- for cred in creds:
- try:
- self.check(cred, operation, hrn)
- valid.append(cred)
- except:
- error = sys.exc_info()[:2]
- continue
-
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
+ # won't work if either creds or hrns is empty - let's make it more explicit
+ if not creds: raise Forbidden("no credential provided")
+ if not hrns: hrns = [None]
+ error=[None,None]
+
+ # if speaks for gid matches caller cert then we've found a valid
+ # speaks for credential
+ speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
+ options, self.trusted_cert_list)
+
+ if self.peer_cert and \
+ not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
+ valid = creds
+ else:
+ for cred in creds:
+ for hrn in hrns:
+ try:
+ self.check(cred, operation, hrn)
+ valid.append(cred)
+ except:
+ error = log_invalid_cred(cred)
+
+ # make sure all sliver xrns are validated against the valid credentials
+ if sliver_xrns:
+ if not check_sliver_callback:
+ msg = "sliver verification callback method not found."
+ msg += " Unable to validate sliver xrns: %s" % sliver_xrns
+ raise Forbidden(msg)
+ check_sliver_callback(valid, sliver_xrns)
+