# Credentials are signed XML files that assign a subject gid privileges to an object gid
##
-import os,sys
+import os
from types import StringTypes
import datetime
from StringIO import StringIO
if os.path.isfile(path + '/' + 'xmlsec1'):
self.xmlsec_path = path + '/' + 'xmlsec1'
break
+ if not self.xmlsec_path:
+ logger.warn("Could not locate binary for xmlsec1 - SFA will be unable to sign stuff !!")
def get_subject(self):
if not self.gidObject:
self.decode()
- return self.gidObject.get_printable_subject()
+ return self.gidObject.get_subject()
# sounds like this should be __repr__ instead ??
def get_summary_tostring(self):
if not self.gidObject:
self.decode()
return self.gidObject
-
-
##
# Expiration: an absolute UTC time of expiration (as either an int or string or datetime)
if isinstance(privs, str):
self.privileges = Rights(string = privs)
else:
- self.privileges = privs
-
+ self.privileges = privs
##
# return the privileges as a Rights object
def updateRefID(self):
if not self.parent:
- self.set_refid('ref0')
+ self.set_refid('ref0')
return []
refs = []
next_cred = self.parent
-
while next_cred:
-
refs.append(next_cred.get_refid())
if next_cred.parent:
next_cred = next_cred.parent
# you have loaded an existing signed credential, do not call encode() or sign() on it.
def sign(self):
- if not self.issuer_privkey or not self.issuer_gid:
+ if not self.issuer_privkey:
+ logger.warn("Cannot sign credential (no private key)")
+ return
+ if not self.issuer_gid:
+ logger.warn("Cannot sign credential (no issuer gid)")
return
doc = parseString(self.get_xml())
sigs = doc.getElementsByTagName("signatures")[0]
# Call out to xmlsec1 to sign it
ref = 'Sig_%s' % self.get_refid()
filename = self.save_to_random_tmp_file()
- signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
- % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
+ command='%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
+ % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)
+# print 'command',command
+ signed = os.popen(command).read()
os.remove(filename)
for gid_file in gid_files:
# Verify the gids of this cred and of its parents
for cur_cred in self.get_credential_list():
cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
- cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
+ cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
refs = []
refs.append("Sig_%s" % self.get_refid())
parentRefs = self.updateRefID()
for ref in parentRefs:
refs.append("Sig_%s" % ref)
+
for ref in refs:
# If caller explicitly passed in None that means skip xmlsec1 validation.
# Strange and not typical
msg = verified[mstart:mend]
raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
os.remove(filename)
-
+
# Verify the parents (delegation)
if self.parent:
self.verify_parent(self.parent)
+
# Make sure the issuer is the target's authority, and is
# itself a valid GID
self.verify_issuer(trusted_cert_objects)
print self.dump_string(*args, **kwargs)
- def dump_string(self, dump_parents=False):
+ def dump_string(self, dump_parents=False, show_xml=False):
result=""
result += "CREDENTIAL %s\n" % self.get_subject()
filename=self.get_filename()
print " gidIssuer:"
self.get_signature().get_issuer_gid().dump(8, dump_parents)
+ if self.expiration:
+ print " expiration:", self.expiration.isoformat()
+
gidObject = self.get_gid_object()
if gidObject:
result += " gidObject:\n"
result += "\nPARENT"
result += self.parent.dump_string(True)
+ if show_xml:
+ try:
+ tree = etree.parse(StringIO(self.xml))
+ aside = etree.tostring(tree, pretty_print=True)
+ result += "\nXML\n"
+ result += aside
+ result += "\nEnd XML\n"
+ except:
+ import traceback
+ print "exc. Credential.dump_string / XML"
+ traceback.print_exc()
+
return result