merge with geni_api branch
Tony Mack [Thu, 3 Jun 2010 20:12:08 +0000 (20:12 +0000)]
Makefile
TODO
config/default_config.xml
config/geni_aggregates.xml [new file with mode: 0644]
sfa.spec
tests/testCred.py
tests/testGid.py
xmlbuilder-0.9/xmlbuilder.egg-info/PKG-INFO
xmlbuilder-0.9/xmlbuilder.egg-info/SOURCES.txt

index 3d3fc9a..7932172 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -7,10 +7,12 @@ DESTDIR="/"
 ##########
 all: keyconvert python wsdl
 
-install: keyconvert-install python-install wsdl-install xmlbuilder-install
+install: keyconvert-install python-install wsdl-install xmlbuilder-install 
 
 clean: keyconvert-clean python-clean wsdl-clean
 
+uninstall: python-uninstall
+
 .PHONY: all install clean 
 
 ##########
@@ -30,9 +32,9 @@ python:
 
 xmlbuilder-install:
        cd xmlbuilder-0.9 && python setup.py install --root=$(DESTDIR) && cd -
-
 python-install:
-       python setup.py install --root=$(DESTDIR)
+       python setup.py install --root=$(DESTDIR)       
        chmod 444 $(DESTDIR)/etc/sfa/default_config.xml
 
 python-clean:
diff --git a/TODO b/TODO
index 7f442ee..96b2c72 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1,41 +1,49 @@
-- test rpms: build/install
+- Tag
+* test rpm build/install
+
+- Trunk
+* use PLC shell instead of xmlrpc when communicating with local plc aggregate
+
+- Client
+  * update getNodes to use lxml.etree for parsing the rspec
 
 - Stop invalid users
 * a recently disabled/deleted user may still have a valid cred. Keep a list of valid/invalid users on the aggregate and check callers against this list
 
 - Component manager
+  * GetGids - make this work for peer slices
   * GetTicket - must verify_{site,slice,person,keys} on remote aggregate 
   * Redeem ticket - RedeemTicket/AdminTicket not working. Why?
   * install the slice and node gid when the slice is created (create NM plugin to execute sfa_component_setup.py ?) 
 
-- Protogeni
-* agree on standard set of functon calls
-* agree on standard set of privs
-* on permission error, return priv needed to make call
-* cache slice resource states (if aggregate goes down, how do we know what
-  slices were on it and recreate them? do we make some sort of transaction log)   
-
 - Registry
-* sign peer gids 
-* update call should attempt to push updates to federated peers if 
-  the peer has a record for an object that is updated locally  
-* api.update_membership() shoudl behave more like resolve when looking up records (attempt to resolve records at federated registeries) instead of only looking in the local registry
 * move db tables into db with less overhead (tokyocabinet?)
-* make resolve, fill_record_info more fault tolerent. Skip records with failures
 
-- Auth Service
+- GUI/Auth Service
   * develop a simple service where users auth using username/passord and 
     receive their cred
   * service manages users key/cert,creds
-  
-- GUI
-  * requires user's cred (depends on Auth Service above)
+  * gui requires user's cred (depends on Auth Service above)
       
 -  SM call routing
 * sfi -a option should send request to sm with an extra argument to 
   specify which am to contact instead of connecting directly to the am 
   (am may not trust client directly)
 
+- Protogeni
+* merger josh's branch with trunk
+* agree on standard set of functon calls
+* agree on standard set of privs
+* on permission error, return priv needed to make call
+* cache slice resource states (if aggregate goes down, how do we know what
+  slices were on it and recreate them? do we make some sort of transaction log)
+
+
+Questions
+=========
+- SM/Aggregate
+* should the rspec contain only the resources a slice is using or all resources availa and mark what the slice is using.
+
 -  Initscripts on sfa / geniwrapper
 * should sfa have native initscript support or should we piggyback off of myplc?
 * should this be in the rspec
index d40fd6d..37cd6cc 100644 (file)
@@ -121,6 +121,42 @@ $URL$
       </variablelist>
 
