+ def get_auth_cred(self, hrn):
+ auth_info = self.get_auth_info(hrn)
+ gid = auth_info.get_gid_object()
+
+ cred = Credential(subject=hrn)
+ cred.set_gid_caller(gid)
+ cred.set_gid_object(gid)
+ cred.set_privileges("authority")
+ cred.set_delegate(True)
+ cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
+
+ parent_hrn = get_authority(hrn)
+ if not parent_hrn:
+ # if there is no parent hrn, then it must be self-signed. this
+ # is where we terminate the recursion
+ cred.set_issuer(auth_info.get_pkey_object(), hrn)
+ else:
+ # we need the parent's private key in order to sign this GID
+ parent_auth_info = self.get_auth_info(parent_hrn)
+ cred.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
+ cred.set_parent(self.get_auth_cred(parent_hrn))
+
+ cred.encode()
+ cred.sign()
+
+ return cred
+
+ # this looks almost the same as get_auth_cred, but works for tickets
+ # XXX does similarity imply there should be more code re-use?
+ def get_auth_ticket(self, hrn):
+ auth_info = self.get_auth_info(hrn)
+ gid = auth_info.get_gid_object()
+
+ ticket = Ticket(subject=hrn)
+ ticket.set_gid_caller(gid)
+ ticket.set_gid_object(gid)
+ ticket.set_delegate(True)
+ ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())
+
+ parent_hrn = get_authority(hrn)
+ if not parent_hrn:
+ # if there is no parent hrn, then it must be self-signed. this
+ # is where we terminate the recursion
+ ticket.set_issuer(auth_info.get_pkey_object(), hrn)
+ else:
+ # we need the parent's private key in order to sign this GID
+ parent_auth_info = self.get_auth_info(parent_hrn)
+ ticket.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
+ ticket.set_parent(self.get_auth_cred(parent_hrn))
+
+ ticket.encode()
+ ticket.sign()
+
+ return ticket
+