2 # Implements Geni Credentials
4 # Credentials are layered on top of certificates, and are essentially a
5 # certificate that stores a tuple of parameters.
14 # Credential is a tuple:
15 # (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
17 # These fields are encoded using xmlrpc into the subjectAltName field of the
18 # x509 certificate. Note: Call encode() once the fields have been filled in
19 # to perform this encoding.
21 class Credential(Certificate):
29 # Create a Credential object
31 # @param create If true, create a blank x509 certificate
32 # @param subject If subject!=None, create an x509 cert with the subject name
33 # @param string If string!=None, load the credential from the string
34 # @param filename If filename!=None, load the credential from the file
36 def __init__(self, create=False, subject=None, string=None, filename=None):
37 Certificate.__init__(self, create, subject, string, filename)
40 # set the GID of the caller
42 # @param gid GID object of the caller
44 def set_gid_caller(self, gid):
48 # get the GID of the object
50 def get_gid_caller(self):
51 if not self.gidCaller:
56 # set the GID of the object
58 # @param gid GID object of the object
60 def set_gid_object(self, gid):
64 # get the GID of the object
66 def get_gid_object(self):
67 if not self.gidObject:
72 # set the lifetime of this credential
74 # @param lifetime lifetime of credential
76 def set_lifetime(self, lifeTime):
77 self.lifeTime = lifeTime
80 # get the lifetime of the credential
82 def get_lifetime(self):
88 # set the delegate bit
90 # @param delegate boolean (True or False)
92 def set_delegate(self, delegate):
93 self.delegate = delegate
96 # get the delegate bit
98 def get_delegate(self):
106 # @param privs either a comma-separated list of privileges of a RightList object
108 def set_privileges(self, privs):
109 if isinstance(privs, str):
110 self.privileges = RightList(string = privs)
112 self.privileges = privs
115 # return the privileges as a RightList object
117 def get_privileges(self):
118 if not self.privileges:
120 return self.privileges
123 # determine whether the credential allows a particular operation to be
126 # @param op_name string specifying name of operation ("lookup", "update", etc)
128 def can_perform(self, op_name):
129 rights = self.get_privileges()
132 return rights.can_perform(op_name)
135 # Encode the attributes of the credential into a string and store that
136 # string in the alt-subject-name field of the X509 object. This should be
137 # done immediately before signing the credential.
140 dict = {"gidCaller": None,
142 "lifeTime": self.lifeTime,
144 "delegate": self.delegate}
146 dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
148 dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
150 dict["privileges"] = self.privileges.save_to_string()
151 str = xmlrpclib.dumps((dict,), allow_none=True)
155 # Retrieve the attributes of the credential from the alt-subject-name field
156 # of the X509 certificate. This is automatically done by the various
157 # get_* methods of this class and should not need to be called explicitly.
160 data = self.get_data()
162 dict = xmlrpclib.loads(self.get_data())[0][0]
166 self.lifeTime = dict.get("lifeTime", None)
167 self.delegate = dict.get("delegate", None)
169 privStr = dict.get("privileges", None)
171 self.privileges = RightList(string = privStr)
173 self.privileges = None
175 gidCallerStr = dict.get("gidCaller", None)
177 self.gidCaller = GID(string=gidCallerStr)
179 self.gidCaller = None
181 gidObjectStr = dict.get("gidObject", None)
183 self.gidObject = GID(string=gidObjectStr)
185 self.gidObject = None
188 # Verify that a chain of credentials is valid (see cert.py:verify). In
189 # addition to the checks for ordinary certificates, verification also
190 # ensures that the delegate bit was set by each parent in the chain. If
191 # a delegate bit was not set, then an exception is thrown.
193 # Each credential must be a subset of the rights of the parent.
195 def verify_chain(self, trusted_certs = None):
196 # do the normal certificate verification stuff
197 Certificate.verify_chain(self, trusted_certs)
200 # make sure the parent delegated rights to the child
201 if not self.parent.get_delegate():
202 raise MissingDelegateBit(self.parent.get_subject())
204 # make sure the rights given to the child are a subset of the
206 if not self.parent.get_privileges().is_superset(self.get_privileges()):
207 raise ChildRightsNotSubsetOfParent(self.get_subject())
212 # Dump the contents of a credential to stdout in human-readable format
214 # @param dump_parents If true, also dump the parent certificates
216 def dump(self, dump_parents=False):
217 print "CREDENTIAL", self.get_subject()
219 print " privs:", self.get_privileges().save_to_string()
222 gidCaller = self.get_gid_caller()
224 gidCaller.dump(8, dump_parents)
227 gidObject = self.get_gid_object()
229 gidObject.dump(8, dump_parents)
231 print " delegate:", self.get_delegate()
233 if self.parent and dump_parents:
235 self.parent.dump(dump_parents)