2 # Implements SFA Credentials
4 # Credentials are layered on top of certificates, and are essentially a
5 # certificate that stores a tuple of parameters.
16 import xml.dom.minidom
17 from xml.dom.minidom import Document
18 from sfa.trust.credential_legacy import CredentialLegacy
19 from sfa.trust.certificate import Certificate
20 from sfa.trust.rights import *
21 from sfa.trust.gid import *
22 from sfa.util.faults import *
23 from sfa.util.sfalogging import logger
27 # . Need to verify credential parents (delegation)
28 # . implement verify_chain
29 # . Need to manage ref #s
30 # . Need to add privileges (make PG and PL privs work together and add delegation per privilege instead of global)
33 signature_template = \
35 <Signature xml:id="Sig_%s" xmlns="http://www.w3.org/2000/09/xmldsig#">
37 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
38 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
41 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
43 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
44 <DigestValue></DigestValue>
62 # Credential is a tuple:
63 # (GIDCaller, GIDObject, Expiration (in UTC time), Privileges, DelegateBit)
65 # These fields are encoded in one of two ways. The legacy style places
66 # it in the subjectAltName of an X509 certificate. The new credentials
67 # are placed in signed XML.
70 class Credential(object):
83 # Create a Credential object
85 # @param create If true, create a blank x509 certificate
86 # @param subject If subject!=None, create an x509 cert with the subject name
87 # @param string If string!=None, load the credential from the string
88 # @param filename If filename!=None, load the credential from the file
90 def __init__(self, create=False, subject=None, string=None, filename=None):
92 # Check if this is a legacy credential, translate it if so
93 if string or filename:
97 str = file(filename).read()
99 if str.strip().startswith("-----"):
100 self.translate_legacy(str)
106 # Translate a legacy credential into a new one
108 # @param String of the legacy credential
110 def translate_legacy(self, str):
111 legacy = CredentialLegacy(False,string=str)
112 self.gidCaller = legacy.get_gid_caller()
113 self.gidObject = legacy.get_gid_object()
114 lifetime = legacy.get_lifetime()
116 self.set_lifetime(3600)
118 self.set_lifetime(int(lifetime))
119 self.lifeTime = legacy.get_lifetime()
120 self.privileges = legacy.get_privileges()
121 self.delegate = legacy.get_delegate()
124 # Need the issuer's private key and name
125 # @param key Keypair object containing the private key of the issuer
126 # @param gid GID of the issuing authority
128 def set_issuer_keys(self, privkey, gid):
129 self.issuer_privkey = privkey
130 self.issuer_gid = gid
132 def set_issuer(self, issuer):
135 def set_subject(self, subject):
138 def set_pubkey(self, pubkey):
139 self.issuer_pubkey = pubkey
141 def set_parent(self, cred):
145 # set the GID of the caller
147 # @param gid GID object of the caller
149 def set_gid_caller(self, gid):
151 # gid origin caller is the caller's gid by default
152 self.gidOriginCaller = gid
155 # get the GID of the object
157 def get_gid_caller(self):
158 if not self.gidCaller:
160 return self.gidCaller
163 # set the GID of the object
165 # @param gid GID object of the object
167 def set_gid_object(self, gid):
171 # get the GID of the object
173 def get_gid_object(self):
174 if not self.gidObject:
176 return self.gidObject
179 # set the lifetime of this credential
181 # @param lifetime lifetime of credential
182 # . if lifeTime is a datetime object, it is used for the expiration time
183 # . if lifeTime is an integer value, it is considered the number of minutes
184 # remaining before expiration
186 def set_lifetime(self, lifeTime):
187 if isinstance(lifeTime, int):
188 self.expiration = datetime.timedelta(seconds=lifeTime*60) + datetime.datetime.utcnow()
190 self.expiration = lifeTime
193 # get the lifetime of the credential (in minutes)
195 def get_lifetime(self):
196 if not self.lifeTime:
198 return self.expiration
201 # set the delegate bit
203 # @param delegate boolean (True or False)
205 def set_delegate(self, delegate):
206 self.delegate = delegate
209 # get the delegate bit
211 def get_delegate(self):
212 if not self.delegate:
219 # @param privs either a comma-separated list of privileges of a RightList object
221 def set_privileges(self, privs):
222 if isinstance(privs, str):
223 self.privileges = RightList(string = privs)
225 self.privileges = privs
228 # return the privileges as a RightList object
230 def get_privileges(self):
231 if not self.privileges:
233 return self.privileges
236 # determine whether the credential allows a particular operation to be
239 # @param op_name string specifying name of operation ("lookup", "update", etc)
241 def can_perform(self, op_name):
242 rights = self.get_privileges()
247 return rights.can_perform(op_name)
249 def append_sub(self, doc, parent, element, text):
250 ele = doc.createElement(element)
251 ele.appendChild(doc.createTextNode(text))
252 parent.appendChild(ele)
255 # Encode the attributes of the credential into an XML string
256 # This should be done immediately before signing the credential.
