1 #----------------------------------------------------------------------
2 # Copyright (c) 2008 Board of Trustees, Princeton University
4 # Permission is hereby granted, free of charge, to any person obtaining
5 # a copy of this software and/or hardware specification (the "Work") to
6 # deal in the Work without restriction, including without limitation the
7 # rights to use, copy, modify, merge, publish, distribute, sublicense,
8 # and/or sell copies of the Work, and to permit persons to whom the Work
9 # is furnished to do so, subject to the following conditions:
11 # The above copyright notice and this permission notice shall be
12 # included in all copies or substantial portions of the Work.
14 # THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
18 # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
19 # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 # OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
22 #----------------------------------------------------------------------
24 # Implements SFA Credentials
26 # Credentials are signed XML files that assign a subject gid privileges to an object gid
34 from tempfile import mkstemp
35 from xml.dom.minidom import Document, parseString
36 from dateutil.parser import parse
38 from sfa.util.faults import *
39 from sfa.util.sfalogging import sfa_logger
40 from sfa.trust.certificate import Keypair
41 from sfa.trust.credential_legacy import CredentialLegacy
42 from sfa.trust.rights import Right, Rights
43 from sfa.trust.gid import GID
44 from sfa.util.xrn import urn_to_hrn
47 DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14
51 # . make privs match between PG and PL
52 # . Need to add support for other types of credentials, e.g. tickets
55 signature_template = \
57 <Signature xml:id="Sig_%s" xmlns="http://www.w3.org/2000/09/xmldsig#">
59 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
60 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
63 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
65 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
66 <DigestValue></DigestValue>
82 # Convert a string into a bool
85 if str.lower() in ['yes','true','1']:
91 # Utility function to get the text of an XML element
93 def getTextNode(element, subele):
94 sub = element.getElementsByTagName(subele)[0]
95 if len(sub.childNodes) > 0:
96 return sub.childNodes[0].nodeValue
101 # Utility function to set the text of an XML element
102 # It creates the element, adds the text to it,
103 # and then appends it to the parent.
105 def append_sub(doc, parent, element, text):
106 ele = doc.createElement(element)
107 ele.appendChild(doc.createTextNode(text))
108 parent.appendChild(ele)
111 # Signature contains information about an xmlsec1 signature
112 # for a signed-credential
115 class Signature(object):
117 def __init__(self, string=None):
119 self.issuer_gid = None
136 def set_refid(self, id):
139 def get_issuer_gid(self):
144 def set_issuer_gid(self, gid):
148 doc = parseString(self.xml)
149 sig = doc.getElementsByTagName("Signature")[0]
150 self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
151 keyinfo = sig.getElementsByTagName("X509Data")[0]
152 szgid = getTextNode(keyinfo, "X509Certificate")
153 szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid
154 self.set_issuer_gid(GID(string=szgid))
157 self.xml = signature_template % (self.get_refid(), self.get_refid())
161 # A credential provides a caller gid with privileges to an object gid.
162 # A signed credential is signed by the object's authority.
164 # Credentials are encoded in one of two ways. The legacy style places
165 # it in the subjectAltName of an X509 certificate. The new credentials
166 # are placed in signed XML.
169 # In general, a signed credential obtained externally should
170 # not be changed else the signature is no longer valid. So, once
171 # you have loaded an existing signed credential, do not call encode() or sign() on it.
173 def filter_creds_by_caller(creds, caller_hrn):
175 Returns a list of creds who's gid caller matches the
178 if not isinstance(creds, list): creds = [creds]
182 tmp_cred = Credential(string=cred)
183 if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
184 caller_creds.append(cred)
188 class Credential(object):
191 # Create a Credential object
193 # @param create If true, create a blank x509 certificate
194 # @param subject If subject!=None, create an x509 cert with the subject name
195 # @param string If string!=None, load the credential from the string
196 # @param filename If filename!=None, load the credential from the file
197 # FIXME: create and subject are ignored!
