sfa/methods/get_credential.py

   1 ### $Id$
   2 ### $URL$
   3
   4 from sfa.trust.credential import *
   5 from sfa.trust.rights import *
   6 from sfa.util.faults import *
   7 from sfa.util.method import Method
   8 from sfa.util.parameter import Parameter, Mixed
   9 from sfa.trust.auth import Auth
  10 from sfa.trust.gid import GID
  11 from sfa.util.record import GeniRecord
  12 from sfa.util.genitable import *
  13 from sfa.util.debug import log
  14
  15 class get_credential(Method):
  16     """
  17     Retrive a credential for an object
  18     If cred == Nonee then the behavior reverts to get_self_credential
  19
  20     @param cred credential object specifying rights of the caller
  21     @param type type of object (user | slice | sa | ma | node)
  22     @param hrn human readable name of object
  23
  24     @return the string representation of a credential object
  25     """
  26
  27     interfaces = ['registry']
  28
  29     accepts = [
  30         Mixed(Parameter(str, "credential"),
  31               Parameter(None, "No credential")),
  32         Parameter(str, "Human readable name (hrn)"),
  33         Mixed(Parameter(str, "Request hash"),
  34               Parameter(None, "Request hash not specified"))
  35         ]
  36
  37     returns = Parameter(str, "String representation of a credential object")
  38
  39     def call(self, cred, type, hrn, request_hash=None):
  40
  41         self.api.auth.authenticateCred(cred, [cred, type, hrn], request_hash)
  42         self.api.auth.check(cred, 'getcredential')
  43         self.api.auth.verify_object_belongs_to_me(hrn)
  44         auth_hrn = self.api.auth.get_authority(hrn)
  45
  46         # Is this a root or sub authority
  47         if not auth_hrn or hrn == self.api.config.SFA_INTERFACE_HRN:
  48             auth_hrn = hrn
  49         auth_info = self.api.auth.get_auth_info(auth_hrn)
  50         table = GeniTable()
  51         records = table.find({'type': type, 'hrn': hrn})
  52         if not records:
  53             raise RecordNotFound(hrn)
  54         record = records[0]
  55         # verify_cancreate_credential requires that the member lists
  56         # (researchers, pis, etc) be filled in
  57         self.api.fill_record_info(record)
  58
  59         caller_hrn = self.api.auth.cleint_cred.get_gid_caller().get_hrn()
  60         rights = self.api.auth.determine_user_rights(caller_hrn, record)
  61         if rights.is_empty():
  62             raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record['name'])
  63
  64         # TODO: Check permission that self.client_cred can access the object
  65
  66         gid = record['gid']
  67         gid_object = GID(string=gid)
  68
  69         new_cred = Credential(subject = gid_object.get_subject())
  70         new_cred.set_gid_caller(self.api.auth.client_gid)
  71         new_cred.set_gid_object(gid_object)
  72         new_cred.set_issuer(key=auth_info.get_pkey_object(), subject=auth_hrn)
  73         new_cred.set_pubkey(gid_object.get_pubkey())
  74         new_cred.set_privileges(rights)
  75         new_cred.set_delegate(True)
  76
  77         auth_kind = "authority,ma,sa"
  78         new_cred.set_parent(self.api.auth.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
  79
  80         new_cred.encode()
  81         new_cred.sign()
  82
  83         return new_cred.save_to_string(save_parents=True)
  84