From 657322510c9aa004ff13dcf71e4387afba0df379 Mon Sep 17 00:00:00 2001 
From: Josh Karlin 
Date: Thu, 8 Apr 2010 18:44:31 +0000 
Subject: [PATCH] new credentials are now working.. at least for list and get_resources 
---
 sfa/server/modpythonapi/AuthenticatedApi.py | 6 ------
 sfa/trust/auth.py | 10 ----------
 sfa/trust/credential.py | 22 ++++++++++++++++-----
 sfa/util/namespace.py | 6 +++++-
 4 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/sfa/server/modpythonapi/AuthenticatedApi.py b/sfa/server/modpythonapi/AuthenticatedApi.py 
index f87d4bb3..e86781f3 100755 
--- a/sfa/server/modpythonapi/AuthenticatedApi.py 
+++ b/sfa/server/modpythonapi/AuthenticatedApi.py 
@@ -42,12 +42,6 @@ class AuthenticatedApi(BaseApi):
 def validateCred(self, cred):
 if self.trusted_cert_list:
 cred.verify(self.trusted_cert_file_list) 
- caller_gid = cred.get_gid_caller() 
- object_gid = cred.get_gid_object() 
- if caller_gid: 
- caller_gid.verify_chain(self.trusted_cert_list) 
- if object_gid: 
- object_gid.verify_chain(self.trusted_cert_list)
 def authenticateGid(self, gidStr, argList, requestHash):
 gid = GID(string = gidStr) 
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py 
index 51b7edc1..15d3b589 100644 
--- a/sfa/trust/auth.py 
+++ b/sfa/trust/auth.py 
@@ -58,10 +58,6 @@ class Auth:
 if self.trusted_cert_list:
 self.client_cred.verify(self.trusted_cert_file_list) 
- if self.client_gid: 
- self.client_gid.verify_chain(self.trusted_cert_list) 
- if self.object_gid: 
- self.object_gid.verify_chain(self.trusted_cert_list)
 else:
 raise MissingTrustedRoots(self.config.get_trustedroots_dir()) 
@@ -100,12 +96,6 @@ class Auth:
 def validateCred(self, cred):
 if self.trusted_cert_list:
 cred.verify(self.trusted_cert_file_list) 
- caller_gid = cred.get_gid_caller() 
- object_gid = cred.get_gid_object() 
- if caller_gid: 
- caller_gid.verify_chain(self.trusted_cert_list) 
- if object_gid: 
- object_gid.verify_chain(self.trusted_cert_list)
 def authenticateGid(self, gidStr, argList, requestHash=None):
 gid = GID(string = gidStr) 
diff --git a/sfa/trust/credential.py b/sfa/trust/credential.py 
index 4acaa204..84d9d93c 100644 
--- a/sfa/trust/credential.py 
+++ b/sfa/trust/credential.py 
@@ -175,7 +175,8 @@ class Credential(object):
 self.gidObject = legacy.get_gid_object()
 lifetime = legacy.get_lifetime()
 if not lifetime: 
- self.set_lifetime(3600) 
+ # Default to two years 
+ self.set_lifetime(1051200)
 else:
 self.set_lifetime(int(lifetime))
 self.lifeTime = legacy.get_lifetime() 
@@ -540,6 +541,7 @@ class Credential(object):
 # to trusted roots (performed by xmlsec1)
 # . That the issuer of the credential is the authority in the target's urn
 # . In the case of a delegated credential, this must be true of the root 
+ # . That all of the gids presented in the credential are valid
 #
 # -- For Delegates (credentials with parents)
 # . The privileges must be a subset of the parent credentials 
@@ -562,6 +564,17 @@ class Credential(object):
 filename = self.save_to_random_tmp_file()
 cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs]) 
+ # Verify the gids of this cred and of its parents 
+ trusted_cert_objects = [GID(filename=f) for f in trusted_certs] 
+ 
+ cur_cred = self 
+ while cur_cred: 
+ cur_cred.get_gid_object().verify_chain(trusted_cert_objects) 
+ cur_cred.get_gid_caller().verify_chain(trusted_cert_objects) 
+ if self.parent_xml: 
+ cur_cred = Credential(string=self.parent_xml) 
+ else: 
+ cur_cred = None
 refs = []
 refs.append("Sig_%s" % self.get_refid()) 
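Review bot: The constant in the new `self.set_lifetime(1051200)` equals two years only if set_lifetime counts minutes (2 * 365 * 24 * 60); the value it replaces, 3600, reads like one hour in seconds, and in seconds 1051200 is roughly twelve days, so the comment and the number cannot both be right without knowing the unit. Name the unit where the value is set, e.g. `# Default to two years (set_lifetime takes minutes)` with `self.set_lifetime(2 * 365 * 24 * 60)`, or the seconds equivalent if that is what set_lifetime expects. It is also worth recording in that comment that the default applies to every legacy credential that carries no lifetime, so a missing field now produces a long-lived credential instead of a one-hour one. The enclosing method starts before this hunk.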
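Review bot: The parent walk in the new `while cur_cred:` loop tests `self.parent_xml` and rebuilds `Credential(string=self.parent_xml)` instead of using `cur_cred`, so for a delegated credential it verifies the credential, then its parent, then the same parent again forever, and a grandparent is never reached. The two lines should read `if cur_cred.parent_xml:` and `cur_cred = Credential(string=cur_cred.parent_xml)`. The loop also calls verify_chain on `get_gid_object()` and `get_gid_caller()` unconditionally, whereas the checks this commit removes from AuthenticatedApi.validateCred and Auth.validateCred were guarded on the gid being present; if an absent gid is meant to be rejected, raise a descriptive error instead of letting an AttributeError escape from verify. The enclosing verify method begins before and continues after this hunk.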
@@ -589,10 +602,8 @@ class Credential(object):
 ##
 # Make sure the issuer of this credential is the target's authority 
- # Security hole: Because PL GID's use hrns in the CN instead of urns, 
- # the type is not checked, only the authority name. 
- def verify_issuer(self): 
- target_authority = get_authority(self.get_gid_object().get_hrn()) 
+ def verify_issuer(self): 
+ target_authority = get_authority(self.get_gid_object().get_urn())
 # Find the root credential's refid
 cur_cred = self 
@@ -610,6 +621,7 @@ class Credential(object):
 if sig.get_refid().lower() == root_refid.lower():
 root_issuer = sig.get_issuer_gid().get_urn() 
+ # Ensure that the signer of the root credential is the target_authority
 target_authority = hrn_to_urn(target_authority, 'authority') 
diff --git a/sfa/util/namespace.py b/sfa/util/namespace.py 
index e3a7536f..ebc8146c 100644 
--- a/sfa/util/namespace.py 
+++ b/sfa/util/namespace.py 
@@ -9,7 +9,11 @@ def get_leaf(hrn):
 parts = hrn.split(".")
 return ".".join(parts[-1:]) 
-def get_authority(hrn): 
+def get_authority(xrn): 
+ hrn, type = urn_to_hrn(xrn) 
+ if type and type == 'authority': 
+ return hrn 
+
 parts = hrn.split(".")
 return ".".join(parts[:-1]) 
-- 
2.47.0
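Review bot: The removed `# Security hole:` comment recorded that verify_issuer compares only the authority name and never the type of the target, and switching the argument to `get_urn()` does not on its own show that this is closed: get_authority (changed in this commit) returns a bare hrn, and the later `target_authority = hrn_to_urn(target_authority, 'authority')` forces the type to 'authority' regardless of what the target's urn carried. If the weakness is now handled elsewhere, say where in a comment at this point; otherwise keep a note such as `# NOTE: only the authority name of the target is checked here, not its type`. The rest of verify_issuer lies outside this hunk.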
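Review bot: The early `return hrn` in the new get_authority changes its meaning for names of type 'authority': the function now returns the object's own hrn rather than its parent, so a caller such as verify_issuer in sfa/trust/credential.py will require an authority's credential to be issued by that authority itself instead of by its parent; if that is intended, state it in a docstring, e.g. `"""Return the authority of *xrn*; an xrn of type 'authority' is its own authority."""`. As a matter of style, `type` shadows the builtin and `type and type == 'authority'` is redundant; `hrn, name_type = urn_to_hrn(xrn)` followed by `if name_type == 'authority':` says the same thing. Callers that still pass a plain hrn now depend on urn_to_hrn accepting one, which is not visible here and deserves a comment.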