1 from geni.util.faults import *
2 from geni.util.excep import *
3 from geni.util.method import Method
4 from geni.util.parameter import Parameter, Mixed
5 from geni.util.auth import Auth
6 from geni.util.record import GeniRecord
7 from geni.util.credential import *
8 from geni.util.rights import *
9 from geni.util.debug import log
11 class get_credential(Method):
13 Retrive a credential for an object
14 If cred == Nonee then the behavior reverts to get_self_credential
16 @param cred credential object specifying rights of the caller
17 @param type type of object (user | slice | sa | ma | node)
18 @param hrn human readable name of object
20 @return the string representation of a credential object
23 interfaces = ['registry']
26 Mixed(Parameter(str, "credential"),
27 Parameter(None, "No credential")),
28 Parameter(str, "Human readable name (hrn)")
31 returns = [GeniRecord]
33 def call(self, cred, type, hrn):
35 return self.get_self_credential(type, hrn)
37 self.api.auth.check(cred, 'getcredential')
39 self.api.auth.verify_object_belongs_to_me(name)
41 auth_hrn = self.api.auth.get_authority(hrn)
44 auth_info = self.api.auth.get_auth_info(auth_hrn)
46 table = self.api.auth.get_auth_table(auth_hrn)
47 records = table.resolve('*', auth_hrn)
49 # verify_cancreate_credential requires that the member lists
50 # (researchers, pis, etc) be filled in
51 self.api.fill_record_info(record)
53 self.api.auth.verify_cancreate_credential(self.client_cred, record)
55 # TODO: Check permission that self.client_cred can access the object
57 object_gid = record.get_gid_object()
58 new_cred = Credential(subject = object_gid.get_subject())
59 new_cred.set_gid_caller(self.client_gid)
60 new_cred.set_gid_object(object_gid)
61 new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
62 new_cred.set_pubkey(object_gid.get_pubkey())
64 rl = determine_rights(type, name)
65 new_cred.set_privileges(rl)
67 # determine the type of credential that we want to use as a parent for
70 if (type == "ma") or (type == "node"):
71 auth_kind = "authority,ma"
72 else: # user, slice, sa
73 auth_kind = "authority,sa"
75 new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
80 return new_cred.save_to_string(save_parents=True)
82 def get_self_credential(self, type, hrn):
84 get_self_credential a degenerate version of get_credential used by a client
85 to get his initial credential when de doesnt have one. This is the same as
86 get_credetial(..., cred = None, ...)
88 The registry ensures that the client is the principal that is named by
89 (type, name) by comparing the public key in the record's GID to the
90 private key used to encrypt the client side of the HTTPS connection. Thus
91 it is impossible for one principal to retrive another principal's
92 credential without having the appropriate private key.
94 @param type type of object (user | slice | sa | ma | node)
95 @param hrn human readable name of authority to list
96 @return string representation of a credential object
98 self.api.auth.verify_object_belongs_to_me(hrn)
100 auth_hrn = self.api.auth.get_authority(hrn)
103 auth_info = self.api.auth.get_auth_info(auth_hrn)
105 # find a record that matches
107 table = self.api.auth.get_auth_table(auth_hrn)
108 records = table.resolve('*', hrn)
110 if type in ['*'] or rec.get_type() in [type]:
112 gid = record.get_gid_object()
113 peer_cert = self.api.auth.peer_cert
114 if not peer_cert.is_pubkey(gid.get_pubkey()):
115 raise ConnectionKeyGIDMismatch(gid.get_subject())
117 # create the credential
118 gid = record.get_gid_object()
119 cred = Credential(subject = gid.get_subject())
120 cred.set_gid_caller(gid)
121 cred.set_gid_object(gid)
122 cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
123 cred.set_pubkey(gid.get_pubkey())
125 rl = determine_rights(type, hrn)
126 cred.set_privileges(rl)
128 # determine the type of credential that we want to use as a parent for
131 if (type == "ma") or (type == "node"):
132 auth_kind = "authority,ma"
133 else: # user, slice, sa
134 auth_kind = "authority,sa"
136 cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
141 return cred.save_to_string(save_parents=True)