From: Sandrine Avakian Date: Thu, 12 Jul 2012 12:27:07 +0000 (+0200) Subject: Merge branch 'master' into senslab2 X-Git-Tag: sfa-2.1-24~3^2~131 X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=b6dcfc034473c011988fba0d02bbeb6406925465;hp=5e20bae7c2007ed9349be7af53f1b6e342de1da7 Merge branch 'master' into senslab2 --- diff --git a/sfa.spec b/sfa.spec index 4943fce3..229379bc 100644 --- a/sfa.spec +++ b/sfa.spec @@ -1,6 +1,6 @@ %define name sfa %define version 2.1 -%define taglevel 11 +%define taglevel 13 %define release %{taglevel}%{?pldistro:.%{pldistro}}%{?date:.%{date}} %global python_sitearch %( python -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)" ) @@ -248,6 +248,15 @@ fi [ "$1" -ge "1" ] && service sfa-cm restart || : %changelog +* Wed Jul 11 2012 Thierry Parmentelat - sfa-2.1-13 +- bugfix that prevented to call 'sfi create' - (was broken in sfa-2.1-12) +- sfi to remove expired credentials + +* Tue Jul 10 2012 Tony Mack - sfa-2.1-12 +- Update Openstack driver to support Essex release/ +- Fix authority xrn bug. + + * Thu Jun 07 2012 Thierry Parmentelat - sfa-2.1-11 - review packaging - site-packages/planetlab now come with sfa-plc - new package sfa-federica diff --git a/sfa/client/candidates.py b/sfa/client/candidates.py new file mode 100644 index 00000000..f3a99ae3 --- /dev/null +++ b/sfa/client/candidates.py @@ -0,0 +1,50 @@ +### utility to match command-line args to names +class Candidates: + def __init__ (self, names): + self.names=names + # is an input string acceptable for one of the known names? + @staticmethod + def fits (input, name): + return name.find(input)==0 + # returns one of the names if the input name has a unique match + # or None otherwise + def only_match (self, input): + if input in self.names: return input + matches=[ name for name in self.names if Candidates.fits(input,name) ] + if len(matches)==1: return matches[0] + else: return None + +#################### minimal test +candidates_specs=[ +('create delete reset resources slices start status stop version create_gid', + [ ('ver','version'), + ('r',None), + ('re',None), + ('res',None), + ('rese','reset'), + ('reset','reset'), + ('reso','resources'), + ('sli','slices'), + ('st',None), + ('sta',None), + ('stop','stop'), + ('a',None), + ('cre',None), + ('create','create'), + ('create_','create_gid'), + ('create_g','create_gid'), + ('create_gi','create_gid'), + ('create_gid','create_gid'), +]) +] + +def test_candidates (): + for (names, tuples) in candidates_specs: + names=names.split() + for (input,expected) in tuples: + got=Candidates(names).only_match(input) + if got==expected: print '.', + else: print 'X FAIL','names[',names,'] input',input,'expected',expected,'got',got + +if __name__ == '__main__': + test_candidates() diff --git a/sfa/client/sfaadmin.py b/sfa/client/sfaadmin.py index 1e1d6758..c95f550a 100755 --- a/sfa/client/sfaadmin.py +++ b/sfa/client/sfaadmin.py @@ -12,8 +12,15 @@ from sfa.client.sfi import save_records_to_file from sfa.trust.hierarchy import Hierarchy from sfa.trust.gid import GID +from sfa.client.candidates import Candidates + pprinter = PrettyPrinter(indent=4) +try: + help_basedir=Hierarchy().basedir +except: + help_basedir='*unable to locate Hierarchy().basedir' + def optparse_listvalue_callback(option, opt, value, parser): setattr(parser.values, option.dest, value.split(',')) @@ -25,11 +32,11 @@ def args(*args, **kwargs): class Commands(object): def _get_commands(self): - available_methods = [] + command_names = [] for attrib in dir(self): if callable(getattr(self, attrib)) and not attrib.startswith('_'): - available_methods.append(attrib) - return available_methods + command_names.append(attrib) + return command_names class RegistryCommands(Commands): @@ -172,9 +179,9 @@ class RegistryCommands(Commands): importer.run() @args('-a', '--all', dest='all', metavar='', action='store_true', default=False, - help='Remove all registry records and all files in %s area' % Hierarchy().basedir) + help='Remove all registry records and all files in %s area' % help_basedir) @args('-c', '--certs', dest='certs', metavar='', action='store_true', default=False, - help='Remove all cached certs/gids found in %s' % Hierarchy().basedir ) + help='Remove all cached certs/gids found in %s' % help_basedir ) @args('-0', '--no-reinit', dest='reinit', metavar='', action='store_false', default=True, help='Prevents new DB schema from being installed after cleanup') def nuke(self, all=False, certs=False, reinit=True): @@ -348,15 +355,14 @@ class SfaAdmin: 'aggregate': AggregateCommands, 'slicemgr': SliceManagerCommands} - def find_category (self, string): - for (k,v) in SfaAdmin.CATEGORIES.items(): - if k.startswith(string): return