##
# Implements SFA Credentials
#
-# Credentials are layered on top of certificates, and are essentially a
-# certificate that stores a tuple of parameters.
+# Credentials are signed XML files that assign a subject gid privileges to an object gid
##
### $Id$
### $URL$
-import xmlrpclib
-import random
import os
+import datetime
+from xml.dom.minidom import Document, parseString
+from tempfile import mkstemp
-
-import xml.dom.minidom
-from xml.dom.minidom import Document
from sfa.trust.credential_legacy import CredentialLegacy
-from sfa.trust.certificate import Certificate
from sfa.trust.rights import *
from sfa.trust.gid import *
from sfa.util.faults import *
-from sfa.util.sfalogging import *
+
+from sfa.util.sfalogging import logger
+from dateutil.parser import parse
+
+
+
+# Two years, in seconds
+DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
# TODO:
-# . Need to verify credentials
-# . Need to add privileges (make PG and PL privs work together and add delegation per privelege instead of global)
-# . Need to fix lifetime
-# . Need to make sure delegation is fully supported
-# . Need to test
+# . make privs match between PG and PL
+# . Need to add support for other types of credentials, e.g. tickets
+
+
signature_template = \
'''
</Signature>
'''
+##
+# Convert a string into a bool
+
+def str2bool(str):
+ if str.lower() in ['yes','true','1']:
+ return True
+ return False
+
+##
+# Utility function to get the text of an XML element
+
+def getTextNode(element, subele):
+ sub = element.getElementsByTagName(subele)[0]
+ if len(sub.childNodes) > 0:
+ return sub.childNodes[0].nodeValue
+ else:
+ return None
+
+##
+# Utility function to set the text of an XML element
+# It creates the element, adds the text to it,
+# and then appends it to the parent.
+
+def append_sub(doc, parent, element, text):
+ ele = doc.createElement(element)
+ ele.appendChild(doc.createTextNode(text))
+ parent.appendChild(ele)
+
+##
+# Signature contains information about an xmlsec1 signature
+# for a signed-credential
+#
+
+class Signature(object):
+
+
+ def __init__(self, string=None):
+ self.refid = None
+ self.issuer_gid = None
+ self.xml = None
+ if string:
+ self.xml = string
+ self.decode()
+
+
+
+ def get_refid(self):
+ if not self.refid:
+ self.decode()
+ return self.refid
+
+ def get_xml(self):
+ if not self.xml:
+ self.encode()
+ return self.xml
+
+ def set_refid(self, id):
+ self.refid = id
+
+ def get_issuer_gid(self):
+ if not self.gid:
+ self.decode()
+ return self.gid
+
+ def set_issuer_gid(self, gid):
+ self.gid = gid
+
+ def decode(self):
+ doc = parseString(self.xml)
+ sig = doc.getElementsByTagName("Signature")[0]
+ self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
+ keyinfo = sig.getElementsByTagName("X509Data")[0]
+ szgid = getTextNode(keyinfo, "X509Certificate")
+ szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid
+ self.set_issuer_gid(GID(string=szgid))
+
+ def encode(self):
+ self.xml = signature_template % (self.get_refid(), self.get_refid())
##
-# Credential is a tuple:
-# (GIDCaller, GIDObject, LifeTime, Privileges, DelegateBit)
+# A credential provides a caller gid with privileges to an object gid.
+# A signed credential is signed by the object's authority.
#
-# These fields are encoded in one of two ways. The legacy style places
+# Credentials are encoded in one of two ways. The legacy style places
# it in the subjectAltName of an X509 certificate. The new credentials
# are placed in signed XML.
+#
+# WARNING:
+# In general, a signed credential obtained externally should
+# not be changed else the signature is no longer valid. So, once
+# you have loaded an existing signed credential, do not call encode() or sign() on it.
