Full API implemented.

[sfa.git] / sfa / trust / credential.py

diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 71325b4..bb58407 100644 (file)
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -9,8 +9,8 @@
 
 import os
 import datetime
-from random import randint
 from xml.dom.minidom import Document, parseString
+from tempfile import mkstemp
 
 from sfa.trust.credential_legacy import CredentialLegacy
 from sfa.trust.rights import *
@@ -18,11 +18,12 @@ from sfa.trust.gid import *
 from sfa.util.faults import *
 
 from sfa.util.sfalogging import logger
+from dateutil.parser import parse
 
 
 
-# Two years, in minutes 
-DEFAULT_CREDENTIAL_LIFETIME = 1051200
+# Two years, in seconds 
+DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
 
 
 # TODO:
@@ -179,6 +180,8 @@ class Credential(object):
         self.legacy = None
 
 
+
+
         # Check if this is a legacy credential, translate it if so
         if string or filename:
             if string:                
@@ -193,6 +196,14 @@ class Credential(object):
                 self.xml = str
                 self.decode()
 
+        # Find an xmlsec1 path
+        self.xmlsec_path = ''
+        paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
+        for path in paths:
+            if os.path.isfile(path + '/' + 'xmlsec1'):
+                self.xmlsec_path = path + '/' + 'xmlsec1'
+                break
+
 
     def get_signature(self):
         if not self.signature:
@@ -277,17 +288,17 @@ class Credential(object):
     #
     # @param lifetime lifetime of credential
     # . if lifeTime is a datetime object, it is used for the expiration time
-    # . if lifeTime is an integer value, it is considered the number of minutes
+    # . if lifeTime is an integer value, it is considered the number of seconds
     #   remaining before expiration
 
     def set_lifetime(self, lifeTime):
         if isinstance(lifeTime, int):
-            self.expiration = datetime.timedelta(seconds=lifeTime*60) + datetime.datetime.utcnow()
+            self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
         else:
             self.expiration = lifeTime
 
     ##
-    # get the lifetime of the credential (in minutes)
+    # get the lifetime of the credential (in datetime format)
 
     def get_lifetime(self):
         if not self.expiration:
@@ -356,7 +367,7 @@ class Credential(object):
         append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
         append_sub(doc, cred, "uuid", "")
         if  not self.expiration:
-            self.set_lifetime(3600)
+            self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
         self.expiration = self.expiration.replace(microsecond=0)
         append_sub(doc, cred, "expires", self.expiration.isoformat())
         privileges = doc.createElement("privileges")
@@ -400,15 +411,19 @@ class Credential(object):
         self.xml = doc.toxml()
 
 
-    def save_to_random_tmp_file(self):
-        filename = "/tmp/cred_%d" % randint(0,999999999)
-        self.save_to_file(filename)
+    def save_to_random_tmp_file(self):       
+        fp, filename = mkstemp(suffix='cred', text=True)
+        fp = os.fdopen(fp, "w")
+        self.save_to_file(filename, save_parents=True, filep=fp)
         return filename
     
-    def save_to_file(self, filename, save_parents=True):
+    def save_to_file(self, filename, save_parents=True, filep=None):
         if not self.xml:
             self.encode()
-        f = open(filename, "w")
+        if filep:
+            f = filep 
+        else:
+            f = open(filename, "w")
         f.write(self.xml)
         f.close()
 
@@ -501,8 +516,8 @@ class Credential(object):
         # Call out to xmlsec1 to sign it
         ref = 'Sig_%s' % self.get_refid()
         filename = self.save_to_random_tmp_file()
-        signed = os.popen('/usr/bin/xmlsec1 --sign --node-id "%s" --privkey-pem %s,%s %s' \
-                 % (ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
+        signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
+                 % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
         os.remove(filename)
 
         for gid_file in gid_files:
@@ -544,10 +559,7 @@ class Credential(object):
 
 
         self.set_refid(cred.getAttribute("xml:id"))
-        sz_expires = getTextNode(cred, "expires")
-        if sz_expires != '':
-            self.expiration = datetime.datetime.strptime(sz_expires, '%Y-%m-%dT%H:%M:%S')        
-        self.lifeTime = getTextNode(cred, "expires")
+        self.set_lifetime(parse(getTextNode(cred, "expires")))
         self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
         self.gidObject = GID(string=getTextNode(cred, "target_gid"))   
 
@@ -652,8 +664,8 @@ class Credential(object):
             refs.append("Sig_%s" % ref)
 
         for ref in refs:
-            verified = os.popen('/usr/bin/xmlsec1 --verify --node-id "%s" %s %s 2>&1' \
-                            % (ref, cert_args, filename)).read()
+            verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
+                            % (self.xmlsec_path, ref, cert_args, filename)).read()
             if not verified.strip().startswith("OK"):
                 raise CredentialNotVerifiable("xmlsec1 error: " + verified)
         os.remove(filename)
@@ -684,8 +696,6 @@ class Credential(object):
         # Ensure that the signer of the root credential is the target_authority
         target_authority = hrn_to_urn(target_authority, 'authority')
 
-        logger.info( "%s %s" % (root_issuer, target_authority))
-
         if root_issuer != target_authority:
             raise CredentialNotVerifiable("issuer (%s) != authority of target (%s)" \
                                           % (root_issuer, target_authority))