# Credentials are signed XML files that assign a subject gid privileges to an object gid
##
-import os,sys
+import os
from types import StringTypes
import datetime
from StringIO import StringIO
def get_refid(self):
- #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid\ self.refid %s " %(self.refid)
if not self.refid:
self.decode()
- #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid self.refid %s " %(self.refid)
return self.refid
def get_xml(self):
# @param string If string!=None, load the credential from the string
# @param filename If filename!=None, load the credential from the file
# FIXME: create and subject are ignored!
- def __init__(self, create=False, subject=None, string=None, filename=None):
+ def __init__(self, create=False, subject=None, string=None, filename=None, cred=None):
self.gidCaller = None
self.gidObject = None
self.expiration = None
self.xml = None
self.refid = None
self.legacy = None
+ self.type = None
+ self.version = None
+
+ if cred:
+ if isinstance(cred, StringTypes):
+ string = cred
+ self.type = 'geni_sfa'
+ self.version = '1.0'
+ elif isinstance(cred, dict):
+ string = cred['geni_value']
+ self.type = cred['geni_type']
+ self.version = cred['geni_version']
+
# Check if this is a legacy credential, translate it if so
if string or filename:
break
def get_subject(self):
+ subject = ""
if not self.gidObject:
self.decode()
- return self.gidObject.get_printable_subject()
+ if self.gidObject:
+ subject = self.gidObject.get_printable_subject()
+ return subject
# sounds like this should be __repr__ instead ??
def get_summary_tostring(self):
if not self.gidObject:
self.decode()
return self.gidObject
-
-
##
# Expiration: an absolute UTC time of expiration (as either an int or string or datetime)
if isinstance(privs, str):
self.privileges = Rights(string = privs)
else:
- self.privileges = privs
-
+ self.privileges = privs
##
# return the privileges as a Rights object
# Below throws InUse exception if we forgot to clone the attribute first
oldAttr = signed_cred.setAttributeNode(attr.cloneNode(True))
if oldAttr and oldAttr.value != attr.value:
- msg = "Delegating cred from owner %s to %s over %s replaced attribute %s value '%s' with '%s'" % (self.parent.gidCaller.get_urn(), self.gidCaller.get_urn(), self.gidObject.get_urn(), oldAttr.name, oldAttr.value, attr.value)
+ msg = "Delegating cred from owner %s to %s over %s:\n - Replaced attribute %s value '%s' with '%s'" % (self.parent.gidCaller.get_urn(), self.gidCaller.get_urn(), self.gidObject.get_urn(), oldAttr.name, oldAttr.value, attr.value)
logger.warn(msg)
#raise CredentialNotVerifiable("Can't encode new valid delegated credential: %s" % msg)
def updateRefID(self):
if not self.parent:
- self.set_refid('ref0')
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred ref0 "
+ self.set_refid('ref0')
return []
refs = []
next_cred = self.parent
-
while next_cred:
-
refs.append(next_cred.get_refid())
if next_cred.parent:
next_cred = next_cred.parent
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred "
else:
next_cred = None
- #print>>sys.stderr, " \r\n \r\n updateRefID next_cred NONE"
# Find a unique refid for this credential
def decode(self):
if not self.xml:
return
+
+ doc = None
+ try:
+ doc = parseString(self.xml)
+ except ExpatError,e:
+ raise CredentialNotVerifiable("Malformed credential")
doc = parseString(self.xml)
sigs = []
signed_cred = doc.getElementsByTagName("signed-credential")
# Failures here include unreadable files
# or non PEM files
trusted_cert_objects.append(GID(filename=f))
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs %s" %(GID(filename=f).get_hrn())
ok_trusted_certs.append(f)
except Exception, exc:
- logger.error("Failed to load trusted cert from %s: %r", f, exc)
+ logger.error("Failed to load trusted cert from %s: %r"%( f, exc))
trusted_certs = ok_trusted_certs
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs elemnebts %s" %(len(trusted_certs))
# Use legacy verification if this is a legacy credential
if self.legacy:
# Verify the gids of this cred and of its parents
for cur_cred in self.get_credential_list():
cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
- cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify cur_cred get_gid_object hrn %s get_gid_caller %s" %(cur_cred.get_gid_object().get_hrn(),cur_cred.get_gid_caller().get_hrn())
+ cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
refs = []
refs.append("Sig_%s" % self.get_refid())
parentRefs = self.updateRefID()
for ref in parentRefs:
refs.append("Sig_%s" % ref)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs refs", ref
+
for ref in refs:
# If caller explicitly passed in None that means skip xmlsec1 validation.
# Strange and not typical
# (self.xmlsec_path, ref, cert_args, filename)
verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
% (self.xmlsec_path, ref, cert_args, filename)).read()
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify filename %s verified %s " %(filename,verified)
if not verified.strip().startswith("OK"):
# xmlsec errors have a msg= which is the interesting bit.
mstart = verified.find("msg=")
msg = verified[mstart:mend]
raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))
os.remove(filename)
-
- #print>>sys.stderr, " \r\n \t\t\t credential.py HUMMM parents %s", self.parent
+
# Verify the parents (delegation)
if self.parent:
self.verify_parent(self.parent)
- #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs parents"
+
# Make sure the issuer is the target's authority, and is
# itself a valid GID
self.verify_issuer(trusted_cert_objects)
# . The expiry time on the child must be no later than the parent
# . The signer of the child must be the owner of the parent
def verify_parent(self, parent_cred):
- #print>>sys.stderr, " \r\n\r\n \t verify_parent parent_cred.get_gid_caller().save_to_string(False) %s self.get_signature().get_issuer_gid().save_to_string(False) %s" %(parent_cred.get_gid_caller().get_hrn(),self.get_signature().get_issuer_gid().get_hrn())
# make sure the rights given to the child are a subset of the
# parents rights (and check delegate bits)
if not parent_cred.get_privileges().is_superset(self.get_privileges()):
result += "CREDENTIAL %s\n" % self.get_subject()
filename=self.get_filename()
if filename: result += "Filename %s\n"%filename
- result += " privs: %s\n" % self.get_privileges().save_to_string()
+ privileges = self.get_privileges()
+ if privileges:
+ result += " privs: %s\n" % privileges.save_to_string()
+ else:
+ result += " privs: \n"
gidCaller = self.get_gid_caller()
if gidCaller:
result += " gidCaller:\n"
print " gidIssuer:"
self.get_signature().get_issuer_gid().dump(8, dump_parents)
+ if self.expiration:
+ print " expiration:", self.expiration.isoformat()
+
gidObject = self.get_gid_object()
if gidObject:
result += " gidObject:\n"