class Credential(object):
- gidCaller = None
- gidObject = None
- lifeTime = None
- privileges = None
- delegate = False
- issuer_privkey = None
- issuer_gid = None
- issuer_pubkey = None
- parent = None
- xml = None
+
##
# Create a Credential object
# @param filename If filename!=None, load the credential from the file
def __init__(self, create=False, subject=None, string=None, filename=None):
+ self.gidCaller = None
+ self.gidObject = None
+ self.expiration = None
+ self.privileges = None
+ self.issuer_privkey = None
+ self.issuer_gid = None
+ self.issuer_pubkey = None
+ self.parent = None
+ self.signature = None
+ self.xml = None
+ self.refid = None
+ self.legacy = None
+
+
+
# Check if this is a legacy credential, translate it if so
if string or filename:
str = file(filename).read()
if str.strip().startswith("-----"):
+ self.legacy = CredentialLegacy(False,string=str)
self.translate_legacy(str)
else:
self.xml = str
- # Let's not mess around with invalid credentials
- self.verify_chain()
+ self.decode()
+
+ # Find an xmlsec1 path
+ self.xmlsec_path = ''
+ paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
+ for path in paths:
+ if os.path.isfile(path + '/' + 'xmlsec1'):
+ self.xmlsec_path = path + '/' + 'xmlsec1'
+ break
+
+ def get_signature(self):
+ if not self.signature:
+ self.decode()
+ return self.signature
+
+ def set_signature(self, sig):
+ self.signature = sig
+
+
##
# Translate a legacy credential into a new one
#
legacy = CredentialLegacy(False,string=str)
self.gidCaller = legacy.get_gid_caller()
self.gidObject = legacy.get_gid_object()
+ lifetime = legacy.get_lifetime()
+ if not lifetime:
+ # Default to two years
+ self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+ else:
+ self.set_lifetime(int(lifetime))
self.lifeTime = legacy.get_lifetime()
- self.privileges = legacy.get_privileges()
- self.delegate = legacy.get_delegate()
+ self.set_privileges(legacy.get_privileges())
+ self.get_privileges().delegate_all_privileges(legacy.get_delegate())
##
# Need the issuer's private key and name
self.issuer_privkey = privkey
self.issuer_gid = gid
- def set_pubkey(self, pubkey):
- self.issuer_pubkey = pubkey
+ ##
+ # Set this credential's parent
def set_parent(self, cred):
self.parent = cred
+ self.updateRefID()
##
# set the GID of the caller
# set the lifetime of this credential
#
# @param lifetime lifetime of credential
+ # . if lifeTime is a datetime object, it is used for the expiration time
+ # . if lifeTime is an integer value, it is considered the number of seconds
+ # remaining before expiration
def set_lifetime(self, lifeTime):
- self.lifeTime = lifeTime
+ if isinstance(lifeTime, int):
+ self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
+ else:
+ self.expiration = lifeTime
##
- # get the lifetime of the credential
+ # get the lifetime of the credential (in datetime format)
def get_lifetime(self):
- if not self.lifeTime:
+ if not self.expiration:
self.decode()
- return self.lifeTime
-
- ##
- # set the delegate bit
- #
- # @param delegate boolean (True or False)
-
- def set_delegate(self, delegate):
- self.delegate = delegate
-
- ##
- # get the delegate bit
-
- def get_delegate(self):
- if not self.delegate:
- self.decode()
- return self.delegate
+ return self.expiration
+
##
# set the privileges
#
self.privileges = RightList(string = privs)
else:
self.privileges = privs
+
##
# return the privileges as a RightList object
def can_perform(self, op_name):
rights = self.get_privileges()
+
if not rights:
return False
+
return rights.can_perform(op_name)
- def append_sub(self, doc, parent, element, text):
- ele = doc.createElement(element)
- ele.appendChild(doc.createTextNode(text))
- parent.appendChild(ele)
##
# Encode the attributes of the credential into an XML string
# This should be done immediately before signing the credential.
+ # WARNING:
+ # In general, a signed credential obtained externally should
+ # not be changed else the signature is no longer valid. So, once
+ # you have loaded an existing signed credential, do not call encode() or sign() on it.
