geni/methods/get_credential.py

   1 from geni.util.faults import *
   2 from geni.util.excep import *
   3 from geni.util.method import Method
   4 from geni.util.parameter import Parameter, Mixed
   5 from geni.util.auth import Auth
   6 from geni.util.record import GeniRecord
   7 from geni.util.credential import *
   8 from geni.util.rights import *
   9 from geni.util.debug import log
  10
  11 class get_credential(Method):
  12     """
  13     Retrive a credential for an object
  14     If cred == Nonee then the behavior reverts to get_self_credential
  15
  16     @param cred credential object specifying rights of the caller
  17     @param type type of object (user | slice | sa | ma | node)
  18     @param hrn human readable name of object
  19
  20     @return the string representation of a credential object
  21     """
  22
  23     interfaces = ['registry']
  24
  25     accepts = [
  26         Mixed(Parameter(str, "credential"),
  27               Parameter(None, "No credential")),
  28         Parameter(str, "Human readable name (hrn)")
  29         ]
  30
  31     returns = [GeniRecord]
  32
  33     def call(self, cred, type, hrn):
  34         if not cred:
  35             return self.get_self_credential(type, hrn)
  36
  37         self.api.auth.check(cred, 'getcredential')
  38
  39         self.api.auth.verify_object_belongs_to_me(name)
  40
  41         auth_hrn = self.api.auth.get_authority(hrn)
  42         if not auth_hrn:
  43             auth_hrn = hrn
  44         auth_info = self.api.auth.get_auth_info(auth_hrn)
  45         record = None
  46         table = self.api.auth.get_auth_table(auth_hrn)
  47         records = table.resolve('*', auth_hrn)
  48
  49         # verify_cancreate_credential requires that the member lists
  50         # (researchers, pis, etc) be filled in
  51         self.api.fill_record_info(record)
  52
  53         self.api.auth.verify_cancreate_credential(self.client_cred, record)
  54
  55         # TODO: Check permission that self.client_cred can access the object
  56
  57         object_gid = record.get_gid_object()
  58         new_cred = Credential(subject = object_gid.get_subject())
  59         new_cred.set_gid_caller(self.client_gid)
  60         new_cred.set_gid_object(object_gid)
  61         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
  62         new_cred.set_pubkey(object_gid.get_pubkey())
  63
  64         rl = determine_rights(type, name)
  65         new_cred.set_privileges(rl)
  66
  67         # determine the type of credential that we want to use as a parent for
  68         # this credential.
  69
  70         if (type == "ma") or (type == "node"):
  71             auth_kind = "authority,ma"
  72         else: # user, slice, sa
  73             auth_kind = "authority,sa"
  74
  75         new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  76
  77         new_cred.encode()
  78         new_cred.sign()
  79
  80         return new_cred.save_to_string(save_parents=True)
  81
  82     def get_self_credential(self, type, hrn):
  83         """
  84         get_self_credential a degenerate version of get_credential used by a client
  85         to get his initial credential when de doesnt have one. This is the same as
  86         get_credetial(..., cred = None, ...)
  87
  88         The registry ensures that the client is the principal that is named by
  89         (type, name) by comparing the public key in the record's  GID to the
  90         private key used to encrypt the client side of the HTTPS connection. Thus
  91         it is impossible for one principal to retrive another principal's
  92         credential without having the appropriate private key.
  93
  94         @param type type of object (user | slice | sa | ma | node)
  95         @param hrn human readable name of authority to list
  96         @return string representation of a credential object
  97         """
  98         self.api.auth.verify_object_belongs_to_me(hrn)
  99
 100         auth_hrn = self.api.auth.get_authority(hrn)
 101         if not auth_hrn:
 102             auth_hrn = hrn
 103         auth_info = self.api.auth.get_auth_info(auth_hrn)
 104
 105         # find a record that matches
 106         record = None
 107         table = self.api.auth.get_auth_table(auth_hrn)
 108         records = table.resolve('*', hrn)
 109         for rec in records:
 110             if type in ['*'] or rec.get_type() in [type]:
 111                 record = rec
 112         gid = record.get_gid_object()
 113         peer_cert = self.api.auth.peer_cert
 114         if not peer_cert.is_pubkey(gid.get_pubkey()):
 115            raise ConnectionKeyGIDMismatch(gid.get_subject())
 116
 117         # create the credential
 118         gid = record.get_gid_object()
 119         cred = Credential(subject = gid.get_subject())
 120         cred.set_gid_caller(gid)
 121         cred.set_gid_object(gid)
 122         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 123         cred.set_pubkey(gid.get_pubkey())
 124
 125         rl = determine_rights(type, hrn)
 126         cred.set_privileges(rl)
 127
 128         # determine the type of credential that we want to use as a parent for
 129         # this credential.
 130
 131         if (type == "ma") or (type == "node"):
 132             auth_kind = "authority,ma"
 133         else: # user, slice, sa
 134             auth_kind = "authority,sa"
 135
 136         cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 137
 138         cred.encode()
 139         cred.sign()
 140
 141         return cred.save_to_string(save_parents=True)