X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fmethods%2Fget_credential.py;h=774c1f38e8f8d54dbddb27a91f1d8a4aec32ea48;hb=23e5745a8d7871776aa846ac7ef5c6bde0b0f9f3;hp=ff5c1a2a2d1942b3cf191791b8371a0bae9e7e42;hpb=de68461a2dd24ecba761c3a897812d13bd456745;p=sfa.git diff --git a/sfa/methods/get_credential.py b/sfa/methods/get_credential.py index ff5c1a2a..774c1f38 100644 --- a/sfa/methods/get_credential.py +++ b/sfa/methods/get_credential.py @@ -7,7 +7,9 @@ from sfa.util.faults import * from sfa.util.method import Method from sfa.util.parameter import Parameter, Mixed from sfa.trust.auth import Auth +from sfa.trust.gid import GID from sfa.util.record import GeniRecord +from sfa.util.genitable import * from sfa.util.debug import log class get_credential(Method): @@ -27,15 +29,16 @@ class get_credential(Method): accepts = [ Mixed(Parameter(str, "credential"), Parameter(None, "No credential")), - Parameter(str, "Human readable name (hrn)") + Parameter(str, "Human readable name (hrn)"), + Mixed(Parameter(str, "Request hash"), + Parameter(None, "Request hash not specified")) ] returns = Parameter(str, "String representation of a credential object") - def call(self, cred, type, hrn): - if not cred: - return self.get_self_credential(type, hrn) + def call(self, cred, type, hrn, request_hash=None): + self.api.auth.authenticateCred(cred, [cred, type, hrn], request_hash) self.api.auth.check(cred, 'getcredential') self.api.auth.verify_object_belongs_to_me(hrn) auth_hrn = self.api.auth.get_authority(hrn) @@ -44,8 +47,8 @@ class get_credential(Method): if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN: auth_hrn = hrn auth_info = self.api.auth.get_auth_info(auth_hrn) - table = self.api.auth.get_auth_table(auth_hrn) - records = table.resolve(type, hrn) + table = GeniTable() + records = table.find({'type': type, 'hrn': hrn}) if not records: raise RecordNotFound(hrn) record = records[0] 
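Review bot: The added `from sfa.util.genitable import *` is a wildcard import, but the only name this change uses from that module is `GeniTable` (in the table lookup hunk below), so the explicit form `from sfa.util.genitable import GeniTable` keeps the module namespace predictable and makes the new dependency visible to readers and linters. The file already carries a `from sfa.util.faults import *` in the hunk's context, so this follows existing style, but new imports need not inherit it.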
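Review bot: The new `call` body has no path for `cred is None`, yet the `accepts` declaration a few lines above still advertises `Parameter(None, "No credential")`, so a client with no credential now reaches `self.api.auth.authenticateCred(None, [None, type, hrn], request_hash)` and then `self.api.auth.check(None, 'getcredential')`; whether those reject or accept a missing credential is decided outside this hunk, while the deleted `get_self_credential` path (last hunk of this diff) used to bind the caller to the record by comparing the TLS peer certificate's key with the record GID's public key before issuing anything. Either drop the `Parameter(None, ...)` alternative so the declared interface matches the code, or state at the top of `call` which helper now performs that binding, e.g. `# cred may be None only for the initial bootstrap; authenticateCred is expected to bind the peer cert key to the record GID in that case`. The `request_hash` argument is likewise declared optional, so if `authenticateCred` skips hash verification on `None` that verification is at the client's discretion; worth confirming this is not a silent downgrade. The body of `call` continues past the end of this hunk.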
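Review bot: Replacing `self.api.auth.get_auth_table(auth_hrn).resolve(type, hrn)` with `GeniTable().find({'type': type, 'hrn': hrn})` drops the per-authority table, so the only thing now limiting the lookup to objects this registry owns is the earlier `self.api.auth.verify_object_belongs_to_me(hrn)` call in `call`; if that is the intended sole scoping, say so next to the lookup, e.g. `# single shared table: ownership of hrn was already enforced by verify_object_belongs_to_me`. The `table` local is used once and could be inlined as `records = GeniTable().find({'type': type, 'hrn': hrn})`. `call` starts before and ends after this hunk.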
@@ -53,18 +56,21 @@ class get_credential(Method): # (researchers, pis, etc) be filled in self.api.fill_record_info(record) - rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record) + caller_hrn = self.api.auth.client_cred.get_gid_caller().get_hrn() + rights = self.api.auth.determine_user_rights(caller_hrn, record) if rights.is_empty(): - raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name()) + raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record['name']) # TODO: Check permission that self.client_cred can access the object - object_gid = record.get_gid_object() - new_cred = Credential(subject = object_gid.get_subject()) + gid = record['gid'] + gid_object = GID(string=gid) + + new_cred = Credential(subject = gid_object.get_subject()) new_cred.set_gid_caller(self.api.auth.client_gid) - new_cred.set_gid_object(object_gid) + new_cred.set_gid_object(gid_object) new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) - new_cred.set_pubkey(object_gid.get_pubkey()) + new_cred.set_pubkey(gid_object.get_pubkey()) new_cred.set_privileges(rights) new_cred.set_delegate(True) 
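Review bot: Rights are now computed from `caller_hrn`, taken from `client_cred.get_gid_caller().get_hrn()`, but the `PermissionError` raised two lines later still names `self.api.auth.client_cred.get_gid_object().get_hrn()`, so when the caller and the credential's object differ the error blames the wrong principal; `raise PermissionError(caller_hrn + " has no rights to " + record['name'])` reports the identity the decision was actually made on. The credential is then built with `new_cred.set_gid_caller(self.api.auth.client_gid)` while the rights decision used the caller GID from `client_cred`; presumably these are the same identity, but since the hunk gives no guarantee, a comment such as `# client_gid and client_cred.get_gid_caller() are assumed to be the same principal` would record the assumption. `record['gid']` is indexed without a guard, so a record lacking a gid raises `KeyError` rather than a registry fault; whether `fill_record_info` guarantees the key is outside this hunk. `call` starts before and ends after this hunk.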
@@ -76,63 +82,3 @@ class get_credential(Method): return new_cred.save_to_string(save_parents=True) - def get_self_credential(self, type, hrn): - """ - get_self_credential a degenerate version of get_credential used by a client - to get his initial credential when de doesnt have one. This is the same as - get_credetial(..., cred = None, ...) - - The registry ensures that the client is the principal that is named by - (type, name) by comparing the public key in the record's GID to the - private key used to encrypt the client side of the HTTPS connection. Thus - it is impossible for one principal to retrive another principal's - credential without having the appropriate private key. - - @param type type of object (user | slice | sa | ma | node) - @param hrn human readable name of authority to list - @return string representation of a credential object - """ - self.api.auth.verify_object_belongs_to_me(hrn) - auth_hrn = self.api.auth.get_authority(hrn) - - # is this a root or sub authority - if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN: - auth_hrn = hrn - - auth_info = self.api.auth.get_auth_info(auth_hrn) - - # find a record that matches - record = None - table = self.api.auth.get_auth_table(auth_hrn) - records = table.resolve('*', hrn) - for rec in records: - if type in ['*'] or rec.get_type() in [type]: - record = rec - if not record: - raise RecordNotFound(hrn) - gid = record.get_gid_object() - peer_cert = self.api.auth.peer_cert - if not peer_cert.is_pubkey(gid.get_pubkey()): - raise ConnectionKeyGIDMismatch(gid.get_subject()) - - rights = self.api.auth.determine_user_rights(None, record) - if rights.is_empty(): - raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name()) - - # create the credential - gid = record.get_gid_object() - cred = Credential(subject = gid.get_subject()) - cred.set_gid_caller(gid) - cred.set_gid_object(gid) - cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) - 
cred.set_pubkey(gid.get_pubkey()) - cred.set_privileges(rights) - cred.set_delegate(True) - - auth_kind = "authority,sa,ma" - cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) - - cred.encode() - cred.sign() - - return cred.save_to_string(save_parents=True)