def encode(self):
-
- # Get information from the parent credential
- if self.parent:
- p_doc = xml.dom.minidom.parseString(self.parent)
- p_signed_cred = p_doc.getElementsByTagName("signed-credential")[0]
- p_cred = p_signed_cred.getElementsByTagName("credential")[0]
- p_signatures = p_signed_cred.getElementsByTagName("signatures")[0]
- p_sigs = p_signatures.getElementsByTagName("Signature")
-
# Create the XML document
doc = Document()
signed_cred = doc.createElement("signed-credential")
doc.appendChild(signed_cred)
-
- # Fill in the <credential> bit
- refid = "ref1"
+ # Fill in the <credential> bit
cred = doc.createElement("credential")
- cred.setAttribute("xml:id", refid)
+ cred.setAttribute("xml:id", self.get_refid())
signed_cred.appendChild(cred)
- self.append_sub(doc, cred, "type", "privilege")
- self.append_sub(doc, cred, "serial", "8")
- self.append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
- self.append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
- self.append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
- self.append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
- self.append_sub(doc, cred, "uuid", "")
- self.append_sub(doc, cred, "expires", str(self.lifeTime))
- priveleges = doc.createElement("privileges")
- cred.appendChild(priveleges)
+ append_sub(doc, cred, "type", "privilege")
+ append_sub(doc, cred, "serial", "8")
+ append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
+ append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
+ append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
+ append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
+ append_sub(doc, cred, "uuid", "")
+ if not self.expiration:
+ self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
+ self.expiration = self.expiration.replace(microsecond=0)
+ append_sub(doc, cred, "expires", self.expiration.isoformat())
+ privileges = doc.createElement("privileges")
+ cred.appendChild(privileges)
if self.privileges:
- rights = self.privileges.save_to_string().split(",")
- for right in rights:
- priv = doc.createElement("privelege")
- priv.append_sub(doc, priv, "name", right.strip())
- priv.append_sub(doc, priv, "can_delegate", str(self.delegate))
- priveleges.appendChild(priv)
+ rights = self.get_privileges()
+ for right in rights.rights:
+ priv = doc.createElement("privilege")
+ append_sub(doc, priv, "name", right.kind)
+ append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
+ privileges.appendChild(priv)
# Add the parent credential if it exists
if self.parent:
- cred.appendChild(doc.createElement("parent").appendChild(p_cred))
-
+ sdoc = parseString(self.parent.get_xml())
+ p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
+ p = doc.createElement("parent")
+ p.appendChild(p_cred)
+ cred.appendChild(p)
- signed_cred.appendChild(cred)
-
- # Fill in the <signature> bit
+ # Create the <signatures> tag
signatures = doc.createElement("signatures")
-
- sz_sig = signature_template % (refid,refid)
-
- sdoc = xml.dom.minidom.parseString(sz_sig)
- sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
- signatures.appendChild(sig_ele)
-
+ signed_cred.appendChild(signatures)
# Add any parent signatures
if self.parent:
- for sig in p_sigs:
- signatures.appendChild(sig)
-
- signed_cred.appendChild(signatures)
+ cur_cred = self.parent
+ while cur_cred:
+ sdoc = parseString(cur_cred.get_signature().get_xml())
+ ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
+ signatures.appendChild(ele)
+
+ if cur_cred.parent:
+ cur_cred = cur_cred.parent
+ else:
+ cur_cred = None
+
# Get the finished product
self.xml = doc.toxml()
- #print doc.toprettyxml()
-
+ def save_to_random_tmp_file(self):
+ fp, filename = mkstemp(suffix='cred', text=True)
+ fp = os.fdopen(fp, "w")
+ self.save_to_file(filename, save_parents=True, filep=fp)
+ return filename
+
+ def save_to_file(self, filename, save_parents=True, filep=None):
+ if not self.xml:
+ self.encode()
+ if filep:
+ f = filep
+ else:
+ f = open(filename, "w")
+ f.write(self.xml)
+ f.close()
- def save_to_string(self):
+ def save_to_string(self, save_parents=True):
if not self.xml:
self.encode()
return self.xml
- def sign(self):
+ def get_refid(self):
+ if not self.refid:
+ self.refid = 'ref0'
+ return self.refid
+
+ def set_refid(self, rid):
+ self.refid = rid
+
+ ##
+ # Figure out what refids exist, and update this credential's id
+ # so that it doesn't clobber the others. Returns the refids of
+ # the parents.
+
+ def updateRefID(self):
+ if not self.parent:
+ self.set_refid('ref0')
+ return []
+
+ refs = []
+
+ next_cred = self.parent
+ while next_cred:
+ refs.append(next_cred.get_refid())
+ if next_cred.parent:
+ next_cred = next_cred.parent
+ else:
+ next_cred = None
+
+
+ # Find a unique refid for this credential
+ rid = self.get_refid()
+ while rid in refs:
+ val = int(rid[3:])
+ rid = "ref%d" % (val + 1)
+
+ # Set the new refid
+ self.set_refid(rid)
+
+ # Return the set of parent credential ref ids
+ return refs
+
+ def get_xml(self):
if not self.xml:
self.encode()
-
- # Call out to xmlsec1 to sign it
- XMLSEC = '/usr/bin/xmlsec1'
+ return self.xml
- filename = "/tmp/cred_%d" % random.randint(0,999999999)
- f = open(filename, "w")
- f.write(self.xml);
- f.close()
- signed = os.popen('/usr/bin/xmlsec1 --sign --node-id "%s" --privkey-pem %s,%s %s' \
- % ('ref1', self.issuer_privkey, self.issuer_gid, filename)).read()
+ ##
+ # Sign the XML file created by encode()
+ #
+ # WARNING:
+ # In general, a signed credential obtained externally should
+ # not be changed else the signature is no longer valid. So, once
+ # you have loaded an existing signed credential, do not call encode() or sign() on it.
