X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=43af740367392d4b03526e2a3fcedf07dd6eac6c;hb=70f4308757e799aeb96545f5e0a22c96dc8633c2;hp=0b76d9ee65f9c5652e0c7af837dd3d586e793e72;hpb=ba2aaa438f939a4b5c697052e37b1c3218901319;p=sfa.git

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 0b76d9ee..43af7403 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -3,16 +3,20 @@
 #
 import sys
 
+from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
+    BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
+from sfa.util.sfalogging import logger
+from sfa.util.config import Config
+from sfa.util.xrn import get_authority
+
+from sfa.trust.gid import GID
+from sfa.trust.rights import Rights
 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.credential import Credential
-from sfa.trust.trustedroot import TrustedRootList
-from sfa.util.faults import *
+from sfa.trust.trustedroots import TrustedRoots
 from sfa.trust.hierarchy import Hierarchy
-from sfa.util.config import *
-from sfa.util.xrn import get_authority
-from sfa.util.sfaticket import *
+from sfa.trust.sfaticket import SfaTicket
 
-from sfa.util.sfalogging import sfa_logger
 
 class Auth:
     """
@@ -27,8 +31,8 @@ class Auth:
         self.load_trusted_certs()
 
     def load_trusted_certs(self):
-        self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list()
-        self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list()
+        self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list()
+        self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list()
 
         
         
@@ -36,14 +40,14 @@ class Auth:
         valid = []
         if not isinstance(creds, list):
             creds = [creds]
-        sfa_logger().debug("Auth.checkCredentials with %d creds"%len(creds))
+        logger.debug("Auth.checkCredentials with %d creds"%len(creds))
         for cred in creds:
             try:
                 self.check(cred, operation, hrn)
                 valid.append(cred)
             except:
                 cred_obj=Credential(string=cred)
-                sfa_logger().debug("failed to validate credential - dump="+cred_obj.dump_string(dump_parents=True))
+                logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True))
                 error = sys.exc_info()[:2]
                 continue
             
@@ -79,7 +83,7 @@ class Auth:
                 raise InsufficientRights(operation)
 
         if self.trusted_cert_list:
-            self.client_cred.verify(self.trusted_cert_file_list)
+            self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        
@@ -145,7 +149,8 @@ class Auth:
 
     def authenticateCert(self, certStr, requestHash):
         cert = Certificate(string=certStr)
-        self.validateCert(self, cert)   
+        # xxx should be validateCred ??
+        self.validateCred(cert)   
 
     def gidNoop(self, gidStr, value, requestHash):
         self.authenticateGid(gidStr, [gidStr, value], requestHash)
@@ -220,13 +225,15 @@ class Auth:
         @param name human readable name to test  
         """
         object_hrn = self.object_gid.get_hrn()
-        if object_hrn == name:
+	strname = str(name).strip("['']")
+	
+        if object_hrn == strname:
             return
-        if name.startswith(object_hrn + "."):
+        if strname.startswith((object_hrn + ".")) is True:
             return
         #if name.startswith(get_authority(name)):
             #return
-    
+    	print>>sys.stderr, " \r\n \t AUTH.PY  verify_object_permission GROSECHECDELENFER "
         raise PermissionError(name)
 
     def determine_user_rights(self, caller_hrn, record):
@@ -303,7 +310,7 @@ class Auth:
     def get_authority(self, hrn):
         return get_authority(hrn)
 
-    def filter_creds_by_caller(self, creds, caller_hrn):
+    def filter_creds_by_caller(self, creds, caller_hrn_list):
         """
         Returns a list of creds who's gid caller matches the 
         specified caller hrn
@@ -311,10 +318,12 @@ class Auth:
         if not isinstance(creds, list):
             creds = [creds]
         creds = []
+        if not isinstance(caller_hrn_list, list):
+            caller_hrn_list = [caller_hrn_list]
         for cred in creds:
             try:
                 tmp_cred = Credential(string=cred)
-                if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+                if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]:
                     creds.append(cred)
             except: pass
         return creds