1 #----------------------------------------------------------------------
2 # Copyright (c) 2008 Board of Trustees, Princeton University
4 # Permission is hereby granted, free of charge, to any person obtaining
5 # a copy of this software and/or hardware specification (the "Work") to
6 # deal in the Work without restriction, including without limitation the
7 # rights to use, copy, modify, merge, publish, distribute, sublicense,
8 # and/or sell copies of the Work, and to permit persons to whom the Work
9 # is furnished to do so, subject to the following conditions:
11 # The above copyright notice and this permission notice shall be
12 # included in all copies or substantial portions of the Work.
14 # THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
18 # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
19 # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 # OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
22 #----------------------------------------------------------------------
24 # Implements SFA Credentials
26 # Credentials are signed XML files that assign a subject gid privileges to an object gid
34 from xml.dom.minidom import Document, parseString
35 from tempfile import mkstemp
37 from sfa.trust.credential_legacy import CredentialLegacy
38 from sfa.trust.rights import *
39 from sfa.trust.gid import *
40 from sfa.util.faults import *
42 from sfa.util.sfalogging import logger
43 from dateutil.parser import parse
47 # Two years, in seconds
48 DEFAULT_CREDENTIAL_LIFETIME = 60 * 60 * 24 * 365 * 2
52 # . make privs match between PG and PL
53 # . Need to add support for other types of credentials, e.g. tickets
57 signature_template = \
59 <Signature xml:id="Sig_%s" xmlns="http://www.w3.org/2000/09/xmldsig#">
61 <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
62 <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
65 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
67 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
68 <DigestValue></DigestValue>
84 # Convert a string into a bool
87 if str.lower() in ['yes','true','1']:
94 # Utility function to get the text of an XML element
96 def getTextNode(element, subele):
97 sub = element.getElementsByTagName(subele)[0]
98 if len(sub.childNodes) > 0:
99 return sub.childNodes[0].nodeValue
104 # Utility function to set the text of an XML element
105 # It creates the element, adds the text to it,
106 # and then appends it to the parent.
108 def append_sub(doc, parent, element, text):
109 ele = doc.createElement(element)
110 ele.appendChild(doc.createTextNode(text))
111 parent.appendChild(ele)
114 # Signature contains information about an xmlsec1 signature
115 # for a signed-credential
118 class Signature(object):
121 def __init__(self, string=None):
123 self.issuer_gid = None
141 def set_refid(self, id):
144 def get_issuer_gid(self):
149 def set_issuer_gid(self, gid):
153 doc = parseString(self.xml)
154 sig = doc.getElementsByTagName("Signature")[0]
155 self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
156 keyinfo = sig.getElementsByTagName("X509Data")[0]
157 szgid = getTextNode(keyinfo, "X509Certificate")
158 szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid
159 self.set_issuer_gid(GID(string=szgid))
162 self.xml = signature_template % (self.get_refid(), self.get_refid())
166 # A credential provides a caller gid with privileges to an object gid.
167 # A signed credential is signed by the object's authority.
169 # Credentials are encoded in one of two ways. The legacy style places
170 # it in the subjectAltName of an X509 certificate. The new credentials
171 # are placed in signed XML.
174 # In general, a signed credential obtained externally should
175 # not be changed else the signature is no longer valid. So, once
176 # you have loaded an existing signed credential, do not call encode() or sign() on it.
