X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=66887670b55d941c2981c245773a572da9960995;hb=3d7237fa0b5f2b4a60cb97c7fb3b6aecfd94558a;hp=ce654ae66dc7cfac77499ebb2cc093b3c6d385a9;hpb=192794abaa1cce23f9a0e1e0e9291f41703410a2;p=sfa.git
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index ce654ae6..66887670 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -1,5 +1,5 @@
 #
-# GeniAPI authentication
+# SfaAPI authentication
 #
 ### $Id$
 ### $URL$
@@ -13,8 +13,9 @@ from sfa.trust.rights import RightList
 from sfa.util.faults import *
 from sfa.trust.hierarchy import Hierarchy
 from sfa.util.config import *
-from sfa.util.misc import *
+from sfa.util.namespace import *
 from sfa.trust.gid import GID
+from sfa.util.sfaticket import *
 
 class Auth:
     """
@@ -60,11 +61,23 @@ class Auth:
             self.client_gid.verify_chain(self.trusted_cert_list)
             if self.object_gid:
                 self.object_gid.verify_chain(self.trusted_cert_list)
-        else:
+        else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
 
         return True
 
+    def check_ticket(self, ticket):
+        """
+        Check if the tickt was signed by a trusted cert
+        """
+        if self.trusted_cert_list:
+            client_ticket = SfaTicket(string=ticket)
+            client_ticket.verify_chain(self.trusted_cert_list)
+        else:
+            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+        return True
+
     def verifyPeerCert(self, cert, gid):
         # make sure the client_gid matches client's certificate
         if not cert:
@@ -136,7 +149,7 @@ class Auth:
         caller_gid = cred.get_gid_caller()
         caller_hrn = caller_gid.get_hrn()
         if caller_hrn != self.config.SFA_INTERFACE_HRN:
-            raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+            raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
         return
 
 
@@ -218,7 +231,8 @@ class Auth:
 
         if type=="slice":
             researchers = record.get("researcher", [])
-            if (caller_hrn in researchers):
+            pis = record.get("PI", [])
+            if (caller_hrn in researchers + pis):
                 rl.add("refresh")
                 rl.add("embed")
                 rl.add("bind")
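Review bot: The new `from sfa.util.sfaticket import *` is a fourth star import in a module that already pulls in everything from faults, config and namespace, while the only name the new code needs is `SfaTicket` (used in check_ticket further down). Star imports make it impossible to tell from this file which module defines names such as `SfaPermissionDenied` or `MissingTrustedRoots`, and a later addition to sfaticket could silently shadow one of them. Prefer the explicit form: `from sfa.util.sfaticket import SfaTicket`.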
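Review bot: check_ticket parses the ticket into `client_ticket` and verifies its chain, then throws the parsed object away and returns True, so any caller that needs the ticket's contents must parse the same string a second time and the verified object and the used object are not guaranteed to be the same one. Returning the verified ticket (`return client_ticket`) would tie the check to its use, though callers relying on a bare True would need adjusting. Note also that `verify_chain` on the ticket, like the `verify_chain` calls on the GIDs at the top of this hunk, establishes only that a trusted root signed it; whether the ticket is still valid or is bound to this caller is not checked here, so the docstring should say what callers must still verify — I could not confirm from this hunk what SfaTicket.verify_chain covers. Fix the docstring typo `tickt` to `ticket` while there. The method whose `else:` line is touched at the start of the hunk begins outside it.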
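Review bot: The attribute name on the new raise line is misspelled: `self.config.SFA_INTEFACE_HRN`, while the condition two lines up reads `self.config.SFA_INTERFACE_HRN`. The commit swaps the exception class but keeps the typo, so on the denied path the most likely outcome is an AttributeError (or whatever the config object does for an unknown name) instead of `SfaPermissionDenied`, which callers catching the permission fault will not see. Change it to `raise SfaPermissionDenied(self.config.SFA_INTERFACE_HRN)`. The enclosing method starts outside the hunk.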
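Review bot: `caller_hrn in researchers + pis` only works when both record fields are lists; if a record stores "PI" or "researcher" as a single string or as None the `+` raises a TypeError, and I cannot see the record schema from this hunk to rule that out. Testing membership separately avoids the concatenation entirely: `if caller_hrn in researchers or caller_hrn in pis:`. Since this line widens who receives refresh/embed/bind rights on slice records, a one-line comment stating the intent, `# slice PIs are granted the same rights as researchers`, would help whoever audits the rights logic next. The enclosing method begins outside the hunk.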