from geni.util.hierarchy import Hierarchy
from geni.util.rights import RightList
from geni.util.genitable import *
-
+from geni.util.config import *
class Auth:
"""
Credential based authentication
"""
- def __init__(self, peer_cert):
+ def __init__(self, peer_cert = None, config = None ):
self.peer_cert = peer_cert
self.hierarchy = Hierarchy()
self.trusted_cert_list = TrustedRootList().get_list()
-
+ if not config:
+ self.config = Config()
def check(self, cred, operation):
if name.startswith(object_hrn + "."):
return
raise PermissionError(name)
-
+
+ def determine_user_rights(self, src_cred, record):
+ """
+ Given a user credential and a record, determine what set of rights the
+ user should have to that record.
+
+ Src_cred can be None when obtaining a user credential, but should be
+ set to a valid user credential when obtaining a slice or authority
+ credential.
+
+ This is intended to replace determine_rights() and
+ verify_cancreate_credential()
+ """
+
+ type = record.get_type()
+ if src_cred:
+ cred_object_hrn = src_cred.get_gid_object().get_hrn()
+ else:
+ # supplying src_cred==None is only valid when obtaining user
+ # credentials.
+ assert(type == "user")
+ cred_object_hrn = None
+
+ rl = RightList()
+
+ if type=="slice":
+ researchers = record.get_geni_info().get("researcher", [])
+ if (cred_object_hrn in researchers):
+ rl.add("refresh")
+ rl.add("embed")
+ rl.add("bind")
+ rl.add("control")
+ rl.add("info")
+
+ elif type == "authority":
+ pis = record.get_geni_info().get("pi", [])
+ operators = record.get_geni_info().get("operator", [])
+ if (cred_object_hrn in pis):
+ rl.add("sa")
+ if (cred_object_hrn in operators):
+ rl.add("ma")
+ if (cred_object_hrn in pis) or (cred_object_hrn in operators):
+ rl.add("authority")
+
+ elif type == "user":
+ rl.add("refresh")
+ rl.add("resolve")
+ rl.add("info")
+
+ return rl
+
def verify_cancreate_credential(self, src_cred, record):
"""
- Verify that a user can retrive a particular type of credential.
+ Verify that a user can retrive a particular type of credential.
For slices, the user must be on the researcher list. For SA and
- MA the user must be on the pi and operator lists respectively
+ MA the user must be on the pi and operator lists respectively
"""
type = record.get_type()
return ".".join(parts[-1:])
def get_authority(self, hrn):
-
parts = hrn.split(".")
return ".".join(parts[:-1])
- def get_auth_type(self, type):
- if (type=="slice") or (type=="user") or (type=="sa"):
- return "sa"
- elif (type=="component") or (type=="ma"):
- return "ma"
- else:
- raise UnknownGeniType(type)
-
def hrn_to_pl_slicename(self, hrn):
parts = hrn.split(".")
return parts[-2] + "_" + parts[-1]
git://git.onelab.eu / sfa.git / blobdiff