From: Tony Mack Date: Mon, 22 Nov 2010 17:12:01 +0000 (-0500) Subject: validate credential against RelaxNG schema X-Git-Tag: sfa-1.0-9~17 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;ds=sidebyside;h=ecfe9e92f8beb1cb400173ba4d01fb3d90c8ec23;p=sfa.git validate credential against RelaxNG schema --- diff --git a/config/default_config.xml b/config/default_config.xml index ce5ec403..899d1736 100644 --- a/config/default_config.xml +++ b/config/default_config.xml @@ -24,6 +24,12 @@ Thierry Parmentelat The human readable name for this interface. + + Credential Schema + /etc/sfa/credential.rng + The path to the default credential schema + + Debug false diff --git a/setup.py b/setup.py index f0f89a49..897e3cd4 100755 --- a/setup.py +++ b/setup.py @@ -54,7 +54,8 @@ data_files = [('/etc/sfa/', [ 'config/aggregates.xml', 'config/registries.xml', 'config/default_config.xml', 'config/sfi_config', - 'sfa/managers/pl/pl.rng']), + 'sfa/managers/pl/pl.rng', + 'sfa/trust/credential.rng']), ('/etc/sfatables/matches/', glob('sfatables/matches/*.xml')), ('/etc/sfatables/targets/', glob('sfatables/targets/*.xml')), ('/etc/init.d/', ['sfa/init.d/sfa', 'sfa/init.d/sfa-cm'])] diff --git a/sfa.spec b/sfa.spec index 27158db7..96663d35 100644 --- a/sfa.spec +++ b/sfa.spec @@ -131,6 +131,7 @@ rm -rf $RPM_BUILD_ROOT %config (noreplace) /etc/sfa/registries.xml /etc/init.d/sfa /etc/sfa/pl.rng +/etc/sfa/credential.rng %{_bindir}/sfa-config-tty %{_bindir}/sfa-import-plc.py* %{_bindir}/sfa-clean-peer-records.py* diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 0b76d9ee..e74dc161 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -79,7 +79,7 @@ class Auth: raise InsufficientRights(operation) if self.trusted_cert_list: - self.client_cred.verify(self.trusted_cert_file_list) + self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index 5aa76319..5478b03b 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -34,7 +34,8 @@ import datetime from tempfile import mkstemp from xml.dom.minidom import Document, parseString from dateutil.parser import parse - +from lxml import etree +from StringIO import StringIO from sfa.util.faults import * from sfa.util.sfalogging import sfa_logger from sfa.trust.certificate import Keypair @@ -649,11 +650,24 @@ class Credential(object): # must be done elsewhere # # @param trusted_certs: The certificates of trusted CA certificates - def verify(self, trusted_certs): + # @param schema: The RelaxNG schema to validate the credential against + def verify(self, trusted_certs, schema=None): if not self.xml: self.decode() + + # validate against RelaxNG schema + if not self.legacy: + if schema and os.path.exists(schema): + tree = etree.parse(StringIO(self.xml)) + schema_doc = etree.parse(schema) + relaxng = etree.RelaxNG(schema_doc) + if not relaxng(tree): + error = relaxng.error_log.last_error + message = "%s (line %s)" % (error.message, error.line) + raise CredentialNotVerifiable(message) + -# trusted_cert_objects = [GID(filename=f) for f in trusted_certs] +# trusted_cert_objects = [GID(filename=f) for f in trusted_certs] trusted_cert_objects = [] ok_trusted_certs = [] for f in trusted_certs: @@ -674,6 +688,7 @@ class Credential(object): if self.legacy.object_gid: self.legacy.object_gid.verify_chain(trusted_cert_objects) return True + # make sure it is not expired if self.get_expiration() < datetime.datetime.utcnow():