2 # Implements SFA Credentials
4 # Credentials are layered on top of certificates, and are essentially a
5 # certificate that stores a tuple of parameters.
10 from sfa.util.faults import MissingDelegateBit, ChildRightsNotSubsetOfParent
11 from sfa.trust.certificate import Certificate
12 from sfa.trust.gid import GID
15 # Credential is a tuple:
16 # (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
18 # These fields are encoded using xmlrpc into the subjectAltName field of the
19 # x509 certificate. Note: Call encode() once the fields have been filled in
20 # to perform this encoding.
22 class CredentialLegacy(Certificate):
30 # Create a Credential object
32 # @param create If true, create a blank x509 certificate
33 # @param subject If subject!=None, create an x509 cert with the subject name
34 # @param string If string!=None, load the credential from the string
35 # @param filename If filename!=None, load the credential from the file
37 def __init__(self, create=False, subject=None, string=None, filename=None):
38 Certificate.__init__(self, create, subject, string, filename)
41 # set the GID of the caller
43 # @param gid GID object of the caller
45 def set_gid_caller(self, gid):
47 # gid origin caller is the caller's gid by default
48 self.gidOriginCaller = gid
51 # get the GID of the object
53 def get_gid_caller(self):
54 if not self.gidCaller:
59 # set the GID of the object
61 # @param gid GID object of the object
63 def set_gid_object(self, gid):
67 # get the GID of the object
69 def get_gid_object(self):
70 if not self.gidObject:
75 # set the lifetime of this credential
77 # @param lifetime lifetime of credential
79 def set_lifetime(self, lifeTime):
80 self.lifeTime = lifeTime
83 # get the lifetime of the credential
85 def get_lifetime(self):
91 # set the delegate bit
93 # @param delegate boolean (True or False)
95 def set_delegate(self, delegate):
96 self.delegate = delegate
99 # get the delegate bit
101 def get_delegate(self):
102 if not self.delegate:
109 # @param privs either a comma-separated list of privileges of a Rights object
111 def set_privileges(self, privs):
112 if isinstance(privs, str):
113 self.privileges = Rights(string = privs)
115 self.privileges = privs
118 # return the privileges as a Rights object
120 def get_privileges(self):
121 if not self.privileges:
123 return self.privileges
126 # determine whether the credential allows a particular operation to be
129 # @param op_name string specifying name of operation ("lookup", "update", etc)
131 def can_perform(self, op_name):
132 rights = self.get_privileges()
135 return rights.can_perform(op_name)
138 # Encode the attributes of the credential into a string and store that
139 # string in the alt-subject-name field of the X509 object. This should be
140 # done immediately before signing the credential.
143 dict = {"gidCaller": None,
145 "lifeTime": self.lifeTime,
147 "delegate": self.delegate}
149 dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
151 dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
153 dict["privileges"] = self.privileges.save_to_string()
154 str = xmlrpclib.dumps((dict,), allow_none=True)
155 self.set_data('URI:http://' + str)
158 # Retrieve the attributes of the credential from the alt-subject-name field
159 # of the X509 certificate. This is automatically done by the various
160 # get_* methods of this class and should not need to be called explicitly.
163 data = self.get_data().lstrip('URI:http://')
166 dict = xmlrpclib.loads(data)[0][0]
170 self.lifeTime = dict.get("lifeTime", None)
171 self.delegate = dict.get("delegate", None)
173 privStr = dict.get("privileges", None)
175 self.privileges = Rights(string = privStr)
177 self.privileges = None
179 gidCallerStr = dict.get("gidCaller", None)
181 self.gidCaller = GID(string=gidCallerStr)
183 self.gidCaller = None
185 gidObjectStr = dict.get("gidObject", None)
187 self.gidObject = GID(string=gidObjectStr)
189 self.gidObject = None
192 # Verify that a chain of credentials is valid (see cert.py:verify). In
193 # addition to the checks for ordinary certificates, verification also
194 # ensures that the delegate bit was set by each parent in the chain. If
195 # a delegate bit was not set, then an exception is thrown.
197 # Each credential must be a subset of the rights of the parent.
199 def verify_chain(self, trusted_certs = None):
200 # do the normal certificate verification stuff
201 Certificate.verify_chain(self, trusted_certs)
204 # make sure the parent delegated rights to the child
205 if not self.parent.get_delegate():
206 raise MissingDelegateBit(self.parent.get_subject())
208 # make sure the rights given to the child are a subset of the
210 if not self.parent.get_privileges().is_superset(self.get_privileges()):
211 raise ChildRightsNotSubsetOfParent(self.get_subject()
212 + " " + self.parent.get_privileges().save_to_string()
213 + " " + self.get_privileges().save_to_string())
218 # Dump the contents of a credential to stdout in human-readable format
220 # @param dump_parents If true, also dump the parent certificates
222 def dump(self, *args, **kwargs):
223 print self.dump_string(*args,**kwargs)
225 def dump_string(self, dump_parents=False):
227 result += "CREDENTIAL %s\n" % self.get_subject()
229 result += " privs: %s\n" % self.get_privileges().save_to_string()
231 gidCaller = self.get_gid_caller()
233 result += " gidCaller:\n"
234 gidCaller.dump(8, dump_parents)
236 gidObject = self.get_gid_object()
238 result += " gidObject:\n"
239 result += gidObject.dump_string(8, dump_parents)
241 result += " delegate: %s" % self.get_delegate()
243 if self.parent and dump_parents:
245 result += self.parent.dump_string(dump_parents)