+
+ def sign(self):
+ if not self.issuer_privkey or not self.issuer_gid:
+ return
+ doc = parseString(self.get_xml())
+ sigs = doc.getElementsByTagName("signatures")[0]
+
+ # Create the signature template to be signed
+ signature = Signature()
+ signature.set_refid(self.get_refid())
+ sdoc = parseString(signature.get_xml())
+ sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
+ sigs.appendChild(sig_ele)
+
+ self.xml = doc.toxml()
+
+
+ # Split the issuer GID into multiple certificates if it's a chain
+ chain = GID(filename=self.issuer_gid)
+ gid_files = []
+ while chain:
+ gid_files.append(chain.save_to_random_tmp_file(False))
+ if chain.get_parent():
+ chain = chain.get_parent()
+ else:
+ chain = None
+
+
+ # Call out to xmlsec1 to sign it
+ ref = 'Sig_%s' % self.get_refid()
+ filename = self.save_to_random_tmp_file()
+ signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
+ % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
os.remove(filename)
+ for gid_file in gid_files:
+ os.remove(gid_file)
+
self.xml = signed
- def getTextNode(self, element, subele):
- sub = element.getElementsByTagName(subele)[0]
- return sub.childNodes[0].nodeValue
+ # This is no longer a legacy credential
+ if self.legacy:
+ self.legacy = None
+
+ # Update signatures
+ self.decode()
+
+
+
##
# Retrieve the attributes of the credential from the XML.
- # This is automatically caleld by the various get_* methods of
+ # This is automatically called by the various get_* methods of
# this class and should not need to be called explicitly.
def decode(self):
- p_doc = xml.dom.minidom.parseString(self.xml)
- p_signed_cred = p_doc.getElementsByTagName("signed-credential")[0]
- p_cred = p_signed_cred.getElementsByTagName("credential")[0]
- p_signatures = p_signed_cred.getElementsByTagName("signatures")[0]
- p_sigs = p_signatures.getElementsByTagName("Signature")
-
- self.lifeTime = self.getTextNode(p_cred, "expires")
- self.gidCaller = GID(string=self.getTextNode(p_cred, "owner_gid"))
- self.gidObject = GID(string=self.getTextNode(p_cred, "target_gid"))
- privs = p_cred.getElementsByTagName("priveleges")[0]
- sz_privs = ''
- delegates = []
- for priv in privs.getElementsByTagName("privelege"):
- sz_privs += self.getTextNode(priv, "name")
- sz_privs += ", "
- delegates.append(self.getTextNode(priv, "can_delegate"))
-
- # Can we delegate?
- delegate = False
- if "false" not in delegates:
- self.delegate = True
-
- # Make the rights list
- sz_privs.rstrip(", ")
- self.priveleges = RightList(string=sz_privs)
- self.delegate
-
-
-## ##
-## # Retrieve the attributes of the credential from the alt-subject-name field
-## # of the X509 certificate. This is automatically done by the various
-## # get_* methods of this class and should not need to be called explicitly.
-
-## def decode(self):
-## data = self.get_data().lstrip('URI:http://')
+ if not self.xml:
+ return
+ doc = parseString(self.xml)
+ sigs = []
+ signed_cred = doc.getElementsByTagName("signed-credential")
+
+ # Is this a signed-cred or just a cred?
