self.gid = gid\r
\r
def decode(self):\r
- doc = parseString(self.xml)\r
+ try:\r
+ doc = parseString(self.xml)\r
+ except ExpatError,e:\r
+ logger.log_exc ("Failed to parse credential, %s"%self.xml)\r
+ raise\r
sig = doc.getElementsByTagName("Signature")[0]\r
self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))\r
keyinfo = sig.getElementsByTagName("X509Data")[0]\r
# not be changed else the signature is no longer valid. So, once\r
# you have loaded an existing signed credential, do not call encode() or sign() on it.\r
\r
-def filter_creds_by_caller(creds, caller_hrn):\r
+def filter_creds_by_caller(creds, caller_hrn_list):\r
"""\r
Returns a list of creds who's gid caller matches the\r
specified caller hrn\r
"""\r
if not isinstance(creds, list): creds = [creds]\r
+ if not isinstance(caller_hrn_list, list): \r
+ caller_hrn_list = [caller_hrn_list]\r
caller_creds = []\r
for cred in creds:\r
try:\r
tmp_cred = Credential(string=cred)\r
- if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:\r
+ if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list:\r
caller_creds.append(cred)\r
except: pass\r
return caller_creds\r
# But we haven't verified that it is _signed by_ an authority\r
# We also don't know if xmlsec1 requires that cert signers\r
# are marked as CAs.\r
- root_cred_signer.verify_chain(trusted_gids)\r
+\r
+ # Note that if verify() gave us no trusted_gids then this\r
+ # call will fail. So skip it if we have no trusted_gids\r
+ if trusted_gids and len(trusted_gids) > 0:\r
+ root_cred_signer.verify_chain(trusted_gids)\r
+ else:\r
+ logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.")\r
\r
# See if the signer is an authority over the domain of the target.\r
# There are multiple types of authority - accept them all here\r