179 class Credential(object):
183 # Create a Credential object
185 # @param create If true, create a blank x509 certificate
186 # @param subject If subject!=None, create an x509 cert with the subject name
187 # @param string If string!=None, load the credential from the string
188 # @param filename If filename!=None, load the credential from the file
190 def __init__(self, create=False, subject=None, string=None, filename=None):
191 self.gidCaller = None
192 self.gidObject = None
193 self.expiration = None
194 self.privileges = None
195 self.issuer_privkey = None
196 self.issuer_gid = None
197 self.issuer_pubkey = None
199 self.signature = None
207 # Check if this is a legacy credential, translate it if so
208 if string or filename:
212 str = file(filename).read()
214 if str.strip().startswith("-----"):
215 self.legacy = CredentialLegacy(False,string=str)
216 self.translate_legacy(str)
221 # Find an xmlsec1 path
222 self.xmlsec_path = ''
223 paths = ['/usr/bin','/usr/local/bin','/bin','/opt/bin','/opt/local/bin']
225 if os.path.isfile(path + '/' + 'xmlsec1'):
226 self.xmlsec_path = path + '/' + 'xmlsec1'
230 def get_signature(self):
231 if not self.signature:
233 return self.signature
235 def set_signature(self, sig):
240 # Translate a legacy credential into a new one
242 # @param String of the legacy credential
244 def translate_legacy(self, str):
245 legacy = CredentialLegacy(False,string=str)
246 self.gidCaller = legacy.get_gid_caller()
247 self.gidObject = legacy.get_gid_object()
248 lifetime = legacy.get_lifetime()
250 # Default to two years
251 self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
253 self.set_lifetime(int(lifetime))
254 self.lifeTime = legacy.get_lifetime()
255 self.set_privileges(legacy.get_privileges())
256 self.get_privileges().delegate_all_privileges(legacy.get_delegate())
259 # Need the issuer's private key and name
260 # @param key Keypair object containing the private key of the issuer
261 # @param gid GID of the issuing authority
263 def set_issuer_keys(self, privkey, gid):
264 self.issuer_privkey = privkey
265 self.issuer_gid = gid
269 # Set this credential's parent
270 def set_parent(self, cred):
275 # set the GID of the caller
277 # @param gid GID object of the caller
279 def set_gid_caller(self, gid):
281 # gid origin caller is the caller's gid by default
282 self.gidOriginCaller = gid
285 # get the GID of the object
287 def get_gid_caller(self):
288 if not self.gidCaller:
290 return self.gidCaller
293 # set the GID of the object
295 # @param gid GID object of the object
297 def set_gid_object(self, gid):
301 # get the GID of the object
303 def get_gid_object(self):
304 if not self.gidObject:
306 return self.gidObject
309 # set the lifetime of this credential
311 # @param lifetime lifetime of credential
312 # . if lifeTime is a datetime object, it is used for the expiration time
313 # . if lifeTime is an integer value, it is considered the number of seconds
314 # remaining before expiration
316 def set_lifetime(self, lifeTime):
317 if isinstance(lifeTime, int):
318 self.expiration = datetime.timedelta(seconds=lifeTime) + datetime.datetime.utcnow()
320 self.expiration = lifeTime
323 # get the lifetime of the credential (in datetime format)
325 def get_lifetime(self):
326 if not self.expiration:
328 return self.expiration
334 # @param privs either a comma-separated list of privileges of a RightList object
336 def set_privileges(self, privs):
337 if isinstance(privs, str):
338 self.privileges = RightList(string = privs)
340 self.privileges = privs
344 # return the privileges as a RightList object
346 def get_privileges(self):
347 if not self.privileges:
349 return self.privileges
352 # determine whether the credential allows a particular operation to be
355 # @param op_name string specifying name of operation ("lookup", "update", etc)
357 def can_perform(self, op_name):
358 rights = self.get_privileges()
363 return rights.can_perform(op_name)
367 # Encode the attributes of the credential into an XML string
368 # This should be done immediately before signing the credential.
370 # In general, a signed credential obtained externally should
371 # not be changed else the signature is no longer valid. So, once
372 # you have loaded an existing signed credential, do not call encode() or sign() on it.
