X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=d9368c4a54c109579da16ac06093ce1bb26a947e;hb=1cc8e9613cab8b5b22478de369f259e591c54e6d;hp=a336dcdeec85cf5e0d1d11ed1aa13d20a3291fe8;hpb=f6f1bf872dd9700136c54d5b14fc3e3aa9b18b7d;p=sfa.git diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index a336dcde..d9368c4a 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -40,17 +40,18 @@ try: except: pass -from sfa.util.faults import * +from xml.parsers.expat import ExpatError + +from sfa.util.faults import CredentialNotVerifiable, ChildRightsNotSubsetOfParent from sfa.util.sfalogging import logger from sfa.util.sfatime import utcparse -from sfa.trust.certificate import Keypair from sfa.trust.credential_legacy import CredentialLegacy from sfa.trust.rights import Right, Rights, determine_rights from sfa.trust.gid import GID from sfa.util.xrn import urn_to_hrn, hrn_authfor_hrn # 2 weeks, in seconds -DEFAULT_CREDENTIAL_LIFETIME = 86400 * 14 +DEFAULT_CREDENTIAL_LIFETIME = 86400 * 31 # TODO: @@ -209,17 +210,19 @@ class Signature(object): # not be changed else the signature is no longer valid. So, once # you have loaded an existing signed credential, do not call encode() or sign() on it. -def filter_creds_by_caller(creds, caller_hrn): +def filter_creds_by_caller(creds, caller_hrn_list): """ Returns a list of creds who's gid caller matches the specified caller hrn """ if not isinstance(creds, list): creds = [creds] + if not isinstance(caller_hrn_list, list): + caller_hrn_list = [caller_hrn_list] caller_creds = [] for cred in creds: try: tmp_cred = Credential(string=cred) - if tmp_cred.get_gid_caller().get_hrn() == caller_hrn: + if tmp_cred.get_gid_caller().get_hrn() in caller_hrn_list: caller_creds.append(cred) except: pass return caller_creds @@ -234,7 +237,7 @@ class Credential(object): # @param string If string!=None, load the credential from the string # @param filename If filename!=None, load the credential from the file # FIXME: create and subject are ignored! - def __init__(self, create=False, subject=None, string=None, filename=None): + def __init__(self, create=False, subject=None, string=None, filename=None, cred=None): self.gidCaller = None self.gidObject = None self.expiration = None @@ -247,6 +250,19 @@ class Credential(object): self.xml = None self.refid = None self.legacy = None + self.type = None + self.version = None + + if cred: + if isinstance(cred, StringTypes): + string = cred + self.type = 'geni_sfa' + self.version = '1.0' + elif isinstance(cred, dict): + string = cred['geni_value'] + self.type = cred['geni_type'] + self.version = cred['geni_version'] + # Check if this is a legacy credential, translate it if so if string or filename: @@ -271,10 +287,14 @@ class Credential(object): break def get_subject(self): + subject = "" if not self.gidObject: self.decode() - return self.gidObject.get_printable_subject() + if self.gidObject: + subject = self.gidObject.get_printable_subject() + return subject + # sounds like this should be __repr__ instead ?? def get_summary_tostring(self): if not self.gidObject: self.decode() @@ -360,8 +380,6 @@ class Credential(object): if not self.gidObject: self.decode() return self.gidObject - - ## # Expiration: an absolute UTC time of expiration (as either an int or string or datetime) @@ -400,8 +418,7 @@ class Credential(object): if isinstance(privs, str): self.privileges = Rights(string = privs) else: - self.privileges = privs - + self.privileges = privs ## # return the privileges as a Rights object @@ -679,6 +696,12 @@ class Credential(object): def decode(self): if not self.xml: return + + doc = None + try: + doc = parseString(self.xml) + except ExpatError,e: + raise CredentialNotVerifiable("Malformed credential") doc = parseString(self.xml) sigs = [] signed_cred = doc.getElementsByTagName("signed-credential") @@ -928,7 +951,13 @@ class Credential(object): # But we haven't verified that it is _signed by_ an authority # We also don't know if xmlsec1 requires that cert signers # are marked as CAs. - root_cred_signer.verify_chain(trusted_gids) + + # Note that if verify() gave us no trusted_gids then this + # call will fail. So skip it if we have no trusted_gids + if trusted_gids and len(trusted_gids) > 0: + root_cred_signer.verify_chain(trusted_gids) + else: + logger.debug("No trusted gids. Cannot verify that cred signer is signed by a trusted authority. Skipping that check.") # See if the signer is an authority over the domain of the target. # There are multiple types of authority - accept them all here @@ -1033,7 +1062,11 @@ class Credential(object): result += "CREDENTIAL %s\n" % self.get_subject() filename=self.get_filename() if filename: result += "Filename %s\n"%filename - result += " privs: %s\n" % self.get_privileges().save_to_string() + privileges = self.get_privileges() + if privileges: + result += " privs: %s\n" % privileges.save_to_string() + else: + result += " privs: \n" gidCaller = self.get_gid_caller() if gidCaller: result += " gidCaller:\n" @@ -1043,6 +1076,9 @@ class Credential(object): print " gidIssuer:" self.get_signature().get_issuer_gid().dump(8, dump_parents) + if self.expiration: + print " expiration:", self.expiration.isoformat() + gidObject = self.get_gid_object() if gidObject: result += " gidObject:\n"