sfa/methods/get_credential.py

   1 ### $Id$
   2 ### $URL$
   3
   4 from sfa.trust.credential import *
   5 from sfa.trust.rights import *
   6 from sfa.util.faults import *
   7 from sfa.util.method import Method
   8 from sfa.util.parameter import Parameter, Mixed
   9 from sfa.trust.auth import Auth
  10 from sfa.trust.gid import GID
  11 from sfa.util.record import GeniRecord
  12 from sfa.util.genitable import *
  13 from sfa.util.debug import log
  14
  15 class get_credential(Method):
  16     """
  17     Retrive a credential for an object
  18     If cred == Nonee then the behavior reverts to get_self_credential
  19
  20     @param cred credential object specifying rights of the caller
  21     @param type type of object (user | slice | sa | ma | node)
  22     @param hrn human readable name of object
  23
  24     @return the string representation of a credential object
  25     """
  26
  27     interfaces = ['registry']
  28
  29     accepts = [
  30         Mixed(Parameter(str, "credential"),
  31               Parameter(None, "No credential")),
  32         Parameter(str, "Human readable name (hrn)")
  33         ]
  34
  35     returns = Parameter(str, "String representation of a credential object")
  36
  37     def call(self, cred, type, hrn):
  38         if not cred:
  39             return self.get_self_credential(type, hrn)
  40
  41         self.api.auth.check(cred, 'getcredential')
  42         self.api.auth.verify_object_belongs_to_me(hrn)
  43         auth_hrn = self.api.auth.get_authority(hrn)
  44
  45         # Is this a root or sub authority
  46         if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
  47             auth_hrn = hrn
  48         auth_info = self.api.auth.get_auth_info(auth_hrn)
  49         table = GeniTable()
  50         records = table.find({'type': type, 'hrn': hrn})
  51         if not records:
  52             raise RecordNotFound(hrn)
  53         record = records[0]
  54         # verify_cancreate_credential requires that the member lists
  55         # (researchers, pis, etc) be filled in
  56         self.api.fill_record_info(record)
  57
  58         rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
  59         if rights.is_empty():
  60             raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
  61
  62         # TODO: Check permission that self.client_cred can access the object
  63
  64         gid = record['gid']
  65         gid_object = GID(string=gid)
  66
  67         new_cred = Credential(subject = gid_object.get_subject())
  68         new_cred.set_gid_caller(self.api.auth.client_gid)
  69         new_cred.set_gid_object(gid_object)
  70         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
  71         new_cred.set_pubkey(gid_object.get_pubkey())
  72         new_cred.set_privileges(rights)
  73         new_cred.set_delegate(True)
  74
  75         auth_kind = "authority,ma,sa"
  76         new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  77
  78         new_cred.encode()
  79         new_cred.sign()
  80
  81         return new_cred.save_to_string(save_parents=True)
  82
  83     def get_self_credential(self, type, hrn):
  84         """
  85         get_self_credential a degenerate version of get_credential used by a client
  86         to get his initial credential when de doesnt have one. This is the same as
  87         get_credetial(..., cred = None, ...)
  88
  89         The registry ensures that the client is the principal that is named by
  90         (type, name) by comparing the public key in the record's  GID to the
  91         private key used to encrypt the client side of the HTTPS connection. Thus
  92         it is impossible for one principal to retrive another principal's
  93         credential without having the appropriate private key.
  94
  95         @param type type of object (user | slice | sa | ma | node)
  96         @param hrn human readable name of authority to list
  97         @return string representation of a credential object
  98         """
  99         self.api.auth.verify_object_belongs_to_me(hrn)
 100         auth_hrn = self.api.auth.get_authority(hrn)
 101
 102         # is this a root or sub authority
 103         if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
 104             auth_hrn = hrn
 105
 106         auth_info = self.api.auth.get_auth_info(auth_hrn)
 107
 108         # find a record that matches
 109         record = None
 110         table = GeniTable()
 111         records = table.find({'type': type, 'hrn':  hrn})
 112         if not records:
 113             raise RecordNotFound(hrn)
 114         record = records[0]
 115         gid = record.get_gid_object()
 116         peer_cert = self.api.auth.peer_cert
 117         if not peer_cert.is_pubkey(gid.get_pubkey()):
 118            raise ConnectionKeyGIDMismatch(gid.get_subject())
 119
 120         rights = self.api.auth.determine_user_rights(None, record)
 121         if rights.is_empty():
 122             raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name())
 123
 124         # create the credential
 125         gid = record.get_gid_object()
 126         cred = Credential(subject = gid.get_subject())
 127         cred.set_gid_caller(gid)
 128         cred.set_gid_object(gid)
 129         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 130         cred.set_pubkey(gid.get_pubkey())
 131         cred.set_privileges(rights)
 132         cred.set_delegate(True)
 133
 134         auth_kind = "authority,sa,ma"
 135         cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 136
 137         cred.encode()
 138         cred.sign()
 139
 140         return cred.save_to_string(save_parents=True)