X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fcredential.py;h=d9368c4a54c109579da16ac06093ce1bb26a947e;hb=1cc8e9613cab8b5b22478de369f259e591c54e6d;hp=ad2d201ae36418afa063f5ba263fdbcc5e70c85c;hpb=3d51e29695f79b143974f5cf7b2e104d89626ba4;p=sfa.git diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index ad2d201a..d9368c4a 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -26,7 +26,7 @@ # Credentials are signed XML files that assign a subject gid privileges to an object gid ## -import os,sys +import os from types import StringTypes import datetime from StringIO import StringIO @@ -160,10 +160,8 @@ class Signature(object): def get_refid(self): - #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid\ self.refid %s " %(self.refid) if not self.refid: self.decode() - #print>>sys.stderr," \r\n \r\n credential.py Signature get_refid self.refid %s " %(self.refid) return self.refid def get_xml(self): @@ -239,7 +237,7 @@ class Credential(object): # @param string If string!=None, load the credential from the string # @param filename If filename!=None, load the credential from the file # FIXME: create and subject are ignored! - def __init__(self, create=False, subject=None, string=None, filename=None): + def __init__(self, create=False, subject=None, string=None, filename=None, cred=None): self.gidCaller = None self.gidObject = None self.expiration = None @@ -252,6 +250,19 @@ class Credential(object): self.xml = None self.refid = None self.legacy = None + self.type = None + self.version = None + + if cred: + if isinstance(cred, StringTypes): + string = cred + self.type = 'geni_sfa' + self.version = '1.0' + elif isinstance(cred, dict): + string = cred['geni_value'] + self.type = cred['geni_type'] + self.version = cred['geni_version'] + # Check if this is a legacy credential, translate it if so if string or filename: @@ -276,9 +287,12 @@ class Credential(object): break def get_subject(self): + subject = "" if not self.gidObject: self.decode() - return self.gidObject.get_printable_subject() + if self.gidObject: + subject = self.gidObject.get_printable_subject() + return subject # sounds like this should be __repr__ instead ?? def get_summary_tostring(self): @@ -366,8 +380,6 @@ class Credential(object): if not self.gidObject: self.decode() return self.gidObject - - ## # Expiration: an absolute UTC time of expiration (as either an int or string or datetime) @@ -406,8 +418,7 @@ class Credential(object): if isinstance(privs, str): self.privileges = Rights(string = privs) else: - self.privileges = privs - + self.privileges = privs ## # return the privileges as a Rights object @@ -591,23 +602,18 @@ class Credential(object): def updateRefID(self): if not self.parent: - self.set_refid('ref0') - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred ref0 " + self.set_refid('ref0') return [] refs = [] next_cred = self.parent - while next_cred: - refs.append(next_cred.get_refid()) if next_cred.parent: next_cred = next_cred.parent - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred " else: next_cred = None - #print>>sys.stderr, " \r\n \r\n updateRefID next_cred NONE" # Find a unique refid for this credential @@ -690,6 +696,12 @@ class Credential(object): def decode(self): if not self.xml: return + + doc = None + try: + doc = parseString(self.xml) + except ExpatError,e: + raise CredentialNotVerifiable("Malformed credential") doc = parseString(self.xml) sigs = [] signed_cred = doc.getElementsByTagName("signed-credential") @@ -812,12 +824,10 @@ class Credential(object): # Failures here include unreadable files # or non PEM files trusted_cert_objects.append(GID(filename=f)) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs %s" %(GID(filename=f).get_hrn()) ok_trusted_certs.append(f) except Exception, exc: logger.error("Failed to load trusted cert from %s: %r", f, exc) trusted_certs = ok_trusted_certs - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs elemnebts %s" %(len(trusted_certs)) # Use legacy verification if this is a legacy credential if self.legacy: @@ -843,8 +853,7 @@ class Credential(object): # Verify the gids of this cred and of its parents for cur_cred in self.get_credential_list(): cur_cred.get_gid_object().verify_chain(trusted_cert_objects) - cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify cur_cred get_gid_object hrn %s get_gid_caller %s" %(cur_cred.get_gid_object().get_hrn(),cur_cred.get_gid_caller().get_hrn()) + cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) refs = [] refs.append("Sig_%s" % self.get_refid()) @@ -852,7 +861,7 @@ class Credential(object): parentRefs = self.updateRefID() for ref in parentRefs: refs.append("Sig_%s" % ref) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs refs", ref + for ref in refs: # If caller explicitly passed in None that means skip xmlsec1 validation. # Strange and not typical @@ -863,7 +872,6 @@ class Credential(object): # (self.xmlsec_path, ref, cert_args, filename) verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \ % (self.xmlsec_path, ref, cert_args, filename)).read() - #print>>sys.stderr, " \r\n \t\t\t credential.py verify filename %s verified %s " %(filename,verified) if not verified.strip().startswith("OK"): # xmlsec errors have a msg= which is the interesting bit. mstart = verified.find("msg=") @@ -874,12 +882,11 @@ class Credential(object): msg = verified[mstart:mend] raise CredentialNotVerifiable("xmlsec1 error verifying cred %s using Signature ID %s: %s %s" % (self.get_summary_tostring(), ref, msg, verified.strip())) os.remove(filename) - - #print>>sys.stderr, " \r\n \t\t\t credential.py HUMMM parents %s", self.parent + # Verify the parents (delegation) if self.parent: self.verify_parent(self.parent) - #print>>sys.stderr, " \r\n \t\t\t credential.py verify trusted_certs parents" + # Make sure the issuer is the target's authority, and is # itself a valid GID self.verify_issuer(trusted_cert_objects) @@ -982,7 +989,6 @@ class Credential(object): # . The expiry time on the child must be no later than the parent # . The signer of the child must be the owner of the parent def verify_parent(self, parent_cred): - #print>>sys.stderr, " \r\n\r\n \t verify_parent parent_cred.get_gid_caller().save_to_string(False) %s self.get_signature().get_issuer_gid().save_to_string(False) %s" %(parent_cred.get_gid_caller().get_hrn(),self.get_signature().get_issuer_gid().get_hrn()) # make sure the rights given to the child are a subset of the # parents rights (and check delegate bits) if not parent_cred.get_privileges().is_superset(self.get_privileges()): @@ -1056,7 +1062,11 @@ class Credential(object): result += "CREDENTIAL %s\n" % self.get_subject() filename=self.get_filename() if filename: result += "Filename %s\n"%filename - result += " privs: %s\n" % self.get_privileges().save_to_string() + privileges = self.get_privileges() + if privileges: + result += " privs: %s\n" % privileges.save_to_string() + else: + result += " privs: \n" gidCaller = self.get_gid_caller() if gidCaller: result += " gidCaller:\n" @@ -1066,6 +1076,9 @@ class Credential(object): print " gidIssuer:" self.get_signature().get_issuer_gid().dump(8, dump_parents) + if self.expiration: + print " expiration:", self.expiration.isoformat() + gidObject = self.get_gid_object() if gidObject: result += " gidObject:\n"