     </category>
+    <!-- ======================================== -->
+    <category id="sfa_geni_aggregate">
+      <name>GENI Aggregate</name>
+      <description>The settings that affect the geni aggregate manager that will run
+      as part of this SFA instance.</description>
+
+      <variablelist>
+       <variable id="enabled" type="boolean">
+         <name>Enable GENI Aggregate</name>
+         <value>true</value>
+         <description>Allows this local SFA instance to run as an
+         GENI aggregate manager.</description>
+       </variable>
+
+       <variable id="type" type="string">
+         <name>GENI Aggregate type</name>
+         <value>pl</value>
+         <description>The type of backend server for this
+         aggregate. Some aggregates may not be myplc.</description>
+       </variable>
+
+       <variable id="host" type="hostname">
+         <name>Hostname</name>
+         <value>localhost</value>
+         <description>The hostname where the aggregate is expected to
+         be found.</description>
+       </variable>
+
+       <variable id="port" type="int">
+         <name>Port number</name>
+         <value>12348</value>
+         <description>The port where the aggregate is to be found.</description>
+       </variable>
+      </variablelist>
+
+    </category>
 
     <!-- ======================================== -->
     <category id="sfa_sm">
diff --git a/config/geni_aggregates.xml b/config/geni_aggregates.xml
new file mode 100644 (file)
index 0000000..4630736
--- /dev/null
@@ -0,0 +1,3 @@
+<aggregates>
+       <aggregate addr="" hrn="" port=""/>
+</aggregates>
index 88e7883..00cf3ec 100644 (file)
--- a/sfa.spec
+++ b/sfa.spec
@@ -155,14 +155,17 @@ chkconfig --add sfa
 %post cm
 chkconfig --add sfa-cm
 %changelog
-* Thu Apr 08 2010 Tony Mack <tmack@cs.princeton.edu> - sfa-0.9-11
+* Thu May 11 2010 Tony Mack <tmack@cs.princeton.edu> - sfa-0.9-11
 - SfaServer now uses a pool of threads to handle requests concurrently
 - sfa.util.rspec no longer used to process/manage rspecs (deprecated). This is now handled by sfa.plc.network and is not backwards compatible
 - PIs can now get a slice credential for any slice at their site without having to be a member of the slice
 - Registry records for federated peers (defined in registries.xml, aggregates.xml) updated when sfa service is started
 - Interfaces will try to fetch and install gids from peers listed in registries.xml/aggregates.xml if gid is not found in /etc/sfa/trusted_roots dir   
 - Component manager does not install gid files if slice already has them  
+- Server automatically fetches and installs peer certificats (defined in registries/aggregates.xml) when service is restarted.
+- fix credential verification exploit (verify that the trusted signer is a parent of the object it it signed)
+- made it easier for root authorities to sign their sub's certifiacate using the sfa-ca.py (sfa/server/sfa-ca.py) tool
+     
 * Thu Jan 21 2010 anil vengalil <avengali@sophia.inria.fr> - sfa-0.9-10
 - This tag is quite same as the previous one (sfa-0.9-9) except that the vini and max aggregate managers are also updated for urn support.  Other features are:
 - - sfa-config-tty now has the same features like plc-config-tty
index 68c9b74..32fac4a 100755 (executable)
@@ -2,6 +2,7 @@ import unittest
 from sfa.trust.credential import *
 from sfa.trust.rights import *
 from sfa.trust.gid import *
+from sfa.trust.certificate import *
 
 class TestCred(unittest.TestCase):
    def setUp(self):
@@ -23,7 +24,7 @@ class TestCred(unittest.TestCase):
       gidObject = GID(subject="object", uuid=create_uuid(), hrn="foo.object")
       lifeTime = 12345
       delegate = True
-      rights = "embed,bind"
+      rights = "embed:1,bind:1"
 
       cred.set_gid_caller(gidCaller)
       self.assertEqual(cred.get_gid_caller().get_subject(), gidCaller.get_subject())
@@ -32,26 +33,141 @@ class TestCred(unittest.TestCase):
       self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject())
 
       cred.set_lifetime(lifeTime)
-      self.assertEqual(cred.get_lifetime(), lifeTime)
-
-      cred.set_delegate(delegate)
-      self.assertEqual(cred.get_delegate(), delegate)
-
+      
       cred.set_privileges(rights)
       self.assertEqual(cred.get_privileges().save_to_string(), rights)
 
