X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=31853edab1756269aa022dc1228136fc141cd607;hb=eebbddb9a2fc13a20387a4e185cd999defeffbfd;hp=2f2afb0bf3234c4d647c5f839e514648ebbbf419;hpb=d35a75bfcb731e89600e2dbe94f59d5d2f09adca;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 2f2afb0b..31853eda 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -7,7 +7,7 @@ from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrusted BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied from sfa.util.sfalogging import logger from sfa.util.config import Config -from sfa.util.xrn import get_authority +from sfa.util.xrn import Xrn, get_authority from sfa.trust.gid import GID from sfa.trust.rights import Rights @@ -36,20 +36,25 @@ class Auth: - def checkCredentials(self, creds, operation, hrn = None): + def checkCredentials(self, creds, operation, xrns=[]): + if not isinstance(xrns, list): + xrns = [xrns] + hrns = [Xrn(xrn).hrn for xrn in xrns] valid = [] if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds)) + error=[ "no credential","was given"] for cred in creds: - try: - self.check(cred, operation, hrn) - valid.append(cred) - except: - cred_obj=Credential(string=cred) - logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) - error = sys.exc_info()[:2] - continue + for hrn in hrns: + try: + self.check(cred, operation, hrn) + valid.append(cred) + except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) + error = sys.exc_info()[:2] + continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) @@ -239,7 +244,7 @@ class Auth: Given a user credential and a record, determine what set of rights the user should have to that record. - This is intended to replace determine_rights() and + This is intended to replace determine_user_rights() and verify_cancreate_credential() """ @@ -248,10 +253,12 @@ class Auth: logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) - if type=='slice': + if type == 'slice': + # researchers in the slice are in the DB as-is researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] - # xxx need a means to compute pi_hrns from the registry db - pi_hrns = reg_record.get('PI',[]) + # locating PIs attached to that slice + slice_pis=reg_record.get_pis() + pi_hrns = [ user.hrn for user in slice_pis ] if (caller_hrn in researcher_hrns + pi_hrns): rl.add('refresh') rl.add('embed') @@ -261,8 +268,6 @@ class Auth: elif type == 'authority': pi_hrns = [ user.hrn for user in reg_record.reg_pis ] - # xxx need a means to compute operator_hrns from the registry db - operator_hrns = reg_record.get('operator',[]) if (caller_hrn == self.config.SFA_INTERFACE_HRN): rl.add('authority') rl.add('sa') @@ -270,9 +275,13 @@ class Auth: if (caller_hrn in pi_hrns): rl.add('authority') rl.add('sa') - if (caller_hrn in operator_hrns): - rl.add('authority') - rl.add('ma') + # NOTE: for the PL implementation, this 'operators' list + # amounted to users with 'tech' role in that site + # it seems like this is not needed any longer, so for now I just drop that + # operator_hrns = reg_record.get('operator',[]) + # if (caller_hrn in operator_hrns): + # rl.add('authority') + # rl.add('ma') elif type == 'user': rl.add('refresh')