except:\r
pass\r
\r
-from sfa.util.faults import *\r
+from xml.parsers.expat import ExpatError\r
+\r
+from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent\r
from sfa.util.sfalogging import logger\r
from sfa.util.sfatime import utcparse\r
-from sfa.trust.certificate import Keypair\r
from sfa.trust.credential_legacy import CredentialLegacy\r
from sfa.trust.rights import Right, Rights, determine_rights\r
from sfa.trust.gid import GID\r
from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn\r
\r
# 2 weeks, in seconds \r
-DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14\r
+DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31\r
\r
\r
# TODO:\r
self.gid = gid\r
\r
def decode(self):\r
- doc = parseString(self.xml)\r
+ try:\r
+ doc = parseString(self.xml)\r
+ except ExpatError,e:\r
+ logger.log_exc ("Failed to parse credential, %s"%self.xml)\r
+ raise\r
sig = doc.getElementsByTagName("Signature")[0]\r
self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))\r
keyinfo = sig.getElementsByTagName("X509Data")[0]\r
# not be changed else the signature is no longer valid. So, once\r
# you have loaded an existing signed credential, do not call encode() or sign() on it.\r
\r
-def filter_creds_by_caller(creds, caller_hrn):\r
+def filter_creds_by_caller(creds, caller_hrn_list):\r
"""\r
Returns a list of creds who's gid caller matches the\r
specified caller hrn\r
"""\r
if not isinstance(creds, list): creds = [creds]\r
+ if not isinstance(caller_hrn_list, list): \r
+ caller_hrn_list = [caller_hrn_list]\r
caller_creds = []\r
for cred in creds:\r
try:\r
tmp_cred = Credential(string=cred)\r
- if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:\r
+ if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list:\r
caller_creds.append(cred)\r
except: pass\r
return caller_creds\r
self.decode()\r
return self.gidObject.get_printable_subject()\r
\r
+ # sounds like this should be __repr__ instead ??\r
def get_summary_tostring(self):\r
if not self.gidObject:\r
self.decode()\r
if not self.gidObject:\r
self.decode()\r
return self.gidObject\r
-\r
-\r
\r
##\r
# Expiration: an absolute UTC time of expiration (as either an int or string or datetime)\r
if isinstance(privs, str):\r
self.privileges = Rights(string = privs)\r
else:\r
- self.privileges = privs\r
- \r
+ self.privileges = privs \r
\r
##\r
# return the privileges as a Rights object\r
# But we haven't verified that it is _signed by_ an authority\r
# We also don't know if xmlsec1 requires that cert signers\r
# are marked as CAs.\r
- root_cred_signer.verify_chain(trusted_gids)\r
+\r
+ # Note that if verify() gave us no trusted_gids then this\r
+ # call will fail. So skip it if we have no trusted_gids\r
+ if trusted_gids and len(trusted_gids) > 0:\r
+ root_cred_signer.verify_chain(trusted_gids)\r
+ else:\r
+ logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.")\r
\r
# See if the signer is an authority over the domain of the target.\r
# There are multiple types of authority - accept them all here\r