198 def __init__(self, create=False, subject=None, string=None, filename=None):
199 self.gidCaller = None
200 self.gidObject = None
201 self.expiration = None
202 self.privileges = None
203 self.issuer_privkey = None
204 self.issuer_gid = None
205 self.issuer_pubkey = None
207 self.signature = None
212 # Check if this is a legacy credential, translate it if so
213 if string or filename:
217 str = file(filename).read()
218 self.filename=filename
220 if str.strip().startswith("-----"):
221 self.legacy = CredentialLegacy(False,string=str)
222 self.translate_legacy(str)
227 # Find an xmlsec1 path
228 self.xmlsec_path = ''
229 paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
231 if os.path.isfile(path + '/' + 'xmlsec1'):
232 self.xmlsec_path = path + '/' + 'xmlsec1'
235 def get_subject(self):
236 if not self.gidObject:
238 return self.gidObject.get_subject()
240 def get_signature(self):
241 if not self.signature:
243 return self.signature
245 def set_signature(self, sig):
250 # Translate a legacy credential into a new one
252 # @param String of the legacy credential
254 def translate_legacy(self, str):
255 legacy = CredentialLegacy(False,string=str)
256 self.gidCaller = legacy.get_gid_caller()
257 self.gidObject = legacy.get_gid_object()
258 lifetime = legacy.get_lifetime()
260 self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
262 self.set_expiration(int(lifetime))
263 self.lifeTime = legacy.get_lifetime()
264 self.set_privileges(legacy.get_privileges())
265 self.get_privileges().delegate_all_privileges(legacy.get_delegate())
268 # Need the issuer's private key and name
269 # @param key Keypair object containing the private key of the issuer
270 # @param gid GID of the issuing authority
272 def set_issuer_keys(self, privkey, gid):
273 self.issuer_privkey = privkey
274 self.issuer_gid = gid
278 # Set this credential's parent
279 def set_parent(self, cred):
284 # set the GID of the caller
286 # @param gid GID object of the caller
288 def set_gid_caller(self, gid):
290 # gid origin caller is the caller's gid by default
291 self.gidOriginCaller = gid
294 # get the GID of the object
296 def get_gid_caller(self):
297 if not self.gidCaller:
299 return self.gidCaller
302 # set the GID of the object
304 # @param gid GID object of the object
306 def set_gid_object(self, gid):
310 # get the GID of the object
312 def get_gid_object(self):
313 if not self.gidObject:
315 return self.gidObject
320 # Expiration: an absolute UTC time of expiration (as either an int or datetime)
322 def set_expiration(self, expiration):
323 if isinstance(expiration, int):
324 self.expiration = datetime.datetime.fromtimestamp(expiration)
326 self.expiration = expiration
330 # get the lifetime of the credential (in datetime format)
332 def get_expiration(self):
333 if not self.expiration:
335 return self.expiration
339 def get_lifetime(self):
340 return self.get_expiration()
345 # @param privs either a comma-separated list of privileges of a Rights object
347 def set_privileges(self, privs):
348 if isinstance(privs, str):
349 self.privileges = Rights(string = privs)
351 self.privileges = privs
355 # return the privileges as a Rights object
357 def get_privileges(self):
358 if not self.privileges:
360 return self.privileges
363 # determine whether the credential allows a particular operation to be
366 # @param op_name string specifying name of operation ("lookup", "update", etc)
368 def can_perform(self, op_name):
369 rights = self.get_privileges()
374 return rights.can_perform(op_name)
378 # Encode the attributes of the credential into an XML string
379 # This should be done immediately before signing the credential.
381 # In general, a signed credential obtained externally should
382 # not be changed else the signature is no longer valid. So, once
383 # you have loaded an existing signed credential, do not call encode() or sign() on it.
