X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=41f42803b2123a41cdf09acdb42d6bd0c18d7b4e;hp=0c0327929ccd0bcb1749b0be21eda6213a0533e7;hb=d4fdf5099eff793459ad956b6a40ff85003cecc0;hpb=2ac2da4b770f57bede8e9a9ee65142242fdf05a3 diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 0c032792..41f42803 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -68,7 +68,6 @@ class Auth: self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() - # make sure the client_gid is not blank if not self.client_gid: raise MissingCallerGID(self.client_cred.get_subject()) @@ -78,12 +77,13 @@ class Auth: self.verifyPeerCert(self.peer_cert, self.client_gid) # make sure the client is allowed to perform the operation - if operation: + if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) + else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) @@ -91,6 +91,7 @@ class Auth: # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: + target_hrn = self.object_gid.get_hrn() if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ 
@@ -225,13 +226,16 @@ class Auth: @param name human readable name to test """ object_hrn = self.object_gid.get_hrn() - if object_hrn == name: - return - if name.startswith(object_hrn + "."): + #strname = str(name).strip("['']") + if object_hrn == name: + #if object_hrn == strname: + return + if name.startswith(object_hrn + ".") : + #if strname.startswith((object_hrn + ".")) is True: return #if name.startswith(get_authority(name)): #return - + raise PermissionError(name) def determine_user_rights(self, caller_hrn, reg_record):
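Review bot: The added lines `#strname = str(name).strip("['']")`, `#if object_hrn == strname:` and `#if strname.startswith((object_hrn + ".")) is True:` are commented-out code inside an authorization check and should be dropped rather than committed. They suggest that `name` sometimes reaches this method as a list rather than a string; if that is the case, `name.startswith(object_hrn + ".")` would fail with an AttributeError instead of the PermissionError callers expect, and comparing a stringified list against `object_hrn` would be a fragile basis for an access decision. I would reject non-string input explicitly before the comparison, e.g. `if not isinstance(name, str): raise PermissionError(name)` (or `basestring` if this module still targets Python 2), and fix the caller that passes a list. The method's signature and the start of its docstring are outside the hunk, so the expected type of `name` cannot be confirmed from here.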