from sfa.util.method import Method
from sfa.util.parameter import Parameter, Mixed
from sfa.trust.auth import Auth
+from sfa.trust.gid import GID
from sfa.util.record import GeniRecord
+from sfa.util.genitable import *
from sfa.util.debug import log
class get_credential(Method):
accepts = [
Mixed(Parameter(str, "credential"),
Parameter(None, "No credential")),
- Parameter(str, "Human readable name (hrn)")
+ Parameter(str, "Human readable name (hrn)"),
+ Mixed(Parameter(str, "Request hash"),
+ Parameter(None, "Request hash not specified"))
]
returns = Parameter(str, "String representation of a credential object")
- def call(self, cred, type, hrn):
+ def call(self, cred, type, hrn, request_hash=None):
if not cred:
- return self.get_self_credential(type, hrn)
+ return self.get_self_credential(type, hrn, request_hash)
+ self.api.auth.authenticateCred(cred, [cred, type, hrn], request_hash)
self.api.auth.check(cred, 'getcredential')
self.api.auth.verify_object_belongs_to_me(hrn)
auth_hrn = self.api.auth.get_authority(hrn)
- if not auth_hrn:
+
+ # Is this a root or sub authority
+ if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
auth_info = self.api.auth.get_auth_info(auth_hrn)
- table = self.api.auth.get_auth_table(auth_hrn)
- records = table.resolve(type, hrn)
+ table = GeniTable()
+ records = table.find({'type': type, 'hrn': hrn})
if not records:
raise RecordNotFound(hrn)
record = records[0]
rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
if rights.is_empty():
- raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
+ raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record['name'])
# TODO: Check permission that self.client_cred can access the object
- object_gid = record.get_gid_object()
- new_cred = Credential(subject = object_gid.get_subject())
+ gid = record['gid']
+ gid_object = GID(string=gid)
+
+ new_cred = Credential(subject = gid_object.get_subject())
new_cred.set_gid_caller(self.api.auth.client_gid)
- new_cred.set_gid_object(object_gid)
+ new_cred.set_gid_object(gid_object)
new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
- new_cred.set_pubkey(object_gid.get_pubkey())
+ new_cred.set_pubkey(gid_object.get_pubkey())
new_cred.set_privileges(rights)
new_cred.set_delegate(True)
return new_cred.save_to_string(save_parents=True)
- def get_self_credential(self, type, hrn):
+ def get_self_credential(self, type, hrn, request_hash):
"""
get_self_credential a degenerate version of get_credential used by a client
to get his initial credential when de doesnt have one. This is the same as
@return string representation of a credential object
"""
self.api.auth.verify_object_belongs_to_me(hrn)
-
auth_hrn = self.api.auth.get_authority(hrn)
- if not auth_hrn:
+
+ # if this is a root or sub authority get_authority will return
+ # an empty string
+ if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
auth_hrn = hrn
+
auth_info = self.api.auth.get_auth_info(auth_hrn)
# find a record that matches
record = None
- table = self.api.auth.get_auth_table(auth_hrn)
- records = table.resolve('*', hrn)
- for rec in records:
- if type in ['*'] or rec.get_type() in [type]:
- record = rec
- if not record:
+ table = GeniTable()
+ records = table.findObjects({'type': type, 'hrn': hrn})
+ if not records:
raise RecordNotFound(hrn)
+ record = records[0]
gid = record.get_gid_object()
- peer_cert = self.api.auth.peer_cert
- if not peer_cert.is_pubkey(gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(gid.get_subject())
-
rights = self.api.auth.determine_user_rights(None, record)
if rights.is_empty():
raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name())
+
+ # authenticate the gid
+ gid_str = gid.save_to_string(save_parents=True)
+ self.api.auth.authenticateGid(gid_str, [None, type, hrn], request_hash)
# create the credential
gid = record.get_gid_object()
cred.encode()
cred.sign()
-
return cred.save_to_string(save_parents=True)
git://git.onelab.eu / sfa.git / blobdiff