From 798499da3d3c6b5d984044c9b1cdd2fd39f6b829 Mon Sep 17 00:00:00 2001 From: Tony Mack Date: Mon, 19 Apr 2010 20:49:27 +0000 Subject: [PATCH] check the specified hrn against the target hrn --- sfa/trust/auth.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 7a929590..2663417c 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -32,7 +32,7 @@ class Auth: def load_trusted_certs(self): self.trusted_cert_list = TrustedRootList(self.config.get_trustedroots_dir()).get_list() - def check(self, cred, operation): + def check(self, cred, operation, hrn = None): """ Check the credential against the peer cert (callerGID included in the credential matches the caller that is connected to the @@ -66,6 +66,13 @@ class Auth: else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) + # Make sure the credential's target matches the specified hrn. + # This check does not apply to trusted peers + trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list.get_list()] + if hrn and client_gid.get_hrn() not in trusted_peers: + if not hrn == object_gid.get_hrn(): + raise PermissionError("Target hrn: %s doesn't match specified hrn: %s " % \ + (object_gid.get_hrn(), hrn) ) return True def check_ticket(self, ticket): -- 2.43.0
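Review bot: The new `hrn = None` parameter on `check` is not described in the docstring that starts in this hunk, and its default makes the target check opt-in, so every existing call that passes only `cred` and `operation` still skips it. I would add a docstring line such as `hrn: if given, the credential's target (object GID) hrn must equal this value unless the caller is a trusted peer`, and confirm that each operation acting on a named object passes its hrn. PEP 8 spells the default `hrn=None`. The docstring and the rest of `check` continue outside the hunk, so the parameter may be mentioned further down.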
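Review bot: `self.trusted_cert_list.get_list()` looks inconsistent with `load_trusted_certs` in the first hunk, which already stores the result of `TrustedRootList(...).get_list()`. If that result is a plain list, this line raises AttributeError on every call that reaches it, and `trusted_peers = [gid.get_hrn() for gid in self.trusted_cert_list]` would be the fix. The guard `if hrn and ...` also skips the comparison for an empty-string hrn, whereas `if hrn is not None and client_gid.get_hrn() not in trusted_peers:` fails closed. The trusted-peer exemption compares hrn strings only, so it relies on `client_gid` having been verified against the trusted roots earlier in `check`, which is outside this hunk; a comment stating that dependency would help. As a style point, `not hrn == object_gid.get_hrn()` reads better as `hrn != object_gid.get_hrn()`.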