386 # Create the XML document
388 signed_cred = doc.createElement("signed-credential")
389 doc.appendChild(signed_cred)
391 # Fill in the <credential> bit
392 cred = doc.createElement("credential")
393 cred.setAttribute("xml:id", self.get_refid())
394 signed_cred.appendChild(cred)
395 append_sub(doc, cred, "type", "privilege")
396 append_sub(doc, cred, "serial", "8")
397 append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
398 append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
399 append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
400 append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
401 append_sub(doc, cred, "uuid", "")
402 if not self.expiration:
403 self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME))
404 self.expiration = self.expiration.replace(microsecond=0)
405 append_sub(doc, cred, "expires", self.expiration.isoformat())
406 privileges = doc.createElement("privileges")
407 cred.appendChild(privileges)
410 rights = self.get_privileges()
411 for right in rights.rights:
412 priv = doc.createElement("privilege")
413 append_sub(doc, priv, "name", right.kind)
414 append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
415 privileges.appendChild(priv)
417 # Add the parent credential if it exists
419 sdoc = parseString(self.parent.get_xml())
420 p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
421 p = doc.createElement("parent")
422 p.appendChild(p_cred)
426 # Create the <signatures> tag
427 signatures = doc.createElement("signatures")
428 signed_cred.appendChild(signatures)
430 # Add any parent signatures
432 for cur_cred in self.get_credential_list()[1:]:
433 sdoc = parseString(cur_cred.get_signature().get_xml())
434 ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
435 signatures.appendChild(ele)
437 # Get the finished product
438 self.xml = doc.toxml()
441 def save_to_random_tmp_file(self):
442 fp, filename = mkstemp(suffix='cred', text=True)
443 fp = os.fdopen(fp, "w")
444 self.save_to_file(filename, save_parents=True, filep=fp)
447 def save_to_file(self, filename, save_parents=True, filep=None):
453 f = open(filename, "w")
456 self.filename=filename
458 def save_to_string(self, save_parents=True):
468 def set_refid(self, rid):
472 # Figure out what refids exist, and update this credential's id
473 # so that it doesn't clobber the others. Returns the refids of
476 def updateRefID(self):
478 self.set_refid('ref0')
483 next_cred = self.parent
485 refs.append(next_cred.get_refid())
487 next_cred = next_cred.parent
492 # Find a unique refid for this credential
493 rid = self.get_refid()
496 rid = "ref%d" % (val + 1)
501 # Return the set of parent credential ref ids
510 # Sign the XML file created by encode()
513 # In general, a signed credential obtained externally should
514 # not be changed else the signature is no longer valid. So, once
515 # you have loaded an existing signed credential, do not call encode() or sign() on it.
518 if not self.issuer_privkey or not self.issuer_gid:
520 doc = parseString(self.get_xml())
521 sigs = doc.getElementsByTagName("signatures")[0]
523 # Create the signature template to be signed
524 signature = Signature()
525 signature.set_refid(self.get_refid())
526 sdoc = parseString(signature.get_xml())
527 sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
528 sigs.appendChild(sig_ele)
530 self.xml = doc.toxml()
533 # Split the issuer GID into multiple certificates if it's a chain
534 chain = GID(filename=self.issuer_gid)
537 gid_files.append(chain.save_to_random_tmp_file(False))
538 if chain.get_parent():
539 chain = chain.get_parent()
544 # Call out to xmlsec1 to sign it
545 ref = 'Sig_%s' % self.get_refid()
546 filename = self.save_to_random_tmp_file()
547 signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
548 % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
551 for gid_file in gid_files:
556 # This is no longer a legacy credential
565 # Retrieve the attributes of the credential from the XML.
566 # This is automatically called by the various get_* methods of
567 # this class and should not need to be called explicitly.
572 doc = parseString(self.xml)
574 signed_cred = doc.getElementsByTagName("signed-credential")
576 # Is this a signed-cred or just a cred?
577 if len(signed_cred) > 0:
578 cred = signed_cred[0].getElementsByTagName("credential")[0]
579 signatures = signed_cred[0].getElementsByTagName("signatures")
580 if len(signatures) > 0:
581 sigs = signatures[0].getElementsByTagName("Signature")
583 cred = doc.getElementsByTagName("credential")[0]
586 self.set_refid(cred.getAttribute("xml:id"))
587 self.set_expiration(parse(getTextNode(cred, "expires")))
588 self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
589 self.gidObject = GID(string=getTextNode(cred, "target_gid"))
593 privs = cred.getElementsByTagName("privileges")[0]
595 for priv in privs.getElementsByTagName("privilege"):
596 kind = getTextNode(priv, "name")
597 deleg = str2bool(getTextNode(priv, "can_delegate"))
599 # Convert * into the default privileges for the credential's type
600 _ , type = urn_to_hrn(self.gidObject.get_urn())
601 rl = rlist.determine_rights(type, self.gidObject.get_urn())
605 rlist.add(Right(kind.strip(), deleg))
606 self.set_privileges(rlist)
610 parent = cred.getElementsByTagName("parent")
612 parent_doc = parent[0].getElementsByTagName("credential")[0]
613 parent_xml = parent_doc.toxml()
614 self.parent = Credential(string=parent_xml)
617 # Assign the signatures to the credentials
619 Sig = Signature(string=sig.toxml())
621 for cur_cred in self.get_credential_list():
622 if cur_cred.get_refid() == Sig.get_refid():
623 cur_cred.set_signature(Sig)
628 # trusted_certs: A list of trusted GID filenames (not GID objects!)
