From 24f04841b33b0026a925caefdd1e48419dea36a8 Mon Sep 17 00:00:00 2001
From: Tony Mack
Date: Tue, 21 Jan 2014 21:50:11 -0500
Subject: [PATCH] adding support for geni_speaking_for option
---
sfa/managers/aggregate_manager.py | 1 +
sfa/methods/CreateSliver.py | 4 +++-
sfa/methods/DeleteSliver.py | 3 ++-
sfa/methods/ListResources.py | 3 ++-
sfa/methods/RenewSliver.py | 4 +++-
sfa/methods/SliverStatus.py | 3 ++-
sfa/methods/Start.py | 3 ++-
sfa/methods/Stop.py | 3 ++-
sfa/trust/auth.py | 31 +++++++++++++++++++++++++------
9 files changed, 42 insertions(+), 13 deletions(-)
diff --git a/sfa/managers/aggregate_manager.py b/sfa/managers/aggregate_manager.py
index 2ad3f9cc..36126c26 100644
--- a/sfa/managers/aggregate_manager.py
+++ b/sfa/managers/aggregate_manager.py
@@ -24,6 +24,7 @@ class AggregateManager: 'geni_api_versions': geni_api_versions, 'hrn':xrn.get_hrn(), 'urn':xrn.get_urn(), + 'geni_handles_speaksfor': True, # supports 'speaks for' credentials } version.update(version_generic) testbed_version = self.driver.aggregate_version()
diff --git a/sfa/methods/CreateSliver.py b/sfa/methods/CreateSliver.py
index 27974891..bc9bf961 100644
--- a/sfa/methods/CreateSliver.py
+++ b/sfa/methods/CreateSliver.py
@@ -34,8 +34,10 @@ class CreateSliver(Method): self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name)) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + # Find the valid credentials - valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn) + valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', hrn, speaking_for) origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn() # make sure users info is specified
diff --git a/sfa/methods/DeleteSliver.py b/sfa/methods/DeleteSliver.py
index c9e40a4a..caa3694f 100644
--- a/sfa/methods/DeleteSliver.py
+++ b/sfa/methods/DeleteSliver.py
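Review bot: The added `(speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))` in sfa/methods/CreateSliver.py passes `None` to `urn_to_hrn` whenever the client omits the option, and how that helper treats `None` is not visible in this patch. Guard the lookup so ordinary callers keep the old path: `speaking_for = None` followed by `if options.get('geni_speaking_for'): (speaking_for, _) = urn_to_hrn(options['geni_speaking_for'])`. The same unguarded line is added in the DeleteSliver.py, ListResources.py, RenewSliver.py and SliverStatus.py hunks. A comment noting that the value is client-supplied and carries no authority until `checkCredentials` has validated a credential against it would help the next reader.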
@@ -26,7 +26,8 @@ class DeleteSliver(Method): def call(self, xrn, creds, options): (hrn, type) = urn_to_hrn(xrn) - valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', hrn, speaking_for) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/ListResources.py b/sfa/methods/ListResources.py
index 04359a04..4fb0fafc 100644
--- a/sfa/methods/ListResources.py
+++ b/sfa/methods/ListResources.py
@@ -36,9 +36,10 @@ class ListResources(Method): # get slice's hrn from options xrn = options.get('geni_slice_urn', '') (hrn, _) = urn_to_hrn(xrn) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) # Find the valid credentials - valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn) + valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', hrn, speaking_for) # get hrn of the original caller origin_hrn = options.get('origin_hrn', None)
diff --git a/sfa/methods/RenewSliver.py b/sfa/methods/RenewSliver.py
index c64b8841..735a566c 100644
--- a/sfa/methods/RenewSliver.py
+++ b/sfa/methods/RenewSliver.py
@@ -32,8 +32,10 @@ class RenewSliver(Method): self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, hrn, creds, self.name)) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + # Find the valid credentials - valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn) + valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', hrn, speaking_for) # Validate that the time does not go beyond the credential's expiration time requested_time = utcparse(expiration_time)
diff --git a/sfa/methods/SliverStatus.py b/sfa/methods/SliverStatus.py
index deb79983..a3cff50d 100644
--- a/sfa/methods/SliverStatus.py
+++ b/sfa/methods/SliverStatus.py
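Review bot: The audit record in sfa/methods/DeleteSliver.py no longer identifies the acting party reliably, because `origin_hrn` is still taken from `valid_creds[0]` while the new `checkCredentials` (sfa/trust/auth.py) returns ordinary and speaks-for credentials mixed in the order the client sent them. The identity recorded under `#log the call` therefore depends on credential ordering and never names the user being spoken for. Record both parties next to the existing log call, which lies outside this hunk, for example `self.api.logger.info("speaking-for: %s\torigin: %s" % (speaking_for, origin_hrn))`. CreateSliver.py, Start.py and Stop.py derive `origin_hrn` from `valid_creds[0]` in the same way.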
@@ -21,7 +21,8 @@ class SliverStatus(Method): def call(self, slice_xrn, creds, options): hrn, type = urn_to_hrn(slice_xrn) - valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', hrn, speaking_for) self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, hrn, self.name))
diff --git a/sfa/methods/Start.py b/sfa/methods/Start.py
index 14122225..b4d88ee0 100644
--- a/sfa/methods/Start.py
+++ b/sfa/methods/Start.py
@@ -26,7 +26,8 @@ class Start(Method): def call(self, xrn, creds): hrn, type = urn_to_hrn(xrn) - valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn, speaking_for) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/methods/Stop.py b/sfa/methods/Stop.py
index 0d802827..654ac403 100644
--- a/sfa/methods/Stop.py
+++ b/sfa/methods/Stop.py
@@ -26,7 +26,8 @@ class Stop(Method): def call(self, xrn, creds): hrn, type = urn_to_hrn(xrn) - valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn) + (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for')) + valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', hrn, speaking_for) #log the call origin_hrn = Credential(string=valid_creds[0]).get_gid_caller().get_hrn()
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 0c032792..48ad5b26 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
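Review bot: In sfa/methods/Start.py the added line reads `options.get('geni_speaking_for')`, but the visible signature is `def call(self, xrn, creds):`, so unless `options` is defined at module level (not shown) every call raises NameError before `checkCredentials` runs. The Stop.py hunk has the same problem. Either keep these two methods on the three-argument form, `valid_creds = self.api.auth.checkCredentials(creds, 'startslice', hrn)`, or add the parameter as `def call(self, xrn, creds, options=None):` with `options = options or {}` as the first statement. Any declared parameter list for the method, which would lie outside this hunk, needs the same addition.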
@@ -34,10 +34,18 @@ class Auth: self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() - - - def checkCredentials(self, creds, operation, hrn = None): + + def checkCredentials(self, creds, operation, hrn = None, speaking_for_hrn = None): + + def log_invalid_cred(cred): + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) + error = sys.exc_info()[:2] + return error + valid = [] + speaks_for_cred = None + if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds))
@@ -46,14 +54,25 @@ class Auth: self.check(cred, operation, hrn) valid.append(cred) except: - cred_obj=Credential(string=cred) - logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) - error = sys.exc_info()[:2] + # check if credential is a 'speaks for credential' + if speaking_for_hrn: + try: + self.check(cred, operation, speaking_for_hrn) + speaks_for_cred = cred + valid.append(cred) + except: + error = log_invalid_cred(cred) + else: + error = log_invalid_cred(cred) continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) + if speaking_for_hrn and not speaks_for_cred: + raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1])) + + return valid
--
2.43.0
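Review bot: `error` is assigned only when a check fails, yet the new `if speaking_for_hrn and not speaks_for_cred:` branch in the second sfa/trust/auth.py hunk formats `error[0]` even when every credential passed the first `self.check(...)`. That path raises UnboundLocalError instead of InsufficientRights. Initialise it beside the other locals added in this hunk: `error = (None, None)`. The new `speaking_for_hrn` parameter also needs a docstring on `checkCredentials` saying that it is the hrn derived from the client's `geni_speaking_for` option, that each credential is tried against `hrn` first and against `speaking_for_hrn` only on failure, and that the returned list mixes both kinds.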
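Review bot: In the second sfa/trust/auth.py hunk the speaks-for branch appends a credential to `valid` after checking it only against `speaking_for_hrn`, so `checkCredentials` can return successfully when no credential was ever validated against the target `hrn`. That hrn comes from the client's `geni_speaking_for` option, and both paths call the same `self.check` (body not shown), so nothing visible distinguishes a delegation credential from an ordinary one. If a speaks-for credential is meant to supplement rather than replace a credential for the target, track that separately: `target_ok = False` before the loop, `target_ok = True` after the first `self.check(cred, operation, hrn)`, and `if not target_ok:` in place of `if not len(valid):`. The bare `except:` clauses also turn programming errors into access denials, and `except Exception:` would be narrower. The loop that encloses this code starts outside the hunk.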