X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=66887670b55d941c2981c245773a572da9960995;hb=3d7237fa0b5f2b4a60cb97c7fb3b6aecfd94558a;hp=e4483d059030a3e0206ee6b964216c8fba1a7b54;hpb=d525a3280e4cfa024770ad4fbe1d9c8ec7137c9b;p=sfa.git
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index e4483d05..66887670 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -1,5 +1,5 @@
 #
-# GeniAPI authentication
+# SfaAPI authentication
 #
 ### $Id$
 ### $URL$
@@ -12,10 +12,10 @@ from sfa.trust.trustedroot import TrustedRootList
 from sfa.trust.rights import RightList
 from sfa.util.faults import *
 from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import GeniTable
 from sfa.util.config import *
-from sfa.util.misc import *
+from sfa.util.namespace import *
 from sfa.trust.gid import GID
+from sfa.util.sfaticket import *
 
 class Auth:
     """
@@ -47,8 +47,8 @@ class Auth:
             raise MissingCallerGID(self.client_cred.get_subject())
 
         # validate the client cert if it exists
-        if peer_cert:
-            self.verifyPeerCert()
+        if self.peer_cert:
+            self.verifyPeerCert(self.peer_cert, self.client_gid)
 
         # make sure the client is allowed to perform the operation
         if operation:
@@ -61,14 +61,36 @@ class Auth:
             self.client_gid.verify_chain(self.trusted_cert_list)
             if self.object_gid:
                 self.object_gid.verify_chain(self.trusted_cert_list)
+        else:
+            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
 
         return True
 
-    def verifyPeerCert(self):
+    def check_ticket(self, ticket):
+        """
+        Check if the tickt was signed by a trusted cert
+        """
+        if self.trusted_cert_list:
+            client_ticket = SfaTicket(string=ticket)
+            client_ticket.verify_chain(self.trusted_cert_list)
+        else:
+            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+        return True
+
+    def verifyPeerCert(self, cert, gid):
         # make sure the client_gid matches client's certificate
-        peer_cert = self.peer_cert
-        if not peer_cert.is_pubkey(self.client_gid.get_pubkey()):
-            raise ConnectionKeyGIDMismatch(self.client_gid.get_subject())
+        if not cert:
+            peer_cert = self.peer_cert
+        else:
+            peer_cert = cert
+
+        if not gid:
+            peer_gid = self.client_gid
+        else:
+            peer_gid = gid
+        if not peer_cert.is_pubkey(peer_gid.get_pubkey()):
+            raise ConnectionKeyGIDMismatch(peer_gid.get_subject())
 
     def verifyGidRequestHash(self, gid, hash, arglist):
         key = gid.get_pubkey()
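Review bot: verifyPeerCert still dies with an AttributeError instead of a named fault when neither `cert` nor `self.peer_cert` is set, because the fallback on `if not cert:` picks `self.peer_cert` without checking it, and the same holds for `gid` / `self.client_gid`. Since both parameters are treated as optional, declare them so, `def verifyPeerCert(self, cert=None, gid=None):`, and fail closed with an explicit fault such as `MissingCallerGID` before the `is_pubkey` call rather than letting it fail on `None`. In check_ticket the docstring has a typo ("tickt"), and from this hunk alone the method only verifies the signature chain of the parsed ticket; if binding the ticket to the calling identity is done elsewhere, the docstring should say so, otherwise a caller may assume check_ticket does more than it does.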
@@ -93,16 +115,20 @@ class Auth:
         if object_gid:
             object_gid.verify_chain(self.trusted_cert_list)
 
-    def authenticateGid(self, gidStr, argList, requestHash):
+    def authenticateGid(self, gidStr, argList, requestHash=None):
         gid = GID(string = gidStr)
         self.validateGid(gid)
-        self.verifyGidRequestHash(gid, requestHash, argList)
+        # request_hash is optional
+        if requestHash:
+            self.verifyGidRequestHash(gid, requestHash, argList)
         return gid
 
-    def authenticateCred(self, credStr, argList, requestHash):
+    def authenticateCred(self, credStr, argList, requestHash=None):
         cred = Credential(string = credStr)
         self.validateCred(cred)
-        self.verifyCredRequestHash(cred, requestHash, argList)
+        # request hash is optional
+        if requestHash:
+            self.verifyCredRequestHash(cred, requestHash, argList)
         return cred
 
     def authenticateCert(self, certStr, requestHash):
@@ -123,7 +149,7 @@ class Auth:
         caller_gid = cred.get_gid_caller()
         caller_hrn = caller_gid.get_hrn()
         if caller_hrn != self.config.SFA_INTERFACE_HRN:
-            raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+            raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
         return
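Review bot: Making `requestHash` optional in authenticateGid and authenticateCred hands the client the decision of whether the request-integrity check runs: when the hash is omitted, or empty (since `if requestHash:` also skips on `""`), `verifyGidRequestHash` / `verifyCredRequestHash` never execute and the argument list is no longer bound to the GID or credential key. Whether unsigned requests are accepted should be a server-side setting, e.g. `if requestHash is None and not <ALLOW_UNSIGNED_REQUESTS placeholder>: raise SfaPermissionDenied(...)`, with the hash verified whenever one is supplied. The two new comments (`# request_hash is optional`, naming a variable that does not exist) should instead state why omission is acceptable and who is allowed to omit it.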
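Review bot: The renamed raise keeps the misspelled config attribute `SFA_INTEFACE_HRN` while the comparison two lines above reads `self.config.SFA_INTERFACE_HRN`, so on the exact path that is meant to produce SfaPermissionDenied the lookup is likely to raise AttributeError instead (assuming config attributes resolve the way the comparison line does). Change it to `raise SfaPermissionDenied(self.config.SFA_INTERFACE_HRN)`. The enclosing method starts outside the hunk.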
@@ -191,34 +217,22 @@ class Auth:
             raise PermissionError(name)
 
-    def determine_user_rights(self, src_cred, record):
+    def determine_user_rights(self, caller_hrn, record):
         """
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
-
-        Src_cred can be None when obtaining a user credential, but should be
-        set to a valid user credential when obtaining a slice or authority
-        credential.
-
+        This is intended to replace determine_rights() and verify_cancreate_credential()
         """
-        type = record['type']
-        if src_cred:
-            cred_object_hrn = src_cred.get_gid_object().get_hrn()
-        else:
-            # supplying src_cred==None is only valid when obtaining user
-            # credentials.
-            #assert(type == "user")
-
-            cred_object_hrn = None
-
         rl = RightList()
+        type = record['type']
         if type=="slice":
             researchers = record.get("researcher", [])
-            if (cred_object_hrn in researchers):
+            pis = record.get("PI", [])
+            if (caller_hrn in researchers + pis):
                 rl.add("refresh")
                 rl.add("embed")
                 rl.add("bind")
@@ -226,19 +240,23 @@ class Auth:
                 rl.add("info")
 
         elif type == "authority":
-            pis = record.get("pi", [])
+            pis = record.get("PI", [])
             operators = record.get("operator", [])
-            rl.add("authority,sa,ma")
-            if (cred_object_hrn in pis):
-                rl.add("sa")
-            if (cred_object_hrn in operators):
-                rl.add("ma")
+            if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+                rl.add("authority,sa,ma",)
+            if (caller_hrn in pis):
+                rl.add("authority,sa")
+            if (caller_hrn in operators):
+                rl.add("authority,ma")
 
         elif type == "user":
             rl.add("refresh")
             rl.add("resolve")
             rl.add("info")
 
+        elif type == "node":
+            rl.add("operator")
+
         return rl
 
     def verify_cancreate_credential(self, src_cred, record):
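Review bot: The docstring still opens with "Given a user credential" although the parameter is now `caller_hrn`, and the added sentence runs straight onto the previous paragraph; rewrite the summary as `Given the HRN of the caller and a record, determine what set of rights the caller should have to that record.` and keep the "intended to replace" sentence as its own paragraph. `caller_hrn in researchers + pis` also assumes both record fields are lists; if a record can carry a single string in either field, `+` concatenates strings and `in` turns into a substring test, which would grant rights on a partial HRN match (the record schema is not visible here, so treat this as something to confirm). Finally, the new `type = record['type']` shadows the builtin; `record_type` reads better.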
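Review bot: The new `node` branch adds `operator` for every caller regardless of `caller_hrn`, whereas the slice and authority branches now gate each right on the caller's membership, so this is the one place the rewrite departs from least privilege; if any authenticated caller is meant to get operator rights on node records, say so in a comment, otherwise gate it on `operators` or the interface HRN as the authority branch does. `rl.add("authority,sa,ma",)` carries a stray trailing comma. The lookup key also changes from `"pi"` to `"PI"` here and in the slice branch of the previous hunk; if any stored records still use the lowercase key, their PIs silently lose rights rather than failing loudly, which cannot be confirmed from this hunk.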