375 # Create the XML document
377 signed_cred = doc.createElement("signed-credential")
378 doc.appendChild(signed_cred)
380 # Fill in the <credential> bit
381 cred = doc.createElement("credential")
382 cred.setAttribute("xml:id", self.get_refid())
383 signed_cred.appendChild(cred)
384 append_sub(doc, cred, "type", "privilege")
385 append_sub(doc, cred, "serial", "8")
386 append_sub(doc, cred, "owner_gid", self.gidCaller.save_to_string())
387 append_sub(doc, cred, "owner_urn", self.gidCaller.get_urn())
388 append_sub(doc, cred, "target_gid", self.gidObject.save_to_string())
389 append_sub(doc, cred, "target_urn", self.gidObject.get_urn())
390 append_sub(doc, cred, "uuid", "")
391 if not self.expiration:
392 self.set_lifetime(DEFAULT_CREDENTIAL_LIFETIME)
393 self.expiration = self.expiration.replace(microsecond=0)
394 append_sub(doc, cred, "expires", self.expiration.isoformat())
395 privileges = doc.createElement("privileges")
396 cred.appendChild(privileges)
399 rights = self.get_privileges()
400 for right in rights.rights:
401 priv = doc.createElement("privilege")
402 append_sub(doc, priv, "name", right.kind)
403 append_sub(doc, priv, "can_delegate", str(right.delegate).lower())
404 privileges.appendChild(priv)
406 # Add the parent credential if it exists
408 sdoc = parseString(self.parent.get_xml())
409 p_cred = doc.importNode(sdoc.getElementsByTagName("credential")[0], True)
410 p = doc.createElement("parent")
411 p.appendChild(p_cred)
415 # Create the <signatures> tag
416 signatures = doc.createElement("signatures")
417 signed_cred.appendChild(signatures)
419 # Add any parent signatures
421 for cur_cred in self.get_credential_list()[1:]:
422 sdoc = parseString(cur_cred.get_signature().get_xml())
423 ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
424 signatures.appendChild(ele)
426 # Get the finished product
427 self.xml = doc.toxml()
430 def save_to_random_tmp_file(self):
431 fp, filename = mkstemp(suffix='cred', text=True)
432 fp = os.fdopen(fp, "w")
433 self.save_to_file(filename, save_parents=True, filep=fp)
436 def save_to_file(self, filename, save_parents=True, filep=None):
442 f = open(filename, "w")
446 def save_to_string(self, save_parents=True):
456 def set_refid(self, rid):
460 # Figure out what refids exist, and update this credential's id
461 # so that it doesn't clobber the others. Returns the refids of
464 def updateRefID(self):
466 self.set_refid('ref0')
471 next_cred = self.parent
473 refs.append(next_cred.get_refid())
475 next_cred = next_cred.parent
480 # Find a unique refid for this credential
481 rid = self.get_refid()
484 rid = "ref%d" % (val + 1)
489 # Return the set of parent credential ref ids
498 # Sign the XML file created by encode()
501 # In general, a signed credential obtained externally should
502 # not be changed else the signature is no longer valid. So, once
503 # you have loaded an existing signed credential, do not call encode() or sign() on it.
506 if not self.issuer_privkey or not self.issuer_gid:
508 doc = parseString(self.get_xml())
509 sigs = doc.getElementsByTagName("signatures")[0]
511 # Create the signature template to be signed
512 signature = Signature()
513 signature.set_refid(self.get_refid())
514 sdoc = parseString(signature.get_xml())
515 sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
516 sigs.appendChild(sig_ele)
518 self.xml = doc.toxml()
521 # Split the issuer GID into multiple certificates if it's a chain
522 chain = GID(filename=self.issuer_gid)
525 gid_files.append(chain.save_to_random_tmp_file(False))
526 if chain.get_parent():
527 chain = chain.get_parent()
532 # Call out to xmlsec1 to sign it
533 ref = 'Sig_%s' % self.get_refid()
534 filename = self.save_to_random_tmp_file()
535 signed = os.popen('%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
536 % (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)).read()
539 for gid_file in gid_files:
544 # This is no longer a legacy credential
555 # Retrieve the attributes of the credential from the XML.
556 # This is automatically called by the various get_* methods of
557 # this class and should not need to be called explicitly.