+ if len(signed_cred) > 0:
+ cred = signed_cred[0].getElementsByTagName("credential")[0]
+ signatures = signed_cred[0].getElementsByTagName("signatures")
+ if len(signatures) > 0:
+ sigs = signatures[0].getElementsByTagName("Signature")
+ else:
+ cred = doc.getElementsByTagName("credential")[0]
-## if data:
-## dict = xmlrpclib.loads(data)[0][0]
-## else:
-## dict = {}
-
-## self.lifeTime = dict.get("lifeTime", None)
-## self.delegate = dict.get("delegate", None)
-
-## privStr = dict.get("privileges", None)
-## if privStr:
-## self.privileges = RightList(string = privStr)
-## else:
-## self.privileges = None
-
-## gidCallerStr = dict.get("gidCaller", None)
-## if gidCallerStr:
-## self.gidCaller = GID(string=gidCallerStr)
-## else:
-## self.gidCaller = None
-
-## gidObjectStr = dict.get("gidObject", None)
-## if gidObjectStr:
-## self.gidObject = GID(string=gidObjectStr)
-## else:
-## self.gidObject = None
+ self.set_refid(cred.getAttribute("xml:id"))
+ self.set_lifetime(parse(getTextNode(cred, "expires")))
+ self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
+ self.gidObject = GID(string=getTextNode(cred, "target_gid"))
+
+
+ # Process privileges
+ privs = cred.getElementsByTagName("privileges")[0]
+ rlist = RightList()
+ for priv in privs.getElementsByTagName("privilege"):
+ kind = getTextNode(priv, "name")
+ deleg = str2bool(getTextNode(priv, "can_delegate"))
+ if kind == '*':
+ # Convert * into the default privileges for the credential's type
+ _ , type = urn_to_hrn(self.gidObject.get_urn())
+ rl = rlist.determine_rights(type, self.gidObject.get_urn())
+ for r in rl.rights:
+ rlist.add(r)
+ else:
+ rlist.add(Right(kind.strip(), deleg))
+ self.set_privileges(rlist)
+
+
+ # Is there a parent?
+ parent = cred.getElementsByTagName("parent")
+ if len(parent) > 0:
+ parent_doc = parent[0].getElementsByTagName("credential")[0]
+ parent_xml = parent_doc.toxml()
+ self.parent = Credential(string=parent_xml)
+ self.updateRefID()
+
+ # Assign the signatures to the credentials
+ for sig in sigs:
+ Sig = Signature(string=sig.toxml())
+
+ cur_cred = self
+ while cur_cred:
+ if cur_cred.get_refid() == Sig.get_refid():
+ cur_cred.set_signature(Sig)
+
+ if cur_cred.parent:
+ cur_cred = cur_cred.parent
+ else:
+ cur_cred = None
+
+
##
- # Verify for the initial credential:
- # 1. That the signature is valid
- # 2. That the xml signer's certificate matches the object's certificate
- # 3. That the urns match those in the gids
+ # Verify that:
+ # . All of the signatures are valid and that the issuers trace back
+ # to trusted roots (performed by xmlsec1)
+ # . The XML matches the credential schema
+ # . That the issuer of the credential is the authority in the target's urn
+ # . In the case of a delegated credential, this must be true of the root
+ # . That all of the gids presented in the credential are valid
+ #
+ # -- For Delegates (credentials with parents)
+ # . The privileges must be a subset of the parent credentials
+ # . The privileges must have "can_delegate" set for each delegated privilege
+ # . The target gid must be the same between child and parents
+ # . The expiry time on the child must be no later than the parent
+ # . The signer of the child must be the owner of the parent
+ #
+ # -- Verify does *NOT*
+ # . ensure that an xmlrpc client's gid matches a credential gid, that
+ # must be done elsewhere
#
- # Verify for the delegated credentials:
- # 1. That the signature is valid
+ # @param trusted_certs: The certificates of trusted CA certificates
- # 4.
