git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
working towards supporting speaks for credentials
[sfa.git] / sfa / trust / auth.py
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 0c03279..0dffa08 100644 (file)
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -7,7 +7,7 @@ from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrusted
     BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
 from sfa.util.sfalogging import logger
 from sfa.util.config import Config
-from sfa.util.xrn import get_authority
+from sfa.util.xrn import get_authority, Xrn
 
 from sfa.trust.gid import GID
 from sfa.trust.rights import Rights
@@ -34,10 +34,19 @@ class Auth:
         self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
         self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
-        
-        
-    def checkCredentials(self, creds, operation, hrn = None):
+       
+    def checkCredentials(self, creds, operation, hrn = None, options = {}):
+
+        def log_invalid_cred(cred):
+            #cred_obj=Credential(string=cred)
+            #logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+            error = sys.exc_info()[:2]
+            return error
+
         valid = []
+        speaking_for = options.get('geni_speaking_for', None)
+        speaks_for_cred = None
+
         if not isinstance(creds, list):
             creds = [creds]
         logger.debug("Auth.checkCredentials with %d creds"%len(creds))
@@ -46,14 +55,27 @@ class Auth:
                 self.check(cred, operation, hrn)
                 valid.append(cred)
             except:
-                cred_obj=Credential(string=cred)
-                logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
-                error = sys.exc_info()[:2]
+                # check if credential is a 'speaks for  credential'
+                if speaking_for:
+                    try:
+                        speaking_for_xrn = Xrn(speaking_for)
+                        speaking_for_hrn = speaking_for_xrn.get_hrn()     
+                        self.check(cred, operation, speaking_for_hrn)
+                        speaks_for_cred = cred
+                        valid.append(cred)    
+                    except:
+                        error = log_invalid_cred(cred)
+                else:
+                    error = log_invalid_cred(cred)
                 continue
             
         if not len(valid):
             raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
         
+        if speaking_for and not speaks_for_cred:
+            raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+            
+        
         return valid
         
         
sfa