git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Full API implemented.
[sfa.git] / sfa / trust / credential.py
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 8609c3b..bb58407 100644 (file)
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -1,39 +1,36 @@
 ##
 # Implements SFA Credentials
 #
-# Credentials are layered on top of certificates, and are essentially a
-# certificate that stores a tuple of parameters.
+# Credentials are signed XML files that assign a subject gid privileges to an object gid
 ##
 
 ### $Id$
 ### $URL$
 
-import xmlrpclib
-import random
 import os
 import datetime
-
-#import xml.dom.minidom
 from xml.dom.minidom import Document, parseString
+from tempfile import mkstemp
+
 from sfa.trust.credential_legacy import CredentialLegacy
-from sfa.trust.certificate import Certificate
 from sfa.trust.rights import *
 from sfa.trust.gid import *
 from sfa.util.faults import *
+
 from sfa.util.sfalogging import logger
+from dateutil.parser import parse
+
+
+
+# Two years, in seconds 
+DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
 
 
 # TODO:
-# . SFA is using set_parent to do chaining, but that's no longer necessary
-#   with the new credentials. fix.
-#    . This probably requires setting up some sort of CA hierarchy.
-# . Make sure that the creds pass xml verification (probably need some reordering)
-# . Need to implement full verification (parent signatures etc).
-# . remove verify_chain
-# . make delegation per privilege instead of global
 # . make privs match between PG and PL
-# . what about tickets?  do they need to be redone to be like credentials?
-# . Need to test
+# . Need to add support for other types of credentials, e.g. tickets
+
+
 
 signature_template = \
 '''
@@ -61,11 +58,19 @@ signature_template = \
     </Signature>
 '''
 
+##
+# Convert a string into a bool
+
+def str2bool(str):
+    if str.lower() in ['yes','true','1']:
+        return True
+    return False
+
 
 
 ##
 # Utility function to get the text of an XML element
-#
+
 def getTextNode(element, subele):
     sub = element.getElementsByTagName(subele)[0]
     if len(sub.childNodes) > 0:            
@@ -73,18 +78,28 @@ def getTextNode(element, subele):
     else:
         return None
         
+##
+# Utility function to set the text of an XML element
+# It creates the element, adds the text to it,
+# and then appends it to the parent.
 
+def append_sub(doc, parent, element, text):
+    ele = doc.createElement(element)
+    ele.appendChild(doc.createTextNode(text))
+    parent.appendChild(ele)
 
 ##
 # Signature contains information about an xmlsec1 signature
 # for a signed-credential
+#
 
 class Signature(object):
-    refid = None
-    issuer_gid = None
-    xml = None
+
     
     def __init__(self, string=None):
+        self.refid = None
+        self.issuer_gid = None
+        self.xml = None
         if string:
             self.xml = string
             self.decode()
@@ -126,28 +141,22 @@ class Signature(object):
 
 
 ##
-# Credential is a tuple:
-#    (GIDCaller, GIDObject, Expiration (in UTC time), Privileges, DelegateBit)
+# A credential provides a caller gid with privileges to an object gid.
+# A signed credential is signed by the object's authority.
 #
-# These fields are encoded in one of two ways.  The legacy style places
+# Credentials are encoded in one of two ways.  The legacy style places
 # it in the subjectAltName of an X509 certificate.  The new credentials
 # are placed in signed XML.
+#
+# WARNING:
+# In general, a signed credential obtained externally should
+# not be changed else the signature is no longer valid.  So, once
+# you have loaded an existing signed credential, do not call encode() or sign() on it.
 
 
 class Credential(object):
-    gidCaller = None
-    gidObject = None
-    expiration = None
-    privileges = None
-    delegate = False
-    issuer_privkey = None
-    issuer_gid = None
-    issuer_pubkey = None
-    parent_xml = None
-    signatures = []
-    xml = None
-    refid = None
-    
+
+
     ##
     # Create a Credential object
     #
@@ -157,6 +166,21 @@ class Credential(object):
     # @param filename If filename!=None, load the credential from the file
 
     def __init__(self, create=False, subject=None, string=None, filename=None):
+        self.gidCaller = None
+        self.gidObject = None
+        self.expiration = None
+        self.privileges = None
+        self.issuer_privkey = None
+        self.issuer_gid = None
+        self.issuer_pubkey = None
+        self.parent = None
+        self.signature = None
+        self.xml = None
+        self.refid = None
+        self.legacy = None
+
+
+
 
