hrns.
- persons = defaultdict(list)
- for person in person_list:
- persons[person['pointer']].append(person)
-
- # get the pl records
- slab_person_list, slab_persons = [], {}
- slab_person_list = self.GetPersons(person_ids, ['person_id', 'roles'])
- slab_persons = list_to_dict(slab_person_list, 'person_id')
- #print>>sys.stderr, "\r\n \r\n _fill_record_sfa_info ___ _list %s \r\n \t\t SenslabUsers.GetPersons ['person_id', 'roles'] slab_persons %s \r\n records %s" %(slab_person_list, slab_persons,records)
- # fill sfa info
-
- for record in records:
- # skip records with no pl info (top level authorities)
- #Sandrine 24 oct 11 2 lines
- #if record['pointer'] == -1:
- #continue
- sfa_info = {}
- type = record['type']
- if (type == "slice"):
- # all slice users are researchers
- #record['geni_urn'] = hrn_to_urn(record['hrn'], 'slice') ? besoin ou pas ?
- record['PI'] = []
- record['researcher'] = []
- for person_id in record.get('person_ids', []):
- #Sandrine 24 oct 11 line
- #for person_id in record['person_ids']:
- hrns = [person['hrn'] for person in persons[person_id]]
- record['researcher'].extend(hrns)
-
- # pis at the slice's site
- slab_pis = site_pis[record['site_id']]
- pi_ids = [pi['person_id'] for pi in slab_pis]
- for person_id in pi_ids:
- hrns = [person['hrn'] for person in persons[person_id]]
- record['PI'].extend(hrns)
- record['geni_urn'] = hrn_to_urn(record['hrn'], 'slice')
- record['geni_creator'] = record['PI']
-
- elif (type == "authority"):
- record['PI'] = []
- record['operator'] = []
- record['owner'] = []
- for pointer in record['person_ids']:
- if pointer not in persons or pointer not in slab_persons:
- # this means there is not sfa or pl record for this user
- continue
- hrns = [person['hrn'] for person in persons[pointer]]
- roles = slab_persons[pointer]['roles']
- if 'pi' in roles:
- record['PI'].extend(hrns)
- if 'tech' in roles:
- record['operator'].extend(hrns)
- if 'admin' in roles:
- record['owner'].extend(hrns)
- # xxx TODO: OrganizationName
- elif (type == "node"):
- sfa_info['dns'] = record.get("hostname", "")
- # xxx TODO: URI, LatLong, IP, DNS
-
- elif (type == "user"):
- sfa_info['email'] = record.get("email", "")
- sfa_info['geni_urn'] = hrn_to_urn(record['hrn'], 'user')
- sfa_info['geni_certificate'] = record['gid']
- # xxx TODO: PostalAddress, Phone
-
- #print>>sys.stderr, "\r\n \r\rn \t\t \t <<<<<<<<<<<<<<<<<<<<<<<< fill_record_sfa_info sfa_info %s \r\n record %s : "%(sfa_info,record)
- record.update(sfa_info)
+
def augment_records_with_testbed_info (self, sfa_records):
return self.fill_record_info (sfa_records)
#reclist = []
##for rec in Q.all():
#reclist.append(dict(zip(['record_id_user','oar_job_id', 'record_id_slice','slice_hrn'],[rec.record_id_user,rec.oar_job_id,rec.record_id_slice, rec.slice_hrn])))
- #print>>sys.stderr, " \r\n \r\n \t SLABPOSTGRES find reclist %s" %(reclist)
#return reclist
- #def get_slivers(self, xrn, node=None):
- #hrn, type = urn_to_hrn(xrn)
-
- #slice_name = hrn_to_pl_slicename(hrn)
- ## XX Should we just call PLCAPI.GetSliceTicket(slice_name) instead
- ## of doing all of this?
