1 ### $Id: get_credential.py 15321 2009-10-15 05:01:21Z tmack $
2 ### $URL: https://svn.planet-lab.org/svn/sfa/trunk/sfa/methods/get_credential.py $
4 from sfa.trust.credential import *
5 from sfa.trust.rights import *
6 from sfa.util.faults import *
7 from sfa.util.namespace import *
8 from sfa.util.method import Method
9 from sfa.util.parameter import Parameter, Mixed
10 from sfa.util.record import SfaRecord
11 from sfa.util.debug import log
13 class get_self_credential(Method):
15 Retrive a credential for an object
16 @param cert certificate string
17 @param type type of object (user | slice | sa | ma | node)
18 @param hrn human readable name of object (hrn or urn)
20 @return the string representation of a credential object
23 interfaces = ['registry']
26 Parameter(str, "certificate"),
27 Parameter(str, "Human readable name (hrn or urn)"),
28 Mixed(Parameter(str, "Request hash"),
29 Parameter(None, "Request hash not specified"))
32 returns = Parameter(str, "String representation of a credential object")
34 def call(self, cert, type, xrn, request_hash=None):
36 get_self_credential a degenerate version of get_credential used by a client
37 to get his initial credential when de doesnt have one. This is the same as
38 get_credetial(..., cred = None, ...)
40 The registry ensures that the client is the principal that is named by
41 (type, name) by comparing the public key in the record's GID to the
42 private key used to encrypt the client side of the HTTPS connection. Thus
43 it is impossible for one principal to retrive another principal's
44 credential without having the appropriate private key.
46 @param type type of object (user | slice | sa | ma | node)
47 @param hrn human readable name of authority to list
48 @return string representation of a credential object
51 hrn = urn_to_hrn(xrn)[0]
53 hrn, type = urn_to_hrn(xrn)
54 self.api.auth.verify_object_belongs_to_me(hrn)
56 # send the call to the right manager
57 manager_base = 'sfa.managers'
58 mgr_type = self.api.config.SFA_REGISTRY_TYPE
59 manager_module = manager_base + ".registry_manager_%s" % mgr_type
60 manager = __import__(manager_module, fromlist=[manager_base])
62 # authenticate the gid
63 records = manager.resolve(self.api, xrn, type)
65 raise RecordNotFound(hrn)
66 record = SfaRecord(dict=records[0])
67 gid = record.get_gid_object()
68 gid_str = gid.save_to_string(save_parents=True)
69 self.api.auth.authenticateGid(gid_str, [cert, type, hrn], request_hash)
70 # authenticate the certificate against the gid in the db
71 certificate = Certificate(string=cert)
72 if not certificate.is_pubkey(gid.get_pubkey()):
73 raise ConnectionKeyGIDMismatch(gid.get_subject())
75 return manager.get_credential(self.api, xrn, type, is_self=True)