         # Check if this is a legacy credential, translate it if so
         if string or filename:
@@ -166,11 +190,30 @@ class Credential(object):
                 str = file(filename).read()
                 
             if str.strip().startswith("-----"):
+                self.legacy = CredentialLegacy(False,string=str)
                 self.translate_legacy(str)
             else:
                 self.xml = str
                 self.decode()
-                
+
+        # Find an xmlsec1 path
+        self.xmlsec_path = ''
+        paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
+        for path in paths:
+            if os.path.isfile(path + '/' + 'xmlsec1'):
+                self.xmlsec_path = path + '/' + 'xmlsec1'
+                break
+
+
+    def get_signature(self):
+        if not self.signature:
+            self.decode()
+        return self.signature
+
+    def set_signature(self, sig):
+        self.signature = sig
+
+        
     ##
     # Translate a legacy credential into a new one
     #
@@ -182,12 +225,13 @@ class Credential(object):
         self.gidObject = legacy.get_gid_object()
         lifetime = legacy.get_lifetime()
         if not lifetime:
-            self.set_lifetime(3600)
+            # Default to two years
+            self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
         else:
             self.set_lifetime(int(lifetime))
         self.lifeTime = legacy.get_lifetime()
         self.set_privileges(legacy.get_privileges())
-        self.delegate = legacy.get_delegate()
+        self.get_privileges().delegate_all_privileges(legacy.get_delegate())
 
     ##
     # Need the issuer's private key and name
@@ -198,37 +242,12 @@ class Credential(object):
         self.issuer_privkey = privkey
         self.issuer_gid = gid
 
-    #def set_issuer(self, issuer):
-    #    issuer = issuer
-
-    #def set_subject(self, subject):
-    #    subject = subject
-        
-    #def set_pubkey(self, pubkey):
-    #    self.issuer_pubkey = pubkey
-
 
     ##
-    # Store the parent's credential in self.parent_xml
-    # Store the parent's signatures in self.signatures
-    # Update this credential's refid
+    # Set this credential's parent
     def set_parent(self, cred):
-        if not cred.xml:
-            cred.encode()
-
-        doc = parseString(cred.xml)
-        signed = doc.getElementsByTagName("signed-credential")[0]
-        cred = signed.getElementsByTagName("credential")[0]
-        signatures = signed.getElementsByTagName("signatures")[0]
-        sigs = signatures.getElementsByTagName("Signature")
-
-        self.parent_xml = cred.toxml()
-        self.signatures = []
-        for sig in sigs:
-            self.signatures.append(Signature(string=sig.toxml()))
-
+        self.parent = cred
         self.updateRefID()
-        
 
     ##
     # set the GID of the caller
@@ -269,39 +288,24 @@ class Credential(object):
     #
     # @param lifetime lifetime of credential
     # . if lifeTime is a datetime object, it is used for the expiration time
-    # . if lifeTime is an integer value, it is considered the number of minutes
+    # . if lifeTime is an integer value, it is considered the number of seconds
     #   remaining before expiration
 
     def set_lifetime(self, lifeTime):
         if isinstance(lifeTime, int):
-            self.expiration = datetime.timedelta(seconds=lifeTime*60) + datetime.datetime.utcnow()
+            self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
         else:
             self.expiration = lifeTime
 
     ##
-    # get the lifetime of the credential (in minutes)
+    # get the lifetime of the credential (in datetime format)
 
     def get_lifetime(self):
-        if not self.lifeTime:
+        if not self.expiration:
             self.decode()
         return self.expiration
 
-    ##
-    # set the delegate bit
-    #
-    # @param delegate boolean (True or False)
-
-    def set_delegate(self, delegate):
-        self.delegate = delegate
-
-    ##
-    # get the delegate bit
-
-    def get_delegate(self):
-        if not self.delegate:
-            self.decode()
-        return self.delegate
-
     ##
     # set the privileges
     #
@@ -312,6 +316,7 @@ class Credential(object):
             self.privileges = RightList(string = privs)
         else:
             self.privileges = privs
+        
 
