X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=66887670b55d941c2981c245773a572da9960995;hb=3d7237fa0b5f2b4a60cb97c7fb3b6aecfd94558a;hp=6faa397bb3cdbe097a961dd4913b61f2a1230bd4;hpb=1f4e472d0764170b92d2389fc4ae5cf502f7efeb;p=sfa.git

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 6faa397b..66887670 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -1,5 +1,5 @@
 #
-# GeniAPI authentication 
+# SfaAPI authentication 
 #
 ### $Id$
 ### $URL$
@@ -12,10 +12,10 @@ from sfa.trust.trustedroot import TrustedRootList
 from sfa.trust.rights import RightList
 from sfa.util.faults import *
 from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import GeniTable
 from sfa.util.config import *
-from sfa.util.misc import *
+from sfa.util.namespace import *
 from sfa.trust.gid import GID
+from sfa.util.sfaticket import *
 
 class Auth:
     """
@@ -61,9 +61,23 @@ class Auth:
                 self.client_gid.verify_chain(self.trusted_cert_list)
             if self.object_gid:
                 self.object_gid.verify_chain(self.trusted_cert_list)
+        else:
+           raise MissingTrustedRoots(self.config.get_trustedroots_dir())
 
         return True
 
+    def check_ticket(self, ticket):
+        """
+        Check if the tickt was signed by a trusted cert
+        """
+        if self.trusted_cert_list:
+            client_ticket = SfaTicket(string=ticket)
+            client_ticket.verify_chain(self.trusted_cert_list)
+        else:
+           raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+        return True 
+
     def verifyPeerCert(self, cert, gid):
         # make sure the client_gid matches client's certificate
         if not cert:
@@ -135,7 +149,7 @@ class Auth:
         caller_gid = cred.get_gid_caller()
         caller_hrn = caller_gid.get_hrn()
         if caller_hrn != self.config.SFA_INTERFACE_HRN:
-            raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+            raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
 
         return   
         
@@ -217,7 +231,8 @@ class Auth:
 
         if type=="slice":
             researchers = record.get("researcher", [])
-            if (caller_hrn in researchers):
+            pis = record.get("PI", [])
+            if (caller_hrn in researchers + pis):
                 rl.add("refresh")
                 rl.add("embed")
                 rl.add("bind")
@@ -225,10 +240,10 @@ class Auth:
                 rl.add("info")
 
         elif type == "authority":
-            pis = record.get("pi", [])
+            pis = record.get("PI", [])
             operators = record.get("operator", [])
-            if (caller_hrn == config.SFA_INTERFACE_HRN):
-                rl.add("authority")
+            if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+                rl.add("authority,sa,ma",)
             if (caller_hrn in pis):
                 rl.add("authority,sa")
             if (caller_hrn in operators):
@@ -239,6 +254,9 @@ class Auth:
             rl.add("resolve")
             rl.add("info")
 
+        elif type == "node":
+            rl.add("operator")
+
         return rl
 
     def verify_cancreate_credential(self, src_cred, record):