X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;fp=sfa%2Ftrust%2Fauth.py;h=73fb592840f5c09261cfbfdaea71d10c9e388cf0;hb=f3d825457ff4881b8c9658967f8ed159a01dfcaa;hp=7a929590308af73a45e9e6a4b3238bdbf4be56ae;hpb=7928eda8ae331272276237740075e23c6fcfb63f;p=sfa.git
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 7a929590..73fb5928 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -32,7 +32,7 @@ class Auth:
     def load_trusted_certs(self):
         self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
 
-    def check(self, cred, operation):
+    def check(self, cred, operation, hrn = None):
         """
         Check the credential against the peer cert (callerGID included
         in the credential matches the caller that is connected to the
@@ -66,6 +66,13 @@ class Auth:
         else:
             raise MissingTrustedRoots(self.config.get_trustedroots_dir())
 
+        # Make sure the credential's target matches the specified hrn.
+        # This check does not apply to trusted peers
+        trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
+        if hrn and self.client_gid.get_hrn() not in trusted_peers:
+            if not hrn == self.object_gid.get_hrn():
+                raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
+                                        (self.object_gid.get_hrn(), hrn) )
         return True
 
     def check_ticket(self, ticket):
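Review bot: The docstring directly under the new `check()` signature is not updated for the added `hrn` parameter, so a reader cannot tell from the contract what passing it changes or what the default means. Add a line such as `hrn -- if given, the credential's target (object_gid) must carry this HRN unless the caller is a trusted peer; None skips the target check`. Also `hrn = None` should be written `hrn=None` (PEP 8, no spaces around `=` in a default). The rest of the docstring and the method body continue outside this hunk.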
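Review bot: The new target-binding check is opt-in: `hrn` defaults to None and `if hrn and ...` skips the comparison entirely, so every existing caller of check() that does not pass `hrn` still gets `True` without the credential's target being bound to the object it acts on. If that fail-open default is intended it should be stated next to the check, e.g. `# hrn is None for callers that have not yet been migrated to pass a target; no target check is performed for them`, otherwise consider requiring `hrn` for operations that name an object. The trusted-peer exemption is keyed on HRN string equality (`self.client_gid.get_hrn() not in trusted_peers`) rather than on the GID or certificate itself, so it relies on the earlier verification having already bound `client_gid` to a trusted root — worth a comment saying so, since any GID carrying a root's HRN inherits the bypass. Minor: `if not hrn == self.object_gid.get_hrn():` reads more naturally as `if hrn != self.object_gid.get_hrn():`. The enclosing check() body begins outside the hunk, so the code that sets `client_gid` and `object_gid` is not visible here.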