raise MissingCallerGID(self.client_cred.get_subject())
# validate the client cert if it exists
- if peer_cert:
- self.verifyPeerCert()
+ if self.peer_cert:
+ self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
if operation:
return True
- def verifyPeerCert(self):
+ def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
- peer_cert = self.peer_cert
- if not peer_cert.is_pubkey(self.client_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(self.client_gid.get_subject()
+ if not cert:
+ peer_cert = self.peer_cert
+ else:
+ peer_cert = cert
+
+ if not gid:
+ peer_gid = self.client_gid
+ else:
+ peer_gid = gid
+ if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
def verifyGidRequestHash(self, gid, hash, arglist):
key = gid.get_pubkey()
if object_gid:
object_gid.verify_chain(self.trusted_cert_list)
- def authenticateGid(self, gidStr, argList, requestHash):
+ def authenticateGid(self, gidStr, argList, requestHash=None):
gid = GID(string = gidStr)
self.validateGid(gid)
- self.verifyGidRequestHash(gid, requestHash, argList)
+ # request_hash is optional
+ if requestHash:
+ self.verifyGidRequestHash(gid, requestHash, argList)
return gid
- def authenticateCred(self, credStr, argList, requestHash):
+ def authenticateCred(self, credStr, argList, requestHash=None):
cred = Credential(string = credStr)
self.validateCred(cred)
- self.verifyCredRequestHash(cred, requestHash, argList)
+ # request hash is optional
+ if requestHash:
+ self.verifyCredRequestHash(cred, requestHash, argList)
return cred
def authenticateCert(self, certStr, requestHash):
raise PermissionError(name)
- def determine_user_rights(self, src_cred, record):
+ def determine_user_rights(self, caller_hrn, record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
- Src_cred can be None when obtaining a user credential, but should be
- set to a valid user credential when obtaining a slice or authority
- credential.
-
+
This is intended to replace determine_rights() and
verify_cancreate_credential()
"""
- type = record['type']
- if src_cred:
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- else:
- # supplying src_cred==None is only valid when obtaining user
- # credentials.
- #assert(type == "user")
-
- cred_object_hrn = None
-
rl = RightList()
+ type = record['type']
if type=="slice":
researchers = record.get("researcher", [])
- if (cred_object_hrn in researchers):
+ if (caller_hrn in researchers):
rl.add("refresh")
rl.add("embed")
rl.add("bind")
rl.add("info")
elif type == "authority":
- pis = record.get("pi", [])
+ pis = record.get("PI", [])
operators = record.get("operator", [])
- rl.add("authority,sa,ma")
- if (cred_object_hrn in pis):
- rl.add("sa")
- if (cred_object_hrn in operators):
- rl.add("ma")
+ if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+ rl.add("authority,sa,ma",)
+ if (caller_hrn in pis):
+ rl.add("authority,sa")
+ if (caller_hrn in operators):
+ rl.add("authority,ma")
elif type == "user":
rl.add("refresh")
git://git.onelab.eu / sfa.git / blobdiff