X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=ad2d201ae36418afa063f5ba263fdbcc5e70c85c;hb=3d51e29695f79b143974f5cf7b2e104d89626ba4;hp=a336dcdeec85cf5e0d1d11ed1aa13d20a3291fe8;hpb=f6f1bf872dd9700136c54d5b14fc3e3aa9b18b7d;p=sfa.git diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index a336dcde..ad2d201a 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -26,7 +26,7 @@ # Credentials are signed XML files that assign a subject gid privileges to an object gid ## -import os +import os,sys from types import StringTypes import datetime from StringIO import StringIO @@ -40,17 +40,18 @@ try: except: pass -from sfa.util.faults import * +from xml.parsers.expat import ExpatError + +from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent from sfa.util.sfalogging import logger from sfa.util.sfatime import utcparse -from sfa.trust.certificate import Keypair from sfa.trust.credential_legacy import CredentialLegacy from sfa.trust.rights import Right, Rights, determine_rights from sfa.trust.gid import GID from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn # 2 weeks, in seconds -DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14 +DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31 # TODO: @@ -159,8 +160,10 @@ class Signature(object): def get_refid(self): + #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid\ self.refid %s " %(self.refid) if not self.refid: self.decode() + #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid self.refid %s " %(self.refid) return self.refid def get_xml(self): @@ -209,17 +212,19 @@ class Signature(object): # not be changed else the signature is no longer valid. So, once # you have loaded an existing signed credential, do not call encode() or sign() on it. -def filter_creds_by_caller(creds, caller_hrn): +def filter_creds_by_caller(creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] caller_creds = [] for cred in creds: try: tmp_cred = Credential(string=cred) - if tmp_cred.get_gid_caller().get_hrn() == caller_hrn: + if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list: caller_creds.append(cred) except: pass return caller_creds @@ -275,6 +280,7 @@ class Credential(object): self.decode() return self.gidObject.get_printable_subject() + # sounds like this should be __repr__ instead ?? def get_summary_tostring(self): if not self.gidObject: self.decode() @@ -585,18 +591,23 @@ class Credential(object): def updateRefID(self): if not self.parent: - self.set_refid('ref0') + self.set_refid('ref0') + #print>>sys.stderr, " \r\n \r\n updateRefID next_cred ref0 " return [] refs = [] next_cred = self.parent + while next_cred: + refs.append(next_cred.get_refid()) if next_cred.parent: next_cred = next_cred.parent + #print>>sys.stderr, " \r\n \r\n updateRefID next_cred " else: next_cred = None + #print>>sys.stderr, " \r\n \r\n updateRefID next_cred NONE" # Find a unique refid for this credential @@ -801,10 +812,12 @@ class Credential(object): # Failures here include unreadable files # or non PEM files trusted_cert_objects.append(GID(filename=f)) + #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs %s" %(GID(filename=f).get_hrn()) ok_trusted_certs.append(f) except Exception, exc: logger.error("Failed to load trusted cert from %s: %r", f, exc) trusted_certs = ok_trusted_certs + #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs elemnebts %s" %(len(trusted_certs)) # Use legacy verification if this is a legacy credential if self.legacy: @@ -830,7 +843,8 @@ class Credential(object): # Verify the gids of this cred and of its parents for cur_cred in self.get_credential_list(): cur_cred.get_gid_object().verify_chain(trusted_cert_objects) - cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) + cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) + #print>>sys.stderr, " \r\n \t\t\t credential.py verify cur_cred get_gid_object hrn %s get_gid_caller %s" %(cur_cred.get_gid_object().get_hrn(),cur_cred.get_gid_caller().get_hrn()) refs = [] refs.append("Sig_%s" % self.get_refid()) @@ -838,7 +852,7 @@ class Credential(object): parentRefs = self.updateRefID() for ref in parentRefs: refs.append("Sig_%s" % ref) - + #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs refs", ref for ref in refs: # If caller explicitly passed in None that means skip xmlsec1 validation. # Strange and not typical @@ -849,6 +863,7 @@ class Credential(object): # (self.xmlsec_path, ref, cert_args, filename) verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \ % (self.xmlsec_path, ref, cert_args, filename)).read() + #print>>sys.stderr, " \r\n \t\t\t credential.py verify filename %s verified %s " %(filename,verified) if not verified.strip().startswith("OK"): # xmlsec errors have a msg= which is the interesting bit. mstart = verified.find("msg=") @@ -859,11 +874,12 @@ class Credential(object): msg = verified[mstart:mend] raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip())) os.remove(filename) - + + #print>>sys.stderr, " \r\n \t\t\t credential.py HUMMM parents %s", self.parent # Verify the parents (delegation) if self.parent: self.verify_parent(self.parent) - + #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs parents" # Make sure the issuer is the target's authority, and is # itself a valid GID self.verify_issuer(trusted_cert_objects) @@ -928,7 +944,13 @@ class Credential(object): # But we haven't verified that it is _signed by_ an authority # We also don't know if xmlsec1 requires that cert signers # are marked as CAs. - root_cred_signer.verify_chain(trusted_gids) + + # Note that if verify() gave us no trusted_gids then this + # call will fail. So skip it if we have no trusted_gids + if trusted_gids and len(trusted_gids) > 0: + root_cred_signer.verify_chain(trusted_gids) + else: + logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.") # See if the signer is an authority over the domain of the target. # There are multiple types of authority - accept them all here @@ -960,6 +982,7 @@ class Credential(object): # . The expiry time on the child must be no later than the parent # . The signer of the child must be the owner of the parent def verify_parent(self, parent_cred): + #print>>sys.stderr, " \r\n\r\n \t verify_parent parent_cred.get_gid_caller().save_to_string(False) %s self.get_signature().get_issuer_gid().save_to_string(False) %s" %(parent_cred.get_gid_caller().get_hrn(),self.get_signature().get_issuer_gid().get_hrn()) # make sure the rights given to the child are a subset of the # parents rights (and check delegate bits) if not parent_cred.get_privileges().is_superset(self.get_privileges()):