     ##
     # return the privileges as a RightList object
@@ -335,18 +340,16 @@ class Credential(object):
 
         return rights.can_perform(op_name)
 
-    def append_sub(self, doc, parent, element, text):
-        ele = doc.createElement(element)
-        ele.appendChild(doc.createTextNode(text))
-        parent.appendChild(ele)
 
     ##
     # Encode the attributes of the credential into an XML string    
     # This should be done immediately before signing the credential.    
+    # WARNING:
+    # In general, a signed credential obtained externally should
+    # not be changed else the signature is no longer valid.  So, once
+    # you have loaded an existing signed credential, do not call encode() or sign() on it.
 
     def encode(self):
-        p_sigs = None
-
         # Create the XML document
         doc = Document()
         signed_cred = doc.createElement("signed-credential")
@@ -356,31 +359,31 @@ class Credential(object):
         cred = doc.createElement("credential")
         cred.setAttribute("xml:id", self.get_refid())
         signed_cred.appendChild(cred)
-        self.append_sub(doc, cred, "type", "privilege")
-        self.append_sub(doc, cred, "serial", "8")
-        self.append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
-        self.append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
-        self.append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
-        self.append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
-        self.append_sub(doc, cred, "uuid", "")
+        append_sub(doc, cred, "type", "privilege")
+        append_sub(doc, cred, "serial", "8")
+        append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
+        append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
+        append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
+        append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
+        append_sub(doc, cred, "uuid", "")
         if  not self.expiration:
-            self.set_lifetime(3600)
+            self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
         self.expiration = self.expiration.replace(microsecond=0)
-        self.append_sub(doc, cred, "expires", self.expiration.isoformat())
+        append_sub(doc, cred, "expires", self.expiration.isoformat())
         privileges = doc.createElement("privileges")
         cred.appendChild(privileges)
 
         if self.privileges:
-            rights = self.privileges.save_to_string().split(",")
-            for right in rights:
+            rights = self.get_privileges()
+            for right in rights.rights:
                 priv = doc.createElement("privilege")
-                self.append_sub(doc, priv, "name", right.strip())
-                self.append_sub(doc, priv, "can_delegate", str(self.delegate))
+                append_sub(doc, priv, "name", right.kind)
+                append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
                 privileges.appendChild(priv)
 
         # Add the parent credential if it exists
-        if self.parent_xml:
-            sdoc = parseString(self.parent_xml)
+        if self.parent:
+            sdoc = parseString(self.parent.get_xml())
             p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
             p = doc.createElement("parent")
             p.appendChild(p_cred)
@@ -392,27 +395,35 @@ class Credential(object):
         signed_cred.appendChild(signatures)
 
         # Add any parent signatures
-        if self.parent_xml:
-            for sig in self.signatures:
-                sdoc = parseString(sig.get_xml())
+        if self.parent:
+            cur_cred = self.parent
+            while cur_cred:
+                sdoc = parseString(cur_cred.get_signature().get_xml())
                 ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
                 signatures.appendChild(ele)
 
+                if cur_cred.parent:
+                    cur_cred = cur_cred.parent
+                else:
+                    cur_cred = None
+                
         # Get the finished product
         self.xml = doc.toxml()
-        #print doc.toxml()
-        #self.sign()
 
 
-    def save_to_random_tmp_file(self):
-        filename = "/tmp/cred_%d" % random.randint(0,999999999)
-        self.save_to_file(filename)
+    def save_to_random_tmp_file(self):       
+        fp, filename = mkstemp(suffix='cred', text=True)
+        fp = os.fdopen(fp, "w")
+        self.save_to_file(filename, save_parents=True, filep=fp)
         return filename
     
-    def save_to_file(self, filename, save_parents=True):
+    def save_to_file(self, filename, save_parents=True, filep=None):
         if not self.xml:
             self.encode()
-        f = open(filename, "w")
+        if filep:
+            f = filep 
+        else:
+            f = open(filename, "w")
         f.write(self.xml)
         f.close()
 
@@ -435,19 +446,20 @@ class Credential(object):
     # the parents.
     