- ##return self.api.driver.GetSliceTicket(self.auth, slice_name)
-
- ## from PLCAPI.GetSlivers.get_slivers()
- #slice_fields = ['slice_id', 'name', 'instantiation', 'expires', 'person_ids', 'slice_tag_ids']
- #slices = self.api.driver.GetSlices(slice_name, slice_fields)
- ## Build up list of users and slice attributes
- #person_ids = set()
- #all_slice_tag_ids = set()
- #for slice in slices:
- #person_ids.update(slice['person_ids'])
- #all_slice_tag_ids.update(slice['slice_tag_ids'])
- #person_ids = list(person_ids)
- #all_slice_tag_ids = list(all_slice_tag_ids)
- ## Get user information
- #all_persons_list = self.api.driver.GetPersons({'person_id':person_ids,'enabled':True}, ['person_id', 'enabled', 'key_ids'])
- #all_persons = {}
- #for person in all_persons_list:
- #all_persons[person['person_id']] = person
-
- ## Build up list of keys
- #key_ids = set()
- #for person in all_persons.values():
- #key_ids.update(person['key_ids'])
- #key_ids = list(key_ids)
- ## Get user account keys
- #all_keys_list = self.api.driver.GetKeys(key_ids, ['key_id', 'key', 'key_type'])
- #all_keys = {}
- #for key in all_keys_list:
- #all_keys[key['key_id']] = key
- ## Get slice attributes
- #all_slice_tags_list = self.api.driver.GetSliceTags(all_slice_tag_ids)
- #all_slice_tags = {}
- #for slice_tag in all_slice_tags_list:
- #all_slice_tags[slice_tag['slice_tag_id']] = slice_tag
-
- #slivers = []
- #for slice in slices:
- #keys = []
- #for person_id in slice['person_ids']:
- #if person_id in all_persons:
- #person = all_persons[person_id]
- #if not person['enabled']:
- #continue
- #for key_id in person['key_ids']:
- #if key_id in all_keys:
- #key = all_keys[key_id]
- #keys += [{'key_type': key['key_type'],
- #'key': key['key']}]
- #attributes = []
- ## All (per-node and global) attributes for this slice
- #slice_tags = []
- #for slice_tag_id in slice['slice_tag_ids']:
- #if slice_tag_id in all_slice_tags:
- #slice_tags.append(all_slice_tags[slice_tag_id])
- ## Per-node sliver attributes take precedence over global
- ## slice attributes, so set them first.
- ## Then comes nodegroup slice attributes
- ## Followed by global slice attributes
- #sliver_attributes = []
-
- #if node is not None:
- #for sliver_attribute in filter(lambda a: a['node_id'] == node['node_id'], slice_tags):
- #sliver_attributes.append(sliver_attribute['tagname'])
- #attributes.append({'tagname': sliver_attribute['tagname'],
- #'value': sliver_attribute['value']})
-
- ## set nodegroup slice attributes
- #for slice_tag in filter(lambda a: a['nodegroup_id'] in node['nodegroup_ids'], slice_tags):
- ## Do not set any nodegroup slice attributes for
- ## which there is at least one sliver attribute
- ## already set.
- #if slice_tag not in slice_tags:
- #attributes.append({'tagname': slice_tag['tagname'],
- #'value': slice_tag['value']})
-
- #for slice_tag in filter(lambda a: a['node_id'] is None, slice_tags):
- ## Do not set any global slice attributes for
- ## which there is at least one sliver attribute
- ## already set.
- #if slice_tag['tagname'] not in sliver_attributes:
- #attributes.append({'tagname': slice_tag['tagname'],
- #'value': slice_tag['value']})
-
- ## XXX Sanity check; though technically this should be a system invariant
- ## checked with an assertion
- #if slice['expires'] > MAXINT: slice['expires']= MAXINT
-
- #slivers.append({
- #'hrn': hrn,
- #'name': slice['name'],
- #'slice_id': slice['slice_id'],
- #'instantiation': slice['instantiation'],
- #'expires': slice['expires'],
- #'keys': keys,
- #'attributes': attributes
- #})
+
#return slivers
def get_peer(self, xrn):
# add nodes from rspec
added_nodes = list(set(requested_slivers).difference(current_slivers))
- #print>>sys.stderr , "\r\n \r\n \t slices.py verify_slice_nodes added_nodes %s slice %s" %( added_nodes,slice)
try:
#if peer:
#self.driver.UnBindObjectFromPeer('slice', slice['slice_id'], peer['shortname'])
#for k in users_dict[user['hrn']] :
existing_user_hrns.append (users_dict[user['hrn']]['hrn'])
existing_user_ids.append (users_dict[user['hrn']]['person_id'])
- #print>>sys.stderr, " \r\n \r\n \t slabslices.py verify_person existing_user_ids.append (users_dict[user['hrn']][k]) %s \r\n existing_users %s " %( existing_user_ids,existing_users)
#User from another federated site , does not have a senslab account yet?
#or have multiple SFA accounts
existing_slice_user_hrns = [user['hrn'] for user in existing_slice_users]
- #print>>sys.stderr, " \r\n \r\n slices.py verify_person requested_user_ids %s existing_slice_user_hrns %s " %(requested_user_ids,existing_slice_user_hrns)
# users to be added, removed or updated
added_user_hrns = set(requested_user_hrns).difference(set(existing_user_hrns))
updated_user_hrns = set(existing_slice_user_hrns).intersection(requested_user_hrns)
- #print>>sys.stderr, " \r\n \r\n slices.py verify_persons added_user_ids %s added_slice_user_ids %s " %(added_user_ids,added_slice_user_ids)
- #print>>sys.stderr, " \r\n \r\n slices.py verify_persons removed_user_hrns %s updated_user_hrns %s " %(removed_user_hrns,updated_user_hrns)
# Remove stale users (only if we are not appending)
append = options.get('append', True)
if append == False:
# update_existing users
updated_users_list = [user for user in existing_slice_users if user['hrn'] in \
updated_user_hrns]
- #print>>sys.stderr, " \r\n \r\n slices.py verify_persons removed_user_hrns %s updated_users_list %s " %(removed_user_hrns,updated_users_list)
#self.verify_keys(existing_slice_users, updated_users_list, peer, append)
added_persons = []
#'key_ids': added_user.get('key_ids', []),
}
- #print>>sys.stderr, " \r\n \r\n slices.py verify_persons added_user_ids %s " %(added_user_ids)
person['person_id'] = self.driver.AddPerson(person)
if peer:
person['peer_person_id'] = added_user['person_id']
# There should be a gid file in /etc/sfa/trusted_roots for every
# peer registry found in in the registries.xml config file. If there
# are any missing gids, request a new one from the peer registry.
- print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs server_key_file %s server_cert_file %s"%(server_key_file,server_cert_file)
api = SfaApi(key_file = server_key_file, cert_file = server_cert_file)
registries = Registries()
aggregates = Aggregates()
peer_gids = []
if not new_hrns:
return
- print>>sys.stderr," \r\n \r\n \t=============================================== install_peer_certs interfaces %s api.config.SFA_INTERFACE_HRN %s new_hrns %s" %( interfaces,api.config.SFA_INTERFACE_HRN,new_hrns)
trusted_certs_dir = api.config.get_trustedroots_dir()
for new_hrn in new_hrns:
if not new_hrn: continue
url = interfaces[new_hrn].get_url()
interface = interfaces[new_hrn].server_proxy(server_key_file, server_cert_file, timeout=30)
# skip non sfa aggregates
- print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs IIIinterface %s url %s" %(interface,url)
server_version = api.get_cached_server_version(interface)
- print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs server_version %s \r\n \r\rn \t\t =============================================== server_version['sfa'] %s, " %(server_version, server_version['sfa'])
if 'sfa' not in server_version:
logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
continue
message += "unable to install trusted gid for %s" % \
(new_hrn)
gid = GID(string=trusted_gid)
- print>>sys.stderr, " \r\n \r\n \t=============================================== install_peer_certs gid %s " %(gid)
peer_gids.append(gid)
if gid.get_hrn() == new_hrn:
gid_filename = os.path.join(trusted_certs_dir, '%s.gid' % new_hrn)
auth_info = hierarchy.get_interface_auth_info()
server_key_file = auth_info.get_privkey_filename()
server_cert_file = auth_info.get_gid_filename()
- print>>sys.stderr, " \r\n \t\t\t\t\t SFA-START MAIN auth_info %s server_key_file %s server_cert_file %s "%(auth_info, server_key_file,server_cert_file)
# ensure interface cert is present in trusted roots dir
trusted_roots = TrustedRoots(config.get_trustedroots_dir())
trusted_roots.add_gid(GID(filename=server_cert_file))
valid = []
if not isinstance(creds, list):
creds = [creds]
- #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn)
logger.debug("Auth.checkCredentials with %d creds"%len(creds))
for cred in creds:
try:
self.client_cred = Credential(string = cred)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn())
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
# make sure the client is allowed to perform the operation
if operation:
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list)
if not self.client_cred.can_perform(operation):
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)"
raise InsufficientRights(operation)
if self.trusted_cert_list:
self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_cert_file_list %s self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