- # 3. That the object's certificate stays the s
- # 2. That the GID of the
-
- #def verify(self, trusted_certs = None):
+ def verify(self, trusted_certs):
+ if not self.xml:
+ self.decode()
+
+ trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
+
+ # Use legacy verification if this is a legacy credential
+ if self.legacy:
+ self.legacy.verify_chain(trusted_cert_objects)
+ if self.legacy.client_gid:
+ self.legacy.client_gid.verify_chain(trusted_cert_objects)
+ if self.legacy.object_gid:
+ self.legacy.object_gid.verify_chain(trusted_cert_objects)
+ return True
+
+ # Verify the signatures
+ filename = self.save_to_random_tmp_file()
+ cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
+
+ # Verify the gids of this cred and of its parents
+
+ cur_cred = self
+ while cur_cred:
+ cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
+ cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
+ if cur_cred.parent:
+ cur_cred = cur_cred.parent
+ else:
+ cur_cred = None
+ refs = []
+ refs.append("Sig_%s" % self.get_refid())
+
+ parentRefs = self.updateRefID()
+ for ref in parentRefs:
+ refs.append("Sig_%s" % ref)
+
+ for ref in refs:
+ verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
+ % (self.xmlsec_path, ref, cert_args, filename)).read()
+ if not verified.strip().startswith("OK"):
+ raise CredentialNotVerifiable("xmlsec1 error: " + verified)
+ os.remove(filename)
+ # Verify the parents (delegation)
+ if self.parent:
+ self.verify_parent(self.parent)
+ # Make sure the issuer is the target's authority
+ self.verify_issuer()
+ return True
+
##
- # Verify that a chain of credentials is valid (see cert.py:verify). In
- # addition to the checks for ordinary certificates, verification also
- # ensures that the delegate bit was set by each parent in the chain. If
- # a delegate bit was not set, then an exception is thrown.
- #
- # Each credential must be a subset of the rights of the parent.
+ # Make sure the issuer of this credential is the target's authority
+ def verify_issuer(self):
+ target_authority = get_authority(self.get_gid_object().get_urn())
- def verify_chain(self, trusted_certs = None):
- # do the normal certificate verification stuff
- Certificate.verify_chain(self, trusted_certs)
+
+ # Find the root credential's signature
+ cur_cred = self
+ while cur_cred:
+ if cur_cred.parent:
+ cur_cred = cur_cred.parent
+ else:
+ root_issuer = cur_cred.get_signature().get_issuer_gid().get_urn()
+ cur_cred = None
- if self.parent:
- # make sure the parent delegated rights to the child
- if not self.parent.get_delegate():
- raise MissingDelegateBit(self.parent.get_subject())
+ # Ensure that the signer of the root credential is the target_authority
+ target_authority = hrn_to_urn(target_authority, 'authority')
- # make sure the rights given to the child are a subset of the
- # parents rights
- if not self.parent.get_privileges().is_superset(self.get_privileges()):
- raise ChildRightsNotSubsetOfParent(self.get_subject()
- + " " + self.parent.get_privileges().save_to_string()
- + " " + self.get_privileges().save_to_string())
+ if root_issuer != target_authority:
+ raise CredentialNotVerifiable("issuer (%s) != authority of target (%s)" \
+ % (root_issuer, target_authority))
- return
+ ##
+ # -- For Delegates (credentials with parents) verify that:
+ # . The privileges must be a subset of the parent credentials
+ # . The privileges must have "can_delegate" set for each delegated privilege
+ # . The target gid must be the same between child and parents
+ # . The expiry time on the child must be no later than the parent
+ # . The signer of the child must be the owner of the parent
+
+ def verify_parent(self, parent_cred):
+ # make sure the rights given to the child are a subset of the
+ # parents rights (and check delegate bits)
+ if not parent_cred.get_privileges().is_superset(self.get_privileges()):
+ raise ChildRightsNotSubsetOfParent(
+ self.parent.get_privileges().save_to_string() + " " +
+ self.get_privileges().save_to_string())
+
+ # make sure my target gid is the same as the parent's
+ if not parent_cred.get_gid_object().save_to_string() == \
+ self.get_gid_object().save_to_string():
+ raise CredentialNotVerifiable("target gid not equal between parent and child")
+
+ # make sure my expiry time is <= my parent's
+ if not parent_cred.get_lifetime() >= self.get_lifetime():
+ raise CredentialNotVerifiable("delegated credential expires after parent")
+
+ # make sure my signer is the parent's caller
+ if not parent_cred.get_gid_caller().save_to_string(False) == \
+ self.get_signature().get_issuer_gid().save_to_string(False):
+ raise CredentialNotVerifiable("delegated credential not signed by parent caller")
+
+ if parent_cred.parent:
+ parent_cred.verify_parent(parent_cred.parent)
##
# Dump the contents of a credential to stdout in human-readable format
if gidObject:
gidObject.dump(8, dump_parents)
- print " delegate:", self.get_delegate()
if self.parent and dump_parents:
- print "PARENT",
- self.parent.dump(dump_parents)
+ print "PARENT",
+ self.parent.dump_parents()
git://git.onelab.eu / sfa.git / blobdiff