### $Id$
### $URL$
-import xmlrpclib
import os
import datetime
-from random import randint
from xml.dom.minidom import Document, parseString
-from lxml import etree
+from tempfile import mkstemp
from sfa.trust.credential_legacy import CredentialLegacy
-from sfa.trust.certificate import Certificate
from sfa.trust.rights import *
from sfa.trust.gid import *
from sfa.util.faults import *
+
from sfa.util.sfalogging import logger
+from dateutil.parser import parse
-# Two years, in minutes
-DEFAULT_CREDENTIAL_LIFETIME = 1051200
+# Two years, in seconds
+DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
# TODO:
##
# Signature contains information about an xmlsec1 signature
# for a signed-credential
+#
class Signature(object):
- refid = None
- issuer_gid = None
- xml = None
+
def __init__(self, string=None):
+ self.refid = None
+ self.issuer_gid = None
+ self.xml = None
if string:
self.xml = string
self.decode()
# Credentials are encoded in one of two ways. The legacy style places
# it in the subjectAltName of an X509 certificate. The new credentials
# are placed in signed XML.
+#
+# WARNING:
+# In general, a signed credential obtained externally should
+# not be changed else the signature is no longer valid. So, once
+# you have loaded an existing signed credential, do not call encode() or sign() on it.
class Credential(object):
- gidCaller = None
- gidObject = None
- expiration = None
- privileges = None
- issuer_privkey = None
- issuer_gid = None
- issuer_pubkey = None
- parent = None
- signature = None
- xml = None
- refid = None
- legacy = None
+
##
# Create a Credential object
# @param filename If filename!=None, load the credential from the file
def __init__(self, create=False, subject=None, string=None, filename=None):
+ self.gidCaller = None
+ self.gidObject = None
+ self.expiration = None
+ self.privileges = None
+ self.issuer_privkey = None
+ self.issuer_gid = None
+ self.issuer_pubkey = None
+ self.parent = None
+ self.signature = None
+ self.xml = None
+ self.refid = None
+ self.legacy = None
+
+
+
# Check if this is a legacy credential, translate it if so
if string or filename:
self.xml = str
self.decode()
+ # Find an xmlsec1 path
+ self.xmlsec_path = ''
+ paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
+ for path in paths:
+ if os.path.isfile(path + '/' + 'xmlsec1'):
+ self.xmlsec_path = path + '/' + 'xmlsec1'
+ break
+
def get_signature(self):
if not self.signature:
#
# @param lifetime lifetime of credential
# . if lifeTime is a datetime object, it is used for the expiration time
- # . if lifeTime is an integer value, it is considered the number of minutes
+ # . if lifeTime is an integer value, it is considered the number of seconds
# remaining before expiration
def set_lifetime(self, lifeTime):
if isinstance(lifeTime, int):
- self.expiration = datetime.timedelta(seconds=lifeTime*60) + datetime.datetime.utcnow()
+ self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
else:
self.expiration = lifeTime
##
- # get the lifetime of the credential (in minutes)
+ # get the lifetime of the credential (in datetime format)
def get_lifetime(self):
if not self.expiration:
##
# Encode the attributes of the credential into an XML string
# This should be done immediately before signing the credential.
+ # WARNING:
+ # In general, a signed credential obtained externally should
+ # not be changed else the signature is no longer valid. So, once
+ # you have loaded an existing signed credential, do not call encode() or sign() on it.
def encode(self):
- p_sigs = None
-
# Create the XML document
doc = Document()
signed_cred = doc.createElement("signed-credential")
append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
append_sub(doc, cred, "uuid", "")
if not self.expiration:
- self.set_lifetime(3600)
+ self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
self.expiration = self.expiration.replace(microsecond=0)
append_sub(doc, cred, "expires", self.expiration.isoformat())
privileges = doc.createElement("privileges")
self.xml = doc.toxml()
- def save_to_random_tmp_file(self):
- filename = "/tmp/cred_%d" % randint(0,999999999)
- self.save_to_file(filename)
+ def save_to_random_tmp_file(self):
+ fp, filename = mkstemp(suffix='cred', text=True)
+ fp = os.fdopen(fp, "w")
+ self.save_to_file(filename, save_parents=True, filep=fp)
return filename
- def save_to_file(self, filename, save_parents=True):
+ def save_to_file(self, filename, save_parents=True, filep=None):
if not self.xml:
self.encode()
- f = open(filename, "w")
+ if filep:
+ f = filep
+ else:
+ f = open(filename, "w")
f.write(self.xml)
f.close()
self.encode()
return self.xml
+ ##
+ # Sign the XML file created by encode()
+ #
+ # WARNING:
+ # In general, a signed credential obtained externally should
+ # not be changed else the signature is no longer valid. So, once
+ # you have loaded an existing signed credential, do not call encode() or sign() on it.
+
def sign(self):
if not self.issuer_privkey or not self.issuer_gid:
return
# Call out to xmlsec1 to sign it
ref = 'Sig_%s' % self.get_refid()
filename = self.save_to_random_tmp_file()
- signed = os.popen('/usr/bin/xmlsec1 --sign --node-id "%s" --privkey-pem %s,%s %s' \
- % (ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
+ signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
+ % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
os.remove(filename)
for gid_file in gid_files:
self.set_refid(cred.getAttribute("xml:id"))
- sz_expires = getTextNode(cred, "expires")
- if sz_expires != '':
- self.expiration = datetime.datetime.strptime(sz_expires, '%Y-%m-%dT%H:%M:%S')
- self.lifeTime = getTextNode(cred, "expires")
+ self.set_lifetime(parse(getTextNode(cred, "expires")))
self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
self.gidObject = GID(string=getTextNode(cred, "target_gid"))
deleg = str2bool(getTextNode(priv, "can_delegate"))
if kind == '*':
# Convert * into the default privileges for the credential's type
- _ , type = urn_to_hrn(self.gidObject)
- rl = rlist.determine_rights(type, urn)
- for r in rlist.rights:
+ _ , type = urn_to_hrn(self.gidObject.get_urn())
+ rl = rlist.determine_rights(type, self.gidObject.get_urn())
+ for r in rl.rights:
rlist.add(r)
else:
rlist.add(Right(kind.strip(), deleg))
if not self.xml:
self.decode()
- # Check for schema conformance
-
-
-
trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
# Use legacy verification if this is a legacy credential
refs.append("Sig_%s" % ref)
for ref in refs:
- verified = os.popen('/usr/bin/xmlsec1 --verify --node-id "%s" %s %s 2>&1' \
- % (ref, cert_args, filename)).read()
+ verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
+ % (self.xmlsec_path, ref, cert_args, filename)).read()
if not verified.strip().startswith("OK"):
raise CredentialNotVerifiable("xmlsec1 error: " + verified)
-
os.remove(filename)
# Verify the parents (delegation)
if self.parent:
self.verify_parent(self.parent)
-
# Make sure the issuer is the target's authority
self.verify_issuer()
-
return True
def verify_issuer(self):
target_authority = get_authority(self.get_gid_object().get_urn())
+
# Find the root credential's signature
cur_cred = self
- root_refid = None
while cur_cred:
if cur_cred.parent:
cur_cred = cur_cred.parent
root_issuer = cur_cred.get_signature().get_issuer_gid().get_urn()
cur_cred = None
-
# Ensure that the signer of the root credential is the target_authority
target_authority = hrn_to_urn(target_authority, 'authority')
if self.parent and dump_parents:
- print "PARENT",
- self.parent.dump_parents()
+ print "PARENT",
+ self.parent.dump_parents()