X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=5aa76319aac685f4b922adb4410f82350bdcca86;hb=06b330f0ee047bdb107e43e82b1d7356c876bc15;hp=453401f695c3f45fd7f1396716472cd61d33acb1;hpb=2f0e1e03cfe5982a322d0ee1e24ac9751029df33;p=sfa.git diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index 453401f6..5aa76319 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -31,21 +31,20 @@ import os import datetime -from xml.dom.minidom import Document, parseString from tempfile import mkstemp - -from sfa.trust.credential_legacy import CredentialLegacy -from sfa.trust.rights import * -from sfa.trust.gid import * -from sfa.util.faults import * - -from sfa.util.sfalogging import logger +from xml.dom.minidom import Document, parseString from dateutil.parser import parse +from sfa.util.faults import * +from sfa.util.sfalogging import sfa_logger +from sfa.trust.certificate import Keypair +from sfa.trust.credential_legacy import CredentialLegacy +from sfa.trust.rights import Right, Rights +from sfa.trust.gid import GID +from sfa.util.xrn import urn_to_hrn - -# Two years, in seconds -DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2 +# 2 weeks, in seconds +DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14 # TODO: @@ -171,6 +170,21 @@ class Signature(object): # not be changed else the signature is no longer valid. So, once # you have loaded an existing signed credential, do not call encode() or sign() on it. +def filter_creds_by_caller(creds, caller_hrn): + """ + Returns a list of creds who's gid caller matches the + specified caller hrn + """ + if not isinstance(creds, list): creds = [creds] + caller_creds = [] + for cred in creds: + try: + tmp_cred = Credential(string=cred) + if tmp_cred.get_gid_caller().get_hrn() == caller_hrn: + caller_creds.append(cred) + except: pass + return caller_creds + class Credential(object): ## @@ -201,6 +215,7 @@ class Credential(object): str = string elif filename: str = file(filename).read() + self.filename=filename if str.strip().startswith("-----"): self.legacy = CredentialLegacy(False,string=str) @@ -217,6 +232,10 @@ class Credential(object): self.xmlsec_path = path + '/' + 'xmlsec1' break + def get_subject(self): + if not self.gidObject: + self.decode() + return self.gidObject.get_subject() def get_signature(self): if not self.signature: @@ -238,10 +257,9 @@ class Credential(object): self.gidObject = legacy.get_gid_object() lifetime = legacy.get_lifetime() if not lifetime: - # Default to two years - self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME) + self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME)) else: - self.set_lifetime(int(lifetime)) + self.set_expiration(int(lifetime)) self.lifeTime = legacy.get_lifetime() self.set_privileges(legacy.get_privileges()) self.get_privileges().delegate_all_privileges(legacy.get_delegate()) @@ -296,43 +314,45 @@ class Credential(object): self.decode() return self.gidObject + + ## - # set the lifetime of this credential - # - # @param lifetime lifetime of credential - # . if lifeTime is a datetime object, it is used for the expiration time - # . if lifeTime is an integer value, it is considered the number of seconds - # remaining before expiration - - def set_lifetime(self, lifeTime): - if isinstance(lifeTime, int): - self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow() + # Expiration: an absolute UTC time of expiration (as either an int or datetime) + # + def set_expiration(self, expiration): + if isinstance(expiration, int): + self.expiration = datetime.datetime.fromtimestamp(expiration) else: - self.expiration = lifeTime + self.expiration = expiration + ## # get the lifetime of the credential (in datetime format) - def get_lifetime(self): + def get_expiration(self): if not self.expiration: self.decode() return self.expiration + ## + # For legacy sake + def get_lifetime(self): + return self.get_expiration() ## # set the privileges # - # @param privs either a comma-separated list of privileges of a RightList object + # @param privs either a comma-separated list of privileges of a Rights object def set_privileges(self, privs): if isinstance(privs, str): - self.privileges = RightList(string = privs) + self.privileges = Rights(string = privs) else: self.privileges = privs ## - # return the privileges as a RightList object + # return the privileges as a Rights object def get_privileges(self): if not self.privileges: @@ -380,7 +400,7 @@ class Credential(object): append_sub(doc, cred, "target_urn", self.gidObject.get_urn()) append_sub(doc, cred, "uuid", "") if not self.expiration: - self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME) + self.set_expiration(datetime.datetime.utcnow() + datetime.timedelta(seconds=DEFAULT_CREDENTIAL_LIFETIME)) self.expiration = self.expiration.replace(microsecond=0) append_sub(doc, cred, "expires", self.expiration.isoformat()) privileges = doc.createElement("privileges") @@ -433,6 +453,7 @@ class Credential(object): f = open(filename, "w") f.write(self.xml) f.close() + self.filename=filename def save_to_string(self, save_parents=True): if not self.xml: @@ -563,14 +584,14 @@ class Credential(object): self.set_refid(cred.getAttribute("xml:id")) - self.set_lifetime(parse(getTextNode(cred, "expires"))) + self.set_expiration(parse(getTextNode(cred, "expires"))) self.gidCaller = GID(string=getTextNode(cred, "owner_gid")) self.gidObject = GID(string=getTextNode(cred, "target_gid")) # Process privileges privs = cred.getElementsByTagName("privileges")[0] - rlist = RightList() + rlist = Rights() for priv in privs.getElementsByTagName("privilege"): kind = getTextNode(priv, "name") deleg = str2bool(getTextNode(priv, "can_delegate")) @@ -642,7 +663,7 @@ class Credential(object): trusted_cert_objects.append(GID(filename=f)) ok_trusted_certs.append(f) except Exception, exc: - logger.error("Failed to load trusted cert from %s: %r", f, exc) + sfa_logger().error("Failed to load trusted cert from %s: %r", f, exc) trusted_certs = ok_trusted_certs # Use legacy verification if this is a legacy credential @@ -655,7 +676,7 @@ class Credential(object): return True # make sure it is not expired - if self.get_lifetime() < datetime.datetime.utcnow(): + if self.get_expiration() < datetime.datetime.utcnow(): raise CredentialNotVerifiable("Credential expired at %s" % self.expiration.isoformat()) # Verify the signatures @@ -725,7 +746,7 @@ class Credential(object): # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn()) root_cred_signer_type = root_cred_signer.get_type() if (root_cred_signer_type == 'authority'): - #logger.debug('Cred signer is an authority') + #sfa_logger().debug('Cred signer is an authority') # signer is an authority, see if target is in authority's domain hrn = root_cred_signer.get_hrn() if root_target_gid.get_hrn().startswith(hrn): @@ -763,7 +784,7 @@ class Credential(object): raise CredentialNotVerifiable("Target gid not equal between parent and child") # make sure my expiry time is <= my parent's - if not parent_cred.get_lifetime() >= self.get_lifetime(): + if not parent_cred.get_expiration() >= self.get_expiration(): raise CredentialNotVerifiable("Delegated credential expires after parent") # make sure my signer is the parent's caller @@ -775,30 +796,63 @@ class Credential(object): if parent_cred.parent: parent_cred.verify_parent(parent_cred.parent) - ## - # Dump the contents of a credential to stdout in human-readable format - # - # @param dump_parents If true, also dump the parent certificates - - def dump(self, dump_parents=False): -# FIXME: get_subject doesnt exist -# print "CREDENTIAL", self.get_subject() - print "CREDENTIAL" - print " privs:", self.get_privileges().save_to_string() + def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile): + """ + Return a delegated copy of this credential, delegated to the + specified gid's user. + """ + # get the gid of the object we are delegating + object_gid = self.get_gid_object() + object_hrn = object_gid.get_hrn() + + # the hrn of the user who will be delegated to + delegee_gid = GID(filename=delegee_gidfile) + delegee_hrn = delegee_gid.get_hrn() + + #user_key = Keypair(filename=keyfile) + #user_hrn = self.get_gid_caller().get_hrn() + subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn) + dcred = Credential(subject=subject_string) + dcred.set_gid_caller(delegee_gid) + dcred.set_gid_object(object_gid) + dcred.set_parent(self) + dcred.set_expiration(self.get_expiration()) + dcred.set_privileges(self.get_privileges()) + dcred.get_privileges().delegate_all_privileges(True) + #dcred.set_issuer_keys(keyfile, delegee_gidfile) + dcred.set_issuer_keys(caller_keyfile, caller_gidfile) + dcred.encode() + dcred.sign() + + return dcred + + # only informative + def get_filename(self): + return getattr(self,'filename',None) - print " gidCaller:" + # @param dump_parents If true, also dump the parent certificates + def dump (self, *args, **kwargs): + print self.dump_string(*args, **kwargs) + + def dump_string(self, dump_parents=False): + result="" + result += "CREDENTIAL %s\n" % self.get_subject() + filename=self.get_filename() + if filename: result += "Filename %s\n"%filename + result += " privs: %s\n" % self.get_privileges().save_to_string() gidCaller = self.get_gid_caller() if gidCaller: - gidCaller.dump(8, dump_parents) + result += " gidCaller:\n" + result += gidCaller.dump_string(8, dump_parents) - print " gidObject:" gidObject = self.get_gid_object() if gidObject: - gidObject.dump(8, dump_parents) - + result += " gidObject:\n" + result += gidObject.dump_string(8, dump_parents) if self.parent and dump_parents: - print "PARENT", - self.parent.dump_parents() + result += "PARENT" + result += self.parent.dump_string(dump_parents) + return result