X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=dfab5dab3ee7f17abaa77377409e099a3266c0e9;hb=57b6a99255d4a88be9c0f910f8524677e34ff4bc;hp=d0498e554049912dae075ed2e14673e551289526;hpb=ea995a055eba04aedff577e86652abaaa5e881aa;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index d0498e55..dfab5dab 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -3,16 +3,20 @@ # import sys +from sfa.util.faults import InsufficientRights, MissingCallerGID, MissingTrustedRoots, PermissionError, \ + BadRequestHash, ConnectionKeyGIDMismatch, SfaPermissionDenied +from sfa.util.sfalogging import logger +from sfa.util.config import Config +from sfa.util.xrn import get_authority + +from sfa.trust.gid import GID +from sfa.trust.rights import Rights from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import Credential -from sfa.trust.trustedroot import TrustedRootList -from sfa.util.faults import * +from sfa.trust.trustedroots import TrustedRoots from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import * -from sfa.util.namespace import * -from sfa.util.sfaticket import * +from sfa.trust.sfaticket import SfaTicket -from sfa.util.sfalogging import sfa_logger class Auth: """ @@ -27,8 +31,8 @@ class Auth: self.load_trusted_certs() def load_trusted_certs(self): - self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() - self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list() + self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() + self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() @@ -36,14 +40,14 @@ class Auth: valid = [] if not isinstance(creds, list): creds = [creds] - sfa_logger().debug("Auth.checkCredentials with %d creds"%len(creds)) + logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: cred_obj=Credential(string=cred) - sfa_logger().debug("failed to validate credential - dump="+cred_obj.dump_string(dump_parents=True)) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue @@ -79,7 +83,7 @@ class Auth: raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify(self.trusted_cert_file_list) + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) @@ -145,6 +149,7 @@ class Auth: def authenticateCert(self, certStr, requestHash): cert = Certificate(string=certStr) + # xxx should be validateCred ?? self.validateCert(self, cert) def gidNoop(self, gidStr, value, requestHash): @@ -303,7 +308,7 @@ class Auth: def get_authority(self, hrn): return get_authority(hrn) - def filter_creds_by_caller(self, creds, caller_hrn): + def filter_creds_by_caller(self, creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn @@ -311,10 +316,12 @@ class Auth: if not isinstance(creds, list): creds = [creds] creds = [] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] for cred in creds: try: tmp_cred = Credential(string=cred) - if tmp_cred.get_gid_caller().get_hrn() == caller_hrn: + if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: creds.append(cred) except: pass return creds