# Make sure the credential's target matches the specified hrn.
# This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
- #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
def get_refid(self):
- #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid\ self.refid %s " %(self.refid)
if not self.refid:
self.decode()
- #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid self.refid %s " %(self.refid)
return self.refid
def get_xml(self):
def updateRefID(self):
if not self.parent:
self.set_refid('ref0')
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred ref0 "
return []
refs = []
refs.append(next_cred.get_refid())
if next_cred.parent:
next_cred = next_cred.parent
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred "
else:
next_cred = None
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred NONE"
# Find a unique refid for this credential
# Failures here include unreadable files
# or non PEM files
trusted_cert_objects.append(GID(filename=f))
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs %s" %(GID(filename=f).get_hrn())
ok_trusted_certs.append(f)
except Exception, exc:
logger.error("Failed to load trusted cert from %s: %r", f, exc)
trusted_certs = ok_trusted_certs
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs elemnebts %s" %(len(trusted_certs))
# Use legacy verification if this is a legacy credential
if self.legacy:
for cur_cred in self.get_credential_list():
cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify cur_cred get_gid_object hrn %s get_gid_caller %s" %(cur_cred.get_gid_object().get_hrn(),cur_cred.get_gid_caller().get_hrn())
refs = []
refs.append("Sig_%s" % self.get_refid())
parentRefs = self.updateRefID()
for ref in parentRefs:
refs.append("Sig_%s" % ref)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs refs", ref
for ref in refs:
# If caller explicitly passed in None that means skip xmlsec1 validation.
# Strange and not typical
# (self.xmlsec_path, ref, cert_args, filename)
verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
% (self.xmlsec_path, ref, cert_args, filename)).read()
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify filename %s verified %s " %(filename,verified)
if not verified.strip().startswith("OK"):
# xmlsec errors have a msg= which is the interesting bit.
mstart = verified.find("msg=")
raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
os.remove(filename)
- #print>>sys.stderr, " \r\n \t\t\t credential.py HUMMM parents %s", self.parent
# Verify the parents (delegation)
if self.parent:
self.verify_parent(self.parent)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs parents"
# Make sure the issuer is the target's authority, and is
# itself a valid GID
self.verify_issuer(trusted_cert_objects)
# . The expiry time on the child must be no later than the parent
# . The signer of the child must be the owner of the parent
def verify_parent(self, parent_cred):
- #print>>sys.stderr, " \r\n\r\n \t verify_parent parent_cred.get_gid_caller().save_to_string(False) %s self.get_signature().get_issuer_gid().save_to_string(False) %s" %(parent_cred.get_gid_caller().get_hrn(),self.get_signature().get_issuer_gid().get_hrn())
# make sure the rights given to the child are a subset of the
# parents rights (and check delegate bits)
if not parent_cred.get_privileges().is_superset(self.get_privileges()):
self.hrn=None
self.urn=xrn
self.urn_to_hrn()
- #print>>sys.stderr, " \r\n \r\n \t XRN.PY init xrn.startswith(Xrn.URN_PREFIX) hrn %s urn %s type %s" %( self.hrn, self.urn, self.type)
else:
self.urn=None
self.hrn=xrn
self.type=type
self.hrn_to_urn()
- #print>>sys.stderr, " \r\n \r\n \t XRN.PY init ELSE hrn %s urn %s type %s" %( self.hrn, self.urn, self.type)
# happens all the time ..
# if not type:
# debug_logger.debug("type-less Xrn's are not safe")
def get_hrn_type(self): return (self.hrn, self.type)
def _normalize(self):
- #print>>sys.stderr, " \r\n \r\n \t XRN.PY _normalize self.hrn %s ",self.hrn
if self.hrn is None: raise SfaAPIError, "Xrn._normalize"
if not hasattr(self,'leaf'):
self.leaf=Xrn.hrn_split(self.hrn)[-1]
# self.authority keeps a list
if not hasattr(self,'authority'):
self.authority=Xrn.hrn_auth_list(self.hrn)
- #print>>sys.stderr, " \r\n \r\n \t XRN.PY _normalize self.hrn %s leaf %s authority %s"%(self.hrn, self.leaf, self.authority)
def get_leaf(self):