git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'upstreammaster'
[sfa.git] / sfa / trust / credential.py
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index d3ac324..8fd11e8 100644 (file)
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -40,10 +40,11 @@ try:
 except:
     pass
 
-from sfa.util.faults import *
+from xml.parsers.expat import ExpatError
+
+from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent
 from sfa.util.sfalogging import logger
 from sfa.util.sfatime import utcparse
-from sfa.trust.certificate import Keypair
 from sfa.trust.credential_legacy import CredentialLegacy
 from sfa.trust.rights import Right, Rights, determine_rights
 from sfa.trust.gid import GID
@@ -180,7 +181,11 @@ class Signature(object):
         self.gid = gid
 
     def decode(self):
-        doc = parseString(self.xml)
+        try:
+            doc = parseString(self.xml)
+        except ExpatError,e:
+            logger.log_exc ("Failed to parse credential, %s"%self.xml)
+            raise
         sig = doc.getElementsByTagName("Signature")[0]
         self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
         keyinfo = sig.getElementsByTagName("X509Data")[0]
@@ -205,17 +210,19 @@ class Signature(object):
 # not be changed else the signature is no longer valid.  So, once
 # you have loaded an existing signed credential, do not call encode() or sign() on it.
 
-def filter_creds_by_caller(creds, caller_hrn):
+def filter_creds_by_caller(creds, caller_hrn_list):
         """
         Returns a list of creds who's gid caller matches the
         specified caller hrn
         """
         if not isinstance(creds, list): creds = [creds]
+        if not isinstance(caller_hrn_list, list): 
+            caller_hrn_list = [caller_hrn_list]
         caller_creds = []
         for cred in creds:
             try:
                 tmp_cred = Credential(string=cred)
-                if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+                if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list:
                     caller_creds.append(cred)
             except: pass
         return caller_creds
@@ -924,7 +931,13 @@ class Credential(object):
         # But we haven't verified that it is _signed by_ an authority
         # We also don't know if xmlsec1 requires that cert signers
         # are marked as CAs.
-        root_cred_signer.verify_chain(trusted_gids)
+
+        # Note that if verify() gave us no trusted_gids then this
+        # call will fail. So skip it if we have no trusted_gids
+        if trusted_gids and len(trusted_gids) > 0:
+            root_cred_signer.verify_chain(trusted_gids)
+        else:
+            logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.")
 
         # See if the signer is an authority over the domain of the target.
         # There are multiple types of authority - accept them all here
sfa