+      cred.get_privileges().delegate_all_privileges(delegate)
+
       cred.encode()
 
       cred_str = cred.save_to_string()
 
-      # re-load the credential from a string and make sure it's fields are
+      # re-load the credential from a string and make sure its fields are
       # intact
       cred2 = Credential(string = cred_str)
       self.assertEqual(cred2.get_gid_caller().get_subject(), gidCaller.get_subject())
       self.assertEqual(cred2.get_gid_object().get_subject(), gidObject.get_subject())
-      self.assertEqual(cred2.get_lifetime(), lifeTime)
-      self.assertEqual(cred2.get_delegate(), delegate)
+      self.assertEqual(cred2.get_privileges().get_all_delegate(), delegate)
       self.assertEqual(cred2.get_privileges().save_to_string(), rights)
 
+
+
+   def createSignedGID(self, subject, urn, issuer_pkey = None, issuer_gid = None):
+      gid = GID(subject=subject, uuid=1, urn=urn)
+      keys = Keypair(create=True)
+      gid.set_pubkey(keys)
+      if issuer_pkey:
+         gid.set_issuer(issuer_pkey, str(issuer_gid.get_issuer()))
+      else:
+         gid.set_issuer(keys, subject)
+
+      gid.encode()
+      gid.sign()
+      return gid, keys
+
+   
+   
+
+   def testDelegationAndVerification(self):
+      gidAuthority, keys = self.createSignedGID("site", "urn:publicid:IDN+plc+authority+site")
+      gidCaller, ckeys = self.createSignedGID("site.foo", "urn:publicid:IDN+plc:site+user+foo",
+                                          keys, gidAuthority)
+      gidObject, _ = self.createSignedGID("site.slice", "urn:publicid:IDN+plc:site+slice+bar_slice",
+                                          keys, gidAuthority)
+      gidDelegatee, _ = self.createSignedGID("site.delegatee", "urn:publicid:IDN+plc:site+user+delegatee",
+                                             keys, gidAuthority)
+
+      cred = Credential()
+      cred.set_gid_caller(gidCaller)
+      cred.set_gid_object(gidObject)
+      cred.set_lifetime(3600)
+      cred.set_privileges("embed:1, bind:1")
+      cred.encode()
+
+      gidAuthority.save_to_file("/tmp/auth_gid")
+      keys.save_to_file("/tmp/auth_key")
+      cred.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
+      cred.sign()
+
+
+      cred.verify(['/tmp/auth_gid'])
+
+      # Test copying
+      cred2 = Credential(string=cred.save_to_string())
+      cred2.verify(['/tmp/auth_gid'])
+
+
+      # Test delegation
+      delegated = Credential()
+      delegated.set_gid_caller(gidDelegatee)
+      delegated.set_gid_object(gidObject)      
+      delegated.set_parent(cred)
+      delegated.set_lifetime(600)
+      delegated.set_privileges("embed:1, bind:1")
+      gidCaller.save_to_file("/tmp/caller_gid")
+      ckeys.save_to_file("/tmp/caller_pkey")      
+      
+      delegated.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
+
+      delegated.encode()
+
+      delegated.sign()
+      
+      # This should verify
+      delegated.verify(['/tmp/auth_gid'])
+
+      backup = Credential(string=delegated.get_xml())
+
+      # Test that verify catches an incorrect lifetime      
+      delegated.set_lifetime(6000)
+      delegated.encode()
+      delegated.sign()
+      try:
+         delegated.verify(['/tmp/auth_gid'])
+         assert(1==0)
+      except CredentialNotVerifiable:
+         pass
+
+      # Test that verify catches an incorrect signer
+      delegated = Credential(string=backup.get_xml())
+      delegated.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
+      delegated.encode()
+      delegated.sign()
+
+      try:
+         delegated.verify(['/tmp/auth_gid'])
+         assert(1==0)
+      except CredentialNotVerifiable:
+         pass
+
+
+      # Test that verify catches a changed gid
+      delegated = Credential(string=backup.get_xml())
+      delegated.set_gid_object(delegated.get_gid_caller())
+      delegated.encode()
+      delegated.sign()
+
+      try:
+         delegated.verify(['/tmp/auth_gid'])
+         assert(1==0)
+      except CredentialNotVerifiable:
+         pass
+
+
+      # Test that verify catches a credential with the wrong authority for the object
+      test = Credential(string=cred.get_xml())
+      test.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
+      test.encode()
+      test.sign()
+
+      try:
+         test.verify(['/tmp/auth_gid'])
+         assert(1==0)
+      except CredentialNotVerifiable:
+         pass      
+      
+      # Test that * gets translated properly
+
 if __name__ == "__main__":
     unittest.main()
index 33406f5..85f9240 100755 (executable)
@@ -16,14 +16,14 @@ class TestGid(unittest.TestCase):
 
