本文整理匯總了Python中sfa.trust.credential.Credential.get_gid_object方法的典型用法代碼示例。如果您正苦於以下問題:Python Credential.get_gid_object方法的具體用法?Python Credential.get_gid_object怎麽用?Python Credential.get_gid_object使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在類sfa.trust.credential.Credential的用法示例。
在下文中一共展示了Credential.get_gid_object方法的4個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: delegate_credential_string
# 需要導入模塊: from sfa.trust.credential import Credential [as 別名]
# 或者: from sfa.trust.credential.Credential import get_gid_object [as 別名]
def delegate_credential_string (self, original_credential, to_hrn, to_type='authority'):
"""
sign a delegation credential to someone else
original_credential : typically one's user- or slice- credential to be delegated to s/b else
to_hrn : the hrn of the person that will be allowed to do stuff on our behalf
to_type : goes with to_hrn, usually 'user' or 'authority'
returns a string with the delegated credential
this internally uses self.my_gid()
it also retrieves the gid for to_hrn/to_type
and uses Credential.delegate()"""
# the gid and hrn of the object we are delegating
if isinstance (original_credential, str):
original_credential = Credential (string=original_credential)
original_gid = original_credential.get_gid_object()
original_hrn = original_gid.get_hrn()
if not original_credential.get_privileges().get_all_delegate():
self.logger.error("delegate_credential_string: original credential %s does not have delegate bit set"%original_hrn)
return
# the delegating user's gid
my_gid = self.my_gid()
# retrieve the GID for the entity that we're delegating to
to_gidfile = self.gid (to_hrn,to_type)
# to_gid = GID ( to_gidfile )
# to_hrn = delegee_gid.get_hrn()
# print 'to_hrn',to_hrn
delegated_credential = original_credential.delegate(to_gidfile, self.private_key(), my_gid)
return delegated_credential.save_to_string(save_parents=True)示例2: delegate_cred
# 需要導入模塊: from sfa.trust.credential import Credential [as 別名]
# 或者: from sfa.trust.credential.Credential import get_gid_object [as 別名]
def delegate_cred(self, object_cred, hrn):
# the gid and hrn of the object we are delegating
if isinstance(object_cred, str):
object_cred = Credential(string=object_cred)
object_gid = object_cred.get_gid_object()
object_hrn = object_gid.get_hrn()
if not object_cred.get_privileges().get_all_delegate():
self.logger.error("Object credential %s does not have delegate bit set"%object_hrn)
return
# the delegating user's gid
caller_gid = self._get_gid(self.user)
caller_gidfile = os.path.join(self.options.sfi_dir, self.user + ".gid")
# the gid of the user who will be delegated to
delegee_gid = self._get_gid(hrn)
delegee_hrn = delegee_gid.get_hrn()
delegee_gidfile = os.path.join(self.options.sfi_dir, delegee_hrn + ".gid")
delegee_gid.save_to_file(filename=delegee_gidfile)
dcred = object_cred.delegate(delegee_gidfile, self.get_key_file(), caller_gidfile)
return dcred.save_to_string(save_parents=True)示例3: delegate
# 需要導入模塊: from sfa.trust.credential import Credential [as 別名]
# 或者: from sfa.trust.credential.Credential import get_gid_object [as 別名]
def delegate(self, opts, args):
delegee_hrn = args[0]
if opts.delegate_user:
user_cred = self.get_user_cred()
cred = self.delegate_cred(user_cred, delegee_hrn)
elif opts.delegate_slice:
slice_cred = self.get_slice_cred(opts.delegate_slice)
cred = self.delegate_cred(slice_cred, delegee_hrn)
else:
self.logger.warning("Must specify either --user or --slice <hrn>")
return
delegated_cred = Credential(string=cred)
object_hrn = delegated_cred.get_gid_object().get_hrn()
if opts.delegate_user:
dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_"
+ get_leaf(object_hrn) + ".cred")
elif opts.delegate_slice:
dest_fn = os.path.join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_slice_"
+ get_leaf(object_hrn) + ".cred")
delegated_cred.save_to_file(dest_fn, save_parents=True)
self.logger.info("delegated credential for %s to %s and wrote to %s"%(object_hrn, delegee_hrn,dest_fn))示例4: __init__
# 需要導入模塊: from sfa.trust.credential import Credential [as 別名]
# 或者: from sfa.trust.credential.Credential import get_gid_object [as 別名]
class Auth:
"""
Credential based authentication
"""
def __init__(self, peer_cert = None, config = None ):
self.peer_cert = peer_cert
self.hierarchy = Hierarchy()
if not config:
self.config = Config()
self.load_trusted_certs()
def load_trusted_certs(self):
self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
def checkCredentials(self, creds, operation, hrn = None):
valid = []
if not isinstance(creds, list):
creds = [creds]
logger.debug("Auth.checkCredentials with %d creds"%len(creds))
for cred in creds:
try:
self.check(cred, operation, hrn)
valid.append(cred)
except:
cred_obj=Credential(string=cred)
logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
error = sys.exc_info()[:2]
continue
if not len(valid):
raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
return valid
def check(self, cred, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
HTTPS connection, check if the credential was signed by a
trusted cert and check if the credential is allowed to perform
the specified operation.
"""
self.client_cred = Credential(string = cred)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
# validate the client cert if it exists
if self.peer_cert:
self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
if operation:
if not self.client_cred.can_perform(operation):
raise InsufficientRights(operation)
if self.trusted_cert_list:
self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
# Make sure the credential's target matches the specified hrn.
# This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
(target_hrn, hrn) )
return True
def check_ticket(self, ticket):
"""
Check if the tickt was signed by a trusted cert
"""
if self.trusted_cert_list:
client_ticket = SfaTicket(string=ticket)
client_ticket.verify_chain(self.trusted_cert_list)
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
return True
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert.is_pubkey(gid.get_pubkey()):
raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject())
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
if not key.verify_string(str(arglist), hash):
raise BadRequestHash(hash)
#.........這裏部分代碼省略.........