- ##
- # Decode the credential string that was submitted by the caller. Several
- # checks are performed to ensure that the credential is valid, and that the
- # callerGID included in the credential matches the caller that is
- # connected to the HTTPS connection.
-
- def decode_authentication(self, cred_string, operation):
- self.client_cred = Credential(string = cred_string)
- self.client_gid = self.client_cred.get_gid_caller()
- self.object_gid = self.client_cred.get_gid_object()
-
- # make sure the client_gid is not blank
- if not self.client_gid:
- raise MissingCallerGID(self.client_cred.get_subject())
-
- # make sure the client_gid matches client's certificate
- peer_cert = self.server.peer_cert
- if not peer_cert.is_pubkey(self.client_gid.get_pubkey()):
- raise ConnectionKeyGIDMismatch(self.client_gid.get_subject())
-
- # make sure the client is allowed to perform the operation
- if operation:
- if not self.client_cred.can_perform(operation):
- raise InsufficientRights(operation)
-
- if self.trusted_cert_list:
- self.client_cred.verify_chain(self.trusted_cert_list)
- if self.client_gid:
- self.client_gid.verify_chain(self.trusted_cert_list)
- if self.object_gid:
- self.object_gid.verify_chain(self.trusted_cert_list)