self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
-
def checkCredentials(self, creds, operation, xrns=[]):
if not isinstance(xrns, list):
xrns = [xrns]
valid = []
if not isinstance(creds, list):
creds = [creds]
- logger.debug("Auth.checkCredentials with %d creds"%len(creds))
+ logger.debug("Auth.checkCredentials with %d creds on hrns=%s"%(len(creds),hrns))
+ # won't work if either creds or hrns is empty - let's make it more explicit
+ if not creds: raise InsufficientRights("Access denied - no credential provided")
+ if not hrns: hrns = [None]
for cred in creds:
for hrn in hrns:
try:
self.check(cred, operation, hrn)
valid.append(cred)
except:
- cred_obj=Credential(string=cred)
+ cred_obj=Credential(cred=cred)
logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
error = sys.exc_info()[:2]
continue
return valid
- def check(self, cred, operation, hrn = None):
+ def check(self, credential, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
trusted cert and check if the credential is allowed to perform
the specified operation.
"""
- self.client_cred = Credential(string = cred)
+ cred = Credential(cred=credential)
+ self.client_cred = cred
+ logger.debug("Auth.check: handling hrn=%s and credential=%s"%\
+ (hrn,cred.get_summary_tostring()))
self.client_gid = self.client_cred.get_gid_caller()
self.object_gid = self.client_cred.get_gid_object()
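Review bot: In `checkCredentials`, `valid.append(cred)` runs as soon as `self.check` passes for any one `hrn`, so a credential that covers only one of several requested targets still ends up in the returned list, once per matching hrn. If callers treat a non-empty result as authorization for every xrn (they are not visible here), the loop should require all hrns to pass before appending, as sketched below, and catch `Exception` rather than using a bare `except:`. The added `if not hrns: hrns = [None]` makes an empty target list call `check` with `hrn=None`, which presumably skips the object match (the body of `check` continues past the visible lines), so I would add a comment like `# no xrn given: the target object is not checked`. `hrns` is also not assigned anywhere in the visible lines (the parameter is `xrns`), so confirm it is derived before the new debug call uses it.

```python
for cred in creds:
    try:
        # every requested hrn must pass before the credential counts as valid
        for hrn in hrns:
            self.check(cred, operation, hrn)
    except Exception:
        # … unchanged: debug dump of the rejected credential, error = sys.exc_info()[:2] …
        continue
    valid.append(cred)
```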