1 from geni.util.faults import *
2 from geni.util.excep import *
3 from geni.util.method import Method
4 from geni.util.parameter import Parameter, Mixed
5 from geni.util.auth import Auth
6 from geni.util.record import GeniRecord
7 from geni.util.credential import *
8 from geni.util.rights import *
9 from geni.util.debug import log
11 class get_credential(Method):
13 Retrive a credential for an object
14 If cred == Nonee then the behavior reverts to get_self_credential
16 @param cred credential object specifying rights of the caller
17 @param type type of object (user | slice | sa | ma | node)
18 @param hrn human readable name of object
20 @return the string representation of a credential object
23 interfaces = ['registry']
26 Mixed(Parameter(str, "credential"),
27 Parameter(None, "No credential")),
28 Parameter(str, "Human readable name (hrn)")
31 returns = Parameter(str, "String representation of a credential object")
33 def call(self, cred, type, hrn):
35 return self.get_self_credential(type, hrn)
37 self.api.auth.check(cred, 'getcredential')
38 self.api.auth.verify_object_belongs_to_me(hrn)
39 auth_hrn = self.api.auth.get_authority(hrn)
42 auth_info = self.api.auth.get_auth_info(auth_hrn)
43 table = self.api.auth.get_auth_table(auth_hrn)
44 records = table.resolve('*', hrn)
46 raise RecordNotFound(hrn)
48 # verify_cancreate_credential requires that the member lists
49 # (researchers, pis, etc) be filled in
50 self.api.fill_record_info(record)
52 rights = self.api.auth.determine_user_rights(self.api.auth.client_cred, record)
54 raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record.get_name())
56 # TODO: Check permission that self.client_cred can access the object
58 object_gid = record.get_gid_object()
59 new_cred = Credential(subject = object_gid.get_subject())
60 new_cred.set_gid_caller(self.api.auth.client_gid)
61 new_cred.set_gid_object(object_gid)
62 new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
63 new_cred.set_pubkey(object_gid.get_pubkey())
64 new_cred.set_privileges(rights)
66 auth_kind = "authority,ma,sa"
67 new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
72 return new_cred.save_to_string(save_parents=True)
74 def get_self_credential(self, type, hrn):
76 get_self_credential a degenerate version of get_credential used by a client
77 to get his initial credential when de doesnt have one. This is the same as
78 get_credetial(..., cred = None, ...)
80 The registry ensures that the client is the principal that is named by
81 (type, name) by comparing the public key in the record's GID to the
82 private key used to encrypt the client side of the HTTPS connection. Thus
83 it is impossible for one principal to retrive another principal's
84 credential without having the appropriate private key.
86 @param type type of object (user | slice | sa | ma | node)
87 @param hrn human readable name of authority to list
88 @return string representation of a credential object
90 self.api.auth.verify_object_belongs_to_me(hrn)
92 auth_hrn = self.api.auth.get_authority(hrn)
95 auth_info = self.api.auth.get_auth_info(auth_hrn)
97 # find a record that matches
99 table = self.api.auth.get_auth_table(auth_hrn)
100 records = table.resolve('*', hrn)
102 if type in ['*'] or rec.get_type() in [type]:
104 gid = record.get_gid_object()
105 peer_cert = self.api.auth.peer_cert
106 if not peer_cert.is_pubkey(gid.get_pubkey()):
107 raise ConnectionKeyGIDMismatch(gid.get_subject())
109 # create the credential
110 gid = record.get_gid_object()
111 cred = Credential(subject = gid.get_subject())
112 cred.set_gid_caller(gid)
113 cred.set_gid_object(gid)
114 cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
115 cred.set_pubkey(gid.get_pubkey())
117 rl = determine_rights(type, hrn)
118 cred.set_privileges(rl)
120 auth_kind = "authority,sa,ma"
121 cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
126 return cred.save_to_string(save_parents=True)