k - for (k,v) in SfaAdmin.CATEGORIES.items(): - if k.find(string) >=1: return k - return None + # returns (name,class) or (None,None) + def find_category (self, input): + full_name=Candidates (SfaAdmin.CATEGORIES.keys()).only_match(input) + if not full_name: return (None,None) + return (full_name,SfaAdmin.CATEGORIES[full_name]) def summary_usage (self, category=None): - print "Usage:", self.script_name + " category action []" + print "Usage:", self.script_name + " category command []" if category and category in SfaAdmin.CATEGORIES: categories=[category] else: @@ -390,33 +396,32 @@ class SfaAdmin: self.summary_usage() # ensure category is valid - category_str = argv.pop(0) - category=self.find_category (category_str) - if not category: - self.summary_usage() + category_input = argv.pop(0) + (category_name, category_class) = self.find_category (category_input) + if not category_name or not category_class: + self.summary_usage(category_name) - usage = "%%prog %s action [options]" % (category) + usage = "%%prog %s command [options]" % (category_name) parser = OptionParser(usage=usage) - command_class = SfaAdmin.CATEGORIES.get(category, None) - if not command_class: - self.summary_usage(category) # ensure command is valid - command_instance = command_class() - actions = command_instance._get_commands() + category_instance = category_class() + commands = category_instance._get_commands() if len(argv) < 1: - action = '__call__' + # xxx what is this about ? + command_name = '__call__' else: - action = argv.pop(0) + command_input = argv.pop(0) + command_name = Candidates (commands).only_match (command_input) - if hasattr(command_instance, action): - command = getattr(command_instance, action) + if command_name and hasattr(category_instance, command_name): + command = getattr(category_instance, command_name) else: - self.summary_usage(category) + self.summary_usage(category_name) # ensure options are valid options = getattr(command, 'options', []) - usage = "%%prog %s %s [options]" % (category, action) + usage = "%%prog %s %s [options]" % (category_name, command_name) parser = OptionParser(usage=usage) for arg, kwd in options: parser.add_option(*arg, **kwd) @@ -443,3 +448,4 @@ class SfaAdmin: except Exception: print "Command failed, please check log for more info" raise + diff --git a/sfa/client/sfaclientlib.py b/sfa/client/sfaclientlib.py index f4b9a7e5..521a220b 100644 --- a/sfa/client/sfaclientlib.py +++ b/sfa/client/sfaclientlib.py @@ -9,6 +9,7 @@ import sys import os,os.path +from datetime import datetime import sfa.util.sfalogging # importing sfa.utils.faults does pull a lot of stuff @@ -19,7 +20,7 @@ from sfa.client.sfaserverproxy import SfaServerProxy # see optimizing dependencies below from sfa.trust.certificate import Keypair, Certificate - +from sfa.trust.credential import Credential ########## # a helper class to implement the bootstrapping of crypto. material # assuming we are starting from scratch on the client side @@ -185,6 +186,17 @@ class SfaClientBootstrap: self.logger.debug("SfaClientBootstrap: Wrote GID for %s (%s) in %s"% (hrn,type,output)) return output + + # Returns True if credential file is valid. Otherwise return false. + def validate_credential(self, filename): + valid = True + cred = Credential(filename=filename) + # check if credential is expires + if cred.get_expiration() < datetime.now(): + valid = False + return valid + + #################### public interface # return my_gid, run all missing steps in the bootstrap sequence @@ -271,11 +283,20 @@ class SfaClientBootstrap: # decorator to make up the other methods - def get_or_produce (filename_method, produce_method): + def get_or_produce (filename_method, produce_method, validate_method=None): + # default validator returns true def wrap (f): def wrapped (self, *args, **kw): filename=filename_method (self, *args, **kw) - if os.path.isfile ( filename ): return filename + if os.path.isfile ( filename ): + if not validate_method: + return filename + elif validate_method(self, filename): + return filename + else: + # remove invalid file + self.logger.warning ("Removing %s - has expired"%filename) + os.unlink(filename) try: produce_method (self, filename, *args, **kw) return filename @@ -293,19 +314,19 @@ class SfaClientBootstrap: @get_or_produce (self_signed_cert_filename, self_signed_cert_produce) def self_signed_cert (self): pass - @get_or_produce (my_credential_filename, my_credential_produce) + @get_or_produce (my_credential_filename, my_credential_produce, validate_credential) def my_credential (self): pass @get_or_produce (my_gid_filename, my_gid_produce) def my_gid (self): pass - @get_or_produce (credential_filename, credential_produce) + @get_or_produce (credential_filename, credential_produce, validate_credential) def credential (self, hrn, type): pass - @get_or_produce (slice_credential_filename, slice_credential_produce) + @get_or_produce (slice_credential_filename, slice_credential_produce, validate_credential) def slice_credential (self, hrn): pass - @get_or_produce (authority_credential_filename, authority_credential_produce) + @get_or_produce (authority_credential_filename, authority_credential_produce, validate_credential) def authority_credential (self, hrn): pass @get_or_produce (gid_filename, gid_produce) diff --git a/sfa/client/sfi.py b/sfa/client/sfi.py index 512bf9a3..a9725f4f 100644 --- a/sfa/client/sfi.py +++ b/sfa/client/sfi.py @@ -40,6 +40,7 @@ from sfa.client.sfaclientlib import SfaClientBootstrap from sfa.client.sfaserverproxy import SfaServerProxy, ServerException from sfa.client.client_helper import pg_users_arg, sfa_users_arg from sfa.client.return_value import ReturnValue +from sfa.client.candidates import Candidates CM_PORT=12346 @@ -112,6 +113,21 @@ def filter_records(type, records): return filtered_records +def credential_printable (credential_string): + credential=Credential(string=credential_string) + result="" + result += credential.get_summary_tostring() + result += "\n" + rights = credential.get_privileges() + result += "rights=%s"%rights + result += "\n" + return result + +def show_credentials (cred_s): + if not isinstance (cred_s,list): cred_s = [cred_s] + for cred in cred_s: + print "Using Credential %s"%credential_printable(cred) + # save methods def save_raw_to_file(var, filename, format="text", banner=None): if filename == "-": @@ -278,8 +294,8 @@ class Sfi: ("get_ticket", "slice_hrn rspec"), ("redeem_ticket", "ticket"), ("delegate", "name"), - ("create_gid", "[name]"), - ("get_trusted_certs", "cred"), + ("gid", "[name]"), + ("trusted", "cred"), ("config", ""), ] @@ -350,6 +366,10 @@ class Sfi: help="Include a credential delegated to the user's root"+\ "authority in set of credentials for this call") + # show_credential option + if command in ("list","resources","create","add","update","remove","slices","delete","status","renew"): + parser.add_option("-C","--credential",dest='show_credential',action='store_true',default=False, + help="show credential(s) used in human-readable form") # registy filter option if command in ("list", "show", "remove"): parser.add_option("-t", "--type", dest="type", type="choice", @@ -381,7 +401,7 @@ class Sfi: # 'create' does return the new rspec, makes sense to save that too - if command in ("resources", "show", "list", "create_gid", 'create'): + if command in ("resources", "show", "list", "gid", 'create'): parser.add_option("-o", "--output", dest="file", help="output XML to file", metavar="FILE", default=None) @@ -483,14 +503,21 @@ class Sfi: self.print_command_help(options) return -1 - command = args[0] + # complete / find unique match with command set + command_candidates = Candidates (self.available_names) + input = args[0] + command = command_candidates.only_match(input) + if not command: + self.print_command_help(options) + sys.exit(1) + # second pass options parsing self.command_parser = self.create_command_parser(command) (command_options, command_args) = self.command_parser.parse_args(args[1:]) self.command_options = command_options self.read_config () self.bootstrap () - self.logger.info("Command=%s" % command) + self.logger.debug("Command=%s" % command) try: self.dispatch(command, command_options, command_args) @@ -581,7 +608,8 @@ class Sfi: # init self-signed cert, user credentials and gid def bootstrap (self): - client_bootstrap = SfaClientBootstrap (self.user, self.reg_url, self.options.sfi_dir) + client_bootstrap = SfaClientBootstrap (self.user, self.reg_url, self.options.sfi_dir, + logger=self.logger) # if -k is provided, use this to initialize private key if self.options.user_private_key: client_bootstrap.init_private_key_if_missing (self.options.user_private_key) @@ -802,6 +830,8 @@ or version information about sfi itself if options.recursive: opts['recursive'] = options.recursive + if options.show_credential: + show_credentials(self.my_credential_string) try: list = self.registry().List(hrn, self.my_credential_string, options) except IndexError: @@ -849,6 +879,8 @@ or version information about sfi itself def add(self, options, args): "add record into registry from xml file (Register)" auth_cred = self.my_authority_credential_string() + if options.show_credential: + show_credentials(auth_cred) record_dict = {} if len(args) > 0: record_filepath = args[0] @@ -906,6 +938,8 @@ or version information about sfi itself cred = self.my_authority_credential_string() else: raise "unknown record type" + record_dict['type'] + if options.show_credential: + show_credentials(cred) return self.registry().Update(record_dict, cred) def remove(self, options, args): @@ -918,6 +952,8 @@ or version information about sfi itself type = options.type if type in ['all']: type = '*' + if options.show_credential: + show_credentials(auth_cred) return self.registry().Remove(hrn, auth_cred, type) # ================================================================== @@ -935,6 +971,8 @@ or version information about sfi itself # options and call_id when supported api_options = {} api_options['call_id']=unique_call_id() + if options.show_credential: + show_credentials(creds) result = server.ListSlices(creds, *self.ois(server,api_options)) value = ReturnValue.get_value(result) if self.options.raw: @@ -959,6 +997,8 @@ or with an slice hrn, shows currently provisioned resources creds.append(self.my_credential_string) if options.delegate: creds.append(self.delegate_cred(cred, get_authority(self.authority))) + if options.show_credential: + show_credentials(creds) # no need to check if server accepts the options argument since the options has # been a required argument since v1 API @@ -1013,6 +1053,7 @@ or with an slice hrn, shows currently provisioned resources # credentials creds = [self.slice_credential_string(slice_hrn)] + delegated_cred = None server_version = self.get_cached_server_version(server) if server_version.get('interface') == 'slicemgr': @@ -1024,6 +1065,9 @@ or with an slice hrn, shows currently provisioned resources #elif server_version.get('urn'): # delegated_cred = self.delegate_cred(slice_cred, urn_to_hrn(server_version['urn'])) + if options.show_credential: + show_credentials(creds) + # rspec rspec_file = self.get_rspec_file(args[1]) rspec = open(rspec_file).read() @@ -1090,6 +1134,8 @@ or with an slice hrn, shows currently provisioned resources # options and call_id when supported api_options = {} api_options ['call_id'] = unique_call_id() + if options.show_credential: + show_credentials(creds) result = server.DeleteSliver(slice_urn, creds, *self.ois(server, api_options ) ) value = ReturnValue.get_value(result) if self.options.raw: @@ -1118,6 +1164,8 @@ or with an slice hrn, shows currently provisioned resources # options and call_id when supported api_options = {} api_options['call_id']=unique_call_id() + if options.show_credential: + show_credentials(creds) result = server.SliverStatus(slice_urn, creds, *self.ois(server,api_options)) value = ReturnValue.get_value(result) if self.options.raw: @@ -1216,6 +1264,8 @@ or with an slice hrn, shows currently provisioned resources # options and call_id when supported api_options = {} api_options['call_id']=unique_call_id() + if options.show_credential: + show_credentials(creds) result = server.RenewSliver(slice_urn, creds, input_time, *self.ois(server,api_options)) value = ReturnValue.get_value(result) if self.options.raw: @@ -1317,7 +1367,7 @@ or with an slice hrn, shows currently provisioned resources self.logger.log_exc(e.message) return - def create_gid(self, options, args): + def gid(self, options, args): """ Create a GID (CreateGid) """ @@ -1360,7 +1410,7 @@ or with an slice hrn, shows currently provisioned resources self.logger.info("delegated credential for %s to %s and wrote to %s"%(object_hrn, delegee_hrn,dest_fn)) - def get_trusted_certs(self, options, args): + def trusted(self, options, args): """ return uhe trusted certs at this interface (get_trusted_certs) """ @@ -1369,7 +1419,7 @@ or with an slice hrn, shows currently provisioned resources gid = GID(string=trusted_cert) gid.dump() cert = Certificate(string=trusted_cert) - self.logger.debug('Sfi.get_trusted_certs -> %r'%cert.get_subject()) + self.logger.debug('Sfi.trusted -> %r'%cert.get_subject()) return def config (self, options, args): diff --git a/sfa/importer/__init__.py b/sfa/importer/__init__.py index bc6c7f22..6d3d4827 100644 --- a/sfa/importer/__init__.py +++ b/sfa/importer/__init__.py @@ -27,6 +27,9 @@ class Importer: else: self.logger = _SfaLogger(logfile='/var/log/sfa_import.log', loggername='importlog') self.logger.setLevelFromOptVerbose(self.config.SFA_API_LOGLEVEL) +# ugly side effect so that other modules get it right + import sfa.util.sfalogging + sfa.util.sfalogging.logger=logger # self.TrustedRoots = TrustedRoots(self.config.get_trustedroots_dir()) # check before creating a RegRecord entry as we run this over and over diff --git a/sfa/importer/openstackimporter.py b/sfa/importer/openstackimporter.py index 62f29efc..1f2af928 100644 --- a/sfa/importer/openstackimporter.py +++ b/sfa/importer/openstackimporter.py @@ -54,7 +54,8 @@ class OpenstackImporter: hrn = OSXrn(name=user.name, auth=auth_hrn, type='user').get_hrn() users_dict[hrn] = user old_keys = old_user_keys.get(hrn, []) - keys = [k.public_key for k in self.shell.nova_manager.keypairs.findall(name=hrn)] + keyname = OSXrn(xrn=hrn, type='user').get_slicename() + keys = [k.public_key for k in self.shell.nova_manager.keypairs.findall(name=keyname)] user_keys[hrn] = keys update_record = False if old_keys != keys: diff --git a/sfa/managers/registry_manager.py b/sfa/managers/registry_manager.py index a94a039c..f3f75f79 100644 --- a/sfa/managers/registry_manager.py +++ b/sfa/managers/registry_manager.py @@ -311,6 +311,7 @@ class RegistryManager: api.auth.hierarchy.create_auth(hrn_to_urn(hrn,'authority')) # get the GID from the newly created authority + auth_info = api.auth.get_auth_info(hrn) gid = auth_info.get_gid_object() record.gid=gid.save_to_string(save_parents=True) diff --git a/sfa/openstack/nova_driver.py b/sfa/openstack/nova_driver.py index 98a67239..638811e9 100644 --- a/sfa/openstack/nova_driver.py +++ b/sfa/openstack/nova_driver.py @@ -118,7 +118,8 @@ class NovaDriver(Driver): self.shell.auth_manager.roles.add_user_role(user, slice_tenant, 'user') keys = sfa_records.get('keys', []) for key in keys: - self.shell.nova_client.keypairs.create(name, key) + keyname = OSXrn(xrn=hrn, type='user').get_slicename() + self.shell.nova_client.keypairs.create(keyname, key) return user def register_authority(self, sfa_record, hrn): @@ -411,9 +412,11 @@ class NovaDriver(Driver): res['geni_urn'] = sliver_id if instance.vm_state == 'running': - res['boot_state'] = 'ready'; + res['boot_state'] = 'ready' + res['geni_status'] = 'ready' else: res['boot_state'] = 'unknown' + res['geni_status'] = 'unknown' resources.append(res) result['geni_status'] = top_level_status diff --git a/sfa/trust/gid.py b/sfa/trust/gid.py index 470757bd..8d1017fc 100644 --- a/sfa/trust/gid.py +++ b/sfa/trust/gid.py @@ -1,260 +1,260 @@ -#---------------------------------------------------------------------- -# Copyright (c) 2008 Board of Trustees, Princeton University -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and/or hardware specification (the "Work") to -# deal in the Work without restriction, including without limitation the -# rights to use, copy, modify, merge, publish, distribute, sublicense, -# and/or sell copies of the Work, and to permit persons to whom the Work -# is furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Work. -# -# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT -# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, -# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS -# IN THE WORK. -#---------------------------------------------------------------------- -## -# Implements SFA GID. GIDs are based on certificates, and the GID class is a -# descendant of the certificate class. -## - -import xmlrpclib -import uuid - -from sfa.trust.certificate import Certificate - -from sfa.util.faults import GidInvalidParentHrn, GidParentHrn -from sfa.util.sfalogging import logger -from sfa.util.xrn import hrn_to_urn, urn_to_hrn, hrn_authfor_hrn - -## -# Create a new uuid. Returns the UUID as a string. - -def create_uuid(): - return str(uuid.uuid4().int) - -## -# GID is a tuple: -# (uuid, urn, public_key) -# -# UUID is a unique identifier and is created by the python uuid module -# (or the utility function create_uuid() in gid.py). -# -# HRN is a human readable name. It is a dotted form similar to a backward domain -# name. For example, planetlab.us.arizona.bakers. -# -# URN is a human readable identifier of form: -# "urn:publicid:IDN+toplevelauthority[:sub-auth.]*[\res. type]\ +object name" -# For example, urn:publicid:IDN+planetlab:us:arizona+user+bakers -# -# PUBLIC_KEY is the public key of the principal identified by the UUID/HRN. -# It is a Keypair object as defined in the cert.py module. -# -# It is expected that there is a one-to-one pairing between UUIDs and HRN, -# but it is uncertain how this would be inforced or if it needs to be enforced. -# -# These fields are encoded using xmlrpc into the subjectAltName field of the -# x509 certificate. Note: Call encode() once the fields have been filled in -# to perform this encoding. - - -class GID(Certificate): - uuid = None - hrn = None - urn = None - email = None # for adding to the SubjectAltName - - ## - # Create a new GID object - # - # @param create If true, create the X509 certificate - # @param subject If subject!=None, create the X509 cert and set the subject name - # @param string If string!=None, load the GID from a string - # @param filename If filename!