Added 'checkCredentials' to auth.py. Made various other small fixes.
authorJosh Karlin <jkarlin@bbn.com>
Tue, 20 Apr 2010 20:19:33 +0000 (20:19 +0000)
committerJosh Karlin <jkarlin@bbn.com>
Tue, 20 Apr 2010 20:19:33 +0000 (20:19 +0000)
12 files changed:
sfa/managers/aggregate_manager_pl.py
sfa/managers/registry_manager_pl.py
sfa/methods/CreateSliver.py
sfa/methods/DeleteSliver.py
sfa/methods/ListResources.py
sfa/methods/RenewSliver.py
sfa/methods/Resolve.py
sfa/methods/Shutdown.py
sfa/methods/SliverStatus.py
sfa/plc/network.py
sfa/trust/auth.py
sfa/trust/gid.py

index 12b170b..9026f6a 100644 (file)
@@ -66,16 +66,21 @@ def create_slice(api, xrn, xml):
 
     slice = network.get_slice(api, hrn)
     current = __get_hostnames(slice.get_nodes())
-
+    api.logger.info("Current = %s" % " ".join(current))
+    api.logger.info("before addrspec")
     network.addRSpec(xml, api.config.SFA_AGGREGATE_RSPEC_SCHEMA)
-    
+    api.logger.info("after addrspec")
     request = __get_hostnames(network.nodesWithSlivers())
     
     # remove nodes not in rspec
     deleted_nodes = list(set(current).difference(request))
+    api.logger.info("Deleted nodes = " + " ".join(deleted_nodes))
 
     # add nodes from rspec
     added_nodes = list(set(request).difference(current))
+    api.logger.info("Added nodes = " + " ".join(added_nodes))
+    
+
 
     if peer:
         api.plshell.UnBindObjectFromPeer(api.plauth, 'slice', slice.id, peer)
index 6ed5da8..423cb1c 100644 (file)
@@ -10,12 +10,6 @@ from sfa.trust.credential import *
 from sfa.trust.certificate import *
 from sfa.util.faults import *
 
-def GetVersion():
-    version = {}
-    version['geni_api'] = 1
-    return version
-
-
     
 
 def get_credential(api, xrn, type, is_self=False):
@@ -74,6 +68,15 @@ def get_credential(api, xrn, type, is_self=False):
 
     return new_cred.save_to_string(save_parents=True)
 
+
+# The GENI GetVersion call
+def GetVersion():
+    version = {}
+    version['geni_api'] = 1
+    return version
+
+
+
 # The GENI resolve call
 def Resolve(api, xrn, creds):
     records = resolve(api, xrn)
@@ -83,7 +86,7 @@ def Resolve(api, xrn, creds):
     
     record = records[0]
     if record.type == 'slice':
-        return {'geni_urn': xrn, 'geni_creator': record.gid}
+        return {'geni_urn': xrn, 'geni_creator': " ".join(record.PI)}
     if record.type == 'user':
         return {'geni_urn': xrn, 'geni_certificate': record.gid}
     
index e873801..5961eb3 100644 (file)
@@ -5,6 +5,7 @@ from sfa.util.parameter import Parameter
 from sfatables.runtime import SFATablesRules
 import sys
 from sfa.trust.credential import Credential
+from sfa.util.sfalogging import logger
 
 class CreateSliver(Method):
     """
@@ -40,24 +41,13 @@ class CreateSliver(Method):
     def call(self, slice_xrn, creds, rspec):
         hrn, type = urn_to_hrn(slice_xrn)
 
-        self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+        self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
+
+        # Find the valid credentials
+        ValidCreds = self.api.auth.checkCredentials(creds, 'createslice', hrn)
+
+        origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
 
-        # Validate that at least one of the credentials is good enough
-        found = False
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'createslice')
-                origin_hrn = Credential(string=cred).get_gid_caller().get_hrn()
-                found = True
-                break
-            except:
-                error = sys.exc_info()[:2]
-                continue
-            
-        if not found:
-            raise InsufficientRights('CreateSliver: Access denied: %s -- %s' % (error[0],error[1]))
-             
-        
         manager_base = 'sfa.managers'
 
         if self.api.interface in ['geni_am']:
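Review bot: With the inline credential loop gone, `sys` (imported at the top of this file) is no longer used in CreateSliver, since `sys.exc_info()` lived only in the removed except branch; drop the import unless something outside this hunk needs it. Dropping `caller-creds: %s` from the INFO log line is a good change here, because it keeps signed credential material out of the logs. As a style point, `ValidCreds` is a local and the rest of the file uses snake_case, so `valid_creds` would match; the same applies to the other methods in this commit.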
@@ -66,7 +56,7 @@ class CreateSliver(Method):
             manager = __import__(manager_module, fromlist=[manager_base])
             rspec = self.__run_sfatables(manager, SFATablesRules('INCOMING'),
                                          hrn, origin_hrn, rspec)
-            return manager.CreateSliver(self.api, slice_xrn, creds, rspec)
-
+            logger.info("Calling with rspec = %s"% rspec)
+            return manager.CreateSliver(self.api, slice_xrn, ValidCreds, rspec)            
         return ''
     
index d57568f..94e9cfd 100644 (file)
@@ -22,21 +22,10 @@ class DeleteSliver(Method):
     def call(self, slice_xrn, creds):
         hrn, type = urn_to_hrn(slice_xrn)
 
-        self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
+        self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
 
-        # Validate that at least one of the credentials is good enough
-        found = False
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'deleteslice')
-                found = True
-                break
-            except:
-                continue
-            
-        if not found:
-            raise InsufficientRights('DeleteSliver: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-            
+        # Find the valid credentials
+        ValidCreds = self.api.auth.checkCredentials(creds, 'deleteslice', hrn)
         
         manager_base = 'sfa.managers'
 
@@ -44,7 +33,7 @@ class DeleteSliver(Method):
             mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
             manager_module = manager_base + ".geni_am_%s" % mgr_type
             manager = __import__(manager_module, fromlist=[manager_base])
-            return manager.DeleteSliver(self.api, slice_xrn, creds)
+            return manager.DeleteSliver(self.api, slice_xrn, ValidCreds)
 
         return ''
     
index 0007c25..7858172 100644 (file)
@@ -9,7 +9,7 @@ import sys
 
 class ListResources(Method):
     """
-    Returns information about available resources or resources allocated to this    slice
+    Returns information about available resources or resources allocated to this slice
     @param credential list
     @param options dictionary
     @return string
@@ -24,22 +24,15 @@ class ListResources(Method):
     def call(self, creds, options):
         self.api.logger.info("interface: %s\tmethod-name: %s" % (self.api.interface, self.name))
             
-        # Validate that at least one of the credentials is good enough
-        found = False
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'listnodes')
-                found = True
-                user_cred = Credential(string=cred)
-                break
-            except:
-                error = sys.exc_info()[:2]
-                continue
+        # Find the valid credentials
+        hrn = None
+        if options.has_key('geni_slice_urn'):
+            xrn = options['geni_slice_urn']
+            hrn, _ = urn_to_hrn(xrn)        
+            
+        ValidCreds = self.api.auth.checkCredentials(creds, 'listnodes', hrn)
+        origin_hrn = Credential(string=ValidCreds[0]).get_gid_caller().get_hrn()
             
-        if not found:
-            raise InsufficientRights('ListResources: Access denied: %s -- %s' % (error[0],error[1]))
-        
-        origin_hrn = user_cred.get_gid_caller().get_hrn()
                     
         manager_base = 'sfa.managers'
 
@@ -47,7 +40,7 @@ class ListResources(Method):
             mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
             manager_module = manager_base + ".geni_am_%s" % mgr_type
             manager = __import__(manager_module, fromlist=[manager_base])
-            rspec = manager.ListResources(self.api, creds, options)
+            rspec = manager.ListResources(self.api, ValidCreds, options)
             outgoing_rules = SFATablesRules('OUTGOING')
             
         
index 554926d..bce8a49 100644 (file)
@@ -26,24 +26,12 @@ class RenewSliver(Method):
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
 
-        # Validate that at least one of the credentials is good enough
-        found = False
-        validCred = None
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'renewsliver')
-                validCred = cred
-                found = True
-                break
-            except:
-                continue
-            
-        if not found:
-            raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-            
+        # Find the valid credentials
+        ValidCreds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn)
+
         # Validate that the time does not go beyond the credential's expiration time
         requested_time = parse(expiration_time)
-        if requested_time > Credential(string=validCred).get_lifetime():
+        if requested_time > Credential(string=ValidCreds[0]).get_lifetime():
             raise InsufficientRights('SliverStatus: Credential expires before requested expiration time')
         
         manager_base = 'sfa.managers'
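Review bot: The expiration check only consults `ValidCreds[0]`, so when a caller presents several valid credentials a renewal may be rejected even though another credential in the list lasts long enough; use the longest one, `if requested_time > max(Credential(string=c).get_lifetime() for c in ValidCreds):`. The INFO log line at the top of this hunk still prints the full credential strings via `caller-creds: %s`, whereas CreateSliver and DeleteSliver in this same commit removed that field; drop it here too so signed credentials do not end up in log files. The error text `'SliverStatus: Credential expires before requested expiration time'` names the wrong method and should say `RenewSliver`.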
@@ -52,7 +40,7 @@ class RenewSliver(Method):
             mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
             manager_module = manager_base + ".geni_am_%s" % mgr_type
             manager = __import__(manager_module, fromlist=[manager_base])
-            return manager.RenewSliver(self.api, slice_xrn, creds, expiration_time)
+            return manager.RenewSliver(self.api, slice_xrn, ValidCreds, expiration_time)
 
         return ''
     
index b694bc8..0f7439c 100644 (file)
@@ -2,7 +2,7 @@ from sfa.util.faults import *
 from sfa.util.namespace import *
 from sfa.util.method import Method
 from sfa.util.parameter import Parameter
-
+from sfa.trust.credential import Credential
 
 class Resolve(Method):
     """
@@ -22,11 +22,14 @@ class Resolve(Method):
         for cred in creds:
             try:
                 self.api.auth.check(cred, 'resolve')
+                # Make sure it's an authority and not a user
+                if cred.get_gid_caller().get_type() != 'authority':
+                    raise 'NotAuthority'
                 found = True
                 break
             except:
                 continue
-            
+                
         if not found:
             raise InsufficientRights('Resolve: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
         
index 4445ae2..0cf52cb 100644 (file)
@@ -24,26 +24,16 @@ class Shutdown(Method):
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
 
-        # Validate that at least one of the credentials is good enough
-        found = False
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'shutdown')
-                found = True
-                break
-            except:
-                continue
-            
-        if not found:
-            raise InsufficientRights('Shutdown: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-            
+        # Find the valid credentials
+        ValidCreds = self.api.auth.checkCredentials(creds, 'shutdown', hrn)
+
         manager_base = 'sfa.managers'
 
         if self.api.interface in ['geni_am']:
             mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
             manager_module = manager_base + ".geni_am_%s" % mgr_type
             manager = __import__(manager_module, fromlist=[manager_base])
-            return manager.Shutdown(self.api, slice_xrn, creds)
+            return manager.Shutdown(self.api, slice_xrn, ValidCreds)
 
         return ''
     
index e56793b..2d4164e 100644 (file)
@@ -23,19 +23,8 @@ class SliverStatus(Method):
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name))
 
-        # Validate that at least one of the credentials is good enough
-        found = False
-        for cred in creds:
-            try:
-                self.api.auth.check(cred, 'sliverstatus')
-                found = True
-                break
-            except:
-                continue
-            
-        if not found:
-            raise InsufficientRights('SliverStatus: Credentials either did not verify, were no longer valid, or did not have appropriate privileges')
-            
+        # Find the valid credentials
+        ValidCreds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn)
         
         manager_base = 'sfa.managers'
 
@@ -43,7 +32,7 @@ class SliverStatus(Method):
             mgr_type = self.api.config.SFA_GENI_AGGREGATE_TYPE
             manager_module = manager_base + ".geni_am_%s" % mgr_type
             manager = __import__(manager_module, fromlist=[manager_base])
-            return manager.SliverStatus(self.api, slice_xrn, creds)
+            return manager.SliverStatus(self.api, slice_xrn, ValidCreds)
 
         return ''
     
index 41c5f45..9a1bdb1 100644 (file)
@@ -7,7 +7,7 @@ from xmlbuilder import XMLBuilder
 from lxml import etree
 import sys
 from StringIO import StringIO
-
+from sfa.util.sfalogging import logger
 
 class Sliver:
     def __init__(self, node):
@@ -16,6 +16,7 @@ class Sliver:
         self.slice = node.network.slice
         
     def toxml(self, xml):
+        logger.info("sliver to xml!")
         with xml.sliver:
             self.slice.tags_to_xml(xml, self.node)
 
@@ -64,6 +65,7 @@ class Node:
         self.sliver = Sliver(self)
 
     def toxml(self, xml):
+        logger.info("node.toxml(I)")
         slice = self.network.slice
         if self.whitelist and not self.sliver:
             if not slice or slice.id not in self.whitelist:
@@ -197,6 +199,8 @@ class Slice:
                             xml << (tag.tagname, tag.value)
 
     def toxml(self, xml):
+        logger.info("slice to xml!")
+
         with xml.sliver_defaults:
             self.tags_to_xml(xml)
 
@@ -442,10 +446,10 @@ class Network:
                 raise InvalidRSpec(message)
 
         self.rspec = rspec
-
         defaults = rspec.find(".//sliver_defaults")
         self.__process_attributes(defaults)
 
+
         # Find slivers under node elements
         for sliver in rspec.iterfind("./network/site/node/sliver"):
             elem = sliver.getparent()
index abe76fd..73dae3d 100644 (file)
@@ -15,6 +15,8 @@ from sfa.util.namespace import *
 from sfa.util.sfaticket import *
 from sfa.util.sfalogging import logger
 
+import sys
+
 class Auth:
     """
     Credential based authentication
@@ -32,6 +34,23 @@ class Auth:
         self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
 
         
+        
+    def checkCredentials(self, creds, operation, hrn = None):
+        valid = []
+        for cred in creds:
+            try:
+                self.check(cred, operation, hrn)
+                valid.append(cred)
+            except:
+                error = sys.exc_info()[:2]
+                continue
+            
+        if not len(valid):
+            raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
+        
+        return valid
+        
+        
     def check(self, cred, operation, hrn = None):
         """
         Check the credential against the peer cert (callerGID included 
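Review bot: In checkCredentials, `error` is only assigned inside the `except` branch, so a call with an empty `creds` list reaches `raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))` with `error` unbound and the client gets an UnboundLocalError instead of the intended fault; initialise `error = (None, None)` before the loop. The bare `except:` also traps KeyboardInterrupt/SystemExit and any programming error in `check`; use `except Exception:` so that only credential failures are treated as "invalid credential". Note that `error[0]` puts the internal exception class name into a client-facing message, which the old per-method code did too but is still worth a second look. A short docstring stating that the method returns every credential that passes `check` for `operation`/`hrn` and raises InsufficientRights when none do would help callers that index `[0]` into the result; the snake_case `check_credentials` would also match `check`/`check_ticket`.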
@@ -65,10 +84,10 @@ class Auth:
         # Make sure the credential's target matches the specified hrn. 
         # This check does not apply to trusted peers
         trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
-        if hrn and client_gid.get_hrn() not in trusted_peers:
-            if not hrn == object_gid.get_hrn():
+        if hrn and self.client_gid.get_hrn() not in trusted_peers:
+            if not hrn == self.object_gid.get_hrn():
                 raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
-                                       (object_gid.get_hrn(), hrn) )       
+                                       (self.object_gid.get_hrn(), hrn) )       
         return True
 
     def check_ticket(self, ticket):
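Review bot: The target-hrn comparison now reads `self.client_gid` and `self.object_gid`, i.e. per-request data stored on the Auth instance (where they are assigned is outside this hunk), so if one Auth object serves concurrent requests, two overlapping `check` calls can observe each other's GIDs and the "Target hrn ... doesn't match" decision may be made against another caller's credential. If `check` already has these as locals or return values, compare those instead; otherwise add a comment such as `# NOTE: client_gid/object_gid are instance state - Auth must not be shared across concurrent checks` until the code is restructured. The method's body starts before this hunk, so the assignment site is not visible here.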
index 97c6d8c..72d657c 100644 (file)
@@ -98,6 +98,12 @@ class GID(Certificate):
             self.decode()
         return self.urn            
 
+    def get_type(self):
+        if not self.urn:
+            self.decode()
+        _, t = urn_to_hrn(self.urn)
+        return t
+    
     ##
     # Encode the GID fields and package them into the subject-alt-name field
     # of the X509 certificate. This must be called prior to signing the
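Review bot: GID.get_type has no docstring and its result is now used for an authorization decision in Resolve, so it deserves one stating what it returns and when it decodes, e.g. `"""Return the object type encoded in this GID's URN (e.g. 'authority', 'slice', 'user'), decoding the certificate first if the URN has not been extracted yet."""`. If `decode()` can leave `self.urn` unset, `urn_to_hrn(None)` will fail; a one-line note on that expectation would help, since the behaviour of decode is not visible here.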