#
-# GeniAPI authentication
+# SfaAPI authentication
#
### $Id$
### $URL$
self.hierarchy = Hierarchy()
if not config:
self.config = Config()
- self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
-
+ self.load_trusted_certs()
- def check(self, cred, operation):
+ def load_trusted_certs(self):
+ self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+
+ def check(self, cred, operation, hrn = None):
"""
Check the credential against the peer cert (callerGID included
in the credential matches the caller that is connected to the
else:
raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+ # Make sure the credential's target matches the specified hrn.
+ # This check does not apply to trusted peers
+ trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list.get_list()]
+ if hrn and self.client_gid.get_hrn() not in trusted_peers:
+ if not hrn == self.object_gid.get_hrn():
+ raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
+ (self.object_gid.get_hrn(), hrn) )
return True
def check_ticket(self, ticket):
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
- if not cert:
- peer_cert = self.peer_cert
- else:
- peer_cert = cert
-
- if not gid:
- peer_gid = self.client_gid
- else:
- peer_gid = gid
- if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
+ if not cert.is_pubkey(gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(gid.get_subject()+":"+cert.get_subject())
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
- raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+ raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
return
git://git.onelab.eu / sfa.git / blobdiff