#
-# GeniAPI authentication
+# SfaAPI authentication
#
### $Id$
### $URL$
from sfa.trust.rights import RightList
from sfa.util.faults import *
from sfa.trust.hierarchy import Hierarchy
-from sfa.util.genitable import GeniTable
from sfa.util.config import *
-from sfa.util.misc import *
+from sfa.util.namespace import *
from sfa.trust.gid import GID
+from sfa.util.sfaticket import *
class Auth:
"""
self.client_gid.verify_chain(self.trusted_cert_list)
if self.object_gid:
self.object_gid.verify_chain(self.trusted_cert_list)
+ else:
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
return True
+ def check_ticket(self, ticket):
+ """
+ Check if the tickt was signed by a trusted cert
+ """
+ if self.trusted_cert_list:
+ client_ticket = SfaTicket(string=ticket)
+ client_ticket.verify_chain(self.trusted_cert_list)
+ else:
+ raise MissingTrustedRoots(self.config.get_trustedroots_dir())
+
+ return True
+
def verifyPeerCert(self, cert, gid):
# make sure the client_gid matches client's certificate
if not cert:
if object_gid:
object_gid.verify_chain(self.trusted_cert_list)
- def authenticateGid(self, gidStr, argList, requestHash):
+ def authenticateGid(self, gidStr, argList, requestHash=None):
gid = GID(string = gidStr)
self.validateGid(gid)
- self.verifyGidRequestHash(gid, requestHash, argList)
+ # request_hash is optional
+ if requestHash:
+ self.verifyGidRequestHash(gid, requestHash, argList)
return gid
- def authenticateCred(self, credStr, argList, requestHash):
+ def authenticateCred(self, credStr, argList, requestHash=None):
cred = Credential(string = credStr)
self.validateCred(cred)
- self.verifyCredRequestHash(cred, requestHash, argList)
+ # request hash is optional
+ if requestHash:
+ self.verifyCredRequestHash(cred, requestHash, argList)
return cred
def authenticateCert(self, certStr, requestHash):
caller_gid = cred.get_gid_caller()
caller_hrn = caller_gid.get_hrn()
if caller_hrn != self.config.SFA_INTERFACE_HRN:
- raise GeniPermissionError(self.config.SFA_INTEFACE_HRN)
+ raise SfaPermissionDenied(self.config.SFA_INTEFACE_HRN)
return
raise PermissionError(name)
- def determine_user_rights(self, src_cred, record):
+ def determine_user_rights(self, caller_hrn, record):
"""
Given a user credential and a record, determine what set of rights the
user should have to that record.
-
- Src_cred can be None when obtaining a user credential, but should be
- set to a valid user credential when obtaining a slice or authority
- credential.
-
+
This is intended to replace determine_rights() and
verify_cancreate_credential()
"""
- type = record['type']
- if src_cred:
- cred_object_hrn = src_cred.get_gid_object().get_hrn()
- else:
- # supplying src_cred==None is only valid when obtaining user
- # credentials.
- #assert(type == "user")
-
- cred_object_hrn = None
-
rl = RightList()
+ type = record['type']
if type=="slice":
researchers = record.get("researcher", [])
- if (cred_object_hrn in researchers):
+ pis = record.get("PI", [])
+ if (caller_hrn in researchers + pis):
rl.add("refresh")
rl.add("embed")
rl.add("bind")
rl.add("info")
elif type == "authority":
- pis = record.get("pi", [])
+ pis = record.get("PI", [])
operators = record.get("operator", [])
- rl.add("authority,sa,ma")
- if (cred_object_hrn in pis):
- rl.add("sa")
- if (cred_object_hrn in operators):
- rl.add("ma")
+ if (caller_hrn == self.config.SFA_INTERFACE_HRN):
+ rl.add("authority,sa,ma",)
+ if (caller_hrn in pis):
+ rl.add("authority,sa")
+ if (caller_hrn in operators):
+ rl.add("authority,ma")
elif type == "user":
rl.add("refresh")
rl.add("resolve")
rl.add("info")
+ elif type == "node":
+ rl.add("operator")
+
return rl
def verify_cancreate_credential(self, src_cred, record):
git://git.onelab.eu / sfa.git / blobdiff