geni/methods/get_credential.py

   1 ### $Id$
   2 ### $URL$
   3
   4 from geni.trust.credential import *
   5 from geni.trust.rights import *
   6 from geni.util.faults import *
   7 from geni.util.method import Method
   8 from geni.util.parameter import Parameter, Mixed
   9 from geni.util.auth import Auth
  10 from geni.util.record import GeniRecord
  11 from geni.util.debug import log
  12
  13 class get_credential(Method):
  14     """
  15     Retrive a credential for an object
  16     If cred == Nonee then the behavior reverts to get_self_credential
  17
  18     @param cred credential object specifying rights of the caller
  19     @param type type of object (user | slice | sa | ma | node)
  20     @param hrn human readable name of object
  21
  22     @return the string representation of a credential object
  23     """
  24
  25     interfaces = ['registry']
  26
  27     accepts = [
  28         Mixed(Parameter(str, "credential"),
  29               Parameter(None, "No credential")),
  30         Parameter(str, "Human readable name (hrn)")
  31         ]
  32
  33     returns = Parameter(str, "String representation of a credential object")
  34
  35     def call(self, cred, type, hrn):
  36         if not cred:
  37             return self.get_self_credential(type, hrn)
  38
  39         self.api.auth.check(cred, 'getcredential')
  40         self.api.auth.verify_object_belongs_to_me(hrn)
  41         auth_hrn = self.api.auth.get_authority(hrn)
  42         if not auth_hrn:
  43             auth_hrn = hrn
  44         auth_info = self.api.auth.get_auth_info(auth_hrn)
  45         table = self.api.auth.get_auth_table(auth_hrn)
  46         records = table.resolve('*', hrn)
  47         if not records:
  48             raise RecordNotFound(hrn)
  49         record = records[0]
  50         # verify_cancreate_credential requires that the member lists
  51         # (researchers, pis, etc) be filled in
  52         self.api.fill_record_info(record)
  53
  54         rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
  55         if rights.is_empty():
  56             raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
  57
  58         # TODO: Check permission that self.client_cred can access the object
  59
  60         object_gid = record.get_gid_object()
  61         new_cred = Credential(subject = object_gid.get_subject())
  62         new_cred.set_gid_caller(self.api.auth.client_gid)
  63         new_cred.set_gid_object(object_gid)
  64         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
  65         new_cred.set_pubkey(object_gid.get_pubkey())
  66         new_cred.set_privileges(rights)
  67         new_cred.set_delegate(True)
  68
  69         auth_kind = "authority,ma,sa"
  70         new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  71
  72         new_cred.encode()
  73         new_cred.sign()
  74
  75         return new_cred.save_to_string(save_parents=True)
  76
  77     def get_self_credential(self, type, hrn):
  78         """
  79         get_self_credential a degenerate version of get_credential used by a client
  80         to get his initial credential when de doesnt have one. This is the same as
  81         get_credetial(..., cred = None, ...)
  82
  83         The registry ensures that the client is the principal that is named by
  84         (type, name) by comparing the public key in the record's  GID to the
  85         private key used to encrypt the client side of the HTTPS connection. Thus
  86         it is impossible for one principal to retrive another principal's
  87         credential without having the appropriate private key.
  88
  89         @param type type of object (user | slice | sa | ma | node)
  90         @param hrn human readable name of authority to list
  91         @return string representation of a credential object
  92         """
  93         self.api.auth.verify_object_belongs_to_me(hrn)
  94
  95         auth_hrn = self.api.auth.get_authority(hrn)
  96         if not auth_hrn:
  97             auth_hrn = hrn
  98         auth_info = self.api.auth.get_auth_info(auth_hrn)
  99
 100         # find a record that matches
 101         record = None
 102         table = self.api.auth.get_auth_table(auth_hrn)
 103         records = table.resolve('*', hrn)
 104         for rec in records:
 105             if type in ['*'] or rec.get_type() in [type]:
 106                 record = rec
 107         if not record:
 108             raise RecordNotFound(hrn)
 109         gid = record.get_gid_object()
 110         peer_cert = self.api.auth.peer_cert
 111         if not peer_cert.is_pubkey(gid.get_pubkey()):
 112            raise ConnectionKeyGIDMismatch(gid.get_subject())
 113
 114         rights = self.api.auth.determine_user_rights(None, record)
 115         if rights.is_empty():
 116             raise PermissionError(gid.get_hrn() + " has no rights to " + record.get_name())
 117
 118         # create the credential
 119         gid = record.get_gid_object()
 120         cred = Credential(subject = gid.get_subject())
 121         cred.set_gid_caller(gid)
 122         cred.set_gid_object(gid)
 123         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 124         cred.set_pubkey(gid.get_pubkey())
 125         cred.set_privileges(rights)
 126         cred.set_delegate(True)
 127
 128         auth_kind = "authority,sa,ma"
 129         cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 130
 131         cred.encode()
 132         cred.sign()
 133
 134         return cred.save_to_string(save_parents=True)