X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=135d8170c0b4cb956bb7c52e4e3a6adb250aa015;hb=759d9dc7edbc97a15483000534610e0e44fc1f5d;hp=7f347574a7f4f2318d44aca2c76fd488e92661e9;hpb=6d8f4a104dbe6e8925dec1f2a89fb3e152491d4a;p=sfa.git diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index 7f347574..135d8170 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -26,7 +26,7 @@ # Credentials are signed XML files that assign a subject gid privileges to an object gid ## -import os,sys +import os from types import StringTypes import datetime from StringIO import StringIO @@ -51,7 +51,7 @@ from sfa.trust.gid import GID from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn # 2 weeks, in seconds -DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14 +DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31 # TODO: @@ -160,10 +160,8 @@ class Signature(object): def get_refid(self): - #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid\ self.refid %s " %(self.refid) if not self.refid: self.decode() - #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid self.refid %s " %(self.refid) return self.refid def get_xml(self): @@ -274,12 +272,15 @@ class Credential(object): if os.path.isfile(path + '/' + 'xmlsec1'): self.xmlsec_path = path + '/' + 'xmlsec1' break + if not self.xmlsec_path: + logger.warn("Could not locate binary for xmlsec1 - SFA will be unable to sign stuff !!") def get_subject(self): if not self.gidObject: self.decode() - return self.gidObject.get_printable_subject() + return self.gidObject.get_subject() + # sounds like this should be __repr__ instead ?? def get_summary_tostring(self): if not self.gidObject: self.decode() @@ -365,8 +366,6 @@ class Credential(object): if not self.gidObject: self.decode() return self.gidObject - - ## # Expiration: an absolute UTC time of expiration (as either an int or string or datetime) @@ -405,8 +404,7 @@ class Credential(object): if isinstance(privs, str): self.privileges = Rights(string = privs) else: - self.privileges = privs - + self.privileges = privs ## # return the privileges as a Rights object @@ -590,23 +588,18 @@ class Credential(object): def updateRefID(self): if not self.parent: - self.set_refid('ref0') - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred ref0 " + self.set_refid('ref0') return [] refs = [] next_cred = self.parent - while next_cred: - refs.append(next_cred.get_refid()) if next_cred.parent: next_cred = next_cred.parent - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred " else: next_cred = None - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred NONE" # Find a unique refid for this credential @@ -635,7 +628,11 @@ class Credential(object): # you have loaded an existing signed credential, do not call encode() or sign() on it. def sign(self): - if not self.issuer_privkey or not self.issuer_gid: + if not self.issuer_privkey: + logger.warn("Cannot sign credential (no private key)") + return + if not self.issuer_gid: + logger.warn("Cannot sign credential (no issuer gid)") return doc = parseString(self.get_xml()) sigs = doc.getElementsByTagName("signatures")[0] @@ -664,8 +661,10 @@ class Credential(object): # Call out to xmlsec1 to sign it ref = 'Sig_%s' % self.get_refid() filename = self.save_to_random_tmp_file() - signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \ - % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read() + command='%s --sign --node-id "%s" --privkey-pem %s,%s %s' \ + % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename) +# print 'command',command + signed = os.popen(command).read() os.remove(filename) for gid_file in gid_files: @@ -811,12 +810,10 @@ class Credential(object): # Failures here include unreadable files # or non PEM files trusted_cert_objects.append(GID(filename=f)) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs %s" %(GID(filename=f).get_hrn()) ok_trusted_certs.append(f) except Exception, exc: logger.error("Failed to load trusted cert from %s: %r", f, exc) trusted_certs = ok_trusted_certs - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs elemnebts %s" %(len(trusted_certs)) # Use legacy verification if this is a legacy credential if self.legacy: @@ -842,8 +839,7 @@ class Credential(object): # Verify the gids of this cred and of its parents for cur_cred in self.get_credential_list(): cur_cred.get_gid_object().verify_chain(trusted_cert_objects) - cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify cur_cred get_gid_object hrn %s get_gid_caller %s" %(cur_cred.get_gid_object().get_hrn(),cur_cred.get_gid_caller().get_hrn()) + cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) refs = [] refs.append("Sig_%s" % self.get_refid()) @@ -851,7 +847,7 @@ class Credential(object): parentRefs = self.updateRefID() for ref in parentRefs: refs.append("Sig_%s" % ref) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs refs", ref + for ref in refs: # If caller explicitly passed in None that means skip xmlsec1 validation. # Strange and not typical @@ -862,7 +858,6 @@ class Credential(object): # (self.xmlsec_path, ref, cert_args, filename) verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \ % (self.xmlsec_path, ref, cert_args, filename)).read() - #print>>sys.stderr, " \r\n \t\t\t credential.py verify filename %s verified %s " %(filename,verified) if not verified.strip().startswith("OK"): # xmlsec errors have a msg= which is the interesting bit. mstart = verified.find("msg=") @@ -873,12 +868,11 @@ class Credential(object): msg = verified[mstart:mend] raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip())) os.remove(filename) - - #print>>sys.stderr, " \r\n \t\t\t credential.py HUMMM parents %s", self.parent + # Verify the parents (delegation) if self.parent: self.verify_parent(self.parent) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs parents" + # Make sure the issuer is the target's authority, and is # itself a valid GID self.verify_issuer(trusted_cert_objects) @@ -981,7 +975,6 @@ class Credential(object): # . The expiry time on the child must be no later than the parent # . The signer of the child must be the owner of the parent def verify_parent(self, parent_cred): - #print>>sys.stderr, " \r\n\r\n \t verify_parent parent_cred.get_gid_caller().save_to_string(False) %s self.get_signature().get_issuer_gid().save_to_string(False) %s" %(parent_cred.get_gid_caller().get_hrn(),self.get_signature().get_issuer_gid().get_hrn()) # make sure the rights given to the child are a subset of the # parents rights (and check delegate bits) if not parent_cred.get_privileges().is_superset(self.get_privileges()): @@ -1050,7 +1043,7 @@ class Credential(object): print self.dump_string(*args, **kwargs) - def dump_string(self, dump_parents=False): + def dump_string(self, dump_parents=False, show_xml=False): result="" result += "CREDENTIAL %s\n" % self.get_subject() filename=self.get_filename() @@ -1065,6 +1058,9 @@ class Credential(object): print " gidIssuer:" self.get_signature().get_issuer_gid().dump(8, dump_parents) + if self.expiration: + print " expiration:", self.expiration.isoformat() + gidObject = self.get_gid_object() if gidObject: result += " gidObject:\n" @@ -1074,4 +1070,16 @@ class Credential(object): result += "\nPARENT" result += self.parent.dump_string(True) + if show_xml: + try: + tree = etree.parse(StringIO(self.xml)) + aside = etree.tostring(tree, pretty_print=True) + result += "\nXML\n" + result += aside + result += "\nEnd XML\n" + except: + import traceback + print "exc. Credential.dump_string / XML" + traceback.print_exc() + return result