261 # Get information from the parent credential
263 if not self.parent.xml:
265 p_doc = xml.dom.minidom.parseString(self.parent.xml)
266 p_signed_cred = p_doc.getElementsByTagName("signed-credential")[0]
267 p_cred = p_signed_cred.getElementsByTagName("credential")[0]
268 p_signatures = p_signed_cred.getElementsByTagName("signatures")[0]
269 p_sigs = p_signatures.getElementsByTagName("Signature")
271 # Create the XML document
273 signed_cred = doc.createElement("signed-credential")
274 doc.appendChild(signed_cred)
277 # Fill in the <credential> bit
278 refid = "ref%d" % (self.max_refid + 1)
281 cred = doc.createElement("credential")
282 cred.setAttribute("xml:id", refid)
283 signed_cred.appendChild(cred)
284 self.append_sub(doc, cred, "type", "privilege")
285 self.append_sub(doc, cred, "serial", "8")
286 self.append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
287 self.append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
288 self.append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
289 self.append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
290 self.append_sub(doc, cred, "uuid", "")
291 if not self.expiration:
292 self.set_lifetime(3600)
293 self.expiration = self.expiration.replace(microsecond=0)
294 self.append_sub(doc, cred, "expires", self.expiration.isoformat())
295 privileges = doc.createElement("privileges")
296 cred.appendChild(privileges)
299 rights = self.privileges.save_to_string().split(",")
301 priv = doc.createElement("privilege")
302 self.append_sub(doc, priv, "name", right.strip())
303 self.append_sub(doc, priv, "can_delegate", str(self.delegate))
304 privileges.appendChild(priv)
306 # Add the parent credential if it exists
308 parent = doc.createElement("parent")
309 parent.appendChild(p_cred)
310 cred.appendChild(parent)
313 signed_cred.appendChild(cred)
316 # Fill in the <signature> bit
317 signatures = doc.createElement("signatures")
319 sz_sig = signature_template % (refid,refid)
321 sdoc = xml.dom.minidom.parseString(sz_sig)
322 sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
323 signatures.appendChild(sig_ele)
325 # Add any existing signatures from the parent credential
328 signatures.appendChild(sig)
331 # Add any parent signatures
334 signatures.appendChild(sig)
336 signed_cred.appendChild(signatures)
337 # Get the finished product
338 self.xml = doc.toxml()
339 #print doc.toprettyxml()
342 def save_to_random_tmp_file(self):
343 filename = "/tmp/cred_%d" % random.randint(0,999999999)
344 self.save_to_file(filename)
347 def save_to_file(self, filename, save_parents=True):
350 f = open(filename, "w")
354 def save_to_string(self, save_parents=True):
363 # Call out to xmlsec1 to sign it
364 ref = 'Sig_ref%d' % self.max_refid
365 filename = self.save_to_random_tmp_file()
366 signed = os.popen('/usr/bin/xmlsec1 --sign --node-id "%s" --privkey-pem %s,%s %s' \
367 % (ref, self.issuer_privkey, self.issuer_gid, filename)).read()
372 def getTextNode(self, element, subele):
373 sub = element.getElementsByTagName(subele)[0]
374 return sub.childNodes[0].nodeValue
377 # Retrieve the attributes of the credential from the XML.
