X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=8fd11e8e1ced110a6186eab996e93c34d006c5e7;hb=5c0e9940d36350e510f2acbe7ad9774fb2048ee4;hp=a336dcdeec85cf5e0d1d11ed1aa13d20a3291fe8;hpb=f6f1bf872dd9700136c54d5b14fc3e3aa9b18b7d;p=sfa.git

diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py
index a336dcde..8fd11e8e 100644
--- a/sfa/trust/credential.py
+++ b/sfa/trust/credential.py
@@ -40,10 +40,11 @@ try:
 except:
     pass
 
-from sfa.util.faults import *
+from xml.parsers.expat import ExpatError
+
+from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent
 from sfa.util.sfalogging import logger
 from sfa.util.sfatime import utcparse
-from sfa.trust.certificate import Keypair
 from sfa.trust.credential_legacy import CredentialLegacy
 from sfa.trust.rights import Right, Rights, determine_rights
 from sfa.trust.gid import GID
@@ -209,17 +210,19 @@ class Signature(object):
 # not be changed else the signature is no longer valid.  So, once
 # you have loaded an existing signed credential, do not call encode() or sign() on it.
 
-def filter_creds_by_caller(creds, caller_hrn):
+def filter_creds_by_caller(creds, caller_hrn_list):
         """
         Returns a list of creds who's gid caller matches the
         specified caller hrn
         """
         if not isinstance(creds, list): creds = [creds]
+        if not isinstance(caller_hrn_list, list): 
+            caller_hrn_list = [caller_hrn_list]
         caller_creds = []
         for cred in creds:
             try:
                 tmp_cred = Credential(string=cred)
-                if tmp_cred.get_gid_caller().get_hrn() == caller_hrn:
+                if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list:
                     caller_creds.append(cred)
             except: pass
         return caller_creds
@@ -928,7 +931,13 @@ class Credential(object):
         # But we haven't verified that it is _signed by_ an authority
         # We also don't know if xmlsec1 requires that cert signers
         # are marked as CAs.
-        root_cred_signer.verify_chain(trusted_gids)
+
+        # Note that if verify() gave us no trusted_gids then this
+        # call will fail. So skip it if we have no trusted_gids
+        if trusted_gids and len(trusted_gids) > 0:
+            root_cred_signer.verify_chain(trusted_gids)
+        else:
+            logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.")
 
         # See if the signer is an authority over the domain of the target.
         # There are multiple types of authority - accept them all here