X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fmethods%2Fget_credential.py;h=f788eadc89e093e8245e6a0354c1ad712a807dc4;hb=09089b7cecf89a0fa3f807c466f774683c29f221;hp=c67831b47e1960930b389437ca96ad03bf3acec4;hpb=f13173726f8382eef380f1e754f24dd2b126a77b;p=sfa.git diff --git a/sfa/methods/get_credential.py b/sfa/methods/get_credential.py index c67831b4..f788eadc 100644 --- a/sfa/methods/get_credential.py +++ b/sfa/methods/get_credential.py @@ -4,11 +4,11 @@ from sfa.trust.credential import * from sfa.trust.rights import * from sfa.util.faults import * +from sfa.util.namespace import * from sfa.util.method import Method from sfa.util.parameter import Parameter, Mixed -from sfa.util.auth import Auth -from sfa.util.record import GeniRecord from sfa.util.debug import log +from sfa.trust.credential import Credential class get_credential(Method): """ @@ -17,7 +17,7 @@ class get_credential(Method): @param cred credential object specifying rights of the caller @param type type of object (user | slice | sa | ma | node) - @param hrn human readable name of object + @param hrn human readable name of object (hrn or urn) @return the string representation of a credential object """ @@ -27,108 +27,28 @@ class get_credential(Method): accepts = [ Mixed(Parameter(str, "credential"), Parameter(None, "No credential")), - Parameter(str, "Human readable name (hrn)") + Parameter(str, "Human readable name (hrn or urn)") ] returns = Parameter(str, "String representation of a credential object") - def call(self, cred, type, hrn): - if not cred: - return self.get_self_credential(type, hrn) + def call(self, cred, type, xrn, origin_hrn=None): + if type: + hrn = urn_to_hrn(xrn)[0] + else: + hrn, type = urn_to_hrn(xrn) - self.api.auth.check(cred, 'getcredential') - self.api.auth.verify_object_belongs_to_me(hrn) - auth_hrn = self.api.auth.get_authority(hrn) - if not auth_hrn: - auth_hrn = hrn - auth_info = self.api.auth.get_auth_info(auth_hrn) - table = self.api.auth.get_auth_table(auth_hrn) - records = table.resolve('*', hrn) - if not records: - raise RecordNotFound(hrn) - record = records[0] - # verify_cancreate_credential requires that the member lists - # (researchers, pis, etc) be filled in - self.api.fill_record_info(record) - - rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record) - if rights.is_empty(): - raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name()) - - # TODO: Check permission that self.client_cred can access the object - - object_gid = record.get_gid_object() - new_cred = Credential(subject = object_gid.get_subject()) - new_cred.set_gid_caller(self.api.auth.client_gid) - new_cred.set_gid_object(object_gid) - new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) - new_cred.set_pubkey(object_gid.get_pubkey()) - new_cred.set_privileges(rights) - new_cred.set_delegate(True) - - auth_kind = "authority,ma,sa" - new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) - - new_cred.encode() - new_cred.sign() - - return new_cred.save_to_string(save_parents=True) - - def get_self_credential(self, type, hrn): - """ - get_self_credential a degenerate version of get_credential used by a client - to get his initial credential when de doesnt have one. This is the same as - get_credetial(..., cred = None, ...) + #log the call + if not origin_hrn: + origin_hrn = Credential(string=cred).get_gid_caller().get_hrn() + self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name)) - The registry ensures that the client is the principal that is named by - (type, name) by comparing the public key in the record's GID to the - private key used to encrypt the client side of the HTTPS connection. Thus - it is impossible for one principal to retrive another principal's - credential without having the appropriate private key. - - @param type type of object (user | slice | sa | ma | node) - @param hrn human readable name of authority to list - @return string representation of a credential object - """ + self.api.auth.check(cred, 'getcredential') self.api.auth.verify_object_belongs_to_me(hrn) - auth_hrn = self.api.auth.get_authority(hrn) - if not auth_hrn: - auth_hrn = hrn - auth_info = self.api.auth.get_auth_info(auth_hrn) - - # find a record that matches - record = None - table = self.api.auth.get_auth_table(auth_hrn) - records = table.resolve('*', hrn) - for rec in records: - if type in ['*'] or rec.get_type() in [type]: - record = rec - if not record: - raise RecordNotFound(hrn) - gid = record.get_gid_object() - peer_cert = self.api.auth.peer_cert - if not peer_cert.is_pubkey(gid.get_pubkey()): - raise ConnectionKeyGIDMismatch(gid.get_subject()) - - rights = self.api.auth.determine_user_rights(None, record) - if rights.is_empty(): - raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name()) - - # create the credential - gid = record.get_gid_object() - cred = Credential(subject = gid.get_subject()) - cred.set_gid_caller(gid) - cred.set_gid_object(gid) - cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn) - cred.set_pubkey(gid.get_pubkey()) - cred.set_privileges(rights) - cred.set_delegate(True) - - auth_kind = "authority,sa,ma" - cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind)) - - cred.encode() - cred.sign() - - return cred.save_to_string(save_parents=True) + # send the call to the right manager + manager_base = 'sfa.managers' + mgr_type = self.api.config.SFA_REGISTRY_TYPE + manager_module = manager_base + ".registry_manager_%s" % mgr_type + manager = __import__(manager_module, fromlist=[manager_base]) + return manager.get_credential(self.api, xrn, type)