    def testSetGetUuid(self):
       gid = GID(subject="test")
-      u = create_uuid()
+      u = uuid.uuid4().int
 
       gid.set_uuid(u)
       self.assertEqual(gid.get_uuid(), u)
 
    def testEncodeDecode(self):
       gid = GID(subject="test")
-      u = str(uuid.uuid4().int)
+      u = uuid.uuid4().int
       hrn = "test.hrn"
 
       gid.set_uuid(u)
@@ -38,7 +38,7 @@ class TestGid(unittest.TestCase):
    def testSaveAndLoadString(self):
       gid = GID(subject="test")
 
-      u = str(uuid.uuid4().int)
+      u = uuid.uuid4().int
       hrn = "test.hrn"
 
       gid.set_uuid(u)
index d931c15..bb65a9d 100644 (file)
@@ -1,80 +1,80 @@
-Metadata-Version: 1.0\r
-Name: xmlbuilder\r
-Version: 0.9\r
-Summary: Pythonic way to create xml files\r
-Home-page: http://pypi.python.org/pypi/xmlbuilder\r
-Author: koder\r
-Author-email: koder_dot_mail@gmail_dot_com\r
-License: MIT\r
-Download-URL: http://pypi.python.org/pypi/xmlbuilder\r
-Description: Example of usage:\r
-        -----------------\r
-        \r
-        \r
-        from __future__ import with_statement\r
-        from xmlbuilder import XMLBuilder\r
-        x = XMLBuilder(format=True)\r
-        with x.root(a = 1):\r
-        with x.data:\r
-        [x &lt;&lt; ('node',{'val':i}) for i in range(10)]\r
-        \r
-        print str(x)\r
-        \r
-        will print\r
-        \r
-        &lt;root a="1"&gt;\r
-        &lt;data&gt;\r
-        &lt;node val="0" /&gt;\r
-        &lt;node val="1" /&gt;\r
-        &lt;node val="2" /&gt;\r
-        &lt;node val="3" /&gt;\r
-        &lt;node val="4" /&gt;\r
-        &lt;node val="5" /&gt;\r
-        &lt;node val="6" /&gt;\r
-        &lt;node val="7" /&gt;\r
-        &lt;node val="8" /&gt;\r
-        &lt;node val="9" /&gt;\r
-        &lt;/data&gt;\r
-        &lt;/root&gt;\r
-        \r
-        Mercurial repo:http://hg.assembla.com/MyPackages/\r
-        \r
-        Documentations\r
-        --------------\r
-        `XMLBuilder` is simple library build on top of `ElementTree.TreeBuilder` to\r
-        simplify xml files creation as much as possible. Althow it can produce\r
-        structured result with identated child tags. `XMLBuilder` use python `with`\r
-        statement to define xml tag levels and `&lt;&lt;` operator for simple cases -\r
-        text and tag without childs.\r
-        \r
-        First we need to create xmlbuilder\r
-        \r
-        from xmlbuilder import XMLBuilder\r
-        # params - encoding = 'utf8',\r
-        # builder = None, - ElementTree.TreeBuilder\r
-        # tab_level = None, - current tab l;evel - for formatted output only\r
-        # format = False, - create formatted output\r
-        # tab_step = " " * 4 - indentation step\r
-        xml = XMLBuilder()\r
-        \r
-        \r
-        Use `with` statement to make document structure\r
-        #create and open tag 'root_tag' with text 'text' and attributes\r
-        with xml.root_tag(text,attr1=val1,attr2=val2):\r
-        #create and open tag 'sub_tag'\r
-        with xml.sub_tag(text,attr3=val3):\r
-        #create tag which are not valid python identificator\r
-        with xml('one-more-sub-tag',attr7=val37):\r
-        xml &lt;&lt; "Some textual data"\r
-        #here tag 'one-more-sub-tag' are closed\r
-        #Tags without children can be created using `&lt;&lt;` operator\r
-        for val in range(15):\r
