From 01443db1ec49db8612171aa86d0a88f5a4984b7c Mon Sep 17 00:00:00 2001
From: Scott Baker
Date: Wed, 11 Feb 2009 00:45:25 +0000
Subject: [PATCH] sa/ma credentials include the rights authority+sa or authority+ma, authorities include the register right, make sure user/slice/node credentials have the right kind of parent
---
 geni/registry.py | 26 +++++++++++++++++++++-----
 geni/util/credential.py | 2 +-
 geni/util/hierarchy.py | 7 ++++---
 geni/util/rights.py | 2 +-
 4 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/geni/registry.py b/geni/registry.py
index 61408e6b..5184e994 100644
--- a/geni/registry.py
+++ b/geni/registry.py
@@ -441,7 +441,7 @@ class Registry(GeniServer):
 record_list = table.resolve(type, hrn)
 if not record_list:
- raise RecordNotFound(name)
+ raise RecordNotFound(hrn)
 record = record_list[0] # TODO: sa, ma
@@ -672,9 +672,9 @@ class Registry(GeniServer):
 rl.add("resolve")
 rl.add("info")
 elif type == "sa":
- rl.add("authority")
+ rl.add("authority,sa")
 elif type == "ma":
- rl.add("authority")
+ rl.add("authority,ma")
 elif type == "slice":
 rl.add("refresh")
 rl.add("embed")
@@ -730,7 +730,15 @@ class Registry(GeniServer):
 rl = self.determine_rights(type, name)
 cred.set_privileges(rl)
- cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+ # determine the type of credential that we want to use as a parent for
+ # this credential.
+
+ if (type == "ma") or (type == "node"):
+ auth_kind = "authority,ma"
+ else: # user, slice, sa
+ auth_kind = "authority,sa"
+
+ cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 cred.encode()
 cred.sign()
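Review bot: `rl.add("authority,sa")` (and `rl.add("authority,ma")` in the next branch) hands a comma-joined string to the same `add` method that every other branch calls once per single right, and whether `add` splits on commas is not visible in this patch. The `privilege_table` in rights.py below is keyed by single names (`"authority"`, `"sa"`), so if `add` stores the string verbatim the combined right would match no table entry and `can_perform`-style lookups on it would fail. If `add` does not split, `rl.add("authority"); rl.add("sa")` states the intent without depending on the string format; otherwise a comment such as `# add() splits on ","` next to the call would spare the next reader the same question. determine_rights begins outside the hunk.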
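Review bot: The parent-kind selection added after `cred.set_privileges(rl)` is duplicated verbatim in the @@ -776 hunk of the same file, so the type-to-authority mapping now lives in two places and the two can drift. Since the kind chosen here becomes the privilege string of a signed parent credential, keeping the mapping in one helper on the class is worth doing; both call sites then reduce to `cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=self._parent_auth_kind(type)))`. The `else` branch silently assigns `"authority,sa"` to any type not named in the comment, which is presumably intended as the default but is worth stating. The enclosing method starts outside the hunk.

```python
    def _parent_auth_kind(self, type):
        """Return the privilege string of the authority credential that parents a credential of this record type."""
        # ma and node credentials chain to the managing authority; every other
        # type (user, slice, sa) chains to the slice authority by default.
        if type in ("ma", "node"):
            return "authority,ma"
        return "authority,sa"

# … unchanged: determine_rights / set_privileges …
        cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=self._parent_auth_kind(type)))
```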
@@ -776,7 +784,15 @@ class Registry(GeniServer):
 rl = self.determine_rights(type, name)
 new_cred.set_privileges(rl)
- new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn))
+ # determine the type of credential that we want to use as a parent for
+ # this credential.
+
+ if (type == "ma") or (type == "node"):
+ auth_kind = "authority,ma"
+ else: # user, slice, sa
+ auth_kind = "authority,sa"
+
+ new_cred.set_parent(self.hierarchy.get_auth_cred(auth_hrn, kind=auth_kind))
 new_cred.encode()
 new_cred.sign()
diff --git a/geni/util/credential.py b/geni/util/credential.py
index 697adf05..1d469ac7 100644
--- a/geni/util/credential.py
+++ b/geni/util/credential.py
@@ -204,7 +204,7 @@ class Credential(Certificate):
 # make sure the rights given to the child are a subset of the
 # parents rights
 if not self.parent.get_privileges().is_superset(self.get_privileges()):
- raise ChildRightsNotSubsetOfParent(self.get_subject())
+ raise ChildRightsNotSubsetOfParent(self.get_subject() + " " + self.parent.get_privileges().save_to_string() + " " + self.get_privileges().save_to_string())
 return
diff --git a/geni/util/hierarchy.py b/geni/util/hierarchy.py
index a96ec560..5aa3bc9b 100644
--- a/geni/util/hierarchy.py
+++ b/geni/util/hierarchy.py
@@ -264,15 +264,16 @@ class Hierarchy():
 # the authority's parent.
 #
 # @param hrn the human readable name of the authority
+ # @param authority type of credential to return (authority | sa | ma)
- def get_auth_cred(self, hrn):
+ def get_auth_cred(self, hrn, kind="authority"):
 auth_info = self.get_auth_info(hrn)
 gid = auth_info.get_gid_object()
 cred = Credential(subject=hrn)
 cred.set_gid_caller(gid)
 cred.set_gid_object(gid)
- cred.set_privileges("authority")
+ cred.set_privileges(kind)
 cred.set_delegate(True)
 cred.set_pubkey(auth_info.get_gid_object().get_pubkey())
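Review bot: The new `ChildRightsNotSubsetOfParent` message joins the subject and two serialized right lists with bare spaces, so whoever reads the exception cannot tell which list is the parent's and which is the child's, and a subject containing a space makes it ambiguous altogether. Labelling the parts costs nothing: `raise ChildRightsNotSubsetOfParent("%s parent=%s child=%s" % (self.get_subject(), self.parent.get_privileges().save_to_string(), self.get_privileges().save_to_string()))`. The method containing this check begins outside the hunk.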
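Review bot: The added doc line `# @param authority type of credential to return (authority | sa | ma)` documents a parameter that does not exist — the new parameter is `kind` — and the listed values do not match what the registry.py hunks actually pass (`"authority,sa"` and `"authority,ma"`). Since `kind` is handed straight to `cred.set_privileges(kind)` and then signed, it is a privilege string rather than a type selector, and that is what the comment should say, e.g. `# @param kind privilege string the returned credential carries ("authority", "authority,sa" or "authority,ma"); it is signed into the credential, so it is chosen by the registry's own type mapping rather than taken from a request`. The callers visible in this patch are all internal, which appears to be the intended contract.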
@@ -285,7 +286,7 @@ class Hierarchy():
 # we need the parent's private key in order to sign this GID
 parent_auth_info = self.get_auth_info(parent_hrn)
 cred.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn)
- cred.set_parent(self.get_auth_cred(parent_hrn))
+ cred.set_parent(self.get_auth_cred(parent_hrn, kind))
 cred.encode()
 cred.sign()
diff --git a/geni/util/rights.py b/geni/util/rights.py
index 1e6a8a37..ee959112 100644
--- a/geni/util/rights.py
+++ b/geni/util/rights.py
@@ -14,7 +14,7 @@
 # privilege_table is a list of priviliges and what operations are allowed
 # per privilege.
-privilege_table = {"authority": ["remove", "update", "resolve", "list", "getcredential"],
+privilege_table = {"authority": ["register", "remove", "update", "resolve", "list", "getcredential"],
 "refresh": ["remove", "update"],
 "resolve": ["resolve", "list", "getcredential"],
 "sa": ["getticket", "redeemslice", "createslice", "deleteslice", "updateslice", "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "deleteslice", "resetslice", "listslices", "listnodes", "getpolicy"],
-- 
2.43.0
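Review bot: `cred.set_parent(self.get_auth_cred(parent_hrn, kind))` propagates the requested `kind` recursively to every authority credential up the chain, and nothing in the hunk says why; the reason appears to be the subset check in credential.py (`ChildRightsNotSubsetOfParent`), which requires each parent to carry at least its child's rights, so a parent minted with plain `"authority"` would fail to validate a `"authority,sa"` child. A one-line comment would keep the next maintainer from "simplifying" it back: `# the parent must carry at least this credential's rights or Credential's subset check rejects the chain, so the same kind is requested all the way to the root`. This is the tail of get_auth_cred, whose start is in the previous hunk.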