378 # This is automatically caleld by the various get_* methods of
379 # this class and should not need to be called explicitly.
382 doc = xml.dom.minidom.parseString(self.xml)
383 signed_cred = doc.getElementsByTagName("signed-credential")[0]
384 cred = signed_cred.getElementsByTagName("credential")[0]
385 signatures = signed_cred.getElementsByTagName("signatures")[0]
386 sigs = signatures.getElementsByTagName("Signature")
389 self.max_refid = int(cred.getAttribute("xml:id")[3:])
390 sz_expires = self.getTextNode(cred, "expires")
392 self.expiration = datetime.datetime.strptime(sz_expires, '%Y-%m-%dT%H:%M:%S')
393 self.lifeTime = self.getTextNode(cred, "expires")
394 self.gidCaller = GID(string=self.getTextNode(cred, "owner_gid"))
395 self.gidObject = GID(string=self.getTextNode(cred, "target_gid"))
396 privs = cred.getElementsByTagName("privileges")[0]
399 for priv in privs.getElementsByTagName("privilege"):
400 sz_privs += self.getTextNode(priv, "name")
402 delegates.append(self.getTextNode(priv, "can_delegate"))
406 if "false" not in delegates:
409 # Make the rights list
410 sz_privs.rstrip(", ")
411 self.privileges = RightList(string=sz_privs)
416 # For a simple credential (no delegation) verify..
417 # . That the signature is valid for the credential's xml:id
418 # . That the signer's pub key matches the pub key of the target (object)
419 # . That the target/owner urns match those in the gids
421 # @param trusted_certs: The certificates of trusted CA certificates
423 def verify(self, trusted_certs):
427 # Verify the sigatures
428 filename = self.save_to_random_tmp_file()
429 cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
431 ref = "Sig_ref%d" % self.max_refid
432 verified = os.popen('/usr/bin/xmlsec1 --verify --node-id "%s" %s %s 2>&1' \
433 % (ref, cert_args, filename)).read()
435 if not verified.strip().startswith("OK"):
436 raise CredentialNotVerifiable("xmlsec1 error: " + verified)
441 # Verify that a chain of credentials is valid (see cert.py:verify). In
442 # addition to the checks for ordinary certificates, verification also
443 # ensures that the delegate bit was set by each parent in the chain. If
444 # a delegate bit was not set, then an exception is thrown.
446 # Each credential must be a subset of the rights of the parent.
448 def verify_chain(self, trusted_certs):
451 ## def verify_chain(self, trusted_certs = None):
452 ## # do the normal certificate verification stuff
453 ## Certificate.verify_chain(self, trusted_certs)
456 ## # make sure the parent delegated rights to the child
457 ## if not self.parent.get_delegate():
458 ## raise MissingDelegateBit(self.parent.get_subject())
460 ## # make sure the rights given to the child are a subset of the
462 ## if not self.parent.get_privileges().is_superset(self.get_privileges()):
463 ## raise ChildRightsNotSubsetOfParent(self.get_subject()
464 ## + " " + self.parent.get_privileges().save_to_string()
465 ## + " " + self.get_privileges().save_to_string())
470 # Dump the contents of a credential to stdout in human-readable format
472 # @param dump_parents If true, also dump the parent certificates
474 def dump(self, dump_parents=False):
475 print "CREDENTIAL", self.get_subject()
477 print " privs:", self.get_privileges().save_to_string()
480 gidCaller = self.get_gid_caller()
482 gidCaller.dump(8, dump_parents)
485 gidObject = self.get_gid_object()
487 gidObject.dump(8, dump_parents)
489 print " delegate:", self.get_delegate()
491 if self.parent and dump_parents:
493 self.parent.dump(dump_parents)