review and clean up the speaks_for mess
Thierry Parmentelat [Wed, 28 May 2014 10:30:26 +0000 (12:30 +0200)]
some methods seem to need this addition too but for now I'd rather not mix both issues

sfa/methods/Allocate.py
sfa/methods/Delete.py
sfa/methods/Describe.py
sfa/methods/ListResources.py
sfa/methods/PerformOperationalAction.py
sfa/methods/Provision.py
sfa/methods/Renew.py
sfa/methods/Shutdown.py
sfa/methods/Status.py
sfa/trust/auth.py
sfa/trust/speaksfor_util.py

index c55769d..055b4fc 100644 (file)
@@ -39,7 +39,7 @@ class Allocate(Method):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrn.get_hrn(), self.name))
 
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrn.get_hrn(), options=options)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrn.get_hrn(), options=options)
         the_credential = Credential(cred=valid_creds[0])
 
         # use the expiration from the first valid credential to determine when 
index eed8a39..593de28 100644 (file)
@@ -24,10 +24,9 @@ class Delete(Method):
     returns = Parameter(int, "1 if successful")
     
     def call(self, xrns, creds, options):
-        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
-        valid_creds = self.api.auth.checkCredentials(creds, 'deletesliver', xrns,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      speaking_for_hrn=speaking_for)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'deletesliver', xrns,
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options)
 
         #log the call
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
index ec60489..018f803 100644 (file)
@@ -36,10 +36,9 @@ class Describe(Method):
                 options['geni_rspec_version'] = options['rspec_version']
             else:
                 raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
-        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
-        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', urns, \
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      speaking_for_hrn=speaking_for)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'listnodes', urns, 
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options)
 
         # get hrn of the original caller 
         origin_hrn = options.get('origin_hrn', None)
index e7f1631..33777fd 100644 (file)
@@ -34,7 +34,7 @@ class ListResources(Method):
                 raise SfaInvalidArgument('Must specify an rspec version option. geni_rspec_version cannot be null')
 
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'listnodes', options=options)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'listnodes', options=options)
 
         # get hrn of the original caller 
         origin_hrn = options.get('origin_hrn', None)
index a263514..41bf58f 100644 (file)
@@ -34,9 +34,9 @@ class PerformOperationalAction(Method):
         (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
         
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      speaking_for_hrn=speaking_for) 
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrns,
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options) 
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
         result = self.api.manager.PerformOperationalAction(self.api, xrns, creds, action, options)
index 578f6d2..7177854 100644 (file)
@@ -31,12 +31,10 @@ class Provision(Method):
     def call(self, xrns, creds, options):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
 
-        (speaking_for, _) = urn_to_hrn(options.get('geni_speaking_for'))
-        
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'createsliver', xrns,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      options=options) 
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'createsliver', xrns,
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options)
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrns, self.name))
         result = self.api.manager.Provision(self.api, xrns, creds, options)
index 5aef457..ee76dc8 100644 (file)
@@ -33,9 +33,9 @@ class Renew(Method):
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tcaller-creds: %s\tmethod-name: %s"%(self.api.interface, urns, creds, self.name))
 
         # Find the valid credentials
-        valid_creds = self.api.auth.checkCredentials(creds, 'renewsliver', urns,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      options=options)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'renewsliver', urns,
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options)
 
         # Validate that the time does not go beyond the credential's expiration time
         requested_time = utcparse(expiration_time)
index 3eee878..f6f1841 100644 (file)
@@ -20,7 +20,7 @@ class Shutdown(Method):
     def call(self, xrn, creds):
 
         valid_creds = self.api.auth.checkCredentials(creds, 'stopslice', xrn,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials)
+                                                     check_sliver_callback = self.api.driver.check_sliver_credentials)
         #log the call
         origin_hrn = Credential(cred=valid_creds[0]).get_gid_caller().get_hrn()
         self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, xrn, self.name))
index 76e967d..68d928e 100644 (file)
@@ -19,9 +19,9 @@ class Status(Method):
     returns = Parameter(dict, "Status details")
 
     def call(self, xrns, creds, options):
-        valid_creds = self.api.auth.checkCredentials(creds, 'sliverstatus', xrns,
-                      check_sliver_callback = self.api.driver.check_sliver_credentials,
-                      options=options)
+        valid_creds = self.api.auth.checkCredentialsSpeaksFor(creds, 'sliverstatus', xrns,
+                                                              check_sliver_callback = self.api.driver.check_sliver_credentials,
+                                                              options=options)
 
         self.api.logger.info("interface: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, xrns, self.name))
         return self.api.manager.Status(self.api, xrns, creds, options)
index 5ff6ba6..0b9f081 100644 (file)
@@ -36,10 +36,24 @@ class Auth:
         self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
         self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
+    # this convenience methods extracts speaking_for_xrn from the passed options using 'geni_speaking_for'
+    def checkCredentialsSpeaksFor (self, *args, **kwds):
+        if 'options' not in kwds:
+            logger.error ("checkCredentialsSpeaksFor was not passed options=options")
+            return
+        # remove the options arg
+        options=kwds['options']; del kwds['options']
+        # compute the speaking_for_xrn arg and pass it to checkCredentials
+        if options is None: speaking_for_xrn=None
+        else:               speaking_for_xrn=options.get('geni_speaking_for',None)
+        kwds['speaking_for_xrn']=speaking_for_xrn
+        return self.checkCredentials (*args, **kwds)
+
     # do not use mutable as default argument 
     # http://docs.python-guide.org/en/latest/writing/gotchas/#mutable-default-arguments
     def checkCredentials(self, creds, operation, xrns=None, 
-                         check_sliver_callback=None, options=None):
+                         check_sliver_callback=None, 
+                         speaking_for_xrn=None):
         if xrns is None: xrns=[]
         def log_invalid_cred(cred):
             cred_obj=Credential(string=cred)
@@ -72,10 +86,8 @@ class Auth:
         if not hrns: hrns = [None]
         error=[None,None]
 
-        # if speaks for gid matches caller cert then we've found a valid
-        # speaks for credential
-        speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
-                                              options, self.trusted_cert_list)
+        speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert,
+                                              speaking_for_xrn, self.trusted_cert_list)
 
         if self.peer_cert and \
            not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
index ad2e97f..5a5fd44 100644 (file)
@@ -229,10 +229,9 @@ def verify_speaks_for(cred, tool_gid, speaking_for_urn,
 # trusted_roots is a list of Certificate objects from the system
 #   trusted_root directory
 # Optionally, provide an XML schema against which to validate the credential
-def determine_speaks_for(logger, credentials, caller_gid, options,
-                         trusted_roots, schema=None):
-    if options and 'geni_speaking_for' in options:
-        speaking_for_urn = options['geni_speaking_for'].strip()
+def determine_speaks_for(logger, credentials, caller_gid, speaking_for_xrn, trusted_roots, schema=None):
+    if speaking_for_xrn:
+        speaking_for_urn = Xrn (speaking_for_xrn.strip()).get_urn()
         for cred in credentials:
             # Skip things that aren't ABAC credentials
             if type(cred) == dict: