- self.api.auth.check(cred, 'getcredential')
- self.api.auth.verify_object_belongs_to_me(hrn)
- auth_hrn = self.api.auth.get_authority(hrn)
- if not auth_hrn:
- auth_hrn = hrn
- auth_info = self.api.auth.get_auth_info(auth_hrn)
- table = self.api.auth.get_auth_table(auth_hrn)
- records = table.resolve('*', hrn)
- if not records:
- raise RecordNotFound(hrn)
- record = records[0]
- # verify_cancreate_credential requires that the member lists
- # (researchers, pis, etc) be filled in
- self.api.fill_record_info(record)
-
- rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
- if rights.is_empty():
- raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
-
- # TODO: Check permission that self.client_cred can access the object
-
- object_gid = record.get_gid_object()
- new_cred = Credential(subject = object_gid.get_subject())
- new_cred.set_gid_caller(self.api.auth.client_gid)
- new_cred.set_gid_object(object_gid)
- new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
- new_cred.set_pubkey(object_gid.get_pubkey())
- new_cred.set_privileges(rights)
- new_cred.set_delegate(True)
-
- auth_kind = "authority,ma,sa"
- new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
-
- new_cred.encode()
- new_cred.sign()
-
- return new_cred.save_to_string(save_parents=True)
-
- def get_self_credential(self, type, hrn):
- """
- get_self_credential a degenerate version of get_credential used by a client
- to get his initial credential when de doesnt have one. This is the same as
- get_credetial(..., cred = None, ...)