     def updateRefID(self):
-        if not self.parent_xml:
+        if not self.parent:
             self.set_refid('ref0')
             return []
         
         refs = []
 
-        next_cred = Credential(string=self.parent_xml)
+        next_cred = self.parent
         while next_cred:
             refs.append(next_cred.get_refid())
-            if next_cred.parent_xml:
-                next_cred = Credential(string=next_cred.parent_xml)
+            if next_cred.parent:
+                next_cred = next_cred.parent
             else:
                 next_cred = None
+
         
         # Find a unique refid for this credential
         rid = self.get_refid()
@@ -466,10 +478,17 @@ class Credential(object):
             self.encode()
         return self.xml
 
+    ##
+    # Sign the XML file created by encode()
+    #
+    # WARNING:
+    # In general, a signed credential obtained externally should
+    # not be changed else the signature is no longer valid.  So, once
+    # you have loaded an existing signed credential, do not call encode() or sign() on it.
+
     def sign(self):
         if not self.issuer_privkey or not self.issuer_gid:
             return
-        
         doc = parseString(self.get_xml())
         sigs = doc.getElementsByTagName("signatures")[0]
 
@@ -482,31 +501,50 @@ class Credential(object):
 
         self.xml = doc.toxml()
 
+
+        # Split the issuer GID into multiple certificates if it's a chain
+        chain = GID(filename=self.issuer_gid)
+        gid_files = []
+        while chain:
+            gid_files.append(chain.save_to_random_tmp_file(False))
+            if chain.get_parent():
+                chain = chain.get_parent()
+            else:
+                chain = None
+
+
         # Call out to xmlsec1 to sign it
         ref = 'Sig_%s' % self.get_refid()
         filename = self.save_to_random_tmp_file()
-        signed = os.popen('/usr/bin/xmlsec1 --sign --node-id "%s" --privkey-pem %s,%s %s' \
-                 % (ref, self.issuer_privkey, self.issuer_gid, filename)).read()
+        signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
+                 % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
         os.remove(filename)
 
+        for gid_file in gid_files:
+            os.remove(gid_file)
 
         self.xml = signed
 
-    def getTextNode(self, element, subele):
-        sub = element.getElementsByTagName(subele)[0]
-        if len(sub.childNodes) > 0:            
-            return sub.childNodes[0].nodeValue
-        else:
-            return None
+        # This is no longer a legacy credential
+        if self.legacy:
+            self.legacy = None
+
+        # Update signatures
+        self.decode()
+
+        
+
         
     ##
     # Retrieve the attributes of the credential from the XML.
-    # This is automatically caleld by the various get_* methods of
+    # This is automatically called by the various get_* methods of
     # this class and should not need to be called explicitly.
 
     def decode(self):
+        if not self.xml:
+            return
         doc = parseString(self.xml)
-        sigs = None
+        sigs = []
         signed_cred = doc.getElementsByTagName("signed-credential")
 
         # Is this a signed-cred or just a cred?
@@ -521,46 +559,59 @@ class Credential(object):
 
 
         self.set_refid(cred.getAttribute("xml:id"))
-        sz_expires = getTextNode(cred, "expires")
-        if sz_expires != '':
-            self.expiration = datetime.datetime.strptime(sz_expires, '%Y-%m-%dT%H:%M:%S')            
-        self.lifeTime = getTextNode(cred, "expires")
+        self.set_lifetime(parse(getTextNode(cred, "expires")))
         self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
-        self.gidObject = GID(string=getTextNode(cred, "target_gid"))
+        self.gidObject = GID(string=getTextNode(cred, "target_gid"))   
+
+
+        # Process privileges
         privs = cred.getElementsByTagName("privileges")[0]
-        sz_privs = ''
-        delegates = []
+        rlist = RightList()
         for priv in privs.getElementsByTagName("privilege"):
-            sz_privs += getTextNode(priv, "name")
-            sz_privs += ","
-            delegates.append(getTextNode(priv, "can_delegate"))
-
-        # Can we delegate?
-        delegate = False
-        if "false" not in delegates:
-            self.delegate = True
+            kind = getTextNode(priv, "name")
+            deleg = str2bool(getTextNode(priv, "can_delegate"))
+            if kind == '*':
+                # Convert * into the default privileges for the credential's type                
+                _ , type = urn_to_hrn(self.gidObject.get_urn())
+                rl = rlist.determine_rights(type, self.gidObject.get_urn())
+                for r in rl.rights:
+                    rlist.add(r)
+            else:
+                rlist.add(Right(kind.strip(), deleg))
+        self.set_privileges(rlist)
 
-        # Make the rights list
-        sz_privs.rstrip(", ")
-        self.privileges = RightList(string=sz_privs)
-        self.delegate
 
         # Is there a parent?
         parent = cred.getElementsByTagName("parent")
         if len(parent) > 0:
-            self.parent_xml = getTextNode(cred, "parent")
+            parent_doc = parent[0].getElementsByTagName("credential")[0]
+            parent_xml = parent_doc.toxml()
+            self.parent = Credential(string=parent_xml)
             self.updateRefID()
 
-        # Get the signatures
+        # Assign the signatures to the credentials
         for sig in sigs:
-            self.signatures.append(Signature(string=sig.toxml()))
+            Sig = Signature(string=sig.toxml())
+
+            cur_cred = self
+            while cur_cred:
+                if cur_cred.get_refid() == Sig.get_refid():
+                    cur_cred.set_signature(Sig)
+                    
+                if cur_cred.parent:
+                    cur_cred = cur_cred.parent
+                else:
+                    cur_cred = None
+                
             
     ##
     # Verify that:
     # . All of the signatures are valid and that the issuers trace back
     #   to trusted roots (performed by xmlsec1)
+    # . The XML matches the credential schema
     # . That the issuer of the credential is the authority in the target's urn
     #    . In the case of a delegated credential, this must be true of the root
+    # . That all of the gids presented in the credential are valid
     #
     # -- For Delegates (credentials with parents)
     # . The privileges must be a subset of the parent credentials
@@ -579,10 +630,31 @@ class Credential(object):
         if not self.xml:
             self.decode()        
 
+        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
+
+        # Use legacy verification if this is a legacy credential
+        if self.legacy:
+            self.legacy.verify_chain(trusted_cert_objects)
+            if self.legacy.client_gid:
+                self.legacy.client_gid.verify_chain(trusted_cert_objects)
+            if self.legacy.object_gid:
+                self.legacy.object_gid.verify_chain(trusted_cert_objects)
+            return True
+
         # Verify the signatures
         filename = self.save_to_random_tmp_file()
         cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
 
+        # Verify the gids of this cred and of its parents
+
+        cur_cred = self
+        while cur_cred:
+            cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
+            cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
+            if cur_cred.parent:
+                cur_cred = cur_cred.parent
+            else:
+                cur_cred = None
         
         refs = []
         refs.append("Sig_%s" % self.get_refid())
@@ -592,85 +664,74 @@ class Credential(object):
             refs.append("Sig_%s" % ref)
 
         for ref in refs:
-            verified = os.popen('/usr/bin/xmlsec1 --verify --node-id "%s" %s %s 2>&1' \
-                            % (ref, cert_args, filename)).read()
+            verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
+                            % (self.xmlsec_path, ref, cert_args, filename)).read()
             if not verified.strip().startswith("OK"):
                 raise CredentialNotVerifiable("xmlsec1 error: " + verified)
-
         os.remove(filename)
 
         # Verify the parents (delegation)
-        #if self.parent_xml:
-        #    self.verify_parent(Credential(string=self.parent_xml))
-
+        if self.parent:
+            self.verify_parent(self.parent)
         # Make sure the issuer is the target's authority
         self.verify_issuer()
+        return True
 
-
-
+        
     ##
     # Make sure the issuer of this credential is the target's authority
-    # Security hole: Because PL GID's use hrns in the CN instead of urns,
-    # the type is not checked, only the authority name.
-    def verify_issuer(self):
-        target_authority = get_authority(self.get_gid_object().get_hrn())
+    def verify_issuer(self):        
+        target_authority = get_authority(self.get_gid_object().get_urn())
 
