self.verify_object_permission(record.get_name())
auth_name = get_authority(record.get_name())
+ if not auth_name:
+ auth_name = record.get_name()
table = self.get_auth_table(auth_name)
# make sure the record exists
existing_record_list = table.resolve(type, record.get_name())
if not existing_record_list:
raise RecordNotFound(record.get_name())
-
existing_record = existing_record_list[0]
+
+ # Update_membership needs the membership lists in the existing record
+ # filled in, so it can see if members were added or removed
+ self.fill_record_info(existing_record)
+
+ # Use the pointer from the existing record, not the one that the user
+ # gave us. This prevents the user from inserting a forged pointer
pointer = existing_record.get_pointer()
# update the PLC information that was specified with the record
def resolve_raw(self, type, name, must_exist=True):
auth_name = get_authority(name)
-
+ if not auth_name:
+ auth_name = name
table = self.get_auth_table(auth_name)
-
records = table.resolve(type, name)
-
if (not records) and must_exist:
raise RecordNotFound(name)
self.verify_object_belongs_to_me(name)
auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
auth_info = self.get_auth_info(auth_hrn)
-
# find a record that matches
records = self.resolve_raw(type, name, must_exist=True)
record = records[0]
return cred.save_to_string(save_parents=True)
+ ##
+ # verify_cancreate_credential
+ #
+ # Verify that a user can retrieve a particular type of credential. For
+ # slices, the user must be on the researcher list. For SA and MA the user
+ # must be on the pi and operator lists respectively.
+
+ def verify_cancreate_credential(self, src_cred, record):
+ type = record.get_type()
+ cred_object_hrn = src_cred.get_gid_object().get_hrn()
+ config = Config()
+ if cred_object_hrn in [config.GENI_REGISTRY_ROOT_AUTH]:
+ return
+ if type=="slice":
+ researchers = record.get_geni_info().get("researcher", [])
+ if not (cred_object_hrn in researchers):
+ raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name())
+ elif type == "sa":
+ pis = record.get_geni_info().get("pi", [])
+ if not (cred_object_hrn in pis):
+ raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name())
+ elif type == "ma":
+ operators = record.get_geni_info().get("operator", [])
+ if not (cred_object_hrn in operators):
+ raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name())
+
##
# GENI API: Get_credential
#
self.verify_object_belongs_to_me(name)
auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
auth_info = self.get_auth_info(auth_hrn)
records = self.resolve_raw(type, name, must_exist=True)
record = records[0]
+ # verify_cancreate_credential requires that the member lists
+ # (researchers, pis, etc) be filled in
+ self.fill_record_info(record)
+
+ self.verify_cancreate_credential(self.client_cred, record)
+
# TODO: Check permission that self.client_cred can access the object
object_gid = record.get_gid_object()
# that they should be combined?
auth_hrn = get_authority(name)
+ if not auth_hrn:
+ auth_hrn = name
auth_info = self.get_auth_info(auth_hrn)
records = self.resolve_raw("slice", name, must_exist=True)
git://git.onelab.eu / sfa.git / blobdiff