tests/testCred.py

   1 import unittest
   2 from sfa.trust.credential import *
   3 from sfa.trust.rights import *
   4 from sfa.trust.gid import *
   5 from sfa.trust.certificate import *
   6
   7 class TestCred(unittest.TestCase):
   8    def setUp(self):
   9       pass
  10
  11    def testCreate(self):
  12       cred = Credential(create=True)
  13
  14    def testDefaults(self):
  15       cred = Credential(subject="testCredential")
  16
  17       self.assertEqual(cred.get_gid_caller(), None)
  18       self.assertEqual(cred.get_gid_object(), None)
  19
  20    def testLoadSave(self):
  21       cred = Credential(subject="testCredential")
  22
  23       gidCaller = GID(subject="caller", uuid=create_uuid(), hrn="foo.caller")
  24       gidObject = GID(subject="object", uuid=create_uuid(), hrn="foo.object")
  25       lifeTime = 12345
  26       delegate = True
  27       rights = "embed:1,bind:1"
  28
  29       cred.set_gid_caller(gidCaller)
  30       self.assertEqual(cred.get_gid_caller().get_subject(), gidCaller.get_subject())
  31
  32       cred.set_gid_object(gidObject)
  33       self.assertEqual(cred.get_gid_object().get_subject(), gidObject.get_subject())
  34
  35       cred.set_lifetime(lifeTime)
  36
  37       cred.set_privileges(rights)
  38       self.assertEqual(cred.get_privileges().save_to_string(), rights)
  39
  40       cred.get_privileges().delegate_all_privileges(delegate)
  41
  42       cred.encode()
  43
  44       cred_str = cred.save_to_string()
  45
  46       # re-load the credential from a string and make sure its fields are
  47       # intact
  48       cred2 = Credential(string = cred_str)
  49       self.assertEqual(cred2.get_gid_caller().get_subject(), gidCaller.get_subject())
  50       self.assertEqual(cred2.get_gid_object().get_subject(), gidObject.get_subject())
  51       self.assertEqual(cred2.get_privileges().get_all_delegate(), delegate)
  52       self.assertEqual(cred2.get_privileges().save_to_string(), rights)
  53
  54
  55    def createSignedGID(self, subject, urn, issuer_pkey = None, issuer_gid = None):
  56       gid = GID(subject=subject, uuid=1, urn=urn)
  57       keys = Keypair(create=True)
  58       gid.set_pubkey(keys)
  59       if issuer_pkey:
  60          gid.set_issuer(issuer_pkey, str(issuer_gid.get_issuer()))
  61       else:
  62          gid.set_issuer(keys, subject)
  63
  64       gid.encode()
  65       gid.sign()
  66       return gid, keys
  67
  68
  69
  70
  71    def testDelegationAndVerification(self):
  72       gidAuthority, keys = self.createSignedGID("site", "urn:publicid:IDN+plc+authority+site")
  73       gidCaller, ckeys = self.createSignedGID("foo", "urn:publicid:IDN+plc:site+user+foo",
  74                                           keys, gidAuthority)
  75       gidObject, _ = self.createSignedGID("bar_slice", "urn:publicid:IDN+plc:site+slice+bar_slice",
  76                                           keys, gidAuthority)
  77       gidDelegatee, _ = self.createSignedGID("delegatee", "urn:publicid:IDN+plc:site+user+delegatee",
  78                                              keys, gidAuthority)
  79
  80       cred = Credential()
  81       cred.set_gid_caller(gidCaller)
  82       cred.set_gid_object(gidObject)
  83       cred.set_lifetime(3600)
  84       cred.set_privileges("embed:1, bind:1")
  85       cred.encode()
  86
  87       gidAuthority.save_to_file("/tmp/auth_gid")
  88       keys.save_to_file("/tmp/auth_key")
  89       cred.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
  90       cred.sign()
  91
  92
  93       cred.verify(['/tmp/auth_gid'])
  94
  95       # Test copying
  96       cred2 = Credential(string=cred.save_to_string())
  97       cred2.verify(['/tmp/auth_gid'])
  98
  99
 100       # Test delegation
 101       delegated = Credential()
 102       delegated.set_gid_caller(gidDelegatee)
 103       delegated.set_gid_object(gidObject)
 104       delegated.set_parent(cred)
 105       delegated.set_lifetime(600)
 106       delegated.set_privileges("embed:1, bind:1")
 107       gidCaller.save_to_file("/tmp/caller_gid")
 108       ckeys.save_to_file("/tmp/caller_pkey")
 109
 110       delegated.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
 111
 112       delegated.encode()
 113
 114       delegated.sign()
 115
 116       # This should verify
 117       delegated.verify(['/tmp/auth_gid'])
 118
 119       backup = Credential(string=delegated.get_xml())
 120
 121       # Test that verify catches an incorrect lifetime
 122       delegated.set_lifetime(6000)
 123       delegated.encode()
 124       delegated.sign()
 125       try:
 126          delegated.verify(['/tmp/auth_gid'])
 127          assert(1==0)
 128       except CredentialNotVerifiable:
 129          pass
 130
 131       # Test that verify catches an incorrect signer
 132       delegated = Credential(string=backup.get_xml())
 133       delegated.set_issuer_keys("/tmp/auth_key", "/tmp/auth_gid")
 134       delegated.encode()
 135       delegated.sign()
 136
 137       try:
 138          delegated.verify(['/tmp/auth_gid'])
 139          assert(1==0)
 140       except CredentialNotVerifiable:
 141          pass
 142
 143
 144       # Test that verify catches a changed gid
 145       delegated = Credential(string=backup.get_xml())
 146       delegated.set_gid_object(delegated.get_gid_caller())
 147       delegated.encode()
 148       delegated.sign()
 149
 150       try:
 151          delegated.verify(['/tmp/auth_gid'])
 152          assert(1==0)
 153       except CredentialNotVerifiable:
 154          pass
 155
 156
 157       # Test that verify catches a credential with the wrong authority for the object
 158       test = Credential(string=cred.get_xml())
 159       test.set_issuer_keys("/tmp/caller_pkey", "/tmp/caller_gid")
 160       test.encode()
 161       test.sign()
 162
 163       try:
 164          test.verify(['/tmp/auth_gid'])
 165          assert(1==0)
 166       except CredentialNotVerifiable:
 167          pass
 168
 169
 170
 171 if __name__ == "__main__":
 172     unittest.main()