629 # Chaining is not supported within the GIDs by xmlsec1.
632 # . All of the signatures are valid and that the issuers trace back
633 # to trusted roots (performed by xmlsec1)
634 # . The XML matches the credential schema
635 # . That the issuer of the credential is the authority in the target's urn
636 # . In the case of a delegated credential, this must be true of the root
637 # . That all of the gids presented in the credential are valid
638 # . The credential is not expired
640 # -- For Delegates (credentials with parents)
641 # . The privileges must be a subset of the parent credentials
642 # . The privileges must have "can_delegate" set for each delegated privilege
643 # . The target gid must be the same between child and parents
644 # . The expiry time on the child must be no later than the parent
645 # . The signer of the child must be the owner of the parent
647 # -- Verify does *NOT*
648 # . ensure that an xmlrpc client's gid matches a credential gid, that
649 # must be done elsewhere
651 # @param trusted_certs: The certificates of trusted CA certificates
652 def verify(self, trusted_certs):
656 # trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
657 trusted_cert_objects = []
658 ok_trusted_certs = []
659 for f in trusted_certs:
661 # Failures here include unreadable files
663 trusted_cert_objects.append(GID(filename=f))
664 ok_trusted_certs.append(f)
665 except Exception, exc:
666 sfa_logger().error("Failed to load trusted cert from %s: %r", f, exc)
667 trusted_certs = ok_trusted_certs
669 # Use legacy verification if this is a legacy credential
671 self.legacy.verify_chain(trusted_cert_objects)
672 if self.legacy.client_gid:
673 self.legacy.client_gid.verify_chain(trusted_cert_objects)
674 if self.legacy.object_gid:
675 self.legacy.object_gid.verify_chain(trusted_cert_objects)
678 # make sure it is not expired
679 if self.get_expiration() < datetime.datetime.utcnow():
680 raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat())
682 # Verify the signatures
683 filename = self.save_to_random_tmp_file()
684 cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
686 # Verify the gids of this cred and of its parents
687 for cur_cred in self.get_credential_list():
688 cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
689 cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
692 refs.append("Sig_%s" % self.get_refid())
694 parentRefs = self.updateRefID()
695 for ref in parentRefs:
696 refs.append("Sig_%s" % ref)
699 verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
700 % (self.xmlsec_path, ref, cert_args, filename)).read()
701 if not verified.strip().startswith("OK"):
702 raise CredentialNotVerifiable("xmlsec1 error verifying cert: " + verified)
705 # Verify the parents (delegation)
707 self.verify_parent(self.parent)
709 # Make sure the issuer is the target's authority
714 # Creates a list of the credential and its parents, with the root
715 # (original delegated credential) as the last item in the list
716 def get_credential_list(self):
720 list.append(cur_cred)
722 cur_cred = cur_cred.parent
728 # Make sure the credential's target gid was signed by (or is the same) the entity that signed
729 # the original credential or an authority over that namespace.
730 def verify_issuer(self):
731 root_cred = self.get_credential_list()[-1]
732 root_target_gid = root_cred.get_gid_object()
733 root_cred_signer = root_cred.get_signature().get_issuer_gid()
735 if root_target_gid.is_signed_by_cert(root_cred_signer):
736 # cred signer matches target signer, return success
739 root_target_gid_str = root_target_gid.save_to_string()
740 root_cred_signer_str = root_cred_signer.save_to_string()
741 if root_target_gid_str == root_cred_signer_str:
742 # cred signer is target, return success
745 # See if it the signer is an authority over the domain of the target
746 # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn())
747 root_cred_signer_type = root_cred_signer.get_type()
748 if (root_cred_signer_type == 'authority'):
749 #sfa_logger().debug('Cred signer is an authority')
750 # signer is an authority, see if target is in authority's domain
751 hrn = root_cred_signer.get_hrn()
752 if root_target_gid.get_hrn().startswith(hrn):
755 # We've required that the credential be signed by an authority
756 # for that domain. Reasonable and probably correct.
