2 # Implements Geni Credentials
4 # Credentials are layered on top of certificates, and are essentially a
5 # certificate that stores a tuple of parameters.
13 from sfa.trust.certificate import Certificate
14 from sfa.trust.rights import *
15 from sfa.trust.gid import *
16 from sfa.util.faults import *
19 # Credential is a tuple:
20 # (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)
22 # These fields are encoded using xmlrpc into the subjectAltName field of the
23 # x509 certificate. Note: Call encode() once the fields have been filled in
24 # to perform this encoding.
26 class Credential(Certificate):
27 gidOriginCaller = None
35 # Create a Credential object
37 # @param create If true, create a blank x509 certificate
38 # @param subject If subject!=None, create an x509 cert with the subject name
39 # @param string If string!=None, load the credential from the string
40 # @param filename If filename!=None, load the credential from the file
42 def __init__(self, create=False, subject=None, string=None, filename=None):
43 Certificate.__init__(self, create, subject, string, filename)
45 ## set the GID of the original caller
47 # @param gid GID object of the original caller
48 def set_gid_origin_caller(self, gid):
49 self.gidOriginCaller = gid
52 # get the GID of the object
54 def get_gid_origin_caller(self):
55 if not self.gidOriginCaller:
57 return self.gidOriginCaller
60 # set the GID of the caller
62 # @param gid GID object of the caller
64 def set_gid_caller(self, gid):
66 # gid origin caller is the caller's gid by default
67 self.gidOriginCaller = gid
70 # get the GID of the object
72 def get_gid_caller(self):
73 if not self.gidCaller:
78 # set the GID of the object
80 # @param gid GID object of the object
82 def set_gid_object(self, gid):
86 # get the GID of the object
88 def get_gid_object(self):
89 if not self.gidObject:
94 # set the lifetime of this credential
96 # @param lifetime lifetime of credential
98 def set_lifetime(self, lifeTime):
99 self.lifeTime = lifeTime
102 # get the lifetime of the credential
104 def get_lifetime(self):
105 if not self.lifeTime:
110 # set the delegate bit
112 # @param delegate boolean (True or False)
114 def set_delegate(self, delegate):
115 self.delegate = delegate
118 # get the delegate bit
120 def get_delegate(self):
121 if not self.delegate:
128 # @param privs either a comma-separated list of privileges of a RightList object
130 def set_privileges(self, privs):
131 if isinstance(privs, str):
132 self.privileges = RightList(string = privs)
134 self.privileges = privs
137 # return the privileges as a RightList object
139 def get_privileges(self):
140 if not self.privileges:
142 return self.privileges
145 # determine whether the credential allows a particular operation to be
148 # @param op_name string specifying name of operation ("lookup", "update", etc)
150 def can_perform(self, op_name):
151 rights = self.get_privileges()
154 return rights.can_perform(op_name)
157 # Encode the attributes of the credential into a string and store that
158 # string in the alt-subject-name field of the X509 object. This should be
159 # done immediately before signing the credential.
162 dict = {"gidOriginCaller": None,
165 "lifeTime": self.lifeTime,
167 "delegate": self.delegate}
168 if self.gidOriginCaller:
169 dict["gidOriginCaller"] = self.gidOriginCaller.save_to_string(save_parents=True)
171 dict["gidCaller"] = self.gidCaller.save_to_string(save_parents=True)
173 dict["gidObject"] = self.gidObject.save_to_string(save_parents=True)
175 dict["privileges"] = self.privileges.save_to_string()
176 str = xmlrpclib.dumps((dict,), allow_none=True)
180 # Retrieve the attributes of the credential from the alt-subject-name field
181 # of the X509 certificate. This is automatically done by the various
182 # get_* methods of this class and should not need to be called explicitly.
185 data = self.get_data()
187 dict = xmlrpclib.loads(self.get_data())[0][0]
191 self.lifeTime = dict.get("lifeTime", None)
192 self.delegate = dict.get("delegate", None)
194 privStr = dict.get("privileges", None)
196 self.privileges = RightList(string = privStr)
198 self.privileges = None
200 gidOriginCallerStr = dict.get("gidOriginCaller", None)
201 if gidOriginCallerStr:
202 self.gidOriginCaller = GID(string=gidOriginCallerStr)
204 self.gidOriginCaller = None
206 gidCallerStr = dict.get("gidCaller", None)
208 self.gidCaller = GID(string=gidCallerStr)
210 self.gidCaller = None
212 gidObjectStr = dict.get("gidObject", None)
214 self.gidObject = GID(string=gidObjectStr)
216 self.gidObject = None
219 # Verify that a chain of credentials is valid (see cert.py:verify). In
220 # addition to the checks for ordinary certificates, verification also
221 # ensures that the delegate bit was set by each parent in the chain. If
222 # a delegate bit was not set, then an exception is thrown.
224 # Each credential must be a subset of the rights of the parent.
226 def verify_chain(self, trusted_certs = None):
227 # do the normal certificate verification stuff
228 Certificate.verify_chain(self, trusted_certs)
231 # make sure the parent delegated rights to the child
232 if not self.parent.get_delegate():
233 raise MissingDelegateBit(self.parent.get_subject())
235 # make sure the rights given to the child are a subset of the
237 if not self.parent.get_privileges().is_superset(self.get_privileges()):
238 raise ChildRightsNotSubsetOfParent(self.get_subject()
239 + " " + self.parent.get_privileges().save_to_string()
240 + " " + self.get_privileges().save_to_string())
245 # Dump the contents of a credential to stdout in human-readable format
247 # @param dump_parents If true, also dump the parent certificates
249 def dump(self, dump_parents=False):
250 print "CREDENTIAL", self.get_subject()
252 print " privs:", self.get_privileges().save_to_string()
254 print " gidOriginCaller:"
255 gidOriginCaller = self.get_gid_origin_caller()
257 gidOriginCaller.dump(8, dump_parents)
260 gidCaller = self.get_gid_caller()
262 gidCaller.dump(8, dump_parents)
265 gidObject = self.get_gid_object()
267 gidObject.dump(8, dump_parents)
269 print " delegate:", self.get_delegate()
271 if self.parent and dump_parents:
273 self.parent.dump(dump_parents)