def get_subject(self):\r
if not self.gidObject:\r
self.decode()\r
- return self.gidObject.get_subject() \r
+ return self.gidObject.get_printable_subject()\r
+\r
+ def get_summary_tostring(self):\r
+ if not self.gidObject:\r
+ self.decode()\r
+ obj = self.gidObject.get_printable_subject()\r
+ caller = self.gidCaller.get_printable_subject()\r
+ exp = self.get_expiration()\r
+ # Summarize the rights too? The issuer?\r
+ return "[ Grant %s rights on %s until %s ]" % (caller, obj, exp)\r
\r
def get_signature(self):\r
if not self.signature:\r
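Review bot: `get_summary_tostring` is called from inside error paths later in this diff (the schema-validation, expiry, xmlsec1 and delegation raises), yet it can itself raise: it only guards `self.gidObject` before calling `decode()` and then dereferences `self.gidCaller` unconditionally, so a credential whose caller gid is absent, or whose XML has just failed validation, would surface as an AttributeError instead of the intended CredentialNotVerifiable. A helper used only to build exception messages should not throw; e.g. `caller = self.gidCaller.get_printable_subject() if self.gidCaller else "<no caller gid>"` and the same guard for `obj`. Whether `decode()` always sets `gidCaller` is not visible here. The open question `# Summarize the rights too? The issuer?` reads better as a tracked item, e.g. `# TODO: include the rights and the issuer in the summary`.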
\r
# Is this a signed-cred or just a cred?\r
if len(signed_cred) > 0:\r
- cred = signed_cred[0].getElementsByTagName("credential")[0]\r
+ creds = signed_cred[0].getElementsByTagName("credential")\r
signatures = signed_cred[0].getElementsByTagName("signatures")\r
if len(signatures) > 0:\r
sigs = signatures[0].getElementsByTagName("Signature")\r
else:\r
- cred = doc.getElementsByTagName("credential")[0]\r
+ creds = doc.getElementsByTagName("credential")\r
\r
+ if creds is None or len(creds) == 0:\r
+ # malformed cred file\r
+ raise CredentialNotVerifiable("Malformed XML: No credential tag found")\r
+\r
+ # Just take the first cred if there are more than one\r
+ cred = creds[0]\r
\r
self.set_refid(cred.getAttribute("xml:id"))\r
self.set_expiration(utcparse(getTextNode(cred, "expires")))\r
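Review bot: Silently taking `creds[0]` when the document holds more than one `credential` element leaves it ambiguous which element the verifier parsed, and the signature is later matched against this element's `xml:id` (`set_refid(cred.getAttribute("xml:id"))`), so the safer check is to require exactly one: `if len(creds) != 1: raise CredentialNotVerifiable("Malformed XML: expected exactly one credential tag, found %d" % len(creds))`. The `creds is None` test is redundant, since `getElementsByTagName` returns a (possibly empty) NodeList, so `if not creds:` already covers the malformed case. The enclosing `decode` body starts before and continues after this hunk.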
xmlschema = etree.XMLSchema(schema_doc)\r
if not xmlschema.validate(tree):\r
error = xmlschema.error_log.last_error\r
- message = "%s (line %s)" % (error.message, error.line)\r
+ message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)\r
raise CredentialNotVerifiable(message)\r
\r
if trusted_certs_required and trusted_certs is None:\r
\r
# make sure it is not expired\r
if self.get_expiration() < datetime.datetime.utcnow():\r
- raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat())\r
+ raise CredentialNotVerifiable("Credential %s expired at %s" % (self.get_summary_tostring(), self.expiration.isoformat()))\r
\r
# Verify the signatures\r
filename = self.save_to_random_tmp_file()\r
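Review bot: The new expiry message prints the expiration twice, because the summary from `get_summary_tostring()` already ends with `until <expiration>`; `"Credential %s expired" % self.get_summary_tostring()` says it once, or keep the isoformat and drop the summary. The comparison against naive `datetime.datetime.utcnow()` is unchanged by this commit and only stays correct while `get_expiration()` returns a naive UTC datetime, which is not visible here.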
mstart = mstart + 4\r
mend = verified.find('\\', mstart)\r
msg = verified[mstart:mend]\r
- raise CredentialNotVerifiable("xmlsec1 error verifying cred using Signature ID %s: %s %s" % (ref, msg, verified.strip()))\r
+ raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip()))\r
os.remove(filename)\r
\r
# Verify the parents (delegation)\r
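Review bot: The temporary file created by `save_to_random_tmp_file()` (visible above as `filename = ...`) is left on disk whenever the new raise fires, because `os.remove(filename)` only runs after the verification completes, and that file holds the credential under verification. Build the message first, then `os.remove(filename)` before `raise CredentialNotVerifiable(message)`, or wrap the xmlsec1 verification in `try/finally: os.remove(filename)` so the cleanup runs on every exit. The enclosing verification loop starts before this hunk.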
# make sure the rights given to the child are a subset of the\r
# parents rights (and check delegate bits)\r
if not parent_cred.get_privileges().is_superset(self.get_privileges()):\r
- raise ChildRightsNotSubsetOfParent(("Parent cred ref %s rights " % self.parent.get_refid()) + \r
- self.parent.get_privileges().save_to_string() + (" not superset of delegated cred ref %s rights " % self.get_refid()) +\r
+ raise ChildRightsNotSubsetOfParent(("Parent cred ref %s rights " % parent_cred.get_refid()) +\r
+ self.parent.get_privileges().save_to_string() + (" not superset of delegated cred %s ref %s rights " % (self.get_summary_tostring(), self.get_refid())) +\r
self.get_privileges().save_to_string())\r
\r
# make sure my target gid is the same as the parent's\r
if not parent_cred.get_gid_object().save_to_string() == \\r
self.get_gid_object().save_to_string():\r
- raise CredentialNotVerifiable("Target gid not equal between parent and child")\r
+ raise CredentialNotVerifiable("Delegated cred %s: Target gid not equal between parent and child. Parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))\r
\r
# make sure my expiry time is <= my parent's\r
if not parent_cred.get_expiration() >= self.get_expiration():\r
- raise CredentialNotVerifiable("Delegated credential expires after parent")\r
+ raise CredentialNotVerifiable("Delegated credential %s expires after parent %s" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))\r
\r
# make sure my signer is the parent's caller\r
if not parent_cred.get_gid_caller().save_to_string(False) == \\r
self.get_signature().get_issuer_gid().save_to_string(False):\r
- raise CredentialNotVerifiable("Delegated credential not signed by parent caller")\r
+ raise CredentialNotVerifiable("Delegated credential %s not signed by parent %s's caller" % (self.get_summary_tostring(), parent_cred.get_summary_tostring()))\r
\r
# Recurse\r
if parent_cred.parent:\r
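Review bot: The line `self.parent.get_privileges().save_to_string()` still reads `self.parent` while the check above it and the refid in the same message now use `parent_cred`; if this point is reached during the recursion at the bottom (`if parent_cred.parent:`) with a `parent_cred` other than `self.parent`, the message reports the wrong credential's rights. Use `parent_cred.get_privileges().save_to_string()` so the printed rights are the ones that were actually compared. Whether the recursion rebinds `parent_cred` is not visible in this hunk.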