git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix speaks for auth
[sfa.git] / sfa / trust / auth.py
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 48ad5b2..1c74f1c 100644 (file)
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -7,7 +7,7 @@ from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrusted
     BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
 from sfa.util.sfalogging import logger
 from sfa.util.config import Config
-from sfa.util.xrn import get_authority
+from sfa.util.xrn import get_authority, Xrn
 
 from sfa.trust.gid import GID
 from sfa.trust.rights import Rights
@@ -16,6 +16,7 @@ from sfa.trust.credential import Credential
 from sfa.trust.trustedroots import TrustedRoots
 from sfa.trust.hierarchy import Hierarchy
 from sfa.trust.sfaticket import SfaTicket
+from sfa.trust.speaksfor_util import determine_speaks_for
 
 
 class Auth:
@@ -35,44 +36,36 @@ class Auth:
         self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
        
-    def checkCredentials(self, creds, operation, hrn = None, speaking_for_hrn = None):
+    def checkCredentials(self, creds, operation, hrn = None, options = {}):
 
         def log_invalid_cred(cred):
-            cred_obj=Credential(string=cred)
-            logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
+            #cred_obj=Credential(string=cred)
+            #logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
             error = sys.exc_info()[:2]
             return error
 
         valid = []
-        speaks_for_cred = None
-
         if not isinstance(creds, list):
             creds = [creds]
-        logger.debug("Auth.checkCredentials with %d creds"%len(creds))
-        for cred in creds:
-            try:
-                self.check(cred, operation, hrn)
-                valid.append(cred)
-            except:
-                # check if credential is a 'speaks for  credential'
-                if speaking_for_hrn:
-                    try:
-                        self.check(cred, operation, speaking_for_hrn)
-                        speaks_for_cred = cred
-                        valid.append(cred)    
-                    except:
-                        error = log_invalid_cred(cred)
-                else:
+
+        # if speaks for gid matches caller cert then we've found a valid
+        # speaks for credential      
+        speaks_for_gid = determine_speaks_for(logger, creds, self.peer_cert, \
+                                              options, self.trusted_cert_list)
+        if self.peer_cert and \
+           not self.peer_cert.is_pubkey(speaks_for_gid.get_pubkey()):
+            valid = creds
+        else:
+            for cred in creds:
+                try:
+                    self.check(cred, operation, hrn)
+                    valid.append(cred)
+                except:
                     error = log_invalid_cred(cred)
-                continue
-            
-        if not len(valid):
-            raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
-        
-        if speaking_for_hrn and not speaks_for_cred:
-            raise InsufficientRights('Access denied: "geni_speaking_for" option specified but no valid speaks for credential found: %s -- %s' % (error[0],error[1]))
+                
+            if not len(valid):
+                raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1]))
             
-        
         return valid
         
         
sfa