2 from sfa.util.faults import RecordNotFound, ConnectionKeyGIDMismatch
3 from sfa.util.xrn import urn_to_hrn
4 from sfa.util.method import Method
6 from sfa.trust.certificate import Certificate
8 from sfa.storage.parameter import Parameter, Mixed
10 class GetSelfCredential(Method):
12 Retrive a credential for an object
13 @param cert certificate string
14 @param type type of object (user | slice | sa | ma | node)
15 @param hrn human readable name of object (hrn or urn)
17 @return the string representation of a credential object
20 interfaces = ['registry']
23 Parameter(str, "certificate"),
24 Parameter(str, "Human readable name (hrn or urn)"),
25 Mixed(Parameter(str, "Record type"),
26 Parameter(None, "Type not specified")),
29 returns = Parameter(str, "String representation of a credential object")
31 def call(self, cert, xrn, type):
33 GetSelfCredential a degenerate version of GetCredential used by a client
34 to get his initial credential when de doesnt have one. This is the same as
35 GetCredential(..., cred = None, ...)
37 The registry ensures that the client is the principal that is named by
38 (type, name) by comparing the public key in the record's GID to the
39 private key used to encrypt the client side of the HTTPS connection. Thus
40 it is impossible for one principal to retrieve another principal's
41 credential without having the appropriate private key.
43 @param type type of object (user | slice | sa | ma | node)
44 @param hrn human readable name of authority to list
45 @return string representation of a credential object
48 hrn = urn_to_hrn(xrn)[0]
50 hrn, type = urn_to_hrn(xrn)
51 self.api.auth.verify_object_belongs_to_me(hrn)
53 origin_hrn = Certificate(string=cert).get_subject()
54 self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
57 ### authenticate the gid
58 # import here so we can load this module at build-time for sfa2wsdl
59 #from sfa.storage.alchemy import dbsession
60 from sfa.storage.model import RegRecord
62 # xxx-local - the current code runs Resolve, which would forward to
63 # another registry if needed
64 # I wonder if this is truly the intention, or shouldn't we instead
65 # only look in the local db ?
66 records = self.api.manager.Resolve(self.api, xrn, type)
68 raise RecordNotFound(hrn)
70 record_obj = RegRecord (dict=records[0])
71 # xxx-local the local-only version would read
72 #record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
73 #if not record_obj: raise RecordNotFound(hrn)
74 gid = record_obj.get_gid_object()
75 gid_str = gid.save_to_string(save_parents=True)
76 self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
77 # authenticate the certificate against the gid in the db
78 certificate = Certificate(string=cert)
79 if not certificate.is_pubkey(gid.get_pubkey()):
80 for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
81 self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
82 self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
83 if hasattr (obj,'filename'):
84 self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
85 raise ConnectionKeyGIDMismatch(gid.get_subject())
87 return self.api.manager.GetCredential(self.api, xrn, type, is_self=True)