-        xml &lt;&lt; ('message',"python rocks!"[:i])\r
-        #create 15 child tag like &lt;message&gt; python r&lt;/message&gt;\r
-        #all tags closed\r
-        node = ~x # get etree.ElementTree object\r
-        xml_data = str(x)\r
-        unicode_xml_data = unicode(x)\r
-        \r
-Keywords: xml\r
-Platform: UNKNOWN\r
+Metadata-Version: 1.0
+Name: xmlbuilder
+Version: 0.9
+Summary: Pythonic way to create xml files
+Home-page: http://pypi.python.org/pypi/xmlbuilder
+Author: koder
+Author-email: koder_dot_mail@gmail_dot_com
+License: MIT
+Download-URL: http://pypi.python.org/pypi/xmlbuilder
+Description: Example of usage:
+        -----------------
+        
+        
+        from __future__ import with_statement
+        from xmlbuilder import XMLBuilder
+        x = XMLBuilder(format=True)
+        with x.root(a = 1):
+        with x.data:
+        [x &lt;&lt; ('node',{'val':i}) for i in range(10)]
+        
+        print str(x)
+        
+        will print
+        
+        &lt;root a="1"&gt;
+        &lt;data&gt;
+        &lt;node val="0" /&gt;
+        &lt;node val="1" /&gt;
+        &lt;node val="2" /&gt;
+        &lt;node val="3" /&gt;
+        &lt;node val="4" /&gt;
+        &lt;node val="5" /&gt;
+        &lt;node val="6" /&gt;
+        &lt;node val="7" /&gt;
+        &lt;node val="8" /&gt;
+        &lt;node val="9" /&gt;
+        &lt;/data&gt;
+        &lt;/root&gt;
+        
+        Mercurial repo:http://hg.assembla.com/MyPackages/
+        
+        Documentations
+        --------------
+        `XMLBuilder` is simple library build on top of `ElementTree.TreeBuilder` to
+        simplify xml files creation as much as possible. Althow it can produce
+        structured result with identated child tags. `XMLBuilder` use python `with`
+        statement to define xml tag levels and `&lt;&lt;` operator for simple cases -
+        text and tag without childs.
+        
+        First we need to create xmlbuilder
+        
+        from xmlbuilder import XMLBuilder
+        # params - encoding = 'utf8',
+        # builder = None, - ElementTree.TreeBuilder
+        # tab_level = None, - current tab l;evel - for formatted output only
+        # format = False, - create formatted output
+        # tab_step = " " * 4 - indentation step
+        xml = XMLBuilder()
+        
+        
+        Use `with` statement to make document structure
+        #create and open tag 'root_tag' with text 'text' and attributes
+        with xml.root_tag(text,attr1=val1,attr2=val2):
+        #create and open tag 'sub_tag'
+        with xml.sub_tag(text,attr3=val3):
+        #create tag which are not valid python identificator
+        with xml('one-more-sub-tag',attr7=val37):
+        xml &lt;&lt; "Some textual data"
+        #here tag 'one-more-sub-tag' are closed
+        #Tags without children can be created using `&lt;&lt;` operator
+        for val in range(15):
+        xml &lt;&lt; ('message',"python rocks!"[:i])
+        #create 15 child tag like &lt;message&gt; python r&lt;/message&gt;
+        #all tags closed
+        node = ~x # get etree.ElementTree object
+        xml_data = str(x)
+        unicode_xml_data = unicode(x)
+        
+Keywords: xml
+Platform: UNKNOWN
index 57272a8..4cc27de 100644 (file)
@@ -1,6 +1,8 @@
 LICENSE
 MANIFEST.in
+PKG-INFO
 README.txt
+setup.cfg
 setup.py
 xmlbuilder/__init__.py
 xmlbuilder.egg-info/PKG-INFO