=None, load the GID from a file - # @param lifeDays life of GID in days - default is 1825==5 years - - def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825): - - Certificate.__init__(self, lifeDays, create, subject, string, filename) - if subject: - logger.debug("Creating GID for subject: %s" % subject) - if uuid: - self.uuid = int(uuid) - if hrn: - self.hrn = hrn - self.urn = hrn_to_urn(hrn, 'unknown') - if urn: - self.urn = urn - self.hrn, type = urn_to_hrn(urn) - - def set_uuid(self, uuid): - if isinstance(uuid, str): - self.uuid = int(uuid) - else: - self.uuid = uuid - - def get_uuid(self): - if not self.uuid: - self.decode() - return self.uuid - - def set_hrn(self, hrn): - self.hrn = hrn - - def get_hrn(self): - if not self.hrn: - self.decode() - return self.hrn - - def set_urn(self, urn): - self.urn = urn - self.hrn, type = urn_to_hrn(urn) - - def get_urn(self): - if not self.urn: - self.decode() - return self.urn - - # Will be stuffed into subjectAltName - def set_email(self, email): - self.email = email - - def get_email(self): - if not self.email: - self.decode() - return self.email - - def get_type(self): - if not self.urn: - self.decode() - _, t = urn_to_hrn(self.urn) - return t - - ## - # Encode the GID fields and package them into the subject-alt-name field - # of the X509 certificate. This must be called prior to signing the - # certificate. It may only be called once per certificate. - - def encode(self): - if self.urn: - urn = self.urn - else: - urn = hrn_to_urn(self.hrn, None) - - str = "URI:" + urn - - if self.uuid: - str += ", " + "URI:" + uuid.UUID(int=self.uuid).urn - - if self.email: - str += ", " + "email:" + self.email - - self.set_data(str, 'subjectAltName') - - - - - ## - # Decode the subject-alt-name field of the X509 certificate into the - # fields of the GID. This is automatically called by the various get_*() - # functions in this class. - - def decode(self): - data = self.get_data('subjectAltName') - dict = {} - if data: - if data.lower().startswith('uri:http://'): - dict = xmlrpclib.loads(data[11:])[0][0] - else: - spl = data.split(', ') - for val in spl: - if val.lower().startswith('uri:urn:uuid:'): - dict['uuid'] = uuid.UUID(val[4:]).int - elif val.lower().startswith('uri:urn:publicid:idn+'): - dict['urn'] = val[4:] - elif val.lower().startswith('email:'): - # FIXME: Ensure there isn't cruft in that address... - # EG look for email:copy,.... - dict['email'] = val[6:] - - self.uuid = dict.get("uuid", None) - self.urn = dict.get("urn", None) - self.hrn = dict.get("hrn", None) - self.email = dict.get("email", None) - if self.urn: - self.hrn = urn_to_hrn(self.urn)[0] - - ## - # Dump the credential to stdout. - # - # @param indent specifies a number of spaces to indent the output - # @param dump_parents If true, also dump the parents of the GID - - def dump(self, *args, **kwargs): - print self.dump_string(*args,**kwargs) - - def dump_string(self, indent=0, dump_parents=False): - result=" "*(indent-2) + "GID\n" - result += " "*indent + "hrn:" + str(self.get_hrn()) +"\n" - result += " "*indent + "urn:" + str(self.get_urn()) +"\n" - result += " "*indent + "uuid:" + str(self.get_uuid()) + "\n" - if self.get_email() is not None: - result += " "*indent + "email:" + str(self.get_email()) + "\n" - filename=self.get_filename() - if filename: result += "Filename %s\n"%filename - - if self.parent and dump_parents: - result += " "*indent + "parent:\n" - result += self.parent.dump_string(indent+4, dump_parents) - return result - - ## - # Verify the chain of authenticity of the GID. First perform the checks - # of the certificate class (verifying that each parent signs the child, - # etc). In addition, GIDs also confirm that the parent's HRN is a prefix - # of the child's HRN, and the parent is of type 'authority'. - # - # Verifying these prefixes prevents a rogue authority from signing a GID - # for a principal that is not a member of that authority. For example, - # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo. - - def verify_chain(self, trusted_certs = None): - # do the normal certificate verification stuff - trusted_root = Certificate.verify_chain(self, trusted_certs) - - if self.parent: - # make sure the parent's hrn is a prefix of the child's hrn - if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): - raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) - - # Parent must also be an authority (of some type) to sign a GID - # There are multiple types of authority - accept them all here - if not self.parent.get_type().find('authority') == 0: - raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) - - # Then recurse up the chain - ensure the parent is a trusted - # root or is in the namespace of a trusted root - self.parent.verify_chain(trusted_certs) - else: - # make sure that the trusted root's hrn is a prefix of the child's - trusted_gid = GID(string=trusted_root.save_to_string()) - trusted_type = trusted_gid.get_type() - trusted_hrn = trusted_gid.get_hrn() - #if trusted_type == 'authority': - # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] - cur_hrn = self.get_hrn() - if not hrn_authfor_hrn(trusted_hrn, cur_hrn): - raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert %s" % (trusted_hrn, cur_hrn)) - - # There are multiple types of authority - accept them all here - if not trusted_type.find('authority') == 0: - raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) - - return +#---------------------------------------------------------------------- +# Copyright (c) 2008 Board of Trustees, Princeton University +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and/or hardware specification (the "Work") to +# deal in the Work without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Work, and to permit persons to whom the Work +# is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Work. +# +# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS +# IN THE WORK. +#---------------------------------------------------------------------- +## +# Implements SFA GID. GIDs are based on certificates, and the GID class is a +# descendant of the certificate class. +## + +import xmlrpclib +import uuid + +from sfa.trust.certificate import Certificate + +from sfa.util.faults import GidInvalidParentHrn, GidParentHrn +from sfa.util.sfalogging import logger +from sfa.util.xrn import hrn_to_urn, urn_to_hrn, hrn_authfor_hrn + +## +# Create a new uuid. Returns the UUID as a string. + +def create_uuid(): + return str(uuid.uuid4().int) + +## +# GID is a tuple: +# (uuid, urn, public_key) +# +# UUID is a unique identifier and is created by the python uuid module +# (or the utility function create_uuid() in gid.py). +# +# HRN is a human readable name. It is a dotted form similar to a backward domain +# name. For example, planetlab.us.arizona.bakers. +# +# URN is a human readable identifier of form: +# "urn:publicid:IDN+toplevelauthority[:sub-auth.]*[\res. type]\ +object name" +# For example, urn:publicid:IDN+planetlab:us:arizona+user+bakers +# +# PUBLIC_KEY is the public key of the principal identified by the UUID/HRN. +# It is a Keypair object as defined in the cert.py module. +# +# It is expected that there is a one-to-one pairing between UUIDs and HRN, +# but it is uncertain how this would be inforced or if it needs to be enforced. +# +# These fields are encoded using xmlrpc into the subjectAltName field of the +# x509 certificate. Note: Call encode() once the fields have been filled in +# to perform this encoding. + + +class GID(Certificate): + uuid = None + hrn = None + urn = None + email = None # for adding to the SubjectAltName + + ## + # Create a new GID object + # + # @param create If true, create the X509 certificate + # @param subject If subject!=None, create the X509 cert and set the subject name + # @param string If string!=None, load the GID from a string + # @param filename If filename!=None, load the GID from a file + # @param lifeDays life of GID in days - default is 1825==5 years + + def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None, lifeDays=1825): + + Certificate.__init__(self, lifeDays, create, subject, string, filename) + if subject: + logger.debug("Creating GID for subject: %s" % subject) + if uuid: + self.uuid = int(uuid) + if hrn: + self.hrn = hrn + self.urn = hrn_to_urn(hrn, 'unknown') + if urn: + self.urn = urn + self.hrn, type = urn_to_hrn(urn) + + def set_uuid(self, uuid): + if isinstance(uuid, str): + self.uuid = int(uuid) + else: + self.uuid = uuid + + def get_uuid(self): + if not self.uuid: + self.decode() + return self.uuid + + def set_hrn(self, hrn): + self.hrn = hrn + + def get_hrn(self): + if not self.hrn: + self.decode() + return self.hrn + + def set_urn(self, urn): + self.urn = urn + self.hrn, type = urn_to_hrn(urn) + + def get_urn(self): + if not self.urn: + self.decode() + return self.urn + + # Will be stuffed into subjectAltName + def set_email(self, email): + self.email = email + + def get_email(self): + if not self.email: + self.decode() + return self.email + + def get_type(self): + if not self.urn: + self.decode() + _, t = urn_to_hrn(self.urn) + return t + + ## + # Encode the GID fields and package them into the subject-alt-name field + # of the X509 certificate. This must be called prior to signing the + # certificate. It may only be called once per certificate. + + def encode(self): + if self.urn: + urn = self.urn + else: + urn = hrn_to_urn(self.hrn, None) + + str = "URI:" + urn + + if self.uuid: + str += ", " + "URI:" + uuid.UUID(int=self.uuid).urn + + if self.email: + str += ", " + "email:" + self.email + + self.set_data(str, 'subjectAltName') + + + + + ## + # Decode the subject-alt-name field of the X509 certificate into the + # fields of the GID. This is automatically called by the various get_*() + # functions in this class. + + def decode(self): + data = self.get_data('subjectAltName') + dict = {} + if data: + if data.lower().startswith('uri:http://'): + dict = xmlrpclib.loads(data[11:])[0][0] + else: + spl = data.split(', ') + for val in spl: + if val.lower().startswith('uri:urn:uuid:'): + dict['uuid'] = uuid.UUID(val[4:]).int + elif val.lower().startswith('uri:urn:publicid:idn+'): + dict['urn'] = val[4:] + elif val.lower().startswith('email:'): + # FIXME: Ensure there isn't cruft in that address... + # EG look for email:copy,.... + dict['email'] = val[6:] + + self.uuid = dict.get("uuid", None) + self.urn = dict.get("urn", None) + self.hrn = dict.get("hrn", None) + self.email = dict.get("email", None) + if self.urn: + self.hrn = urn_to_hrn(self.urn)[0] + + ## + # Dump the credential to stdout. + # + # @param indent specifies a number of spaces to indent the output + # @param dump_parents If true, also dump the parents of the GID + + def dump(self, *args, **kwargs): + print self.dump_string(*args,**kwargs) + + def dump_string(self, indent=0, dump_parents=False): + result=" "*(indent-2) + "GID\n" + result += " "*indent + "hrn:" + str(self.get_hrn()) +"\n" + result += " "*indent + "urn:" + str(self.get_urn()) +"\n" + result += " "*indent + "uuid:" + str(self.get_uuid()) + "\n" + if self.get_email() is not None: + result += " "*indent + "email:" + str(self.get_email()) + "\n" + filename=self.get_filename() + if filename: result += "Filename %s\n"%filename + + if self.parent and dump_parents: + result += " "*indent + "parent:\n" + result += self.parent.dump_string(indent+4, dump_parents) + return result + + ## + # Verify the chain of authenticity of the GID. First perform the checks + # of the certificate class (verifying that each parent signs the child, + # etc). In addition, GIDs also confirm that the parent's HRN is a prefix + # of the child's HRN, and the parent is of type 'authority'. + # + # Verifying these prefixes prevents a rogue authority from signing a GID + # for a principal that is not a member of that authority. For example, + # planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo. + + def verify_chain(self, trusted_certs = None): + # do the normal certificate verification stuff + trusted_root = Certificate.verify_chain(self, trusted_certs) + + if self.parent: + # make sure the parent's hrn is a prefix of the child's hrn + if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()): + raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn())) + + # Parent must also be an authority (of some type) to sign a GID + # There are multiple types of authority - accept them all here + if not self.parent.get_type().find('authority') == 0: + raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type())) + + # Then recurse up the chain - ensure the parent is a trusted + # root or is in the namespace of a trusted root + self.parent.verify_chain(trusted_certs) + else: + # make sure that the trusted root's hrn is a prefix of the child's + trusted_gid = GID(string=trusted_root.save_to_string()) + trusted_type = trusted_gid.get_type() + trusted_hrn = trusted_gid.get_hrn() + #if trusted_type == 'authority': + # trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')] + cur_hrn = self.get_hrn() + if not hrn_authfor_hrn(trusted_hrn, cur_hrn): + raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert %s" % (trusted_hrn, cur_hrn)) + + # There are multiple types of authority - accept them all here + if not trusted_type.find('authority') == 0: + raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type)) + + return diff --git a/sfa/util/xrn.py b/sfa/util/xrn.py index e3871b5f..08a257da 100644 --- a/sfa/util/xrn.py +++ b/sfa/util/xrn.py @@ -227,14 +227,15 @@ class Xrn: if self.type and self.type.startswith('authority'): self.authority = Xrn.hrn_auth_list(self.hrn) leaf = self.get_leaf() - if not self.authority: - self.authority = [self.hrn] + #if not self.authority: + # self.authority = [self.hrn] type_parts = self.type.split("+") self.type = type_parts[0] name = 'sa' if len(type_parts) > 1: name = type_parts[1] - authority_string = ":".join([self.get_authority_urn(), leaf]) + auth_parts = [part for part in [self.get_authority_urn(), leaf] if part] + authority_string = ":".join(auth_parts) else: self.authority = Xrn.hrn_auth_list(self.hrn) name = Xrn.hrn_leaf(self.hrn)