562 doc = parseString(self.xml)
564 signed_cred = doc.getElementsByTagName("signed-credential")
566 # Is this a signed-cred or just a cred?
567 if len(signed_cred) > 0:
568 cred = signed_cred[0].getElementsByTagName("credential")[0]
569 signatures = signed_cred[0].getElementsByTagName("signatures")
570 if len(signatures) > 0:
571 sigs = signatures[0].getElementsByTagName("Signature")
573 cred = doc.getElementsByTagName("credential")[0]
577 self.set_refid(cred.getAttribute("xml:id"))
578 self.set_lifetime(parse(getTextNode(cred, "expires")))
579 self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
580 self.gidObject = GID(string=getTextNode(cred, "target_gid"))
584 privs = cred.getElementsByTagName("privileges")[0]
586 for priv in privs.getElementsByTagName("privilege"):
587 kind = getTextNode(priv, "name")
588 deleg = str2bool(getTextNode(priv, "can_delegate"))
590 # Convert * into the default privileges for the credential's type
591 _ , type = urn_to_hrn(self.gidObject.get_urn())
592 rl = rlist.determine_rights(type, self.gidObject.get_urn())
596 rlist.add(Right(kind.strip(), deleg))
597 self.set_privileges(rlist)
601 parent = cred.getElementsByTagName("parent")
603 parent_doc = parent[0].getElementsByTagName("credential")[0]
604 parent_xml = parent_doc.toxml()
605 self.parent = Credential(string=parent_xml)
608 # Assign the signatures to the credentials
610 Sig = Signature(string=sig.toxml())
612 for cur_cred in self.get_credential_list():
613 if cur_cred.get_refid() == Sig.get_refid():
614 cur_cred.set_signature(Sig)
619 # trusted_certs: A list of trusted GID filenames (not GID objects!)
620 # Chaining is not supported within the GIDs by xmlsec1.
623 # . All of the signatures are valid and that the issuers trace back
624 # to trusted roots (performed by xmlsec1)
625 # . The XML matches the credential schema
626 # . That the issuer of the credential is the authority in the target's urn
627 # . In the case of a delegated credential, this must be true of the root
628 # . That all of the gids presented in the credential are valid
629 # . The credential is not expired
631 # -- For Delegates (credentials with parents)
632 # . The privileges must be a subset of the parent credentials
633 # . The privileges must have "can_delegate" set for each delegated privilege
634 # . The target gid must be the same between child and parents
635 # . The expiry time on the child must be no later than the parent
636 # . The signer of the child must be the owner of the parent
638 # -- Verify does *NOT*
639 # . ensure that an xmlrpc client's gid matches a credential gid, that
640 # must be done elsewhere
642 # @param trusted_certs: The certificates of trusted CA certificates
644 def verify(self, trusted_certs):
647 trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
649 # Use legacy verification if this is a legacy credential
651 self.legacy.verify_chain(trusted_cert_objects)
652 if self.legacy.client_gid:
653 self.legacy.client_gid.verify_chain(trusted_cert_objects)
654 if self.legacy.object_gid:
655 self.legacy.object_gid.verify_chain(trusted_cert_objects)
658 # make sure it is not expired
659 if self.get_lifetime() < datetime.datetime.utcnow():
660 raise CredentialNotVerifiable("credential is expired")
662 # Verify the signatures
663 filename = self.save_to_random_tmp_file()
664 cert_args = " ".join(['--trusted-pem %s' % x for x in trusted_certs])
666 # Verify the gids of this cred and of its parents
670 for cur_cred in self.get_credential_list():
671 cur_cred.get_gid_object().verify_chain(trusted_cert_objects)
672 cur_cred.get_gid_caller().verify_chain(trusted_cert_objects)
676 refs.append("Sig_%s" % self.get_refid())
678 parentRefs = self.updateRefID()
679 for ref in parentRefs:
680 refs.append("Sig_%s" % ref)
683 verified = os.popen('%s --verify --node-id "%s" %s %s 2>&1' \
684 % (self.xmlsec_path, ref, cert_args, filename)).read()
685 if not verified.strip().startswith("OK"):
686 raise CredentialNotVerifiable("xmlsec1 error: " + verified)
689 # Verify the parents (delegation)
691 self.verify_parent(self.parent)
693 # Make sure the issuer is the target's authority
698 # Creates a list of the credential and its parents, with the root
699 # (original delegated credential) as the last item in the list
700 def get_credential_list(self):
704 list.append(cur_cred)
706 cur_cred = cur_cred.parent
712 # Make sure the credential's target gid was signed by (or is the same) the entity that signed
713 # the original credential or an authority over that namespace.
