From: Josh Karlin Date: Wed, 14 Apr 2010 20:59:42 +0000 (+0000) Subject: Success! PG cert/cred able to call ListResources and GetVersion using sfi.py X-Git-Tag: geni-apiv1-totrunk~61 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=764c847e3598eaf6f7f5a2afadd7e53ad0afd9b7;p=sfa.git Success! PG cert/cred able to call ListResources and GetVersion using sfi.py --- diff --git a/sfa/client/sfi.py b/sfa/client/sfi.py index 9070bdb1..b280c26e 100755 --- a/sfa/client/sfi.py +++ b/sfa/client/sfi.py @@ -24,7 +24,7 @@ import zlib # utility methods here # display methods -def display_rspec(rspec, format = 'rspec'): +def display_rspec(rspec, format='rspec'): if format in ['dns']: spec = RSpec() spec.parseString(rspec) @@ -57,12 +57,12 @@ def display_list(results): print result -def display_records(recordList, dump = False): +def display_records(recordList, dump=False): ''' Print all fields in the record''' for record in recordList: display_record(record, dump) -def display_record(record, dump = False): +def display_record(record, dump=False): if dump: record.dump() else: @@ -92,7 +92,7 @@ def save_rspec_to_file(rspec, filename): def save_records_to_file(filename, recordList): index = 0 for record in recordList: - if index>0: + if index > 0: save_record_to_file(filename + "." + str(index), record) else: save_record_to_file(filename, record) 
@@ -100,15 +100,15 @@ def save_records_to_file(filename, recordList): def save_record_to_file(filename, record): if record['type'] in ['user']: - record = UserRecord(dict = record) + record = UserRecord(dict=record) elif record['type'] in ['slice']: - record = SliceRecord(dict = record) + record = SliceRecord(dict=record) elif record['type'] in ['node']: - record = NodeRecord(dict = record) + record = NodeRecord(dict=record) elif record['type'] in ['authority', 'ma', 'sa']: - record = AuthorityRecord(dict = record) + record = AuthorityRecord(dict=record) else: - record = SfaRecord(dict = record) + record = SfaRecord(dict=record) str = record.save_to_string() file(filename, "w").write(str) return @@ -132,7 +132,7 @@ class Sfi: options = None hashrequest = False - def create_cmd_parser(self,command, additional_cmdargs = None): + def create_cmd_parser(self, command, additional_cmdargs=None): cmdargs = {"gid": "", "list": "name", "show": "name", @@ -146,7 +146,7 @@ class Sfi: "create": "name rspec", "get_trusted_certs": "cred", "get_ticket": "name rspec", - "redeem_ticket": "ticket", + "redeem_ticket": "ticket", "delete": "name", "reset": "name", "start": "name", @@ -165,7 +165,7 @@ class Sfi: print "Invalid command\n" print "Commands: ", for key in cmdargs.keys(): - print key+",", + print key + ",", print "" sys.exit(2) 
@@ -173,24 +173,24 @@ class Sfi: % (command, cmdargs[command])) if command in ("resources"): - parser.add_option("-f", "--format", dest="format",type="choice", - help="display format ([xml]|dns|ip)",default="xml", - choices=("xml","dns","ip")) + parser.add_option("-f", "--format", dest="format", type="choice", + help="display format ([xml]|dns|ip)", default="xml", + choices=("xml", "dns", "ip")) parser.add_option("-a", "--aggregate", dest="aggregate", default=None, help="aggregate hrn") if command in ("create", "get_ticket"): - parser.add_option("-a", "--aggregate", dest="aggregate",default=None, + parser.add_option("-a", "--aggregate", dest="aggregate", default=None, help="aggregate hrn") if command in ("start", "stop", "reset", "delete", "slices"): - parser.add_option("-c", "--component", dest="component",default=None, + parser.add_option("-c", "--component", dest="component", default=None, help="component hrn") if command in ("list", "show", "remove"): - parser.add_option("-t", "--type", dest="type",type="choice", + parser.add_option("-t", "--type", dest="type", type="choice", help="type filter ([all]|user|slice|sa|ma|node|aggregate)", - choices=("all","user","slice","sa","ma","node","aggregate"), + choices=("all", "user", "slice", "sa", "ma", "node", "aggregate"), default="all") if command in ("resources", "show", "list"): @@ -199,8 +199,8 @@ class Sfi: if command in ("show", "list"): parser.add_option("-f", "--format", dest="format", type="choice", - help="display format ([text]|xml)",default="text", - choices=("text","xml")) + help="display format ([text]|xml)", default="text", + choices=("text", "xml")) if command in ("delegate"): parser.add_option("-u", "--user", 
@@ -223,10 +223,10 @@ class Sfi: help="root registry", metavar="URL", default=None) parser.add_option("-s", "--slicemgr", dest="sm", help="slice manager", metavar="URL", default=None) - default_sfi_dir=os.path.expanduser("~/.sfi/") + default_sfi_dir = os.path.expanduser("~/.sfi/") parser.add_option("-d", "--dir", dest="sfi_dir", help="config & working directory - default is " + default_sfi_dir, - metavar="PATH", default = default_sfi_dir) + metavar="PATH", default=default_sfi_dir) parser.add_option("-u", "--user", dest="user", help="user name", metavar="HRN", default=None) parser.add_option("-a", "--auth", dest="auth", @@ -253,7 +253,7 @@ class Sfi: try: config = Config (config_file) except: - print "Failed to read configuration file",config_file + print "Failed to read configuration file", config_file print "Make sure to remove the export clauses and to add quotes" if not self.options.verbose: print "Re-run with -v for more details" 
@@ -261,48 +261,48 @@ class Sfi: traceback.print_exc() sys.exit(1) - errors=0 + errors = 0 # Set SliceMgr URL if (self.options.sm is not None): sm_url = self.options.sm - elif hasattr(config,"SFI_SM"): + elif hasattr(config, "SFI_SM"): sm_url = config.SFI_SM else: - print "You need to set e.g. SFI_SM='http://your.slicemanager.url:12347/' in %s"%config_file - errors +=1 + print "You need to set e.g. SFI_SM='http://your.slicemanager.url:12347/' in %s" % config_file + errors += 1 # Set Registry URL if (self.options.registry is not None): reg_url = self.options.registry - elif hasattr(config,"SFI_REGISTRY"): + elif hasattr(config, "SFI_REGISTRY"): reg_url = config.SFI_REGISTRY else: - print "You need to set e.g. SFI_REGISTRY='http://your.registry.url:12345/' in %s"%config_file - errors +=1 + print "You need to set e.g. SFI_REGISTRY='http://your.registry.url:12345/' in %s" % config_file + errors += 1 if (self.options.geni_am is not None): geni_am_url = self.options.geni_am - elif hasattr(config,"SFI_GENI_AM"): + elif hasattr(config, "SFI_GENI_AM"): geni_am_url = config.SFI_GENI_AM # Set user HRN if (self.options.user is not None): self.user = self.options.user - elif hasattr(config,"SFI_USER"): + elif hasattr(config, "SFI_USER"): self.user = config.SFI_USER else: - print "You need to set e.g. SFI_USER='plc.princeton.username' in %s"%config_file - errors +=1 + print "You need to set e.g. SFI_USER='plc.princeton.username' in %s" % config_file + errors += 1 # Set authority HRN if (self.options.auth is not None): self.authority = self.options.auth - elif hasattr(config,"SFI_AUTH"): + elif hasattr(config, "SFI_AUTH"): self.authority = config.SFI_AUTH else: - print "You need to set e.g. SFI_AUTH='plc.princeton' in %s"%config_file - errors +=1 + print "You need to set e.g. SFI_AUTH='plc.princeton' in %s" % config_file + errors += 1 if errors: sys.exit(1) 
@@ -339,7 +339,7 @@ class Sfi: def get_key_file(self): - file=os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".pkey") + file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".pkey") #file = os.path.join(self.options.sfi_dir, get_leaf(self.user) + ".pkey") if (os.path.isfile(file)): return file @@ -348,14 +348,14 @@ class Sfi: sys.exit(-1) return - def get_cert_file(self,key_file): + def get_cert_file(self, key_file): #file = os.path.join(self.options.sfi_dir, get_leaf(self.user) + ".cert") - file=os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert") + file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert") if (os.path.isfile(file)): return file else: - k = Keypair(filename = key_file) + k = Keypair(filename=key_file) cert = Certificate(subject=self.user) cert.set_pubkey(k) cert.set_issuer(k, self.user) @@ -367,7 +367,7 @@ class Sfi: def get_gid(self): #file = os.path.join(self.options.sfi_dir, get_leaf(self.user) + ".gid") - file=os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".gid") + file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".gid") if (os.path.isfile(file)): gid = GID(filename=file) return gid 
@@ -382,17 +382,17 @@ class Sfi: def get_user_cred(self): #file = os.path.join(self.options.sfi_dir, get_leaf(self.user) + ".cred") - file=os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cred") + file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cred") if (os.path.isfile(file)): user_cred = Credential(filename=file) return user_cred else: # bootstrap user credential cert_string = self.cert.save_to_string(save_parents=True) - user_name=self.user.replace(self.authority+".", '') + user_name = self.user.replace(self.authority + ".", '') if user_name.count(".") > 0: user_name = user_name.replace(".", '_') - self.user=self.authority + "." + user_name + self.user = self.authority + "." + user_name user_cred = self.registry.get_self_credential(cert_string, "user", self.user) if user_cred: @@ -410,7 +410,7 @@ class Sfi: print "no authority specified. Use -a or set SF_AUTH" sys.exit(-1) - file = os.path.join(self.options.sfi_dir, get_leaf("authority") +".cred") + file = os.path.join(self.options.sfi_dir, get_leaf("authority") + ".cred") if (os.path.isfile(file)): auth_cred = Credential(filename=file) return auth_cred @@ -428,7 +428,7 @@ class Sfi: print "Failed to get authority credential" sys.exit(-1) - def get_slice_cred(self,name): + def get_slice_cred(self, name): file = os.path.join(self.options.sfi_dir, "slice_" + get_leaf(name) + ".cred") if (os.path.isfile(file)): slice_cred = Credential(filename=file) @@ -448,7 +448,7 @@ class Sfi: print "Failed to get slice credential" sys.exit(-1) - def delegate_cred(self,cred, hrn, type = 'authority'): + def delegate_cred(self, cred, hrn, type='authority'): # the gid and hrn of the object we are delegating user_cred = Credential(string=cred) object_gid = user_cred.get_gid_object() 
@@ -470,7 +470,7 @@ class Sfi: delegee_hrn = delegee_gid.get_hrn() # the key and hrn of the user who will be delegating - user_key = Keypair(filename = self.get_key_file()) + user_key = Keypair(filename=self.get_key_file()) user_hrn = user_cred.get_gid_caller().get_hrn() dcred = Credential(subject=object_hrn + " delegated to " + delegee_hrn) @@ -481,7 +481,7 @@ class Sfi: # Save the issuer's gid to a file - fname = self.options.sfi_dir + os.sep + "gid_%d" % random.randint(0,999999999) + fname = self.options.sfi_dir + os.sep + "gid_%d" % random.randint(0, 999999999) f = open(fname, "w") f.write(user_cred.get_gid_caller().save_to_string()) f.close() @@ -494,7 +494,7 @@ class Sfi: return dcred.save_to_string(save_parents=True) - def get_rspec_file(self,rspec): + def get_rspec_file(self, rspec): if (os.path.isabs(rspec)): file = rspec else: @@ -505,7 +505,7 @@ class Sfi: print "No such rspec file", rspec sys.exit(1) - def get_record_file(self,record): + def get_record_file(self, record): if (os.path.isabs(record)): file = record else: @@ -516,8 +516,8 @@ class Sfi: print "No such registry record file", record sys.exit(1) - def load_publickey_string(self,fn): - f = file(fn,"r") + def load_publickey_string(self, fn): + f = file(fn, "r") key_string = f.read() # if the filename is a private key file, then extract the public key @@ -549,8 +549,8 @@ class Sfi: # Registry-related commands # - def dispatch(self,command, cmd_opts, cmd_args): - getattr(self,command)(cmd_opts, cmd_args) + def dispatch(self, command, cmd_opts, cmd_args): + getattr(self, command)(cmd_opts, cmd_args) def gid(self, opts, args): gid = self.get_gid() @@ -558,7 +558,7 @@ class Sfi: return # list entires in named authority registry - def list(self,opts, args): + def list(self, opts, args): user_cred = self.get_user_cred().save_to_string(save_parents=True) hrn = args[0] try: 
@@ -579,7 +579,7 @@ class Sfi: return # show named registry record - def show(self,opts, args): + def show(self, opts, args): user_cred = self.get_user_cred().save_to_string(save_parents=True) hrn = args[0] records = self.registry.resolve(user_cred, hrn) @@ -588,16 +588,16 @@ class Sfi: print "No record of type", opts.type for record in records: if record['type'] in ['user']: - record = UserRecord(dict = record) + record = UserRecord(dict=record) elif record['type'] in ['slice']: - record = SliceRecord(dict = record) + record = SliceRecord(dict=record) elif record['type'] in ['node']: - record = NodeRecord(dict = record) + record = NodeRecord(dict=record) elif record['type'] in ['authority', 'ma', 'sa']: - record = AuthorityRecord(dict = record) + record = AuthorityRecord(dict=record) else: - record = SfaRecord(dict = record) - if (opts.format=="text"): + record = SfaRecord(dict=record) + if (opts.format == "text"): record.dump() else: print record.save_to_string() @@ -609,7 +609,7 @@ class Sfi: save_records_to_file(file, records) return - def delegate(self,opts, args): + def delegate(self, opts, args): user_cred = self.get_user_cred() if opts.delegate_user: object_cred = user_cred @@ -639,7 +639,7 @@ class Sfi: delegee_hrn = delegee_gid.get_hrn() # the key and hrn of the user who will be delegating - user_key = Keypair(filename = self.get_key_file()) + user_key = Keypair(filename=self.get_key_file()) user_hrn = user_cred.get_gid_caller().get_hrn() subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn) dcred = Credential(subject=subject_string) 
@@ -661,13 +661,13 @@ class Sfi: dest_fn = os.path_join(self.options.sfi_dir, get_leaf(delegee_hrn) + "_slice_" + get_leaf(object_hrn) + ".cred") - dcred.save_to_file(dest_fn, save_parents = True) + dcred.save_to_file(dest_fn, save_parents=True) print "delegated credential for", object_hrn, "to", delegee_hrn, "and wrote to", dest_fn # removed named registry record # - have to first retrieve the record to be removed - def remove(self,opts, args): + def remove(self, opts, args): auth_cred = self.get_auth_cred().save_to_string(save_parents=True) hrn = args[0] type = opts.type @@ -676,7 +676,7 @@ class Sfi: return self.registry.remove(auth_cred, type, hrn) # add named registry record - def add(self,opts, args): + def add(self, opts, args): auth_cred = self.get_auth_cred().save_to_string(save_parents=True) record_filepath = args[0] rec_file = self.get_record_file(record_filepath) @@ -684,7 +684,7 @@ class Sfi: return self.registry.register(auth_cred, record) # update named registry entry - def update(self,opts, args): + def update(self, opts, args): user_cred = self.get_user_cred() rec_file = self.get_record_file(args[0]) record = load_record_from_file(rec_file) @@ -769,7 +769,7 @@ class Sfi: # list available nodes -- use 'resources' w/ no argument instead # list instantiated slices - def slices(self,opts, args): + def slices(self, opts, args): user_cred = self.get_user_cred().save_to_string(save_parents=True) server = self.slicemgr # direct connection to the nodes component manager interface @@ -780,7 +780,7 @@ class Sfi: return # show rspec for named slice - def resources(self,opts, args): + def resources(self, opts, args): user_cred = self.get_user_cred().save_to_string(save_parents=True) server = self.slicemgr if opts.aggregate: 
@@ -810,12 +810,12 @@ class Sfi: return # created named slice with given rspec - def create(self,opts, args): + def create(self, opts, args): slice_hrn = args[0] user_cred = self.get_user_cred() slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True) rspec_file = self.get_rspec_file(args[1]) - rspec=open(rspec_file).read() + rspec = open(rspec_file).read() server = self.slicemgr if opts.aggregate: aggregates = self.registry.get_aggregates(user_cred, opts.aggregate) @@ -832,7 +832,7 @@ class Sfi: user_cred = self.get_user_cred() slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True) rspec_file = self.get_rspec_file(rspec_path) - rspec=open(rspec_file).read() + rspec = open(rspec_file).read() server = self.slicemgr if opts.aggregate: aggregates = self.registry.get_aggregates(user_cred, opts.aggregate) @@ -854,7 +854,7 @@ class Sfi: # use this to get the right slice credential ticket = SfaTicket(filename=ticket_file) ticket.decode() - slice_hrn=ticket.gidObject.get_hrn() + slice_hrn = ticket.gidObject.get_hrn() #slice_hrn = ticket.attributes['slivers'][0]['hrn'] user_cred = self.get_user_cred() slice_cred = self.get_slice_cred(slice_hrn).save_to_string(save_parents=True) @@ -872,7 +872,7 @@ class Sfi: try: cm_port = "12346" url = "https://%(hostname)s:%(cm_port)s" % locals() - print "Calling redeem_ticket at %(url)s " % locals(), + print "Calling redeem_ticket at %(url)s " % locals(), cm = xmlrpcprotocol.get_server(url, self.key_file, self.cert_file) cm.redeem_ticket(slice_cred, ticket.save_to_string(save_parents=True)) print "Success" @@ -885,7 +885,7 @@ class Sfi: return # delete named slice - def delete(self,opts, args): + def delete(self, opts, args): slice_hrn = args[0] server = self.slicemgr # direct connection to the nodes component manager interface 
@@ -896,7 +896,7 @@ class Sfi: return server.delete_slice(slice_cred, slice_hrn) # start named slice - def start(self,opts, args): + def start(self, opts, args): slice_hrn = args[0] server = self.slicemgr # direct connection to the nodes component manager interface @@ -907,7 +907,7 @@ class Sfi: return server.start_slice(slice_cred, slice_hrn) # stop named slice - def stop(self,opts, args): + def stop(self, opts, args): slice_hrn = args[0] server = self.slicemgr # direct connection to the nodes component manager interface @@ -918,7 +918,7 @@ class Sfi: return server.stop_slice(slice_cred, slice_hrn) # reset named slice - def reset(self,opts, args): + def reset(self, opts, args): slice_hrn = args[0] server = self.slicemgr # direct connection to the nodes component manager interface @@ -930,11 +930,11 @@ class Sfi: # GENI AM related calls - def GetVersion(self,opts,args): + def GetVersion(self, opts, args): server = self.geni_am print server.GetVersion() - def ListResources(self,opts,args): + def ListResources(self, opts, args): user_cred = self.get_user_cred().save_to_string(save_parents=True) server = self.geni_am call_options = {'geni_compressed': True} @@ -951,7 +951,7 @@ class Sfi: rspec = zlib.decompress(rspec.decode('base64')) print rspec - def CreateSliver(self,opts,args): + def CreateSliver(self, opts, args): slice_xrn = args[0] user_cred = self.get_user_cred() slice_cred = self.get_slice_cred(slice_xrn).save_to_string(save_parents=True) @@ -968,11 +968,11 @@ class Sfi: self.options = options if options.hashrequest: - self.hashrequest=True + self.hashrequest = True if len(args) <= 0: print "No command given. Use -h for help." - return -1 + return - 1 command = args[0] (cmd_opts, cmd_args) = self.create_cmd_parser(command).parse_args(args[1:]) 
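Review bot: `return - 1` in the no-command branch of Sfi.main still evaluates to -1 (unary minus binds to the literal), but the spacing makes it read like a binary subtraction with a missing left operand, which is the opposite of what this PEP 8 sweep is going for. Keep the operator attached to its operand: `return -1`. The rest of main() continues outside the hunk.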
@@ -980,12 +980,12 @@ class Sfi: print "Registry %s, sm %s, dir %s, user %s, auth %s" % (options.registry, options.sm, options.sfi_dir, options.user, options.auth) - print "Command %s" %command + print "Command %s" % command if command in ("resources"): - print "resources cmd_opts %s" %cmd_opts.format - elif command in ("list","show","remove"): - print "cmd_opts.type %s" %cmd_opts.type - print "cmd_args %s" %cmd_args + print "resources cmd_opts %s" % cmd_opts.format + elif command in ("list", "show", "remove"): + print "cmd_opts.type %s" % cmd_opts.type + print "cmd_args %s" % cmd_args self.set_servers() @@ -998,5 +998,5 @@ class Sfi: return -if __name__=="__main__": +if __name__ == "__main__": Sfi().main() diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 06f490d5..1358547c 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -5,17 +5,15 @@ ### $URL$ # -import time from sfa.trust.credential import Credential from sfa.trust.trustedroot import TrustedRootList -from sfa.trust.rights import RightList from sfa.util.faults import * from sfa.trust.hierarchy import Hierarchy from sfa.util.config import * from sfa.util.namespace import * -from sfa.trust.gid import GID from sfa.util.sfaticket import * +from sfa.util.sfalogging import logger class Auth: """ @@ -62,7 +60,7 @@ class Auth: self.client_cred.verify(self.trusted_cert_file_list) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) - + return True def check_ticket(self, ticket): diff --git a/sfa/trust/certificate.py b/sfa/trust/certificate.py index c0d1a078..7089bd56 100644 --- a/sfa/trust/certificate.py +++ b/sfa/trust/certificate.py 
@@ -267,11 +267,16 @@ class Certificate: def load_from_string(self, string): # if it is a chain of multiple certs, then split off the first one and - # load it (support for the ---parent--- tag as well as normal chained certs) - - string = string.strip() + # load it (support for the ---parent--- tag as well as normal chained certs) + string = string.strip() + + + if not string.startswith('-----'): + string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string + parts = [] + if string.count('-----BEGIN CERTIFICATE-----') > 1 and \ string.count(Certificate.separator) == 0: parts = string.split('-----END CERTIFICATE-----',1) @@ -290,7 +295,7 @@ class Certificate: ## # Load the certificate from a file - def load_from_file(self, filename): + def load_from_file(self, filename): file = open(filename) string = file.read() self.load_from_string(string) diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py index 0b76372f..71325b4f 100644 --- a/sfa/trust/credential.py +++ b/sfa/trust/credential.py @@ -7,18 +7,16 @@ ### $Id$ ### $URL$ -import xmlrpclib import os import datetime from random import randint from xml.dom.minidom import Document, parseString -from lxml import etree from sfa.trust.credential_legacy import CredentialLegacy -from sfa.trust.certificate import Certificate from sfa.trust.rights import * from sfa.trust.gid import * from sfa.util.faults import * + from sfa.util.sfalogging import logger @@ -95,11 +93,12 @@ def append_sub(doc, parent, element, text): # class Signature(object): - refid = None - issuer_gid = None - xml = None + def __init__(self, string=None): + self.refid = None + self.issuer_gid = None + self.xml = None if string: self.xml = string self.decode() 
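Review bot: The new `if not string.startswith('-----'):` branch in load_from_string treats every non-PEM input as a bare base64 DER body and wraps it in CERTIFICATE armor, so an empty string, a different PEM type, or arbitrary text is turned into a would-be certificate and only fails somewhere downstream in the parser, with an error message that no longer reflects what was actually received. Since this loader is on the path for certificates presented by remote callers (inferred from the commit message; please confirm), the branch should reject an empty body before wrapping, and the accepted formats deserve a comment such as `# accept PEM-armored cert(s), or a bare base64 body which is wrapped as a single cert`. The two consecutive blank lines before the check and the unconditional `parts = []` are also out of step with the rest of the method. load_from_string continues past the end of the hunk.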
@@ -155,18 +154,7 @@ class Signature(object): class Credential(object): - gidCaller = None - gidObject = None - expiration = None - privileges = None - issuer_privkey = None - issuer_gid = None - issuer_pubkey = None - parent = None - signature = None - xml = None - refid = None - legacy = None + ## # Create a Credential object @@ -177,6 +165,19 @@ class Credential(object): # @param filename If filename!=None, load the credential from the file def __init__(self, create=False, subject=None, string=None, filename=None): + self.gidCaller = None + self.gidObject = None + self.expiration = None + self.privileges = None + self.issuer_privkey = None + self.issuer_gid = None + self.issuer_pubkey = None + self.parent = None + self.signature = None + self.xml = None + self.refid = None + self.legacy = None + # Check if this is a legacy credential, translate it if so if string or filename: @@ -338,8 +339,6 @@ class Credential(object): # you have loaded an existing signed credential, do not call encode() or sign() on it. def encode(self): - p_sigs = None - # Create the XML document doc = Document() signed_cred = doc.createElement("signed-credential") @@ -561,9 +560,9 @@ class Credential(object): deleg = str2bool(getTextNode(priv, "can_delegate")) if kind == '*': # Convert * into the default privileges for the credential's type - _ , type = urn_to_hrn(self.gidObject) - rl = rlist.determine_rights(type, urn) - for r in rlist.rights: + _ , type = urn_to_hrn(self.gidObject.get_urn()) + rl = rlist.determine_rights(type, self.gidObject.get_urn()) + for r in rl.rights: rlist.add(r) else: rlist.add(Right(kind.strip(), deleg)) @@ -619,10 +618,6 @@ class Credential(object): if not self.xml: self.decode() - # Check for schema conformance - - - trusted_cert_objects = [GID(filename=f) for f in trusted_certs] # Use legacy verification if this is a legacy credential 
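Review bot: In the `kind == '*'` branch of the privilege decoding hunk, `deleg` is parsed from `can_delegate` two lines above but never used: the rights returned by `rlist.determine_rights(...)` are added as they come, so whichever delegate flag those defaults carry overrides what the credential XML declares (whether determine_rights() marks them delegatable is not visible here — confirm). Either apply `deleg` to each expanded right before `rlist.add(r)` or document the choice with `# '*' expands to the type's default rights; can_delegate from the XML is intentionally ignored`. The local `type` also shadows the builtin; `obj_type` would read better. The enclosing method starts and ends outside the hunk.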
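Review bot: The last hunk on this line deletes the `# Check for schema conformance` placeholder from verify() without adding a conformance check, so the only reminder that the credential XML is never validated against a schema before signature verification disappears with it. Suggest keeping the gap visible as `# TODO: validate the credential XML against the schema before verifying signatures`. verify() starts and ends outside the hunk.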
@@ -661,16 +656,13 @@ class Credential(object): % (ref, cert_args, filename)).read() if not verified.strip().startswith("OK"): raise CredentialNotVerifiable("xmlsec1 error: " + verified) - os.remove(filename) # Verify the parents (delegation) if self.parent: self.verify_parent(self.parent) - # Make sure the issuer is the target's authority self.verify_issuer() - return True @@ -679,9 +671,9 @@ class Credential(object): def verify_issuer(self): target_authority = get_authority(self.get_gid_object().get_urn()) + # Find the root credential's signature cur_cred = self - root_refid = None while cur_cred: if cur_cred.parent: cur_cred = cur_cred.parent @@ -689,10 +681,11 @@ class Credential(object): root_issuer = cur_cred.get_signature().get_issuer_gid().get_urn() cur_cred = None - # Ensure that the signer of the root credential is the target_authority target_authority = hrn_to_urn(target_authority, 'authority') + logger.info( "%s %s" % (root_issuer, target_authority)) + if root_issuer != target_authority: raise CredentialNotVerifiable("issuer (%s) != authority of target (%s)" \ % (root_issuer, target_authority)) @@ -752,6 +745,6 @@ class Credential(object): if self.parent and dump_parents: - print "PARENT", - self.parent.dump_parents() + print "PARENT", + self.parent.dump_parents() diff --git a/sfa/util/namespace.py b/sfa/util/namespace.py index ebc8146c..d2006e50 100644 --- a/sfa/util/namespace.py +++ b/sfa/util/namespace.py @@ -89,7 +89,10 @@ def hrn_to_urn(hrn, type=None): authority = get_authority(hrn) name = get_leaf(hrn) - urn = "+".join([unicode(part).replace('.', ':') \ - for part in ['',authority,type,name]]) - + + if authority.startswith("plc"): + urn = "+".join(['',authority.replace('.',':'),type,name]) + else: + urn = "+".join(['',authority,type,name]) + return URN_PREFIX + urn
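Review bot: Dropping `os.remove(filename)` from verify() means the file handed to xmlsec1 is never deleted now; before this change it was at least removed on the success path, so every verification now leaves that file behind (the write that creates it is outside the hunk, but judging by the surrounding code it holds the credential being verified — confirm). Restore the removal in a `finally:` around the popen call and the `startswith("OK")` check so both the success and the error path clean up. The blank lines removed between the parent and issuer checks were harmless; the `os.remove` was not. verify() starts outside the hunk.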
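Review bot: The added `logger.info( "%s %s" % (root_issuer, target_authority))` in verify_issuer logs two bare URNs at info level on every verification with no message saying what they are, while the explanatory comment `# Ensure that the signer of the root credential is the target_authority` is removed in the same hunk. Prefer lazy formatting with a label, `logger.debug("verify_issuer: root issuer %s, target authority %s", root_issuer, target_authority)`, and keep the comment above the comparison. verify_issuer continues outside the hunk.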
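Review bot: With hrn_to_urn's default `type=None`, the new `"+".join(['',authority,type,name])` raises TypeError (join requires strings), whereas the removed `unicode(part)` form rendered it as the text "None", so callers that relied on the default now fail instead of producing a malformed URN. Decide what a missing type should produce and handle it explicitly before the join, e.g. `if type is None: type = ''`. `authority.startswith("plc")` is also a prefix test, so any authority whose name merely begins with those letters gets the dot-to-colon rewrite; `authority == "plc" or authority.startswith("plc.")` matches what the comment-free branch appears to intend. The function's signature is outside the hunk.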