geni/methods/get_credential.py

   1 from geni.util.faults import *
   2 from geni.util.excep import *
   3 from geni.util.method import Method
   4 from geni.util.parameter import Parameter, Mixed
   5 from geni.util.auth import Auth
   6 from geni.util.record import GeniRecord
   7 from geni.util.credential import *
   8 from geni.util.rights import *
   9 from geni.util.debug import log
  10
  11 class get_credential(Method):
  12     """
  13     Retrive a credential for an object
  14     If cred == Nonee then the behavior reverts to get_self_credential
  15
  16     @param cred credential object specifying rights of the caller
  17     @param type type of object (user | slice | sa | ma | node)
  18     @param hrn human readable name of object
  19
  20     @return the string representation of a credential object
  21     """
  22
  23     interfaces = ['registry']
  24
  25     accepts = [
  26         Mixed(Parameter(str, "credential"),
  27               Parameter(None, "No credential")),
  28         Parameter(str, "Human readable name (hrn)")
  29         ]
  30
  31     returns = Parameter(str, "String representation of a credential object")
  32
  33     def call(self, cred, type, hrn):
  34         if not cred:
  35             return self.get_self_credential(type, hrn)
  36
  37         self.api.auth.check(cred, 'getcredential')
  38         self.api.auth.verify_object_belongs_to_me(hrn)
  39         auth_hrn = self.api.auth.get_authority(hrn)
  40         if not auth_hrn:
  41             auth_hrn = hrn
  42         auth_info = self.api.auth.get_auth_info(auth_hrn)
  43         table = self.api.auth.get_auth_table(auth_hrn)
  44         records = table.resolve('*', hrn)
  45         if not records:
  46             raise RecordNotFound(hrn)
  47         record = records[0]
  48         # verify_cancreate_credential requires that the member lists
  49         # (researchers, pis, etc) be filled in
  50         self.api.fill_record_info(record)
  51
  52         rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
  53         if rights.is_empty():
  54             raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
  55
  56         # TODO: Check permission that self.client_cred can access the object
  57
  58         object_gid = record.get_gid_object()
  59         new_cred = Credential(subject = object_gid.get_subject())
  60         new_cred.set_gid_caller(self.api.auth.client_gid)
  61         new_cred.set_gid_object(object_gid)
  62         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
  63         new_cred.set_pubkey(object_gid.get_pubkey())
  64         new_cred.set_privileges(rights)
  65
  66         auth_kind = "authority,ma,sa"
  67         new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  68
  69         new_cred.encode()
  70         new_cred.sign()
  71
  72         return new_cred.save_to_string(save_parents=True)
  73
  74     def get_self_credential(self, type, hrn):
  75         """
  76         get_self_credential a degenerate version of get_credential used by a client
  77         to get his initial credential when de doesnt have one. This is the same as
  78         get_credetial(..., cred = None, ...)
  79
  80         The registry ensures that the client is the principal that is named by
  81         (type, name) by comparing the public key in the record's  GID to the
  82         private key used to encrypt the client side of the HTTPS connection. Thus
  83         it is impossible for one principal to retrive another principal's
  84         credential without having the appropriate private key.
  85
  86         @param type type of object (user | slice | sa | ma | node)
  87         @param hrn human readable name of authority to list
  88         @return string representation of a credential object
  89         """
  90         self.api.auth.verify_object_belongs_to_me(hrn)
  91
  92         auth_hrn = self.api.auth.get_authority(hrn)
  93         if not auth_hrn:
  94             auth_hrn = hrn
  95         auth_info = self.api.auth.get_auth_info(auth_hrn)
  96
  97         # find a record that matches
  98         record = None
  99         table = self.api.auth.get_auth_table(auth_hrn)
 100         records = table.resolve('*', hrn)
 101         for rec in records:
 102             if type in ['*'] or rec.get_type() in [type]:
 103                 record = rec
 104         gid = record.get_gid_object()
 105         peer_cert = self.api.auth.peer_cert
 106         if not peer_cert.is_pubkey(gid.get_pubkey()):
 107            raise ConnectionKeyGIDMismatch(gid.get_subject())
 108
 109         # create the credential
 110         gid = record.get_gid_object()
 111         cred = Credential(subject = gid.get_subject())
 112         cred.set_gid_caller(gid)
 113         cred.set_gid_object(gid)
 114         cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
 115         cred.set_pubkey(gid.get_pubkey())
 116
 117         rl = determine_rights(type, hrn)
 118         cred.set_privileges(rl)
 119
 120         auth_kind = "authority,sa,ma"
 121         cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 122
 123         cred.encode()
 124         cred.sign()
 125
 126         return cred.save_to_string(save_parents=True)