From eddcc8a722b907cd4b1df9fb3ee6964d15b94ea0 Mon Sep 17 00:00:00 2001
From: Tony Mack <tmack@cs.princeton.edu>
Date: Thu, 15 Oct 2009 05:01:21 +0000
Subject: [PATCH] added request_hash argument. authenticate the credential
 using request_hash

---
 sfa/methods/get_credential.py | 25 ++++++++++++++-----------
 sfa/methods/list.py           |  7 ++++---
 sfa/methods/register.py       |  6 ++++--
 sfa/methods/resolve.py        |  6 ++++--
 4 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/sfa/methods/get_credential.py b/sfa/methods/get_credential.py
index f6f34d65..5b5922cd 100644
--- a/sfa/methods/get_credential.py
+++ b/sfa/methods/get_credential.py
@@ -29,15 +29,18 @@ class get_credential(Method):
     accepts = [
         Mixed(Parameter(str, "credential"),
               Parameter(None, "No credential")),  
-        Parameter(str, "Human readable name (hrn)")
+        Parameter(str, "Human readable name (hrn)"),
+        Parameter(str, "Request hash")
         ]
 
     returns = Parameter(str, "String representation of a credential object")
 
-    def call(self, cred, type, hrn):
+    def call(self, cred, type, hrn, request_hash):
         if not cred:
-            return self.get_self_credential(type, hrn)
+            return self.get_self_credential(type, hrn, request_hash)
 
+        # authenticate the cred
+        self.api.auth.authenticateCred(cred, [cred, type, hrn], request_hash)
         self.api.auth.check(cred, 'getcredential')
         self.api.auth.verify_object_belongs_to_me(hrn)
         auth_hrn = self.api.auth.get_authority(hrn)
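Review bot: The `accepts` list now holds three entries (credential, hrn, request hash) while `call` takes four positional arguments (cred, type, hrn, request_hash), so the new `Parameter(str, "Request hash")` sits at index 2 of `accepts` but is the fourth argument of `call`. `type` was already undeclared before this change, but appending the new entry keeps the two out of step; if `Method` validates or documents arguments from `accepts`, the request hash would be matched against the hrn position. Adding an entry for `type` between the credential and hrn entries would realign them. The body of `call` continues outside the hunk.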
@@ -80,7 +83,7 @@ class get_credential(Method):
 
         return new_cred.save_to_string(save_parents=True)
 
-    def get_self_credential(self, type, hrn):
+    def get_self_credential(self, type, hrn, request_hash):
         """
         get_self_credential a degenerate version of get_credential used by a client
         to get his initial credential when de doesnt have one. This is the same as
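Review bot: The docstring of `get_self_credential` does not mention the new `request_hash` parameter or that the method now authenticates the caller's GID against it. A line such as `request_hash: hash the client computed over the request; checked against the record's GID via authenticateGid` would record the new contract. The docstring and the method body continue outside this hunk.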
@@ -98,8 +101,9 @@ class get_credential(Method):
         """
         self.api.auth.verify_object_belongs_to_me(hrn)
         auth_hrn = self.api.auth.get_authority(hrn)
-        
-        # is this a root or sub authority
+         
+        # if this is a root or sub authority get_authority will return
+        # an empty string
         if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
             auth_hrn = hrn
 
@@ -113,13 +117,13 @@ class get_credential(Method):
             raise RecordNotFound(hrn)
         record = records[0]
         gid = record.get_gid_object()
-        peer_cert = self.api.auth.peer_cert
-        if not peer_cert.is_pubkey(gid.get_pubkey()):
-           raise ConnectionKeyGIDMismatch(gid.get_subject())
-
         rights = self.api.auth.determine_user_rights(None, record)
         if rights.is_empty():
             raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name())
+       
+        # authenticate the gid
+        gid_str = gid.save_to_string(save_parents=True)
+        self.api.auth.authenticateGid(gid_str, [None, type, hrn], request_hash)
 
         # create the credential
         gid = record.get_gid_object()
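Review bot: `authenticateGid` runs only after the record lookup and the `determine_user_rights` check, so a caller who has not yet proven anything about the GID can already distinguish `RecordNotFound` from `PermissionError` for a given hrn; moving the two added lines to directly after the first `gid = record.get_gid_object()` (before `rights = ...`) keeps the authentication step first. The argument list hashed here is `[None, type, hrn]`, whereas `call` authenticates against `[cred, type, hrn]` with whatever falsy `cred` the client actually sent — if the client hashes what it sent (an empty string rather than None, say), the two sides disagree, so worth confirming how the hash is computed. The removed `peer_cert.is_pubkey(...)` check bound the transport peer certificate to the GID; if `authenticateGid` does not enforce that binding itself, consider keeping the check alongside the new call. The two blank lines added in this hunk also carry trailing whitespace.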
@@ -136,5 +140,4 @@ class get_credential(Method):
 
         cred.encode()
         cred.sign()
-
         return cred.save_to_string(save_parents=True)
diff --git a/sfa/methods/list.py b/sfa/methods/list.py
index 73631c76..75327f22 100644
--- a/sfa/methods/list.py
+++ b/sfa/methods/list.py
@@ -23,13 +23,14 @@ class list(Method):
     
     accepts = [
         Parameter(str, "Credential string"),
-        Parameter(str, "Human readable name (hrn)")
+        Parameter(str, "Human readable name (hrn)"),
+        Parameter(str, "Request hash")
         ]
 
     returns = [GeniRecord]
     
-    def call(self, cred, hrn, caller_cred=None):
-
+    def call(self, cred, hrn, request_hash, caller_cred=None):
+        self.api.auth.authenticateCred(cred, [cred, hrn], request_hash)
         self.api.auth.check(cred, 'list')
         if caller_cred==None:
             caller_cred=cred
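Review bot: Inserting `request_hash` as a positional parameter before `caller_cred=None` shifts the position of `caller_cred`, so any internal caller that passed it positionally (e.g. `self.call(cred, hrn, caller)`) would now hand its caller credential to `request_hash` and silently lose delegation; the same applies to the `register.py` and `resolve.py` hunks. Those callers are not visible in the patch, so worth grepping for them. `caller_cred` is also not part of the hashed argument list `[cred, hrn]`, which is fine only if it is never supplied by the client. The body of `call` continues outside the hunk.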
diff --git a/sfa/methods/register.py b/sfa/methods/register.py
index 6c4820a8..b266a649 100644
--- a/sfa/methods/register.py
+++ b/sfa/methods/register.py
@@ -31,12 +31,14 @@ class register(Method):
     
     accepts = [
         Parameter(str, "Credential string"),
-        Parameter(dict, "Record dictionary containing record fields")
+        Parameter(dict, "Record dictionary containing record fields"),
+        Parameter(str, "Request hash")
         ]
 
     returns = Parameter(int, "String representation of gid object")
     
-    def call(self, cred, record_dict, caller_cred=None):
+    def call(self, cred, record_dict, request_hash, caller_cred=None):
+        self.api.auth.authenticateCred(cred, [cred, record_dict], request_hash)
         self.api.auth.check(cred, "register")
         if caller_cred==None:
 	        caller_cred=cred
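Review bot: The hashed argument list `[cred, record_dict]` contains a dict, so if `authenticateCred` hashes a serialization of these arguments, client and server must serialize `record_dict` identically (key order, whitespace) or legitimate requests fail; the str-only lists in the other hunks do not have this problem. Worth confirming that the hash is computed over the raw request body rather than re-serialized arguments, or documenting the canonical form on the added line, e.g. `# request_hash must be computed over the canonical serialization of record_dict`. The body of `call` continues outside the hunk.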
diff --git a/sfa/methods/resolve.py b/sfa/methods/resolve.py
index 65582b58..acf6ec08 100644
--- a/sfa/methods/resolve.py
+++ b/sfa/methods/resolve.py
@@ -25,13 +25,15 @@ class resolve(Method):
     
     accepts = [
         Parameter(str, "Credential string"),
-        Parameter(str, "Human readable name (hrn)")
+        Parameter(str, "Human readable name (hrn)"),
+        Parameter(str, "Request hash")
         ]
 
     returns = [GeniRecord]
     
-    def call(self, cred, hrn, caller_cred=None):
+    def call(self, cred, hrn, request_hash, caller_cred=None):
         
+        self.api.auth.authenticateCred(cred, [cred, hrn], request_hash) 
         self.api.auth.check(cred, 'resolve')
         if caller_cred==None:
             caller_cred=cred
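Review bot: The added `authenticateCred` line ends with trailing whitespace, and the blank line between the `def` line and the first statement is kept, whereas `list.py` in this same patch drops it; `self.api.auth.authenticateCred(cred, [cred, hrn], request_hash)` directly under the signature would match. The body of `call` continues outside the hunk.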
-- 
2.47.0