X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=8e86eb42ce67d48d2be6a6806d4349ab05a2b3b3;hb=b8596ce95578bf77158db2a5dacbaab36bdf6b16;hp=41c71cfd70c2dae55ba68b8644f450672f98d5a3;hpb=6fca17072ba013a8beec2e669ce09391a90c0b3e;p=sfa.git

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 41c71cfd..8e86eb42 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -3,16 +3,20 @@
 #
 import sys
 
+from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \
+    BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied
+from sfa.util.sfalogging import logger
+from sfa.util.config import Config
+from sfa.util.xrn import get_authority
+
+from sfa.trust.gid import GID
+from sfa.trust.rights import Rights
 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.credential import Credential
 from sfa.trust.trustedroots import TrustedRoots
-from sfa.util.faults import *
 from sfa.trust.hierarchy import Hierarchy
-from sfa.util.config import *
-from sfa.util.xrn import get_authority
-from sfa.util.sfaticket import *
+from sfa.trust.sfaticket import SfaTicket
 
-from sfa.util.sfalogging import logger
 
 class Auth:
     """
@@ -36,6 +40,7 @@ class Auth:
         valid = []
         if not isinstance(creds, list):
             creds = [creds]
+        #print>>sys.stderr, "\r\n \r\n \t AUTH.PY checkCredentials hrn %s" %(hrn)
         logger.debug("Auth.checkCredentials with %d creds"%len(creds))
         for cred in creds:
             try:
@@ -64,7 +69,7 @@ class Auth:
         self.client_cred = Credential(string = cred)
         self.client_gid = self.client_cred.get_gid_caller()
         self.object_gid = self.client_cred.get_gid_object()
-        
+        #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check client_gid %s  hrn %s object_gid %s" %(self.client_gid.get_hrn(),hrn, self.object_gid.get_hrn())
         # make sure the client_gid is not blank
         if not self.client_gid:
             raise MissingCallerGID(self.client_cred.get_subject())
@@ -74,19 +79,25 @@ class Auth:
             self.verifyPeerCert(self.peer_cert, self.client_gid)                   
 
         # make sure the client is allowed to perform the operation
-        if operation:
+        if operation:    
+            #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check operation %s trusted_cert_list %s " %(operation,self.trusted_cert_list)
             if not self.client_cred.can_perform(operation):
+                #print>>sys.stderr, " \r\n \r\n \t AUTH.PY InsufficientRights(operation)"
                 raise InsufficientRights(operation)
 
         if self.trusted_cert_list:
             self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+            #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check  trusted_cert_file_list %s  self.config.SFA_CREDENTIAL_SCHEMA %s" %(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA)
+            
         else:
            raise MissingTrustedRoots(self.config.get_trustedroots_dir())
        
         # Make sure the credential's target matches the specified hrn. 
         # This check does not apply to trusted peers 
         trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]
+        #print>>sys.stderr, " \r\n \r\n \t AUTH.PY check trusted_peers ", trusted_peers
         if hrn and self.client_gid.get_hrn() not in trusted_peers:
+            
             target_hrn = self.object_gid.get_hrn()
             if not hrn == target_hrn:
                 raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \
@@ -145,7 +156,8 @@ class Auth:
 
     def authenticateCert(self, certStr, requestHash):
         cert = Certificate(string=certStr)
-        self.validateCert(self, cert)   
+        # xxx should be validateCred ??
+        self.validateCred(cert)   
 
     def gidNoop(self, gidStr, value, requestHash):
         self.authenticateGid(gidStr, [gidStr, value], requestHash)
@@ -220,13 +232,15 @@ class Auth:
         @param name human readable name to test  
         """
         object_hrn = self.object_gid.get_hrn()
-        if object_hrn == name:
+	strname = str(name).strip("['']")
+	
+        if object_hrn == strname:
             return
-        if name.startswith(object_hrn + "."):
+        if strname.startswith((object_hrn + ".")) is True:
             return
         #if name.startswith(get_authority(name)):
             #return
-    
+    	#print>>sys.stderr, " \r\n \t AUTH.PY  verify_object_permission GROSECHECDELENFER "
         raise PermissionError(name)
 
     def determine_user_rights(self, caller_hrn, record):
@@ -311,7 +325,7 @@ class Auth:
         if not isinstance(creds, list):
             creds = [creds]
         creds = []
-        if not isinistance(caller_hrn_list, list):
+        if not isinstance(caller_hrn_list, list):
             caller_hrn_list = [caller_hrn_list]
         for cred in creds:
             try: