+### $Id$
+### $URL$
+
+from geni.trust.credential import *
+from geni.trust.rights import *
from geni.util.faults import *
-from geni.util.excep import *
from geni.util.method import Method
from geni.util.parameter import Parameter, Mixed
from geni.util.auth import Auth
from geni.util.record import GeniRecord
-from geni.util.credential import *
-from geni.util.rights import *
from geni.util.debug import log
class get_credential(Method):
]
returns = Parameter(str, "String representation of a credential object")
-
+
def call(self, cred, type, hrn):
if not cred:
return self.get_self_credential(type, hrn)
-
+
self.api.auth.check(cred, 'getcredential')
self.api.auth.verify_object_belongs_to_me(hrn)
auth_hrn = self.api.auth.get_authority(hrn)
# (researchers, pis, etc) be filled in
self.api.fill_record_info(record)
- self.api.auth.verify_cancreate_credential(self.api.auth.client_cred, record)
+ rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
+ if rights.is_empty():
+ raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
# TODO: Check permission that self.client_cred can access the object
new_cred.set_gid_object(object_gid)
new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
new_cred.set_pubkey(object_gid.get_pubkey())
+ new_cred.set_privileges(rights)
+ new_cred.set_delegate(True)
- rl = determine_rights(type,hrn)
- new_cred.set_privileges(rl)
-
- # determine the type of credential that we want to use as a parent for
- # this credential.
-
- if (type == "ma") or (type == "node"):
- auth_kind = "authority,ma"
- else: # user, slice, sa
- auth_kind = "authority,sa"
-
+ auth_kind = "authority,ma,sa"
new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
new_cred.encode()
def get_self_credential(self, type, hrn):
"""
get_self_credential a degenerate version of get_credential used by a client
- to get his initial credential when de doesnt have one. This is the same as
+ to get his initial credential when de doesnt have one. This is the same as
get_credetial(..., cred = None, ...)
-
- The registry ensures that the client is the principal that is named by
- (type, name) by comparing the public key in the record's GID to the
+
+ The registry ensures that the client is the principal that is named by
+ (type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
- it is impossible for one principal to retrive another principal's
- credential without having the appropriate private key.
+ it is impossible for one principal to retrive another principal's
+ credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
- @return string representation of a credential object
+ @return string representation of a credential object
"""
self.api.auth.verify_object_belongs_to_me(hrn)
for rec in records:
if type in ['*'] or rec.get_type() in [type]:
record = rec
+ if not record:
+ raise RecordNotFound(hrn)
gid = record.get_gid_object()
peer_cert = self.api.auth.peer_cert
if not peer_cert.is_pubkey(gid.get_pubkey()):
raise ConnectionKeyGIDMismatch(gid.get_subject())
+ rights = self.api.auth.determine_user_rights(None, record)
+ if rights.is_empty():
+ raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name())
+
# create the credential
gid = record.get_gid_object()
cred = Credential(subject = gid.get_subject())
cred.set_gid_object(gid)
cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
cred.set_pubkey(gid.get_pubkey())
-
- rl = determine_rights(type, hrn)
- cred.set_privileges(rl)
-
- # determine the type of credential that we want to use as a parent for
- # this credential.
-
- if (type == "ma") or (type == "node"):
- auth_kind = "authority,ma"
- else: # user, slice, sa
- auth_kind = "authority,sa"
+ cred.set_privileges(rights)
+ cred.set_delegate(True)
+ auth_kind = "authority,sa,ma"
cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
cred.encode()
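Review bot: Both credentials built here are marked delegatable with a literal — `new_cred.set_delegate(True)` at the line after `set_privileges(rights)` in `call`, and `cred.set_delegate(True)` in `get_self_credential` — regardless of what `determine_user_rights` returned, so every credential the registry issues can be re-delegated by its holder; the flag should be derived from the rights object or an explicit registry policy, and until then the line deserves a comment such as `# every issued credential is delegatable; tie this to the delegate bits in `rights` once they are available`. The parent-credential kind is also spelled differently in the two paths (`"authority,ma,sa"` vs `"authority,sa,ma"`); if `get_auth_cred` compares the kind string rather than parsing it as a set, one of the two paths will be handed the wrong parent, so both should use one module-level constant. In `get_self_credential` the new `if not record:` guard will raise NameError instead of `RecordNotFound` when the loop never assigns `record`, unless `record` is initialised before the loop (that part of the function is outside the hunk, so this is inferred). The `# TODO: Check permission that self.client_cred can access the object` comment in `call` now sits directly below the rights check that implements it and should be removed or reworded to say what is still missing. Both enclosing functions continue past the end of the hunk.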