757 # A looser model would also allow the signer to be an authority
758 # in my control framework - eg My CA or CH. Even if it is not
759 # the CH that issued these, eg, user credentials.
761 # Give up, credential does not pass issuer verification
763 raise CredentialNotVerifiable("Could not verify credential owned by %s for object %s. Cred signer %s not the trusted authority for Cred target %s" % (self.gidCaller.get_urn(), self.gidObject.get_urn(), root_cred_signer.get_hrn(), root_target_gid.get_hrn()))
767 # -- For Delegates (credentials with parents) verify that:
768 # . The privileges must be a subset of the parent credentials
769 # . The privileges must have "can_delegate" set for each delegated privilege
770 # . The target gid must be the same between child and parents
771 # . The expiry time on the child must be no later than the parent
772 # . The signer of the child must be the owner of the parent
773 def verify_parent(self, parent_cred):
774 # make sure the rights given to the child are a subset of the
775 # parents rights (and check delegate bits)
776 if not parent_cred.get_privileges().is_superset(self.get_privileges()):
777 raise ChildRightsNotSubsetOfParent(
778 self.parent.get_privileges().save_to_string() + " " +
779 self.get_privileges().save_to_string())
781 # make sure my target gid is the same as the parent's
782 if not parent_cred.get_gid_object().save_to_string() == \
783 self.get_gid_object().save_to_string():
784 raise CredentialNotVerifiable("Target gid not equal between parent and child")
786 # make sure my expiry time is <= my parent's
787 if not parent_cred.get_expiration() >= self.get_expiration():
788 raise CredentialNotVerifiable("Delegated credential expires after parent")
790 # make sure my signer is the parent's caller
791 if not parent_cred.get_gid_caller().save_to_string(False) == \
792 self.get_signature().get_issuer_gid().save_to_string(False):
793 raise CredentialNotVerifiable("Delegated credential not signed by parent caller")
796 if parent_cred.parent:
797 parent_cred.verify_parent(parent_cred.parent)
800 def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
802 Return a delegated copy of this credential, delegated to the
803 specified gid's user.
805 # get the gid of the object we are delegating
806 object_gid = self.get_gid_object()
807 object_hrn = object_gid.get_hrn()
809 # the hrn of the user who will be delegated to
810 delegee_gid = GID(filename=delegee_gidfile)
811 delegee_hrn = delegee_gid.get_hrn()
813 #user_key = Keypair(filename=keyfile)
814 #user_hrn = self.get_gid_caller().get_hrn()
815 subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn)
816 dcred = Credential(subject=subject_string)
817 dcred.set_gid_caller(delegee_gid)
818 dcred.set_gid_object(object_gid)
819 dcred.set_parent(self)
820 dcred.set_expiration(self.get_expiration())
821 dcred.set_privileges(self.get_privileges())
822 dcred.get_privileges().delegate_all_privileges(True)
823 #dcred.set_issuer_keys(keyfile, delegee_gidfile)
824 dcred.set_issuer_keys(caller_keyfile, caller_gidfile)
831 def get_filename(self):
832 return getattr(self,'filename',None)
834 # @param dump_parents If true, also dump the parent certificates
835 def dump (self, *args, **kwargs):
836 print self.dump_string(*args, **kwargs)
838 def dump_string(self, dump_parents=False):
840 result += "CREDENTIAL %s\n" % self.get_subject()
841 filename=self.get_filename()
842 if filename: result += "Filename %s\n"%filename
843 result += " privs: %s\n" % self.get_privileges().save_to_string()
844 gidCaller = self.get_gid_caller()
846 result += " gidCaller:\n"
847 result += gidCaller.dump_string(8, dump_parents)
849 gidObject = self.get_gid_object()
851 result += " gidObject:\n"
852 result += gidObject.dump_string(8, dump_parents)
854 if self.parent and dump_parents:
856 result += self.parent.dump_string(dump_parents)