714 def verify_issuer(self):
715 root_cred = self.get_credential_list()[-1]
716 root_target_gid = root_cred.get_gid_object()
717 root_cred_signer = root_cred.get_signature().get_issuer_gid()
719 if root_target_gid.is_signed_by_cert(root_cred_signer):
720 # cred signer matches target signer, return success
723 root_target_gid_str = root_target_gid.save_to_string()
724 root_cred_signer_str = root_cred_signer.save_to_string()
725 if root_target_gid_str == root_cred_signer_str:
726 # cred signer is target, return success
729 # See if it the signer is an authority over the domain of the target
730 # Maybe should be (hrn, type) = urn_to_hrn(root_cred_signer.get_urn())
731 root_cred_signer_type = root_cred_signer.get_type()
732 if (root_cred_signer_type == 'authority'):
733 # signer is an authority, see if target is in authority's domain
734 hrn = root_cred_signer.get_hrn()
735 domain = hrn[:hrn.rindex('.')]
736 if root_target_gid.get_hrn().startswith(domain):
737 # target is in domain of signer's authority
740 # Give up, credential does not pass issuer verification
741 raise CredentialNotVerifiable("Could not verify credential signer")
745 # -- For Delegates (credentials with parents) verify that:
746 # . The privileges must be a subset of the parent credentials
747 # . The privileges must have "can_delegate" set for each delegated privilege
748 # . The target gid must be the same between child and parents
749 # . The expiry time on the child must be no later than the parent
750 # . The signer of the child must be the owner of the parent
752 def verify_parent(self, parent_cred):
753 # make sure the rights given to the child are a subset of the
754 # parents rights (and check delegate bits)
755 if not parent_cred.get_privileges().is_superset(self.get_privileges()):
756 raise ChildRightsNotSubsetOfParent(
757 self.parent.get_privileges().save_to_string() + " " +
758 self.get_privileges().save_to_string())
760 # make sure my target gid is the same as the parent's
761 if not parent_cred.get_gid_object().save_to_string() == \
762 self.get_gid_object().save_to_string():
763 raise CredentialNotVerifiable("target gid not equal between parent and child")
765 # make sure my expiry time is <= my parent's
766 if not parent_cred.get_lifetime() >= self.get_lifetime():
767 raise CredentialNotVerifiable("delegated credential expires after parent")
769 # make sure my signer is the parent's caller
770 if not parent_cred.get_gid_caller().save_to_string(False) == \
771 self.get_signature().get_issuer_gid().save_to_string(False):
772 raise CredentialNotVerifiable("delegated credential not signed by parent caller")
774 if parent_cred.parent:
775 parent_cred.verify_parent(parent_cred.parent)
778 # Dump the contents of a credential to stdout in human-readable format
780 # @param dump_parents If true, also dump the parent certificates
782 def dump(self, dump_parents=False):
783 print "CREDENTIAL", self.get_subject()
785 print " privs:", self.get_privileges().save_to_string()
788 gidCaller = self.get_gid_caller()
790 gidCaller.dump(8, dump_parents)
793 gidObject = self.get_gid_object()
795 gidObject.dump(8, dump_parents)
798 if self.parent and dump_parents:
800 self.parent.dump_parents()