X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=54fd9d23b92f15c07a4f798ec70fc631cb3040e2;hb=f2282434e40e06365e0fdd3f9bc273a793f41235;hp=11b8dd76a825171f285e6baaa233092cb0e57e71;hpb=b47e82ba386c944c888970cc254b09d80ac112a7;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 11b8dd76..54fd9d23 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -40,7 +40,6 @@ class Auth: valid = [] if not isinstance(creds, list): creds = [creds] - #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn) logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: @@ -69,7 +68,7 @@ class Auth: self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() - #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn()) + # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) @@ -79,25 +78,19 @@ class Auth: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation - if operation: - #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list) + if operation: if not self.client_cred.can_perform(operation): - #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)" raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) - #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_cert_file_list %s self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) - else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) # Make sure the credential's target matches the specified hrn. # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] - #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers if hrn and self.client_gid.get_hrn() not in trusted_peers: - target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ @@ -241,80 +234,63 @@ class Auth: return #if name.startswith(get_authority(name)): #return - + raise PermissionError(name) - def determine_user_rights(self, caller_hrn, record): + def determine_user_rights(self, caller_hrn, reg_record): """ Given a user credential and a record, determine what set of rights the user should have to that record. - This is intended to replace determine_rights() and + This is intended to replace determine_user_rights() and verify_cancreate_credential() """ rl = Rights() - type = record['type'] - - - if type=="slice": - researchers = record.get("researcher", []) - pis = record.get("PI", []) - if (caller_hrn in researchers + pis): - rl.add("refresh") - rl.add("embed") - rl.add("bind") - rl.add("control") - rl.add("info") - - elif type == "authority": - pis = record.get("PI", []) - operators = record.get("operator", []) + type = reg_record.type + + logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn)) + + if type == 'slice': + # researchers in the slice are in the DB as-is + researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ] + # locating PIs attached to that slice + slice_pis=reg_record.get_pis() + pi_hrns = [ user.hrn for user in slice_pis ] + if (caller_hrn in researcher_hrns + pi_hrns): + rl.add('refresh') + rl.add('embed') + rl.add('bind') + rl.add('control') + rl.add('info') + + elif type == 'authority': + pi_hrns = [ user.hrn for user in reg_record.reg_pis ] if (caller_hrn == self.config.SFA_INTERFACE_HRN): - rl.add("authority") - rl.add("sa") - rl.add("ma") - if (caller_hrn in pis): - rl.add("authority") - rl.add("sa") - if (caller_hrn in operators): - rl.add("authority") - rl.add("ma") - - elif type == "user": - rl.add("refresh") - rl.add("resolve") - rl.add("info") - - elif type == "node": - rl.add("operator") + rl.add('authority') + rl.add('sa') + rl.add('ma') + if (caller_hrn in pi_hrns): + rl.add('authority') + rl.add('sa') + # NOTE: for the PL implementation, this 'operators' list + # amounted to users with 'tech' role in that site + # it seems like this is not needed any longer, so for now I just drop that + # operator_hrns = reg_record.get('operator',[]) + # if (caller_hrn in operator_hrns): + # rl.add('authority') + # rl.add('ma') + + elif type == 'user': + rl.add('refresh') + rl.add('resolve') + rl.add('info') + + elif type == 'node': + rl.add('operator') return rl - def verify_cancreate_credential(self, src_cred, record): - """ - Verify that a user can retrive a particular type of credential. - For slices, the user must be on the researcher list. For SA and - MA the user must be on the pi and operator lists respectively - """ - - type = record.get_type() - cred_object_hrn = src_cred.get_gid_object().get_hrn() - if cred_object_hrn in [self.config.SFA_REGISTRY_ROOT_AUTH]: - return - if type=="slice": - researchers = record.get("researcher", []) - if not (cred_object_hrn in researchers): - raise PermissionError(cred_object_hrn + " is not in researcher list for " + record.get_name()) - elif type == "sa": - pis = record.get("pi", []) - if not (cred_object_hrn in pis): - raise PermissionError(cred_object_hrn + " is not in pi list for " + record.get_name()) - elif type == "ma": - operators = record.get("operator", []) - if not (cred_object_hrn in operators): - raise PermissionError(cred_object_hrn + " is not in operator list for " + record.get_name()) - def get_authority(self, hrn): return get_authority(hrn)