self.client_cred = Credential(string = cred)
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
-
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
- if operation:
+ if operation:
if not self.client_cred.can_perform(operation):
raise InsufficientRights(operation)
if self.trusted_cert_list:
self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
# This check does not apply to trusted peers
trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
if hrn and self.client_gid.get_hrn() not in trusted_peers:
+
target_hrn = self.object_gid.get_hrn()
if not hrn == target_hrn:
raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
@param name human readable name to test
"""
object_hrn = self.object_gid.get_hrn()
- if object_hrn == name:
- return
- if name.startswith(object_hrn + "."):
+ #strname = str(name).strip("['']")
+ if object_hrn == name:
+ #if object_hrn == strname:
+ return
+ if name.startswith(object_hrn + ".") :
+ #if strname.startswith((object_hrn + ".")) is True:
return
#if name.startswith(get_authority(name)):
#return
-
+
raise PermissionError(name)
def determine_user_rights(self, caller_hrn, reg_record):
Given a user credential and a record, determine what set of rights the
user should have to that record.
- This is intended to replace determine_rights() and
+ This is intended to replace determine_user_rights() and
verify_cancreate_credential()
"""
logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
- if type=='slice':
+ if type == 'slice':
+ # researchers in the slice are in the DB as-is
researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
- # xxx need a means to compute pi_hrns from the registry db
- pi_hrns = reg_record.get('PI',[])
+ # locating PIs attached to that slice
+ slice_pis=reg_record.get_pis()
+ pi_hrns = [ user.hrn for user in slice_pis ]
if (caller_hrn in researcher_hrns + pi_hrns):
rl.add('refresh')
rl.add('embed')
elif type == 'authority':
pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
- # xxx need a means to compute operator_hrns from the registry db
- operator_hrns = reg_record.get('operator',[])
if (caller_hrn == self.config.SFA_INTERFACE_HRN):
rl.add('authority')
rl.add('sa')
if (caller_hrn in pi_hrns):
rl.add('authority')
rl.add('sa')
- if (caller_hrn in operator_hrns):
- rl.add('authority')
- rl.add('ma')
+ # NOTE: for the PL implementation, this 'operators' list
+ # amounted to users with 'tech' role in that site
+ # it seems like this is not needed any longer, so for now I just drop that
+ # operator_hrns = reg_record.get('operator',[])
+ # if (caller_hrn in operator_hrns):
+ # rl.add('authority')
+ # rl.add('ma')
elif type == 'user':
rl.add('refresh')
git://git.onelab.eu / sfa.git / blobdiff