from sfa.util.genitable import GeniTable
from sfa.util.config import *
from sfa.util.misc import *
+from sfa.trust.gid import GID
class Auth:
"""
def __init__(self, peer_cert = None, config = None ):
self.peer_cert = peer_cert
self.hierarchy = Hierarchy()
- self.trusted_cert_list = TrustedRootList().get_list()
if not config:
- self.config = Config()
-
+ self.config = Config()
+ self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
+
def check(self, cred, operation):
"""
# make sure the client_gid is not blank
if not self.client_gid:
raise MissingCallerGID(self.client_cred.get_subject())
-
- # make sure the client_gid matches client's certificate
- peer_cert = self.peer_cert
- if not peer_cert.is_pubkey(self.client_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(self.client_gid.get_subject())
+
+ # validate the client cert if it exists
+ if self.peer_cert:
+ self.verifyPeerCert(self.peer_cert, self.client_gid)
# make sure the client is allowed to perform the operation
if operation:
return True
+ def verifyPeerCert(self, cert, gid):
+ # make sure the client_gid matches client's certificate
+ if not cert:
+ peer_cert = self.peer_cert
+ else:
+ peer_cert = cert
+
+ if not gid:
+ peer_gid = self.client_gid
+ else:
+ peer_gid = gid
+ if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
+ raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
+
+ def verifyGidRequestHash(self, gid, hash, arglist):
+ key = gid.get_pubkey()
+ if not key.verify_string(str(arglist), hash):
+ raise BadRequestHash(hash)
+
+ def verifyCredRequestHash(self, cred, hash, arglist):
+ gid = cred.get_gid_caller()
+ self.verifyGidRequestHash(gid, hash, arglist)
+
+ def validateGid(self, gid):
+ if self.trusted_cert_list:
+ gid.verify_chain(self.trusted_cert_list)
+
+ def validateCred(self, cred):
+ if self.trusted_cert_list:
+ cred.verify_chain(self.trusted_cert_list)
+ caller_gid = cred.get_gid_caller()
+ object_gid = cred.get_gid_object()
+ if caller_gid:
+ caller_gid.verify_chain(self.trusted_cert_list)
+ if object_gid:
+ object_gid.verify_chain(self.trusted_cert_list)
+
+ def authenticateGid(self, gidStr, argList, requestHash=None):
+ gid = GID(string = gidStr)
+ self.validateGid(gid)
+ # request_hash is optional
+ if requestHash:
+ self.verifyGidRequestHash(gid, requestHash, argList)
+ return gid
+
+ def authenticateCred(self, credStr, argList, requestHash=None):
+ cred = Credential(string = credStr)
+ self.validateCred(cred)
+ # request hash is optional
+ if requestHash:
+ self.verifyCredRequestHash(cred, requestHash, argList)
+ return cred
+
+ def authenticateCert(self, certStr, requestHash):
+ cert = Certificate(string=certStr)
+ self.validateCert(self, cert)
+
+ def gidNoop(self, gidStr, value, requestHash):
+ self.authenticateGid(gidStr, [gidStr, value], requestHash)
+ return value
+
+ def credNoop(self, credStr, value, requestHash):
+ self.authenticateCred(credStr, [credStr, value], requestHash)
+ return value
def verify_cred_is_me(self, credential):
is_me = False