X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=66401f896e8db071d3f386bf22645611bb9943ca;hb=dc78e3f893a576ed12c695682770a124f1462acc;hp=20b1dfde4d3dd2c4721216192397a259dd5f9eb6;hpb=22aa3afa8d052a3e293666eb30b29a684ec60b76;p=sfa.git
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index 20b1dfde..66401f89 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -284,7 +284,7 @@ class Credential(object):
 self.xmlsec_path = path + '/' + 'xmlsec1'
 break

- def get_subject(self):
+ def pretty_subject(self):
 subject = ""
 if not self.gidObject:
 self.decode()
@@ -972,20 +972,28 @@ class Credential(object):
 # make sure the rights given to the child are a subset of the
 # parents rights (and check delegate bits)
 if not parent_cred.get_privileges().is_superset(self.get_privileges()):
- raise ChildRightsNotSubsetOfParent(
- "Parent cred (ref {}) rights {} "
- .format(parent_cred.get_refid(),
- self.parent.get_privileges().save_to_string())
- + " not superset of delegated cred %s (ref %s) rights {}"
- .format(self.pretty_cred(), self.get_refid(),
- self.get_privileges().save_to_string()))
+ message = (
+ "Parent cred {} (ref {}) rights {} "
+ " not superset of delegated cred {} (ref {}) rights {}"
+ .format(parent_cred.pretty_cred(),parent_cred.get_refid(),
+ parent_cred.get_privileges().pretty_rights(),
+ self.pretty_cred(), self.get_refid(),
+ self.get_privileges().pretty_rights()))
+ logger.error(message)
+ logger.error("parent details {}".format(parent_cred.get_privileges().save_to_string()))
+ logger.error("self details {}".format(self.get_privileges().save_to_string()))
+ raise ChildRightsNotSubsetOfParent(message)

 # make sure my target gid is the same as the parent's
 if not parent_cred.get_gid_object().save_to_string() == \
 self.get_gid_object().save_to_string():
- raise CredentialNotVerifiable(
+ message = (
 "Delegated cred {}: Target gid not equal between parent and child. Parent {}"
 .format(self.pretty_cred(), parent_cred.pretty_cred()))
+ logger.error(message)
+ logger.error("parent details {}".format(parent_cred.save_to_string()))
+ logger.error("self details {}".format(self.save_to_string()))
+ raise CredentialNotVerifiable(message)

 # make sure my expiry time is <= my parent's
 if not parent_cred.get_expiration() >= self.get_expiration():
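Review bot: The new `logger.error("parent details {}".format(parent_cred.save_to_string()))` and `self details` lines in the target-gid branch write the complete serialized credentials to the error log, and they do so for a credential that has just failed verification, so the content is presumably supplied by the remote caller. A rejected request can therefore put arbitrary multi-line text into the log and inflate it, and whole credentials end up copied into the log file. Keeping the one-line `message` at error level and moving the dumps to debug with lazy arguments would still cover the diagnostic need, e.g. `logger.debug("parent details %s", parent_cred.save_to_string())`. The same applies to the privilege dumps in the first branch and to the `details` lines added in the `@@ -999` hunk; the enclosing method starts and ends outside this hunk.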
@@ -999,8 +1007,10 @@ class Credential(object):
 message = "Delegated credential {} not signed by parent {}'s caller"\
 .format(self.pretty_cred(), parent_cred.pretty_cred())
 logger.error(message)
- logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().save_to_string()))
- logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().save_to_string()))
+ logger.error("compare1 parent {}".format(parent_cred.get_gid_caller().pretty_cred()))
+ logger.error("compare1 parent details {}".format(parent_cred.get_gid_caller().save_to_string()))
+ logger.error("compare2 self {}".format(self.get_signature().get_issuer_gid().pretty_cred()))
+ logger.error("compare2 self details {}".format(self.get_signature().get_issuer_gid().save_to_string()))
 raise CredentialNotVerifiable(message)

 # Recurse
@@ -1078,7 +1088,7 @@ class Credential(object):
 # show_xml is ignored
 def dump_string(self, dump_parents=False, show_xml=None):
 result=""
- result += "CREDENTIAL %s\n" % self.get_subject()
+ result += "CREDENTIAL %s\n" % self.pretty_subject()
 filename=self.get_filename()
 if filename: result += "Filename %s\n"%filename
 privileges = self.get_privileges()
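Review bot: In the `@@ -999` hunk, `pretty_cred()` is called on the results of `get_gid_caller()` and `get_issuer_gid()`, which appear to be GID objects rather than credentials; everywhere else in this diff `pretty_cred()` is invoked on a credential. If the GID class does not define that method, the `compare1 parent` line raises AttributeError before `raise CredentialNotVerifiable(message)` is reached, so a caller that catches CredentialNotVerifiable for a bad delegation signature would see a different exception type. Please confirm the method exists on GID, or use the GID's own short-form printer, and add a test that drives this failure branch. The enclosing method starts outside the hunk.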