X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=6384afccccb95b4bae6ed91d1ff47f9db3678768;hb=9c3a451f7d42b349462d2c80f81644c5a150b2f2;hp=9387356065e51cd6891b3f81d75de857881a691f;hpb=99664acc80923d4f0bc65aa75dce55bc65c1699e;p=sfa.git
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 93873560..6384afcc 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -31,16 +31,17 @@ import os
 import datetime
-from xml.dom.minidom import Document, parseString
 from tempfile import mkstemp
+from xml.dom.minidom import Document, parseString
+from dateutil.parser import parse
+
+import sfa.util.sfalogging
 from sfa.trust.certificate import Keypair
 from sfa.trust.credential_legacy import CredentialLegacy
 from sfa.trust.rights import *
 from sfa.trust.gid import *
 from sfa.util.faults import *
-from sfa.util.sfalogging import logger
-from dateutil.parser import parse
@@ -171,6 +172,21 @@ class Signature(object):
 # not be changed else the signature is no longer valid. So, once
 # you have loaded an existing signed credential, do not call encode() or sign() on it.
+def filter_creds_by_caller(creds, caller_hrn):
+ """
+ Returns a list of creds who's gid caller matches the
+ specified caller hrn
+ """
+ if not isinstance(creds, list): creds = [creds]
+ caller_creds = []
+ for cred in creds:
+ try:
+ tmp_cred = Credential(string=cred)
+ if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+ caller_creds.append(cred)
+ except: pass
+ return caller_creds
+
 class Credential(object):
 ##
@@ -646,7 +662,7 @@ class Credential(object):
 trusted_cert_objects.append(GID(filename=f))
 ok_trusted_certs.append(f)
 except Exception, exc:
- logger.error("Failed to load trusted cert from %s: %r", f, exc)
+ sfa.util.sfalogging.logger.error("Failed to load trusted cert from %s: %r", f, exc)
 trusted_certs = ok_trusted_certs
 # Use legacy verification if this is a legacy credential
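Review bot: `filter_creds_by_caller` swallows every failure with a bare `except: pass`, so a credential that does not parse is dropped without a trace and a real error inside the loop (even a misspelled `get_gid_caller`) never surfaces; since this commit imports `sfa.util.sfalogging`, prefer `except Exception, exc:` followed by `sfa.util.sfalogging.logger.debug("filter_creds_by_caller: skipping cred: %r", exc)`. The same bare handler also hides the case where `creds` arrives as a tuple: the `isinstance(creds, list)` test wraps it into a one-element list, `Credential(string=...)` then fails on the tuple, and the function quietly returns `[]`; `isinstance(creds, (list, tuple))` avoids that. Note also that `Credential(string=cred)` is only parsed here, never verified, so the comparison is against the caller hrn the credential claims for itself; the docstring should say that this is a selection helper rather than an authorization check, and `who's` should read `whose`.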
@@ -729,7 +745,7 @@ class Credential(object):
 # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn())
 root_cred_signer_type = root_cred_signer.get_type()
 if (root_cred_signer_type == 'authority'):
- #logger.debug('Cred signer is an authority')
+ #sfa.util.sfalogging.logger.debug('Cred signer is an authority')
 # signer is an authority, see if target is in authority's domain
 hrn = root_cred_signer.get_hrn()
 if root_target_gid.get_hrn().startswith(hrn):
@@ -780,7 +796,7 @@ class Credential(object):
 parent_cred.verify_parent(parent_cred.parent)
- def delegate(self, delegee_gid, keyfile):
+ def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
 """ Return a delegated copy of this credential, delegated to the specified gid's user.
@@ -790,21 +806,21 @@ class Credential(object):
 object_hrn = object_gid.get_hrn()
 # the hrn of the user who will be delegated to
- if isinstance(delegee_gid, str):
- delegee_gid = GID(string=records[0]['gid'])
+ delegee_gid = GID(filename=delegee_gidfile)
 delegee_hrn = delegee_gid.get_hrn()
-
- user_key = Keypair(filename=keyfile)
- user_hrn = self.get_gid_caller().get_hrn()
+
+ #user_key = Keypair(filename=keyfile)
+ #user_hrn = self.get_gid_caller().get_hrn()
 subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn)
 dcred = Credential(subject=subject_string)
 dcred.set_gid_caller(delegee_gid)
 dcred.set_gid_object(object_gid)
- privs = self.get_privileges()
+ dcred.set_parent(self)
+ dcred.set_lifetime(self.get_lifetime())
 dcred.set_privileges(self.get_privileges())
 dcred.get_privileges().delegate_all_privileges(True)
- dcred.set_issuer_keys(user_key, object_gid)
- dcred.set_parent(self)
+ #dcred.set_issuer_keys(keyfile, delegee_gidfile)
+ dcred.set_issuer_keys(caller_keyfile, caller_gidfile)
 dcred.encode()
 dcred.sign()
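Review bot: The new `delegate` signature takes three file paths, but the docstring still describes only "the specified gid's user"; it should state that `delegee_gidfile` is the path of the delegee's GID file, and that `caller_keyfile` and `caller_gidfile` are the paths of the private key and GID of the current credential holder, which are handed to `set_issuer_keys` and presumably used when `sign()` runs. This is also an incompatible change for any existing caller of `delegate(gid, keyfile)`, which now fails with a `TypeError` on the missing third argument; that deserves a line in the commit message or a check of the call sites. The method body continues in the following hunk.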
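Review bot: Nothing in the new body checks that `caller_gidfile` actually belongs to the holder of this credential: the old `user_hrn = self.get_gid_caller().get_hrn()` line is now commented out rather than used, so a key/gid pair that does not match `self.get_gid_caller()` is only rejected later, presumably when the delegated credential's parent chain is verified. A cheap local check before `dcred.set_issuer_keys(caller_keyfile, caller_gidfile)` would be `caller_gid = GID(filename=caller_gidfile)` / `if caller_gid.get_hrn() != self.get_gid_caller().get_hrn():` / `raise <appropriate fault from sfa.util.faults>  # placeholder`. Separately, `dcred.set_lifetime(self.get_lifetime())` keeps the delegated credential from outliving its parent only if the value is the parent's absolute expiry; if `get_lifetime` returns a duration measured from now, the child can expire after the parent, which is worth confirming. The three commented-out lines (`#user_key`, `#user_hrn`, `#dcred.set_issuer_keys(keyfile, delegee_gidfile)`) should be deleted rather than kept, and the remainder of the method runs past the end of the hunk.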