The credential Module

Implements Geni Credentials. Credentials are layered on top of certificates, and are essentially a certificate that stores a tuple of parameters.

Credential(create=False, subject=None, string=None, filename=None) (class) [#]

Credential is a tuple: (GIDCaller, GIDObject, LifeTime, Privileges, Delegate). These fields are encoded using xmlrpc into the subjectAltName field of the x509 certificate.

For more information about this class, see The Credential Class.

The Credential Class

Credential(create=False, subject=None, string=None, filename=None) (class) [#]

Credential is a tuple: (GIDCaller, GIDObject, LifeTime, Privileges, Delegate). These fields are encoded using xmlrpc into the subjectAltName field of the x509 certificate. Note: Call encode() once the fields have been filled in to perform this encoding.

__init__(create=False, subject=None, string=None, filename=None) [#]

Create a Credential object

create
If true, create a blank x509 certificate
subject
If subject!=None, create an x509 cert with the subject name
string
If string!=None, load the credential from the string
filename
If filename!=None, load the credential from the file

can_perform(op_name) [#]

determine whether the credential allows a particular operation to be performed

op_name
string specifying name of operation ("lookup", "update", etc)

decode() [#]

Retrieve the attributes of the credential from the alt-subject-name field of the X509 certificate. This is automatically done by the various get_* methods of this class and should not need to be called explicitly.

dump(dump_parents=False) [#]

Dump the contents of a credential to stdout in human-readable format

dump_parents
If true, also dump the parent certificates

encode() [#]

Encode the attributes of the credential into a string and store that string in the alt-subject-name field of the X509 object. This should be done immediately before signing the credential.

get_delegate() [#]

get the delegate bit

get_gid_caller() [#]

get the GID of the caller

get_gid_object() [#]

get the GID of the object

get_lifetime() [#]

get the lifetime of the credential

get_privileges() [#]

return the privileges as a RightList object

set_delegate(delegate) [#]

set the delegate bit

delegate
boolean (True or False)

set_gid_caller(gid) [#]

set the GID of the caller

gid
GID object of the caller

set_gid_object(gid) [#]

set the GID of the object

gid
GID object of the object

set_lifetime(lifeTime) [#]

set the lifetime of this credential

lifeTime
lifetime of credential

set_privileges(privs) [#]

set the privileges

privs
either a comma-separated list of privileges or a RightList object

verify_chain(trusted_certs=None) [#]

Verify that a chain of credentials is valid (see cert.py:verify). In addition to the checks for ordinary certificates, verification also ensures that the delegate bit was set by each parent in the chain. If a delegate bit was not set, then an exception is thrown. The rights of each credential must be a subset of the rights of its parent.
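
The two credential-specific rules described for verify_chain (delegate bit set by every parent, child rights a subset of parent rights) can be modelled as below. This is an added example, not code from the credential module: ModelCredential, ChainError and verify_delegation are hypothetical names, the sample chain is constructed, and the certificate checks done by cert.py:verify are left out.

```python
from dataclasses import dataclass
from typing import Optional


class ChainError(Exception):
    """Raised when a delegation chain breaks one of the two rules."""


@dataclass
class ModelCredential:
    # Hypothetical stand-in for Credential: only the fields the chain rules use.
    caller: str                      # stands in for GIDCaller
    privileges: str                  # comma-separated list, as set_privileges() accepts
    delegate: bool = False           # the delegate bit
    parent: Optional["ModelCredential"] = None

    def rights(self) -> frozenset:
        # Normalise "lookup, update" into a set so subset tests are exact.
        return frozenset(p.strip() for p in self.privileges.split(",") if p.strip())


def verify_delegation(cred: ModelCredential) -> int:
    """Walk from the leaf to the root; return the number of links checked."""
    links = 0
    seen = set()
    while cred.parent is not None:
        if id(cred) in seen:         # guard against a malformed, looping chain
            raise ChainError("cycle in parent chain")
        seen.add(id(cred))
        parent = cred.parent
        # Rule 1: the parent must have allowed delegation.
        if not parent.delegate:
            raise ChainError(f"{parent.caller}: delegate bit not set")
        # Rule 2: the child may not hold a right its parent lacks.
        extra = cred.rights() - parent.rights()
        if extra:
            raise ChainError(f"{cred.caller}: rights {sorted(extra)} exceed parent")
        cred, links = parent, links + 1
    return links


# Constructed sample chain: authority -> pi -> student
root = ModelCredential("authority", "lookup,update,delete", delegate=True)
pi = ModelCredential("pi", "lookup, update", delegate=True, parent=root)
student = ModelCredential("student", "lookup", parent=pi)
```

The leaf credential does not need its own delegate bit set; only credentials that act as a parent do.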