X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=31853edab1756269aa022dc1228136fc141cd607;hb=eebbddb9a2fc13a20387a4e185cd999defeffbfd;hp=31ba051aab51682019b41d1095f0d67efd46628b;hpb=6fbad04fa3db515d73f2b6a298b376c7ff275521;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 31ba051a..31853eda 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -7,7 +7,7 @@ from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrusted BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied from sfa.util.sfalogging import logger from sfa.util.config import Config -from sfa.util.xrn import get_authority +from sfa.util.xrn import Xrn, get_authority from sfa.trust.gid import GID from sfa.trust.rights import Rights @@ -36,20 +36,25 @@ class Auth: - def checkCredentials(self, creds, operation, hrn = None): + def checkCredentials(self, creds, operation, xrns=[]): + if not isinstance(xrns, list): + xrns = [xrns] + hrns = [Xrn(xrn).hrn for xrn in xrns] valid = [] if not isinstance(creds, list): creds = [creds] logger.debug("Auth.checkCredentials with %d creds"%len(creds)) + error=[ "no credential","was given"] for cred in creds: - try: - self.check(cred, operation, hrn) - valid.append(cred) - except: - cred_obj=Credential(string=cred) - logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) - error = sys.exc_info()[:2] - continue + for hrn in hrns: + try: + self.check(cred, operation, hrn) + valid.append(cred) + except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) + error = sys.exc_info()[:2] + continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) @@ -239,18 +244,22 @@ class Auth: Given a user credential and a record, determine what set of rights the user should have to that record. - This is intended to replace determine_rights() and + This is intended to replace determine_user_rights() and verify_cancreate_credential() """ rl = Rights() type = reg_record.type + logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) - if type=='slice': - researchers = reg_record.get('researcher',[]) - pis = reg_record.get('PI',[]) - if (caller_hrn in researchers + pis): + if type == 'slice': + # researchers in the slice are in the DB as-is + researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] + # locating PIs attached to that slice + slice_pis=reg_record.get_pis() + pi_hrns = [ user.hrn for user in slice_pis ] + if (caller_hrn in researcher_hrns + pi_hrns): rl.add('refresh') rl.add('embed') rl.add('bind') @@ -258,18 +267,21 @@ class Auth: rl.add('info') elif type == 'authority': - pis = reg_record.get('PI',[]) - operators = reg_record.get('operator',[]) + pi_hrns = [ user.hrn for user in reg_record.reg_pis ] if (caller_hrn == self.config.SFA_INTERFACE_HRN): rl.add('authority') rl.add('sa') rl.add('ma') - if (caller_hrn in pis): + if (caller_hrn in pi_hrns): rl.add('authority') rl.add('sa') - if (caller_hrn in operators): - rl.add('authority') - rl.add('ma') + # NOTE: for the PL implementation, this 'operators' list + # amounted to users with 'tech' role in that site + # it seems like this is not needed any longer, so for now I just drop that + # operator_hrns = reg_record.get('operator',[]) + # if (caller_hrn in operator_hrns): + # rl.add('authority') + # rl.add('ma') elif type == 'user': rl.add('refresh')