-        # Find the root credential's refid
+        
+        # Find the root credential's signature
         cur_cred = self
-        root_refid = None
         while cur_cred:            
-            if cur_cred.parent_xml:
-                cur_cred = Credential(string=cur_cred.parent_xml)
+            if cur_cred.parent:
+                cur_cred = cur_cred.parent
             else:
-                root_refid = cur_cred.get_refid()                
+                root_issuer = cur_cred.get_signature().get_issuer_gid().get_urn()
                 cur_cred = None
 
-        # Find the signature for the root credential
-        root_issuer = None
-        for sig in self.signatures:
-            if sig.get_refid().lower() == root_refid.lower():
-                root_issuer = sig.get_issuer_gid().get_urn()
-                
         # Ensure that the signer of the root credential is the target_authority
         target_authority = hrn_to_urn(target_authority, 'authority')
 
         if root_issuer != target_authority:
             raise CredentialNotVerifiable("issuer (%s) != authority of target (%s)" \
                                           % (root_issuer, target_authority))
-                                          
-        
-    def verify_parent(self, parent_cred):
-        if parent_cred.parent_xml:
-            parent_cred.verify_parent(Credential(string=parent_cred.parent_xml))
 
     ##
-    # Verify that a chain of credentials is valid (see cert.py:verify). In
-    # addition to the checks for ordinary certificates, verification also
-    # ensures that the delegate bit was set by each parent in the chain. If
-    # a delegate bit was not set, then an exception is thrown.
-    #
-    # Each credential must be a subset of the rights of the parent.
-
-    def verify_chain(self, trusted_certs):
-        return
-
- ##    def verify_chain(self, trusted_certs = None):
-##         # do the normal certificate verification stuff
-##         Certificate.verify_chain(self, trusted_certs)
-
-##         if self.parent:
-##             # make sure the parent delegated rights to the child
-##             if not self.parent.get_delegate():
-##                 raise MissingDelegateBit(self.parent.get_subject())
-
-##             # make sure the rights given to the child are a subset of the
-##             # parents rights
-##             if not self.parent.get_privileges().is_superset(self.get_privileges()):
-##                 raise ChildRightsNotSubsetOfParent(self.get_subject() 
-##                                                    + " " + self.parent.get_privileges().save_to_string()
-##                                                    + " " + self.get_privileges().save_to_string())
-
-##         return
+    # -- For Delegates (credentials with parents) verify that:
+    # . The privileges must be a subset of the parent credentials
+    # . The privileges must have "can_delegate" set for each delegated privilege
+    # . The target gid must be the same between child and parents
+    # . The expiry time on the child must be no later than the parent
+    # . The signer of the child must be the owner of the parent
+        
+    def verify_parent(self, parent_cred):
+        # make sure the rights given to the child are a subset of the
+        # parents rights (and check delegate bits)
+        if not parent_cred.get_privileges().is_superset(self.get_privileges()):
+            raise ChildRightsNotSubsetOfParent(
+                self.parent.get_privileges().save_to_string() + " " +
+                self.get_privileges().save_to_string())
+
+        # make sure my target gid is the same as the parent's
+        if not parent_cred.get_gid_object().save_to_string() == \
+           self.get_gid_object().save_to_string():
+            raise CredentialNotVerifiable("target gid not equal between parent and child")
+
+        # make sure my expiry time is <= my parent's
+        if not parent_cred.get_lifetime() >= self.get_lifetime():
+            raise CredentialNotVerifiable("delegated credential expires after parent")
+
+        # make sure my signer is the parent's caller
+        if not parent_cred.get_gid_caller().save_to_string(False) == \
+           self.get_signature().get_issuer_gid().save_to_string(False):
+            raise CredentialNotVerifiable("delegated credential not signed by parent caller")
+                
+        if parent_cred.parent:
+            parent_cred.verify_parent(parent_cred.parent)
 
     ##
     # Dump the contents of a credential to stdout in human-readable format
@@ -692,9 +753,8 @@ class Credential(object):
         if gidObject:
             gidObject.dump(8, dump_parents)
 
-        print "   delegate:", self.get_delegate()
 
-        if self.parent_xml and dump_parents:
-           print "PARENT",
-           #self.parent.dump(dump_parents)
+        if self.parent and dump_parents:
+            print "PARENT",
+            self.parent.dump_parents()
 
sfa