X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=1ceb97535e1107254b6814089446fcaeee18ee3f;hb=e0c63dcc251bdc18bf90b51e5219a0f8b4953022;hp=daa8a897063217f728b42622e9ed15c3ee0cf77e;hpb=70a671de96cb9dd3d13fc8ea3eba165a52849ffd;p=sfa.git
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index daa8a897..1ceb9753 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -854,11 +854,16 @@ class Credential(object):
         # If caller explicitly passed in None that means skip cert chain validation.
         # - Strange and not typical
         if trusted_certs is not None:
-            # Verify the gids of this cred and of its parents
+            # Verify the caller and object gids of this cred and of its parents
             for cur_cred in self.get_credential_list():
-                cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
-                cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
-
+                # check both the caller and the subject
+                for gid in cur_cred.get_gid_object(), cur_cred.get_gid_caller():
+                    logger.debug("Credential.verify: verifying chain {}"
+                                 .format(gid.pretty_cert()))
+                    logger.debug("Credential.verify: against trusted {}"
+                                 .format(" ".join(trusted_certs)))
+                    gid.verify_chain(trusted_cert_objects)
+
         refs = []
         refs.append("Sig_{}".format(self.get_refid()))
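Review bot: The `" ".join(trusted_certs)` in the second added logger.debug call is recomputed for every gid of every credential in the chain although it never changes inside the loops; compute it once before `for cur_cred in self.get_credential_list():`, e.g. `trusted_names = " ".join(trusted_certs)`, and log `trusted_names`. Both added debug lines also evaluate `.format(...)` before the logger decides whether DEBUG is enabled; passing the values as `%s` arguments (`logger.debug("Credential.verify: verifying chain %s", gid.pretty_cert())`) defers the string formatting. The join presumes `trusted_certs` is a list of strings (the file names the `trusted_cert_objects` were loaded from), which the hunk does not show. The enclosing `verify` method starts and ends outside the hunk.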
@@ -1060,9 +1065,9 @@ class Credential(object):
             message = "Delegated credential {} not signed by parent {}'s caller"\
                 .format(self.pretty_cred(), parent_cred.pretty_cred())
             logger.error(message)
-            logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cred()))
+            logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cert()))
             logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
-            logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cred()))
+            logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_crert()))
             logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
             raise CredentialNotVerifiable(message)
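Review bot: The second replaced line calls `pretty_crert()` on the issuer gid, a typo for the `pretty_cert()` the line two above now uses; whenever this branch is taken, the call raises AttributeError before `raise CredentialNotVerifiable(message)` is reached, so a delegation-signature mismatch surfaces to callers as an unrelated AttributeError rather than the CredentialNotVerifiable they catch, and the "compare2 self details" line is never logged. Change it to `logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cert()))`. The enclosing method starts outside the hunk.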
@@ -1106,29 +1111,36 @@ class Credential(object):
         return getattr(self,'filename',None)
     def actual_caller_hrn(self):
-        """a helper method used by some API calls like e.g. Allocate
+        """
+        a helper method used by some API calls like e.g. Allocate
         to try and find out who really is the original caller
         This admittedly is a bit of a hack, please USE IN LAST RESORT
         This code uses a heuristic to identify a delegated credential
-        A first known restriction if for traffic that gets through a slice manager
-        in this case the hrn reported is the one from the last SM in the call graph
-        which is not at all what is meant here"""
+        A first known restriction if for traffic that gets through a
+        slice manager in this case the hrn reported is the one from
+        the last SM in the call graph which is not at all what is
+        meant here
+        """
-        caller_hrn = self.get_gid_caller().get_hrn()
-        issuer_hrn = self.get_signature().get_issuer_gid().get_hrn()
+        caller_hrn, caller_type = urn_to_hrn(self.get_gid_caller().get_urn())
+        issuer_hrn, issuer_type = urn_to_hrn(self.get_signature().get_issuer_gid().get_urn())
         subject_hrn = self.get_gid_object().get_hrn()
+        # if the caller is a user and the issuer is not
+        # it's probably the former
+        if caller_type == "user" and issuer_type != "user":
+            actual_caller_hrn = caller_hrn
         # if we find that the caller_hrn is an immediate descendant of the issuer, then
         # this seems to be a 'regular' credential
-        if caller_hrn.startswith(issuer_hrn):
-            actual_caller_hrn=caller_hrn
+        elif caller_hrn.startswith(issuer_hrn):
+            actual_caller_hrn = caller_hrn
         # else this looks like a delegated credential, and the real caller is the issuer
         else:
-            actual_caller_hrn=issuer_hrn
+            actual_caller_hrn = issuer_hrn
         logger.info("actual_caller_hrn: caller_hrn={}, issuer_hrn={}, returning {}"
-                    .format(caller_hrn,issuer_hrn,actual_caller_hrn))
+                    .format(caller_hrn, issuer_hrn, actual_caller_hrn))
         return actual_caller_hrn
 ##
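Review bot: The new first branch `if caller_type == "user" and issuer_type != "user":` is not reflected in the rewritten docstring, which still describes only the prefix heuristic even though this method's result decides who the original caller is; add a line such as `A caller whose URN type is 'user' while the issuer's is not is taken to be the actual caller, before the hrn-prefix test is applied`. The types come from `urn_to_hrn` on each gid's URN, so any type other than the literal `"user"` falls through to the prefix test, which is worth stating next to the comment "it's probably the former". The `elif caller_hrn.startswith(issuer_hrn):` line is a plain string-prefix test, not the "immediate descendant" check its comment describes; if hrn components are dot-separated as elsewhere in sfa, `caller_hrn.startswith(issuer_hrn + ".")` would at least match on a component boundary. `subject_hrn` is assigned from `self.get_gid_object().get_hrn()` but never read in the method and can be dropped. `urn_to_hrn` is introduced here but its import is outside the hunk.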