From 0eb8d56df7ee56f2ffebeef43c55cc7416fdf278 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Wed, 28 May 2014 12:30:26 +0200
Subject: [PATCH] review and clean up the speaks_for mess

some methods seem to need this addition too but for now I'd rather not mix both issues
---
 sfa/methods/Allocate.py | 2 +-
 sfa/methods/Delete.py | 7 +++----
 sfa/methods/Describe.py | 7 +++----
 sfa/methods/ListResources.py | 2 +-
 sfa/methods/PerformOperationalAction.py | 6 +++---
 sfa/methods/Provision.py | 8 +++-----
 sfa/methods/Renew.py | 6 +++---
 sfa/methods/Shutdown.py | 2 +-
 sfa/methods/Status.py | 6 +++---
 sfa/trust/auth.py | 22 +++++++++++++++++-----
 sfa/trust/speaksfor_util.py | 7 +++----
 11 files changed, 41 insertions(+), 34 deletions(-)

diff --git a/sfa/methods/Allocate.py b/sfa/methods/Allocate.py
index c55769d6..055b4fcb 100644
--- a/sfa/methods/Allocate.py
+++ b/sfa/methods/Allocate.py
@@ -39,7 +39,7 @@ class Allocate(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrn.get_hrn(), self.name))
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn(), options=options)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrn.get_hrn(), options=options)
 the_credential = Credential(cred=valid_creds[0])
 # use the expiration from the first valid credential to determine when
diff --git a/sfa/methods/Delete.py b/sfa/methods/Delete.py
index eed8a398..593de28f 100644
--- a/sfa/methods/Delete.py
+++ b/sfa/methods/Delete.py
@@ -24,10 +24,9 @@ class Delete(Method):
 returns = Parameter(int, "1 if successful")
 def call(self, xrns, creds, options):
- (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
- valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', xrns,
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- speaking_for_hrn=speaking_for)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'deletesliver', xrns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 #log the call
 origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/Describe.py b/sfa/methods/Describe.py
index ec604895..018f8034 100644
--- a/sfa/methods/Describe.py
+++ b/sfa/methods/Describe.py
@@ -36,10 +36,9 @@ class Describe(Method):
 options['geni_rspec_version'] = options['rspec_version']
 else:
 raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
- (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
- valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- speaking_for_hrn=speaking_for)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'listnodes', urns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 # get hrn of the original caller
 origin_hrn = options.get('origin_hrn', None)
diff --git a/sfa/methods/ListResources.py b/sfa/methods/ListResources.py
index e7f16318..33777fd7 100644
--- a/sfa/methods/ListResources.py
+++ b/sfa/methods/ListResources.py
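Review bot: With the `(speaking_for, _) = urn_to_hrn(...)` line removed from both `Delete.call` and `Describe.call`, `urn_to_hrn` is presumably no longer used in either module unless another call site in the file still needs it; the import should be dropped in the same clean-up so a reader does not go looking for a speaks-for path that no longer exists there. In Describe.py the old call also carried a stray `\` inside the parentheses, and the new call drops it, which is fine. Both `call` bodies continue past their hunks.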
@@ -34,7 +34,7 @@ class ListResources(Method):
 raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', options=options)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'listnodes', options=options)
 # get hrn of the original caller
 origin_hrn = options.get('origin_hrn', None)
diff --git a/sfa/methods/PerformOperationalAction.py b/sfa/methods/PerformOperationalAction.py
index a2635142..41bf58fd 100644
--- a/sfa/methods/PerformOperationalAction.py
+++ b/sfa/methods/PerformOperationalAction.py
@@ -34,9 +34,9 @@ class PerformOperationalAction(Method):
 (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- speaking_for_hrn=speaking_for)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
 result = self.api.manager.PerformOperationalAction(self.api, xrns, creds, action, options)
diff --git a/sfa/methods/Provision.py b/sfa/methods/Provision.py
index 578f6d23..7177854d 100644
--- a/sfa/methods/Provision.py
+++ b/sfa/methods/Provision.py
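Review bot: The context line `(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))` is left in `PerformOperationalAction.call` although the rewritten `checkCredentialsSpeaksFor` call no longer consumes `speaking_for`; the Provision.py hunk in this same patch removes the equivalent line, so this one looks like an oversight. It is dead code that still runs on every request and, if `urn_to_hrn` raises on an absent or malformed `geni_speaking_for` value, can fail before the credential check is even reached — presumably not intended. I would delete the line here exactly as Provision.py does. The `call` body starts before this hunk.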
@@ -31,12 +31,10 @@ class Provision(Method):
 def call(self, xrns, creds, options):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
- (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
- # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- options=options)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
 result = self.api.manager.Provision(self.api, xrns, creds, options)
diff --git a/sfa/methods/Renew.py b/sfa/methods/Renew.py
index 5aef4578..ee76dc8f 100644
--- a/sfa/methods/Renew.py
+++ b/sfa/methods/Renew.py
@@ -33,9 +33,9 @@ class Renew(Method):
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, urns, creds, self.name))
 # Find the valid credentials
- valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', urns,
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- options=options)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'renewsliver', urns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 # Validate that the time does not go beyond the credential's expiration time
 requested_time = utcparse(expiration_time)
diff --git a/sfa/methods/Shutdown.py b/sfa/methods/Shutdown.py
index 3eee8785..f6f1841f 100644
--- a/sfa/methods/Shutdown.py
+++ b/sfa/methods/Shutdown.py
@@ -20,7 +20,7 @@ class Shutdown(Method):
 def call(self, xrn, creds):
 valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', xrn,
- check_sliver_callback = self.api.driver.check_sliver_credentials)
+ check_sliver_callback = self.api.driver.check_sliver_credentials)
 #log the call
 origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name))
diff --git a/sfa/methods/Status.py b/sfa/methods/Status.py
index 76e967d2..68d928e6 100644
--- a/sfa/methods/Status.py
+++ b/sfa/methods/Status.py
@@ -19,9 +19,9 @@ class Status(Method):
 returns = Parameter(dict, "Status details")
 def call(self, xrns, creds, options):
- valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', xrns,
- check_sliver_callback = self.api.driver.check_sliver_credentials,
- options=options)
+ valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'sliverstatus', xrns,
+ check_sliver_callback = self.api.driver.check_sliver_credentials,
+ options=options)
 self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
 return self.api.manager.Status(self.api, xrns, creds, options)
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 5ff6ba64..0b9f0812 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -36,10 +36,24 @@ class Auth:
 self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
 self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
+ # this convenience methods extracts speaking_for_xrn from the passed options using 'geni_speaking_for'
+ def checkCredentialsSpeaksFor (self, *args, **kwds):
+ if 'options' not in kwds:
+ logger.error ("checkCredentialsSpeaksFor was not passed options=options")
+ return
+ # remove the options arg
+ options=kwds['options']; del kwds['options']
+ # compute the speaking_for_xrn arg and pass it to checkCredentials
+ if options is None: speaking_for_xrn=None
+ else: speaking_for_xrn=options.get('geni_speaking_for',None)
+ kwds['speaking_for_xrn']=speaking_for_xrn
+ return self.checkCredentials (*args, **kwds)
+
 # do not use mutable as default argument
 # http://docs.python-guide.org/en/latest/writing/gotchas/#mutable-default-arguments
 def checkCredentials(self, creds, operation, xrns=None,
- check_sliver_callback=None, options=None):
+ check_sliver_callback=None,
+ speaking_for_xrn=None):
 if xrns is None: xrns=[]
 def log_invalid_cred(cred):
 cred_obj=Credential(string=cred)
@@ -72,10 +86,8 @@ class Auth:
 if not hrns: hrns = [None]
 error=[None,None]
- # if speaks for gid matches caller cert then we've found a valid
- # speaks for credential
- speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
- options, self.trusted_cert_list)
+ speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
+ speaking_for_xrn, self.trusted_cert_list)
 if self.peer_cert and \
 not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
diff --git a/sfa/trust/speaksfor_util.py b/sfa/trust/speaksfor_util.py
index ad2e97f5..5a5fd443 100644
--- a/sfa/trust/speaksfor_util.py
+++ b/sfa/trust/speaksfor_util.py
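Review bot: `checkCredentialsSpeaksFor` answers a missing `options=` with a log line and a bare `return`, so a caller that forgets the keyword gets `None` back and — as every call site in this patch does `valid_creds[0]` — fails with a TypeError far from the actual mistake, instead of the credential check failing explicitly at the point of misuse. Since this wraps an authorization check it should fail loudly there: replace `return` with `raise TypeError("checkCredentialsSpeaksFor requires options=")` (or the project's own fault type if one is conventional). The value forwarded as `speaking_for_xrn` is read straight from the client-supplied `options` dict and is not validated here, which the comment above the method should say, e.g. `# forwards the (untrusted, client-supplied) 'geni_speaking_for' option as speaking_for_xrn; it is validated in determine_speaks_for`. Dropping `options=None` from `checkCredentials` also means any remaining direct caller that still passes `options=` now gets a TypeError; the Shutdown.py hunk uses the old entry point without it and is fine, but callers outside this patch would not be, which the commit message seems to acknowledge.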
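Review bot: The second hunk drops the comment `# if speaks for gid matches caller cert then we've found a valid speaks for credential`, which was the only explanation of the `self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey())` check that immediately follows the new `determine_speaks_for` call; renaming the argument to `speaking_for_xrn` does not make that comparison self-explanatory. I would restore the comment (or an equivalent one-liner) above the call so the pubkey comparison stays documented. `checkCredentials` starts and ends outside this hunk.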
@@ -229,10 +229,9 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn,
 # trusted_roots is a list of Certificate objects from the system
 # trusted_root directory
 # Optionally, provide an XML schema against which to validate the credential
-def determine_speaks_for(logger, credentials, caller_gid, options,
- trusted_roots, schema=None):
- if options and 'geni_speaking_for' in options:
- speaking_for_urn = options['geni_speaking_for'].strip()
+def determine_speaks_for(logger, credentials, caller_gid, speaking_for_xrn, trusted_roots, schema=None):
+ if speaking_for_xrn:
+ speaking_for_urn = Xrn (speaking_for_xrn.strip()).get_urn()
 for cred in credentials:
 # Skip things that aren't ABAC credentials
 if type(cred) == dict:
-- 
2.43.0
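Review bot: The new `speaking_for_xrn` parameter carries a request-supplied string (`options['geni_speaking_for']`, per the auth.py hunk) and is passed to `.strip()` and `Xrn(...)` without any type or shape check, so a non-string or malformed value would surface as an AttributeError or whatever `Xrn` raises — an unhandled server exception on an authorization path rather than a clean rejection; a guard such as `if speaking_for_xrn and not isinstance(speaking_for_xrn, str): raise ValueError("geni_speaking_for must be a string")` (or the project's fault type) before the `.strip()` would keep that explicit. The comment block above the signature documents `trusted_roots` and `schema` but says nothing about the new parameter; I would add `# speaking_for_xrn is the untrusted 'geni_speaking_for' request option, hrn or urn, normalised to a urn here`. As before this patch, `speaking_for_urn` is only bound when `speaking_for_xrn` is truthy, and the function body runs on past the hunk, so I cannot confirm where it is read.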