X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=c3dbc46432b2345a2c7a93af0fb9bda041e20b9a;hp=470dc5e279d7728e51162afc67c569299e68ed42;hb=1e95f8a388325499564df5f8eb6eb1fd10ca2d42;hpb=952322d76247f8991f3c2688ed7e1f5a22ca4572 diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 470dc5e2..c3dbc464 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -1,21 +1,18 @@ # # SfaAPI authentication # -### $Id$ -### $URL$ -# - +import sys +from sfa.trust.certificate import Keypair, Certificate from sfa.trust.credential import Credential -from sfa.trust.trustedroot import TrustedRootList +from sfa.trust.trustedroots import TrustedRoots from sfa.util.faults import * from sfa.trust.hierarchy import Hierarchy from sfa.util.config import * -from sfa.util.namespace import * -from sfa.util.sfaticket import * -from sfa.util.sfalogging import logger +from sfa.util.xrn import get_authority +from sfa.trust.sfaticket import SfaTicket -import sys +from sfa.util.sfalogging import logger class Auth: """ @@ -30,18 +27,23 @@ class Auth: self.load_trusted_certs() def load_trusted_certs(self): - self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() - self.trusted_cert_file_list = TrustedRootList(self.config.get_trustedroots_dir()).get_file_list() + self.trusted_cert_list = TrustedRoots(self.config.get_trustedroots_dir()).get_list() + self.trusted_cert_file_list = TrustedRoots(self.config.get_trustedroots_dir()).get_file_list() def checkCredentials(self, creds, operation, hrn = None): valid = [] + if not isinstance(creds, list): + creds = [creds] + logger.debug("Auth.checkCredentials with %d creds"%len(creds)) for cred in creds: try: self.check(cred, operation, hrn) valid.append(cred) except: + cred_obj=Credential(string=cred) + logger.debug("failed to validate credential - dump=%s"%cred_obj.dump_string(dump_parents=True)) error = sys.exc_info()[:2] continue @@ -56,7 +58,7 @@ class Auth: Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the HTTPS connection, check if the credential was signed by a - trusted cert and check if the credential is allowd to perform + trusted cert and check if the credential is allowed to perform the specified operation. """ self.client_cred = Credential(string = cred) @@ -77,7 +79,7 @@ class Auth: raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify(self.trusted_cert_file_list) + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) @@ -85,9 +87,10 @@ class Auth: # This check does not apply to trusted peers trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list] if hrn and self.client_gid.get_hrn() not in trusted_peers: - if not hrn == self.object_gid.get_hrn(): + target_hrn = self.object_gid.get_hrn() + if not hrn == target_hrn: raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ - (self.object_gid.get_hrn(), hrn) ) + (target_hrn, hrn) ) return True def check_ticket(self, ticket): @@ -235,7 +238,7 @@ class Auth: verify_cancreate_credential() """ - rl = RightList() + rl = Rights() type = record['type'] @@ -299,3 +302,22 @@ class Auth: def get_authority(self, hrn): return get_authority(hrn) + + def filter_creds_by_caller(self, creds, caller_hrn_list): + """ + Returns a list of creds who's gid caller matches the + specified caller hrn + """ + if not isinstance(creds, list): + creds = [creds] + creds = [] + if not isinistance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] + for cred in creds: + try: + tmp_cred = Credential(string=cred) + if tmp_cred.get_gid_caller().get_hrn() in [caller_hrn_list]: + creds.append(cred) + except: pass + return creds +