util/credential.py

   1 # credential.py
   2 #
   3 # implements GENI credentials
   4 #
   5 # Credentials are layered on top of certificates, and are essentially a
   6 # certificate that stores a tuple of parameters.
   7
   8 from cert import *
   9 from rights import *
  10 from gid import *
  11 import xmlrpclib
  12
  13 # Credential is a tuple:
  14 #     (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
  15 #
  16 # These fields are encoded using xmlrpc into the subjectAltName field of the
  17 # x509 certificate. Note: Call encode() once the fields have been filled in
  18 # to perform this encoding.
  19
  20 class Credential(Certificate):
  21     gidCaller = None
  22     gidObject = None
  23     lifeTime = None
  24     privileges = None
  25     delegate = False
  26
  27     def __init__(self, create=False, subject=None, string=None, filename=None):
  28         Certificate.__init__(self, create, subject, string, filename)
  29
  30     def set_gid_caller(self, gid):
  31         self.gidCaller = gid
  32
  33     def get_gid_caller(self):
  34         if not self.gidCaller:
  35             self.decode()
  36         return self.gidCaller
  37
  38     def set_gid_object(self, gid):
  39         self.gidObject = gid
  40
  41     def get_gid_object(self):
  42         if not self.gidObject:
  43             self.decode()
  44         return self.gidObject
  45
  46     def set_lifetime(self, lifeTime):
  47         self.lifeTime = lifeTime
  48
  49     def get_lifetime(self):
  50         if not self.lifeTime:
  51             self.decode()
  52         return self.lifeTime
  53
  54     def set_delegate(self, delegate):
  55         self.delegate = delegate
  56
  57     def get_delegate(self):
  58         if not self.delegate:
  59             self.decode()
  60         return self.delegate
  61
  62     def set_privileges(self, privs):
  63         if isinstance(privs, str):
  64             self.privileges = RightList(string = privs)
  65         else:
  66             self.privileges = privs
  67
  68     def get_privileges(self):
  69         if not self.privileges:
  70             self.decode()
  71         return self.privileges
  72
  73     def can_perform(self, op_name):
  74         rights = self.get_privileges()
  75         if not rights:
  76             return False
  77         return rights.can_perform(op_name)
  78
  79     def encode(self):
  80         dict = {"gidCaller": None,
  81                 "gidObject": None,
  82                 "lifeTime": self.lifeTime,
  83                 "privileges": None,
  84                 "delegate": self.delegate}
  85         if self.gidCaller:
  86             dict["gidCaller"] = self.gidCaller.save_to_string()
  87         if self.gidObject:
  88             dict["gidObject"] = self.gidObject.save_to_string()
  89         if self.privileges:
  90             dict["privileges"] = self.privileges.save_to_string()
  91         str = xmlrpclib.dumps((dict,), allow_none=True)
  92         self.set_data(str)
  93
  94     def decode(self):
  95         data = self.get_data()
  96         if data:
  97             dict = xmlrpclib.loads(self.get_data())[0][0]
  98         else:
  99             dict = {}
 100
 101         self.lifeTime = dict.get("lifeTime", None)
 102         self.delegate = dict.get("delegate", None)
 103
 104         privStr = dict.get("privileges", None)
 105         if privStr:
 106             self.privileges = RightList(string = privStr)
 107         else:
 108             self.privileges = None
 109
 110         gidCallerStr = dict.get("gidCaller", None)
 111         if gidCallerStr:
 112             self.gidCaller = GID(string=gidCallerStr)
 113         else:
 114             self.gidCaller = None
 115
 116         gidObjectStr = dict.get("gidObject", None)
 117         if gidObjectStr:
 118             self.gidObject = GID(string=gidObjectStr)
 119         else:
 120             self.gidObject = None
 121
 122     def verify_chain(self, trusted_certs = None):
 123         # do the normal certificate verification stuff
 124         Certificate.verify_chain(self, trusted_certs)
 125
 126         if parent:
 127             # make sure the parent delegated rights to the child
 128             if not parent.delegate:
 129                 raise MissingDelegateBit(self.get_subject())
 130
 131             # XXX todo: make sure child rights are a subset of parent rights
 132
 133         return
 134
 135     def dump(self):
 136         print "CREDENTIAL", self.get_subject()
 137
 138         print "      privs:", self.get_privileges().save_to_string()
 139
 140         print "  gidCaller:"
 141         gidCaller = self.get_gid_caller()
 142         if gidCaller:
 143             gidCaller.dump(indent=8)
 144
 145         print "  gidObject:"
 146         gidObject = self.get_gid_object()
 147         if gidObject:
 148             gidObject.dump(indent=8)
 149
 150         print "   delegate:", self.get_delegate()
 151
 152
 153
 154
 155